We got two of these yesterday for addresses that are not ours. One was
sort of adjacent... and seemed plausibly fat-fingered.
204.144.161.0 ≠ 204.144.151.0
We will definitely filter out anything further. Thanks for the heads-up.
On May 30, 2024, at 10:12 AM, Christopher Paul via NANOG wrote:
>
> I propose that there be a national LDAP service, with OUs for each zipcode
> (ou=20500,dc=us,dc=gov). A household could register at USPS.gov and then be
> given
> write access to a household OU ("ou=1600 Pennsylvania Ave
> NW
That postal database is especially problematic for those who live in rural
areas with no postal delivery. We need a better database system than the one
that USPS maintains because it affects a wider range of services.
Two years ago I moved to a house with no postal service, so I got a PO box in
On Tue, 05 Mar 2024 12:17 -0700, Michael Rathbun wrote:
> What I found intriguing was that I was logged out by Google Docs at the same
> moment FB logged me out. Downdetector showed a number of other supposedly
> unrelated services with large outage report spikes at roughly the same time.
I w
I can confirm we started seeing this on Nov 9th at 19:10 UTC across all markets
from a variety of sources.
If you want to filter it with ingress ACLs they need to include subnet base and
broadcast addresses in addition to interface address, so a router at
192.168.1.1/30 with a customer potentia
> We are using Okta's RADIUS service for 2fa to network gear currently,
> but looking to switch to tacacs+ for many reasons. Would prefer to
> implement tacacs+ with two-factor if possible.
tac_plus-ng from https://www.pro-bono-publico.de/projects/tac_plus-ng.html has
LDAP and PAM backends, amo
> https://www.shrubbery.net/tac_plus/
That tac_plus has python 2 dependencies and so has been removed from Debian
packages. That's not surprising given the last update was 2015 and Python 2 was
EOL in 2020: https://www.python.org/doc/sunset-python-2/
Currently I favor this one which is still b
Ooof.
https://www.freebsd.org/security/advisories/FreeBSD-SA-22:15.ping.asc
Some hope here: "The ping process runs in a capability mode sandbox on all
affected versions of FreeBSD and is thus very constrained in how it can
interact with the rest of the system at the point where the bug can occ
Precedent?
https://blog.codinghorror.com/revisiting-the-black-sunday-hack/
> Do you know if this was codified prior to 1.1.1.1 being taken over by
> Cloudflare?
Yes, I'm sure it was.
On a related note, I just discovered a NID that has 1.1.1.1 assigned to the
outband interface by default, and it is apparently not user modifiable. So, not
only can these devices never use 1.1.1.1 for name resolution, but attempts to
determine "is the circuit up" by pinging it will always return
> What else is like that and easy to remember and isn’t 1.1.1.1 ?
4.2.2.1, which IIRC predates both 8.8.8.8 and 1.1.1.1.
Muscle memory still favors it. I think 4.2.2.2 might be anycast the same but
never really looked hard at it.
Anyone swinging a clue-by-four is going to hit Meraki real hard.
https://community.meraki.com/t5/Switching/Switch-Constantly-Pings-8-8-8-8/m-p/31491
I can confirm this issue exists at several sites in the Denver area with this
same IPSEC issue, all routing between Level3/Lumen and Comcast.
I was told by one customer that it resolved late yesterday afternoon but I
haven't been able to confirm that.
Mike
-Original Message-
From: NAN
Nick Hilliard wrote:
> forgot to re-sign the zone on dlv.isc.org or forgot to remove
> dnssec-lookaside from the config?
>
> Not kidding here. People need to take responsibility for their
> configurations.
Anyone running BIND provided with CentOS 6 has a release from ~2012 (bind
9.8.2) and it
> In any regard, <1 Gbps is pretty piss poor for an amplification attack too.
We've observed a customer receiving relative low volume attacks in the last
week (so low they didn't trigger our alarms).
My working theory is that with the Dec 3rd release of Halo Reach for PC, there
are gamers attem
Question: is anyone who is currently suffering this issue also doing 1:many
NAT? Or running a proxy server that might cause multiple clients to all appear
from the same IP address? I believe NAT might be the cause of one of our
customer's complaints wrt content provider blocking.
Dylan Ebner wrote:
> Does anyone know if it is the policy of Qwest (or ISPs) to have lower
> uptime metrics for BGP customers or am I just experiencing lots of
> downtime with an ISP that is known for having lots
> of problems?
