[129463] in North American Network Operators' Group
Re: IPv4 squatters on the move again?
daemon@ATHENA.MIT.EDU (Christopher Morrow)
Tue Sep 7 12:15:19 2010
In-Reply-To: <Pine.LNX.4.61.1009071026370.5148@soloth.lewis.org>
Date: Tue, 7 Sep 2010 12:14:12 -0400
From: Christopher Morrow <morrowc.lists@gmail.com>
To: Jon Lewis <jlewis@lewis.org>
Cc: Jeffrey Lyon <jeffrey.lyon@blacklotus.net>, NANOG list <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
On Tue, Sep 7, 2010 at 10:35 AM, Jon Lewis <jlewis@lewis.org> wrote:
> On Tue, 7 Sep 2010, Christopher Morrow wrote:
>> I used to have some quick/dirty instructions for how to verify that
>> the traffic was in fact proxy traffic, something like:
>> 1) log traffic from the soon-to-be-ex-customer (acl logs are fine)
>> 2) pick an external 'top talker'
>> 3) route that /32 to a host you control
>> 4) run NC on the port that /32 is being contacted on
>> 5) rejoice (and shut now ex-customer interface) when you see: "CONNECT
>> smtp.xxxxx:25"
>
> Seems like a lot of work when you could just setup a monitor session on
> their port and capture a few minutes of actual spam traffic as evidence just
> before shutting their port.
sorry, can't do monitor on a ptp oc-12 link :(
