Here's the FAQ on this topic:
https://support.google.com/websearch/answer/873?hl=en
It links to a contact form where you can ask for some redress.
Cheers,
jof
On Fri, Feb 7, 2014 at 7:20 AM, Praveen Unnikrishnan wrote:
> Hi,
>
> We are an ISP based in UK. We have got an ip block from RIPE whic
This is going to be tricky to do, as DNS packets don't necessarily contain
entire query values or FQDNs as complete strings due to packet label
compression (remember, original DNS only has 512 bytes to work with).
You can use those u32 module matches to find some known-bad packets if
they're suffi
For testing, I've had good luck with
https://github.com/titanous/heartbleeder and
https://gist.github.com/takeshixx/10107280
Both are mostly platform-independent, so they should be able to work even
if you don't have a modern OpenSSL to test with.
Cheers and good luck (you're going to need it),
j
Peter, it's a bit difficult to tell what's going on without seeing the
rest of the syslog-ng configuration and your script's source code.
However, a couple possibilities come to mind:
- Your script is only reading one line at a time. syslog-ng starts a
program() output persistently and expects tha
On Tue, Jun 24, 2014 at 12:59 AM, Pieter Hulshoff wrote:
> On 24-6-2014 8:37, Saku Ytti wrote:
>>
>> On (2014-06-23 11:13 +0200), Pieter Hulshoff wrote:
>>
>>> feature and market information for such a device, and I would welcome
>>> some
>>> feedback from interested people. Discussion about other
Wow -- be careful playing with public eBGP sessions unless you know
what you're doing. It can affect the entire Internet.
Since you're just connecting to a single upstream ISP, you won't
qualify for a public AS number. So, you'll have to work with your
upstream ISP to agree on a private AS number y
An Anycasting node. For example, as part of a reliable DNS service.
A /24 is usually the smallest prefix length that is portably accepted.
Also, applications where connections need to appear to be coming from many
source IPs.
On Saturday, July 19, 2014, Suresh Ramasubramanian
wrote:
> A single
m/
It's only ~250 small pages.
To practice and experiment, emulate some example configurations with
GNS3 and Dynamips, or some Linux VMs with Quagga or BIRD.
>
>
> On Sat, Jul 19, 2014 at 10:06 AM, Jonathan Lassoff wrote:
>>
>> An Anycasting node. For example, as pa
It really depends on what constraints you have. Do you care about:
cost? performance? support?
Personally, for cost-constrained applications of 1 Gbit/s or less
(assuming modestly-sized packets, not all-DNS for example), I like
OpenBSD/pf or Linux/netfilter and generic x86 64-bit servers.
It's che
On Wed, Nov 9, 2011 at 5:24 AM, Nick Hilliard wrote:
> On 09/11/2011 12:22, Richard Kulawiec wrote:
>> You will find it very difficult to beat pf on OpenBSD for efficiency,
>> features, flexibility, robustness, and security. Maintenance is very
>> easy: edit a configuration file, reload, done.
>
On Wed, Nov 9, 2011 at 12:44 PM, Nick Hilliard wrote:
> On 09/11/2011 19:07, C. Jon Larsen wrote:
>>
>> put the main portion of the conf in subversion as an include file and
>> factor out local differences in the configs with macros that are defined
>> in
>> pf.conf
>>
>> Easy.
>
> As I said, it's
On Mon, Nov 14, 2011 at 7:12 AM, Jon Lewis wrote:
> On Mon, 14 Nov 2011, Sam (Walter) Gailey wrote:
>
> My question is this; Is there an appropriate standard to specify for
>> fiber-optic cabling that if it is followed the fiber will be installed
>> correctly? Would specifying TIA/EIA 568-C.3, f
On Sat, Nov 19, 2011 at 4:51 PM, Duane Toler wrote:
> Hey NANOG!
