next hop packet loss

Keith Medcalf kmedcalf at dessus.com
Sat Aug 11 13:20:43 CDT 2012


Works fine in Firefox for me, and always has (within the limits of the shoddily designed website that is).  Nonetheless, I'd never buy anything from them since they are an anti-security organization.  Their Web site uses so much gratuitous javascript crap and hard-coded assumptions about character cell sizes and pixel density that it is completely unuseable.  I have no reason to believe that any other product they sell is any better designed -- if you can't create a web site that does not require increasing attack surface in order to use it, then I would assume that all their products work and are designed the same way, and that deployment of any of their products increases attack surface rather than decreasing it.

On the other hand they are probably four-colour-glossy-brochure and buzzword compliant.  Then again I'm an curmudgeonly old fart that can't even spell dot Snot.

---
()  ascii ribbon campaign against html e-mail
/\  www.asciiribbon.org


> -----Original Message-----
> From: Jim Ray [mailto:jim at neuse.net]
> Sent: Saturday, 11 August, 2012 10:36
> To: SMBManagedServices at yahoogroups.com
> Cc: nanog at nanog.org; david.herring at twcable.com
> Subject: RE: [SMBManagedServices] RE: next hop packet loss
> 
> Get a load of this:
> 
> New version of Firefox works fine. Methinks Mozilla released a turd.
> 
> 
> -----Original Message-----
> From: SMBManagedServices at yahoogroups.com
> [mailto:SMBManagedServices at yahoogroups.com] On Behalf Of James_TDS
> Sent: Friday, August 10, 2012 11:47 AM
> To: SMBManagedServices at yahoogroups.com
> Subject: RE: [SMBManagedServices] RE: next hop packet loss
> 
> As I said I suspect Checkpoint is "breaking the Internet" in an attempt
> to block various DDOS attacks. The failure of tracert and ICMP is not
> isolated to Checkpoint and Above.net as I had a similar problem with a
> local TW customer on a static IP. Because their in house router was down
> and not responding to anything TW would drop the Tracert long before it
> even came close to my client. I gave them heck about this as it made it
> impossible to remotely monitor the customer because when the customer
> calls and says the "Internet is down" the first thing I do is tracert to
> their IP. When I see the route die in another city that tells me the ISP
> is having issues vs. the route dying one hop out from my customer's IP.
> They gave me some crap about active routing and such. Put anything on
> that IP and have it respond to pings and the route will complete.
> 
> As I said Telnet checkpoint.com 80 fails for me but SLChecker works so
> again it's probably some DDOS thing and they are checking user agents
> before replying and I assume SLCheck mimics IE or something. Handy tool.
> 
> 
> 
> -----Original Message-----
> From: SMBManagedServices at yahoogroups.com
> [mailto:SMBManagedServices at yahoogroups.com] On Behalf Of Jim Ray
> Sent: Friday, August 10, 2012 8:23 AM
> To: SMBManagedServices at yahoogroups.com
> Subject: RE: [SMBManagedServices] RE: next hop packet loss
> 
> I am stumped why http://www.checkpoint.com won't resolve with Firefox
> yet will with Internet Explorer and Safari. I know Microsoft won't let
> you do what you need to do with Firefox yet am surprised with Check
> Point.
> 
> Above.net is not echoing ICMP, though, before one reaches Check Point.
> 
> >From the NANOG group, I found out it is possible to use command line
> switch to specify type of traffic and to get around ICMP issue.
> Apparently, TCP works; however, another person said UDP is preferred
> embodiment.
> 
> This test resolved web site yet resulted in lost connection:
> 
> telnet www.checkpoint.com 80
> GET / HTTP/1.1
> Host: www.checkpoint.com
> 
> I captured packets with Wireshark yet did not see anything that jumped
> out at me as root cause for failure.
> 
> Meanwhile back at the ranch, my friend brought over business card for
> Check Point representative, and I plan to pick up the phone and call
> thereby bypassing TCP/IP in its entirety.
> 
> 
> -----Original Message-----
> From: SMBManagedServices at yahoogroups.com
> [mailto:SMBManagedServices at yahoogroups.com] On Behalf Of James_TDS
> Sent: Thursday, August 09, 2012 10:50 AM
> To: SMBManagedServices at yahoogroups.com
> Subject: RE: [SMBManagedServices] RE: next hop packet loss
> 
> Go back a few post and see where I mentioned that the hop in question
> was not responding to the ICMP request, it wasn't down they just refuse
> to echo.
> 
> Probably a more valid test would have been:
> 
> telnet checkpoint.com 80
> GET
> 
> However I just tested that as well and Checkpoint doesn't respond
> correctly. Not sure what they are doing on the frontend but they are
> breaking Internet "rules" probably in an effort to not be DDOS'd. I
> checked again with SLChecker and it responds correctly so they are
> likely not responding to Telnet because it doesn't send a user agent ID.
> 
> 
> -----Original Message-----
> From: SMBManagedServices at yahoogroups.com
> [mailto:SMBManagedServices at yahoogroups.com] On Behalf Of Jim Ray
> Sent: Thursday, August 09, 2012 8:39 AM
