NTT NOC Contact
Looking to discuss a routing issue going through NTT's link to JP.
Re: NTT NOC Contact
On Thu, Nov 27, 2014 at 04:51:59AM -0500, james jones wrote: Looking to discuss a routing issue going through NTT's link to JP. Feel free to contact me off-list with the details. Kind regards, Job
Re: NTT NOC Contact
We are getting a huge amount of traffic loss while sending to JP. I am trying to figure out if the problem is with cogent or NTT. Thoughts? Here is a MTR trace: login02.bal (0.0.0.0) Thu Nov 27 01:58:22 2014 Keys: Help Display mode Restart statistics Order of fields quit Packets Pings Host Loss% Last Avg Best Wrst StDev 1. v122-router.bal 0.0% 0.2 0.3 0.2 3.7 0.5 2. netscaler3.bal 0.0% 0.1 0.1 0.1 0.2 0.0 3. gw1.bal.brightcove.com 0.0% 0.6 1.9 0.2 12.4 3.2 4. border1.te9-1.brightcoveinc-2.chg004.pnap.net 2.1% 0.9 2.1 0.4 36.5 6.5 5. core1.te2-2-bbnet2.chg.pnap.net 0.0% 2.1 2.1 1.8 3.5 0.4 6. te0-5-0-33.ccr21.ord03.atlas.cogentco.com 0.0% 1.9 2.5 1.8 16.2 2.5 7. be2003.ccr42.ord01.atlas.cogentco.com 0.0% 2.4 2.5 2.3 3.7 0.3 8. be2157.ccr22.mci01.atlas.cogentco.com 0.0% 14.4 14.3 14.1 17.4 0.5 9. be2133.ccr22.sfo01.atlas.cogentco.com 0.0% 52.0 52.1 51.7 54.0 0.4 10. be2165.ccr22.sjc01.atlas.cogentco.com 23.4% 52.7 52.8 52.6 53.3 0.2 11. be2047.ccr21.sjc03.atlas.cogentco.com 67.4% 53.5 53.5 53.4 53.8 0.1 12. verio.iad01.atlas.cogentco.com 29.8% 53.1 53.2 53.0 54.6 0.4 13. ae-6.r20.snjsca04.us.bb.gin.ntt.net 67.4% 53.3 59.3 53.0 82.3 10.1 14. ae-4.r20.tokyjp05.jp.bb.gin.ntt.net 29.8% 138.2 140.6 138.1 173.9 7.6 15. ae-1.ocn.tokyjp05.jp.bb.gin.ntt.net 69.6% 153.8 153.9 153.8 154.0 0.0 16. 60.37.27.92 97.8% 154.1 154.1 154.1 154.1 0.0 17. 114.147.63.70 36.2% 194.0 167.0 155.0 203.5 16.7 18. 118.23.13.2 63.0% 155.8 155.9 155.8 156.1 0.1 19. 118.23.14.66 100.0 0.0 0.0 0.0 0.0 0.0 20. p3044-ipngnfx01marunouchi.tokyo.ocn.ne.jp 97.8% 150.8 150.8 150.8 150.8 0.0 On Thu, Nov 27, 2014 at 4:56 AM, Job Snijders j...@instituut.net wrote: On Thu, Nov 27, 2014 at 04:51:59AM -0500, james jones wrote: Looking to discuss a routing issue going through NTT's link to JP. Feel free to contact me off-list with the details. Kind regards, Job
Re: Anyone else having trouble reaching thepiratebay.se? AS39138
Looks like its working now (on FIOS anyway) Curious to know why the major networks stopped seeing it yesterday as well. On Thu, Nov 27, 2014 at 12:45 AM, Courtney Smith courtneysm...@comcast.net wrote: No problem here in Los Angeles either, but seeing a lone route through Atrato only. flags destination gateway lpref med aspath origin *194.71.107.0/24 100 0 3491 5580 39138 22351 2.207 51040 i * 194.71.107.0/24 100 0 174 5580 39138 22351 2.207 51040 i On 11/27/2014 午前 11:24, Tony Wicks wrote: No problem here in New Zealand tonyw@vrhost1-w show route 194.71.107.0/24 icore1-w.inet.0: 519451 destinations, 525214 routes (519437 active, 14 holddown, 0 hidden) + = Active Route, - = Last Active, * = Both 194.71.107.0/24*[BGP/170] 10:25:44, MED 0, localpref 90 AS path: 4826 5580 39138 22351 131279 51040 I, validation-state: unverified to 175.45.102.9 via ae1.526 Hopefully the body cones thru this time. The issue isn't city or country based. In my last post I pointed out the do not announce to peers community AS5580 was sending to Cogent, Level3 and who knows who else. So any ASN that is not a customer of Cogent or Level3 wont learn the 5580 path from them. When I checked a few hours ago, Comcast, Centurylink, ATT, TATA, and possibly Sprint were not seeing the /24 based on their public looking glasses or route servers. Have not had time to run bgplay to see if routeviews data shows how they previously saw the /24 in past 30 days. Finding the ASN(s) they used to see from would shed light on why they stopped seeing. Checking bgplay and contacting AS51040 to reach out to their upstreams is my suggestion.
