Laurence F. Sheldon, Jr. wrote:
Even if the water company is sending me 85% TriChlorEthane?
Right. Got it. The victim is always responsible.
There you have it folks.
Ok.
Being responsible as network manager, if I think something is strange and neither I nor my staff
can fix it, I call for help.
Ok back to the previous premise..
Linux with an IPSEC server load..
IPSEC to the Linux box, use Telnet or ???
to connect to the routers on the management VLAN/Net
and you're done
Aside from that, use ACLs out the wazoo on the VTY lines and limit access to
that to say 1 SSH enabled router or
..and you can deploy SONET without a protect.
-and telcos usually do. but they almost always tell you it's protected.
-force them to test, or pull one side yourself. and repeat the test every
-quarter.
-randy
And if you find it is on a fiber mux-- DDM 1000, good luck..
a few years ago
-i think you only need to wait until 30 days before, not 11
-hours before.
-
-ARIN in my experience responds with reasonable promptness to
-ASN requests,
-and assuming your paperwork is in order, you really are
-worrying unnecessarily.
-
I second that..
When we multihomed, I gave the info
Well,
CERT thought it was
Jim
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Technical Cyber Security Alert TA04-111A archive
Vulnerabilities in TCP
Original release date: April 20, 2004
Last revised: --
Source: US-CERT
Systems Affected
* Systems that rely on persistent
Summary (in no particular order, well almost ;)
1. Sure do it, We will list you on RFC Ignorant,
will you give me your domain list and save me some time?
2. Forward to the holder of the domain, bouncing webmaster and listing contacts on
website in reply.
3. All Abuse to go to one
All,
My company has a large # of divisions, each with their own domain.
Currently we are maintaining hostmaster, webmaster, postmaster, security, and abuse
accounts for nearly all domains.
After our recent testing of some new spam filtering software, I am really wondering
about the operational
-Joshua Brady wrote:
- The Child you speak of caused destruction over a network, the same
- applied for the 2 hackers here who were sent over without even
- questioning the UK. If the US Government is Satan then I
-suppose I am
- going to hell, because I sure as hell support it.
-
-Do you
Look at it this way:
If Multi-homing to ensure maximum reliability was not a good thing:
why would XYZ isp do it?
Take this example:
Remember last year (or year before?) when MCI had the routing issue
on the east coast? I had a friend that had 2 T-1's to MCI, he lost all reachability
for over 5
Take a look at Kiwi-cattools. It has some great Cisco Automation ability..
Well, Cisco, Entersys, Redhat etc.
www.kiwisyslog.com
You can run commands on hundreds of devices on a schedule..
I use to pull config backups and certain reports I want directly from the
devices..
Jim
--Original
Ejay,
I found a great link some time ago:
www.dnsstuff.com
http://www.dnsstuff.com/pages/expert.htm
This one has an option to do a lookup to any public DNS server...
Pick some of the random International DNS servers and try it out..
It helped me out awhile back when an old DNS hoster still had us
-
- Why is that bad? I have no objection to giving vendors a reasonable
- amount of time to fix problems before announcing the whole.
- Or is your
- point that two days hardly seems like enough time to develop -- and
- *test* -- a fix?
HMMM,
If I was a real hacker, and I found the problem,
I wonder if Someone from Microsoft is here and will add this to an update for the
Active Directory DNS that will most likely be the user of the old addresses in
5 years.
FROM: Bill
I wonder how many systems will _still_ be trying to get to b.root-servers.net
at the old address in 5 or
-Perhaps ARIN (or others) could supply their respective portions of
-unallocated space to a common BOGON project?
-
-pt
-
Great idea..
HMM.. Rob, how about it?
Say take in BGP feed from ARIN, APNIC etc. And then use that for
redis?
Or go even farther IANA-- Could you give a feed and make
Ok, I am often outgunned and off target here.
But I have to ask this:
1. If filtering is used, as suggested by someone, what happens to the
small/mid-sized company that is multi-homed out of an ISP's
/20 or larger block? In this case, I can see an ISP with a /20
bust
hi,
I am seeing root shell attempts and SNMP (Approx 1200 in an hour)
sweeps coming from what appears to be a netops system at Sprint.
