Re: NANOG Digest, Vol 8, Issue 38
--- [Message envoyé a partir d'un mobile] Bruno VAZ Ipercast Operations 40, Rue de PARIS / 92100 Boulogne-Billancourt Tel +33 1 72 77 70 87 Mailbvaz@ipercast.net -----Original Message----- From: nanog-request@nanog.org Date: Wed, 10 Sep 2008 19:59:40 To: <nanog@nanog.org> Subject: NANOG Digest, Vol 8, Issue 38 Send NANOG mailing list submissions to nanog@nanog.org To subscribe or unsubscribe via the World Wide Web, visit http://mailman.nanog.org/mailman/listinfo/nanog or, via email, send a message with subject or body 'help' to nanog-request@nanog.org You can reach the person managing the list at nanog-owner@nanog.org When replying, please edit your Subject line so it is more specific than "Re: Contents of NANOG digest..." Today's Topics: 1. RE: duplicate packet (Darden, Patrick S.) 2. RE: duplicate packet (Eric Van Tol) 3. Re: duplicate packet (Jon Lewis) 4. Re: duplicate packet (Sebastian Abt) 5. RE: duplicate packet (Tim Sanderson) 6. Re: duplicate packet (Laurence F. Sheldon, Jr.) 7. Re: Yahoo! mail admins? (Matthew Petach) 8. Re: ingress SMTP (*Hobbit*) 9. New (2-byte) ASN Allocation for RIPE NCC (Leo Vegoda) 10. Teleglobe appears to be spam-source zombie network? (Jo Rhett) 11. Re: Teleglobe appears to be spam-source zombie network? (Nuno Vieira - nfsi telecom) 12. Re: Teleglobe appears to be spam-source zombie network? (Marshall Eubanks) ---------------------------------------------------------------------- Message: 1 Date: Wed, 10 Sep 2008 08:01:32 -0400 From: "Darden, Patrick S." <darden@armc.org> Subject: RE: duplicate packet To: "chloe K" <chloekcy2000@yahoo.ca>, <nanog@nanog.org> Message-ID: <CBE22E5FF427B149A272DD1DDE107524023688B6@EX2K3.armc.org> Content-Type: text/plain; charset="iso-8859-1" Check your ARP tables, local and on intervening switches/routers. Make sure there are no duplicate entries for that IP. If you note the response time, the second packet is always higher which might be indicative. I would also check for a botched MITM a la C&A. Even if there is no obvious ARP table manglement, you might try flushing the local and intervening caches. Try the ping from another host, another subnet, another segment, get more info. --p -----Original Message----- From: chloe K [mailto:chloekcy2000@yahoo.ca] Sent: Wednesday, September 10, 2008 6:46 AM To: nanog@nanog.org Subject: duplicate packet Hi all When I ping the ip, I get the duplicate I check the ip is just one. Why it happens? Thank you 64 bytes from 192.168.0.95: icmp_seq=1 ttl=63 time=0.344 ms 64 bytes from 192.168.0.95: icmp_seq=1 ttl=63 time=0.401 ms (DUP!) 64 bytes from 192.168.0.95: icmp_seq=2 ttl=63 time=0.296 ms 64 bytes from 192.168.0.95: icmp_seq=2 ttl=63 time=0.328 ms (DUP!) 64 bytes from 192.168.0.95: icmp_seq=3 ttl=63 time=0.291 ms 64 bytes from 192.168.0.95: icmp_seq=3 ttl=63 time=0.316 ms (DUP!) 64 bytes from 192.168.0.95: icmp_seq=4 ttl=63 time=0.279 ms 64 bytes from 192.168.0.95: icmp_seq=4 ttl=63 time=0.309 ms (DUP!) 64 bytes from 192.168.0.95: icmp_seq=5 ttl=63 time=0.271 ms 64 bytes from 192.168.0.95: icmp_seq=5 ttl=63 time=0.299 ms (DUP!) --------------------------------- Yahoo! Canada Toolbar : Search from anywhere on the web and bookmark your favourite sites. Download it now! ------------------------------ Message: 2 Date: Wed, 10 Sep 2008 08:06:02 -0400 From: Eric Van Tol <eric@atlantech.net> Subject: RE: duplicate packet To: 'chloe K' <chloekcy2000@yahoo.ca>, "nanog@nanog.org" <nanog@nanog.org> Message-ID: <2C05E949E19A9146AF7BDF9D44085B86350AECC45F@exchange.aoihq.local> Content-Type: text/plain; charset="us-ascii"
-----Original Message----- From: chloe K [mailto:chloekcy2000@yahoo.ca] Sent: Wednesday, September 10, 2008 6:46 AM To: nanog@nanog.org Subject: duplicate packet
Hi all
When I ping the ip, I get the duplicate
I check the ip is just one. Why it happens?
