Was just reading http://blogs.cisco.com/security/talos/sshpsychos then checking my routing tables. Looks like the two /23's they mention are now being advertised as /24's, and I'm also not sure why Cisco published the ssh attack dictionary. It seems to me that this is something that if they want to do, they should be working with the entire service provider community, not just one provider.

Thanks

Sameer Khosla
Managing Director
Neutral Data Centers Corp.
Twitter: @skhoslaTO
On Thu, Apr 9, 2015 at 11:31 AM, Sameer Khosla <skhosla@neutraldata.com> wrote:
Was just reading http://blogs.cisco.com/security/talos/sshpsychos then checking my routing tables.
Looks like the two /23's they mention are now being advertised as /24's, and I'm also not sure why cisco published the ssh attack dictionary.
It seems to me that this is something that if they want to do, they should be working with entire service provider community, not just one provider.
are you sure they aren't engaged with a wider SP community? (the dictionary seems relevant for: "Oh crap, my root account DOES have password123 as the password :(")
Can anyone else get to http://blogs.cisco.com ? I can't seem to reach it and was wondering if there was a counterattack of some type. Traceroute takes me to Rackspace in Dallas but the web site is not up.

Steven Naslund
Chicago IL

-----Original Message-----
From: NANOG [mailto:nanog-bounces@nanog.org] On Behalf Of Christopher Morrow
Sent: Thursday, April 09, 2015 10:48 AM
To: Sameer Khosla
Cc: nanog@nanog.org
Subject: Re: Cisco/Level3 takedown
Websites up for me.

Josh Luthman
Office: 937-552-2340
Direct: 937-552-2343
1100 Wayne St Suite 1337
Troy, OH 45373

On Apr 9, 2015 7:55 PM, "Naslund, Steve" <SNaslund@medline.com> wrote:
Can anyone else get to http://blogs.cisco.com ? I can't seem to reach it and was wondering if there was a counterattack of some type. Traceroute takes me to Rackspace in Dallas but the web site is not up.
Steven Naslund Chicago IL
Sorry, I'm getting it now too. False alarm.

Steve

From: Josh Luthman [mailto:josh@imaginenetworksllc.com]
Sent: Thursday, April 09, 2015 6:56 PM
To: Naslund, Steve
Cc: NANOG list
Subject: RE: Cisco/Level3 takedown

Websites up for me.
Reading the article, I assumed that perhaps Level 3 was an upstream carrier, but RIPE stats shows that the covering prefix (103.41.120.0/22) is announced by AS63509, an Indonesian organization. It looks like they're fighting back by announcing their own /24 now.

I love the AS's address:
descr: Jl. Marcedes Bens No.258
descr: Gunung Putri, Bogor
descr: Jawa Barat 16964
country: ID

While a Level 3 /24 announcement will certainly have a world wide impact, I agree that it seems misguided when the originating AS can announce their own /24. It does make one wonder why Cisco or Level 3 is involved, why they feel they have the authority to hijack someone else's IP space, and why they didn't go through law enforcement. This is especially true for the second netblock (43.255.190.0/23), announced by a US company (AS26484).

--Blake

Sameer Khosla wrote on 4/9/2015 10:31 AM:
Was just reading http://blogs.cisco.com/security/talos/sshpsychos then checking my routing tables.
Looks like the two /23's they mention are now being advertised as /24's, and I'm also not sure why cisco published the ssh attack dictionary.
It seems to me that this is something that if they want to do, they should be working with entire service provider community, not just one provider.
Thanks
Sameer Khosla Managing Director Neutral Data Centers Corp. Twitter: @skhoslaTO
I was wondering why a non-allocated AS was being allowed to announce the blocks but it appears that APNIC has revoked the 63854 ASN?
http://wq.apnic.net/apnic-bin/whois.pl?searchtext=AS63854&object_type=aut-num
Based on google's cache, it was still there late March.

BGP routing table entry for 103.41.125.0/24, version 108425142
Paths: (1 available, best #1, table default)
Not advertised to any peer
6939 4134 36678 26484 63854

Blake Hudson wrote:
Reading the article, I assumed that perhaps Level 3 was an upstream carrier, but RIPE stats shows that the covering prefix (103.41.120.0/22) is announced by AS63509, an Indonesian organization. It looks like they're fighting back by announcing their own /24 now.
I love the AS's address: descr:Jl. Marcedes Bens No.258 descr:Gunung Putri, Bogor descr:Jawa Barat 16964 country:ID
While a Level 3 /24 announcement will certainly have a world wide impact, I agree that it seems misguided when the originating AS can announce their own /24. It does make one wonder why Cisco or Level 3 is involved, why they feel they have the authority to hijack someone else's IP space, and why they didn't go through law enforcement. This is especially true for the second netblock (43.255.190.0/23), announced by a US company (AS26484).
--Blake
never saw hex in host dns records before.
host-242.strgz.87.118.199.240.0xfffffff0.macomnet.net

range is blocked nonetheless since bad traffic from Russia network ranges.

Colin
How is it weird? All these chars are allowed in DNS records.

On 14/04/15 15:36, Colin Johnston wrote:
never saw hex in host dns records before. host-242.strgz.87.118.199.240.0xfffffff0.macomnet.net
range is blocked non the less since bad traffic from Russia network ranges.
Colin
Because it looks strange, especially if the traffic is 100% bad. Best practice says avoid such info in records as it does not aid debug since mix of dec and hex.

Colin
On 14 Apr 2015, at 14:09, Nikolay Shopik <shopik@inblock.ru> wrote:
How its weird? All these chars allowed in DNS records.
On Tue, Apr 14, 2015 at 02:26:48PM +0100, Colin Johnston <colinj@gt86car.org.uk> wrote a message of 19 lines which said:
Best practice says avoid such info in records as does not aid debug since mix of dec and hex
No. Pure imagination on your side. There is no such "best practice". And it's not hex or dec, it is letters and digits.
Comic Book Guy would probably declare:
"Worst Naming Convention Ever"

Chuck

-----Original Message-----
From: NANOG [mailto:nanog-bounces@nanog.org] On Behalf Of Colin Johnston
Sent: Tuesday, April 14, 2015 9:27 AM
To: Nikolay Shopik
Cc: <nanog@nanog.org>
Subject: Re: macomnet weird dns record

Because it looks strange, especially if the traffic is 100% bad. Best practice says avoid such info in records as it does not aid debug since mix of dec and hex.

Colin
Are Roman numerals allowed in DNS? Because I know some people also do them.

dig -x 217.199.208.190

On 14/04/15 16:45, Chuck Church wrote:
Comic Book Guy would probably declare:
"Worst Naming Convention Ever"
Chuck
Hello!

What about IDN encoded PTR records? I'm sure it's a nice idea and I will implement them in my network shortly.

On Tue, Apr 14, 2015 at 4:54 PM, Nikolay Shopik <shopik@inblock.ru> wrote:
Are Roman numerals allowed in DNS? Because I know some people also do them.
dig -x 217.199.208.190
-- Sincerely yours, Pavel Odintsov
This is probably worse than hexadecimal PTR records :). No traceroute actually converts punycode, so why bother? As usually the intended audience already knows how to read English letters.

On 14/04/15 17:00, Pavel Odintsov wrote:
What about IDN encoded PTR records? I sure it's nice idea and I will implement they in my network shortly.
Hi Nikolay,

I have obviously hit a cultural nerve here, if so I am sorry. At least there is communication on some level, Chinese colleagues would not even bother to respond to aid debug.

Be that as it may, why not use either normal decimal numbers or normal characters to show what a normal person would understand instead of having to convert the shown output?

Colin
On 14 Apr 2015, at 14:54, Nikolay Shopik <shopik@inblock.ru> wrote:
Are Roman numerals allowed in DNS? Because I know some people also do them.
dig -x 217.199.208.190
* colinj@gt86car.org.uk (Colin Johnston) [Tue 14 Apr 2015, 16:05 CEST]:
Be that as it may, why not use either normal decimal numbers or normal characters to show what a normal person would understand instead of having to convert the shown output ?
I actually thought it was quite clever and the implied meaning was pretty clear to me (with the caveat that I'm probably not the intended audience, which would be their own NOC during troubleshooting). -- Niels.
Hello, Colin!

We use hexadecimal numbers in PTRs for VPS/servers because PTRs like "host-87.118.199.240.domain.ru" are so often banned by weird antispam systems by the mask \d+\.\d+\.\d+\d+ as home ISP subnets which produce a bunch of spam.

On Tue, Apr 14, 2015 at 5:00 PM, Colin Johnston <colinj@gt86car.org.uk> wrote:
Hi Nikolay, I have obvious hit a cultural nerve here, if so I am sorry. At least there is communication on some level, Chinese colleagues would not even bother to respond to aid debug.
Be that as it may, why not use either normal decimal numbers or normal characters to show what a normal person would understand instead of having to convert the shown output ?
Colin
-- Sincerely yours, Pavel Odintsov
so fix the spam hosts, don't mask the problem and make it more complicated for folks trying their best to solve

Colin
On 14 Apr 2015, at 15:09, Pavel Odintsov <pavel.odintsov@gmail.com> wrote:
Hello, Colin!
We use hexademical numbers in PTR for VPS/Servers because PTR's like "host-87.118.199.240.domain.ru" so often banned by weird antispam systems by mask \d+\.\d+\.\d+\d+ as home ISP subnets which produce bunch of spam.
But I'm not a spam source. I'm banned for a netmask which is similar to an ISP subnet.

On Tue, Apr 14, 2015 at 5:34 PM, Colin Johnston <colinj@gt86car.org.uk> wrote:
so fix the spam hosts, don’t mask the problem and make more complicated for folks trying their best to solve
Colin
-- Sincerely yours, Pavel Odintsov
On Tue, Apr 14, 2015 at 10:09 AM, Pavel Odintsov <pavel.odintsov@gmail.com> wrote:
We use hexademical numbers in PTR for VPS/Servers because PTR's like "host-87.118.199.240.domain.ru" so often banned by weird antispam systems by mask \d+\.\d+\.\d+\d+ as home ISP subnets which produce bunch of spam.
Hi Pavel,

Actually, the anti-spammers figure that only local (authenticated) computers and other mail servers should talk to their mail servers. The IP form of RDNS is recognized as a declaration by the service owner that the computer at that address is not intended to host Internet services including email. The hex form is viewed the same and yes, there are antispam products that look for that and a few other naming structures that imply dynamic IPs are in use.

If you want to run an email server, assign it a name.

Regards,
Bill Herrin

--
William Herrin ................ herrin@dirtside.com bill@herrin.us
Owner, Dirtside Systems ......... Web: <http://www.dirtside.com/>
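A worked check following Bill's and Pavel's descriptions, added here and not code from anyone on the thread: it decodes the macomnet record quoted above (taking host-242 as the host's last octet, an assumption) and compares the broad four-number mask Pavel quotes with a stricter address-derived test of the kind Bill describes, so a mail operator can see which names each one flags. The non-macomnet sample names and addresses are constructed.

```python
import ipaddress
import re

# Constructed sample (connecting IP, PTR name) pairs. The macomnet name is the
# one quoted in the thread; the other names and addresses are made up here.
SAMPLES = [
    ("87.118.199.242", "host-242.strgz.87.118.199.240.0xfffffff0.macomnet.net"),
    ("87.118.199.240", "host-87.118.199.240.domain.ru"),
    ("192.0.2.77", "77-2-0-192.dyn.example.org"),
    ("192.0.2.10", "mail.example.net"),
    ("192.0.2.11", "smtp.rel.2.0.1.5.example.net"),
]

# The antispam mask Pavel quotes, with the dot his post omits between the last
# two octets restored: it fires on ANY four dotted numbers anywhere in the name.
NAIVE_RE = re.compile(r"\d+\.\d+\.\d+\.\d+")

# host-<octet>.<tag>.<subnet base>.0x<hex netmask>.<zone>
MACOMNET_RE = re.compile(
    r"^host-(\d{1,3})\.[a-z0-9]+\.(\d{1,3}(?:\.\d{1,3}){3})\.0x([0-9a-f]{8})\."
)


def parse_macomnet_style(ptr):
    """Decode the macomnet naming scheme into (network, host address).

    Assumption (not stated in the thread): host-242 is the last octet of the
    host within the encoded subnet. Returns None if the name does not fit or
    the hex value is not a contiguous netmask.
    """
    m = MACOMNET_RE.match(ptr.lower())
    if not m:
        return None
    last_octet, base, mask_hex = int(m.group(1)), m.group(2), m.group(3)
    mask_int = int(mask_hex, 16)
    host_bits = mask_int ^ 0xFFFFFFFF
    if host_bits & (host_bits + 1) or last_octet > 255:   # mask must be a run of 1s
        return None
    netmask = str(ipaddress.IPv4Address(mask_int))       # 0xfffffff0 -> 255.255.255.240
    try:
        net = ipaddress.IPv4Network(f"{base}/{netmask}")  # strict: base must be aligned
    except ValueError:
        return None
    host = ipaddress.IPv4Address((int(net.network_address) & 0xFFFFFF00) | last_octet)
    return (net, host) if host in net else None


def naive_generic(ptr):
    """What Pavel's mask does: flag any PTR containing four dotted numbers."""
    return NAIVE_RE.search(ptr) is not None


def address_derived(ip, ptr):
    """Stricter test in the spirit of Bill's description: flag the PTR only when it
    spells out the address it belongs to (dotted, dashed, reversed or hex) or a
    subnet containing it. Names that merely contain numbers are left alone."""
    addr = ipaddress.IPv4Address(ip)
    name = ptr.lower().rstrip(".")
    octets = [str(o) for o in addr.packed]
    for sep in (".", "-"):
        if sep.join(octets) in name or sep.join(reversed(octets)) in name:
            return True
    if f"{int(addr):08x}" in name.replace("0x", ""):      # hex-encoded address
        return True
    parsed = parse_macomnet_style(name)
    return parsed is not None and addr in parsed[0]


def classify(ip, ptr):
    """Return (naive_flag, strict_flag) for a connecting IP and its PTR."""
    return naive_generic(ptr), address_derived(ip, ptr)


if __name__ == "__main__":
    for ip, ptr in SAMPLES:
        naive, strict = classify(ip, ptr)
        parsed = parse_macomnet_style(ptr)
        extra = f"  (encodes {parsed[0]}, host {parsed[1]})" if parsed else ""
        print(f"{ip:16} {ptr:55} naive={naive!s:5} strict={strict!s:5}{extra}")
```

The last sample shows the difference: a name that merely contains four dotted numbers trips the naive mask but not the address-derived test, while the macomnet record is flagged by the strict test only because the decoded /28 actually contains the connecting address.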
Hi Colin,

Well some people get creative when creating PTR records. Maybe they really want to encode something like a netmask, as Stephane said, to provide some additional info for their own helpdesk?

Chinese don't bother for multiple reasons; the same probably applies to the Russian part of the net, cheap Internet access. So when you ask them to fix bad traffic coming from a home user they don't bother to do anything with it as it costs money for them.

On 14/04/15 17:00, Colin Johnston wrote:
Hi Nikolay, I have obvious hit a cultural nerve here, if so I am sorry. At least there is communication on some level, Chinese colleagues would not even bother to respond to aid debug.
Be that as it may, why not use either normal decimal numbers or normal characters to show what a normal person would understand instead of having to convert the shown output ?
Colin
costs more money in the long term not fixing the bad traffic as have to spend more for transit

doing the bother and fixing the problem is best practice

Colin
Chinese don't bother for multiply reasons, same probably apply to Russian part net, cheap Internet access. So when you asking them to fix bad traffic coming from home user they don't bother do anything with it as it cost money for them.
Transit traffic isn't an issue, as the upload/download ratio is usually 1:2 or more.

As I said before, when you are already on the edge of your profits, you don't bother fixing these clients. It's not about best practice, which I agree with, but the business you are running, which is supposed to be profitable. And fixing these bad machines doesn't give you any profits.

On 14/04/15 17:37, Colin Johnston wrote:
costs more money in long term not fixing the bad traffic as have to spend more for transit
doing the bother and fixing the problem is best practice
Colin
There becomes a point though that doing nothing allows larger problems which could have been nipped in the bud if sorted when the issue was of a smaller magnitude. Profit when there is known bad traffic as a percentage and you knowingly ignore it is bad profit and does not help the greater good.

Most folks would welcome help if they knew the network would be more reliable and faster without the bad traffic always being present.

Colin
On 14 Apr 2015, at 15:47, Nikolay Shopik <shopik@inblock.ru> wrote:
Transit traffic isn't issue, as upload/download ratio usually 1:2 or more.
As I said before when you already on edge of your profits, you don't bother fixing these clients. Its not about best practice which I agree, but business you are running, which is suppose to be profitable. And fixing these bad machines doesn't give you any profits.
Sounds like a textbook economics case of a network externality. The benefit to the provider is far less than the benefit to the entire affected community. Private benefit is less than social (sum of private benefits across all affected parties) benefit.

Roderick Beck
Sales Director/Europe and the Americas
Hibernia Networks
http://www.hibernianetworks.com
Budapest and New York
36-30-859-5144
rod.beck@hibernianetworks.com
User complains that his network is slow and reliable. Check if his link is saturated and tell him to buy an additional 10 Mbps; here is your profit.

If you really want to fight bots, you need to track down and fight the C&C in the first place. Otherwise you are fighting windmills.
http://arstechnica.com/tech-policy/2011/05/a-way-to-take-out-spammers-3-bank...

On 14/04/15 17:58, Colin Johnston wrote:
most folks would welcome help if they know network would be more reliable and faster without the bad traffic always being present.
Colin,

I understand that you would like everyone on the Internet to behave in a way that you consider normal and tailor their reverse DNS so as not to offend your aesthetic sense. It is frustrating when other people do things differently, my deepest sympathies.

Also if you have ever used a BSD system you will know that writing netmasks in hex is perfectly normal.

-w

--
William Waites <wwaites@tardis.ed.ac.uk> | School of Informatics
http://tardis.ed.ac.uk/~wwaites/ | University of Edinburgh
http://www.hubs.net.uk/ | HUBS AS60241
Then best practice is that naming should be helpful for the owners of the network in the first place and only afterwards for everyone else.

On 14/04/15 16:26, Colin Johnston wrote:
Because looks strange especially if the traffic is 100% bad Best practice says avoid such info in records as does not aid debug since mix of dec and hex
Colin
Get real, why make it hard for others to debug abuse issues, another reason why blocks are in place as no technical cooperation.

Colin
On 14 Apr 2015, at 14:48, Nikolay Shopik <shopik@inblock.ru> wrote:
Then best practice, that naming should be helpful for owners of network in first place and only afterwards everyone else.
On Tue, 14 Apr 2015 14:26:48 +0100, Colin Johnston said:
Best practice says avoid such info in records as does not aid debug since mix of dec and hex
Odd. All the hex and decimal have proper indicators (initial 1-9 or 0x), and should be easily understood by anybody who actually knows their number systems. Be glad they didn't throw in octal without a leading 0. :) Would host-242.strgz.87.118.199.240.slash28.macomnet.net have confused you less?
perfectly legal… the octal records confuse me more than the hex.

/bill
PO Box 12317
Marina del Rey, CA 90295
310.322.8102

On 14April2015Tuesday, at 5:36, Colin Johnston <colinj@gt86car.org.uk> wrote:
never saw hex in host dns records before. host-242.strgz.87.118.199.240.0xfffffff0.macomnet.net
range is blocked non the less since bad traffic from Russia network ranges.
Colin
It does make one wonder why Cisco or Level 3 is involved, why they feel they have the authority to hijack someone else's IP space, and why they didn't go through law enforcement. This is especially true for the second netblock (43.255.190.0/23), announced by a US company (AS26484).
vigilantes always wear white hats. randy
Wrong. Batman, for example, wears a black hat.

-mel via cell

On Apr 9, 2015, at 11:17 AM, "Randy Bush" <randy@psg.com> wrote:
It does make one wonder why Cisco or Level 3 is involved, why they feel they have the authority to hijack someone else's IP space, and why they didn't go through law enforcement. This is especially true for the second netblock (43.255.190.0/23), announced by a US company (AS26484).
vigilantes always wear white hats.
randy
Just to add to the noise.... I think batman wears a black mask/helmet, but I've never considered it a mask. I didn't look at the details on this, but did L3 sink the routes at their border or did they expressly announce the route to sink it?

-jim

On Thu, Apr 9, 2015 at 3:35 PM, Randy Bush <randy@psg.com> wrote:
Wrong. Batman, for example, wears a black hat.
vigilantes always wear white hats.
i stand corrected
folk are getting kinda bent out of shape about this, and about L3 doing 'something' but look at: <https://stat.ripe.net/widget/bgplay#w.resource=23.234.60.140> what's 4134 doing there? This one as well: <https://stat.ripe.net/widget/bgplay#w.resource=103.41.124.0&w.ignoreReannouncements=true&w.starttime=1427910000&w.endtime=1428601200&w.instant=null&w.type=bgp&w.rrcs=0,1,6,7,11,14,3,4,5,10,12,13,15> wowsa! howdy 4134, having fun there? On Thu, Apr 9, 2015 at 2:39 PM, jim deleskie <deleskie@gmail.com> wrote:
Just to add to the noise.... I think batman wears a black mask/helmet, but I've never considered it a mask. I didn't look at the details on this, but did L3 sink the routes at their border or did they expressly announce the route to sink it?
-jim
On Thu, Apr 9, 2015 at 3:35 PM, Randy Bush <randy@psg.com> wrote:
Wrong. Batman, for example, wears a black hat.
vigilantes always wear white hats.
i stand corrected
On Thu, Apr 9, 2015 at 2:52 PM, Jeff Shultz <jeffshultz@sctcweb.com> wrote:
I think that, properly, Batman wears a cowl, not a hat.
<http://en.wikipedia.org/wiki/Batsuit> "... the details of his costume from time to time, it is most often depicted as consisting of: matching black (or blue) scalloped cape, bat-like cowl, gloves with a series of scalloped, fin-like protuberances, boots, and outerwear briefs; a yellow utility belt; and, a skintight gray body suit..."
On 4/9/2015 11:29 AM, Mel Beckman wrote:
Wrong. Batman, for example, wears a black hat.
-mel via cell
Warrior Nun Areala wears a black hat. http://en.wikipedia.org/wiki/Warrior_Nun_Areala -b On April 9, 2015 at 18:29 mel@beckman.org (Mel Beckman) wrote:
Wrong. Batman, for example, wears a black hat.
-mel via cell
On Apr 9, 2015, at 11:17 AM, "Randy Bush" <randy@psg.com> wrote:
It does make one wonder why Cisco or Level 3 is involved, why they feel they have the authority to hijack someone else's IP space, and why they didn't go through law enforcement. This is especially true for the second netblock (43.255.190.0/23), announced by a US company (AS26484).
vigilantes always wear white hats.
randy
In response to Sameer Khosla's comment that we should work with the entire service provider community: Talos is the threat intelligence group within Cisco. We absolutely welcome discussions with any network operator on how we can improve the state of security on the Internet. Please contact me directly via email and we can have a discussion about how we can work together going forward. Thank you in advance, Matthew Olney Manager, Talos Threat Intelligence Analytics Cisco
On Apr 9, 2015, at 3:01 PM, Matt Olney (molney) <molney@cisco.com> wrote:
In response to Sameer Khosla's comment that we should work with the entire service provider community:
Talos is the threat intelligence group within Cisco. We absolutely welcome discussions with any network operator on how we can improve the state of security on the Internet. Please contact me directly via email and we can have a discussion about how we can work together going forward.
While I agree that the (at least temporary) mitigation of the threat was overall a good thing, I'm not really happy with the method used. Decisions to drop/block/filter traffic should be done locally. I would have appreciated Talos coming to the various *nog lists and saying something like "Hey, there's some really bad guys here. Here's the evidence of their bad behavior, you really should block them." That probably would have had a wider reach than just going to Level3. --Chris
On 09/04/2015 22:39, Chris Boyd wrote:
On Apr 9, 2015, at 3:01 PM, Matt Olney (molney) <molney@cisco.com> wrote:
In response to Sameer Khosla's comment that we should work with the entire service provider community:
Talos is the threat intelligence group within Cisco. We absolutely welcome discussions with any network operator on how we can improve the state of security on the Internet. Please contact me directly via email and we can have a discussion about how we can work together going forward. While I agree that the (at least temporary) mitigation of the threat was overall a good thing, I'm not really happy with the method used. Decisions to drop/block/filter traffic should be done locally. I would have appreciated Talos coming to the various *nog lists and saying something like "Hey, there's some really bad guys here. Here's the evidence of their bad behavior, you really should block them." That probably would have had a wider reach than just going to Level3.
--Chris
Seconded. This kind of decision should be left to the various providers, and be taken openly. While I am sure the decision has been taken with the best intention, I'd prefer not seeing this kind of power wielded in a discretionary fashion. 'Tis a road that can lead to places I'm pretty sure nobody wants to go.
On 9 April 2015 at 19:16, Randy Bush <randy@psg.com> wrote:
It does make one wonder why Cisco or Level 3 is involved, why they feel they have the authority to hijack someone else's IP space, and why they didn't go through law enforcement. This is especially true for the second netblock (43.255.190.0/23), announced by a US company (AS26484).
vigilantes always wear white hats.
randy
It seems to me from reading the article that the "defence" to this is to set up a legitimate hosting company in the same IP space, even if it only has 1 customer. Then if you get blocked you turn around and shout and scream that Level3 are abusing their market dominance to prevent a rival firm's customers (this legitimate hosting company) being able to use the Internet. How screwed would they be in court? I suspect it won't be a US court that gets to side with a US company and ignore everyone else; I suspect it would be an EU court case where there are actual consequences to a company trying to abuse their market dominance to force others to do what they want. This specific group might not have the balls to try suing Level3, but if they make a habit of blocking people's access to the internet then ambulance-chasing lawyers will likely try to trick them into screwing up and blocking their clients. - Mike
Oh well. Don't do business with dirtbags. ----- Mike Hammett Intelligent Computing Solutions http://www.ics-il.com ----- Original Message ----- From: "Mike Jones" <mike@mikejones.in> To: "Randy Bush" <randy@psg.com> Cc: nanog@nanog.org Sent: Saturday, April 11, 2015 2:37:07 AM Subject: Re: Cisco/Level3 takedown On 9 April 2015 at 19:16, Randy Bush <randy@psg.com> wrote:
It does make one wonder why Cisco or Level 3 is involved, why they feel they have the authority to hijack someone else's IP space, and why they didn't go through law enforcement. This is especially true for the second netblock (43.255.190.0/23), announced by a US company (AS26484).
vigilantes always wear white hats.
randy
It seems to me from reading the article that the "defence" to this is to set up a legitimate hosting company in the same IP space, even if it only has 1 customer. Then if you get blocked you turn around and shout and scream that Level3 are abusing their market dominance to prevent a rival firm's customers (this legitimate hosting company) being able to use the Internet. How screwed would they be in court? I suspect it won't be a US court that gets to side with a US company and ignore everyone else; I suspect it would be an EU court case where there are actual consequences to a company trying to abuse their market dominance to force others to do what they want. This specific group might not have the balls to try suing Level3, but if they make a habit of blocking people's access to the internet then ambulance-chasing lawyers will likely try to trick them into screwing up and blocking their clients. - Mike
Seems like this is pretty ineffective. The group already moved subnets once; they will likely do this again. All Cisco/L3 have done is slow them down a bit. Stephen Mikulasik -----Original Message----- From: NANOG [mailto:nanog-bounces@nanog.org] On Behalf Of Sameer Khosla Sent: Thursday, April 09, 2015 9:31 AM To: nanog@nanog.org Subject: Cisco/Level3 takedown Was just reading http://blogs.cisco.com/security/talos/sshpsychos then checking my routing tables. Looks like the two /23's they mention are now being advertised as /24's, and I'm also not sure why cisco published the ssh attack dictionary. It seems to me that this is something that if they want to do, they should be working with entire service provider community, not just one provider. Thanks Sameer Khosla Managing Director Neutral Data Centers Corp. Twitter: @skhoslaTO