#arpnetworks 2015-07-19,Sun


Who What When
mercutio: genericweb [00:01]
kellytk: Thank you mercutio. Leveraging the reserved domain "example.com" was too attractive in the end and I went with that. As you'll see, it worked out [00:11]
.................. (idle for 1h25mn)
Is it a selling point for company websites running over HTTPS? (this does not include signing in et. al naturally) [01:36]
................... (idle for 1h33mn)
mike-burns: I block JS, images, and cookies from non-HTTPS Web sites. [03:09]
mercutio: most sites are shifting towards https
some quicker than others
there's positives and negatives.
[03:17]
............... (idle for 1h10mn)
*** SpaceDump has quit IRC (Ping timeout: 255 seconds)
SpaceDump has joined #arpnetworks
[04:27]
........................ (idle for 1h56mn)
grody: bespokeserver.com
i think i call most of my servers AvinIT v.blah
[06:23]
......................... (idle for 2h0mn)
m0unds: https://blog.shodan.io/its-the-data-stupid/ [08:24]
........................................................ (idle for 4h38mn)
kellytk: mike-burns: May I ask why you block images from non-HTTPS websites?
grody: That isn't a real site is it? The menu links don't work
[13:02]
mike-burns: kellytk: images can be exploited at a surprising rate. My bias: I am (one of) security@ for my company. We make a bunch of open source products, including a file uploading library for Rails (we make Paperclip). I've dealt with multiple emails to security@ for vulns (all of which are fixed now so I can talk about them) around using image uploads to exploit Web browsers.
So I figure: if I'm going to be exploited, I want it to be by the Web site itself and not from some MITM.
Given how crazy font rendering is, I'd block custom fonts from non-HTTPS if I could figure out how.
[13:10]
kellytk: mike-burns: That makes sense, thank you [13:13]
.............. (idle for 1h5mn)
*** solj has joined #arpnetworks [14:18]
....... (idle for 33mn)
dj_goku_ has joined #arpnetworks
dj_goku has quit IRC (Read error: Connection reset by peer)
solj has left
acf__ has quit IRC (Ping timeout: 240 seconds)
acf_ has joined #arpnetworks
[14:51]
grody: kellytk, im not entirely sure.. the location is not far from me, but i have never heard of them
it's been registered by what looks like an individual, no company name - but that doesn't mean they aren't a sole trader
was just some random site i remember i helped a customer to use for their site (since it was an sitebuilder site)
s/an/a/
[14:55]
BryceBot: <grody> was just some radom site i remember i helped a customer to use for their site (since it was a sitebuilder site) [14:57]
grody: simple, clean, efficient, no hidden palava or mind numbing navigation
i imagine the holder of example.com gets a lot of traffic if they were to run MTA/HTTP
[14:59]
staticsafe: example.com is run by IANA and is defined in RFC to be used for documentation etc. [15:07]
m0unds: ^ [15:08]
grody: there ya go :)
i noticed an odd thing with IANA assigned IPv6 for "special use" when i misconfigured an IP41 on a 3G connection with no actual support for it - was quite shocked as i never saw that before
it ofc didn't work, but before it'd link local only
[15:09]
kellytk: staticsafe: That's why I went with it, and said last night "Leveraging the reserved domain "example.com""
It's too convenient to pass up
[15:17]
.... (idle for 18mn)
mercutio: example.com has no MX record [15:35]
........ (idle for 39mn)
*** grody has quit IRC (Ping timeout: 246 seconds) [16:14]
grody has joined #arpnetworks [16:26]
grody: :(
&%"%! IPSec ^&"(!£ pfSense
[16:29]
....................... (idle for 1h50mn)
mercutio, 417mbps [18:19]
mercutio: huh? [18:20]
grody: NAT traffic this router will handle (software)
was a simple port to port with masq
claims 900 in hardware (original firmware) - it became unresponsive when i saw it hit 417mbps
that meets the (if ever) 300mbps service i may one day dream of
[18:20]
m0unds: grody: what packet size were you testing with?
i'd almost guarantee the claim is based on ~1500byte frame size
testing with IMIX wouldn't look as good from a marketing standpoint
[18:23]
grody: yea 1500
did read that 3000 should work (probably 9000) but meh
technically that should reduce load
i wonder...
bit scared of tampering MTU actually on this switch.. had to fiddle it just to get 1508 MTU on PPPoE
[18:25]
m0unds: heh [18:28]
grody: wasn't as straight forward as it should have been
bizarre as hell though
small PI space i manage, added a rule to allow a sort of spoofing from my @home IPs and routed them via it
me > tunnel > server (No NAT) > | > server > me
odd as hell
trying to fix policy routing between ARP | ME | OVH to have a simple choice exit point based on dest IP w/o sending crap or bad traffic
[18:28]
mercutio: bgp! [18:37]
....... (idle for 31mn)
grody: http://www.speedtest.net/my-result/4517203674
thats interesting
yea sadly i no longer own any PI space, i do manage a /22 mind
didnt actually realise this host was on the west coast
[19:08]
mercutio: you didn't know arp was on west coast? [19:10]
grody: lol no
i did wonder why the ping was 70 odd ms higher than my NYC server
might have to get some PI/PA on IPv6 - should be easy enough
gonna have to poke around NZ, see what route it takes to ARP
[19:10]
mercutio: you don't necessarily need pi space for ipv6
you just need permission to re-advertise the space.