Cogent (was Re: NTT NOC Contact)
Seems your MTR sees loss within the Cogent (174) network prior to reaching the NTT network. I think you perhaps need cogent assistance? - Jared On Thu, Nov 27, 2014 at 04:58:59AM -0500, james jones wrote: We are getting a huge amount of traffic loss while sending to JP. I am trying to figure out if the problem is with cogent or NTT. Thoughts? Here is a MTR trace: login02.bal (0.0.0.0) Thu Nov 27 01:58:22 2014 Keys: Help Display mode Restart statistics Order of fields quit Packets Pings Host Loss% Last Avg Best Wrst StDev 1. v122-router.bal 0.0% 0.2 0.3 0.2 3.7 0.5 2. netscaler3.bal 0.0% 0.1 0.1 0.1 0.2 0.0 3. gw1.bal.brightcove.com 0.0% 0.6 1.9 0.2 12.4 3.2 4. border1.te9-1.brightcoveinc-2.chg004.pnap.net 2.1% 0.9 2.1 0.4 36.5 6.5 5. core1.te2-2-bbnet2.chg.pnap.net 0.0% 2.1 2.1 1.8 3.5 0.4 6. te0-5-0-33.ccr21.ord03.atlas.cogentco.com 0.0% 1.9 2.5 1.8 16.2 2.5 7. be2003.ccr42.ord01.atlas.cogentco.com 0.0% 2.4 2.5 2.3 3.7 0.3 8. be2157.ccr22.mci01.atlas.cogentco.com 0.0% 14.4 14.3 14.1 17.4 0.5 9. be2133.ccr22.sfo01.atlas.cogentco.com 0.0% 52.0 52.1 51.7 54.0 0.4 10. be2165.ccr22.sjc01.atlas.cogentco.com 23.4% 52.7 52.8 52.6 53.3 0.2 11. be2047.ccr21.sjc03.atlas.cogentco.com 67.4% 53.5 53.5 53.4 53.8 0.1 12. verio.iad01.atlas.cogentco.com 29.8% 53.1 53.2 53.0 54.6 0.4 13. ae-6.r20.snjsca04.us.bb.gin.ntt.net 67.4% 53.3 59.3 53.0 82.3 10.1 14. ae-4.r20.tokyjp05.jp.bb.gin.ntt.net 29.8% 138.2 140.6 138.1 173.9 7.6 15. ae-1.ocn.tokyjp05.jp.bb.gin.ntt.net 69.6% 153.8 153.9 153.8 154.0 0.0 16. 60.37.27.92 97.8% 154.1 154.1 154.1 154.1 0.0 17. 114.147.63.70 36.2% 194.0 167.0 155.0 203.5 16.7 18. 118.23.13.2 63.0% 155.8 155.9 155.8 156.1 0.1 19. 118.23.14.66 100.0 0.0 0.0 0.0 0.0 0.0 20. p3044-ipngnfx01marunouchi.tokyo.ocn.ne.jp 97.8% 150.8 150.8 150.8 150.8 0.0 On Thu, Nov 27, 2014 at 4:56 AM, Job Snijders j...@instituut.net wrote: On Thu, Nov 27, 2014 at 04:51:59AM -0500, james jones wrote: Looking to discuss a routing issue going through NTT's link to JP. Feel free to contact me off-list with the details. Kind regards, Job -- Jared Mauch | pgp key available via finger from ja...@puck.nether.net clue++; | http://puck.nether.net/~jared/ My statements are only mine.
Re: Cogent (was Re: NTT NOC Contact)
On Thu, Nov 27, 2014 at 11:00:32AM -0500, Jared Mauch wrote: Seems your MTR sees loss within the Cogent (174) network prior to reaching the NTT network. I think you perhaps need cogent assistance? This was resolved off-list. James is now engaging with his supplier. For future reference: When assistance is needed from NTT, please reach out directly to n...@ntt.net. That mailbox is guarded 24/7 by good people. Kind regards, Job
bidirectional traceroute (was Re: Cogent (was Re: NTT NOC Contact))
Never assume symetric routing (though Im almost old enough to remember the days of.) Wish there was some kinda bidirect traceroute protocol widely supported. Mostly we only have lg's via www if they happen to have been setup for such occasions :( I know there were a few small projects with this kinda idea, but I am not sure if any of them really got anywhere. /kc On Thu, Nov 27, 2014 at 11:00:32AM -0500, Jared Mauch said: Seems your MTR sees loss within the Cogent (174) network prior to reaching the NTT network. I think you perhaps need cogent assistance? - Jared On Thu, Nov 27, 2014 at 04:58:59AM -0500, james jones wrote: We are getting a huge amount of traffic loss while sending to JP. I am trying to figure out if the problem is with cogent or NTT. Thoughts? Here is a MTR trace: login02.bal (0.0.0.0) Thu Nov 27 01:58:22 2014 Keys: Help Display mode Restart statistics Order of fields quit Packets Pings Host Loss% Last Avg Best Wrst StDev 1. v122-router.bal 0.0% 0.2 0.3 0.2 3.7 0.5 2. netscaler3.bal 0.0% 0.1 0.1 0.1 0.2 0.0 3. gw1.bal.brightcove.com 0.0% 0.6 1.9 0.2 12.4 3.2 4. border1.te9-1.brightcoveinc-2.chg004.pnap.net 2.1% 0.9 2.1 0.4 36.5 6.5 5. core1.te2-2-bbnet2.chg.pnap.net 0.0% 2.1 2.1 1.8 3.5 0.4 6. te0-5-0-33.ccr21.ord03.atlas.cogentco.com 0.0% 1.9 2.5 1.8 16.2 2.5 7. be2003.ccr42.ord01.atlas.cogentco.com 0.0% 2.4 2.5 2.3 3.7 0.3 8. be2157.ccr22.mci01.atlas.cogentco.com 0.0% 14.4 14.3 14.1 17.4 0.5 9. be2133.ccr22.sfo01.atlas.cogentco.com 0.0% 52.0 52.1 51.7 54.0 0.4 10. be2165.ccr22.sjc01.atlas.cogentco.com 23.4% 52.7 52.8 52.6 53.3 0.2 11. be2047.ccr21.sjc03.atlas.cogentco.com 67.4% 53.5 53.5 53.4 53.8 0.1 12. verio.iad01.atlas.cogentco.com 29.8% 53.1 53.2 53.0 54.6 0.4 13. ae-6.r20.snjsca04.us.bb.gin.ntt.net 67.4% 53.3 59.3 53.0 82.3 10.1 14. ae-4.r20.tokyjp05.jp.bb.gin.ntt.net 29.8% 138.2 140.6 138.1 173.9 7.6 15. ae-1.ocn.tokyjp05.jp.bb.gin.ntt.net 69.6% 153.8 153.9 153.8 154.0 0.0 16. 60.37.27.92 97.8% 154.1 154.1 154.1 154.1 0.0 17. 114.147.63.70 36.2% 194.0 167.0 155.0 203.5 16.7 18. 118.23.13.2 63.0% 155.8 155.9 155.8 156.1 0.1 19. 118.23.14.66 100.0 0.0 0.0 0.0 0.0 0.0 20. p3044-ipngnfx01marunouchi.tokyo.ocn.ne.jp 97.8% 150.8 150.8 150.8 150.8 0.0 On Thu, Nov 27, 2014 at 4:56 AM, Job Snijders j...@instituut.net wrote: On Thu, Nov 27, 2014 at 04:51:59AM -0500, james jones wrote: Looking to discuss a routing issue going through NTT's link to JP. Feel free to contact me off-list with the details. Kind regards, Job -- Jared Mauch | pgp key available via finger from ja...@puck.nether.net clue++; | http://puck.nether.net/~jared/ My statements are only mine. -- Ken Chase - m...@sizone.org Toronto
Re: Anyone else having trouble reaching thepiratebay.se? AS39138
In the post you quoted it says: In my last post I pointed out the do not announce to peers community AS5580 was sending to Cogent, Level3 and who knows who else. So any ASN that is not a customer of Cogent or Level3 wont learn the 5580 path from them. Verizon, ATT, and the rest of those networks are Tier-1 networks meaning if 5580 was tagging the route with do-not-advertise to their transit providers (Level3 Cogent) the other Tier-1s wouldn't have another route to it. Looking at routing updates there were a lot of them yesterday for that prefix, for whatever reason. The lack of reachability was completely due to Atrato, had nothing to do with the ISPs in the US. It was reachable for me yesterday on our network, but we peer directly with Atrato. It's possible they did it to stop a DDoS, some other kind of attack, or any number of reasons. Phil On 11/27/14, 2:47 PM, Javier J jav...@advancedmachines.us wrote: Looks like its working now (on FIOS anyway) Curious to know why the major networks stopped seeing it yesterday as well. On Thu, Nov 27, 2014 at 12:45 AM, Courtney Smith courtneysm...@comcast.net wrote: No problem here in Los Angeles either, but seeing a lone route through Atrato only. flags destination gateway lpref med aspath origin *194.71.107.0/24 100 0 3491 5580 39138 22351 2.207 51040 i * 194.71.107.0/24 100 0 174 5580 39138 22351 2.207 51040 i On 11/27/2014 午前 11:24, Tony Wicks wrote: No problem here in New Zealand tonyw@vrhost1-w show route 194.71.107.0/24 icore1-w.inet.0: 519451 destinations, 525214 routes (519437 active, 14 holddown, 0 hidden) + = Active Route, - = Last Active, * = Both 194.71.107.0/24*[BGP/170] 10:25:44, MED 0, localpref 90 AS path: 4826 5580 39138 22351 131279 51040 I, validation-state: unverified to 175.45.102.9 via ae1.526 Hopefully the body cones thru this time. The issue isn't city or country based. In my last post I pointed out the do not announce to peers community AS5580 was sending to Cogent, Level3 and who knows who else. So any ASN that is not a customer of Cogent or Level3 wont learn the 5580 path from them. When I checked a few hours ago, Comcast, Centurylink, ATT, TATA, and possibly Sprint were not seeing the /24 based on their public looking glasses or route servers. Have not had time to run bgplay to see if routeviews data shows how they previously saw the /24 in past 30 days. Finding the ASN(s) they used to see from would shed light on why they stopped seeing. Checking bgplay and contacting AS51040 to reach out to their upstreams is my suggestion.
