Not a representative of gmx.com but their emails are being blocked by those who subscribe to the SORBS RBL.
Does anyone have information on why this is, and if you represent SORBS and/or GMX and/or both, would you please trouble yourself with contacting me off-list?
Re: Recent NTP pool traffic increase
Yo All! On Sat, 17 Dec 2016 17:54:55 -0800 "Gary E. Miller"wrote: > # tcpdump -nvvi eth0 port 123 |grep "Originator - Transmit Timestamp:" > > And I do indeed get odd results. Some on my local network... To follow up on my own post, so this can be promply laid to rest. After some discussion at NTPsec. It seems that chronyd takes a lot of 'creative license' with RFC 5905 (NTPv4). But it is not malicious, just 'odd', and not new. So, nothing see here, back to the hunt for the real cause of the new NTP traffic. RGDS GARY --- Gary E. Miller Rellim 109 NW Wilmington Ave., Suite E, Bend, OR 97703 g...@rellim.com Tel:+1 541 382 8588 pgpoC_Gjv9NIU.pgp Description: OpenPGP digital signature
Re: Wanted: volunteers with bandwidth/storage to help save climate data
On 12/16/2016 1:48 PM, Hugo Slabbert wrote: This started as a technical appeal, but: https://www.nanog.org/list 1. Discussion will focus on Internet operational and technical issues as described in the charter of NANOG. Hard to see how the OP has anything to do with either of the above.
Re: Recent NTP pool traffic increase
Yo All! Someone on nanog was reporrting on the new NTP mystery. He suggested doing a dump similar to this: # tcpdump -nvvi eth0 port 123 |grep "Originator - Transmit Timestamp:" And I do indeed get odd results. Some on my local network... This is from a chronyd host to an ntpsec host. I monitor them both continuously and both seem to be keeping good time. 17:36:11.369329 IP (tos 0x0, ttl 64, id 21405, offset 0, flags [DF], proto UDP ( 17), length 76) 204.17.205.7.50937 > 204.17.205.27.123: [udp sum ok] NTPv4, length 48 Client, Leap indicator: clock unsynchronized (192), Stratum 0 (unspecifi ed), poll 6 (64s), precision 32 Root Delay: 0.00, Root dispersion: 0.00, Reference-ID: (unspec) Reference Timestamp: 0.0 Originator Timestamp: 3691013707.207257069 (2016/12/17 17:35:07) Receive Timestamp:276521666.321684728 (2044/11/11 10:02:42) Transmit Timestamp: 3684123061.899235956 (2016/09/29 00:31:01) Originator - Receive Timestamp: +880475255.114427658 Originator - Transmit Timestamp: -6890645.308021113 That 'Receive Timestamp' is strange. Here is another one from the same chronyd host, to another ntpsec host: 17:36:23.395415 IP (tos 0x0, ttl 64, id 3599, offset 0, flags [DF], proto UDP (1 7), length 76) 204.17.205.7.33551 > 204.17.205.1.123: [udp sum ok] NTPv4, length 48 Client, Leap indicator: clock unsynchronized (192), Stratum 0 (unspecifi ed), poll 6 (64s), precision 32 Root Delay: 0.00, Root dispersion: 0.00, Reference-ID: (unspec) Reference Timestamp: 0.0 Originator Timestamp: 3691013718.824150890 (2016/12/17 17:35:18) Receive Timestamp:1779216017.648483479 (2092/06/24 18:08:33) Transmit Timestamp: 1405803137.064633429 (2080/08/24 20:20:33) Originator - Receive Timestamp: -1911797701.175667410 Originator - Transmit Timestamp: +2009756714.240482539 Note both the 'Receive Timestamp' and 'Transmit Timestamp' are both strange. All three hosts have GPS for local time. Here is one from a laptop, running chrony, that has not GPS: 17:36:52.643814 IP (tos 0x0, ttl 64, id 24624, offset 0, flags [DF], proto UDP ( 17), length 76) 204.17.205.21.41485 > 204.17.205.8.123: [udp sum ok] NTPv4, length 48 Client, Leap indicator: (0), Stratum 0 (unspecified), poll 6 (64s), pre cision 32 Root Delay: 0.00, Root dispersion: 0.00, Reference-ID: (unspec) Reference Timestamp: 0.0 Originator Timestamp: 3691013747.797479298 (2016/12/17 17:35:47) Receive Timestamp:317494016.811980062 (2046/02/28 15:15:12) Transmit Timestamp: 127487236.597620268 (2040/02/21 11:35:32) Originator - Receive Timestamp: +921447565.014500764 Originator - Transmit Timestamp: +731440784.800140969 I have only seen this oddity from chronyd hosts... RGDS GARY --- Gary E. Miller Rellim 109 NW Wilmington Ave., Suite E, Bend, OR 97703 g...@rellim.com Tel:+1 541 382 8588 pgplIfyQ3qLqR.pgp Description: OpenPGP digital signature