>
> My employer is deploying Cisco ASA firewalls to our clients
> (specifically the 5505, 5510 for our smaller clients). We are having
> problems finding a decent log viewer. Several products seem to mean
> well, but they all fall
On Sat, Nov 19, 2011 at 5:32 PM, Duane Toler wrote:
> On Sat, Nov 19, 2011 at 20:04, Jay Ashworth wrote:
> > - Original Message -
> >> From: "Duane Toler"
> >
> >> My employer is deploying Cisco ASA firewalls to our clients
> >> (specifically the 5505, 5510 for our smaller clients). We
On Sat, Nov 19, 2011 at 5:46 PM, Duane Toler wrote:
> On Sat, Nov 19, 2011 at 20:30, Jonathan Lassoff wrote:
> > On Sat, Nov 19, 2011 at 4:51 PM, Duane Toler wrote:
> >>
> >> Hey NANOG!
> >>
> >> My employer is deploying Cisco ASA firewalls to our
On Mon, Nov 28, 2011 at 10:43 PM, wrote:
> On Tue, 29 Nov 2011 00:15:02 EST, Jeff Wheeler said:
>
> > Owen and I have discussed this in great detail off-list. Nearly every
> > time this topic comes up, he posts in public that neighbor table
> > exhaustion is a non-issue. I thought I'd mention t
I would argue that collapsing all of your policy evaluation and routing for
a size/zone/area/whatever into one box is actually somewhat detrimental to
stability (and consequently, security to a certain extent).
Cramming every little feature under the sun into one appliance makes for
great glossy b
My hunch is that this is fallout and repairs from Juniper PR839412.
Only fix is an upgrade. Not sure why they're not able to do a hitless
upgrade though; that's unfortunate.
Specially-crafted TCP packets that can get past RE/loopback filters
can crash the box.
--j
On Tue, Feb 5, 2013 at 7:39 AM,
my part; I don't know their
network from an internal perspective.
--j
>
> Should an upgrade be performed? Yes, but certainly doesn't have to have
> right away or without notice to customers.
>
> On Tue, Feb 5, 2013 at 11:23 AM, Jonathan Lassoff wrote:
>
>> My h
These appear to be an anycasted service, as I reach different destinations
based on my source address.
Hopefully each deployment has unique origin IPs for their recursive queries.
I would recommend against looking at RIR registration data to determine IP
location. There's often little to no corre
On Tue, Feb 5, 2013 at 1:10 PM, Jonathan Lassoff wrote:
> These appear to be an anycasted service, as I reach different destinations
> based on my source address.
>
> Hopefully each deployment has unique origin IPs for their recursive
> queries.
>
Just confirmed this.
I would think that in such a deployment scenario, microtrenching might
not be the best bet.
Part of the appeal (IMO) of microtrenching in existing pavement is
that once filled, the pavement slab provides for some protection and
rigidity.
If making a small trench into packed dirt, you're much more
s
Personally, I would just use BGP on a PC to collect this information.
Place some import/input policy on your eBGP sessions on your edge
routers to add communities to the routes such that you can recognize
which peers gave you the route.
Then, use an iBGP session to a BIRD or Quagga instance from w
I'm not sure of your specific application, but it sounds to me like
netflow/sflow exports would be the most scalable way to do this.
For small applications, ntop or bandwidthd can do this.
http://www.ntop.org/products/ntop/
http://bandwidthd.sourceforge.net/
Cheers,
jof
On Mon, Apr 8, 2013 at 12
I could suggest a few places. Might want to call ahead to make sure
they'll have what you need:
- Central Computer. Has locations in San Francisco and San Mateo. SF
maybe closer, but will take longer with traffic and parking.
-- http://www.centralcomputers.com/commerce/misc/sanfrancisco.jsp
-- http
Those are some truly perplexing graphs. Quite strange that it appears
linear, as if something is slightly changing over time or
growing/shrinking at a constant-ish rate.
Do you have throughput or PPS graphs for the intermediate links as
well? Any similar correlations in the derivative slope?
My o
Agreed. I can already pretty much just assume this widespread
surveillance is going on.