If someone from there is online, Please drop me a line offlist...
Thanks,
Jim
RFC 2182 Section 7 covers this as Randy Bush mentioned earlier..
If They do serial # updates, in a scripted manner or they just change the serial
number to 4000
let it propagate and then change to 100 something all will be fine...
The RFC above explains it well, no need to repost
Microsoft Mail server is configurable so as not to send the out of
office
emails out to the internet for the entire server..
This is an ADMIN config..
ALSO if a user goes to the out of office attendant in Outlook, they have
the option
of creating rules..
RULE #1: If from [EMAIL PROTECTED]
Move
-Must really suck to put ALL those rules on and take them off
-every time you go
-on vacation. (Yes, I'm on at least 65 mailing lists - and
-that's just the ones
-high-volume enough to warrant filtering to their own folder).
- And even if you're
-on only 4 or 5 lists, that's enough work to
If you are really just looking for changes and change comparisons, check out
Kiwi Cat tools..
www.kiwisyslog.com
This software can connect via SSH, Telnet etc, and even do non-Cisco, Linux etc..
Works good as a backup for configs...
Later,
Jim
CiscoWorks also polls the devices for
Thought this is on topic for the group with all the new
virii and new problems out there.
Would anyone here consider sending this out to all customers?
Later,
Jim
Last week at the Comdex show in Las Vegas, Computer Associates
International, Inc. (known to the world as CA) teamed up with
Google:
http://www.google.com/search?as_q=tcp+udp+41170num=10hl=enie=UTF-8oe=UTF-8btnG=Google+Searchas_epq=as_oq=as_eq=lr=as_ft=ias_filetype=as_qdr=allas_occt=anyas_dt=ias_sitesearch=safe=images
http://cert.uni-stuttgart.de/archive/incidents/2003/06/msg00130.html
It appears to be a file
On Fri, 14 Nov 2003, Suresh Ramasubramanian wrote:
Stephen J. Wilcox writes on 11/14/2003 7:16 AM:
So anyway, was discussing the cidr report at the last
nanog.. I was pointing out
that deaggregation is discouraged by the naming and
shaming and then someone
else pointed
All,
I hate to agree but he is right.
With companies like godaddy out there.
Does it make sense to pay Verislime money to fund sitefinder and our headaches?
To change this: what else can we do to prevent this? Does the last BIND version truly
break sitefinder?
Later,
Jim
--Original
--Original Message-
-From: Phil Rosenthal [mailto:[EMAIL PROTECTED]
-As long as it's provider assigned, and your provider announces the
-supernet that the /24 is from, it will still work. If you
-announce PI
-space out of the old class A space in /24's, many networks
-wont be able
IMHO, I think we should create a route-set obj like call
it... RS-DEAGGREGATES and list all the major irresponsible
providers's specific /24's in it...
CASE: Business has a /24 from X provider in order to multihome.
That /24 is de-aggregated from a /19, with this policy that
/24 may not
-
-I found one of these today, as a matter of fact. The spam was
-advertising an anti-spam package, of course.
-
-The domain name is vano-soft.biz, and looking up the address, I get
-
-Name:vano-soft.biz
-Addresses: 12.252.185.129, 131.220.108.232, 165.166.182.168,
-193.165.6.97
-
this is not without precedent..
Anyone from Cable and Wireless listening?
If I remember correctly, Cable and Wireless was blocked last year
or earlier this year by a similar ploy.
And I also seem to remember them making major
complaints over on the SPAM-L list..
Later,
J
-Original
good from ATT and Broadwing
J
-Original Message-
From: Haesu [mailto:[EMAIL PROTECTED]
Sent: Wednesday, September 17, 2003 9:46 PM
To: Henry Yen; [EMAIL PROTECTED]
Subject: Re: Route failures to behosting.com
Also accessible no problem from Qwest and Nlayer.