Re: Anyone else having trouble reaching thepiratebay.se? AS39138
It was working for me a few hours ago, and now dead at hop 3 on FIOS again. If they have 2 prefixes being advertised from AS51040 http://bgp.he.net/AS51040#_prefixes Why can I traceroute to 1 but not the other? [root@tor-proxy network-scripts]# mtr --report -c 5 194.14.56.1 HOST: tor-proxy.home Loss% Snt Last Avg Best Wrst StDev 1. pfsense.home 0.0% 50.5 1.0 0.4 2.7 1.0 2. L100.NWRKNJ-VFTTP-134.verizo 0.0% 51.3 6.0 1.3 20.6 8.3 3. G0-5-3-4.NWRKNJ-LCR-22.veriz 0.0% 53.2 4.6 3.2 6.7 1.4 4. ae0-0.NWRK-BB-RTR2.verizon-g 0.0% 55.9 8.4 4.9 20.7 6.8 5. ??? 100.0 50.0 0.0 0.0 0.0 0.0 6. 0.ae2.BR3.NYC4.ALTER.NET 0.0% 56.8 6.7 6.6 6.9 0.1 7. 204.255.169.234 0.0% 55.4 5.7 5.2 7.1 0.8 8. ae-2.r23.nycmny01.us.bb.gin. 0.0% 56.2 7.1 5.9 11.0 2.2 9. ae-6.r21.frnkge03.de.bb.gin. 60.0% 5 94.5 92.6 90.7 94.5 2.7 10. ae-1.r02.frnkge03.de.bb.gin. 0.0% 5 95.2 94.3 93.1 95.6 1.1 11. 213.198.77.2140.0% 5 92.7 93.4 92.7 94.1 0.5 12. et030-4.RT.TC1.STO.SE.retn.n 0.0% 5 109.2 109.4 109.0 110.9 0.8 13. GW-ObeNetwork.retn.net0.0% 5 116.0 190.0 111.1 341.8 100.4 14. moria-cr-3.piratpartiet.se 20.0% 5 110.1 111.6 109.9 116.1 2.9 [root@tor-proxy network-scripts]# mtr --report -c 5 194.71.107.27 HOST: tor-proxy.home Loss% Snt Last Avg Best Wrst StDev 1. pfsense.home 0.0% 50.6 0.4 0.3 0.6 0.1 2. L100.NWRKNJ-VFTTP-134.verizo 0.0% 51.4 7.1 1.4 29.1 12.3 3. ??? 100.0 50.0 0.0 0.0 0.0 0.0 The site works 100 % fine over vpn or proxy. So I don't think this is related to any DDOS attack. On Thu, Nov 27, 2014 at 2:06 PM, Phil Bedard bedard.p...@gmail.com wrote: In the post you quoted it says: In my last post I pointed out the do not announce to peers community AS5580 was sending to Cogent, Level3 and who knows who else. So any ASN that is not a customer of Cogent or Level3 wont learn the 5580 path from them. Verizon, ATT, and the rest of those networks are Tier-1 networks meaning if 5580 was tagging the route with do-not-advertise to their transit providers (Level3 Cogent) the other Tier-1s wouldn't have another route to it. Looking at routing updates there were a lot of them yesterday for that prefix, for whatever reason. The lack of reachability was completely due to Atrato, had nothing to do with the ISPs in the US. It was reachable for me yesterday on our network, but we peer directly with Atrato. It's possible they did it to stop a DDoS, some other kind of attack, or any number of reasons. Phil On 11/27/14, 2:47 PM, Javier J jav...@advancedmachines.us wrote: Looks like its working now (on FIOS anyway) Curious to know why the major networks stopped seeing it yesterday as well. On Thu, Nov 27, 2014 at 12:45 AM, Courtney Smith courtneysm...@comcast.net wrote: No problem here in Los Angeles either, but seeing a lone route through Atrato only. flags destination gateway lpref med aspath origin *194.71.107.0/24 100 0 3491 5580 39138 22351 2.207 51040 i * 194.71.107.0/24 100 0 174 5580 39138 22351 2.207 51040 i On 11/27/2014 午前 11:24, Tony Wicks wrote: No problem here in New Zealand tonyw@vrhost1-w show route 194.71.107.0/24 icore1-w.inet.0: 519451 destinations, 525214 routes (519437 active, 14 holddown, 0 hidden) + = Active Route, - = Last Active, * = Both 194.71.107.0/24*[BGP/170] 10:25:44, MED 0, localpref 90 AS path: 4826 5580 39138 22351 131279 51040 I, validation-state: unverified to 175.45.102.9 via ae1.526 Hopefully the body cones thru this time. The issue isn't city or country based. In my last post I pointed out the do not announce to peers community AS5580 was sending to Cogent, Level3 and who knows who else. So any ASN that is not a customer of Cogent or Level3 wont learn the 5580 path from them. When I checked a few hours ago, Comcast, Centurylink, ATT, TATA, and possibly Sprint were not seeing the /24 based on their public looking glasses or route servers. Have not had time to run bgplay to see if routeviews data shows how they previously saw the /24 in past 30 days. Finding the ASN(s) they used to see from would shed light on why they stopped seeing. Checking bgplay and contacting AS51040 to reach out to their upstreams is my suggestion.
