NANOG Digest, Vol 8, Issue 38

Bruno VAZ bvaz at ipercast.net
Wed Sep 10 16:12:17 CDT 2008


--- 
[Message envoyé a partir d'un mobile]

Bruno VAZ

Ipercast Operations

40, Rue de PARIS / 92100 Boulogne-Billancourt

Tel +33 1 72 77 70 87
Mailbvaz at ipercast.net
  

-----Original Message-----
From: nanog-request at nanog.org

Date: Wed, 10 Sep 2008 19:59:40 
To: <nanog at nanog.org>
Subject: NANOG Digest, Vol 8, Issue 38


Send NANOG mailing list submissions to
	nanog at nanog.org

To subscribe or unsubscribe via the World Wide Web, visit
	http://mailman.nanog.org/mailman/listinfo/nanog
or, via email, send a message with subject or body 'help' to
	nanog-request at nanog.org

You can reach the person managing the list at
	nanog-owner at nanog.org

When replying, please edit your Subject line so it is more specific
than "Re: Contents of NANOG digest..."


Today's Topics:

   1. RE: duplicate packet  (Darden, Patrick S.)
   2. RE: duplicate packet  (Eric Van Tol)
   3. Re: duplicate packet  (Jon Lewis)
   4. Re: duplicate packet (Sebastian Abt)
   5. RE: duplicate packet  (Tim Sanderson)
   6. Re: duplicate packet (Laurence F. Sheldon, Jr.)
   7. Re: Yahoo! mail admins? (Matthew Petach)
   8. Re: ingress SMTP (*Hobbit*)
   9. New (2-byte) ASN Allocation for RIPE NCC (Leo Vegoda)
  10. Teleglobe appears to be spam-source zombie network? (Jo Rhett)
  11. Re: Teleglobe appears to be spam-source zombie network?
      (Nuno Vieira - nfsi telecom)
  12. Re: Teleglobe appears to be spam-source zombie network?
      (Marshall Eubanks)


----------------------------------------------------------------------

Message: 1
Date: Wed, 10 Sep 2008 08:01:32 -0400
From: "Darden, Patrick S." <darden at armc.org>
Subject: RE: duplicate packet 
To: "chloe K" <chloekcy2000 at yahoo.ca>,	<nanog at nanog.org>
Message-ID: <CBE22E5FF427B149A272DD1DDE107524023688B6 at EX2K3.armc.org>
Content-Type: text/plain;	charset="iso-8859-1"


Check your ARP tables, local and on intervening switches/routers.  Make sure there are no duplicate entries for that IP.  If you note the response time, the second packet is always higher which might be indicative.  I would also check for a botched MITM a la C&A.

Even if there is no obvious ARP table manglement, you might try flushing the local and intervening caches.

Try the ping from another host, another subnet, another segment, get more info.

--p

-----Original Message-----
From: chloe K [mailto:chloekcy2000 at yahoo.ca]
Sent: Wednesday, September 10, 2008 6:46 AM
To: nanog at nanog.org
Subject: duplicate packet 


Hi all

When I ping the ip, I get the duplicate 

I check the ip is just one. Why it happens?

Thank you

64 bytes from 192.168.0.95: icmp_seq=1 ttl=63 time=0.344 ms
64 bytes from 192.168.0.95: icmp_seq=1 ttl=63 time=0.401 ms (DUP!)
64 bytes from 192.168.0.95: icmp_seq=2 ttl=63 time=0.296 ms
64 bytes from 192.168.0.95: icmp_seq=2 ttl=63 time=0.328 ms (DUP!)
64 bytes from 192.168.0.95: icmp_seq=3 ttl=63 time=0.291 ms
64 bytes from 192.168.0.95: icmp_seq=3 ttl=63 time=0.316 ms (DUP!)
64 bytes from 192.168.0.95: icmp_seq=4 ttl=63 time=0.279 ms
64 bytes from 192.168.0.95: icmp_seq=4 ttl=63 time=0.309 ms (DUP!)
64 bytes from 192.168.0.95: icmp_seq=5 ttl=63 time=0.271 ms
64 bytes from 192.168.0.95: icmp_seq=5 ttl=63 time=0.299 ms (DUP!)

