Re: SEA-ME-WE-4 cut ?

"SMW4 Cable segment 1.1 cable fault A cable fault was observed on SMW4 Seg. 1.1 (Singapore - Branching Unit #1A) at 03:15GMT on 26-May. The fault point is about 46km from TUAS Singapore cable station. Services will resume upon cable repair complete. Cable ship Asean Restorer was mobilized for

Re: META: duplicate posts?

> Date: Tue, 27 May 2008 12:30:09 -0400 > From: "Jay R. Ashworth" <[EMAIL PROTECTED]> > To: nanog@nanog.org, NANOG <[EMAIL PROTECTED]> > Subject: META: duplicate posts? > > On Tue, May 27, 2008 at 11:50:50AM -0400, Jay R. Ashworth wrote: > > Date: Tue, 27 May 2008 11:50:50 -0400 > > From: "Jay R.

Re: IOS Rookit: the sky isn't falling (yet)

On Tue, 27 May 2008 11:02:32 CDT, Gadi Evron said: > On Tue, 27 May 2008, Jared Mauch wrote: > > *yawn* > > I guess we will wait for the next one before waking up, than. No Gadi. What Jared is saying is that there are exactly *ZERO* routers (for some infinitesimally small value of zero) that wil

RE: amazonaws.com?

> If the address-space owner won't police it's own property, > there is no reason for the rest of the world to spend the > time/effort to _selectively_ police it for them. Exactly!!! If an SMTP server operator is not willing to police their server by implementing a list of approved email partne

Re: IOS Rookit: the sky isn't falling (yet)

On Tue, May 27, 2008, [EMAIL PROTECTED] wrote: > There's basically 2 classes of Cisco routers out there: > > 1) Ones managed by Jared and similarly clued people, who can quite rightfully > yawn because the specter of "IOS rootkits" changes nothing in their actual > threat model - they put stuff i

RE: IOS Rookit: the sky isn't falling (yet)

> This seems like such a non-event because what is the exploit > path to load the image? There needs to be a primary exploit > to load the malware image. Hmmm. Get a job servicing/installing data centre HVAC systems, wait until you get called out to a mostly empty data center, lift some floor ti

Re: IOS Rookit: the sky isn't falling (yet)

On Tue, 27 May 2008, Gadi Evron wrote: Perhaps the above should be simplified. Running a hacked/modded IOS version is a dangerous prospect. This seems like such a non-event because what is the exploit path to load the image? There needs to be a primary exploit to load the malware image. *yaw

Re: IOS Rookit: running hacked binaries certainly places you at risk!

On May 27, 2008, at 12:02 PM, Gadi Evron wrote: On Tue, 27 May 2008, Jared Mauch wrote: On May 27, 2008, at 8:42 AM, Alexander Harrowell wrote: An alternative rootkit ? Privilege level 16 used by the Lawful Intercept [12] feature could be abused to do some of this too. Or the other way a

Re: IOS Rookit: the sky isn't falling (yet)

On Tue, May 27, 2008 at 11:13 AM, Adrian Chadd <[EMAIL PROTECTED]> wrote: > > Bloody network people, always assuming their network security stops at > their router. > > So nowthat someone's done the hard lifting to backdoor an IOS binary, > and I'm assuming you all either upgrade by downloading fro

Re: IOS Rookit: the sky isn't falling (yet)

On Tue, May 27, 2008, Chris Grundemann wrote: > > Sure, its not all fire and brimstone, but the bar -was- dropped a little, > > and somehow you need to make sure that the IOS thats sitting on your > > network management site is indeed the IOS that you put there in the > > first place.. > > Like M

unsubscribe

<>

Re: IOS Rookit: the sky isn't falling (yet)

On Tue, 27 May 2008 11:24:19 MDT, Chris Grundemann said: > Like MD5 File Validation? - "MD5 values are now made available on > Cisco.com for all Cisco IOS software images for comparison against > local system image values." That does wonders for catching a corruption in the FTP that wasn't caught

