Re: random dns queries with random sources

2014-02-19 Thread Anurag Bhatia
Hello everyone


I can see such crap traffic from over a couple of weeks now, but yes, it
appeared all of a sudden and I was also wondering if I am alone in
experiencing it.


2014-02-19 14:30 GMT+08:00 Joe Maimon jmai...@ttec.com:



> Dobbins, Roland wrote:
>
>> On Feb 19, 2014, at 1:07 PM, Joe Maimon jmai...@ttec.com wrote:
>>
>>> There are ways to deal with it on resolvers as well, like RRL and IDS
>>> and iptables
>>
>> None of these things work well for recursive resolvers; they cause more
>> problems than they solve.
>
> Whatever I am doing appears to be working, at least until this cropped up.
>
> Joe




-- 


Anurag Bhatia
anuragbhatia.com

Linkedin http://in.linkedin.com/in/anuragbhatia21 |
Twitter https://twitter.com/anurag_bhatia
Skype: anuragbhatia.com

PGP Key Fingerprint: 3115 677D 2E94 B696 651B 870C C06D D524 245E 58E2


Re: random dns queries with random sources

2014-02-19 Thread sthaug
> Premature send - I meant to add 'Or against the authoritative servers for
> 5kkx.com?'
>
> We've been seeing a spate of reflected (not amplified) DNS attacks against
> various authoritative servers in Europe for the past week or so, bounced
> through some type of consumer DSL broadband CPE with an open DNS forwarder on
> the WAN interface (don't know the make/model, but it was supplied by the
> broadband operators to the customers), on some European broadband access
> networks.

Pretty clearly an attack against various authoritative servers. Right
now I'm seeing attacks against the following domains / name servers:

comedc.com  NS f1g1ns1.dnspod.net vip1.zndns.com v1s1.xundns.com
jd176.com   NS ns{1,2}.dnsabc-g.com
x7ok.comNS safe.qycn.{com,org,net,cn}
bdhope.com  NS ns{1,2}.dnsabc-b.com
yg521.com   NS dns{1,2,3,4,5,6}.iidns.com
56bj56.com  NS ns{1,2}.dnsabc-f.com

This is all detected in AS 2116 - unfortunately we have our share of
customers with open resolvers  / broadband routers with DNS proxies
open towards the WAN side.

Steinar Haug, AS 2116



Re: random dns queries with random sources

2014-02-19 Thread sthaug
> It has been ongoing for a week or so (but not constant). The domain
> names have a pattern but are comprised of components that appear to be
> randomly generated. The source IP addresses for the queries appear to be
> non duplicated and randomly generated.
>
> query logs are available for unicasting to the interested.
>
> Has nobody else seen this?

We've seen it. It is pretty clearly an attack against authoritative
name servers for various domains, using open recursors or proxies to
reflect the queries.

Steinar Haug, AS 2116



RE: GEO location issue with google

2014-02-19 Thread Praveen Unnikrishnan
Hi Heather,

Thank you very much for sorting out this issue.

Praveen Unnikrishnan
Network Engineer
PMGC Technology Group Ltd
T:  020 3542 6401
M: 07827921390
F:  087 1813 1467
E: p...@pmgroupuk.com

PMGC Technology Group Limited is a company registered in England and Wales. 
Registered number: 7974624 (3/F Sutherland House, 5-6 Argyll Street, London. 
W1F 7TE). This message contains confidential (and potentially legally 
privileged) information solely for its intended recipients. Others may not 
distribute copy or use it. If you have received this communication in error 
please contact the sender as soon as possible and delete the email and any 
attachments without keeping copies. Any views or opinions presented are solely 
those of the author and do not necessarily represent those of the company or 
its associated companies unless otherwise specifically stated. All incoming and 
outgoing e-mails may be monitored in line with current legislation. It is the 
responsibility of the recipient to ensure that emails are virus free before 
opening.

PMGC® is a registered trademark of PMGC Technology Group Ltd.


From: Heather Schiller [mailto:h...@google.com]
Sent: 13 February 2014 05:43
To: Praveen Unnikrishnan
Cc: nanog@nanog.org
Subject: Re: GEO location issue with google

Reported to the appropriate folks.

Going to www.google.co.uk directly should return you English language
results.   Appending /en to the end of a google url should also return you
English language results.  You should also be able to set your language
preference in your search settings.

 --Heather

On Fri, Feb 7, 2014 at 10:20 AM, Praveen Unnikrishnan 
p...@pmgroupuk.commailto:p...@pmgroupuk.com wrote:
Hi,

We are an ISP based in the UK. We have got an IP block from RIPE which is
5.250.176.0/20. All the main search engines like Yahoo show we are based in
the UK. But Google thinks we are from Saudi Arabia and we are redirected to
www.google.com.sa instead of google.co.uk. I have sent a lot of emails to
Google but no luck. All the information from Google is in Arabic and YouTube
shows some weird videos as well.

Could anyone please help me to sort this out?

Would be much appreciated for your time.


Re: spamassassin

2014-02-19 Thread Simon Perreault
Daniel is correct, he gets a cookie! To the others: please learn to
recognize when you have no clue.

We've been having the same problem here for the last three days. I
tracked it down to BAYES_999. Glad to see other people are suffering as
much as I am. :)

Simon

On 2014-02-19 01:46, Daniel Staal wrote:
> --As of February 19, 2014 9:52:57 AM +0800, Randy Bush is alleged to
> have said:
>
>> in the last 3-4 days, a *massive* amount of spam is making it past
>> spamassassin to my users and to me.  see appended for example.  not
>> all has dkim.
>>
>> clue?
>
> --As for the rest, it is mine.
>
> The spamassassin list has been tracking an issue where a new rule made
> it out of the testbox accidentally, which lowers scores on a lot of
> spam.  It wasn't in the sample you provided, but the rule name is
> BAYES_999 - it catches mail that the bayes filter thinks is 99.9-100%
> sure to be spam.  As it got promoted prematurely, it's showing with a
> score of 1.0.  (The default.)  It's probably a part of your problem.
>
> A fix should be in the rules update today or tomorrow - or you can
> rescore it to the same as BAYES_99 (someplace in the 3 range by default,
> I believe).  That's what used to catch that mail: it used to mean
> 99-100%, and now means 99-99.9%.
>
> More info can be found in the mailing list archives for the spamassassin
> list.
>
> Daniel T. Staal

-- 
DTN made easy, lean, and smart -- http://postellation.viagenie.ca
NAT64/DNS64 open-source-- http://ecdysis.viagenie.ca
STUN/TURN server   -- http://numb.viagenie.ca



RE: random dns queries with random sources

2014-02-19 Thread Beeman, Davis
I am late to this train, but it appears no one else has brought this up.  It is
a DNS tunneling setup, not an attack.  I have been dealing with one of these
lately as well.  They were using some open resolvers in my network to reflect,
but the random hostnames in the queries are tunneled traffic or keywords.
The original sources of the traffic are probably members of a botnet, and this
is being used as a sneaky C&C method.   Due to the tiny amount of data you can
send in the DNS query name field, this will sort of look like an attack,
because they have to send thousands of queries to get anything done.

They are not attacking the authoritative name servers in those domains, as has
been suggested; rather, the authoritative name server in these domains is the
rogue DNS server in use by the bad actor running a botnet.

Davis Beeman
Network Security Engineer


-Original Message-
From: Joe Maimon [mailto:jmai...@ttec.com] 
Sent: Tuesday, February 18, 2014 19:08
To: North American Networking and Offtopic Gripes List
Subject: random dns queries with random sources

Hey all,

DNS amplification spoofed source attacks, I get that. I even thought I was 
getting mitigation down to acceptable levels.

But now this. At different times during the previous days and on different 
resolvers, routers with proxy turned on, etc...

Thousands of queries with thousands of source ip addresses.

According to my logs, sources are not being repeated (or not with any 
significant frequency)

What is the purpose of this?

18-Feb-2014 21:45:24.982 queries: info: client 38.89.3.12#19391: query: swe.5kkx.com IN A + (66.199.132.5)
18-Feb-2014 21:45:25.067 queries: info: client 4.109.210.187#55190: query: ngqrbwuzquz.5kkx.com IN A + (66.199.132.7)
18-Feb-2014 21:45:25.105 queries: info: client 91.82.209.221#33924: query: bgbtqcdtzen.5kkx.com IN A + (66.199.132.7)
18-Feb-2014 21:45:25.106 queries: info: client 6.29.8.224#4379: query: uehkaiy.5kkx.com IN A + (66.199.132.7)
18-Feb-2014 21:45:25.106 queries: info: client 67.27.41.169#44000: query: yqv.5kkx.com IN A + (66.199.132.7)
18-Feb-2014 21:45:25.107 queries: info: client 45.207.31.218#30585: query: e.5kkx.com IN A + (66.199.132.7)
18-Feb-2014 21:45:25.644 queries: info: client 95.217.89.95#5396: query: bfpofpj.5kkx.com IN A + (66.199.132.5)
18-Feb-2014 21:45:25.823 queries: info: client 89.47.129.187#12316: query: aocdesguijxym.5kkx.com IN A + (66.199.132.5)
18-Feb-2014 21:45:26.021 queries: info: client 15.205.106.62#34265: query: xqgyahfugnt.5kkx.com IN A + (66.199.132.7)
18-Feb-2014 21:45:26.057 queries: info: client 128.64.33.29#7584: query: ijwhqfmpohmj.5kkx.com IN A + (216.222.148.103)
18-Feb-2014 21:45:26.330 queries: info: client 102.206.85.254#8093: query: ibojknsrqjohib.5kkx.com IN A + (216.222.148.103)
18-Feb-2014 21:45:26.333 queries: info: client 40.121.221.81#10822: query: ebb.5kkx.com IN A + (66.199.132.5)
18-Feb-2014 21:45:26.752 queries: info: client 104.55.169.43#30108: query: l.5kkx.com IN A + (66.199.132.7)

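The triage below is an added example for this thread, not code from any poster. It parses BIND query-log lines in the format of Joe's post (his thirteen lines are embedded as sample input, together with three constructed lines of ordinary traffic to example.net), groups them by registered domain using a two-label heuristic (an assumption; a real tool would consult the Public Suffix List), and reports the features that separate this traffic from normal resolver load: the ratio of distinct sources and distinct names to queries, the length and entropy of the leftmost label, and the query rate. The flagging thresholds are assumptions chosen for illustration.

```python
"""Triage BIND query-log lines for random-QNAME floods from many sources.

Added example for this thread; not code from any poster. Sample lines are the
thirteen from Joe Maimon's post plus three constructed lines of ordinary
traffic to a made-up zone (example.net). Thresholds are assumptions.
"""
import math
import re
from collections import Counter, defaultdict
from datetime import datetime

# BIND 9 "queries" category line, as it appears in the post:
# <date> <time> queries: info: client <ip>#<port>: query: <qname> IN <qtype> <flags> (<listener-ip>)
LOG_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) queries: info: "
    r"client (?P<src>[\d.]+)#(?P<port>\d+): query: (?P<qname>\S+) IN "
    r"(?P<qtype>\S+) (?P<flags>\S+) \((?P<dst>[\d.]+)\)$"
)
TS_FMT = "%d-%b-%Y %H:%M:%S.%f"

SAMPLE_LOG = """\
18-Feb-2014 21:45:24.982 queries: info: client 38.89.3.12#19391: query: swe.5kkx.com IN A + (66.199.132.5)
18-Feb-2014 21:45:25.067 queries: info: client 4.109.210.187#55190: query: ngqrbwuzquz.5kkx.com IN A + (66.199.132.7)
18-Feb-2014 21:45:25.105 queries: info: client 91.82.209.221#33924: query: bgbtqcdtzen.5kkx.com IN A + (66.199.132.7)
18-Feb-2014 21:45:25.106 queries: info: client 6.29.8.224#4379: query: uehkaiy.5kkx.com IN A + (66.199.132.7)
18-Feb-2014 21:45:25.106 queries: info: client 67.27.41.169#44000: query: yqv.5kkx.com IN A + (66.199.132.7)
18-Feb-2014 21:45:25.107 queries: info: client 45.207.31.218#30585: query: e.5kkx.com IN A + (66.199.132.7)
18-Feb-2014 21:45:25.644 queries: info: client 95.217.89.95#5396: query: bfpofpj.5kkx.com IN A + (66.199.132.5)
18-Feb-2014 21:45:25.823 queries: info: client 89.47.129.187#12316: query: aocdesguijxym.5kkx.com IN A + (66.199.132.5)
18-Feb-2014 21:45:26.021 queries: info: client 15.205.106.62#34265: query: xqgyahfugnt.5kkx.com IN A + (66.199.132.7)
18-Feb-2014 21:45:26.057 queries: info: client 128.64.33.29#7584: query: ijwhqfmpohmj.5kkx.com IN A + (216.222.148.103)
18-Feb-2014 21:45:26.330 queries: info: client 102.206.85.254#8093: query: ibojknsrqjohib.5kkx.com IN A + (216.222.148.103)
18-Feb-2014 21:45:26.333 queries: info: client 40.121.221.81#10822: query: ebb.5kkx.com IN A + (66.199.132.5)
18-Feb-2014 21:45:26.752 queries: info: client 104.55.169.43#30108: query: l.5kkx.com IN A + (66.199.132.7)
18-Feb-2014 21:45:27.001 queries: info: client 192.0.2.10#53012: query: www.example.net IN A + (66.199.132.5)
18-Feb-2014 21:45:27.410 queries: info: client 192.0.2.10#53013: query: www.example.net IN A + (66.199.132.5)
18-Feb-2014 21:45:28.120 queries: info: client 192.0.2.10#53014: query: www.example.net IN A + (66.199.132.5)
"""


def parse_line(line):
    """Return a dict for one query-log line, or None if it is not a query line."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["qname"] = rec["qname"].rstrip(".").lower()
    return rec


def registered_zone(qname, depth=2):
    # Assumption: the last two labels are the registered domain. A real tool
    # would use the Public Suffix List so that co.uk, com.cn, ... work too.
    return ".".join(qname.split(".")[-depth:])


def shannon_entropy(s):
    """Bits per character of the string; random labels score high, 'www' scores 0."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def triage(lines, min_queries=10, min_source_ratio=0.8, min_qname_ratio=0.8):
    """Per-zone statistics; a zone is flagged when nearly every query comes from
    a fresh source and asks for a fresh name (assumed thresholds)."""
    by_zone = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            by_zone[registered_zone(rec["qname"])].append(rec)
    report = {}
    for zone, recs in by_zone.items():
        n = len(recs)
        sources = {r["src"] for r in recs}
        qnames = {r["qname"] for r in recs}
        labels = [r["qname"].split(".")[0] for r in recs]
        first = min(r["ts"] for r in recs)
        last = max(r["ts"] for r in recs)
        span = max((last - first).total_seconds(), 1e-3)
        report[zone] = {
            "queries": n,
            "distinct_sources": len(sources),
            "distinct_qnames": len(qnames),
            "qps": n / span,
            "mean_label_len": sum(map(len, labels)) / n,
            "mean_label_entropy": sum(shannon_entropy(l) for l in labels) / n,
            "flagged": (n >= min_queries
                        and len(sources) / n >= min_source_ratio
                        and len(qnames) / n >= min_qname_ratio),
        }
    return report


if __name__ == "__main__":
    for zone, s in sorted(triage(SAMPLE_LOG.splitlines()).items()):
        print(f"{zone:14} q={s['queries']:3} src={s['distinct_sources']:3} "
              f"qps={s['qps']:5.1f} len={s['mean_label_len']:4.1f} "
              f"H={s['mean_label_entropy']:.2f} flagged={s['flagged']}")
```

Run it against a real `queries` log channel and the flagged zones are the ones to pull NS records for, as Joe and Steinar do above; the mean label length is worth keeping in the report because a bulk tunnel that is trying to move data will push labels towards the 63-octet limit, while the one-to-fourteen-character labels in this sample carry very little per query.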



Re: random dns queries with random sources

2014-02-19 Thread Dobbins, Roland

On Feb 19, 2014, at 10:57 PM, Beeman, Davis davis.bee...@integratelecom.com 
wrote:

> I am late to this train, but it appears no one else has brought this up.  It
> is a DNS tunneling setup, not an attack.

This makes a lot of sense - good insight, will look into this further!

---
Roland Dobbins rdobb...@arbor.net // http://www.arbornetworks.com

  Luck is the residue of opportunity and design.

   -- John Milton




Re: random dns queries with random sources

2014-02-19 Thread Simon Perreault
On 2014-02-19 11:28, Dobbins, Roland wrote:
>> I am late to this train, but it appears no one else has brought this up.  It
>> is a DNS tunneling setup, not an attack.
>
> This makes a lot of sense - good insight, will look into this further!

I use this for free wi-fi in airports and such:

http://code.kryo.se/iodine/

If the wi-fi is configured to use an open resolver, we end up with the
situation you describe.

Simon
-- 
DTN made easy, lean, and smart -- http://postellation.viagenie.ca
NAT64/DNS64 open-source-- http://ecdysis.viagenie.ca
STUN/TURN server   -- http://numb.viagenie.ca

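To make Davis's point about the "tiny amount of data you can send in the DNS query name field" concrete, here is an added example of how a QNAME-based tunnel such as the one Simon links to has to frame its upstream data. It is not iodine's code and makes no claim about iodine's wire format: it simply applies the RFC 1035 limits (63 octets per label, 255 wire octets per name, 253 in presentation form) to a base32 encoding under a tunnel zone, with a two-byte sequence header of this example's own design so that reordered UDP queries can be reassembled. The zone name 5kkx.com is taken from Joe's log; the payload is constructed.

```python
"""Why a DNS tunnel needs thousands of queries: QNAME capacity and framing.

Added example for this thread; not iodine's code and not its wire format.
Packs bytes into base32 labels under a tunnel zone within the RFC 1035
limits, with an assumed two-byte sequence header for reassembly.
"""
import base64
import math

MAX_LABEL = 63   # RFC 1035: a label is at most 63 octets
MAX_NAME = 253   # presentation form of the 255-octet wire limit
SEQ_BYTES = 2    # example framing: big-endian chunk sequence number


def encode_chunk(chunk, zone):
    """Encode raw bytes as base32 labels under `zone`.
    base32 is used because resolvers may fold case; base64 would not survive."""
    text = base64.b32encode(chunk).decode("ascii").rstrip("=").lower()
    labels = [text[i:i + MAX_LABEL] for i in range(0, len(text), MAX_LABEL)]
    return ".".join(labels + [zone])


def decode_name(name, zone):
    """Inverse of encode_chunk: strip the zone, join labels, restore padding."""
    suffix = "." + zone
    if not name.endswith(suffix):
        raise ValueError(f"{name!r} is not under tunnel zone {zone!r}")
    text = name[:-len(suffix)].replace(".", "").upper()
    text += "=" * (-len(text) % 8)
    return base64.b32decode(text)


def max_payload_bytes(zone):
    """Largest chunk whose encoded name still fits in MAX_NAME for this zone."""
    n = 0
    while len(encode_chunk(bytes(n + 1), zone)) <= MAX_NAME:
        n += 1
    return n


def encode_payload(payload, zone):
    """Split a payload into query names, each carrying a sequence header."""
    chunk = max_payload_bytes(zone) - SEQ_BYTES
    names = []
    for seq, off in enumerate(range(0, len(payload), chunk)):
        if seq >= 1 << (8 * SEQ_BYTES):
            raise ValueError("payload exceeds the sequence space of this framing")
        header = seq.to_bytes(SEQ_BYTES, "big")
        names.append(encode_chunk(header + payload[off:off + chunk], zone))
    return names


def decode_payload(names, zone):
    """Reassemble chunks in sequence order, whatever order the queries arrived in."""
    chunks = {}
    for name in names:
        raw = decode_name(name, zone)
        chunks[int.from_bytes(raw[:SEQ_BYTES], "big")] = raw[SEQ_BYTES:]
    return b"".join(chunks[i] for i in sorted(chunks))


def queries_needed(payload_len, zone):
    """How many queries a payload of this size costs under this zone."""
    return math.ceil(payload_len / (max_payload_bytes(zone) - SEQ_BYTES))


# Constructed payload: 1 KiB of all byte values, so the encoding is exercised fully.
PAYLOAD = bytes(range(256)) * 4

if __name__ == "__main__":
    zone = "5kkx.com"
    names = encode_payload(PAYLOAD, zone)
    print(f"{max_payload_bytes(zone)} bytes fit in one name under {zone}")
    print(f"{len(PAYLOAD)} bytes -> {len(names)} queries, e.g. {names[0][:48]}...")
    print(f"1 MiB upstream needs {queries_needed(1 << 20, zone)} queries")
    assert decode_payload(list(reversed(names)), zone) == PAYLOAD
```

Under an eight-character zone the ceiling is about 150 bytes of raw data per query before any framing, so a megabyte upstream is on the order of seven thousand queries; a shorter zone or a tunnel that also uses TXT/NULL responses for the downstream direction changes the numbers but not the shape, which is why this traffic looks like a flood on the resolver side.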


Re: random dns queries with random sources

2014-02-19 Thread Tempest
Or if you tell your bots to use a set of open resolvers, it helps hide them
by a step.


On Wed, Feb 19, 2014 at 8:32 AM, Simon Perreault 
simon.perrea...@viagenie.ca wrote:

> On 2014-02-19 11:28, Dobbins, Roland wrote:
>>> I am late to this train, but it appears no one else has brought this
>>> up.  It is a DNS tunneling setup, not an attack.
>>
>> This makes a lot of sense - good insight, will look into this further!
>
> I use this for free wi-fi in airports and such:
>
> http://code.kryo.se/iodine/
>
> If the wi-fi is configured to use an open resolver, we end up with the
> situation you describe.
>
> Simon
> --
> DTN made easy, lean, and smart -- http://postellation.viagenie.ca
> NAT64/DNS64 open-source-- http://ecdysis.viagenie.ca
> STUN/TURN server   -- http://numb.viagenie.ca




Deadline Approaching [was: Ad Hoc BCOP Committee - Call for Volunteers]

2014-02-19 Thread Chris Grundemann
Hello again NANOGers,

FYI - The deadline for BCOP committee nominations is 28 February.

We have received several great candidates already and are hoping to receive
several more!

If you are interested in joining this grassroots effort to make the
Internet a safer, more predictable place (or know someone who should) -
please send an email with a brief bio to be...@nanog.org ASAP. We'll be
kicking off committee calls in early March! =)

Thanks!
~Chris


On Fri, Jan 31, 2014 at 1:56 PM, Chris Grundemann cgrundem...@gmail.comwrote:

> Hail NANOGers!
>
> Per approval of the NANOG Board in February 2013, a community effort to
> develop a NANOG sponsored regional BCOP effort was engaged. NANOG BCOP
> Tracks and updates were provided at RIPE, ARIN, NANOG 57, 58, and 59.
>
> In November of 2013, sufficient interest and momentum in the NANOG BCOP
> effort emerged. On November 21, 2013, the NANOG Board approved the
> appointment of an Ad Hoc Committee Chair who would report to the Board and
> direct the efforts of NANOG-BCOP.
>
> I have agreed to serve as Chair and am now seeking volunteers to continue
> with the important work of the committee. Please consider volunteering your
> time and effort in support of this important NANOG activity!
>
> To help guide you, please review the following committee expectations:
>
> Strategies and Goals:
> * Support an open, transparent, and bottom-up/grassroots process for the
> creation of current and living practical network operation documentation
> * Facilitate the development of mutually rewarding documents and guides
> * Maintain the sense of community and accessibility in BCOP materials
> * Develop and deploy a portfolio of guides that meet the needs of the
> broad range of NANOG operators
>
> Deliverables:
> * Responsible for recruiting a minimum of 1 shepherd per calendar year.
> * Responsible for recruiting a minimum of 1 author per calendar year.
> * Required to attend at least 75% of all scheduled committee calls.
> * Expected to attend 66% of all NANOG meetings over the course of your
> two-year term.
> * A BCOP Ad Hoc Committee Member is expected to volunteer up to 10 hours
> in the 12 weeks leading into a NANOG meeting and an additional 15 hours all
> year round
>
> Also see the website at http://bcop.nanog.org for more information.
>
> If you are interested in participating, please send your short bio to
> Betty Burke, NANOG Executive Director, be...@nanog.org. Betty can also
> answer any and all questions you may have. Betty or I will be sure to
> follow-up with each volunteer and get our important work underway as soon
> as possible.
>
> Cheers,
> ~Chris
>
> --
> @ChrisGrundemann
> http://chrisgrundemann.com




-- 
@ChrisGrundemann
http://chrisgrundemann.com


Re: random dns queries with random sources

2014-02-19 Thread Joe Maimon



Beeman, Davis wrote:

> rather the authoritative name server in these domains is the rogue DNS server
> in use by the bad actor running a botnet.
>
> Davis Beeman
> Network Security Engineer




Somebody must be registering these domain names.

And I should be able to compile a list of the auth servers in question.

Joe



RE: random dns queries with random sources

2014-02-19 Thread Beeman, Davis
They are, and dropping them just as fast.  It seems like they last a day or two,
and then move on to another domain name.  They are similar enough that the bots
probably work off a formula to determine valid requests.

It may be a coincidence, if you believe in those, but this type of C&C traffic
started ramping up wildly about a month after the ZeroAccess servers got
blocked...

Davis Beeman | Network Security Engineer | 360.816.3052
Integra 


-Original Message-
From: Joe Maimon [mailto:jmai...@ttec.com] 
Sent: Wednesday, February 19, 2014 08:59
To: Beeman, Davis; North American Networking and Offtopic Gripes List
Subject: Re: random dns queries with random sources



Beeman, Davis wrote:

> rather the authoritative name server in these domains is the rogue DNS server
> in use by the bad actor running a botnet.
>
> Davis Beeman
> Network Security Engineer



Somebody must be registering these domain names.

And I should be able to compile a list of the auth servers in question.

Joe



Looking for an Amazon EC2 East Contact

2014-02-19 Thread Ray Van Dolson
Seeing pretty consistent packet loss to/from instances in EC2 East
(54.80 IPs) from various vantage points.

Working through normal support channels, but looking for a contact to
help expedite.

Thanks,
Ray



VMware Training

2014-02-19 Thread Phil Gardner
Not sure if this list is the best place, but it is probably the only 
list that I'm on that won't give me a bunch of grief about the chosen 
technology.


I looked at VMware's site, and there are a ton of options. I'm wondering 
if anyone has some basic suggestions or experiences.


I'm a Linux admin by trade (RH based), with ok networking ability. I'm 
sufficiently versed in deploying scripted ESXi (including 5.x) 
installations for a specific environment, including vswitches/SAN config 
(but only with NFS datastores backed by a NetApp, unfortunately, no 
blockbased stores).


I'd like to get experience deploying VCenter clusters, down to DRS/HA 
config, other block based storage, and anything else a large environment 
needs.


Thoughts or experiences?

--
_
Phil Gardner
PGP Key ID 0xFECC890C
OTR Fingerprint 6707E9B8 BD6062D3 5010FE8B 36D614E3 D2F80538



Re: VMware Training

2014-02-19 Thread Eugeniu Patrascu
On Wed, Feb 19, 2014 at 8:14 PM, Phil Gardner phil.gardne...@gmail.comwrote:

> Not sure if this list is the best place, but it is probably the only list
> that I'm on that won't give me a bunch of grief about the chosen technology.
>
> I looked at VMware's site, and there are a ton of options. I'm wondering
> if anyone has some basic suggestions or experiences.
>
> I'm a Linux admin by trade (RH based), with ok networking ability. I'm
> sufficiently versed in deploying scripted ESXi (including 5.x)
> installations for a specific environment, including vswitches/SAN config
> (but only with NFS datastores backed by a NetApp, unfortunately, no
> blockbased stores).


If you want block storage, just export an iSCSI device to the ESXi machines
(tgtadm on RedHat is all you need and a few gigs of free space). VMFS is
cluster aware so you can export the same volume to independent ESXi hosts
and as long as you don't access the same files, you're good to go.



> I'd like to get experience deploying VCenter clusters, down to DRS/HA
> config, other block based storage, and anything else a large environment
> needs.


All you need is licenses (Enterprise Plus to get all the nice features) and
a vCenter server. If you already have it, just create a new cluster and
follow the prompts in the wizards and play with all the options.


> Thoughts or experiences?


When I first started with this it seemed like rocket science, but once you
create a cluster and do DRS/HA/dvSwitch/etc it's all pretty basic:
- HA in VMware means that if a host fails, the VMs will be restarted on a
different host.
- DRS it means automated live migration of virtual machines based on load.
- dvSwitch is a distributed virtual switch whereby you have a consistent
configuration across the hosts that you configure from the vCenter server.

If you know RedHat, then from experience in a few days you can learn the
ins/outs of how a VMware cluster works.

With ESXi 5.1+ you can run ESXi inside an ESXi host so if you have a lot of
memory on a host you can create your own little lab with all the features
and experiment with them.

If you want to certify, then official training is a mandatory requirement.

HTH,
Eugeniu


Re: VMware Training

2014-02-19 Thread Matt Chung
Hey Phil,
I recently did the VCP certification/course through VMware; however, I was
working with the technology over the past 5 years. Based on your desire to
gain experience with it, my recommendation is to load up VMware Workstation
on your computer and deploy ESXi instances as the guests. This is
cost-feasible and, although performance won't be production grade, you have
the ability to play with clusters, DRS/HA config, OpenSAN (for your block
based storage), etc.  There is a myriad of training docs available, but if
you do want the certification itself, you'll have to go through the official
course(s).

Cheers,
Matt Chung


On Wed, Feb 19, 2014 at 12:14 PM, Phil Gardner phil.gardne...@gmail.comwrote:

> Not sure if this list is the best place, but it is probably the only list
> that I'm on that won't give me a bunch of grief about the chosen technology.
>
> I looked at VMware's site, and there are a ton of options. I'm wondering
> if anyone has some basic suggestions or experiences.
>
> I'm a Linux admin by trade (RH based), with ok networking ability. I'm
> sufficiently versed in deploying scripted ESXi (including 5.x)
> installations for a specific environment, including vswitches/SAN config
> (but only with NFS datastores backed by a NetApp, unfortunately, no
> blockbased stores).
>
> I'd like to get experience deploying VCenter clusters, down to DRS/HA
> config, other block based storage, and anything else a large environment
> needs.
>
> Thoughts or experiences?
>
> --
> _
> Phil Gardner
> PGP Key ID 0xFECC890C
> OTR Fingerprint 6707E9B8 BD6062D3 5010FE8B 36D614E3 D2F80538




-- 
-Matt Chung


Re: VMware Training

2014-02-19 Thread Jay Ashworth
- Original Message -
> From: Eugeniu Patrascu eu...@imacandi.net
>
> If you want block storage, just export an iSCSI device to the ESXi machines
> (tgtadm on RedHat is all you need and a few gigs of free space). VMFS is
> cluster aware so you can export the same volume to independent ESXi hosts
> and as long you don't access the same files, you're good to go.

My understanding of a cluster-aware filesystem was that it can be mounted at
the physical block level by multiple operating system instances with complete
safety.  That seems to conflict with what you suggest, Eugeniu; am I
missing something (as I often do)?

Cheers,
-- jra
-- 
Jay R. Ashworth  Baylink   j...@baylink.com
Designer The Things I Think   RFC 2100
Ashworth  Associates   http://www.bcp38.info  2000 Land Rover DII
St Petersburg FL USA  BCP38: Ask For It By Name!   +1 727 647 1274



random dns queries with random sources

2014-02-19 Thread Dale Rumph
Davis,

Having seen this in the past, and managing both open resolvers and
authoritative servers for several large eyeball networks, I think your
assumption is correct: this definitely smells like C&C traffic being handled
via DNS.

Just my 2c - YMMV - All sales final, As is

- Dale Rumph
- Network Engineer/Security Consultant
On Feb 19, 2014 10:58 AM, Beeman, Davis davis.bee...@integratelecom.com
wrote:

> I am late to this train, but it appears no one else has brought this up.
> It is a DNS tunneling setup, not an attack.  I have been dealing with one
> of these lately as well.  They were using some open resolvers in my network
> to reflect, but the random hostnames in the queries are tunneled traffic
> or keywords.  The original sources of the traffic are probably members of a
> botnet, and this is being used as a sneaky C&C method.   Due to the tiny
> amount of data you can send in the DNS query name field, this will sort of
> look like an attack, because they have to send thousands of queries to get
> anything done.
>
> They are not attacking the authoritative name servers in those domains, as
> has been suggested; rather, the authoritative name server in these domains
> is the rogue DNS server in use by the bad actor running a botnet.
>
> Davis Beeman
> Network Security Engineer
>
>
> -Original Message-
> From: Joe Maimon [mailto:jmai...@ttec.com]
> Sent: Tuesday, February 18, 2014 19:08
> To: North American Networking and Offtopic Gripes List
> Subject: random dns queries with random sources
>
> Hey all,
>
> DNS amplification spoofed source attacks, I get that. I even thought I was
> getting mitigation down to acceptable levels.
>
> But now this. At different times during the previous days and on different
> resolvers, routers with proxy turned on, etc...
>
> Thousands of queries with thousands of source ip addresses.
>
> According to my logs, sources are not being repeated (or not with any
> significant frequency)
>
> What is the purpose of this?
>
> 18-Feb-2014 21:45:24.982 queries: info: client 38.89.3.12#19391: query: swe.5kkx.com IN A + (66.199.132.5)
> 18-Feb-2014 21:45:25.067 queries: info: client 4.109.210.187#55190: query: ngqrbwuzquz.5kkx.com IN A + (66.199.132.7)
> 18-Feb-2014 21:45:25.105 queries: info: client 91.82.209.221#33924: query: bgbtqcdtzen.5kkx.com IN A + (66.199.132.7)
> 18-Feb-2014 21:45:25.106 queries: info: client 6.29.8.224#4379: query: uehkaiy.5kkx.com IN A + (66.199.132.7)
> 18-Feb-2014 21:45:25.106 queries: info: client 67.27.41.169#44000: query: yqv.5kkx.com IN A + (66.199.132.7)
> 18-Feb-2014 21:45:25.107 queries: info: client 45.207.31.218#30585: query: e.5kkx.com IN A + (66.199.132.7)
> 18-Feb-2014 21:45:25.644 queries: info: client 95.217.89.95#5396: query: bfpofpj.5kkx.com IN A + (66.199.132.5)
> 18-Feb-2014 21:45:25.823 queries: info: client 89.47.129.187#12316: query: aocdesguijxym.5kkx.com IN A + (66.199.132.5)
> 18-Feb-2014 21:45:26.021 queries: info: client 15.205.106.62#34265: query: xqgyahfugnt.5kkx.com IN A + (66.199.132.7)
> 18-Feb-2014 21:45:26.057 queries: info: client 128.64.33.29#7584: query: ijwhqfmpohmj.5kkx.com IN A + (216.222.148.103)
> 18-Feb-2014 21:45:26.330 queries: info: client 102.206.85.254#8093: query: ibojknsrqjohib.5kkx.com IN A + (216.222.148.103)
> 18-Feb-2014 21:45:26.333 queries: info: client 40.121.221.81#10822: query: ebb.5kkx.com IN A + (66.199.132.5)
> 18-Feb-2014 21:45:26.752 queries: info: client 104.55.169.43#30108: query: l.5kkx.com IN A + (66.199.132.7)





Re: random dns queries with random sources

2014-02-19 Thread Masataka Ohta
Joe Maimon wrote:

> What is the purpose of this?

It may be an experiment that rate limiting is useless to suppress
amplification against attacks simultaneously on many targets.

A better protection should be to shutdown secure DNS, which is
not very secure.

Masataka Ohta




Re: GEO location issue with google

2014-02-19 Thread Robert Drake
For future reference, the last time this issue came up someone said 
doing this was a good way to get their geo stuff fixed automatically:


http://tools.ietf.org/html/draft-google-self-published-geofeeds-02

I haven't messed with it yet, but it seems like a good idea.  I want to 
write something that lets me export this from our IPAM but I've been 
busy and it isn't a problem for us at the moment.


Thanks,
Robert

On 2/19/2014 8:02 AM, Praveen Unnikrishnan wrote:

> Hi Heather,
>
> Thank you very much for sorting out this issue.



> From: Heather Schiller [mailto:h...@google.com]
> Sent: 13 February 2014 05:43
> To: Praveen Unnikrishnan
> Cc: nanog@nanog.org
> Subject: Re: GEO location issue with google
>
> Reported to the appropriate folks.
>
> Going to www.google.co.uk directly should return you English language
> results.   Appending /en to the end of a google url should also return you
> English language results.  You should also be able to set your language
> preference in your search settings.
>
>   --Heather
>
> On Fri, Feb 7, 2014 at 10:20 AM, Praveen Unnikrishnan p...@pmgroupuk.com
> wrote:
> Hi,
>
> We are an ISP based in the UK. We have got an IP block from RIPE which is
> 5.250.176.0/20. All the main search engines like Yahoo show we are based in
> the UK. But Google thinks we are from Saudi Arabia and we are redirected to
> www.google.com.sa instead of google.co.uk. I have sent a lot of emails to
> Google but no luck. All the information from Google is in Arabic and YouTube
> shows some weird videos as well.
>
> Could anyone please help me to sort this out?
>
> Would be much appreciated for your time.

Praveen Unnikrishnan
Network Engineer
PMGC Technology Group Ltd
T:  020 3542 6401
M: 07827921390
F:  087 1813 1467
E: 
p...@pmgroupuk.commailto:p...@pmgroupuk.commailto:p...@pmgroupuk.commailto:p...@pmgroupuk.com



www.pmgroupuk.com | www.pmgchosting.com




NTP DRDos Blog post

2014-02-19 Thread Harlan Stenn
Folks,

I just posted http://nwtime.org/ntp-winter-2013-network-drdos-attacks/ .

In general we've never allowed comments to blog posts on that site;
we're currently discussing if we should allow them for this post.

I'd love to hear any feedback about the post.

Thanks...

-- 
Harlan Stenn st...@ntp.org
http://networktimefoundation.org  - be a member!



Re: spamassassin

2014-02-19 Thread Randy Bush
> Daniel is correct, he gets a cookie! To the others: please learn to
> recognize when you have no clue.

simon, you just do not understand the purpose of the nanog list

> We've been having the same problem here for the last three days. I
> tracked it down to BAYES_999. Glad to see other people are suffering
> as much as I am. :)

as the fix is not yet out, would be cool if someone with more fu than i
posted a recipe to hack for the moment.

randy



Re: spamassassin

2014-02-19 Thread Gary E. Miller
Yo Randy!

On Thu, 20 Feb 2014 10:48:49 +0800
Randy Bush ra...@psg.com wrote:

>> We've been having the same problem here for the last three days. I
>> tracked it down to BAYES_999. Glad to see other people are suffering
>> as much as I am. :)
>
> as the fix is not yet out, would be cool if someone with more fu than
> i posted a recipe to hack for the moment.

http://www.gossamer-threads.com/lists/spamassassin/users/183433

body BAYES_99 eval:check_bayes('0.99', '0.999')
body BAYES_999 eval:check_bayes('0.999', '1.00')
score BAYES_99 0 0 3.8 3.5
score BAYES_999 0 0 4.0 3.7

RGDS
GARY
---
Gary E. Miller Rellim 109 NW Wilmington Ave., Suite E, Bend, OR 97701
g...@rellim.com  Tel:+1(541)382-8588




Re: spamassassin

2014-02-19 Thread Andris Kalnozols

On 2/19/2014 6:48 PM, Randy Bush wrote:

>> Daniel is correct, he gets a cookie! To the others: please learn to
>> recognize when you have no clue.
>
> simon, you just do not understand the purpose of the nanog list
>
>> We've been having the same problem here for the last three days. I
>> tracked it down to BAYES_999. Glad to see other people are suffering
>> as much as I am. :)
>
> as the fix is not yet out, would be cool if someone with more fu than i
> posted a recipe to hack for the moment.


I found this config. block in the file 50_scores.cf and added
the BAYES_999 entry:


# make the Bayes scores unmutable (as discussed in bug 4505)
ifplugin Mail::SpamAssassin::Plugin::Bayes
score BAYES_00  0  0 -1.5   -1.9
score BAYES_05  0  0 -0.3   -0.5
score BAYES_20  0  0 -0.001 -0.001
score BAYES_40  0  0 -0.001 -0.001
score BAYES_50  0  0  2.0    0.8
score BAYES_60  0  0  2.5    1.5
score BAYES_80  0  0  2.7    2.0
score BAYES_95  0  0  3.2    3.0
score BAYES_99  0  0  3.8    3.5
score BAYES_999 0  0  4.0    3.9
endif


--
Andris
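Both SpamAssassin fragments in this thread (Gary's local.cf override with its
body/score pair, and Andris's 50_scores.cf block) hinge on two things being
right at once: every Bayes rule must carry an explicit score line for all four
score sets, and the check_bayes probability ranges must not overlap, otherwise a
message can hit BAYES_99 and BAYES_999 together and its score is inflated. The
checker below is an added example written for this archive, not code from the
thread or from the SpamAssassin project; it assumes plain .cf text on its input,
and the GOOD_CF and BAD_CF fragments are constructed samples (BAD_CF has a
deliberately widened BAYES_99 range and a missing score line to show the failure
case).

```python
"""Sanity-check SpamAssassin .cf fragments that define Bayes rules.

Added example, not part of the NANOG thread or of SpamAssassin itself.
It parses `body NAME eval:check_bayes('lo', 'hi')` rule definitions and
`score NAME v1 [v2 v3 v4]` lines, then reports:
  * Bayes rules that have no score line (SpamAssassin falls back to a
    default score of 1.0 for an unscored rule), or a malformed one; and
  * check_bayes ranges that overlap, so two Bayes rules could fire on the
    same message and double-count its probability.
"""
import re

# Constructed sample: the local.cf override posted in the thread.
GOOD_CF = """\
body BAYES_99 eval:check_bayes('0.99', '0.999')
body BAYES_999 eval:check_bayes('0.999', '1.00')
score BAYES_99 0 0 3.8 3.5
score BAYES_999 0 0 4.0 3.7
"""

# Constructed failure case: BAYES_99 still spans all the way to 1.00, so it
# overlaps BAYES_999, and BAYES_999 has no score line at all.
BAD_CF = """\
body BAYES_99 eval:check_bayes('0.99', '1.00')
body BAYES_999 eval:check_bayes('0.999', '1.00')
score BAYES_99 0 0 3.8 3.5
"""

BODY_RE = re.compile(
    r"^\s*body\s+(\S+)\s+eval:check_bayes\('([\d.]+)',\s*'([\d.]+)'\)"
)
SCORE_RE = re.compile(r"^\s*score\s+(\S+)\s+(.*)$")


def parse_cf(text):
    """Return ({rule: (lo, hi)}, {rule: [score values]}) for a .cf fragment.

    Lines that are neither a check_bayes body rule nor a score line
    (comments, ifplugin/endif, other rules) are ignored.
    """
    ranges, scores = {}, {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0]  # drop trailing comments
        m = BODY_RE.match(line)
        if m:
            ranges[m.group(1)] = (float(m.group(2)), float(m.group(3)))
            continue
        m = SCORE_RE.match(line)
        if m:
            scores[m.group(1)] = [float(v) for v in m.group(2).split()]
    return ranges, scores


def check_bayes_rules(text):
    """Return a list of problem descriptions; an empty list means the fragment is sane."""
    ranges, scores = parse_cf(text)
    problems = []
    for rule in ranges:
        vals = scores.get(rule)
        if vals is None:
            problems.append(f"{rule}: no score line (default score 1.0 would apply)")
        elif len(vals) not in (1, 4):
            problems.append(f"{rule}: score line needs 1 or 4 values, got {len(vals)}")
    # Ranges are half-open [lo, hi); sorted by lo, each must end at or before
    # the next one starts.
    ordered = sorted(ranges.items(), key=lambda kv: kv[1][0])
    for (a, (a_lo, a_hi)), (b, (b_lo, b_hi)) in zip(ordered, ordered[1:]):
        if a_hi > b_lo:
            problems.append(f"{a} [{a_lo}, {a_hi}) overlaps {b} [{b_lo}, {b_hi})")
    return problems


if __name__ == "__main__":
    for name, frag in (("good", GOOD_CF), ("bad", BAD_CF)):
        print(name, check_bayes_rules(frag) or "OK")
```

Run it against the concatenation of your site-wide .cf files in the order
SpamAssassin reads them (later score lines override earlier ones in the
dictionary, mirroring local.cf overriding 50_scores.cf) and act on anything it
reports before the next sa-update.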




Re: spamassassin

2014-02-19 Thread Randy Bush
> http://www.gossamer-threads.com/lists/spamassassin/users/183433

as blabby as nanog, and not really specific

> body BAYES_99 eval:check_bayes('0.99', '0.999')
> body BAYES_999 eval:check_bayes('0.999', '1.00')
> score BAYES_99 0 0 3.8 3.5
> score BAYES_999 0 0 4.0 3.7

and this is a replacement for both 999 and 99?  

randy



Re: VMware Training

2014-02-19 Thread Jimmy Hess
On Wed, Feb 19, 2014 at 12:14 PM, Phil Gardner phil.gardne...@gmail.com wrote:

Seeing you are a Linux admin; VMware's prof. training offerings are
basic point and click things, not very Linux-admin friendly; no
advanced subjects or even CLI usage in Install, Configure, Manage. If
you are already at the level of doing scripted ESXi installs and
configuring hosts for SAN storage and networking according to VMware's
best practices, then you should be able to work out the little that is
left by reading the ample documentation and a few whitepapers, unless
you need proof of completing a class as a certification pre-requisite.

One way to get the extra experience would be to start by putting
together the simplest two-node or three-node cluster you can muster; try
various configurations, put it through its paces: make it break in every
conceivable way, fix it.

There is almost nothing extra to do for DRS/HA config, other than to
design the networking, storage, compute, and DNS properly to be resilient
and support them.

You literally just check a box to turn on DRS, and a box to turn on HA,
select an admission policy, and select automation level and migration
threshold.

Of course, there are advanced options, and 'exotic' clusters where you
need to know the magic option names. You may also need to specify
additional isolation IP addresses, or tweak timeouts for VMware tools
heartbeat monitoring, to cut down on unwanted false HA restarts.

These are not things you will find in the training classes; you need to
read the documentation and literature contained on various blogs --- it
would probably be best to read some of Duncan Epping and Scott Lowe's
books, if you have the time, to further solidify understanding.

Ultimately, you are not going to be able to do this realistically without
real servers comparable to the real world, so a laptop running ESXi may
not be enough.

You could also find a company to lease you some lab hours to tinker with
other storage technology; I'm sure by now there are online cloud-based
Rent-A-Labs with the EMC VNX/Dell Equallogic/HP storage hardware.

> vswitches/SAN config (but only with NFS datastores backed by a NetApp,
> unfortunately,

Also... with uh... NetApp units running current software at least can very
easily create an extra block-based LUN on top of a volume, to be served out
as a block target. You might want to ask your storage vendor support
what it would take to get the keycode to turn on FC or iSCSI
licenses, so you can present an extra 40GB scratch volume. Or
you could download the NetApp simulator to play with :-O

All the ESXi documentation is online, and all the relevant software has a
60-day evaluation grace period after install. You just need to work through
it. Get things working in the lab, then start trying out more complicated
scenarios and trying the advanced knobs later; read the installation
directions; see how things work.

Buying or scavenging a used server is probably easiest to do for long-term
playing; look for something with 32GB of RAM, and 4 or more 2.5" SAS
drives. Try to have 100GB of total disk space in a hardware RAID10 or
RAID0 with 256MB or so controller writeback cache, or an SSD; the idea
is to have enough space to install vCenter and operations manager and a few
VMs.

A 3 year old Dell 11G R610 or HP DL360 G6 likely falls into this
category. Install ESXi on the server, and create 3 virtual machines that will
be nested ESXi servers; the OS of the VMs will be ESXi.

See:
http://www.virtuallyghetto.com/2012/08/how-to-enable-nested-esxi-other.html

If you would rather build a desktop tower for ESXi, look for a desktop
motherboard with a 64-bit Intel proc with DDR2 ECC memory support in at
least 32GB of RAM, VT-d support, and onboard Broadcom or Intel
networking. Network controller and storage controller choices are key;
exotic hardware won't work.

Considering vCenter itself wants a minimum 12GB of RAM, in case you want
to test out _both_ the vCenter virtual appliance and the standard install
on Windows, about 32GB RAM is great.

In competition against the VMware HCL, there's a white box HCL:
http://www.vm-help.com/esx40i/esx40_whitebox_HCL.php

I would look to something such as the Iomega Storcenter PX6, PX4 or
Synology DS1512+ as an inexpensive shared storage solution for playing
around with iSCSI-based block targets. I think the Iomegas may be the
least-cost physical arrays on the official VMware HCL, with VAAI support.

You can also use a virtual machine running on the local disks of your ESXi
server to present shared storage, as another VM, if you run your cluster's
ESXi servers as nested virtual machines on one server.

Some software options are Linux... Nexenta... FreeNAS... Open-e...
HP Lefthand... Isilon... Falconstor... Nutanix (I would look at the
first 3 primarily)

Or
You can also use a spare 

Re: spamassassin

2014-02-19 Thread Michael Butler
On 02/19/14 22:22, Randy Bush wrote:
>> http://www.gossamer-threads.com/lists/spamassassin/users/183433
>
> as blabby as nanog, and not really specific
>
>> body BAYES_99 eval:check_bayes('0.99', '0.999')
>> body BAYES_999 eval:check_bayes('0.999', '1.00')
>> score BAYES_99 0 0 3.8 3.5
>> score BAYES_999 0 0 4.0 3.7
>
> and this is a replacement for both 999 and 99?

You should be able to just whack it into local.cf and it'll override
whatever other instances there are.

Michael





Re: VMware Training

2014-02-19 Thread Jimmy Hess
On Wed, Feb 19, 2014 at 2:06 PM, Jay Ashworth j...@baylink.com wrote:

> - Original Message -
>> From: Eugeniu Patrascu eu...@imacandi.net
> [snip]
> My understanding of a cluster-aware filesystem was that it can be mounted at the
> physical block level by multiple operating system instances with complete
> safety.  That seems to conflict with what you suggest, Eugeniu; am I
> missing something (as I often do)?


When one of the hosts has a virtual disk file open for write access on a
VMFS cluster-aware filesystem, it is locked to that particular host,
and a process on a different host is denied the ability to write to the
file, or even open the file for read access.

Another host cannot even read/write metadata about the file's directory
entry. Attempts to do so get rejected with an error.

So you don't really have to worry all that much as long as you don't
access the same files, although certainly you should not try to, either.

Only the software in ESXi can access the VMFS --- there is no ability to
run arbitrary applications.

(Which is also why I like NFS more than shared block storage; you can
conceptually use the likes of a storage array feature such as FlexClone
to make a copy-on-write clone of a file, take a storage level snapshot,
and then do a granular restore of a specific VM, without having to
restore the entire volume as a unit.

You can't pull that off with a clustered filesystem on a block target!)

Also, the VMFS filesystem is cluster aware by method of exclusion (SCSI
reservations) and separate journaling.

Metadata locks are global in the VMFS cluster-aware filesystem. Only one
host is allowed to write to any of the metadata on the entire volume at a
time, unless you have VAAI VMFS extensions and your storage vendor supports
ATS (atomic test and set), resulting in a performance bottleneck.

For that reason, while VMFS is cluster aware, you cannot necessarily have
a large number of cluster nodes, or more than a few dozen open files,
before performance degrades due to the metadata bottleneck.

Another consideration is that, in the event that you have a power outage
which simultaneously impacts your storage array and all your hosts, you
may very well be unable to regain access to any of your files until the
specific host that had that file locked comes back up, or you wait out a
~30 to ~60 minute timeout period.




> Cheers,
> -- jra

--
-JH


Re: VMware Training

2014-02-19 Thread Jay Ashworth
Why bother with a clustering FS, then, if you cannot actually /use it/ as one?
- jra

-- 
Sent from my Android phone with K-9 Mail. Please excuse my brevity.