Re: BGP Hijack/Sickness with AS4637

[Chris Conn]

Hello,

I am the contact for AS16532.

We never announced nor are we currently advertising this prefix as we are not a 
transit AS for anyone.  As well, it seems to appear and disappear from AS63956 
looking glass.  According to that LG, the route changed 6d ago, and is *still 
currently visible* at this very moment;

https://lg.coloau.com.au/

Command: show route 18.29.238.0 protocol bgp table vrf-international.inet.0 
active-path

vrf-international.inet.0: 696764 destinations, 2288960 routes (696480 active, 0 
holddown, 103994 hidden)
+ = Active Route, - = Last Active, * = Both

18.29.238.0/23 *[BGP/170] 6d 01:06:11, localpref 90, from 103.97.52.2
  AS path: 4637 3257 29909 16532 16532 16532 16532 I, 
validation-state: unverified


AS16532 is not announcing this prefix.  We have a strict prefix-list that is 
applied to all sessions.  As well, AS29909 is filtering us using our announced 
AS-SETS/RPSL to avoid us the ability to do anything dumb.  And lastly, our 
announcements are being filtered by AS3257 as we are required to provide them 
via LOA.

There is still something wrong somewhere that is injecting this path, anyone 
have a LG pointed to AS4637 seeing this prefix announced with AS16532 in the AS 
path?

I doubt that AS29909 bouncing its BGP session with AS3257 (GTT) would change 
anything, as I am not seeing this prefix in their route-server

pub...@route-server.as3257.net-re0> show route 18.29.238.0 protocol bgp 
active-path

inet.0: 691667 destinations, 11752983 routes (691665 active, 1 holddown, 1 
hidden)
+ = Active Route, - = Last Active, * = Both

18.29.0.0/16   *[BGP/170] 3w4d 11:42:33, MED 0, localpref 100, from 
213.200.87.23
  AS path: 3257 174 3 I, validation-state: unverified
> to 141.136.111.13 via xe-1/0/0.0

{master}
pub...@route-server.as3257.net-re0>


{master}
pub...@route-server.as3257.net-re0> show route 18.29.238.0 protocol bgp | find 
16532

Pattern not found
{master}



So whatever is happening, its not at AS16532, AS29909 nor AS3257 that I can 
find.


Chris Conn
AS16532




-Original Message-
From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Tom Paseka via NANOG
Sent: Friday, May 25, 2018 6:01 PM
To: Nikolas Geyer 
Cc: NANOG list 
Subject: Re: BGP Hijack/Sickness with AS4637

This looks like a route that has been cached by some ISPs/routers even though a 
withdrawal has actually happened.

If you actually forward packets a long the path, you'll see its not following 
the AS Path suggested, instead the real route that it should be.
Bouncing your session with 4637 would likely clear this.

-Tom

On Fri, May 25, 2018 at 11:59 AM, Nikolas Geyer  wrote:

> Greetings!
>
> Actually, what you have provided below shows the exact opposite. It 
> shows ColoAU have received the route from 4637 who have received it 
> from 3257 who have received it from 29909 who have received it from
> 16532 who originated it. It infers nothing about who 16532 found the route to 
> come from.
>
> It is evident that GTT are advertising that route to Telstra Global :)
>
> Regards,
> Nik.
>
> >
> > And I'm pretty sure AS3257 (GTT ) is in the same boat as us, 
> > as
> they're not the one advertising those routes to AS4637
> >
> > AS16532 found it to come from AS4637 as you can see from this 
> > ColoAU
> LG output below
> >
> >
> > - https://lg.coloau.com.au/
> >
> > vrf-international.inet.0: 696533 destinations, 2248101 routes
> > (696249
> active, 0 holddown, 103835 hidden)
> > + = Active Route, - = Last Active, * = Both
> >
> > 18.29.238.0/23 *[BGP/170] 1d 19:57:28, localpref 90, from
> 103.97.52.2
> >   AS path: 4637 3257 29909 16532 16532 16532
> > 16532
> I, validation-state: unverified
> >
> > --
> > -
> > Alain Hebertaheb...@pubnix.net
> > PubNIX Inc.
> > 50 boul. St-Charles
> > P.O. Box 26770 Beaconsfield, Quebec H9W 6G7
> > Tel: 514-990-5911  http://www.pubnix.netFax: 514-990-9443
> >
>

FW: BGP Hijack/Sickness with AS4637

[Chris Conn]

Hello,

I am the contact for AS16532.