       
 
              
---------------------------------
    
       
Yahoo!         Canada Toolbar : Search from anywhere on         the web and bookmark your favourite sites. Download it now!          



------------------------------

Message: 2
Date: Wed, 10 Sep 2008 08:06:02 -0400
From: Eric Van Tol <eric at atlantech.net>
Subject: RE: duplicate packet 
To: 'chloe K' <chloekcy2000 at yahoo.ca>, "nanog at nanog.org"
	<nanog at nanog.org>
Message-ID:
	<2C05E949E19A9146AF7BDF9D44085B86350AECC45F at exchange.aoihq.local>
Content-Type: text/plain; charset="us-ascii"

> -----Original Message-----
> From: chloe K [mailto:chloekcy2000 at yahoo.ca]
> Sent: Wednesday, September 10, 2008 6:46 AM
> To: nanog at nanog.org
> Subject: duplicate packet
>
> Hi all
>
> When I ping the ip, I get the duplicate
>
> I check the ip is just one. Why it happens?
>
> Thank you
>
> 64 bytes from 192.168.0.95: icmp_seq=1 ttl=63 time=0.344 ms
> 64 bytes from 192.168.0.95: icmp_seq=1 ttl=63 time=0.401 ms (DUP!)
> 64 bytes from 192.168.0.95: icmp_seq=2 ttl=63 time=0.296 ms
> 64 bytes from 192.168.0.95: icmp_seq=2 ttl=63 time=0.328 ms (DUP!)
> 64 bytes from 192.168.0.95: icmp_seq=3 ttl=63 time=0.291 ms
> 64 bytes from 192.168.0.95: icmp_seq=3 ttl=63 time=0.316 ms (DUP!)
> 64 bytes from 192.168.0.95: icmp_seq=4 ttl=63 time=0.279 ms
> 64 bytes from 192.168.0.95: icmp_seq=4 ttl=63 time=0.309 ms (DUP!)
> 64 bytes from 192.168.0.95: icmp_seq=5 ttl=63 time=0.271 ms
> 64 bytes from 192.168.0.95: icmp_seq=5 ttl=63 time=0.299 ms (DUP!)

Check to see whether or not the port connected to that host is mirrored or in a SPAN VLAN.  Misconfiguration on an analyzer server can cause duplicate traffic to be generated.

-evt



------------------------------

Message: 3
Date: Wed, 10 Sep 2008 08:11:18 -0400 (EDT)
From: Jon Lewis <jlewis at lewis.org>
Subject: Re: duplicate packet 
To: chloe K <chloekcy2000 at yahoo.ca>
Cc: nanog at nanog.org
Message-ID: <Pine.LNX.4.61.0809100808070.5503 at soloth.lewis.org>
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed

On Wed, 10 Sep 2008, chloe K wrote:

> When I ping the ip, I get the duplicate
>
> I check the ip is just one. Why it happens?
>
> 64 bytes from 192.168.0.95: icmp_seq=1 ttl=63 time=0.344 ms
> 64 bytes from 192.168.0.95: icmp_seq=1 ttl=63 time=0.401 ms (DUP!)

Not enough information has been given.

Just hope it's not being caused by a Level3/Sprint circuit...ours is still 
doing this (when I change back to HDLC) and they just don't freaking care.
Sometimes I wish I worked for a big telco so I could leave things broken 
and say "hey, I'm the telco, I don't have to care."

Maybe we should refuse to pay for the affected DS3 and see if that gets 
more attention.