Re: Recent NTP pool traffic increase
Hi, On Fri, Dec 16, 2016 at 04:44:04PM +0700, Roland Dobbins wrote: > > Looking at the source IP distribution, does a significant proportion > > of the larger query base seem to originate out-of-region? > > And are do they appear to be mostly broadband access networks, or . . . > ? Datapoints are via nfsen (nflow/sflow collection) from a US west coast network lab that has "three" NTP pool servers, one IPv4 only set to 25 Mbps, the other one IPv4 and IPv6 on the same server both set to 100Mbps at the NTP pool registration site. Traffic is about 4 times P95 in the last 3 days from what it was before, and the increase is IPv4 on the server that has IPv4 and IPv6. IPv6 traffic is in line with what it used to be, no large increase. The server with higher bandwidth and IPv4+IPv6 is seeing a large increase on IPv4, from single hosts that seem to be in broadband networks and a certain site's crawler that is hosted on AWS. The latter almost looks like someone hardcoded a config instead of relying on the pool's DNS. The top talker abuses something in the protocol, this does not look for real and I will contact Verizon/FiOS tcpdump -nvvi hme0 port 123 and host 98.113.213.d|grep "Originator - Transmit Timestamp:" Originator - Transmit Timestamp: 2123062516.816546608 (1967/04/12 11:35:16) Originator - Transmit Timestamp: 862276608.564645656 (1927/04/30 01:16:48) Originator - Transmit Timestamp: 3399899220.431115995 (2007/09/27 16:27:00) Originator - Transmit Timestamp: 140873162.935483905 (1904/06/19 11:26:02) Originator - Transmit Timestamp: 1878223676.912769495 (1959/07/09 16:47:56) Originator - Transmit Timestamp: 2713286246.929585296 (1985/12/24 18:37:26) Originator - Transmit Timestamp: 3219464534.831489402 (2002/01/08 07:42:14) Originator - Transmit Timestamp: 2210689093.339715993 (1970/01/20 16:18:13) Originator - Transmit Timestamp: 3899283084.650125848 (2023/07/25 14:11:24) [...] nfdump -M /var/nfsen/profiles-data/live/dmz208_0201:br1 -T -R 2016/12/13/nfcapd.201612131630:2016/12/16/nfcapd.201612161630 -n 10 -s record/bytes -A proto,srcip,dstport -6 "dst ip j.k.l.235 and proto udp" Aggregated flows 51346 Top 10 flows ordered by bytes: Date first seen Duration Proto Src IP Addr Dst Pt PacketsBytes bpsBpp Flows 2016-12-13 16:31:22.608 259394.340 UDP 98.113.213.d12312.3 M1.1 G34107 90 3000 2016-12-13 16:50:31.649 253960.650 UDP 54.236.1.d123126976 11.4 M 359 9031 2016-12-13 17:43:29.760 255090.188 UDP 54.236.1.d123114688 10.3 M 323 9028 2016-12-13 20:23:39.198 211054.259 UDP 54.236.1.d123 901128.1 M 307 9022 2016-12-13 22:29:12.265 218623.774 UDP 204.177.184.d 123 614405.5 M 202 9015 2016-12-14 04:12:44.389 102634.717 UDP 162.243.191.d123 614405.5 M 431 9015 2016-12-13 22:10:33.226 223641.048 UDP 198.199.99.d123 532484.8 M 171 9013 2016-12-13 21:31:18.841 194915.427 UDP 220.253.150.d 123 532484.8 M 196 9013 2016-12-13 20:01:40.452 242771.757 UDP troublemaker123 491524.4 M 145 9012 2016-12-14 05:21:20.634 208902.664 UDP 54.236.1.d123 409603.7 M 141 9010 Summary: total flows: 60396, total bytes: 21023451720, total packets: 233586118, avg bps: 648125, avg pps: 900, avg bpp: 90 Time window: 1970-01-01 00:00:01 - 2016-12-16 16:34:54 Total flows processed: 29676807, Blocks skipped: 0, Bytes read: 1662858132 Sys: 7.730s flows/second: 3839128.8 Wall: 7.722s flows/second: 3842810.0 Note: "troublemaker" is a host on the internal network that has a known issue with NTP time keeping, it originates a lot of packets and steps a lot. Reply to me directly if you want more details. -andreas -- Andreas Ott andr...@naund.org
