AT&T. Layer 6-8 needed.

jamie j at arpa.com
Mon Jul 27 04:44:49 UTC 2009


I must have misinterpreted "send us something confirming the AT&T 4Chan
outage / isc.sans.org" message.

My bad.



On Sun, Jul 26, 2009 at 11:39 PM, John Bambenek <bambenek at gmail.com> wrote:

> SANS ISC isn't soliciting technical reports, we're interested and looking
> at the issue with a particular eye to 4chan's history of pulling pranks.
>
> Then there is the blocking because of the DoS angle, which I admit, doesn't
> seem to fit the facts in this case.
>
> There are AT&T people on this list, I presume, who can speak to the issue
> if need be.
>
> I'd prefer the SANS ISC not get "name dropped" as if we lend credibility to
> this.  We're looking, sure.  That's it.
>
> j
>
>
> jamie wrote:
>
>> 'Wireless backbone'?
>>
>> K.
>>
>> I have a dozen confirmations off list in every time zone.  SANS ISC is
>> soliciting technical reports on this; It's on the EFF's Radar.
>>
>> "This is not a drill"
>>
>> If any ISP of mine filtered my (where my = brick-and-mortar-corp) access to
>> any destination because of another customer (there are *always* technical
>> solutions to problems you describe, the one you implemented wouldn't even
>> make my list), you'd have one less customer and quite likely a Tortious
>> Interference claim..
>>
>> And, as a (wired) backbone arch, if I ever filtered a host (btw: there are
>> five IPs in that /24 being filtered by T) that cut off every customer's
>> access to that host or group, I'd expect to not have a job anymore.
>>
>> If I wanted filtered Internet, I'd sign up for Prodigy.
>>
>> Check http://status.4chan.org - they're not moving anything at the moment,
>> and confirm the filtering.
>>
>> Debate away, I'm off to bed.
>>
>> I think 4chan's reaction to this will be bigger than the story itself - No
>> need for me to argue what will soon be in the News Cycle.
>>
>> -j
>>
>>
>>
>>
>> On Sun, Jul 26, 2009 at 10:20 PM, Shon Elliott <shon at unwiredbb.com> wrote:
>>
>>
>>
>>> Jamie,
>>>
>>> Unfortunately, that's not easy with wireless backbones. The customers don't
>>> have their own "port". I also know for a fact that 4chan is in the process of
>>> moving, so what you're seeing could just be that. Them moving.
>>>
>>>
>>> Regards,
>>> Shon Elliott
>>> Senior Network Engineer
>>> unWired Broadband, Inc.
>>>
>>>
>>> jamie wrote:
>>>
>>>
>>>> It should be blocked at the complaining customer port.
>>>>
>>>> Not nationwide, and certainly not without announcement.
>>>>
>>>>
>>>> On Sun, Jul 26, 2009 at 10:05 PM, Shon Elliott <shon at unwiredbb.com> wrote:
>>>>
>>>>    There have been a lot of customers on our network who were complaining
>>>>    about ACK scan reports coming from 207.126.64.181. We had no choice but
>>>>    to block that single IP until the attacks let up. It was a decision I
>>>>    made with the gentleman that owns the colo facility that currently hosts
>>>>    4chan. There was no other way around it. I'm sure AT&T is probably
>>>>    blocking it for the same reason. 4chan has been under attack for over 3
>>>>    weeks, the attacks filling up an entire GigE. If you want to blame
>>>>    anyone, blame the script kiddies who pull this kind of stunt.
>>>>
>>>>    Regards,
>>>>    Shon Elliott
>>>>    Senior Network Engineer
>>>>    unWired Broadband, Inc.
>>>>
>>>>
>>>>    jamie wrote:
>>>>    > All,
>>>>    >
>>>>    >   It appears that AT&T (including DSL, and my own home service via
>>>>    > u-verse) has unilaterally and without explanation started blocking
>>>>    > websites.
>>>>    >
>>>>    >   I have confirmed this with multiple tests.  (It actually appears that
>>>>    > these sites are being blocked at a local-global scale -- that is, each
>>>>    > city/hub seems to have blackholes for the sites).
>>>>    >
>>>>    >   The sites I know of I'll list below (see Reddit for a discussion), but
>>>>    > this is clearly and absolutely unacceptable.  Please, comments on the
>>>>    > nature of the sites are OT.. Let's keep this thread that way.  (Away from
>>>>    > being OT, that is).
>>>>    >
>>>>    >   If any T folk are around, and have gotten wind of this (all comments /
>>>>    > direct emails will be off record), a reply would be appreciated.
>>>>    >
>>>>    >   No ears enclosing clue will be reached via normal channels at ~950E on a
>>>>    > Sunday, but this is clearly a problem needing addressing, resolution,
>>>>    > action and, who knows - suit?
>>>>    >
>>>>    >   Thanks in advance all for insight, comments,
>>>>    >
>>>>    > -jamie
>>>>    >
>>>>
>>>>
>>>>
>>>>
>>>>
>>>
>