We never announced nor are we currently advertising this prefix as we are not a 
transit AS for anyone.  As well, it seems to appear and disappear from AS63956 
looking glass.  According to that LG, the route changed 6d ago, and is *still 
currently visible* at this very moment;

https://lg.coloau.com.au/

Command: show route 18.29.238.0 protocol bgp table vrf-international.inet.0 
active-path

vrf-international.inet.0: 696764 destinations, 2288960 routes (696480 active, 0 
holddown, 103994 hidden)
+ = Active Route, - = Last Active, * = Both

18.29.238.0/23 *[BGP/170] 6d 01:06:11, localpref 90, from 103.97.52.2
  AS path: 4637 3257 29909 16532 16532 16532 16532 I, 
validation-state: unverified


AS16532 is not announcing this prefix.  We have a strict prefix-list that is 
applied to all sessions.  As well, AS29909 is filtering us using our announced 
AS-SETS/RPSL to avoid us the ability to do anything dumb.  And lastly, our 
announcements are being filtered by AS3257 as we are required to provide them 
via LOA.

There is still something wrong somewhere that is injecting this path, anyone 
have a LG pointed to AS4637 seeing this prefix announced with AS16532 in the AS 
path?

I doubt that AS29909 bouncing its BGP session with AS3257 (GTT) would change 
anything, as I am not seeing this prefix in their route-server

pub...@route-server.as3257.net-re0> show route 18.29.238.0 protocol bgp 
active-path

inet.0: 691667 destinations, 11752983 routes (691665 active, 1 holddown, 1 
hidden)
+ = Active Route, - = Last Active, * = Both

18.29.0.0/16   *[BGP/170] 3w4d 11:42:33, MED 0, localpref 100, from 
213.200.87.23
  AS path: 3257 174 3 I, validation-state: unverified
> to 141.136.111.13 via xe-1/0/0.0

{master}
pub...@route-server.as3257.net-re0>


{master}
pub...@route-server.as3257.net-re0> show route 18.29.238.0 protocol bgp | find 
16532

Pattern not found
{master}



So whatever is happening, its not at AS16532, AS29909 nor AS3257 that I can 
find.


Chris Conn
AS16532




-Original Message-
From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Tom Paseka via NANOG
Sent: Friday, May 25, 2018 6:01 PM
To: Nikolas Geyer 
Cc: NANOG list 
Subject: Re: BGP Hijack/Sickness with AS4637

This looks like a route that has been cached by some ISPs/routers even though a 
withdrawal has actually happened.

If you actually forward packets a long the path, you'll see its not following 
the AS Path suggested, instead the real route that it should be.
Bouncing your session with 4637 would likely clear this.

-Tom

On Fri, May 25, 2018 at 11:59 AM, Nikolas Geyer  wrote:

> Greetings!
>
> Actually, what you have provided below shows the exact opposite. It 
> shows ColoAU have received the route from 4637 who have received it 
> from 3257 who have received it from 29909 who have received it from
> 16532 who originated it. It infers nothing about who 16532 found the route to 
> come from.
>
> It is evident that GTT are advertising that route to Telstra Global :)
>
> Regards,
> Nik.
>
> >
> > And I'm pretty sure AS3257 (GTT ) is in the same boat as us, 
> > as
> they're not the one advertising those routes to AS4637
> >
> > AS16532 found it to come from AS4637 as you can see from this 
> > ColoAU
> LG output below
> >
> >
> > - https://lg.coloau.com.au/
> >
> > vrf-international.inet.0: 696533 destinations, 2248101 routes
> > (696249
> active, 0 holddown, 103835 hidden)
> > + = Active Route, - = Last Active, * = Both
> >
> > 18.29.238.0/23 *[BGP/170] 1d 19:57:28, localpref 90, from
> 103.97.52.2
> >   AS path: 4637 3257 29909 16532 16532 16532
> > 16532
> I, validation-state: unverified
> >
> > --
> > -
> > Alain Hebertaheb...@pubnix.net
> > PubNIX Inc.
> > 50 boul. St-Charles
> > P.O. Box 26770 Beaconsfield, Quebec H9W 6G7
> > Tel: 514-990-5911  http://www.pubnix.netFax: 514-990-9443
> >
>

Re: gmail.com contact

[Chris Conn]

:


-Original Message-
From: Markus [mailto:unive...@truemetal.org]
Sent: 26 septembre 2013 07:37
To: nanog@nanog.org
Subject: gmail.com contact

Hi list,

We had a user account compromised a couple of days ago, spam naturally, and now 
the IP is blocked for delivering to gmail.com. We've completed the delivery 
problem form at support.google.com but if there is any way to speed up the 
process our customer and we would appreciate it. Could anyone put me in touch 
with a gmail.com contact?




