Lane Patterson wrote:
> While I agree that publicly open route-views routers should not allow
> display of "sho ip bgp nei" information, this is only giving away 4-tuple
> info regarding non-production BGP sessions, right? So folks could
> potentially flap the route-views sessions, but this will
Paul Jakma wrote:
> On Wed, 21 Apr 2004, Iljitsch van Beijnum wrote:
>
> > On 21-apr-04, at 21:17, Paul Jakma wrote:
> >
> > > > I'm not recommending this for "small" peers as the crypto DoS risk
> > > > is worse than what happens when the attack is executed
> > > > successfully.
> >
> > > Why wo
It's not the general case, however...
Some looking glass CGIs (in some cases, into production routers)
permit "sh ip bgp nei " -- try typing "sum" and then "nei x.x.x.x"
into the "show ip bgp" box on a looking glass CGI, or using the
command on a route server with CLI access.
This gives you:
Lo
Michael,
> > David Luyer wrote:
> > Have done around 100 of these in the past 24 hours. It's
> > not related to platform AFAIK - we've successfully done
> > the changes on a lowly 2651 and 3620 without outages, but
> > a 7200 with older IOS did have an
Michael Py wrote:
> Christopher / Patrick,
>
> > Christopher L. Morrow wrote:
> > I wasn't clear and for that I'm sorry. Except in the later
> > code trains, or until the recent past (1 year or so) changing
> > the BGP MD5 auth bits required the session to be reset.
>
> Then I'm the one sorry be
> > A significant number of BGP sessions will be with a source
> > port of 11000, 11001 or 11002; BGP sessions are generally
> > quite stable and Cisco routers start the source port at
> > 11000. So attackers could cause enough disruption just
> > targeting these three source ports. The other th
> You missed the "(assuming the attacker can accurately guess both
> ports)" part.
>
> This is BY NO MEANS a given. In fact, it is pretty much guaranteed to
> not be a given on any router which has not recently been rebooted. (Or
> at least that the attacker doesn't know has been recently reboo
> (Yes, that's an operational issue - if they are harvesting and selling a
> list of known-good From: addresses on misrouted mail, this will eventually
> end up adding to spam - and that's operational)
Site Finder on its own added to spam; spam volumes increased as the number
of "sender domain d
Luke Starrett wrote (quoting me):
> > PXF is found in the 7400 (old) and 7300 (newer) series.
>
> Not true. 7401 has a PXF. It's essentially an NSE-1 with GE/IO in a
> pizza box. 7301 is based on the NPE-G1 and doesn't have a PXF anywhere
> in sight.
OK, more precisely (I did refer to the r
On Fri, Jan 30, 2004 at 03:29:41PM -0200, Rubens Kuhl Jr. wrote:
> > * The 7206VXR prior to the NPE-G1 could only do around 560Mbps
> > per bus typically, due to PCI limitations.
>
> Which usually was not a problem with i-mix traffic or ddos-traffic, because
> pps limitation would hit soo
Michel Py wrote:
> My limited experience with the 7206
> says that it might eventually be able to push _one_ gig from one PA to
> another, but not aggregate: say you have 4 or 5 OC3s aggregating into a
> GigE with some ACLs (which would run distributed on a 7500) I don't
> think that even the NPE-
Christopher Wolff wrote:
> Several weeks ago there was a lively debate on Nanog regarding cisco
> performance, if I recall correctly, one party indicated that they upgraded
> from a 7206 NPE400 to a GSR and only saw a 30% improvement in CPU
> utilization. That's a lot of bling bling for 30%...
E
> This lovely little worm will start beating on the door at www.sco.com come
> Feb 1/04. Interesting huh?
Wonder if we should all be proactive to prevent the DoS attack,
and drop the A records for www.sco.com now? Just in case any
customers' clocks are set forward ;-)
This virus, so far, has be
Daryl G. Jurbala wrote:
> I guess that means vendor C has no excuse on the 7200 VXR
> series (and I believe a few of the newer models). But I
> still don't see anthing fantastically IPv6 happening there.
The 7206VXR (along with all 7200/7400) supports IPv6
in IOS 12.2S, 12.2T and 12.3.
12.2S is
Petri Helenius wrote:
> The inventors of tag-switching^H^H^H^H^H^H^H^H^H MPLS seem to be
> firm believers in that if they donĀ“t deliver the goods, the world will
> stand still and wait.
And of course you can tag^H^H^Hlabel switch IPv6 through a non-IPv6-aware
core, it just breaks traceroute (as e
> > But not to be a pest but what are the odds
> > the IANA would ever allocate the 1 and 100
> > nets to someone?
>
> 99%
I can't imagine 100.0.0.0/8 remaining reserved - there's nothing
particularly special about it (100=0x64... a number which represented
in hex has digits which form a power o
> Does anyone know of case studies of companies collapsing
> multiple ASes
> into one on their network? I have the Allegiance Telecom
> presentation from
> NANOG 27 but I would like to hear how other people have done
> it as well.
We have to date collapsed 6 AS numbers into 1.