> To: SMBManagedServices at yahoogroups.com
> Cc: Herring, David
> Subject: [SMBManagedServices] RE: next hop packet loss
> 
> Hey, I get the idgit award for this one. Time Warner's next hop that was
> dropping packets was really a situation where next hop was not
> responding to ICMP from tracert. Neither of us was able to diagnose the
> problem until last night when I found out Safari pulled up
> http://www.checkpoint.com from same network and Firefox on PC did not.
> 
> So, apparently, Check Point does not like Firefox. Internet Explorer
> worked.
> 
> Meanwhile back at the ranch, I have learned about TCP switch in tracert
> thanks to peers here and on NANOG and have gotten down and dirty with
> Wireshark.
> 
> Regards,
> 
> Jim Ray, President
> Neuse River Networks
> 2 Davis Drive, PO Box 13169
> Research Triangle Park, NC 27709
> 919-838-1672 x100
> www.NeuseRiverNetworks.com
> 
> 
> -----Original Message-----
> From: Herring, David [mailto:david.herring at twcable.com]
> Sent: Thursday, August 09, 2012 7:54 AM
> To: Jim Ray; Adrian Bool
> Subject: RE: next hop packet loss
> 
>   Got it.. no worries.. I know we are not always the best either!
> 
>   What would be great- that you let the below be known to your user
> group?
>   I know we let them know when we thought it was Business class
> problem...
> 
> 
> 
> David Herring
> Channel Manager | Channel Partner Program, East Region TWC Business
> Class
> 101 Innovation Avenue| Morrisville, NC 27560
> 919.573.7635
> 
> 
> 
> 
> 
> 
> -----Original Message-----
> From: Jim Ray [mailto:jim at neuse.net]
> Sent: Wednesday, August 08, 2012 7:48 PM
> To: Adrian Bool
> Cc: Herring, David
> Subject: RE: next hop packet loss
> 
> Dude...don't laugh too hard when I tell you I found the problem:
> 
> http://www.CheckPoint.com not compatible with Firefox, only with Safari
> and Internet Explorer or possibly others.
> 
> David, apparently, tracert is not a valid test if ICMP is not active.
> So, my apologies.
> 
> Regards,
> 
> Jim Ray, President
> Neuse River Networks
> 2 Davis Drive, PO Box 13169
> Research Triangle Park, NC 27709
> 919-838-1672 x100
> www.NeuseRiverNetworks.com
> 
> 
> -----Original Message-----
> From: Adrian Bool [mailto:aid at logic.org.uk]
> Sent: Tuesday, August 07, 2012 9:22 AM
> To: Jim Ray
> Subject: Re: next hop packet loss
> 
> 
> Oh, if you do get a connect on the telnet session, type,
> 
> GET / HTTP/1.1
> Host: www.checkpoint.com
> <return>
> <return>
> 
> 
> aid
> 
> 
> 
> On 7 Aug 2012, at 14:14, "Jim Ray" <jim at neuse.net> wrote:
> 
> > Ah, good eyes :-)
> >
> > Thank you, sir. Will try again.
> >
> > Regards,
> >
> > Jim Ray, President
> > Neuse River Networks
> > 2 Davis Drive, PO Box 13169
> > Research Triangle Park, NC 27709
> > 919-838-1672 x100
> > www.NeuseRiverNetworks.com
> >
> >
> >
> > -----Original Message-----
> > From: Adrian Bool [mailto:aid at logic.org.uk]
> > Sent: Tuesday, August 07, 2012 9:14 AM
> > To: Jim Ray
> > Subject: Re: next hop packet loss
> >
> >
> > Hi Jim,
> >
> > It looks like you just used telnet on its own (so it used port 23,
> > which
> > *will* be blocked by Checkpoint).  Instead you need to specify the
> > HTTP port as well,
> >
> >       telnet www.checkpoint.com 80
> >
> > If you give that a go again; whilst capturing with Wireshark & see
> > what happens.
> >
> > Cheers,
> >
> > aid
> >
> 
> 
> This E-mail and any of its attachments may contain Time Warner Cable
> proprietary information, which is privileged, confidential, or subject
> to copyright belonging to Time Warner Cable. This E-mail is intended
> solely for the use of the individual or entity to which it is addressed.
> If you are not the intended recipient of this E-mail, you are hereby
> notified that any dissemination, distribution, copying, or action taken
> in relation to the contents of and attachments to this E-mail is
> strictly prohibited and may be unlawful. If you have received this
> E-mail in error, please notify the sender immediately and permanently
> delete the original and any copy of this E-mail and any printout.
> 
> 
> ------------------------------------
> 
> Moderated and managed Amy LubyYahoo! Groups Links
> 
> 
> 
> 
> 
> ------------------------------------
> 
> Moderated and managed Amy LubyYahoo! Groups Links
> 
> 
> 
> 
> 
> ------------------------------------
> 
> Moderated and managed Amy LubyYahoo! Groups Links
> 
> 
> 
> 
> 
> ------------------------------------
> 
> Moderated and managed Amy LubyYahoo! Groups Links
> 
> <*> To visit your group on the web, go to:
>     http://groups.yahoo.com/group/SMBManagedServices/
> 
> <*> Your email settings:
>     Individual Email | Traditional
> 
> <*> To change settings online go to:
>     http://groups.yahoo.com/group/SMBManagedServices/join
>     (Yahoo! ID required)
> 
> <*> To change settings via email:
>     SMBManagedServices-digest at yahoogroups.com
>     SMBManagedServices-fullfeatured at yahoogroups.com
> 
> <*> To unsubscribe from this group, send an email to:
>     SMBManagedServices-unsubscribe at yahoogroups.com
> 
> <*> Your use of Yahoo! Groups is subject to:
>     http://docs.yahoo.com/info/terms/
> 







More information about the NANOG mailing list