Not a representative of gmx.com but their emails are being blocked by those who subscribe to the SORBS RBL.

2016-12-17 Thread Large Hadron Collider 
Does anyone have information on why this is, and if you represent SORBS 
and/or GMX and/or both, would you please trouble yourself with 
contacting me off-list?

Re: Recent NTP pool traffic increase

2016-12-17 Thread Gary E. Miller 
Yo All!

On Sat, 17 Dec 2016 17:54:55 -0800
"Gary E. Miller"  wrote:

> # tcpdump -nvvi eth0 port 123 |grep "Originator - Transmit Timestamp:"
> 
> And I do indeed get odd results.  Some on my local network...

To follow up on my own post, so this can be promply laid to rest.

After some discussion at NTPsec.  It seems that chronyd takes a lot
of 'creative license' with RFC 5905 (NTPv4).  But it is not malicious,
just 'odd', and not new.

So, nothing see here, back to the hunt for the real cause of the new
NTP traffic.

RGDS
GARY
---
Gary E. Miller Rellim 109 NW Wilmington Ave., Suite E, Bend, OR 97703
g...@rellim.com  Tel:+1 541 382 8588


pgpoC_Gjv9NIU.pgp
Description: OpenPGP digital signature

Re: Wanted: volunteers with bandwidth/storage to help save climate data

2016-12-17 Thread Doug Barton 

On 12/16/2016 1:48 PM, Hugo Slabbert wrote:

This started as a technical appeal, but:

https://www.nanog.org/list

1. Discussion will focus on Internet operational and technical issues as
described in the charter of NANOG.


Hard to see how the OP has anything to do with either of the above.

Re: Recent NTP pool traffic increase

2016-12-17 Thread Gary E. Miller 
Yo All!

Someone on nanog was reporrting on the new NTP mystery.  He suggested
doing a dump similar to this:

# tcpdump -nvvi eth0 port 123 |grep "Originator - Transmit Timestamp:"

And I do indeed get odd results.  Some on my local network...

This is from a chronyd host to an ntpsec host.  I monitor them both
continuously and both seem to be keeping good time.

17:36:11.369329 IP (tos 0x0, ttl 64, id 21405, offset 0, flags [DF], proto UDP (
17), length 76)
204.17.205.7.50937 > 204.17.205.27.123: [udp sum ok] NTPv4, length 48
Client, Leap indicator: clock unsynchronized (192), Stratum 0 (unspecifi
ed), poll 6 (64s), precision 32
Root Delay: 0.00, Root dispersion: 0.00, Reference-ID: (unspec)
  Reference Timestamp:  0.0
  Originator Timestamp: 3691013707.207257069 (2016/12/17 17:35:07)
  Receive Timestamp:276521666.321684728 (2044/11/11 10:02:42)
  Transmit Timestamp:   3684123061.899235956 (2016/09/29 00:31:01)
Originator - Receive Timestamp:  +880475255.114427658
Originator - Transmit Timestamp: -6890645.308021113

That 'Receive Timestamp' is strange.

Here is another one from the same chronyd host, to another ntpsec host:

17:36:23.395415 IP (tos 0x0, ttl 64, id 3599, offset 0, flags [DF], proto UDP (1
7), length 76)
204.17.205.7.33551 > 204.17.205.1.123: [udp sum ok] NTPv4, length 48
Client, Leap indicator: clock unsynchronized (192), Stratum 0 (unspecifi
ed), poll 6 (64s), precision 32
Root Delay: 0.00, Root dispersion: 0.00, Reference-ID: (unspec)
  Reference Timestamp:  0.0
  Originator Timestamp: 3691013718.824150890 (2016/12/17 17:35:18)
  Receive Timestamp:1779216017.648483479 (2092/06/24 18:08:33)
  Transmit Timestamp:   1405803137.064633429 (2080/08/24 20:20:33)
Originator - Receive Timestamp:  -1911797701.175667410
Originator - Transmit Timestamp: +2009756714.240482539

Note both the 'Receive Timestamp' and 'Transmit Timestamp' are both strange.

