Seems like QWEST doesn't have any edge ACL's in place to deal
with this lovely worm issue.
Count Source Prexix, rounded up to a /16
144 208.46.0.0
199 65.114.0.0
347 208.45.0.0
462 65.118.0.0
486 65.119.0.0
702 208.44.0.0
Not sure how many places you intend to post this or related
messages, but if you've got a problem vote with your money.
Whining to NANOG and a slew of other mailing lists and still
giving money to Qwest seems silly to me...
Likewise, the Qwest folks likely aren't quite as clueless as
you've attempted to portray them over the last few days, silly
policies (policies that are clearly in place for a reason) can
be fixed -- and I assure you, above all else, money talks...
-danny
Sorry to those that may be on other lists.
Given general operational nature, I posted to NANOG, so that:
1. money can talk, others will see one view of this provider
2. operationally maybe something will get done
3. policy wise maybe this provider will change its policy
4. Qwest said their people had installed the ACL's properly
my evidence is to the contrary.
The customer that was impacted is certainly considering
their options. I suspect they will vote with their checkbook.
PS: Slew == 1 Private email list, 1, Well known public list
1 Local Public-ish list.
Slew != as large as it may have sounded...
Policies are sometimes in place for good reasons, sometimes
because the makers of said policy are void clue. To assume
they are inplace for good reason is a leap imho.
Some Qwest people I've worked with on this issue are rich
with clue, others (ergo via the nice normal paths) are not.
My thanks to those that have clue, and my suggestion to
management that they help those without clue.
The other thing I learned from QWEST IP-NOC was that it seems
managment decided *NOT TO* filter packets related to this worm
issue at the edge......
an isp of any non-trivial size, has one or more customers who
are either in the security business or in security research.
also ip behavior business or research. or ...
the job of isps is to deliver packets, not to alter or drop them.
if a custumer wishes there traffic shaped, dropped, mangled, ...
at the edge, that's a nice [sellable] extra service.
randy, who is right now trying to chase down what and why an
upstream has done to stop some traffic i was measuring,
harumph!
Not sure how many places you intend to post this or related
messages, but if you've got a problem vote with your money.
Whining to NANOG and a slew of other mailing lists and still
giving money to Qwest seems silly to me...
Agreed...
Likewise, the Qwest folks likely aren't quite as clueless as
you've attempted to portray them over the last few days, silly
policies (policies that are clearly in place for a reason) can
be fixed -- and I assure you, above all else, money talks...
I dunno... in my experience, Qwest is pretty clue-free.
Of course money talks, but it takes a LOT of defections to make a significant impact.
I dunno... in my experience, <isp> is pretty clue-free.
when folk want to pay $50/mb, how much clue do we think
isps can pay for, especially to deal with peak clue loads
such as this last week or two?
yes, money talks. but in many ways.
randy
Given general operational nature, I posted to NANOG, so that:
1. money can talk, others will see one view of this provider
Don't talk with other peoples money, talk with your own. If
you plan to post to NANOG, it'd be a wise assumption that a
significant subset of the folks here reside on other lists
you post to as well.
2. operationally maybe something will get done
Perhaps. Though if/when it does, it'll be Qwest and
you that will be involved, no one here.
3. policy wise maybe this provider will change its policy
Perhaps, though given the discussions on this and a
hundred other lists in the last three weeks, I'm not
sure providers know what to do. As Sean points out,
every other email contradicts the previous.
If I filter, I'm responsive, clueful & saving the Internet.
When something breaks as a result, I'm clueless and trying
to play netpolice, violating my SLA, plain suck, and need
to just worry about delivering packets.
4. Qwest said their people had installed the ACL's properly
my evidence is to the contrary.
Hence the need to further engage with Qwest, folks here
will be of little benefit at the end of the day.
The customer that was impacted is certainly considering
their options. I suspect they will vote with their checkbook.PS: Slew == 1 Private email list, 1, Well known public list
1 Local Public-ish list.Slew != as large as it may have sounded...
Correct me if I'm wrong, but I seem to recall a strikingly
similar message posted to several mailing lists regarding
very similar topics and the same provider within the past
.. 4 days (no, it was 2 days)? Had it not been for that I
wouldn't have bothered posting. One attempt to humiliate
your provider in order to trigger some action is perhaps
arguable, two or more is just plain annoying.
Policies are sometimes in place for good reasons, sometimes
because the makers of said policy are void clue. To assume
they are inplace for good reason is a leap imho.
So providers should play netpolice or Internet-Firewall-provider
some amount of time, depending on _your gauge of the activity of
a given incident? Folks need to realize that if large networks
didn't have policies of this sort in place they'd be blocking pretty
much every port on every interface by now..
You can't have it both ways...
-danny
Doesn't work this way. It is much better to have one clueful guy than to
keep three clueless ones. Costs the same, the results are strikingly
different.
--vadim
Anyone that works for Qwest (Spirit of Service…HA HA HA HA HA) and can actually stop having your clueless NOC personnel from calling me at the flipping early hours of the morning because your non working proactive monitoring system keeps opening pro active tickets. No one has yet to verify that at any of the countless times (yes this little ordeal has been going on for months now) that your so called pro active monitoring system opens a ticket that it has ever been right.
Ever heard of false positives???
Funny that your pro active ticket has never really detected an actual issue, because when these do happen it takes over a couple of hours to get anyone to begin the troubleshooting process.
Is it customary for Qwest to call customers at 2, 3, 4, or 5 AM to tell them that they have a ticket opened by their pro active system?
Here is a concept…get the proactive ticket, pull the interface, or look at the circuit before calling your customers…now that would be a Spirit of Service.
What you are doing now is the spirit of laziness…
Gerardo A. Gregory
Manager Network Administration and Security
402-970-1463 (Direct)
402-850-4008 (Cell)
I apologize to the list for including a subject line in all caps regarding my attempt to contact someone at Qwest to fix this "pro active monitoring" issue I have.
I hope that someone from that network contacts me since all other normal channels of communication that they provide to their customers has not provided a solution in the months that this issue has been going on.
So far, opening tickets, calling the NOC, escalating to managers, and the local Qwest team have provided no solution to these erroneous alarms. I am just given the ol' "We took care of it" until the next 2 AM pro active ticket gets opened, and once again am roused from my sleep because of a false alarm that they could not bother veryfing first.
My apologies for the All Caps subject line.
Rico
Gerardo Gregory writes:
Anyone that works for Qwest (Spirit of Service.....HA HA HA HA HA) and can actually stop having your clueless NOC personnel from calling me at the flipping early hours of the morning because your non working proactive monitoring system keeps opening pro active tickets. No one has yet to verify that at any of the countless times (yes this little ordeal has been going on for months now) that your so called pro active monitoring system opens a ticket that it has ever been right.
Ever heard of false positives???
Funny that your pro active ticket has never really detected an actual issue, because when these do happen it takes over a couple of hours to get anyone to begin the troubleshooting process.
Is it customary for Qwest to call customers at 2, 3, 4, or 5 AM to tell them that they have a ticket opened by their pro active system?
Here is a concept....get the proactive ticket, pull the interface, or look at the circuit before calling your customers...now that would be a Spirit of Service.
What you are doing now is the spirit of laziness........Gerardo A. Gregory
Manager Network Administration and Security
402-970-1463 (Direct)
402-850-4008 (Cell)
------------------------------------------------
Affinitas - Latin for "Relationship"
Helping Businesses Acquire, Retain, and Cultivate
Customers
Visit us at http://www.affinitas.net
Gerardo A. Gregory
Manager Network Administration and Security
402-970-1463 (Direct)
402-850-4008 (Cell)