As I think as we all know the deficiency is the design of the DNS system overall.
No disrespect to anybody, but lots of companies make money off of the design
deficiencies and try to position themselves as offering 'value add services' or
something similar. Basically they make money because the
On Mar 27, 2013, at 10:11 PM, Michael DeMan wrote:
> As I think as we all know the deficiency is the design of the DNS system
> overall.
One of the largest DDoS attacks I've witnessed was SNMP-based, walking entire
OID sub-trees (with spoofed source addresses) across thousands of CPEs that
defa
On (2013-03-27 22:27 -1000), David Conrad wrote:
> One of the largest DDoS attacks I've witnessed was SNMP-based, walking entire
> OID sub-trees (with spoofed source addresses) across thousands of CPEs that
> defaulted to allowing SNMP queries over the WAN interface. "Oops". Topped out
> around
I think this would be a good time for me to quote the best thing
I've ever read on NANOG:
If you give people the means to hurt you, and they do it, and
you take no action except to continue giving them the means to
hurt you, and they take no action except to keep hurting yo
Dear James, all,
On 3/27/13 1:49 PM, James Smith wrote:
Getting reports from a third party vendor that there's been a line
cut in the Mediterranean that is affecting some Internet traffic.
Anyone have any details?
a view from RIPEstat (interface to the routing data collected by RIS /
RIPE NC
> If you are doing strict BGP prefix-filter, it's either very easy to
> generate ACL while at it
Yes and that is exactly what needs to become a habit for all the operators.
We all do care what our neighbors advertise to us or what prefixes we accept
from them.
But only a few really do care whether
So we all have heard the breathless news reports of how the recent
urinating contest between Spamhaus and a butthurt ISP was the "biggest
in history".
Where would you guys put it, if measured as "percent of total worldwide
available Internet bandwidth/resources"? My gut feeling is that by that
me
It's interesting, this just came up on gizmodo. As I said in another
forum, take it for what it's worth:
http://gizmodo.com/5992652/that-internet-war-apocalypse-is-a-lie
Cheers,
Harry
On 03/28/2013 09:23 AM, Valdis Kletnieks wrote:
> So we all have heard the breathless news reports of how the re
On Thu Mar 28, 2013 at 09:29:04AM -0400, Harry Hoffman wrote:
> It's interesting, this just came up on gizmodo. As I said in another
> forum, take it for what it's worth:
>
> http://gizmodo.com/5992652/that-internet-war-apocalypse-is-a-lie
And there's a (semi-)public response from one of Cloudfar
On Mar 28, 2013, at 8:29 PM, Harry Hoffman wrote:
> http://gizmodo.com/5992652/that-internet-war-apocalypse-is-a-lie
Yes and no.
There's been quite a bit of exaggerated (and unhelpful, IMHO) hype around this
entire episode from the outset; by the same token, the attacks did produce
non-inco
On Thu, Mar 28, 2013 at 8:20 AM, Adam Vitkovsky wrote:
> It's a pity that rpf is not "on" by default for interfaces over which the
> ebgp session is configured.
Hi Adam,
Considering that's one of the key scenarios for which RPF is known to
NOT WORK reliably, I would have to disagree with that st
On Mar 28, 2013, at 9:29 AM, Harry Hoffman wrote:
> It's interesting, this just came up on gizmodo. As I said in another
> forum, take it for what it's worth:
>
> http://gizmodo.com/5992652/that-internet-war-apocalypse-is-a-lie
I can't comment in detail, but there are some "lost in translation
On Mar 28, 2013, at 7:20 PM, Adam Vitkovsky wrote:
> It's a pity that rpf is not "on" by default for interfaces over which the
> ebgp session is configured.
As has been noted here and on cisco-nsp several times, unfortunately, there are
too many instances in which enabling uRPF automagically w
You should get yourself a lawyer.
This is what happened the last time someone from this community
attempted to report a security/data breach issue to a mobile provider:
http://en.wikipedia.org/wiki/Weev
Drive Slow,
Paul Wall
On 3/27/13, nick hatch wrote:
> Hi all,
>
> I just discovered a somewh
On 28/03/2013 13:41, "Jared Mauch" wrote:
>If you look at externally observable data, something surely happened at
>LINX on the 23rd:
>
>https://stats.linx.net/cgi-pub/aggregate/week
Yes, the polling server couldn't reach one of the networks - remember that
there are two networks at LINX.
I can
Surely the question is what was the impact?
If I had just installed 3 new 100G links the day before then it's going to
be a lot bigger than if I didn't have them.
In my view this was a minor blip, but very well sniper rifled at
Cloudflare - they have a lot of pissed off customers looking the blo
Yes I see now I have worded it miserably :)
What I had in mind was an eBGP session to a stub site / single-homed
customer.
Now that I think about it I believe it could have been "on" by default on
all the router interfaces and would have to be turned off manually (or
automatically if mpls is enabl
On Thu, Mar 28, 2013 at 10:51 AM, Adam Vitkovsky wrote:
> What I had in mind was an eBGP session to a stub site / single-homed
> customer.
Hi Adam,
"Single homed stub site" is not a configuration option in any BGP
setup I'm aware of, so how would the router select RPF as the default
for a single
In a message written on Thu, Mar 28, 2013 at 11:39:45AM -0400, William Herrin
wrote:
> "Single homed stub site" is not a configuration option in any BGP
> setup I'm aware of, so how would the router select RPF as the default
> for a single-homed stub site?
I'm not sure if this is what the OP was
- Original Message -
> From: "Paul Ferguson"
> As I mentioned on another list earlier today, let's face it -- this is
> going to require a large-scale, very public, and probably multi-year
> education & awareness effort (as if 13+ years isn't enough already!).
>
> How long did it take to
Once upon a time, Leo Bicknell said:
> The feature I would like is to set the _packet filter_ based on the
> _received routes_ over BGP.
On JUNOS, you can use
routing-options {
forwarding-table {
unicast-reverse-path feasible-paths;
}
}
to get that behavior (although it is a gl
In the current BCP38/DDoS discussions, I've seen a lot of people suggesting
that it's practical to do ingress filtering at places other than the edge.
My understanding has always been different from that, based on the idea
that the carrier to which a customer connects is the only one with which
t
- Original Message -
> From: "Simon Lockhart"
> And there's a (semi-)public response from one of Cloudflare's
> upstreams:
>
> http://cluepon.net/ras/gizmodo
Money quote:
"""
In defense of the claims in other articles, there is a huge difference
between "taking down the entire Internet"
On Thu, Mar 28, 2013 at 12:19 PM, Leo Bicknell wrote:
> If you think about a simple multi-homing situation where a person
> has their own IP space, their own ASN, and connects to two providers
> they will announce all of their routes to both providers.
>
> The feature I would like is to set the _p
is there a clear understanding of "the edge" in the network operations
community? in a simpler world, it was not that difficult, but interconnect
has blossomed and grown all sorts of noodly appendages/extensions. I fear
that edge does not mean what you think it means anymore.
/bill
On Thu,
On Thu, 28 Mar 2013 17:16:48 -, bmann...@vacation.karoshi.com said:
>
> is there a clear understanding of "the edge" in the network operations
> community? in a simpler world, it was not that difficult, but interconnect
> has blossomed and grown all sorts of noodly appendages/extensions. I f
On Thu, Mar 28, 2013 at 1:07 PM, Jay Ashworth wrote:
> My understanding has always been different from that, based on the idea
> that the carrier to which a customer connects is the only one with which
> that end-site has a business relationship, and therefore (frex), the only
> one whom that end-
On Thu, Mar 28, 2013 at 01:47:45PM -0400, valdis.kletni...@vt.edu wrote:
> On Thu, 28 Mar 2013 17:16:48 -, bmann...@vacation.karoshi.com said:
> >
> > is there a clear understanding of "the edge" in the network operations
> > community? in a simpler world, it was not that difficult, but inter
In a message written on Thu, Mar 28, 2013 at 01:10:53PM -0400, William Herrin
wrote:
> Since you've configured a prefix list to specify what BGP routes
> you're willing to accept from the simple multihomed customer (you
> have, right?) why set a source filter from the same data instead of
> trying
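The uRPF behaviour argued over in the messages above (Herrin on strict RPF not working reliably on eBGP interfaces, the Junos feasible-paths knob, and Bicknell's idea of deriving the packet filter from the same prefix list that filters the customer's BGP routes), modelled as an added example; this is not code from any poster or from NANOG. The RIB, interface names and prefixes are constructed, the ACL syntax is assumed to be Cisco IOS extended-ACL style, and the default route is treated as never satisfying uRPF (the usual router behaviour without allow-default).

```python
"""
Added example (not from any NANOG post): a toy model of uRPF strict,
feasible-paths and loose mode, plus a BCP38 ingress ACL rendered from the
same prefix list that filters a customer's BGP announcements.
The RIB, interface names and prefixes are constructed for illustration.
"""
import ipaddress

# Constructed RIB: prefix -> (active next-hop interface, all feasible interfaces).
# AS64496 (192.0.2.0/24) is dual-homed to us on ge-0/0/1 and ge-0/0/2 and
# announces the prefix on both sessions; BGP picks ge-0/0/1 as best.  It may
# still send us packets on ge-0/0/2 (asymmetric routing), which is the case
# where strict uRPF on an eBGP interface drops legitimate traffic.
RIB = {
    "192.0.2.0/24":    ("ge-0/0/1", {"ge-0/0/1", "ge-0/0/2"}),
    "198.51.100.0/24": ("ge-0/0/3", {"ge-0/0/3"}),   # single-homed stub customer
    "0.0.0.0/0":       ("ge-0/0/0", {"ge-0/0/0"}),   # default route towards upstream
}


def lookup(src):
    """Longest-prefix match of src against RIB -> (network, active_if, feasible_ifs) or None."""
    addr = ipaddress.ip_address(src)
    best = None
    for prefix, (active, feasible) in RIB.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, active, feasible)
    return best


def urpf(src, ingress_if, mode="strict"):
    """True if a packet from src arriving on ingress_if passes the uRPF check.

    strict   -- the *best* route for src must point back out ingress_if
    feasible -- any feasible (non-best) path out ingress_if is accepted
                (Junos: unicast-reverse-path feasible-paths)
    loose    -- a route for src merely has to exist, via any interface
    Assumption: the default route never satisfies the check (no allow-default).
    """
    hit = lookup(src)
    if hit is None:
        return False
    net, active, feasible = hit
    if net.prefixlen == 0:
        return False
    if mode == "loose":
        return True
    if mode == "strict":
        return ingress_if == active
    if mode == "feasible":
        return ingress_if in feasible
    raise ValueError(f"unknown uRPF mode {mode!r}")


def ingress_acl(name, prefixes):
    """Render a static BCP38 ingress filter from the customer's authorized prefixes.

    Assumed Cisco IOS extended-ACL syntax ('permit ip <net> <wildcard> any').
    The input is the same prefix list the inbound BGP prefix-list is built
    from, so route filter and source filter stay in sync by construction.
    """
    lines = [f"ip access-list extended {name}"]
    for prefix in prefixes:
        net = ipaddress.ip_network(prefix)
        lines.append(f" permit ip {net.network_address} {net.hostmask} any")
    lines.append(" deny ip any any log")
    return "\n".join(lines)


def acl_permits(prefixes, src):
    """What the ACL above does to one packet: permit only authorized sources."""
    addr = ipaddress.ip_address(src)
    return any(addr in ipaddress.ip_network(p) for p in prefixes)


if __name__ == "__main__":
    customer = ["192.0.2.0/24"]
    print(ingress_acl("BCP38-AS64496", customer))
    for mode in ("strict", "feasible", "loose"):
        print(f"{mode:8s} legit via backup link: {urpf('192.0.2.10', 'ge-0/0/2', mode)}"
              f"  spoofed routed src: {urpf('198.51.100.1', 'ge-0/0/2', mode)}"
              f"  spoofed unrouted src: {urpf('203.0.113.5', 'ge-0/0/2', mode)}")
    print("static ACL, spoofed src:", acl_permits(customer, "203.0.113.5"))
```

Running it shows the three failure modes side by side: strict drops the customer's own 192.0.2.10 when it arrives on the backup link, feasible-paths accepts it while still rejecting both spoofed sources, and loose lets through any source that is routed at all (198.51.100.1 arriving on the wrong interface), which is why loose mode only catches bogons and why the prefix-list-derived static ACL remains the safest filter for a customer whose authorized prefixes you already know.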
I wanted to share PER-ASN data for those that are interested in this generally.
If you are a contact for these ASNs, you can e-mail me from your corporate
address to get access to the list.
Thank you for many of you that have secured hosts
COUNT ASN#
1357979 4134
1144551 8151
1089464 9121
On Thu, Mar 28, 2013 at 1:58 PM, Leo Bicknell wrote:
> But the real power here comes by applying this filter further up the
> food chain. Consider peering with a regional entity at an IX. Most
> [...]
>
> That doesn't turn into a useful packet filter for the peer, but using my
> method the peer
Could someone from Google contact me off list to discuss the public
resolvers?
I'm getting NXDOMAIN and then a proper response literally one second later.
And from there it's just 20 GOTO 10...the resolver seems to be having a
psychotic episode, or...at the very least...an identity crisis.
Other
On (2013-03-28 13:07 -0400), Jay Ashworth wrote:
> The edge carrier's *upstream* is not going to know that it's reasonable
> for their customer -- the end-site's carrier -- to be originating traffic
> with those source addresses, and if they ingress filter based on the
> prefixes they route down
- Original Message -
> From: "Valdis Kletnieks"
> On Thu, 28 Mar 2013 17:16:48 -, bmann...@vacation.karoshi.com
> said:
> >
> > is there a clear understanding of "the edge" in the network operations
> > community? in a simpler world, it was not that difficult, but interconnect
> > has
- Original Message -
> From: "William Herrin"
> So, you represent to your ISP that you're authorized to use a certain
> range of addresses. He represents to his upstream that he's authorized
> to use them on your behalf, and so on.
The former is a first-hand transaction: if you're lying
On Thu, Mar 28, 2013 at 12:27 PM, Jay Ashworth wrote:
> - Original Message -
>> From: "William Herrin"
>
>> So, you represent to your ISP that you're authorized to use a certain
>> range of addresses. He represents to his upstream that he's authorized
>> to use them on your behalf, and s
- Original Message -
> From: "Saku Ytti"
> On (2013-03-28 13:07 -0400), Jay Ashworth wrote:
>
> > The edge carrier's *upstream* is not going to know that it's reasonable
> > for their customer -- the end-site's carrier -- to be originating traffic
> > with those source addresses, and if
- Original Message -
> From: "Paul Ferguson"
> > The former is a first-hand transaction: if you're lying to your edge
> > carrier, he can cut you off with no collateral damage.
>
> Of course, he has to notice it first. :-)
Sure.
> ObOpinion: It's best to *enforce* a policy which disal
On Thu, Mar 28, 2013 at 2:46 AM, Randy Bush wrote:
> nyt reports capture of scuba divers attempting to cut telecom egypt
> undersea fiber.
>
>
> http://www.nytimes.com/aponline/2013/03/27/world/middleeast/ap-ml-egypt-internet.html
how likely is it that a diver can cut an armored cable close
On Thu, Mar 28, 2013 at 4:44 PM, Christopher Morrow
wrote:
> On Thu, Mar 28, 2013 at 2:46 AM, Randy Bush wrote:
>> nyt reports capture of scuba divers attempting to cut telecom egypt
>> undersea fiber.
>>
>>
>> http://www.nytimes.com/aponline/2013/03/27/world/middleeast/ap-ml-egypt-internet.
On Thu, 28 Mar 2013 14:16:58 -0400, Jared Mauch said:
>
> I wanted to share PER-ASN data for those that are interested in this
> generally. If you are a contact for these ASNs, you can e-mail me from your
> corporate address to get access to the list.
>
> Thank you for many of you that have secu
On Thu, 28 Mar 2013 15:05:57 -0400, Jay Ashworth said:
> - Original Message -
> > From: "Valdis Kletnieks"
> > For 5 9's worth of eyeball networks hanging off consumer-grade ADSL and
> > cable
> > connections, it's still the edge and still trivially filterable. If that's a
> > problem, th
I'm trying to make sense of this..
- Welding Gear is expensive, underwater gear is insanely expensive.
- Welding is pretty difficult..
- Underwater welding requires knowledge of SCUBA *AND* welding techniques
under water.
- There are 8 undersea cables located near the cable that was being cut.
- T
On 3/28/13 1:50 PM, Andrew Latham wrote:
On Thu, Mar 28, 2013 at 4:44 PM, Christopher Morrow
wrote:
On Thu, Mar 28, 2013 at 2:46 AM, Randy Bush wrote:
nyt reports capture of scuba divers attempting to cut telecom egypt
undersea fiber.
http://www.nytimes.com/aponline/2013/03/27/world/mi
Yeah, that's what I meant: ingress filter all edge connections except maybe
BGP, and accept opt-out requests.
valdis.kletni...@vt.edu wrote:
>On Thu, 28 Mar 2013 15:05:57 -0400, Jay Ashworth said:
>> - Original Message -
>> > From: "Valdis Kletnieks"
>> > For 5 9's worth of eyeball netwo
On Thu, Mar 28, 2013 at 11:51 AM, Blair Trosper wrote:
> Could someone from Google contact me off list to discuss the public
> resolvers?
>
> I'm getting NXDOMAIN and then a proper response literally one second later.
> And from there it's just 20 GOTO 10...the resolver seems to be having a
> psy
On (2013-03-28 15:47 -0400), Jay Ashworth wrote:
> > You can't do it at top-level, nor is it practical to hope that some
> > day BCP38 is done in reasonably many last-mile port.
>
> I don't know that that's true, actually; unicast-rpf does, as I understand
> it, most of the work, and is in most
Saku,
> all these 100s of millions of ports configured correctly does not strike me as
> a practical goal.
It is practical, IMO, similar to configuring IP address/prefix (or QoS
policies) on every port.
In fact, what makes it easier is that uRPF can be part of the template that can
be universally
On (2013-03-28 23:45 +), Rajiv Asati (rajiva) wrote:
> In fact, what makes it easier is that uRPF can be part of the template that
> can be universally applied to every edge port.
There is incredible amount of L3 interfaces in the last mile, old ghetto
stuff, latest gen Cisco, which does no
On 3/28/2013 7:49 PM, Saku Ytti wrote:
> On (2013-03-28 23:45 +), Rajiv Asati (rajiva) wrote:
> In fact, what makes it easier is that uRPF can be part of the template that
> can be universally applied to every edge port.
> There is incredible amount of L3 interfaces in the last mile, old ghet
On 3/28/13, Jay Ashworth wrote:
> My understanding has always been different from that, based on the idea
> that the carrier to which a customer connects is the only one with which
> that end-site has a business relationship, and therefore (frex), the only
> one whom that end-site could advise th
On Thu, 28 Mar 2013, Jay Ashworth wrote:
C'mon guys: the edge is where people who *source and sink* packets
connect to people who *move* packets. There may be some edges *inside*
carriers, but there is certainly an edge where carriers hook up customers.
And no, this should apply to business-gr
Hi All
Should major social networking sites like Facebook, Google and Amazon
operate an IP looking glass?
I think they should; here is a short justification write-up I did,
using a real life troubleshooting scenario.
http://www.slideshare.net/peterehiwe/why-major-content-providers-need-an-ip
See below
Jared Mauch
On Mar 28, 2013, at 5:04 PM, Jimmy Hess wrote:
> Ingress source addresses should optimally ideally be filtered at
> turnup to the list of authorized prefixes, if uRPF cannot be
> implemented (uRPF is convenient, but not necessarily necessary to
> implement ingress filte
On Thu, 28 Mar 2013, Jon Lewis wrote:
It's time for people to stop passing the buck on BCP38 (we don't do it,
because it really ought to be done at that other level) and start
implementing it where possible.
An economic factor will be required for BCP38 to be effective.
It will have to cost m
On Tue, Mar 26, 2013 at 07:07:16PM -0700, Tom Paseka wrote:
> On Tue, Mar 26, 2013 at 7:04 PM, Matthew Petach wrote:
>
> > On Tue, Mar 26, 2013 at 6:06 PM, John Levine wrote:
> > >>As a white-hat attempting to find problems to address through legitimate
> > means, how
> > >>do you …
> > >
> > > Y