Re: RIP Dave Mills

2024-01-28 Thread Hal Murray
Word got out a week ago with a message from Vint Cerf to the internet-history list.

The thread Vint started is here:
  https://elists.isoc.org/pipermail/internet-history/2024-January/009265.html

Vint is collecting anecdotes here:

Many good stories...  So much more than NTP.



-- 
These are my opinions.  I hate spam.





Re: Northern Virginia has had enough with data centers

2023-06-24 Thread Hal Murray


> Even traditional data centers have not been known to be especially
> considerate about scheduling their -loud- genset tests. Doesn't matter so
> much in the middle of an industrial zone but when you do it near where people
> live you're going to make them angry. 

Why are gensets loud?

Is there a fundamental physics problem or are they all designed for industrial 
areas where the noise isn't much of a problem?

If I wanted a less noisy one, could I get it?  How much more would it cost?

Are the zoning people smart enough to include noise limits?  ...


-- 
These are my opinions.  I hate spam.





Re: ntp with dhcp

2021-10-03 Thread Hal Murray


> I'm looking for statistics on setting NTP servers on clients using DHCP, in
> the wild. Does anyone know if there is any available somewhere? 

That brings up an interesting can of worms.

If you run a NAT box with lots of clients, please don't point your NTP clients 
at the pool.  I can't tell your/their traffic from DDoS traffic.

Please set up your own NTP server(s) and point your customers at them.  (If you
need help with that, poke me off-list.)

I have a couple of servers in the pool.  The pool distributes the load by 
rotating DNS entries with a 150 second TTL.  I see bursts of  100 to 1000 
requests per second for roughly 150 seconds.



-- 
These are my opinions.  I hate spam.





Re: "Hacking" these days - purpose?

2020-12-16 Thread Hal Murray
> Simple question: What's the purpose of obtaining illicit access to  random
> devices on the Internet these days ...

Aside from stealing users' information, there is also stealing industrial and
diplomatic secrets.

The Chinese stole a lot of F-35 info.

The news is full of Russians hacking into US Treasury and Commerce 
Departments and probably more.



-- 
These are my opinions.  I hate spam.





Re: Is there any data on packet duplication?

2020-06-23 Thread Hal Murray via NANOG


b...@herrin.us said:
>  NTP you say? How does iburst work during initial sync up?

How does it work, or how should it work?  1/2 :)

NTP has been around for a long time.  It looks very simple, so anybody thinks 
they can toss off an implementation without much thought.  It will probably 
work, mostly.

The response from an NTP server includes a timestamp that the client put into 
the request.  The client can use that to reject delayed responses to a 
previous request.

When I first started looking for duplicates, I found lots of them.  They were 
NTP version 1 requests.  NTP is up to version 4.  Version 1 came out in 1988, 
RFC 1059.  Since the requests are identical, there is no way for the client to 
separate expected responses from delayed responses from a previous request.

Does anybody happen to know what equipment or software or OS/distro is sending 
version 1 requests?


-- 
These are my opinions.  I hate spam.
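The origin-timestamp check described in the post above, as an added example (my code, not part of the original message and not ntpd/ntpsec code). It packs the 48-byte NTP header shared by versions 1 through 4, has a "server" copy the request's transmit timestamp into the reply's origin field, and shows why a client that sends a fresh transmit timestamp per request can reject a delayed reply to an earlier request, while a client that sends identical requests (constant, all-zero transmit timestamp, as in the version 1 requests Hal describes) cannot. The stratum and reference-id values in the reply are constructed placeholders.

```python
import secrets
import struct
import time

NTP_EPOCH_OFFSET = 2_208_988_800  # seconds from 1900-01-01 (NTP era 0) to the Unix epoch

# The 48-byte NTP header shared by versions 1 through 4: LI/VN/mode, stratum,
# poll, precision, root delay, root dispersion, reference id, then the
# reference, origin, receive and transmit timestamps (64 bits each).
HEADER = struct.Struct("!BBbbIIIQQQQ")
ORIGIN, TRANSMIT = 8, 10   # field indexes after unpacking

def ntp_now_64():
    """Current time as a 64-bit NTP timestamp: 32-bit seconds, 32-bit fraction.
    The fraction is randomised (as ntpd does) so the value cannot be guessed."""
    secs = (int(time.time()) + NTP_EPOCH_OFFSET) & 0xFFFFFFFF
    return (secs << 32) | secrets.randbits(32)

def build_request(version, xmt):
    """Mode 3 (client) request whose transmit timestamp is `xmt`.
    It is the only per-request value, so it acts as the client's nonce."""
    li_vn_mode = (version << 3) | 3
    return HEADER.pack(li_vn_mode, 0, 0, 0, 0, 0, 0, 0, 0, 0, xmt)

def build_response(request):
    """Mode 4 (server) reply: the request's transmit timestamp is copied into
    the origin field. Stratum 2 and refid 'GPS' are constructed placeholders."""
    fields = HEADER.unpack(request)
    version = (fields[0] >> 3) & 0x7
    li_vn_mode = (version << 3) | 4
    now = ntp_now_64()
    return HEADER.pack(li_vn_mode, 2, 0, -20, 0, 0, 0x47505300,
                       now, fields[TRANSMIT], now, now)

def accept_response(response, outstanding_xmt):
    """Client-side check: accept a reply only if it is mode 4 and its origin
    timestamp equals the transmit timestamp of the request we are still
    waiting for. Anything else is a late, duplicated or forged reply."""
    if len(response) != HEADER.size:
        return False
    fields = HEADER.unpack(response)
    return (fields[0] & 0x7) == 4 and fields[ORIGIN] == outstanding_xmt

def stale_reply_accepted(fresh_nonce):
    """Constructed scenario: the reply to request 1 is delayed in the network
    until after the client has given up and sent request 2. With a fresh
    transmit timestamp per request the stale reply is rejected; with the
    constant all-zero timestamp of identical requests it is indistinguishable
    from the reply the client is waiting for."""
    version = 4 if fresh_nonce else 1
    xmt1 = ntp_now_64() if fresh_nonce else 0
    late_reply = build_response(build_request(version, xmt1))  # held up somewhere
    xmt2 = ntp_now_64() if fresh_nonce else 0
    # late_reply finally arrives while the client is waiting on request 2
    return accept_response(late_reply, xmt2)

if __name__ == "__main__":
    print("fresh nonce, stale reply accepted:", stale_reply_accepted(True))
    print("constant nonce, stale reply accepted:", stale_reply_accepted(False))
```

The same origin check is what protects a client from an off-path sender guessing at replies: without a per-request value in the transmit field there is nothing for the guesser to get wrong.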





Is there any data on packet duplication?

2020-06-22 Thread Hal Murray


How often do packets magically get duplicated within the network so that the 
target receives 2 copies?  That seems like something somebody at NANOG might 
have studied and given a talk on.

Any suggestions for other places to look?

Context is NTP.  If a client gets an answer, should it keep the socket around 
for a short time so that any late responses or duplicates from the network 
don't turn into ICMP port unreachable back at the server.  Nothing critical, 
just general clutter reduction.

I have packet captures from a NTP server.  I'm trying to sort things out.  
There are a surprising (to me) number of duplicates that arrive back-to-back, 
sometimes the timestamp is the same microsecond.  They could come from buggy 
clients, but that seems like an unlikely sort of bug.

-- 
These are my opinions.  I hate spam.





Re: Abuse Desks

2020-04-30 Thread Hal Murray


Mike Hammett said:
> IMO, the answer is balance.
> - Handful of SSH connection attempts against a server. Nobody got in,
> security hardening did its job. I don't think that is worth reporting. -
> Constant brute force SSH attempts from a given source over an extended period
> of time, or a clear pattern of probing, yes, report that. 

The bad guys have already gamed that system.  If you have a zillion bots, you 
can have each bot try a different name/password on a large batch of IP 
Addresses.  A victim only sees one try from each bot.

The daily logwatch reports that land in my mailbox are full of ssh attempts
that end with ": 1 Time".

---

Matt Corallo said:
> I'm open to ideas on what to do here, but the abuse system as it exists today
> is clearly broken for me, and its clearly broken for AWS/GCP/Azure/OVH/etc -
> have you ever tried emailing their registered abuse contacts? I have, the
> problem doesn't go away and there are no responses. 

> especially given most of the real crap out there comes from hosting providers
> like the above who don't have the bandwidth to respond.

"don't have the bandwidth" is an interesting term.  Is that because the 
problem is really hard and it would take a lot of bandwidth/money/whatever, or 
because they choose not to spend money on it and the rest of the net is 
letting them get away with it?

--

Tom Beecher said:
> Abuse departments should be properly handling LEGITIMATE abuse complaints.
> Not crufty background noise traffic that is never going away. 

Agreed.  But the abuse desk is the only place where somebody can find the 
signal in the noise, and with the current pattern, much of the signal is 
trying to hide in the noise.  The abuse desk will only see the signal if 
people actually send in abuse reports and the abuse desk actually looks at 
them.

--

Laszlo Hanyecz said:
> A lot of this  other stuff is just people abusing the abuse contacts to get
> someone  else taken offline.  Phishing websites fall into this category -
> it's  not network abuse, it's just content someone doesn't like, and one way
> to get it taken down is to threaten the network that carries the traffic  for
> it.

I don't report phishing websites unless somebody spams me with the URL.


-- 
These are my opinions.  I hate spam.
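The one-try-per-bot pattern Hal describes above is invisible to a per-source threshold, so detection has to look across sources. This added example (my code, not from the original message or from logwatch) parses constructed sshd "Failed password" lines, shows the per-source view in which every address is ": 1 Time", and then flags a window in which many distinct low-rate sources fail in quick succession. The log lines, year and thresholds are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sshd log lines (syslog format; the year is assumed below).
# Addresses come from the documentation ranges. Nine sources each fail once
# or twice within a few minutes, then one unrelated failure hours later.
SAMPLE_LOG = """\
Apr 30 02:11:03 host sshd[1201]: Failed password for invalid user admin from 198.51.100.7 port 51000 ssh2
Apr 30 02:11:09 host sshd[1203]: Failed password for invalid user oracle from 198.51.100.23 port 40011 ssh2
Apr 30 02:12:41 host sshd[1210]: Failed password for root from 203.0.113.5 port 22045 ssh2
Apr 30 02:13:02 host sshd[1215]: Failed password for invalid user test from 198.51.100.77 port 39920 ssh2
Apr 30 02:14:15 host sshd[1219]: Failed password for invalid user ubuntu from 203.0.113.44 port 55001 ssh2
Apr 30 02:15:30 host sshd[1222]: Failed password for invalid user git from 192.0.2.9 port 41234 ssh2
Apr 30 02:16:44 host sshd[1230]: Failed password for invalid user admin from 192.0.2.10 port 41235 ssh2
Apr 30 02:17:03 host sshd[1231]: Failed password for invalid user postgres from 192.0.2.11 port 41236 ssh2
Apr 30 02:18:20 host sshd[1240]: Failed password for root from 192.0.2.12 port 41237 ssh2
Apr 30 02:19:51 host sshd[1244]: Failed password for invalid user admin from 198.51.100.7 port 51002 ssh2
Apr 30 09:40:00 host sshd[2001]: Failed password for invalid user pi from 203.0.113.99 port 60000 ssh2
Apr 30 09:40:10 host sshd[2005]: Accepted publickey for alice from 10.0.0.5 port 52000 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[0-9a-fA-F.:]+) port \d+"
)

def parse_failures(log_text, year=2020):
    """Return failed-login events as (timestamp, source_ip, username), sorted."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["ip"], m["user"]))
    return sorted(events)

def per_source_counts(events):
    """The logwatch-style view: attempts per source IP."""
    counts = defaultdict(int)
    for _, ip, _ in events:
        counts[ip] += 1
    return dict(counts)

def detect_distributed_campaign(events, window_minutes=10, min_sources=5, max_per_source=2):
    """Flag windows in which at least `min_sources` distinct IPs each make no
    more than `max_per_source` attempts: the one-try-per-bot pattern that a
    per-source threshold never reaches. Each window is reported once."""
    findings = []
    span = timedelta(minutes=window_minutes)
    i = 0
    while i < len(events):
        start = events[i][0]
        in_window = [e for e in events[i:] if e[0] <= start + span]  # contiguous, as events are sorted
        per_ip = defaultdict(int)
        for _, ip, _ in in_window:
            per_ip[ip] += 1
        low_rate = {ip for ip, n in per_ip.items() if n <= max_per_source}
        if len(low_rate) >= min_sources:
            findings.append({
                "start": start,
                "end": in_window[-1][0],
                "sources": sorted(low_rate),
                "users": sorted({u for _, ip, u in in_window if ip in low_rate}),
            })
            i += len(in_window)   # skip past this window so it is not re-reported
        else:
            i += 1
    return findings

if __name__ == "__main__":
    evts = parse_failures(SAMPLE_LOG)
    for ip, n in sorted(per_source_counts(evts).items()):
        print(f"{ip}: {n} Time(s)")
    for f in detect_distributed_campaign(evts):
        print(f"distributed campaign {f['start']:%H:%M}-{f['end']:%H:%M}: "
              f"{len(f['sources'])} sources, users tried: {', '.join(f['users'])}")
```

On a single host the window thresholds need tuning against normal background noise; the same aggregation run across the logs of many hosts is where the distributed pattern becomes obvious, which is exactly the view an abuse desk gets only if people send in the single-attempt reports.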





RE: Backhoe season?

2020-03-29 Thread Hal Murray


> I heard, and am seeing that construction type jobs don't seem to be affected
> much with the virus shutdown.  I mean I see guys building homes and working
> on roads all around me...  furthermore, we've heard of a couple fiber cuts
> that have brought portions of our network down a couple times in the last
> week or so. 

I suspect any reduction in backhoe activity will depend strongly on where you 
are looking.  The San Francisco Bay area, including Silicon Valley is taking 
things seriously.

From the City of Menlo Park, Calif., March 20th:

   Due to the statewide stay-at-home order, effective Friday, March 20, no
   construction activity is allowed within the city of Menlo Park, except
   for essential infrastructure projects as determined by the City
   Manager/Emergency Services Director, until further notice. Active
   construction sites are instructed to secure their site and cease all
   further work immediately. Only activities necessary to address
   immediate health and safety concerns, as determined by the City
   Manager/Emergency Services Director, are allowed. This action is not
   taken lightly and is out of extreme concern for the health and safety
   of construction workers and city employees. Further guidance in light
   of this decision is expected to be released the week of March 23, 2020.
   Please visit the city website at menlopark.org/coronavirus for updates.



-- 
These are my opinions.  I hate spam.





Re: UDP/123 policers & status

2020-03-23 Thread Hal Murray
Steven Sommars said:
> The secure time transfer of NTS was designed to avoid amplification attacks.

I work on NTP software (ntpsec).  I have a couple of low cost cloud servers in 
the pool where I can test things and collect data.

I see bursts of 10K to several million packets "from" the same IP Address at 
1K to 10K packets per second.  Ballpark of 100 events per day, depending on 
the size cutoff.  I saw one that lasted for most of a day at 1K packets/sec.

All the packets I've seen have been vanilla NTP requests - no attempt at 
amplification.  I'm only checking a very small fraction of the garbage.

I haven't seen any pattern in the target IP Address.  Reverse DNS names that 
look like servers are rare.  I see legitimate NTP requests from some of the 
targets.

Would data be useful?  If so, who, what, ... (poke me off list)

I don't see any good solution that a NTP server can implement.  If I block 
them all, the victim can't get time.  If I let some fraction through, that 
just reduces the size of the DDoS.  I don't see a fraction that lets enough 
through so the victim is likely to get a response to a legitimate request 
without also getting a big chunk of garbage.  I'm currently using a fraction 
of 0.  If the victim is using several servers, one server getting knocked out 
shouldn't be a big deal.  (The pool mode of ntpd should drop that system and 
use DNS to get another.)

If NTS is used, it would be possible to include the client's IP address in the
cookie and only respond to requests with cookies that were issued to the
client.  That has privacy/tracking complications.

--

I don't want to start a flame war, but why isn't BCP 38 widely deployed?  Can 
somebody give me a pointer to a talk at NANOG or such?  What fraction of the 
world does implement BCP 38?

I'd also be interested in general background info on DDoS.  Who is DDoS-ing 
whom and/or why?  Is this gamers trying to get an advantage on a competitor?  
Bad guys making a test run to see if the server can be used for a real run?  
Is DDoS software widely available on the dark web?  ...





-- 
These are my opinions.  I hate spam.
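The cookie binding Hal sketches above, as an added example (my code, not ntpsec's, and not the RFC 8915 cookie format, whose cookies carry encrypted session keys; an HMAC tag stands in for that here). The server issues a cookie that is tied to the address it was issued to, and when a request arrives it recomputes the tag using the address the packet actually came from, so a cookie that shows up with a different source address gets no reply. The `bind_ip=False` path shows the unbound behaviour for comparison. Key, addresses and cookie layout are constructed assumptions.

```python
import hashlib
import hmac
import ipaddress
import secrets

NONCE_LEN, TAG_LEN = 8, 32

def _binding(ip, bind_ip):
    """Bytes the cookie is bound to: the packed address, or nothing."""
    return ipaddress.ip_address(ip).packed if bind_ip else b""

def issue_cookie(server_key, client_ip, bind_ip=True):
    """Server side, at cookie-issue time (NTS-KE in the real protocol):
    cookie = nonce || HMAC-SHA256(server_key, nonce || client_ip)."""
    nonce = secrets.token_bytes(NONCE_LEN)
    tag = hmac.new(server_key, nonce + _binding(client_ip, bind_ip), hashlib.sha256).digest()
    return nonce + tag

def cookie_valid(server_key, cookie, src_ip, bind_ip=True):
    """Server side, per NTP request: recompute the tag with the source address
    of the packet in hand and compare in constant time."""
    if len(cookie) != NONCE_LEN + TAG_LEN:
        return False
    nonce, tag = cookie[:NONCE_LEN], cookie[NONCE_LEN:]
    try:
        expected = hmac.new(server_key, nonce + _binding(src_ip, bind_ip), hashlib.sha256).digest()
    except ValueError:          # unparsable source address
        return False
    return hmac.compare_digest(tag, expected)

def reply_sent(server_key, cookie, src_ip, bind_ip=True):
    """Response policy: answer only requests whose cookie verifies for their source."""
    return cookie_valid(server_key, cookie, src_ip, bind_ip)

def demo(bind_ip):
    """Constructed scenario: a cookie issued to 192.0.2.10 later appears in a
    request whose source address is 203.0.113.5, the spoofed-source situation
    the post describes. Returns (legitimate_answered, mismatched_answered)."""
    key = secrets.token_bytes(32)
    cookie = issue_cookie(key, "192.0.2.10", bind_ip)
    return (reply_sent(key, cookie, "192.0.2.10", bind_ip),
            reply_sent(key, cookie, "203.0.113.5", bind_ip))

if __name__ == "__main__":
    print("bound cookie (legit, mismatched):", demo(True))
    print("unbound cookie (legit, mismatched):", demo(False))
```

The privacy cost Hal notes falls out of the design: the server must learn and keep an address per cookie, and a client whose address changes (roaming, NAT rebinding) has to fetch fresh cookies before it gets answered again.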





RE: Internet diameter?

2018-11-24 Thread Hal Murray


Keith Medcalf  said:
> "just static content" would be more accurate ...

  and using http rather than https

> There were many attempts at this by Johnny-come-lately ISPs back in the 90's
> -- particularly Telco and Cableco's -- with their "transparent proxies".
> Eventually they discovered that it was more cost efficient to actually
> provide the customer with what the customer had purchased. 

One of the complications in this area is an extra layer of logging which could 
turn into privacy invasion.

I'm pretty sure it was Comcast, but a quick search didn't find a good 
reference.  Many years ago, there were a lot of complaints when customers 
discovered that their transparent proxy web site traffic was getting logged.  
Comcast said they weren't using it for anything beyond normal operations work, 
but nobody believed them.  Shortly after that, they gave up on proxying.

I'm sure the general reputation of modern Telcos and Cablecos for privacy 
invasion didn't help.


-- 
These are my opinions.  I hate spam.





Re: Are any of you starting to get AI robocalls?

2018-04-05 Thread HAL
 I've worked at a telco for 15 years and I can say this problem is not
going away anytime soon. The issue is the SS7 network that carriers use
inherently trusts calls from long distance trunks without verification...
I've analyzed incoming spoofed calls from our STP and they all come from
foreign point codes on the SS7 network somewhere else in the world.  One
potential solution was to block incoming calls from an LD trunk with a
local NXX, but since number portability came into play this would also
block legitimate calls and couldn't be implemented without also having a
whitelist of ported numbers to let through. While you could in theory
customize your SS7 STP to do this, the manufactures of that equipment are
not very interested in that development work without being paid to do it,
and since the FCC/CRTC and other regulatory bodies haven't forced it yet...
nobody is voluntarily going to cough up the $$$.

This is very similar, in a way, to how email used to be in the 90s.. with
open SMTP relays all over the place and anyone could spoof email.. all you
need to do to access it is have some sort of digital interface (like a PRI
for example) to be able to connect directly and specify (ie spoof) your ANI
when placing a call).



On Thu, Apr 5, 2018 at 1:44 PM, Dovid Bender  wrote:

> On Thu, Apr 5, 2018 at 11:12 AM, Brian  wrote:
>
> > On Thu, 2018-04-05 at 07:55 -0700, Brian Kantor wrote:
> >
> > > So the logical conclusion is that caller ID is useless as an
> > > anti-vspam measure and the situation is hopeless, so the only
> > > solution is to not personally answer the phone at all -- let voice
> > > mail take a message.
> >
> > Pretty much. We've received calls here with the CID displaying as our
> > own info, and others coming up as a neighbor's number. Some even appear
> > as law enforcement when they're scammers looking for donations to
> > charities that don't exist. I suppose if you're going to commit one
> > crime, go for broke.
> >
> > > This is what I have adopted on my personal landline.  With the
> > > ringers disconnected.  Although I get probably a half-dozen incoming
> > > calls a day, perhaps one a week will leave a message.  Most of those
> > > messages are recorded announcements that started playing even before
> > > the voicemail greeting finished.
> >
> > I've been enjoying quiet on a VoIP line with asterisk. Those who I
> > know/expect/desire calls from I can route them directly to my extension,
> > those others get the IVR. It works parallel to IP routing. I can go a
> > few days without hearing my phone ring yet my logs are filled with
> > spammers/telemarketing calls. Robo-dialers have no clue which extension
> > a human may be at, and I've been doing this for over 15 years with great
> > success. With a digium wildcard, this can work for POTS lines as well.
> >
> >
> >
>
> A simple "Thank you for calling the line of $NAME. To prove you are not a
> robot press 1". That seems to weed out most of them.
>

-- 


This email and any files transmitted with it are confidential and 
intended solely for the use of the individual or entity to whom they are 
addressed. If you have received this email in error please notify the 
system manager. This message contains confidential information and is 
intended only for the individual named. If you are not the named addressee 
you should not disseminate, distribute or copy this email. Please notify 
the sender immediately by e-mail if you have received this email by mistake 
and delete this e-mail from your system. If you are not the intended 
recipient you are notified that disclosing, copying, distributing or taking 
any action in reliance on the contents of this information is strictly 
prohibited.


Re: WWV Broadcast Outages

2017-03-02 Thread Hal Murray
"Majdi S. Abbas"  said:
>   That said, I and many others "still use" WWV -- there aren't exactly a
> surplus of suitable backup methods to GPS these days. 

Any suggestions for gear and/or software that works with WWV (or CHU)?  Or 
general suggestions for non GPS sources of time?

Dave Mills had a driver in ntpd that used a PC audio port to listen to WWV.  
I don't know anybody who ever used it.  I think there was code to tell some 
brand of receiver with a serial/USB port how to change frequencies so you 
could use the one that worked best for that time of day.

There used to be WWVB (60 KHz) receivers.  The good ones phase locked to the 
carrier.  The general rise in EMI made those close to useless in most 
locations.  NIST finished the job when they changed the modulation format a few 
years ago.  As far as I know, there aren't any replacements for the old gear 
that take advantage of the new modulation format.  GPS works too well.

There are some boxes that recover the time from nearby cell phone towers.  I 
think they will stop working as the towers get upgraded to the newer 
protocols that use a different form of timing.  That will probably take many 
years.  But the cell phone towers depend on GPS.  (You can usually spot the
conical antenna(s) if you look around a bit.)



-- 
These are my opinions.  I hate spam.





Re: Leap Second planned for 2016

2016-07-08 Thread Hal Ponton

I'll just leave this here :)

http://spendyourleapsecondhere.com/
--
--
Regards,

Hal Ponton
Senior Network Engineer

Buzcom / FibreWiFi





Andrew Kirch <mailto:trel...@trelane.net>
9 July 2016 at 00:09
It's a whole extra second you can spend doing something awesome. You have to
plan now!

Javier J <mailto:jav...@advancedmachines.us>
8 July 2016 at 23:53

Time to start preparing



Unless you are running something that can't handle leap seconds what do you
really need to prepare for?



On Thu, Jul 7, 2016 at 12:59 PM, Andrew Gallo<akg1...@gmail.com>  wrote:


Looks like we'll have another second in 2016:
http://www.space.com/33361-leap-second-2016-atomic-clocks.html


Time to start preparing








Re: B5-Lite

2016-05-17 Thread Hal Ponton

Hi Mike,

We had the target signal as per the B5's GUI indicated we should have, 
there is a fair bit of noise in the area, however, the UBNT PowerBridge 
that was doing the link at 30MHz channel bandwidth was passing 70-80Mbps.


Our engineers spent as much time possible aligning the link, we had a 
team at each end assisting in this.


We reviewed with Mimosa and our Distributor, but there's only so much 
time we could spend on this link. Once the newer firmware was released 
(I think v1.2.0) we tested again and got better performance so this may 
have been an early problem that has been ironed out now, but for me I 
would only use them on smaller distance links. YMMV

--
--
Regards,

Hal Ponton
Senior Network Engineer

Buzcom / FibreWiFi





Mike Hammett <mailto:na...@ics-il.net>
17 May 2016 at 16:06
I think there is some information missing on your longer link. Did you 
still have appropriate signal? Was there noise?


I have a B5 link that's about 2 miles that's rocking full data rate 
and a B5c one that's going about 4 miles at full data rate. My 8 mile 
B5c link is less than full data rate due to interference.





-
Mike Hammett
Intelligent Computing Solutions
http://www.ics-il.com



Midwest Internet Exchange
http://www.midwest-ix.com


- Original Message -

From: "Hal Ponton" <h...@buzcom.net>
To: "Matt Hoppes" <mattli...@rivervalleyinternet.net>
Cc: "North American Network Operators' Group" <nanog@nanog.org>
Sent: Saturday, May 14, 2016 7:31:10 AM
Subject: Re: B5-Lite

We've deployed 2 B5 links into production, the newer firmware seems to 
have fixed the issues we saw in the links when we first tested them.


We have a very rural customer where two hops are needed around the 
site. We're lucky in that we had two 80MHz channels free. We see 
around 350Mbps both ways actual throughput on both links.


However, these links are short est. 200mtrs when we had tested these 
on longer links their performance was awful, on a 40MHz channel we saw 
20Mbps.


For our longer links that need a bit more throughput than a Rocket M5 
we either use Licensed radios or the AF5X which works very well.


Regards,

Hal Ponton

Senior Network Engineer

Buzcom / FibreWiFi








Re: B5-Lite

2016-05-14 Thread Hal Ponton
For that distance link you could use to 300m 45 degree slant AF5x antenna 

Regards,

Hal Ponton

Senior Network Engineer

Buzcom / FibreWiFi

> On 14 May 2016, at 18:43, Jared Mauch <ja...@puck.nether.net> wrote:
> 
> 
>> On May 14, 2016, at 6:07 AM, Matt Hoppes <mattli...@rivervalleyinternet.net> 
>> wrote:
>> 
>> Jared - why not go to Ubiquiti AC gear if you need some more speed and 
>> something more modern?
> 
> Concern is with the UBNT AC 500mm dish and wind loading on the tower even 
> with radome.
> 
> b5 is ~450mm and b5-lite is 260mm.
> 
> The link is 4.88km (3mi) so keeping bandwidth and link up are key.
> 
> - Jared



Re: B5-Lite

2016-05-14 Thread Hal Ponton
We've deployed 2 B5 links into production, the newer firmware seems to have 
fixed the issues we saw in the links when we first tested them.

We have a very rural customer where two hops are needed around the site. We're 
lucky in that we had two 80MHz channels free. We see around 350Mbps both ways 
actual throughput on both links.

However, these links are short est. 200mtrs when we had tested these on longer 
links their performance was awful, on a 40MHz channel we saw 20Mbps.

For our longer links that need a bit more throughput than a Rocket M5 we either 
use Licensed radios or the AF5X which works very well. 

Regards,

Hal Ponton

Senior Network Engineer

Buzcom / FibreWiFi

> On 14 May 2016, at 11:07, Matt Hoppes <mattli...@rivervalleyinternet.net> 
> wrote:
> 
> Jared - why not go to Ubiquiti AC gear if you need some more speed and 
> something more modern?
> 
>> On May 14, 2016, at 01:43, Eric C. Miller <e...@ericheather.com> wrote:
>> 
>> B5c is the only product that I've had much success with from Mimosa.
>> 
>> The B5Lite is a cheap plastic shell, and it performs like it too.
>> 
>> If you have UBNT gear now, Mimosa is a good next step, but I'd strongly 
>> recommend that you steer away from the lite and go with the B5c. We use them 
>> with rocket dishes. You just need the RP-SMA to N cables.
>> 
>> 
>> Eric Miller, CCNP
>> Network Engineering Consultant
>> 
>> 
>> 
>> -Original Message-
>> From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Jared Mauch
>> Sent: Friday, May 13, 2016 7:06 PM
>> To: North American Network Operators' Group <nanog@nanog.org>
>> Subject: B5-Lite
>> 
>> Anyone deployed this radio in production in the US?  I’m curious to hear 
>> from people who are using it, looking at replacing some UBNT hardware with 
>> it on some PTP links, going from the M-series class devices to something 
>> more modern.
>> 
>> Thanks,
>> 
>> - Jared



Re: Best practices for sending network maintenance notifications

2016-04-06 Thread Hal Ponton
I think there was a BCP being worked on. I seem to recall it was being 
discussed as a Facebook group. But there's no RFC, at least that I know of.

Regards,

Hal Ponton

Senior Network Engineer

Buzcom / FibreWiFi

Tel: 07429 979 217
Email: h...@buzcom.net

> On 6 Apr 2016, at 19:56, Dan Mahoney, System Admin <d...@prime.gushi.org> 
> wrote:
> 
> All,
> 
> We recently, at $dayjob, had one of our peers (at Symantec)  send out a 
> network maint notification, putting 70 addresses in the "To:" field, rather 
> than using BCC or the exchange's mailing list.
> 
> Naturally, when you mail 30 addresses, of the forms peering@ and noc@ various 
> organizations, you're likely to hit at least a few autoresponders and ticket 
> systems...
> 
> And at least one or two of those autoresponders are of course braindead and 
> configured to reply-all.  (In this case, Verizon's ServiceNow setup was such 
> a stupid responder).  And that made things fun in our own ticket system, as 
> our RT setup happily created a bunch of tickets.
> 
> My question for the group -- does anyone know if there's a "best practices" 
> for sending maint notifications like this?  An RFC sort of thing?
> 
> While it would define a social protocol, rather than a truly technical one, 
> if there's not such a document, it seems like it could useful.  And once such 
> a thing exists, exchanges could of course helpfully point their members AT it 
> (for both their humans, and ticket systems, to follow).
> 
> -Dan
> 
> -- 
> 



Re: Modem as a service?

2015-12-06 Thread Hal Ponton
Apologies,

Should have listed the following link as this is suited for the US market 
whereas the other is European.

http://www.tekview-solutions.com/powertxtduo.php

Regards,

Hal Ponton

Senior Network Engineer

Buzcom / FibreWiFi

Tel: 07429 979 217
Email: h...@buzcom.net

> On 7 Dec 2015, at 01:18, Hal Ponton <h...@buzcom.net> wrote:
> 
> There are already devices that are doing this like PowerTxT, it may be based 
> off another company I may add but we are using them for OOB monitoring of 
> power for remote sites.
> 
> They have just enough power in the capacitors to send a text message to a 
> master number or gateway for an NMS.
> 
> Have a look at http://www.tekview-solutions.com/powertxt.php
> 
> Regards,
> 
> Hal Ponton
> 
> Senior Network Engineer
> 
> Buzcom / FibreWiFi
> 
> Tel: 07429 979 217
> Email: h...@buzcom.net
> 
>> On 7 Dec 2015, at 01:07, b <b-na...@grmbl.net> wrote:
>> 
>> What about a $20 android phone, when it detects a power loss (stops 
>> charging), send an sms.
>> 
>>>> On Mon, Dec 07, 2015 at 12:03:48PM +1100, Karl Auer wrote:
>>>> On Sun, 2015-12-06 at 18:13 -0600, Josh Reynolds wrote:
>>>> You could always just use UPS equipment that can send out alerts on power
>>>> outages and low bat voltage. Or, use equipment that supports dying gasp.
>>> 
>>> The equipment you have needs to be able to send the alert, which means
>>> SMS or email-capable equipment needs to stay powered up long enough to
>>> do that.
>>> 
>>> There might be a product idea here, if no-one's done it already:
>>> Something like a RaspBerry Pi, running off a lithium battery, with a
>>> recharge circuit and something to detect a power outage. Add a 3G/4G
>>> card to send an SMS alert, put it all in a box, plug it into power. Only
>>> configuration needed is setting the SMS target(s)... If you made it
>>> network addressable (on 3G/4G) it could send emails as well.
>>> 
>>> Regards, K.
>>> 
>>> -- 
>>> ~~~
>>> Karl Auer (ka...@biplane.com.au)
>>> http://www.biplane.com.au/kauer
>>> http://twitter.com/kauer389
>>> 
>>> GPG fingerprint: 3C41 82BE A9E7 99A1 B931 5AE7 7638 0147 2C3C 2AC4
>>> Old fingerprint: EC67 61E2 C2F6 EB55 884B E129 072B 0AF0 72AA 9882
>>> 
>>> 


Re: Modem as a service?

2015-12-06 Thread Hal Ponton
There are already devices that are doing this like PowerTxT, it may be based 
off another company I may add but we are using them for OOB monitoring of power 
for remote sites.

They have just enough power in the capacitors to send a text message to a 
master number or gateway for an NMS.

Have a look at http://www.tekview-solutions.com/powertxt.php

Regards,

Hal Ponton

Senior Network Engineer

Buzcom / FibreWiFi

Tel: 07429 979 217
Email: h...@buzcom.net

> On 7 Dec 2015, at 01:07, b <b-na...@grmbl.net> wrote:
> 
> What about a $20 android phone, when it detects a power loss (stops 
> charging), send an sms.
> 
>> On Mon, Dec 07, 2015 at 12:03:48PM +1100, Karl Auer wrote:
>>> On Sun, 2015-12-06 at 18:13 -0600, Josh Reynolds wrote:
>>> You could always just use UPS equipment that can send out alerts on power
>>> outages and low bat voltage. Or, use equipment that supports dying gasp.
>> 
>> The equipment you have needs to be able to send the alert, which means
>> SMS or email-capable equipment needs to stay powered up long enough to
>> do that.
>> 
>> There might be a product idea here, if no-one's done it already:
>> Something like a RaspBerry Pi, running off a lithium battery, with a
>> recharge circuit and something to detect a power outage. Add a 3G/4G
>> card to send an SMS alert, put it all in a box, plug it into power. Only
>> configuration needed is setting the SMS target(s)... If you made it
>> network addressable (on 3G/4G) it could send emails as well.
>> 
>> Regards, K.
>> 
>> -- 
>> ~~~
>> Karl Auer (ka...@biplane.com.au)
>> http://www.biplane.com.au/kauer
>> http://twitter.com/kauer389
>> 
>> GPG fingerprint: 3C41 82BE A9E7 99A1 B931 5AE7 7638 0147 2C3C 2AC4
>> Old fingerprint: EC67 61E2 C2F6 EB55 884B E129 072B 0AF0 72AA 9882
>> 
>> 


Re: cisco.com unavailable

2015-09-21 Thread Hal Ponton

Works from the UK from a few ISP's
--
--
Regards,

Hal Ponton
Senior Network Engineer

Buzcom / FibreWiFi





Keith Stokes <mailto:kei...@neilltech.com>
21 September 2015 19:55
It works fine for me from Cox.



---

Keith Stokes


From: NANOG <nanog-boun...@nanog.org> on behalf of Murat Kaipov 
<mkai...@outlook.com>

Sent: Monday, September 21, 2015 1:51 PM
To: nanog@nanog.org
Subject: cisco.com unavailable

Hi folks!
Is cisco.com <http://cisco.com/> unavailable or it is affected just 
for Rostelecom?

Murat Kaipov <mailto:mkai...@outlook.com>
21 September 2015 19:51
Hi folks!
Is cisco.com <http://cisco.com/> unavailable or it is affected just 
for Rostelecom?




Re: Ghosts in our 6 New Ubiquity Pros - provision issues.

2015-06-19 Thread Hal Ponton
What version of the controller are you using? We're running 3.something and that 
works fine.

We've turned off auto update on all of the sites on the server, and Nagios 
monitors them, we certainly don't see reboots 2-3 times a day, the last time 
ours rebooted was when we lost power at our office.

Contact me off list if you want me to take a look.

Regards,

Hal Ponton

Senior Network Engineer

Buzcom / FibreWiFi

Tel: 07429 979 217
Email: h...@buzcom.net

> On 19 Jun 2015, at 11:01, Bob Evans b...@fiberinternetcenter.com wrote:
> 
> Ubiquiti Networks UniFi UAP-PRO Enterprise WiFi System - hard to recommend
> at this point. We saw people mention this brand here on the list - people
> like them. So what could we have set incorrectly ? They drop link and
> re-provision on their own at odd times day or night.
> 
> We have completed everything tech support asked of us. (Really, lame
> emails they respond with as if they didn't read your text - they won't
> call and you can't call them). We used POE from ciscos - then changed to
> their POE provided. They didn't recommend it, but we plugged them all into
> APC UPSes. no difference. They all re-provision at different times
> even when no one is connected or in the building at odd hours like 2am.
> Each one does this 2-3 times per 24 hour period.
> 
> Has anyone else experienced this?
> Anyone know what we may have set incorrectly ?
> Is this normal - do people put up with the 2 mins the APs are unavailable
> about 3 times a day? (UniFi support acts like it's not a big issues.)
> 
> We use the UniFi controller on mac os x. We use their EdgeMax Edge Router.
> All the latest software in everything UniFi.
> 
> Thank You
> Bob Evans



Re: ddos attack blog

2014-02-14 Thread Hal Murray

> I was being a bit extreme, I don't expect UDP to be blocked and there are
> valid uses for NTP and it needs to pass. Can you imagine the trading
> servers not having access to NTP?

Sure.

They could set up internal NTP servers listening to GPS.  Would it be as good 
overall as using external servers?   Probably not, but it might be good 
enough.  I doubt if it would be very high on any trading floor's list of nasty 
problems.

They could arrange to poke holes through the generic UDP block - whitelist 
the few known cases where UDP traffic is expected.  Would it be a pain to 
administer?  Probably, but I'll bet it could be made to work.


-- 
These are my opinions.  I hate spam.
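The "generic UDP block with holes poked for the known cases" from the post above, written out as an nftables ruleset. This is an added example, not something from the list thread; the addresses and prefixes are constructed placeholders, and the site is assumed to run its own NTP servers and recursive resolvers behind the firewall.

```nft
# Added example (not from the list post): default-drop UDP through a site
# firewall, whitelisting only the cases where UDP traffic is expected.
# All addresses are constructed placeholders from RFC 5737 / RFC 1918 space.
table inet udp_policy {
    set ntp_servers {
        type ipv4_addr
        elements = { 192.0.2.10, 192.0.2.11 }   # internal GPS-disciplined NTP servers (placeholder)
    }
    set dns_resolvers {
        type ipv4_addr
        elements = { 192.0.2.53 }               # internal recursive resolvers (placeholder)
    }
    set lan {
        type ipv4_addr
        flags interval
        elements = { 10.0.0.0/8 }               # client networks (placeholder)
    }

    chain forward {
        type filter hook forward priority 0; policy accept;

        # Replies to flows already permitted come back through conntrack,
        # so only the request direction needs explicit whitelist rules.
        ct state established,related accept

        # This chain only decides UDP; TCP and others are left to other policy.
        meta l4proto != udp accept

        # Clients may reach the site's own NTP and DNS servers, nothing else over UDP.
        ip saddr @lan ip daddr @ntp_servers udp dport 123 accept
        ip saddr @lan ip daddr @dns_resolvers udp dport 53 accept

        # The internal servers are the only hosts allowed to talk NTP/DNS outward
        # (needed if the NTP servers also peer with external sources).
        ip saddr @ntp_servers udp dport 123 accept
        ip saddr @dns_resolvers udp dport 53 accept

        # Everything else UDP is dropped.  Rate-limited logging plus a counter
        # turns "a pain to administer" into a list of cases still missing
        # from the whitelist, and shows unsolicited inbound UDP from outside.
        meta l4proto udp limit rate 10/minute log prefix "udp-policy-drop "
        meta l4proto udp counter drop
    }
}
```

Load it with `nft -f`, then review the `udp-policy-drop` log entries before tightening further: each distinct destination port that shows up is either a whitelist entry you forgot or traffic you wanted blocked.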






Re: [VoiceOps] (cross post) VoIP heat charts...

2014-01-15 Thread Hal Murray
> http://www.nanpa.com/nanp1/allutlzd.zip lists NPANXX and Ratecentre.

How does number portability interact with this?

What fraction of numbers have been ported?  (Where should I look/google to 
find the answer?)


-- 
These are my opinions.  I hate spam.






Re: Mikrotik Cloud Core Router and BGP real life experiences?

2013-12-27 Thread Hal Murray

nanog-requ...@nanog.org said:
> We replaced a few Maxxwave 6 port Atom's with the CCR. ~400Mb/s and ~40K
> pps aggregate across all ports. CPU load went from ~25% to ~0-2%. These are
> in a configuration where they have little or no firewall/nat/queue rules.
> And in most cases are running MPLS. 

How much CPU does it take to implement BCP-38?



-- 
These are my opinions.  I hate spam.






Re: Automatic abuse reports

2013-11-12 Thread Hal Murray
William Herrin b...@herrin.us said:
> That's the main problem: you can generate the report but if it's about
> some doofus in Dubai what are the odds of it doing any good?

It's much worse than that.

Several 500 pound gorillas expect you to jump through various hoops to report 
abuse.  Have you tried reporting a drop box to Yahoo or Google lately?

On top of that, many outfits big enough to own a CIDR block are outsourcing 
their mail to Google.  Google has a good spam filter.  It's good enough to 
reject spam reports to abuse@hosted-by-google.

I wonder what would happen if RIRs required working abuse mailboxes.  There 
are two levels of working.  The first is "doesn't bounce or get rejected 
with a sensible reason."  The second is "actually gets acted upon."

If you were magically appointed big-shot in charge of everything, how long 
would you let an ISP host a spammer's web site or DNS server or ...?  What 
about retail ISPs with zillions of zombied systems?


-- 
These are my opinions.  I hate spam.






Re: This is a coordinated hacking. (Was Re: Need help in flushing DNS)

2013-06-20 Thread Hal Murray

> at what point is the Internet a piece of infrastructure whereby we
> actually need a way to watch this thing holistically as it is one system and
> not just a bunch of inter-jointed systems? Whose job is it to do nothing but
> ensure that the state of DNS and other services is running as it
> should... who's the clearing house here.

> The Internet:  Discovering new SPOF since 1969! 
:)  Thanks.

Perhaps we should set up a distributed system for checking things rather than 
another SPOF.  That's distributed both geographically and administratively 
and using several code-bases.

In this context, I'd expect lots of false alarms due to people changing their 
DNS servers but forgetting to inform their monitoring setup (either internal 
or outsourced).

How would you check/verify that the communication path from the monitoring 
agency to the right people in your NOC was working correctly?


-- 
These are my opinions.  I hate spam.






Re: OOB core router connectivity wish list

2013-01-09 Thread Hal Murray

It might help clarify things if you added two (hopefully) short sections:

  One discussing how to get off the ground.
  How do I get my ssh key on a factory-reset box?

  Another discussing security.
  There may be conflicting requirements for different usage scenarios.



-- 
These are my opinions.  I hate spam.






Re: FYI Netflix is down

2012-07-02 Thread Hal Murray

George Herbert george.herb...@gmail.com said:

> I worked for a Sun clone vendor (Axil) for a while and took some of our
> systems and storage to Comdex one year in the 90s.  We had a RAID unit
> (Mylex controller) we had just introduced.  Beforehand, I made REALLY REALLY
> SURE that the pull-the-disk and pull-the-redundant-power tricks worked.  And
> showed them to people with the "Please keep in mind that this voids the
> warranty, but here we *rip* go..."  All of the other server vendors were
> giving me dirty looks for that one. Apparently I sold a few systems that
> way. 

:)  Nice.  Thanks.

Many years ago, I worked for one of DEC's research groups.  We built a 
network using FDDI 4B/5B link technology based on AMD TAXI chips.  (They were 
state of the art back then.)  The switches were 3U(?) boxes with 12 ports.  
It took a rack of 6 or 8 of them in the phone closet to cover a floor.  
Workstations had 2 cables plugged into different switches.  In theory, we 
covered any single point of failure.

My office was near the phone closet.  I got to watch my boss give demos to 
visiting VIPs.  He was pretty good at it.  In the middle of explaining 
things, he would grab a power cord and yank it.  Blinka-blinka-blinka and the 
remaining switches would reconfigure and go back to work.  (It took under a 
second.)

It was interesting to watch the VIPs.  Most of them got it: the network 
really could recover quickly. The interesting ones had a telco background.  
They were really surprised.  The concept of disrupting live traffic for 
something as insignificant as a demo was off scale in their culture.

It was just a research lab.  We were used to eating our own dog food.

--

Greg D. Moore moor...@greenms.com said:

> If folks have not read it, I would suggest reading "Normal Accidents" by
> Charles Perrow.

+1

> The "it can't happen" is almost guaranteed to happen. ;-)  And when it
> does, it'll often interact in ways we can't predict or sometimes even
> understand. 

My memory of that sort of event is roughly...  (see above for context)

The hardware broke and turned a vanilla packet into a super-long packet.  My 
FPGA code was supposed to catch that case and do something sane.  It was 
never tested and didn't work.  It poured crap all over memory.  Needless to 
say, things went downhill from there.

Easy to spot in hindsight.  None of us thought that was an interesting case 
while we were testing.


-- 
These are my opinions.  I hate spam.






NTP/THunderbolt (was Re: strat-1 gps)

2012-06-26 Thread Hal Murray

> Thing with the Thunderbolts is not all revisions of the firmware seem to
> play nice with ntpd.

Would anybody with more info please contact me off-list.

We should be able to fix that, or at least document it.



-- 
These are my opinions.  I hate spam.






RE: EBAY and AMAZON

2012-06-11 Thread Hal Murray
[Snip good collection of security setting suggestions.  Does anybody have 
others or a URL?]

> I could never quite understand how anyone could get phished by e-mail
> since I have never ever seen a phishing or other malicious message that
> was not obviously so, even when I don't have me spectacles on!

Your imagination needs serious recalibration.

  You are a geek, not a naive, dumb, or unfortunately, typical user. 

  Windows security sucks.

  Most users will pick convenience over security.  What fraction of users 
(customers) would be happy with your suggested settings?

  Phishers are smart.  They are willing to work for high value targets.

Google for "spear phishing".  After you have read a few of those, google for 
"spear phishing RSA".

From the comments section of an Ars Technica article on the RSA event:
> So why do any workplace computers in sensitive environments
> have Flash in the first place?
> Because the training materials are no doubt flash based. 

:)

If you are interested in security, the whole comments section may be worth 
scanning.

My probably naive view is that this type of problem could easily be solved by 
having the serious work done on a special class of well locked down machines 
and making a pool of more open systems available for checking mail or 
facebook or whatever.

I've heard stories of people filling USB slots with epoxy so idiots can't 
insert thumb drives found in the parking lot or brought from home.  I forget 
the context.


-- 
These are my opinions.  I hate spam.






CVV numbers

2012-06-09 Thread Hal Murray

In response to my comment about:

> If I'm not supposed to not tell anyone, why is it even printed where I can 
> read it?

(Sorry for the extra not in there.)

I got an off list suggestion of:
  http://www.cvvnumber.com/

It looks reasonable.

But then, whois for cvvnumber.com says:

Registrant:
   Domains By Proxy, LLC
   DomainsByProxy.com
   15111 N. Hayden Rd., Ste 160, PMB 353
   Scottsdale, Arizona 85260
   United States

Should I really take them seriously?


-- 
These are my opinions.  I hate spam.






Re: Dear Linkedin,

2012-06-08 Thread Hal Murray

> > I have accounts at probably 100's of sites. Am I to understand
> > that I am supposed to remember each one of them and dutifully
> > update them every month or two?
>
> Yes; of course if most of those accounts are moribund and unused then you
> don't need to change them so often, but the passwords you use frequently
> should be changed at regular intervals.
>
> It's pretty commonsensical once the threat is understood. 

Does anybody have a good URL explaining that idea?  It's been kicking around 
for many years.  I've never seen a convincing writeup.

Does your bank request/require that you change the PIN on your ATM card every 
few months?

Security is a tradeoff.  I think there are two cases for passwords.  I'll 
call them important and junk.  I'm willing to store the junk ones in a file 
or piece of paper that I'm careful with.  I have to memorize the important 
ones.

I'm only smart enough to memorize a few good passwords.  If I change them 
every few months, they will be less good, or fewer of them.


-- 
These are my opinions.  I hate spam.






Re: Dear Linkedin, [and proposed mitigation approach

2012-06-08 Thread Hal Murray
> Yes, well, I'm being cynical ...

Yes, but are you being cynical enough?

--

> Is 14 months an excusable length of time for someone not to have
> changed their password after a break?  

That cuts both ways.  Who is changing the password, the good guys or the bad 
guys?



-- 
These are my opinions.  I hate spam.






Re: Dear Linkedin,

2012-06-08 Thread Hal Murray

> > Does your bank request/require that you change the PIN
> > on your ATM card every few months?
>
> ATM cards are not passwords, they are a coarse form of two-factor
> authentication - You have the card, you have the PIN.  
>
> You have to possess both in order to transact - at least in theory.
>
> Compare that with the secrecy surrounding the CVV - the last three digits
> on the number on the back of the card which you are not meant to tell
> anyone and which _will_ be different if your card is lost/stolen and
> reissued.

If I'm not supposed to not tell anyone, why is it even printed where I can 
read it?



[Context is only having so-many brain cycles to memorize passwords.]

> It's harder as we get old.  Use technology to aid with the heavy lifting.  :-)

Right.  But the meta problem is figuring out which technology to trust.

Phishing is the tip of the iceberg on social engineering.  So far, the bad 
guys are winning.





-- 
These are my opinions.  I hate spam.






Re: Wacky Weekend: The '.secure' gTLD

2012-06-01 Thread Hal Murray

> I think this is an interesting concept, but i don't know how well it will
> hold up in the long run.  All the initial verification and continuous
> scanning will undoubtedly give the .secure TLD a high cost relative to
> other TLD's. 

Right.  But your "high cost" is relative to dime-a-dozen vanity domains 
and/or domains for small/tiny businesses.  That's not their target market.

How much would it be worth to a bank if they could keep a few of their 
customers from being scammed?  How much would it be worth to an ISP if they 
could keep a few of their customers from being phished?  For starters, just 
consider the support costs.

Here is a note from a different context that says it only costs $99 for 
Verisign to certify you to sign secure-boot stuff for Windows 8, so I think 
that's the right ballpark.
  http://mjg59.dreamwidth.org/12368.html

I'm assuming that the hard part is the initial verification, not the ongoing 
monitoring that can be automated.  YMMV.  I might be all wet.  ...


-- 
These are my opinions.  I hate spam.






RE: Outdoor Wireless Access Point

2012-03-31 Thread Hal Murray

> Hi...How do I do it!
> I'm utterly amazed how many people give away free consultant work.
> We need to keep people working... not giving it away.   
> Ethics... Security... etc...
> Does the university give away free diplomas?   I don't think so. 

I don't expect a free diploma, but many universities are offering free 
internet videos of various classes.

If you want a sample, here are a few good starting points:
  http://ocw.mit.edu/
  http://oyc.yale.edu/
  http://webcast.berkeley.edu/


-- 
These are my opinions, not necessarily my employer's.  I hate spam.






Re: [#135346] Unauthorized BGP Announcements (follow up to Hijacked Networks)

2012-02-01 Thread Hal Murray
I'm not a lawyer nor an operator.

> Imagine that instead of www.google.com, it was www.whitehouse.gov
>
> At some point, I suspect that this gets service to get it fixed RIGHT NOW.
> At some point, the guys informing you it's RIGHT NOW show up with badges.

Where is Milo Medin when we need him?

> The question is, when is it badges?  It can be construed as a denial of
> service attack on the addresses' rightful owners.  They will respond to any
> major government site being hijacked.  Probably to Apple or Google.  Likely
> to a Tier-1 ISPs internal infrastructure. 

How long should it take to fix a problem like this?

Why didn't one of the players upstream from the bad guy pull their plug or 
drop the bogus announcement?  Why didn't any of the players between the first 
upstream and the tier 1s apply pressure?

Do existing contracts cover this case?  If not, what needs to be fixed?  Is a 
RFC needed so the lawyers have something to reference?

Would a session to discuss this at a NANOG gathering help?


> a) law enforcement doesn't understand the problem. and b) the law moves
> very slowly. 

It might be a good idea to make sure that somebody in law enforcement does 
understand what happened here so they can think about who needs to do 
what the next time something like this happens.  (Make sure that operators 
know how to get in touch with somebody who knows.)


-- 
These are my opinions, not necessarily my employer's.  I hate spam.






Re: [#135346] Unauthorized BGP Announcements (follow up to Hijacked Networks)

2012-02-01 Thread Hal Murray
> > Where is Milo Medin when we need him?
> how would he be helping?

He would have pulled the plug.

The story is from the very early days of the internet, probably long before 
NANOG existed.

Milo worked at NASA and found a cracker from Finland on one of NASA's 
machines.  The link from Finland to the rest of the world went through Norway 
to NASA.  (That's THE link, there was only one link connecting all of 
Scandinavia to the rest of the net.)  So Milo called the guy in Finland and 
said "Please fix it."  The reply was "We can't do anything.  We respect civil 
liberties."  Soon he got the message because he wasn't connected to the net 
any more.

If anybody has a good URL for the story, please let me know.  I found one 
reference in google-books that said 1988.

-

> AFAIK there's no law covering the use of what party X considers their 32 bit
> numbers (assigned by party A) by party Y.

Do contracts cover that?  I'd expect that the paperwork for peer-peer, 
customer-ISP and ISP-backbone links would include some nice broad legalese 
about not doing nasty things.


> Besides, how would that work?  Say ARIN assigns US company X (operating only
> in the US) a block, but German company Y (with no US operations) starts
> announcing the same block.  How are US or German laws going to help, when
> the parties have no common jurisdiction? 

The law could be written to apply to the company bringing the bogus 
announcements across the US border.


-- 
These are my opinions, not necessarily my employer's.  I hate spam.






Re: Recent DNS attacks from China?

2011-11-30 Thread Hal Murray

> I am wondering if anyone else is seeing a sudden increase in DNS attacks
> emanating from chinese IP addresses?  Over the past 24 hours we've seen a
> sudden rash of chinese IPs attacking our DNS servers in the order of 5 to 10
> million PPS for periods of 5 to 10 mins, repeated every 20 to 30 minutes.
>
> This anomalous traffic started roughly 24 hours ago, and while we've had
> occasions of anomalous chinese traffic, never anything of this type.

I don't know if it's related, but at about the same time USNO reported an 
attack on their NTP servers.

I could easily imagine a piece of malware with a bug that does massive 
retransmits on both DNS and NTP.

---

From: Rich schmidt.r...@gmail.com
Newsgroups: comp.protocols.time.ntp
Subject: NTP Denial of Service attack 29 November 2011
Date: Tue, 29 Nov 2011 12:44:44 -0800 (PST)
Organization: http://groups.google.com
NNTP-Posting-Host: 199.211.133.254

USNO is seeing an apparent coordinated denial of service attack on NTP
originating with the following IPs:
220.117.53.67; 218.92.115.152; 114.40.28.224; 218.201.21.194. 

--

At 11 pm EST 29 Nov 2011 the Navy Cyber Defense Operations Command
ordered USNO to take NTP servers in Washington, DC offline, and USNO
complied.   USNO serves more than 3 million clients.  This is the
first time in 17 years that we have ceased NTP operations.



NTP Service from USNO Washington was restored at 30.56 November 2011
UTC.  No further information is available for dissemination at this
time.


-- 
These are my opinions, not necessarily my employer's.  I hate spam.






Re: First real-world SCADA attack in US

2011-11-23 Thread Hal Murray

> Like any of the decade's largest breaches this could have been avoided by
> following BCP's.  In addition SCADA networks are easily protected via
> behavioral and signature based security technologies.  

Is there a BCP that covers security for SCADA?

Note that Google for "BCP SCADA" finds
  "BS-25999 Business Continuity Plan Implementation Checklist ..."

--

Suppose a friend of yours was a low-level geek working for either a 
user/operator of a SCADA system or a vendor of software/hardware for that 
market.  If he asked you for info about security, where would you send him?  
(Assume he knows all about SCADA but little about networks or security.)

For that matter, is there any good security info for small to medium sized 
businesses?  Say a local store, travel agency, or doctor/dentist.



-- 
These are my opinions, not necessarily my employer's.  I hate spam.






Re: First real-world SCADA attack in US

2011-11-21 Thread Hal Murray

> On an Illinois water utility:
> http://www.msnbc.msn.com/id/45359594/ns/technology_and_science-security

That URL says:
> The Nov. 8 incident was described in a one-page report from the Illinois
> Statewide Terrorism and Intelligence Center, according to Joe Weiss, a
> prominent expert on protecting infrastructure from cyber attacks.

Joe Weiss gave a good talk at Stanford last Oct 12.
  http://www.stanford.edu/class/ee380/

My quick summary: The whole SCADA industry isn't tuned into network security 
issues.  It's not part of their culture.

--

Several years ago, Idaho National Labs ran an experiment.  They blew up a 
diesel generator by remote control.  Aurora is the buzzword.

The abstract page for his talk has a link to a CNN video.  It only has a few 
seconds of the generator.  Here is a longer version on YouTube:
  http://www.youtube.com/watch?v=fJyWngDco3g


-- 
These are my opinions, not necessarily my employer's.  I hate spam.






Anyone from Trinidad and Tobago TSTT on list?

2010-09-02 Thread Hal Lightwood
Please contact me at your convenience.
Thank you

-- Hal A. Lightwood hal.lightw...@gmail.com
-- Tel: 510 621 3040
-- Skype: hal.lightwood