The Bluffdale, Utah facility isn't being built to store nothing.
It's happening whether we like it or not.
When I care about my privacy, I know that I have to take matters into
my own hands.
GnuPG and TLS are m
On Sat, Dec 10, 2011 at 11:49 AM, NetSecGuy wrote:
> I have a Linode VPS in Japan that I can't access from Verizon FIOS,
> but can access from other locations. I'm not sure who to blame.
>
> The host, 106.187.34.33, is behind the gateway 106.187.34.1:
>
> From FIOS to 106.187.34.1 (this works).
The best applications for analyzing paths, that I've seen, have been
in-house development projects. So, admittedly, I don't have much experience
with commercial products for route optimization.
Projects I've seen that analyze "best" paths to Internet destinations via
multiple ISPs add instrumentat
On Sat, Dec 24, 2011 at 6:48 AM, Glen Kent wrote:
> >
> > SLAAC only works with /64 - yes - but only if it runs on Ethernet-like
> > Interface ID's of 64bit length (RFC2464).
>
> Ok, the last 64 bits of the 128 bit address identifies an Interface ID
> which is uniquely derived from the 48bit MAC
On Tue, Jan 10, 2012 at 2:43 PM, Deric Kwok wrote:
> Hi all
>
> When we get newip, we should let the upstream know to expor it as
> there should have rule in their side.
>
> how about upstream provider, does they need to let their all bgp
> interconnect to know those our newip?
>
> If no, Can I k
On Thu, Jan 12, 2012 at 1:02 PM, Paul Stewart wrote:
> Hey folks. just curious what people are using for automating updates to
> Linux boxes?
>
>
>
> Today, we manually do YUM updates to all the CentOS servers . just an
> example but a good one. I have heard there are some open source solutions
>
On Sun, Jan 15, 2012 at 3:36 PM, Greg Ihnen wrote:
> Since we're already top-posting…
>
> I've heard a lot of talk on the WISPA (wireless ISP) forum that 802.11g/n
> starts to fall apart with more than 30 clients associated if they're all
> reasonably active. I believe this is a limitation of 80
On Wed, Jan 18, 2012 at 5:58 AM, Deric Kwok wrote:
> Is it supporting equally multipath in different bgp connections?
Most software routing protocols have support for this in their RIBs,
but the actual forwarding ability of the underlying kernel will
determine the support for this.
What platform
On Mon, Jan 23, 2012 at 12:46 PM, Eric C. Miller wrote:
> Hi all,
>
> I'm looking for a best practice sort of answer, plus maybe comments on why
> your network may or may not follow this.
>
> First, when running a small ISP with about the equivalent of a /18 or /19 in
> different blocks, how sho
On Mon, Jan 30, 2012 at 12:46 PM, Jim Gonzalez wrote:
> Hi,
>
> I am looking for a Wireless bridge or Router that will
> support 600 wireless clients concurrently (mostly cell phones). I need it
> for a proof of concept.
I've had some great luck with a variety of vendors, though n
On Tue, Jan 31, 2012 at 10:19 AM, Grant Ridder wrote:
> Hi,
>
> What is keeping you from advertising a more specific route (i.e /25's)?
Most large transits and NSPs filter out prefixes more specific than a /24.
Conventionally, at least in my experience, /24's are the most-specific
prefix you can
On Tue, Jan 31, 2012 at 10:00 AM, Kelvin Williams
wrote:
> We've been in a 12+ hour ordeal requesting that AS19181 (Cavecreek Internet
> Exchange) immediately filter out network blocks that are being advertised
> by AS33611 (SBJ Media, LLC) who provided to them a forged LOA.
>
> [ ...snip...]
U
On Tue, Feb 7, 2012 at 11:19 AM, Arzhel Younsi wrote:
> Xirrus say that they can support 640 clients with this device:
> http://www.xirrus.com/Products/Wireless-Arrays/XR-Series/XR-4000-Series
> I heard about it a couple weeks ago, didn't try it yet.
