Re: Here we go again.

2016-11-10 Thread Bacon Zombie
https://youtu.be/Yi_2020LJQo

On Nov 10, 2016 18:27, "Aaron C. de Bruyn via NANOG" 
wrote:

> On Wed, Nov 9, 2016 at 2:39 PM, Ronald F. Guilmette
>  wrote:
> > There are plenty of reasons for thinking people to be terrified today.
> > I don't know why you've chosen to focus on such a small one.  Here's a
> > bigger one:
> >
> > http://bit.ly/2fTdmiG
>
> Ok--so on a somewhat NANOG-related note...please tell me that's not a
> *real* picture of the nuclear football and that our lives aren't in
> the hands of Windows Vista...  ;)
>
> -A
>


Re: how to deal with port scan and brute force attack from AS 8075 ?

2016-04-07 Thread Bacon Zombie
They should always just use Shodan.

https://www.shodan.io/explore

On 4 April 2016 at 05:54, Brandon Vincent  wrote:
> On Thu, Mar 31, 2016 at 4:41 AM, DV  wrote:
>> I have noticed this and especially the strange format of the packets with a
>> SYN/ECE/CWR flag combination: http://pastebin.com/jFCDAmdr
>>
>> This may be $whoever trying to establish network performance/congestion via
>> ECN or it could be something else like a fast scan technique or OS
>> fingerprinting
>
> It's OS fingerprinting. Targeted attacks are far more productive. If
> I'm trying to get into an organization, I'd much rather be interested
> in Juniper ScreenOS than someone's personal *nix machine.
>
> Brandon Vincent



-- 


BaconZombie

55:55:44:44:4C:52:4C:52:42:41

LOAD "*",8,1
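The SYN/ECE/CWR combination DV reports in the quoted message is what RFC 3168 calls an ECN-setup SYN, so the flag octet alone cannot separate congestion negotiation from probing. The Python below is an added example, not code from any poster in this thread: it decodes the flag octet and applies an assumed triage heuristic (several distinct targets, no handshake ever completed). The `min_targets` threshold, the function names and the documentation-range addresses are all constructed for illustration.

```python
import struct
from collections import defaultdict

# Bit values of the TCP flags octet (byte 13 of the TCP header).
FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08,
         "ACK": 0x10, "URG": 0x20, "ECE": 0x40, "CWR": 0x80}


def header(sport, dport, names):
    """Build a minimal 20-byte TCP header (used only for the constructed samples)."""
    bits = 0
    for name in names:
        bits |= FLAGS[name]
    # Data offset = 5 words, no options; seq, ack, checksum, urgent left at zero.
    return struct.pack("!HHIIHHHH", sport, dport, 0, 0, (5 << 12) | bits, 1024, 0, 0)


def decode_flags(tcp_header):
    """Return the set of flag names present in a raw TCP header."""
    if len(tcp_header) < 20:
        raise ValueError("truncated TCP header")
    return frozenset(n for n, bit in FLAGS.items() if tcp_header[13] & bit)


def classify(flags):
    if flags == {"SYN", "ECE", "CWR"}:
        return "ecn-setup-syn"        # RFC 3168: SYN with both ECE and CWR set
    if flags == {"SYN", "ACK", "ECE"}:
        return "ecn-setup-synack"     # RFC 3168: the ECN-capable reply
    if flags == {"SYN"}:
        return "plain-syn"
    if flags == {"ACK"}:
        return "ack"
    return "other"


def triage(packets, min_targets=3):
    """Label each source of inbound ECN-setup SYNs.

    packets: iterable of (src_ip, dst_ip, raw_tcp_header) seen at the border.
    A source that opens ECN-setup SYNs toward at least min_targets hosts and
    never follows any of them with the ACK that completes a handshake is
    labelled probe-like (assumed heuristic, not a verdict).
    """
    opened = defaultdict(set)      # src -> flows begun with an ECN-setup SYN
    completed = defaultdict(set)   # src -> those flows later ACKed by the source
    for src, dst, raw in packets:
        sport, dport = struct.unpack("!HH", raw[:4])
        flow = (dst, sport, dport)
        kind = classify(decode_flags(raw))
        if kind == "ecn-setup-syn":
            opened[src].add(flow)
        elif kind == "ack" and flow in opened[src]:
            completed[src].add(flow)

    report = {}
    for src, flows in opened.items():
        targets = {dst for dst, _, _ in flows}
        if completed[src]:
            report[src] = "handshake-completing"
        elif len(targets) >= min_targets:
            report[src] = "probe-like"
        else:
            report[src] = "inconclusive"
    return report


ECN_SYN = ["SYN", "ECE", "CWR"]

# Constructed inbound packets (RFC 5737 documentation addresses).
SAMPLE_PACKETS = [
    ("203.0.113.50", "192.0.2.1", header(1160, 22, ECN_SYN)),
    ("203.0.113.50", "192.0.2.2", header(1161, 22, ECN_SYN)),
    ("203.0.113.50", "192.0.2.3", header(1162, 22, ECN_SYN)),
    ("203.0.113.50", "192.0.2.4", header(1163, 22, ECN_SYN)),
    ("198.51.100.20", "192.0.2.1", header(40000, 443, ECN_SYN)),
    ("198.51.100.20", "192.0.2.1", header(40000, 443, ["ACK"])),
    ("198.51.100.30", "192.0.2.2", header(40001, 22, ECN_SYN)),
]

if __name__ == "__main__":
    for src, verdict in triage(SAMPLE_PACKETS).items():
        print(src, verdict)
```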


Re: how to deal with port scan and brute force attack from AS 8075 ?

2016-03-31 Thread Bacon Zombie
I would ignore the portscans since there is nothing wrong with portscanning
the Internet.

Install fail2ban {don't forget to whitelist your management static IPs}.

You may want to increase the default bantime and findtime {how far back to
search logs}.

On 31 Mar 2016 11:06, "Todd Crane"  wrote:

> I must have missed that… my bad.
>
>
> > On Mar 31, 2016, at 2:01 AM, Dan Hollis  wrote:
> >
> > It's right there in his email:
> >
> > "We have sent email to ab...@microsoft.com, but no answer."
> >
> > -Dan
> >
> > On Thu, 31 Mar 2016, Todd Crane wrote:
> >
> >> Oh and,
> >>
> >> I’m assuming you contacted Microsoft’s abuse? If not, it’s not cool,
> not to mention unprofessional, to publicly call them out on such a public
> forum without giving them an opportunity to correct it first.
> >>
> >>> On Mar 31, 2016, at 1:15 AM, Todd Crane  wrote:
> >>>
> >>> Marcel
> >>>
> >>> Depending on what is on those machines, I would just recommend using
> fail2ban. The default is that if an ip address fails ssh auth 3 times in 5
> minutes, their ip gets blocked via iptables for 5 minutes. This is enough
> to thwart most scripted attacks, especially those from a certain government
> in Asia. This is configurable to various applications, timing schemes, and
> blocking/jailing mechanisms.
> >>>
> >>> -Todd
>  On Mar 31, 2016, at 1:02 AM, marcel.duregards--- via NANOG <
> nanog@nanog.org> wrote:
> 
>  Dear Nanog'er,
> 
>  We are facing a lot of port scan and brute force attack on port 22
> (but
>  not limited to) from Microsoft AS 8075 range toward our own infra, or
>  toward our customers.
>  We have sent email to ab...@microsoft.com, but no answer.
> 
>  source ip are:
>  NetRange:   40.74.0.0 - 40.125.127.255
>  CIDR:   40.74.0.0/15, 40.112.0.0/13, 40.124.0.0/16,
>  40.76.0.0/14, 40.80.0.0/12, 40.125.0.0/17, 40.96.0.0/12,
> 40.120.0.0/14
>  NetName:MSFT
> 
> 
> 
>  We consider port scan and brute force on ssh port as an attack, and even
>  as a pre-DDOS phase (could be used to install botnet, detect unpatched
>  host, and so on).
> 
>  It's one thing to propose services and make money over an infra, it's
>  another thing to take care that your clients do not use this infra to
>  make illegal stuff.
> 
> 
>  How do you deal with such massive amount of 'illegal' traffic ?
> 
>  Thank,
>  Best Regards
>  Marcel
> 
> 
> 
> 
> 
>  Here are some examples (we have more than 3000 such packets per day just
>  from them, probably Azure), and source ip is always different of course:
> 
> 
>  Flow Filtering Expression
>  src AS 8075 and dst port 22 and packets=1
>  Limit Flows
>  4
>  Sorting
>  By Date
> 
> >>
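The advice in this message (whitelist management addresses, lengthen bantime and findtime) and the settings Todd Crane describes in the quoted reply (3 failures in 5 minutes, 5 minute ban) can be compared directly. The Python below is an added example, not fail2ban's code and not from anyone in this thread: it replays a constructed failure timeline through the same kind of sliding window. The log format, the addresses, the `Jail` class and the tuned values (1 hour findtime, 1 day bantime) are assumptions for illustration.

```python
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed timeline of sshd failures (RFC 5737 documentation addresses,
# simplified timestamps). It lists every attempt as if no firewall existed;
# the Jail below decides which attempts a ban would already have stopped.
SAMPLE_LOG = """\
2016-03-31 01:00:00 sshd[101]: Failed password for root from 203.0.113.7 port 4001 ssh2
2016-03-31 01:00:00 sshd[102]: Failed password for invalid user admin from 198.51.100.9 port 5001 ssh2
2016-03-31 01:00:05 sshd[103]: Failed password for root from 203.0.113.7 port 4002 ssh2
2016-03-31 01:00:10 sshd[104]: Failed password for root from 203.0.113.7 port 4003 ssh2
2016-03-31 01:02:00 sshd[105]: Failed password for root from 203.0.113.7 port 4004 ssh2
2016-03-31 01:03:00 sshd[106]: Failed password for invalid user admin from 198.51.100.9 port 5002 ssh2
2016-03-31 01:06:00 sshd[107]: Failed password for invalid user admin from 198.51.100.9 port 5003 ssh2
2016-03-31 01:06:00 sshd[108]: Failed password for root from 203.0.113.7 port 4005 ssh2
2016-03-31 01:06:05 sshd[109]: Failed password for root from 203.0.113.7 port 4006 ssh2
2016-03-31 01:06:10 sshd[110]: Failed password for root from 203.0.113.7 port 4007 ssh2
2016-03-31 01:09:00 sshd[111]: Failed password for invalid user admin from 198.51.100.9 port 5004 ssh2
2016-03-31 01:12:00 sshd[112]: Failed password for invalid user admin from 198.51.100.9 port 5005 ssh2
2016-03-31 01:20:00 sshd[113]: Failed password for ops from 192.0.2.10 port 6001 ssh2
2016-03-31 01:20:03 sshd[114]: Failed password for ops from 192.0.2.10 port 6002 ssh2
2016-03-31 01:20:06 sshd[115]: Failed password for ops from 192.0.2.10 port 6003 ssh2
"""

FAILED = re.compile(
    r"^(?P<ts>\S+ \S+) sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?\S+ from (?P<ip>\S+) port "
)


@dataclass
class Jail:
    """Sliding-window ban logic: maxretry failures within findtime => ban for bantime."""
    maxretry: int
    findtime: timedelta
    bantime: timedelta
    ignoreip: tuple = ()                       # CIDR strings that are never banned
    failures: dict = field(default_factory=dict)
    banned_until: dict = field(default_factory=dict)
    bans: list = field(default_factory=list)   # (time, ip) in the order bans fired

    def feed(self, when, ip):
        if any(ip_address(ip) in ip_network(net) for net in self.ignoreip):
            return                             # whitelisted management address
        if self.banned_until.get(ip, datetime.min) > when:
            return                             # still banned: attempt never reaches sshd
        window = [t for t in self.failures.get(ip, []) if when - t <= self.findtime]
        window.append(when)
        if len(window) >= self.maxretry:
            self.banned_until[ip] = when + self.bantime
            self.bans.append((when, ip))
            window = []
        self.failures[ip] = window


def described_jail():
    # The settings as described in the quoted reply: 3 failures / 5 min / 5 min ban.
    return Jail(3, timedelta(minutes=5), timedelta(minutes=5))


def tuned_jail():
    # Assumed tuning: longer look-back and ban, management host whitelisted.
    return Jail(3, timedelta(hours=1), timedelta(days=1), ignoreip=("192.0.2.10/32",))


def banned_ips(jail, log=SAMPLE_LOG):
    """Replay the log through the jail and return banned IPs in ban order."""
    for line in log.splitlines():
        m = FAILED.match(line)
        if m:
            jail.feed(datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), m["ip"])
    return [ip for _, ip in jail.bans]


if __name__ == "__main__":
    print("described:", banned_ips(described_jail()))
    print("tuned:    ", banned_ips(tuned_jail()))
```

With the short window the source that tries once every three minutes is never banned, the fast source is back six minutes later, and the management host locks itself out; the tuned jail reverses all three outcomes.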

Re: Oh dear, we've all been made redundant...

2016-03-21 Thread Bacon Zombie
Every time I have to ring about my home internet the first thing they ask
me to do is reboot the modem and then connect via cable and check the link
light is green.

Had to fight with them before since the FRITZ!Box they supplied did
not have network link LEDs. Also I know it was a PPPoE auth issue looking
at the pcap from the router.

Still did not stop them from insisting it was a modem issue and sent me
out 3 replacements.
On 21 Mar 2016 18:33, "Ken Chase"  wrote:

> "how many times did he reboot it?" "once."  "well, i think he needs to try
> a
> few more times."
>
> The Website Is Down: https://www.youtube.com/watch?v=uRGljemfwUE#t=6m30s
>
> (old but good.)
>
> /kc
>
>
> On Mon, Mar 21, 2016 at 01:06:35PM -0400, Chuck Church said:
>   >Uggghhh.  I've always hated this 'reboot, see if it fixes it'
> methodology.  If the CPEs can't recover from error conditions correctly,
> they shouldn't be used.  I blame Microsoft for making this concept
> acceptable.  LOL.
>   >
>   >Chuck
>   >
>   >-Original Message-
>   >From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Mike
>   >Sent: Sunday, March 20, 2016 1:22 PM
>   >To: nanog@nanog.org
>   >Subject: Re: Oh dear, we've all been made redundant...
>   >
>   >
>   >This is great, I now have something I can show to my customers to
> confirm that all this power cycling and such really is an 'accepted
> problem'...
>   >
>   >On 03/19/2016 04:16 PM, Warren Kumari wrote:
>   >> Found on Staple's website:
>   >>
> http://www.staples.com/NetReset-Automated-Power-Cycler-for-Modems-and-
>   >> Routers/product_1985686
>   >>
>   >> Fixes all issues, less downtime, less stress...
>   >> Improves performance, eliminates buffering...
>   >> It slices, it dices in teeny, tiny slices.
>   >> It makes mounds of julienne fries in just seconds.
>   >> ...
>   >>
>   >> Description - copied here for convenience:
>   >>
>   >> All the issues associated with the Internet being down can be solved
>   >> by power cycling the modem and router. But that can be hard to do!
>   >> NetReset resolves network issues by offering sequential power cycling.
>   >> This means that when the modem and router are plugged into the device,
>   >> they are powered up at different times. The modem is powered up first,
>   >> then a minute later, the router is powered up. This rebooting will
>   >> occur at initial setup, every 24 hours and after a power failure. Do
>   >> you have a modem/router combo? No problem! NetReset will also power
> cycle the modem/router combo.
>   >>
>   >>
>   >> Automatically resets user's Internet every 24 hours Maximizes Internet
>   >> speed & reliability Eliminates media stream buffering Hands-free
>   >> Internet reset Resets hard-to-reach modem/router Less Internet
>   >> downtime Less daily stress No need to manually reset Reset occurs at
>   >> programmed time Updated information from Internet service provider
>   >> Proper reboot after a power failure Resetting allows equipment to
>   >> auto-correct issues
>   >>
>   >>
>   >
>
> --
> Ken Chase - m...@sizone.org
>


Re: Softlayer / Blocking Cuba IP's ?

2016-02-20 Thread Bacon Zombie
They have not blocked port 25 on their "legacy" EU Servers.
On 20 Feb 2016 9:39 am, "Yang Yu"  wrote:

> On Fri, Feb 19, 2016 at 9:18 PM, Tony Wicks  wrote:
> > I had a couple of VM's (personal mail/web hosting) with a provider who
> used Softlayer for transit. About a month ago Softlayer (without any notice
> or warning) blocked all outgoing port 25 at multiple datacentres for this
> provider. It took the hosting provider half a day to work out what had
> happened. Needless to say as much as I liked the company I had to move my
> hosts elsewhere (they did refund me to their credit). It seems that someone
> at Softlayer is extremely aggressive on their blocking policies to the
> point of making their service unusable. I would highly recommend the
> community votes with its wallet when it comes to these turkeys.
> >
>
> http://knowledgelayer.softlayer.com/content/outbound-email-port-25
>
> The announcement supposedly came out sometime late last year.
> "We offer a trusted third party email relay service from SendGrid for
> those customers who need to be able to send outbound email from their
> domains or applications."
>
> It seems some indirect customers were not informed of it until it went
> into effect on Feb 1, 2016. For me the monitoring service on port 25
> stopped working.
>


Re: Netflix NOC? VPN Mismarked?

2016-01-28 Thread Bacon Zombie
Do all "smart" TVs and Game consoles fully support IPv6 out of the box?
On 28 Jan 2016 10:17, "Chris Knipe"  wrote:

> On Thu, Jan 28, 2016 at 11:07 AM, Owen DeLong  wrote:
>
> >
> > Fortunately Netflix is running IPv6 for most things already. If you’re an
> > ISP and you’re not
> > allowing them to reach Netflix via IPv6, then you’re part of the problem
> > rather than the solution.
> >
> >
> Sure.  Easy to say when you have access to IPv6, and your transit providers
> actually PROVIDE IPv6 services.
>
> So sick and tired of this IPv6 preaching.  There are HUGE obstacles in huge
> parts of the world preventing the use of IPv6.
>
> Simply throwing IPv6 as a solution to absolutely everything, is hardly a
> solution at all I'm afraid.
>
> --
> Chris.
>


Re: ICYMI: FBI looking into LA fiber cuts, Super Bowl

2016-01-20 Thread Bacon Zombie
*Twitch Plays* Super Bowl Drone needs to be a thing.
On 20 Jan 2016 17:43, "Scott Whyte"  wrote:

>
>
> On 1/20/16 08:25, Naslund, Steve wrote:
>
>> Helicopters near the Super Bowl are cleared to be there and are flown by
>> vetted professional pilots.  A human pilot in a helicopter presumably has
>> some kind of qualification to be there while a drone (although I don't like
>> that word) could be flown by any moron with a couple hundred bucks.  I also
>> think the government is going completely overboard with the "drone threat"
>> but in the case of the Super Bowl, there should definitely be a reasonable
>> restriction on drone flights, ANY flight for that matter.  I think
>> reasonable drone pilots would agree with that.
>>
> Can't wait for autonomous drones in the $50 range.  And the autonomous
> counter-drones.
>
>>
>> Steven Naslund
>> Chicago IL
>>
>> -Original Message-
>> From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of
>> valdis.kletni...@vt.edu
>> Sent: Wednesday, January 20, 2016 9:46 AM
>> To: Rafael Possamai
>> Cc: nanog@nanog.org
>> Subject: Re: ICYMI: FBI looking into LA fiber cuts, Super Bowl
>>
>> On Tue, 19 Jan 2016 15:41:31 -0600, Rafael Possamai said:
>>
>>> I fail to see how drones relate to fiber cuts and the superbowl. Did
>>> the article author just throw that in there? The news helicopter
>>> getting aerial footage also poses a risk, so not sure what's special
>>> about drones.
>>>
>> Drones don't cost $200 per hour to keep in the air, and they're not as
>> obvious as a helicopter.  So it becomes a lot easier to get in there and
>> grab some unauthorized video
>>
>
>


Re: ICYMI: FBI looking into LA fiber cuts, Super Bowl

2016-01-19 Thread Bacon Zombie
Am I the only one who thinks the below line is BS?

 "...pose a risk of injury to event-goers if an operator loses control."

If there are no safeguards in place for "normal" network issues then
we would have heard of injuries before.

On 19 January 2016 at 21:30, Grant Ridder  wrote:
> Broke ground in April 2012
> http://www.mercurynews.com/southbayfootball/ci_20434376/49ers-break-ground-this-evening-stadium-at-center
>
> -Grant
>
> On Tue, Jan 19, 2016 at 12:12 PM, Jay R. Ashworth  wrote:
>
>> - Original Message -
>> > From: "Owen DeLong" 
>>
>> > Correct me if I’m wrong, but these FO vandalisms have been going on in
>> the bay
>> > area since before the stadium
>> > was even funded.
>> >
>> > This leads me to believe that this is just another example of an LE
>> landgrab.
>>
>> How old's the stadium?  The article does mention late '14.
>>
>> Cheers,
>> -- jra
>> --
>> Jay R. Ashworth  Baylink
>> j...@baylink.com
>> Designer The Things I Think   RFC
>> 2100
>> Ashworth & Associates   http://www.bcp38.info  2000 Land
>> Rover DII
>> St Petersburg FL USA  BCP38: Ask For It By Name!   +1 727 647
>> 1274
>>



-- 


BaconZombie

55:55:44:44:4C:52:4C:52:42:41

LOAD "*",8,1


Re: Whatsapp issue ?

2015-12-31 Thread Bacon Zombie
It's kinda working in Berlin.

Probably due to everyone messaging "Happy New 0xB33r".
On 31 Dec 2015 7:53 pm, "Idafe Houghton"  wrote:

> Somebody has told me if I knew that WA it's down.
>
> I knew, but not that it also affected Barcelona, Spain.
>
> Well, kind of expected. No surprise.
>
> On Thu, Dec 31, 2015 at 6:01, Emanuel Linoan wrote:
>
>> Whatsapp down in SE-Brazil too.
>>
>> Sent from my iPhone
>>
>>  On 31/12/2015, at 13:48, Marco Paesani wrote:
>>>
>>>  Hi,
>>>  here in Italy WA isn't working, anybody know why ?
>>>  Thanks !
>>>  Ciao,
>>>  --
>>>
>>>  Marco Paesani
>>>  MPAE Srl
>>>
>>>  Skype: mpaesani
>>>  Mobile: +39 348 6019349
>>>  Success depends on the right choice !
>>>  Email: ma...@paesani.it
>>>
>>


Re: Questions regarding equipment for a large LAN event

2015-12-07 Thread Bacon Zombie
Have a look at what they did for QuakeCon.

What Powers Quakecon | Network Operations Center Tour
https://www.youtube.com/watch?v=mOv62lBdlXU


https://mobile.twitter.com/quakeconnetwork
On Dec 7, 2015 1:15 PM,  wrote:

> hi
>
>
> okay...so lots of gig connections with 10g interconnects etc - have you
> actually done network
> analysis/flows of the events in the past to see what you actually require
> to run the event?
> what sort of stuff are they doing - multiplayer PvP stuff or are they
> shipping
> images/ISOs across to each other?   as well as the data requirements what
> sort of protection
> do you put into place (that would affect choice of edge switch).   as
> others will probably
> say, this is really more suited to eg c-nsp
>
>
> alan
>


Re: Modem as a service?

2015-12-06 Thread Bacon Zombie
Have you looked into scheduled scans with WarVOX?
On Dec 6, 2015 7:39 PM, "James Laszko"  wrote:

We are looking to automate testing of OOB modem connections when our NMS
detects a site connection failure.  Rather than have a live body call a
modem number (or even a fax) to see if it answers (to determine if there is
a potential site power issue), we'd like to be able to utilize some "Modem
as a service" to automate this.  I've exhausted my Google skills trying to
see if anything like this exists.  Anyone have any experience?



Thank you,


James Laszko
Mythos Technology Inc
jam...@mythostech.com


Re: NTP versions in production use?

2015-07-12 Thread Bacon Zombie
Are you using Nmap or masscan?
Also I'd be interested in what switches and settings you are using.
On 12 Jul 2015 16:26, "Alistair Mackenzie"  wrote:

> I’m currently running a scan of the internet and querying NTP versions.
>
> I’ll publish the results of it on Github and mail them in here :)
>
>
>
>
> On 12/07/2015 15:15, "NANOG on behalf of Mike O'Connor" <
> nanog-boun...@nanog.org on behalf of m...@dojo.mi.org> wrote:
>
> >:Thanks, and I'm kinda stunned that folks are running such ancient
> >:versions of NTP.
> >
> >I suggest you get accustomed to being stunned.
> >
> >:https://support.ntp.org/bin/view/Dev/ReleaseTimeline
> >:
> >:4.2.0 was EOL'd in June of 2006, and we've fixed about 3,000 issues in
> >:the codebase since then.
> >
> >4.2.0 may have been EOL'd in 2006, but it was still shipping as the
> >default in FreeBSD until 2009.
> >
> >Out of those 3000 issues, only a tiny fraction are security-related
> >that would apply to JunOS.  I expect that they backport security and
> >other fixes as necessary, until some bigger engineering effort and|or
> >headache calls for a forklift/mass upgrade of things.
> >
> >
> >--
> > Michael J. O'Connor
> m...@dojo.mi.org
> >
> =--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--=
> >"Fire me, boy!" -The Human
> Bullet
>
>


Re: Fwd: [ PRIVACY Forum ] Windows 10 will share your Wi-Fi key with

2015-07-07 Thread Bacon Zombie
This is on by default in the beta like all the reporting in MS.

Will probably be either a prompt in the RTM version.
On 7 Jul 2015 05:05, "Sean Donelan"  wrote:

> On Mon, 6 Jul 2015, Joe Greco wrote:
>
>> Anyways, if you look on the first page of "Customize settings", yes
>> there's an option for "Automatically connect to networks shared by my
>> contacts" and it CAN be turned off, but it defaults to on.
>>
>
> Defaults matter.  Every configuration parameter has a default setting,
> whether intentional or not.
>
>


Re: How long will it take to completely get rid of IPv4 or will it happen at all?

2015-06-27 Thread Bacon Zombie
Is anybody still using IPX or TokenRing?

I've heard that TokenRing is over 9000 times better for iSCSI since you are
guaranteed that the packets will not get collisions.
On 27 Jun 2015 18:39, "Fredy Kuenzler"  wrote:

> On 27.06.2015 at 16:38, Bob Evans wrote:
> > We have a greater supply for packets to travel than we do for
> > addresses required to move packets. Do you know how many packets a
> > single IP address can generate or utilize, if it was attached to
> > "The World's Fastest Internet" in someplace like Canadaland or Sweden
> > on init7's Fiber7 ?
>
> Thanks for mentioning Fiber7, which is actually available in
> Switzerland, not Sweden. And every Fiber7 customer gets a /48, too.
>
> --
> Fredy Kuenzler
>
> -
> Fiber7. No Limits.
> https://www.fiber7.ch
> -
>
> Init7 (Switzerland) Ltd.
> AS13030
> St.-Georgen-Strasse 70
> CH-8400 Winterthur
> Skype:   flyingpotato
> Phone:   +41 44 315 4400
> Fax: +41 44 315 4401
> Twitter: @init7 / @kuenzler
> http://www.init7.net/
>
>


Re: Lists of VPN exit addresses?

2015-06-10 Thread Bacon Zombie
Well if they are using Hola then EVERY person with it installed is an
exit-node.

http://adios-hola.org

https://m.reddit.com/r/netsec/comments/37rit3/adios_hola_why_you_should_immediately_uninstall/
On 10 Jun 2015 14:28, "Jared Mauch"  wrote:

>
> > On Jun 10, 2015, at 8:08 AM, Roland Dobbins  wrote:
> >
> >
> > On 10 Jun 2015, at 18:56, John Levine wrote:
> >
> >> I presume there is no need to explain why this would be of interest.
> >
> > To keep consumers who've legitimately purchased/rented/subscribed to
> content from accessing same when they travel internationally?
> >
> > Because as a regular international traveler, that's what springs to mind
> when I see requests like this.
> >
> > Another thought is governmentally-driven censorship, something else I
> encounter a lot in my travels.
>
> I’ll just simplify this and say that the Tor Project publishes a list of
> its exit nodes so you can block these if your abuse/fraud requirements
> necessitate this.
>
> https://check.torproject.org/cgi-bin/TorBulkExitList.py
>
> If it’s for geolocation blocking, I’m in favor of these political
> limitations to go away.  It doesn’t take a genius to bypass these if that’s
> your intent.
>
> - Jared


Re: most accurate geo-IP source to build country-based access lists

2015-06-08 Thread Bacon Zombie
Tinder would be more accurate since it uses the phones GPS.

You could also cross check what subreddits they are subscribed to.
On 8 Jun 2015 23:12,  wrote:

> Hi,
>
> > Have you thought about application layer tests - e.g. is the
> > client's character set/language set to Swedish? Has the user
> > identified himself/herself/henself as living in or being from
> > Sweden?
>
> ...just waiting for someone to suggest checking their web cookies
> to see what area they've got defined in adultfriendfinder or whatever...
> ;-)
>
> alan
>


Re: Password Decryption Methods?

2015-06-02 Thread Bacon Zombie
Grab the firmware and run it through BinWalk. You should be able to pull
out the firmware and see what it does to the password before storing it.
On 2 Jun 2015 22:03, "Landon Stewart"  wrote:

On Jun 2, 2015, at 9:23 AM, Michael O Holstein 
wrote:
> If you can share the other details (make, model, firmware revision,
processor type, etc.) .. whatever you know and can share) .. it would be
more helpful. Also, how'd you get the hash? .. from a config file backup or
from another device that used it to access this one? If so, what software,
etc.

Serial # too.  :-D


Re: Huawei and ZTE Routers

2015-05-08 Thread Bacon Zombie
You could try cross posting to UKNOG since BT use Huawei in their DSLAMs.

http://lists.uknof.org.uk/cgi-bin/mailman/listinfo/uknof/
On 7 May 2015 21:18, "ML"  wrote:

> On 5/7/2015 2:25 PM, Daniel Corbe wrote:
>
>> Colton Conor  writes:
>>
>>  The other thread about the Alcatel-Lucent routers has been pleasantly
>>> delightful. Our organization used to believe that Juniper, Cisco, and
>>> Brocade were the only true vendors for carrier grade routing, but now we
>>> are going to throw Alcatel-Lucent into the mix.
>>>
>>> ZTE and Huawei, the big chinese vendors, have also been mentioned to us.
>>> I
>>> know there are large national security issues with using these vendors in
>>> the US, but I know Level3 and other large American vendors use Huawei and
>>> ZTE in their networks.
>>>
>>> How do their products perform? How are they compared to Cisco and Juniper
>>> on the performance side of the house? Is their pricing really half or
>>> less
>>> of that of Cisco and Juniper? Is it worth using these vendors or not
>>> worth
>>> the hassle?
>>>
>> I don't know much about Huawei but be wary of ZTE's claims.  They love
>> their vendor lock-in.  They have a bad habit of giving away hardware for
>> next to nothing and then ratcheting up support costs.
>>
>> Opex needs to be a consideration when selecting an equipment vendor as
>> well as capex.
>>
>>
> 2nd hand information:
>
> Apparently the NMS for ZTE's GPON gear is an ugly contraption.
> When upgrades are needed:
> "we have to deploy a series of convoluted batch files"
> "and it has to be installed in the directory that whatever they installed
> it to in China"
> "paths are hardcoded in the app"
>
>
> Hopefully there is no crossover into ZTE's other products.
>
>


Re: BGP offloading (fixing legacy router BGP scalability issues)

2015-04-03 Thread Bacon Zombie
Is port scanning illegal in China?

If not then there is no reason for them to do anything about it.
On 3 Apr 2015 19:00, "Barry Shein"  wrote:

>
> On April 2, 2015 at 14:19 goe...@anime.net (goe...@anime.net) wrote:
>  > a number of years back i did have someone contact in chinese and the
>  > response was that the customer was doing nothing wrong.
>
> Ok, that's progress of a sort, what's the authoritative source of
> right and wrong, something beyond "c'mon it's obvious!"?
>
> --
> -Barry Shein
>
> The World  | b...@theworld.com   |
> http://www.TheWorld.com
> Purveyors to the Trade | Voice: 800-THE-WRLD| Dial-Up: US, PR,
> Canada
> Software Tool & Die| Public Access Internet | SINCE 1989 *oo*
>


Re: Purpose of spoofed packets ???

2015-03-10 Thread Bacon Zombie
Nmap has an option to "hide" your real IP among either a provided or IP
list of IP addresses.

"-D <decoy1>[,<decoy2>][,ME][,...] (Cloak a scan with decoys)

Causes a decoy scan to be performed, which makes it appear to the remote
host that the host(s) you specify as decoys are scanning the target network
too. Thus their IDS might report 5–10 port scans from unique IP addresses,
but they won't know which IP was scanning them and which were innocent
decoys. While this can be defeated through router path tracing,
response-dropping, and other active mechanisms, it is generally an
effective technique for hiding your IP address."

http://nmap.org/book/man-bypass-firewalls-ids.html
On 11 Mar 2015 02:17, "Steve Atkins"  wrote:


On Mar 10, 2015, at 4:40 PM, Matthew Huff  wrote:

> We recently got an abuse report of an IP address in our net range.
However, that IP address isn't in use in our networks and the covering
network is null routed, so no return traffic is possible. We have external
BGP monitoring, so unless something very tricky is going on, we don't have
part of our prefix hijacked.
>
> I assume the source address was spoofed, but this leads to my question.
Since the person that submitted the report didn't mention a high packet
rate (it was on ssh port 22), it doesn't look like some sort of SYN attack,
but any OS fingerprinting or doorknob twisting wouldn't be useful from the
attacker if the traffic doesn't return to them, so what gives?
>
> BTW, we are in the ARIN region, the report came out of the RIPE region.

Either the reporter doesn't know what they're talking about (common enough)
or someone is scanning for open ssh ports, hiding their real IP address by
burying it in a host of faked source addresses. That's a standard option on
some of the stealthier port scanners, IIRC.

Cheers,
  Steve


Re: OT - Small DNS "appliances" for remote offices.

2015-02-18 Thread Bacon Zombie
You also have to watch out for issues with the Pi corrupting SD cards.
On 19 Feb 2015 01:04, "Geoff Mulligan"  wrote:

> I have used the BeagleBone to run a few simple servers.  I don't know if
> the ethernet port on the Bone is on the USB bus. It is slightly more
> expensive than a PI, but they have worked well for me.
>
> Geoff
>
> On 02/18/2015 04:44 PM, Peter Loron wrote:
>
>> For any site where you would use a Pi as the DNS cache, it won't be an
>> issue. DNS isn't that heavy at those query rates.
>>
>> Yeah, it would be awesome if they'd been able to get a SoC that included
>> ethernet.
>>
>> -Pete
>>
>> On 2015-02-18 15:08, Robert Webb wrote:
>>
>>> What I do not like about the Pi is the network port is on the USB bus
>>> and thus limited to USB speeds.
>>>
>>>  Original message From: Maxwell Cole
>>>  Date:02/18/2015  4:30 PM
>>> (GMT-05:00) To: "nanog@nanog.org >> 'NANOG list'"
>>>  Subject: Re: OT - Small DNS "appliances"
>>> for remote offices. 
>>> 
>>>
>>
>


Re: North Korean internet goes dark (yes, they had one)

2014-12-27 Thread Bacon Zombie
CCC would not do anything pro-NK.

On 27 December 2014 at 19:49, Javier J  wrote:

> Looks like it is still going on.
>
> you can make this stuff up:
>
> ""Obama always goes reckless in words and deeds like a monkey in a tropical
> forest,""
>
>
> http://arstechnica.com/tech-policy/2014/12/north-korea-suffers-another-internet-outage-hurls-racial-slur-at-pres-obama/
>
> On Wed, Dec 24, 2014 at 6:26 PM, Keith Medcalf 
> wrote:
>
> > >> What would be the point in blocking them? They don't even have
> > >> electricity in the country, what would I worry about coming out
> > >> of their IP block that wouldn't be more interesting than dangerous.
> > >> Pretty obvious if it was really them behind the Sony hack, it
> > >> was outsourced.
> >
> > >For the few elite that do have Internet in DPRK it would be 1) a big
> > >inconvenience which would annoy them a lot and 2) they have to transmit
> > >what they want attacked to the outsourced crew (whoever they might be)
> > >somehow.  I doubt the outsourced group has a fax#.
> >
> > I am pretty sure that they have fax machines in Washington Dee Cee.
> >
> > ---
> > Theory is when you know everything but nothing works.  Practice is when
> > everything works but no one knows why.  Sometimes theory and practice are
> > combined:  nothing works and no one knows why.
> >
> >
> >
> >
> >
> >
>



-- 


BaconZombie

55:55:44:44:4C:52:4C:52:42:41

LOAD "*",8,1


Re: Got a call at 4am - RAID Gurus Please Read

2014-12-11 Thread Bacon Zombie
Are you running ZFS and RAIDZ on Linux or BSD?
On 10 Dec 2014 23:21, "Javier J"  wrote:

> I'm just going to chime in here since I recently had to deal with bit-rot
> affecting a 6TB linux raid5 setup using mdadm (6x 1TB disks)
>
> We couldn't rebuild because of 5 URE sectors on one of the other disks in
> the array after a power / ups issue rebooted our storage box.
>
> We are now using ZFS RAIDZ and the question I ask myself is, why wasn't I
> using ZFS years ago?
>
> +1 for ZFS and RAIDZ
>
>
>
> On Wed, Dec 10, 2014 at 8:40 AM, Rob Seastrom  wrote:
>
> >
> > The subject is drifting a bit but I'm going with the flow here:
> >
> > Seth Mos  writes:
> >
> > > Raid10 is the only valid raid format these days. With the disks as big
> > > as they get these days it's possible for silent corruption.
> >
> > How do you detect it?  A man with two watches is never sure what time it
> > is.
> >
> > Unless you have a filesystem that detects and corrects silent
> > corruption, you're still hosed, you just don't know it yet.  RAID10
> > between the disks in and of itself doesn't help.
> >
> > > And with 4TB+ disks that is a real thing.  Raid 6 is ok, if you accept
> > > rebuilds that take a week, literally. Although the rebuild rate on our
> > > 11 disk raid 6 SSD array (2TB) is less than a day.
> >
> > I did a rebuild on a RAIDZ2 vdev recently (made out of 4tb WD reds).
> > It took nowhere near a day let alone a week.  Theoretically takes 8-11
> > hours if the vdev is completely full, proportionately less if it's
> > not, and I was at about 2/3 in use.
> >
> > -r
> >
> >
>


Re: Comcast thinks it ok to install public wifi in your house

2014-12-11 Thread Bacon Zombie
BT in the UK did the same thing a few years ago with a silent firmware
upgrade.
On 11 Dec 2014 15:51, "Scott Helms"  wrote:

> John,
>
> My apologies, I misread your email :)
>
>
> Scott Helms
> Vice President of Technology
> ZCorum
> (678) 507-5000
> 
> http://twitter.com/kscotthelms
> 
>
> On Thu, Dec 11, 2014 at 9:46 AM, John Peach 
> wrote:
>
> > On Thu, 11 Dec 2014 09:37:22 -0500
> > Scott Helms  wrote:
> >
> > > It is, you only have to log in once and then it remembers your MAC
> > > address.  Harvesting usable MAC addresses is as trivial as putting up
> > > an open access point with the SSIDs xfinitywifi and CableWifi and
> > > recording the MAC addresses that connect to it.
> >
> > I was just pointing out that you don't even need to login with the
> > device. Cablevision allow you to register a MAC address on their
> > website.
> >
> >
> > >
> > >
> > > Scott Helms
> > > Vice President of Technology
> > > ZCorum
> > > (678) 507-5000
> > > 
> > > http://twitter.com/kscotthelms
> > > 
> > >
> > > On Thu, Dec 11, 2014 at 9:30 AM, John Peach
> > >  wrote:
> > >
> > > > On Thu, 11 Dec 2014 09:24:10 -0500
> > > > valdis.kletni...@vt.edu wrote:
> > > >
> > > > > On Thu, 11 Dec 2014 00:11:07 -0500, Jay Ashworth said:
> > > > > > I will give them their props: I only had to sign in *once*, last
> > > > > > year; their auth controller has recognized my MAC address at
> > > > > > every spot I've used since.
> > > > >
> > > > > Actually, that's sort of scary if you think about it too hard.
> > > > > Shared-secret authentication has its flaws, but it still beats
> > > > > shared-nonsecret auth.
> > > > >
> > > > > I really hope it's something on your laptop other than the mac
> > > > > address
> > > >
> > > > It's not - Cablevision allow you to register devices via their
> > > > website by mac address.
> > > >
> >
>


RE: Cisco CCNA Training (Udemy Discounted Training)

2014-12-04 Thread Bacon Zombie
Anybody got codes valid for December?
On 14 Nov 2014 18:07, "Wakefield, Thad M." 
wrote:

> Since there was some interest in the Udemy CCNA training, I'll risk
> forwarding these additional discounts:
>
> Remember that this is ONLY for the month of NOVEMBER!
> *** CCNA Course is now $24 with coupon code: THANKS24
> https://www.udemy.com/the-complete-ccna-200-120-course/?couponCode=THANKS24
> *** ROUTING Course is now $14 with coupon code: THANKS14
>
> https://www.udemy.com/routing-configuration-router-administration/?couponCode=THANKS14
> *** SWITCHING Course is now $9 with coupon code: THANKS9
> https://www.udemy.com/layer-2-switching-vlans/?couponCode=THANKS9
> *** IPv4 Course is now $9 with coupon code: THANKS9
>
> https://www.udemy.com/everything-you-need-to-know-about-ipv4-and-its-configuration/?couponCode=THANKS9
> *** IPv6 Course is now $9 with coupon code: THANKS9
> https://www.udemy.com/the_abcs_of_ipv6/?couponCode=THANKS9
> *** VLANs Course is now $5 with coupon code: THANKS5
>
> https://www.udemy.com/overview-of-vlans-access-list-nat-bonus-material/?couponCode=THANKS5
> *** OSPF Course is now $14 with coupon code: THANKS14
> https://www.udemy.com/ospf-breakdown/?couponCode=THANKS14
> *** HEX Course is FREE *** use coupon code: THANKSFREE
>
> https://www.udemy.com/learn-how-to-do-hex-conversions-in-under-30-seconds/?couponCode=THANKSFREE
>
>


RE: Cisco CCNA Training (Udemy Discounted Training)

2014-11-14 Thread Bacon Zombie
Is that the codes can only be used during November or access to the
training?
On 14 Nov 2014 18:07, "Wakefield, Thad M." 
wrote:

> Since there was some interest in the Udemy CCNA training, I'll risk
> forwarding these additional discounts:
>
> Remember that this is ONLY for the month of NOVEMBER!
> *** CCNA Course is now $24 with coupon code: THANKS24
> https://www.udemy.com/the-complete-ccna-200-120-course/?couponCode=THANKS24
> *** ROUTING Course is now $14 with coupon code: THANKS14
>
> https://www.udemy.com/routing-configuration-router-administration/?couponCode=THANKS14
> *** SWITCHING Course is now $9 with coupon code: THANKS9
> https://www.udemy.com/layer-2-switching-vlans/?couponCode=THANKS9
> *** IPv4 Course is now $9 with coupon code: THANKS9
>
> https://www.udemy.com/everything-you-need-to-know-about-ipv4-and-its-configuration/?couponCode=THANKS9
> *** IPv6 Course is now $9 with coupon code: THANKS9
> https://www.udemy.com/the_abcs_of_ipv6/?couponCode=THANKS9
> *** VLANs Course is now $5 with coupon code: THANKS5
>
> https://www.udemy.com/overview-of-vlans-access-list-nat-bonus-material/?couponCode=THANKS5
> *** OSPF Course is now $14 with coupon code: THANKS14
> https://www.udemy.com/ospf-breakdown/?couponCode=THANKS14
> *** HEX Course is FREE *** use coupon code: THANKSFREE
>
> https://www.udemy.com/learn-how-to-do-hex-conversions-in-under-30-seconds/?couponCode=THANKSFREE
>
>


Re: cheap laptop with 32G or 64G recommendations

2014-11-12 Thread Bacon Zombie
I'd say 60% of laptops at security conferences I've been to are Lenovo, 30%
Apple and 10% Dell/other.
On 12 Nov 2014 20:35, "John Schiel"  wrote:

>
> On 11/11/2014 05:54 PM, lobna gouda wrote:
>
>> Thanks all for your reply, lenovo seems decent almost all the pc ( lenovo
>> and hp) are decent with the 16G.somebody mentioned with 16g it is a bit
>> slow; Keith here is saying the 32G he had no issue. i intend to buy my own
>> memory just to save on the costi agree 64 will be sky expensive and cloud
>> will do, then.By the way W530 is replaced by W540, donot see much benefit
>> for my case.
>>
>
> Be careful with Lenovo, some folks think it has a bad security reputation.
> Why? *shrug*, not sure but maybe because it's a Chinese company with ties
> to the PRC and IIRC, there was a BIOS flaw.
>
> --John
>
>> Brgds,
>> Lobna Gouda
>>
>>> Date: Tue, 11 Nov 2014 12:13:09 -0800
>>> From: blakan...@gmail.com
>>> To: nanog@nanog.org
>>> Subject: Re: cheap laptop with 32G or 64G recommendations
>>>
>>> I have an almost two-year old Lenovo W530 with 32G ram. I've been happy
>>> with it. I don't find myself taking advantage of the ram (w/ VMWare
>>> Workstation) as much as I thought I would.
>>>
>>> http://shop.lenovo.com/us/en/laptops/thinkpad/w-series/w530/
>>>
>>> -Keith
>>>
>>> Darden, Patrick wrote:
>>>
>>>> If there is a cheap quad-core laptop with 64GB of ram and no huge
>>>> downsides...  then sign me up!  I expect that will be the standard in 5
>>>> years, but right now that is a hoss.
>>>>
>>>> Izaac's suggestion of using the cloud is good, if you can do it.  Cloud
>>>> services have come a long way--fast and easy to set up complex
>>>> environments.  Great article comparing performance and costs:
>>>>
>>>> http://www.infoworld.com/article/2610403/cloud-computing/ultimate-cloud-speed-tests--amazon-vs--google-vs--windows-azure.html
>>>>
>>>> --p
>>>>
>>>>
>>>> -Original Message-
>>>> From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Izaac
>>>> Sent: Monday, November 10, 2014 6:25 PM
>>>> To: NANOG
>>>> Subject: [EXTERNAL]Re: cheap laptop with 32G or 64G recommendations
>>>>
>>>> On November 10, 2014 4:49:08 PM EST, lobna gouda <
>>>> lobna_go...@hotmail.com> wrote:
>>>>
>>>>> Hello,
>>>>> Any recommendation, not looking for anything fantasy,  my understanding
>>>>> it should be quardcore, with more than DIMM0 slot so each can have 8G.
>>>>> wind7-64bits to work. I want to use it as a server or practice logical
>>>>> routers
>>>>>
>>>> "Cheap" and "64GiB of RAM" are incompatible concepts in laptops.
>>>>
>>>> There is no earthly reason you should need to carry a machine like that
>>>> anyway. If for some reason you need something so equipped, get yourself a
>>>> cloud instance and connect to it. That's how you save money.
>>>>
>>>> If you're stuck working in a completely isolated environment, then work
>>>> it into the contract. That's the cost of being on an island.
>>>>
>>>> --
>>>> Izaac
>>>>
>>>
>>
>
>


Re: Tech Laptop with DB9

2014-11-10 Thread Bacon Zombie
You mean like they did with the last driver update pushed via Windows
Update?

http://hackaday.com/2014/10/22/watch-that-windows-update-ftdi-drivers-are-killing-fake-chips/
On 10 Nov 2014 23:32, "John Schiel"  wrote:

>
> On 11/10/2014 02:05 PM, joel jaeggli wrote:
>
>> ftdi chipsets work on both mac and windows devices.
>>
>
> I'd be careful with FTDI chipsets, you want to make sure you get the real
> chip. If they decide to move forward with bricking counterfeit chips,
> you'll be wasting your $$.
>
>
> --John
>
>
>> http://www.amazon.com/Serial-Console-Rollover-Cable-Routers/dp/B00M2SAKMG/ref=sr_1_16?s=electronics&ie=UTF8&qid=1415653377&sr=1-16&keywords=ftdi+serial
>>
>> On 11/10/14 10:39 AM, Max Clark wrote:
>>
>>> Hi all,
>>>
>>> DB9 ports seem to be a nearly extinct feature on laptops. Any
>>> suggestions on a cheap laptop for use in field support (with an onboard
>>> DB9)?
>>>
>>> Thanks,
>>> Max
>>>
>>>
>>>
>>
>


Re: GMail contact - misroute / security issue

2014-09-30 Thread Bacon Zombie
This probably also affected German users.
On Sep 30, 2014 6:32 PM, "Alexander Harrowell" 
wrote:

> Related oddness: if you're British and a GMail user, you either got a
> gmail.com username before the lawsuit, or you got a googlemail.com
> between the lawsuit and the point when Google and the owner of the
> "gmail" trademark settled, or then you got a gmail.com again.
>
> Google chose to alias googlemail.com and gmail.com addresses so as to
> minimise the mess, but this doesn't stop people who have
> googlemail.com entering gmail.com (or vice versa) when they set up an
> account on www.somewebsi.te, because they are conditioned to use
> gmail.com/googlemail.com interchangeably, and then being baffled as to
> why firstname.lastn...@googlemail.com (or vice versa)/password1234
> doesn't work, because googlemail==gmail and anyway my address is
> really firstname.lastn...@gmail.com (or googlemail) - look, I get
> email on it, it must be the right one :-)
>
>
>
> On Tue, Sep 30, 2014 at 12:17 AM, Jeff Woolsey  wrote:
> > On 09/29/14 10:06, Nicolai wrote:
> >>
> >> Most likely reason: gmail is so common that someone mistypes
> >> johnsm...@example.com as johnsm...@gmail.com, not paying attention to
> what
> >> they're doing. It happens.
> >
> >
> > More likely, I think, is that newbies think that email addresses already
> > exist for everyone on the planet at firstl...@gmail.com, and they just
> give
> > that when asked (maybe they think it's throwaway and never actually
> expect
> > to get any email there).  I'm in the same boat.   It doesn't bother me
> all
> > that much because gmail is not my primary mail service.  I use it to
> store
> > big stuff that's clogging the mail service I do pay for.  In fact, it
> can be
> > entertaining, as I get usernames and passwords for sites that this guy
> > signed up for.  He's also a poker player and has recently tried to
> enroll at
> > an art college.  The latter I could reply to and explain that their
> > prospective student is an idiot and should not be accepted, but that's
> what
> > will happen anyway if I don't say anything.
> >
> > --
> > Jeff Woolsey {woolsey,jlw}@{jlw,jxh}.com first.last@{gmail,jlw}.com
> > Spum bad keming.
> > Nature abhors a straight antenna, a clean lens, and unused storage
> capacity.
> > "Delete! Delete! OK!" -Dr. Bronner on disk space management
> > "Card sorting, Joel." -me, re Solitaire
> >
>


Re: Match.com contact - Previously: GMail contact - misroute / security issue

2014-09-29 Thread Bacon Zombie
You sure your wife did not sign up for Match.com and using this as a cover
story?
On Sep 29, 2014 6:17 AM, "John Fraizer"  wrote:

> Set up a filter in the GMAIL console to match (pun intended) the "Match"
> emails and filter them into their own label.  Then, hide that label.  Don't
> delete them though.  You might have a gold mine there.  Think of the
> comedic relief you could provide others with "
> www.My-wife-keeps-getting-sent-pics-of-some-guys-tiny.org"  You could post
> the emails, the profile names of the pervs, etc.  Sort of like a 20/20 "To
> catch a..." only instead of predator, it would be perv.
>
> --
> John Fraizer
> ΥΣΜΧ
>


Re: Saying goodnight to my GSR

2014-09-20 Thread Bacon Zombie
OK thank you for decommissioning this.*

* Only if you either had authority to do so for max 1 year or had no
authority but were fighting to have it patched or replaced for years.
On Sep 20, 2014 7:54 PM, "Daniel Sterling" 
wrote:

> On Sat, Sep 20, 2014 at 1:37 PM, Bacon Zombie 
> wrote:
>
> > So when was the last time you patched this internet facing device?
>
> Isn't the better response, thank you for decommissioning it?
>
> Can someone from cisco set up a poll or release whatever numbers they
> have about how many of these old devices are still in service?
>
> Thanks,
> Dan
>


Re: Saying goodnight to my GSR

2014-09-20 Thread Bacon Zombie
So when was the last time you patched this internet facing device?
On Sep 20, 2014 7:12 PM, "Matthew S. Crocker" 
wrote:

> -48VDC.
>
>
>
> > On Sep 20, 2014, at 10:58 AM, James R Cutler <
> james.cut...@consultant.com> wrote:
> >
> > On Sep 20, 2014, at 10:18 AM, Matthew Crocker 
> wrote about his old router:
> >
> >> 
> >> gsr8-1 uptime is 9 years, 9 weeks, 2 days, 8 hours, 39 minutes
> >> Uptime for this control processor is 9 years, 2 weeks, 2 days, 18
> minutes
> >> System returned to ROM by Stateful Switchover at 13:46:36 UTC Tue Sep 6
> 2005
> >> 
> >
> > Matt,
> >
> > Wow.  You have amazing power reliability!
> >
> > Want to tell us your secret?
> >
> > Regards.
> >
> > James R. Cutler
> > james.cut...@consultant.com
> > PGP keys at http://pgp.mit.edu
> >
> >
> >
>
>


Re: Help me make sense of these traceroutes please

2013-12-25 Thread Bacon Zombie
Pitcher of Guinness!?! What blasphemy is this, the only way to drink it is
via individually poured pint glasses.

Back to the issues I'd say MPLS or GCHQ before NSA.
On 25 Dec 2013 15:52,  wrote:

> On Tue, 24 Dec 2013 19:03:02 -0500, Sam Moats said:
>
> > Also you'd be amazed how many network issues can be solved with a bunch
> > of IT folks and an ample supply of Guinness
>
> I once heard the claim that if you couldn't explain your network design and
> have the listener understand it after you had split a pitcher of Guinness,
> it was probably too complicated.
>
>


Re: Prism continued

2013-06-12 Thread Bacon Zombie
There is no way they could have paid for all the Splunk licencing costs
with the budget quoted before.

On 9 June 2013 18:42, Daniel Rohan  wrote:
> Anyone else notice that the Boundless Informant GUI looks suspiciously like
> the Splunk GUI?
>
> And according to the article, it sounds like it does exactly what Splunk is
> capable of, albeit on a grander scale than I thought possible.
>
> dgr
> On Jun 9, 2013 9:29 AM, "Warren Bailey" <
> wbai...@satelliteintelligencegroup.com> wrote:
>
>> I suppose this system was part of the 20MM as well?
>>
>>
>> http://gizmodo.com/meet-boundless-informant-the-nsa-tool-that-watches-the-512107983
>>
>>
>>
>> Sent from my Mobile Device.
>>



-- 


BaconZombie

LOAD "*",8,1



"After Being Cut From Norway, The Pirate Bay Returns From North Korea" or is it just BGP Tricks

2013-03-04 Thread Bacon Zombie
The Pirate Bay have released a press release that they are now hosted
out of North Korea:

"The Pirate Bay has been hunted in many countries around the world.
This is truly an ironic situation. We have been fighting for a
free world, and our opponents are mostly huge corporations from the
United States of America, a place where freedom and freedom of speech
is said to be held high..
...We believe that being offered our virtual asylum in Korea is a
first step of this country's changing view of access to
information..."

http://falkvinge.net/2013/03/04/after-being-cut-from-norway-the-pirate-bay-returns-from-north-korea/
https://thepiratebay.se/blog/229


But there is a lot of debate on Reddit that they are not really in
North Korea and just doing some BGP trickery:

"Anyone can hijack an AS number and not cause any issues for the real
user – In this case The Pirate Bay set up a Sat dish in Phnom Penh,
Cambodia – Intelsat gives them a BGP session there.

The peer net for BGP handoff is 175.45.177.217/30, .216 is Intelsats
side and .217 is The Pirate Bay’s.
One can use ANY IP they wish for these handoffs, internal, their own,
“hijacked” – In this case The Pirate Bay “hijacked” 2 IPs from the
North Korean network which does not matter for them as this is only
accessible from their side, not from the internet.

TBP then injected AS131279 as peer in the upstream table – so it does
not look like this:

 AS22351 – AS51040

But instead:

 AS22351 – AS131279 – AS51040

This is possible because either Intelsat does not filter BGP
announcements (unlikely) or TBP wrote a fake LOA for this AS (likely).

Now as we traceroute the TBP IP we see the /30 subnet used for the
handoff in Phnom Penh, which is why TPB says it is in North Korea –
The ICMP (ping) reply from the IP makes it seem legit but does
actually come from an entirely different network (aka the real
Star-KP network).

(There's some more but I spare you that as it is pretty technological –
for example that AS131279 does not hand over AS51040 routes to
AS4737)."

http://www.reddit.com/r/technology/comments/19nb00/after_being_cut_from_norway_the_pirate_bay/


Anybody have an input on this and able to confirm or deny the claims
of BGP Hijacking?

--


BaconZombie

LOAD "*",8,1
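An added example, not part of the post or of the Reddit comment it quotes: a small Python comparison of a baseline AS path against a newly observed one, using the two paths as written above, that separates an ASN inserted between two previously adjacent ASNs from plain prepending or an origin change. The function names and the documentation ASN 64500 are assumptions made for this example, and a path comparison like this only shows what changed, not whether the announcement was authorised.

```python
import re
from itertools import groupby

# Paths exactly as written in the quoted comment (upstream first, origin last).
BASELINE = "AS22351 – AS51040"
OBSERVED = "AS22351 – AS131279 – AS51040"


def parse_as_path(text):
    """Parse 'AS22351 – AS51040' or '22351 51040 51040' into a list of ASNs.

    Consecutive repeats are collapsed so that AS-path prepending, which is
    ordinary traffic engineering, is not reported as a change.
    """
    asns = [int(n) for n in re.findall(r"\d+", text)]
    if not asns:
        raise ValueError("no AS numbers found in %r" % text)
    return [asn for asn, _ in groupby(asns)]


def compare_paths(baseline, observed):
    """Return a list of findings describing how `observed` differs from `baseline`.

    Finding shapes:
      ("origin-change", old_origin, new_origin)
      ("insertion", left, (new ASNs...), right)   left/right were adjacent before
      ("new-segment", left, (new ASNs...), right) anything else not in the baseline
    """
    base = parse_as_path(baseline)
    obs = parse_as_path(observed)
    findings = []

    # The origin is the last ASN in the path.
    if base[-1] != obs[-1]:
        findings.append(("origin-change", base[-1], obs[-1]))

    known = set(base)
    known_edges = set(zip(base, base[1:]))

    left = None   # last baseline ASN seen while walking the observed path
    run = []      # ASNs not present in the baseline, seen since `left`
    for asn in obs:
        if asn not in known:
            run.append(asn)
            continue
        if run:
            kind = "insertion" if (left, asn) in known_edges else "new-segment"
            findings.append((kind, left, tuple(run), asn))
            run = []
        left = asn
    if run:
        # Unknown ASNs at the origin end of the path.
        findings.append(("new-segment", left, tuple(run), None))
    return findings


if __name__ == "__main__":
    for finding in compare_paths(BASELINE, OBSERVED):
        print(finding)
```
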



Re: Problem with email to Hawaiilink.net email

2013-01-15 Thread Bacon Zombie
Looks like you are not the only one with issues connecting to Hawaii:

http://permalink.gmane.org/gmane.org.operators.isotf.outages/5231

On 16 January 2013 00:19, david peahi  wrote:
> Does anyone know of any problems in Hawaii with email or DNS problems?
> Sending from gmail.com and pacbell.net domains, I get:
>
>
> host mail.hawaiilink.net[24.43.223.114] said: 553
> 5.1.8 emailaddr...@pacbell.net ... Domain of sender address
> emailaddr...@pacbell.net does not exist (in reply to MAIL FROM command)
>
> Regards,
>
> David



--


BaconZombie

LOAD "*",8,1



Re: Hurricane Electric Tunnelbroker staff?

2012-12-23 Thread Bacon Zombie
Can I ask why you count a port scan as something bad?
Or is it just the length of time it has been running for and it re-running
the same scan repetitively?





On 23 December 2012 05:31, Ben Carleton  wrote:

> Hi folks,
>
> I am seeing an IPv6-connected host on my network (which is on a HE.net
> tunnel) apparently being portscanned by an HE server at 2001:470:0:64::2
> for about the last hour or so. It is trying to hit several different ports
> four times each before moving on and eventually repeating itself.
>
> If anyone from HE can shed some light on what's going on here it would be
> greatly appreciated, I can provide the IP of the host in question off-list
> if needed.
>
> Thanks,
> -- Ben
>
>


-- 


BaconZombie

LOAD "*",8,1


Re: Google burp

2012-10-31 Thread Bacon Zombie
And if you are a Chrome user have a look at Vimium [1]

[1] http://vimium.github.com/

On 31 October 2012 23:43, Chris Adams  wrote:
> Once upon a time, shawn wilson  said:
>> yeah, be careful with their new compose feature. i'm used to vim, so i
>> hit esc half way through an email which generally does nothing.
>> however, with this "new" feature, it closed the email. then it took it
>> longer to appear in drafts than it did to compose a new email. so, now
>> i've disabled it. i hope they don't force the issue until they give me
>> vim key bindings in my email editor :)
>
> Have you tried the Firefox add-on that can turn input boxes into vi
> mode?  Does that work with Gmail?
> --
> Chris Adams 
> Systems and Network Administrator - HiWAAY Internet Services
> I don't speak for anybody but myself - that's enough trouble.
>



-- 



BaconZombie

LOAD "*",8,1


Re: Network scan tool/appliance horror stories

2012-10-29 Thread Bacon Zombie
It all depends on what tools they are using and how you have your system
setup.

Both NMAP and Nessus can check system\service to see if common accounts
have default or no password at all.
This can cause these accounts to be locked out.

There are other "exploits" that can cause systems\services to be DOS'd but
these normally have to be enabled.

Best to get a statement of works from them which should list all the tools
including options they will be using.

They also should be able to hand over a raw dump of ALL commands run during
the testing.

On 29 October 2012 19:25, Justin M. Streiner wrote:

> On Mon, 29 Oct 2012, Pedersen, Sean wrote:
>
>  We're evaluating several tools at the moment, and one vendor wants to
>> dynamically scan our network to pick up hosts - SNMP, port-scans, WMI, the
>> works. I was curious if anyone had any particularly gruesome horror stories
>> of scanning tools run amok.
>>
>
> If you have any overloaded/under-powered network gear, such as stateful
> firewalls and routers that do lots of NAT, you might find them very
> quickly, depending on how aggressive the scanning tool is.  There might
> also be devices out there that, while possibly lightly loaded, can reach
> some minimally documented resource threshold under a very aggressive scan,
> and subsequently tip over.
>
> Also, if you're doing IPv6, the performance metrics for many network
> devices can be a bit more of a moving target.
>
> jms
>
>


-- 




BaconZombie

LOAD "*",8,1


Re: Google opens Web Window on their Data Centers

2012-10-19 Thread Bacon Zombie
It looks like the right-hand side is real and the left is just a
mirror on most of the pictures.
You can see from the LEDs, empty slots in the racks, hanging cables and labels.

Here is a collection of photos from the Reddit thread on it:

http://imgur.com/a/UBxVc

Also they did not show any of their custom networking equipment.

http://www.networking-forum.com/viewtopic.php?f=46&t=29803

The whole event was all just Smoke and Mirrors.

www.youtube.co.jp/watch?v=kU4RHfjeE8w

On 19 October 2012 14:09, Jérôme Fleury  wrote:
> On Thu, Oct 18, 2012 at 5:34 PM, Tony Finch  wrote:
>> Tony Patti  wrote:
>>>
>>> http://www.google.com/about/datacenters/gallery/#/
>>
>> Also worth seeing is this article which explains how their hot aisles work:
>> http://www.datacenterknowledge.com/archives/2012/10/17/how-google-cools-its-armada-of-servers/
>> And this longer and fluffier piece in Wired:
>> http://www.wired.com/wiredenterprise/2012/10/ff-inside-google-data-center/all/
>
> http://www.google.com/about/datacenters/gallery/#/tech/12
>
> This picture has obviously been photoshopped. If you look closely,
> this is a mirrored picture: left and right sides are strictly the
> same.
>



-- 

BaconZombie

LOAD "*",8,1


Re: Internet-wide port scans

2012-10-16 Thread Bacon Zombie
Have a look at the talks done by Fyodor the creator of Nmap "Scanning the
Internet".

http://nmap.org/presentations/BHDC08/bhdc08-slides-fyodor.pdf

http://www.securitytube.net/video/170

http://blog.thc.org/index.php?/archives/2-Port-Scanning-the-Internet.html

Also if you are looking for a host CloudSigma are open to Security Researchers
using their VPS system for this kind of work.

http://www.cloudsigma.com/




 On 16 Oct 2012 05:59, "Scott Weeks"  wrote:

>
>
> --- djahanda...@gmail.com wrote:
> From: Darius Jahandarie 
>
> Either way, in the US at least, it's not legal to port scan random
> machines on the internet, so this was a rather useless exercise. (And
> --
>
>
> Want to re-write that section or should I respond now?  ;-)
>
> scott
>
>


Re: The Department of Work and Pensions, UK has an entire /8

2012-09-18 Thread Bacon Zombie
Well 172.0.0.0 to 172.15.255.255 is now owned by AT&T and they have
live systems on some of them already.

On 18 September 2012 17:39, George Herbert  wrote:
>
> I'm having problems finding any announcements for this net 10/8, too.  Can 
> someone talk to these "IANA" folks about reclaiming it, too?  They have a 
> bunch of other space in 172.x they should be able to use...
>
>
> George William Herbert
> Sent from my iPhone
>
> On Sep 18, 2012, at 8:36 AM, "John Levine"  wrote:
>
>>> John Graham-Cumming, who found this unused block, wrote in a blog post that
>>> the DWP was in possession of 51.0.0.0/8 IPv4 addresses.
>>
>>
>> Please, don't anyone tell him about 25/8.
>>
>>
>



-- 



BaconZombie

LOAD "*",8,1


Re: Heads-Up: GoDaddy Broke the Interwebs...

2012-09-11 Thread Bacon Zombie
The blog says 99.999% uptime, but I'm guessing this "outage" lasted
more than 5.4930002 minutes and they probably had other issues
during the year.


On 11 September 2012 21:53, Rubens Kuhl  wrote:
>
> > No large flows reported to the affected NSes, tweets were suspicious at 
> > best, other anon-ops denied the attack was them, and GoDaddy admitted 
> > internal error.
> >
> > I'm going to take GoDaddy at their word, and give them major kudos for 
> > owning up to the mistake - in public.
>
> That doesn't mean that their description of the internal error fits
> what happened. Not to say that there were an attack, just that there
> can be more internal failures, including processes, to be accounted
> for. Whether they will publish a root-cause analysis/swiss chesse
> model/ or not is up to them, but to
> tech-savvy stakeholders I think they are still in debt.
>
>
> Rubens
>



--



BaconZombie

LOAD "*",8,1


Re: Blocking MX query

2012-09-04 Thread Bacon Zombie
Are you saying that you only allow your subscribers to use your DNS Servers
and block access to all other DNS Server?

On 4 September 2012 11:07, Ibrahim  wrote:

> Hi All,
>
> I've read old archive about blocking SMTP port (TCP port 25). In my current
> situation we are mobile operator and use NAT for our subscribers and we
> have few spammers, a bit difficult to track it because mostly our
> subscribers are prepaid services. If we block TCP port 25, there might be
> "good" subscribers will not be able to send email.
> We are thinking to block MX queries on our DNS server, so only spammer that
> use their own SMTP server will got affected. All DNS queries from our
> subscribers already redirected to our DNS cache servers. But seem Bind
> don't have feature to block MX query. Any best practice to block MX query?
>
>
> Regards
> Ibrahim
>



-- 




BaconZombie

LOAD "*",8,1


Re: Fair Use Policy

2012-08-22 Thread Bacon Zombie
I hope you are talking about 3G or there is a typo.
An ISP with a 5GB cap that is charging the end user more than 5$ total
{including line rental} a month should not be allowed to operate.

And if your infrastructure can't handle 25% at a minimum maxing out their
connection then don't advertise "unlimited" since you can't provide it and
it is false advertising.

The world would be a better place if ISPs that either throttled, cut off or
added on extra charges to the end users bill were fined to hell for false
advertising and repeat offenders were named and shamed on a public website.
 On 22 Aug 2012 20:42, "Shahab Vahabzadeh"  wrote:

> Dear Owen,
> Would you please describe this some how more in my bussiness plan?
> I have both limited and unlimited users.
> For example I have these services in my package:
> 512Kb-5GB-1Month
> 256Kb-Unlimit-1Month
> And like this.
> Thanks
>
> On Thu, Aug 23, 2012 at 12:02 AM, Owen DeLong  wrote:
>
> > Right... more specific aspect of the same coin. If you have adequate
> > facilities, you don't need to shape users.
> > If you have users that are overconsuming for your pricing model, there
> are
> > two good solutions:
> >
> > 1. Raise the prices enough for everyone that you can absorb these users.
> >  2. Implement usage-based charges (or usage based charges above a certain
> > usage tier) that cause these users to either self-regulate or pay for the
> > necessary
> >  upgrades to your infrastructure.
> >
> > Claiming to deliver "unlimited" service and then shaping it is, IMHO, a
> > questionable business practice at best.
> >
> > Owen
> >
> > On Aug 22, 2012, at 12:06 , Shahab Vahabzadeh 
> > wrote:
> >
> > What I am talking mostly is some services like COA, in which you can
> > change users shape time-base and periodically without disconnecting them.
> >
> > On Wed, Aug 22, 2012 at 11:33 PM, Owen DeLong  wrote:
> >
> >> If you want to control usage that way, sell a metered product. Bill the
> >> heavy users more for their usage.
> >>
> >> Otherwise, price your services such that you can build adequate upstream
> >> capacity to serve your users.
> >>
> >> I'm not a fan of using "rateshaping" (which is what you are describing)
> >> to cover for inadequate facilities.
> >>
> >> Owen
> >>
> >> On Aug 22, 2012, at 11:57 , Shahab Vahabzadeh 
> >> wrote:
> >>
> >> Dear Owen,
> >> As you know in pick time of internet usage like midnight in which we
> have
> >> free-access times too, some users which really want to use internet for
> >> their daily usage and not downloading or using peer-to-peer services
> >> unfairly affecting this problem.
> >> Some companies are using some polices for users to solve this problem.
> >> Do you have any Idea?
> >> Thanks
> >>
> >> On Wed, Aug 22, 2012 at 11:22 PM, Owen DeLong  wrote:
> >>
> >>> I think the first step would be to define what you mean by fair use.
> >>>
> >>> Are you talking in the DMCA sense of the term, the legal sense of the
> >>> term as applies
> >>> to IP in other areas, or something else?
> >>>
> >>> Owen
> >>>
> >>> On Aug 22, 2012, at 11:40 , Shahab Vahabzadeh  >
> >>> wrote:
> >>>
> >>> > Hello Everybody,
> >>> > Has any body any good and easy setup idea for "Fair Use Policy"
> >>> service for
> >>> > my xdsl customers?!
> >>> > Can do this in the BRAS side and nothing done with accounting and
> >>> radius?
> >>> > Thanks
> >>> >
> >>> > --
> >>> > Regards,
> >>> > Shahab Vahabzadeh, Network Engineer and System Administrator
> >>> >
> >>> > Cell Phone: +1 (415) 871 0742
> >>> > PGP Key Fingerprint = 8E34 B335 D702 0CA7 5A81  C2EE 76A2 46C2 5367
> >>> BF90
> >>>
> >>>
> >>
> >>
> >> --
> >> Regards,
> >> Shahab Vahabzadeh, Network Engineer and System Administrator
> >>
> >> Cell Phone: +1 (415) 871 0742
> >> PGP Key Fingerprint = 8E34 B335 D702 0CA7 5A81  C2EE 76A2 46C2 5367 BF90
> >>
> >>
> >>
> >
> >
> > --
> > Regards,
> > Shahab Vahabzadeh, Network Engineer and System Administrator
> >
> > Cell Phone: +1 (415) 871 0742
> > PGP Key Fingerprint = 8E34 B335 D702 0CA7 5A81  C2EE 76A2 46C2 5367 BF90
> >
> >
> >
>
>
> --
> Regards,
> Shahab Vahabzadeh, Network Engineer and System Administrator
>
> Cell Phone: +1 (415) 871 0742
> PGP Key Fingerprint = 8E34 B335 D702 0CA7 5A81  C2EE 76A2 46C2 5367 BF90
>


Re: Penetration Test Assistance

2012-06-05 Thread Bacon Zombie
You should have a look at the Pentest Standards page, it was created
by some very skilled Pen Testers who are trying to create a minimum
standard for all tests and reporting.

http://www.pentest-standard.org/index.php/Main_Page

Also you should just have to give them your external net-block
allocation that is in scope unless it is a more forced test and not a
general external test.

On 5 June 2012 20:48, Brett Watson  wrote:
>
> On Jun 5, 2012, at 9:52 AM, Peter Kristolaitis wrote:
>
>>
>> As far as horror stories... yeah.   My most memorable experience was a guy 
>> (with a CISSP designation, working for a company who came highly 
>> recommended) who:
>>    - Spent a day trying to get his Backtrack CD to "work properly".  When I 
>> looked at it, it was just a color depth issue in X that took about 45 
>> seconds from "why is this broken?" to "hey look, I fixed it!".
>>    - Completely missed the honeypot machine I set up for the test.  I had 
>> logs from the machine showing that his scanning had hit the machine and had 
>> found several of the vulnerabilities, but the entire machine was absent from 
>> the report.
>>    - Called us complaining that a certain behavior that "he'd never seen 
>> before" was happening when he tried to nmap our network.  The "certain 
>> behavior" was a firewall with some IPS functionality, along with him not 
>> knowing how to read nmap output.
>>    - Completely messed up the report -- three times.  His report had the 
>> wrong ports & vulnerabilities listed on the wrong IPs, so according to the 
>> report, we apparently had FreeBSD boxes running IOS or MS SQL...
>>    - Stopped taking our calls when we asked why the honeypot machine was 
>> completely missing from the report.
>>
>> In general, my experience with most "pen testers" is a severe 
>> disappointment, and isn't anything that couldn't be done in-house by taking 
>> the person in your department who has the most ingrained hacker/geek 
>> personality, giving them Nessus/Metasploit/nmap/etc, pizza and a big ass pot 
>> of coffee, and saying "Find stuff we don't know about. Go.".   There is the 
>> occasional pen tester who is absolutely phenomenal and does the job properly 
>> (i.e. the guys who actually write their own shellcode, etc), but the vast 
>> majority of "pen testers" just use automated tools and call it a day.  Like 
>> everything else in IT, security has been "commercialized" to the point where 
>> finding really good vendors/people is hard, because everyone and their mom 
>> has CEH, CISSP, and whatever other alphabet soup certifications you can 
>> imagine.
>
> I agree with a lot of what you've said, but there are absolutely good 
> security guys (pen testers, vulnerability assessors, etc.) that use both open 
> source and commercial automated tools, but still do a fantastic job because 
> they understand the underlying technologies and protocols.
>
> I used to do a lot of this in the past, had lots of automated tools, and only 
> occasionally wrote some assessment modules or exploit code if necessary.
>
> But again, a person in that position has to understand technology 
> holistically (network, systems, software, protocols, etc).
>
> -b



-- 
BaconZombie

LOAD "*",8,1



Re: ping me please...

2011-06-23 Thread Bacon Zombie
Reachable from Ireland using Eircom AS5466.

Host is up (0.029s latency).
Not shown: 64531 filtered ports, 1002 closed ports
PORT      STATE SERVICE    VERSION
443/tcp   open  ssl/http   Cisco ASA firewall http config (Cisco AWARE 2.0)
|_http-methods: No Allow or Public header in OPTIONS response (status code 302)
| http-title: SSL VPN Service
|_Requested resource was http://65.5.48.2/+CSCOE+/logon.html
1/tcp open  tcpwrapped

Network Distance: 4 hops
TRACEROUTE (using port 995/tcp)

HOP RTT  ADDRESS
1   0.00 ms  10.xxx.xxx.xxx
2   16.00 ms 192.xxx.xxx.xxx
3   16.00 ms xxx.xxx.xxx.xxx
4   16.00 ms 65.5.48.2


On 23 June 2011 14:07, Eric J Esslinger  wrote:
> I have just turned up and migrated to a new circuit. I'm getting a few 
> reports from one customer that some of his users are unable to reach his 
> system.
> If I could get people on the list to ping 65.5.48.2, and if it fails, to do a 
> traceroute and email it to me offlist? I'd appreciate it.
> Thanks.
> __
> Eric Esslinger
> Information Services Manager - Fayetteville Public Utilities
> http://www.fpu-tn.com/
> (931)433-1522 ext 165
>
> This message may contain confidential and/or proprietary information and is 
> intended for the person/entity to whom it was originally addressed. Any use 
> by others is strictly prohibited.
>
>



-- 
BaconZombie

LOAD "*",8,1