Re: 600,000 routers bricked
let's hope that this action didn't harm anyone - particularly a vulnerable person who might have an emergency system using IP to send alerts

On Mon, 3 Jun 2024 at 01:22, Josh Luthman wrote:
>
> >And then when it became clear that the issue wasn't being addressed, they
> >forcibly turned off those 600,000 routers. I am finding it difficult not to
> >applaud that action.
>
> The concern is that someone would shut off the routers or compromise them, so
> they compromised and shut them off?
>
> On Sun, Jun 2, 2024 at 4:03 PM Dave Taht wrote:
>>
>> https://www.linkedin.com/pulse/60-families-using-one-internet-provider-have-routers-bruce-perens-geedc/
>>
>> --
>> https://www.youtube.com/watch?v=BVFWSyMp3xg&t=1098s Waves Podcast
>> Dave Täht CSO, LibreQos
Re: Rack rails on network equipment
> We operate over 1000 switches in our data centers, and hardware failures that
> require a switch swap are common enough where the speed of swap starts to
> matter to some extent. We probably swap a switch or two a month.

having operated a network of over 2000 switches, where we would see maybe one die a year (and let me tell you, some of those switches were not in nice places...no data centre air handled clean rack spaces etc) this failure rate is very high and would certainly be a factor in vendor choice.

for initial install, there are quicker ways of dealing with cage nut installs... but when a switch dies in service, the mounting isn't a speed factor, it's the cabling (and as others have said, the startup time of some modern switches, you can patch every cable back in before the thing has even booted these days).

alan
Re: Gaming Consoles and IPv4
not just how it handles IPv4 - these things don't even do proper WiFi - meaning no happy joy for lots of students on campus where 802.1X wifi is provisioned alan
Re: IPv6 Pain Experiment
hi,

> Go ahead and read your v4 address over the phone and then do the same with
> your v6 address. Which is easier? I do understand all about these addresses
> both being binary underneath ( I've been doing this for over 30 years now).
> However it is much easier to communicate using four decimal octets.

::1 so much quicker than 127.0.0.1 ;-)

> People generally do not like change and being forced to learn something new.

some people don't... but it's called progress. I'd have to worry about someone whose only experience is of TCP/IP networking (and only IPv4 at that). do they also get wobbly when their data is now on a big broadcast collision domain network after all those years of moving it to a switched system?

> That is just human nature. You have to give them a reason to want to do it
> (more money, better service, less long term cost, etc.).

the ability to communicate to the rest of the growing world where IPv4 addresses just aren't there anymore?

> It is hard to make the case to eliminate v4 in use cases where it is working
> perfectly fine (especially RFC1918 inside an enterprise).

2 things on this. just an internal network? yes, you could say 'why bother'? I *could* think about being in that camp but actually, i'd stick the security hat on and say, just like I did with wireless 'we don't have any wireless' - oh really? without being in the domain and having kit that will detect it/trace its source etc how will you know?

in the IPv6 world...if you aren't the one controlling it on your network (and reporting on it) then you will have clients happily talking to each other on it, tunnelling it around the place (hello all those TEREDO tunnels) and being the router for traffic. all the fun with ff02::1 on your local segment ;-)

alan
Re: IPv6 Pain Experiment
hi,

the old UK reverse name notation actually comes from some sensible ideas - firstly from the big-endian processing methods - but also the most important part of the address comes first - ideal for global routing decisions early. who cares about the actual hostname, get to the actual TLD ;-) anyway, a little unfair as that decision was made before the Internet domain standard was agreed/established. hey, competing systems...one of them usually wins. in this case the other one did ;-)

as for IPv6, the topic of this thread. having done campus IPv6 deployments, working out addressing schemes, sorting out kit upgrades (and broken by many 'oh, IPv6 is in a future release' or 'its on our roadmap' vendor promises) a few things.

it gives us native end to end on a network that is now too big to handle that with IPv4 - NAT etc causing all kinds of new things to be cooked up to ensure things don't break.

deploying it is trivial-ish (these days) - you have so much choice...and eventually decent routers doing SLAAC will finally be able to serve other details such as DNS/time/etc via SLAAC - servers? give them static addresses...simple ones that don't populate all the last half...

that gets me on to my small annoyance... /64 bit subnet masks for local networks. really? ALL of that address space and then throw such a large range away on subnets commonly populated with no more than a couple of hundred clients...maybe a few thousand at worst. what a mistake.

I come from a background where we had IPv4/DECNET/AppleTalk/IPX all around the place - to be honest, 2 fairly simple IP protocols being handled/routed has never kept me up at night and I enjoyed many times of cleaning things up and getting people to realise what access their systems needed...a quick refresh of access rules (on hosts and in network kit) and monitoring ('you monitor that service on its IPv4...why not IPv6' was said way too many times)

address format? at least you can put :c01d:c0ff:ee and dead:beef etc in your addresses... as others have said, IPv4 is only a number in a superficial sense (who HASN'T been burnt by an engineer putting a few 0's into IP address boxes on kit that forces all fields to be populated?)

we had A6 and mess, things took a while to iron out and just like BSD dying, IPv6 deployment (and DNSSEC!) just really hasn't been 'completed' yet. but that's okay, because I'm still curious why the US techies didn't just bite the bullet and go for IPv8 ;-)

alan
Re: Protecting 1Gb Ethernet From Lightning Strikes
hi, have seen and suffered from same. nearby strikes can cause enough surge to fry things. best solution - air-gaps where possible between devices (eg fibre to link switches), surge protectors on ethernet cables where needed (eg feeds from Access points) - and if the APs have external antennae then use lightning arrestors on the coax cables. why main wireless vendors still don't do SFP/SFP+-based APs I don't know... (would mean only the AP cooks and the edge switch isn't the victim) alan
Re: Cisco wifi signal fluctuations
hi,

do you have any of the WLC settings on such as dynamic power assignment (which allows the controller to work out neighbour cell coverage and reduce the signal to stop much overlap)?

which 5GHz channels are being used - if you're using those in DFS space then RADAR detection means that DAC will kick in and the APs will be changing channel (which of course, means they'll be doing some clear channel assessment before coming back).

is the SSID still doing WPA? If so, any MAC check failures from a dodgy client will cause the AP to enact counter measures etc etc

really, I'd suggest turning on much logging for this area/building, slap it all into a simple ELK setup (just spin one up from available docker compose files if needed) - and then browse the resulting dataset with Kibana etc to see what's going on.

or go and do a proper wireless survey and fix it from base level up :)

alan

On Thu, 18 Jul 2019 at 19:46, Vikash Sorout via NANOG wrote:
>
> On Cisco wifi, we started seeing signal fluctuations since 1-2 months. The
> only change that was done to change windows user preference from 2.4 GHz
> Radio to 5 GHz radio through a windows group policy change. But this was done
> in response to the problem reported by certain users. We have lately
> discovered that some of the neighboring APs opt for same frequency band at
> 5.0 GHz and also at 2.4 GHz. Reboot of these APs have not helped to choose
> different frequency band by these APs. Channel assignment is set to be auto
> and we cannot change it to static though we are aware of definitive AP
> positions at all floors in campus. The reason being that the controller
> serves APAC and we do not know the definite / relative positions of different
> APs. The wireless survey conducted before (when there was no complaint on
> wifi) did show presence of co-channel interferences in certain areas, but SNR
> was seen to be very good in all areas of all the floors.
>
> For skype, we have call drop or noisy call complaints from users across the
> three floors irrespective of if they are connected to wifi or LAN.
>
> We are using Cisco WLC 5520 controller.
>
> Regards,
> Vikash Sorout
> Hand-phone : +91-9013866229
> Email: vikash_sor...@yahoo.com
Re: QoS for Office365
hi,

use Direct Access PAC file for clients to get the right endpoints. Apply QoS to that traffic - and use that same PAC file to feed the IP ranges into your QoS rules on the firewall/router?

alan

On Mon, 8 Jul 2019 at 17:15, Joe Yabuki wrote:
>
> Hi all,
>
> How do you deal with QoS for Office365, since the IPs are subject to changes?
>
> How can we mark the traffic while keeping the security (I fear the marking
> based on TCP/UDP Ports since they are not without an additional risk coming
> from worms/virus using those ports for example, and doing that directly on
> the PCs doesn't seem to be the best solution)?
>
> Many thanks,
> Joe
Re: Packetstream - how does this not violate just about every provider's ToS?
hi,

> Just ran into packetstream.io:

Had a quick look but doesn't seem to mention Blockchain at all - therefore it can't be that good! ;-)

alan
Re: Multicast traffic % in enterprise network ?
when i was last on a proper working multicast-enabled UK university network, could pick up the BBC streams (TV and radio) using VLC :) alan
Re: Proving Gig Speed
hi, another prediction would be that your internet connection (and most devices in house) connected by 5G - maybe with some local WiFi - 802.11ax - if there's still spectrum left after the LTE groups have taken it all for aforementioned 5G purposes... legacy devices, still around for another decade or more can have some 2.4GHz connectivity - that ISM band is troublesome to repurpose thanks to all the medical and video senders etc. big old wild west there... alan
Re: Application or Software to detect or Block unmanaged switches
as already said - this can be covered with adequate processes and management (even so far as, not doing your job right? time for HR...).

however, there are many ways to ensure that random ports aren't doing anything other than what they should be doing - most of these are L2 security features - port-security, BPDU guard, default vlan pruning, along with other protections such as DHCP snooping etc.

however, if it's the network team doing this - then they could just turn those things off anyway - so you need to also ensure all managed switches have their configs audited and checked - grabbed by SNMP and checked/audited against known template etc etc. if a switch cannot be audited then disconnect its uplink.

but then your end users/customers no longer have connections - which is why it's really down to management processes. WHY are they doing this? there could be other reasons why due process isn't being followed other than eg incompetence, malice, laziness etc

alan
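A minimal version of the config audit the post describes (checking a collected running-config against a known hardening template), as an added example rather than code from the thread. It assumes Cisco IOS-style syntax, a constructed sample config embedded below instead of one fetched over SNMP/SSH, and a hypothetical minimum template covering the features named in the post: port-security, BPDU guard, DHCP snooping and keeping access ports off the default VLAN.

```python
"""Audit Cisco IOS-style switch configs against an L2 hardening template."""
import re

# Constructed sample running-config (not from a real device): Gi1/0/1 is
# compliant, Gi1/0/2 has been weakened, Gi1/0/24 is the trusted uplink.
SAMPLE_CONFIG = """\
hostname edge-sw-01
ip dhcp snooping
ip dhcp snooping vlan 10,20
spanning-tree portfast bpduguard default
!
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 2
 spanning-tree portfast
!
interface GigabitEthernet1/0/2
 switchport mode access
 switchport port-security
 spanning-tree portfast
 spanning-tree bpduguard disable
!
interface GigabitEthernet1/0/24
 description uplink to core
 switchport mode trunk
 ip dhcp snooping trust
!
"""

# Template: global lines that must be present verbatim (hypothetical
# minimum set; extend it to match your own standard build).
GLOBAL_REQUIRED = {
    "dhcp_snooping": re.compile(r"^ip dhcp snooping$", re.M),
    "bpduguard_default": re.compile(r"^spanning-tree portfast bpduguard default$", re.M),
}


def parse_interfaces(config):
    """Return {interface_name: [indented config lines]} for every interface block."""
    blocks, current = {}, None
    for line in config.splitlines():
        m = re.match(r"^interface (\S+)", line)
        if m:
            current = m.group(1)
            blocks[current] = []
        elif line.startswith(" ") and current is not None:
            blocks[current].append(line.strip())
        else:
            current = None  # '!' or another global line ends the block
    return blocks


def audit_config(config):
    """Return sorted (scope, finding) tuples; an empty list means compliant."""
    findings = []
    for name, pattern in GLOBAL_REQUIRED.items():
        if not pattern.search(config):
            findings.append(("global", f"missing {name}"))
    for ifname, lines in parse_interfaces(config).items():
        if "switchport mode access" not in lines:
            continue  # trunks/uplinks need a different template
        if "switchport port-security" not in lines:
            findings.append((ifname, "port-security not enabled"))
        vlan = next((l.split()[-1] for l in lines
                     if l.startswith("switchport access vlan ")), "1")
        if vlan == "1":
            findings.append((ifname, "access port left on default VLAN 1"))
        if "spanning-tree bpduguard disable" in lines:
            findings.append((ifname, "BPDU guard explicitly disabled"))
    return sorted(findings)


if __name__ == "__main__":
    for scope, finding in audit_config(SAMPLE_CONFIG):
        print(f"{scope}: {finding}")
```

Any non-empty result is the trigger for the "disconnect its uplink" step the post suggests, or for a ticket to whoever changed the port.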
Re: Email security: PGP/GPG & S/MIME vulnerability drop imminent
real ones send such formulae as LaTeX attachments - where their recipients can have a simple plugin to view/display it inline (then save to edit/modify etc). HTML is horrible for formulae...but at least I guess a little better than MS Word. alan
Re: Catalyst 4500 listening on TCP 6154 on all interfaces
hi, thank-you Dario for your input and response from Cisco PSIRT - very useful and welcome. alan
Re: Remote power cycle recommendations
+1 for the APC kit :) alan
Re: China Showdown Huawei vs ZTE
https://www.theregister.co.uk/2018/04/26/hyperoptics_zte_routers/ yet another ZTE issue. :( alan
Re: Cloudflare 1.1.1.1 public DNS broken w/ AT&T CPE
that's probably a key part of the experiment - to find locations and systems where 1.1.1.1 is trashed. it should be routable and it's about time that vendors stopped messing around in that space - hopefully this is one of the sticks that prods people to start to behave - at which point 1.0.0.0/8 will regain value too and can be used by APNIC for other requirements.

as for those berating addresses used for experiments - there are MANY networking experiments going on out there, the Internet itself derives from one big ongoing experiment...and some would even say it IS still an experiment.

alan

On 2 April 2018 at 17:04, John R. Levine wrote:
>> This looks like a willy-waving exercise by Cloudflare coming up with the
>> lowest quad-digit IP. They must have known that this would cause routing
>> issues, and now suddenly it's our responsibility to make significant changes
>> to live infrastructures just so they can continue to look clever with the IP
>> address.
>
> Perhaps we can ask APNIC what the experiment is. They surely know that
> 1.1.1.1 is messed up so I doubt that Matt expects every coffee shop in the
> world to bend to his will.
>
> Regards,
> John Levine, jo...@iecc.com, Primary Perpetrator of "The Internet for
> Dummies",
> Please consider the environment before reading this e-mail. https://jl.ly
Re: Yet another Quadruple DNS?
exactly. intercept/inject? why? an ISP can just run its own standard DNS servers on 8.8.8.8 and 8.8.4.4 and point their customers to those - they own their routing space, they can just route to those locally, so anyone thinking they can avoid their ISP by choosing some other addresses is mistaken. the only way to avoid it is through encrypted lookups to a known/trusted/and signed endpoint etc
Re: Wi-Fi Analyzer
Scout Aircheck G2 is quite nifty - but a lot of tools out there are only just a little bit above what you can do with a decent Android phone (one with 802.11a/b/g/n/ac chipset) and WiFiAnalyzer ! :) alan
Re: Alternatives to ISE?
if you're already slurping the commercial koolaid (support contracts, someone to blame etc etc) - then Aruba Clearpass? (otherwise local homebrew with FreeRADIUS core or PacketFence as FOSSOTS ;-) ) alan
Re: OSPF Monitoring Tool
Commercial, or free? For commercial, Route Explorer should do the job; for free, run eg quagga or such with relevant actions on logs. alan
Re: Moving fibre trunks: interruptions?
i'm sure there's plenty of aerial in europe. usually carried on e.g. the top messenger cable on pylons - given i've attended talks about the issues of fixing such fibre after storms in Scotland :)

On 1 September 2017 at 20:52, Rod Beck wrote:
> I don't think there is virtually any aerial in Europe. So given the cost
> difference why is virtually all fiber buried on this side of the Atlantic?
>
> From: NANOG on behalf of Jared Mauch
> Sent: Friday, September 1, 2017 9:37 PM
> To: Michael Loftis
> Cc: Nanog@nanog.org
> Subject: Re: Moving fibre trunks: interruptions?
>
>> On Sep 1, 2017, at 3:32 PM, Michael Loftis wrote:
>>
>> If it is in the railroad RoW they may be restricted to daylight working
>> only. Check with your provider or OSP crew.
>
> Yup. Railroad work is complex just because you have to coordinate with the
> railroad owner and they have to be onsite for all work. The cost of going
> underground vs aerial is also astronomical in many cases.
>
> - Jared
RE: SNMP syslocation field for GPS coordinates, and use with automation tools
Yes. But don’t just put in coordinates... Put in other details and use a standard separator 😊 alan
Re: Spitballing IoT Security
Hi,

> Put it another way: you bring home a NEST and the first thing you the
> expert might do is read the net to figure out which ports to open. Are
> you really going to not open those ports?

Put onto its own isolated vlan with only internet access. Unfortunately no basic routers that are for the home come with such a setup by default. That's the first big win.

alan
Re: Spitballing IoT Security
Hi,

> At which point the 3GS was almost 5 years old (having originally been
> released in June 2009) and had been already superseded by the iPhone 4,
> 4S, 5 and 5S/5C.

But the release of and presence of those phones does not make the older phone suddenly stop working. As noted, the phone might be obsolete to those people hungering for the latest tech but as a phone and web client etc it still works fine. and will continue doing so whilst the battery is okay.

... and then, with no updates it can be the next attack vector

Which is the point. These things stay out there...like those winXP boxes.

There are 2 choices

1) manufacturers are responsible for the devices. No longer caring for them? Recall them. Compensate the users.

2) stronger obsolescence. eg kill switch/firmware tombstoning/network connectivity function ending timebomb

as a user of lots of legacy tech i find either option bad :/

alan
Re: Krebs on Security booted off Akamai network after DDoS attack proves pricey
hi,

> From: NANOG on behalf of Mike Hammett
> Sent: 27 September 2016 16:30
> Cc: nanog@nanog.org
> Subject: Re: Krebs on Security booted off Akamai network after DDoS attack
> proves pricey
>
> You must not support end users.

haha...i read that wrong. I read it as a command, rather than an observation! ;-)

alan
Re: Don't press the big red button on the wall!
> “Unfortunately because it was human
> error we weren’t prepared for it,”
> Holmes said.

"But it's elementary!" Watson retorted :)

alan
Re: Cisco 2 factor authentication
As per other statements of such seen elsewhere online, do you have examples or code which will allow the recovery of passwords in a radius exchange? Yes, the shared secret mechanism is widely stated as 'weak' but actively attacked? alan
Re: mrtg alternative
+1 for Statseeker. Ease of use etc (price depends on eg site size etc). Can do lots on just one mid server unlike some other bloaty solutions out there. But we also still use MRTG for some local bespoke measurements PS you can get a free Eval of statseeker. Obnote, don't work for them just a fairly happy customer alan
Re: Equipment Supporting 2.5gbps and 5gbps
Um. You don't have an option for old copper plants. This stuff gives you 2.5gig or 5gig on cat5/cat5e (depending on distance). If you can do 10g you really shouldn't be caring about this stuff. In the optical world just jump to using 10Gig (where you can) alan
Re: Binge On! - get your umbrellas out, stuff's hitting the fan.
For the sake of security of all internet connected hosts - especially in this new era of even more IOT junk, security updates, firmware and new OS updates should be granted libre data rates so that users who keep their devices updated are not penalised. as for carriers' pipes...well, if multicast was seriously taken up then eg OS updates could be streamed out on regular updates alan
Re: Binge On! - get your umbrellas out, stuff's hitting the fan.
You're assuming that people are only using phones with their SIM - those that use a mifi dongle and thus view content on a tablet or laptop will notice. We could rate limit traffic from YouTube to 1.5mbps and let the adaptive streaming knock the stream to 480p but our users with 100mbit connections might wonder why they cannot view 720p or 1080p - and why spicy they view such content - its like putting back the web and online video services 5 years. Where does it stop? 320x240? Bulk data and background update processes are things that could possibly be throttled - after all, that's pretty much what QoS does. Most of my phone data is google play software updates and on woes phone ios and itunes store updates - it doesn't matter if the update ticks along in the background. Audio and video need to be good. alan
Re: announcement of freerouter
> RouterOS is an existing product by MikroTik

Yes but this was an announcement about freerouter. If RouterOS has an announcement to make they can send their own email ;)

alan
Re: MACsec to edge hosts
The host has to support it... I've only seen the cisco anyconnect client add such support to the host alan
RE: Nat
I'm surprised that none of the home wifi router folk have cornered the market on that one in terms of client separation. Most people don't need the devices to talk to each other so by default all ports on different VLANs .. 192.168.0-8.x etc Internet of things security out of the box. Web interface to change port membership for those that DO need inter device access. Or maybe there are such defaults out there from some suppliers i'm not familiar with? :) alan
Re: Advance notice - H-root address change on December 1, 2015
No. CentOS follows RedHat. They backport fixes to older versions rather than put the new version out. It appears they have an aversion to new features and just want to put the fixes onto the older versions. So that 9.9.4 probably has 60% of the changes that the diff of 9.9.4 has to 9.9.8. This action confuses most. alan
Re: EyeBall View
Indeed. They just need more places across the world hosting Anchors :) alan
Re: Why is NANOG not being blacklisted like any other provider that sent 500 spam messages in 3 days?
I was looking out for the sub-Reddit thread ;) alan
Re: The spam is real
There's also probably a large number of people gnashing their teeth that all of these compromised sites have been so readily identified by a very basic spam scam. A massive waste of opportunity for real black hats alan
Re: EyeBall View
What, like RIPE NCC ? :) alan
RE: Static IPs
Aye. It was an amusing anecdote/joke about their poor wording/pitch. I didn't see it as some sales thing, guess others are having a stressful day or got out of bed the wrong side today :/ alan
Re: RIPE atlas probes
'should have largely the same vantage point ...' That's *exactly* one of the functions of these probes. It's very interesting what they can find out. Never assume (you know the rest of that...) alan
Re: Inexpensive probes for automated bandwidth testing purposes
One of the small microPC solutions. Depending on what you want to test (eg bandwidth) you may find platforms like raspberrypi too limited. Intel NUC or LIVA platforms? https://www.perfsonar.net/deploy/hardware-selection/low-cost-hardware/ alan
Re: Recent trouble with QUIC?
Yes. Next gen firewalls stop that kind of game ;) alan
Re: Ear protection
Great summary of the thread No-one using remote control robots with video feed etc for working in these environments then? Plans to? ;) alan
Re: Extraneous "legal" babble--and my reaction to it.
> It's just text at the bottom of your email.

1 often a very large amount of text - in this case the legalese was something like 10x longer than the comment!

2 it's pointless. It's not enforceable and doesn't mean anything. Shall i put a chapter of war and peace at the end of my emails? You could just ignore it. ;)

alan
RE: Windows 10 Release
'QoS problems are to be expected'. Uh? Don't you put QoS into place just to ensure that the minimum bandwidth you need to ensure critical services (such that your voice traffic is not impeded for example) are NOT affected across your WAN links when there are big globs of data banging around? Surely, if anything, this is the one case and time when the QoS deployment effort can be shown to have value (obviously the policies would already have been validated against saturated links as part of sign off) alan
Re: Hotels/Airports with IPv6
2 mbit is still more than 32 bit ;) alan
Re: Hotels/Airports with IPv6
> No. They should just ask, with the best
> geek intonation, whether "this
> place still is stuck with 32-bit Internet"

I'm sure they'd gladly report that their Internet is 24 mbit and not just 32 bit ;)

alan
Re: Any Verizon datacenter techs about?
> There was signing of NDAs

Which you obviously read and follow to the letter ;)

alan
Re: REMINDER: LEAP SECOND
I do feel sorry for you unix/linux users having a problem in year 2038 fortunately I get another ~ 8 years... my Amiga gets its first big problem in 2046 ;-) http://web.archive.org/web/19981203142814/http://www.amiga.com/092098-y2k.html alan PS if i get to see the 2078 issue I'll be old enough to fuss about other things than a 2 digit date display...and I'm sure if I'm around until 7 February, 2114, 06:28:16 I'll have more to worry about than an old Amiga finally reaching the end of its useful life...unless it's actually driving my life support system! ;-)
Re: eBay is looking for network heavies...
'Don't learn by heart that which you can look up.' apart from enough basics to get you up and connected so that you CAN look things up! ;) There's a whole debate about the education system and learning things by rote that can be looked up. In many sectors you have reference tomes...some MUST be reviewed before doing any work. I think there are some key advantages to knowing things when in the field BEFORE you then see the rest of the day go by while troubleshooting. You have to know eg the basics of OSPF to know what to look up when an adjacency doesn't come up...to be in 'the right ballpark' as they say :) alan
Re: Android (lack of) support for DHCPv6
'We plan to use DHCPv6 rather than SLAAC for a variety of reasons' Care to elaborate on the reasons? Due to client support we have both. In fact we had SLAAC for many years and just 2 years ago we added DHCPv6...that was to ensure fuller client support (since windows and OSX amongst others started to support it) but also because of the ongoing slowness of our kit supporting the growing list of SLAAC extensions to provide DNS/NTP etc values :/ dual-stack since 2001. HE 'sage' ;) alan
Re: WiFi courses/vendors recommendation
+1 for CWNP courses. The CWNA and CWDP cover RF quite well too, you'll pick up most of what's needed...imho most of the vendor specific courses' only benefit is to tell you how to manage their control plane. Which button to click on the interface etc ;) alan