Thank you
64 bytes from 192.168.0.95: icmp_seq=1 ttl=63 time=0.344 ms 64 bytes from 192.168.0.95: icmp_seq=1 ttl=63 time=0.401 ms (DUP!) 64 bytes from 192.168.0.95: icmp_seq=2 ttl=63 time=0.296 ms 64 bytes from 192.168.0.95: icmp_seq=2 ttl=63 time=0.328 ms (DUP!) 64 bytes from 192.168.0.95: icmp_seq=3 ttl=63 time=0.291 ms 64 bytes from 192.168.0.95: icmp_seq=3 ttl=63 time=0.316 ms (DUP!) 64 bytes from 192.168.0.95: icmp_seq=4 ttl=63 time=0.279 ms 64 bytes from 192.168.0.95: icmp_seq=4 ttl=63 time=0.309 ms (DUP!) 64 bytes from 192.168.0.95: icmp_seq=5 ttl=63 time=0.271 ms 64 bytes from 192.168.0.95: icmp_seq=5 ttl=63 time=0.299 ms (DUP!)
Check to see whether or not the port connected to that host is mirrored or in a SPAN VLAN. Misconfiguration on an analyzer server can cause duplicate traffic to be generated. -evt ------------------------------ Message: 3 Date: Wed, 10 Sep 2008 08:11:18 -0400 (EDT) From: Jon Lewis <jlewis@lewis.org> Subject: Re: duplicate packet To: chloe K <chloekcy2000@yahoo.ca> Cc: nanog@nanog.org Message-ID: <Pine.LNX.4.61.0809100808070.5503@soloth.lewis.org> Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed On Wed, 10 Sep 2008, chloe K wrote:
When I ping the ip, I get the duplicate
I check the ip is just one. Why it happens?
64 bytes from 192.168.0.95: icmp_seq=1 ttl=63 time=0.344 ms 64 bytes from 192.168.0.95: icmp_seq=1 ttl=63 time=0.401 ms (DUP!)
Not enough information has been given. Just hope it's not being caused by a Level3/Sprint circuit...ours is still doing this (when I change back to HDLC) and they just don't freaking care. Sometimes I wish I worked for a big telco so I could leave things broken and say "hey, I'm the telco, I don't have to care." Maybe we should refuse to pay for the affected DS3 and see if that gets more attention. ---------------------------------------------------------------------- Jon Lewis | I route Senior Network Engineer | therefore you are Atlantic Net | _________ http://www.lewis.org/~jlewis/pgp for PGP public key_________ ------------------------------ Message: 4 Date: Wed, 10 Sep 2008 14:11:48 +0200 From: Sebastian Abt <sabt@sabt.net> Subject: Re: duplicate packet To: chloe K <chloekcy2000@yahoo.ca> Cc: nanog@nanog.org Message-ID: <20080910121148.GA4491@sephina.sabt.net> Content-Type: text/plain; charset=us-ascii * chloe K wrote:
When I ping the ip, I get the duplicate
64 bytes from 192.168.0.95: icmp_seq=1 ttl=63 time=0.344 ms 64 bytes from 192.168.0.95: icmp_seq=1 ttl=63 time=0.401 ms (DUP!) ^^^^^^^^^^^^ What's your netmask? Is 192.168.0.95 your net's broadcast address?
sebastian -- SABT-RIPE PGPKEY-D008DA9C ------------------------------ Message: 5 Date: Wed, 10 Sep 2008 08:26:52 -0400 From: Tim Sanderson <tims@donet.com> Subject: RE: duplicate packet To: "nanog@nanog.org" <nanog@nanog.org> Message-ID: <C8780EC81EAFB24B94943243BA5BCC54292289670F@intexch07.internal.donet.com> Content-Type: text/plain; charset="us-ascii" Instead, dispute the bill and then when they won't credit you for not giving you what you ordered, open a complaint with the state public utilities commission. It may get you some movement on the issue. -- Tim Sanderson, network administrator tims@donet.com -----Original Message----- From: Jon Lewis [mailto:jlewis@lewis.org] Sent: Wednesday, September 10, 2008 8:11 AM To: chloe K Cc: nanog@nanog.org Subject: Re: duplicate packet On Wed, 10 Sep 2008, chloe K wrote:
When I ping the ip, I get the duplicate
I check the ip is just one. Why it happens?
64 bytes from 192.168.0.95: icmp_seq=1 ttl=63 time=0.344 ms 64 bytes from 192.168.0.95: icmp_seq=1 ttl=63 time=0.401 ms (DUP!)
