Re: high latency on West Coast?

2015-09-22 Thread Tom Canabarro
Does anyone have an official explanation or report for this issue? We found
that latency between US-WEST-2 and US-WEST-1 jumped from 20ms to over 200ms
during a ~48 hour period, roughly between midnight Sept. 18th UTC to 1am
Sept. 20th UTC.

AWS confirmed they were working on an issue with an external provider, but
that was pretty much it.

--
Tom Canabarro.

On Sun, Sep 20, 2015 at 12:59 AM, Florin Andrei wrote:

> On 2015-09-18 14:57, andrew wrote:
>
>> L3 fiber cut.
>>
>
> Is this related to the wave of deliberate fiber cuts on the West Coast
> this year?
>
> --
> Florin Andrei
> http://florin.myip.org/
>


Re: DDoS auto-mitigation best practices (for eyeball networks)

2015-09-22 Thread Chase Christian
Most video games utilize peer-to-peer traffic (which is why many require
port forwarding/UPnP), so the attacker has the IP addresses of all of their
peers in their firewall logs. There are even 'gaming routers' that
specialize in gaming this peer-to-peer system for competitive advantages,
such as specifically blocking the IPs of players you don't want to play
against:

https://netduma.com/why/for-gamers/

Once an attacker has identified his target, getting the IP is as simple as
joining/being in an online game with that player.

On Mon, Sep 21, 2015 at 5:00 AM,  wrote:

> 99% of the attacks we see are gaming related -- somehow the other players
> know the IP and then attack our customer for an advantage in the game, or
> retribution.
>
> Most DHCP servers (correctly) give the same IP address if the CPE is
> rebooted.  Ours are one of those. =)
>
> Frank
>
> -Original Message-
> From: Mehmet Akcin [mailto:meh...@akcin.net]
> Sent: Saturday, September 19, 2015 3:10 PM
> To: Frank Bulk 
> Cc: nanog@nanog.org
> Subject: Re: DDoS auto-mitigation best practices (for eyeball networks)
>
> How does he/she become a target? How does the IP address get exposed?
>
> I guess the simplest way is to reboot the modem and hope to get a new IP
> (or call and request)
>
> Mehmet
>
> > On Sep 19, 2015, at 12:54, Frank Bulk  wrote:
> >
> > Could the community share some DDoS auto-mitigation best practices for
> > eyeball networks, where the target is a residential broadband subscriber?
> > I'm not asking so much about the customer communication as much as
> > configuration of any thresholds or settings, such as:
> > - minimum traffic volume before responding (for volumetric attacks)
> > - minimum time to wait before responding
> > - filter percentage: 100% of the traffic toward target (or if volumetric,
> > just a certain percentage)?
> > - time before mitigation is automatically removed
> > - and if the attack should recur shortly thereafter, time to respond and
> > remove again
> > - use of an upstream provider(s) mitigation services versus one's own
> > mitigation tools
> > - network placement of mitigation (presumably upstream as possible)
> > - and anything else
> >
> > I ask about best practice for broadband subscribers on eyeball networks
> > because it's a different environment than data center and hosting
> > environments or when one's network is being used to DDoS a target.
> >
> > Regards,
> >
> > Frank
> >
>
>
>


Re: cisco.com unavailable

2015-09-22 Thread Bob Clabaugh

I've been using it from Oregon, USA all morning without problems.

On 9/21/2015 11:51 AM, Murat Kaipov wrote:

Hi folks!
Is cisco.com unavailable, or is it affected just for Rostelecom?




Verizon Wireless LTE/4G and SIP Header Manipulation

2015-09-22 Thread Mark Stevens

Hi All,

Has anyone seen that something (most likely an alg) on Verizon's LTE/4G 
network is rewriting SIP headers, in particular From Tag identifiers? We
cannot make a SIP call from our cellphones (using cellular data) beyond 
30 seconds because the TAGs are rewritten and the destination Asterisk 
server drops the call because of this.


Thanks

Mark


Re: Verizon Wireless LTE/4G and SIP Header Manipulation

2015-09-22 Thread Christopher Morrow
On Tue, Sep 22, 2015 at 12:03 PM, Mark Stevens  wrote:
> Hi All,
>
> Has anyone seen that something (most likely an alg) on Verizon's LTE/4G
> network is rewriting SIP headers, in particular From Tag identifiers? We
> cannot make a SIP call from our cellphones (using cellular data) beyond 30
> seconds because the TAGs are rewritten and the destination Asterisk server
> drops the call because of this.
>

I'm shocked that the cellular carrier is making over-the-top phone
calls non-functional. I'm sure they'll agree to meet you at their CO
so you can do the proper work request sometime between 6am and 7pm in
2 weeks time.

go incombancy!

> Thanks
>
> Mark


Re: Verizon Wireless LTE/4G and SIP Header Manipulation

2015-09-22 Thread joel jaeggli
On 9/22/15 9:03 AM, Mark Stevens wrote:
> Hi All,
> 
> Has anyone seen that something (most likely an alg) on Verizon's LTE/4G
> network is rewriting SIP headers, in particular From Tag identifiers? We
> cannot make a SIP call from our cellphones (using cellular data) beyond
> 30 seconds because the TAGs are rewritten and the destination Asterisk
> server drops the call because of this.

sounds like a really good application for TLS

> Thanks
> 
> Mark
> 






Re: Verizon Wireless LTE/4G and SIP Header Manipulation

2015-09-22 Thread Mark Stevens
TLS would be perfect but it is not viable at this point. I guess with
Verizon being what they are, it is time to start working on a SIP over
TLS implementation.


On 9/22/2015 12:24 PM, joel jaeggli wrote:

On 9/22/15 9:03 AM, Mark Stevens wrote:

Hi All,

Has anyone seen that something (most likely an alg) on Verizon's LTE/4G
network is rewriting SIP headers, in particular From Tag identifiers? We
cannot make a SIP call from our cellphones (using cellular data) beyond
30 seconds because the TAGs are rewritten and the destination Asterisk
server drops the call because of this.

sounds like a really good application for TLS


Thanks

Mark







RE: Verizon Wireless LTE/4G and SIP Header Manipulation

2015-09-22 Thread Naslund, Steve
Send all of your signaling over TLS and they won't be able to see or modify it.

Steven Naslund
Chicago IL

-Original Message-
From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Mark Stevens
Sent: Tuesday, September 22, 2015 11:03 AM
To: nanog@nanog.org
Subject: Verizon Wireless LTE/4G and SIP Header Manipulation

Hi All,

Has anyone seen that something (most likely an alg) on Verizon's LTE/4G network 
is rewriting SIP headers, in particular From Tag identifiers? We cannot make a
SIP call from our cellphones (using cellular data) beyond
30 seconds because the TAGs are rewritten and the destination Asterisk server 
drops the call because of this.

Thanks

Mark


Re: Verizon Wireless LTE/4G and SIP Header Manipulation

2015-09-22 Thread Dovid Bender
We have this every now and then. Mainly with traffic from the Middle East.
Switching the port to something other than 5060 seems to help most of the time.
Every so often we need to go the VPN route.

I know that Yealink, Snom and possibly Polycom have VPN clients built into them.
--Original Message--
From: Mark Stevens
Sender: NANOG
To: nanog@nanog.org
Subject: Verizon Wireless LTE/4G and SIP Header Manipulation
Sent: Sep 22, 2015 12:03

Hi All,

Has anyone seen that something (most likely an alg) on Verizon's LTE/4G 
network is rewriting SIP headers, in particular From Tag identifiers? We
cannot make a SIP call from our cellphones (using cellular data) beyond 
30 seconds because the TAGs are rewritten and the destination Asterisk 
server drops the call because of this.

Thanks

Mark

Regards,

Dovid


Re: Verizon Wireless LTE/4G and SIP Header Manipulation

2015-09-22 Thread Christopher Morrow
On Tue, Sep 22, 2015 at 12:22 PM, Christopher Morrow
 wrote:
> On Tue, Sep 22, 2015 at 12:03 PM, Mark Stevens  wrote:
>> Hi All,
>>
>> Has anyone seen that something (most likely an alg) on Verizon's LTE/4G
>> network is rewriting SIP headers, in particular From Tag identifiers? We
>> cannot make a SIP call from our cellphones (using cellular data) beyond 30
>> seconds because the TAGs are rewritten and the destination Asterisk server
>> drops the call because of this.
>>
>
> I'm shocked that the cellular carrier is making over-the-top phone
> calls non-functional. I'm sure they'll agree to meet you at their CO
> so you can do the proper work request sometime between 6am and 7pm in
> 2 weeks time.
>

joking aside, are you sure the packets get mangled in VZW and not
elsewhere along the path? how would you be able to prove it?

> go incombancy!
>
>> Thanks
>>
>> Mark


Re: Verizon Wireless LTE/4G and SIP Header Manipulation

2015-09-22 Thread William McCall
I've seen this behavior before (a few years back). Moved off of VzW for
this reason (I'm too lazy to implement workarounds).

IIRC when I investigated, the ALG was trying to not do something nefarious
but was just poorly implemented.

On Tue, Sep 22, 2015 at 12:51 PM, Christopher Morrow <
morrowc.li...@gmail.com> wrote:

> On Tue, Sep 22, 2015 at 12:22 PM, Christopher Morrow
>  wrote:
> > On Tue, Sep 22, 2015 at 12:03 PM, Mark Stevens wrote:
> >> Hi All,
> >>
> >> Has anyone seen that something (most likely an alg) on Verizon's LTE/4G
> >> network is rewriting SIP headers, in particular From Tag identifiers? We
> >> cannot make a SIP call from our cellphones (using cellular data) beyond 30
> >> seconds because the TAGs are rewritten and the destination Asterisk server
> >> drops the call because of this.
> >>
> >
> > I'm shocked that the cellular carrier is making over-the-top phone
> > calls non-functional. I'm sure they'll agree to meet you at their CO
> > so you can do the proper work request sometime between 6am and 7pm in
> > 2 weeks time.
> >
>
> joking aside, are you sure the packets get mangled in VZW and not
> elsewhere along the path? how would you be able to prove it?
>
> > go incombancy!
> >
> >> Thanks
> >>
> >> Mark
>



-- 
William McCall


Re: Verizon Wireless LTE/4G and SIP Header Manipulation

2015-09-22 Thread Mark Stevens
The TAG unique identifier is being changed and this only happens through
VZ LTE networks, not wired networks or even other cellular data networks
(Sprint, ATT, T-Mobile).
Their phones are IPv6 so the packets are getting converted to IPv4 so it
is either happening there or there is a global ALG in Verizon land that
is doing it.
For positive proof I would need Verizon to fess up (LOL) but that will
not happen or sniff traffic from the cellphone itself.





On 9/22/2015 3:51 PM, Christopher Morrow wrote:

On Tue, Sep 22, 2015 at 12:22 PM, Christopher Morrow
 wrote:

On Tue, Sep 22, 2015 at 12:03 PM, Mark Stevens  wrote:

Hi All,

Has anyone seen that something (most likely an alg) on Verizon's LTE/4G
network is rewriting SIP headers, in particular From Tag identifiers? We
cannot make a SIP call from our cellphones (using cellular data) beyond 30
seconds because the TAGs are rewritten and the destination Asterisk server
drops the call because of this.


I'm shocked that the cellular carrier is making over-the-top phone
calls non-functional. I'm sure they'll agree to meet you at their CO
so you can do the proper work request sometime between 6am and 7pm in
2 weeks time.


joking aside, are you sure the packets get mangled in VZW and not
elsewhere along the path? how would you be able to prove it?


go incombancy!


Thanks

Mark
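One way to check the From-tag rewriting discussed in this thread, given the same INVITE captured at the handset and at the Asterisk server and exported as text. This is an added example, not code from any poster; the sample messages, addresses, tags and function names are constructed for illustration. It shows only that a header changed between the two capture points, not which hop changed it.

```python
import re

# Constructed sample: one INVITE as sent by the handset and as seen at the PBX.
SENT = (
    "INVITE sip:1000@pbx.example.com SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK-aaa111\r\n"
    "From: \"Mobile\" <sip:2000@pbx.example.com>;tag=handset-7f3a\r\n"
    "To: <sip:1000@pbx.example.com>\r\n"
    "Call-ID: c0ffee01@handset.invalid\r\n"
    "CSeq: 1 INVITE\r\n"
    "Contact: <sip:2000@192.0.2.10:5060>\r\n\r\n"
)
RECEIVED = (SENT.replace("tag=handset-7f3a", "tag=rewritten-0001")
                .replace("192.0.2.10", "198.51.100.7"))

COMPACT = {"f": "from", "t": "to", "i": "call-id", "v": "via", "m": "contact"}

def parse_sip(raw):
    """Return {header-name: [values]} for one SIP message (no line folding)."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:      # skip the request/status line
        name, _, value = line.partition(":")
        name = name.strip().lower()
        headers.setdefault(COMPACT.get(name, name), []).append(value.strip())
    return headers

def tag_of(value):
    """Extract the ;tag= header parameter that follows the <uri> part."""
    params = value.rsplit(">", 1)[-1]
    m = re.search(r";\s*tag=([^;\s]+)", params)
    return m.group(1) if m else None

def summarize(h):
    return {"from-tag": tag_of(h["from"][0]), "to-tag": tag_of(h["to"][0]),
            "via": h.get("via"), "contact": h.get("contact")}

def compare(sent_raw, received_raw):
    """Return {field: (sent, received)} for fields that differ in transit."""
    sent, rcvd = parse_sip(sent_raw), parse_sip(received_raw)
    # Pair messages by Call-ID and CSeq; if a middlebox rewrites those too,
    # pairing has to fall back to timing and request URI.
    for key in ("call-id", "cseq"):
        if sent.get(key) != rcvd.get(key):
            raise ValueError(f"{key} differs; not the same request")
    a, b = summarize(sent), summarize(rcvd)
    return {k: (a[k], b[k]) for k in a if a[k] != b[k]}
```

Via and Contact changes are expected across any NAT or address translation; a changed From tag is the finding that matters here, because the tag is part of the dialog identifier the server uses to match later requests.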




Re: Verizon Wireless LTE/4G and SIP Header Manipulation

2015-09-22 Thread Christopher Morrow
On Tue, Sep 22, 2015 at 4:16 PM, Mark Stevens  wrote:
> The TAG unique identifier is being changed and this only happens through VZ
> LTE networks, not wired networks or even other cellular data networks
> (Sprint, ATT, T-Mobile).
> Their phones are IPv6 so the packets are getting converted to IPv4 so it is
> either happening there or there is a global ALG in Verizon land that is
> doing it.
> For positive proof I would need Verizon to fess up (LOL) but that will not
> happen or sniff traffic from the cellphone itself.

welp, interesting, good luck in your battle with the pstn.


Re: Verizon Wireless LTE/4G and SIP Header Manipulation

2015-09-22 Thread Jared Mauch

> On Sep 22, 2015, at 4:24 PM, Christopher Morrow  
> wrote:
> 
> On Tue, Sep 22, 2015 at 4:16 PM, Mark Stevens  wrote:
>> The TAG unique identifier is being changed and this only happens through VZ
>> LTE networks, not wired networks or even other cellular data networks
>> (Sprint, ATT, T-Mobile).
>> Their phones are IPv6 so the packets are getting converted to IPv4 so it is
>> either happening there or there is a global ALG in Verizon land that is
>> doing it.
>> For positive proof I would need Verizon to fess up (LOL) but that will not
>> happen or sniff traffic from the cellphone itself.
> 
> welp, interesting, good luck in your battle with the pstn.

I’ll say it’s not just VZW that does this, there are issues with many CPE
devices that mangle SIP traffic due to broken ALG.  My plea is if you’re a
carrier that provides a CPE, *please* provide an option to disable the ALG, or
expose it to the customer so they can disable it.  *Looks in 7018/7132
direction*

- Jared