[19:13]
grody: hmm
then again.. most provision of IPv6 i have are /48's
ARP, AA and even HE
have the blocking weird with AA - routed as /52's
ideally i want to mesh all my VPS into a single VBC of sorts, with Alias IPs on each IP allocation each provider offers
that way they can all use their own IPs from their providers, but take alternate routes for other kinds of policy routing
ie: now all my traffic from @home to ARP and OVH is OpenVPN first, if OVPN link down, over internet as-is
[19:14]
mercutio: sounds complicated [19:20]
grody: i can divert one (or more) hosts or subnets via a designates gateway (US/FR/UK) as request, even if the IP sourcing is a public IP of another hoster, it gets NATd on the outbound of given exit
im not allowed to do simple things
been setting this up more precisely all weekend with lots of success.. i went to print a letter of resignation the other day and my wireless printer decided it wasn't going to work
it took me ages to figure out CUPs on the laptop was using the old printer (static) location and not it's dynamic/discoverable
gonna have to add the NYC into this now.. learning ARP is on west coast is just icing on the cake :D
ideally i can send NZ via US to UK and not via it's stupid satellite uplink over china/rus/eu
[19:20]
mercutio: satellite? [19:25]
grody: im guessing.. the latency is about 300ms higher than it should be [19:25]
mercutio: for nz?
for new zealand?!
[19:25]
grody: sounds about right for 170 miles + 2000 mules + 170 mules
yea
[19:26]
mercutio: there's no satellite here [19:26]
grody: i get about 600 there, 600 back [19:26]
mercutio: what [19:26]
grody: really?
where does it go?
[19:26]
mercutio: well not for normal people
there's cables to australia that go to japan
[19:26]
grody: ahhh [19:26]
mercutio: and cables from australia to singapore [19:26]
grody: nothing to US? [19:26]
mercutio: and there's cables direct to the US
err via guam
[19:26]
grody: hmm [19:27]
mercutio: umm
what are your ping times to japan like?
jp.meh.net.nz
is easy site to test to
[19:27]
grody: from UK 290ms from ARP 100ms
i wonder
[19:28]
mercutio: yeh so going via japan could give 500msec pings or something [19:28]
grody: 260ms going via ARP from UK [19:28]
mercutio: you know that your ping time to arp is less than 190 msec :) [19:28]
grody: wait what
how teh..
[19:28]
mercutio: it was 80msec from arp to jp.meh.net.nz
it's 108 atm for me
ok what about emerald.meh.net.nz
what are your pings like to that?
[19:28]
grody: my routes are broken again :/ [19:30]
mercutio: oh [19:30]
grody: oh wait.. pings are L2
haha
i was routing TCP/UDP
[19:30]
mercutio: ahh [19:30]
grody: L3 sorry [19:31]
mercutio: if it's 600 something is whack [19:31]
grody: 300 [19:32]
mercutio: yeh
that's more normal
that's in new zealand
what were you saying about weird routes?
[19:32]
grody: well, 294 [19:32]
mercutio: where to? [19:32]
grody: thats going via ARP over the OpenVPN [19:32]
mercutio: oh
what's it like native?
i know the arp route is fine :)
[19:32]
grody: 260
so not a massive loss
[19:32]
mercutio: 260 is damn good [19:33]
grody: gameservers :) [19:33]
mercutio: there's meant to be a new transatlantic cable sometime [19:33]
grody: yea, my ISP has a pretty epic network [19:33]
mercutio: which should bring down EU<->US ping
gameservers is vultr
jp.meh.net.nz is on vultr
it's been having some network issues recently though
i have a few vultr vm's i use for testing things
and they all seem to have issues :/
[19:33]
grody: sounds like a phase heartinternet here went through
no idea what it was.. had a few VPS and they went from great to ^&%£
used to be a really good and cheap provider here years ago that were first to offer freebsd guests.. was brilliant until they sold their souls
i even gave up reselling VPS because the platforms broke more than they fixed
[19:35]
mercutio: heh [19:37]
grody: i think a handful of my customers ended up using ARP
since i diverted them here when i shut it down
remember doing that, site was google adsensed and for the next 6 months i kept getting ARP ads
oddly you said BGP as i was speed testing the UK > ARP routing and it was advertising BGP peers
i swear browsers steal text from screen
wow.. ARP to that host is 100ms
[19:37]
mercutio: to what host? [19:41]
grody: that .nz host [19:41]
mercutio: jp? [19:41]
grody: ARP goes via CORESITE to asiannet then scnet and whatever [19:42]
mercutio: jp is japan [19:42]
grody: UK goes the same route from asiannet out [19:42]
mercutio: emerald is nz though [19:42]
grody: AA > LINX > AISANET
ah, ARP > Phyber > Coresite > AsiaNet
wonder what happens between Linx and asianet - it's a direct hop and goes from 10ms to 150ms
http://pastebin.com/6Wp1gb1t
[19:42]
mercutio: yeah pacnet suck [19:46]
grody: http://pastebin.com/7QUTMxnH [19:46]
mercutio: i dunno 150 from uk to los angeles is normal [19:46]
grody: similar with ARP [19:46]
mercutio: hop 5 is los angeles
hop 6 is japan
[19:46]
grody: yea, lax [19:46]
mercutio: i suspect
aimless is a weird name for a router
[19:46]
grody: haha
AA name all their stuff something"less"
i should obtain a .net.uk for network naming
but i like the comedial effect
comical?
[19:47]
........ (idle for 38mn)
interesting flaw in pfsense
regardless of firewall rules, openvpn client in tap mode to server, server to client can talk to networks in reach via the openvpn
[20:26]
........................... (idle for 2h12mn)
*** dj_goku_ has quit IRC (Read error: Connection reset by peer) [22:38]
dj_goku has joined #arpnetworks [22:44]
............ (idle for 57mn)
plett: grody: You would need to be an ISP to get a .net.uk [23:41]