That's a pretty neat product -- it seems like
On Wed, Feb 15, 2012 at 7:50 PM, Faisal Imtiaz wrote:
> Is that because of Channel Spacing ? or some other reason ?
I would presume channel spacing. In FCC-land, there are only 3
non-overlapping 20 MHz bandwidths available.
--j
On Wed, Feb 15, 2012 at 8:41 PM, Joel jaeggli wrote:
> On 2/15/12 20:14 , Mario Eirea wrote:
>> This is my guess too, i guess there is some bleed over from their antenna
>> arrays.
>
> Even the most directional sector antenna in the world has a back lobe...
> and then there's the clients...
Agr
On Wed, Feb 15, 2012 at 8:13 PM, Jeremy wrote:
> I'm doing some research on 802.11 quality of service, congestion control,
> etc. I'm trying to find some information on the Point Coordination
> Function, a polling based access control method, but I'm having a hard time
> finding much in the way of
On Fri, Feb 17, 2012 at 10:35 AM, Jay Ashworth wrote:
> Please post your top 3 favorite components/parts you'd like to see in a
> vending machine at your colo; please be as specific as possible; don't
> let vendor specificity scare you off.
This is a riot! I'd love to have something like this at
On Fri, Feb 17, 2012 at 10:55 AM, Leo Bicknell wrote:
> In a message written on Fri, Feb 17, 2012 at 01:35:15PM -0500, Jay Ashworth
> wrote:
>> Please post your top 3 favorite components/parts you'd like to see in a
>> vending machine at your colo; please be as specific as possible; don't
>> let
On Sat, Mar 10, 2012 at 10:45 AM, Bill Woodcock wrote:
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA256
>
>
> On Mar 10, 2012, at 8:05 AM, Suresh Ramasubramanian wrote:
>> Sure, if you can find a datacenter that's capable of handling all the
>> traffic, and has staff who are able to provide eff
On Thu, Mar 29, 2012 at 12:33 PM, Oliver Garraux wrote:
> I was at Ubiquiti's conference. I don't disagree with what you're
> saying. Ubiquiti's take on it seemed to be that 24 GHz would likely
> never be used to the extent that 2.4 / 5.8 is. They are seeing 24 GHz
> as only for backhaul - no c
On Thu, Mar 29, 2012 at 2:37 PM, Joel jaeggli wrote:
> Cost will continue to drop, fact of the matter is the beam width is
> rather narrow and they attenuate rather well so you can have a fair
> number of them deployed without co-channel interference. if you pack a
> tower full of them you're goin
On Sun, Apr 22, 2012 at 9:05 PM, Md.Jahangir Hossain
wrote:
> Dear valued member:
>
>
> Wishes all are fine.
>
>
> i need suggestion from you about Juniper MX10 router performance. i want
> to buy this router for IP Transit provider where i received all global
> routes .
Do you have some spec
On Sun, Apr 22, 2012 at 9:48 PM, Md.Jahangir Hossain
wrote:
> Thanks jonathan for your reply .
>
> Actually i have not specific question , i need suggestion about this product
> if i purchase this as IP Transit provider.
Only someone with the knowledge of your business and requirements can
answe
On Tue, Apr 24, 2012 at 10:32 AM, wrote:
> Anyone have any tips for getting IPs from ARIN? For an end-user allocation
> they are requesting that we provide customer names for existing allocations,
> which is information that will take a while to obtain. They are insisting
> that this is standard
On Tue, Apr 24, 2012 at 11:14 AM, Owen DeLong wrote:
> That's not entirely true. What you say applies to one possible way for an
> ISP to get an allocation. It does not apply at all to end-users.
Even for end-user allocations, they would still need to fulfill the
requirements of 4.3.3 in the ARIN
On Wed, Apr 25, 2012 at 8:46 AM, Kenneth McRae
wrote:
> I have never provided the names of end users.. How the address space
> would be utilized? Definitely.. But not the names of end users...