MediaTemple/GoDaddy contact?
Anyone from media temple/godaddy around? I have a site hosted in mediatemple that a customer can't reach and normal support has been not helpful thus far. Off-list is fine, much appreciated. -- Sean
Transparent hijacking of SMTP submission...
I don't see this in my home market, but I do see it in someone else's... I kind of expect this for port 25 but... J@mb-aye:~$telnet 147.28.0.81 587 Trying 147.28.0.81... Connected to nagasaki.bogus.com. Escape character is '^]'. 220 nagasaki.bogus.com ESMTP Sendmail 8.14.9/8.14.9; Thu, 27 Nov 2014 19:17:44 GMT ehlo bogus.com 250-nagasaki.bogus.com Hello XXX.wa.comcast.net [XXX.XXX.XXX.XXX], pleased to meet you 250 ENHANCEDSTATUSCODES J@mb-aye:~$telnet 2001:418:1::81 587 Trying 2001:418:1::81... Connected to nagasaki.bogus.com. Escape character is '^]'. 220 nagasaki.bogus.com ESMTP Sendmail 8.14.9/8.14.9; Thu, 27 Nov 2014 19:18:33 GMT ehlo bogus.com 250-nagasaki.bogus.com Hello [IPv6:2601:7:2380::::c1ae:7d73], pleased to meet you 250-ENHANCEDSTATUSCODES 250-PIPELINING 250-8BITMIME 250-SIZE 250-DSN 250-AUTH DIGEST-MD5 CRAM-MD5 LOGIN 250-STARTTLS 250-DELIVERBY 250 HELP that's essentially a downgrade attack on my ability to use encryption which seems to be in pretty poor taste frankly. signature.asc Description: OpenPGP digital signature
Re: Anyone else having trouble reaching thepiratebay.se? AS39138
It looks like they use different upstream providers for each prefix, probably hosted in different locations. The 194.71.107.0/24 prefix on my network was withdrawn by Ataro, and is now reachable via this path: 194.71.107.0/24*[BGP/170] 00:04:34 AS path: 3356 3320 3320 24961 24961 24961 24961 39138 22351 131279 51040 I, validation-state: unverified The 4 minutes isn't really a good thing. This is the other prefix, via RETN who we also peer with. 194.14.56.0/24 *[BGP/170] 1d 07:15:42, MED 0 AS path: 9002 197595 51040 I AS 24961 is myLoc.de who could be their hosting provider and may have had issues with Atrato, who is now Hibernia. Who knows it looks like normal BGP/Internet issues to me, if you are looking for some kind of conspiracy nothing is going on. Phil From: Javier J jav...@advancedmachines.us Date: Thursday, November 27, 2014 at 2:16 PM To: Phil B bedard.p...@gmail.com Cc: Courtney Smith courtneysm...@comcast.net, nanog@nanog.org nanog@nanog.org Subject: Re: Anyone else having trouble reaching thepiratebay.se? AS39138 It was working for me a few hours ago, and now dead at hop 3 on FIOS again. If they have 2 prefixes being advertised from AS51040 http://bgp.he.net/AS51040#_prefixes Why can I traceroute to 1 but not the other? [root@tor-proxy network-scripts]# mtr --report -c 5 194.14.56.1 HOST: tor-proxy.home Loss% Snt Last Avg Best Wrst StDev 1. pfsense.home 0.0% 50.5 1.0 0.4 2.7 1.0 2. L100.NWRKNJ-VFTTP-134.verizo 0.0% 51.3 6.0 1.3 20.6 8.3 3. G0-5-3-4.NWRKNJ-LCR-22.veriz 0.0% 53.2 4.6 3.2 6.7 1.4 4. ae0-0.NWRK-BB-RTR2.verizon-g 0.0% 55.9 8.4 4.9 20.7 6.8 5. ??? 100.0 50.0 0.0 0.0 0.0 0.0 6. 0.ae2.BR3.NYC4.ALTER.NET 0.0% 56.8 6.7 6.6 6.9 0.1 7. 204.255.169.234 0.0% 55.4 5.7 5.2 7.1 0.8 8. ae-2.r23.nycmny01.us.bb.gin. 0.0% 56.2 7.1 5.9 11.0 2.2 9. ae-6.r21.frnkge03.de.bb.gin. 60.0% 5 94.5 92.6 90.7 94.5 2.7 10. ae-1.r02.frnkge03.de.bb.gin. 0.0% 5 95.2 94.3 93.1 95.6 1.1 11. 213.198.77.2140.0% 5 92.7 93.4 92.7 94.1 0.5 12. et030-4.RT.TC1.STO.SE.retn.n 0.0% 5 109.2 109.4 109.0 110.9 0.8 13. GW-ObeNetwork.retn.net0.0% 5 116.0 190.0 111.1 341.8 100.4 14. moria-cr-3.piratpartiet.se 20.0% 5 110.1 111.6 109.9 116.1 2.9 [root@tor-proxy network-scripts]# mtr --report -c 5 194.71.107.27 HOST: tor-proxy.home Loss% Snt Last Avg Best Wrst StDev 1. pfsense.home 0.0% 50.6 0.4 0.3 0.6 0.1 2. L100.NWRKNJ-VFTTP-134.verizo 0.0% 51.4 7.1 1.4 29.1 12.3 3. ??? 100.0 50.0 0.0 0.0 0.0 0.0 The site works 100 % fine over vpn or proxy. So I don't think this is related to any DDOS attack. On Thu, Nov 27, 2014 at 2:06 PM, Phil Bedard bedard.p...@gmail.com wrote: In the post you quoted it says: In my last post I pointed out the do not announce to peers community AS5580 was sending to Cogent, Level3 and who knows who else. So any ASN that is not a customer of Cogent or Level3 wont learn the 5580 path from them. Verizon, ATT, and the rest of those networks are Tier-1 networks meaning if 5580 was tagging the route with do-not-advertise to their transit providers (Level3 Cogent) the other Tier-1s wouldn't have another route to it. Looking at routing updates there were a lot of them yesterday for that prefix, for whatever reason. The lack of reachability was completely due to Atrato, had nothing to do with the ISPs in the US. It was reachable for me yesterday on our network, but we peer directly with Atrato. It's possible they did it to stop a DDoS, some other kind of attack, or any number of reasons. Phil On 11/27/14, 2:47 PM, Javier J jav...@advancedmachines.us wrote: Looks like its working now (on FIOS anyway) Curious to know why the major networks stopped seeing it yesterday as well. On Thu, Nov 27, 2014 at 12:45 AM, Courtney Smith courtneysm...@comcast.net wrote: No problem here in Los Angeles either, but seeing a lone route through Atrato only. flags destination gateway lpref med aspath origin *194.71.107.0/24 100 0 3491 5580 39138 22351 2.207 51040 i * 194.71.107.0/24 100 0 174 5580 39138 22351 2.207 51040 i On 11/27/2014 午前 11:24, Tony Wicks wrote: No problem here in New Zealand tonyw@vrhost1-w show route 194.71.107.0/24 icore1-w.inet.0: 519451 destinations, 525214 routes (519437 active, 14 holddown, 0 hidden) + = Active Route, - = Last Active, * = Both 194.71.107.0/24*[BGP/170] 10:25:44, MED 0, localpref 90 AS path: 4826 5580 39138 22351
Re: Transparent hijacking of SMTP submission...
