swinog

swinog@lists.swinog.ch

2933 discussions

Swisscom IPv6 Routing weirdness
by Jean-Pierre Schwickerath 25 Feb '21

25 Feb '21

Dear Swisscom Routing-Experts Are you not peeing at swissIX anymore? Your webserver www.swisscom.ch (2a02:a90:c400:4001::2) gives me a hard time to be reached. Either it wants it traffic to be routed from Berne via NL, UK, US and ends in a sinkhole or it uses what looks like using private peering from tineo/netrics/finecom to the same sinkhole: tracepath6 2a02:a90:c400:4001::2 1?: [LOCALHOST] 0.367ms pmtu 1500 1: sv96.hilotec.net 0.776ms 1: sv96.hilotec.net 0.740ms 2: 2a00:c38::1:0:2a 1.538ms 3: lo0.01.p.cbn.ch.as15576.nts.ch 1.725ms 4: lo0.01.p.czh.ch.as15576.nts.ch 4.075ms 5: lo0.02.p.czh.ch.as15576.nts.ch 4.354ms 6: zayog.swissix.ch 10.184ms 7: no reply 8: ae2.cs1.ams17.nl.eth.zayo.com 151.857ms asymm 25 9: no reply 10: no reply 11: no reply 12: ae5.cs1.lhr11.uk.eth.zayo.com 153.354ms asymm 21 13: no reply 14: 2001:438:ffff::407d:1d13 151.202ms asymm 19 15: ae6.cs1.sjc2.us.eth.zayo.com 159.227ms asymm 18 16: ae9.mpr1.pao1.us.zip.zayo.com 152.345ms 17: 2001:438:fffe::2456 153.873ms asymm 10 18: 2001:c10:80:1::e51 259.737ms asymm 10 19: 2001:c10:80:1::b96 265.511ms asymm 11 20: 2001:c10:80:2::ad2 243.109ms asymm 10 21: geb-030-lo0-0.ip6.ip-plus.net 247.019ms asymm 9 22: geb-015-loo6.ip6.ip-plus.net 236.957ms asymm 8 23: gem-005-loo6.ip6.ip-plus.net 242.943ms asymm 8 24: 2001:918:100:63::1 230.491ms asymm 7 25: 2001:918:100:4c::1 240.121ms asymm 8 26: 2001:918:100:52::1 247.741ms asymm 7 27: 2001:918:ce::49 241.013ms asymm 8 28: 2a02:a90:4024:fff::14 247.804ms asymm 9 29: 2a02:a90:4024:fff::15 234.473ms asymm 8 30: no reply Too many hops: pmtu 1500 Resume: pmtu 1500 tracepath 2a02:a90:c400:4001::2 1?: [LOCALHOST] 0.030ms pmtu 1500 1: router.3550.ch 0.418ms 1: router.3550.ch 0.410ms 2: bd4.lar01.lna001.bb.fcom.ch 4.561ms 3: no reply 4: no reply 5: 2001:4d98:a000::1b4 3.218ms asymm 4 6: zhh-015-lo0-0.ip6.ip-plus.net 11.088ms asymm 5 7: 2001:918:ce::45 6.146ms asymm 6 8: 2a02:a90:4024:fff:8000::15 5.452ms 9: no reply 10: no reply 11: no reply 12: no reply 13: no reply 14: no reply 15: no reply 16: no reply 17: no reply 18: no reply 19: no reply 20: no reply 21: no reply 22: no reply 23: no reply 24: no reply 25: no reply 26: no reply 27: no reply 28: no reply 29: no reply 30: no reply Too many hops: pmtu 1500 Resume: pmtu 1500 Is that a management decision or a technical issue? Cheers Jean-Pierre -- HILOTEC Engineering + Consulting AG - Langnau im Emmental IT für KMUs: Netzwerke, Server, PCs, Linux, Telefonanlagen, VOIP, Hosting, Datenbanken, Entwicklung, WLAN, Cloud, Firewalls Tel: +41 34 408 01 00 - https://www.hilotec.com/

2 1

Bluewin / Swisscom Postmaster Contact
by Michael Naef 25 Feb '21

25 Feb '21

Hi all We (Hostpoint) see increasing problems sending automated Mails to bluewwin recipients (such as account confirmation emails). Respectively we see them identiefd as spam mails. Can a Swisscom/Bluewin Postmaster please get in touch with me/us to identify the cause? Thanks, Michael Naef Head of System Engineering, Hostpoint AG

1 0

Fwd: [ncc-announce] Attack on RIPE NCC Access - Please Enable Two-Factor Authentication
by Massimiliano Stucchi 18 Feb '21

