Re: BCP38.info

2014-02-03 Thread Dobbins, Roland
On Feb 3, 2014, at 2:55 PM, Dobbins, Roland wrote: > It would be useful to know whether there are in fact NATs, or are 'DNS > forwarders' . . . Another question is whether or not it's possible that in at least some cases, MITMing boxes on intermediary networks are grabbing these queries and t

Re: BCP38.info, RELATING: TWC (AS11351) blocking all NTP?

2014-02-03 Thread Michael DeMan
Hi, I think I might have already deleted subject matter a few days ago in re: BCP38. What exactly are you trying to do? I agree my general comment about the recent NTP weaknesses should be addressed via IPv6 RFC may have been misunderstood. I meant mostly that with IPv6 NAT goes away, all devi

Re: BCP38.info, RELATING: TWC (AS11351) blocking all NTP?

2014-02-03 Thread Dobbins, Roland
On Feb 3, 2014, at 3:24 PM, Michael DeMan wrote: > I meant mostly that with IPv6 NAT goes away, I don't know if this is true or not - and even if it is true, it's going to be a long, long time before the IPv4 Internet goes away (like, maybe, pretty much forever, heh). > An NTPv5 solution tha

Re: TWC (AS11351) blocking all NTP?

2014-02-03 Thread Stephane Bortzmeyer
On Sun, Feb 02, 2014 at 02:49:49PM -0800, Matthew Petach wrote a message of 49 lines which said: > If NTP responded to a single query with a single equivalently sized > response, its effectiveness as a DDoS attack would be zero; with > zero amplification, the volume of attack traffic would be

Re: TWC (AS11351) blocking all NTP?

2014-02-03 Thread Stephane Bortzmeyer
On Mon, Feb 03, 2014 at 04:09:39AM +, Dobbins, Roland wrote a message of 20 lines which said: > I also think that restricting your users by default to your own > recursive DNS servers, plus a couple of well-known, well-run public > recursive services, is a good idea - as long as you allow

Re: TWC (AS11351) blocking all NTP?

2014-02-03 Thread Dobbins, Roland
On Feb 3, 2014, at 4:55 PM, Stephane Bortzmeyer wrote: > I agree with you but I'm fairly certain that most ISP who deny their users > the ability to do DNS requests directly > (or to run their own DNS resolver) have no such opt-out (or they make it > expensive and/or complicated). There are s

Re: BCP38.info, RELATING: TWC (AS11351) blocking all NTP?

2014-02-03 Thread Valdis . Kletnieks
On Mon, 03 Feb 2014 00:24:08 -0800, Michael DeMan said: > An NTPv5 solution that could be done with NTP services already Doesn't matter - the same people that aren't upgrading to a correctly configured NTPv4 aren't going to upgrade to an NTPv5. No need at all for a protocol increment (and actuall

Re: TWC (AS11351) blocking all NTP?

2014-02-03 Thread TGLASSEY
How about this - I have proposed to NIST we start filtering - realize that the NIST ITS program itself was setup to run NTP in an open access mode - we host a dozen or so of those systems and so we get hit all the time. The solution is actually not running timing services across UDP because

Re: TWC (AS11351) blocking all NTP?

2014-02-03 Thread Valdis . Kletnieks
On Mon, 03 Feb 2014 06:14:30 -0800, TGLASSEY said: > My suggestion is that for those that need access we set up VLAN trunked > private networking models to your ISP MPOE as it were in a digital context. That's going to be one big VLAN. /me makes popcorn.

Re: TWC (AS11351) blocking all NTP?

2014-02-03 Thread TGLASSEY
Or a whole bunch of small ones Valdis - and yes we are capable of handling the loads. :-) Todd On 2/3/2014 6:34 AM, valdis.kletni...@vt.edu wrote: On Mon, 03 Feb 2014 06:14:30 -0800, TGLASSEY said: My suggestion is that for those that need access we set up VLAN trunked private networking mo

Re: TWC (AS11351) blocking all NTP?

2014-02-03 Thread Valdis . Kletnieks
On Mon, 03 Feb 2014 06:50:56 -0800, TGLASSEY said: > Or a whole bunch of small ones Valdis - and yes we are capable of > handling the loads. 38,917 vlans later... /me makes even *more* popcorn...

Re: TWC (AS11351) blocking all NTP?

2014-02-03 Thread Livingood, Jason
On 2/3/14, 1:02 AM, "Dobbins, Roland" wrote: >All that broadband access operators need to do is to a) enforce >antispoofing as close to their customers as possible, Many probably do so already. But as we all know, it only takes a few that don't to create a large scale issue. IMHO if we want to

Do network diagnostic tools need upgrade?

2014-02-03 Thread Ammar Salih
Hello NANOG list members, I have a question for you, are you happy with the current network diagnostic tools, like ping, trace route .. etc, don't you think it's time to have an upgraded version of icmp protocol? from my side there is a lot that I can NOT do with current tools and protocols, here

RE: Updated ARIN allocation information

2014-02-03 Thread Leo Vegoda
Tore Anderson wrote: [...] > It's not exactly new. Like I've mentioned earlier in this thread, the > RIPE NCC has granted assignments smaller than /24 to requestors since, > well, "forever". There are currently 238 such assignments listed in > delegated-ripencc-extended-latest.txt. However, these

Re: BGP multihoming

2014-02-03 Thread Tore Anderson
* Tore Anderson > * Baldur Norddahl > >> Is assigning a /24 from my own PA space for the purpose of BGP >> multihoming considered sufficient "need"? > > Not with current policies, no That was then. With current policies: yes. To elaborate a bit, the RIPE Community just reached consensus on a p

BGP peer traffic monitoring

2014-02-03 Thread Dennis Burgess
I have a router with about 20 peers, most are all on a single port (local exchange), how is everyone monitoring traffic to individual peers? Dennis Burgess, Mikrotik Certified Trainer Author of "Learn RouterOS- Second Edition " Link Tec

Re: TWC (AS11351) blocking all NTP?

2014-02-03 Thread Peter Phaal
Why burn the village when only one house is the problem? I thought there might be some interest in hearing about work being done to use SDN to automatically configure filtering in existing switches and routers to mitigate flood attacks. Real-time analytics based on measurements from switches/route
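The "one house, not the village" approach described above, as an added example that is not part of Peter's message or of any sFlow/OpenFlow product: flow records of the kind a collector exports (5-tuple plus packet and byte counters; the field names and thresholds here are this example's own) are scored per NTP server for reply size and out/in byte ratio, and only the hosts that are actually amplifying get a filter line. The sample flows are constructed; the ACL syntax is Cisco-style and assumed for illustration.

```python
"""Added example, not code from the NANOG thread: score flow records from a
collector (sFlow/IPFIX/NetFlow style 5-tuple + counters) to single out the
hosts behaving as NTP amplifiers, then emit a per-host filter instead of a
blanket drop of udp/123. Field names and thresholds are this example's own."""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Set

UDP = 17
NTP_PORT = 123
# A normal NTP time exchange is 48 bytes of UDP payload each way; a mode-7
# "monlist" reply is ~440 bytes per packet and one request yields up to 100
# of them, so a large mean reply size plus a high out/in byte ratio is the tell.
MIN_REPLY_BYTES = 400

@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int
    proto: int
    packets: int
    bytes: int

@dataclass
class HostStats:
    in_packets: int = 0
    in_bytes: int = 0
    out_packets: int = 0
    out_bytes: int = 0
    peers: Set[str] = field(default_factory=set)   # destinations of its replies

def summarize(flows: Iterable[Flow]) -> Dict[str, HostStats]:
    """Per NTP server: bytes received on udp/123 vs bytes sent from udp/123."""
    stats: Dict[str, HostStats] = defaultdict(HostStats)
    for f in flows:
        if f.proto != UDP:
            continue
        if f.sport == NTP_PORT:            # replies leaving the server
            s = stats[f.src]
            s.out_packets += f.packets
            s.out_bytes += f.bytes
            s.peers.add(f.dst)
        elif f.dport == NTP_PORT:          # queries arriving at the server
            s = stats[f.dst]
            s.in_packets += f.packets
            s.in_bytes += f.bytes
    return dict(stats)

def amplification(s: HostStats) -> float:
    """Bytes out per byte in. Sampled flow data can miss the request side
    entirely, so a host that only ever sends is treated as infinite."""
    if s.in_bytes == 0:
        return float("inf") if s.out_bytes else 0.0
    return s.out_bytes / s.in_bytes

def mean_reply_size(s: HostStats) -> float:
    return s.out_bytes / s.out_packets if s.out_packets else 0.0

def find_reflectors(flows: Iterable[Flow], min_amp: float = 10.0) -> List[str]:
    """Hosts whose udp/123 replies are both oversized and far larger in volume
    than what they were asked: the abused servers, not every NTP speaker."""
    return sorted(
        host for host, s in summarize(flows).items()
        if amplification(s) >= min_amp and mean_reply_size(s) >= MIN_REPLY_BYTES
    )

def build_filter(reflectors: Iterable[str]) -> List[str]:
    """Cisco-style extended ACL text (syntax assumed for illustration): drop
    udp/123 replies from the identified hosts only, permit everything else."""
    lines = ["deny udp host %s eq %d any" % (h, NTP_PORT) for h in reflectors]
    lines.append("permit ip any any")
    return lines

# Constructed sample flows (RFC 5737 documentation addresses).
# 192.0.2.10 answers 50-byte monlist requests with ~100 x 482-byte replies
# toward a (spoofed) victim; 192.0.2.20 is an ordinary server answering
# 76-byte queries with 76-byte replies.
SAMPLE_FLOWS = [
    Flow("203.0.113.5", 40000, "192.0.2.10", 123, UDP, 100, 5_000),
    Flow("192.0.2.10", 123, "203.0.113.5", 40000, UDP, 10_000, 4_820_000),
    Flow("198.51.100.8", 50000, "192.0.2.20", 123, UDP, 50, 3_800),
    Flow("192.0.2.20", 123, "198.51.100.8", 50000, UDP, 50, 3_800),
    Flow("198.51.100.8", 50001, "192.0.2.20", 53, UDP, 50, 3_800),    # DNS, not NTP
    Flow("198.51.100.9", 51000, "192.0.2.10", 80, 6, 20, 1_500),       # TCP, ignored
]

if __name__ == "__main__":
    stats = summarize(SAMPLE_FLOWS)
    for host in find_reflectors(SAMPLE_FLOWS):
        s = stats[host]
        print("%s amp=%.0fx mean_reply=%dB victims=%d"
              % (host, amplification(s), mean_reply_size(s), len(s.peers)))
    print("\n".join(build_filter(find_reflectors(SAMPLE_FLOWS))))
```

The ratio threshold matters more than the absolute volume: a busy but correctly configured server answers a lot of 48-byte queries with 48-byte replies and stays near 1x, while an abused one sits in the hundreds even at low packet rates.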

Re: BGP peer traffic monitoring

2014-02-03 Thread Job Snijders
On Mon, Feb 03, 2014 at 11:48:04AM -0600, Dennis Burgess wrote: > I have a router with about 20 peers, most are all on a single port > (local exchange), how is everyone monitoring traffic to individual > peers? Use something like IPFIX, NetFlow, sFlow and take a look at these two tools:

Re: Do network diagnostic tools need upgrade?

2014-02-03 Thread Andre Gironda
Oldies, but goodies: shaperprobe (1st), pchar (3rd), tcptrace.org, lft (4th), iftop, nsping (2nd), iperf, sjitter, pathneck (3rd) These are newer -- http://www.internet2.edu/products-services/performance-monitoring/performance-tools/ (OWAMP, 2nd) -- http://paris-traceroute.net (4th) -- http://pack

Re: Do network diagnostic tools need upgrade?

2014-02-03 Thread Valdis . Kletnieks
On Mon, 03 Feb 2014 16:33:34 +0300, Ammar Salih said: > I have a question for you, are you happy with the current network > diagnostic tools, like ping, trace route .. etc, don't you think it's time > to have an upgraded version of icmp protocol? from my side there is a lot > that I can NOT do wi

Re: TWC (AS11351) blocking all NTP?

2014-02-03 Thread Christopher Morrow
On Mon, Feb 3, 2014 at 12:42 PM, Peter Phaal wrote: > Why burn the village when only one house is the problem? I thought > there might be some interest in hearing about work being done to use > SDN to automatically configure filtering in existing switches and > routers to mitigate flood attacks. >

BCP38 [Was: Re: TWC (AS11351) blocking all NTP?]

2014-02-03 Thread Paul Ferguson
On 2/2/2014 2:17 PM, Cb B wrote: > And, i agree bcp38 would help but that was published 14 years ago. But what? Are you somehow implying that because BCP38 was "...published 14 years ago" (RFC2267 was initially published in 1998, and it was subsequ
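What BCP38 actually asks of an access network, as an added example that is not part of Paul's message or of any vendor's uRPF implementation: on each customer-facing interface, permit only packets whose source address lies in the prefixes assigned to that customer and drop everything else. Interface names, prefixes and the sample packets below are constructed for this example; the DHCP carve-out is the one legitimate packet sourced from 0.0.0.0 that such a filter must not break.

```python
"""Added example, not from the thread or any vendor: the per-interface
source-address check that BCP38/RFC 2827 asks access providers to apply
at the customer edge, with a small audit over constructed packets.
Interface names, prefixes and packets are this example's own."""
import ipaddress
from typing import Dict, Iterable, Optional, Tuple

class IngressFilter:
    """Map each customer-facing interface to the prefixes that customer is
    allowed to source from; anything else arriving there is spoofed."""

    def __init__(self, customer_prefixes: Dict[str, Iterable[str]]):
        self.allowed = {
            ifname: [ipaddress.ip_network(p) for p in prefixes]
            for ifname, prefixes in customer_prefixes.items()
        }

    def permits(self, ifname: str, src: str, dst: Optional[str] = None,
                dport: Optional[int] = None) -> Tuple[bool, str]:
        """(allow?, reason) for a packet with source `src` arriving on `ifname`."""
        try:
            addr = ipaddress.ip_address(src)
        except ValueError:
            return False, "unparseable source address"
        nets = self.allowed.get(ifname)
        if nets is None:
            # Unknown customer port: fail closed rather than open.
            return False, "no prefixes configured for interface"
        if addr.is_unspecified:
            # A host with no address yet must still be able to DHCP: DISCOVER
            # is sourced from 0.0.0.0 to 255.255.255.255 udp/67. Nothing
            # else from the unspecified address is legitimate.
            if dst == "255.255.255.255" and dport == 67:
                return True, "DHCP bootstrap from unspecified source"
            return False, "unspecified source outside DHCP bootstrap"
        if addr.is_loopback or addr.is_multicast:
            return False, "martian source"
        for net in nets:
            if addr.version == net.version and addr in net:
                return True, "source within %s" % net
        return False, "source not in this customer's prefixes"

def audit(flt: IngressFilter, packets: Iterable[Tuple[str, str, str, int]]) -> Dict[str, int]:
    """Run constructed packets (ifname, src, dst, dport) through the filter and
    count verdicts; a real box would count per interface and log the drops."""
    counts = {"permit": 0, "drop": 0}
    for ifname, src, dst, dport in packets:
        ok, _ = flt.permits(ifname, src, dst, dport)
        counts["permit" if ok else "drop"] += 1
    return counts

# Constructed topology (RFC 5737 / RFC 3849 documentation addresses):
# two customer ports, one of them dual-stacked.
CUSTOMER_PREFIXES = {
    "ge-0/0/1": ["192.0.2.0/25", "2001:db8:1::/48"],
    "ge-0/0/2": ["198.51.100.0/24"],
}

SAMPLE_PACKETS = [
    ("ge-0/0/1", "192.0.2.10", "203.0.113.1", 123),        # own prefix: permit
    ("ge-0/0/1", "198.51.100.7", "203.0.113.1", 123),      # another customer's space: spoofed
    ("ge-0/0/1", "203.0.113.9", "192.0.2.200", 123),       # the reflection case: forged victim source
    ("ge-0/0/1", "2001:db8:1::25", "2001:db8:2::1", 123),  # v6 own prefix: permit
    ("ge-0/0/1", "0.0.0.0", "255.255.255.255", 67),        # DHCP DISCOVER: permit
    ("ge-0/0/2", "127.0.0.1", "198.51.100.1", 53),         # martian
    ("ge-0/0/3", "192.0.2.10", "203.0.113.1", 123),        # interface with no policy
]

if __name__ == "__main__":
    f = IngressFilter(CUSTOMER_PREFIXES)
    for ifname, src, dst, dport in SAMPLE_PACKETS:
        ok, why = f.permits(ifname, src, dst, dport)
        print("%-9s %-16s %s (%s)" % (ifname, src, "permit" if ok else "DROP", why))
    print(audit(f, SAMPLE_PACKETS))
```

The third sample packet is exactly the one the NTP thread is about: a customer host emitting queries with a victim's address as source. Filtering it at the customer port, where the legitimate source set is small and known, is cheap; nowhere further into the network is that knowledge available.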

Re: TWC (AS11351) blocking all NTP?

2014-02-03 Thread John Levine
>In regards to anti-spoofing measures - I think there are a couple of vectors about >the latest NTP attack >where more rigorous client-side anti-spoofing could help but will not solve it >overall. Most NTP servers only send legitimate traffic to a handful of masters, often in the ntp.org pool, and t

RE: BGP peer traffic monitoring

2014-02-03 Thread Jack Stonebraker
We perform MAC Based accounting on our IX interface and that allows us to monitor / graph traffic based off MAC address instead of being limited to the aggregate data of a single interface. Here's the JUNOS way of doing it, I'm sure other vendors have their equivalent. http://www.juniper.net/

Re: TWC (AS11351) blocking all NTP?

2014-02-03 Thread Valdis . Kletnieks
On 03 Feb 2014 18:23:31 +, "John Levine" said: > It seems that a hosts sending large amounts of NTP traffic over the > public Internet can be safely filtered if you don't already know that > it's one of the handful that's in the ntp.org pools or another well > known NTP master. You have that b

Re: TWC (AS11351) blocking all NTP?

2014-02-03 Thread Jared Mauch
On Feb 3, 2014, at 12:45 AM, Michael DeMan wrote: > The recently publicized mechanism to leverage NTP servers for amplified DoS > attacks is seriously effective. > I had a friend who had a local ISP affected by this Thursday and also another > case where just two asterisk servers saturated a 1

Re: [NANOG-announce] NANOG On The Road - San Diego

2014-02-03 Thread Doug Barton
This event sounds like a lot of fun, and I look forward to attending. :) Just curious if anyone wants to participate in an informal PGP key signing activity while we're there? I'm thinking an old fashioned "everyone brings their own slips of paper" type thing, but if there is sufficient intere

Re: Do network diagnostic tools need upgrade?

2014-02-03 Thread Octavio Alvarez
On 02/03/2014 05:33 AM, Ammar Salih wrote: > Hello NANOG list members, > > I have a question for you, are you happy with the current network > diagnostic tools, like ping, trace route .. etc, What tools are you referring to by "..."? There are many others. I like tcptraceroute (there are two var

Re: TWC (AS11351) blocking all NTP?

2014-02-03 Thread Brian Rak
Huh? The issue with NTP relates to the monlist command (and a few others). These are management queries, and are not critical to the operation of a NTP server. You can disable these quite easily, and still run a NTP server that provides accurate time services. On 2/3/2014 9:14 AM, TGLASSEY
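The configuration Brian refers to, as an added illustration that is not part of his message and not any distribution's shipped default: an ntp.conf fragment for the ntp.org reference implementation (ntpd 4.2.x) that keeps serving time while refusing the mode 6/7 control and monitoring queries, and switches off the monlist facility itself. The `-6` lines are only needed on older 4.2.4 releases where `restrict default` did not yet cover both address families.

```conf
# ntpd (ntp.org reference implementation, 4.2.x): serve time only.
# Turn off the MRU/monlist facility so there is nothing to reflect ...
disable monitor
# ... and refuse mode 6/7 (ntpq/ntpdc) queries and runtime modification from
# everyone. Time requests (modes 3/4) are still answered; "nopeer" only refuses
# unsolicited symmetric-active associations, not the servers configured here.
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
# Local management stays possible.
restrict 127.0.0.1
restrict -6 ::1
```

After restarting ntpd, `ntpdc -n -c monlist <server>` run from another host should time out rather than return a client list, while `ntpdate -q <server>` (or any ordinary client) still gets an answer.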

Re: Do network diagnostic tools need upgrade?

2014-02-03 Thread Jared Mauch
On Feb 3, 2014, at 1:59 PM, Octavio Alvarez wrote: > On 02/03/2014 05:33 AM, Ammar Salih wrote: >> Hello NANOG list members, >> >> I have a question for you, are you happy with the current network >> diagnostic tools, like ping, trace route .. etc, > > What tools are you referring to by "..."?

Re: TWC (AS11351) blocking all NTP?

2014-02-03 Thread Dobbins, Roland
On Feb 4, 2014, at 12:42 AM, Peter Phaal wrote: > Real-time analytics based on measurements from switches/routers > (sFlow/PSAMP/IPFIX) can identify large UDP flows and integrated hybrid > OpenFlow, I2RS, REST, NETCONF APIs, etc. can be used to program the > switches/routers to selectively fil

Re: TWC (AS11351) blocking all NTP?

2014-02-03 Thread Joel M Snyder
It seems that a hosts sending large amounts of NTP traffic over the public Internet can be safely filtered if you don't already know that it's one of the handful that's in the ntp.org pools or another well known NTP master. Speaking as one of the 3841 servers in the pool.ntp.org pool, I'm happy

Re: TWC (AS11351) blocking all NTP?

2014-02-03 Thread Peter Phaal
On Mon, Feb 3, 2014 at 10:16 AM, Christopher Morrow wrote: > On Mon, Feb 3, 2014 at 12:42 PM, Peter Phaal wrote: >> Why burn the village when only one house is the problem? I thought >> there might be some interest in hearing about work being done to use >> SDN to automatically configure filterin

Re: TWC (AS11351) blocking all NTP?

2014-02-03 Thread Dobbins, Roland
On Feb 4, 2014, at 12:11 AM, Brian Rak wrote: > You can disable these quite easily, and still run a NTP server that provides > accurate time services. Concur 100% - although it should be noted that 1:1 reflection without any amplification is also quite useful to attackers. --

Re: TWC (AS11351) blocking all NTP?

2014-02-03 Thread Brian Rak
On 2/3/2014 2:46 PM, Dobbins, Roland wrote: On Feb 4, 2014, at 12:11 AM, Brian Rak wrote: You can disable these quite easily, and still run a NTP server that provides accurate time services. Concur 100% - although it should be noted that 1:1 reflection without any amplification is also quit

Re: TWC (AS11351) blocking all NTP?

2014-02-03 Thread Dobbins, Roland
On Feb 4, 2014, at 3:09 AM, Brian Rak wrote: > It's pretty much the same issue with DNS, even authoritative-only servers can > be abused for reflection. They are, every minute of every day - and they provide amplification, too. ;> -

Re: Do network diagnostic tools need upgrade?

2014-02-03 Thread Bryan Socha
I like observium for monitoring gear, tons of information, great way to find erroring fiber over thousands of devices and caught some memory leaks prior to impacting things. This is in addition to flow data of course. Bryan DigitalOcean We're Hiring

Re: TWC (AS11351) blocking all NTP?

2014-02-03 Thread John R. Levine
It seems that a hosts sending large amounts of NTP traffic over the public Internet can be safely filtered if you don't already know that it's one of the handful that's in the ntp.org pools or another well known NTP master. Speaking as one of the 3841 servers in the pool.ntp.org pool, I'm happy t

Re: TWC (AS11351) blocking all NTP?

2014-02-03 Thread Christopher Morrow
On Mon, Feb 3, 2014 at 2:42 PM, Peter Phaal wrote: > On Mon, Feb 3, 2014 at 10:16 AM, Christopher Morrow > wrote: >> On Mon, Feb 3, 2014 at 12:42 PM, Peter Phaal wrote: >> There's certainly the case that you could drop acls/something on >> equipment to selectively block the traffic that matters

Re: TWC (AS11351) blocking all NTP?

2014-02-03 Thread Jared Mauch
On Feb 3, 2014, at 3:29 PM, John R. Levine wrote: >>> It seems that a hosts sending large amounts of NTP traffic over the >>> public Internet can be safely filtered if you don't already know that >>> it's one of the handful that's in the ntp.org pools or another well >>> known NTP master. >> >>

Re: TWC (AS11351) blocking all NTP?

2014-02-03 Thread John R. Levine
I was thinking that the ntp.org servers on any particular network are a small set of exceptions to a general rule to rate limit outgoing NTP traffic. www.pool.ntp.org allows any NTP operator to opt-in to receive NTP traffic should their clock be available and accurate. I believe you, but I d

Re: TWC (AS11351) blocking all NTP?

2014-02-03 Thread Joe Greco
> >> I was thinking that the ntp.org servers on any particular network are a > >> small set of exceptions to a general rule to rate limit outgoing NTP > >> traffic. > > > > www.pool.ntp.org allows any NTP operator to opt-in to receive NTP traffic > > should their clock be available and accurate.

-48VDC supply for home lab?

2014-02-03 Thread Mark Leonard
Greetings NANOG'ers! I have a small home lab which I mostly use for learning and testing. I'm likely to receive some gear that needs negative 48VDC (ie: positive ground). Mains is a typical 120VAC, 60Hz. Can anyone recommend a power supply, reasonably priced, to go from 120VAC down to -48VDC@10

Re: -48VDC supply for home lab?

2014-02-03 Thread Robert Glover
On 2/3/2014 1:02 PM, Mark Leonard wrote: > Greetings NANOG'ers! > > I have a small home lab which I mostly use for learning and testing. I'm > likely to receive some gear that needs negative 48VDC (ie: positive > ground). Mains is a typical 120VAC, 60Hz. > > Can anyone recommend a power supply, r

Re: TWC (AS11351) blocking all NTP?

2014-02-03 Thread Valdis . Kletnieks
On Mon, 03 Feb 2014 11:29:21 -0600, Joe Greco said: > There's a bootstrap issue here. I'm guessing that you may be picturing > a scenario where a network operator simply queries to obtain the list of > ntp.org servers and special-cases their own. However, I believe that > the system won't add NT

Re: TWC (AS11351) blocking all NTP?

2014-02-03 Thread Doug Barton
On 02/03/2014 12:50 PM, John R. Levine wrote: I was thinking that the ntp.org servers on any particular network are a small set of exceptions to a general rule to rate limit outgoing NTP traffic. www.pool.ntp.org allows any NTP operator to opt-in to receive NTP traffic should their clock be ava

Re: TWC (AS11351) blocking all NTP?

2014-02-03 Thread Peter Phaal
On Mon, Feb 3, 2014 at 12:38 PM, Christopher Morrow wrote: > On Mon, Feb 3, 2014 at 2:42 PM, Peter Phaal wrote: >> On Mon, Feb 3, 2014 at 10:16 AM, Christopher Morrow >> wrote: >>> On Mon, Feb 3, 2014 at 12:42 PM, Peter Phaal wrote: > >>> There's certainly the case that you could drop acls/some

Re: TWC (AS11351) blocking all NTP?

2014-02-03 Thread John Kristoff
On Mon, 03 Feb 2014 16:49:37 +1300 Geraint Jones wrote: > We block all outbound UDP for our ~200,000 Users for this very reason > (with the exception of some whitelisted NTP and DNS servers). So far > we have had 0 complaints I've heard this sort of absence of complaint statement used to justify

Re: TWC (AS11351) blocking all NTP?

2014-02-03 Thread John Kristoff
On Mon, 3 Feb 2014 07:08:25 + "Dobbins, Roland" wrote: > There's nothing in IPv6 which makes any difference. The ultimate > solution is antispoofing at the customer edge. There is at least one small thing that may change some part of this and similar problems. If the threat vector were onl

Re: -48VDC supply for home lab?

2014-02-03 Thread Jonathan Towne
Tellabs stuff seems to work reasonably well: I've got a model 8001 -48VDC PDU in my lab rack at home, although it only supplies @ 1A, it does a fine enough job for what I need. Have a look at the Tellabs PS-1478 or so, which should do 10A. They're not explicitly rackmountable, but look like they'

Re: TWC (AS11351) blocking all NTP?

2014-02-03 Thread Dobbins, Roland
On Feb 4, 2014, at 5:38 AM, John Kristoff wrote: > I do realize in practice there are ways to discover systems, but the change > in address architecture could change things, not perfectly, but I'll venture > to suggest noticeably in some not so difficult to imagine > scenarios. I know you're

Re: TWC (AS11351) blocking all NTP?

2014-02-03 Thread Christopher Morrow
wait, so the whole of the thread is about stopping participants in the attack, and you're suggesting that removing/changing end-system switch/routing gear and doing something more complex than: deny udp any 123 any deny udp any 123 any 123 permit ip any any is a good plan? I'd direct you at

Re: -48VDC supply for home lab?

2014-02-03 Thread Baldur Norddahl
I am using this: http://www.newark.com/xp-power/jpm160ps48/psu-160w-48v-3-3a/dp/97K2572 Locally it is available here for about $50 USD as new. I found it in a shop selling electronics for disco - don't tell them you are doing networks, that info will multiply the price by 10 :-). Regards, Baldur

Re: -48VDC supply for home lab?

2014-02-03 Thread Will Orton
I use: http://www.mastechpowersupply.com/dc-power-supply/switching-power-supply/volteq-power-supply-hy5020ex-50v-20a-over-voltage-over-current-protection/prod_61.html The output is changable from positive to negative ground by moving the shorting bar to ground from the - output to the + side. If

Re: TWC (AS11351) blocking all NTP?

2014-02-03 Thread Glen Turner
On 4 Feb 2014, at 9:28 am, Christopher Morrow wrote: > wait, so the whole of the thread is about stopping participants in the > attack, and you're suggesting that removing/changing end-system > switch/routing gear and doing something more complex than: > deny udp any 123 any > deny udp any 123

Re: TWC (AS11351) blocking all NTP?

2014-02-03 Thread Peter Phaal
On Mon, Feb 3, 2014 at 2:58 PM, Christopher Morrow wrote: > wait, so the whole of the thread is about stopping participants in the > attack, and you're suggesting that removing/changing end-system > switch/routing gear and doing something more complex than: > deny udp any 123 any > deny udp an

Re: TWC (AS11351) blocking all NTP?

2014-02-03 Thread Majdi S. Abbas
On Mon, Feb 03, 2014 at 03:50:03PM -0500, John R. Levine wrote: > I believe you, but I don't believe that the set of ntp.org servers > changes so rapidly that it is beyond the ability of network > operators to handle the ones on their own networks as a special > case. I think you'd be surp

Re: BCP38 [Was: Re: TWC (AS11351) blocking all NTP?]

2014-02-03 Thread Cb B
On Feb 3, 2014 10:23 AM, "Paul Ferguson" wrote: > > On 2/2/2014 2:17 PM, Cb B wrote: > > > And, i agree bcp38 would help but that was published 14 years ago. > > But what? Are you somehow implying that because BCP38 was > "...published 14 years

Re: TWC (AS11351) blocking all NTP?

2014-02-03 Thread Christopher Morrow
On Mon, Feb 3, 2014 at 7:40 PM, Glen Turner wrote: > > On 4 Feb 2014, at 9:28 am, Christopher Morrow wrote: > >> wait, so the whole of the thread is about stopping participants in the >> attack, and you're suggesting that removing/changing end-system >> switch/routing gear and doing something mor

Re: TWC (AS11351) blocking all NTP?

2014-02-03 Thread Christopher Morrow
-larry directly since I'm sure he's either tired of this, or already reading it via the nanog subscription. On Mon, Feb 3, 2014 at 7:54 PM, Peter Phaal wrote: > On Mon, Feb 3, 2014 at 2:58 PM, Christopher Morrow > wrote: >> wait, so the whole of the thread is about stopping participants in the >

Re: BCP38 [Was: Re: TWC (AS11351) blocking all NTP?]

2014-02-03 Thread Jay Ashworth
- Original Message - > From: "Cb B" > I completely agree. My sphere of influence is bcp38 compliant. And, > networks that fail to support some form of bcp38 are nothing short of > negligent. > > That said, i spend too much time taking defensive action against ipv4 amp > udp attacks. And

looking for a tool...

2014-02-03 Thread Mike
Hello, I was wondering if anyone could point me in the direction of a tool capable of sniffing (or reading pcap files), and reporting on lan station thruput in terms of bits per second. Ideally I'd like to be able to generate a sorted report of the top users and top thruputs observed and

Re: looking for a tool...

2014-02-03 Thread Andre Gironda
Similar discussion not long ago mentioned tcptrace.org dre -- Forwarded message -- From: Andre Gironda Date: Mon, Feb 3, 2014 at 9:05 PM Subject: Re: Do network diagnostic tools need upgrade? To: "nanog@nanog.org" Cc: Ammar Salih Oldies, but goodies: shaperprobe (1st), pchar (
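A minimal version of the tool Mike is asking for, as an added example that is not his tool, tcptrace, or any other project's code: a pcap reader that aggregates on-wire bytes per source MAC over the capture window and reports bits per second, top talkers first. It handles both pcap byte orders and the nanosecond-timestamp magic, and uses the original frame length rather than the captured length so a short snaplen does not understate rates. The sample capture is constructed in memory; all names are this example's own.

```python
"""Added example, not the tool asked about or any project's code: a minimal
pcap reader that reports per-station throughput (bits per second, top
talkers first) from the on-wire frame length, so a capture taken with a
short snaplen still gives true rates. A sample pcap is constructed
in-memory below; all names are this example's own."""
import struct
from collections import defaultdict
from typing import Dict, Iterator, List, Tuple

# First four bytes read as little-endian tell us the file's byte order and
# whether the timestamp fraction is microseconds or nanoseconds.
PCAP_MAGIC = {
    0xA1B2C3D4: ("<", 1_000_000),
    0xD4C3B2A1: (">", 1_000_000),
    0xA1B23C4D: ("<", 1_000_000_000),
    0x4D3CB2A1: (">", 1_000_000_000),
}
LINKTYPE_ETHERNET = 1

def iter_packets(data: bytes) -> Iterator[Tuple[float, int, bytes]]:
    """Yield (timestamp_seconds, wire_length, captured_frame) per record."""
    if len(data) < 24:
        raise ValueError("truncated pcap file header")
    magic = struct.unpack("<I", data[:4])[0]
    if magic not in PCAP_MAGIC:
        raise ValueError("not a pcap file (magic %#x)" % magic)
    endian, ts_div = PCAP_MAGIC[magic]
    linktype = struct.unpack(endian + "I", data[20:24])[0]
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet captures are handled")
    rec = struct.Struct(endian + "IIII")      # ts_sec, ts_frac, caplen, wirelen
    off = 24
    while off + rec.size <= len(data):
        ts_sec, ts_frac, caplen, wirelen = rec.unpack_from(data, off)
        off += rec.size
        frame = data[off:off + caplen]
        if len(frame) < caplen:               # file cut off mid-record: stop, don't miscount
            break
        off += caplen
        yield ts_sec + ts_frac / ts_div, wirelen, frame

def station_throughput(data: bytes) -> List[Tuple[str, float]]:
    """[(source MAC, bits/second)] sorted descending. The rate is averaged over
    the capture window (first to last timestamp), rounded up to one second so
    a one-frame capture does not report an absurd rate."""
    wire_bytes: Dict[str, int] = defaultdict(int)
    first = last = None
    for ts, wirelen, frame in iter_packets(data):
        if len(frame) < 14:                   # not even a full Ethernet header
            continue
        src = frame[6:12].hex(":")
        wire_bytes[src] += wirelen
        first = ts if first is None else min(first, ts)
        last = ts if last is None else max(last, ts)
    if first is None:
        return []
    window = max(last - first, 1.0)
    report = [(mac, n * 8 / window) for mac, n in wire_bytes.items()]
    return sorted(report, key=lambda kv: (-kv[1], kv[0]))

def build_sample_pcap(packets: List[Tuple[float, bytes, bytes, int]], snaplen: int = 64) -> bytes:
    """Constructed sample data: (ts, src_mac, dst_mac, wire_len) -> pcap bytes.
    Frames are zero-padded to wire_len and then cut at snaplen, like a real sniffer."""
    out = bytearray(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET))
    for ts, src, dst, wirelen in packets:
        frame = (dst + src + b"\x08\x00" + bytes(max(wirelen - 14, 0)))[:snaplen]
        sec = int(ts)
        usec = int(round((ts - sec) * 1_000_000))
        out += struct.pack("<IIII", sec, usec, len(frame), wirelen)
        out += frame
    return bytes(out)

MAC_A = bytes.fromhex("00005e005301")   # documentation MAC range (RFC 7042)
MAC_B = bytes.fromhex("00005e005302")
MAC_C = bytes.fromhex("00005e005303")
# Ten seconds of traffic: A sends ten 1500-byte frames, B five 200-byte
# frames, C a single 64-byte frame; records are deliberately not in time order.
SAMPLE_PACKETS = (
    [(float(i), MAC_A, MAC_B, 1500) for i in range(10)]
    + [(0.5 + 2 * i, MAC_B, MAC_A, 200) for i in range(5)]
    + [(10.0, MAC_C, MAC_A, 64)]
)
SAMPLE_PCAP = build_sample_pcap(SAMPLE_PACKETS)

if __name__ == "__main__":
    for mac, bps in station_throughput(SAMPLE_PCAP):
        print("%s %10.1f bit/s" % (mac, bps))
```

To run it on a real file, replace `SAMPLE_PCAP` with `open(path, "rb").read()`; for pcapng captures convert first (`editcap -F pcap`), since this reader only understands the classic format. Averaging over the whole capture hides bursts; for the "peak throughput" part of the question, bucket the same per-source byte counts by `int(ts)` and take the maximum bucket instead.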

Re: TWC (AS11351) blocking all NTP?

2014-02-03 Thread Jay Ashworth
- Original Message - > From: "Glen Turner" > On 4 Feb 2014, at 9:28 am, Christopher Morrow > wrote: > > > wait, so the whole of the thread is about stopping participants in > > the attack, and you're suggesting that removing/changing end-system > > switch/routing gear and doing somethin

Re: TWC (AS11351) blocking all NTP?

2014-02-03 Thread Doug Barton
On 02/03/2014 05:10 PM, Majdi S. Abbas wrote: NTP works best with a diverse set of peers. You know, outside your little bubble, or walled garden, or whatever people in this thread appear to be trying to build. I'm not sure what to call it, but it's definitely not the Internet. "The In