RE: unsubscribe

Really now ... why we using [EMAIL PROTECTED] instead of [EMAIL PROTECTED] Totally messed up my mail filtering system. Sometime last week people started sending TO or CC'ing [EMAIL PROTECTED] instead of [EMAIL PROTECTED] Can we go back? Thanks, mkay. Kris -Original Message- From: Delun

IPV6 network feeds

Hey all, I am looking for a IPV6 internet feed for our testing labs in Southern California, I know this is off subject but I am a little exasperated in trying to locate one. if anyone on the list knows of a provider please contact me off list. Thanks! Mike Linsenmayer Sr. Manager Labs

RE: unsubscribe

Same gripe here... -- Tim Sanderson, network administrator [EMAIL PROTECTED] -Original Message- From: Pederson, Krishna [mailto:[EMAIL PROTECTED] Sent: Tuesday, May 27, 2008 1:38 PM To: Delung Jr, Frank; [EMAIL PROTECTED] Subject: RE: unsubscribe Really now ... why we using [EMAIL PROTE

Re: IPV6 network feeds

What kind of existing connectivity do you have? Who provides your local loop? Verizon provides ipv6 connectivity according to their website. At&t most likely does as well. Charles Sent via BlackBerry from T-Mobile -Original Message- From: "Mike Linsenmayer" <[EMAIL PROTECTED]> Date

Re: IOS Rookit: the sky isn't falling (yet)

On Tue, 27 May 2008, [EMAIL PROTECTED] wrote: On Tue, 27 May 2008 11:24:19 MDT, Chris Grundemann said: Like MD5 File Validation? - "MD5 values are now made available on Cisco.com for all Cisco IOS software images for comparison against local system image values." That does wonders for catching

Re: unsubscribe

On May 27, 2008, at 1:37 PM, Pederson, Krishna wrote: Really now ... why we using [EMAIL PROTECTED] instead of [EMAIL PROTECTED] Totally messed up my mail filtering system. Sometime last week people started sending TO or CC'ing [EMAIL PROTECTED] instead of [EMAIL PROTECTED] Can we go back

RE: unsubscribe

> Subject: RE: unsubscribe > Date: Tue, 27 May 2008 10:37:35 -0700 > From: "Pederson, Krishna" <[EMAIL PROTECTED]> > To: "Delung Jr, Frank" <[EMAIL PROTECTED]>, <[EMAIL PROTECTED]> > > Really now ... why we using [EMAIL PROTECTED] instead of [EMAIL PROTECTED] > Totally messed up my mail filtering

Re: Fake-alert: VERIFY YOUR MERIT.EDU WEBMAIL ACCOUNT

On Sat, 24 May 2008 17:14:33 +0100 Graeme Fowler <[EMAIL PROTECTED]> wrote: On Sat, 2008-05-24 at 17:02 +0200, Peter Dambier wrote: I dont trust it: Quite right too, it's a spear-phishing attack. This is currently an almost daily occurrence for .edu domains. The compromised accounts are freq

Re: IOS Rookit: the sky isn't falling (yet)

On Tue, 27 May 2008 10:47:08 PDT, [EMAIL PROTECTED] said: > What you want is cisco hardware that verifies firmware signatures in > hardware. Yes, but that requires new hardware. Understanding the security risk in accepting an unsigned MD5 signature from the same place that you accepted the file

RE: unsubscribe

-- [EMAIL PROTECTED] wrote: -- From: Tim Sanderson <[EMAIL PROTECTED]> Same gripe here... ---Original Message--- From: Pederson, Krishna [mailto:[EMAIL PROTECTED] Really now ... why we using [EMAIL PROTECTED] instead of [EMAIL PROTECTED] Totally messed up my mail filtering syst

Re: unsubscribe

On Tue, May 27, 2008 at 1:55 PM, Scott Weeks <[EMAIL PROTECTED]> wrote: > Should 10,000 folks change what they do to what you ask because of that? How many of those 10,000 would need to change, let alone notice a change? I suspect the number is less than 10 (that's ten, not ten thousand). ;-)