All three hosts have GPS for local time.

Here is one from a laptop, running chrony, that has not GPS:

17:36:52.643814 IP (tos 0x0, ttl 64, id 24624, offset 0, flags [DF], proto UDP (
17), length 76)
204.17.205.21.41485 > 204.17.205.8.123: [udp sum ok] NTPv4, length 48
Client, Leap indicator:  (0), Stratum 0 (unspecified), poll 6 (64s), pre
cision 32
Root Delay: 0.00, Root dispersion: 0.00, Reference-ID: (unspec)
  Reference Timestamp:  0.0
  Originator Timestamp: 3691013747.797479298 (2016/12/17 17:35:47)
  Receive Timestamp:317494016.811980062 (2046/02/28 15:15:12)
  Transmit Timestamp:   127487236.597620268 (2040/02/21 11:35:32)
Originator - Receive Timestamp:  +921447565.014500764
Originator - Transmit Timestamp: +731440784.800140969

I have only seen this oddity from chronyd hosts...



RGDS
GARY
---
Gary E. Miller Rellim 109 NW Wilmington Ave., Suite E, Bend, OR 97703
g...@rellim.com  Tel:+1 541 382 8588


pgplIfyQ3qLqR.pgp
Description: OpenPGP digital signature

Re: Recent NTP pool traffic increase

2016-12-17 Thread Andreas Ott 
Hi,
On Fri, Dec 16, 2016 at 04:44:04PM +0700, Roland Dobbins wrote:
> > Looking at the source IP distribution, does a significant proportion 
> > of the larger query base seem to originate out-of-region?
> 
> And are do they appear to be mostly broadband access networks, or . . . 
> ?

Datapoints are via nfsen (nflow/sflow collection) from a US west coast
network lab that has "three" NTP pool servers, one IPv4 only set to 25
Mbps, the other one IPv4 and IPv6 on the same server both set to 100Mbps
at the NTP pool registration site.

Traffic is about 4 times P95 in the last 3 days from what it was before, and
the increase is IPv4 on the server that has IPv4 and IPv6. IPv6 traffic is
in line with what it used to be, no large increase.

The server with higher bandwidth and IPv4+IPv6 is seeing a large increase
on IPv4, from single hosts that seem to be in broadband networks and a certain
site's crawler that is hosted on AWS. The latter almost looks like someone
hardcoded a config instead of relying on the pool's DNS. 

The top talker abuses something in the protocol, this does not look for real and
I will contact Verizon/FiOS

tcpdump -nvvi hme0 port 123 and host 98.113.213.d|grep "Originator - Transmit 
Timestamp:"
Originator - Transmit Timestamp: 2123062516.816546608 (1967/04/12 
11:35:16)
Originator - Transmit Timestamp: 862276608.564645656 (1927/04/30 
01:16:48)
Originator - Transmit Timestamp: 3399899220.431115995 (2007/09/27 
16:27:00)
Originator - Transmit Timestamp: 140873162.935483905 (1904/06/19 
11:26:02)
Originator - Transmit Timestamp: 1878223676.912769495 (1959/07/09 
16:47:56)
Originator - Transmit Timestamp: 2713286246.929585296 (1985/12/24 
18:37:26)
Originator - Transmit Timestamp: 3219464534.831489402 (2002/01/08 
07:42:14)
Originator - Transmit Timestamp: 2210689093.339715993 (1970/01/20 
16:18:13)
Originator - Transmit Timestamp: 3899283084.650125848 (2023/07/25 
14:11:24)
[...]


