Re: inauguration streams review

2009-01-24 Thread Florian Weimer
* Adam Greene: > Hi, quick question ... > > Most people here said they saw most of the inauguration traffic on > TCP1935 to Limelight and UDP8247 to CNN. However, we were seeing it > simply as "http" traffic (i.e. port 80), which made it very difficult > to manage. Our inbound bandwidth was effect

Re: Are we really this helpless? (Re: isprime DOS in progress)

2009-01-24 Thread Jon Kibler
valdis.kletni...@vt.edu wrote: > Well, we *could* hunt down the perpetrators, pool some $$, and hire 3 or 4 > baseball-bat wielding professional explainers to go explain our position to > them. Figuring out how to do so without breaking any laws is t

Re: inauguration streams review

2009-01-24 Thread Mike
On Sat, Jan 24, 2009 at 8:58 AM, Florian Weimer wrote: > * Adam Greene: > >> Hi, quick question ... >> >> Most people here said they saw most of the inauguration traffic on >> TCP1935 to Limelight and UDP8247 to CNN. However, we were seeing it >> simply as "http" traffic (i.e. port 80), which made

Re: Are we really this helpless? (Re: isprime DOS in progress)

2009-01-24 Thread J.D. Falk
Seth Mattinen wrote: Jeffrey Lyon wrote: I respectfully disagree. Network engineers have to keep up with many tasks and preventing DoS/DDoS should be the responsibility of everyone. I see more folks worried about spam than they are actual security. Back to my original question: is there reall

Re: inauguration streams review

2009-01-24 Thread Hank Nussbacher
Obama inauguration sets Web traffic record, Akamai says http://www.networkworld.com/news/2009/012109-obama-inauguration-web-traffic.html -Hank

Re: Are we really this helpless? (Re: isprime DOS in progress)

2009-01-24 Thread Seth Mattinen
J.D. Falk wrote: Seth Mattinen wrote: Jeffrey Lyon wrote: I respectfully disagree. Network engineers have to keep up with many tasks and preventing DoS/DDoS should be the responsibility of everyone. I see more folks worried about spam than they are actual security. Back to my original questi

Re: isprime DOS in progress

2009-01-24 Thread Brian Keefer
On Jan 23, 2009, at 12:20 PM, Luke Sheldrick wrote: Looks to me like the target has moved, anyone else seeing similar? It's switched again. The new target is 206.71.158.30 . Over night it cycled through several different IPs (testing the waters?), and finally started on this one around 1

Re: Are we really this helpless? (Re: isprime DOS in progress)

2009-01-24 Thread Michael Dillon
> > > But if they were in eastern Europe or Russia, wouldn't that solution be > considered standard business practice and thus be legal? > Assuming that you really believe such an outrageous statement, I went to to search for stories about people being arr

The Cidr Report

2009-01-24 Thread cidr-report
This report has been generated at Fri Jan 23 21:13:36 2009 AEST. The report analyses the BGP Routing Table of AS2.0 router and generates a report on aggregation potential within the table. Check http://www.cidr-report.org for a current version of this report. Recent Table History Date

BGP Update Report

2009-01-24 Thread cidr-report
BGP Update Report Interval: 22-Dec-08 -to- 22-Jan-09 (32 days) Observation Point: BGP Peering with AS131072 TOP 20 Unstable Origin AS Rank ASN Upds % Upds/Pfx AS-Name 1 - AS6389 90009 1.1% 20.4 -- BELLSOUTH-NET-BLK - BellSouth.net Inc. 2 - AS4323

Re: Are we really this helpless? (Re: isprime DOS in progress)

2009-01-24 Thread David Conrad
Jack, On Jan 23, 2009, at 9:34 PM, Jack Bates wrote: David Conrad wrote: Sad fact is that there are zillions of excuses. Unfortunately I suspect the only way we're going to make any progress on this will be for laws to be passed (or lawsuits to be filed) that impose a financial penalty on

Tracking the DNS amplification attacks (was: isprime DOS in progress)

2009-01-24 Thread Brian Keefer
Caveat: my PERL is _terrible_. http://www.smtps.net/pub/dns-amp-watch.pl This assumes you're using BIND. My logs roll on the hour, so I run it from cron at 1 minute before the hour. Depending on how long it takes to process your logs, you might need to tweak. -- bk CA cert: http://www.

