Category Archives: Infrastructure

John Quarterman on Mapping Spam and Politics (audio)

At a meeting on a completely different subject, I was interviewed about SpamRankings.net. Here's the audio, and here's the blurb they supplied:

John S. Quarterman, long time Internet denizen, wrote one of the seminal books about networking prior to the commercialization of the Internet. He co-founded the first Internet consulting firm in Texas (TIC) in 1986, and co-founded one of the first ISPs in Austin (Zilker Internet Park, since sold to Jump Point). He was a founder of TISPA, the Texas ISP Association. Quarterman was born and raised in Lowndes County, where he married his wife Gretchen. They live on the same land where he grew up, and participate in local community and government.

Quarterman took some time during Georgia River Network's Weekend for Rivers to speak with the Nonprofit Snapshot about spam-mapping and small town politics.

More about Elinor Ostrom's Nobel-prize-winning work on organizing the commons, and how that applies to SpamRankings.net.

The water organization has since been incorporated as the Georgia non-profit WWALS Watershed Coalition:

WWALS is an advocacy organization working for watershed conservation of the Willacoochee, Withlacoochee, Alapaha, and Little River Systems watershed in south Georgia and north Florida through awareness, environmental monitoring, and citizen advocacy.

-jsq

What other ASNs were affected by botnet Ogee in February 2012?

Previously we determined that nine ASNs that showed spam surges in the U.S. and Canadian top 10 SpamRankings.net for February 2012 were infested by the botnet Ogee and that spam came from that botnet. What other ASNs were affected by Ogee in the same time period?

Let’s look at the top 10 ASNs infested by Ogee according to spam volume for 1 Feb 2012 to 12 Mar 2012:


Left Axis: Total Ogee volume (spam messages);
Right Axis: top 10 Ogee ASN volume (dotted curves)

It looks like Ogee is a new botnet, since all these top 10 ASNs came up from zero volume before 18 February 2012. The biggest initial peak in this graph is from AS 21788 NOC, #1 in the U.S. February top 10, and the biggest late surge is from AS 10439 CARINET, #8 in that same ranking. Right below CARINET is AS 32613 IWEB-AS, Canadian February #1. The rest of the 8 Ogee-infested from the U.S. top 10 previously described also are in there, except AS 7796 ATMLINK and AS 13768 PEER1.

New here are these three: Continue reading

Did the February 2012 spam surge come from one botnet?

SpamRankings.net saw
AS 21788NOC
AS 27229WEBHOST-ASN1
AS 46475LIMESTONENETWORKS
AS 33055BCC-65-182-96-0-PHX
AS 15149EZZI-101-BGP
AS 13768PEER1
AS 10439CARINET
AS 7796ATMLINK
a huge surge in spam from some U.S. ASNs, mostly from ones that hadn’t even been in the top 10 before, with possible correlations in one ASN each from Peru and Canada. Did all this spam come from the same botnet?

Maybe not all, but most. Eight out of the U.S. top 10 for February show very close correlation with one botnet, Ogee. They are listed in the table on the right and shown in the chart below:


Left Axis: ASN volume (spam messages); Right Axis: Botnet volume (dotted curves)

The chart also shows some ASNs reacted quickly and stopped the spamming, while others got worse. It’s a busy chart, so let’s look at simpler charts for one example each of resilient and susceptible ASNs.

AS 21788 NOC was one of the first and worst affected by this spam surge: Continue reading

Egypt Returns

Egypt returned to the Internet about 09:30 GMT today (2 February 2011). This sudden return after being as suddenly disconnected one week ago (27 January 2011) is obviously not due to ordinary causes such as congestion, cable cut, or router failure. This political disconnection of an entire country does not seem to have helped the regime responsible for it; quite the opposite.

-jsq

NANOG: load-balancing facebook and interfacing IPV6 using LISP

Donn Lee talked about LISP Deployment at Facebook. No, not that LISP. This one:
In the current Internet routing and addressing architecture, the IP address is used as a single namespace that simultaneously expresses two functions about a device: its identity and how it is attached to the network. One very visible and detrimental result of this single namespace is manifested in the rapid growth of the Internet’s DFZ (default-free zone) as a consequence of multi-homing, traffic engineering (TE), non-aggregatable address allocations, and business events such as mergers and acquisitions.