nfdump -M /var/nfsen/profiles-data/live/dmz208_0201:br1  -T  -R 
2016/12/13/nfcapd.201612131630:2016/12/16/nfcapd.201612161630 -n 10 -s 
record/bytes -A proto,srcip,dstport -6 "dst ip j.k.l.235 and proto udp"
Aggregated flows 51346
Top 10 flows ordered by bytes:
Date first seen  Duration  Proto Src IP 
Addr Dst Pt   PacketsBytes  bpsBpp Flows
2016-12-13 16:31:22.608 259394.340  UDP 
98.113.213.d12312.3 M1.1 G34107 90  3000
2016-12-13 16:50:31.649 253960.650  UDP   
54.236.1.d123126976   11.4 M  359 9031
2016-12-13 17:43:29.760 255090.188  UDP   
54.236.1.d123114688   10.3 M  323 9028
2016-12-13 20:23:39.198 211054.259  UDP   
54.236.1.d123 901128.1 M  307 9022
2016-12-13 22:29:12.265 218623.774  UDP   204.177.184.d 
   123 614405.5 M  202 9015
2016-12-14 04:12:44.389 102634.717  UDP
162.243.191.d123 614405.5 M  431 9015
2016-12-13 22:10:33.226 223641.048  UDP 
198.199.99.d123 532484.8 M  171 9013
2016-12-13 21:31:18.841 194915.427  UDP   220.253.150.d 
   123 532484.8 M  196 9013
2016-12-13 20:01:40.452 242771.757  UDP  
troublemaker123 491524.4 M  145 9012
2016-12-14 05:21:20.634 208902.664  UDP   
54.236.1.d123 409603.7 M  141 9010
Summary: total flows: 60396, total bytes: 21023451720, total packets: 
233586118, avg bps: 648125, avg pps: 900, avg bpp: 90
Time window: 1970-01-01 00:00:01 - 2016-12-16 16:34:54
Total flows processed: 29676807, Blocks skipped: 0, Bytes read: 1662858132
Sys: 7.730s flows/second: 3839128.8  Wall: 7.722s flows/second: 3842810.0 

Note: "troublemaker" is a host on the internal network that has a known issue
with NTP time keeping, it originates a lot of packets and steps a lot.


Reply to me directly if you want more details.

-andreas
-- 
Andreas Ott   andr...@naund.org

Re: Routeviews

2016-12-17 Thread Elizabethtown 






Sent from my Samsung device

 Original message 
From: John Kemp  
Date: 2016-12-17  13:30  (GMT-05:00) 
To: nanog@nanog.org 
Subject: Re: Routeviews 


It's back/renewed as of...

Domain Name: ROUTEVIEWS.ORG
Domain ID: D48496876-LROR
WHOIS Server:
Referral URL: http://www.networksolutions.com
Updated Date: 2016-12-16T18:41:42Z
Creation Date: 2000-12-14T23:05:47Z