Approach was
Stephen J Wilcox wrote:
> On Wed, 12 Mar 2003, David Luyer wrote:
> > Iljitsch van Beijnum wrote:
> > > On Tue, 11 Mar 2003, Owen DeLong wrote:
> > >
> > > > In short, it doesn't. Longer answer, if the ISP configures
> > > >
Iljitsch van Beijnum wrote:
> On Tue, 11 Mar 2003, Owen DeLong wrote:
>
> > In short, it doesn't. Longer answer, if the ISP configures
> > his router correctly, he can actually refuse to accept
> > advertisements from other sessions that are longer versions
> > of prefixes received through this
Iljitsch van Beijnum wrote:
> So if the router uses tunnel mode (as per the RFC) despite the GRE
> tunnel the packet has three IP headers... So that's 160 bits ethernet
> layer 1 + 18 bytes ethernet layer 2 overhead, 24 bytes for the GRE
> tunnel, 20 bytes for the IPsec tunnel mode IP header, 10
David Moore <[EMAIL PROTECTED]> wrote:
> So actually thinking about this a bit more, our numbers count from
> when single well connected or a set of less well connected hosts
> are infected. If a single (or small number) of infected machines
> were on slow links (dsl/cable modem/etc) it
y also require keeping of
the proxy logs. I don't know if it's still the case, but it used to
be that Singapore had a "banned list" for the proxies and China took
things to a further extreme by having an "ok sites list" rather than
a "banned list".
David.
--
Iljitsch van Beijnum <[EMAIL PROTECTED]> wrote:
> But not allowing BGP -> IGP -> BGP might be a good one. On the other hand,
> someone who is determined to screw up could do BGP -> IGP on one router
> and IGP -> BGP on another.
I've seen that done. And usefully. The case involved an AGS+ (BGP
> |I'm looking to improve my connectivity into the AP region, in
> |a cost effective [i.e. for as little as possible :-)]. I have
> |ruled out buying transit as it doesn't help the issue that I'm
> |trying to resolve, so I was wondering if there was a location/IXP
> |in the AP region that would
> I have tended as of late to avoid using the term "class
> A/B/C". Too many
> people at my job do not understand the meaning and make
> themselves look
> stupid. I have instead resorted to using mask be it a /24 or a /27 aka
> "slash 27" it seems to work well with the people who have some
> ex
jnelson wrote:
> Bogon lists? How effective are they? DDoS scripts are abundant to
> those who seek them. Am I going to reep any rewards by taxing my
> edge routers an extra 25 lines of ACL?
If you're using 'access-list compiled', you're not adding any load
whatsoever, since there should be an
Something looks wrong here:
; host ns.eu.sun.com
ns.eu.sun.com A 192.18.1.3
; wget -q -O- http://www.cymru.com/Documents/bogon-dd.html | grep '192.18'
192.18.0.0 255.254.0.0
192.18.0.0 255.254.0.0
192.18.0.0 0.1.255.255
192.18.0.0 0.1.255.255
The bogon list references rfc2455 as
> when this situation has existed in other industries, gov't intervention
> has always resulted. even when the scope is international. i've not
> been able to puzzle out the reason why the world's gov'ts have not
> stepped in with some basic interconnection requirements for IP carriers.
Some g
Scott Francis wrote:
> On Fri, Jun 21, 2002 at 03:37:56PM -0400,
> [EMAIL PROTECTED] said:
> > Hi,
> >
> > How important is the phone to you? I mean, given some situation that
> > arises, can we solve it without the phones?
>
> If the network is down, the phone is critical. For any
> complica
istry. Consult
ARIN, APNIC, RIPE, etc for IP space ownership details. Any RADB
member can register pretty much any route/AS pair and many members
don't bother to put real details when it comes to owner of the route,
etc (putting the ISP instead of the c
255.0 255.255.0.0 0.0.255.0
(might look less clear than a prefix list when you start wanting to
let them permit say /19 thru /22, but then, router configs come from
automated systems now, right? :-))
David.
--
David Luyer Phone: +61 3 9674 7525
Network Dev
o be able to prevent exceeding the limit and reset or restrict prefixes
on your side, so you can fix the problem without having to contact all
your peers and upstreams if something does go majorly wrong.
David.
--
David Luyer Phone: +61 3 9674 7525
Network Developmen
Stephen J. Wilcox wrote (to Ruomei Gao):
> I think your mistaken to believing the Internet is structured and
> organised in some way! :)
The internet was an experiment to design a network resiliant to attack,
seeing as www.gov.ps has gone offline when Palestine was attacked, the
experiment is
> What would work better/faster?
>
> my-noc -> b0rken-noc
>
> or
>
> my-noc -> my-upstream-noc -> b0rken-noc-upstream-noc -> b0rken-noc
>
> ?
OK, rant time (blame the easter long weekend... a 4 day weekend down
here... and associated excessive alcohol)...
General comment: the below isn't m
ven unable to directly communicate, but the good TCP stack in the
middle can
communicate to both of the dodgy TCP stacks at either end as well as
providing
a good window size to receive from the server and splitting the latency
in
half on each TCP connection leg a
35 matches
Mail list logo