Not enough information has been given. Just hope it's not being caused by a Level3/Sprint circuit...ours is still doing this (when I change back to HDLC) and they just don't freaking care. Sometimes I wish I worked for a big telco so I could leave things broken and say "hey, I'm the telco, I don't have to care." Maybe we should refuse to pay for the affected DS3 and see if that gets more attention. ---------------------------------------------------------------------- Jon Lewis | I route Senior Network Engineer | therefore you are Atlantic Net | _________ http://www.lewis.org/~jlewis/pgp for PGP public key_________ ------------------------------ Message: 6 Date: Wed, 10 Sep 2008 08:10:20 -0500 From: "Laurence F. Sheldon, Jr." <LarrySheldon@cox.net> Subject: Re: duplicate packet Cc: nanog@nanog.org Message-ID: <48C7C73C.7000900@cox.net> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Sebastian Abt wrote:
* chloe K wrote:
When I ping the ip, I get the duplicate
64 bytes from 192.168.0.95: icmp_seq=1 ttl=63 time=0.344 ms 64 bytes from 192.168.0.95: icmp_seq=1 ttl=63 time=0.401 ms (DUP!) ^^^^^^^^^^^^ What's your netmask? Is 192.168.0.95 your net's broadcast address?
Ohhh! Nice catch! ------------------------------ Message: 7 Date: Wed, 10 Sep 2008 06:13:18 -0700 From: "Matthew Petach" <mpetach@netflight.com> Subject: Re: Yahoo! mail admins? To: "Paul Kelly :: Blacknight" <paul@blacknight.com> Cc: "nanog@nanog.org" <nanog@nanog.org> Message-ID: <63ac96a50809100613k3f9f2499p9270dbc5b7a82533@mail.gmail.com> Content-Type: text/plain; charset=ISO-8859-1 On 9/10/08, Paul Kelly :: Blacknight <paul@blacknight.com> wrote:
Hi There,
Are there any Yahoo! e-mail admins on the list? We're having some issues at times delivering e-mail to yahoo.co.uk and sometimes some of the other yahoo networks.
Probably not--but folks can probably get the message to the right ears. Let me know off list the nature of the issue (layer 3 reachability vs layer 7 application error messages) and I'll see what I can do to get the message to the right recipients. Thanks! Matt
Thanks,
Paul
Paul Kelly Technical Director Blacknight Internet Solutions ltd Hosting, Colocation, Dedicated servers IP Transit Services Tel: +353 (0) 59 9183072 Lo-call: 1850 929 929 DDI: +353 (0) 59 9183091
e-mail: paul@blacknight.ie web: http://www.blacknight.ie
Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park, Sleaty Road, Graiguecullen, Carlow, Ireland
Company No.: 370845
------------------------------ Message: 8 Date: Wed, 10 Sep 2008 12:35:24 +0000 (GMT) From: hobbit@avian.org (*Hobbit*) Subject: Re: ingress SMTP To: nanog@nanog.org Message-ID: <20080910123524.3D97E7808@relayer.avian.org> I am completely convinced that abuse@ in most big providers is a black hole with an autoresponder hung off it, and nothing ever gets done with complaints. NO HUMAN ever sees them, and even if they did, most of the humans at these outfits wouldn't recognize a Received: header if it bit them in the ass. I invite and welcome anyone from the "big boyz" I named in the original question -- verizon, comcast, roadrunner, charter, bellsouth/SBC, and now Google -- *especially* Gmail, given that counterproductive "privacy" policy we noted -- to inform me otherwise. _H* ------------------------------ Message: 9 Date: Wed, 10 Sep 2008 07:38:44 -0700 From: Leo Vegoda <leo.vegoda@icann.org> Subject: New (2-byte) ASN Allocation for RIPE NCC To: Leo Vegoda <leo.vegoda@icann.org> Message-ID: <C4EDA894.1EC4C%leo.vegoda@icann.org> Content-Type: text/plain; charset="iso-8859-1" -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hi, This is to confirm that the IANA has allocated one 2-byte ASN block to the RIPE NCC: 48128-49151 Assigned by RIPE NCC whois.ripe.net 2008-09-09 A note of the allocation has been made at: http://www.iana.org/assignments/as-numbers/as-numbers.xml http://www.iana.org/assignments/as-numbers/as-numbers.xhtml http://www.iana.org/assignments/as-numbers/as-numbers.txt Thank you and best regards, Leo Vegoda leo.vegoda@icann.org ******************************************* Internet Assigned Numbers Authority (IANA) 