> On 1 Nov 2016, at 00:15, Rod Beck wrote:
>
> I am trying to determine the physical diversity of the Zayo and Level3
> networks vis-a-vis each other on the European racetrack -
> London/Amsterdam/Frankfurt/Paris/London. It is for a client of mine.
try Telegeography.com
best regards
Wolfgang
Does anyone have an IP that involves a load balancing router to test with?
On Mon, Oct 31, 2016 at 5:54 PM, Bryan Holloway wrote:
> On 10/31/16 4:20 PM, Olivier Benghozi wrote:
>
>> Hi Randy,
>>
>>
>> ECMP loadbalancing is most frequently done on layer3+layer4 headers, and
>> unixlike tracerou
-Original Message-
From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of White, Andrew
>
> There are two competing drafts for synthetic rule-based PTR responses
> for IPv6 rDNS:
>
> Howard Lee, Time Warner Cable (now Charter)
> https://tools.ietf.org/html/draft-howard-isp-ip6rdns-08
>
>
> Hi John,
>
> Thanks for the info and background.
>
> One operational suggestion I have is … why link synthesis rules to a
> specific DNS zone?
>
> Most larger operators of auth DNS use an IP management tool, like BT
> Diamond IPAM, BlueCat, or Infoblox. Oftentimes, allocations of IP space
> will
Hello,
A couple of cuts from tcpdump output:
21:31:54.995170 IP 141.138.131.115.80 > 109.72.248.114.21: Flags [S], seq
1376379765, win 8192, length 0
21:31:55.231925 IP 194.73.173.154.80 > 109.72.241.198.21: Flags [S], seq
2254756684, win 8192, length 0
21:27:50.413927 IP 95.131.188.179.80 > 10
01.11.2016, 22:06, "Eric Tykwinski" :
> Oleg,
>
> I'm seeing the same to a single client here source IPs seem to be matching up
> as well.
> I attached a pcap, just so you can compare.
>
And the same sources:
141.138.128.0 - 141.138.135.255
194.73.173.0 - 194.73.173.127
95.131.184.0 - 95.131.1
seeing an awful lot of port 80 hitting port 21. (Why would port 80
ever be used as source?). Also saw a buncha cpanel "FAILED: FTP" alerts
flickering on and off as the service throttled itself at a couple client
sites I manage.
I see 540 unique source IPs hitting 32 destinations on my network in
Not sure why reflected RSTs are the goal here, they're not much of an
amplification to the original syn size. Additionally causing a mild DoS of
my clients' stuff when it begins throttling # of connections, i.e. noticeable.
(not that I want to help scriptkids improve their attacks...). I'm guessing p
Ditto. Same sources; 141.138.128.0/21 and 95.131.184.0/21 (give or take).
Out of 1000 packet sample taken at 12:45:46 PDT (19:45:46 UTC) at boundary, 502
unique sources to 10 destination hosts on our AS.
Obligatory data should this be of use to anyone listening in.
-Original Message-
Fr
Does the synflood have tcp option headers?
I am seeing this same activity at our forward observation system, however
it's not showing any tcp options like mss,sack,timestamps etc, was curious
if others were seeing the same
[root@oakridge-intercept(~)]> tcpdump -nn -i eth0 'tcp and (tcp[13] == 2)'
> Does the synflood have tcp option headers?
Not seeing any here. From this morning.
12:45:46.180665 194.73.173.17.80 > 216.57.181.189.21: S [tcp sum ok]
1158156467:1158156467(0) win 8192 (DF) (ttl 60, id 18499, len 40)
12:45:46.180667 194.73.173.17.80 > 216.57.181.189.21: S [tcp sum ok]
115815
Yeah, it looks like the person behind the flood may have scanned for active
ftp servers, not seeing any activity on other observation subnets of this
flood, and so far the only servers showing this port 80 to port 21 are ones
that do have actual ftp servers, however, the connection is not actually
es
I think Ken has nailed it. I think the source addresses are spoofed so you
reflect the connection (tcp syn ack) to those source addresses. Get enough of
those connections and the server is dead.
Since your port 21 is open
telnet 109.72.248.114 21
Trying 109.72.248.114...
Connected to 109.72.24
Yeah it is an odd ball attack for sure, here is a 5000 packet sample of
what I was seeing in connection to this attack
https://mystagic.io/80to21.pcap , don't think it's the entire /0 for ftp
port as I am not seeing it on many other subnets, which is why I am
thinking someone did a pre-scan before
what's the density of open port 21s on the planet though? trying to estimate
the traffic resulting against the two target /21s.
Your dump only has 2 IPs in it though, on your /19 so not representative.
My dump is 500 synacks returned in 14 seconds to 32 IPs in a /22. This would
give 128M ftp r
Hello,
In the spirit of Ken's script below, I've started development of a tool
which I called NetCalc:
https://github.com/israel-lugo/netcalc (source code)
https://pypi.python.org/pypi/netcalc (Python package)
Currently, NetCalc allows one to add (aggregate) multiple networks,
subtract a networ
Most of those networks are served by Prolexic DDOS mitigation (AS 32787),
and according to BGPlay have been for a while. (AS carrying untoward material,
like a Tor exit node or onion router?)
But a couple /24s in the 95.* block are AS14537 Mohawk Internet Tech. in
Quebec Canada such as 95.131.188
Thanks everyone for their response. We are going to use the Azure Zone Service.
Cheers
Ryan
From: Matthieu Michaud [mailto:matth...@nxdomain.fr]
Sent: Friday, August 12, 2016 1:34 PM
To: Ryan Finnesey
Cc: nanog@nanog.org
Subject: Re: DNS Services for a registrar
Hi,
I have been very happy wi
Route 53 have IPv6 now handled out of the .co.uk zones though they
still don't do EDNS. Azure also mishandles EDNS.
Route 53 returns plain DNS responses when presented with an EDNS(1)
query. This breaks validating EDNS(1) clients getting answers from
a signed zone.
Azure echoes back unknown EDN
20 matches