Re: Routeviews
Sent from my Samsung device Original message From: John KempDate: 2016-12-17 13:30 (GMT-05:00) To: nanog@nanog.org Subject: Re: Routeviews It's back/renewed as of... Domain Name: ROUTEVIEWS.ORG Domain ID: D48496876-LROR WHOIS Server: Referral URL: http://www.networksolutions.com Updated Date: 2016-12-16T18:41:42Z Creation Date: 2000-12-14T23:05:47Z John Kemp On 12/16/16 9:44 AM, John Kemp wrote: > > We're looking at it now. Thanks. > > John Kemp > > On 12/16/16 9:21 AM, Marty Strong via NANOG wrote: >> Looks like somebody didn’t renew the domain >> >> $ whois routeviews.org >> Domain Name: ROUTEVIEWS.ORG >> Domain ID: D48496876-LROR >> WHOIS Server: >> Referral URL: http://www.networksolutions.com >> Updated Date: 2016-12-16T10:30:46Z >> Creation Date: 2000-12-14T23:05:47Z >> Registry Expiry Date: 2017-12-14T23:05:47Z >> Sponsoring Registrar: Network Solutions, LLC >> Sponsoring Registrar IANA ID: 2 >> Domain Status: clientTransferProhibited >> https://icann.org/epp#clientTransferProhibited >> Domain Status: autoRenewPeriod https://icann.org/epp#autoRenewPeriod >> Registrant ID: C11717-NS >> Registrant Name: Perfect Privacy, LLC >> Registrant Organization: Network Solutions LLC >> Registrant Street: 12808 Gran Bay Parkway West >> Registrant Street: care of Network Solutions (DOMAIN-RESALE) >> Registrant Street: FL >> Registrant City: Jacksonville >> Registrant State/Province: FL >> Registrant Postal Code: 32217 >> Registrant Country: US >> Registrant Phone: +1.5707088780 >> Registrant Phone Ext: >> Registrant Fax: +1.5707088780 >> Registrant Fax Ext: >> Registrant Email: pendingrenewalordelet...@networksolutions.com >> Admin ID: C11717-NS >> Admin Name: Perfect Privacy, LLC >> Admin Organization: Network Solutions LLC >> Admin Street: 12808 Gran Bay Parkway West >> Admin Street: care of Network Solutions (DOMAIN-RESALE) >> Admin Street: FL >> Admin City: Jacksonville >> Admin State/Province: FL >> Admin Postal Code: 32217 >> Admin Country: US >> Admin Phone: +1.5707088780 >> Admin Phone Ext: >> Admin Fax: +1.5707088780 >> Admin Fax Ext: >> Admin Email: pendingrenewalordelet...@networksolutions.com >> Tech ID: C11717-NS >> Tech Name: Perfect Privacy, LLC >> Tech Organization: Network Solutions LLC >> Tech Street: 12808 Gran Bay Parkway West >> Tech Street: care of Network Solutions (DOMAIN-RESALE) >> Tech Street: FL >> Tech City: Jacksonville >> Tech State/Province: FL >> Tech Postal Code: 32217 >> Tech Country: US >> Tech Phone: +1.5707088780 >> Tech Phone Ext: >> Tech Fax: +1.5707088780 >> Tech Fax Ext: >> Tech Email: pendingrenewalordelet...@networksolutions.com >> Name Server: NS1.PENDINGRENEWALDELETION.COM >> Name Server: NS2.PENDINGRENEWALDELETION.COM >> DNSSEC: unsigned > Last update of WHOIS database: 2016-12-16T17:19:44Z <<< >> >> For more information on Whois status codes, please visit >> https://icann.org/epp >> >> Access to Public Interest Registry WHOIS information is provided to assist >> persons in determining the contents of a domain name registration record in >> the Public Interest Registry registry database. The data in this record is >> provided by Public Interest Registry for informational purposes only, and >> Public Interest Registry does not guarantee its accuracy. This service is >> intended only for query-based access. You agree that you will use this data >> only for lawful purposes and that, under no circumstances will you use this >> data to(a) allow, enable, or otherwise support the transmission by e-mail, >> telephone, or facsimile of mass unsolicited, commercial advertising or >> solicitations to entities other than the data recipient's own existing >> customers; or (b) enable high volume, automate >> >> Regards, >> Marty Strong >> -- >> Cloudflare - AS13335 >> Network Engineer >> ma...@cloudflare.com >> +44 7584 906 055 >> smartflare (Skype) >> >> https://www.peeringdb.com/asn/13335 >>
