Re: Senderbase is offbase, need some help
On Sat, 2010-04-17 at 16:45 -0400, William Herrin wrote:
> Interesting; I see similar results for my address space. Two addresses, one of which hasn't been attached to a machine for a decade and the other a virtual IP on a web server where the particular IP never emits connections. Magnitude's only 0.48 for both but still, they shouldn't even appear.

Yep, same here, at two separate sites. It's in the reserved for extreme emergencies zone at the top of each assigned block. As per house practice it is tcpdumped 24/7, and has been for the last 4 years. Zero traffic from it at the perimeter. Go figure.

Gord

--
Order of Magnitude delayed due to lack of stock, please call Despatch
Re: Senderbase is offbase, need some help
On 4/18/2010 16:02, Matthew Petach wrote:
> On Sun, Apr 18, 2010 at 10:15 AM, gordon b slater gordsla...@ieee.org wrote:
>> On Sat, 2010-04-17 at 16:45 -0400, William Herrin wrote:
>>> Interesting; I see similar results for my address space. Two addresses, one of which hasn't been attached to a machine for a decade and the other a virtual IP on a web server where the particular IP never emits connections. Magnitude's only 0.48 for both but still, they shouldn't even appear.
>>
>> Yep, same here, at two separate sites. It's in the reserved for extreme emergencies zone at the top of each assigned block. As per house practice it is tcpdumped 24/7, and has been for the last 4 years. Zero traffic from it at the perimeter. Go figure.
>>
>> Gord
>
> Have you checked cyclops and other BGP announcement tracking systems to see if it might have been a short-lived whack-a-mole short prefix hijack (pop up, announce block, send burst of spam, remove announcement, disappear again)?

Maybe I'm just tired and cranky or too old to understand. If the addresses in question never send traffic, who cares?

And if senderbase is so bad, why use it?

--
Somebody should have said: A democracy is two wolves and a lamb voting on what to have for dinner. Freedom under a constitutional republic is a well armed lamb contesting the vote.
Requiescas in pace o email
Ex turpi causa non oritur actio
Eppure si rinfresca
ICBM Targeting Information: http://tinyurl.com/4sqczs
http://tinyurl.com/7tp8ml
Re: Senderbase is offbase, need some help
On Sun, 18 Apr 2010, Larry Sheldon wrote:
>> Have you checked cyclops and other BGP announcement tracking systems to see if it might have been a short-lived whack-a-mole short prefix hijack (pop up, announce block, send burst of spam, remove announcement, disappear again)?
>
> Maybe I'm just tired and cranky or too old to understand. If the addresses in question never send traffic, who cares?

He's suggesting that maybe mail came from those IPs while someone else was using them without your knowledge. Given the available info, I think it's far more likely senderbase has some glitch causing bogus 0.48 scores for IPs that really haven't sent anything in recent history.

--
Jon Lewis | I route
Senior Network Engineer | therefore you are
Atlantic Net |
_ http://www.lewis.org/~jlewis/pgp for PGP public key_
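Added example, not part of the original thread: one way to run the check suggested above, looking through archived BGP updates for a short-lived announcement of your own space by a foreign origin AS and comparing it with the date a reputation listing cites. The update format, the 6-hour threshold, the prefixes and the AS numbers are assumptions; the sample data is constructed.

```python
from datetime import datetime, timedelta
from ipaddress import ip_network

# Constructed sample, not real routing data (documentation prefixes, private-use
# ASNs). One BGP update per line: UTC time|A(nnounce) or W(ithdraw)|prefix|origin AS.
UPDATES = """\
2010-04-01T00:00:00|A|198.51.100.0/24|64500
2010-04-06T03:10:00|A|192.0.2.0/25|64666
2010-04-06T03:42:00|W|192.0.2.0/25|0
2010-04-07T09:00:00|A|203.0.113.0/24|64501
"""

def announcement_windows(text):
    """Pair announcements with withdrawals: (prefix, origin, start, end or None)."""
    open_at, windows = {}, []
    for line in text.splitlines():
        ts, kind, prefix, origin = line.split("|")
        when, net = datetime.fromisoformat(ts), ip_network(prefix)
        if kind == "A":
            open_at.setdefault(net, (int(origin), when))  # keep first sighting
        elif net in open_at:
            asn, start = open_at.pop(net)
            windows.append((net, asn, start, when))
    # Prefixes never withdrawn stay open-ended.
    windows += [(n, asn, start, None) for n, (asn, start) in open_at.items()]
    return windows

def short_lived_foreign(windows, my_space, my_asns, max_life=timedelta(hours=6)):
    """Windows that overlap our space, have a foreign origin and vanished quickly."""
    hits = []
    for net, asn, start, end in windows:
        ours = any(net.overlaps(block) for block in my_space)
        brief = end is not None and end - start <= max_life  # assumed threshold
        if ours and asn not in my_asns and brief:
            hits.append((str(net), asn, start, end))
    return hits

def covers_listing_date(hits, listed_day):
    """True if a flagged window was live on the day the reputation listing cites."""
    return any(s.date() <= listed_day <= e.date() for _, _, s, e in hits)

if __name__ == "__main__":
    mine = [ip_network("192.0.2.0/24")]  # hypothetical unrouted block
    hits = short_lived_foreign(announcement_windows(UPDATES), mine, {64500})
    for prefix, asn, start, end in hits:
        print(f"{prefix} originated by AS{asn} for {end - start} from {start}")
    print("live on listing date:", covers_listing_date(hits, datetime(2010, 4, 6).date()))
```

An empty result for the listing date supports the "glitch in the database" reading; a hit means the space was briefly routed by someone else.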
Re: Senderbase is offbase, need some help
* Mike:
> I've tried to get the attention of senderbase, which is claiming activity from my address space which is in fact either un-routed or within dynamic subscriber blocks that have outbound smtp filtering in effect.

Could you share technical details on your filters, please? If you only filter incoming TCP packets from your customers with destination port 25, these filters might well be insufficient.
Re: Senderbase is offbase, need some help
I've tried to get the attention of senderbase, which is claiming activity from my address space which is in fact either un-routed or within dynamic subscriber blocks that have outbound smtp filtering in effect. Unfortunately, senderbase refuses to acknowledge the problem in their database nor back up their claims with any evidence to the contrary other than these ips are listed in their database and that's that.

I realise this may not strictly be the domain of nanog but I would think that quality of services such like senderbase, as measured in both false positives as well as their ability to act on them, would be, since many here use and depend on these services. I don't understand how or why senderbase would list unrouted address space and further give me grief over the reporting of it.

Unless the daily volume magnitude shows something 1, I would not be too worried, but accuracy counts and you won't have my business unless you can demonstrate some.

Mike-
Re: Senderbase is offbase, need some help
On Fri, Apr 16, 2010 at 6:25 PM, Mike mike-na...@tiedyenetworks.com wrote:
> I've tried to get the attention of senderbase, which is claiming activity from my address space which is in fact either un-routed or within dynamic subscriber blocks that have outbound smtp filtering in effect.

Interesting; I see similar results for my address space. Two addresses, one of which hasn't been attached to a machine for a decade and the other a virtual IP on a web server where the particular IP never emits connections. Magnitude's only 0.48 for both but still, they shouldn't even appear.

Regards,
Bill Herrin

--
William D. Herrin her...@dirtside.com b...@herrin.us
3005 Crane Dr. .. Web: http://bill.herrin.us/
Falls Church, VA 22042-3004
Re: Senderbase is offbase, need some help
On Sat, 17 Apr 2010, William Herrin wrote:
> On Fri, Apr 16, 2010 at 6:25 PM, Mike mike-na...@tiedyenetworks.com wrote:
>> I've tried to get the attention of senderbase, which is claiming activity from my address space which is in fact either un-routed or within dynamic subscriber blocks that have outbound smtp filtering in effect.
>
> Interesting; I see similar results for my address space. Two addresses, one of which hasn't been attached to a machine for a decade and the other a virtual IP on a web server where the particular IP never emits connections. Magnitude's only 0.48 for both but still, they shouldn't even appear.

I suspect a bug in their system. I checked a handful of unrouted blocks from our address space and eventually hit a /24 from which senderbase lists an IP with magnitude 0.48, but the space hasn't been routed for 13 months. They say they saw something from it on 2010-04-06...which I'd say is highly unlikely.

--
Jon Lewis | I route
Senior Network Engineer | therefore you are
Atlantic Net |
_ http://www.lewis.org/~jlewis/pgp for PGP public key_
Senderbase is offbase, need some help
Gang,

I've tried to get the attention of senderbase, which is claiming activity from my address space which is in fact either un-routed or within dynamic subscriber blocks that have outbound smtp filtering in effect. Unfortunately, senderbase refuses to acknowledge the problem in their database nor back up their claims with any evidence to the contrary other than these ips are listed in their database and that's that.

I realise this may not strictly be the domain of nanog but I would think that quality of services such like senderbase, as measured in both false positives as well as their ability to act on them, would be, since many here use and depend on these services. I don't understand how or why senderbase would list unrouted address space and further give me grief over the reporting of it.

Unless the daily volume magnitude shows something 1, I would not be too worried, but accuracy counts and you won't have my business unless you can demonstrate some.

Mike-
NEED Some HELP
Hi Nanog Members,

I've been troubleshooting this problem for a few days already but I'm still unable to fix it. I think it's now time to ask some help from Nanog members.

I cannot ping the IP on my Cisco 6509 from the internet.

Here is the setup:

*Internet*---(copper)--*GSR*(fiber)---* Cisco 6509*
This setup is NOT OK - I cannot ping

*Internet*---(copper)--*GSR*(copper)--- *Cisco 6509*
This setup is OK - I can ping (this is directly connected to the PRP2)

NOTES:
- I am using PRP2 on my GSR and the fiber is connected to the 4xGE module
- I have a default route from Cisco 6509 to GSR
- From the 6509 I can only ping the IP addresses on the GSR, addresses outside the GSR are not reachable
- From the internet, I can only ping up to the GSR
- I can ping from GSR to 6509 and vice versa
- The IP on the 6509 is configured on the interface that is directly connected to the GSR.

Thanks,
-bong
Re: NEED Some HELP
On Oct 10, 2009, at 4:12 PM, Bong Barnido wrote:
> I cannot ping the IP on my Cisco 6509 from the internet.

Quite out of the context of the connectivity issue you're trying to troubleshoot, it's in fact extremely desirable to have your 6509 (and all your routers, for that matter) unpingable from outside your own network.

The BCP is to use iACLs, CoPP, et al. to keep out all unsolicited traffic headed to, as opposed to through (like traceroute, pinging customer hosts, etc.), your network infrastructure.

---
Roland Dobbins rdobb...@arbor.net // http://www.arbornetworks.com

Sorry, sometimes I mistake your existential crises for technical insights.
-- xkcd #625
Re: NEED Some HELP
Hi Roland,

My GSR and 6509 are newly installed and no ACLs in place. You can try to ping 180.178.73.1 and 180.178.73.2.

180.178.73.1 - GSR
180.178.73.2 - 6509

I can only reach 180.178.73.1 from outside. I cannot reach 180.178.73.2 which is the IP of my 6509. Not sure if this has something to do with the hardware. I am just wondering why I can't reach 180.178.73.2. Like I said earlier in my email, I have the default route from my 6509 to the GSR.

My GE module is inserted to the GSR slot 1. Is the hw-module config required on the GSR?

Please help.

Thanks,
-bong

--

Message: 7
Date: Sat, 10 Oct 2009 16:24:35 +0700
From: Roland Dobbins rdobb...@arbor.net
Subject: Re: NEED Some HELP
To: NANOG list nanog@nanog.org
Message-ID: 0d85644f-a83f-461b-a9fb-eebf54259...@arbor.net
Content-Type: text/plain; charset=us-ascii; format=flowed; delsp=yes

On Oct 10, 2009, at 4:12 PM, Bong Barnido wrote:
> I cannot ping the IP on my Cisco 6509 from the internet.

Quite out of the context of the connectivity issue you're trying to troubleshoot, it's in fact extremely desirable to have your 6509 (and all your routers, for that matter) unpingable from outside your own network.

The BCP is to use iACLs, CoPP, et al. to keep out all unsolicited traffic headed to, as opposed to through (like traceroute, pinging customer hosts, etc.), your network infrastructure.

---
Roland Dobbins rdobb...@arbor.net // http://www.arbornetworks.com

Sorry, sometimes I mistake your existential crises for technical insights.
-- xkcd #625

--

Message: 6
Date: Sat, 10 Oct 2009 17:12:13 +0800
From: Bong Barnido bong.barn...@gmail.com
Subject: NEED Some HELP
To: nanog@nanog.org
Message-ID: 16a26ba20910100212i2158e929peef5952061315...@mail.gmail.com
Content-Type: text/plain; charset=ISO-8859-1

Hi Nanog Members,

I've been troubleshooting this problem for a few days already but I'm still unable to fix it. I think it's now time to ask some help from Nanog members.

I cannot ping the IP on my Cisco 6509 from the internet.

Here is the setup:

*Internet*---(copper)--*GSR*(fiber)---* Cisco 6509*
This setup is NOT OK - I cannot ping

*Internet*---(copper)--*GSR*(copper)--- *Cisco 6509*
This setup is OK - I can ping (this is directly connected to the PRP2)

NOTES:
- I am using PRP2 on my GSR and the fiber is connected to the 4xGE module
- I have a default route from Cisco 6509 to GSR
- From the 6509 I can only ping the IP addresses on the GSR, addresses outside the GSR are not reachable
- From the internet, I can only ping up to the GSR
- I can ping from GSR to 6509 and vice versa
- The IP on the 6509 is configured on the interface that is directly connected to the GSR.

Thanks,
-bong