Which is why your MTA should always be setup to require the use of STARTTLS. Additionally the CERT presented should also match the name of the server. There is absolutely no reason for a ISP / hotspot to inspect submission traffic. The stopping spam argument doesn't wash with submission. Mark In message 54778167.7080...@bogus.com, joel jaeggli writes: I don't see this in my home market, but I do see it in someone else's... I kind of expect this for port 25 but... J@mb-aye:~$telnet 147.28.0.81 587 Trying 147.28.0.81... Connected to nagasaki.bogus.com. Escape character is '^]'. 220 nagasaki.bogus.com ESMTP Sendmail 8.14.9/8.14.9; Thu, 27 Nov 2014 19:17:44 GMT ehlo bogus.com 250-nagasaki.bogus.com Hello XXX.wa.comcast.net [XXX.XXX.XXX.XXX], pleased to meet you 250 ENHANCEDSTATUSCODES J@mb-aye:~$telnet 2001:418:1::81 587 Trying 2001:418:1::81... Connected to nagasaki.bogus.com. Escape character is '^]'. 220 nagasaki.bogus.com ESMTP Sendmail 8.14.9/8.14.9; Thu, 27 Nov 2014 19:18:33 GMT ehlo bogus.com 250-nagasaki.bogus.com Hello [IPv6:2601:7:2380::::c1ae:7d73], pleased to meet you 250-ENHANCEDSTATUSCODES 250-PIPELINING 250-8BITMIME 250-SIZE 250-DSN 250-AUTH DIGEST-MD5 CRAM-MD5 LOGIN 250-STARTTLS 250-DELIVERBY 250 HELP that's essentially a downgrade attack on my ability to use encryption which seems to be in pretty poor taste frankly. -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
Re: Transparent hijacking of SMTP submission...
Yes. Till that hotspots IP space gets blackholed by a major freemail because of all the nigerians and hijacked devices emitting bot traffic through stolen auth credentials. There's other ways to stop this but they take actual hard work and rather more gear than a rusted up old asa you pull out of your closet as like as not. On Nov 28, 2014 2:10 AM, Mark Andrews ma...@isc.org wrote: Which is why your MTA should always be setup to require the use of STARTTLS. Additionally the CERT presented should also match the name of the server. There is absolutely no reason for a ISP / hotspot to inspect submission traffic. The stopping spam argument doesn't wash with submission. Mark In message 54778167.7080...@bogus.com, joel jaeggli writes: I don't see this in my home market, but I do see it in someone else's... I kind of expect this for port 25 but... J@mb-aye:~$telnet 147.28.0.81 587 Trying 147.28.0.81... Connected to nagasaki.bogus.com. Escape character is '^]'. 220 nagasaki.bogus.com ESMTP Sendmail 8.14.9/8.14.9; Thu, 27 Nov 2014 19:17:44 GMT ehlo bogus.com 250-nagasaki.bogus.com Hello XXX.wa.comcast.net [XXX.XXX.XXX.XXX], pleased to meet you 250 ENHANCEDSTATUSCODES J@mb-aye:~$telnet 2001:418:1::81 587 Trying 2001:418:1::81... Connected to nagasaki.bogus.com. Escape character is '^]'. 220 nagasaki.bogus.com ESMTP Sendmail 8.14.9/8.14.9; Thu, 27 Nov 2014 19:18:33 GMT ehlo bogus.com 250-nagasaki.bogus.com Hello [IPv6:2601:7:2380::::c1ae:7d73], pleased to meet you 250-ENHANCEDSTATUSCODES 250-PIPELINING 250-8BITMIME 250-SIZE 250-DSN 250-AUTH DIGEST-MD5 CRAM-MD5 LOGIN 250-STARTTLS 250-DELIVERBY 250 HELP that's essentially a downgrade attack on my ability to use encryption which seems to be in pretty poor taste frankly. -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
Re: Transparent hijacking of SMTP submission...