----------------------------------------------------------------------
  Jon Lewis                   |  I route
  Senior Network Engineer     |  therefore you are
  Atlantic Net                |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________



------------------------------

Message: 4
Date: Wed, 10 Sep 2008 14:11:48 +0200
From: Sebastian Abt <sabt at sabt.net>
Subject: Re: duplicate packet
To: chloe K <chloekcy2000 at yahoo.ca>
Cc: nanog at nanog.org
Message-ID: <20080910121148.GA4491 at sephina.sabt.net>
Content-Type: text/plain; charset=us-ascii

* chloe K wrote:
> When I ping the ip, I get the duplicate 
> 
> 64 bytes from 192.168.0.95: icmp_seq=1 ttl=63 time=0.344 ms
> 64 bytes from 192.168.0.95: icmp_seq=1 ttl=63 time=0.401 ms (DUP!)
                ^^^^^^^^^^^^
What's your netmask?  Is 192.168.0.95 your net's broadcast address?

sebastian

-- 
SABT-RIPE   PGPKEY-D008DA9C



------------------------------

Message: 5
Date: Wed, 10 Sep 2008 08:26:52 -0400
From: Tim Sanderson <tims at donet.com>
Subject: RE: duplicate packet 
To: "nanog at nanog.org" <nanog at nanog.org>
Message-ID:
	<C8780EC81EAFB24B94943243BA5BCC54292289670F at intexch07.internal.donet.com>
	
Content-Type: text/plain; charset="us-ascii"

Instead, dispute the bill and then when they won't credit you for not giving you what you ordered, open a complaint with the state public utilities commission. It may get you some movement on the issue.

--
Tim Sanderson, network administrator
tims at donet.com


-----Original Message-----
From: Jon Lewis [mailto:jlewis at lewis.org]
Sent: Wednesday, September 10, 2008 8:11 AM
To: chloe K
Cc: nanog at nanog.org
Subject: Re: duplicate packet

On Wed, 10 Sep 2008, chloe K wrote:

> When I ping the ip, I get the duplicate
>
> I check the ip is just one. Why it happens?
>
> 64 bytes from 192.168.0.95: icmp_seq=1 ttl=63 time=0.344 ms
> 64 bytes from 192.168.0.95: icmp_seq=1 ttl=63 time=0.401 ms (DUP!)

Not enough information has been given.

Just hope it's not being caused by a Level3/Sprint circuit...ours is still
doing this (when I change back to HDLC) and they just don't freaking care.
Sometimes I wish I worked for a big telco so I could leave things broken
and say "hey, I'm the telco, I don't have to care."

Maybe we should refuse to pay for the affected DS3 and see if that gets
more attention.

----------------------------------------------------------------------
  Jon Lewis                   |  I route
  Senior Network Engineer     |  therefore you are
  Atlantic Net                |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________




------------------------------

Message: 6
Date: Wed, 10 Sep 2008 08:10:20 -0500
From: "Laurence F. Sheldon, Jr." <LarrySheldon at cox.net>
Subject: Re: duplicate packet
Cc: nanog at nanog.org
Message-ID: <48C7C73C.7000900 at cox.net>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

Sebastian Abt wrote:
> * chloe K wrote:
>> When I ping the ip, I get the duplicate 
>>
>> 64 bytes from 192.168.0.95: icmp_seq=1 ttl=63 time=0.344 ms
>> 64 bytes from 192.168.0.95: icmp_seq=1 ttl=63 time=0.401 ms (DUP!)
>                 ^^^^^^^^^^^^
> What's your netmask?  Is 192.168.0.95 your net's broadcast address?

Ohhh!  Nice catch!



------------------------------

Message: 7
Date: Wed, 10 Sep 2008 06:13:18 -0700
From: "Matthew Petach" <mpetach at netflight.com>
Subject: Re: Yahoo! mail admins?
To: "Paul Kelly :: Blacknight" <paul at blacknight.com>
Cc: "nanog at nanog.org" <nanog at nanog.org>
Message-ID:
	<63ac96a50809100613k3f9f2499p9270dbc5b7a82533 at mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1

On 9/10/08, Paul Kelly :: Blacknight <paul at blacknight.com> wrote:
> Hi There,
>
>  Are there any Yahoo! e-mail admins on the list? We're having some issues at times delivering e-mail to yahoo.co.uk and sometimes some of the other yahoo networks.
>

Probably not--but folks can probably get the message to the right ears.
Let me know off list the nature of the issue (layer 3 reachability vs
layer 7 application error messages) and I'll see what I can do to
get the message to the right recipients.