John Kemp

On 12/16/16 9:44 AM, John Kemp wrote:
> 
> We're looking at it now.  Thanks.
> 
> John Kemp
> 
> On 12/16/16 9:21 AM, Marty Strong via NANOG wrote:
>> Looks like somebody didn’t renew the domain
>>
>> $ whois routeviews.org
>> Domain Name: ROUTEVIEWS.ORG
>> Domain ID: D48496876-LROR
>> WHOIS Server:
>> Referral URL: http://www.networksolutions.com
>> Updated Date: 2016-12-16T10:30:46Z
>> Creation Date: 2000-12-14T23:05:47Z
>> Registry Expiry Date: 2017-12-14T23:05:47Z
>> Sponsoring Registrar: Network Solutions, LLC
>> Sponsoring Registrar IANA ID: 2
>> Domain Status: clientTransferProhibited 
>> https://icann.org/epp#clientTransferProhibited
>> Domain Status: autoRenewPeriod https://icann.org/epp#autoRenewPeriod
>> Registrant ID: C11717-NS
>> Registrant Name: Perfect Privacy, LLC
>> Registrant Organization: Network Solutions LLC
>> Registrant Street: 12808 Gran Bay Parkway West
>> Registrant Street: care of Network Solutions (DOMAIN-RESALE)
>> Registrant Street: FL
>> Registrant City: Jacksonville
>> Registrant State/Province: FL
>> Registrant Postal Code: 32217
>> Registrant Country: US
>> Registrant Phone: +1.5707088780
>> Registrant Phone Ext:
>> Registrant Fax: +1.5707088780
>> Registrant Fax Ext:
>> Registrant Email: pendingrenewalordelet...@networksolutions.com
>> Admin ID: C11717-NS
>> Admin Name: Perfect Privacy, LLC
>> Admin Organization: Network Solutions LLC
>> Admin Street: 12808 Gran Bay Parkway West
>> Admin Street: care of Network Solutions (DOMAIN-RESALE)
>> Admin Street: FL
>> Admin City: Jacksonville
>> Admin State/Province: FL
>> Admin Postal Code: 32217
>> Admin Country: US
>> Admin Phone: +1.5707088780
>> Admin Phone Ext:
>> Admin Fax: +1.5707088780
>> Admin Fax Ext:
>> Admin Email: pendingrenewalordelet...@networksolutions.com
>> Tech ID: C11717-NS
>> Tech Name: Perfect Privacy, LLC
>> Tech Organization: Network Solutions LLC
>> Tech Street: 12808 Gran Bay Parkway West
>> Tech Street: care of Network Solutions (DOMAIN-RESALE)
>> Tech Street: FL
>> Tech City: Jacksonville
>> Tech State/Province: FL
>> Tech Postal Code: 32217
>> Tech Country: US
>> Tech Phone: +1.5707088780
>> Tech Phone Ext:
>> Tech Fax: +1.5707088780
>> Tech Fax Ext:
>> Tech Email: pendingrenewalordelet...@networksolutions.com
>> Name Server: NS1.PENDINGRENEWALDELETION.COM
>> Name Server: NS2.PENDINGRENEWALDELETION.COM
>> DNSSEC: unsigned
> Last update of WHOIS database: 2016-12-16T17:19:44Z <<<
>>
>> For more information on Whois status codes, please visit 
>> https://icann.org/epp
>>
>> Access to Public Interest Registry WHOIS information is provided to assist 
>> persons in determining the contents of a domain name registration record in 
>> the Public Interest Registry registry database. The data in this record is 
>> provided by Public Interest Registry for informational purposes only, and 
>> Public Interest Registry does not guarantee its accuracy. This service is 
>> intended only for query-based access. You agree that you will use this data 
>> only for lawful purposes and that, under no circumstances will you use this 
>> data to(a) allow, enable, or otherwise support the transmission by e-mail, 
>> telephone, or facsimile of mass unsolicited, commercial advertising or 
>> solicitations to entities other than the data recipient's own existing 
>> customers; or (b) enable high volume, automate
>>
>> Regards,
>> Marty Strong
>> --
>> Cloudflare - AS13335
>> Network Engineer
>> ma...@cloudflare.com
>> +44 7584 906 055
>> smartflare (Skype)
>>
>> https://www.peeringdb.com/asn/13335
>>

Re: Routeviews

2016-12-17 Thread John Kemp 

It's back/renewed as of...

Domain Name: ROUTEVIEWS.ORG
Domain ID: D48496876-LROR
WHOIS Server:
Referral URL: http://www.networksolutions.com
Updated Date: 2016-12-16T18:41:42Z
Creation Date: 2000-12-14T23:05:47Z