In message CAArzuouvhnHo7BbAWUwiR3=m0x2O6Qe=2qlcvb29i07oax-...@mail.gmail.com , Suresh Ramasubramanian writes: Yes. Till that hotspots IP space gets blackholed by a major freemail because of all the nigerians and hijacked devices emitting bot traffic through stolen auth credentials. Why would it black hole the address rather than the block the compromised credentials? The whole point of submission is to authenticate the submitter and to be able to trace spam back to the submitter and deal with the issue at that level of granuality. Blocking at that level also stop the credentials being used from anywhere. scalpel vs chainsaw. Just because you provide free email doesn't give you the right to not do the service properly. You encouraged people to use your service. You should resource it to deal with the resulting load and that includes dealing with spam and scans being sent with stolen credentials. As a free email provider you have the plain text. Mark There's other ways to stop this but they take actual hard work and rather more gear than a rusted up old asa you pull out of your closet as like as not. On Nov 28, 2014 2:10 AM, Mark Andrews ma...@isc.org wrote: Which is why your MTA should always be setup to require the use of STARTTLS. Additionally the CERT presented should also match the name of the server. There is absolutely no reason for a ISP / hotspot to inspect submission traffic. The stopping spam argument doesn't wash with submission. Mark In message 54778167.7080...@bogus.com, joel jaeggli writes: I don't see this in my home market, but I do see it in someone else's... I kind of expect this for port 25 but... J@mb-aye:~$telnet 147.28.0.81 587 Trying 147.28.0.81... Connected to nagasaki.bogus.com. Escape character is '^]'. 220 nagasaki.bogus.com ESMTP Sendmail 8.14.9/8.14.9; Thu, 27 Nov 2014 19:17:44 GMT ehlo bogus.com 250-nagasaki.bogus.com Hello XXX.wa.comcast.net [XXX.XXX.XXX.XXX], pleased to meet you 250 ENHANCEDSTATUSCODES J@mb-aye:~$telnet 2001:418:1::81 587 Trying 2001:418:1::81... Connected to nagasaki.bogus.com. Escape character is '^]'. 220 nagasaki.bogus.com ESMTP Sendmail 8.14.9/8.14.9; Thu, 27 Nov 2014 19:18:33 GMT ehlo bogus.com 250-nagasaki.bogus.com Hello [IPv6:2601:7:2380::::c1ae:7d73], pleased to meet you 250-ENHANCEDSTATUSCODES 250-PIPELINING 250-8BITMIME 250-SIZE 250-DSN 250-AUTH DIGEST-MD5 CRAM-MD5 LOGIN 250-STARTTLS 250-DELIVERBY 250 HELP that's essentially a downgrade attack on my ability to use encryption which seems to be in pretty poor taste frankly. -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org --bcaec517c6c01f783d0508e015a5 Content-Type: text/html; charset=UTF-8 Content-Transfer-Encoding: quoted-printable p dir=3DltrYes. Till that hotspots IP space gets blackholed by a major = freemail because of all the nigerians and hijacked devices emitting bot tra= ffic through stolen auth credentials. /p p dir=3DltrThere#39;s other ways to stop this but they take actual har= d work and rather more gear than a rusted up old asa you pull out of your c= loset as like as not. br /p div class=3Dgmail_quoteOn Nov 28, 2014 2:10 AM, quot;Mark Andrewsquot= ; lt;a href=3Dmailto:ma...@isc.org;ma...@isc.org/agt; wrote:br type= =3Dattributionblockquote class=3Dgmail_quote style=3Dmargin:0 0 0 .8= ex;border-left:1px #ccc solid;padding-left:1exbr Which is why your MTA should always be setup to require the use ofbr STARTTLS.=C2=A0 Additionally the CERT presented should also match thebr name of the server.br br There is absolutely no reason for a ISP / hotspot to inspectbr submission traffic.=C2=A0 The quot;stopping spamquot; argument doesn#39;= t wash withbr submission.br br Markbr br In message lt;a href=3Dmailto:54778167.7080...@bogus.com;54778167.70808= 0...@bogus.com/agt;, joel jaeggli writes:br gt;br gt; I don#39;t see this in my home market, but I do see it in someone els= e#39;s...br gt; I kind of expect this for port 25 but...br gt;br gt; J@mb-aye:~$telnet 147.28.0.81 587br gt; Trying 147.28.0.81...br gt; Connected to a href=3Dhttp://nagasaki.bogus.com; target=3D_blankn= agasaki.bogus.com/a.br gt; Escape character is #39;^]#39;.br gt; 220 a href=3Dhttp://nagasaki.bogus.com; target=3D_blanknagasaki.b= ogus.com/a ESMTP Sendmail 8.14.9/8.14.9; Thu, 27 Nov 2014br gt; 19:17:44 GMTbr gt; ehlo a href=3Dhttp://bogus.com; target=3D_blankbogus.com/abr gt; a href=3Dhttp://250-nagasaki.bogus.com; target=3D_blank250-nagasa= ki.bogus.com/a Hello a href=3Dhttp://XXX.wa.comcast.net; ta= rget=3D_blankXXX.wa.comcast.net/abr gt; [XXX.XXX.XXX.XXX], pleased to meet youbr gt; 250 ENHANCEDSTATUSCODESbr gt;br gt; J@mb-aye:~$telnet 2001:418:1::81 587br gt; Trying
Re: Transparent hijacking of SMTP submission...
On Thu, Nov 27, 2014 at 2:54 PM, joel jaeggli joe...@bogus.com wrote: I don't see this in my home market, but I do see it in someone else's... I kind of expect this for port 25 but... J@mb-aye:~$telnet 147.28.0.81 587 Trying 147.28.0.81... Connected to nagasaki.bogus.com. Escape character is '^]'. 220 nagasaki.bogus.com ESMTP Sendmail 8.14.9/8.14.9; Thu, 27 Nov 2014 19:17:44 GMT ehlo bogus.com 250-nagasaki.bogus.com Hello XXX.wa.comcast.net [XXX.XXX.XXX.XXX], pleased to meet you 250 ENHANCEDSTATUSCODES J@mb-aye:~$telnet 2001:418:1::81 587 Trying 2001:418:1::81... Connected to nagasaki.bogus.com. Escape character is '^]'. 220 nagasaki.bogus.com ESMTP Sendmail 8.14.9/8.14.9; Thu, 27 Nov 2014 19:18:33 GMT ehlo bogus.com 250-nagasaki.bogus.com Hello [IPv6:2601:7:2380::::c1ae:7d73], pleased to meet you 250-ENHANCEDSTATUSCODES 250-PIPELINING 250-8BITMIME 250-SIZE 250-DSN 250-AUTH DIGEST-MD5 CRAM-MD5 LOGIN 250-STARTTLS 250-DELIVERBY 250 HELP that's essentially a downgrade attack on my ability to use encryption which seems to be in pretty poor taste frankly. Hi Joel, I'm not sure I follow your complaint here. Are you saying that Comcast or a Comcast customer in Washington state stripped the STARTTLS verb from the IPv4 port 587 SMTP submission connection between you and a third party? Thanks, Bill Herrin -- William Herrin her...@dirtside.com b...@herrin.us Owner, Dirtside Systems . Web: http://www.dirtside.com/ May I solve your unusual networking challenges?
Re: Transparent hijacking of SMTP submission...
No. He is a comcast customer. And some third party wifi access point blocked his smtp submission over TLS by setting up an asa device to inspect 587 as well. On Nov 28, 2014 6:16 AM, William Herrin b...@herrin.us wrote: On Thu, Nov 27, 2014 at 2:54 PM, joel jaeggli joe...@bogus.com wrote: I don't see this in my home market, but I do see it in someone else's... I kind of expect this for port 25 but... J@mb-aye:~$telnet 147.28.0.81 587 Trying 147.28.0.81... Connected to nagasaki.bogus.com. Escape character is '^]'. 220 nagasaki.bogus.com ESMTP Sendmail 8.14.9/8.14.9; Thu, 27 Nov 2014 19:17:44 GMT ehlo bogus.com 250-nagasaki.bogus.com Hello XXX.wa.comcast.net [XXX.XXX.XXX.XXX], pleased to meet you 250 ENHANCEDSTATUSCODES J@mb-aye:~$telnet 2001:418:1::81 587 Trying 2001:418:1::81... Connected to nagasaki.bogus.com. Escape character is '^]'. 220 nagasaki.bogus.com ESMTP Sendmail 8.14.9/8.14.9; Thu, 27 Nov 2014 19:18:33 GMT ehlo bogus.com 250-nagasaki.bogus.com Hello [IPv6:2601:7:2380::::c1ae:7d73], pleased to meet you 250-ENHANCEDSTATUSCODES 250-PIPELINING 250-8BITMIME 250-SIZE 250-DSN 250-AUTH DIGEST-MD5 CRAM-MD5 LOGIN 250-STARTTLS 250-DELIVERBY 250 HELP that's essentially a downgrade attack on my ability to use encryption which seems to be in pretty poor taste frankly. Hi Joel, I'm not sure I follow your complaint here. Are you saying that Comcast or a Comcast customer in Washington state stripped the STARTTLS verb from the IPv4 port 587 SMTP submission connection between you and a third party? Thanks, Bill Herrin -- William Herrin her...@dirtside.com b...@herrin.us Owner, Dirtside Systems . Web: http://www.dirtside.com/ May I solve your unusual networking challenges?