RE: unsubscribe

Didn't even notice as my rule is set as [EMAIL PROTECTED] -Original Message- From: Jim Popovitch [mailto:[EMAIL PROTECTED] Sent: Tuesday, May 27, 2008 12:03 PM To: [EMAIL PROTECTED] Subject: Re: unsubscribe On Tue, May 27, 2008 at 1:55 PM, Scott Weeks <[EMAIL PROTECTED]> wrote: > Should 1

Re: IOS Rookit: the sky isn't falling (yet)

[EMAIL PROTECTED] wrote: > On Tue, 27 May 2008, [EMAIL PROTECTED] wrote: >> On Tue, 27 May 2008 11:24:19 MDT, Chris Grundemann said: >>> Like MD5 File Validation? - "MD5 values are now made available on >>> Cisco.com for all Cisco IOS software images for comparison against >>> local system image va

Re: IOS Rookit: the sky isn't falling (yet)

On Tue, 27 May 2008, [EMAIL PROTECTED] wrote: What you want is cisco hardware that verifies firmware signatures in hardware. Of course, how do you know your hardware hasn't been compromised? http://www.usdoj.gov/opa/pr/2008/February/08_crm_150.html

Re: Fake-alert: VERIFY YOUR MERIT.EDU WEBMAIL ACCOUNT

We never figured out how the accounts were compromised. I suspect another .edu here .. how we've seen it happen is we get blasted by one of those "verify your email account" messages. despite our countless efforts at user education about responding to this stuff, a dozen or so people always

RE: IOS Rookit: the sky isn't falling (yet)

> Like MD5 File Validation? - "MD5 values are now made > available on Cisco.com for all Cisco IOS software images for > comparison against local system image values." I would expect a real exploit to try to match Cisco's MD5 hashes. By all means, check those hashes after you download them but I

Re: [NANOG] Fiber Cut at 60 Hudson

On May 20, 2008, at 05:33, Robert Blayzor wrote: Does anyone know of any NY fiber cuts going on near/around 60 Hudson Street? I have a Level3 DIA Gig-E that's been out for almost 36 hours and each time I call them I get a different answer on what the problem is and exactly how much longer this

RE: amazonaws.com?

> From [EMAIL PROTECTED] Tue May 27 12:06:50 2008 > Subject: RE: amazonaws.com? > Date: Tue, 27 May 2008 18:08:16 +0100 > From: <[EMAIL PROTECTED]> > To: <[EMAIL PROTECTED]> > > > If the address-space owner won't police it's own property, > > there is no reason for the rest of the world to spend

Re: IPV6 network feeds

On 27 May 2008, at 17:45, [EMAIL PROTECTED] wrote: Verizon provides ipv6 connectivity according to their website. I mentioned this on another list, but if anybody has tried to actually turn the words referred to above into service, I would be very happy to hear about how they did it. A

Re: IOS Rookit: the sky isn't falling (yet)

On Tue, 27 May 2008 19:49:21 BST, [EMAIL PROTECTED] said: > > Like MD5 File Validation? - "MD5 values are now made=20 > > available on Cisco.com for all Cisco IOS software images for=20 > > comparison against local system image values." > > I would expect a real exploit to try to match Cisco's > M

Re: amazonaws.com?