Re: Are we really this helpless? (Re: isprime DOS in progress)

2009-01-24 Thread Mark Andrews
In message <8c5f1fec-ff51-4ba2-a762-c13bc275e...@virtualized.org>, David Conrad writes: > It would seem that as ISPs implement DPI and protocol-specific traffic > shaping, they damage the arguments that they can make claiming they > have "common carrier" status with the inherent immunities th

Re: Are we really this helpless? (Re: isprime DOS in progress)

2009-01-24 Thread Martin Hannigan
On Sat, Jan 24, 2009 at 8:01 PM, Mark Andrews wrote: > > In message <8c5f1fec-ff51-4ba2-a762-c13bc275e...@virtualized.org>, David > Conrad writes: > > It would seem that as ISPs implement DPI and protocol-specific traffic > > shaping, they damage the arguments that they can make claiming they > >

Re: Are we really this helpless? (Re: isprime DOS in progress)

2009-01-24 Thread Mark Andrews
In message , Martin Hannigan writes: > On Sat, Jan 24, 2009 at 8:01 PM, Mark Andrews wrote: > > > > > In message <8c5f1fec-ff51-4ba2-a762-c13bc275e...@virtualized.org>, David > > Conrad writes: > > > It would seem that as ISPs implement DPI and protocol-specific traffic > > > shaping, they dama

Re: Are we really this helpless? (Re: isprime DOS in progress)

2009-01-24 Thread Paul Ferguson
On Sat, Jan 24, 2009 at 6:05 PM, Mark Andrews wrote: >> BCP 38 isn't a license, it's a technique. > >There are plenty of cases in common law where as an owner >of something and you haven't taken reasonable steps to protect >or p

RE: Tracking the DNS amplification attacks (was: isprime DOS in progress)

2009-01-24 Thread Frank Bulk
I would not recommend sucking in your dns log into array, rather, read line by line and iterate over the file, line by line. Frank -Original Message- From: Brian Keefer [mailto:ch...@smtps.net] Sent: Saturday, January 24, 2009 6:50 PM To: nanog@nanog.org Subject: Tracking the DNS amplifi

massive routes hijack at AS48400, up to 6000 AS affected?

2009-01-24 Thread AKK
Hi all, Jan 24 23:20 - Jan 25 01:45 UK time, from LINX peers I have seen major performance degradation on unusually strange route to some eastern Europe countries - see MTR at the bottom of this email. If this is true, it is exactly what few people told us (and we knew) last year. Probably AS

RE: Tracking the DNS amplification attacks (was: isprime DOS in progress)

2009-01-24 Thread Roger Marquis
Frank Bulk wrote: I would not recommend sucking in your dns log into array, rather, read line by line and iterate over the file, line by line. Agreed. Python and Pytailer are particularly good tools for this application, running as a daemon and implementing

Re: massive routes hijack at AS48400, up to 6000 AS affected?

2009-01-24 Thread Danny McPherson
On Jan 24, 2009, at 9:47 PM, AKK wrote: Hi all, Jan 24 23:20 - Jan 25 01:45 UK time, from LINX peers I have seen major performance degradation on unusually strange route to some eastern Europe countries - see MTR at the bottom of this email. If this is true, it is exactly what few people

Re: isprime DOS in progress

2009-01-24 Thread Andrew Fried
I extracted all logs from one of my dns servers that reflected an "'./NS/IN' denied" message, pumped them into a database and ran a few queries. The first query shows the number of "denied" messages on my dns server, sorted by date. The amount of traffic definitely picked up on January 21st: +--