Did anyone else experience a Level 3 outage in the last couple of days? Seems like we've been affected with quite a few VPNV4 outages (one that lasted for up to 9 hrs) and didn't get resolved until they rebuilt their vpnv4 address family on their PE router(s)?
On Thu, Mar 26, 2015 at 8:00 AM, <nanog-request@nanog.org> wrote:
Send NANOG mailing list submissions to nanog@nanog.org
To subscribe or unsubscribe via the World Wide Web, visit http://mailman.nanog.org/mailman/listinfo/nanog or, via email, send a message with subject or body 'help' to nanog-request@nanog.org
You can reach the person managing the list at nanog-owner@nanog.org
When replying, please edit your Subject line so it is more specific than "Re: Contents of NANOG digest..."
Today's Topics:
1. godaddy contact (Tim)
2. Frontier: Blocking port 22 because of illegal files? (Aaron C. de Bruyn)
3. Re: Frontier: Blocking port 22 because of illegal files? (Eygene Ryabinkin)
4. Re: Frontier: Blocking port 22 because of illegal files? (Jon Lewis)
5. Re: Frontier: Blocking port 22 because of illegal files? (Stephen Satchell)
6. Re: Frontier: Blocking port 22 because of illegal files? (Seth Mos)
7. booster to gain distance above 60km (Rodrigo Augusto)
8. Re: Frontier: Blocking port 22 because of illegal files? (Jens Link)
9. Prefix hijack by INDOSAT AS4795 / AS4761 (Randy)
10. Re: Frontier: Blocking port 22 because of illegal files? (Livingood, Jason)
11. Re: Prefix hijack by INDOSAT AS4795 / AS4761 (Christopher Morrow)
12. Re: Frontier: Blocking port 22 because of illegal files? (Jeff Richmond)
13. Re: Frontier: Blocking port 22 because of illegal files? (Daniel Corbe)
14. Re: Prefix hijack by INDOSAT AS4795 / AS4761 (Randy)
15. RE: Prefix hijack by INDOSAT AS4795 / AS4761 (Peter Rocca)
16. Re: Prefix hijack by INDOSAT AS4795 / AS4761 (Christopher Morrow)
17. Re: Prefix hijack by INDOSAT AS4795 / AS4761 (Christopher Morrow)
18. Re: Prefix hijack by INDOSAT AS4795 / AS4761 (Randy)
19. Re: Prefix hijack by INDOSAT AS4795 / AS4761 (Pierre Emeriaud)
20. Re: Prefix hijack by INDOSAT AS4795 / AS4761 (Paul S.)
21. Re: Prefix hijack by INDOSAT AS4795 / AS4761 (Chuck Anderson)
22. Re: Prefix hijack by INDOSAT AS4795 / AS4761 (Christian Teuschel)
23. Re: Prefix hijack by INDOSAT AS4795 / AS4761 (Andree Toonk)
24. RE: Prefix hijack by INDOSAT AS4795 / AS4761 (Peter Rocca)
25. Charter Engineer (Shawn L)
26. RE: More specifics from AS18978 [was: Prefix hijack by INDOSAT AS4795 / AS4761] (Randy)
----------------------------------------------------------------------
Message: 1 Date: Wed, 25 Mar 2015 16:41:50 -0600 From: Tim <timphp@progressivemarketingnetwork.com> To: nanog@nanog.org Subject: godaddy contact Message-ID: <551339AE.8010203@progressivemarketingnetwork.com> Content-Type: text/plain; charset=utf-8
Anyone from godaddy on here or have contact details for them? We are having a routing issue to them.
------------------------------
Message: 2 Date: Wed, 25 Mar 2015 19:31:35 -0700 From: "Aaron C. de Bruyn" <aaron@heyaaron.com> To: NANOG mailing list <nanog@nanog.org> Subject: Frontier: Blocking port 22 because of illegal files? Message-ID: <CAEE+rGqimJYAfgmzm9AJ72+gcmJxfZLM7n4Rf03vynxKN= Qfeg@mail.gmail.com> Content-Type: text/plain; charset=UTF-8
I've had a handful of clients contact me over the last week with trouble using SCP (usually WinSCP) to manage their website content on my servers. Either they get timeout messages from WinSCP or a message saying they should switch to SFTP.
After getting a few helpful users on the phone to run some quick tests, we found port 22 was blocked.
When my customers contacted Frontier, they were told that port 22 was blocked because it is used to transfer illegal files.
I called them, and got the same ridiculous excuse.
Just a friendly heads-up to anyone from Frontier who might be listening, I have a few additional ports you may wish to block:
80 - Allows users to use Google to search for illegal files
443 - Allows users to use Google to search for illegal files in a secure manner
69 - Allows users to trivially transfer illegal files
3389 - Allows users to connect to unlicensed Windows machines
179 - Allows users to exchange routes to illegal file shares
53 - Allows people to look up illegal names
-A
------------------------------
Message: 3 Date: Thu, 26 Mar 2015 07:21:45 +0300 From: Eygene Ryabinkin <rea+nanog@grid.kiae.ru> To: "Aaron C. de Bruyn" <aaron@heyaaron.com> Cc: NANOG mailing list <nanog@nanog.org> Subject: Re: Frontier: Blocking port 22 because of illegal files? Message-ID: <nwCOvNPJTWOEp6pB7jt97dzYZ/0@xD7c2HZfPDzIruDUr3Qm9QhN1kk> Content-Type: text/plain; charset=us-ascii
Wed, Mar 25, 2015 at 07:31:35PM -0700, Aaron C. de Bruyn wrote:
Just a friendly heads-up to anyone from Frontier who might be listening, I have a few additional ports you may wish to block:
80 - Allows users to use Google to search for illegal files
443 - Allows users to use Google to search for illegal files in a secure manner
69 - Allows users to trivially transfer illegal files
3389 - Allows users to connect to unlicensed Windows machines
179 - Allows users to exchange routes to illegal file shares
53 - Allows people to look up illegal names
Can't help to add that there are
- port 21 that allows users to give commands to examine the existence and initiate transfers of illegal files;
- ports 1025 - 65535 that allow users to create data streams to actually transfer illegal files in an (oh my) passive mode.
;)
--
Eygene Ryabinkin, National Research Centre "Kurchatov Institute"
Always code as if the guy who ends up maintaining your code will be a violent psychopath who knows where you live.
------------------------------
Message: 4 Date: Thu, 26 Mar 2015 00:56:21 -0400 (EDT) From: Jon Lewis <jlewis@lewis.org> To: "Aaron C. de Bruyn" <aaron@heyaaron.com> Cc: NANOG mailing list <nanog@nanog.org> Subject: Re: Frontier: Blocking port 22 because of illegal files? Message-ID: <Pine.LNX.4.61.1503260052100.10544@soloth.lewis.org> Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed
On Wed, 25 Mar 2015, Aaron C. de Bruyn wrote:
I've had a handful of clients contact me over the last week with trouble using SCP (usually WinSCP) to manage their website content on my servers. Either they get timeout messages from WinSCP or a message saying they should switch to SFTP.
After getting a few helpful users on the phone to run some quick tests, we found port 22 was blocked.
When my customers contacted Frontier, they were told that port 22 was blocked because it is used to transfer illegal files.
I called them, and got the same ridiculous excuse.
Just a friendly heads-up to anyone from Frontier who might be listening, I have a few additional ports you may wish to block:
I wonder if their support is just confused, and Frontier is really blocking outbound tcp/22 to stop complaints generated by infected customers with sshd scanners. After all, most of their customers probably don't know what SSH is.
----------------------------------------------------------------------
Jon Lewis, MCP :) | I route | therefore you are
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
------------------------------
Message: 5 Date: Thu, 26 Mar 2015 04:24:38 -0700 From: Stephen Satchell <list@satchell.net> To: nanog@nanog.org Subject: Re: Frontier: Blocking port 22 because of illegal files? Message-ID: <5513EC76.5060306@satchell.net> Content-Type: text/plain; charset=UTF-8
On 03/25/2015 07:31 PM, Aaron C. de Bruyn wrote:
After getting a few helpful users on the phone to run some quick tests, we found port 22 was blocked.
It's been a while since I did this, but you can select an additional port to accept SSH connections. A Google search indicates you can specify multiple ports in OpenSSH. Picking the right port to use is an exercise, though, that will depend on what other services you are running on your server.
People with sane ISPs can use the standard port. People on Frontier can use the alternate port, which shouldn't be firewalled by the provider. If Frontier is running a mostly-closed firewall configuration, then you have to be damn careful about the port you select.
------------------------------
Message: 6 Date: Thu, 26 Mar 2015 12:56:31 +0100 From: Seth Mos <seth.mos@dds.nl> To: nanog@nanog.org Subject: Re: Frontier: Blocking port 22 because of illegal files? Message-ID: <5513F3EF.2080805@dds.nl> Content-Type: text/plain; charset=utf-8
Stephen Satchell wrote on 26-3-2015 at 12:24:
On 03/25/2015 07:31 PM, Aaron C. de Bruyn wrote:
After getting a few helpful users on the phone to run some quick tests, we found port 22 was blocked.
It's been a while since I did this, but you can select an additional port to accept SSH connections. A Google search indicates you can specify multiple ports in OpenSSH. Picking the right port to use is an exercise, though, that will depend on what other services you are running on your server.
People with sane ISPs can use the standard port. People on Frontier can use the alternate port, which shouldn't be firewalled by the provider. If Frontier is running a mostly-closed firewall configuration, then you have to be damn careful about the port you select.
Ahem, just to clarify, he is not talking about inbound on the Frontier connection, but outbound *from* the Frontier network.
Akin to the "Let's block outbound port 25 (smtp)".
This is just a really really bad idea m'kay.
Cheers
------------------------------
Message: 7 Date: Thu, 26 Mar 2015 09:07:39 -0300 From: Rodrigo Augusto <rodrigo@1telecom.com.br> To: nanog <nanog@nanog.org> Subject: booster to gain distance above 60km Message-ID: <D1397CDB.35C0B%rodrigo@1telecom.com.br> Content-Type: text/plain; charset="ISO-8859-1"
Hi folks... we have a point and have a 63km between point A to point B.... We have a single fiber (only one fiber) and use a fiberstore sfp+ 10GB dibi 1270/1330 module to connect these sites. All attenuation are ok... I don't have any trouble on fiber.... I have received this signal on my sfp+:
Receiver signal average optical power : 0.0026 mW / -25.85 dBm
Does anyone know if have some possible to amplifier this scenario to get more 7db? Is it possible to put any booster or any way to solve this? I think to use a optical PreAmplifier... but I don't know if is possible because my scenario have just one fiber... or, use a ROPA (remote optical pumping amplifier) because I have 63km... Does anyone have some idea?
Rodrigo Augusto
IT Manager
Grupo Connectoway
http://www.connectoway.com.br
http://www.1telecom.com.br
rodrigo@connectoway.com.br
(81) 3497-6060
(81) 8184-3646
INOC-DBA 52965*100
------------------------------
Message: 8 Date: Thu, 26 Mar 2015 13:10:35 +0100 From: Jens Link <lists@quux.de> To: nanog@nanog.org Subject: Re: Frontier: Blocking port 22 because of illegal files? Message-ID: <87mw30hscj.fsf@pc8.berlin.quux.de> Content-Type: text/plain
Stephen Satchell <list@satchell.net> writes:
It's been a while since I did this, but you can select an additional port to accept SSH connections.
That's easy:
jens@screen:~$ grep Port /etc/ssh/sshd_config
Port 22
Port 443
Picking the right port to use is an exercise, though, that will depend on what other services you are running on your server.
I always have at least one sshd listening on port 443. For all the hotel, coffee house, customer networks blocking ssh.
You can even multiplex and run ssh and ssl on the same port:
http://www.rutschle.net/tech/sslh.shtml
Jens --
---------------------------------------------------------------------------- | Foelderichstr. 40 | 13595 Berlin, Germany | +49-151-18721264 | | http://blog.quux.de | jabber: jenslink@jabber.quux.de | --------------- |
----------------------------------------------------------------------------
------------------------------
Message: 9 Date: Thu, 26 Mar 2015 07:08:20 -0700 From: Randy <amps@djlab.com> To: nanog@nanog.org Subject: Prefix hijack by INDOSAT AS4795 / AS4761 Message-ID: <b8636bc52cdc7f7f595ff96c7b078445@mailbox.fastserv.com> Content-Type: text/plain; charset=US-ASCII; format=flowed
On Thursday March 26th 2015 at 12:18 UTC (and on-going) we are seeing more specifics on one of our prefixes. Anyone else seeing similar or is it just us?
198.98.180.0/23 4795 4795 4761 9304 40633 18978 4436 29889
198.98.182.0/23 4795 4795 4761 9304 40633 18978 4436 29889
-- Randy
------------------------------
Message: 10 Date: Thu, 26 Mar 2015 14:09:52 +0000 From: "Livingood, Jason" <Jason_Livingood@cable.comcast.com> To: "Aaron C. de Bruyn" <aaron@heyaaron.com>, NANOG mailing list <nanog@nanog.org> Subject: Re: Frontier: Blocking port 22 because of illegal files? Message-ID: <D1398B6B.FDE9E%jason_livingood@cable.comcast.com> Content-Type: text/plain; charset="Windows-1252"
ISPs are generally expected to disclose any port blocking. A quick Google search shows this is Frontier’s list: http://www.frontierhelp.com/faq.cfm?qstid=277
On 3/25/15, 10:31 PM, "Aaron C. de Bruyn" <aaron@heyaaron.com> wrote:
I've had a handful of clients contact me over the last week with trouble using SCP (usually WinSCP) to manage their website content on my servers. Either they get timeout messages from WinSCP or a message saying they should switch to SFTP.
After getting a few helpful users on the phone to run some quick tests, we found port 22 was blocked.
When my customers contacted Frontier, they were told that port 22 was blocked because it is used to transfer illegal files.
I called them, and got the same ridiculous excuse.
Just a friendly heads-up to anyone from Frontier who might be listening, I have a few additional ports you may wish to block:
80 - Allows users to use Google to search for illegal files
443 - Allows users to use Google to search for illegal files in a secure manner
69 - Allows users to trivially transfer illegal files
3389 - Allows users to connect to unlicensed Windows machines
179 - Allows users to exchange routes to illegal file shares
53 - Allows people to look up illegal names
-A
------------------------------
Message: 11 Date: Thu, 26 Mar 2015 10:27:21 -0400 From: Christopher Morrow <morrowc.lists@gmail.com> To: amps@djlab.com Cc: nanog list <nanog@nanog.org> Subject: Re: Prefix hijack by INDOSAT AS4795 / AS4761 Message-ID: <CAL9jLaY17-8nVwXDDs1dncU= 252pBSEFpdi1QaGXq5ZEJ-AyvA@mail.gmail.com> Content-Type: text/plain; charset=UTF-8
On Thu, Mar 26, 2015 at 10:08 AM, Randy <amps@djlab.com> wrote:
On Thursday March 26th 2015 at 12:18 UTC (and on-going) we are seeing more specifics on one of our prefixes. Anyone else seeing similar or is it just us?
is your AS in the path below? (what is your AS so folk can check for your prefixes/customer-prefixes and attempt to help?)
198.98.180.0/23 4795 4795 4761 9304 40633 18978 4436 29889
198.98.182.0/23 4795 4795 4761 9304 40633 18978 4436 29889
-- Randy
------------------------------
Message: 12 Date: Thu, 26 Mar 2015 07:28:57 -0700 From: Jeff Richmond <jeff.richmond@gmail.com> To: "Livingood, Jason" <Jason_Livingood@cable.comcast.com> Cc: "Aaron C. de Bruyn" <aaron@heyaaron.com>, NANOG mailing list <nanog@nanog.org> Subject: Re: Frontier: Blocking port 22 because of illegal files? Message-ID: <006E35AD-00E6-4B61-890F-29E580CE91C9@gmail.com> Content-Type: text/plain; charset=windows-1252
All, I have reached out to Aaron privately for details, but we do not block port 22 traffic unless it is in direct response to an attack or related item. Please let me know directly if you have any specific questions.
Thanks, -Jeff
On Mar 26, 2015, at 7:09 AM, Livingood, Jason <Jason_Livingood@cable.comcast.com> wrote:
ISPs are generally expected to disclose any port blocking. A quick Google search shows this is Frontier’s list: http://www.frontierhelp.com/faq.cfm?qstid=277
On 3/25/15, 10:31 PM, "Aaron C. de Bruyn" <aaron@heyaaron.com> wrote:
I've had a handful of clients contact me over the last week with trouble using SCP (usually WinSCP) to manage their website content on my servers. Either they get timeout messages from WinSCP or a message saying they should switch to SFTP.
After getting a few helpful users on the phone to run some quick tests, we found port 22 was blocked.
When my customers contacted Frontier, they were told that port 22 was blocked because it is used to transfer illegal files.
I called them, and got the same ridiculous excuse.
Just a friendly heads-up to anyone from Frontier who might be listening, I have a few additional ports you may wish to block:
80 - Allows users to use Google to search for illegal files
443 - Allows users to use Google to search for illegal files in a secure manner
69 - Allows users to trivially transfer illegal files
3389 - Allows users to connect to unlicensed Windows machines
179 - Allows users to exchange routes to illegal file shares
53 - Allows people to look up illegal names
-A
------------------------------
Message: 13 Date: Thu, 26 Mar 2015 10:32:31 -0400 From: Daniel Corbe <corbe@corbe.net> To: "Livingood\, Jason" <Jason_Livingood@cable.comcast.com> Cc: "Aaron C. de Bruyn" <aaron@heyaaron.com>, NANOG mailing list <nanog@nanog.org> Subject: Re: Frontier: Blocking port 22 because of illegal files? Message-ID: <874mp7hls0.fsf@corbe.net> Content-Type: text/plain; charset=utf-8
Nothing helps promote a free and open Internet more than micromanaging your users' download activity.
Not really sure how someone comes to the conclusion that nobody really *needs* ssh for anything.
"Livingood, Jason" <Jason_Livingood@cable.comcast.com> writes:
ISPs are generally expected to disclose any port blocking. A quick Google search shows this is Frontier’s list: http://www.frontierhelp.com/faq.cfm?qstid=277
On 3/25/15, 10:31 PM, "Aaron C. de Bruyn" <aaron@heyaaron.com> wrote:
I've had a handful of clients contact me over the last week with trouble using SCP (usually WinSCP) to manage their website content on my servers. Either they get timeout messages from WinSCP or a message saying they should switch to SFTP.
After getting a few helpful users on the phone to run some quick tests, we found port 22 was blocked.
When my customers contacted Frontier, they were told that port 22 was blocked because it is used to transfer illegal files.
I called them, and got the same ridiculous excuse.
Just a friendly heads-up to anyone from Frontier who might be listening, I have a few additional ports you may wish to block:
80 - Allows users to use Google to search for illegal files
443 - Allows users to use Google to search for illegal files in a secure manner
69 - Allows users to trivially transfer illegal files
3389 - Allows users to connect to unlicensed Windows machines
179 - Allows users to exchange routes to illegal file shares
53 - Allows people to look up illegal names
-A
------------------------------
Message: 14 Date: Thu, 26 Mar 2015 07:38:08 -0700 From: Randy <amps@djlab.com> To: Christopher Morrow <morrowc.lists@gmail.com> Cc: christopher.morrow@gmail.com, nanog list <nanog@nanog.org> Subject: Re: Prefix hijack by INDOSAT AS4795 / AS4761 Message-ID: <d9f578bfd7e75bf125e26a2911c670bb@mailbox.fastserv.com> Content-Type: text/plain; charset=US-ASCII; format=flowed
On 03/26/2015 7:27 am, Christopher Morrow wrote:
is your AS in the path below? (what is your AS so folk can check for your prefixes/customer-prefixes and attempt to help?)
Sorry, we're 29889.
------------------------------
Message: 15 Date: Thu, 26 Mar 2015 14:43:20 +0000 From: Peter Rocca <rocca@start.ca> To: "nanog@nanog.org" <nanog@nanog.org> Subject: RE: Prefix hijack by INDOSAT AS4795 / AS4761 Message-ID: <44c3b7398b0c46b8a842c44da3f379be@APP02.start.local> Content-Type: text/plain; charset="us-ascii"
We just received a similar alert from bgpmon - part of 108.168.0.0/17 is being advertised as /20's - although we're still listed as the origin. We are 40788.
108.168.64.0/20 4795 4795 4761 9304 40633 18978 6939 40788
108.168.80.0/20 4795 4795 4761 9304 40633 18978 6939 40788
108.168.96.0/20 4795 4795 4761 9304 40633 18978 6939 40788
108.168.112.0/20 4795 4795 4761 9304 40633 18978 6939 40788
-----Original Message----- From: NANOG [mailto:nanog-bounces@nanog.org] On Behalf Of Randy Sent: March-26-15 10:08 AM To: nanog@nanog.org Subject: Prefix hijack by INDOSAT AS4795 / AS4761
On Thursday March 26th 2015 at 12:18 UTC (and on-going) we are seeing more specifics on one of our prefixes. Anyone else seeing similar or is it just us?
198.98.180.0/23 4795 4795 4761 9304 40633 18978 4436 29889
198.98.182.0/23 4795 4795 4761 9304 40633 18978 4436 29889
-- Randy
------------------------------
Message: 16 Date: Thu, 26 Mar 2015 10:44:28 -0400 From: Christopher Morrow <morrowc.lists@gmail.com> To: amps@djlab.com Cc: nanog list <nanog@nanog.org> Subject: Re: Prefix hijack by INDOSAT AS4795 / AS4761 Message-ID: <CAL9jLaYvGYc6s4uhAqfKG+qikWSa4U3Mp= Xo6UUVfAz_4gGR9w@mail.gmail.com> Content-Type: text/plain; charset=UTF-8
On Thu, Mar 26, 2015 at 10:38 AM, Randy <amps@djlab.com> wrote:
On 03/26/2015 7:27 am, Christopher Morrow wrote:
is your AS in the path below? (what is your AS so folk can check for your prefixes/customer-prefixes and attempt to help?)
Sorry, we're 29889.
ok, and it looks like the path you clipped is: 198.98.180.0/23 4795 4795 4761 9304 40633 18978 4436 29889
possibly LAIX is passing along your /24 you didn't mean them to pass on?
------------------------------
Message: 17 Date: Thu, 26 Mar 2015 10:45:09 -0400 From: Christopher Morrow <morrowc.lists@gmail.com> To: Peter Rocca <rocca@start.ca> Cc: "nanog@nanog.org" <nanog@nanog.org> Subject: Re: Prefix hijack by INDOSAT AS4795 / AS4761 Message-ID: < CAL9jLaaLxcncc4uyTKz7SuDUks4B+VjzA56NO6n_tdHRmhJsZA@mail.gmail.com> Content-Type: text/plain; charset=UTF-8
On Thu, Mar 26, 2015 at 10:43 AM, Peter Rocca <rocca@start.ca> wrote:
We just received a similar alert from bgpmon - part of 108.168.0.0/17 is being advertised as /20's - although we're still listed as the origin. We are 40788.
108.168.64.0/20 4795 4795 4761 9304 40633 18978 6939 40788
108.168.80.0/20 4795 4795 4761 9304 40633 18978 6939 40788
108.168.96.0/20 4795 4795 4761 9304 40633 18978 6939 40788
108.168.112.0/20 4795 4795 4761 9304 40633 18978 6939 40788
common point looks like LAIX ? their routeserver go crazy perhaps? or did they change in/out prefix management information?
-----Original Message----- From: NANOG [mailto:nanog-bounces@nanog.org] On Behalf Of Randy Sent: March-26-15 10:08 AM To: nanog@nanog.org Subject: Prefix hijack by INDOSAT AS4795 / AS4761
On Thursday March 26th 2015 at 12:18 UTC (and on-going) we are seeing more specifics on one of our prefixes. Anyone else seeing similar or is it just us?
198.98.180.0/23 4795 4795 4761 9304 40633 18978 4436 29889
198.98.182.0/23 4795 4795 4761 9304 40633 18978 4436 29889
-- Randy
------------------------------
Message: 18 Date: Thu, 26 Mar 2015 07:46:31 -0700 From: Randy <amps@djlab.com> To: Christopher Morrow <morrowc.lists@gmail.com> Cc: christopher.morrow@gmail.com, nanog list <nanog@nanog.org> Subject: Re: Prefix hijack by INDOSAT AS4795 / AS4761 Message-ID: <78c55aee9b1853c827c78adb8527fafb@mailbox.fastserv.com> Content-Type: text/plain; charset=US-ASCII; format=flowed
All,
Info gathered off-list indicates this may be a couple of issues in our case - possible routing leak by 18978 (check your tables!) and more specifics on our prefixes from 4795 that we couldn't see before the leak hence the apparent hijack.
-- ~Randy
------------------------------
Message: 19 Date: Thu, 26 Mar 2015 15:46:51 +0100 From: Pierre Emeriaud <petrus.lt@gmail.com> To: amps@djlab.com Cc: nanog@nanog.org Subject: Re: Prefix hijack by INDOSAT AS4795 / AS4761 Message-ID: < CA+PSOpyoEOAsWgQ1mzG+mLs0zrMOw35o7YTRE_R5YsSM8uCAxA@mail.gmail.com> Content-Type: text/plain; charset=UTF-8
Hi,
2015-03-26 15:08 GMT+01:00 Randy <amps@djlab.com>:
On Thursday March 26th 2015 at 12:18 UTC (and on-going) we are seeing more specifics on one of our prefixes. Anyone else seeing similar or is it just us?
198.98.180.0/23 4795 4795 4761 9304 40633 18978 4436 29889
198.98.182.0/23 4795 4795 4761 9304 40633 18978 4436 29889
We (as3215) are seeing almost the same path with 40633 18978 3257 3215, for some quite a lot of prefixes.
Some alerts from bgpmon:
193.251.32.0/20 271 6939 40633 18978 3257 3215
193.251.32.0/20 271 6939 40633 18978 3257 3215
We are not directly connected to 3257. Looks like 18978 deaggregated to /20 and reannounced to 40633 (LAIX).
Rgds, pierre
------------------------------
Message: 20 Date: Thu, 26 Mar 2015 23:48:12 +0900 From: "Paul S." <contact@winterei.se> To: nanog@nanog.org Subject: Re: Prefix hijack by INDOSAT AS4795 / AS4761 Message-ID: <55141C2C.40706@winterei.se> Content-Type: text/plain; charset=UTF-8; format=flowed
Same here. These Indosat guys can't seem to catch a break =/
On 3/26/2015 11:43 PM, Peter Rocca wrote:
We just received a similar alert from bgpmon - part of 108.168.0.0/17 is being advertised as /20's - although we're still listed as the origin. We are 40788.
108.168.64.0/20 4795 4795 4761 9304 40633 18978 6939 40788
108.168.80.0/20 4795 4795 4761 9304 40633 18978 6939 40788
108.168.96.0/20 4795 4795 4761 9304 40633 18978 6939 40788
108.168.112.0/20 4795 4795 4761 9304 40633 18978 6939 40788
-----Original Message----- From: NANOG [mailto:nanog-bounces@nanog.org] On Behalf Of Randy Sent: March-26-15 10:08 AM To: nanog@nanog.org Subject: Prefix hijack by INDOSAT AS4795 / AS4761
On Thursday March 26th 2015 at 12:18 UTC (and on-going) we are seeing more specifics on one of our prefixes. Anyone else seeing similar or is it just us?
198.98.180.0/23 4795 4795 4761 9304 40633 18978 4436 29889
198.98.182.0/23 4795 4795 4761 9304 40633 18978 4436 29889
------------------------------
Message: 21 Date: Thu, 26 Mar 2015 11:00:31 -0400 From: Chuck Anderson <cra@WPI.EDU> To: nanog@nanog.org Subject: Re: Prefix hijack by INDOSAT AS4795 / AS4761 Message-ID: <20150326150030.GO9776@angus.ind.WPI.EDU> Content-Type: text/plain; charset=us-ascii
We are AS 10326 130.215.0.0/16 and I just received a BGPmon alert as well:
130.215.160.0/20 4795 4795 4761 9304 40633 18978 4436 10326
130.215.176.0/20 4795 4795 4761 9304 40633 18978 4436 10326
On Thu, Mar 26, 2015 at 10:45:09AM -0400, Christopher Morrow wrote:
On Thu, Mar 26, 2015 at 10:43 AM, Peter Rocca <rocca@start.ca> wrote:
We just received a similar alert from bgpmon - part of 108.168.0.0/17 is being advertised as /20's - although we're still listed as the origin. We are 40788.
108.168.64.0/20 4795 4795 4761 9304 40633 18978 6939 40788
108.168.80.0/20 4795 4795 4761 9304 40633 18978 6939 40788
108.168.96.0/20 4795 4795 4761 9304 40633 18978 6939 40788
108.168.112.0/20 4795 4795 4761 9304 40633 18978 6939 40788
common point looks like LAIX ? their routeserver go crazy perhaps? or did they change in/out prefix management information?
-----Original Message----- From: NANOG [mailto:nanog-bounces@nanog.org] On Behalf Of Randy Sent: March-26-15 10:08 AM To: nanog@nanog.org Subject: Prefix hijack by INDOSAT AS4795 / AS4761
On Thursday March 26th 2015 at 12:18 UTC (and on-going) we are seeing more specifics on one of our prefixes. Anyone else seeing similar or is it just us?
198.98.180.0/23 4795 4795 4761 9304 40633 18978 4436 29889
198.98.182.0/23 4795 4795 4761 9304 40633 18978 4436 29889
-- Randy
------------------------------
Message: 22 Date: Thu, 26 Mar 2015 16:02:00 +0100 From: Christian Teuschel <christian.teuschel@ripe.net> To: nanog@nanog.org Subject: Re: Prefix hijack by INDOSAT AS4795 / AS4761 Message-ID: <55141F68.9060900@ripe.net> Content-Type: text/plain; charset="windows-1252"
Hi Randy,
Assuming that your prefix is 198.98.180.0/22 (AS29889 - FSNET-1 - Fast Serv Networks, LLC) none of the mentioned more specifics are currently seen from the RIPE NCC's RIS network, see the Looking Glass widget:
https://stat.ripe.net/198.98.180.0/23#tabId=routing
https://stat.ripe.net/198.98.182.0/23#tabId=at-a-glance
though there has been some BGP activity going on since 11:49:42, see the BGPlay and BGP Update Activity widget. In both cases the originating ASN was AS29889.
Cheers, Christian
On 26/03/15 15:46, Randy wrote:
All,
Info gathered off-list indicates this may be a couple of issues in our case - possible routing leak by 18978 (check your tables!) and more specifics on our prefixes from 4795 that we couldn't see before the leak hence the apparent hijack.
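The triage the posters did by eye in the AS4795 / AS18978 messages above, as an added Python example (not code from any poster or from BGPmon): it takes the alert lines and covering prefixes quoted in the thread, flags more-specifics whose origin AS is unchanged, and finds the AS-path segment shared by every alert. Function names are made up for this example, and AS3215's covering prefix is not given in the thread, so that alert is reported as having no known aggregate.

```python
import ipaddress

# Alert lines as posted in the thread: prefix, then AS path (origin AS last).
ALERTS = """
198.98.180.0/23 4795 4795 4761 9304 40633 18978 4436 29889
198.98.182.0/23 4795 4795 4761 9304 40633 18978 4436 29889
108.168.64.0/20 4795 4795 4761 9304 40633 18978 6939 40788
108.168.80.0/20 4795 4795 4761 9304 40633 18978 6939 40788
108.168.96.0/20 4795 4795 4761 9304 40633 18978 6939 40788
108.168.112.0/20 4795 4795 4761 9304 40633 18978 6939 40788
130.215.160.0/20 4795 4795 4761 9304 40633 18978 4436 10326
130.215.176.0/20 4795 4795 4761 9304 40633 18978 4436 10326
193.251.32.0/20 271 6939 40633 18978 3257 3215
"""

# Covering prefixes named in the thread for each origin AS.
# AS3215's aggregate is not stated there, so it is deliberately absent.
AGGREGATES = {
    29889: "198.98.180.0/22",
    40788: "108.168.0.0/17",
    10326: "130.215.0.0/16",
}


def parse_alerts(text):
    """Return [(network, as_path)] with AS-path prepending collapsed."""
    alerts = []
    for line in text.strip().splitlines():
        fields = line.split()
        if len(fields) < 2:
            continue  # need at least a prefix and an origin AS
        net = ipaddress.ip_network(fields[0], strict=True)
        path = []
        for asn in map(int, fields[1:]):
            if not path or path[-1] != asn:  # "4795 4795" -> "4795"
                path.append(asn)
        alerts.append((net, path))
    return alerts


def classify(net, path, aggregates=AGGREGATES):
    """Compare an announced prefix with the origin's known aggregate."""
    agg = aggregates.get(path[-1])
    if agg is None:
        return "unknown-aggregate"
    agg_net = ipaddress.ip_network(agg)
    if net == agg_net:
        return "expected"
    if net.version == agg_net.version and net.subnet_of(agg_net):
        return "more-specific"  # same origin, longer prefix than we announce
    return "outside-aggregate"


def _contains(path, run):
    n = len(run)
    return any(path[i:i + n] == run for i in range(len(path) - n + 1))


def common_segment(paths):
    """Longest contiguous run of ASNs that appears in every path."""
    first = paths[0]
    for length in range(len(first), 0, -1):
        for start in range(len(first) - length + 1):
            run = first[start:start + length]
            if all(_contains(p, run) for p in paths[1:]):
                return run
    return []


def feeders(paths, segment):
    """ASNs seen immediately on the origin side of the shared segment."""
    found, n = set(), len(segment)
    for p in paths:
        for i in range(len(p) - n + 1):
            if p[i:i + n] == segment and i + n < len(p):
                found.add(p[i + n])
    return found


def analyse(text=ALERTS):
    alerts = parse_alerts(text)
    paths = [p for _, p in alerts]
    segment = common_segment(paths)
    return {
        "verdicts": {str(n): classify(n, p) for n, p in alerts},
        "segment": segment,
        "feeders": feeders(paths, segment),
    }


if __name__ == "__main__":
    result = analyse()
    for prefix, verdict in result["verdicts"].items():
        print(f"{prefix:20} {verdict}")
    print("shared path segment:", result["segment"])
    print("ASNs feeding it from the origin side:", sorted(result["feeders"]))
```

The AS at the origin end of the shared segment, fed by several unrelated upstreams, is the one to check first for a leak.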
Yes, see this thread: https://puck.nether.net/pipermail/outages/2015-March/007687.html
Frank
-----Original Message-----
From: NANOG [mailto:nanog-bounces@nanog.org] On Behalf Of Debottym Mukherjee
Sent: Friday, March 27, 2015 10:14 AM
To: nanog@nanog.org
Subject: Level 3 Outage
Did anyone else experience a Level 3 outage in the last couple of days? Seems like we've been affected with quite a few VPNV4 outages (one that lasted for up to 9 hrs) and didn't get resolved until they rebuilt their vpnv4 address family on their PE router(s)?
On Thu, Mar 26, 2015 at 8:00 AM, <nanog-request@nanog.org> wrote:
Send NANOG mailing list submissions to nanog@nanog.org
To subscribe or unsubscribe via the World Wide Web, visit http://mailman.nanog.org/mailman/listinfo/nanog or, via email, send a message with subject or body 'help' to nanog-request@nanog.org
You can reach the person managing the list at nanog-owner@nanog.org
When replying, please edit your Subject line so it is more specific than "Re: Contents of NANOG digest..."
Today's Topics:
1. godaddy contact (Tim) 2. Frontier: Blocking port 22 because of illegal files? (Aaron C. de Bruyn) 3. Re: Frontier: Blocking port 22 because of illegal files? (Eygene Ryabinkin) 4. Re: Frontier: Blocking port 22 because of illegal files? (Jon Lewis) 5. Re: Frontier: Blocking port 22 because of illegal files? (Stephen Satchell) 6. Re: Frontier: Blocking port 22 because of illegal files? (Seth Mos) 7. booster to gain distance above 60km (Rodrigo Augusto) 8. Re: Frontier: Blocking port 22 because of illegal files? (Jens Link) 9. Prefix hijack by INDOSAT AS4795 / AS4761 (Randy) 10. Re: Frontier: Blocking port 22 because of illegal files? (Livingood, Jason) 11. Re: Prefix hijack by INDOSAT AS4795 / AS4761 (Christopher Morrow) 12. Re: Frontier: Blocking port 22 because of illegal files? (Jeff Richmond) 13. Re: Frontier: Blocking port 22 because of illegal files? (Daniel Corbe) 14. Re: Prefix hijack by INDOSAT AS4795 / AS4761 (Randy) 15. RE: Prefix hijack by INDOSAT AS4795 / AS4761 (Peter Rocca) 16. Re: Prefix hijack by INDOSAT AS4795 / AS4761 (Christopher Morrow) 17. Re: Prefix hijack by INDOSAT AS4795 / AS4761 (Christopher Morrow) 18. Re: Prefix hijack by INDOSAT AS4795 / AS4761 (Randy) 19. Re: Prefix hijack by INDOSAT AS4795 / AS4761 (Pierre Emeriaud) 20. Re: Prefix hijack by INDOSAT AS4795 / AS4761 (Paul S.) 21. Re: Prefix hijack by INDOSAT AS4795 / AS4761 (Chuck Anderson) 22. Re: Prefix hijack by INDOSAT AS4795 / AS4761 (Christian Teuschel) 23. Re: Prefix hijack by INDOSAT AS4795 / AS4761 (Andree Toonk) 24. RE: Prefix hijack by INDOSAT AS4795 / AS4761 (Peter Rocca) 25. Charter Engineer (Shawn L) 26. RE: More specifics from AS18978 [was: Prefix hijack by INDOSAT AS4795 / AS4761] (Randy)
----------------------------------------------------------------------
Message: 1 Date: Wed, 25 Mar 2015 16:41:50 -0600 From: Tim <timphp@progressivemarketingnetwork.com> To: nanog@nanog.org Subject: godaddy contact Message-ID: <551339AE.8010203@progressivemarketingnetwork.com> Content-Type: text/plain; charset=utf-8
Anyone from godaddy on here or have contact details for them? We are having a routing issue to them.
------------------------------
Message: 2 Date: Wed, 25 Mar 2015 19:31:35 -0700 From: "Aaron C. de Bruyn" <aaron@heyaaron.com> To: NANOG mailing list <nanog@nanog.org> Subject: Frontier: Blocking port 22 because of illegal files? Message-ID: <CAEE+rGqimJYAfgmzm9AJ72+gcmJxfZLM7n4Rf03vynxKN= Qfeg@mail.gmail.com> Content-Type: text/plain; charset=UTF-8
I've had a handful of clients contact me over the last week with trouble using SCP (usually WinSCP) to manage their website content on my servers. Either they get timeout messages from WinSCP or a message saying they should switch to SFTP.
After getting a few helpful users on the phone to run some quick tests, we found port 22 was blocked.
When my customers contacted Frontier, they were told that port 22 was blocked because it is used to transfer illegal files.
I called them, and got the same ridiculous excuse.
Just a friendly heads-up to anyone from Frontier who might be listening, I have a few additional ports you may wish to block:
80 - Allows users to use Google to search for illegal files
443 - Allows users to use Google to search for illegal files in a secure manner
69 - Allows users to trivially transfer illegal files
3389 - Allows users to connect to unlicensed Windows machines
179 - Allows users to exchange routes to illegal file shares
53 - Allows people to look up illegal names
-A
------------------------------
Message: 3
Date: Thu, 26 Mar 2015 07:21:45 +0300
From: Eygene Ryabinkin <rea+nanog@grid.kiae.ru>
To: "Aaron C. de Bruyn" <aaron@heyaaron.com>
Cc: NANOG mailing list <nanog@nanog.org>
Subject: Re: Frontier: Blocking port 22 because of illegal files?
Message-ID: <nwCOvNPJTWOEp6pB7jt97dzYZ/0@xD7c2HZfPDzIruDUr3Qm9QhN1kk>
Content-Type: text/plain; charset=us-ascii
Wed, Mar 25, 2015 at 07:31:35PM -0700, Aaron C. de Bruyn wrote:
Just a friendly heads-up to anyone from Frontier who might be listening, I have a few additional ports you may wish to block:
80 - Allows users to use Google to search for illegal files
443 - Allows users to use Google to search for illegal files in a secure manner
69 - Allows users to trivially transfer illegal files
3389 - Allows users to connect to unlicensed Windows machines
179 - Allows users to exchange routes to illegal file shares
53 - Allows people to look up illegal names
Can't help to add that there are
- port 21 that allow users to give commands to examine the existence and initiate transfers of illegal files;
- ports 1025 - 65535 that allow users to create data streams to actually transfer illegal files in an (oh my) passive mode.
;) -- Eygene Ryabinkin, National Research Centre "Kurchatov Institute"
Always code as if the guy who ends up maintaining your code will be a violent psychopath who knows where you live.
------------------------------
Message: 4
Date: Thu, 26 Mar 2015 00:56:21 -0400 (EDT)
From: Jon Lewis <jlewis@lewis.org>
To: "Aaron C. de Bruyn" <aaron@heyaaron.com>
Cc: NANOG mailing list <nanog@nanog.org>
Subject: Re: Frontier: Blocking port 22 because of illegal files?
Message-ID: <Pine.LNX.4.61.1503260052100.10544@soloth.lewis.org>
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed
On Wed, 25 Mar 2015, Aaron C. de Bruyn wrote:
I've had a handful of clients contact me over the last week with trouble using SCP (usually WinSCP) to manage their website content on my servers. Either they get timeout messages from WinSCP or a message saying they should switch to SFTP.
After getting a few helpful users on the phone to run some quick tests, we found port 22 was blocked.
When my customers contacted Frontier, they were told that port 22 was blocked because it is used to transfer illegal files.
I called them, and got the same ridiculous excuse.
Just a friendly heads-up to anyone from Frontier who might be listening, I have a few additional ports you may wish to block:
I wonder if their support is just confused, and Frontier is really blocking outbound tcp/22 to stop complaints generated by infected customers with sshd scanners. After all, most of their customers probably don't know what SSH is.
---------------------------------------------------------------------- Jon Lewis, MCP :) | I route | therefore you are _________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
------------------------------
Message: 5
Date: Thu, 26 Mar 2015 04:24:38 -0700
From: Stephen Satchell <list@satchell.net>
To: nanog@nanog.org
Subject: Re: Frontier: Blocking port 22 because of illegal files?
Message-ID: <5513EC76.5060306@satchell.net>
Content-Type: text/plain; charset=UTF-8
On 03/25/2015 07:31 PM, Aaron C. de Bruyn wrote:
After getting a few helpful users on the phone to run some quick tests, we found port 22 was blocked.
It's been a while since I did this, but you can select an additional port to accept SSH connections. A Google search indicates you can specify multiple ports in OpenSSH. Picking the right port to use is an exercise, though, that will depend on what other services you are running on your server.
People with sane ISPs can use the standard port. People on Frontier can use the alternate port, which shouldn't be firewalled by the provider. If Frontier is running a mostly-closed firewall configuration, then you have to be damn careful about the port you select.
------------------------------
Message: 6
Date: Thu, 26 Mar 2015 12:56:31 +0100
From: Seth Mos <seth.mos@dds.nl>
To: nanog@nanog.org
Subject: Re: Frontier: Blocking port 22 because of illegal files?
Message-ID: <5513F3EF.2080805@dds.nl>
Content-Type: text/plain; charset=utf-8
Stephen Satchell wrote on 26-3-2015 at 12:24:
On 03/25/2015 07:31 PM, Aaron C. de Bruyn wrote:
After getting a few helpful users on the phone to run some quick tests, we found port 22 was blocked.
It's been a while since I did this, but you can select an additional port to accept SSH connections. A Google search indicates you can specify multiple ports in OpenSSH. Picking the right port to use is an exercise, though, that will depend on what other services you are running on your server.
People with sane ISPs can use the standard port. People on Frontier can use the alternate port, which shouldn't be firewalled by the provider. If Frontier is running a mostly-closed firewall configuration, then you have to be damn careful about the port you select.
Ahem, just to clarify, he is not talking about inbound on the Frontier connection, but outbound *from* the Frontier network.
Akin to the "Let's block outbound port 25 (smtp)".
This is just a really really bad idea m'kay.
Cheers
------------------------------
Message: 7
Date: Thu, 26 Mar 2015 09:07:39 -0300
From: Rodrigo Augusto <rodrigo@1telecom.com.br>
To: nanog <nanog@nanog.org>
Subject: booster to gain distance above 60km
Message-ID: <D1397CDB.35C0B%rodrigo@1telecom.com.br>
Content-Type: text/plain; charset="ISO-8859-1"
Hi folks... we have a point and have 63km between point A and point B.... We have a single fiber (only one fiber) and use a fiberstore sfp+ 10GB dibi 1270/1330 module to connect these sites. All attenuation is ok... I don't have any trouble on the fiber.... I have received this signal on my sfp+:
Receiver signal average optical power : 0.0026 mW / -25.85 dBm
Does anyone know if it is possible to amplify this scenario to get 7db more? Is it possible to put any booster or any way to solve this? I am thinking of using an optical PreAmplifier... but I don't know if it is possible because my scenario has just one fiber... or to use a ROPA (remote optical pumping amplifier) because I have 63km... Does anyone have some idea?
Rodrigo Augusto
IT Manager, Grupo Connectoway
http://www.connectoway.com.br
http://www.1telecom.com.br
rodrigo@connectoway.com.br
(81) 3497-6060
(81) 8184-3646
INOC-DBA 52965*100
------------------------------
Message: 8
Date: Thu, 26 Mar 2015 13:10:35 +0100
From: Jens Link <lists@quux.de>
To: nanog@nanog.org
Subject: Re: Frontier: Blocking port 22 because of illegal files?
Message-ID: <87mw30hscj.fsf@pc8.berlin.quux.de>
Content-Type: text/plain
Stephen Satchell <list@satchell.net> writes:
It's been a while since I did this, but you can select an additional port to accept SSH connections.
That's easy:
jens@screen:~$ grep Port /etc/ssh/sshd_config
Port 22
Port 443
Picking the right port to use is an exercise, though, that will depend on what other services you are running on your server.
I always have at least one sshd listening on port 443. For all the hotel, coffee house, customer networks blocking ssh.
You can even multiplex and run ssh and ssl on the same port:
http://www.rutschle.net/tech/sslh.shtml
Jens --
---------------------------------------------------------------------------- | Foelderichstr. 40 | 13595 Berlin, Germany | +49-151-18721264 | | http://blog.quux.de | jabber: jenslink@jabber.quux.de | --------------- |
----------------------------------------------------------------------------
------------------------------
Message: 9
Date: Thu, 26 Mar 2015 07:08:20 -0700
From: Randy <amps@djlab.com>
To: nanog@nanog.org
Subject: Prefix hijack by INDOSAT AS4795 / AS4761
Message-ID: <b8636bc52cdc7f7f595ff96c7b078445@mailbox.fastserv.com>
Content-Type: text/plain; charset=US-ASCII; format=flowed
On Thursday March 26th 2015 at 12:18 UTC (and on-going) we are seeing more specifics on one of our prefixes. Anyone else seeing similar or is it just us?
198.98.180.0/23 4795 4795 4761 9304 40633 18978 4436 29889
198.98.182.0/23 4795 4795 4761 9304 40633 18978 4436 29889
-- Randy
------------------------------
Message: 10
Date: Thu, 26 Mar 2015 14:09:52 +0000
From: "Livingood, Jason" <Jason_Livingood@cable.comcast.com>
To: "Aaron C. de Bruyn" <aaron@heyaaron.com>, NANOG mailing list <nanog@nanog.org>
Subject: Re: Frontier: Blocking port 22 because of illegal files?
Message-ID: <D1398B6B.FDE9E%jason_livingood@cable.comcast.com>
Content-Type: text/plain; charset="Windows-1252"
ISPs are generally expected to disclose any port blocking. A quick Google search shows this is Frontier’s list: http://www.frontierhelp.com/faq.cfm?qstid=277
On 3/25/15, 10:31 PM, "Aaron C. de Bruyn" <aaron@heyaaron.com<mailto: aaron@heyaaron.com>> wrote:
I've had a handful of clients contact me over the last week with trouble using SCP (usually WinSCP) to manage their website content on my servers. Either they get timeout messages from WinSCP or a message saying they should switch to SFTP.
After getting a few helpful users on the phone to run some quick tests, we found port 22 was blocked.
When my customers contacted Frontier, they were told that port 22 was blocked because it is used to transfer illegal files.
I called them, and got the same ridiculous excuse.
Just a friendly heads-up to anyone from Frontier who might be listening, I have a few additional ports you may wish to block:
80 - Allows users to use Google to search for illegal files
443 - Allows users to use Google to search for illegal files in a secure manner
69 - Allows users to trivially transfer illegal files
3389 - Allows users to connect to unlicensed Windows machines
179 - Allows users to exchange routes to illegal file shares
53 - Allows people to look up illegal names
-A
------------------------------
Message: 11
Date: Thu, 26 Mar 2015 10:27:21 -0400
From: Christopher Morrow <morrowc.lists@gmail.com>
To: amps@djlab.com
Cc: nanog list <nanog@nanog.org>
Subject: Re: Prefix hijack by INDOSAT AS4795 / AS4761
Message-ID: <CAL9jLaY17-8nVwXDDs1dncU= 252pBSEFpdi1QaGXq5ZEJ-AyvA@mail.gmail.com>
Content-Type: text/plain; charset=UTF-8
On Thu, Mar 26, 2015 at 10:08 AM, Randy <amps@djlab.com> wrote:
On Thursday March 26th 2015 at 12:18 UTC (and on-going) we are seeing more specifics on one of our prefixes. Anyone else seeing similar or is it just us?
is your AS in the path below? (what is your AS so folk can check for your prefixes/customer-prefixes and attempt to help?)
198.98.180.0/23 4795 4795 4761 9304 40633 18978 4436 29889
198.98.182.0/23 4795 4795 4761 9304 40633 18978 4436 29889
-- Randy
------------------------------
Message: 12
Date: Thu, 26 Mar 2015 07:28:57 -0700
From: Jeff Richmond <jeff.richmond@gmail.com>
To: "Livingood, Jason" <Jason_Livingood@cable.comcast.com>
Cc: "Aaron C. de Bruyn" <aaron@heyaaron.com>, NANOG mailing list <nanog@nanog.org>
Subject: Re: Frontier: Blocking port 22 because of illegal files?
Message-ID: <006E35AD-00E6-4B61-890F-29E580CE91C9@gmail.com>
Content-Type: text/plain; charset=windows-1252
All, I have reached out to Aaron privately for details, but we do not block port 22 traffic unless it is in direct response to an attack or related item. Please let me know directly if you have any specific questions.
Thanks, -Jeff
On Mar 26, 2015, at 7:09 AM, Livingood, Jason < Jason_Livingood@cable.comcast.com> wrote:
ISPs are generally expected to disclose any port blocking. A quick Google search shows this is Frontier’s list: http://www.frontierhelp.com/faq.cfm?qstid=277
On 3/25/15, 10:31 PM, "Aaron C. de Bruyn" <aaron@heyaaron.com<mailto: aaron@heyaaron.com>> wrote:
I've had a handful of clients contact me over the last week with trouble using SCP (usually WinSCP) to manage their website content on my servers. Either they get timeout messages from WinSCP or a message saying they should switch to SFTP.
After getting a few helpful users on the phone to run some quick tests, we found port 22 was blocked.
When my customers contacted Frontier, they were told that port 22 was blocked because it is used to transfer illegal files.
I called them, and got the same ridiculous excuse.
Just a friendly heads-up to anyone from Frontier who might be listening, I have a few additional ports you may wish to block:
80 - Allows users to use Google to search for illegal files
443 - Allows users to use Google to search for illegal files in a secure manner
69 - Allows users to trivially transfer illegal files
3389 - Allows users to connect to unlicensed Windows machines
179 - Allows users to exchange routes to illegal file shares
53 - Allows people to look up illegal names
-A
------------------------------
Message: 13
Date: Thu, 26 Mar 2015 10:32:31 -0400
From: Daniel Corbe <corbe@corbe.net>
To: "Livingood\, Jason" <Jason_Livingood@cable.comcast.com>
Cc: "Aaron C. de Bruyn" <aaron@heyaaron.com>, NANOG mailing list <nanog@nanog.org>
Subject: Re: Frontier: Blocking port 22 because of illegal files?
Message-ID: <874mp7hls0.fsf@corbe.net>
Content-Type: text/plain; charset=utf-8
Nothing helps promote a free and open Internet more than micromanaging your users' download activity.
Not really sure how someone comes to the conclusion that nobody really *needs* ssh for anything.
"Livingood, Jason" <Jason_Livingood@cable.comcast.com> writes:
ISPs are generally expected to disclose any port blocking. A quick Google search shows this is Frontier’s list: http://www.frontierhelp.com/faq.cfm?qstid=277
On 3/25/15, 10:31 PM, "Aaron C. de Bruyn" <aaron@heyaaron.com<mailto: aaron@heyaaron.com>> wrote:
I've had a handful of clients contact me over the last week with trouble using SCP (usually WinSCP) to manage their website content on my servers. Either they get timeout messages from WinSCP or a message saying they should switch to SFTP.
After getting a few helpful users on the phone to run some quick tests, we found port 22 was blocked.
When my customers contacted Frontier, they were told that port 22 was blocked because it is used to transfer illegal files.
I called them, and got the same ridiculous excuse.
Just a friendly heads-up to anyone from Frontier who might be listening, I have a few additional ports you may wish to block:
80 - Allows users to use Google to search for illegal files
443 - Allows users to use Google to search for illegal files in a secure manner
69 - Allows users to trivially transfer illegal files
3389 - Allows users to connect to unlicensed Windows machines
179 - Allows users to exchange routes to illegal file shares
53 - Allows people to look up illegal names
-A
------------------------------
Message: 14
Date: Thu, 26 Mar 2015 07:38:08 -0700
From: Randy <amps@djlab.com>
To: Christopher Morrow <morrowc.lists@gmail.com>
Cc: christopher.morrow@gmail.com, nanog list <nanog@nanog.org>
Subject: Re: Prefix hijack by INDOSAT AS4795 / AS4761
Message-ID: <d9f578bfd7e75bf125e26a2911c670bb@mailbox.fastserv.com>
Content-Type: text/plain; charset=US-ASCII; format=flowed
On 03/26/2015 7:27 am, Christopher Morrow wrote:
is your AS in the path below? (what is your AS so folk can check for your prefixes/customer-prefixes and attempt to help?)
Sorry, we're 29889.
------------------------------
Message: 15
Date: Thu, 26 Mar 2015 14:43:20 +0000
From: Peter Rocca <rocca@start.ca>
To: "nanog@nanog.org" <nanog@nanog.org>
Subject: RE: Prefix hijack by INDOSAT AS4795 / AS4761
Message-ID: <44c3b7398b0c46b8a842c44da3f379be@APP02.start.local>
Content-Type: text/plain; charset="us-ascii"
We just received a similar alert from bgpmon - part of 108.168.0.0/17 is being advertised as /20's - although we're still listed as the origin. We are 40788.
108.168.64.0/20 4795 4795 4761 9304 40633 18978 6939 40788
108.168.80.0/20 4795 4795 4761 9304 40633 18978 6939 40788
108.168.96.0/20 4795 4795 4761 9304 40633 18978 6939 40788
108.168.112.0/20 4795 4795 4761 9304 40633 18978 6939 40788
-----Original Message----- From: NANOG [mailto:nanog-bounces@nanog.org] On Behalf Of Randy Sent: March-26-15 10:08 AM To: nanog@nanog.org Subject: Prefix hijack by INDOSAT AS4795 / AS4761
On Thursday March 26th 2015 at 12:18 UTC (and on-going) we are seeing more specifics on one of our prefixes. Anyone else seeing similar or is it just us?
198.98.180.0/23 4795 4795 4761 9304 40633 18978 4436 29889
198.98.182.0/23 4795 4795 4761 9304 40633 18978 4436 29889
-- Randy
------------------------------
Message: 16
Date: Thu, 26 Mar 2015 10:44:28 -0400
From: Christopher Morrow <morrowc.lists@gmail.com>
To: amps@djlab.com
Cc: nanog list <nanog@nanog.org>
Subject: Re: Prefix hijack by INDOSAT AS4795 / AS4761
Message-ID: <CAL9jLaYvGYc6s4uhAqfKG+qikWSa4U3Mp= Xo6UUVfAz_4gGR9w@mail.gmail.com>
Content-Type: text/plain; charset=UTF-8
On Thu, Mar 26, 2015 at 10:38 AM, Randy <amps@djlab.com> wrote:
On 03/26/2015 7:27 am, Christopher Morrow wrote:
is your AS in the path below? (what is your AS so folk can check for your prefixes/customer-prefixes and attempt to help?)
Sorry, we're 29889.
ok, and it looks like the path you clipped is: 198.98.180.0/23 4795 4795 4761 9304 40633 18978 4436 29889
possibly LAIX is passing along your /24 you didn't mean them to pass on?
------------------------------
Message: 17
Date: Thu, 26 Mar 2015 10:45:09 -0400
From: Christopher Morrow <morrowc.lists@gmail.com>
To: Peter Rocca <rocca@start.ca>
Cc: "nanog@nanog.org" <nanog@nanog.org>
Subject: Re: Prefix hijack by INDOSAT AS4795 / AS4761
Message-ID: < CAL9jLaaLxcncc4uyTKz7SuDUks4B+VjzA56NO6n_tdHRmhJsZA@mail.gmail.com>
Content-Type: text/plain; charset=UTF-8
On Thu, Mar 26, 2015 at 10:43 AM, Peter Rocca <rocca@start.ca> wrote:
We just received a similar alert from bgpmon - part of 108.168.0.0/17 is being advertised as /20's - although we're still listed as the origin. We are 40788.
108.168.64.0/20 4795 4795 4761 9304 40633 18978 6939 40788
108.168.80.0/20 4795 4795 4761 9304 40633 18978 6939 40788
108.168.96.0/20 4795 4795 4761 9304 40633 18978 6939 40788
108.168.112.0/20 4795 4795 4761 9304 40633 18978 6939 40788
common point looks like LAIX ? their routeserver go crazy perhaps? or did they change in/out prefix management information?
-----Original Message----- From: NANOG [mailto:nanog-bounces@nanog.org] On Behalf Of Randy Sent: March-26-15 10:08 AM To: nanog@nanog.org Subject: Prefix hijack by INDOSAT AS4795 / AS4761
On Thursday March 26th 2015 at 12:18 UTC (and on-going) we are seeing more specifics on one of our prefixes. Anyone else seeing similar or is it just us?
198.98.180.0/23 4795 4795 4761 9304 40633 18978 4436 29889
198.98.182.0/23 4795 4795 4761 9304 40633 18978 4436 29889
-- Randy
------------------------------
Message: 18
Date: Thu, 26 Mar 2015 07:46:31 -0700
From: Randy <amps@djlab.com>
To: Christopher Morrow <morrowc.lists@gmail.com>
Cc: christopher.morrow@gmail.com, nanog list <nanog@nanog.org>
Subject: Re: Prefix hijack by INDOSAT AS4795 / AS4761
Message-ID: <78c55aee9b1853c827c78adb8527fafb@mailbox.fastserv.com>
Content-Type: text/plain; charset=US-ASCII; format=flowed
All,
Info gathered off-list indicates this may be a couple of issues in our case - possible routing leak by 18978 (check your tables!) and more specifics on our prefixes from 4795 that we couldn't see before the leak hence the apparent hijack.
-- ~Randy
------------------------------
Message: 19
Date: Thu, 26 Mar 2015 15:46:51 +0100
From: Pierre Emeriaud <petrus.lt@gmail.com>
To: amps@djlab.com
Cc: nanog@nanog.org
Subject: Re: Prefix hijack by INDOSAT AS4795 / AS4761
Message-ID: < CA+PSOpyoEOAsWgQ1mzG+mLs0zrMOw35o7YTRE_R5YsSM8uCAxA@mail.gmail.com>
Content-Type: text/plain; charset=UTF-8
Hi,
2015-03-26 15:08 GMT+01:00 Randy <amps@djlab.com>:
On Thursday March 26th 2015 at 12:18 UTC (and on-going) we are seeing more specifics on one of our prefixes. Anyone else seeing similar or is it just us?
198.98.180.0/23 4795 4795 4761 9304 40633 18978 4436 29889
198.98.182.0/23 4795 4795 4761 9304 40633 18978 4436 29889
We (as3215) are seeing almost the same path with 40633 18978 3257 3215, for some quite a lot of prefixes.
Some alerts from bgpmon:
193.251.32.0/20 271 6939 40633 18978 3257 3215
193.251.32.0/20 271 6939 40633 18978 3257 3215
We are not directly connected to 3257. Looks like 18978 deaggregated to /20 and reannounced to 40633 (LAIX).
Rgds, pierre
------------------------------
Message: 20
Date: Thu, 26 Mar 2015 23:48:12 +0900
From: "Paul S." <contact@winterei.se>
To: nanog@nanog.org
Subject: Re: Prefix hijack by INDOSAT AS4795 / AS4761
Message-ID: <55141C2C.40706@winterei.se>
Content-Type: text/plain; charset=UTF-8; format=flowed
Same here. These Indosat guys can't seem to catch a break =/
On 3/26/2015 11:43 PM, Peter Rocca wrote:
We just received a similar alert from bgpmon - part of 108.168.0.0/17 is being advertised as /20's - although we're still listed as the origin. We are 40788.
108.168.64.0/20 4795 4795 4761 9304 40633 18978 6939 40788
108.168.80.0/20 4795 4795 4761 9304 40633 18978 6939 40788
108.168.96.0/20 4795 4795 4761 9304 40633 18978 6939 40788
108.168.112.0/20 4795 4795 4761 9304 40633 18978 6939 40788
-----Original Message----- From: NANOG [mailto:nanog-bounces@nanog.org] On Behalf Of Randy Sent: March-26-15 10:08 AM To: nanog@nanog.org Subject: Prefix hijack by INDOSAT AS4795 / AS4761
On Thursday March 26th 2015 at 12:18 UTC (and on-going) we are seeing more specifics on one of our prefixes. Anyone else seeing similar or is it just us?
198.98.180.0/23 4795 4795 4761 9304 40633 18978 4436 29889
198.98.182.0/23 4795 4795 4761 9304 40633 18978 4436 29889
------------------------------
Message: 21
Date: Thu, 26 Mar 2015 11:00:31 -0400
From: Chuck Anderson <cra@WPI.EDU>
To: nanog@nanog.org
Subject: Re: Prefix hijack by INDOSAT AS4795 / AS4761
Message-ID: <20150326150030.GO9776@angus.ind.WPI.EDU>
Content-Type: text/plain; charset=us-ascii
We are AS 10326 130.215.0.0/16 and I just received a BGPmon alert as well:
130.215.160.0/20 4795 4795 4761 9304 40633 18978 4436 10326
130.215.176.0/20 4795 4795 4761 9304 40633 18978 4436 10326
On Thu, Mar 26, 2015 at 10:45:09AM -0400, Christopher Morrow wrote:
On Thu, Mar 26, 2015 at 10:43 AM, Peter Rocca <rocca@start.ca> wrote:
We just received a similar alert from bgpmon - part of 108.168.0.0/17 is being advertised as /20's - although we're still listed as the origin. We are 40788.
108.168.64.0/20 4795 4795 4761 9304 40633 18978 6939 40788
108.168.80.0/20 4795 4795 4761 9304 40633 18978 6939 40788
108.168.96.0/20 4795 4795 4761 9304 40633 18978 6939 40788
108.168.112.0/20 4795 4795 4761 9304 40633 18978 6939 40788
common point looks like LAIX ? their routeserver go crazy perhaps? or did they change in/out prefix management information?
-----Original Message----- From: NANOG [mailto:nanog-bounces@nanog.org] On Behalf Of Randy Sent: March-26-15 10:08 AM To: nanog@nanog.org Subject: Prefix hijack by INDOSAT AS4795 / AS4761
On Thursday March 26th 2015 at 12:18 UTC (and on-going) we are seeing more specifics on one of our prefixes. Anyone else seeing similar or is it just us?
198.98.180.0/23 4795 4795 4761 9304 40633 18978 4436 29889
198.98.182.0/23 4795 4795 4761 9304 40633 18978 4436 29889
-- Randy
------------------------------
Message: 22
Date: Thu, 26 Mar 2015 16:02:00 +0100
From: Christian Teuschel <christian.teuschel@ripe.net>
To: nanog@nanog.org
Subject: Re: Prefix hijack by INDOSAT AS4795 / AS4761
Message-ID: <55141F68.9060900@ripe.net>
Content-Type: text/plain; charset="windows-1252"
Hi Randy,
Assuming that your prefix is 198.98.180.0/22 (AS29889 - FSNET-1 - Fast Serv Networks, LLC) none of the mentioned more specifics are currently seen from the RIPE NCC's RIS network, see the Looking Glass widget:
https://stat.ripe.net/198.98.180.0/23#tabId=routing
https://stat.ripe.net/198.98.182.0/23#tabId=at-a-glance
though there has been some BGP activity going on since 11:49:42, see the BGPlay and BGP Update Activity widget. In both cases the originating ASN was AS29889.
Cheers, Christian
On 26/03/15 15:46, Randy wrote:
All,
Info gathered off-list indicates this may be a couple of issues in our case - possible routing leak by 18978 (check your tables!) and more specifics on our prefixes from 4795 that we couldn't see before the leak hence the apparent hijack.
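The alerts quoted in this digest can be triaged mechanically: check each announced prefix against the covering prefix and origin its owner expects, then look for the AS run shared by every alerting path. The script below is an added example, not code from any poster or from BGPmon; the function names are hypothetical, the routes and covering prefixes are copied from the messages above, and 198.98.180.0/22 is the covering prefix assumed in message 22.

```python
"""Triage more-specific BGP alerts like the ones quoted in this digest."""
import ipaddress
from collections import Counter

# Covering prefixes and origin ASNs as stated by the posters in this digest.
# 198.98.180.0/22 is the covering prefix assumed in message 22.
EXPECTED = {
    "198.98.180.0/22": 29889,
    "108.168.0.0/17": 40788,
    "130.215.0.0/16": 10326,
}

# (prefix, AS path) pairs copied from the alerts in the thread; origin is last.
ALERTS = [
    ("198.98.180.0/23", "4795 4795 4761 9304 40633 18978 4436 29889"),
    ("198.98.182.0/23", "4795 4795 4761 9304 40633 18978 4436 29889"),
    ("108.168.64.0/20", "4795 4795 4761 9304 40633 18978 6939 40788"),
    ("108.168.80.0/20", "4795 4795 4761 9304 40633 18978 6939 40788"),
    ("108.168.96.0/20", "4795 4795 4761 9304 40633 18978 6939 40788"),
    ("108.168.112.0/20", "4795 4795 4761 9304 40633 18978 6939 40788"),
    ("130.215.160.0/20", "4795 4795 4761 9304 40633 18978 4436 10326"),
    ("130.215.176.0/20", "4795 4795 4761 9304 40633 18978 4436 10326"),
    ("193.251.32.0/20", "271 6939 40633 18978 3257 3215"),
]


def parse_path(text):
    """Return the AS path as a list of ints with prepending collapsed."""
    path = []
    for asn in map(int, text.split()):
        if not path or path[-1] != asn:
            path.append(asn)
    return path


def classify(prefix, path, expected=EXPECTED):
    """Compare one announcement with the owner's expected covering prefix."""
    net = ipaddress.ip_network(prefix)
    for cover_text, owner in expected.items():
        cover = ipaddress.ip_network(cover_text)
        if net.version == cover.version and net.subnet_of(cover):
            kind = "exact" if net == cover else "more-specific"
            who = "origin-preserved" if path[-1] == owner else "origin-changed"
            return f"{kind}/{who}"
    # No covering prefix on record: cannot say whether this is expected.
    return "no-covering-prefix-known"


def contains_run(path, run):
    """True if `run` appears as consecutive hops somewhere in `path`."""
    n = len(run)
    return any(path[i:i + n] == run for i in range(len(path) - n + 1))


def longest_common_run(paths):
    """Longest run of consecutive ASNs present in every path."""
    if not paths:
        return []
    first = paths[0]
    for size in range(len(first), 0, -1):
        for start in range(len(first) - size + 1):
            run = first[start:start + size]
            if all(contains_run(p, run) for p in paths[1:]):
                return run
    return []


def triage(alerts=ALERTS, expected=EXPECTED):
    """Classify every alert and name the AS run shared by all paths."""
    paths = [parse_path(text) for _, text in alerts]
    verdicts = Counter(
        classify(prefix, path, expected)
        for (prefix, _), path in zip(alerts, paths)
    )
    return dict(verdicts), longest_common_run(paths)


if __name__ == "__main__":
    verdicts, shared = triage()
    print("verdicts:", verdicts)
    print("AS run common to every alerting path:", shared)
```

An origin-preserved more-specific points at a leak or re-announcement somewhere along the path rather than an origin hijack, and the shared run narrows down where to look first.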