RE: Tools for streaming analysis
We've been using elastiflow for about a year now with good results. It's elasticsearch in the backend, so be prepared to throw a lot of ram at it.

-ed

From: NANOG On Behalf Of Ben Logan
Sent: Sunday, January 13, 2019 1:48 PM
To: nanog@nanog.org
Subject: Tools for streaming analysis

Hey folks,

Just wondered what others are using for traffic analysis, particularly for identifying the amount of streaming (audio/video) traffic on your networks. I prefer open source, whether free or commercial, but am open to any good suggestions. Looked at ntopng and like it ok, but think it could be more flexible. Like the idea of pmacctd and friends, but not sure how I'd break down the streaming traffic with it. I'm ok with raw data...I can generate the graphs I want. I don't like anything with Solarwinds in the title!

Btw, the data will be from a mix of Brocade, Cisco and Juniper routers, so sflow, netflow and IPFIX may all be used.

Thanks,
Ben
RE: Gonna be a long day for anybody with CPE that does WPA2..
I see here that MikroTik has patched this about a week ago: https://forum.mikrotik.com/viewtopic.php?f=21&t=126695

Any word on other vendors' response to this?

Ed

-Original Message-
From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Job Snijders
Sent: Monday, October 16, 2017 5:14 AM
To: valdis.kletni...@vt.edu
Cc: nanog@nanog.org
Subject: Re: Gonna be a long day for anybody with CPE that does WPA2..

Dear all,

Website with logo: https://www.krackattacks.com/
Paper with background info: https://papers.mathyvanhoef.com/ccs2017.pdf

Kind regards,

Job
RE: OSPF Monitoring Tool
I've used librenms and pandorafms for this; librenms is less setup but Pandora is more comprehensive.

-Original Message-
From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Methsri Wickramarathna
Sent: Friday, December 1, 2017 11:52 PM
To: nanog@nanog.org
Subject: OSPF Monitoring Tool

Hi Guys,

Does anyone know about a monitoring tool for OSPF?

~~( ŊëŌ )~~
RE: Suggestions for a more privacy conscious email provider
As an anecdotal aside, approx. 70% of incoming portscanners/rdp bots/ssh bots/etc that hit the firewalls at my sites are coming from AWS. I used to send abuse emails but eventually gave up after receiving nothing beyond "well, aws ip's are dynamic/shared so we can't help you".

-Original Message-
From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Rich Kulawiec
Sent: Monday, December 4, 2017 2:27 AM
To: nanog@nanog.org
Subject: Re: Suggestions for a more privacy conscious email provider

On Sun, Dec 03, 2017 at 05:08:33PM +, Filip Hruska wrote:
> I personally run my own mail server, but route outgoing emails via Amazon
> SES.

Not a good idea. Amazon's cloud operations are a constant source of spam and abuse (e.g., brute-force SSH attacks), they refuse to accept complaints per RFC 2142, and -- apparently -- they simply don't care to do anything about it. I've had SES blacklisted in my MTA for years (among other preventative measures) and highly recommend it to others.

---rsk
RE: Suggestions for a more privacy conscious email provider
> Last week we found out that Helpscout sends email from AWS servers.

Ouch. I'm in the same boat as you are - three of our biggest suppliers have all their public-facing stuff hosted on AWS, including their email smarthosts. None of them have static addresses.

> This is incorrect reasoning. Because they're the biggest cloud provider
> in the world, they should send the least amount of junk: the larger
> an operation is, the easier abuse detection/prevention gets.

You'd think so, yes. Somehow Google and DO and most other hosting companies manage to do it. Feels like AWS truly doesn't care about it.
RE: WiFi - login page redirection not working
RHEL comes with it installed and enabled by default, so it can't be that bad /s

-Original Message-
From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Owen DeLong
Sent: Friday, December 1, 2017 12:12 PM
To: Vincent Bernat
Cc: nanog@nanog.org
Subject: Re: WiFi - login page redirection not working

> On Dec 1, 2017, at 04:16 , Vincent Bernat wrote:
>
> ❦ 1 December 2017 15:02 +0300, Nikolay Shopik :
>
>>> DHCP and neighbor discovery can also provide the information of the
>>> login page: https://tools.ietf.org/html/rfc7710
>>
>> I don't think it got support in any os.
>
> It's supported on Linux by Network Manager.

Oh, you mean the first software anyone with clue turns off as soon as they can because of all the problems it causes for networking?

Owen
RE: Suggestions for a more privacy conscious email provider
Email sending limits are one thing. A couple hundred ssh/rdp/sql bots hitting my firewalls constantly is another. From what I'm reading on that AWS doc page, those limits only apply to SES users.

-Original Message-
From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Stephen Satchell
Sent: Wednesday, December 6, 2017 11:44 AM
To: nanog@nanog.org
Subject: Re: Suggestions for a more privacy conscious email provider

http://docs.aws.amazon.com/ses/latest/DeveloperGuide/manage-sending-limits.html

On 12/05/2017 10:16 AM, Gordon Ewasiuk via NANOG wrote:
> AWS imposes "email sending limitations", by default, on all EC2
> accounts. Anyone who wants those limitations removed has to fill out a
> form and make a use case to AWS Support.
>
> AWS also says they work with ISPs and "Internet anti-SPAM orgs" like
> Spamhaus.
>
> That sounds a bit more than "doesn't care about it", no?
RE: Suggestions for a more privacy conscious email provider
-Original Message-
From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Gordon Ewasiuk via NANOG
Sent: Wednesday, December 6, 2017 12:30 PM
To: nanog@nanog.org
Subject: Re: Suggestions for a more privacy conscious email provider

> Suggesting AWS doesn't care seems...well...inaccurate.
>
> -Gordon

This is all anecdotal so take it as you will.

In 2016 I filed a total of 76 reports either via their web form or by emailing their abuse email directly. Every single one got this in reply:

After submitting the initial abuse report (providing all the information they ask for in an initial report):

> Hello,
> Thank you for your abuse report. We were unable to identify the customer
> responsible for the reported activity. Due to the frequency with which AWS
> public IP addresses can change ownership, we will need additional information
> in order to identify the responsible customer(s).

Then a few days later, after replying back to their email with the same content that was in the initial abuse report:

> Hello,
> This is a follow up regarding the abusive content or activity report that you
> submitted to AWS. We have investigated this report, and have taken steps to
> mitigate the reported abusive content or activity. Due to our privacy and
> security policies we are unable to provide details regarding the resolution of
> this case or the identity of our customer.
> We are committed to mediating reports of abusive content or activity to the
> satisfaction of both the reporters and our customers. If you believe the
> reported content or activity persists, or are not satisfied with the
> resolution of this case, please reply directly to this message with more
> information. Your response should include the most recent activity logs or
> web location of the content that you have available that indicates that the
> activity or content persists, as well as a clear, succinct explanation of
> what you expect of us and our customer.
>
> Thank you for bringing this matter to our attention.
>
> Regards,
> AWS Abuse Team

So yes, it would //appear// that they do care. They do have an abuse team and they're very good at sending out those canned emails and making you think they've done something. But here we are in 2017 and I'm still seeing the exact same attempts from the exact same IP's that I reported in 2016.

The way I see it, there are only two explanations:

A bunch of people are running the same exact bots that use the same exact source ports and they all just happened to get the same set of public v4's assigned to them and they all just happened to target all of my sites at the exact same rate.

or

AWS didn't actually do anything about it.

(Yes, none of that applies to their SES service, but there's nothing stopping someone from running postfix on an EC2 instance. I won't comment on how the SES team there handles things, because I haven't had any dealings with their abuse team.)

-Original Message-
From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Filip Hruska
Sent: Wednesday, December 6, 2017 12:55 PM
To: nanog@nanog.org
Subject: Re: Suggestions for a more privacy conscious email provider

> SES can't hit your firewall with bots, it's just an email service.
>
> Maybe you meant EC2? And as I said earlier, if you have correctly setup
> firewall and servers, port scanning or bots can't hurt you in any way.
>
> --
> Filip Hruska
> Linux System Administrator

I don't remember mentioning SES in this thread before today. But as Rich said earlier:

> And the latter is the problem: we are faced, unfortunately, with massive
> operations that were designed, built, and deployed without the slightest
> consideration for responsible behavior toward the rest of the Internet.
> All the rest of us are paying the price for that arrogance, incompetence
> and negligence: we're paying for it with DoS/DDoS defenses, with spam
> and phish defenses, with brute-force attack defenses, with time and
> money and computing resources, with complexity, with late nights and
> early mornings, with annoyed customers, and -- on the occasions when those
> defenses fail -- devastating consequences for organizations and people.
>
> These costs aren't always obvious because they're not highlighted line
> items in an accounting statement. But they're real, and they're huge.
>
> How huge? Well, one measure could be found in the observation that
> there's now an entire -- large and growing -- market segment that
> exists solely to mitigate the fallout from these operations.
>
> And those same massive operations are doing everything they possibly
> can to avoid hearing about any of this. That's why abuse@ is effectively
> hardwired to /dev/null. And I note with interest that nobody from AWS
> has had the professionalism to show up in this thread and say "Gosh, we're
> sorry. We screwed up. We'll try to do better. Can you help us?"
>
> Because we would.

I agree, the dumber bots won't cause any harm (beyond the wasted bandwidth)
RE: Suggestions for a more privacy conscious email provider
On Wed, 06 Dec 2017 16:26:00 -0500, Rich Kulawiec said:
> Better yet, why not study the large-scale patterns over time
> and proactively address it?

If only there was some sort of distributed analytics/search/etc platform they could use to do that

https://www.elastic.co/
https://aws.amazon.com/elasticsearch-service/

It's not hard. Only took me by myself a few days of farting around to learn it and start getting good hard information out of a single local ES instance that was being fed nothing but firewall logs. I'm sure they would have no trouble with it

On Wed, 06 Dec 2017 16:40:00 -0500, valdis.kletni...@vt.edu said:
Sent: Wednesday, December 6, 2017 4:40 PM
> Is anybody selling monitoring gear that can do deep packet inspection
> at line rate on a 100G pipe?

Found this within a few minutes of looking: https://accoladetechnology.com/portfolio-item/anic-200Ku/

Not sure if it would meet the needs but I'm sure that there's something out there that can do it. The actual inspection of captured packets doesn't have to be line rate (unless you want to ban people on the fly). Either way, with their resources, anything is possible. I'm sure Cisco would sell you a complete "solution" as well, along with the hefty service contract that comes with buying into Big Green

On Wed, 06 Dec 2017 16:43:00 -0500, Brian Kantor said:
> For the largest players, I can see no economic advantage in being a good
> network neighbor, and plenty of cost (salaries, equipment) to do so.

Exactly. But at the same time we don't see this with google, digital ocean, etc other big players in the market. I don't see any feasible way to get them to change their behavior either. For all we know they're already doing this. But if they are they aren't doing much with the data they get out of it

-ed
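Ed's point above, that a single Elasticsearch instance fed with nothing but firewall logs is enough to surface the repeat offenders, can be shown at much smaller scale. The Python below is an added example, not code from this thread or from Elastic: it aggregates iptables-style DROP lines per source address and lists the sources that keep coming back across calendar days, together with the constant source port Ed describes as the tell-tale of the same bot. The log lines and the RFC 5737 test addresses in SAMPLE_LOG are constructed for the example, not real traffic.

```python
"""Added example (not from the thread): aggregate firewall DROP events per
source so that sources recurring across days stand out for an abuse report."""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample of iptables-style syslog lines (RFC 5737 test addresses).
SAMPLE_LOG = """\
2017-12-05T10:16:00Z fw kernel: DROP IN=eth0 OUT= SRC=198.51.100.23 DST=203.0.113.5 PROTO=TCP SPT=40001 DPT=22
2017-12-05T10:16:04Z fw kernel: DROP IN=eth0 OUT= SRC=198.51.100.23 DST=203.0.113.5 PROTO=TCP SPT=40001 DPT=3389
2017-12-05T11:02:13Z fw kernel: DROP IN=eth0 OUT= SRC=192.0.2.77 DST=203.0.113.5 PROTO=TCP SPT=51515 DPT=22
2017-12-05T14:20:00Z fw kernel: DROP IN=eth0 OUT= SRC=192.0.2.77 DST=203.0.113.5 PROTO=TCP SPT=51899 DPT=22
2017-12-06T09:45:31Z fw kernel: DROP IN=eth0 OUT= SRC=198.51.100.23 DST=203.0.113.9 PROTO=TCP SPT=40001 DPT=1433
2017-12-06T09:45:32Z fw kernel: DROP IN=eth0 OUT= SRC=198.51.100.23 DST=203.0.113.9 PROTO=TCP SPT=40001 DPT=22
2017-12-06T14:21:00Z fw kernel: ACCEPT IN=eth0 OUT= SRC=192.0.2.10 DST=203.0.113.5 PROTO=TCP SPT=60000 DPT=443
"""


@dataclass
class SourceSummary:
    hits: int = 0
    days: set = field(default_factory=set)       # distinct calendar days seen
    targets: set = field(default_factory=set)    # distinct DST addresses
    dst_ports: set = field(default_factory=set)  # services probed
    src_ports: set = field(default_factory=set)  # a constant SPT is a tool fingerprint
    first_seen: str = ""
    last_seen: str = ""


def parse_line(line):
    """Return (timestamp, action, key=value fields) or None for non-firewall lines."""
    parts = line.split()
    if len(parts) < 4 or parts[2] != "kernel:":
        return None
    fields = dict(kv.split("=", 1) for kv in parts[4:] if "=" in kv)
    return parts[0], parts[3], fields


def summarize_drops(log_text):
    """Aggregate DROP events per source address; ACCEPTed traffic is ignored."""
    summaries = defaultdict(SourceSummary)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, action, f = parsed
        if action != "DROP" or "SRC" not in f:
            continue
        s = summaries[f["SRC"]]
        s.hits += 1
        s.days.add(ts[:10])            # ISO timestamp: first 10 chars are the date
        s.targets.add(f.get("DST", ""))
        if "DPT" in f:
            s.dst_ports.add(int(f["DPT"]))
        if "SPT" in f:
            s.src_ports.add(int(f["SPT"]))
        s.first_seen = min(s.first_seen or ts, ts)
        s.last_seen = max(s.last_seen, ts)
    return dict(summaries)


def persistent_sources(summaries, min_days=2):
    """Sources seen on at least min_days distinct days: the ones that keep
    returning and therefore merit a report with first/last seen and ports."""
    return sorted(src for src, s in summaries.items() if len(s.days) >= min_days)


def abuse_report(src, s):
    """One-line summary in the shape an abuse desk asks for: who, when, what."""
    return (f"{src}: {s.hits} dropped connections on {len(s.days)} day(s), "
            f"{s.first_seen} to {s.last_seen}, targets={sorted(s.targets)}, "
            f"dst_ports={sorted(s.dst_ports)}, src_ports={sorted(s.src_ports)}")


if __name__ == "__main__":
    summary = summarize_drops(SAMPLE_LOG)
    for src in persistent_sources(summary):
        print(abuse_report(src, summary[src]))
```

Run against the constructed log, only 198.51.100.23 qualifies as persistent: two days, three destination ports, one unchanging source port. The same per-source aggregation is what an Elasticsearch terms aggregation over a SRC field gives you at volume; the point is that the evidence an abuse desk asks for (first seen, last seen, what was probed) falls out of the logs you already keep.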
RE: quake3-master-getservers:
https://nmap.org/nsedoc/scripts/quake3-master-getservers.html

I'd nuke the entire environment from orbit, no telling what other nasty surprises they left for you

-Original Message-
From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Richard
Sent: Sunday, December 10, 2017 1:36 PM
To: nanog@nanog.org
Subject: quake3-master-getservers:

NANOG group,

At a client site who was complaining of having their Active Directory passwords changed every week. Found a PPTP which had been put in place by an ex-employee. Fixed that. I have no idea what a master-get servers is. If anyone can ping me off-list to educate me a bit more, please do.

Sincerely,
Richard
RE: Free access to measurement network
Yes, the fact that both the city I work in and the town I live in have local govt-enforced monopolies reinforces the statement that I (and all the other people near me) have been voting with our collective wallets this entire time

-Original Message-
From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Mike Hammett
Sent: Saturday, December 16, 2017 10:23 AM
Cc: nanog@nanog.org
Subject: Re: Free access to measurement network

It's a consumer thing. If consumers wanted more options, they would be supporting those options with their wallets. They don't.

-
Mike Hammett
Intelligent Computing Solutions
Midwest Internet Exchange
The Brothers WISP

- Original Message -
From: "Max Tulyev"
To: nanog@nanog.org
Sent: Saturday, December 16, 2017 4:43:54 AM
Subject: Re: Free access to measurement network

So from my point of view, the better solution is to push some law that eases access to the buildings for ISPs.

15.12.17 19:40, valdis.kletni...@vt.edu wrote:
> On Fri, 15 Dec 2017 07:47:42 -0500, Dovid Bender said:
>> What kind of internet are these devices on? With Net Neutrality gone
>> here in the US it would be a good way to measure certain services
>> such as SIP to see which ISP's if any are tampering with packets.
>
> Given previous history, the answer will probably be "most of them".
>
> "The results are not inspiring. More than 129 million people are
> limited to a single provider for broadband Internet access using the
> FCC definition of 25 Mbps download and 3 Mbps upload. Out of those 129
> million Americans, about 52 million must obtain Internet access from a
> company that has violated network neutrality protections in the past and
> continues to undermine the policy today.
>
> In locations where subscribers have the benefit of limited
> competition, the situation isn't much better. Among the 146 million
> Americans with the ability to choose between two providers, 48 million
> Americans must choose between two companies that have a record of violating
> network neutrality."
>
> https://muninetworks.org/content/177-million-americans-harmed-net-neutrality
RE: Any experience with Broadcom ICOS out there?
I've got a few older quanta switches still around; they're running a fairly old version of Broadcom's Fastpath software on top of vxworks 5.x. Fastpath runs ospf and ospfv3 just fine, exports sflow, makes the hardware do everything you'd expect a l3 switch to do. The CLI is kinda quirky, but it works.

I'm not sure how much they've changed since then, but from what I understand the software is mainly just a reference spec to go along with the reference hardware designs you can get from Broadcom. Then the company designing/manufacturing the actual switch could/would build something on top of that, tailored to any customizations beyond the ref design they added.

Haven't had any problems with them, although the documentation Quanta provided was almost useless - par for the course with them from what I've heard..

-Original Message-
From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Bryan Holloway
Sent: Friday, January 5, 2018 4:47 PM
To: joel jaeggli ; NANOG list
Subject: Re: Any experience with Broadcom ICOS out there?

Thank you everyone for the responses so far; I should probably re-phrase the question at this point ...

Has anyone had production experience with Broadcom ICOS and the features it claims to support? Positive or negative?
RE: Comparison of freeware open source switch software?
Here's one you missed: http://www.projectfloodlight.org/indigo/

If you're only interested in stuff that goes on iron, openvswitch is out - it's pure software meant to run on hypervisors

-Ed

-Original Message-
From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Hank Nussbacher
Sent: Tuesday, January 9, 2018 2:18 AM
To: nanog@nanog.org
Subject: Comparison of freeware open source switch software?

I have seen numerous comparisons and RIPE presentations on performance issues of BIRD vs Quagga vs FRR. I am looking for the same thing for freeware switch software. Has anyone done a feature comparison between:

http://openvswitch.org/
https://www.openswitch.net/
https://cumulusnetworks.com/products/cumulus-linux/
...any other I am missing...

I am familiar with:
http://packetpushers.net/open-networking-cheat-sheet/
https://www.networkworld.com/article/2919599/cisco-subnet/clearing-the-fog-around-open-switching-terminology.html

so to clarify I am interested only in bare-metal or whitebox switches and freeware, open source software.

And even better - has anyone done a benchmark to see which performs best?

Thanks,
Hank
RE: Comparison of freeware open source switch software?
> SwitchDev, which is incorporated into the Linux kernel

Neat! I'll have to keep my eyes on this in the future; it'd be cool if we could have VyOS handling routing on the hardware and the vm hosts, would save me a bit of brainpower

-Ed

-Original Message-
From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Raymond Burkholder
Sent: Tuesday, January 9, 2018 11:12 AM
To: nanog@nanog.org
Subject: RE: Comparison of freeware open source switch software?
RE: Open Source Network Operating Systems
> Is there anything that can do it all today?

VyOS, maybe. You'd have a fun time getting it working across the full set of hardware you're thinking of though
RE: improving signal to noise ratio from centralized network syslogs
On Fri, Jan 26, 2018 at 6:30 AM, Steven Miano wrote:
> either ELK (or any derivative thereof such as: Elasticache, Fluentd, Kibana)

I'm partial to graylog - it does some of the heavy lifting of getting a logging-centric ELK stack up and running

-Ed
RE: Merit radb https interface, TLS1.0 only?
I'd hope that it's not supposed to be that way, but I'm seeing the same thing with chrome on win10 and firefox on debian 9, so it's not just you.

-Ed

-Original Message-
From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Eric Kuhnke
Sent: Friday, February 2, 2018 9:16 PM
To: nanog@nanog.org list
Subject: Merit radb https interface, TLS1.0 only?

> Is the radb login page supposed to be TLS1.0 only?
RE: Console Servers & Cellular Providers
Pretty bad bordering on unusable most of the time (steel and concrete buildings after all). I'm only set up in buildings we own, so I've been able to put antennas up on the roof for this. At our more remote sites where there's no cell service at all I have POTS lines. KVMoIP is a bit painful at 56k, but it's usable.

Ed

-Original Message-
From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of James Milko
Sent: Wednesday, February 7, 2018 11:38 AM
To: Randy Carpenter
Cc: Michael Starr ; nanog
Subject: Re: Console Servers & Cellular Providers

How is cell reception in multi-story data centers/carrier hotels? Good enough for remote management?

JM
RE: Remote power cycle recommendations
MFI was abandoned by ubnt some time ago. I've got a few of their environmental monitoring devices from that line in place and wouldn't really recommend any of it. The controller software is flaky, finicky, and hasn't been updated in years.

-Ed

From: NANOG On Behalf Of Michel 'ic' Luczak
Sent: Monday, April 30, 2018 3:19 PM
To: Andy Ringsmuth
Cc: North American Network Operators' Group
Subject: Re: Remote power cycle recommendations

If rack-mount is not a hard requirement, I would definitely look into Ubiquiti’s mPower range. You will find anything from a single socket (WiFi only) to a 6 socket PDU (WiFi and Ethernet, probably 8 sockets for US but I’m in Europe) with central management system (free) and detailed consumption graphs and costs if you provide the kWh cost. I’m running many of those with the controller/management software installed remotely in a central location and have several alerts and automation scripts set up for when consumption goes beyond a certain level (meaning the equipment has crashed).

https://www.ubnt.com/mfi/mpower/

Regards, Michel

> On 27 Apr 2018, at 17:46, Andy Ringsmuth wrote:
>
> I’m sure many here are familiar with or using/have used devices to remotely
> power cycle equipment. I’m considering a Dataprobe iBoot-G2 and am curious if
> you’ve had experience with it, or other recommendations.
>
> I only need one outlet to be remotely power cycle-able. I have one piece of
> equipment that is occasionally a little flaky and, well, you know the hassle.
>
> What do people recommend? There seem to be plenty out there which are more
> designed to auto-reboot when Internet connectivity is lost, aka remotely
> reboot the ‘ol cable modem for instance, but that’s not my scenario.
>
> Thanks in advance.
>
>
> Andy Ringsmuth
> a...@newslink.com
> News Link – Manager Technology, Travel & Facilities
> 2201 Winthrop Rd., Lincoln, NE 68502-4158
> (402) 475-6397(402) 304-0083 cellular
>
RE: l2tpv3 Issue on 6800
Unicast vxlan maybe?

-ed

From: NANOG On Behalf Of Hari .
Sent: Thursday, September 27, 2018 9:38 PM
To: nanog@nanog.org
Subject: l2tpv3 Issue on 6800

Hello Team,

We are trying to extend the L2 domain for IP cloud (Non MPLS); the intention was to use l2tpv3, but it doesn't seem to be supported in 6800/3850.. Anyone tried or can provide some guidance..

Ta,
RE: mailops https breakage
Fun fact about letsencrypt certs, they expire after a month or so. Looks like the site admin never noticed/cared to update it (since 2016), even though there's a nice little helper program to auto-update them that you can throw in a cronjob (or scheduled task, if you're into IIS) and forget about

Ed Pers

-Original Message-
From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Lyndon Nerenberg
Sent: Sunday, June 11, 2017 6:27 PM
To: NANOG list
Subject: mailops https breakage

> On Aug 27, 2016, at 6:46 PM, Matt Palmer wrote:
>
> On Sat, Aug 27, 2016 at 01:25:42AM -, John Levine wrote:
>> In article
>> you
>> write:
>>> I was working within the limits of what I had available.
>>
>> Here's the subscription page for mailop. It's got about as odd a mix
>> of people as nanog, ranging from people with single user linux
>> machines to people who run some of the largest mail systems in the
>> world, including Gmail:
>>
>> https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop
>
> I know they're mailops, and not tlsops, but surely presenting a cert
> that didn't expire six months ago isn't beyond the site admin's capabilities?

I tried again, ten months later. Still broken :-(

Is there a replacement site I'm missing out on?
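A renewal job that runs unattended, as Ed suggests, still needs something that notices when renewal has silently stopped; the mailop site stayed broken for ten months because nothing did. The Python below is an added example, not code from this thread or from Let's Encrypt/certbot: it computes days to expiry from the notAfter field of a peer certificate in the form Python's ssl module returns it, classifies the result against a renewal threshold (30 days, which is certbot's default renewal window; RENEW_BEFORE_DAYS is just a constant here), and includes a live check that reports a verification failure such as an expired certificate as a finding instead of crashing. The hostnames and notAfter dates in CONSTRUCTED_CERTS and the fixed "now" are made up so the example runs offline.

```python
"""Added example (not from the thread): certificate-expiry check of the kind
that would have flagged the mailop site's stale certificate months earlier.
Date arithmetic runs offline; check_host() needs network access."""
import calendar
import socket
import ssl
import time

DAY = 86400
RENEW_BEFORE_DAYS = 30  # certbot's default renewal window; tune to taste


def seconds_until_expiry(cert, now_ts):
    """cert is the dict returned by SSLSocket.getpeercert(); its 'notAfter'
    value is OpenSSL text such as 'Jun 11 18:27:00 2017 GMT'."""
    return ssl.cert_time_to_seconds(cert["notAfter"]) - now_ts


def days_until_expiry(cert, now_ts):
    """Whole days left; negative once the certificate has expired."""
    return int(seconds_until_expiry(cert, now_ts) // DAY)


def renewal_status(days_left, renew_before=RENEW_BEFORE_DAYS):
    """'expired' needs action now, 'renew' means the cron job should have fired."""
    if days_left < 0:
        return "expired"
    if days_left < renew_before:
        return "renew"
    return "ok"


def check_host(host, port=443, timeout=5.0, now_ts=None):
    """Live check. A verified handshake yields the leaf certificate; a
    certificate that fails verification (expired, wrong name, unknown CA)
    raises SSLCertVerificationError, whose verify_message says why.
    Returns (host, status, detail)."""
    now_ts = time.time() if now_ts is None else now_ts
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                days = days_until_expiry(tls.getpeercert(), now_ts)
                return host, renewal_status(days), f"{days} days left"
    except ssl.SSLCertVerificationError as e:
        # e.g. "certificate has expired": report it rather than abort the sweep
        return host, "verify-failed", e.verify_message


# Constructed certificate summaries (made-up hosts and dates) for an offline run.
CONSTRUCTED_CERTS = {
    "fresh.example": {"notAfter": "Sep  1 00:00:00 2017 GMT"},
    "aging.example": {"notAfter": "Jun 21 00:00:00 2017 GMT"},
    "stale.example": {"notAfter": "Feb 28 00:00:00 2017 GMT"},
}
# Fixed 'now' (2017-06-11 00:00:00 UTC) so the offline result is reproducible.
NOW_TS = calendar.timegm((2017, 6, 11, 0, 0, 0))


def offline_report(certs=CONSTRUCTED_CERTS, now_ts=NOW_TS):
    """Map each constructed host to its renewal status at the fixed 'now'."""
    return {host: renewal_status(days_until_expiry(c, now_ts))
            for host, c in certs.items()}


if __name__ == "__main__":
    for host, status in offline_report().items():
        print(host, status)
    # Live use: for host in ("www.example.org",): print(check_host(host))
```

In the offline run the three constructed hosts come out as ok, renew and expired respectively (82, 10 and -103 days at the fixed date). For the live path, note that an expired certificate never reaches getpeercert() under a default context, because the handshake itself fails verification; catching that error and recording verify_message is what turns the sweep into a monitor rather than a script that dies on the first bad host.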
Re: mailops https breakage
Both. Either. Take your pick

Ed Pers

From: Seth Mattinen
Sent: Tuesday, June 20, 8:06 PM
Subject: Re: mailops https breakage
To: nanog@nanog.org

On 6/20/17 16:57, Keith Medcalf wrote:
> How else would one maintain government control over free encryption certificates?

So Let's Encrypt is run by the Illuminati now? Or is it Freemasons? It's hard to keep track.
RE: Temperature monitoring
+1 for the serverscheck.com gear. Been running it as a humidity monitor in the plant for a year or so now and it's been rock solid. If you're the kind of shop that requires calibration for that sort of equipment they'll handle that as well. Great company to work with. Pair it with Cacti + thold plugin or whatever other snmp monitoring you like - or the base units can handle alerting on their own.

FYI for those interested - the stated max length of connecting cable between the base station and the sensor units (30ft iirc) is way under what it'll do in the real world - I've got at least one sensor unit that's a good 500ft away from the base station and it's been working just fine

Ed Pers

-Original Message-
From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of David Charlebois
Sent: Sunday, July 16, 2017 10:02 PM
To: NANOG
Subject: Re: Temperature monitoring

we use: https://serverscheck.com/sensors/ - simple setup, graph nicely in Cacti.

I went with ServerCheck wired based units + external temp+humidity probe. The base unit displays the temperature which is a nice quick reference if you are in the room.

On Fri, Jul 14, 2017 at 8:31 AM, Dan White wrote:
> We use Asentria.
>
> On 07/13/17 22:33 -0400, Dovid Bender wrote:
>
>> All,
>>
>> We had an issue with a DC where temps were elevated. The one bit of
>> hardware that wasn't watched much was the one that sent out the
>> initial alert. Looking for recommendations on hardware that I can
>> mount/hang in each cabinet that is easy to set up and will alert us
>> if temps go beyond a certain point.
>>
>
> --
> Dan White
> BTC Broadband
> Network Admin Lead
> Ph 918.366.0248 (direct) main: (918)366-8000
> Fax 918.366.6610email: dwh...@olp.net
> http://www.btcbroadband.com
>
Northeast TWC/Spectrum contact?
Hi

Can someone from TWC/Spectrum’s northeast division please contact me off list? AS11351 for what it’s worth

About a week ago my modem dropped from 24 bonded channels at about -6dBmV to 19 channels ranging from -9.30 to -21.30dBmV, and I started seeing very high latency and packet loss. I’ve also been seeing a lot of Lost MDD’s and RCS Partial’s in my event log. Haven’t put a tdr down the customer side cabling yet but I doubt that’s the issue; it’s only a 25’ run and a visual inspection doesn’t show anything out of the ordinary.

Sorry for spamming the list, but every time I’ve called TWC customer support lines in the past I’ve been transferred between 5-8 people who each told me to reboot my modem and check the cables.

Thanks for your time,
Ed Pers
RE: Hurricane Maria: Summary of communication status - and lack of
> The telecommunications damage in PR and USVI will be a good test how well the
> EAS works during extreme telecommunications damage.

From my brief time as a radio station tech, all you need for EAS to function properly is power to the receiver/decoder and for the station's transmitter to be alive