Re: Fiber cut in SF area

2009-04-10 Thread Scott Doty

George William Herbert wrote:

> Scott Doty wrote:
>
>> (Personally, I can think of a MAE-Clueless episode that was worse than
>> this, but that was in the 90's...)
>
> The gas main strike out front of the building in Santa Clara?
>
> Or something else?
>
> -george william herbert
> gherb...@retro.com


Hi George,

No, it was when an AS took their full bgp feed & fed it into their igp (which
used RIP, iirc), which generated (de-aggregated) routes into /24's, which they then
announced back into bgp...

iirc, part of the chaos that ensued was due to a router bug, so that the routes
stuck around in global views, even after the AS killed their announcements,
and even after physically disconnecting from their provider.

We told our customers "the Internet is broken, please try again later"...which
was acceptable back then.  (But I doubt we would get away with just that nowadays... ;-) )

-Scott



Re: Fiber cut in SF area

2009-04-09 Thread Scott Doty

David Edwards wrote:

> At 12:55 PM 4/9/2009, you wrote:
>
>> From the news coverage it appears to be in the general area of
>> http://cow.org/r/?545c
>>
>> -r
>
> Interesting.  The report I got from a vendor was that it is Above.net
> with a fiber cut in Redwood City which is affecting a circuit of mine
> between 200 Paul in SF and PAIX in Palo Alto, which is a ways from
> south San Jose.

http://www.kcbs.com/Phone-Outage-Likely-Caused-by-Vandals/4174734

"Police say that at 1:20 a.m., four to five fiber optic cables located
beneath a manhole were cut and severed on Monterey Highway, north of
Blossom Hill Road."


"In San Carlos, vandals struck a second time along Old County Road at
the edge of San Carlos and Redwood City"


I also heard on KCBS:  The cuts were in 4 manholes in San Carlos, and 
they said it was seven cables.  (Not sure if that means the same 7 
cables were cut 4 times, or what...)


I also heard: there were 4 cables cut in the South SJ manhole.

A lot of comms (incl. 911) are out for Santa Cruz County, as well as
South Santa Clara County, including Gilroy and Morgan Hill.


Just now, from their web stream, they refer to this as an act of sabotage.

One interview was with an info-worker in Morgan Hill, and for her, this
was the end of the world.


(Personally, I can think of a MAE-Clueless episode that was worse than 
this, but that was in the 90's...)


Finally -- and I'm not a lawyer -- I want to note that killing 911 to a 
city can get you tried for murder in California, if someone dies as a 
result, if I understand the law correctly.


Better days,

-Scott




Re: The DDOS problem security BOF: Am i mistaken?

2008-10-16 Thread Scott Doty

Dean Anderson wrote:

> On Wed, 15 Oct 2008, Alan Hannan wrote:
>
>> Is truth an actual defense to your assertions?
>
> Yes. Everything in this message is true, and can be proved to a
> certainty.


Please, sir:  I suggest that your messages might contain more than a bit of
quixotism...

Right or wrong, your posts are certainly not operational, and I feel 
partially responsible for the ensuing firegrams...


So please, if you have anything further to say, either email me 
directly, or I suggest trying the nanog-futures list.  Thank you.


-Scott



Re: The DDOS problem security BOF: Am i mistaken?

2008-10-15 Thread Scott Doty
I do seem to have put my foot in my mouth.  I apologize for any offense 
my comments made, as well as any misunderstanding on my part.


I see the note to take this discussion to nanog-futures, so I'll reply 
further there.


And the Security BOF was very good, I was thankful to have been there 
and hear the discussion.  Next time I'll use the microphone.


Thank you,

-Scott




spurring transition to ipv6 -- make it faster

2008-10-14 Thread Scott Doty

We've had one presentation on the unfairness of p2p traffic, which
(the presenter says) will eventually swamp us.

Then just now, we had the presentation & subsequent discussion re: ipv6
adoption.

Just wondering:  what if we gave ipv6 traffic mucho priority over ipv4
traffic, then tell our user communities that ipv6 provides a better
quality network experience, including (hopefully) faster page loads, 
lower video game pings?

With such policies in place, folks wouldn't want to stay with the old,
slow v4 traffic...and it could be a significant selling point.

After all, if most p2p traffic is v4, prioritizing ipv6 (as a general 
concept) should improve the user experience.


Anyway, was just an idea, please pardon me if this has been discussed
before, or sounds nutty...

Thanks,

-Scott





The DDOS problem security BOF: Am i mistaken?

2008-10-14 Thread Scott Doty
First, the good news:  so far, the NANOG conference has been very
valuable and content-rich, covering a lot of issues that need to be
discussed.  For that, I am grateful.


But now, the bad news(?):  Maybe it's just me & my paranoia, but do I detect
an inkling of murk spam going on with some presentations?

Because there seems to be a fundamental misunderstanding, either on my part,
or the part of certain vendors: I'm here to discuss ideas & freely share
them, and they are here to discuss (it would seem) their products. Sometimes
both goals coincide, and that is fine...but...

When a vendor at the security BOF starts showing documents that are company
confidential, and trying to whip up a climate of fear, that we should all
deploy their product in front of our recursive name servers, I get this
funny feeling that I am being murk spammed.

Perhaps that is my own perspective (& paranoia?), but I found the CERT
gentleman's call to monitor icmp backscatter on our authoritative
nameservers far more informative -- and open.

But I was disappointed with two vendors and their presentations: the first
had the tactic of saying "DNSSEC is the actual solution" when asked about
why their product would be necessary...completely ignoring the fact that
their proprietary interim solution was by no means the only way to prevent
cache poisoning attacks.  Indeed, I would daresay it isn't the best, either
by a BCP perspective, or a cost analysis perspective.

To put a finer point on this, I should say that I found myself discomforted
by a presentation suggesting that I should put their proprietary appliances
between my recursive name servers & the Net, and I am grateful that Mr.
Vixie stood up and said that there are other ways of dealing with the
problem.

Then there was the gentleman with the DDOS detection/mitigation appliance,
who flipped through several graphs, which were intended to show the number
of each type of attack.  It's unfortunate that there wasn't more time for
questions, because I really wanted to ask why http GET and spidering
attacks weren't listed on their graphs...more on that in a second.

Fortunately, said vendor had a table at beer and gear, so I was able to
talk with one of their representatives -- and learned that they have just as
much trouble with automatic detection of attacks designed to look like a
slashdotting...which cleared up the mystery as to why it wasn't on the
graphs.

Because this is a real problem:  anybody, with sufficient knowledge &
preparation can vandalize _anybody's_ network.  Showing me a graph that ping
floods happen all the time doesn't impress me -- what would impress me is
going over the actual methods, algorithms (and heuristics?) used in these
attack mitigation appliances.

Because, the best attack mitigation appliance vendor would seem to have
100% of their market, and thus, charge exorbitant prices for their
product(s).  When I brought this up with Mr. Vendor, his first reaction was
to point out that the cost was less than a home-grown solution.  When I
raised the question of open source software to do the same thing, his
reaction was to ask:  "oh? who's going to write it?"

And that right there would seem to be a bit of bravado, perhaps fueled by a
misunderstanding of the role that FOSS has played on the Net.

Fortunately -- and again, I am grateful for this -- the ISC was represented
in the security BOF, presenting the SIE concept...as well as what
applications _already exist_ to detect and mitigate various attacks.  One
demonstration that blew me away:  detecting a botnet being set up for a
phishing attack...and preventing the attack before it even started.

So in conclusion, I'll say this:  the last NANOG I attended was NANOG 9 --
and I remember that being a more challenging environment for vendors.
Probably the biggest problem discussed back then was head-of-line blocking
on a vendor's switches.  _That_ is the kind of content that I have found
valuable, both on this list, and at a conference.

And so:  If I weren't so knock-kneed in public venues,
I would probably be doing what I would like to call on conference
participants to do:  if someone gives a presentation that includes their own
proprietary black-box solution, I think the best benefit for NANOG would
be to point out alternatives.

-Scott
p.s. sorry for the long post.




Re: integer to IP address

2008-08-27 Thread Scott Doty
On Wed, Aug 27, 2008 at 10:25:10AM -0400, Shadow wrote:
>
> Robert D. Scott wrote:
>> The harder way:
>>
>> Decimal: 1089055123
>> Hex (dashes inserted at octets): 40-E9-A9-93
>> Decimal (of each octet): 64-233-169-147
>> IP Address: 64.233.169.147
>
>
> The "this could take all day" way :
>
> (in bc with scale=0 for integer portions only)
>
> 1089055123/(2^24)%(2^8)
> 64
> 1089055123/(2^16)%(2^8)
> 233
> 1089055123/(2^8)%(2^8)
> 169
> 1089055123/(2^0)%(2^8)
> 147
>
> (Note: 2^0=1 & x/1=x so last line could reduce to 1089055123%(2^8).)

$ bc
bc 1.06
Copyright 1991-1994, 1997, 1998, 2000 Free Software Foundation, Inc.
This is free software with ABSOLUTELY NO WARRANTY.
For details type `warranty'. 
obase=256
1089055123
 064 233 169 147

-Scott
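The per-octet arithmetic in this thread (n / 2^24 % 2^8, n / 2^16 % 2^8, and so on, with bc's scale=0 giving integer division) carried through in Python, as an added example that is not part of the list archive or of any poster's message. It reproduces the hex-with-dashes intermediate form from Robert D. Scott's "harder way", adds the reverse direction, and cross-checks both against Python's standard ipaddress module. The value 1089055123 is the one from the thread; the function names and the strict parsing rules (exactly four decimal octets, no leading zeros) are my own choices, made because glibc-style inet_aton() reads a leading-zero octet such as 064 as octal, so two parsers that disagree on that point would name different hosts for the same string.

```python
"""Integer <-> dotted-quad IPv4 conversion (added example, not from the thread)."""
import ipaddress

OCTET_BITS = 8
OCTET_MASK = (1 << OCTET_BITS) - 1   # 2^8 - 1 = 255
MAX_IPV4 = (1 << 32) - 1             # 255.255.255.255

# Sample value taken from the thread; it should decode to 64.233.169.147.
SAMPLE_INT = 1089055123


def int_to_ipv4(n: int) -> str:
    """Convert an unsigned 32-bit integer to dotted-quad notation.

    Same arithmetic as the bc lines above: octet k (k = 3..0, high to low)
    is n / 2^(8k) % 2^8, using integer division.
    """
    if not 0 <= n <= MAX_IPV4:
        raise ValueError(f"{n} is outside the IPv4 range 0..{MAX_IPV4}")
    octets = [(n // (1 << (OCTET_BITS * k))) % (OCTET_MASK + 1) for k in (3, 2, 1, 0)]
    return ".".join(str(o) for o in octets)


def hex_octets(n: int) -> str:
    """The intermediate 'hex with dashes at octets' form, e.g. 40-E9-A9-93."""
    if not 0 <= n <= MAX_IPV4:
        raise ValueError(f"{n} is outside the IPv4 range 0..{MAX_IPV4}")
    return "-".join(f"{b:02X}" for b in n.to_bytes(4, "big"))


def ipv4_to_int(dotted: str) -> int:
    """Parse a dotted quad back into a 32-bit integer, strictly.

    Accepts exactly four ASCII-decimal octets in 0..255 and rejects leading
    zeros on purpose (my choice): C's inet_aton() treats '064' as octal, so
    accepting such strings lets two parsers disagree about the host.
    """
    parts = dotted.split(".")
    if len(parts) != 4:
        raise ValueError(f"{dotted!r}: expected exactly four octets")
    n = 0
    for part in parts:
        if not (part.isascii() and part.isdigit()):
            raise ValueError(f"{dotted!r}: octet {part!r} is not decimal")
        if len(part) > 1 and part.startswith("0"):
            raise ValueError(f"{dotted!r}: leading zero in octet {part!r}")
        octet = int(part)
        if octet > OCTET_MASK:
            raise ValueError(f"{dotted!r}: octet {octet} exceeds 255")
        n = (n << OCTET_BITS) | octet   # shift previous octets up, append this one
    return n


def agrees_with_stdlib(n: int) -> bool:
    """True if both directions match ipaddress.IPv4Address for the integer n."""
    dotted = int_to_ipv4(n)
    forward_ok = str(ipaddress.IPv4Address(n)) == dotted
    reverse_ok = int(ipaddress.IPv4Address(dotted)) == ipv4_to_int(dotted) == n
    return forward_ok and reverse_ok


def rejects(func, value) -> bool:
    """True if func(value) raises ValueError; exercises the error paths."""
    try:
        func(value)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(f"{SAMPLE_INT} -> hex {hex_octets(SAMPLE_INT)} -> {int_to_ipv4(SAMPLE_INT)}")
    print(f"{int_to_ipv4(SAMPLE_INT)} -> {ipv4_to_int(int_to_ipv4(SAMPLE_INT))}")
    print("stdlib agrees:", agrees_with_stdlib(SAMPLE_INT))
```

The bc session above prints the base-256 digits as space-separated groups with a leading zero (" 064 233 169 147"); that output is fine to read by eye, but feeding "064.233.169.147" to ipv4_to_int() raises ValueError rather than guessing whether 064 means 64 or octal 52, which is the disagreement the strict parser is there to avoid.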