>
Probably because you are an "end user".
If you're talking about AS26347, I don't think there is any
On Thu, May 3, 2012 at 12:25 PM, Luke S. Crawford wrote:
> On Thu, May 03, 2012 at 10:59:47AM -0400, Brandt, Ralph wrote:
>> One of the first things cellular companies can do is stop overselling
>> cellular. The second is end or raise the price significantly on
>> unlimited plans, both voice and
On Sat, May 19, 2012 at 3:23 AM, Anurag Bhatia wrote:
> Was wondering if there's anyone from Server Beach/Peer1 here. We have a
> dedicated server with them which we primarily use for DNS. I am adding
> support for anycasting on that one but seems like Peer1 is not supporting
> BGP at all. NOC sup
On Thu, Jun 28, 2012 at 1:50 PM, Christopher Morrow
wrote:
> of course, but you aren't supposed to be doing that on their network
> anyway... so says the nice man from sprint 4 nanogs ago.
That, and if you are tunneling in, it's good practice to forward over
any DNS traffic as well (or all, depen
On Wed, Jul 18, 2012 at 8:43 AM, Chris Grundemann wrote:
> I am currently working on a BCOP for IPv6 Peering and Transit and
> would very much appreciate some expert information on why using
> PeeringDB is a best practice (or why it's not). All opinions are
> welcome, but be aware that I plan on us
On Wed, Jul 18, 2012 at 9:59 AM, Zaid Ali wrote:
> The goal is "Source of truth" for any peer to know information at the
> Exchange points as well as peering coordinator information. I think it is
> a great tool for the peering community and definitely useful. Cons: Will
> it be the next RADB? The
On Thu, Sep 6, 2012 at 7:55 AM, wrote:
> A while back we had a customer colocated vpn router (2911) come in and we put
> it
> on our main vlan for initial set up and testing. Once that was done, I
> created a
> separate VLAN for them and a dot1q subinterface on an older, somewhat
> overloaded
On Thu, Oct 11, 2012 at 5:01 PM, shawn wilson wrote:
> in the past, i've done many different things to create entropy -
> encode videos, watch youtube, tcpdump -vvv > /dev/null, compiled a
> kernel. but, what is best? just whatever gets your cpu to peak or are
> some tasks better than others?
Per
On Thu, Oct 11, 2012 at 5:20 PM, Jimmy Hess wrote:
> On 10/11/12, shawn wilson wrote:
>> in the past, i've done many different things to create entropy -
>> encode videos, watch youtube, tcpdump -vvv > /dev/null, compiled a
>> kernel. but, what is best? just whatever gets your cpu to peak or are
On Sun, Oct 14, 2012 at 1:59 PM, Jonathan Rogers wrote:
> Gentlemen,
>
> An issue has come up in my organization recently with rogue access points.
> So far it has manifested itself two ways:
>
> 1. A WAP that was set up specifically to be transparent and provided
> unprotected wireless access to
On Thu, Nov 8, 2012 at 8:13 PM, Mikael Abrahamsson wrote:
> On Thu, 8 Nov 2012, Phil wrote:
>
>> The major vendors have figured it out for the most part by moving to
>> stateful synchronization between control plane modules and implementing
>> non-stop routing.
>
>
> NSR isn't ISSU.
>
> ISSU conta
On Wed, Oct 15, 2014 at 12:38 PM, Colton Conor wrote:
> So based on the response I have received so far it seems cable was a
> complicated example with service flows involved. What if we are talking
> about something simpler like keeping track of how much data flows in and
> out of a port on a swi
Zayo owns what used to be Abovenet.
In my experience, your experience will vary from market to market,
depending on the network you're based on.
As of late, we've had repeated capacity issues and packet loss in the San
Francisco Bay Area, however other metros have been perfectly stable.
On Wed,
Logstash and Splunk are both wonderful, in my experience.
What sets them apart from just a plain grep(1) is that they build an
index that points keywords to logging events (lines).