18 Feb '21

-------- Forwarded Message -------- Subject: [ncc-announce] Attack on RIPE NCC Access - Please Enable Two-Factor Authentication Date: Thu, 18 Feb 2021 16:49:59 +0100 From: Ivo Dijkhuis <ivo.dijkhuis(a)ripe.net> To: ncc-announce(a)ripe.net Dear colleagues, Last weekend, RIPE NCC Access, our single sign-on (SSO) service was affected by what appears to be a deliberate ‘credential-stuffing’ attack, which caused some downtime. We mitigated the attack, and we are now taking steps to ensure that our services are better protected against such threats in the future. Our preliminary investigations do not indicate that any SSO accounts have been compromised. If we do find that an account has been affected in the course of our investigations, we will contact the account holder individually to inform them. We would like to ask you to enable two-factor authentication on your RIPE NCC Access account if you have not already done so to ensure that your account is secure. In general, using two-factor authentication across all your accounts can help limit your exposure to such attacks. If you notice any suspicious activity in your RIPE NCC Access account, please contact us immediately at <security(a)ripe.net>. Best regards, Ivo Dijkhuis Senior Information Security Officer, RIPE NCC

1 0

Quad9 moves to Switzerland
by Michael Hausding 17 Feb '21

17 Feb '21

Dear Swinog I am very pleased to inform you first-hand that SWITCH and Quad9 are jointly announcing today the relocation of Quad9's headquarters from California to Zurich. Quad9, a public domain name service, will thus offer its users worldwide maximum internet privacy protection. The move to Switzerland is being facilitated in large part by SWITCH. The joint mission of SWITCH and Quad9 - to provide security and robust services to internet users around the world - was a key factor in this collaboration. More information can be found in the joint media release https://www.switch.ch/news/Quad9-moves-to-Switzerland/ and on the Quad9 website https://quad9.net/ Should you have any questions about this, please don't hesitate to contact me or Quad9 directly. Best regards, Michael ------------------------------------ Michael Hausding, Competence Lead DNS & Domain Abuse SWITCH-CERT Werdstrasse 2, P.O. Box, 8021 Zurich, Switzerland phone +41 44 268 15 77, incident phone +41 44 268 15 40 michael.hausding(a)switch.ch http://securityblog.switch.ch

1 0

Bluewin quarantines outgoing mails
by Maxim Samo 09 Feb '21

09 Feb '21

Hi, Sometimes I have users send me email from bluewin. Those emails can be significantly delayed. An example just came in this morning: Received: from quar.lb.bluewin.ch ([195.186.123.234]) by vimdzmsp-sfwd04.bluewin.ch Swisscom AG with ESMTP id 9FbplVkv74QBH9Fc9l0UVW; Tue, 09 Feb 2021 00:06:41 +0100 Received: from vimdzmsp-sfwd04.bluewin.ch ([195.186.227.132]) by vimdzmsp-quar01.bluewin.ch Swisscom AG with SMTP id 82c8lv39dIuiP82c8lqzVg; Fri, 05 Feb 2021 16:01:41 +0100 Delayed from Friday until Tuesday by quar.lb.bluewin.ch. Quar seems to be short for "quarantine". The sending user had no idea that this happened. I previously asked in the Swisscom community about this and they confirmed that this happens when the server suspects it's spam. The questions I have now though are: - How is the sending user supposed to know that this happened? - It seems that they really expect the sending user to call their support line and ask the mail to be released (!). - How did the mail get released in this case? The length of the quarantine seems to change and you could suspect that it's a human looking through those emails. regards, Maxim

1 0

Bluewin / SMTP UTF8
by Rémy DUCHET 04 Feb '21

04 Feb '21

Hello Swinog, Does anybody from Bluewin can check SMTP host configuration ? It seems that mx doesnt support SMTP UTF8 (we have customers with email address that contains ~ (for example): SMTPUTF8 is required, but was not offered by host mxbw.lb.bluewin.ch[195.186.227.50] Thanks, Rémy