Thanks!

Matt

>  Thanks,
>
>  Paul
>
>  Paul Kelly
>  Technical Director
>  Blacknight Internet Solutions ltd
>  Hosting, Colocation, Dedicated servers
>  IP Transit Services
>  Tel: +353 (0) 59 9183072
>  Lo-call: 1850 929 929
>  DDI: +353 (0) 59 9183091
>
>  e-mail: paul at blacknight.ie
>  web: http://www.blacknight.ie
>
>  Blacknight Internet Solutions Ltd,
>  Unit 12A,Barrowside Business Park,
>  Sleaty Road,
>  Graiguecullen,
>  Carlow,
>  Ireland
>
>  Company No.: 370845
>
>



------------------------------

Message: 8
Date: Wed, 10 Sep 2008 12:35:24 +0000 (GMT)
From: hobbit at avian.org (*Hobbit*)
Subject: Re: ingress SMTP
To: nanog at nanog.org
Message-ID: <20080910123524.3D97E7808 at relayer.avian.org>

I am completely convinced that abuse@ in most big providers is a
black hole with an autoresponder hung off it, and nothing ever
gets done with complaints.  NO HUMAN ever sees them, and even if
they did, most of the humans at these outfits wouldn't recognize
a Received: header if it bit them in the ass.

I invite and welcome anyone from the "big boyz" I named in the
original question -- verizon, comcast, roadrunner,  charter,
bellsouth/SBC, and now Google -- *especially* Gmail, given that
counterproductive "privacy" policy we noted -- to inform me
otherwise.

_H*



------------------------------

Message: 9
Date: Wed, 10 Sep 2008 07:38:44 -0700
From: Leo Vegoda <leo.vegoda at icann.org>
Subject: New (2-byte) ASN Allocation for RIPE NCC
To: Leo Vegoda <leo.vegoda at icann.org>
Message-ID: <C4EDA894.1EC4C%leo.vegoda at icann.org>
Content-Type: text/plain; charset="iso-8859-1"

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,

This is to confirm that the IANA has allocated one 2-byte ASN block
to the RIPE NCC:

48128-49151     Assigned by RIPE NCC     whois.ripe.net
2008-09-09

A note of the allocation has been made at:

http://www.iana.org/assignments/as-numbers/as-numbers.xml
http://www.iana.org/assignments/as-numbers/as-numbers.xhtml
http://www.iana.org/assignments/as-numbers/as-numbers.txt

Thank you and best regards,

Leo Vegoda
leo.vegoda at icann.org

*******************************************
Internet Assigned Numbers Authority (IANA)
4676 Admiralty Way, Suite 330
Marina del Rey, CA  90292
Phone: +1-310-823-9358
Fax: +1-310-823-8649
*******************************************
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (Darwin)

iD8DBQFIx9suvBLymJnAzRwRAgnkAKDDxJCilYy0aErDQtQQFEcsCKG/QwCgi+Ao
029EI3Ful4LKPXMJEUGKs3g=
=7EeD
-----END PGP SIGNATURE-----




------------------------------

Message: 10
Date: Wed, 10 Sep 2008 12:47:26 -0700
From: Jo Rhett <jrhett at netconsonance.com>
Subject: Teleglobe appears to be spam-source zombie network?
To: nanog <nanog at nanog.org>
Message-ID: <03F411FC-74D6-48CA-84FC-16706B05BADE at netconsonance.com>
Content-Type: text/plain; charset=US-ASCII; format=flowed; delsp=yes

We started getting a flood of autobot spam to our listed abuse mailbox  
about an hour ago out of Teleglobe.  Trying to find someone to shut  
this down has found that

1. Teleglobe has no listed abuse contacts for any of their netblocks
2. The few of their records which have listed e-mail addresses all  
bounce
3. All listed phone numbers on any netblocks we can find are invalid

Any chance that RIPE is more strigent than ARIN and would pull their  
netblocks until they fix this stuff?