4676 Admiralty Way, Suite 330 Marina del Rey, CA 90292 Phone: +1-310-823-9358 Fax: +1-310-823-8649 ******************************************* -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.7 (Darwin) iD8DBQFIx9suvBLymJnAzRwRAgnkAKDDxJCilYy0aErDQtQQFEcsCKG/QwCgi+Ao 029EI3Ful4LKPXMJEUGKs3g= =7EeD -----END PGP SIGNATURE----- ------------------------------ Message: 10 Date: Wed, 10 Sep 2008 12:47:26 -0700 From: Jo Rhett <jrhett@netconsonance.com> Subject: Teleglobe appears to be spam-source zombie network? To: nanog <nanog@nanog.org> Message-ID: <03F411FC-74D6-48CA-84FC-16706B05BADE@netconsonance.com> Content-Type: text/plain; charset=US-ASCII; format=flowed; delsp=yes We started getting a flood of autobot spam to our listed abuse mailbox about an hour ago out of Teleglobe. Trying to find someone to shut this down has found that 1. Teleglobe has no listed abuse contacts for any of their netblocks 2. The few of their records which have listed e-mail addresses all bounce 3. All listed phone numbers on any netblocks we can find are invalid Any chance that RIPE is more strigent than ARIN and would pull their netblocks until they fix this stuff? -- Jo Rhett Net Consonance : consonant endings by net philanthropy, open source and other randomness ------------------------------ Message: 11 Date: Wed, 10 Sep 2008 20:51:09 +0100 (WEST) From: Nuno Vieira - nfsi telecom <nuno.vieira@nfsi.pt> Subject: Re: Teleglobe appears to be spam-source zombie network? To: Jo Rhett <jrhett@netconsonance.com> Cc: nanog <nanog@nanog.org> Message-ID: <823080104.21701221076269458.JavaMail.root@zimbra.nfsi.pt> Content-Type: text/plain; charset=utf-8 Try reach them at CAbuse@tatacommunications.com cheers, --- Nuno Vieira nfsi telecom, lda. nuno.vieira@nfsi.pt Tel. (+351) 21 949 2300 - Fax (+351) 21 949 2301 http://www.nfsi.pt/ ----- "Jo Rhett" <jrhett@netconsonance.com> wrote:
We started getting a flood of autobot spam to our listed abuse mailbox
about an hour ago out of Teleglobe. Trying to find someone to shut this down has found that
1. Teleglobe has no listed abuse contacts for any of their netblocks 2. The few of their records which have listed e-mail addresses all bounce 3. All listed phone numbers on any netblocks we can find are invalid
Any chance that RIPE is more strigent than ARIN and would pull their
netblocks until they fix this stuff?
-- Jo Rhett Net Consonance : consonant endings by net philanthropy, open source and other randomness
------------------------------ Message: 12 Date: Wed, 10 Sep 2008 15:59:35 -0400 From: Marshall Eubanks <tme@multicasttech.com> Subject: Re: Teleglobe appears to be spam-source zombie network? To: Nuno Vieira - nfsi telecom <nuno.vieira@nfsi.pt> Cc: nanog <nanog@nanog.org> Message-ID: <0B1059FF-6187-4212-A666-3124BFB38E88@multicasttech.com> Content-Type: text/plain; charset=US-ASCII; format=flowed; delsp=yes On Sep 10, 2008, at 3:51 PM, Nuno Vieira - nfsi telecom wrote:
Try reach them at CAbuse@tatacommunications.com
Yes - all my teleglobe contacts went over to Tata email addresses during the summer. Regards Marshall
cheers, --- Nuno Vieira nfsi telecom, lda.
nuno.vieira@nfsi.pt Tel. (+351) 21 949 2300 - Fax (+351) 21 949 2301 http://www.nfsi.pt/
----- "Jo Rhett" <jrhett@netconsonance.com> wrote:
We started getting a flood of autobot spam to our listed abuse mailbox
about an hour ago out of Teleglobe. Trying to find someone to shut this down has found that
1. Teleglobe has no listed abuse contacts for any of their netblocks 2. The few of their records which have listed e-mail addresses all bounce 3. All listed phone numbers on any netblocks we can find are invalid
Any chance that RIPE is more strigent than ARIN and would pull their
netblocks until they fix this stuff?
-- Jo Rhett Net Consonance : consonant endings by net philanthropy, open source and other randomness
------------------------------ _______________________________________________ NANOG mailing list NANOG@nanog.org http://mailman.nanog.org/mailman/listinfo/nanog End of NANOG Digest, Vol 8, Issue 38 ************************************
participants (1)
-
Bruno VAZ