We do BGP to Qwest Internet and they've been as reliable as any oth
William McCall wrote:
I should have clarified. Third party physical control isn't necessarily the
issue, but third party administration and delivery (in the context of
twitter) is.
Dedicated servers are cheap and you can maintain control of the content.
But useless if the customer's data conn
Suresh Ramasubramanian wrote:
If your email and phone communications are down due to a connectivity
break, and your customers get connectivity from you [assume no backup
links, by default .. you'd be surprised at how many smaller customers
get by with a single link and no backups at all. If the
We're experimenting with Twitter as a means to communicate anytime there
are system-wide outages (in addition to regular maintenance
notifications). Adoption is slow but I foresee growth once we really get
the word out.
Being a data and VoIP provider, certain events can affect both email and
Shane Ronan wrote:
Very simple, just do it.
Ha! We have some legacy IP space in continuous use here at ASN13345 for
over 12 years now that was recently "revoked" for a few weeks (only to
be later restored via a transfer once the exact definition of
"ownership" in a member-owned cooperative wa
Paul Ferguson wrote:
Most likely SQL injection. At any given time, there are hundreds of
thousands of "legitimate" websites out there that are unwittingly harboring
malicious code.
Most of the MS-SQL injection attacks we see write malicious javascript
into the DB itself so all query results i
chandrashakher pawar wrote:
We are a level one ISP. One of my customers is connected to Fast Ethernet.
His link speed is 100,000 kbps. While downloading anything from the net, his
download speed does not go above 200 kbps.
While doing multiple downloads he gets around 200 kbps in every window. But
when he cl
Deepak Jain wrote:
I don't mean to jump in here and state the obvious, but wireless links are
not a panacea. At least a few folks have presented that fiber grooming has
affected their *region*. It's not difficult to imagine that wherever the
"head" link side (or agg point) of these regional wire
Joe Greco wrote:
My point was more the inverse, which is that a determined, equipped,
and knowledgeable attacker is a very difficult thing to defend against.
"The Untold Story of the World's Biggest Diamond Heist" published
recently in Wired was a good read on that subject:
http://www.wired
Rod Beck wrote:
Hold on. Who says this sabotage?
By the time the second plane hit WTC, intent was apparent. I think in
this case intent is also apparent based on proximity (and the previously
mentioned reward AT&T has posted for the capture of "vandals").
Mike
Subba Rao wrote:
> Can someone explain why Nipper is saying "Rlogin is enabled" when
> I do not see it in the configuration file? Is there something
> else that I need to be looking at?
It's been my experience that the routers are all listening on that port
by default, and we notice it as a re
Within an hour of making this post I received a call from a very helpful
engineer at Earthlink. The problem has been identified and a resolution
is in the works.
Mike
Mike Lewinski wrote:
One of our mail servers can't talk to any of the earthlink MX servers
and after two weeks of trying
k this from the other angle. All she got was "Earthlink has been
blocking port 25 for years, you should know this by now!"
Mike Lewinski
--
m...@rockynet.com
POTS: 303-629-2860
INOC-DBA: 13345*mjl
valdis.kletni...@vt.edu wrote:
You *do* realize that "has a public address" does not actually mean that
the machine is reachable from random addresses, right? There *are* these
nice utilities called iptables and ipf - even Windows and Macs can be configured
to say "bugger off" to unwanted traff
Joe Greco wrote:
A quick scan of the reverse mapping for your address space in DNS reveals
that you have basically your entire network on public addresses. No wonder
you're worried about portscans when the printer down the hall and the
receptionist's machine are sitting on public addresses. I th
Jack Bates wrote:
Just to reconfirm. The issue arrives with sending an update, not
receiving? So if an ISP does not have a limit and their IOS cannot
handle this, they will send an invalid BGP UPDATE to the downstream
peers causing them to reset regardless of their max as-path settings?
Just
German Martinez wrote:
Workaround: Configure the bgp maxas limit command in such
a way that the maximum length of the AS path is a value below 255. When the
router receives an update with an excessive AS path value, the prefix is
rejected and the event is recorded in the log.
This workaround has
There are issues between Google and Comcast in the Denver area for at
least the last 12 hours. Pages are sporadically stalling before load
(indefinitely as far as I can tell). I found a gmail message I'd sent
more than 30 minutes prior still processing. This is affecting all
google services tha
David W. Hankins wrote:
On Thu, Oct 30, 2008 at 03:55:01PM +, Andy Davidson wrote:
Do you think that industry should be working to some kind of well supported
/ worldwide flag day when lots of popular resources add v6 records at the
same time ?