1 0

experiencing DDOS via a drupal GET request
by maj＠mbuf.net 21 Jan '21

21 Jan '21

Hello, this is to share with you that I am experiencing a ddos attack for a webserver I manage. It is a Drupal/PHP/Nginx platform that is flooded with GET requests such as: GET /es/search?f%5B0%5D=language%3Aes&f%5B1%5D=regions%3A4490&f%5B2%5D=regions%3A4511&f%5B3%5D=regions%3A4538&f%5B4%5D=regions%3A4556&f%5B5%5D=regions%3A4567&f%5B6%5D=regions%3A4593&f%5B7%5D=regions%3A4601&f%5B8%5D=regions%3A4603&f%5B9%5D=regions%3A4620&f%5B10%5D=regions%3A4631&f%5B11%5D=regions%3A4674&f%5B12%5D=type_of_content%3A4697&f%5B13%5D=type_of_content%3A4710&f%5B14%5D=type_of_content%3A4857&f%5B15%5D=type_of_content%3A4862&f%5B16%5D=type_of_content%3A4943&f%5B17%5D=type_of_content%3A6249&f%5B18%5D=type_of_content%3A6423&f%5B19%5D=wcc_programmes%3A4882&f%5B20%5D=wcc_programmes%3A4893 It targets the search module which does not cache the data and means resource impact. This involves more than 12'000 individual ip addresses, spread over CN, IN, KO, MX, and US. A list of the subnet part involved can be found here[0]. (list is of course gorwing over time, attack is not over and spread of hosts continue) I plan to further investigate the networks involved, how likely they are cloud nodes or infected hosts for instance. I am on the AS3303/Swisscom BTW. Is anyone experiencing such traffic? This is not huge in terms of bw, but scaled adequately to eat servers cpu resources. Regards. [0] https://www.mbuf.net/files/f/ebbc54f52b564824bf5e/ -- |_|0|_| Julien MABILLARD - Matrix: @jma:matrix.mbuf.net - XMPP: jma(a)tls.mbuf.net |_|_|0| OpenPGP fingerprint: 1E47 513E 8B00 8BC5 E874 23E4 54A4 32FB 260A 2D41 |0|0|0| ssb: @O7yM/4Y0Jcp1uZToeis2AKApyOvb8ZHkoXuAh0wPcAM=.ed25519

1 0

Anyone from AS9009 / GlobalAXS / m247 Zurich NOC?
by Benoît Panizzon 04 Jan '21

04 Jan '21

Happy new Year. If anyone from AS9009 Zurich NOC reads this list. Please contact me off list about a more serious incident involving some of your IP Addresses. -- Mit freundlichen Grüssen -Benoît Panizzon- @ HomeOffice und normal erreichbar -- I m p r o W a r e A G - Leiter Commerce Kunden ______________________________________________________ Zurlindenstrasse 29 Tel +41 61 826 93 00 CH-4133 Pratteln Fax +41 61 826 93 01 Schweiz Web http://www.imp.ch ______________________________________________________

1 0

.ch zone file is open data now
by Michael Hausding 04 Jan '21

04 Jan '21

Dear list Happy new Year! We want to let you know that the the .ch zone file, containing all delegated .ch domain names, is publicly available for download. Access is limited by Article 10(1)(a)(6) of the Ordinance on Internet Domains for combating cybercrime, scientific and social research or for other purposes in the public interest. Details, on how to access the file are available here: https://swit.ch/zonedata, and I also wrote a blogpost https://securityblog.switch.ch/2020/11/18/dot_ch_zone_is_open_data/. If you have any feedback or do anything interesting with the data, please share. Michael ------------------------------------ Michael Hausding, Competence Lead DNS & Domain Abuse SWITCH-CERT Werdstrasse 2, P.O. Box, 8021 Zurich, Switzerland phone +41 44 268 15 77, incident phone +41 44 268 15 40 michael.hausding(a)switch.ch http://securityblog.switch.ch

1 0

Spam from 'Rocketmails.ch'
by Benoît Panizzon 28 Dec '20

28 Dec '20

Dear List Today we received several delisting request for URI's and IP Addresses somehow associated with Newsletters sent by 'Rocketmails.ch'. The listings were caused during the last 14 days or so by multiple customers reporting those emails as spam and claiming not having subscribed, nor being a customer of the advertising company. And I guess I can figure out why... Quote: "Sie erhalten dieses Mailing, weil Sie sich bei unseren Aktionsseiten oder der unserer Werbepartner mit der Email-Adresse XXXX eingetragen haben." There is no mention of WHAT partner or WHAT website they allegedly subscribed. So that could also explain that they don't know the company whose products are advertised via Rocketmails. So for the recipient this is just spam. Anyone else seeing these and knowing more about how the transfer of such personal data happens between those partner and what kind of partners those are? So far no spamtrap hits, so this does not look like harvested addresses. -- Mit freundlichen Grüssen -Benoît Panizzon- @ HomeOffice und normal erreichbar -- I m p r o W a r e A G - Leiter Commerce Kunden ______________________________________________________ Zurlindenstrasse 29 Tel +41 61 826 93 00 CH-4133 Pratteln Fax +41 61 826 93 01 Schweiz Web http://www.imp.ch ______________________________________________________

10 23

Jump to page:

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

swinog