From ocl at gih.com Sun Aug 1 22:53:00 2010
From: ocl at gih.com (Olivier MJ Crepin-Leblond)
Date: Sun, 01 Aug 2010 22:53:00 +0100
Subject: [IPv6crawler-wg] Fwd: Re: Response to port scanning security alert
Message-ID: <4C55ECBC.4090903@gih.com>

Interesting feedback from Eric Johnston. What do you think? Good suggestions?

I was thinking of putting a page up on turtle which has a short intro and link to the Web site. I might write this later this week.
In the meantime, I have also added a TXT field on turtle.ipv6matrix.org DNS.

Let me know what you think.

Warm regards,

Olivier

-------- Original Message --------
Subject: Re: Response to port scanning security alert
Date: Sun, 1 Aug 2010 22:01:41 +0100
From: Eric
To: Olivier MJ Crepin-Leblond
Cc: Colin Johnston

Olivier

Many thanks for your email and the detailed explanation.

Now we know what you are doing it is no problem.

Our concern is that a portscan alarm might be a prelude to some more serious attack. We block certain IP address ranges from known troublemakers.

The only details we recorded about the events are the two batches of 45 emails from our firewall. For example, one from each batch:

A portscan was detected. Details about the event:
Time.............: 2010:07:30-12:46:37
Source IP address: 212.124.204.162 (turtle.ipv6matrix.org)

A portscan was detected. Details about the event:
Time.............: 2010:07:30-18:53:54
Source IP address: 212.124.204.162 (turtle.ipv6matrix.org)

Our firewall/gateway router is a VMWARE dedicated virtual PC running Linux and Astaro Security Gateway Software 7.506
Our web server in the local LAN.

We have not blocked your IP address and we don't want you to block our urls or IP address 95.154.204.250

Two suggestions ..

1. We suggest that you put text at the index page of the web server(s) http://212.124.204.162/ and http://turtle.ipv6matrix.org/ explaining about your project. - perhaps some of your text in this email might help.
It is usual for search engine robots to leave a trail in the scanned server log file giving the url of the robot and if the server owner accesses that url it says something like "We are a robot collecting ..." This is reassuring to the scanned server owner.

2. Somehow our firewall detects that your IP address is called turtle.ipv6matrix.org We wonder if the wording might be changed. networkscan.ipv6matrix.org would be more meaningful. We get many scanning attacks from all over the web and often the apparent source IP address has many PCs hidden in a LAN behind it.

Best regards, Eric and Colin (Network Administrator)

Eric Johnston 01245 352373
Dir. Satellite Signals Ltd.
eric at satsig.net

--------------------------------------------------
From: "Olivier MJ Crepin-Leblond"
Sent: Saturday, July 31, 2010 7:24 PM
To:
Cc: ;
Subject: Response to port scanning security alert

> Dear Mr. Johnston,
>
> further to our phone conversation this afternoon, and as promised,
> please find further information in this email about the IPv6 Matrix
> project:
>
> I am the project manager for the ISOC-sponsored IPv6 Matrix project
> currently operating from the UK.
>
> I was alerted by 2020 Media Support, our upstream providers, that our
> crawler project has triggered a port scan alert with your routers and
> apologise for the disturbance. It appears that some firewall hardware
> report unusual traffic activity, mis-categorizing it as a port scan
> attack.
>
> This project, sponsored in part by the Internet Society (
> http://www.isoc.org ) and run by the English Chapter of ISOC, aims to
> test the most popular Internet domains in the world for IPv6 connectivity.
> You are no doubt aware that the Internet is running out of IPv4
> addresses and that a transition towards IPv6 is the preferred option to
> maintain its viability and global scaling.
> Our aim is to track the
> spread of IPv6 worldwide, in order to provide more reliable statistics
> on IPv6 implementation and enable decision takers to migrate to the new
> addressing scheme in time before IPv4 addressing runs out. See figure 36
> on: http://www.potaroo.net/tools/ipv4/index.html
>
> This project is a public service to the Internet, and its results can be
> found on:
> http://www.ipv6matrix.org/
>
> A short project description can be found on:
> http://www.isoc.org/isoc/chapters/projects/awards.php?phase=10
>
> At present, we are still at beta testing stage, and are trying to work
> out any quirks in the back-end crawling code, so your feedback is very
> important to us. The .UK domain name space was tested on Thursday, with
> .NET space tested on Friday with .COM currently being tested this
> week-end. In order to have reliable results, we do not wish our IP
> addresses to end up on blacklists, and are therefore very attentive to
> feedback from domain admins such as you. If you have any more detailed
> log of the "port scan" event, I would really appreciate them so as for
> us to amend our crawling engine accordingly.
> Traceroute and Tracepath, as well as Ping, sometimes trigger firewalls,
> especially on specific ports.
>
> The only ports which we test connectivity to are:
> - Port 25 (SMTP),
> - Port 53 (DNS),
> - Port 80 (HTTP),
> - Port 443 (HTTPS)
> - Port 123 (NTP)
>
> All we do is to check if there is response on the port's IPv4 and IPv6
> address (if any IPv6 connectivity is found). This generates a minute
> amount of traffic.
>
> At the moment, the test collects data as follows for each Top Level
> Domain:
>
> - MX : [type,domain,host, ipv4, ipv6, rank]
> - NS : [type,domain,host, ipv4, ipv6, rank]
> - WWW : [type,domain,host, ipv4, ipv6]
> - NTP : [type,domain,host, ipv4, ipv6]
> - Soa : [type,domain,soa,primary_by_rank,primary_inhouse,secondary,total,contact, serial, refresh, retry, expire, minimum]
> - Geoip : [type,domain,host,ipv4,ipv6,asn,city,region_name, country_code, longitude,latitude]
> - Reverse : [type,domain,host, ipv4, ipv6, name4, name6 ]
> - Ping : [type,domain,host, ipv4, ipv6,count,min,avg,max,std,min6,avg6,max6,std6]
> - Tcp25 : [type,domain,host,port,ipv4, ipv6,tcp,tcp6]
> - Tcp80 : [type,domain,host,port,ipv4, ipv6,tcp,tcp6]
> - Tcp443 : [type,domain,host,port,ipv4, ipv6,tcp,tcp6]
> - Tls : [type,domain,host,ipv4, reachable,tls]
> - Path : [type,domain,host, ipv4, ipv6, mtu4, hops4, back4, path4, mtu6, hops6, back6, path6]
> - IPv6 Type : [type,domain,host,ipv6,valid,prefixid,ipv6type]
> - IPv6 domain : [domain,ns,mx,www,ntp]
>
> The tests will take place on a monthly basis, and you therefore might be
> receiving recurring security alerts in the future, unless you can
> parameter your firewall to ignore alerts from our crawler which runs on
> from 212.124.204.162.
> Alternatively, I would be happy to take your domain name out of the
> crawler's site testing list. If so, please email me the list of domain
> names which you are in charge of and I'll make sure they are removed
> from the testing list.
>
> I hope that this email has answered your concerns but if you have any
> further queries, I am happy to discuss them with you on: 07956 84 1113
>
> Warmest regards,
>
> Olivier
>
> --
> Olivier MJ Crépin-Leblond, PhD
> http://www.gih.com/ocl.html
>
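From the receiving side, the firewall alerts and the crawler's declared port list in the message above can be checked against each other. The following is an added example, not part of the original thread or of the IPv6 Matrix project's code; the connection-log layout (`SRC=`/`DPT=`), the documentation-range addresses and all sample lines except the two alerts quoted in the thread are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Ports the crawler operator states it tests (SMTP, DNS, HTTP, NTP, HTTPS).
DECLARED_PORTS = {25, 53, 80, 123, 443}

# Alert layout as quoted in the thread; note the "2010:07:30-12:46:37" timestamp.
ALERT_RE = re.compile(
    r"Time\.*:\s*(?P<ts>\d{4}:\d{2}:\d{2}-\d{2}:\d{2}:\d{2})\s+"
    r"Source IP address:\s*(?P<ip>\S+)(?:\s+\((?P<name>[^)]+)\))?")

def parse_alerts(text):
    """Return [(datetime, source_ip, reverse_name or None)] sorted by time."""
    found = [(datetime.strptime(m["ts"], "%Y:%m:%d-%H:%M:%S"), m["ip"], m["name"])
             for m in ALERT_RE.finditer(text)]
    return sorted(found, key=lambda a: a[0])

def batches(alerts, gap=timedelta(minutes=30)):
    """Per source IP, group alerts into bursts separated by more than `gap`."""
    by_src = defaultdict(list)
    for ts, ip, _name in alerts:
        by_src[ip].append(ts)
    out = {}
    for ip, times in by_src.items():
        groups = [[times[0]]]
        for t in times[1:]:
            if t - groups[-1][-1] > gap:
                groups.append([])      # quiet period exceeded: start a new burst
            groups[-1].append(t)
        out[ip] = [(g[0], g[-1], len(g)) for g in groups]
    return out

def undeclared_ports(conn_lines, source_ip, declared=DECLARED_PORTS):
    """Destination ports `source_ip` touched that are outside the declared set."""
    seen = set()
    for line in conn_lines:
        m = re.search(r"SRC=(\S+)\s.*?DPT=(\d+)", line)
        if m and m.group(1) == source_ip:
            seen.add(int(m.group(2)))
    return sorted(seen - set(declared))

# First and third alerts are the two quoted in the thread; the second is constructed.
SAMPLE_ALERTS = """\
Time.............: 2010:07:30-12:46:37
Source IP address: 212.124.204.162 (turtle.ipv6matrix.org)
Time.............: 2010:07:30-12:46:52
Source IP address: 212.124.204.162 (turtle.ipv6matrix.org)
Time.............: 2010:07:30-18:53:54
Source IP address: 212.124.204.162 (turtle.ipv6matrix.org)
"""

# Constructed connection log; the SRC=/DPT= layout and addresses are assumptions.
SAMPLE_CONNS = [
    "SRC=212.124.204.162 DST=192.0.2.10 PROTO=TCP DPT=25",
    "SRC=212.124.204.162 DST=192.0.2.10 PROTO=TCP DPT=443",
    "SRC=212.124.204.162 DST=192.0.2.10 PROTO=UDP DPT=123",
    "SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP DPT=22",
    "SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP DPT=80",
]

if __name__ == "__main__":
    for ip, bursts in batches(parse_alerts(SAMPLE_ALERTS)).items():
        print(ip, [(a.time(), b.time(), n) for a, b, n in bursts],
              "outside declared ports:", undeclared_ports(SAMPLE_CONNS, ip))
```

A source whose traffic stays inside the declared set returns an empty list; any other port it touched is worth a closer look before the alert is dismissed as crawler noise.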
From ocl at gih.com Mon Aug 2 15:54:48 2010
From: ocl at gih.com (Olivier MJ Crepin-Leblond)
Date: Mon, 02 Aug 2010 15:54:48 +0100
Subject: [IPv6crawler-wg] Response to port scanning security alert
In-Reply-To: <4C55F0DE.40205@gih.com>
References: <4C546A57.5020605@gih.com> <6387F274EB8F4C74900DA5F094135480@EricPC> <4C55F0DE.40205@gih.com>
Message-ID: <4C56DC38.2040004@gih.com>

Eric,

just a quick follow-up:

On 01/08/2010 23:10, Olivier MJ Crepin-Leblond wrote :
>
>
>> Two suggestions ..
>>
>> 1. We suggest that you put text at the index page of the web
>> server(s) http://212.124.204.162/ and http://turtle.ipv6matrix.org/
>> explaining about your project. - perhaps some of your text in this
>> email might help. It is usual for search engine robots to leave a
>> trail in the scanned server log file giving the url of the robot and
>> if the server owner accesses that url it says something like "We are a
>> robot collecting ..." This is reassuring to the scanned server owner.
>>
> Very good idea indeed. I was initially thinking of shutting the Web
> server down, but now that you mention this, I'll put something together
> this week, with a link to the www.ipv6matrix.org results.
>

Done.

>> 2. Somehow our firewall detects that your IP address is called
>> turtle.ipv6matrix.org We wonder if the wording might be changed.
>> networkscan.ipv6matrix.org would be more meaningful. We get many
>> scanning attacks from all over the web and often the apparent source
>> IP address has many PCs hidden in a LAN behind it.
>>
> We've got a CNAME as crawler.ipv6matrix.org, but I think you're right,
> this would probably be helpful to anyone enquiring, to swap the name &
> cname round. Yesterday, I added a DNS TXT field to turtle.ipv6matrix.org
> which points to the Web server. I'll ask my Team what they think of the
> idea of swapping the names around and act accordingly.
>

Done.

Warm regards,

Olivier

--
Olivier MJ Crépin-Leblond, PhD
http://www.gih.com/ocl.html

From colinj at mx5.org.uk Mon Aug 2 19:29:41 2010
From: colinj at mx5.org.uk (Colin Johnston)
Date: Mon, 2 Aug 2010 19:29:41 +0100
Subject: [IPv6crawler-wg] Response to port scanning security alert
In-Reply-To: <4C56DC38.2040004@gih.com>
References: <4C546A57.5020605@gih.com> <6387F274EB8F4C74900DA5F094135480@EricPC> <4C55F0DE.40205@gih.com> <4C56DC38.2040004@gih.com>
Message-ID:

Thanks for responding to our concerns re scanning and the great information links now provided will help many sysadmins understand what you are doing.
For example Team Cymru do this where they provide information about the scanning machine as best practice to aid firewall admins

Colin

From ocl at gih.com Sat Aug 7 11:15:36 2010
From: ocl at gih.com (Olivier MJ Crepin-Leblond)
Date: Sat, 07 Aug 2010 11:15:36 +0100
Subject: [IPv6crawler-wg] Fwd: RE: Response to NETGEAR port scanning security alert
Message-ID: <4C5D3248.90803@gih.com>

FYI

-------- Original Message --------
Subject: RE: Response to NETGEAR port scanning security alert
Date: Sat, 7 Aug 2010 02:00:55 +0100
From: Steven Burn
Organization: Ur I.T. Mate Group
To: 'Olivier MJ Crepin-Leblond'

Olivier,

Thank you for your e-mail.

My apologies for the delay in responding, and thank you for the information.

Regards

Steven Burn
Ur I.T. Mate Group
www.it-mate.co.uk

::: Declaration :::

Ur I.T. Mate Group is NOT a company, it is the name given to a collection of websites developed and maintained by Steven Burn. Websites and software currently owned, operated and developed by Ur I.T. Mate Group are provided on a free to view and use basis.

Ur I.T. Mate Group does not and will not ask for or solicit, personal information*, password, credit card details or payments.

For more information, please see our Privacy Policy.
http://support.it-mate.co.uk/?mode=Documents&doc=Privacy

Ur I.T. Mate Group is based in the United Kingdom.

* Except where registration for an online service is required (e.g. forums, sGB)

-----Original Message-----
From: Olivier MJ Crepin-Leblond [mailto:ocl at gih.com]
Sent: 31 July 2010 19:19
To: services at it-mate.co.uk
Cc: abuse at 2020media.net.uk; IPv6crawler-wg at gih.com
Subject: Response to NETGEAR port scanning security alert

Dear Mr. Burn

I am the project manager for the ISOC-sponsored IPv6 Matrix project currently operating from the UK.

I was alerted by 2020 Media Support, our upstream providers, that our crawler project has triggered a port scan alert with your routers and apologise for the disturbance. It appears that some firewall hardware report unusual traffic activity, mis-categorizing it as a port scan attack.

This project, sponsored in part by the Internet Society ( http://www.isoc.org ) and run by the English Chapter of ISOC, aims to test the most popular Internet domains in the world for IPv6 connectivity.
You are no doubt aware that the Internet is running out of IPv4 addresses and that a transition towards IPv6 is the preferred option to maintain its viability and global scaling. Our aim is to track the spread of IPv6 worldwide, in order to provide more reliable statistics on IPv6 implementation and enable decision takers to migrate to the new addressing scheme in time before IPv4 addressing runs out. See figure 36 on: http://www.potaroo.net/tools/ipv4/index.html

This project is a public service to the Internet, and its results can be found on:
http://www.ipv6matrix.org/

A short project description can be found on:
http://www.isoc.org/isoc/chapters/projects/awards.php?phase=10

At present, we are still at beta testing stage, and are trying to work out any quirks in the back-end crawling code, so your feedback is very important to us. The .UK domain name space was tested on Thursday, with .NET space tested on Friday with .COM currently being tested this week-end.
In order to have reliable results, we do not wish our IP addresses to end up on blacklists, and are therefore very attentive to feedback from domain admins such as you. If you have any more detailed log of the "port scan" event, I would really appreciate them so as for us to amend our crawling engine accordingly.
Traceroute and Tracepath, as well as Ping, sometimes trigger firewalls, especially on specific ports.

The only ports which we test connectivity to are:
- Port 25 (SMTP),
- Port 53 (DNS),
- Port 80 (HTTP),
- Port 443 (HTTPS)
- Port 123 (NTP)

All we do is to check if there is response on the port's IPv4 and IPv6 address (if any IPv6 connectivity is found). This generates a minute amount of traffic.

At the moment, the scan collects data as follows for each Top Level Domain:

- MX : [type,domain,host, ipv4, ipv6, rank]
- NS : [type,domain,host, ipv4, ipv6, rank]
- WWW : [type,domain,host, ipv4, ipv6]
- NTP : [type,domain,host, ipv4, ipv6]
- Soa : [type,domain,soa,primary_by_rank,primary_inhouse,secondary,total,contact, serial, refresh, retry, expire, minimum]
- Geoip : [type,domain,host,ipv4,ipv6,asn,city,region_name, country_code, longitude,latitude]
- Reverse : [type,domain,host, ipv4, ipv6, name4, name6 ]
- Ping : [type,domain,host, ipv4, ipv6,count,min,avg,max,std,min6,avg6,max6,std6]
- Tcp25 : [type,domain,host,port,ipv4, ipv6,tcp,tcp6]
- Tcp80 : [type,domain,host,port,ipv4, ipv6,tcp,tcp6]
- Tcp443 : [type,domain,host,port,ipv4, ipv6,tcp,tcp6]
- Tls : [type,domain,host,ipv4, reachable,tls]
- Path : [type,domain,host, ipv4, ipv6, mtu4, hops4, back4, path4, mtu6, hops6, back6, path6]
- IPv6 Type : [type,domain,host,ipv6,valid,prefixid,ipv6type]
- IPv6 domain : [domain,ns,mx,www,ntp]

The scans will take place on a monthly basis, and you therefore might be receiving recurring security alerts in the future, unless you can parameter your firewall to ignore alerts from our crawler which runs on from 212.124.204.162.
Alternatively, I would be happy to take your domain name out of the crawler's site testing list. If so, please email me the list of domain names which you are in charge of and I'll make sure they are removed from the testing list.

I hope that this email has answered your concerns but if you have any further queries, I am happy to discuss them with you on: 07956 84 1113

Warmest regards,

Olivier

--
Olivier MJ Crépin-Leblond, PhD
http://www.gih.com/ocl.html

--
Olivier MJ Crépin-Leblond, PhD
http://www.gih.com/ocl.html

From ocl at gih.com Tue Aug 17 16:40:37 2010
From: ocl at gih.com (Olivier MJ Crepin-Leblond)
Date: Tue, 17 Aug 2010 17:40:37 +0200
Subject: [IPv6crawler-wg] Fwd: [ipv6-wg] IPv6 RIPEness - Criteria for a Potential Fifth Star Rating - RIPE Labs
Message-ID: <4C6AAD75.6060107@gih.com>

Very interesting article pointing to the RIPE Ripeness page which has pointers to interesting methods and tools, including suggested methods to detecting tunnels etc.

I am pleased to see that the IPv6 Crawler which Sameh and his Team have built already does a lot of this work, and the crawler's not only doing this on Local Internet Registries (LIRs) but on the whole world!

Kind regards,

Olivier

-------- Original Message --------
Subject: [ipv6-wg] IPv6 RIPEness - Criteria for a Potential Fifth Star Rating - RIPE Labs
Date: Tue, 17 Aug 2010 16:06:34 +0200
From: Amanda Gowland
To: ipv6-focus at ripe.net, ipv6-wg at ripe.net, ncc-services-wg at ripe.net

[Apologies for duplicates]

Dear Colleagues,

Earlier this year, RIPE Labs posted an article about IPv6 "RIPEness", a 4-star rating system of LIR IPv6 deployment. In that article, we asked for feedback on what criteria we could use to determine the potential addition of a 5th star to the rating system.

We received some great feedback on how we could determine a 5-star RIPEness rating, you can read about it on RIPE Labs:
https://labs.ripe.net/Members/becha/ipv6-ripeness-5th-star-criteria

As always, any comments or suggestions are welcome. You can send us email or post in the article's comment section.

Kind Regards,

Amanda Gowland
RIPE NCC

From ocl at gih.com Wed Aug 25 01:17:44 2010
From: ocl at gih.com (Olivier MJ Crepin-Leblond)
Date: Wed, 25 Aug 2010 02:17:44 +0200
Subject: [IPv6crawler-wg] ISOC Report Draft
Message-ID: <4C746128.5060601@gih.com>

Dear all,

please find a copy of the IPv6 project report draft that I am planning to send to ISOC. This will also serve as a way to alert ISOC Headquarters about the project's progress, and to have them test the Web site.

This is a draft document, so please do not distribute to third parties.

I would appreciate any feedback, additions etc. within the next 2 days so that I can email it to ISOC by Thursday afternoon. Please let me know ASAP.

Thanks,

Olivier

--
Olivier MJ Crépin-Leblond, PhD
http://www.gih.com/ocl.html

-------------- next part --------------
A non-text attachment was scrubbed...
Name: IPv6 project report.doc
Type: application/msword
Size: 1349120 bytes
Desc: not available
URL:

From ocl at gih.com Thu Aug 26 17:46:16 2010
From: ocl at gih.com (Olivier MJ Crepin-Leblond)
Date: Thu, 26 Aug 2010 18:46:16 +0200
Subject: [IPv6crawler-wg] Fwd: XS4ALL Introduces native IPv6 for DSL customers
Message-ID: <4C769A58.80002@gih.com>

FYI

XS4ALL is a large ISP in the Netherlands. I expect others to follow... sometime...

Kind regards,

Olivier

-------- Original Message --------
Subject: XS4ALL Introduces native IPv6 for DSL customers
Date: Thu, 26 Aug 2010 17:22:34 +0200
From: Marco Hogewoning
To: ipv6-ops at lists.cluenet.de

Sorry for the spam...

Regards,

MarcoH

---

PRESS RELEASE
26 August 2010

IPv6 available for all, starting today

XS4ALL OFFERS IPv6 TO ALL CUSTOMERS

Dutch ISP XS4ALL has officially started providing IPv6 connectivity to all its customers today. The current pool of available IP addresses (IPv4) will likely run dry within one year, forcing ISPs to take action. When there are no longer IPv4 addresses available, new services can only be connected to the Internet via IPv6. XS4ALL has been working hard on implementing the new protocol and the hard labour is paying off: XS4ALL is among the very first providers in Europe to make IPv6 available to its customers, offering them the chance to prepare for the future.

Successful pilot

XS4ALL customers have been able to experiment with IPv6 for some time now, using so called IPv6 tunnelling. This tunnelling technique provides IPv6 connectivity, but is still dependent upon the underlying IPv4 infrastructure. Today's new technology however offers native IPv6, totally independent of the old IPv4 protocol, which makes it truly future proof.

To be able to provide large scale IPv6 connectivity, XS4ALL has recently completed a very successful pilot in which several hundred customers have been testing the new protocol. Thanks to their co-operation and feedback XS4ALL was able to identify several minor problems in its network. With those fixed, we feel confident that the protocol can now be released to the general public.

What's in a name

"Seventeen years ago we were the first to provide internet access to the public in The Netherlands," says Niels Huijbregts, XS4ALL's spokesperson. "Now we're the first to ensure future connectivity as the Internet expands to cover more and more devices and places. Once again we're providing Access for All".

IP addresses are the unique numbers that identify every computer on the Internet. Because of the rapid growth of the net, new addresses are running out.
That's why it's of major importance to start using the new protocol: when all IPv4 addresses have been given out, new services can only be connected to the Internet using IPv6.

"If you start using the new protocol now, there's still time to get used to it and experiment. If you wait too long you run the risk of having to switch in great haste," says Huijbregts.

Flick of a switch

XS4ALL customers can activate IPv6 on their account with a simple flick of a switch in the Service Centre on the company's website. They can start using the new protocol right away, provided they have DSL modem that supports IPv6. Suitable new modems will be provided to customers who renew their contract.

Now that this important milestone has been reached, XS4ALL will focus on adjusting all mail and web servers, the last step in making the company fully IPv6-ready.

For more information please call Niels Huijbregts, XS4ALL's spokesperson