Hi,

Good luck.  I have been going through the regular channels for over a 
month, to try and de-list a server that has not sent an email for over a 
month to Google or anyone for that matter, and no such luck.  If you get 
a hold of somebody, pls forward me contact info. I am trying again this 
morning, I will do the same for you.


Cheers,

Chris

AS174 - cogent - someone without denial syndrome please

[Chris Conn]

Any BGP admins from AS174 monitoring NANOG?  I would appreciate a quick 
email exchange regarding access to www.cogentco.com from some prefixes.


Thanks,

Chris

Re: Facebook broken over v6?

[Chris Conn]

On 2013-06-08 15:29, Chris Conn wrote:
It's affecting anyone running dual stack, as the server responds, 
hangs, times out and then it tries again on v6. At least in the latest 
FF and Safari browsers, I've not tried chrome. I've cc'd this over to 
Nanog, as I've not seen anything about it there, and I'm sure others 
are seeing it. www.v6.facebook.com works fine as a workaround for the 
time being. --


Indeed, I have seen this behaviour for at least a week.  It seems to 
somehow be related to geo-located DNS (akamai?) since the timeouts and 
RSTs I see in the traffic are from IPv6 akamai servers, not facebook itself.


I tried de-peering from a number of networks to try and isolate it and 
it was not transit-specific.  I stopped questioning my network when I 
saw a thread on Sixxs and tunnelbroker about this very issue.


Hopefully it won't persist as right now as having Facebook 
intermittently connect is likely hurting deployment slightly.


Chris

IPv6 Cogent customers

[Chris Conn]

Hello,

Any single-homed or more IPv6 AS174  customers willing to take a 5 
minute test for me?  Please contact me off-list.  We are not single 
homed to them but we have a particular destination that is having 
issues, and the funky part is that any outbound traffic over the Cogent 
transit is just bezerk.  TCP SYN packets never reach the remote end.  
Return traffic, even when forced over Cogent however, is fine.  I can 
force outbound traffic to flow over two other transit providers, and all 
is kosher so long as I never use AS174 to try and _get_ there.


Cogent is blaming Level3 just because they appear in the traceroute, 
therefore I would like if possible a third party to help me since Cogent 
doesn't seem inclined to do anything other than ping.


Thanks in advance and sorry for the noise,

Chris

Re: cloudmark?

[Chris Conn]

On 2013-04-09 10:27, Chris Conn wrote:


Hi,

rant
it seems that many large providers are using cloudmark services. As far as I 
can tell: their policy is unclear, they can hardly be reached, mails to support 
are bouncing (delayed, then bounce).

yes, the mailserver from one of our customers was blocked and this was OK and 
rightful, because they had a problem (cracked account). After the problem was 
resolved we started removing their IPv4 address from blacklists and almost all 
lists removed the ban immediately.

cloudmark CSI service (reset request form) wants a form to be filled ... and 
they claim that they send out an email ... but it doesn't make its way to my 
inbox (no, no filters ...)

and support can't be reached.

Where are the good old times when the 'net was controlled by techs and not by 
lawyers?

I can't recommend cloudmark.
/rant




Your experience does not mirror mine at all.  I have less than 30 
minutes of wait time for any support case, and they are few and far 
between.  Reliability is high and FP rate is low.   I have no idea what 
your reference to lawyers pertains to, however the only issue we have 
ever had was for them to take our money when we renewed for the 
umpteenth time.


Maybe they cater to smaller providers more efficiently.

Chris

Re: IP Address Management IPAM software for small ISP

[Chris Conn]

looking for IPAM solutions for a small regional wireless ISP.
There are 4 Tier 2 personnel and 2 NOC technicians who would be using
the tool, and a small staff of engineers.



Nobody uses HaCI?

Earthlink/RIR1.ORG admin with a clue?

[Chris Conn]

Hello,

If a Earthlink/rir1.org hosting admin would care to contact me off-list 
since it appears the abuse department at earthlink does not understand 
what hosting a phishing site means.  I am being asked for logs to 
prove something, yet the URL I supply which clearly brings someone to 
a phishing site is apparently not proof.


Thanks,

Chris Conn
B2B2C.ca

SORBS?!

[Chris Conn]

Hello,

Is anyone from SORBS still listening?   We have a few IP addresses here 
and there that are listed, one in particular that has been for a spam 
incident from over a year ago.  The last spam date is 03/05/2011 
according to their lookup tools.


We don't have access to their Net Manager even if our ARIN POC 
corresponds to the account on their system we opened a while ago.  We 
use their ISP feedback form and never get any responses back.