John Kemp

On 12/16/16 9:44 AM, John Kemp wrote:
> 
> We're looking at it now.  Thanks.
> 
> John Kemp
> 
> On 12/16/16 9:21 AM, Marty Strong via NANOG wrote:
>> Looks like somebody didn’t renew the domain
>>
>> $ whois routeviews.org
>> Domain Name: ROUTEVIEWS.ORG
>> Domain ID: D48496876-LROR
>> WHOIS Server:
>> Referral URL: http://www.networksolutions.com
>> Updated Date: 2016-12-16T10:30:46Z
>> Creation Date: 2000-12-14T23:05:47Z
>> Registry Expiry Date: 2017-12-14T23:05:47Z
>> Sponsoring Registrar: Network Solutions, LLC
>> Sponsoring Registrar IANA ID: 2
>> Domain Status: clientTransferProhibited 
>> https://icann.org/epp#clientTransferProhibited
>> Domain Status: autoRenewPeriod https://icann.org/epp#autoRenewPeriod
>> Registrant ID: C11717-NS
>> Registrant Name: Perfect Privacy, LLC
>> Registrant Organization: Network Solutions LLC
>> Registrant Street: 12808 Gran Bay Parkway West
>> Registrant Street: care of Network Solutions (DOMAIN-RESALE)
>> Registrant Street: FL
>> Registrant City: Jacksonville
>> Registrant State/Province: FL
>> Registrant Postal Code: 32217
>> Registrant Country: US
>> Registrant Phone: +1.5707088780
>> Registrant Phone Ext:
>> Registrant Fax: +1.5707088780
>> Registrant Fax Ext:
>> Registrant Email: pendingrenewalordelet...@networksolutions.com
>> Admin ID: C11717-NS
>> Admin Name: Perfect Privacy, LLC
>> Admin Organization: Network Solutions LLC
>> Admin Street: 12808 Gran Bay Parkway West
>> Admin Street: care of Network Solutions (DOMAIN-RESALE)
>> Admin Street: FL
>> Admin City: Jacksonville
>> Admin State/Province: FL
>> Admin Postal Code: 32217
>> Admin Country: US
>> Admin Phone: +1.5707088780
>> Admin Phone Ext:
>> Admin Fax: +1.5707088780
>> Admin Fax Ext:
>> Admin Email: pendingrenewalordelet...@networksolutions.com
>> Tech ID: C11717-NS
>> Tech Name: Perfect Privacy, LLC
>> Tech Organization: Network Solutions LLC
>> Tech Street: 12808 Gran Bay Parkway West
>> Tech Street: care of Network Solutions (DOMAIN-RESALE)
>> Tech Street: FL
>> Tech City: Jacksonville
>> Tech State/Province: FL
>> Tech Postal Code: 32217
>> Tech Country: US
>> Tech Phone: +1.5707088780
>> Tech Phone Ext:
>> Tech Fax: +1.5707088780
>> Tech Fax Ext:
>> Tech Email: pendingrenewalordelet...@networksolutions.com
>> Name Server: NS1.PENDINGRENEWALDELETION.COM
>> Name Server: NS2.PENDINGRENEWALDELETION.COM
>> DNSSEC: unsigned
> Last update of WHOIS database: 2016-12-16T17:19:44Z <<<
>>
>> For more information on Whois status codes, please visit 
>> https://icann.org/epp
>>
>> Access to Public Interest Registry WHOIS information is provided to assist 
>> persons in determining the contents of a domain name registration record in 
>> the Public Interest Registry registry database. The data in this record is 
>> provided by Public Interest Registry for informational purposes only, and 
>> Public Interest Registry does not guarantee its accuracy. This service is 
>> intended only for query-based access. You agree that you will use this data 
>> only for lawful purposes and that, under no circumstances will you use this 
>> data to(a) allow, enable, or otherwise support the transmission by e-mail, 
>> telephone, or facsimile of mass unsolicited, commercial advertising or 
>> solicitations to entities other than the data recipient's own existing 
>> customers; or (b) enable high volume, automate
>>
>> Regards,
>> Marty Strong
>> --
>> Cloudflare - AS13335
>> Network Engineer
>> ma...@cloudflare.com
>> +44 7584 906 055
>> smartflare (Skype)
>>
>> https://www.peeringdb.com/asn/13335
>>