This is a sound evolutionary tactic lemmings
Jon Lewis wrote:
Yeah...prepending isn't a big deal...but when someone prepends their own
AS 70+ times, I wonder WTF they're thinking.
I'm sure they get the attention of NOCs around the world as messages
like this show up on consoles
Oct 22 04:34:05 MDT: %BGP-6-BIGCHUNK: Big chunk pool req
Chaim Rieger wrote:
Steve Church wrote:
Who's the hot chick in the bottom right corner?
S
that's my sis, want her number?
While today may be international CAPS LOCK DAY (http://capslockday.com),
I believe off-topic posting day was last Thursday.
Crist Clark wrote:
9) Turn off DNS services at old-dns1 and old-dns2 (i.e. take out
the firewall rules that allow queries to those addresses).
10) ...
10) Use one of the various sanity checking sites to validate some
subset of your hosted domain configurations.
We used to like http://www.
Patrick W. Gilmore wrote:
Anyone have a foolproof way to get grandma to always put "https://" in
front of "www"?
Some tests from my home Comcast connection tonight showed less than
desirable results from their resolvers.
The first thing I did was to double check that the bookmarks I use wh
Joe Greco wrote:
So, I have to assume that I'm missing some unusual aspect to this attack.
I guess I'm getting older, and that's not too shocking. Anybody see it?
AFAIK, the main novelty is the ease with which bogus NS records can be
inserted. It may be hard to get a specific A record
(www.
Paul Wall wrote:
Isn't that what a routing loop is, when it loops back out to the
transit/interface from which it entered?
Of course.
I think the sensitivity comes in as to whether the diagnosis "routing loop"
is one of cause or effect.
I.E.
"this routing loop appears to show a network pro
Aaron Glenn wrote:
I think it should be clear to those posting here as a last ditch
effort that they should certainly outline the steps they've already
taken -- basically justifying their post to NANOG: "I tried X, waited
Y, got Z, and now I'm here"
To give an example:
http://mailman.nanog.or
I'm very happy to report that my post here found the necessary
clue-holders and resolved both the lame DNS and stale email
configuration issue.
Also, one important followup wrt the whois for their ASN query:
Finally, as an additional note, the whois delegation for their ASN seems
to be broken
We're having some difficulties getting a lame DNS delegation and old
email hosting configuration removed from Cbeyond's servers. According to
their front line tech support "We cannot work on something we do not
host no more".
Jared's NOC list doesn't have anything on them, nor do they appear
Sean Donelan wrote:
1. Separate your authoritative and recursive name servers
2. Recursive name servers should only get replies to their own DNS
queries from the Internet, they can use both UDP and TCP
We've just completed a project to separate our authoritative and
recursive servers and I h
Mike Lewinski wrote:
The TCP/IP stack in Windows XP is broken in this regard, possibly in
Vista as well, though I've yet to have the displeasure of finding out.
A co-worker confirms that his Vista SP1 can access our .255 router via SSH.
David Hubbard wrote:
I remember back in the day of old hardware and operating
systems we'd intentionally avoid using .255 IP addresses
for anything even when the netmask on our side would have
made it fine, so I just thought I'd try it out for kicks
today. From two of four ISP's it worked fine,
Jon Kibler wrote:
UDP is used for queries.
TCP is used for zone transfers.
If my server responded to TCP queries from anyone other than a secondary
server, I would be VERY concerned.
That is a common, but incorrect, assumption.
DNS responses that are larger than the MTU of a single UDP pack
David Coulson wrote:
> Depends - It doesn't help if the DNS server is dead, but the front-end
> is still advertising the routes.
Possibly a good argument for allowing the DNS servers to originate the
routes for them...? I've seen configuration where the routes were
injected based on link state
Frank Bulk wrote:
Q> Does Yahoo! use "greylisting" to reject messages?
A> No.
The most commonly understood form of "greylisting" is where an
SMTP server will reject every message the first time it is
attempted, and then accept it if the sending server retries
later. The theory is
Barry Shein wrote:
Is it just us or are there general problems with sending email to
yahoo in the past few weeks? Our queues to them are backed up though
they drain slowly.
I know that Yahoo does greylisting, and we often have a large queue
backup as a result of mailing lists with a lot of @y
Geo. wrote:
Guys, according to wikipedia over 70 million people fileshare
http://en.wikipedia.org/wiki/Ethics_of_file_sharing
That's not the fat man, that's a significant portion of the market.
Demand is changing, meet the new needs or die at the hands of your
customers. It's not like you hav