Re: Transparent hijacking of SMTP submission...
Oh it depends on the numbers. Just how many legitimate smtp submission attempts do you get from say an access point at Joes diner in nowhere, OH? Versus just how many password cracking and malware relay attempts across how many of your users, from an unpatched xp box the guy is using for a billing app? At the scale of the problem a provider with any kind of userbase faces, you need a chainsaw, not a scalpel, given that you're out to cut a tree rather than perform plastic surgery. On Nov 28, 2014 6:08 AM, Mark Andrews ma...@isc.org wrote: In message CAArzuouvhnHo7BbAWUwiR3=m0x2O6Qe= 2qlcvb29i07oax-...@mail.gmail.com , Suresh Ramasubramanian writes: Yes. Till that hotspots IP space gets blackholed by a major freemail because of all the nigerians and hijacked devices emitting bot traffic through stolen auth credentials. Why would it black hole the address rather than the block the compromised credentials? The whole point of submission is to authenticate the submitter and to be able to trace spam back to the submitter and deal with the issue at that level of granuality. Blocking at that level also stop the credentials being used from anywhere. scalpel vs chainsaw. Just because you provide free email doesn't give you the right to not do the service properly. You encouraged people to use your service. You should resource it to deal with the resulting load and that includes dealing with spam and scans being sent with stolen credentials. As a free email provider you have the plain text. Mark There's other ways to stop this but they take actual hard work and rather more gear than a rusted up old asa you pull out of your closet as like as not. On Nov 28, 2014 2:10 AM, Mark Andrews ma...@isc.org wrote: Which is why your MTA should always be setup to require the use of STARTTLS. Additionally the CERT presented should also match the name of the server. There is absolutely no reason for a ISP / hotspot to inspect submission traffic. The stopping spam argument doesn't wash with submission. Mark In message 54778167.7080...@bogus.com, joel jaeggli writes: I don't see this in my home market, but I do see it in someone else's... I kind of expect this for port 25 but... J@mb-aye:~$telnet 147.28.0.81 587 Trying 147.28.0.81... Connected to nagasaki.bogus.com. Escape character is '^]'. 220 nagasaki.bogus.com ESMTP Sendmail 8.14.9/8.14.9; Thu, 27 Nov 2014 19:17:44 GMT ehlo bogus.com 250-nagasaki.bogus.com Hello XXX.wa.comcast.net [XXX.XXX.XXX.XXX], pleased to meet you 250 ENHANCEDSTATUSCODES J@mb-aye:~$telnet 2001:418:1::81 587 Trying 2001:418:1::81... Connected to nagasaki.bogus.com. Escape character is '^]'. 220 nagasaki.bogus.com ESMTP Sendmail 8.14.9/8.14.9; Thu, 27 Nov 2014 19:18:33 GMT ehlo bogus.com 250-nagasaki.bogus.com Hello [IPv6:2601:7:2380::::c1ae:7d73], pleased to meet you 250-ENHANCEDSTATUSCODES 250-PIPELINING 250-8BITMIME 250-SIZE 250-DSN 250-AUTH DIGEST-MD5 CRAM-MD5 LOGIN 250-STARTTLS 250-DELIVERBY 250 HELP that's essentially a downgrade attack on my ability to use encryption which seems to be in pretty poor taste frankly. -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org --bcaec517c6c01f783d0508e015a5 Content-Type: text/html; charset=UTF-8 Content-Transfer-Encoding: quoted-printable p dir=3DltrYes. Till that hotspots IP space gets blackholed by a major = freemail because of all the nigerians and hijacked devices emitting bot tra= ffic through stolen auth credentials. /p p dir=3DltrThere#39;s other ways to stop this but they take actual har= d work and rather more gear than a rusted up old asa you pull out of your c= loset as like as not. br /p div class=3Dgmail_quoteOn Nov 28, 2014 2:10 AM, quot;Mark Andrewsquot= ; lt;a href=3Dmailto:ma...@isc.org;ma...@isc.org/agt; wrote:br type= =3Dattributionblockquote class=3Dgmail_quote style=3Dmargin:0 0 0 .8= ex;border-left:1px #ccc solid;padding-left:1exbr Which is why your MTA should always be setup to require the use ofbr STARTTLS.=C2=A0 Additionally the CERT presented should also match thebr name of the server.br br There is absolutely no reason for a ISP / hotspot to inspectbr submission traffic.=C2=A0 The quot;stopping spamquot; argument doesn#39;= t wash withbr submission.br br Markbr br In message lt;a href=3Dmailto:54778167.7080...@bogus.com 54778167.70808= 0...@bogus.com/agt;, joel jaeggli writes:br gt;br gt; I don#39;t see this in my home market, but I do see it in someone els= e#39;s...br gt; I kind of expect this for port 25 but...br gt;br gt; J@mb-aye:~$telnet 147.28.0.81 587br gt; Trying 147.28.0.81...br gt; Connected to
Re: Transparent hijacking of SMTP submission...
- Original Message - From: William Herrin b...@herrin.us that's essentially a downgrade attack on my ability to use encryption which seems to be in pretty poor taste frankly. I'm not sure I follow your complaint here. Are you saying that Comcast or a Comcast customer in Washington state stripped the STARTTLS verb from the IPv4 port 587 SMTP submission connection between you and a third party? Yup; that's what he's saying. This was in the technical press earlier this week -- or the end of last. Cheers, -- jra -- Jay R. Ashworth Baylink j...@baylink.com Designer The Things I Think RFC 2100 Ashworth Associates http://www.bcp38.info 2000 Land Rover DII St Petersburg FL USA BCP38: Ask For It By Name! +1 727 647 1274
Re: Transparent hijacking of SMTP submission...
