All:
Not all consumer grade customer premises equipment is created equally. But end customers sure think it is. I have retirement aged customers buying the crappiest routers and then blaming my cable network for all their connection woes. The real problem is that there were plenty of problems on the cable network to deal with, so it was impossible to tell between a problem that a customer was having with their CPE versus a real problem in my network.
Much of that has been cleared up on my side now, but customers were used to blaming us for everything so that they don't even consider that their equipment could be to blame.
I want to be able to point out a third party list of all (most) broadband routers that rates them by performance. Or that rates them by crappiness that I can send them to so they can look up their own router and determine if other users have had problems with that router and what can be done to fix it.
So far my search has been in vain.
Any thoughts?
Thanks in advance.
Lorell Hathcock
Sent from my iPad
Have the customer bypass the router. Why suggest another router that may have problems in the future that you ended up getting blamed for?
Josh Luthman Office: 937-552-2340 Direct: 937-552-2343 1100 Wayne St Suite 1337 Troy, OH 45373
Josh:
That's a good troubleshooting technique when the customer is cooperative and technically competent.
I am looking for a third party list to which I may point that rates all/most routers on the market. This list would not have my input on it at all. If a router from the list winds up being bad, it is not my fault because it is third party.
Such a list would help shift the conversation from blaming us at the ISP by default to casting doubt on the CPE device where the blame now rightly resides.
I've checked the primary search engine for such a list. I get a lot of ads for broadband routers. A search on dslreports.com yields nothing useful. pcmag.com wants to tell me about $150-$300 routers new to the market in 2015.
I just need a comprehensive list of routers with ratings. A couple of user reviews about routers going bad would also be nice!
Thanks,
Lorell Hathcock
Sent from my iPad
For a place to find reviews about specific models, I'd just point them to the product pages on Amazon and emphasize the ratings and narrative descriptions. Maybe not the most "scientific" method, but as long as the reviews posted align with your observations/assessment of a particular model, you've got a starting point there. Maybe compile a list of direct links for models you often see customers trying, so your CSRs can copy/paste them without research. Unfortunately, I'm not aware of a repository like you're describing with your request, though.
Dan
On Dec 23, 2015, at 10:38 PM, Lorell Hathcock <lorell@hathcock.org> wrote:
> That's a good troubleshooting technique when the customer is cooperative and technically competent.
... and has ethernet on anything in the house, which is increasingly a bad thing to rely on. Got an iPad, a smart phone, and a MacBook Air (any revision)? Two of the three have substantially no support for hardwired Ethernet. The third requires an external USB adaptor.
"Go out and buy this $24 gizmo so we can confirm that your $29 router/wireless device is indeed crap" is a hard thing to get most people to do.
-r
I have reasonable success with simply lending the customer a router. In most cases they will then buy it afterwards, because it turns out that their old router was indeed bad.
But you can not win them all. Sometimes it is the other equipment that is bad, or the customer is clueless. They might even be lying because everyone knows you have to pretend it is worse than it actually is to get the doctor to take you seriously. Also who here can honestly say you never pretended to power cycle your Windows 95 when asked by the support bot on the phone, while actually running Linux, because that is the only way to get passed on to second tier support?
Just last week I had a customer complaining his router was bad. I went out there and found it in the basement, on the floor, under a bed with a ton of crap on top. He said it was so much worse than his old internet, where he had the router in the center of the house in his living room. Not too surprisingly? He claimed the routers were located the same place until I turned up at his house and asked to see it...
I do not think you will have much success at pointing to a list of supposedly bad routers. The world is just too complex. A bad experience can be due to anything really. Most likely they are on 2,4 GHz and the spectrum is crowded. Combine with an old computer (or even brand new!) that has crap 2,4 GHz wifi - nothing a router can do about that. I demonstrate that it can work with my own computer and then advise the customer on what to buy.
Regards,
Baldur
The trend is a managed router service. This way the ISP can control the customer experience a little better. It also gives the ISP a demarc point to test from, which is not as reliant on getting the customer involved.
Mikrotik makes the hAP lite, which has a retail of $21.95. http://www.balticnetworks.com/mikrotik-hap-lite-tc-2-4ghz-indoor-access-point-tower-case-built-in-1-5dbi-antenna.html. This is a *nix based router you can cheaply deploy even if a customer doesn’t want a managed router. I have clients who deploy this as a “modem” if the customer chooses their own router. By doing this the ISP can run pings, traceroutes, see usage, and other useful tools from the customer side.
Once you figure on your average support call on troubleshooting a customer router $21.95 is a drop in the bucket. Having a place to test from the customer side is invaluable. Tons of tricks you can do too. Turn on the wireless and have the customer connect to it. Block out all traffic except what the customer is using for tests (i.e. wireless) so you can see if there are devices hogging the pipe. You can do frequency scans to see how bad 2.4 is. You can get a dual band hAP router with AC. It is more expensive so deploying one of those at every customer might not be feasible.
Justin Wilson j2sw@mtin.net
--- http://www.mtin.net Owner/CEO xISP Solutions- Consulting – Data Centers - Bandwidth
http://www.midwest-ix.com COO/Chairman
+1. Here's one managed option that non-Calix customers, such as WISPs, have found interesting: https://www.calix.com/systems/gigafamily-overview/GigaCenters.html
Frank
Providing a managed service is the direction we're going. In our case, since we're a Calix shop, we're using their GigaCenters, but I'm sure there are other vendor options out there. Early indications are that 95+% of our residential customers would rather pay a nominal "maintenance" fee and use our managed router than purchase their own. From our end, we get a little more revenue, we ensure our customers aren't blaming us for problems caused by junk routers, and we provide a level of service and support that the big guys can't even come close to matching.
see http://map.norsecorp.com
We really need to ask if China and Russia for that matter will not take abuse reports seriously why allow them to network to the internet ?
Colin
On Thu, 24 Dec 2015 23:44:10 +0000, Colin Johnston said:
> We really need to ask if China and Russia for that matter will not take abuse reports seriously why allow them to network to the internet ?
Well, first off, it isn't like China or Russia are just one ASN. You'd have to de-peer a bunch of ASN's - and also eliminate any paid transit connections.
Note that even North Korea has managed to land at least a small presence on the Internet. Are you going to ban them too?
While we're banning countries, how about the country that's known for widespread surveillance both foreign and domestic, has one of the strongest cyber warfare arsenals around, and has been caught multiple times diverting and backdooring routers sold to foreign countries?
Oh wait, that's the US. Maybe we better rethink this?
Obviously, there's a lot of organizations that think that being able to communicate with China and Russia outweighs the security issues. You are of course welcome to make a list of all Russian and Chinese ASNs and block their prefixes at your border.
So therefore we must somehow engage and enforce best practice for abuse alerts and action issues
Colin
Let’s just cut off the entirety of the third world instead of having a tangible mitigation plan in place.
On 12/24/2015 04:50 PM, Daniel Corbe wrote:
> Let’s just cut off the entirety of the third world instead of having a tangible mitigation plan in place.
While you think you are making a snarky response, it would be handy for end users to be able to turn on and off access to other countries retail. If *they* don't need access to certain third world countries, it would be their decision, not the operator's decision.
For example, here on my little network we have no need for connectivity to much of Asia, Africa, or India. We do have need to talk to Europe, Australia, and some countries in South America.
I am afraid people are already doing this. Every time I bring a new IP series into production, my users will complain that they are locked out from sites including many government sites. This is because people will load IP location lists into their firewall and drop packets at the border. Of course they will not update said lists and load year old lists into their firewalls.
So now my users can not access government sites because the IP ranges were owned by a company in a different country two years ago.
Take a guess on how responsive site owners are when we complain about their firewall. Most refuse to acknowledge they do any blocking and insist the problem is at our end. That is if they respond at all.
Regards,
Baldur
On 12/24/15, Baldur Norddahl <baldur.norddahl@gmail.com> wrote:
> I am afraid people are already doing this. Every time I bring a new IP series into production, my users will complain that they are locked out from sites including many government sites. This is because people will load IP location lists into their firewall and drop packets at the border. Of course they will not update said lists and load year old lists into their firewalls.
Enable IPv6 for your users. 1) it's not going to have any "history" & 2) ipv6 probably isn't blocked.
> So now my users can not access government sites because the IP ranges were owned by a company in a different country two years ago.
Find one of your users that's a citizen of said gov't & forward their complaint to the gov't sites. Non-citizen complaints are much easier to ignore..
Regards,
Lee
On 25 December 2015 at 20:06, Lee <ler762@gmail.com> wrote:
> Enable IPv6 for your users. 1) it's not going to have any "history" & 2) ipv6 probably isn't blocked.
I am not aware of just one single government site in this country (Denmark) that is IPv6 enabled. There are zero danish news sites that are IPv6 enabled. In fact, nothing here is IPv6 enabled - with the exception of all major ISP sites. For some strange reason all ISPs have IPv6 on their websites (but they do not provide IPv6 to their customers). It is sad really.
> > So now my users can not access government sites because the IP ranges were owned by a company in a different country two years ago.
> Find one of your users that's a citizen of said gov't & forward their complaint to the gov't sites. Non-citizen complaints are much easier to ignore..
I am a citizen and yes, they do ignore us. If you can manage to find the right guy, he can probably fix it in a few minutes. It is just that there is no way to get to that guy. The front desk has no clue what you are talking about. To these people we should just stop sending traffic from Romania and it would all be fixed, no?
To make it worse it is a really boring game of whack a mole. The users are constantly finding new sites that are either blocking us or are showing the site in the wrong language. Each time we open up a new IP series, it all starts over again. We do not have enough cash on hand to simply buy a real large chunk of IPv4, so we have multiple smaller blocks.
With regards to this thread, I am finding a worrying trend for websites to block out of country IP-addresses at the firewall. In the past you could expect that some content would not play or that your credit card payment would be blocked. But now you never get to that stage because sites are dropping the packets at the firewall.
Regards,
Baldur
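The stale-list failure described in the messages above can be caught by auditing a geo-block list before it drops legitimate traffic. The following is an added example, not code from any poster in this thread: it compares country-tagged block entries against current RIR delegation records (the pipe-separated "delegated-extended" statistics layout) and reports prefixes now registered to a different country. The sample records, documentation-range prefixes, function names and the 90-day age threshold are all constructed assumptions.

```python
"""Audit a country-based firewall block list against current RIR delegations.

Added illustration. All records and prefixes below are constructed samples
(RFC 5737 / RFC 3849 documentation ranges), not real allocations.
Assumption: the RIR registration country is the reference; commercial
geolocation feeds can disagree with it.
"""
import ipaddress
from datetime import date

# Constructed sample in the RIR "delegated-extended" statistics layout:
# registry|cc|type|start|value|date|status|opaque-id
# (value = address count for ipv4, prefix length for ipv6)
CURRENT_DELEGATIONS = """\
2|ripencc|20151225|5|19830705|20151224|+0100
ripencc|*|ipv4|*|4|summary
ripencc|DK|ipv4|192.0.2.0|256|20151101|allocated|sample-1
ripencc|RO|ipv4|198.51.100.0|256|20090412|allocated|sample-2
ripencc|DK|ipv4|203.0.113.0|128|20150920|allocated|sample-3
ripencc|RO|ipv4|203.0.113.128|128|20100105|allocated|sample-4
ripencc|DK|ipv6|2001:db8::|32|20140101|allocated|sample-5
"""

# Constructed firewall snapshot: (prefix, country it was tagged with,
# date the geo list was generated).
BLOCKLIST = [
    ("192.0.2.0/24", "RO", date(2013, 12, 1)),
    ("198.51.100.0/24", "RO", date(2013, 12, 1)),
    ("203.0.113.0/24", "RO", date(2013, 12, 1)),
]


def parse_delegations(text):
    """Return [(network, country, registration_date)] for delegated space."""
    records = []
    for line in text.splitlines():
        fields = line.strip().split("|")
        if line.startswith("#") or len(fields) < 7:
            continue  # comments and summary lines
        _registry, cc, kind, start, value, when, status = fields[:7]
        if status not in ("allocated", "assigned"):
            continue  # also skips the version header line
        if kind == "ipv4":
            first = ipaddress.IPv4Address(start)
            last = first + int(value) - 1
            # An address count need not be a power of two, so one record
            # can expand to several CIDR blocks.
            nets = ipaddress.summarize_address_range(first, last)
        elif kind == "ipv6":
            nets = [ipaddress.ip_network(f"{start}/{value}")]
        else:
            continue  # asn records
        registered = date(int(when[:4]), int(when[4:6]), int(when[6:8]))
        records.extend((net, cc, registered) for net in nets)
    return records


def audit_blocklist(blocklist, records, today, max_age_days=90):
    """Classify each block entry as 'mismatch', 'unverified' or 'ok'."""
    findings = []
    for prefix, blocked_cc, generated in blocklist:
        net = ipaddress.ip_network(prefix)
        # Delegations inside the blocked prefix that now belong elsewhere.
        moved = sorted(
            (str(rec_net), cc, registered.isoformat())
            for rec_net, cc, registered in records
            if rec_net.version == net.version
            and rec_net.overlaps(net)
            and cc != blocked_cc
        )
        age = (today - generated).days
        if moved:
            verdict = "mismatch"    # rule now drops another country's users
        elif age > max_age_days:
            verdict = "unverified"  # still matches, but the list is too old
        else:
            verdict = "ok"
        findings.append({
            "prefix": prefix,
            "blocked_as": blocked_cc,
            "now_registered": moved,
            "list_age_days": age,
            "verdict": verdict,
        })
    return findings


if __name__ == "__main__":
    recs = parse_delegations(CURRENT_DELEGATIONS)
    for finding in audit_blocklist(BLOCKLIST, recs, today=date(2015, 12, 25)):
        print(finding)
```

A "mismatch" on only part of a prefix, as with the constructed 203.0.113.0/24 entry, means the rule needs to be split rather than removed.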
why do the chinese network folks never reply and action abuse reports, normal slow speed network abuse is tolerated, but not high speed deliberate abuse albeit compromised machines Sent from my iPhone
On 25 December 2015 at 21:10, Colin Johnston <colinj@gt86car.org.uk> wrote:
> why do the chinese network folks never reply and action abuse reports, normal slow speed network abuse is tolerated, but not high speed deliberate abuse albeit compromised machine
They do not speak the same language as you. They barely understand your complaint and you would not understand their reply (in chinese!) - or do you expect everyone to know english?
Why does everyone expect the chinese to use Google Translate? Try it yourself before sending off your complaint in Mandarin...
Regards,
Baldur
been there, done that 网络滥用 fix your ntp reflection servers :)
Sent from my iPhone
I think that even in the US, a provider would want a more specific complaint than “The network abuses”. Owen
On Dec 25, 2015, at 12:40 , Colin Johnston <colinj@gt86car.org.uk> wrote:
been there, done that 网络滥用 fix your ntp reflection servers :)
Sent from my iPhone
On 25 Dec 2015, at 20:29, Baldur Norddahl <baldur.norddahl@gmail.com> wrote:
On 25 December 2015 at 21:10, Colin Johnston <colinj@gt86car.org.uk> wrote:
why do the chinese network folks never reply and action abuse reports, normal slow speed network abuse is tolerated, but not high speed deliberate abuse albeit compromised machine
They do not speak the same language as you. They barely understand your complaint and you would not understand their reply (in chinese!) - or do you expect everyone to know english?
Why does everyone expect the chinese to use Google Translate? Try it yourself before sending off your complaint in Mandarin...
Regards,
Baldur
On Fri, 25 Dec 2015, Colin Johnston wrote:
why do the chinese network folks never reply and action abuse reports, normal slow speed network abuse is tolerated, but not high speed deliberate abuse albeit compromised machines
This is not a chinese problem, this is a general ISP problem. Most ISPs do not respond to abuse reports. -- Mikael Abrahamsson email: swmike@swm.pp.se
Just an off the cuff thought but if the format of the abuse messages could be standardized so handling them would be semi-automated somewhat like ACNS notices, it might improve response. Maybe such a format already exists and just isn't widely used. Sent from my iPhone
On Dec 25, 2015, at 4:52 PM, Mikael Abrahamsson <swmike@swm.pp.se> wrote:
On Fri, 25 Dec 2015, Colin Johnston wrote:
why do the chinese network folks never reply and action abuse reports, normal slow speed network abuse is tolerated, but not high speed deliberate abuse albeit compromised machines
This is not a chinese problem, this is a general ISP problem. Most ISPs do not respond to abuse reports.
-- Mikael Abrahamsson email: swmike@swm.pp.se
Just in case I missed the /s on there:
Maybe such a format already exists and just isn't widely used.
It does and it isn't. http://www.x-arf.org/ -- Hugo hugo@slabnet.com: email, xmpp/jabber also on Signal ---- From: Clayton Zekelman <clayton@mnsi.net> -- Sent: 2015-12-25 - 14:12 ----
Just an off the cuff thought but if the format of the abuse messages could be standardized so handling them would be semi-automated somewhat like ACNS notices, it might improve response.
Maybe such a format already exists and just isn't widely used.
Sent from my iPhone
On Dec 25, 2015, at 4:52 PM, Mikael Abrahamsson <swmike@swm.pp.se> wrote:
On Fri, 25 Dec 2015, Colin Johnston wrote:
why do the chinese network folks never reply and action abuse reports, normal slow speed network abuse is tolerated, but not high speed deliberate abuse albeit compromised machines
This is not a chinese problem, this is a general ISP problem. Most ISPs do not respond to abuse reports.
-- Mikael Abrahamsson email: swmike@swm.pp.se
ARF (http://www.rfc-editor.org/rfc/rfc5965.txt, https://www.rfc-editor.org/rfc/rfc6650.txt) and X-ARF (http://www.x-arf.org/index.html) are used quite a lot and many, like Yahoo, only accept ARF reports on abusive emails. You might want to read MAAWG’s BCP: https://www.m3aawg.org/sites/default/files/document/M3AAWG_Feedback_Reporting_Recommendation_BP-2014-02.pdf Tom
On Dec 25, 2015, at 5:12 PM, Clayton Zekelman <clayton@mnsi.net> wrote:
Just an off the cuff thought but if the format of the abuse messages could be standardized so handling them would be semi-automated somewhat like ACNS notices, it might improve response.
Maybe such a format already exists and just isn't widely used.
Sent from my iPhone
On Dec 25, 2015, at 4:52 PM, Mikael Abrahamsson <swmike@swm.pp.se> wrote:
On Fri, 25 Dec 2015, Colin Johnston wrote:
why do the chinese network folks never reply and action abuse reports, normal slow speed network abuse is tolerated, but not high speed deliberate abuse albeit compromised machines
This is not a chinese problem, this is a general ISP problem. Most ISPs do not respond to abuse reports.
-- Mikael Abrahamsson email: swmike@swm.pp.se
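The ARF format (RFC 5965) named in the message above, shown from both ends as an added example that is not part of the original thread: a reporter builds the three-part report and an abuse desk validates it before acting. The addresses, the `example-arf-builder` User-Agent string and the sample mail are constructed for illustration.

```python
from datetime import datetime, timezone
from email import message_from_string
from email.message import Message
from email.mime.message import MIMEMessage
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText
from email.utils import format_datetime, parsedate_to_datetime
import ipaddress

REQUIRED = ("Feedback-Type", "User-Agent", "Version")  # mandatory in RFC 5965

# Constructed sample of the offending mail; all values are documentation ones.
ORIGINAL = (
    "Received: from mail.example.net (192.0.2.45) by mx.example.org\n"
    "From: sender@example.net\n"
    "To: user@example.org\n"
    "Subject: constructed sample\n"
    "Message-ID: <sample-1@example.net>\n"
    "\n"
    "body of the unwanted message\n"
)


def build_arf(reporter, abuse_contact, source_ip, arrival, original=ORIGINAL):
    """Return an ARF report: human text, machine-readable fields, original mail."""
    report = MIMEMultipart("report", report_type="feedback-report")
    report["From"] = reporter
    report["To"] = abuse_contact
    report["Subject"] = "Abuse report for " + source_ip
    report.attach(MIMEText(
        "This is an abuse report for a message received from %s.\n" % source_ip))

    fields = Message()
    fields["Feedback-Type"] = "abuse"
    fields["User-Agent"] = "example-arf-builder/0.1"  # hypothetical tool name
    fields["Version"] = "1"
    fields["Source-IP"] = source_ip
    fields["Arrival-Date"] = format_datetime(arrival)
    report.attach(MIMEMessage(fields, "feedback-report"))

    report.attach(MIMEMessage(message_from_string(original)))  # message/rfc822
    return report.as_string()


def triage_arf(raw):
    """Validate a received report and return the fields an abuse desk acts on."""
    msg = message_from_string(raw)
    if (msg.get_content_type() != "multipart/report"
            or str(msg.get_param("report-type", "")).lower() != "feedback-report"):
        raise ValueError("not an ARF report")
    parts = msg.get_payload()
    if len(parts) != 3 or parts[1].get_content_type() != "message/feedback-report":
        raise ValueError("ARF needs text, message/feedback-report and original parts")
    # The parser exposes the field block as a nested header-only message.
    fields = parts[1].get_payload(0)
    missing = [name for name in REQUIRED if fields[name] is None]
    if missing:
        raise ValueError("missing required fields: " + ", ".join(missing))
    source = fields["Source-IP"]
    arrival = fields["Arrival-Date"]
    # The third part may be text/rfc822-headers, which carries no nested message.
    original = parts[2].get_payload(0) if parts[2].is_multipart() else None
    return {
        "feedback_type": fields["Feedback-Type"].strip().lower(),
        "source_ip": str(ipaddress.ip_address(source.strip())) if source else None,
        "arrival": parsedate_to_datetime(arrival) if arrival else None,
        "original_message_id": original["Message-ID"] if original else None,
    }
```

A free-text complaint fails the first check in `triage_arf`, which is the difference between a report a ticketing system can route on its own and one that waits for a human to read it.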
Speaking as a former DNSBL operator, NANOG has a poor history of dealing with those who report abuse as well. On Fri, Dec 25, 2015 at 4:52 PM, Mikael Abrahamsson <swmike@swm.pp.se> wrote:
On Fri, 25 Dec 2015, Colin Johnston wrote:
why do the chinese network folks never reply and action abuse reports, normal slow speed network abuse is tolerated, but not high speed deliberate abuse albeit compromised machines
This is not a chinese problem, this is a general ISP problem. Most ISPs do not respond to abuse reports.
-- Mikael Abrahamsson email: swmike@swm.pp.se
On Dec 25, 2015, at 3:10 PM, Colin Johnston <colinj@gt86car.org.uk> wrote:
why do the chinese network folks never reply and action abuse reports, normal slow speed network abuse is tolerated, but not high speed deliberate abuse albeit compromised machines
Biggest reason I’ve seen is the same reason I delete spam in Chinese/Japanese/charset that is foreign to me. When I know I’m supposed to be reading something I toss it into google translate, when I don’t expect it, it may not even reach my $inbox. I’d expect writing to people in their non-native language is more likely to result in things being ignored or misclassified[1]. I work for a part of a multinational that doesn’t use the roman alphabet and mails are sometimes missed for this reason between our groups. This is far more of a two way street than people realize. When you find that person who speaks both languages it can remove hurdles. - Jared 1 - Think of the setting ok_languages in spamassassin.
Hmm, has anyone at all kept count of the number of times such a discussion has started up in just the last year, and how many more times in the past 16 or so years? Mind you, back in say 2004, this discussion would have run to 50 or 60 emails at a bare minimum, in no time at all. --srs On 25-Dec-2015, at 6:55 AM, Stephen Satchell <list@satchell.net> wrote:
On 12/24/2015 04:50 PM, Daniel Corbe wrote: Let’s just cut off the entirety of the third world instead of having a tangible mitigation plan in place.
While you think you are making a snarky response, it would be handy for end users to be able to turn on and off access to other countries retail.
Yes… Isn’t it impressive just how persistent the bad idea fairy can be? Owen
On Dec 24, 2015, at 19:25 , Suresh Ramasubramanian <ops.lists@gmail.com> wrote:
Hmm, has anyone at all kept count of the number of times such a discussion has started up in just the last year, and how many more times in the past 16 or so years?
Mind you, back in say 2004, this discussion would have run to 50 or 60 emails at a bare minimum, in no time at all.
--srs
On 25-Dec-2015, at 6:55 AM, Stephen Satchell <list@satchell.net> wrote:
On 12/24/2015 04:50 PM, Daniel Corbe wrote: Let’s just cut off the entirety of the third world instead of having a tangible mitigation plan in place.
While you think you are making a snarky response, it would be handy for end users to be able to turn on and off access to other countries retail.
Well, at least she's here rather than sprinkling eggnog and brandy flavoured pixie dust on our gear over the Christmas break. --srs
On 25-Dec-2015, at 9:08 AM, Owen DeLong <owen@delong.com> wrote:
Yes… Isn’t it impressive just how persistent the bad idea fairy can be?
Owen
On Fri 2015-Dec-25 08:55:24 +0530, Suresh Ramasubramanian <ops.lists@gmail.com> wrote:
Hmm, has anyone at all kept count of the number of times such a discussion has started up in just the last year...
Not on an ongoing basis, but I was curious as well, so a quick mailbox search for 2015: http://mailman.nanog.org/pipermail/nanog/2015-January/072841.html subject: Facebook outage? author: Colin Johnston <colinj@gt86car.org.uk> http://mailman.nanog.org/pipermail/nanog/2015-February/073556.html subject: AOL Postmaster author: Colin Johnston <colinj@gt86car.org.uk> http://mailman.nanog.org/pipermail/nanog/2015-March/074251.html http://mailman.nanog.org/pipermail/nanog/2015-March/074241.html subject: Getting hit hard by CHINANET author: Colin Johnston <colinj@gt86car.org.uk> http://mailman.nanog.org/pipermail/nanog/2015-April/074432.html subject: BGP offloading (fixing legacy router BGP scalability issues) author: Colin Johnston <colinj@gt86car.org.uk> http://mailman.nanog.org/pipermail/nanog/2015-July/077790.html subject: 20-30Gbps UDP 1720 traffic appearing to originate from CN in last 24 hours author: Colin Johnston <colinj@gt86car.org.uk> http://mailman.nanog.org/pipermail/nanog/2015-December/083104.html subject: de-peering for security sake author: Colin Johnston <colinj@gt86car.org.uk> I tried to be pretty wide in the search and filter through a decent chunk of false positives manually, though of course I could have missed some. It does skip a few of the "all of their traffic is crap and abuse reports are ignored" messages that don't *explicitly* call for wholesale country-level blocks or de-peering.
...and how many more times in the past 16 or so years?
I was curious, but not masochistic ;) -- Hugo hugo@slabnet.com: email, xmpp/jabber PGP fingerprint (B178313E): CF18 15FA 9FE4 0CD1 2319 1D77 9AB1 0FFD B178 313E (also on textsecure & redphone)
Mind you, back in say 2004, this discussion would have run to 50 or 60 emails at a bare minimum, in no time at all.
--srs
On 25-Dec-2015, at 6:55 AM, Stephen Satchell <list@satchell.net> wrote:
On 12/24/2015 04:50 PM, Daniel Corbe wrote: Let’s just cut off the entirety of the third world instead of having a tangible mitigation plan in place.
While you think you are making a snarky response, it would be handy for end users to be able to turn on and off access to other countries retail.
interesting:) but useful to make an attempt at cleaning up traffic from china and russia colin Sent from my iPhone
On 27 Dec 2015, at 06:32, Hugo Slabbert <hugo@slabnet.com> wrote:
On Fri 2015-Dec-25 08:55:24 +0530, Suresh Ramasubramanian <ops.lists@gmail.com> wrote:
Hmm, has anyone at all kept count of the number of times such a discussion has started up in just the last year...
Not on an ongoing basis, but I was curious as well, so a quick mailbox search for 2015:
http://mailman.nanog.org/pipermail/nanog/2015-January/072841.html subject: Facebook outage? author: Colin Johnston <colinj@gt86car.org.uk>
http://mailman.nanog.org/pipermail/nanog/2015-February/073556.html subject: AOL Postmaster author: Colin Johnston <colinj@gt86car.org.uk>
http://mailman.nanog.org/pipermail/nanog/2015-March/074251.html http://mailman.nanog.org/pipermail/nanog/2015-March/074241.html subject: Getting hit hard by CHINANET author: Colin Johnston <colinj@gt86car.org.uk>
http://mailman.nanog.org/pipermail/nanog/2015-April/074432.html subject: BGP offloading (fixing legacy router BGP scalability issues) author: Colin Johnston <colinj@gt86car.org.uk>
http://mailman.nanog.org/pipermail/nanog/2015-July/077790.html subject: 20-30Gbps UDP 1720 traffic appearing to originate from CN in last 24 hours author: Colin Johnston <colinj@gt86car.org.uk>
http://mailman.nanog.org/pipermail/nanog/2015-December/083104.html subject: de-peering for security sake author: Colin Johnston <colinj@gt86car.org.uk>
I tried to be pretty wide in the search and filter through a decent chunk of false positives manually, though of course I could have missed some. It does skip a few of the "all of their traffic is crap and abuse reports are ignored" messages that don't *explicitly* call for wholesale country-level blocks or de-peering.
...and how many more times in the past 16 or so years?
I was curious, but not masochistic ;)
-- Hugo
hugo@slabnet.com: email, xmpp/jabber PGP fingerprint (B178313E): CF18 15FA 9FE4 0CD1 2319 1D77 9AB1 0FFD B178 313E
(also on textsecure & redphone)
Mind you, back in say 2004, this discussion would have run to 50 or 60 emails at a bare minimum, in no time at all.
--srs
On 25-Dec-2015, at 6:55 AM, Stephen Satchell <list@satchell.net> wrote:
On 12/24/2015 04:50 PM, Daniel Corbe wrote: Let’s just cut off the entirety of the third world instead of having a tangible mitigation plan in place.
While you think you are making a snarky response, it would be handy for end users to be able to turn on and off access to other countries retail.
On Dec 24, 2015, at 17:25 , Stephen Satchell <list@satchell.net> wrote:
On 12/24/2015 04:50 PM, Daniel Corbe wrote:
Let’s just cut off the entirety of the third world instead of having a tangible mitigation plan in place.
While you think you are making a snarky response, it would be handy for end users to be able to turn on and off access to other countries retail. If *they* don't need access to certain third world countries, it would be their decision, not the operator's decision.
For example, here on my little network we have no need for connectivity to much of Asia, Africa, or India. We do have need to talk to Europe, Australia, and some countries in South America.
Yes… Balkanization has been such a wonderful and useful strategy in the physical world, let’s bring it to cyberspace and we should be able to expect the same level of success… Oh, wait, that wouldn’t be so good. Maybe this should be rethought. One of the definitions of insanity is doing the same thing over and over again, expecting different results. This would seem to me to fit that particular definition. Owen
Daniel Corbe wrote:
Let’s just cut off the entirety of the third world instead of having a tangible mitigation plan in place.
You mean, cut off Sweden, Ireland, Finland, Switzerland and Israel?
What an enormously silly idea. Seasons greetings to all, Nick
On Dec 25, 2015, at 7:14 AM, Nick Hilliard <nick@foobar.org> wrote:
Daniel Corbe wrote:
Let’s just cut off the entirety of the third world instead of having a tangible mitigation plan in place.
You mean, cut off Sweden, Ireland, Finland, Switzerland and Israel?
What an enormously silly idea.
Seasons greetings to all,
Nick
It was a stupid idea even before you corrected me.
To the thread, not necessarily Daniel, if blocking countries\continents is a bad thing (not saying I disagree), how do you deal with the flood of trash? Just take it on the chin? The degree of splash damage by blocking this way will vary based upon what kind of network you are. Residential eyeballs? You could probably block most of a lot of things and people wouldn't notice or care, as long as it wasn't Google, Facebook, Netflix, etc. ----- Mike Hammett Intelligent Computing Solutions http://www.ics-il.com Midwest Internet Exchange http://www.midwest-ix.com ----- Original Message ----- From: "Daniel Corbe" <dcorbe@hammerfiber.com> To: "Nick Hilliard" <nick@foobar.org> Cc: "NANOG" <nanog@nanog.org> Sent: Friday, December 25, 2015 8:11:55 AM Subject: Re: de-peering for security sake
On Dec 25, 2015, at 7:14 AM, Nick Hilliard <nick@foobar.org> wrote:
Daniel Corbe wrote:
Let’s just cut off the entirety of the third world instead of having a tangible mitigation plan in place.
You mean, cut off Sweden, Ireland, Finland, Switzerland and Israel?
What an enormously silly idea.
Seasons greetings to all,
Nick
It was a stupid idea even before you corrected me.
On 12/25/2015 06:18 AM, Mike Hammett wrote:
To the thread, not necessarily Daniel, if blocking countries\continents is a bad thing (not saying I disagree), how do you deal with the flood of trash? Just take it on the chin?
The degree of splash damage by blocking this way will vary based upon what kind of network you are. Residential eyeballs? You could probably block most of a lot of things and people wouldn't notice or care, as long as it wasn't Google, Facebook, Netflix, etc.
In my networks, different users have different requirements. So I have to be careful in my ACLs to allow what they need, while reducing access by those who view the Internet as a sewer, and not as a privilege. (Used to be a BOFH in the NSF days.) So my blocking list has grown, as I have identified bad actors from the information in my logs. Keeping in mind that people with one bad habit will most likely have other bad habits as well, I keep it simple: if you don't play nice, you are blocked at the demarc. For the majority of my users, I provide access behind a router with the block list shown below. For those customers who want an unblocked feed, I provide that by having the edge bypass the filtering router. (No one has asked yet for custom filters -- 1841s are cheap and easy, and don't take much power.) I don't intend to provide this list for others to use. I provide this list as an example of how I exercise my right of Internet Freedom of Association, and keep my own network safe from intruders. Abuse reports? I've given up on them, frankly. My logs don't include enough information for some admins, so they drop my reports without further comment. When there is an admin listed. The nice thing about IPTABLES is that I can pull a report, if I want to, of which of these blocks are still generating traffic. As we go farther down the IPv4-split road, I may just set up a database of the blocks, and monitor the traffic to see which ones have gone silent and thus can be removed. Or not -- that's a lot of work and time, both of which I can direct to activities that bring in revenue.
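One way to produce the report described in the message above, comparing two `iptables-save -c` snapshots to see which blocks still draw traffic and which have gone silent. This is an added example, not the poster's own tooling; the snapshots are constructed and use RFC 5737 documentation prefixes rather than any entry from the list.

```python
import ipaddress
import re

# Constructed snapshots of `iptables-save -c` output taken at two points in time.
SNAPSHOT_OLD = """\
*filter
:INPUT ACCEPT [9021:771204]
[4410:264600] -A INPUT -s 192.0.2.0/24 -j DROP
[87:5220] -A INPUT -s 198.51.100.0/24 -j DROP
[300:18000] -A INPUT -s 203.0.113.7/32 -j DROP
COMMIT
"""
SNAPSHOT_NEW = """\
*filter
:INPUT ACCEPT [15330:1310998]
[6125:367500] -A INPUT -s 192.0.2.0/24 -j DROP
[87:5220] -A INPUT -s 198.51.100.0/24 -j DROP
[12:720] -A INPUT -s 203.0.113.7/32 -j DROP
COMMIT
"""

# "[packets:bytes] -A <chain> ... -s <source> ... -j DROP"
RULE = re.compile(r"^\[(\d+):(\d+)\] -A (\S+) .*?-s (\S+) .*?-j DROP\b")


def drop_counters(snapshot, chain="INPUT"):
    """Map each blocked source network to its packet counter in one snapshot."""
    counters = {}
    for line in snapshot.splitlines():
        m = RULE.match(line)
        if m and m.group(3) == chain:
            net = ipaddress.ip_network(m.group(4), strict=False)
            # Sum counters if the same prefix is listed more than once.
            counters[net] = counters.get(net, 0) + int(m.group(1))
    return counters


def classify(old, new, chain="INPUT"):
    """Return (active, silent): packets dropped per block between the snapshots."""
    before, after = drop_counters(old, chain), drop_counters(new, chain)
    active, silent = {}, []
    for net, count in after.items():
        prev = before.get(net, 0)
        # A smaller counter means the rule was reloaded or zeroed in between,
        # so everything counted now arrived after the reset.
        delta = count - prev if count >= prev else count
        if delta:
            active[str(net)] = delta
        else:
            silent.append(str(net))
    return active, silent


if __name__ == "__main__":
    still_active, gone_silent = classify(SNAPSHOT_OLD, SNAPSHOT_NEW)
    for net, packets in sorted(still_active.items()):
        print("active", net, packets)
    for net in gone_silent:
        print("silent", net)
```

A block that is silent over one interval is only a candidate for review; the interval has to be long enough to cover the kind of traffic that got the prefix listed.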
On Dec 25, 2015, at 9:18 AM, Mike Hammett <nanog@ics-il.net> wrote:
To the thread, not necessarily Daniel, if blocking countries\continents is a bad thing (not saying I disagree), how do you deal with the flood of trash? Just take it on the chin?
If you as an end user want to be the cyber-equivalent of a xenophobe because OMG BAD INTERNETS then be my guest. On the other hand, I’m a network operator so I don’t have the luxury of dictating to my users what they can and cannot reach.
The degree of splash damage by blocking this way will vary based upon what kind of network you are. Residential eyeballs? You could probably block most of a lot of things and people wouldn't notice or care, as long as it wasn't Google, Facebook, Netflix, etc.
As a residential ISP with many first and second generation American immigrants in my service footprint I can assure you this notion is patently false. People will definitely notice and care if they can’t communicate with their relatives and consume content in their home countries.
----- Mike Hammett Intelligent Computing Solutions http://www.ics-il.com
Midwest Internet Exchange http://www.midwest-ix.com
----- Original Message -----
From: "Daniel Corbe" <dcorbe@hammerfiber.com> To: "Nick Hilliard" <nick@foobar.org> Cc: "NANOG" <nanog@nanog.org> Sent: Friday, December 25, 2015 8:11:55 AM Subject: Re: de-peering for security sake
On Dec 25, 2015, at 7:14 AM, Nick Hilliard <nick@foobar.org> wrote:
Daniel Corbe wrote:
Let’s just cut off the entirety of the third world instead of having a tangible mitigation plan in place.
You mean, cut off Sweden, Ireland, Finland, Switzerland and Israel?
What an enormously silly idea.
Seasons greetings to all,
Nick
It was a stupid idea even before you corrected me.
You know, without actually looking I’m willing to lay money down that the people beating the blocklist drum are the same people who scream the loudest about net neutrality when they can’t actually get to the content they want.
On Dec 25, 2015, at 11:25 AM, Daniel Corbe <dcorbe@hammerfiber.com> wrote:
On Dec 25, 2015, at 9:18 AM, Mike Hammett <nanog@ics-il.net> wrote:
To the thread, not necessarily Daniel, if blocking countries\continents is a bad thing (not saying I disagree), how do you deal with the flood of trash? Just take it on the chin?
If you as an end user want to be the cyber-equivalent of a xenophobe because OMG BAD INTERNETS then be my guest. On the other hand, I’m a network operator so I don’t have the luxury of dictating to my users what they can and cannot reach.
The degree of splash damage by blocking this way will vary based upon what kind of network you are. Residential eyeballs? You could probably block most of a lot of things and people wouldn't notice or care, as long as it wasn't Google, Facebook, Netflix, etc.
As a residential ISP with many first and second generation American immigrants in my service footprint I can assure you this notion is patently false. People will definitely notice and care if they can’t communicate with their relatives and consume content in their home countries.
----- Mike Hammett Intelligent Computing Solutions http://www.ics-il.com
Midwest Internet Exchange http://www.midwest-ix.com
----- Original Message -----
From: "Daniel Corbe" <dcorbe@hammerfiber.com> To: "Nick Hilliard" <nick@foobar.org> Cc: "NANOG" <nanog@nanog.org> Sent: Friday, December 25, 2015 8:11:55 AM Subject: Re: de-peering for security sake
On Dec 25, 2015, at 7:14 AM, Nick Hilliard <nick@foobar.org> wrote:
Daniel Corbe wrote:
Let’s just cut off the entirety of the third world instead of having a tangible mitigation plan in place.
You mean, cut off Sweden, Ireland, Finland, Switzerland and Israel?
What an enormously silly idea.
Seasons greetings to all,
Nick
It was a stupid idea even before you corrected me.
On Dec 25, 2015, at 06:18 , Mike Hammett <nanog@ics-il.net> wrote:
To the thread, not necessarily Daniel, if blocking countries\continents is a bad thing (not saying I disagree), how do you deal with the flood of trash? Just take it on the chin?
Allowing hate speech is the price of having free speech. I will decry, denounce, and object to all of the statements promoting racism or banning entry of people based on religion, or other forms of discrimination, but I will not claim that any person has no right to make those statements. In fact, I will strongly defend the right of those people to make fools of themselves in public every bit as strongly as I will defend my right to make opposing statements. Unless we tolerate unpopular speech, we risk a tyranny of the majority which is both detrimental to society overall and antithetical to freedom of speech, the principles of democracy, and the entire concept of a free society. To some extent, some of the trash we take on the chin on the internet is the price of having a free and open internet. I’m not opposed to localized depeering or blockage when warranted, but it is important to keep such actions as granular as practicable. Otherwise, the collateral damage to the free and open internet becomes greater than the damage done by the miscreants we are attempting to block. Surely blocking an entire nation is well beyond “as granular as practicable”. I realize that reactionary overreach has become fashionable in the US since 9/11. Some great examples include the U.S.A.P.A.T.R.I.O.T. act, warrantless wiretapping and the associated unconstitutional laws of ex post facto granting retroactive immunity to the phone companies that lacked the will to say no. Examples abound even today in the surveillance bill that got buried in the recent budget act.
The degree of splash damage by blocking this way will vary based upon what kind of network you are. Residential eyeballs? You could probably block most of a lot of things and people wouldn't notice or care, as long as it wasn't Google, Facebook, Netflix, etc.
That may be true, but even if it is, it still doesn’t make broad censorship a concept we should support or accept in practice. The extent to which it is true reminds me of the story (apocryphal as it is) of the frog in a pot of water with the temperature being raised slowly. Merely because people are asleep at the switch does not give those of us in a position to understand the consequences license to abuse our position. Owen
On 25/Dec/15 14:14, Nick Hilliard wrote:
You mean, cut off Sweden, Ireland, Finland, Switzerland and Israel?
And watch the transit per-Mbps price go up? Who do we think funds the low bandwidth costs of the "first world"? Mark.
While you have a great deal of control over what prefixes you choose to accept... You have very little control over your advertised prefixes once they exit your ASN. Maybe your transits offer communities to control their peer advertisements. In general assuming you're paying for the Internet cone, you have a vested interest in them propagating everywhere otherwise the party that is partitioned is you. Sent from my iPhone
On Dec 24, 2015, at 15:44, Colin Johnston <colinj@gt86car.org.uk> wrote:
We really need to ask if China and Russia for that matter will not take abuse reports seriously why allow them to network to the internet ?
Colin
Come on, keep calm and wait a year: Russia and China will de-peer with all the world for their security (AKA censorship) reasons! ;) On 25.12.15 01:44, Colin Johnston wrote:
We really need to ask if China and Russia for that matter will not take abuse reports seriously why allow them to network to the internet ?
Colin
Purposefully hosting an "inflammatory" site that the Russians or Chinese object to is a valid way to get your AS null routed inside those countries. Same goes for Turkey, India, Australia... Solves the DDoS and malware problem inside their borders, not yours. On Dec 25, 2015 4:43 AM, "Max Tulyev" <maxtul@netassist.ua> wrote:
Come on, keep calm and wait a year: Russia and China will de-peer with all the world for their security (AKA censorship) reasons! ;)
On 25.12.15 01:44, Colin Johnston wrote:
We really need to ask if China and Russia for that matter will not take abuse reports seriously why allow them to network to the internet ?
Colin
Purposefully hosting an "inflammatory" site that the Russians or Chinese object to is a valid way to get your AS null routed inside those countries. Same goes for Turkey, India, Australia...
luckily this is not true in the US. oh wait.
We really need to ask if China and Russia for that matter will not take abuse reports seriously why allow them to network to the internet ?
luckily all american and ukrainian isps respond to abuse in minutes. moving right along ... randy
On Thu, Dec 24, 2015 at 11:44:10PM +0000, Colin Johnston wrote:
We really need to ask if China and Russia for that matter will not take abuse reports seriously why allow them to network to the internet ?
One could ask the exact same question about Amazon -- which, as of the moment, is the worst spam-supporting operation on the planet: https://www.spamhaus.org/statistics/networks/ Are they merely incompetent? negligent? stupid? lazy? Or are they taking payoffs and bribes from spammers? Of course from outside there's no way to know. But this is not how responsible, ethical, professional operations behave: those operations promptly read, analyze, answer, and act on every single abuse report that they get. ---rsk
On Saturday, January 16, 2016, Rich Kulawiec <rsk@gsp.org> wrote:
On Thu, Dec 24, 2015 at 11:44:10PM +0000, Colin Johnston wrote:
We really need to ask if China and Russia for that matter will not take abuse reports seriously why allow them to network to the internet ?
One could ask the exact same question about Amazon -- which, as of the moment, is the worst spam-supporting operation on the planet:
https://www.spamhaus.org/statistics/networks/
Are they merely incompetent? negligent? stupid? lazy? Or are they taking payoffs and bribes from spammers? Of course from outside there's no way to know. But this is not how responsible, ethical, professional operations behave: those operations promptly read, analyze, answer, and act on every single abuse report that they get.
---rsk
I really like what spamhaus has done here. I see a great deal of folks on nanog clamoring to buy ddos gear. Packets are starting to become like spam email, where 90% are pure rubbish, and us good guys have to spend a lot of money and time sorting signal from noise. Can Cloudflare, Akamai, and the others in the ddos protection racket please do as spamhaus has done? It would really be a great service to aggregate and release high level data on where these ddos bots are hosted. The pessimistic side of me believes cloudflare and akamai want the internet to be choked with bots such that everyone must pay their toll, so the information on the bots is a trade secret... But please prove me wrong so we can drive higher accountability on the internet.
Agreed. A "Top 10" report would be awesome. ----- Mike Hammett Intelligent Computing Solutions http://www.ics-il.com Midwest Internet Exchange http://www.midwest-ix.com ----- Original Message ----- From: "Ca By" <cb.list6@gmail.com> To: "Rich Kulawiec" <rsk@gsp.org> Cc: nanog@nanog.org Sent: Saturday, January 16, 2016 7:43:56 AM Subject: Re: de-peering for security sake On Saturday, January 16, 2016, Rich Kulawiec <rsk@gsp.org> wrote:
On Thu, Dec 24, 2015 at 11:44:10PM +0000, Colin Johnston wrote:
We really need to ask if China and Russia for that matter will not take abuse reports seriously why allow them to network to the internet ?
One could ask the exact same question about Amazon -- which, as of the moment, is the worst spam-supporting operation on the planet:
https://www.spamhaus.org/statistics/networks/
Are they merely incompetent? negligent? stupid? lazy? Or are they taking payoffs and bribes from spammers? Of course from outside there's no way to know. But this is not how responsible, ethical, professional operations behave: those operations promptly read, analyze, answer, and act on every single abuse report that they get.
---rsk
I really like what spamhaus has done here. I see a great deal of folks on nanog clamoring to buy ddos gear. Packets are starting to become like spam email, where 90% are pure rubbish, and us good guys have to spend a lot of money and time sorting signal from noise. Can Cloudflare, Akamai, and the others in the ddos protection racket please do as spamhaus has done? It would really be a great service to aggregate and release high level data on where these ddos bots are hosted. The pessimistic side of me believes cloudflare and akamai want the internet to be choked with bots such that everyone must pay their toll, so the information on the bots is a trade secret... But please prove me wrong so we can drive higher accountability on the internet.
On Sat, Jan 16, 2016 at 05:43:56AM -0800, Ca By wrote:
I see a great deal of folks on nanog clamoring to buy ddos gear. Packets are starting to become like spam email, where 90% are pure rubbish, and us good guys have to spend a lot of money and time sorting signal from noise.
I've said this many times: abuse does not magically fall out of the sky. It comes from hosts, on networks, run by people. It is time -- well past time -- to hold those people *personally* accountable. Not doing so leaves us where we are today: millions -- heck, hundreds of millions -- of dollars are being spent on defenses THAT WOULD NOT BE NECESSARY if those people performed their jobs at a mere baseline level of competence and diligence. ---rsk
On Jan 16, 2016, at 9:53 AM, Rich Kulawiec <rsk@gsp.org> wrote:
On Sat, Jan 16, 2016 at 05:43:56AM -0800, Ca By wrote:
I see a great deal of folks on nanog clamoring to buy ddos gear. Packets are starting to become like spam email, where 90% are pure rubbish, and us good guys have to spend a lot of money and time sorting signal from noise.
I've said this many times: abuse does not magically fall out of the sky. It comes from hosts, on networks, run by people. It is time -- well past time -- to hold those people *personally* accountable.
Not doing so leaves us where we are today: millions -- heck, hundreds of millions -- of dollars are being spent on defenses THAT WOULD NOT BE NECESSARY if those people performed their jobs at a mere baseline level of competence and diligence.
Shared fate systems suck in some ways. But I disagree that “a mere baseline level of competence and diligence” is even close to what is required.
Making the owner of the host responsible for an attack -personally- responsible would require every grandma & 6 year old to have insurance before buying a laptop or Xbox. And would bankrupt your favorite startup no matter how smart & competent the first time a zero-day caught them by surprise.
Of course, forcing Uncle Bob to call his insurance carrier before buying a smartphone, and having Sand Hill Road take even greater risks when investing, and giving lawyers yet another vector for frivolous lawsuits, wouldn’t have the slightest effect on the global economy.
On the other hand, that 100s of millions of dollars is a rounding error in the wealth & public good created by that same shared fate system.
Overall, I think we’re doing well.
Before anyone pounces on me, I hate spam, dos, etc. as much as anyone else. (You know how much personal, unpaid time I’ve put into fighting both, Rich.) If we can find the originators of these things, we should hang them by their thumbs and beat them senseless. We should do everything we can to make ISPs implement BCP38, get software vendors to QA better, and educate users to be less, well, idiotic.
But I am also pragmatic. Life sucks, it is not fair. But the idea of making either grandma or the network engineer at an ISP or even the CEO of a hosting company personally responsible for things like zero-days or minor errors which can be exploited to the tune of greater than their personal wealth or even their corporate market cap is a recipe for bringing everything to a screeching halt.
I kinda like the ride we’re on, bumps and all. Let’s not bring it to a screeching halt.
-- TTFN, patrick
On Saturday, January 16, 2016, Patrick W. Gilmore <patrick@ianai.net> wrote:
On Jan 16, 2016, at 9:53 AM, Rich Kulawiec <rsk@gsp.org> wrote:
On Sat, Jan 16, 2016 at 05:43:56AM -0800, Ca By wrote:
I see a great deal of folks on nanog clamoring to buy ddos gear. Packets are starting to become like spam email, where 90% are pure rubbish, and us good guys have to spend a lot of money and time sorting signal from noise.
I've said this many times: abuse does not magically fall out of the sky. It comes from hosts, on networks, run by people. It is time -- well past time -- to hold those people *personally* accountable.
Not doing so leaves us where we are today: millions -- heck, hundreds of millions -- of dollars are being spent on defenses THAT WOULD NOT BE NECESSARY if those people performed their jobs at a mere baseline level of competence and diligence.
Shared fate systems suck in some ways. But I disagree that “a mere baseline level of competence and diligence” is even close to what is required.
Making the owner of the host responsible for an attack -personally- responsible would require every grandma & 6 year old to have insurance before buying a laptop or Xbox. And would bankrupt your favorite startup no matter how smart & competent the first time a zero-day caught them by surprise.
Of course, forcing Uncle Bob to call his insurance carrier before buying a smartphone, and having Sand Hill Road take even greater risks when investing, and giving lawyers yet another vector for frivolous lawsuits, wouldn’t have the slightest effect on the global economy.
On the other hand, that 100s of millions of dollars is a rounding error in the wealth & public good created by that same shared fate system.
Overall, I think we’re doing well.
Before anyone pounces on me, I hate spam, dos, etc. as much as anyone else. (You know how much personal, unpaid time I’ve put into fighting both, Rich.) If we can find the originators of these things, we should hang them by their thumbs and beat them senseless. We should do everything we can to make ISPs implement BCP38, get software vendors to QA better, and educate users to be less, well, idiotic.
But I am also pragmatic. Life sucks, it is not fair. But the idea of making either grandma or the network engineer at an ISP or even the CEO of a hosting company personally responsible for things like zero-days or minor errors which can be exploited to the tune of greater than their personal wealth or even their corporate market cap is a recipe for bringing everything to a screeching halt.
I kinda like the ride we’re on, bumps and all. Let’s not bring it to a screeching halt.
-- TTFN, patrick
Tar and feather bad, yes. Name and shame so i can sic my "enterprise account manager" on the shamed = good. For example, i have an aws account manager. He likes to come in quarterly and tell me and the exec team about how great aws is and how we need to buy more reserved instances. Like with ipv6, I will make his life hell with my execs on our quarterly business review citing spamhaus. My account manager will squeal in a very unsatisfying way, but he will muster his sales org muscle to pass on the discomfort to the folks who can increase accountability and address abuse internally. That is how transparency and accountability work, put $ and reputation on the line with big spenders. So, thanks Spamhaus. Now, looking at the ddos protection folks to do something similar so we can get to the root of this ddos epidemic instead of constantly applying network chemo CB
On Jan 16, 2016, at 07:15 , Patrick W. Gilmore <patrick@ianai.net> wrote:
On Jan 16, 2016, at 9:53 AM, Rich Kulawiec <rsk@gsp.org> wrote:
On Sat, Jan 16, 2016 at 05:43:56AM -0800, Ca By wrote:
I see a great deal of folks on nanog clamoring to buy ddos gear. Packets are starting to become like spam email, where 90% are pure rubbish, and us good guys have to spend a lot of money and time sorting signal from noise.
I've said this many times: abuse does not magically fall out of the sky. It comes from hosts, on networks, run by people. It is time -- well past time -- to hold those people *personally* accountable.
Not doing so leaves us where we are today: millions -- heck, hundreds of millions -- of dollars are being spent on defenses THAT WOULD NOT BE NECESSARY if those people performed their jobs at a mere baseline level of competence and diligence.
Shared fate systems suck in some ways. But I disagree that “a mere baseline level of competence and diligence” is even close to what is required.
Making the owner of the host responsible for an attack -personally- responsible would require every grandma & 6 year old to have insurance before buying a laptop or Xbox. And would bankrupt your favorite startup no matter how smart & competent the first time a zero-day caught them by surprise.
Agreed… I think, instead, that the commercial purveyors of vulnerable software should be held liable.
Of course, forcing Uncle Bob to call his insurance carrier before buying a smartphone, and having Sand Hill Road take even greater risks when investing, and giving lawyers yet another vector for frivolous lawsuits, wouldn’t have the slightest effect on the global economy.
On the other hand, that 100s of millions of dollars is a rounding error in the wealth & public good created by that same shared fate system.
Overall, I think we’re doing well.
While I agree with you (scary, huh) about most of this, I do think that there is legitimate liability to be had by commercial software vendors that have so far held themselves immune to prosecution. We have already seen that vulnerabilities in open source software tend to get corrected much faster than in closed commercial software. We’ve also seen that opening up source code to inspection by the community tends to make the vulnerabilities known faster (which is a double-edged sword to be certain). I’m not saying we should eliminate closed commercial software, but I do think giving it a free pass on the liability for the damage it inflicts is something that should no longer be tolerated.
Before anyone pounces on me, I hate spam, dos, etc. as much as anyone else. (You know how much personal, unpaid time I’ve put into fighting both, Rich.) If we can find the originators of these things, we should hang them by their thumbs and beat them senseless. We should do everything we can to make ISPs implement BCP38, get software vendors to QA better, and educate users to be less, well, idiotic.
+1
But I am also pragmatic. Life sucks, it is not fair. But the idea of making either grandma or the network engineer at an ISP or even the CEO of a hosting company personally responsible for things like zero-days or minor errors which can be exploited to the tune of greater than their personal wealth or even their corporate market cap is a recipe for bringing everything to a screeching halt.
Agreed. Perhaps liability with some sort of safe harbor provision for corrections released within 30 days of notification of vulnerability would be a better choice than outright complete liability. However, if you want to sell software without giving users the ability to plug the holes you created, whether by design or by accident, it should come with a responsibility to plug them on a timely basis.
I kinda like the ride we’re on, bumps and all. Let’s not bring it to a screeching halt.
Meh… If we did, a new ride would soon take its place. Owen
On Sat, 16 Jan 2016 11:09:27 -0800, Owen DeLong said:
Making the owner of the host responsible for an attack -personally- responsible would require every grandma & 6 year old to have insurance before buying a laptop or Xbox. And would bankrupt your favorite startup no matter how smart & competent the first time a zero-day caught them by surprise.
Agreed… I think, instead, that the commercial purveyors of vulnerable software should be held liable.
And this is another one that needs *really* careful definitions. How much time does Redhat get to patch a bug in (say) OpenSSH or the kernel or any other package from upstream, before you want to hold them liable?
When all you have is a hammer the whole world looks like a nail. That's what "de-peering for security sake" sounds like to me. Sure, you have your hands on BGP etc, so what router commands (hammer) can effect international policy (nail)? This is fundamentally a social and political issue and needs to be dealt with on that level, not with changes in router configs. We need an effective forum with effective participation perhaps eventually leading to signed contractual obligations agreed to by all parties. Perhaps way at the end of that process router commands can be used to enforce agreed contracts and respond to adjudicated breaches, if and when necessary. Otherwise it's just rule by an angry mob. The internet has gotten way too big and critical for that sort of approach. -- -Barry Shein Software Tool & Die | bzs@TheWorld.com | http://www.TheWorld.com Purveyors to the Trade | Voice: +1 617-STD-WRLD | 800-THE-WRLD The World: Since 1989 | A Public Information Utility | *oo*
On Sun, 17 Jan 2016, bzs@theworld.com wrote:
Sure, you have your hands on BGP etc, so what router commands (hammer) can effect international policy (nail)?
This is fundamentally a social and political issue and needs to be dealt with on that level, not with changes in router configs.
bgp blackhole fed by rbl? at the very least, scavenger queue packets by rbl. complacency / willful negligence needs to have a monetary cost. -Dan
On Sunday, January 17, 2016, Dan Hollis <goemon@sasami.anime.net> wrote:
On Sun, 17 Jan 2016, bzs@theworld.com wrote:
Sure, you have your hands on BGP etc, so what router commands (hammer) can effect international policy (nail)?
This is fundamentally a social and political issue and needs to be dealt with on that level, not with changes in router configs.
bgp blackhole fed by rbl?
at the very least, scavenger queue packets by rbl.
If you are not already scoring packets by reputation, you are at very least behind what AWS is doing for volumetric ddos mitigation Check out around minute 12 and 13 http://youtu.be/Ys0gG1koqJA As stated earlier, ip packets are going the way of spam mail :( complacency / willful negligence needs to have a monetary cost.
-Dan
On January 17, 2016 at 13:06 goemon@sasami.anime.net (Dan Hollis) wrote:
On Sun, 17 Jan 2016, bzs@theworld.com wrote:
Sure, you have your hands on BGP etc, so what router commands (hammer) can effect international policy (nail)?
This is fundamentally a social and political issue and needs to be dealt with on that level, not with changes in router configs.
bgp blackhole fed by rbl?
at the very least, scavenger queue packets by rbl.
complacency / willful negligence needs to have a monetary cost.
How well is this approach working so far? -- -Barry Shein Software Tool & Die | bzs@TheWorld.com | http://www.TheWorld.com Purveyors to the Trade | Voice: +1 617-STD-WRLD | 800-THE-WRLD The World: Since 1989 | A Public Information Utility | *oo*
On 1/17/2016 12:44 PM, bzs@theworld.com wrote:
We need an effective forum with effective participation perhaps eventually leading to signed contractual obligations agreed to by all parties.
Not gonna help. The same people who have no incentive to do the right thing now will still have no incentive to join the group you propose. I've said it before, and it's an unpopular option, but the only way that this will change is to make it more expensive to do the wrong thing than it is to do the right thing. That means lawsuits filed by companies that have been harmed as a result of those that are not doing the right thing. That will produce the incentives which will be recognized and understood by all layers of management, and result in real action for the better. As nice as it would be if everyone were to do the right thing because it's the right thing, we already have ample evidence that won't happen. Time to stop pretending otherwise. Doug
On Sun, 17 Jan 2016, Doug Barton wrote:
On 1/17/2016 12:44 PM, bzs@theworld.com wrote:
We need an effective forum with effective participation perhaps eventually leading to signed contractual obligations agreed to by all parties. Not gonna help. The same people who have no incentive to do the right thing now will still have no incentive to join the group you propose.
I've said it before, and it's an unpopular option, but the only way that this will change is to make it more expensive to do the wrong thing than it is to do the right thing.
I think it can happen without lawsuits. look at RBLs and spamhaus. a bit sad that spamhaus has to exist in order to motivate operators to clean up their cesspools, but it does work to a certain extent. -Dan
On January 17, 2016 at 13:09 dougb@dougbarton.us (Doug Barton) wrote:
On 1/17/2016 12:44 PM, bzs@theworld.com wrote:
We need an effective forum with effective participation perhaps eventually leading to signed contractual obligations agreed to by all parties.
Not gonna help. The same people who have no incentive to do the right thing now will still have no incentive to join the group you propose.
How about if backed by an agreement with the 5 RIRs stating no new resource allocations or transfers etc unless a contract is signed and enforced? Or similar. Anyhow the point is that the same methods can be used, it's just that if one uses a contractual obligation (or refusal to sign thereto) and some process for adjudication at least it can take on the appearance of transparent fair play and violation of rules everyone has agreed to abide by rather than vigilantism.
I've said it before, and it's an unpopular option, but the only way that this will change is to make it more expensive to do the wrong thing than it is to do the right thing. That means lawsuits filed by companies that have been harmed as a result of those that are not doing the right thing. That will produce the incentives which will be recognized and understood by all layers of management, and result in real action for the better.
Lawsuits are just looking for some external authority (a court, of what jurisdiction?) to do what should have been done within the industry itself. So now we'd have a court, and a jury of bus drivers and senior citizens, trying to figure out what the problem really is? I thought a lot of this started over international problems. Ever tried to get a court order or subpoena enforced in Lower Slobbovia? (no, because there is no such place as Lower Slobbovia, but you can fill in that blank I'm sure.)
As nice as it would be if everyone were to do the right thing because it's the right thing, we already have ample evidence that won't happen. Time to stop pretending otherwise.
Might have something to do with the unsophisticated way this is being approached? -- -Barry Shein Software Tool & Die | bzs@TheWorld.com | http://www.TheWorld.com Purveyors to the Trade | Voice: +1 617-STD-WRLD | 800-THE-WRLD The World: Since 1989 | A Public Information Utility | *oo*
On Sun, 17 Jan 2016 19:39:52 -0500, bzs@theworld.com said:
How about if backed by an agreement with the 5 RIRs stating no new resource allocations or transfers etc unless a contract is signed and enforced? Or similar.
Then they'd just resort to hijacking address space. Oh wait, they already do that and get away with it.... (And a threat of withholding IP address space from long-haul providers isn't as credible - they have much less need for publicly routed IP addresses than either eyeball farms or content farms, so you'll have to find some other way to motivate them to not accept a hijacked route announcement...)
On January 18, 2016 at 00:21 Valdis.Kletnieks@vt.edu (Valdis.Kletnieks@vt.edu) wrote:
On Sun, 17 Jan 2016 19:39:52 -0500, bzs@theworld.com said:
How about if backed by an agreement with the 5 RIRs stating no new resource allocations or transfers etc unless a contract is signed and enforced? Or similar.
Then they'd just resort to hijacking address space.
Oh wait, they already do that and get away with it....
I think we're talking about two different problems, both valid. One is legitimate operators who probably mostly want to do the right thing but are negligent, disagree (perhaps with many on this list) on what is an actionable problem, etc. The other are those actors prone to criminality. I was addressing the first problem though I'd assert that progress on the first problem would likely yield progress on the second, or cooperation anyhow.
(And a threat of withholding IP address space from long-haul providers isn't as credible - they have much less need for publicly routed IP addresses than either eyeball farms or content farms, so you'll have to find some other way to motivate them to not accept a hijacked route announcement...)
No man is an island entire of himself -- John Donne. First one has to agree to the concept of creating a network based on contractual agreements. I gave some examples of how to encourage actors to enter into those contracts, my list wasn't intended to be exhaustive, it was intended to be an existence proof, some pressure points exist and are easy to understand even if not complete. Besides, why make the perfect the enemy of the good? If many, perhaps not all (or not at first), agreed to a common set of contractual obligations that would be progress, no? Is there even a document which describes what a "hijacked" net block is and why it is bad? Obvious? No, it is not obvious. The best one can say is there exist obvious cases. -- -Barry Shein Software Tool & Die | bzs@TheWorld.com | http://www.TheWorld.com Purveyors to the Trade | Voice: +1 617-STD-WRLD | 800-THE-WRLD The World: Since 1989 | A Public Information Utility | *oo*
Why do we believe network administrators can advocate perfectly for customer access? I couldn't control my own children's access without making us all miserable. Nation state access control in a free country at the network layer is bound to fail, way too many cats to herd. On Mon, Jan 18, 2016 at 2:31 PM, <bzs@theworld.com> wrote:
On January 18, 2016 at 00:21 Valdis.Kletnieks@vt.edu ( Valdis.Kletnieks@vt.edu) wrote:
On Sun, 17 Jan 2016 19:39:52 -0500, bzs@theworld.com said:
How about if backed by an agreement with the 5 RIRs stating no new resource allocations or transfers etc unless a contract is signed and enforced? Or similar.
Then they'd just resort to hijacking address space.
Oh wait, they already do that and get away with it....
I think we're talking about two different problems, both valid.
One is legitimate operators who probably mostly want to do the right thing but are negligent, disagree (perhaps with many on this list) on what is an actionable problem, etc.
The other are those actors prone to criminality.
I was addressing the first problem though I'd assert that progress on the first problem would likely yield progress on the second, or cooperation anyhow.
(And a threat of withholding IP address space from long-haul providers isn't as credible - they have much less need for publicly routed IP addresses than either eyeball farms or content farms, so you'll have to find some other way to motivate them to not accept a hijacked route announcement...)
No man is an island entire of himself -- John Donne.
First one has to agree to the concept of creating a network based on contractual agreements.
I gave some examples of how to encourage actors to enter into those contracts, my list wasn't intended to be exhaustive, it was intended to be an existence proof, some pressure points exist and are easy to understand even if not complete.
Besides, why make the perfect the enemy of the good? If many, perhaps not all (or not at first), agreed to a common set of contractual obligations that would be progress, no?
Is there even a document which describes what a "hijacked" net block is and why it is bad? Obvious? No, it is not obvious. The best one can say is there exist obvious cases.
-- -Barry Shein
Software Tool & Die | bzs@TheWorld.com | http://www.TheWorld.com Purveyors to the Trade | Voice: +1 617-STD-WRLD | 800-THE-WRLD The World: Since 1989 | A Public Information Utility | *oo*
-- Michael O'Connor ESnet Network Engineering moc@es.net 631 344-7410
On January 19, 2016 at 10:12 moc@es.net (Michael O'Connor) wrote:
Why do we believe network administrators can advocate perfectly for customer access?
Which is why I was advocating for some sort of generally agreed upon standards and process written into contractual agreements. This doesn't mean that someone has any inherent right to a private company's (typically) resources, one could block whatever they please, or nothing. But when there's some agreement that there's been a consistent breach of agreed-upon standards of behavior which should be responded to by the broader community at least there'd be some guidance and process beyond just urging everyone else to "de-peer" some sites on an operations mailing list. The goal would be setting standards for what is reasonable to send (e.g., not DDoS), not what is received.
I couldn't control my own children's access without making us all miserable.
Nation state access control in a free country at the network layer is bound to fail, way too many cats to herd.
On Mon, Jan 18, 2016 at 2:31 PM, <bzs@theworld.com> wrote:
On January 18, 2016 at 00:21 Valdis.Kletnieks@vt.edu ( Valdis.Kletnieks@vt.edu) wrote:
On Sun, 17 Jan 2016 19:39:52 -0500, bzs@theworld.com said:
How about if backed by an agreement with the 5 RIRs stating no new resource allocations or transfers etc unless a contract is signed and enforced? Or similar.
Then they'd just resort to hijacking address space.
Oh wait, they already do that and get away with it....
I think we're talking about two different problems, both valid.
One is legitimate operators who probably mostly want to do the right thing but are negligent, disagree (perhaps with many on this list) on what is an actionable problem, etc.
The other are those actors prone to criminality.
I was addressing the first problem though I'd assert that progress on the first problem would likely yield progress on the second, or cooperation anyhow.
(And a threat of withholding IP address space from long-haul providers isn't as credible - they have much less need for publicly routed IP addresses than either eyeball farms or content farms, so you'll have to find some other way to motivate them to not accept a hijacked route announcement...)
No man is an island entire of himself -- John Donne.
First one has to agree to the concept of creating a network based on contractual agreements.
I gave some examples of how to encourage actors to enter into those contracts, my list wasn't intended to be exhaustive, it was intended to be an existence proof, some pressure points exist and are easy to understand even if not complete.
Besides, why make the perfect the enemy of the good? If many, perhaps not all (or not at first), agreed to a common set of contractual obligations that would be progress, no?
Is there even a document which describes what a "hijacked" net block is and why it is bad? Obvious? No, it is not obvious. The best one can say is there exist obvious cases.
-- -Barry Shein
Software Tool & Die | bzs@TheWorld.com | http://www.TheWorld.com Purveyors to the Trade | Voice: +1 617-STD-WRLD | 800-THE-WRLD The World: Since 1989 | A Public Information Utility | *oo*
-- Michael O'Connor ESnet Network Engineering moc@es.net 631 344-7410
-- -Barry Shein Software Tool & Die | bzs@TheWorld.com | http://www.TheWorld.com Purveyors to the Trade | Voice: +1 617-STD-WRLD | 800-THE-WRLD The World: Since 1989 | A Public Information Utility | *oo*
cats are nice colin Sent from my iPhone
On Sat, 16 Jan 2016 09:53:40 -0500, Rich Kulawiec said:
I've said this many times: abuse does not magically fall out of the sky. It comes from hosts, on networks, run by people. It is time -- well past time -- to hold those people *personally* accountable.
And who, *exactly*, are you planning to hold *personally* accountable? The Joe Sixpack who didn't patch his system? The guy who's doing as much as he can with the resources he's given? The guy above him who didn't hire 3 more people because his group isn't given the budget for it? The CFO who didn't give budget for 3 more people because 3 qualified people plus benefits would wipe out the small ISP's profits and then some?
The pessimistic side of me believes cloudflare and akamai want the internet to be choked with bots such that everyone must pay their toll, so the information on the bots is a trade secret... But please prove me wrong so we can drive higher accountability on the internet.
I am not speaking for Akamai here and I have nothing to do with dDOS product development there. However, I will say that there is great expense involved in collecting the kind of data you are now asking them to aggregate and release for free and there is commercial value in selling protection services. However, just as there is great value in providing health care services, I doubt that physicians are out there cheering for disease and affliction. I’m quite certain we would all be happy to market other services in the absence of a need for dDOS mitigation services. However, if you want to see this kind of data captured and disseminated for free, I suggest you build a consortium to do so and find a way to fund it. I have no input into the decision, but I think it would be absurd for a commercial entity to give away data which is so expensive to obtain. Owen
to take you seriously. Also who here can honestly say you never pretended to power cycle your Windows 95 when asked by the support bot on the phone, while actually running Linux, because that is the only way to get passed on to second tier support?
I can honestly say that I have told support droids that I am rebooting "Windows" while actually running zOS. Support droids have a definite problem with comprehending "No Transport" ... I have even called to report a border router down on their network. They complain and want to plug, unplug and reboot. It isn't until 20 minutes later when the call volume exceeds the "geez there must be something wrong with our network" limit that someone actually bothers to look and see where the problem is really located.
Paywalled, but http://www.consumerreports.org/cro/wireless-routers/buying-guide.htm
-- --------------------------------------------------------------- Joly MacFie 218 565 9365 Skype:punkcast -------------------------------------------------------------- -
On 12/23/2015 06:49 PM, Lorell Hathcock wrote:
All:
Not all consumer grade customer premises equipment is created equally. But end customers sure think it is. I have retirement aged customers buying the crappiest routers and then blaming my cable network for all their connection woes. The real problem is that there were plenty of problems on the cable network to deal with, so it was impossible to tell between a problem that a customer was having with their CPE versus a real problem in my network.
Much of that has been cleared up on my side now, but customers were used to blaming us for everything so that they don't even consider that their equipment could be to blame.
I want to be able to point out a third party list of all (most) broadband routers that rates them by performance. Or that rates them by crappiness that I can send them to so they can look up their own router and determine if other users have had problems with that router and what can be done to fix it.
So far my search has been in vain.
Any thoughts?
As a service provider with largely residential/small business customers, I certainly have some thoughts on broadband routers. Sorry if this is overly long.

Firstly, they are all junk. Every last one of them. Period. Broadband routers are designed to be cheap and to appeal to people who don't know any better, and who respond well (eg: make purchasing decisions) based on the shape of the plastic, the color scheme employed, and number of mysterious blinking lights that convey 'something important is happening'. Further, the price point is $45 - $70 thereabouts, putting some definite constraints on the actual quality of the engineering and components that go into them. I feel that we, the service provider, endure a significantly high and undue burden of cost associated with providing ongoing support to customers as a result of the defects contained therein.

The laundry list of general operational issues for broadband routers, the ones that seem to be universal to every last one of them, goes something like this:

* Device lock ups
* Lost Settings
* Abysmal device security
* Inconsistent forwarding performance

I will try to describe these:

Device lock up is by far the most damning problem there is. The lights are on, the cables are plugged in, but you aren't going anywhere therefore the Internet must be down. This condition typically can be resolved by powercycling the device, and whatever problem it was encountering is magically remedied and all is well again. The concept of the device developing 'a problem' that can only be resolved by power cycling it, is foreign and completely blows end users' minds. And yet, it is very common, and leaves end users stranded since they don't have even the most basic of troubleshooting abilities. We have had people who wait days or even a week or two before calling in to ask for support, because they think the problem will fix itself or that we the provider are simply down (and, in their eyes, we're frequently down anyways and this is just routine...) and so it's out of their hands.

We've noted that there are waves of device lockups that occur nearly every time the weather turns, which I attribute to brownouts and other variations in the power grid which occur at these times and when coming into the office after a stormy weekend we know to expect our phones to be lit up all day with enormous numbers of people all screaming about being 'down the whole weekend!' and every last one of them being able to restore themselves via powercycling. We try to counsel these customers and educate them that 'power cycling' is always a good "first responder" step to try, and secondly, that they always should employ a good quality standby UPS in order to avoid these types of issues in the future, but they never listen and blame us anyways. Broadband routers are not designed with quality robust power supplies, which certainly lowers the costs, but contributes substantially to this problem. This particular issue, I think, is one of the greatest deficiencies shared by all.

Other times, 'lockup' simply resolves to router software problems, such as a kernel panic, a crashed or bugged system process such as pppoe/pppd or dhcp, an overfull nat state table, memory leaks, or other purely software related troubles. The recovery procedure is the same, eg: power cycle the device, but as before, it doesn't actually "fix" the underlying problem (bugged software), it merely alleviates the current symptom...until next time later when it happens again. Many of these troubles are simply outstanding bugs in the versions of the opensource code that the SDK is built on, which never seems to get updated and instead just uses the same old buggy code. Some custom kits also have just crap buggy protocol implementations that also just never get fixed. And usually, (although this is improving), many of these cheap devices never have updated firmware available for them. 3 months after purchase the product is discontinued and it's on to the next newest thing so if you got bugs, tuff cookies. But even for those devices where firmware updates are made available, you would be hard pressed to find any end user which regularly reviews and applies same.

I should point out that an exception to the above are the dd-wrt and variant firmwares which will work on a subset of cpe devices. Generally dd-wrt is maintained much better and usually far superior to stock manufacturer firmware. A downside however is that it may not have that hot new wireless capability for your particular device or only support wireless in a generic way. It also doesn't support any adsl or vdsl modems that I know of, which precludes it from being able to be used in an integrated modem/router combo, forcing you still to have your cpe in bridge mode (and hope at least bridge mode can work well enough for you), and a second device at additional expense to be your router / wireless access point.

Lost settings is another very common symptom. One minute everything is great and fine, but then the next time you go to use the service... your wireless network name can't be found (or has been replaced by the ubiquitous ssid 'linksys'), and even if you can connect to your router, you still can't get on... only 20 minutes later when you are on the phone you are told that your device no longer appears to be configured for pppoe as it has a blank username / password credential now. And sometimes worse, the factory default ip range is different than what you use and so now the router is handing out foreign dhcp addresses but your printer with its static IP is now on a different subnet and you can't print. This problem is even more devastating because it requires black-arts magic to correct; !!! Shudder !! YOU HAVE TO CONFIGURE IT AGAIN!

I have observed there seems to be a strong connection between brownouts/blackouts and lost settings (or, more accurately, reset to factory defaults). I suspect that the issue is flash memory corruption and the device firmware deciding it needs to format the flash (perhaps a reasonable assumption). We combat this at least on some of our dsl modem/routers by making the 'customer settings' the 'factory default' settings, which is stored in another bank of flash. But still it happens to other devices with frequent regularity.

FURTHERMORE, some customers (a majority it seems), seem to be under the impression that 'if it don't work, reset it!', which means to use the paperclip in the special recessed hole. Usually these people are suffering from the first problem above, lockup, but they engage this factory default restore procedure not knowing they have just compounded their problem and ensured that it won't work now that it's no longer set up appropriately. We also try to ensure that every cpe that leaves our office has a red dot sticker over the hole to discourage this behavior. Sometimes it helps, sometimes the customer swears up and down they didn't touch it but when it's presented we see the telltale hole thru the sticker (or remnants of removed sticker).

The security of broadband routers is absolutely abysmal and there have been many documented cases now of customer home dsl modems having all sorts of issues: secret remote root login exploits, default factory passwords, exposed internet facing management interfaces that in the web ui are 'turned off' but still reachable anyways, exploitable daemons such as dns, ntp and ssdp that are participants in DDoS attacks, and more. We have had direct experience with a particular malware that knew (when we didn't!) the default manufacturing passwords to our customer CPE and would change the dns settings of the device so that the resolver IP's handed out would be ones under the control of the bad guys, to support phishing attacks and other goals. Recovering from this was painful but a very good lesson - on my network, I now (per user), filter a list of inbound ports in order to secure by default these devices by denying Internet access to the CPEs themselves. I haven't had any complaints or requests for the filtering to be removed and I can clearly see it's a win. Still however, these kinds of games shouldn't be necessary.

Lastly, the forwarding performance of these devices is wildly inconsistent. Some devices slow down the more nat connections they are tracking (and keeping old closed connection info in their tables...blarf!), sometimes other bugs create situations in which pinging the upstream gateway thru the router takes thousands of ms (and that number immediately drops back to normal upon, you guessed it...a power cycle!), sometimes buffer bloat is a factor.

As I indicated earlier, there is dd-wrt (and other router firmware replacements) which are available and which will address some of these issues if you need to use consumer hardware. However, some other choices do include Mikrotik as well as aftermarket Cisco such as the 2600 series. But there needs to be a lot more development in this area. The google onhub looks to have a great hardware design as far as its radio array goes, but it lacks basic features found in low end linksys routers. I'm sure it will catch up but for today it's really at 'gee here's what we can do' stage and not really a full featured broadband router device in the current sense of the term.

I apologize for length.

Mike-
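A provider-side check for the DNS-changing CPE malware described in the message above, as an added example that is not part of the original thread: it reads a flow export and flags subscribers whose DNS traffic goes almost entirely to a resolver the provider does not run, then groups them by resolver. The addresses (documentation ranges), CSV columns, approved-resolver list and thresholds are all assumptions constructed for illustration.

```python
import csv
import io
import ipaddress
from collections import Counter, defaultdict

# Assumption: resolvers the provider operates and hands out to CPE.
APPROVED_RESOLVERS = {ipaddress.ip_address("192.0.2.53"),
                      ipaddress.ip_address("192.0.2.54")}
# Assumption: the address pool assigned to subscribers.
SUBSCRIBER_POOL = ipaddress.ip_network("198.51.100.0/24")

# Constructed flow export (not real traffic): one row per aggregated flow.
SAMPLE_FLOWS = """\
src,dst,dport,proto,packets
198.51.100.10,192.0.2.53,53,udp,120
198.51.100.11,203.0.113.66,53,udp,80
198.51.100.11,192.0.2.53,53,udp,2
198.51.100.12,203.0.113.66,53,udp,60
198.51.100.13,203.0.113.200,53,udp,40
198.51.100.14,203.0.113.66,53,udp,5
198.51.100.15,192.0.2.53,53,udp,50
198.51.100.15,203.0.113.66,53,tcp,30
198.51.100.12,203.0.113.80,443,tcp,900
10.0.0.1,203.0.113.66,53,udp,70
not-an-ip,203.0.113.66,53,udp,70
"""


def load_dns_flows(text):
    """Return (subscriber, resolver, packets) for port-53 flows leaving the pool."""
    flows = []
    for row in csv.DictReader(io.StringIO(text)):
        try:
            src = ipaddress.ip_address(row["src"])
            dst = ipaddress.ip_address(row["dst"])
            dport, packets = int(row["dport"]), int(row["packets"])
        except (ValueError, KeyError, TypeError):
            continue  # malformed export line: skip it rather than abort the run
        if dport == 53 and src in SUBSCRIBER_POOL and packets > 0:
            flows.append((src, dst, packets))
    return flows


def per_subscriber(flows):
    """Map each subscriber address to a Counter of resolver -> DNS packets."""
    usage = defaultdict(Counter)
    for src, dst, packets in flows:
        usage[src][dst] += packets
    return usage


def find_suspects(usage, min_share=0.9, min_packets=20):
    """Subscribers sending nearly all DNS to one resolver that is not approved.

    A whole household pointing at one outside resolver is what a rewritten
    CPE DNS setting looks like from the provider side; a single LAN host
    with its own resolver produces a mixed profile and is not flagged.
    """
    suspects = {}
    for sub, counts in usage.items():
        total = sum(counts.values())
        resolver, packets = counts.most_common(1)[0]
        if resolver in APPROVED_RESOLVERS or total < min_packets:
            continue
        share = packets / total
        if share >= min_share:
            suspects[str(sub)] = (str(resolver), round(share, 3))
    return suspects


def shared_resolvers(suspects, min_subscribers=2):
    """Unapproved resolvers used by several suspects at once.

    One customer may have chosen an outside resolver on purpose; several
    unrelated customers on the same unknown resolver is worth a call.
    """
    groups = defaultdict(list)
    for sub, (resolver, _share) in suspects.items():
        groups[resolver].append(sub)
    return {r: sorted(subs) for r, subs in groups.items()
            if len(subs) >= min_subscribers}


def audit(text=SAMPLE_FLOWS):
    """Run the whole check and return (suspects, shared-resolver groups)."""
    suspects = find_suspects(per_subscriber(load_dns_flows(text)))
    return suspects, shared_resolvers(suspects)


if __name__ == "__main__":
    found, shared = audit()
    for sub, (resolver, share) in sorted(found.items()):
        print(f"{sub} sends {share:.0%} of its DNS to {resolver}")
    for resolver, subs in shared.items():
        print(f"{resolver} is shared by {len(subs)} subscribers: {', '.join(subs)}")
```

A flagged subscriber is a lead for a support call, not proof of compromise: well-known public resolvers that customers choose deliberately would need adding to the approved set before running this on real data.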
On Sat, 26 Dec 2015, Mike wrote:
As a service provider with largely residential/small business customers, I certainly have some thoughts on broadband routers. Sorry if this is overly long.
Firstly, they are all junk.
Yes, that's correct. We get what we pay for.

If the ISP buys the CPE, their procurement department will get bonus for shaving off every cent off of the price possible, meaning the device manufacturer also pressures all their people to come up with a way to checkbox all the features requested.

For the low price CPEs bought in the electronics store, mostly by people with no technical expertise, we have a similar situation. Shiny box, list of some checkbox features, sell it for 8-12 months until there is a new SOC which is slightly more cost reduced, release a new hardware revision (completely incompatible with the old one but from a black box point of view does the same), start selling that rev instead.

Margins in this business are super tight and most of the vendors aren't making any money, just like the mobile phone business. Providing security updates is just a cost, there is no upside, because these boxes sit in a closet, unloved until they stop working, and they're thrown out and replaced by a new unloved box that goes into the closet until it stops working again.

So the ecosystem is completely broken, and I have no idea how to fix it. If someone like Consumer Reports or similar agency started testing and rating devices on these things like long-time support, automatic updates, software quality etc, and not just testing wifi speed as a factor of distance, we might get somewhere.

-- Mikael Abrahamsson email: swmike@swm.pp.se
On Sun, 27 Dec 2015 08:37:25 +0100, Mikael Abrahamsson said:
If someone like Consumer Reports or similar agency started testing and rating devices on these things like long-time support, automatic updates, software quality etc, and not just testing wifi speed as a factor of distance, we might get somewhere.
As finally we come full circle to the original question "who, if anybody, has a list of which things are crap and which aren't" :)
On Sun, 27 Dec 2015, Valdis.Kletnieks@vt.edu wrote:
As finally we come full circle to the original question "who, if anybody, has a list of which things are crap and which aren't" :)
Yep, and as far as I know, this list doesn't exist because people don't care enough so that someone would put the effort into creating such a list. -- Mikael Abrahamsson email: swmike@swm.pp.se
On 12/27/2015 02:19, Valdis.Kletnieks@vt.edu wrote:
On Sun, 27 Dec 2015 08:37:25 +0100, Mikael Abrahamsson said:
If someone like Consumer Reports or similar agency started testing and rating devices on these things like long-time support, automatic updates, software quality etc, and not just testing wifi speed as a factor of distance, we might get somewhere.
As finally we come full circle to the original question "who, if anybody, has a list of which things are crap and which aren't" :)
Indeed. Interesting how often that has happened here over the years. Sometimes it seems more like one of those "counseling" cartoons with everybody sitting in a circle learning new words for their problem description. -- sed quis custodiet ipsos custodes? (Juvenal)
On 12/26/2015 11:37 PM, Mikael Abrahamsson wrote:
If someone like Consumer Reports or similar agency started testing and rating devices on these things like long-time support, automatic updates, software quality etc, and not just testing wifi speed as a factor of distance, we might get somewhere.
Just how would a reviewer rate "long-time support" and "software quality"? As for "automatic updates", that's at the whim of the manufacturer down the road, so any evaluation of updates would be dated the second it's printed. Testing WiFi speed as a factor of distance is a repeatable test, so that the chance of a lawsuit over the result is slimmer. Consumer Reports, for example, sends out a survey to its readers to collect information on long-term ownership experience of cars. It's a large enough investment that people are willing to fill out the survey. Not so broadband routers.
On 12/26/2015 11:37 PM, Mikael Abrahamsson wrote:
Providing security updates is just a cost, there is no upside, because these boxes sit in a closet, unloved until they stop working, and they're thrown out and replaced by a new unloved box that goes into the closet until it stops working again.
IMO, this is the real problem, but there's a real opportunity. Routers are for most people the only things which:

1) are always on
2) have internet connectivity

Which is pretty cool if you need something that is, oh say, a central controller for your home. Put a headless Android in it, allow 3rd party apps, water the lawn with it. Love ensues.

This is, I imagine, why Google bought Nest: they want to be that home central controller. The home router is more ubiquitous though, IMHO.

Mike
---- From: Michael Thomas <mike@mtcc.com> -- Sent: 2015-12-27 - 08:49 ----
On 12/26/2015 11:37 PM, Mikael Abrahamsson wrote:
Providing security updates is just a cost, there is no upside, because these boxes sit in a closet, unloved until they stop working, and they're thrown out and replaced by a new unloved box that goes into the closet until it stops working again.
IMO, this is the real problem, but there's a real opportunity. Routers are for most people the only things which:
1) are always on 2) have internet connectivity
Which is pretty cool if you need something that is, oh say, a central controller for your home. Put a headless Android in it, allow 3rd party apps, water the lawn with it. Love ensues.
This is, I imagine, why Google bought Nest: they want to be that home central controller. The home router is more ubiquitous though, IMHO.
Hence: https://on.google.com/hub/
Mike
-- Hugo hugo@slabnet.com: email, xmpp/jabber also on Signal
Nice, but i want my router to have an android environment itself, not just to be controlled by my phone (which i want as well, of course). The proximity sensor for app developers would be fun to play with, for example. Mike
On Sun 2015-Dec-27 09:58:50 -0800, Michael Thomas <mike@mtcc.com> wrote:
Nice, but i want my router to have an android environment itself, not just to be controlled by my phone (which i want as well, of course).
Sure. My message was strictly in response to:
This is, I imagine, why Google bought Nest: they want to be that home central controller. The home router is more ubiquitous though, IMHO.
...and not specifically about:
Which is pretty cool if you need something that is, oh say, a central controller for your home. Put a headless Android in it, allow 3rd party apps, water the lawn with it. Love ensues.
-- Hugo hugo@slabnet.com: email, xmpp/jabber PGP fingerprint (B178313E): CF18 15FA 9FE4 0CD1 2319 1D77 9AB1 0FFD B178 313E (also on textsecure & redphone)
On Dec 27, 2015, at 09:43, Hugo Slabbert <hugo@slabnet.com> wrote:
Hence: https://on.google.com/hub/
The device looks cool, and sounds cool, but what data does google end up with, and what remote management can they do? Their policy pages aren’t exactly clear, and they’ve mishandled personal data a number of times previously.
And now that the new bill has passed, they (along with many others) will be "mishandling" your data often and legally with 3 letter agencies and other corporations. :(
On Sun 2015-Dec-27 20:58:18 -0600, Josh Reynolds <josh@kyneticwifi.com> wrote:
And now that the new bill has passed, they (along with many others) will be "mishandling" your data often and legally with 3 letter agencies and other corporations. :(
Probably wise to keep the tinfoil hat within arm's reach, I think. My ref was strictly "yep, they appear to be making a play at the home controller market via a broadband router trojan horse" and not in any way an endorsement or comment on the merits of the device. -- Hugo hugo@slabnet.com: email, xmpp/jabber PGP fingerprint (B178313E): CF18 15FA 9FE4 0CD1 2319 1D77 9AB1 0FFD B178 313E (also on textsecure & redphone)
Based over what has been leaked, announced, or passed as pork barrel since 9/11, its probably time a tin foil hat factory was created to speed up the issuance of said hats.
On Sun, 27 Dec 2015 22:12:25 -0600, Josh Reynolds said:
Based over what has been leaked, announced, or passed as pork barrel since 9/11, its probably time a tin foil hat factory was created to speed up the issuance of said hats.
https://www.kickstarter.com/projects/shieldapparel/shield-the-world-s-first-...
Based over what has been leaked, announced, or passed as pork barrel since 9/11, its probably time a tin foil hat factory was created to speed up the issuance of said hats.
https://www.kickstarter.com/projects/shieldapparel/shield-the-world-s-first-...
No need to wait, order now: https://www.etsy.com/listing/55473505/knit-tinfoil-hat-made-to-order R's, John
On Sunday, 27 December, 2015 19:46, James Downs <egon@egon.cc> said:
On Dec 27, 2015, at 09:43, Hugo Slabbert <hugo@slabnet.com> wrote:
Hence: https://on.google.com/hub/
The device looks cool, and sounds cool, but what data does google end up with, and what remote management can they do? Their policy pages aren’t exactly clear, and they’ve mishandled personal data a number of times previously.
They end up with ALL the data they can capture; they have COMPLETE management control; and, can execute whatever code they want, without your prior approval or choice, on the device at any time they please, including permanent changes in the software and configuration.
On Dec 27, 2015, at 20:00, Keith Medcalf <kmedcalf@dessus.com> wrote:
They end up with ALL the data they can capture; they have COMPLETE management control; and, can execute whatever code they want, without your prior approval or choice, on the device at any time they please, including permanent changes in the software and configuration.
That’s what I assume as well. This makes it, and the nest, and any related devices unwelcome.
On 12/26/2015 23:49, Mike wrote:
On 12/23/2015 06:49 PM, Lorell Hathcock wrote:
All:
Not all consumer grade customer premises equipment is created equally. But end customers sure think it is. I have retirement aged customers buying the crappiest routers and then blaming my cable network for all their connection woes. The real problem is that there were plenty of problems on the cable network to deal with, so it was impossible to tell between a problem that a customer was having with their CPE versus a real problem in my network.
OK, I have resisted, but now I must ask..... I am coming up on 77 YOA, been un-employed for a long time, have a tiny toy network that supports a couple of lap-tops, a couple of desk-tops, a couple of net-work-connected printers, and a melange of visitor-transported "personal devices" NOS--the latter group, the two lap-tops, one of the printers, and one of the desk-tops supported by 3 wiffy radios (one radio is a port of the "routher"). My network sees the world via a cable-company provided MODEM (which also supports the telephone service in the house) and a WRT54GL "router", which I guess is what y'all are talking about (although it looks to me more like a 6-port bridge that can do NAT). I've had one "router" fail and replaced it. I have myriad network failures that go away if I wait long enough (I have called in a few times, mostly to confirm that the cable has gone dark and they know it, a couple to have them tell me to reboot everything I rebooted before I called them. In some of those incidents the "trouble came clear while testing", the rest "came clear while waiting for the repair man to get here". Just what is it that I should be doing better? And where is this better equipment available? [tl;dr;wrn] -- sed quis custodiet ipsos custodes? (Juvenal)
On 12/26/2015 23:49, Mike wrote: [snip]
Firstly, they are all junk. Every last one of them. Period. Broadband routers are designed to be cheap and to appeal to people who don't know any better, and who respond well (eg: make purchasing decisions) based on the shape of the plastic, the color scheme employed, and number of mysterious blinking lights that convey 'something important is happening'. Further, the price point is $45 - $70 thereabouts, putting some definite constraints on the actual quality of the engineering and components that go into them. I feel that we, the service provider, endure a significantly high and undue burden of cost associated with providing ongoing support to customers as a result of the defects contained therein.
Why don't you offer an acceptable (to you) device at a price acceptable to me as a part of the service. I'd buy it. -- sed quis custodiet ipsos custodes? (Juvenal)
On 12/27/15, 4:57 PM, Larry Sheldon wrote:
On 12/26/2015 23:49, Mike wrote:
[snip]
Firstly, they are all junk. Every last one of them. Period. Broadband routers are designed to be cheap and to appeal to people who don't know any better, and who respond well (eg: make purchasing decisions) based on the shape of the plastic, the color scheme employed, and number of mysterious blinking lights that convey 'something important is happening'. Further, the price point is $45 - $70 thereabouts, putting some definite constraints on the actual quality of the engineering and components that go into them. I feel that we, the service provider, endure a significantly high and undue burden of cost associated with providing ongoing support to customers as a result of the defects contained therein.
Why don't you offer an acceptable (to you) device at a price acceptable to me as a part of the service. I'd buy it.
NO SUCH DEVICE EXISTS, because you can't afford it. If I were to take you seriously however - and we're talking about eliminating all excuses and simply getting down to it and making a marginally qualified showing at expecting uninterrupted service - the entire environment is what has to be solved. The device would be cisco or juniper branded, internal redundancy / failover features to allow hitless upgrades or module failures, have dual (preferably, triple) power supplies, would be required to be housed in a locked enclosure with air conditioning and online double conversion battery with the addition of an external backup generator with its own separate backup fuel supply, which is further tested weekly and maintained with inspections and oil changes. The router would be under service contract with the manufacturer, would be monitored by my noc, and would receive appropriate software upgrades as required, and you would pay for this monthly in addition to your internet service. Furthermore, you also would be required to have at least two distinct connections to me and make a deposit to provide credit in the event you falsely claim 'trouble' where no trouble exists. A separate 'test pc', also in its own enclosure and normally off-limits to you, and connected to said router and backup power and such, would be agreed upon as the test fixture that we would monitor TO. It would display current network statistics including packet loss and latencies to various on and off-net locations, with current time and date logging on screen. You would agree that you are to blame each and every time you 'can't get on', while the test pc clearly shows on its local screen to you otherwise. You would be required to forfeit a portion of your deposit each time you called for technical support and were determined to be at fault and to blame for your own issue.
On Sun, 27 Dec 2015 17:56:02 -0800, Mike said:
NO SUCH DEVICE EXISTS, because you can't afford it. If I were to take you seriously however - and we're talking about eliminating all excuses and simply getting down to it and making a marginally qualified showing at expecting uninterrupted service - the entire environment is what has to be solved.
OK. Now repeat the process, but specify something that isn't enterprise quality, but *does* let you do basic diagnostics from the help desk or NOC. Does it answer ping? What's the signal quality? Does it need a push of updated firmware? What traffic load is it seeing? That should get you 95% of the way there, at only 0.5% of the cost.
On Dec 27, 2015, at 17:56, Mike <mike-nanog@tiedyenetworks.com> wrote:
The device would be cisco or juniper branded, internal redundancy / failover features to allow hitless upgrades or module failures, have dual (preferably,
After the last week or so, I wouldn’t trust a service provider who insisted on installing juniper at my site.
After the last week or so, I wouldn’t trust a service provider who insisted on installing juniper at my site.
Gotta be careful with that attitude. You can't have Cisco either if you really mean that. (or most any other enterprise provider really).
http://arstechnica.com/security/2015/09/malicious-cisco-router-backdoor-foun...
http://www.infoworld.com/article/2608141/internet-privacy/snowden--the-nsa-p...
Casey Russell Network Engineer Kansas Research and Education Network 2029 Becker Drive, Suite 282 Lawrence, KS 66047 (785)856-9820 ext 9809 crussell@kanren.net
On 12/27/2015 19:56, Mike wrote:
On 12/27/15, 4:57 PM, Larry Sheldon wrote:
On 12/26/2015 23:49, Mike wrote:
[snip]
Firstly, they are all junk. Every last one of them. Period. Broadband routers are designed to be cheap and to appeal to people who don't know any better, and who respond well (eg: make purchasing decisions) based on the shape of the plastic, the color scheme employed, and number of mysterious blinking lights that convey 'something important is happening'. Further, the price point is $45 - $70 thereabouts, putting some definite constraints on the actual quality of the engineering and components that go into them. I feel that we, the service provider, endure a significantly high and undue burden of cost associated with providing ongoing support to customers as a result of the defects contained therein.
Why don't you offer an acceptable (to you) device at a price acceptable to me as a part of the service. I'd buy it.
NO SUCH DEVICE EXISTS, because you can't afford it. If I were to take you seriously however - and we're talking about eliminating all excuses and simply getting down to it and making a marginally qualified showing at expecting uninterrupted service - the entire environment is what has to be solved. The device would be cisco or juniper branded, internal redundancy / failover features to allow hitless upgrades or module failures, have dual (preferably, triple) power supplies, would be required to be housed in a locked enclosure with air conditioning and online double conversion battery with the addition of an external backup generator with its own separate backup fuel supply, which is further tested weekly and maintained with inspections and oil changes. The router would be under service contract with the manufacturer, would be monitored by my noc, and would receive appropriate software upgrades as required, and you would pay for this monthly in addition to your internet service. Furthermore, you also would be required to have at least two distinct connections to me and make a deposit to provide credit in the event you falsely claim 'trouble' where no trouble exists. A separate 'test pc', also in its own enclosure and normally off-limits to you, and connected to said router and backup power and such, would be agreed upon as the test fixture that we would monitor TO. It would display current network statistics including packet loss and latencies to various on and off-net locations, with current time and date logging on screen. You would agree that you are to blame each and every time you 'can't get on', while the test pc clearly shows on its local screen to you otherwise. You would be required to forfeit a portion of your deposit each time you called for technical support and were determined to be at fault and to blame for your own issue.
I'll accept the challenge and try to be briefer. If it can't be did at a price I'll accept, then let us stop crying about how bad it is. You don't like it, turn it off. (For the record, I do not require all of that stuff--if I am "grid off" then having a standby power system would be nice to power our CPAPs, but commo is going to be down and it might as well be dark and quiet.) And for the matter of "false" failure reports--there IS a work around for you: From Day ONE, Hour Zero, Minute Zero, Second Zero, supply stuff that WORKS the way your sales people said it would. If you start out peddling crap that does not work, you will establish yourself as a peddler of crap and the first place to call. I used to work for a company that did a pretty good job of doing that so when somebody did call they often sounded apologetic and tended to need to be convinced that, no this one is ours, but we are on it and we hope to be back at HH:MM. For people that purchased large quantities of what we sold we provided alarm displays or ring downs to tell THEM we broke something. -- sed quis custodiet ipsos custodes? (Juvenal)
On Sunday, 27 December, 2015 17:58, Larry Sheldon <larrysheldon@cox.net> said:
On 12/26/2015 23:49, Mike wrote:
[snip]
Firstly, they are all junk. Every last one of them. Period. Broadband routers are designed to be cheap and to appeal to people who don't know any better, and who respond well (eg: make purchasing decisions) based on the shape of the plastic, the color scheme employed, and number of mysterious blinking lights that convey 'something important is happening'. Further, the price point is $45 - $70 thereabouts, putting some definite constraints on the actual quality of the engineering and components that go into them. I feel that we, the service provider, endure a significantly high and undue burden of cost associated with providing ongoing support to customers as a result of the defects contained therein.
Why don't you offer an acceptable (to you) device at a price acceptable to me as a part of the service. I'd buy it.
Cable Companies / Telcos cannot do that. If you bought the device you would want control of it. (PWC do not permit foreign controlled devices on their networks) This is antithetical to their (CableCo/TelCo) business model. This is why most PWC (People With Clue) have the CableCo/TelCo configure their crap as a pure bridge with all other features disabled and use their own equipment. The local lan port on the bridge is the Demarc. If there is "no transport" at the demarc port, the problem lies with the CableCo/TelCo. If there is, the problem is your own equipment. Telling where the problem lies is trivial.
participants (44)
- Andrew Kirch
- Baldur Norddahl
- bzs@theworld.com
- Ca By
- Casey Russell
- Clayton Zekelman
- Colin Johnston
- Dan Hollis
- Daniel C. Eckert
- Daniel Corbe
- Doug Barton
- Frank Bulk
- Hugo Slabbert
- James Downs
- Jared Mauch
- Jason Baugher
- Joel Jaeggli
- John Levine
- Joly MacFie
- Josh Luthman
- Josh Reynolds
- Justin Wilson
- Keith Medcalf
- Larry Sheldon
- Lee
- Lorell Hathcock
- Mark Tinka
- Max Tulyev
- Michael O'Connor
- Michael Thomas
- Mikael Abrahamsson
- Mike
- Mike Hammett
- Nick Hilliard
- Owen DeLong
- Patrick W. Gilmore
- Randy Bush
- Rich Kulawiec
- Richard Hesse
- Rob Seastrom
- Stephen Satchell
- Suresh Ramasubramanian
- TR Shaw
- Valdis.Kletnieks@vt.edu