Re: DNS Amplification attack?

2009-01-20 Thread jay

On Tue, Jan 20, 2009 at 9:16 PM, Kameron Gasso  wrote:



We're also seeing a great number of these, but the idiots spoofing the
queries are hitting several non-recursive nameservers we host - and only
generating 59-byte "REFUSED" replies.

Looks like they probably just grabbed a bunch of DNS hosts out of WHOIS
and hoped that they were recursive resolvers.


First post to this list, play nice :)

Are you sure about this? I'm seeing these requests on /every/  
(unrelated) NS I have access to, which numbers several dozen, in  
various countries across the world, and from various registries (.net,  
.org, .com.au). The spread of servers I've checked is so random that  
I'm wondering just how many NS records they've laid their hands on.


I've also noticed that on a server running BIND 9.3.4-P1 with
recursion disabled, they still appear to be getting the list of
root NS's from cache, which is a 272-byte response to a 61-byte
request, which by my definition is an amplification.


Cheers,

Jay




Re: DNS Amplification attack?

2009-01-20 Thread jay

Quoting Chris Adams :


Once upon a time, j...@miscreant.org  said:

I've also noticed that on a server running BIND 9.3.4-P1 with
recursion disabled, they still appear to be getting the list of
root NS's from cache, which is a 272-byte response to a 61-byte
request, which by my definition is an amplification.


Add "additional-from-cache no;" to the options{} section of your
named.conf.
--
Chris Adams 
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.




Thanks for the response Chris.

I'm running higher versions of BIND, so don't see this behaviour. But  
I will pass it on to the ISP in question ;)





Re: Tightened DNS security question re: DNS amplification attacks.

2009-01-27 Thread jay

Quoting Matthew Huff :


Given the recent DNS amplification attacks, I've audited and updated our
authoritative servers. We are using 9.6.0-P1 now. I've been using the cymru
templates, but one thing I see is that the dns queries to the . hint file
are still occurring and are not being denied by our servers. For example:

27-Jan-2009 15:00:22.963 queries: client 64.57.246.146#64176: view
external-in: query: . IN NS +
27-Jan-2009 15:00:23.118 queries: client 64.57.246.146#33146: view
external-in: query: . IN NS +

the named.conf has:

...
...
...

view "external-in" in {
  match-clients { any; };
  recursion no;
  additional-from-auth no;
  additional-from-cache no;

  zone "." in {
    type hint;
    file "db.cache";
  };
...
...

Since you can't put an "allow-query { none; };" in a hint zone, what can I do
to deny the query to the . zone file?




Matthew Huff   | One Manhattanville Rd
OTA Management LLC | Purchase, NY 10577
http://www.ox.com  | Phone: 914-460-4039
aim: matthewbhuff  | Fax:   914-460-4139



Hi Matthew,

I'm using the following with 9.5.1:

view "external" {
    recursion no;
    // Refuse answers from cache (this is what denies ". IN NS")
    allow-query-cache { none; };
    zone "." IN {
        type hint;
        file "/var/named/named.ca";
    };
    // ... authoritative zones ...
};

And my logs indicate that the requests for . IN NS are being denied:

Jan 28 08:40:38 web1 named[12337]: client 64.57.246.146#33453: view  
external: query (cache) './NS/IN' denied
Jan 28 08:40:39 web1 named[12337]: client 67.192.144.0#41794: view  
external: query (cache) './NS/IN' denied


Cheers,

Jay
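
Added example, not part of the original thread or any poster's code: a Python tally of root NS queries per client for the two BIND log formats quoted above, to check whether a server is answering or denying them. The sample lines and their addresses are constructed, the byte sizes are the ones quoted in the thread, and it assumes a denied query is answered with the 59-byte REFUSED.

```python
"""Tally root NS ('. IN NS') queries per client from BIND logs (added example)."""
import re
from collections import Counter

# Packet sizes quoted in the thread; they are not measured by this script.
QUERY_BYTES = 61     # the ". IN NS" request
ANSWER_BYTES = 272   # root NS list served from cache
REFUSED_BYTES = 59   # REFUSED reply (assumed to be what a denied query gets)

# Only the two log formats shown in the thread are matched.
CLIENT = r"client (?P<ip>[0-9A-Fa-f.:]+)#\d+: (?:view \S+: )?"
QUERY_RE = re.compile(CLIENT + r"query: \. IN NS\b")                   # queries category
DENIED_RE = re.compile(CLIENT + r"query \(cache\) '\./NS/IN' denied")  # denial message

# Constructed sample log lines (documentation addresses, not real traffic).
SAMPLE = [
    "27-Jan-2009 15:00:22.963 queries: client 192.0.2.10#64176: view external-in: query: . IN NS +",
    "27-Jan-2009 15:00:23.118 queries: client 192.0.2.10#33146: view external-in: query: . IN NS +",
    "27-Jan-2009 15:00:23.402 queries: client 192.0.2.10#41002: view external-in: query: . IN NS +",
    "27-Jan-2009 15:00:24.001 queries: client 198.51.100.7#5353: view external-in: query: . IN NS +",
    "27-Jan-2009 15:00:24.250 queries: client 198.51.100.7#5354: view external-in: query: example.com IN A +",
    "Jan 28 08:40:38 web1 named[12337]: client 203.0.113.5#33453: view external: query (cache) './NS/IN' denied",
    "Jan 28 08:40:39 web1 named[12337]: client 203.0.113.5#41794: view external: query (cache) './NS/IN' denied",
]


def tally(lines):
    """Return (queries, denied) Counters keyed by the logged client address."""
    queries, denied = Counter(), Counter()
    for line in lines:
        m = DENIED_RE.search(line)
        if m:
            denied[m["ip"]] += 1
            continue
        m = QUERY_RE.search(line)
        if m:
            queries[m["ip"]] += 1
    return queries, denied


def estimate(n_queries, n_denied):
    """Estimate bytes received from and sent towards one client address.

    If query logging is off, only denial lines exist, so the total is the
    larger of the two counts. Anything not denied is assumed answered in full.
    """
    total = max(n_queries, n_denied)
    answered = total - n_denied
    bytes_in = total * QUERY_BYTES
    bytes_out = answered * ANSWER_BYTES + n_denied * REFUSED_BYTES
    return {
        "total": total,
        "answered": answered,
        "bytes_in": bytes_in,
        "bytes_out": bytes_out,
        "factor": round(bytes_out / bytes_in, 2),
    }


def report(lines, min_queries=2):
    """List (client, estimate) for busy clients, largest outbound volume first."""
    queries, denied = tally(lines)
    rows = []
    for ip in set(queries) | set(denied):
        est = estimate(queries[ip], denied[ip])
        if est["total"] >= min_queries:
            rows.append((ip, est))
    return sorted(rows, key=lambda row: row[1]["bytes_out"], reverse=True)


if __name__ == "__main__":
    for ip, est in report(SAMPLE):
        print(f"{ip:15} queries={est['total']} answered={est['answered']} "
              f"out={est['bytes_out']}B in={est['bytes_in']}B x{est['factor']}")
```

The logged client is the spoofed source, so each row is a likely target of the reflected traffic; a factor above 1 means the server is still sending back more than it receives.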




Re: APNIC offline

2009-01-27 Thread jay
Tried from the US and AU, I can get to the box's IP, the webserver  
appears to be down though.


Quoting manolo :


All,

 Is anyone else seeing www.apnic.net offline? I have tried from two
locations and the website does not respond. whois is working as
expected though.



Manolo







Re: Tightened DNS security question re: DNS amplification attacks.

2009-01-27 Thread jay

Quoting John Martinez :


Are we still seeing DNS DDoS attack?


Yep. I'm seeing ~2 queries/sec targeting 64.57.246.146.

Also seeing requests from 76.9.16.171 every 1 minute 2 seconds.





Re: Is whois.apnic.net down? (IPv6-MW)

2009-02-10 Thread jay

Quoting Scott Howard :


On Tue, Feb 10, 2009 at 8:48 AM, Dale Carstensen  wrote:


>I get "Connection timed out" on whois commands to it.

Sorry to attempt to answer my own question, but maybe it's the fires
in Australia, as the last traceroute hop is a Brisbane.telstra.net



Brisbane (where APNIC is) is close to 1000 miles from Melbourne (where the
fires are).
Ironically the state Brisbane is in is currently experiencing very bad
flooding over most of the state...

But I digress.   www.apnic.net is also down over IPv4, but reachable over
IPv6.  whois.apnic.net doesn't seem to have an IPv6 address.

  Scott.



  9    33 ms    33 ms    33 ms  203.119.76.66
 10    36 ms    35 ms    35 ms  whois.apnic.net [202.12.29.13]

Trace complete.

It's reachable from where I'm sitting (NSW)




Re: Network diagram software

2009-02-11 Thread jay

Quoting Mathias Wolkert :


I'd like to know what software people are using to document networks.
Visio is obvious but feels like a straight jacket to me.
I liked netviz but it seems owned by CA and unsupported nowadays.

What do you use?

/Tias



I know what you mean about the straight jacket, Visio used to almost  
drive me to the sanitarium. One day I bit the bullet and RTFM (and a  
book) and now I don't find it so frustrating ;)


I have in the past used SmartDraw (http://www.smartdraw.com), it's
commercial, but IMHO reasonably priced, and I found it quick and easy
to whip up network diagrams with it. It's also pretty good at flow
charts.


Just my $0.05




Re: Verizon transparent web caching issue? WAS Re: Data Center QoS equipment breaking http 1.1?

2009-07-31 Thread jay

Quoting u...@3.am:



Disregard my disregard.  The problem resurfaced with no changes on my
part.  I purged browser caches and tried them from 3 browsers and each
time:

http://www.countytheater.org

redirected to:  http://webmail.ns3.pil.net/ which is another NameVhost
on that server sharing that IP.  This is incorrect.  However, I then
switch from a Verizon connection to an ATT 3g connection on the IPhone
and the problem goes away.

Has anyone heard of upstream transparent caching issues causing this
kind of problem?  Does anyone else here get the redirect instead of the
correct page?

TIA


From .au the first 3 times I got pil.net. After that I got lots of  
302's and finally www.countytheater.org loaded, however the url  
showing in the browser is http://ns3.pil.net/~jsanders/. Looking at  
the packet cap it looks like your apache is doing strange things.


--jay




RE: home router battery backup

2022-01-13 Thread Jay

Greetings,
   I am a home user.  Much of my home has been rewired to run off of 
12-volts D.C. from a large 1200 Amp/Hour LiFePO4 battery bank that is 
recharged using Solar.  All my lighting, ceiling fans, water pump, Ham 
radio gear, weather alert radio, USB charging stations, alarm system, 
security cameras and DVR, my wife's CPAP machine, 40-inch flat screen TV, 
ROKU streaming device, etc. all now run off 12 VDC.  High consumption 
devices like stove, refrigerators, air conditioners, furnace, still run on 
AC but get *much* of their power from a 5kw Grid-Tied Solar array (Enphase 
IQ7 microinverters) which I hope to soon add a battery backup to.  There 
is also a whole-house 4kw backup generator.  This is what is known as a 
"Hybrid" home :)


   ALL of my servers, workstations, routers/hubs, WiFi, are also converted 
to run on 12VDC from this battery/solar plant.  In many cases it is just a 
matter of adding a DC-DC buck/booster regulator that can be purchased on 
Amazon for ten bucks, or so.  These generally take 8-40 volts input and 
will deliver whatever voltage output that you desire.  Both my DSL and 
FTTH are powered this way.


   It was mentioned that we need to address *reducing* our power 
consumption in order to reduce our carbon footprint.  This ongoing project 
has helped me to do just that and eliminate so many "power suckers" and 
wall-warts from my home.


   We consume around 150 watts on DC and generally around 600 watts on AC
(unless a freezer or air conditioner cycles on).  When the power goes out,
sometimes we don't immediately notice it!  I think I am living inside a
giant UPS, and more independence from the Grid is refreshing.


   Enjoy!
  --- Jay Nugent  WB8TKL
  Ypsilanti, Michigan
  j...@nuge.com




From: Scott T Anderson via NANOG
Sent: Thursday, January 13, 2022 7:28 AM
To: Scott T Anderson via NANOG
Subject: RE: home router battery backup

Hi everyone,

Thanks very much for all the responses throughout the day. They are very
helpful. Your (collective) answers triggered a couple follow-on questions:

For those individuals with backup battery power for their modem/router, do
they maintain Internet access throughout a power outage (as long as their
backup power solution works)? I.e., does the rest of the ISP network
maintain service throughout a power outage?

Are the modems with backup power designed to operate for a specified period
of time without power and if so, for how long and how was that duration
identified?

If those with backup power do maintain Internet access during a power
outage, do they lose that access if the power outage extends beyond a
certain time? I.e., does the ISP network equipment go offline at some point
in time due to batteries being drained and not having power generation
capabilities?

Again, thanks for sharing your knowledge and experience!

Scott




Re: What do you think about this airline vs 5G brouhaha?

2022-01-19 Thread Jay

Greetings,

On Wed, 19 Jan 2022, Masataka Ohta wrote:


Jay Hennigan wrote:


Radar receivers are typically some form of direct conversion with
rather good selectivity, synchronized to the frequency of the
transmitted pulse.


No. Direct conversion stage has no inherent frequency
selectivity and is subject to saturation by noise of
any frequency unless the noise is removed in advance.

Selectivity can be enjoyed only after successful
unsaturated conversion, direct or to IF.

But, the solution is to put an LC band pass/stop filter
between an antenna and a receiver, though I have no
idea on the difficulty to obtain FAA/FCC approval to
do so.


   Adding an LC bandpass filter will add to the propagation delay of
the receiver.  When the round-trip time of the echo at 1000 feet is only 2
microseconds, that added delay will throw the RA out of calibration.
Perhaps the calibration circuitry can deal with this added delay.


  --- Jay Nugent  WB8TKL



Re: Big day for IPv6 - 1% native penetration

2012-11-21 Thread Jay

On 11/20/2012 1:24 PM, Blair Trosper wrote:

However, I still scratch my head on why most major US ISPs *have* robust
IPv6 peering and infrastructure and are ready to go, but they have not
turned it on for their fiber/cable/DSL customers for reasons that are not
clear to me.

I keep pestering my home ISP about turning it on (since their network is
now 100% DOCSIS 3), but they just seem to think I'm making up words.  One
can hope, though.


This has partially been a vendor issue, at least for cable providers.
Two of the major CMTS vendors (one starts with C, the other A) have had
IPv6 related bugs in fairly recent code releases.  Both of the MSOs
I've worked for have had to delay IPv6 deployment while those vendors
get their waterfowl properly aligned.  I know we're still waiting for
one vendor to get it straightened out.


J



Re: carping about CARP

2012-12-02 Thread Jay

On 12/2/2012 5:28 PM, Adrian Farrel wrote:

Far be it from me to get involved in a private pissing match, but...

Owen wrote:


Perhaps we should ask IETF/IANA to allocate a group of protocol numbers
to "the wild west". A protocol-number equivalent of RFC-1918 or private ASNs.
You can use these for whatever you want, but so can anyone else and if you
do, you do so at your own risk.

This won't entirely solve the problem, but at least it would provide some
level of shield for protocol numbers that are registered to particular
purposes through the IETF/IANA process.


Would that be 253 and 254 "Use for experimentation and testing" per RFC 3692?

Of course, no-one likes to see their pet protocol designated as an experiment
(unless they really believe it is something that should be carefully researched
and tried out in a controlled environment), but the garden-walling that you
describe seems to fit exactly within the 3692 definitions.

Adrian





RFC 3692, section 1.1:

"Values reserved for experimental use are never to be made permanent; 
permanent assignments should be obtained through standard processes.  As 
described above, experimental numbers are intended for experimentation 
and testing and are not intended for wide or general deployments.


When protocols that use experimental numbers are included in products, 
the shipping versions of the products must disable recognition of 
protocol experimental numbers by default -- that is, the end user of the 
product must explicitly "turn on" the experimental protocol 
functionality.  In most cases, a product implementation must require the 
end user to configure the value explicitly prior to enabling its usage. 
 Should a product not have a user interface for such end user 
configuration, the product must require explicit re-programming (e.g., a 
special firmware download, or installation of a feature card) to 
configure the experimental number(s) of the protocol(s) implicitly."



Of course the use of 'must' or 'must not' in an RFC never stopped anyone 
from doing the exact opposite.


Jay



Re: shameful-cabling gallery of infamy - does anybody know where it went?

2007-09-09 Thread Jay Hennigan


Vinny Abello wrote:

One of the stranger things a field tech of ours encountered wasn't necessarily bad wiring (although it's not great), but the fact that the demarc was located next to the toilet in the bathroom. Naturally, the constant humidity caused bad corrosion problems and other issues with their telco services. :) So as a general rule of thumb, avoid putting your telco and/or network gear next to the crapper or the services the equipment is meant to provide might also stink. 


http://users.tellurian.com/vabello/bathroom-demarc.jpg


On the plus side, they didn't have to go far for a ground.

--
Jay Hennigan - CCIE #7880 - Network Engineering - [EMAIL PROTECTED]
Impulse Internet Service  -  http://www.impulse.net/
Your local telephone and internet company - 805 884-6323 - WB6RDV


Re: Microsoft's Black Tuesday bandwidth impact?

2008-01-09 Thread Jay Hennigan


Frank Bulk wrote:

Every month I look at my upstream bandwidth graphs and I see no blip in the
hours before 3 am on Microsoft's Black Tuesday.  I would think that with the
thousands of PCs out on our network downloading updates around that time
that I would see *something*.  I know every Black Tuesday I see my three
PC's blinking a logon screen.

Are MSFT's monthly updates really a non-event in regards to internet
bandwidth?


Do you have Akamai servers locally on-net?

--
Jay Hennigan - CCIE #7880 - Network Engineering - [EMAIL PROTECTED]
Impulse Internet Service  -  http://www.impulse.net/
Your local telephone and internet company - 805 884-6323 - WB6RDV


Re: Level3/GTEI well-known DNS down?

2008-01-19 Thread Jay Hennigan


Joe Provo wrote:


Open resolvers are seriously abused by botnets and related baddies.
Perhaps you might need to run a set of resolvers, or get your service
provider[s] to give you something similar to well-tuned anycasted
resolvers.


Rumor from a previous discussion of these "well known" resolvers was 
that they were deliberately encouraging their use by non-customers, 
data-mining the lookups for marketing purposes, and selling the 
statistical results.


--
Jay Hennigan - CCIE #7880 - Network Engineering - [EMAIL PROTECTED]
Impulse Internet Service  -  http://www.impulse.net/
Your local telephone and internet company - 805 884-6323 - WB6RDV


Re: [NANOG] would ip6 help us safeing energy ?

2008-04-26 Thread Jay Hennigan
John Levine wrote:

> I'm wondering how much content is used TiVo style, not in real time,
> but fairly soon thereafter.  It might make sense to multicast feeds to
> local caches so when people actually want stuff, it doesn't come all
> the way across the net.

I think the good folks at Akamai may have already thought of this. :-)

--
Jay Hennigan - CCIE #7880 - Network Engineering - [EMAIL PROTECTED]
Impulse Internet Service  -  http://www.impulse.net/
Your local telephone and internet company - 805 884-6323 - WB6RDV

___
NANOG mailing list
NANOG@nanog.org
http://mailman.nanog.org/mailman/listinfo/nanog


Re: [NANOG] Tired of ...

2008-05-15 Thread Jay Hennigan
Someone via nanog@nanog.org spammed:
> Tired of
[snip]

Can anyone suggest a faster way to get yourself blackholed than to spam 
this list?

--
Jay Hennigan - CCIE #7880 - Network Engineering - [EMAIL PROTECTED]
Impulse Internet Service  -  http://www.impulse.net/
Your local telephone and internet company - 805 884-6323 - WB6RDV



Re: FCCs RFC for the Definition of Broadband

2009-08-28 Thread Jay Hennigan

William Herrin wrote:


You would suggest treating the Ethernet and POTS ports the same for
power backup purposes until the ethernet port drops its carrier for 60
seconds or so? Maybe do the same for the POTs ports wrt detecting
whether any phones are attached? Nah, that would make far too much
sense; there must be something fatally wrong with the idea.


Detecting whether an idle phone is attached to a POTS port isn't exactly 
trivial.  This is more true now with modern phones that don't have 
mechanical ringers.


Keeping the ethernet port up on battery if there is link makes sense. 
For that matter a "Wake-on-LAN" style polling to power it for a second 
every 30 to detect carrier would be even better.


--
Jay Hennigan - CCIE #7880 - Network Engineering - j...@impulse.net
Impulse Internet Service  -  http://www.impulse.net/
Your local telephone and internet company - 805 884-6323 - WB6RDV



Re: Issues with Gmail

2009-09-02 Thread Jay Farrell
There's a post-mortem on the gmail blog:

http://gmailblog.blogspot.com/2009/09/more-on-todays-gmail-issue.html


nanog@nanog.org

2009-09-03 Thread Jay Hennigan

Brian Raaen wrote:

I appreciate the offline replies.  After doing some more research myself
the issue appears to be related to the fact that AT&T is announcing the
block directly.  I did show "ip bgp 72.14.76.0" in a couple routers and
some showed the route originating in 701 (they were able to reach it)
and others showed it originating in 7018 (and they could not reach it).

Here is my question, since I am an ARIN admin contact for the IP block
how is the best way to get AT&T to quit announcing the block.


If they absolutely refuse to talk to you, have someone who is an AT&T 
customer open a ticket with them about being unable to reach your network.


I would suspect that the discussion here may get their attention.

--
Jay Hennigan - CCIE #7880 - Network Engineering - j...@impulse.net
Impulse Internet Service  -  http://www.impulse.net/
Your local telephone and internet company - 805 884-6323 - WB6RDV



Re: Repeated Blacklisting / IP reputation

2009-09-08 Thread Jay Hennigan

John Curran wrote:

Folks -

   It appears that we have a real operational problem, in that ARIN
   does indeed reissue space that has been reclaimed/returned after
   a hold-down period, but it appears that even once they are
   removed from the actual source RBL's, there are still ISP's who
   are manually updating these and hence block traffic much longer
   than necessary.

   I'm sure there's an excellent reason why these addresses stay
   blocked, but am unable to fathom what exactly that is...
   Could some folks from the appropriate networks explain why
   this is such a problem and/or suggest additional steps that
   ARIN or the receipts should be taking to avoid this situation?


I don't think there is an excellent reason, more likely inertia and no 
real incentive to put forth the effort to proactively remove addresses.


Many ISPs and organizations have their own private blocklists not 
associated with the widely known DNSBLs.  Typically during or 
immediately after a spam run the mail administrator will manually add 
offending addresses or netblocks.  Spamtrap hits may do this 
automatically.  There isn't any real incentive for people to go back and 
remove addresses unless they're notified by their own customers that 
legitimate mail coming from those addresses is being blocked.  Because 
these blocklists are individually maintained, there is no central 
registry or means to "clean them up" when an IP assignment changes.


To make matters worse, some organizations may simply ACL the IP space so 
that the TCP connection is never made in the first place (bad, looks 
like a network problem rather than deliberate filtering), some may drop 
it during SMTP with no clear indication as to the reason (less bad, as 
there is at least a hint that it could be filtering), and some may 
actually accept the mail and then silently discard it (worst).


In addition there are several DNSBLs with different policies regarding 
delisting.  Some just time out after a period of time since abuse was 
detected.  Some require action in the form of a delisting request.  Some 
require a delisting request and a time period with no abuse.  Some (the 
old SPEWS list) may not be easily reached or have well defined policies.


In meatspace, once a neighborhood winds up with a reputation of being 
rife with drive-by shootings, gang activity and drug dealing it may take 
a long time after the last of the graffiti is gone before some cab 
drivers will go there.


--
Jay Hennigan - CCIE #7880 - Network Engineering - j...@impulse.net
Impulse Internet Service  -  http://www.impulse.net/
Your local telephone and internet company - 805 884-6323 - WB6RDV



Re: Repeated Blacklisting / IP reputation

2009-09-08 Thread Jay Hennigan

Seth Mattinen wrote:


I was always under the impression that smaller orgs were not allowed to
join the MAAWG club.


They're allowed.  At $4k/year minimum, up to $25K/year.

By the way, among the members...

Experian CheetahMail
ExactTarget, Inc
Responsys, Inc.
Vertical Response, Inc
Yesmail



--
Jay Hennigan - CCIE #7880 - Network Engineering - j...@impulse.net
Impulse Internet Service  -  http://www.impulse.net/
Your local telephone and internet company - 805 884-6323 - WB6RDV



Re: Repeated Blacklisting / IP reputation

2009-09-08 Thread Jay Hennigan

bmann...@vacation.karoshi.com wrote:

 sounds like domain tasting to me.


Oops!  Oh yeah.  Spammer gets an allocation...

"Well, if that netblock was clean before, it sure isn't now!  May I 
please have another?"


Lather, rinse, repeat.

--
Jay Hennigan - CCIE #7880 - Network Engineering - j...@impulse.net
Impulse Internet Service  -  http://www.impulse.net/
Your local telephone and internet company - 805 884-6323 - WB6RDV



Re: Repeated Blacklisting / IP reputation

2009-09-09 Thread Jay Hennigan

JC Dill wrote:

Joe Greco wrote:



 Answer queries to whether or not
IP space X is currently blocked (potentially at one of hundreds or
thousands of points in their system, which corporate security may not
wish to share, or even give "some random intern" access to)?  Process
reports of new ARIN delegations?  What are you thinking they're going to
do?  And why should they care enough to do it?
  


Because if they don't, they are needlessly blocking re-allocated IP 
addresses, potentially blocking their own users from receiving wanted 
email.  Organizations could (and should) setup a role account and 
auto-responder for this purpose.


Perhaps they should, but until there is sufficient pain from their own 
users complaining about it there is no financial motivation to do so, 
and therefore many will not.  I would guess that there are thousands of 
individual blocklists to this day blocking some of Sanford Wallace's and 
AGIS's old netblocks.


As for a role account, there is "postmaster".  I would think that the 
best hope in the real world, rather than an autoresponder would be an 
RFC that clearly defines text accompanying an SMTP rejection notice 
triggered by a blocklist, detailing the blocklist and contact for 
removal.  Perhaps encouraging those who code MTAs and DNSBL hooks into 
them to include such in the configuration files would be a good start.


This still puts the onus on the sender or inheritor of the tainted 
netblock, but makes the search less painful and perhaps even somewhat 
able to be scripted.


Note that this thread deals mostly with SMTP issues regarding DNSBLs, as 
those are the most common trouble point.  We should also consider other 
forms of blocking/filtering of networks reclaimed from former 
virus/malware/DoS sources.


--
Jay Hennigan - CCIE #7880 - Network Engineering - j...@impulse.net
Impulse Internet Service  -  http://www.impulse.net/
Your local telephone and internet company - 805 884-6323 - WB6RDV



Re: Multi-homed implementation and BGP convergence time

2009-09-11 Thread Jay Hennigan

andrew.clayba...@securian.com wrote:

Hello - my company currently has two connections with a single tier 1 ISP.
We are using the AS from our ISP at this time.  In the next month we will
be implementing a third connection with a second tier 1 ISP, so we will now
be using our own AS number on all three routers.  My question is when we
implement the new connection and update our existing connections to use our
own AS number, how much downtime will there be?  So far the second ISP has
only said that it could be hours for BGP to fully converge.  We are looking
for more detail about how long the outage will be and how widespread.


It should not take several hours.  Typically less than 15 minutes.

I would suggest that you first ensure that your networks and ASN are in 
the routing registries.  Then schedule a downtime with your present ISP 
and begin advertising using your ASN.


If you're not presently speaking BGP with your existing ISP, set that up 
first advertising your network(s) with your own ASN.



Will it be relatively short to our customers that are on one of the ISPs we
are directly connected to?  Is downtime less for customers on other tier 1
ISPs versus tier 2, etc. ISPs?


There may be a short downtime when you switch to originating from your 
own ASN.  With sufficient clue on your part and that of your current 
ISP, and assuming that either of the two connections can handle all of 
your traffic, you may be able to eliminate most or all of it.  Adding 
the second ISP won't result in significant downtime especially if you're 
just taking default routes and your routers don't need to build large 
BGP tables.


"Tier 1", "tier 2" etc. are terms used primarily by salespeople, and 
don't have a lot to do with technical matters.



We will only be receiving a default route on each of the three connections.
Our routers will be advertising a small number of routes - 6 to 8.


--
Jay Hennigan - CCIE #7880 - Network Engineering - j...@impulse.net
Impulse Internet Service  -  http://www.impulse.net/
Your local telephone and internet company - 805 884-6323 - WB6RDV



Re: Google Pagerank and "Class-C Addresses"

2009-09-22 Thread Jay Nakamura
On a similar issue, I have a debate going on in my company about SEO
and links coming from IP blocks allocated from different upstream
providers will improve page ranks.  (So, if I have block A from
provider 1 and block B from provider 2, web sites linking each other
on block A & B, the rank will go up)  Not just different /24, /24s
reassigned from different upstream.

I can't find anything to prove or dis-prove this theory.  Anyone have
a link or info on this issue/myth?

I shared this discussion thread and was told it's only discussing
different /24, not /24 allocated to different providers.

As far as I am concerned, if Google used ARIN swip record or routing
entry, it's going to identify us as the end provider so I can't see
how who gave us the IP would matter.


On Mon, Sep 21, 2009 at 12:18 PM, Sebastian Wiesinger
 wrote:
> Hello Nanog,
>
> I'm looking into a weird request which more and more customers have.
> They want "different Class C addresses", by which they mean IPs in
> different /24 subnets.
>
> The apparent reason for this is that Google will rank links from
> different /24 higher than links from the same /24. So it's a SEO
> thingy.
>
> I googled a bit and found pages after pages of FUD and such great
> things as the "Class C Checker":  "This free Class C Checker tool
> allows you to check if some sites are hosted on the same Class C IP
> Range."
>
> My question is: Is there any proof that Google does differentiate
> between /24s, or even better is there any proof that this isn't the
> case? I will not give a customer space from different address blocks
> just because he read it in a SEO magazine.
>
> Perhaps someone from Google itself can answer this question?
>
> Also how do you handle such requests? I expect I'm not the only one
> who gets them.
>
> Regards,
>
> Sebastian
>
> --
> New GPG Key: 0x93A0B9CE (F4F6 B1A3 866B 26E9 450A  9D82 58A2 D94A 93A0 B9CE)
> Old GPG Key-ID: 0x76B79F20 (0x1B6034F476B79F20)
> 'Are you Death?' ... IT'S THE SCYTHE, ISN'T IT? PEOPLE ALWAYS NOTICE THE 
> SCYTHE.
>            -- Terry Pratchett, The Fifth Elephant
>
>



Re: SAS70 Type II compliant colo providers - Chicago, IL

2009-09-22 Thread Jay Farrell
Yes, but with PCI compliance the powers that be (credit card
companies) can actually fine you big bucks for being non-compliant.

http://www.google.com/search?hl=en&source=hp&q=pci+compliance+fines&aq=f&oq=&aqi=g1g-m1

http://www.pcicomplianceguide.org/pcifaqs.php#11

Cheers,
Jayfar

On Tue, Sep 22, 2009 at 8:17 PM, Jeffrey Lyon
 wrote:
> People buy SAS 70 compliant anything just because it's the latest
> buzzword, kind of like PCI compliance.
>
> Jeff
>
> On Tue, Sep 22, 2009 at 7:52 PM, John Curran  wrote:
>> On Sep 22, 2009, at 11:54 AM, Andy Ashley wrote:
>>>
>>> Hi,
>>>
>>> I would really appreciate any recommendations for SAS70 Type II compliant
>>> colocation providers in Chicago, IL
>>
>> Andy -
>>
>>   As an FYI, SAS 70 Type II compliance means whatever that provider's "SAS
>> 70 Type II" audit document states for controls, i.e. there is no specific
>> requirements associated with SAS 70 Type II, only that you publish a
>> documented set of management and security controls and then are audited for
>> compliance against that list.  That may not be realized by the folks who've
>> sent you to go get SAS 70 Type II compliant hosting, but is something that
>> you probably want to keep in mind since little items like generators and
>> door locks aren't necessarily included.
>>
>> /John
>>
>>
>>
>
>
>
> --
> Jeffrey Lyon, Leadership Team
> jeffrey.l...@blacklotus.net | http://www.blacklotus.net
> Black Lotus Communications of The IRC Company, Inc.
>
> Platinum sponsor of HostingCon 2010. Come to Austin, TX on July 19 -
> 21 to find out how to "protect your booty."
>
>



Alcatel-Lucent VPN Firewall Brick

2009-10-26 Thread Jay Nakamura
Hello all,

Looking for input on Alcatel-Lucent VPN Firewall Brick.  I can look up
spec and other published information but, as always, the devil is in
the detail and you just never know what wall you run into until you
actually try it so I wanted to see if anyone has used this and can
point out good/bad things about this device.

Our other option is Cisco IOS router right now.  Are there better
options than these two?

If there is a better forum to post this question, my apologies.
Please direct me to the right place. :)

Our goal :

We want to provide managed firewall/VPN for Colo/DIA customers.

Our specific requirements are
- Able to provide VRF/virtual router per customer since address range
can overlap between customers.
- Able to do client based VPN to the inside network.  It could be
IPSec or SSL.  It has to support Vista/Win7-x64
- Able to do site to site VPN with various devices.(Cisco,
- Can rate limit traffic in and out.
- Control NAT per customer instance.
- Stateful firewall per customer instance.
- Good logging


Thanks!



Re: dealing with bogon spam ?

2009-10-27 Thread Jay Hennigan

Leslie wrote:
> First off, I'm not certain if unallocated space in blocks less than a /8
> is properly called bogon, so pardon my terminology if I'm incorrect.

Bogon is probably the correct term for any IP space that doesn't belong 
on the public Internet because it is reserved, unallocated, etc.

> We're seeing a decent chunk of spam coming from an unallocated block of
> address space.  We use CYMRU's great list of /8 bogon space to prevent
> completely off the wall abuse, but the granularity stops at /8's.
> Obviously, I've written the originating AS and its single upstream
> provider (sadly without any response).  I'm not looking for a one time
> solution for this issue however -- I'd like to permanently block (and
> kick) anyone who's using unallocated space illegitimately.

Not too permanently, though.  That space is likely to become allocated, 
and the new legitimate user thereof shouldn't have to beg thousands of 
networks to unblock it.

> so
> How have you dealt with this issue? Does anyone publish a more granular
> listing of unallocated space? Does arin have this information somewhere
> other than just probing any given ip via whois?


I'm not specifically aware of a more granular listing.  It would have to 
be dynamic as new allocations occur all the time.  The RIRs (ARIN, RIPE, 
APNIC, etc.) are the authoritative source for the space allocated to 
them, but I don't know if they have a real-time bogon list available.


In addition to the published list, Team Cymru has a BGP feed and other 
resources, but I don't know how granular it is with respect to 
unallocated space.  See here:


http://www.team-cymru.org/Services/Bogons/

--
Jay Hennigan - CCIE #7880 - Network Engineering - j...@impulse.net
Impulse Internet Service  -  http://www.impulse.net/
Your local telephone and internet company - 805 884-6323 - WB6RDV



Re: EdgeWater EdgeMarc 4610W

2009-10-29 Thread Jay Nakamura
I am scatter brained at the moment so I will kind of babble along some
bullet points.

We have been using Edgemarcs for a while and we love it for hosted
VoIP situation.   Their strength is VoIP.

Being able to failover SIP servers and Internet access connection is great.

You can configure it so you can still make internal calls when the SIP
server is unavailable or your internet connection is down.

I have not used the wireless model so I don't know much about that part.

We had some problem with some VPN to Cisco when you have more than one
subnet that needed to tunnel through.

The annoying part is when you change anything on the device, it will
say voice traffic may get interrupted.  I have not gotten around to
testing what kind of effect it has on voice when you change simple
configuration.  But it kind of gets old when you get the message when
you are changing the DHCP server setting and you know it has nothing
to do with passing VoIP packets along.

Their support is pretty good.

This thing is basically a linux box with Asterisk and Swan rolled into one.

Sometimes if you need to do things that can't be done from the GUI,
you can get around it by using some basic Linux/Asterisk CLI/config
files.  But that can get ugly fast.

If you have VoIP, it's great!  If not, I usually stick with a Cisco ISR.



On Thu, Oct 29, 2009 at 6:44 PM, Jaimie Livingston
 wrote:
> Has anyone had any recent direct experience with the EdgeWater EdgeMarc 4610W 
> multi-service appliance used as a CPE device?
> I was recently handed a sales sheet on this swiss-army knife appliance, but 
> there doesn't seem to be much publicly available review of the beastie at 
> the moment. If it is as advertised, it would be a very handy device as a CPE 
> option...
>
> Thanks,
>
> Jaimie L.
>



Re: New Class C's just lit on on AT&T, spamming

2009-11-03 Thread Jay Hennigan

Jon Lewis wrote:

On Tue, 3 Nov 2009, Michael Peddemors wrote:


A new block under AT&T, listed as being owned by:

The Karcher Group Inc. ATTIS-9951800 (NET-99-51-80-0-1) 99.51.80.0 -
99.51.81.255

Just started an email marketing campaign to addresses stripped from 
the web..


There's a far more succinct term for "email marketing campaign"...


We wouldn't run out of IP's if this didn't keep happening..


I don't see how this relates to IPv4-runout.  The allocation (to AT&T) 
isn't all that new...and when they cancel this spammer, the space will 
undoubtedly be assigned to another customer.


And that other customer will find that it's poisoned space and will need 
to look for another subnet.


--
Jay Hennigan - CCIE #7880 - Network Engineering - j...@impulse.net
Impulse Internet Service  -  http://www.impulse.net/
Your local telephone and internet company - 805 884-6323 - WB6RDV



Re: Transit from Cogent - thoughts?

2009-11-11 Thread Jay Moran
Adel,

Perhaps the best way for you to get an answer to your question without the
entire list erupting for no good reason is to click on the following link
which will show all messages from the NANOG mailing list about Cogent. Then
you can make your decision based on past conversations as opposed to adding
more messages to that archive on the topic.

BTW, if you don't want to click on the link I've pasted because you are
careful and prudent, just go to the nanog.markmail.org website and search
for "Cogent".

http://nanog.markmail.org/search/?q=cogent

Good luck!

Jay


On Wed, Nov 11, 2009 at 10:04 AM,  wrote:

>
>
>  Contemplating using Cogent Communications for transit as pricing looks
> favourable.  Just trying to get a feel for what sort of a reputation they
> have in the network operators community.  I'm sure people have horror
> stories for every provider, but just trying to get a general idea of what
> sort of regard they are held in the community.
>
> Thanks
>
> Adel
>
>


Re: Resilience - How many BGP providers

2009-11-11 Thread Jay Hennigan

Dylan Ebner wrote:

IF you only have one entrance, all you connections are going to run through 
that conduit, and that makes you susceptable to a rouge backhoe.


Not just the rouge ones.  The big yellow ones are far more common and 
can do just as much damage.


--
Jay Hennigan - CCIE #7880 - Network Engineering - j...@impulse.net
Impulse Internet Service  -  http://www.impulse.net/
Your local telephone and internet company - 805 884-6323 - WB6RDV



Password repository

2009-11-18 Thread Jay Nakamura
Quick question, does anyone have software/combination of tools they
recommend to centrally store various passwords securely?

Thanks.



Re: Password repository

2009-11-19 Thread Jay Nakamura
All,

I wasn't expecting the number of suggestions I got!  Thanks all.

It looks like keepass is the popular choice by many.  We are looking into that.

And those that suggested RADIUS, yes, I am moving towards that
direction for what can be moved to the RADIUS direction.  However, we
also manage so many customers' equipment/web site
contents/application/networks as well that we can't use RADIUS in
those instances.

Again, I appreciate having this list to get ideas on various issues I
face everyday.

On Wed, Nov 18, 2009 at 10:56 PM, Jay Nakamura  wrote:
> Quick question, does anyone have software/combination of tools they
> recommend to centrally store various passwords securely?
>
> Thanks.
>



Re: DNS query analyzer

2009-11-30 Thread Jay Hennigan

Stefan Fouant wrote:

-Original Message-
From: Raymond Dijkxhoorn [mailto:raym...@prolocation.net]

I don't think it's being actively maintained at the moment but you should be
able to find it on the NLnet Labs site -
http://www.nlnetlabs.nl/projects/dns-analyzer/

I very recently asked the maintainers of that package if it's still under
development but I heard it was unfortunately dropped.


It would be nice if we could convince them to release the source code into
the public domain.  I'm sure there are a few people who would find it highly
useful and would work on it to add to its utility.


The source (versions 0.2.0 and 0.3.0) is available at the above URL and 
there is a GPL license in the tarball.


--
Jay Hennigan - CCIE #7880 - Network Engineering - j...@impulse.net
Impulse Internet Service  -  http://www.impulse.net/
Your local telephone and internet company - 805 884-6323 - WB6RDV



RE: DNS question, null MX records

2009-12-18 Thread Jay Mitchell
I concur, in fact I see them come in at precisely the wrong order, lowest
preference first in the hopes that we're not running spam filtering on those
particular hosts.

I have found that putting a bogus mx record at lowest preference slows stuff
down though.

One of my services is for a company with about 150 mboxes, and I receive no
less than 1.5mill spam emails a month for it.

-Original Message-
From: Paul Vixie [mailto:vi...@isc.org] 
Sent: Thursday, 17 December 2009 11:48 AM
To: na...@merit.edu
Subject: Re: DNS question, null MX records

Douglas Otis  writes:

> If MX TEST-NET became common, legitimate email handlers unable to
> validate messages prior to acceptance might find their server
> resource constrained when bouncing a large amount of spam as well.

none of this will block spam.  spammers do not follow RFC 974 today
(since i see a lot of them come to my A RR rather than an MX RR, or
in the wrong order).  any well known pattern that says "don't try
to deliver e-mail here" will only be honoured by friend people who
don't want us to get e-mail we don't want to get.
-- 
Paul Vixie
KI6YSY





Re: news from Google

2009-12-22 Thread Jay Ess

Jorge Amodio wrote:

Another one from the "Evil Doer"

http://www.google.com/advertising/holiday2009/

Wish the guys from Redmond and others copy this action too ...
  

http://en.wikipedia.org/wiki/Bill_&_Melinda_Gates_Foundation



Re: news from Google

2009-12-22 Thread Jay Ess

William Hamilton wrote:

Jay Ess wrote:

http://en.wikipedia.org/wiki/Bill_&_Melinda_Gates_Foundation

Whilst it may have been established by one of the Microsoft founders, 
what does that have to do with Microsoft's corporate charitable giving?

I would guess that the money originally comes from the profits of MS so 
I think it's related. But you are right that it does not come directly 
from MS.




Re: I don't need no stinking firewall!

2010-01-05 Thread Jay Hennigan

Simon Lockhart wrote:


> Generally, I just use stateless ACLs when I need additional network level
> security. However, they do have one big disadvantage. Say you've got a server
> where you want to allow outbound HTTP access to anywhere on the Internet, but
> only SSH inbound from your home DSL. To do this, you'd build an inbound ACL
> which looks something like:
>
>   - Allow from home DSL IP to server port 22
>   - Allow from anywhere port 80 to server

Change the above to:
- Allow from anywhere port 80 to server port > 1023

Or better:
- Allow from anywhere port 80 to server port > 1023 established

>   - Deny all other traffic.
>
> You need the port 80 rule to allow the return traffic from all those outbound
> connections.

Those outbound connections will originate from a random high port, so 
just allow those as destination ports on your inbound rule.

> However, an enterprising hacker realises that he can create a TCP connection
> from port 80 on his own box to port 22 on your server.

Not with the above rules.

--
Jay Hennigan - CCIE #7880 - Network Engineering - j...@impulse.net
Impulse Internet Service  -  http://www.impulse.net/
Your local telephone and internet company - 805 884-6323 - WB6RDV



Re: I don't need no stinking firewall!

2010-01-05 Thread Jay Hennigan

Jason Shearer wrote:

> Doesn't using the established allow any packet with ACK/RST set

Yes, as would be expected for legitimate return traffic for a TCP 
connection initiated from a browser inside the firewall.

> and wouldn't you have to allow all high ports?


That's what the ">" is for.  Cisco syntax "gt" (greater than).

The point is that either of these will deny unsolicited new connection 
attempts from the outside to TCP 22 (and 445, 135, etc.)


--
Jay Hennigan - CCIE #7880 - Network Engineering - j...@impulse.net
Impulse Internet Service  -  http://www.impulse.net/
Your local telephone and internet company - 805 884-6323 - WB6RDV



Re: I don't need no stinking firewall!

2010-01-07 Thread Jay Hennigan

Nenad Andric wrote:

> On Tue Jan 05, 2010 at 01:04:01PM -0800, Jay Hennigan  wrote:
>
>> Or better:
>> - Allow from anywhere port 80 to server port > 1023 established
>
> Adding "established" brings us back to stateful firewall!


Not really.  It only looks to see if the ACK or RST bits are set.  This 
is different from a stateful firewall which memorizes each outbound 
packet and checks the return for a match source/destination/sequence.


--
Jay Hennigan - CCIE #7880 - Network Engineering - j...@impulse.net
Impulse Internet Service  -  http://www.impulse.net/
Your local telephone and internet company - 805 884-6323 - WB6RDV
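
Added example, not part of the original thread or any poster's code: a small Python model of the three inbound ACL variants discussed in the messages above, plus a simplified stateful filter, evaluated over constructed packets. The addresses, port numbers and the Packet/Rule/StatefulFilter names are assumptions made for the illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample addresses (RFC 5737 documentation ranges).
SERVER = "192.0.2.10"
HOME_DSL = "198.51.100.7"
WEB_SITE = "203.0.113.5"    # a site the server has opened a connection to
STRANGER = "203.0.113.66"   # a host the server never contacted


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset            # subset of {"SYN", "ACK", "RST"}


@dataclass(frozen=True)
class Rule:
    action: str                     # "permit" or "deny"
    src: Optional[str] = None       # None means "any"
    sport: Optional[int] = None
    dport: Optional[int] = None
    dport_gt: Optional[int] = None  # the "> 1023" test (Cisco "gt")
    established: bool = False       # match only if ACK or RST is set

    def matches(self, p: Packet) -> bool:
        if self.src is not None and p.src != self.src:
            return False
        if self.sport is not None and p.sport != self.sport:
            return False
        if self.dport is not None and p.dport != self.dport:
            return False
        if self.dport_gt is not None and p.dport <= self.dport_gt:
            return False
        if self.established and not (p.flags & {"ACK", "RST"}):
            return False
        return True


def evaluate(acl, p: Packet) -> str:
    """Stateless evaluation: first matching rule wins, otherwise deny."""
    for rule in acl:
        if rule.matches(p):
            return rule.action
    return "deny"


SSH_HOME = Rule("permit", src=HOME_DSL, dport=22)
DENY_ALL = Rule("deny")
ACL_ORIGINAL = [SSH_HOME, Rule("permit", sport=80), DENY_ALL]
ACL_HIGH_PORTS = [SSH_HOME, Rule("permit", sport=80, dport_gt=1023), DENY_ALL]
ACL_ESTABLISHED = [SSH_HOME,
                   Rule("permit", sport=80, dport_gt=1023, established=True),
                   DENY_ALL]


class StatefulFilter:
    """Simplified stateful model: remembers outbound flows by 4-tuple only
    (a real one also tracks sequence numbers and connection teardown)."""

    def __init__(self):
        self.flows = set()

    def outbound(self, p: Packet) -> None:
        # Record the tuple the return traffic is expected to carry.
        self.flows.add((p.dst, p.dport, p.src, p.sport))

    def inbound(self, p: Packet) -> str:
        if (p.src, p.sport, p.dst, p.dport) in self.flows:
            return "permit"
        return evaluate([SSH_HOME, DENY_ALL], p)


def pkt(src, sport, dport, *flags) -> Packet:
    return Packet(src, sport, SERVER, dport, frozenset(flags))


# Constructed inbound packets, one per case raised in the thread.
SAMPLES = {
    "ssh from home DSL": pkt(HOME_DSL, 40000, 22, "SYN"),
    "reply to outbound HTTP": pkt(WEB_SITE, 80, 51000, "SYN", "ACK"),
    "new conn, sport 80 to port 22": pkt(STRANGER, 80, 22, "SYN"),
    "new conn, sport 80 to port 8080": pkt(STRANGER, 80, 8080, "SYN"),
    "unsolicited ACK, sport 80 to port 8080": pkt(STRANGER, 80, 8080, "ACK"),
}


def compare():
    """Verdicts per packet: (original, '> 1023', 'established', stateful)."""
    fw = StatefulFilter()
    fw.outbound(Packet(SERVER, 51000, WEB_SITE, 80, frozenset({"SYN"})))
    return {name: (evaluate(ACL_ORIGINAL, p), evaluate(ACL_HIGH_PORTS, p),
                   evaluate(ACL_ESTABLISHED, p), fw.inbound(p))
            for name, p in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdicts in compare().items():
        print(f"{name:40s}", *verdicts)
```

The last two rows show where the variants part ways: "> 1023" alone still admits a new connection to a high port, and "established" admits any segment with ACK or RST set whether or not the server opened that flow, which only the stateful model rejects.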



Re: Using /31 for router links

2010-01-22 Thread Jay Nugent
Greetings,

On Fri, 22 Jan 2010, Seth Mattinen wrote:

> In the past I've always used /30's for PTP connection subnets out of old 
> habit (i.e. Ethernet that won't take unnumbered) but now I'm considering 
> switching to /31's in order to stretch my IPv4 space further. Has anyone 
> else done this? Good? Bad? Based on the bit of testing I've done this 
> shouldn't be a problem since it's only between routers.

   Yes, this *IS* done *ALL* the time.  P-t-P means that there are ONLY
two devices on the wire - hence point to point.  It ONLY uses two IP
addresses (one on each end) and there is no reason or need to ARP on this
wire.  So no need for a broadcast or network addresses - it is just the
two end points.

  --- Jay Nugent
  Nugent Telecommunications

Train how you will Operate, and you will Operate how you were Trained.
+----+
| Jay Nugent   j...@nuge.com(734)484-5105(734)649-0850/Cell   |
|   Nugent Telecommunications  [www.nuge.com]|
|   Internet Consulting/Linux SysAdmin/Engineering & Design/ISP Reseller |
| ISP Monitoring [www.ispmonitor.org] ISP & Modem Performance Monitoring |
| Web-Pegasus[www.webpegasus.com] Web Hosting/DNS Hosting/Shell Accts|
++
  7:01pm  up 43 days, 18:42,  3 users,  load average: 1.10, 0.96, 0.63




Re: Connectivity problems to google via openDNS

2010-02-09 Thread Jay Hennigan

Mark wrote:

Hello nanog,

Just wondering if anyone is experiencing the same problem with google 
and openDNS on their end or knows what's going on there with openDNS. 
The problem just occurred about 20 minutes ago.


Don't do that then.

OpenDNS is a form of censorware and almost certainly hijacking queries 
to Google (and numerous other sites), redirecting to its own servers.



--
Jay Hennigan - CCIE #7880 - Network Engineering - j...@impulse.net
Impulse Internet Service  -  http://www.impulse.net/
Your local telephone and internet company - 805 884-6323 - WB6RDV



Re: black listing of web traffic

2010-02-09 Thread Jay Hennigan

Andrey Gordon wrote:

Can't find my IP on any of the black lists. Don't have any proxies. Sites
that behave poorly are consistent. That is to say that facebook.com,
apple.com would always come up without an issue, but cnn.com,
forever21.com (i know, don't ask, students),
store.apple.com would consistently take forever to come up.

Just wanted to check if rate-limiting web clients is a common practice
nowadays in the industry. If it's not, it's probably an unlikely cause of my
troubles...


It could be that the problem sites have some form of load balancer that 
has an issue keeping state on multiple sessions from the same IP.


You mentioned that changing the source IP fixed it.  Is this a temporary 
fix that breaks after several users access the sites from the new IP?


--
Jay Hennigan - CCIE #7880 - Network Engineering - j...@impulse.net
Impulse Internet Service  -  http://www.impulse.net/
Your local telephone and internet company - 805 884-6323 - WB6RDV



Re: The Internet Revealed - A film about IXPs v2.0: now available

2010-02-10 Thread Jay Ess

Larry Sheldon wrote:

That is definitely the best answer--if you don't like it, do one (at
your expense of time and other resources) that you like better.

  

Zzz.

I think I am probably a member of the target audience, and I thought it
was great (and recommended it to other folk).

I like it for what it was. But I agree with Mike's points.
This video is something I could show my mother when she asks "how the
Internet works" and that's pretty much it.


Amazing how many people there are that can't do it, but can find fault
with those that can and do.

  

So, for example, if i don't like how a car works i must be able to build
a car to be allowed to voice my opinion?





Re: AT&T Mind Boggles...

2010-02-11 Thread Jay Hennigan

Mark Tinka wrote:



AT&T, what gives?




You need the proper perspective on these things.  Rent and watch this 
classic movie from 1967, then you'll understand.


http://www.imdb.com/title/tt0062153/

--
Jay Hennigan - CCIE #7880 - Network Engineering - j...@impulse.net
Impulse Internet Service  -  http://www.impulse.net/
Your local telephone and internet company - 805 884-6323 - WB6RDV



Re: dns interceptors [SEC=UNCLASSIFIED]

2010-02-13 Thread Jay Hennigan



IMPORTANT: This email remains the property of the Australian Defence
Organisation and is subject to the jurisdiction of section 70 of the
CRIMES ACT 1914.  If you have received this email in error, you are
requested to contact the sender and delete the email.


NOTICE:  This communication may contain confidential and/or privileged
information.  If you are not the intended recipient, or believe that you
have received this communication in error you are obligated to kill
yourself and anyone else who may have read it, not necessarily in that
order.  So there.  My disclaimer is scarier than yours.  Nyaah.  You
started this silly nonsense.  Knock it off and I will too, ok?  It's
worthless from a legal standpoint and is responsible for the needless
suffering of billions of innocent electrons.  Nobody reads it anyway.
You're not actually reading this, are you?  I didn't think so.

--
Jay Hennigan - CCIE #7880 - Network Engineering - j...@impulse.net
Impulse Internet Service  -  http://www.impulse.net/
Your local telephone and internet company - 805 884-6323 - WB6RDV



Re: Spamhaus and Barracuda Networks BRBL

2010-02-22 Thread Jay Hennigan
On 2/22/10 11:40 AM, Dave Sparro wrote:

> Actually I can sympathize with Barracuda on this one:
> Bob's Widgets is running their own mail server for their 25 employees.
> They decide they need better spam filters.
> They can hire Bob's nephew to drop in a Linux server running Postfix and
> SpamAssassin.   In this situation it's OK for Little Bobby to configure
> the Spamhaus RBLs for use on this solution.
> They could also hire Barracuda to do essentially the same thing
> (assumption based on source code published at
> http://source.barracuda.com/source/ ).  In this case Bob's Widgets is
> not allowed to use Spamhaus.
> 
> Their list, their rules; but it is indeed strange to me.

Bob is in the widget business, he profits from selling widgets.  He
doesn't profit from the spam-filtering business.  Spamhaus is, out of
sheer niceness to the community, willing to accommodate one-off widget
makers with some freebies.  Thank you, Spamhaus.  We appreciate it.

Barracuda is in the spam-filtering business, they profit directly from
it.  Spamhaus isn't willing to allow a for-profit entity to deploy their
filters on thousands of machines at substantial cost to Spamhaus in
terms of bandwidth and server load without being compensated for it.
This seems reasonable to me.

If Bob's Widgets' nephew syncs Bob's machine to the University of
Wisconsin's NTP server, it isn't a big deal.  When Netgear hard-codes
UoW's NTP server's IP into a gazillion consumer boxes, it is.  That's
the difference.

http://pages.cs.wisc.edu/~plonka/netgear-sntp/

--
Jay Hennigan - CCIE #7880 - Network Engineering - j...@impulse.net
Impulse Internet Service  -  http://www.impulse.net/
Your local telephone and internet company - 805 884-6323 - WB6RDV



Re: Spamcop Blocks Facebook?

2010-03-04 Thread Jay Hennigan
On 2/25/10 10:12 PM, deles...@gmail.com wrote:
> Maybe I'm wrong on this, and I'm not a mailadmin anywhere nor have I been or 
> pretended to have been in the past. But I'm pretty sure FB only sends you 
> mail based on the preferences you choose, and I know this is the answer you 
> were given so mostly a statement. How does that equal spam :)

Facebook, like many similar sites, rather aggressively requests that its
users supply their email credentials so that the site can "invite" their
contacts.  All of them.  Every stinkin' email address they can mine.

If the user/victim falls for this, the social networking site will
scrape every email address it can find in the user/victim's contact list
and "invite" them to join.  These invitations are often forged to appear
as if sent from the user/victim's email address.

Similarly, if anyone on Facebook uses the site to forward content (often
Trojanned), then Facebook now has the address of the forwardee and will
"invite" and then "remind" repeatedly.

So it isn't the Facebook members that Facebook spams (although they
might do that too).  It's the non-member addresses they scrape from
their members.

As it's entire contact lists that get scraped, it's bulk.  As the people
being "invited" and "reminded" didn't ask for it, it's unsolicited.  And
it's obviously email.  Put those together and you get Unsolicited Bulk
Email, AKA spam.  And those sites that send with their user's name as
the sender are even more egregious because they are forging header
information.

Social networking site users are not the site's customers.  They are the
site's product.  This product is sold to advertisers and data-miners.

--
Jay Hennigan - CCIE #7880 - Network Engineering - j...@impulse.net
Impulse Internet Service  -  http://www.impulse.net/
Your local telephone and internet company - 805 884-6323 - WB6RDV



RE: Alaska IXP?

2010-03-04 Thread Jay Hanke
On Mar 4, 2010, at 8:13 AM, Sean Donelan wrote:

> On Wed, 3 Mar 2010, Antonio Querubin wrote:
>> On Wed, 3 Mar 2010, Sean Donelan wrote:
>>
>>> Are there any common locations in Alaska where multiple local ISPs
>>> exchange traffic, either transit or peering?  Or is Seattle the closest
>>> exchange point for Alaska ISPs?
>>
>> peeringdb.com lists only SIX (in Seattle) and PAIX Seattle.
>
> Thanks and also thanks to the other folks that replied privately.  That
> matches basically what I had found, but I wanted to check.
>
> Transit is also ok, I'm doing the usual minimum connections/maximum
> communications in case of (earthquake, volcano, tsunami, etc) math.  Is
> there someplace in Anchorage that buying transit or peering from one or a
> few ISPs is significant enough, or is it going back to Seattle anyway and
> the local ISPs already have done the math.
>
>What I've seen is that in smaller markets (in my previous life), eg:
>Michigan, even when the providers are all in the same facility they
>
>1) Lacked understanding of traffic-patterns to understand peering savings
>2) Lacked ability to interconnect (eg: no switch on-site, no bgp/routing
>capability)
>3) CLEC or other colo provider prohibited #2
>
>This meant traffic would regularly be diverted to Chicago or similar for
>exchange between local ISPs.
>
>The one time I was able to pull off a local facility cross-connect, it was
>difficult to get it at a speed greater than 10megs (this was 1999 or so).
>
>With the dropping metro-ethernet/ftth type equipment that can do 1G for
>"cheap", perhaps a short fiber build for x-connect would help facilitate
>things these days.  (i should model that and post the results).
>- Jared

We've seen the same issues in Minnesota. Locally referred to as the "Chicago
Problem". Adding on to point 3, there is also a lack of neutral facilities
with a sufficient amount of traffic to justify the next carrier connecting.
In rural areas many times the two ISPs that provide services are enemies at
the business level. A couple of us have started to talk about starting an
exchange point. With transit being so cheap it is sometimes difficult to
justify paying for the x-connects for a small piece of the routing table.

Have you considered starting your own exchange point with some of the local
players? Just having the connectivity in place may help with DR situations
in addition to all of the benefits of an exchange point.

I would also be very interested in seeing any modeling on the subject. There
was a document a couple of years ago that was pretty good talking about when
to peer but if memory serves it was more focused on the larger carriers.

Jay





RE: Alaska IXP?

2010-03-04 Thread Jay Hanke

On 3/4/10 8:57 AM, "Jay Hanke"  wrote:

>>
>> We've seen the same issues in Minnesota. Locally referred to as the "Chicago
>> Problem". Adding on to point 3, there is also a lack of neutral facilities
>> with a sufficient amount of traffic to justify the next carrier connecting.
>> In rural areas many times the two ISPs that provide services are enemies at
>> the business level. A couple of us have started to talk about starting an
>> exchange point. With transit being so cheap it is sometimes difficult to
>> justify paying for the x-connects for a small piece of the routing table.
>>
>> Have you considered starting your own exchange point with some of the local
>> players? Just having the connectivity in place may help with DR situations
>> in addition to all of the benefits of an exchange point.
>
>Any interest by other anchor tenants in the area, such as the higher
>education facilities? In Madison, we have MadIX[1], an exchange point hosted
>by the University of Wisconsin-Madison, with a presence in one of the
>neutral carrier hotels in Madison.
>
>That eliminates the carrier to carrier issues you run into in the smaller
>cities, also helps with the "Chicago Problem" which we are very familiar
>with here as well.
>
>[1] http://kb.wisc.edu/ns/page.php?id=6636
>
>Andrew

From the looks of the link it looks like there is a bit of traction at the
MadIX. One of the other interested carriers has talked to the University of
MN and they showed some interest in participating. The trick is getting the
first couple of participants to get to critical mass. Is the MadIX using a
route server or is it strictly layer2?

Thanks,

Jay




Small IXP [was Alaska IXP?]

2010-03-04 Thread Jay Hanke
[snip]

> Does anybody have some numbers they're able to share?  In the "two small ISPs
> in the boonies" scenario, *is* there enough cross traffic to make an
> interconnect worth it? (I'd expect that gaming/IM/email across town to a friend
> on The Other ISP would dominate here?) Or are both competitors too busy
> carrying customer traffic to the same sites elsewhere (google, youtube, amazon,
> etc)?  Phrased differently, how big/small a cross-connect is worth the effort?
>

Or at the cogent website ($4/meg) do the cost justify peering anymore?

Obviously some of this always depends on the loop costs.

Going to try to write something up that would be useful for smaller ISPs.

The BGP barrier IMHO is quite high in most cases, not all the small ISPs
carry their routes out to the edge in the same manner as the larger SPs.

- Jared

In our efforts, BGP hasn't come up as often as the Cogent (low cost) issue.
I think there are two aspects, one is the opportunity. If you need to build
or bury it gets pretty tough to keep costs below $4/meg. The second is
traffic volume, if you can set up a peering connection for $200 per month
for a full GE you need to stuff 50 Mb/s over the link to break even. That
may be tough unless you have an anchor institution like a college or a
content network. Rural wholesale (delivered to ISP) is going at $50-60 per
Mb in large parts of the US. That brings the breakeven to about 4 Mb which
is much easier for the small guys.

I think the dominant application driving cross connects right now might
be business VPN between the small ISPs either at L2 or L3.

Also, keep in mind though the cheap Internet is only at a limited number of
metro areas and you still need to pay to transport that Internet back to your
network.

jay







Re: Same AS number from different location and Migration of IP addresses

2008-05-25 Thread Jay Hennigan

devang patel wrote:


So if I will have the globally unique IP addresses for both the site which
are located at different location then its perfectly fine to use the same as
number in for same organisation having two different site located at
different location...right!!!


Right.

But as others have stated you will have to do some configuration in 
order for the two locations to communicate *with each other*.


There are a few different ways to accomplish this as has been 
discussed previously.


--
Jay Hennigan - CCIE #7880 - Network Engineering - [EMAIL PROTECTED]
Impulse Internet Service  -  http://www.impulse.net/
Your local telephone and internet company - 805 884-6323 - WB6RDV



Re: www.Amazon.com down?

2008-06-06 Thread Jay Hennigan

Jay R. Ashworth wrote:

On Fri, Jun 06, 2008 at 08:02:44PM +0100, IT Mailing List wrote:

Amazon.com seems to be back up.



From here, it's only the homepage; clickthroughs and searches are still down.


Same here.  Amusingly, the first item recommended on my home page is "IT 
Disaster Recovery Planning For Dummies."


--
Jay Hennigan - CCIE #7880 - Network Engineering - [EMAIL PROTECTED]
Impulse Internet Service  -  http://www.impulse.net/
Your local telephone and internet company - 805 884-6323 - WB6RDV



Re: OT: www.Amazon.com down?

2008-06-06 Thread Jay Hennigan

Adam Fields wrote:


This is rather suspicious (and confirmed by three other people):


$ whois amazon.com

AMAZON.COM.Z.GET.LAID.AT.WWW.SWINGINGCOMMUNITY.COM
AMAZON.COM.MORE.INFO.AT.WWW.BEYONDWHOIS.COM
AMAZON.COM.IS.N0T.AS.1337.AS.WWW.GULLI.COM
AMAZON.COM


whois for yahoo.com and google.com yield similar results.

I expect this means that DNS has been compromised somewhere.


No compromise, just people getting cute by registering host records. 
Microsoft.com is a mild example...


--
Jay Hennigan - CCIE #7880 - Network Engineering - [EMAIL PROTECTED]
Impulse Internet Service  -  http://www.impulse.net/
Your local telephone and internet company - 805 884-6323 - WB6RDV



Level3 IPv6 availability?

2008-06-24 Thread Jay Hennigan
Is anyone at Level3 who is familiar with IPv6, or anyone who is a Level3 
IPv6 customer lurking here?  We are a Level3 BGP customer and our 
contacts are giving us a deer-in-the-headlights stare when we want to 
bring up our /32, claiming that they don't do IPv6 at all.  Not native, 
not tunneled, zip, nada.


Yet, I see lots of AS3356 in the ipv6 routing tables, and there's this 
from three years ago...


http://nanog.org/mtg-0510/bamford.html

--
Jay Hennigan - CCIE #7880 - Network Engineering - [EMAIL PROTECTED]
Impulse Internet Service  -  http://www.impulse.net/
Your local telephone and internet company - 805 884-6323 - WB6RDV



Re: Arbitrary de-peering

2008-07-28 Thread Jay Hennigan

Jon Lewis wrote:

On Mon, 28 Jul 2008, William Waites wrote:


Tier 1 has enough peering relationships with enough other Tier 1 
networks that they can always buy temporary transit privileges over an 
existing link.


Every peering agreement I've seen has language to the effect that an 
entity can't both be a transit customer and a peer.  Even if allowed, 
the temporary transit privileges would need to be provisioned and turned 
up which isn't going to happen instantaneously.



Tier 1 means you don't buy transit, no?


"We are a Tier 1 provider" tends to mean "I am a salesperson".

--
Jay Hennigan - CCIE #7880 - Network Engineering - [EMAIL PROTECTED]
Impulse Internet Service  -  http://www.impulse.net/
Your local telephone and internet company - 805 884-6323 - WB6RDV



Re: impossible circuit

2008-08-16 Thread Jay Hennigan
Is this only happening in one direction?  One possibility is that the 
carrier has a different circuit that is provisioned up, HDLC, with no 
physical connection.  A short-circuit in a DACS or MUX is bridging the 
transmit interface towards your destination with a transmit interface on 
the unused but active circuit.  This would cause your traffic in that 
direction to fork both on the desired path and some rogue path that 
eventually gets routed to your destination.


The ethernet equivalent would be a SPAN monitor port plumbed to a 
transmit-only interface on a different network.


Definitely a strange one.  If I'm correct, when the other circuit starts 
to get customer traffic things will probably break completely for either 
the new customer seeing your PPP traffic or for both of you.


--
Jay Hennigan - CCIE #7880 - Network Engineering - [EMAIL PROTECTED]
Impulse Internet Service  -  http://www.impulse.net/
Your local telephone and internet company - 805 884-6323 - WB6RDV



Re: Native v6 with Level(3)?

2008-08-25 Thread Jay Hennigan

Christopher Morrow wrote:

On 8/22/08, Kyle Murray <[EMAIL PROTECTED]> wrote:

Here is the response I got from L3 when I inquired about IPV6:

 "The answer to your questions is "no", we have not yet inplemented IPV6 for
our customers yet.  IPV4 is the de facto on our backbone nad alledge router
on which customers connectc."

 Poor spelling aside, it seems they have not implemented it yet.  If someone
manages to get them to implement, I would really like to hear about it.



wow that is odd.. since stewart bamford has been off giving ipv6
deployment talks to various conferences (including this one:
http://www.nanog.org/mtg-0510/bamford.html )

maybe L3's support staff should check their internal documentation??
Slide 17 says: "Deployment completed Q3 2005"... so, they apparently
have it, can get it to you and do 6PE (or did 6PE a bit ago). Maybe
ask again and aim the nay-sayer to the nanog preso and ask them to
call stewart up directly?


We had the same issue when we inquired initially.  Apparently Level(1) 
support at Level(3) has Level(0) clue as to their capabilities.


I responded to Kyle off-list as to the email address for getting to the 
people with the answers.  Stewart is still on the team and they had us 
up and running on IPv6 within a couple of days once I contacted the 
right people.


--
Jay Hennigan - CCIE #7880 - Network Engineering - [EMAIL PROTECTED]
Impulse Internet Service  -  http://www.impulse.net/
Your local telephone and internet company - 805 884-6323 - WB6RDV



Jay Shao is out of the office.

2008-09-15 Thread Jay Shao

I will be out of the office starting  09/15/2008 and will not return until
09/21/2008.

I will respond to your message when I return. Please contact with
[EMAIL PROTECTED] for any production issues

-

DTCC DISCLAIMER: This email and any files transmitted with it are
confidential and intended solely for the use of the individual or
entity to whom they are addressed. If you have received this email
in error, please notify us immediately and delete the email and any
attachments from your system. The recipient should check this email
and any attachments for the presence of viruses.  The company
accepts no liability for any damage caused by any virus transmitted
by this email.



Re: high latency ds3 issue on unloaded line

2008-09-26 Thread Jay Hennigan

John Lee wrote:

Mike,

Your latencies which suddenly appear for several hours and then go away and do this on a regular basis  
sounds like a layer 2, facility switching issue. As you indicated " the problem comes on during the day 
and then lets up late in the evening" sounds like the underlying facility is being switched back around 
the "long side" of the SONET ring or other facility. Some carrier facilities are scheduled for 
"one path or direction" say during the day that are supposed to be for lower latency time periods 
for interactive work and then switch for a lower cost, higher latency path in the evening when computer to 
computer backups do not care. If you can plot the times the issues start and end and that these occur daily 
during the week and not on weekends etc that would be a strong indicator.


For 1000 ms latencies, that would be a VERY long "long side".  I think 
there is something else going on here.


--
Jay Hennigan - CCIE #7880 - Network Engineering - [EMAIL PROTECTED]
Impulse Internet Service  -  http://www.impulse.net/
Your local telephone and internet company - 805 884-6323 - WB6RDV



Re: Used (SONET) equipment sources/lists?

2008-10-02 Thread Jay Hennigan

Forrest W. Christian wrote:
I'm switching one end of a PtP DS3 to a location which only has fiber to 
the carrier.  As a result, I'm really in need of a Fujitsu FlashWave 
4010 or equivalent which can take a sonet-framed OC3 from a carrier and 
break it out into individual DS3's.


So far, my normal sources of used equipment have come up dry - but most 
of them really only deal with data networking (cisco) stuff, so it's a 
bit out of their league.  A long time ago (you know, like 100 internet 
years ago), I used to post these type of needs to 
misc.forsale.computers.net-hardware with good results, but that doesn't 
look very useful anymore.


Take a look at Adtran's OPTI-3 or more scalable OPTI-6100 series products.

I have no idea why Adtran has mile-long URLs, so here goes:

http://tinyurl.com/3gt54w

http://tinyurl.com/2z3yeg

Some used gear out there but not a lot.  The right wholesaler can give 
you a pretty good discount on the new stuff.  We've had excellent 
results with Adtran equipment.


Note that this gear as well as TTBOMK the Fujitsu is native 48VDC power, 
so figure in a power supply if you're in an AC environment.  Adtran 
sells compatible power supplies if needed.


--
Jay Hennigan - CCIE #7880 - Network Engineering - [EMAIL PROTECTED]
Impulse Internet Service  -  http://www.impulse.net/
Your local telephone and internet company - 805 884-6323 - WB6RDV



Re: the attack continues..

2008-10-18 Thread Jay Hennigan

Beavis wrote:

Hello Lists,

I'm still getting attacked and most of the IP's i got have been
reported. and just this morning it looks as if someone is testing my
network. and sending out short TCP_SESSION requests. now i may be
paranoid but this past few days have been hell.. just want to know if
the folks from these ip's can help me out.

Attacker IP,Attacker Port,Victim IP,Victim Port,Attack Type,Start
Time,Extra Info
205.188.116.7,47198,200.0.179.73,80,TCP_SESSION,2008-10-18
14:20:48,Filtered IP: Dropped packets: 3 Dropped bytes: 156
205.188.117.134,45379,200.0.179.73,80,TCP_SESSION,2008-10-18
14:20:48,Filtered IP: Dropped packets: 0 Dropped bytes: 0
205.188.117.137,42257,200.0.179.73,80,TCP_SESSION,2008-10-18
14:20:48,Filtered IP: Dropped packets: 0 Dropped bytes: 0
75.105.128.38,4092,200.0.179.73,80,TCP_SESSION,2008-10-18
14:20:48,Filtered IP: Dropped packets: 0 Dropped bytes: 0

First 3 IP's come from AOL, I'll try to see if I can get their attention.

Last IP is from a Wildblue Communications WBC-39.


"Beavis", you're running a web server on 200.0.179.73, some sort of 
gambling site.  Those who operate web servers generally expect traffic 
to TCP port 80.  If you're not aware that you have a web server running, 
then it is most likely your machine that is infected with a bot.


--
Jay Hennigan - CCIE #7880 - Network Engineering - [EMAIL PROTECTED]
Impulse Internet Service  -  http://www.impulse.net/
Your local telephone and internet company - 805 884-6323 - WB6RDV
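A triage pass over the filter report quoted in this thread, as an added example that is not part of the original messages: it undoes the mail client's line wrapping, parses each record, and groups sessions by destination so that traffic to a port the operator already publishes stands out as expected rather than hostile. The function names and the `published_ports` parameter are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: the report lines quoted above, wrapping preserved.
REPORT = """\
Attacker IP,Attacker Port,Victim IP,Victim Port,Attack Type,Start
Time,Extra Info
205.188.116.7,47198,200.0.179.73,80,TCP_SESSION,2008-10-18
14:20:48,Filtered IP: Dropped packets: 3 Dropped bytes: 156
205.188.117.134,45379,200.0.179.73,80,TCP_SESSION,2008-10-18
14:20:48,Filtered IP: Dropped packets: 0 Dropped bytes: 0
205.188.117.137,42257,200.0.179.73,80,TCP_SESSION,2008-10-18
14:20:48,Filtered IP: Dropped packets: 0 Dropped bytes: 0
75.105.128.38,4092,200.0.179.73,80,TCP_SESSION,2008-10-18
14:20:48,Filtered IP: Dropped packets: 0 Dropped bytes: 0
"""

IPV4_START = re.compile(r"^\d{1,3}(\.\d{1,3}){3},")
DROPPED = re.compile(r"Dropped packets:\s*(\d+)\s+Dropped bytes:\s*(\d+)")


def unwrap(text):
    """Rejoin records that were wrapped in transit: a line that does not
    begin with an IPv4 address continues the previous record."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if IPV4_START.match(line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records


def parse_report(text):
    """Return one dict per event, skipping the header and malformed rows."""
    events = []
    for rec in unwrap(text):
        if not IPV4_START.match(rec):
            continue  # header row
        fields = rec.split(",", 6)
        if len(fields) != 7:
            continue
        m = DROPPED.search(fields[6])
        events.append({
            "src": fields[0],
            "src_port": int(fields[1]),
            "dst": fields[2],
            "dst_port": int(fields[3]),
            "type": fields[4],
            "start": datetime.strptime(fields[5], "%Y-%m-%d %H:%M:%S"),
            "dropped_packets": int(m.group(1)) if m else 0,
            "dropped_bytes": int(m.group(2)) if m else 0,
        })
    return events


def summarise(events, published_ports):
    """Group by destination and mark whether the port is one the operator
    deliberately exposes (for a public web server, TCP 80)."""
    groups = defaultdict(lambda: {"sources": set(), "sessions": 0,
                                  "dropped_packets": 0, "dropped_bytes": 0})
    for ev in events:
        g = groups[(ev["dst"], ev["dst_port"])]
        g["sources"].add(ev["src"])
        g["sessions"] += 1
        g["dropped_packets"] += ev["dropped_packets"]
        g["dropped_bytes"] += ev["dropped_bytes"]
    return {
        key: {
            "sources": len(g["sources"]),
            "sessions": g["sessions"],
            "dropped_packets": g["dropped_packets"],
            "dropped_bytes": g["dropped_bytes"],
            "expected_service": key[1] in published_ports,
        }
        for key, g in groups.items()
    }


if __name__ == "__main__":
    for (dst, port), s in summarise(parse_report(REPORT), {80}).items():
        note = "published service" if s["expected_service"] else "unpublished port"
        print(f"{dst}:{port} {s['sessions']} sessions from {s['sources']} "
              f"sources, {s['dropped_packets']} packets dropped ({note})")
```
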



Re: the attack continues..

2008-10-18 Thread Jay Coley

Frank Bulk wrote:
> The website is "http://www.betmania.com/" and when I try to connect to it I
> get "Database Error: Unable to connect to the database:Could not connect to
> MySQL".
> 
> It's not unusual for betting sites to be DDoSed for ransom.

Also competition (rival companies) based attacks are extremely common in
the gambling/betting industry as well these days.

Are you running any special promotions at the same time as your competition?

- --J


> 
> Frank
> 
> -Original Message-
> From: Jay Hennigan [mailto:[EMAIL PROTECTED] 
> Sent: Saturday, October 18, 2008 10:24 AM
> To: NANOG list
> Subject: Re: the attack continues..
> 
> Beavis wrote:
>> Hello Lists,
>>
>> I'm still getting attacked and most of the IP's i got have been
>> reported. and just this morning it looks as if someone is testing my
>> network. and sending out short TCP_SESSION requests. now i may be
>> paranoid but this past few days have been hell.. just want to know if
>> the folks from these ip's can help me out.
>>
>> Attacker IP,Attacker Port,Victim IP,Victim Port,Attack Type,Start
>> Time,Extra Info
>> 205.188.116.7,47198,200.0.179.73,80,TCP_SESSION,2008-10-18
>> 14:20:48,Filtered IP: Dropped packets: 3 Dropped bytes: 156
>> 205.188.117.134,45379,200.0.179.73,80,TCP_SESSION,2008-10-18
>> 14:20:48,Filtered IP: Dropped packets: 0 Dropped bytes: 0
>> 205.188.117.137,42257,200.0.179.73,80,TCP_SESSION,2008-10-18
>> 14:20:48,Filtered IP: Dropped packets: 0 Dropped bytes: 0
>> 75.105.128.38,4092,200.0.179.73,80,TCP_SESSION,2008-10-18
>> 14:20:48,Filtered IP: Dropped packets: 0 Dropped bytes: 0
>>
>> First 3 IP's come from AOL, I'll try to see if I can get their attention.
>>
>> Last IP is from a Wildblue Communications WBC-39.
> 
> "Beavis", you're running a web server on 200.0.179.73, some sort of
> gambling site.  Those who operate web servers generally expect traffic
> to TCP port 80.  If you're not aware that you have a web server running,
> then it is most likely your machine that is infected with a bot.
> 
> --
> Jay Hennigan - CCIE #7880 - Network Engineering - [EMAIL PROTECTED]
> Impulse Internet Service  -  http://www.impulse.net/
> Your local telephone and internet company - 805 884-6323 - WB6RDV
> 
> 
> 
> 



Re: [funsec] McColo: Major Source of Online Scams and Spams KnockedOffline (fwd)

2008-11-12 Thread Jay Hennigan

Jason Ross wrote:

On Wed, Nov 12, 2008 at 14:16, Nick Newman <[EMAIL PROTECTED]> wrote:

How many cops does it take to throw a community lynching?



None.
The question that remains is: Why is the community having to resort to lynching?


I think we're using the wrong metaphors here.  A community lynching 
would be storming his datacenter and setting his servers on fire.  That 
didn't happen.


A better metaphor would be a rowdy patron in an upscale bar attempting 
to deal drugs and being tossed out by the bouncer.  Although dealing 
drugs is illegal, the people in the bar are more concerned about getting 
rid of the jerk than throwing his butt in jail (although that would be 
nice as well).


If law enforcement is busy with gang warfare in another part of town, 
their priority in responding to a rowdy in a bar is going to be low, 
especially if there's a bouncer who is capable of dealing with the problem.



--
Jay Hennigan - CCIE #7880 - Network Engineering - [EMAIL PROTECTED]
Impulse Internet Service  -  http://www.impulse.net/
Your local telephone and internet company - 805 884-6323 - WB6RDV



Re: DOS attack assistance?

2008-11-26 Thread Jay Coley



Pete Templin wrote:
> One of my customers, a host at 64.8.105.15, is feeling a "bonus"
> ~130kpps from 88.191.63.28.  I've null-routed the source, though our
> Engine2 GE cards don't seem to be doing a proper job of that,
> unfortunately.  The attack is a solid 300% more pps than our aggregate
> traffic levels.
> 
> It's coming in via 6461, but they don't appear to have any ability to
> backtrack it.  Their only offer is to blackhole the destination until
> the attack subsides.  BGP tells me the source is in AS 12322, a RIPE AS
> that has little if any information publicly visible.
> 
> Any pointers on what to do next?


If it's all coming from that single IP 88.191.63.28, just request that
your upstream block it.  Usually if you explain the situation to them
they'll oblige.

Otherwise you'll want to look at mitigation gear (Toplayer, Cisco, etc)
there are loads out there or you can look into a DDoS mitigation service.

The Contacts I can see for that ASN are

 role:   Technical Contact for ProXad
address:Free SAS / ProXad
address:8, rue de la Ville L'Eveque
address:75008 Paris
phone:  +33 1 73 50 20 00
fax-no: +33 1 73 92 25 69
remarks:trouble:  Information: http://www.proxad.net/
remarks:trouble:  Spam/Abuse requests: mailto:[EMAIL PROTECTED]
admin-c:RA999-RIPE
tech-c: FG4214-RIPE
nic-hdl:TCP8-RIPE
mnt-by: PROXAD-MNT
source: RIPE # Filtered
abuse-mailbox:  [EMAIL PROTECTED]


Hope that helps!

- --J






Re: an over-the-top data center

2008-12-02 Thread Jay Hennigan

The Anarcat wrote:

On Tue, Dec 02, 2008 at 11:19:36AM -0500, Jeremy Jackson wrote:

Seems like dry-ice was used to make the "tropical fog" in the photos,
not water poured over hot rocks like a sauna/bath house.


I've tried to avoid stating the obvious reading through all this funny
thread, but I can't help it now.

Am I the only one thinking that shady lights, tropical fog, creepy
tunnels, blue/colored lights, and *waterfalls* are *bad* things in a
datacenter?

I mean, it make a good movie set, but seriously... I wouldn't want to be
looking for that damn blue "locator" LED on that 10th switch with a blue
neon light...


Not to mention dry ice = carbon dioxide which isn't particularly healthy 
for the humans in that enclosed space.


--
Jay Hennigan - CCIE #7880 - Network Engineering - [EMAIL PROTECTED]
Impulse Internet Service  -  http://www.impulse.net/
Your local telephone and internet company - 805 884-6323 - WB6RDV



Re: Telecom Collapse?

2008-12-04 Thread Jay Farrell
The Verizon lay-offs article you linked to ("Verizon just laid off thousands
of people") in the blog post is dated December 29, *2002*
Cheers,
Jayfar

On Thu, Dec 4, 2008 at 12:36 PM, Jim Cowie <[EMAIL PROTECTED]> wrote:

> On Thu, Dec 4, 2008 at 12:20 PM, Wayne E. Bouchard <[EMAIL PROTECTED]> wrote:
>
> > That the old ILECs are having problems due to the fact that few if any
> > of them know how to run a decent business is not exactly news. IMO, it
> > might be best if some of them were finally placed in the position of
> > figuring out how to come into the 21st century and actually compete
> > for business.
>
>
> I wasn't going to say anything, but as long as you brought it up ...
>
> http://www.renesys.com/blog/2008/12/fiber-to-the-home-ideal-econom.shtml
>
> Outlandish and bizarre, yes, but perhaps no more so than the other things
> you read in the
> papers these days?--jim
>


Re: 3356-1239 Issues in Socal ?

2008-12-10 Thread Jay Hennigan

Brian Boles wrote:

Anyone know of problems in SoCal between 3356-1239?


Yes, we're seeing routes advertised from 1239 in Anaheim to endpoints in 
3356 that aren't reachable.


--
Jay Hennigan - CCIE #7880 - Network Engineering - [EMAIL PROTECTED]
Impulse Internet Service  -  http://www.impulse.net/
Your local telephone and internet company - 805 884-6323 - WB6RDV



Re: What to do when your ISP off-shores tech support

2008-12-24 Thread Jay Hennigan

Matthew Black wrote:

I've had difficulties reaching anyone with a brain
at my DSL provider Verizon California.


Switch to a local ISP with local tech support.

--
Jay Hennigan - CCIE #7880 - Network Engineering - j...@impulse.net
Impulse Internet Service  -  http://www.impulse.net/
Your local telephone and internet company - 805 884-6323 - WB6RDV



Re: What to do when your ISP off-shores tech support

2008-12-25 Thread Jay Hennigan

Martin Hannigan wrote:


Hi Jay:

Is there really anything wrong with sending first-level technical 
support offshore?


Macs are macs, Windows is windows and mail is mail whether you're in 
Mumbai or Memphis. As long as the language skills are good and the 
people are well trained, it should be mostly irrelevant, IMHO.


In and of itself and setting aside patriotic/nationalistic issues, 
probably not, assuming adequate technical and product knowledge and 
language skills.  I suppose that it would be possible that if it were 
done well enough one wouldn't be able to tell.


However, there is something about dealing with a local company that adds 
value.  People seem to care more about their community and neighbors 
than a random, barely understandable voice on a G.729 8k codec at the 
other end of a satellite link.


I have generally found dealing with most offshore tech support to be 
very frustrating.  The language issues are burdensome, some accents so 
thick as to be barely understandable, and the lack of clue and scripted 
menu-driven responses are obvious and usually of no value.  I wouldn't 
be calling if the problem could be solved by reading the documentation 
and some judicious web searching.  There are some exceptions, including 
Cisco TAC which is very good.  I've talked to Cisco engineers in 
Australia and Europe on occasion.  I've had mixed results with Linksys 
support, which I believe is in the Philippines.


Dealing with one offshore AT&T billing representative who was clearly a 
non-English speaker was extremely painful.  The latency and nonsense of 
the person's responses suggested either some type of auto-translator or 
satellite link, or both.  The person wasn't capable of getting the hint 
when I asked after several minutes of frustration what the "A" in "AT&T" 
stood for, and in fact claimed to have no idea.  I suspect that this 
level of disservice may be deliberate so that people will pay bogus 
charges on bills because the frustration level of disputing them is 
intentionally high.


--
Jay Hennigan - CCIE #7880 - Network Engineering - j...@impulse.net
Impulse Internet Service  -  http://www.impulse.net/
Your local telephone and internet company - 805 884-6323 - WB6RDV



Re: What to do when your ISP off-shores tech support

2008-12-26 Thread Jay Hennigan

Joe Greco wrote:


Sure.  Blaming off-shore tech support is pretty easy stuff, but the
reality is that the trouble is more along the line of appropriate
training.


But, the reason that US-based $TELCO and $CABLECO use off-shore tech 
support is that they don't want to pay for the training and supervision 
to do it right in-house.  The same person diagnosing your IP routing 
issues may indeed be asking, "Would you like fries with that?" thirty 
seconds later. [1] And, for purposes of, "Would you like fries with 
that?", off-shore is good enough that most customers can't tell, nor do 
they care.  It may often be better than a newbie local ten feet from 
you.  It's the ultimate scripted application, a literal menu.  People 
expect half-duplex-low-fi audio when talking to a tin speaker buried 
inside of a plastic clown.  ;-)



Some discussion suggested that the RR people were highly script-oriented
and not necessarily capable of complicated problem solving. 


And they are afraid to admit (or don't realize) that they are not 
capable of complicated problem solving.  They're following a script, 
just like the fast food order-takers.  Or maybe they don't have the 
authority to escalate it to someone with clue, even if/when they do 
realize they're over their heads.



It appears
that the TWC Business tier 1 people actually have a fair amount of
technical training and clue, and resources to tap if that's not good
enough.  Further, he was bright enough to let me know that they had a
"better than turbo" package available with a higher upstream speed, for
only a little more, that'd make me a business customer, so I'd never have
to deal with Road Runner again.  Based on this one experience, we were
more than happy to sign an annual contract and pay just $10/mo more, and
have direct access to people who know what words like "DHCP" and "route"
actually mean.

I did ask, and all the local people are, in fact, local.  It's a matter 
of training and technical knowledge.  None of them was really putting 
together the fact that the modem was sketchy for the service class we
had.


So, regardless of geographic location, using scripted clueless 
order-takers without the ability to escalate for customer support is a 
bad thing.  And, scripted clueless order-takers exist solely because 
they're cheap, not because they provide anything remotely resembling 
good service.  Cheap, from a US-centric perspective, generally means 
offshore.


The interesting thing about your experience is that your service 
problems resulted in an up-sell, but only because you were persistent 
enough to fight through the system.  Furthermore, it took a person with 
clue to do the up-sell.  How many customers and up-sell opportunities 
does RR lose because of their decision to go with cheap, scripted, 
clueless off-shore support?



My point is that you not only need the language skills and a good phone
connection, but also a reasonable process to deal with knowledgeable 
people.  I understand the need to provide scripted support, but there 
should also be a reasonable path to determine that someone has an 
exceptional problem and isn't being well-served by the script.


Precisely.  Or for better service have reasonably clueful people at 
level 1 so that they can quickly and expeditiously deal with the easy 
problems that could be scripted.


The scripted part could be (and often is) done with IVR, no humans at 
all.  But, please, if you do this, use DTMF menus and not that God-awful 
worthless "Tell-me" speech-guessing machine.  And make sure that every 
menu has a "0-to-human-being" option.



[1] http://broncocommunications.com/
--
Jay Hennigan - CCIE #7880 - Network Engineering - j...@impulse.net
Impulse Internet Service  -  http://www.impulse.net/
Your local telephone and internet company - 805 884-6323 - WB6RDV



Re: What to do when your ISP off-shores tech support

2008-12-27 Thread Jay Hennigan

Skywing wrote:

I find those speech recognition menus quite annoying.  American Airlines has 
one that's just not good enough over a lower bitrate cell voice link in a 
crowded situation when you're trying to determine what's the deal with 
cancelled flights or whatnot along with everyone else in the plane.  Always 
have to waste a minute for it to decide that it's going to punt to a real 
person.  It would be nice if there was a way to bypass it.


http://www.get2human.com/gethuman_list.asp


Jay wrote:
But, the reason that US-based $TELCO and $CABLECO use off-shore tech 
support is that they don't want to pay for the training and supervision 
to do it right in-house. 


Jay, that's an interesting misstatement.  It implies that they're going to
be paying a lesser rate to do it right somewhere else, which typically does
not seem to be what happens.


Perhaps my wording didn't convey my meaning.  They don't care about 
doing it right nearly as much as they care about doing it cheap.  This 
often means outsourced, which often means offshore.


The same person diagnosing your IP routing 
issues may indeed be asking, "Would you like fries with that?" thirty 
seconds later. [1] 


Does Bronco actually do that?  :-)


They actually do outsourced offshore order-taking for fast food 
drive-through restaurants.  Several big-name chains in fact.  And 
they're quite good at it, the customer probably doesn't know.  Whether 
the same people also answer the phones for $TELCO and $CABLECO, I don't 
know.


And they are afraid to admit (or don't realize) that they are not 
capable of complicated problem solving.  They're following a script, 
just like the fast food order-takers. 


Don't-realize.  The number of times I've been talked down to by people who
don't have any clue what the "4" in "IPv4" means is depressingly high.  I
do not need to reboot my Windows PC to know that the DHCP answer my UNIX
box is getting from the DHCP server, dumped in gory detail, is providing an 
IP address in a prefix that's not appearing in the global routing table now.


Or maybe they don't have the 
authority to escalate it to someone with clue, even if/when they do 
realize they're over their heads.


That's definitely a problem.


Yep.  I suspect it's a culture of "What are we paying you for if you 
can't solve the problems?" aimed at the scripted call center people. 
Call center work is a miserable job. The people are thoroughly timed and 
scrutinized, graded on the number of calls they take per hour, time on 
the phone to each caller (less is better), etc.  Automated metrics with 
the goal of pushing as many calls at as few people as possible.  I 
wouldn't be surprised if many of them are penalized for escalating issues.


The interesting thing about your experience is that your service 
problems resulted in an up-sell, but only because you were persistent 
enough to fight through the system. 


Plausible interpretation, but not really accurate.  An upsell would
normally be convincing someone to buy something that they would not
otherwise have thought to be useful; is it really an "upsell" when
you fail to advertise your new service offerings on your web site, 
and so leave your potential business customers with the impression 
that the only offerings you have are the same in-excess-of-T1 prices
that you offered last time they talked to you?


You remained a customer and signed up for a higher tier of services 
at increased cost based on a conversation with a clueful person, and you 
were only able to reach that person after some persistence.  How many 
others gave up before getting that far and went elsewhere?


--
Jay Hennigan - CCIE #7880 - Network Engineering - j...@impulse.net
Impulse Internet Service  -  http://www.impulse.net/
Your local telephone and internet company - 805 884-6323 - WB6RDV



Circuit numbering scheme - best practice?

2009-01-16 Thread Jay Hennigan
We've grown to the point that "The MCI T-1 in Ontario" or "Bob's 
ethernet to port 6/23 on switch 7" aren't scaling.  Also in working with 
carriers we are frequently asked to provide our internal circuit number.


I've seen a lot of the LEC scheme NN--NN where  has some 
significance with regard to the speed and type of circuit.  The leading 
NN seems to be a mystery and the trailing NN is a serial number.


I've also seen DS1-NNN as a straight speed-serial number type of 
thing and horrendously long circuit numbers including CLLI codes such as 
101/T3/SNLOCAGTH07/SNLOCA01K15 .


Any suggestions from those who have been down this road as to a schema 
that makes sense and is scalable?  Are there documented best practices?


--
Jay Hennigan - CCIE #7880 - Network Engineering - j...@impulse.net
Impulse Internet Service  -  http://www.impulse.net/
Your local telephone and internet company - 805 884-6323 - WB6RDV



Jay Shao is out of the office.

2009-01-17 Thread Jay Shao

I will be out of the office starting  01/17/2009 and will not return until
02/09/2009.

I will respond to your message when I return. Please contact with
net...@dtcc.com for any production issues




Inauguration streaming traffic

2009-01-20 Thread Jay Hennigan
We're a regional ISP, about 80% SMB 20% residential.  We're seeing 
almost double our normal downstream traffic right now.  Anyone else?


--
Jay Hennigan - CCIE #7880 - Network Engineering - j...@impulse.net
Impulse Internet Service  -  http://www.impulse.net/
Your local telephone and internet company - 805 884-6323 - WB6RDV



Re: ISP Unbundling circuits

2009-01-29 Thread Jay Nugent
Greetings,

On Thu, 29 Jan 2009, itmailinglist wrote:

> Hi everyone,
> Is it common for an ISP to install a leased line (circuit) and when the
> service ends, the service is not unbundled again but all the cabling is left
> where it is?  I have even seen that a circuit is still active on their
> exchanges after years and no one at the ISP seems to care that they are
> wasting their own resources.

   *EVERY* ISP I have consulted for has failed to perform the simplest of 
Order Entry processes, including an item-by-item checklist of what to do 
when a customer disconnects.  At each ISP we have found numerous circuits 
still in place and being paid for month after month.  

   Only when we have gone through all of their circuit billings and
customer accounts do we find all the loose ends and get their record
keeping cleaned up.  And then set them up with internal processes and
databases that prevent such costly errors.

  --- Jay Nugent
  ISPmonitor.org
  "You can't manage what you can't measure"
  Providing monitoring and consulting services for ISP's


Train how you will Operate, and you will Operate how you were Trained.
+----+
| Jay Nugent   j...@nuge.com(734)484-5105(734)649-0850/Cell   |
|   Nugent Telecommunications  [www.nuge.com]|
|   Internet Consulting/Linux SysAdmin/Engineering & Design/ISP Reseller |
| ISP Monitoring [www.ispmonitor.org] ISP & Modem Performance Monitoring |
| Web-Pegasus[www.webpegasus.com] Web Hosting/DNS Hosting/Shell Accts|
++
  8:01am  up 60 days, 16:28,  4 users,  load average: 0.72, 0.16, 0.05




Re: slightly OT: wall mount UPS for demarc

2009-02-25 Thread Jay Hennigan

Peter Pauly wrote:

I'm looking to buy several small wall mounted UPS's to power a telco's
metro ethernet switches. (Yes, they should have provided some kind of
protection, but won't).

The closest suitable UPS I've found is this:

http://www.tripplite.com/EN/products/model.cfm?txtSeriesID=419&EID=361&txtModelID=3640

Can anyone suggest a better alternative?

I want something sturdy, preferably metal, that can screw to a wall
and be worry free for years at a time.


Any UPS will have batteries, probably sealed lead-acid for a small UPS. 
 That is likely to negate "worry free for years at a time", especially 
if wall-mounted in an unconditioned demarc/MPOE closet as opposed to a 
temperature-controlled data center.


At a minimum, plan on an annual visit to do routine maintenance and load 
test the batteries.  You'll be lucky to get more than three years of 
service out of them.


A typical Chatsworth, etc. 19-inch rack shelf available in various 
depths can be flipped around and screwed to a wall to support many of 
the stand-alone UPSes.


--
Jay Hennigan - CCIE #7880 - Network Engineering - j...@impulse.net
Impulse Internet Service  -  http://www.impulse.net/
Your local telephone and internet company - 805 884-6323 - WB6RDV



Recommendation for wiring contractor in Scottsdale, AZ

2009-03-25 Thread Jay Hennigan
We have a need for a DS-3 extension (734 duplex co-ax, 300 foot run, BNC 
termination) in Scottsdale, AZ. A recommendation for a clueful wiring 
contractor familiar with this type of work would be greatly appreciated!


--
Jay Hennigan - CCIE #7880 - Network Engineering - j...@impulse.net
Impulse Internet Service  -  http://www.impulse.net/
Your local telephone and internet company - 805 884-6323 - WB6RDV



Jay Shao is out of the office.

2009-03-27 Thread Jay Shao

I will be out of the office starting  03/27/2009 and will not return until
03/30/2009.

I will respond to your message when I return. Please contact
net...@dtcc.com for any production issues.




Re: Oddly, this has been a complaint

2009-03-29 Thread Jay Hennigan

Joe Blanchard wrote:


Not that I care one way or another, but since I've gotten 20+ complaints.
going to www.whitehouse.org yields something else. I know I know, perhaps
old news.


whitehouse.gov does not equal whitehouse.org .

And some of us who have been around for a while can attest with some 
certainty that whitehouse.gov DEFINITELY doesn't equal whitehouse.com . 
 :-)



--
Jay Hennigan - CCIE #7880 - Network Engineering - j...@impulse.net
Impulse Internet Service  -  http://www.impulse.net/
Your local telephone and internet company - 805 884-6323 - WB6RDV



Re: Outside plant protection, fiber cuts, interwebz down oh noes!

2009-04-10 Thread Jay Hennigan

On Apr 10, 2009, at 12:05 PM, Carlos Alcantar wrote:


You're right about having the right tools. What's a manhole hook cost, $50?


Less than half that.  http://www.toolup.com/condux/08023000.html

--
Jay Hennigan - CCIE #7880 - Network Engineering - j...@impulse.net
Impulse Internet Service  -  http://www.impulse.net/
Your local telephone and internet company - 805 884-6323 - WB6RDV



AS701 IPv6 at One Wilshire?

2009-04-14 Thread Jay Hennigan
Is anyone getting IPv6 native (not tunneled) from Verizon/UUNet/MCI via 
ethernet at One Wilshire?  We're getting conflicting reports as to its 
availability there.  Their sales people appear to be clue-deprived re v6.


Off-list replies are fine.

--
Jay Hennigan - CCIE #7880 - Network Engineering - j...@impulse.net
Impulse Internet Service  -  http://www.impulse.net/
Your local telephone and internet company - 805 884-6323 - WB6RDV



Re: downloading speed

2009-04-17 Thread Jay Hennigan

chandrashakher pawar wrote:

Dear Group member,

We are a level one ISP. One of my customers is connected to fast ethernet.
His link speed is 100,000 kbps. While downloading anything from the net, his
download speed does not go above 200 kbps.
While doing multiple downloads he gets around 200 kbps in every window. But
when he closes all the windows, no change in download speed is observed.

our router is C12KPRP-K4P-M

Please advise what could be the cause?


Most likely:  http://www.google.com/search?q=tcp+tuning

Also check for duplex mismatch, cable problems, interface errors, etc.

Also verify that you're comparing the same units, bits vs bytes.

--
Jay Hennigan - CCIE #7880 - Network Engineering - j...@impulse.net
Impulse Internet Service  -  http://www.impulse.net/
Your local telephone and internet company - 805 884-6323 - WB6RDV



Re: downloading speed

2009-04-17 Thread Jay Hennigan

chandrashakher pawar wrote:


No errors on the interface.
None of our customers on this router has complained to us about this issue.
I have changed this to "negotiation auto" as suggested by one of our members.
Tomorrow the customer will test again and reply.
Round-trip time is good, no backbone choked.
The unit will not make a bit of difference, as the customer tried troubleshooting the
issue after connecting a laptop directly to the 100 mbps link.
In that case also the result was the same.


Note that your screenshot displays bytes, not bits.  So it will display 
one-eighth the download speed measured in bits.


Check the TCP tuning on the downloading PC.  The fact that multiple 
windows achieve a higher aggregate speed points to this.  Use the Google 
link I supplied earlier, also search "Bandwidth-delay product".  Are 
both ends of the link a substantial geographic distance (several miles) 
apart?


Note that the adjustments for TCP tuning are to the TCP stack on the 
machine doing the download, not the network gear.


--
Jay Hennigan - CCIE #7880 - Network Engineering - j...@impulse.net
Impulse Internet Service  -  http://www.impulse.net/
Your local telephone and internet company - 805 884-6323 - WB6RDV



Re: Where to buy Internet IP addresses

2009-05-01 Thread Jay Hennigan

LEdouard Louis wrote:

Optimum Online business only offers 5 static IP addresses.

Where can I buy a block of Internet IP addresses for Business? How much
does it cost?


Only five?  Really?  Our basic residential users get 18 quintillion 
addresses, and business users get 65536 times that many.  Tell them you 
need a few more.  :-)


Seriously, we do indeed provide that many addresses, but that's on a new 
protocol being implemented to avoid the exact problem you're having.


Talk to your sales guy and see if they will assign a "/28" to you, which 
would give you 13 usable addresses for your hosts.  If not, and you have 
a valid need for more space, switch ISPs.


--
Jay Hennigan - CCIE #7880 - Network Engineering - j...@impulse.net
Impulse Internet Service  -  http://www.impulse.net/
Your local telephone and internet company - 805 884-6323 - WB6RDV



Re: Where to buy Internet IP addresses

2009-05-04 Thread Jay Hennigan

Ian Mason wrote:

There are about 11 million /56s per person on the planet, we're not 
about to run out.


"We have enough addresses for about four billion of these."

http://www.cs.utexas.edu/users/chris/think/ARPANET/images/imp.gif

"We're not about to run out."

--
Jay Hennigan - CCIE #7880 - Network Engineering - j...@impulse.net
Impulse Internet Service  -  http://www.impulse.net/
Your local telephone and internet company - 805 884-6323 - WB6RDV



Anomalies with AS13214 ?

2009-05-11 Thread Jay Hennigan
We're getting cyclops[1] alerts that AS13214 is advertising itself as 
origin for all of our prefixes.  Their anomaly report shows thousands of 
prefixes originating there.


Anyone else seeing evidence of this or being affected?


[1] http://cyclops.cs.ucla.edu/


--
Jay Hennigan - CCIE #7880 - Network Engineering - j...@impulse.net
Impulse Internet Service  -  http://www.impulse.net/
Your local telephone and internet company - 805 884-6323 - WB6RDV



Re: Anomalies with AS13214 ?

2009-05-11 Thread Jay Hennigan

Robert D. Scott wrote:

It looks like Cyclops is seeing these from AS 48285, but I see no indication
they are being advertised to any production upstream provider. Our /16 is
being alerted in Cyclops, but I can not find any advert on any looking
glass.


That's what I'm seeing as well.  It's possible that 13214 is broken but 
not causing an issue except to their customers.  Or 48285 is broken or 
just giving bad data to Cyclops.  Cyclops has hundreds of monitors and 
this is the only one showing the issue.  I suspect that if there's a 
real problem it isn't affecting anyone other than 48285 and maybe 13214.


--
Jay Hennigan - CCIE #7880 - Network Engineering - j...@impulse.net
Impulse Internet Service  -  http://www.impulse.net/
Your local telephone and internet company - 805 884-6323 - WB6RDV
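
The check discussed in the two messages above (is an unexpected origin AS being seen for our prefixes, and by how many monitors?) can be sketched as follows. This is an added example, not code from the thread or from Cyclops; the prefixes and AS numbers are constructed from the documentation ranges, and the monitor names and the 50% threshold are assumptions.

```python
import ipaddress

# Constructed sample data. Prefixes and AS numbers come from the ranges
# reserved for documentation; they are not the prefixes or ASNs in the thread.
EXPECTED_ORIGINS = {"192.0.2.0/24": 64496, "198.51.100.0/24": 64496}

# (monitor id, announced prefix, AS path as seen by that monitor)
OBSERVATIONS = [
    ("mon-a", "192.0.2.0/24", [64500, 64501, 64496]),
    ("mon-b", "192.0.2.0/24", [64502, 64496]),
    ("mon-c", "192.0.2.0/24", [64510, 64511]),            # unexpected origin
    ("mon-c", "198.51.100.0/25", [64510, 64511]),         # more-specific of ours
    ("mon-a", "198.51.100.0/24", [64500, 64496, 64496]),  # prepending, same origin
    ("mon-b", "198.51.100.0/24", [64502, 64496]),
    ("mon-b", "203.0.113.0/24", [64502, 64505]),          # not our space
]


def covering_prefix(announced, expected):
    """Return (our_prefix, expected_asn) if `announced` equals or falls inside
    one of our prefixes, else None."""
    net = ipaddress.ip_network(announced)
    for ours, asn in expected.items():
        our_net = ipaddress.ip_network(ours)
        if net.version == our_net.version and net.subnet_of(our_net):
            return ours, asn
    return None


def origin_report(observations, expected):
    """Per protected prefix: which monitors see it at all, which see a wrong
    origin AS, and what that origin is."""
    report = {p: {"monitors": set(), "anomalous": set(), "origins": set()}
              for p in expected}
    for monitor, prefix, as_path in observations:
        match = covering_prefix(prefix, expected)
        if match is None or not as_path:
            continue
        ours, expected_asn = match
        entry = report[ours]
        entry["monitors"].add(monitor)
        origin = as_path[-1]  # rightmost AS in the path is the origin
        if origin != expected_asn:
            entry["anomalous"].add(monitor)
            entry["origins"].add(origin)
    return report


def classify(entry, threshold=0.5):
    """'clean', 'localized' (a minority of monitors), or 'widespread'.
    The threshold is an assumption, not a value from the thread."""
    if not entry["anomalous"]:
        return "clean"
    share = len(entry["anomalous"]) / len(entry["monitors"])
    return "widespread" if share >= threshold else "localized"


if __name__ == "__main__":
    for prefix, entry in origin_report(OBSERVATIONS, EXPECTED_ORIGINS).items():
        print(prefix, classify(entry), sorted(entry["anomalous"]),
              sorted(entry["origins"]))
```

A "localized" result matches the situation described in the reply: one vantage point reports the wrong origin while the others, and the looking glasses, do not.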



Re: MX problems

2009-05-19 Thread Jay Hennigan

Polar Humenn wrote:

I'm in Syracuse NY, and I'm having problems getting sendmail to get to MX
servers, with the errors of "No Route to Host" or "Connection timed Out".
Apparently this has been happening for over 5 days. I can send mail within
Syracuse University, but as soon as I venture out nothing. Traceroute seems
to lose it after about the 9th or 10th hop.

It seems that I can get to almost any website, but tracerouting or pinging
these MX servers is not happening.

Is there anything going on, or at least something that started 5-7 days ago?

I find the same problem from within Syracuse University to my RoadRunner
account at home (which does not pass through the university routers). I only
noticed it from the university since that's where I usually send my email
through. Like I would not have been able to post to this list


Many ISPs, especially for residential and similar customers, filter TCP 
25 outbound and provide a "smart host" MTA on net for their customers to 
use for sending outbound mail.  This is an anti-abuse measure.


If an offnet MX host returns pings but times out when you telnet to port 
25, you're probably being filtered (somewhat) locally.


--
Jay Hennigan - CCIE #7880 - Network Engineering - j...@impulse.net
Impulse Internet Service  -  http://www.impulse.net/
Your local telephone and internet company - 805 884-6323 - WB6RDV



Re: Why choose 120 volts?

2009-05-26 Thread Jay Hennigan

Aaron Wendel wrote:

Our power is handed to us at 480v.  We then deliver it to the customer at 
whatever they need.  The nice thing about 120v is that everything uses it.  No 
odd cords (as mentioned before) or expensive PDUs.

I've had a lot of people suggest that running our servers at 240v would save us 
money because we'd use less amps.  Last time I looked at my bill I was being 
billed by the kWh, not amp and 240v at half the amps is still the same wattage. 
 I've been told this so many times though that I'm starting to doubt myself.  
If anyone can present a reason for me to switch to 240v I'd like to hear it.


Some servers (HP/Compaq comes to mind) and Cisco switches have 
limitations in terms of performance and/or capacity on 120v circuits.
Yes, it all gets crunched down to 5VDC and similar low voltages in the 
power supply.  The limitation is likely due to the gauge of wire used 
and copper losses in the input circuitry.  Higher current connectors and 
switches, larger copper conductors, etc. are costly.  If you have an 
application that needs that kind of power, higher voltages make sense.


This is just as true if the application is a server as it is if it's an 
electric stove or clothes dryer.


Most of the rest of the world has 240v as conventional domestic power, 
and most server rooms or datacenters supporting >2KVA single devices 
have 208 or 240v available, so it makes sense for manufacturers of 
high-power gear to save the money on copper and connectors and insist on 
higher input voltages for full spec output.


Yes, it would be nice to be able to plug in your laptop charger, etc. 
And the voltage on that charger is likely compatible with anything from 
100 to 240V.  Wiring a NEMA 5-15 with 208V is just wrong, though.  I 
have an IEC male to NEMA 5-15 female pigtail (old-school "monitor cord") 
with a big sticker saying "208V - Be very careful what you plug in here" 
for just that purpose.


--
Jay Hennigan - CCIE #7880 - Network Engineering - j...@impulse.net
Impulse Internet Service  -  http://www.impulse.net/
Your local telephone and internet company - 805 884-6323 - WB6RDV



Re: Why choose 120 volts?

2009-05-27 Thread Jay Hennigan

david raistrick wrote:

On Tue, 26 May 2009, Joe Greco wrote:


http://www.cdw.com/shop/products/default.aspx?edc=1036852



Great, you're the latest person to invent a way to present a 5-15R that
offers something besides 120VAC.  This is neither new nor novel, but it
*is* dangerous and risky, and in no way "solves the problem."


No, this does NOT present 208v at a 5-15R.   Don't believe me, buy one 
and put a voltmeter across it.


It indeed can and does present 208V (or 240v in some cases) to a 5-15R. 
 I use one of them for that purpose to power my laptop charger from the 
IEC power strips present in racks fed from 208v.


That cord is just an adapter with three copper wires.  Putting a 
voltmeter on its output will just measure what is present on its input. 
 That cord mated to an IEC cord in Europe will put 240v 50 Hz on the 
receptacle.  Mated to an IEC PDU on a 208v-wired rack, it will measure 
208v.


This is not necessarily dangerous, *IF* you are aware of it and don't 
leave it plugged in for someone unaware of the voltage present to use. 
Radio Shack sells an adapter from the Schuko round pin 240v receptacles 
to a 5-15R.  It works just fine for my laptop because the laptop power 
supply is *designed* to operate on any voltage from 100 to 240 volts. 
It would NOT work just fine if someone plugged in a 120v-only appliance.


If you leave that cord plugged in to a 208V-fed rack and walk away from 
it, there is a likelihood that someone else looking for a convenience 
outlet will discover it and plug something in.  If that "something" 
isn't happy with the 208v it gets, the magic smoke that is contained in 
the device will escape.  As we all know, once the smoke gets out, the 
device will stop functioning.


--
Jay Hennigan - CCIE #7880 - Network Engineering - j...@impulse.net
Impulse Internet Service  -  http://www.impulse.net/
Your local telephone and internet company - 805 884-6323 - WB6RDV



Re: Why choose 120 volts?

2009-05-28 Thread Jay Hennigan

Dave Larter wrote:

I was referring to, when a 120v device is attached to the 5-15 end of
the cord. On the inside of these grounded devices I often find that the
neutral is tied to ground. 


Often???  Name one device designed that way.

And please tell us how well that device works when you plug it in to a 
GFCI-protected outlet in your kitchen.


I believe that you are very mistaken.

--
Jay Hennigan - CCIE #7880 - Network Engineering - j...@impulse.net
Impulse Internet Service  -  http://www.impulse.net/
Your local telephone and internet company - 805 884-6323 - WB6RDV



Re: problems with cisco 7200 and PA-T3

2009-05-28 Thread Jay Hennigan

Adam Goodman wrote:

Just installed a cisco 7204vxr with a DS3 interface. We are not getting more
than 5Mbits.

show interface is not reporting any errors. The provider tech put a piece
of test equipment on the circuit and sees errors.


Do you have access to both ends of the circuit?  No errors on either 
end?  In which direction does the provider tech show errors and where in 
the circuit is the test set being placed?  Does the test set show errors 
running to a hard (co-ax) loop?  If so you have a problem with the span.


Have you verified that there is exactly one clocking source on the circuit?


Does anyone else use a cisco 7200 with a DS3 interface that we might be able
to speak with?


We have several.  In some cases a 10dB attenuator is needed on the 
receive side if the carrier is too "hot" but this manifests as errors.


--
Jay Hennigan - CCIE #7880 - Network Engineering - j...@impulse.net
Impulse Internet Service  -  http://www.impulse.net/
Your local telephone and internet company - 805 884-6323 - WB6RDV



Re: End User Internet Monitoring for Supervisor recommendations

2009-06-09 Thread Jay Nugent
Greetings,

On Tue, 9 Jun 2009, Brian Raaen wrote:

> Our Company has been doing some testing with Linux Untangled servers. 
> http://www.untangle.com/
> 
> JoeSox wrote:
> > I have a friend in a shop that is not running any robust Websense like
> > applications. They are looking for a freeware solution or possibly
> > inexpensive solution just for a few requests not for the entire
> > company.  I used one a while back but I since have lost the
> > information and that PC that I dropped the application on has since
> > been rebuilt.
> >
> > Does anyone have any recommendations that meet the following requirements:
> > 1) A Supervisor can navigate to a url to see end user's internet activity.
> > 2) Freeware or close to it


   Also take a look at NTOP.  Lets ya see all workstation and router 
traffic on your LAN and can be viewed with a browser pointed to port :3000


  --- Jay Nugent  

Train how you will Operate, and you will Operate how you were Trained.
++
| Jay Nugent   j...@nuge.com(734)484-5105(734)649-0850/Cell   |
|   Nugent Telecommunications  [www.nuge.com]|
|   Internet Consulting/Linux SysAdmin/Engineering & Design/ISP Reseller |
| ISP Monitoring [www.ispmonitor.org] ISP & Modem Performance Monitoring |
| Web-Pegasus[www.webpegasus.com] Web Hosting/DNS Hosting/Shell Accts|
++
  2:01pm  up 2 days,  7:15,  2 users,  load average: 0.00, 0.03, 0.00



Re: Telephones for Noisy Data Centers

2009-06-17 Thread Jay Hennigan

Michael J McCafferty wrote:

All,
I'd be OK if we were in a facility that was only average in terms of
noise, but we are not. I need an exceptional phone for the data center.
Something that doesn't transmit the horrible background noise to the
other end, and something that is loud without being painful for the user
of this phone. Cordless would be very fine, headset is excellent.
Ordinary desk phone is OK... but the most important thing is that it
works for clear communication. A loud ringer would be great too... but if
the best phone doesn't have one, I'll get an auxiliary ringer.

Does anyone have a phone model that they find to be excellent in a
louder than usual data center?


Old-school ITT Cortelco 2500 (desk) or 2554 (wall) set.

Replace microphone element with noise-canceling microphone.  Best one is 
Roanwell Confidencer available from Mike Sandman, Graybar, etc.  Also 
good is Walker - Clarity NoiseCensor or Allen-Tel GB117 (available from 
Graybar).


For exceptionally loud areas, an amplified handset such as Allen-Tel 
GBG6M-44 as well.


The noise-canceling microphone is the key.  It will help you be heard at 
the other end and kill the noise in the sidetone to you.  Works wonders. 
  The 2500 desk phone has a dual-gong mechanical ringer, loud and 
distinctive.  2554 wall model is single gong, still fairly loud.


Google for suppliers of these items if you aren't near a Graybar.

--
Jay Hennigan - CCIE #7880 - Network Engineering - j...@impulse.net
Impulse Internet Service  -  http://www.impulse.net/
Your local telephone and internet company - 805 884-6323 - WB6RDV



Re: Wireless bridge

2009-06-18 Thread Jay Hennigan

Jason Gurtz wrote:


Are you sure there's not a moisture problem in the antennae cabling?  Get
an SWR meter that can handle the 2.4 GHz range and make sure that SWR is
very low (approaching 1:1 but certainly less than 2:1).  Hook up the meter
in-line at the AP.  Test this after everything is wet and again when
there's been a dry spell.  Minimize the number of exposed connections and
use dielectric grease.  


Use dielectric grease sparingly on the outer threads of the connector. 
Don't let it get in contact with the inside where it bridges the center 
pin and the shield.  This will cause nasty impedance bumps.  The inside 
of the connector should be dry.  The grease on the threads helps to 
ensure this.



Any exposed connections should be well wrapped
with that rubberized electrician's tape first, then with regular.


Yep, the stretchy stuff. 3M type 23.

--
Jay Hennigan - CCIE #7880 - Network Engineering - j...@impulse.net
Impulse Internet Service  -  http://www.impulse.net/
Your local telephone and internet company - 805 884-6323 - WB6RDV



Re: Telephones for Noisy Data Centers

2009-07-01 Thread Jay Hennigan

Robert E. Seastrom wrote:

Jay Hennigan  writes:


Replace microphone element with noise-canceling microphone.  Best one
is Roanwell Confidencer available from Mike Sandman, Graybar, etc.
Also good is Walker - Clarity NoiseCensor or Allen-Tel GB117
(available from Graybar).


+1 on the Confidencer - back when I worked for a trading firm, these
were standard issue on all phones on the floor.  They work great.


Indeed.  The other solutions work great for a single user on a cellular 
phone, but I prefer a plain old wired telephone with a handset for the 
emergency phone at a data center.  It's usable by anyone.  Ever try 
handing your bluetooth headset with custom earmold to the electrician 
working on the UPS?


Data centers tend to be noisy in more than just the acoustic spectrum, 
mobile reception often isn't the greatest.


--
Jay Hennigan - CCIE #7880 - Network Engineering - j...@impulse.net
Impulse Internet Service  -  http://www.impulse.net/
Your local telephone and internet company - 805 884-6323 - WB6RDV



AT&T and having two BGP peers

2009-07-10 Thread Jay Nakamura
We are getting an Ethernet DIA circuit from AT&T but they insist that
they can't BGP peer with 2 routers on our side.  The WAN circuit can
only have /30 they say.  Has anyone been able to successfully talk
them in to bending their rule?  If so, how?

I know this should have been negotiated before signing a contract but
I was unfortunately not in the loop... :(

It seems like a ridiculous bureaucratic restriction.