- Original Message - From: William Herrin b...@herrin.us I'm not sure I follow your complaint here. Are you saying that Comcast or a Comcast customer in Washington state stripped the STARTTLS verb from the IPv4 port 587 SMTP submission connection between you and a third party? And, of course, *just* as I hit send, I remembered it was in RISKS, linking to EFF: https://www.eff.org/deeplinks/2014/11/starttls-downgrade-attacks Note that's dated 11 November, so this is a couple weeks old now. Cheers, -- jra -- Jay R. Ashworth Baylink j...@baylink.com Designer The Things I Think RFC 2100 Ashworth Associates http://www.bcp38.info 2000 Land Rover DII St Petersburg FL USA BCP38: Ask For It By Name! +1 727 647 1274
Re: Anyone else having trouble reaching thepiratebay.se? AS39138
Thanks Phil. I guess the confusion is that during the outages, it was reachable from everywhere except Comcast, Verizon and ATT-U-verse all at the same time. Every proxy, vpn etc tested worked fine. Also the fact that the traces dropped immediately and not far off on a far network. In addition to that. Other users on other ISP in the local area (cable-vision / optimum, NYC) had no problem. obviously not all providers are using the same routes to the same destination. Just that when a controversial site becomes inaccessible, questions start to be raised. I think it was also mentioned somewhere on some site that as far as the pirate bay was concerned, everything on their end was operating normally. On Thu, Nov 27, 2014 at 3:30 PM, Phil Bedard bedard.p...@gmail.com wrote: It looks like they use different upstream providers for each prefix, probably hosted in different locations. The 194.71.107.0/24 prefix on my network was withdrawn by Ataro, and is now reachable via this path: 194.71.107.0/24*[BGP/170] 00:04:34 AS path: 3356 3320 3320 24961 24961 24961 24961 39138 22351 131279 51040 I, validation-state: unverified The 4 minutes isn't really a good thing. This is the other prefix, via RETN who we also peer with. 194.14.56.0/24 *[BGP/170] 1d 07:15:42, MED 0 AS path: 9002 197595 51040 I AS 24961 is myLoc.de who could be their hosting provider and may have had issues with Atrato, who is now Hibernia. Who knows it looks like normal BGP/Internet issues to me, if you are looking for some kind of conspiracy nothing is going on. Phil From: Javier J jav...@advancedmachines.us Date: Thursday, November 27, 2014 at 2:16 PM To: Phil B bedard.p...@gmail.com Cc: Courtney Smith courtneysm...@comcast.net, nanog@nanog.org nanog@nanog.org Subject: Re: Anyone else having trouble reaching thepiratebay.se? AS39138 It was working for me a few hours ago, and now dead at hop 3 on FIOS again. If they have 2 prefixes being advertised from AS51040 http://bgp.he.net/AS51040#_prefixes Why can I traceroute to 1 but not the other? [root@tor-proxy network-scripts]# mtr --report -c 5 194.14.56.1 HOST: tor-proxy.home Loss% Snt Last Avg Best Wrst StDev 1. pfsense.home 0.0% 50.5 1.0 0.4 2.7 1.0 2. L100.NWRKNJ-VFTTP-134.verizo 0.0% 51.3 6.0 1.3 20.6 8.3 3. G0-5-3-4.NWRKNJ-LCR-22.veriz 0.0% 53.2 4.6 3.2 6.7 1.4 4. ae0-0.NWRK-BB-RTR2.verizon-g 0.0% 55.9 8.4 4.9 20.7 6.8 5. ??? 100.0 50.0 0.0 0.0 0.0 0.0 6. 0.ae2.BR3.NYC4.ALTER.NET 0.0% 56.8 6.7 6.6 6.9 0.1 7. 204.255.169.234 0.0% 55.4 5.7 5.2 7.1 0.8 8. ae-2.r23.nycmny01.us.bb.gin. 0.0% 56.2 7.1 5.9 11.0 2.2 9. ae-6.r21.frnkge03.de.bb.gin. 60.0% 5 94.5 92.6 90.7 94.5 2.7 10. ae-1.r02.frnkge03.de.bb.gin. 0.0% 5 95.2 94.3 93.1 95.6 1.1 11. 213.198.77.2140.0% 5 92.7 93.4 92.7 94.1 0.5 12. et030-4.RT.TC1.STO.SE.retn.n 0.0% 5 109.2 109.4 109.0 110.9 0.8 13. GW-ObeNetwork.retn.net0.0% 5 116.0 190.0 111.1 341.8 100.4 14. moria-cr-3.piratpartiet.se 20.0% 5 110.1 111.6 109.9 116.1 2.9 [root@tor-proxy network-scripts]# mtr --report -c 5 194.71.107.27 HOST: tor-proxy.home Loss% Snt Last Avg Best Wrst StDev 1. pfsense.home 0.0% 50.6 0.4 0.3 0.6 0.1 2. L100.NWRKNJ-VFTTP-134.verizo 0.0% 51.4 7.1 1.4 29.1 12.3 3. ??? 100.0 50.0 0.0 0.0 0.0 0.0 The site works 100 % fine over vpn or proxy. So I don't think this is related to any DDOS attack. On Thu, Nov 27, 2014 at 2:06 PM, Phil Bedard bedard.p...@gmail.com wrote: In the post you quoted it says: In my last post I pointed out the do not announce to peers community AS5580 was sending to Cogent, Level3 and who knows who else. So any ASN that is not a customer of Cogent or Level3 wont learn the 5580 path from them. Verizon, ATT, and the rest of those networks are Tier-1 networks meaning if 5580 was tagging the route with do-not-advertise to their transit providers (Level3 Cogent) the other Tier-1s wouldn't have another route to it. Looking at routing updates there were a lot of them yesterday for that prefix, for whatever reason. The lack of reachability was completely due to Atrato, had nothing to do with the ISPs in the US. It was reachable for me yesterday on our network, but we peer directly with Atrato. It's possible they did it to stop a DDoS, some other kind of attack, or any number of reasons. Phil On 11/27/14, 2:47 PM, Javier J jav...@advancedmachines.us wrote: Looks like its working now (on FIOS anyway) Curious to know why the major networks stopped seeing it yesterday as well.
Re: Anyone else having trouble reaching thepiratebay.se? AS39138
Work for me, but with awful trace. Is it possible to arrange the direct peering with AS39138? Please contact me off-list if there are admins of AS39138. On 26.11.14 19:41, Javier J wrote: Name: thepiratebay.se Address: 194.71.107.27 Its reachable from some places and not others. Is it being filtered? Is it being hijacked? Email to them bounced from google apps. Are we now officially living in a police state? mtr dies at hop 2 for me: 2. l100.nwrknj-vfttp-134.verizon-gni.net ( 173.70.26.1 ) Is verizon now censoring the internet for me?
Re: Anyone else having trouble reaching thepiratebay.se? AS39138
Working for me now on FiOS in NYC. -- --- Joly MacFie 218 565 9365 Skype:punkcast WWWhatsup NYC - http://wwwhatsup.com http://pinstand.com - http://punkcast.com VP (Admin) - ISOC-NY - http://isoc-ny.org -- -