-hc
--
-On Thursday, August 28, 2003 4:18 PM, Matthew Crocker [EMAIL PROTECTED]
-wrote:
-
- Shouldn't customers that purchase IP services from an ISP use the ISPs
- mail server as a smart host for outbound mail?
-
-At least here in DE there are resellers of DTAG which offer DSL connections
-without
On Tue, 19 Aug 2003, Scott Weeks wrote:
- on the .pif, .scr, etc. attachments...) Maybe I was just lucky. Most
- likely, though, they did not create security zones to keep problems
- contained within certain network segments and not let them out to destroy
- other networks.
-Luck is very
-| -Original Message-
-| From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf
-Of
-| Chris Todd
-| Sent: Wednesday, August 20, 2003 12:33 PM
-| To: '[EMAIL PROTECTED]'
-| Subject: virus or hacked?
-|
-|
-| Good morning:
-| I was wondering if anyone has seen this message on a
-RBOCs (note, not ILECs) cannot move inter-lata traffic without being
-approved by PUC in each state for interstate long distance. (I believe
-this is part of 1984 MFJ).
-CLECs have no restrictions on that. Neither do non-CLEC ISPs.
---alex
I thought this only applied to VOICE traffic.
AS far
--Huh ? Where in the physics of ohms law is Hz a factor ? Having lived off
--the grid, where systems are often at max 48v, yes the wires have to be
--several 0's of gage to carry the large amperages. Much the same in A/B DC legs in
--a colo. Up the volts and the amps go down to produce the same
-So, the US Government wants to classify Sean Gorman's student project.
-The question is did Mr. Gorman's maps divulge the vulnerability in the
-East Coast power grid that resulted in the blackouts this week?
-Would it be better to know about these vulnerabilities, and do something
-about them;
ut all those SONET hubs in basements, SLC's in the burbs and such
-- they don't have generators. They have X hours of batteries. In
the fine print, it says the LEC will have a portable generator
on site before they die.
That's doable if the failure is local; say a semi taking out
a power pole.
good here thru ATT and Broadwing..
Jim
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]
Sent: Friday, August 15, 2003 10:16 AM
To: Robbie Foust
Cc: Bryan Heitman; [EMAIL PROTECTED]; [EMAIL PROTECTED]; Chris Horry
Subject: Re: microsoft.com
No problems here, UUNET
From: Scott McGrath [mailto:[EMAIL PROTECTED]
No answer on that one, However Mac OS X also includes a built in firewall.
On the configuration angle, the Microsoft ICF (Internet Connection
Firewall) blocks everything by default.
I just worked on a friends computer last night.
The XP ICF
Jack,
This is that RPC flaw in MicroSoft.
I noticed it too.. Got about 20K in 15 hours
Jim
-Original Message-
From: Jack Bates [mailto:[EMAIL PROTECTED]
Sent: Monday, August 11, 2003 4:12 PM
To: NANOG
Subject: RPC errors
I'm showing signs of an RPC sweep across one of my networks
Title: Road runner contact?
Does anyone have a good contact over at Road Runner?
I used to have one, but lost it..
Thanks,
Jim
FROM CNN website
NEW YORK (CNN) -- A major power outage simultaneously struck several large cities in
the United States and Canada late Thursday afternoon.
Cities affected include New York; Boston, Massachusetts; Cleveland, Ohio; Detroit,
Michigan; Toronto, Ontario; and Ottawa, Ontario.
OK..
I have lurked enough on this one..
$60 Billion plus for microsoft..
and 600 millions lines of code.
thousands of employee programmers...
$1 million for *NIX
less than a million lines of code.
rewritten on a whim, and source given to
millions..
Bugs will be found and squashed easier.
Less
So give up trying to control the actions of the end nodes by
destroying the edge. Make sure that complaints reach the correct
responsible person. Limit your involvement to careful excerpts from
your customer/IP-address database, or better yet, register them in
the RIR registry so that others
Jack, et al.
As a larger than average end user and what could
be called a small ISP, I really can not imagine
legitimate traffic on 135..
who in their right mind would pass NB traffic in the wild?
I dunno, maybe it is just that Old military security mindset
creeping into my brain housing group.