On 27/05/2008 20:53 Robert Bonomi wrote: Because the _privilege_ to send packets to other networks has been, from 'day one', conditional on the presumption that the sending network _is_ a "good neighbor" to the networks receiving their traffic. You need to wake up Dorothy, this isn't Kansas any

Re: [NANOG] Fiber Cut at 60 Hudson

On May 27, 2008, at 2:47 PM, Bill McGonigle wrote: I've also heard contradictory information from Level3 reps on some of the above, so I'm not asserting any accuracy for it; so just FYI. Maybe they finally got to looking into your problem and unplugged the fiber labeled 'Vermont' by accident

Re: IOS Rookit: the sky isn't falling (yet)

Perhaps Cisco and friends should take to periodically printing MD5 checksums in full page ads in the New York Times or similar? Maybe not impossible for an attacker to replicate, but it certainly does raise the bar :) On Tue, May 27, 2008 at 3:07 PM, <[EMAIL PROTECTED]> wrote: > On Tue, 27 May 2

Re: IPV6 network feeds

> > Verizon provides ipv6 connectivity according to their website. > > I mentioned this on another list, but if anybody has tried to actually > turn the words referred to above into service, I would be very happy > to hear about how they did it. > > > At&t most likely does as well. > > The l

AT&T IPv6 Network Initialization/Assignment Contact?

Heya NANOG members, I have a client with AT&T Metro DIA services who are looking to add routable IPv6 services. We need an AT&T contact who will have the knowledge and ability to coordinate IPv6 netblock assignments and delegate static routes to the IPv6 addresses assigned. As well as provide oth

Re: IPV6 network feeds

You didn't say native was required and a tunnel might be ok for testing. Try Hurricane Electric's Tunnel Broker. Your favorite search engine will find it ie 'Hurricane Electric Tunnel Broker' IIRC. -M<. - Original Message - From: Mike Linsenmayer <[EMAIL PROTECTED]> To: [EMAIL PROT

Re: IOS Rookit: the sky isn't falling (yet)

On Tue, 27 May 2008, Sean Donelan wrote: On Tue, 27 May 2008, [EMAIL PROTECTED] wrote: What you want is cisco hardware that verifies firmware signatures in hardware. Of course, how do you know your hardware hasn't been compromised? http://www.usdoj.gov/opa/pr/2008/February/08_crm_150.html Are

RE: amazonaws.com?

> Thinking about it, I realize that > asking _you_ (an > employee of major telephone company) is a silly question -- you have a > biased viewopoint from a government-regulated monopoly Reductio ad absurdum. Needs no other reply. > "it should be obvious to the meanest intelligence" that > the m

Re: IPV6 network feeds

On 27 May 2008, at 19:19, [EMAIL PROTECTED] wrote: No comment on either Verizon or AT&T since we don't buy transit from them. However, we *do* buy transit from Global Crossing, and have had IPv6 (native, non tunneled) transit from them since at least 2004. Similarly, we have had no problems w

RE: IOS Rookit: the sky isn't falling (yet)

> If you were an attacker, which would you go with: > > 1) The brute-force attack which will require hundreds of > thousands of CPU-years. In this case an attacker would definitely go with this option. Since they can't change most of the IOS bytes because they contain IOS and the exploit, they

Re: IOS Rookit: the sky isn't falling (yet)

On Tue, 27 May 2008, [EMAIL PROTECTED] wrote: Are you buying directly from cisco or from resellers? If you are getting counterfeit hardware directly from cisco then I guess we have real problems. According to the FBI presentation, which may not be a reliable source for this topic, Cisco has ver

RE: IPV6 network feeds

> Similarly, we have had no problems with ordering v6 transit > from NTT America, Global Crossing or Teleglobe in North > America (also, Tiscali in Europe, and FLAG in Asia). In each > case v6 transit was treated as a routine provisioning > exercise, with no need for escalation to obscure grey

Oregon/Washington Comcast outage

Looks like I can't reach several of Comcast's fiber/coax customers in Oregon and Washington: grps-edge-rtr-1#trace 75.145.64.XXX Type escape sequence to abort. Tracing the route to 75-145-64-XXX-Oregon.hfc.comcastbusiness.net (75.145.64.XXX) 1 fa-6-0.grps-edge-rtr-2.visp.net (208.74.128.9)

Re: IPV6 network feeds

On Tue, May 27, 2008 at 1:37 PM, Mike Linsenmayer <[EMAIL PROTECTED]> wrote: > I am looking for a IPV6 internet feed for our testing labs in Southern > California, I know this is off subject but I am a little exasperated in > trying to locate one. if anyone on the list knows of a provider please >