-- 
Jo Rhett
Net Consonance : consonant endings by net philanthropy, open source  
and other randomness





------------------------------

Message: 11
Date: Wed, 10 Sep 2008 20:51:09 +0100 (WEST)
From: Nuno Vieira - nfsi telecom <nuno.vieira at nfsi.pt>
Subject: Re: Teleglobe appears to be spam-source zombie network?
To: Jo Rhett <jrhett at netconsonance.com>
Cc: nanog <nanog at nanog.org>
Message-ID: <823080104.21701221076269458.JavaMail.root at zimbra.nfsi.pt>
Content-Type: text/plain; charset=utf-8

Try reach them at CAbuse at tatacommunications.com

cheers,
---
Nuno Vieira
nfsi telecom, lda.

nuno.vieira at nfsi.pt
Tel. (+351) 21 949 2300 - Fax (+351) 21 949 2301
http://www.nfsi.pt/



----- "Jo Rhett" <jrhett at netconsonance.com> wrote:

> We started getting a flood of autobot spam to our listed abuse mailbox
>  
> about an hour ago out of Teleglobe.  Trying to find someone to shut  
> this down has found that
> 
> 1. Teleglobe has no listed abuse contacts for any of their netblocks
> 2. The few of their records which have listed e-mail addresses all  
> bounce
> 3. All listed phone numbers on any netblocks we can find are invalid
> 
> Any chance that RIPE is more strigent than ARIN and would pull their 
> 
> netblocks until they fix this stuff?
> 
> -- 
> Jo Rhett
> Net Consonance : consonant endings by net philanthropy, open source  
> and other randomness



------------------------------

Message: 12
Date: Wed, 10 Sep 2008 15:59:35 -0400
From: Marshall Eubanks <tme at multicasttech.com>
Subject: Re: Teleglobe appears to be spam-source zombie network?
To: Nuno Vieira - nfsi telecom <nuno.vieira at nfsi.pt>
Cc: nanog <nanog at nanog.org>
Message-ID: <0B1059FF-6187-4212-A666-3124BFB38E88 at multicasttech.com>
Content-Type: text/plain; charset=US-ASCII; format=flowed; delsp=yes


On Sep 10, 2008, at 3:51 PM, Nuno Vieira - nfsi telecom wrote:

> Try reach them at CAbuse at tatacommunications.com
>

Yes - all my teleglobe contacts went over to Tata email addresses  
during the summer.

Regards
Marshall


> cheers,
> ---
> Nuno Vieira
> nfsi telecom, lda.
>
> nuno.vieira at nfsi.pt
> Tel. (+351) 21 949 2300 - Fax (+351) 21 949 2301
> http://www.nfsi.pt/
>
>
>
> ----- "Jo Rhett" <jrhett at netconsonance.com> wrote:
>
>> We started getting a flood of autobot spam to our listed abuse  
>> mailbox
>>
>> about an hour ago out of Teleglobe.  Trying to find someone to shut
>> this down has found that
>>
>> 1. Teleglobe has no listed abuse contacts for any of their netblocks
>> 2. The few of their records which have listed e-mail addresses all
>> bounce
>> 3. All listed phone numbers on any netblocks we can find are invalid
>>
>> Any chance that RIPE is more strigent than ARIN and would pull their
>>
>> netblocks until they fix this stuff?
>>
>> -- 
>> Jo Rhett
>> Net Consonance : consonant endings by net philanthropy, open source
>> and other randomness
>




------------------------------

_______________________________________________
NANOG mailing list
NANOG at nanog.org
http://mailman.nanog.org/mailman/listinfo/nanog


End of NANOG Digest, Vol 8, Issue 38
************************************




More information about the NANOG mailing list