Jack Bates Wrote:
In the US, the pipe is limited in any number of ways in attempts to
limit how many people share their broadband with their neighbor at a
reduced rate.
Another issue is that handing out IP addresses to the home at this point
is foolish. Users, in general, can't protect
I tend to agree here.
I have noticed so many attacks etc coming from
APNIC as of recent that on our corp network we have an ACL
to block a number of APNIC blocks.
If there was a dynamic method to add null0 routes to
identified zombies, I think that would help.
IE. security company A provides a
But isn't that the purpose of NANOG?
To fix the major problems before the world knows about them.
I would much rather discuss a problem here and solve it and
tell a reporter, Yes (sir, or ma'am) the Internet community worked
together to solve the problem.. Than say, I don't it just cleared up
Paul Vixie said:
lots of late night pondering tonight.
the anti-nat anti-firewall pure-end-to-end crowd has always argued in
favour of every host for itself but in a world with a hundred million
unmanaged but reprogrammable devices is that really practical?
if *all* dsl and cablemodem plants
Interesting.
Did any of you note last month or so that
Sprint US came out with a notice that they
are no longer going to route /30 ptp
subnets unless the customer specifically
asks for it?
Could that be why 10.x.y.z is showing up here?
Sprint??? you out there?
-Original Message-
to specifically request that they not do this.
However, there was a link:
http://www.sprint.net/faq/serialip.html
That explains that you can keep using your ptp IP if you request it, but
in either case, they will no longer route their end of the IP.
On Thu, 24 Jul 2003, McBurnett, Jim wrote
Quick solution to this bug, as well as any future bug(s) replace all
routers with PCs running Zebra.
That is good until Zebra gets a bug and then someone will say
go to XYZ...
Jim
EXACTLY!!
Company A fired the wrong person. DDoS internally.
Company B has a Business partner that has VPN access,
that gets infected.
Company C has a home user that uses VPN on a cable modem.
he gets infected
Virus writers will see this and use it...
What better DDoS method is
With the idea below. What is the current opinion about upgraded switches behind a
firewall
on a private lan?
I suspect upgrade later or not at all.
But curious about other's opinions..
Later,
J
-Original Message-
From: Chris Griffin [mailto:[EMAIL PROTECTED]
Sent: Friday, July 18, 2003
got it here too..
And on 30+ publicly announced mail accounts
Hitting big.. sobig virus once again...
Jim
-Original Message-
From: Anne P. Mitchell, Esq. [mailto:[EMAIL PROTECTED]
Sent: Wednesday, June 25, 2003 11:05 PM
To: '[EMAIL PROTECTED]'
Subject: Re: Weird email messages with
Sean,
of the scans I get and have seen..
60% APNIC region
Most notably- Taiwan, China, and Korea (north)
20% RIPE
Most notable- Former Soviet Bloc nations then
Scandinavian countries...
20% ARIN/LACNIC
This is a rough estimate from the last 3 weeks...
Not sure how relevant this may be but:
Interland has recently been in a major network
move
They bought out Communitech and are in the
process of moving datacenters to the Interland
centers..
This could explain it
But they should be doing a better job of it though...
Jim
-Original
HMMM...
Well, in the US, there is even the threat of lawsuit from an Employee that
gets pornographic SPAM email... should the employer not make
efforts to block it, the employee can sue.. BUT it is the same argument..
Do we take the bad with the good? do we allow P2P when it can create security
guys.. I have a thought...
I am a charter fiber customer..
AND they use lots of 1918 address for management even some customer links.
I have seen this on all the cable providers..
unlike Sprint/MCI/ATT they don't use 100% RW on all their equipment..
then they leak because the BGP is not
, McBurnett, Jim wrote:
guys.. I have a thought...
I am a charter fiber customer..
AND they use lots of 1918 address for management even some
customer links.
I have seen this on all the cable providers..
unlike Sprint/MCI/ATT they don't use 100% RW on all their equipment..
then they leak because
Let me say this:
I am former military.. Worked in Military IT.