LISP changes this by separating IP addresses into two new namespaces: Endpoint Idenfitiers (EIDs), which are assigned to end-hosts, and Routing Locators (RLOCs), which are assigned to devices (primarily routers) that make up the global routing system.

So Lee used that to load-balance facebook, which you can try out here:

http://www.lisp4.facebook.com/.

If I understood him, he said his group of network engineers did all this without needing to involve software development, because facebook is still “a small, scrappy company” that permits and encourages such things.

-jsq

NANOG: The Impacts of Adding Undersea Capacity to East Africa

Keven Chege of KENET at NANOG 50 talked about rapid deployment of cable for Internet use throughout east Africa, despite vandalism including copper theft and sabotage by competing ISPs. Many national research and eduction networks (NRENs) at least planned in the area. KENET in Kenya has “Made the big leap from VSAT to fiber” and is helping coordinate the region; slides include proposed regional mesh map. Also talking to google and Akamai.

Akamai guy stood up immediately afterwards and said he hear KENET was talking to google and asked that they should talk to Akamai as well.

-jsq

NANOG: Submarine adopts 40G and 100G

Per Hansen of Ciena at NANOG 50 talked about growing capacity not by adding more data cables under the sea, rather by increasing spectral density. Eventually new cables will be needed, but meanwhile he thinks we can get up from about 2 bits to to 5 or 6 bits per Hertz. It does require more power: same energy per bit, but more bits.

Plus mesh networks for rerouting, even if it means rerouting backwards around the world, he notes. We’ve observed that sort of emergency backwards routing as long ago as January 2008, in the U.A.E. Cable Cut.

-jsq

NANOG: Coping with Relentless Demand Growth

David G. Ross ofThe David Ross Group Inc. at NANOG 50 talked about data cables under the sea, in which he revealed that Internet growth has not only not paused during the recession, it has increased, and it continues to increase in every region in which his company operates, including Asia, Middle East, and Africa. North Atlantic hasn’t had any new submarine capacity in years, in “the most competitive capacity market on Earth”. It will probably run out in a few years, so now there is demand to build new cables there. Each cable costs about $200 million to install.

Slight downside: early remark that he was sure things were the same as they were when he worked for a telephone company.

-jsq

Quis custodiet ipsos medici?

Internet security is in a position similar to that of safety in the medical industry. Many doctors have an opinion like this one, quoted by Kent Bottles:
“Only 33% of my patients with diabetes have glycated hemoglobin levels that are at goal. Only 44% have cholesterol levels at goal. A measly 26% have blood pressure at goal. All my grades are well below my institution’s targets.” And she says, “I don’t even bother checking the results anymore. I just quietly push the reports under my pile of unread journals, phone messages, insurance forms, and prior authorizations.”

Meanwhile, according to the CDC, 99,000 people die in the U.S. per year because of health-care associated infections. That is equivalent of an airliner crash every day. It’s three times the rate of deaths by automobile accidents.

The basic medical error problems observed by Dennis Quaid when his twin babies almost died due to repeated massive medically-administered overdoses and due to software problems such as ably analysed by Nancy Leveson for the infamous 1980s Therac-25 cancer-radiation device are not in any way unique to computing in medicine. The solutions to those problems are analogous to some of the solutions IT security needs: measurements plus six or seven layers of aggregation, analysis, and distribution.

As Gardiner Harris reported in the New York Times, August 20, 2010, another problem is that intravenous and feeding tubes are not distinguished by shape or color: Continue reading

Data, Reputation, and Certification Against Spam

I’m giving a talk today at the Internet2 workshop on Collaborative Data-Driven Security for High Performance Networks at WUSTL, St. Louis, MO. You can follow along with the PDF.

There may be some twittering on #DDCSW.

-jsq