What if you're looking for events related to a specific interface or LSP?
Not a problem with a modest log volume,
Are you trying to block flows from becoming established, knowing what
you're looking for ahead of time, or are you looking to examine a
stream of flow establishments, and will snipe off some flows once
you've determined that they should be blocked?
If you know a 5-tuple (src/dst IP, IP protocol, s
hat
this can only match against strings contained within a single packet;
this doesn't do L4 stream reconstruction.
You can do some incredibly-parallel stuff with ntop's PF_RING code, if
you blow more traffic through a single core than it can chew through.
It all depends on what you'
The primary point of IPMI for most users is to be able to administer and
control the box when it's not running.
Using the host itself as a firewall is the quickest way to get that BMC
online, but it kinda defeats the purpose.
On Thu, Aug 15, 2013 at 7:46 PM, Jay Ashworth wrote:
> - Original
I don't understand why vendors and operators keep turning to TACACS. It
seems like they're often looking to Cisco as some paragon of best security
practices. It's a vulnerable protocol, but sometimes the only thing to
choose from.
One approach to secure devices that can support only TACACS or RAD
nsferred to the generator, while apparently
large DCs that are charging premium rates, do not.
Cordially
Patrick Giagnocavo
[EMAIL PROTECTED]
--
Jonathan Lassoff
echo thejof | sed 's/^/jof@/;s/$/.com/'
http://thejof.com
GPG: 0xC8579EE5
Querying from here (inside 69.59.128.0/18), I see sen-dmzp.senate.gov
(156.33.195.40) and sen-dmzs.senate.gov (156.33.195.41) returning
authoritatively for senate.gov:
--
[EMAIL PROTECTED]:~$ dig @156.33.195.40 senate.gov. in a
; <<>> DiG 9.3.4 <<>> @156.33.195.40 senate.gov. in a
; (1
Excerpts from David Coulson's message of Thu Nov 12 13:07:35 -0800 2009:
> You could route /32s within your L3 environment, or maybe even leverage
> something like VPLS - Not sure of any TOR-level switches that MPLS
> pseudowire a port into a VPLS cloud though.
I was recently looking into this (
Excerpts from Charles Wyble's message of Thu Dec 03 10:44:49 -0800 2009:
> 8.8.8.8 6.6.6.6 would have been really really funny. :)
Nice IPs from Level 3, huh?
6.6.6.6 belongs to the US Army.
--j
Excerpts from Dobbins, Roland's message of Tue Jan 05 20:23:28 -0800 2010:
Roland,
On many of the points you've made, I totally agree. Well-managed
hardware routers that have support for ACLs in hardware are a great
firewall for things that have a relatively small set of rules (e.g.
"any:any -> s
Excerpts from Christopher Morrow's message of Thu Jan 28 08:55:34 -0800 2010:
> On Thu, Jan 28, 2010 at 10:00 AM, Jeffrey Lyon
> wrote:
> > IntruGuard is highly customizable both from the GUI and CLI with the
> > engineer's assistance. It's the highest performance, reasonably priced box
> > that we
Excerpts from Jaren Angerbauer's message of Thu Mar 18 09:22:40 -0700 2010:
> Thanks all for the on / off list responses on this. I acknowledge I'm
> playing in territory I'm not familiar with, and was a bad idea to jump
> to the conclusion that this range was private. I made that assumption
> or
Excerpts from John Peach's message of Sun Apr 04 08:17:28 -0700 2010:
> On Sun, 4 Apr 2010 11:10:56 -0400
> David Andersen wrote:
>
> > There are some classical cases of assigning the same MAC address to every
> > machine in a batch, resetting the counter used to number them, etc.;
> > unless
On Mon, May 23, 2011 at 4:39 PM, Ryan Rawdon wrote:
> I've heard some mixed reports of XO's IPv6 availability - some that they have
> full deployment/availability, but others like the answer back from our XO
> reseller that XO does not offer IPv6 on circuits under 45mbit/s.
>
> What is the exper