Re: Routeviews
It's back/renewed as of... Domain Name: ROUTEVIEWS.ORG Domain ID: D48496876-LROR WHOIS Server: Referral URL: http://www.networksolutions.com Updated Date: 2016-12-16T18:41:42Z Creation Date: 2000-12-14T23:05:47Z John Kemp On 12/16/16 9:44 AM, John Kemp wrote: > > We're looking at it now. Thanks. > > John Kemp > > On 12/16/16 9:21 AM, Marty Strong via NANOG wrote: >> Looks like somebody didn’t renew the domain >> >> $ whois routeviews.org >> Domain Name: ROUTEVIEWS.ORG >> Domain ID: D48496876-LROR >> WHOIS Server: >> Referral URL: http://www.networksolutions.com >> Updated Date: 2016-12-16T10:30:46Z >> Creation Date: 2000-12-14T23:05:47Z >> Registry Expiry Date: 2017-12-14T23:05:47Z >> Sponsoring Registrar: Network Solutions, LLC >> Sponsoring Registrar IANA ID: 2 >> Domain Status: clientTransferProhibited >> https://icann.org/epp#clientTransferProhibited >> Domain Status: autoRenewPeriod https://icann.org/epp#autoRenewPeriod >> Registrant ID: C11717-NS >> Registrant Name: Perfect Privacy, LLC >> Registrant Organization: Network Solutions LLC >> Registrant Street: 12808 Gran Bay Parkway West >> Registrant Street: care of Network Solutions (DOMAIN-RESALE) >> Registrant Street: FL >> Registrant City: Jacksonville >> Registrant State/Province: FL >> Registrant Postal Code: 32217 >> Registrant Country: US >> Registrant Phone: +1.5707088780 >> Registrant Phone Ext: >> Registrant Fax: +1.5707088780 >> Registrant Fax Ext: >> Registrant Email: pendingrenewalordelet...@networksolutions.com >> Admin ID: C11717-NS >> Admin Name: Perfect Privacy, LLC >> Admin Organization: Network Solutions LLC >> Admin Street: 12808 Gran Bay Parkway West >> Admin Street: care of Network Solutions (DOMAIN-RESALE) >> Admin Street: FL >> Admin City: Jacksonville >> Admin State/Province: FL >> Admin Postal Code: 32217 >> Admin Country: US >> Admin Phone: +1.5707088780 >> Admin Phone Ext: >> Admin Fax: +1.5707088780 >> Admin Fax Ext: >> Admin Email: pendingrenewalordelet...@networksolutions.com >> Tech ID: C11717-NS >> Tech Name: Perfect Privacy, LLC >> Tech Organization: Network Solutions LLC >> Tech Street: 12808 Gran Bay Parkway West >> Tech Street: care of Network Solutions (DOMAIN-RESALE) >> Tech Street: FL >> Tech City: Jacksonville >> Tech State/Province: FL >> Tech Postal Code: 32217 >> Tech Country: US >> Tech Phone: +1.5707088780 >> Tech Phone Ext: >> Tech Fax: +1.5707088780 >> Tech Fax Ext: >> Tech Email: pendingrenewalordelet...@networksolutions.com >> Name Server: NS1.PENDINGRENEWALDELETION.COM >> Name Server: NS2.PENDINGRENEWALDELETION.COM >> DNSSEC: unsigned > Last update of WHOIS database: 2016-12-16T17:19:44Z <<< >> >> For more information on Whois status codes, please visit >> https://icann.org/epp >> >> Access to Public Interest Registry WHOIS information is provided to assist >> persons in determining the contents of a domain name registration record in >> the Public Interest Registry registry database. The data in this record is >> provided by Public Interest Registry for informational purposes only, and >> Public Interest Registry does not guarantee its accuracy. This service is >> intended only for query-based access. You agree that you will use this data >> only for lawful purposes and that, under no circumstances will you use this >> data to(a) allow, enable, or otherwise support the transmission by e-mail, >> telephone, or facsimile of mass unsolicited, commercial advertising or >> solicitations to entities other than the data recipient's own existing >> customers; or (b) enable high volume, automate >> >> Regards, >> Marty Strong >> -- >> Cloudflare - AS13335 >> Network Engineer >> ma...@cloudflare.com >> +44 7584 906 055 >> smartflare (Skype) >> >> https://www.peeringdb.com/asn/13335 >>