Re: IPV6 network feeds

I think HE does native as well. Likely good based on their rep. Best, Marty - Original Message - From: Andrew Dorsett <[EMAIL PROTECTED]> To: nanog@nanog.org Sent: Tue May 27 20:27:42 2008 Subject: Re: IPV6 network feeds On Tue, May 27, 2008 at 1:37 PM, Mike Linsenmayer <[EMAIL P

Re: Oregon/Washington Comcast outage

As a Comcast customer in the NW, I see the same thing outbound. Traceroute to some sites die in glbx, and other sites work via other transit providers. On Tue, May 27, 2008 at 1:21 PM, Kameron Gasso <[EMAIL PROTECTED]> wrote: > Looks like I can't reach several of Comcast's fiber/coax customers in

RE: Oregon/Washington Comcast outage

Here is the reverse view from one of my systems on residential Comcast in the Everett/Mill Creek area (source is 76.121.150.xxx): Tracing route to 208.74.128.9 over a maximum of 30 hops 1<1 ms<1 ms<1 ms 192.168.254.254 2 *** Request timed out. 3 9 ms

Re: IOS Rookit: the sky isn't falling (yet)

On Tue, 27 May 2008 20:45:11 BST, [EMAIL PROTECTED] said: > > 1) The brute-force attack which will require hundreds of > > thousands of CPU-years. Millions. Not thousands. See below. > In this case an attacker would definitely go with this option. Since > they can't change most of the IOS bytes

Re: IOS Rookit: the sky isn't falling (yet)

On Tue, 27 May 2008 [EMAIL PROTECTED] wrote: On Tue, 27 May 2008 11:02:32 CDT, Gadi Evron said: On Tue, 27 May 2008, Jared Mauch wrote: *yawn* I guess we will wait for the next one before waking up, than. No Gadi. What Jared is saying is that there are exactly *ZERO* routers (for some infi

Re: IOS Rookit: the sky isn't falling (yet)

On Tue, 27 May 2008, Sean Donelan wrote: On Tue, 27 May 2008, Gadi Evron wrote: Perhaps the above should be simplified. Running a hacked/modded IOS version is a dangerous prospect. This seems like such a non-event because what is the exploit path to load the image? There needs to be a primary

REMINDER: DNS Operations Meeting, Brooklyn NY 4/5th June

This is a reminder that the OARC DNS Operations meeting takes place next Wed 4th PM and Thu 5th AM in Brooklyn NY, USA, immediately after NANOG43. The meeting will be held in Brooklyn College, NY, about 5 miles from the NANOG venue, and is open to all. Meeting information is at: http://pu

Re: IOS Rookit: running hacked binaries certainly places you at risk!

On Tue, 27 May 2008, Jared Mauch wrote: On May 27, 2008, at 12:02 PM, Gadi Evron wrote: On Tue, 27 May 2008, Jared Mauch wrote: On May 27, 2008, at 8:42 AM, Alexander Harrowell wrote: An alternative rootkit ? Privilege level 16 used by the Lawful Intercept [12] feature could be abused to d

Hurricane season starts June 1: Carriers harden networks

[...] The most common threat to communications during a severe storm is not destruction of physical infrastructure but loss of power. Individual cell sites tend to survive high winds and flooding, Walsh said. "That is a testament to the site

Re: Hurricane season starts June 1: Carriers harden networks

The official spokespeople don't mention it, but there is also a tendency for local officials to divert fuel delivery trucks for their use instead of maintaining communication facilities. Perhaps a company will get in the business of labeling trucks that normally say fuel to something like

Re: IOS Rookit: the sky isn't falling (yet)