AND worst case situation, use www.cert.mil
Or if not that bad.. Call the public affairs officer at the branch
of service..
Tell him you need help, tell him to put you in contact with the
local Info systems type. and away u go..
I
I tell ya, what really gets me in a bad mood is when my PIX logs
show the same IP address hitting port 80 on 25 different IP's
and the time line is 2 seconds start to finish.
And then you report it, and it continues after a week every single day.
Substitute port 80 here with 1433, 139,135, and
Title: Abuse.cc ???
I just made a number of abuse complaints to a provider and then after contacting the abuse #.
I got told that they don't use abuse@ anymore. that abuse.cc is the new email address.
Correct me if I am wrong, but isn't this against RFC current practice?
I won't name
Title: AOL---
Is there anyone lurking out there from the AOL NOC?
I have an issue I need to discuss with you without the
voice mail roulette or number extension jeopardy..
Please respond off-list.
Jim
Title: AOL---
Thanks
to those that responded off-list I believe the issue has been
handled...
Jim
-Original Message-
From: McBurnett, Jim
Sent: Wednesday, April 02, 2003 8:24 AM
To: [EMAIL PROTECTED]
Subject: AOL---
Is there anyone lurking out there from the AOL
NOC? I
And to use NAT to circumvent this should be illegal. It is theft of
service. The ISP has the right to setup a business model
and sell as it
wishes. Technology has allowed ways to bypass or steal
extra service.
This law now protects the ISP. There will be some ISPs that
continue
I agree...Partially
Legal issues are important, but those below a
management level, mostly don't care..
I would not necessarily want another list to watch..
But, it sometimes gets overly consuming to look at topics I care less about...
anyway, that's my 10 cents worth.. Inflation ya know..
]
Subject: RE: State Super-DMCA Too True
JM Date: Sun, 30 Mar 2003 10:34:28 -0500
JM From: McBurnett, Jim
JM NAT-- HMMM - In my eyes that is a security precaution for the
JM ignorant.. Think of this: Joe user goes to Wally World, or
JM Staples and gets a Linksys BEFSR11 cable/dsl
, IMHO
Jim
-Original Message-
From: William Devine, II [mailto:[EMAIL PROTECTED]
Sent: Sunday, March 30, 2003 5:15 PM
To: McBurnett, Jim; 'Jack Bates'; 'Rafi Sadowsky'
Cc: [EMAIL PROTECTED]
Subject: RE: NANOG Splinter List (Was: State Super-DMCA Too True) (why
not nanog-legal
Well, if it is that big.. no IPSEC.. then I suspect Cisco, Checkpoint, and others
to stand up ASAP..
This is no right As I see it a growing percentage of companies are
moving to IPSEC VPNs and leaving dedicated ckts behind..
I can't believe that legislators would be so un-informed, and
Title: Weird...
Okay,
Here is a weird one...
69.6.32.100 - allocated by Arin accessed through Hong Kong.
H... Global Crossing? do you have a routing issue?
Anyway,
Later,
J
03/30/03 22:14:24 Fast traceroute 69.6.32.100
Trace 69.6.32.100 ...
1 10.129.32.1 40ms 50ms 30ms TTL: 0
Michael,
Do you have a packet sniff of the traffic?
Possibly a sniff of at least 1 packets?
HMMM..
I have seen some increase at our Corp DNS, but not that much...
drop me a note offlist with the sniff.. I would like to look at this..
Jim
-Original Message-
From: Support Team
Jason,
If this is important to you, check out using your W2K pro or WXP machines SMTP relay
and use it to send the mail.. It can send directly out of it to the destin server..
Since you are a CCNP I am sure you are most likely running a firewall of some kind and
little risk of you having an
One more thought:
If the company is a SPAM or other less than popular type,
I would keep a watch on SPAM-L and spamhaus.org
Look for you IP block.. Some networks flat out put
IP Access lists to block ranges for SPAM/..
J
-Original Message-
From: Daniel Abbey [mailto:[EMAIL
look at the location too... 61/8 is APNIC and 69 ARIN..