Is SORBS still relevant and functional?

Sincerely,

Chris Conn
B2B2C.ca

Re: SORBS?!

[Chris Conn]

On 2012-04-04 17:33:


  Hi,

  Actually knowing Chris, and his outfit, that 18k request seems 
unwarranted :(

  As for SORBS, they have a ticket system at http://support.sorbs.net/ 
which use the same username/password as https://www.us.sorbs.net.  You can 
follow up there with your ticket #, if their robot is being a bit too fascist.
  ( ecarbonel was the guy that help us in our case )

  PS: The ticketing system is not that fast, so be patient.

  /wave Chris



Hi Alain!

The 18K thing was another operator, but we have not had much luck.  I 
will give my attention to the ticket for now and wait until something 
happens.  Its not a crucial issue since from what I can tell its mostly 
a cosmetic thing (and a bit of a managerial pain to have to explain the 
implications to a customer).


I have no beef with SORBS, we even rsync their zone on our DNS servers 
so we can provide faster access to it to our customers that might use 
it.  However recently, getting listing action seems to fall into a void.


Cheers,

Chris

Re: SORBS contact?

[Chris Conn]

Hello,

Thank you to all that answered, all helpful info.  Surprisingly minutes 
after my Nanog post, a couple of my tickets saw action and the /24 was 
finally removed a short while later.


Thanks again,

Chris

SORBS contact?

[Chris Conn]

Hello,

We have opened a number of tickets in the SORBS DUHL system to notify 
them of the use of a former dialup /24 for static assignments to no 
avail.  Anyone from SORBS reading this?


Thank you,

Chris Conn
B2B2C.ca

Re: Future of the IPv6 CPE survey on RIPE Labs - Your Input Needed

[Chris Conn]

On 27/01/11 08:17 -0600, Jack Bates wrote:

On 1/27/2011 12:57 AM, Frank Bulk wrote:

Have you looked at D-Link's DIR-825?  It has most of the things you're
looking for.  The DIR-655 is a more affordable option.


Haven't had the chance to look at that one. Will check it out.


In regards to (2), is it even possible to do DHCPv6-PD on with a SLAAC WAN?


It had better be, as IOS 12.2 SRE only supports SLAAC + DHCPv6-PD.
Most of the Cisco documentation I've seen, says that is their
beautiful layout. No more proxyarp/nd. Instead, assign a /64 to each
subinterface, perform SLAAC, then hand out prefixes via DHCPv6-PD if
someone needs a prefix.


The DIR-825(Rev B) running firmware 2.05NA does. From the status screen:

IPv6 Connection Type : Autoconfiguration (SLAAC/DHCPv6)
Network Status :   Connected

WAN IPv6 Address : 2610:b8:0:234:218:e7ff:fef8:66dc/64
IPv6 Default Gateway : fe80::c67d:4fff:fed6:5401
LAN IPv6 Address : 2610:b8:100f:1:218:e7ff:fef8:66db/64
LAN IPv6 Link-Local Address :  fe80::218:e7ff:fef8:66db/64
Primary IPv6 DNS Server :  2610:b8:0:3:215:c5ff:fef3:f9c8
Secondary IPv6 DNS Server :2610:b8:0:3:215:c5ff:feee:9448
DHCP-PD :  Enabled
IPv6 network assigned
by DHCP-PD :   2610:b8:100f::/48

The latest firmware has fairly good support, but is lacking configurable v6
firewall settings. I haven't done any firewall testing yet, but I'd imagine
all incoming v6 connections are blocked.

The Emulator hasn't been updated yet to reflect the options in the new
firmware, but this should give you an idea of what the configuration looks
like:

http://www.support.dlink.com/emulators/dir825_revB/203NA/adv_link_local.html

The DIR-615 should have similar support, but I haven't upgraded it yet.


Hello,

As for the DIR-615, it should, but it doesn't...At least, the E3/E4 
revisions I had.  I contacted D-LINK support and was able to get a beta 
build that seems promising.  But DHCP-PD over PPPoE works relatively 
well, minus a couple of little features.  I am hoping to have that 
hammered out soon, as the 615 is a capable little sub-50$ home CPE.  But 
D-Link engineering seems receptive to my observations.


I have to check the state of the firewalling in it too ;)

Chris

Cogeco MX/SMTP administrator?

[Chris Conn]

Hello,

Could a Cogeco MX/SMTP admin contact me off list please, we seem to be 
suffering from the same fate as these individuals;


http://www.dslreports.com/forum/r24888256-Email-sent-to-AOL-is-timing-out

Thanks,

Chris Conn
B2B2C.ca