> Date: Tue, 27 May 2008 15:46:34 -0400 (EDT) > From: Sean Donelan <[EMAIL PROTECTED]> > > On Tue, 27 May 2008, [EMAIL PROTECTED] wrote: > > Are you buying directly from cisco or from resellers? If you are getting > > counterfeit hardware directly from cisco then I guess we have real problems. >

Re: Hurricane season starts June 1: Carriers harden networks

> > > > > > The official spokespeople don't mention it, but there is also a tendency > > for local officials to divert fuel delivery trucks for their use instead > > of maintaining communication facilities. > > > > Perhaps a company will get in the business of labeling trucks that > normally

Re: IPV6 network feeds

Mike Linsenmayer wrote: Hey all, I am looking for a IPV6 internet feed for our testing labs in Southern California, I know this is off subject but I am a little exasperated in trying to locate one. if anyone on the list knows of a provider please contact me off list. My queue to spam: =

Re: Hurricane season starts June 1: Carriers harden networks

On May 27, 2008, at 6:09 PM, Tuc at T-B-O-H.NET wrote: The official spokespeople don't mention it, but there is also a tendency for local officials to divert fuel delivery trucks for their use instead of maintaining communication facilities. Perhaps a company will get in the busines

RE: Hurricane season starts June 1: Carriers harden networks

Jared nailed it on the head. It is absolutely critical to get to know who your State JFO POC is, State EOC POC, and have the National Communication Systems Hotline on speed dial or at least in your cell. They can help facilitate needs such as getting human resources from your company or mutual ai

Re: Hurricane season starts June 1: Carriers harden networks

On May 27, 2008, at 6:47 PM, Jerry Dixon wrote: Jared nailed it on the head. It is absolutely critical to get to know who your State JFO POC is, State EOC POC, and have the National Communication Systems Hotline on speed dial or at least in your cell. They can help facilitate needs such a

Re: [Outages] Oregon/Washington Comcast outage

Michael Acosta wrote: As a Comcast customer in the NW, I see the same thing outbound. Traceroute to some sites die in glbx, and other sites work via other transit providers. Looks like whatever the SNAFU between Comcast and GLBX was, it's been resolved for some time now... :) Cheers, -- Kame

RE: Oregon/Washington Comcast outage

I have a Comcast business line, and have bbeen up all day. Here is my trace to the same IP (from Bremerton WA): [EMAIL PROTECTED]:~/tmp$ traceroute 208.74.128.9 traceroute to 208.74.128.9 (208.74.128.9), 30 hops max, 38 byte packets 1 73.96.188.1 (73.96.188.1) 8.051 ms 11.888 ms 6.731 ms 2

Re: Hurricane season starts June 1: Carriers harden networks

> > > On May 27, 2008, at 6:47 PM, Jerry Dixon wrote: > > > Jared nailed it on the head. It is absolutely critical to get to > > know who > > your State JFO POC is, State EOC POC, and have the National > > Communication > > Systems Hotline on speed dial or at least in your cell. They can h

[NANOG-announce] Program Committee Nominations

Attached are all of the the current nominations to the nanog program committee. comments in support (or opposition) to any candidate can be made to the nanog steering committee [EMAIL PROTECTED] (if you submitted a nomination and you do not see it here, please notify me immediately, resend it an

AT&T BGP blackholing

Does anyone have information or a contact at AT&T with regards to setting up BGP blackholing with them? I see that the question has been asked in the past but there was no definitive answer, at least none that I could find. --Philip L.

Re: AT&T BGP blackholing

If you're a direct customer, use your MIS contact. We've used them for nearly 8 years, and I've been consistently impressed. If not, your upstream should be your first point of contact. For maintenance (e.g., prefix-list mods) they tend to take their time unless you insist on expedition; but, f

Re: AT&T BGP blackholing

As a former customer of 7018, I was unable to get anyone with enough clue who understood BGP triggered blackholing. Retries and debates with regular MIS contacts lead to nothing. Perhaps a better contact is available, but I had no luck. On 5/27/08, Philip L. <[EMAIL PROTECTED]> wrote: > Does any