J
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Wednesday, March 19, 2003 5:02 PM
To: Stephen Sprunk
Cc: Scott Granados; Rick Ernst; North American Noise and Off-topic
Gripes
Subject: Re: 69/8 revisited
Title: Code red- Returning?
Has anyone out there noticed an increase in a Code-Red patterned virus?
I know about the Microsoft bug that came out yesterday/last night.
But I am seeing the same symptoms as Code Red,
800+ hits in the last 12 hours, from the same Class A network I am on.
The
o:
http://www.nwfusion.com/reviews/2003/0303patchrev.html
PatchLink Update Receives Network Computing Editor's Choice
Award for Patch Management
For the article go to:
http://www.patchlink.com/media_room/nwc92002.pdf
-Original Message-
From: McBurnett, Jim
[mailto:[EMAIL PROT
I think this should go here..
Mistype nanog
Jim
-Original Message-
From: Johannes Ullrich [mailto:[EMAIL PROTECTED]
Sent: Tuesday, March 18, 2003 1:10 PM
To: McBurnett, Jim
Cc: [EMAIL PROTECTED]
Subject: Re: Code red- Returning?
Yes. This month, we are tracking about twice
: McBurnett, Jim [mailto:[EMAIL PROTECTED]
Sent: Tuesday, March 18, 2003 11:38 AM
To: Marty Armstrong
Cc: [EMAIL PROTECTED]
Subject: RE: Code red- Returning?
Marty,
this would be great news, IF I wasn't the victim..
I did read the article when I got my NW Fusion
There is so much of it, I liken it to Internet background
radiation. In
fact, if I didn't see a constant stream of this (either by
accident-- SNMP
auto discovery, or design-- lets find all the 'private' routers and
switches out there) I would be more worried as my network
probably
to a web server
J
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Tuesday, March 11, 2003 8:50 AM
To: McBurnett, Jim
Cc: chuck goolsbee; [EMAIL PROTECTED]
Subject: RE: Issue with 208.192.0.0/8 - 208.196.93.0/24?
Is anyone from Alter.net lurking
After working at a CLEC for a while, I must say that
I know of very few PBXs that can do this, that the avg
customer can afford.. Of course the
BIG Lucent Definity series, maybe a few of its peers..
But the Lucent/ATT partner/Magix systems, I am nearly
positive(99.9%) they can't.. And forget
Idea #2..
CNN.com-- Put some of their content.. They would probably really enjoy
the publicity.. And that would really be an educational point..
Anybody here from there???
Jim
The suggestion of putting Yahoo or Google on a 69/8 IP led me to this
idea:
Google could put their *beta*
I saw it version of this earlier:
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#ip route clueless
No seriously..
What if that customer has a VPN design with a dial backup behind their firewall.
Using BGP to suck down a default route from the provider,
when that
SNIP
Oh, I agree that there are times when BGP is used in a single uplink
scenario, but it is not common. However, someone pointed me to
ip verify
unicast source reachable-via any which seems to be available
on some of the
cisco Service provider releases. It's an interesting concept
and I'm
From EB Dreger
I suggest a rotation like so:
Jan-Apr: 69.w.w.0
Apr-Jul: 69.x.x.255
Jul-Oct: 70.y.y.0
Oct-Jan: 70.z.z.255
where the middle two octets are predetermined ahead of time.
IIRC, some RFC recommends updating the root zone cache monthly...
following this
IIRC, some RFC recommends updating the root zone cache monthly...
following this would ensure one had proper root/gTLD addresses.
The above also would break DNS for broken networks for a two
month stretch... long enough to flush out bad rules.
You want to move things like gtld
From Chris Adams:
This isn't meant to be a pick on you (we've got some SWIPs filed
incorrectly that we are working on). I've just run into more and more
cases where ARIN (or other RIR, but I'm typically interested in ARIN
info) info is out of date. Maybe ARIN should periodically
send an
See Comments In-line below..
So I'm curious what people think. We have semi centralized
various things in
the past such as IP assignments and our beloved DNS root
servers. Would it
not also make sense to handle common security checks in a
similar manner? In
creating an authority to