Only Friends.
Wednesday, December 30, 2009
Wednesday, December 16, 2009
Educational Cartoons
The appearance of a new cartoon about DNS reminded me of an old (about 10 years old) cartoon about TCP/IP:
UPD: For those who have difficulty with English, here is the video (mpeg) and Russian subtitles for it.
Tuesday, December 15, 2009
Distributed Search Engine, IM and social networking in one bottle
I thought it would be very useful to create a distributed search engine, or rather a distributed social network, as an alternative to Google.
First, what would I like to do? I see these goals:
- a search engine (in many areas: file search, search by a hierarchy of relevance);
- a communication environment: IM (including audio and video), a social network, including communication between people behind NAT/proxy; the spam problem;
- interest groups (similar to forums, communities or newsgroups);
- blogs, hosting, wiki;
- security, authentication, encryption;
- a web interface, so the user does not need to install special software.
There are several options for distributed systems:
- like STP or the DR/BDR mechanism in OSPF. In fact, centralization with a self-elected center.
- like Usenet or BGP. Everyone keeps their own copy, which under normal circumstances should be identical and kept synchronized.
- like DNS. At the top of the hierarchy there are several fixed servers, but not all requests pass through the top.
- like Jabber or email. The user is tied to a specific server, which is indicated in the user's address.
- like Fido. The address specifies routing down to a certain level of detail (networks), and the rest is decided locally.
In such circumstances the questions immediately arise:
1. How to ensure coherence of the system? That is, what to do if the links between two parts of the system break and these parts are no longer connected to each other? I think that in this case the parts must remain viable without the whole, but must "merge" when possible. I think it is wise to use anycast, as well as to build "distant" links, i.e. links to the most remote nodes of the graph (remote not geographically but topologically), i.e. the graph should be balanced, not flat.
2. How to protect against compromise of information, e.g. when someone creates a million virtual servers and gives himself whatever rating he wants?
On the one hand, the user name must be unique; on the other, names like Serg78243 look clumsy, so plain numeric logins, as in ICQ, are better. A domain hierarchy (as in email) ties the user to servers and is actually not justified: it still turns into a flat .com band, or some other plane, and the problem of name uniqueness is still not solved. I cannot think of anything simpler than ICQ: a non-unique nick plus an automatically issued unique numeric UIN. Only the numeric UIN must be sufficiently large and random to avoid conflicts, because we want two parts of such a network to be able to exist separately from each other and then merge together.
Where and how to store information about the user (password, contact list, last-read records, blog, etc.)? Obviously on some nodes, and which nodes should be determined by the user's login: either by his UIN (some hash of it), or by cookies. That is, if the cookies do not carry this information (for example, the user has come from a new location), crc16(uin) defines the group of nodes that know about all users with that hash, in the sense that they know which nodes are responsible for which users. Each node can join any group, and all nodes know the upper level of the hierarchy (65536 groups) and receive updates about changes at this level. Of course, the number 65536 is taken from the ceiling; the number of hierarchy levels and the degree of branching can vary and should do so automatically depending on the total number of nodes in the network, the resources required and the reliability wanted. The user does not know on which node the information about him is stored; it wanders among the nodes and is abstractly "in the network". When sending messages to users who are offline, the message waits on the sender's node. Thus the user knows that as long as his favorite server is working, his message will not be silently lost.
Searching for users by different criteria (first/last name, city, age, etc.): this problem closely overlaps with the task of implementing a distributed search engine (an alternative to Google). In general, I imagine an algorithm like this: the user types a query such as "short poems about love". The next hop performs a primary semantic analysis of this request, then determines the group of nodes responsible for these categories, gets answers from them, sorts them and produces the result. In doing so it must compute some kind of crc of the requests "short", "poems", "love", "short poems", "poems about love", for each of these categories determine the group of nodes specializing in them, and send queries to them; they can drill down on these requests through the hierarchy, passing requests to other servers and collecting the answers from them. Here, of course, one needs to build on existing developments in the field of neural networks. In addition, each node can gradually scan nearby (or random, or "its own") web sites, index them and report the results to those servers that specialize in the information found.
Spam. Here, it seems to me, it's simple. I want to receive messages from those who are somehow connected to me, who somehow found me: either through mutual friends, or through common interests, or through some other connection. Then it is not spam. If the one who sent me a message is not connected to me in any way, it's spam. Of course, spam is not a binary concept; a message may be spam to a greater or lesser degree. The more people a person is interested in, the less his interest in each of them. The longer the chain of acquaintances, the less trust in the message. And it is even better when, sending the first message (or a request to establish a link), one explicitly specifies the path. For example, if I wrote a utility and gave my UIN for communication about this utility, I create a community (interest) for the utility; accordingly, a person wanting to contact me must first declare his interest in this tool and then connect with me, pointing out our common interest; then it will be clear that this is not spam, and how the person got my contact. The information about a person's interests should not be publicly available. How can something be stored in an open distributed system and not be publicly accessible? Very simple: it should be encrypted with a user-defined password and disclosed only on request.
How to deal with criminals, that is, with nodes that are built into the network and work by a somewhat different algorithm: falsifying search results (rigging ratings), using confidential information about users (including passwords) for their own purposes? Given the random distribution of users between nodes, an attacker cannot know in advance which users he will serve. He cannot ask for too much, cannot serve everyone all the time: he will get fewer requests due to congestion. If he does not give the information that parallel nodes (specializing in the same users and the same topics) give, his credibility falls. And the passwords of casual users are unlikely to be of interest. Besides, if we do not lock ourselves into http, we can use DSA authorization (or another keypair), so that even when authorizing a user, a node has no opportunity to get his password and do anything on his behalf. In general, if we evaluate the reputation of servers, then rigging a rating without losing reputation will be no easier than creating the same wave of LiveJournal postings from pseudo-users, promoting or discrediting certain sites or companies. (I'm not saying it's impossible.)
Of course, the client interface may differ at different nodes. Somewhere on the web, with or without ajax, somewhere as a plugin, somewhere as a standalone client... The user can choose what he prefers, for reasons of convenience and reliability. Hence, healthy competition.
What are your thoughts on this? I clearly do not have enough knowledge about the theory of neural networks. I would be grateful for comments and advice.
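As an added illustration (not code from the post), here are the pieces the design above leans on: a large random UIN, crc16(uin) choosing the group of nodes responsible for a user, two partitions merging their directories without conflict, and the "chain of acquaintances" spam rule. The 64-bit UIN size, the 1/hops trust formula and all names are assumptions of the example.

```python
"""Added example, not code from the post: UIN issuance, crc16 placement,
partition merge and chain-of-acquaintance trust for the design sketched
above. Standard library only; names are the example's own."""
import binascii
import math
import secrets
from collections import deque
from typing import Dict, List, Optional, Set, Tuple

GROUPS = 65536    # the post's top-level group count, "taken from the ceiling"
UIN_BITS = 64     # assumption: UINs are random 64-bit integers issued locally


def new_uin(bits: int = UIN_BITS) -> int:
    """Issue a UIN with no central registry: just a large random number."""
    return secrets.randbits(bits)


def responsible_group(uin: int) -> int:
    """crc16(uin) names the group of nodes that know where this user's data
    lives. binascii.crc_hqx is CRC-16/CCITT; any fixed CRC works as long as
    every node uses the same one, so two partitions agree without talking."""
    return binascii.crc_hqx(uin.to_bytes(UIN_BITS // 8, "big"), 0xFFFF) % GROUPS


def collision_probability(bits: int, users: int) -> float:
    """Birthday bound on two random UINs coinciding among `users` users."""
    return -math.expm1(-users * (users - 1) / 2 ** (bits + 1))


class Partition:
    """One connected part of the network: directory group -> {uin: home node}."""

    def __init__(self, name: str) -> None:
        self.name = name
        self.directory: Dict[int, Dict[int, str]] = {}

    def register(self, uin: int, home_node: str) -> int:
        group = responsible_group(uin)
        self.directory.setdefault(group, {})[uin] = home_node
        return group

    def locate(self, uin: int) -> Optional[str]:
        return self.directory.get(responsible_group(uin), {}).get(uin)


def merge(a: "Partition", b: "Partition") -> Tuple["Partition", List[int]]:
    """Re-join two partitions. Placement depends only on the UIN, so the
    directories simply union; a UIN registered in both with different home
    nodes is reported as a conflict rather than silently overwritten."""
    merged = Partition(a.name + "+" + b.name)
    conflicts: List[int] = []
    for part in (a, b):
        for group, users in part.directory.items():
            target = merged.directory.setdefault(group, {})
            for uin, node in users.items():
                if uin in target and target[uin] != node:
                    conflicts.append(uin)
                else:
                    target[uin] = node
    return merged, conflicts


def trust_score(contacts: Dict[int, Set[int]], sender: int, recipient: int,
                max_hops: int = 4) -> float:
    """The post's spam rule: no chain of acquaintance to me means spam
    (score 0); the longer the chain, the lower the trust. Assumption:
    score = 1 / hops along the shortest chain; chains beyond max_hops count as none."""
    if sender == recipient:
        return 1.0
    seen = {recipient}
    frontier = deque([(recipient, 0)])
    while frontier:
        node, hops = frontier.popleft()
        if hops == max_hops:
            continue
        for friend in contacts.get(node, set()):
            if friend == sender:
                return 1.0 / (hops + 1)
            if friend not in seen:
                seen.add(friend)
                frontier.append((friend, hops + 1))
    return 0.0


if __name__ == "__main__":
    east, west = Partition("east"), Partition("west")
    alice, bob = new_uin(), new_uin()
    east.register(alice, "node-e1")
    west.register(bob, "node-w3")
    whole, clashes = merge(east, west)
    print(whole.locate(alice), whole.locate(bob), clashes)
    print("P(collision), 1e6 64-bit UINs: %.1e" % collision_probability(64, 10 ** 6))
    graph = {1: {2}, 2: {1, 3}, 3: {2}, 4: set()}   # constructed: 4 is a stranger
    print(trust_score(graph, 3, 1), trust_score(graph, 4, 1))
```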
Friday, December 4, 2009
It's a conspiracy
For a person it is natural to identify something by successive refinement, and not the other way round. City, street, house and apartment. Or hour, minute, second. Or hundreds, tens, ones. In general, it is understandable.
However, some write/read from left to right, some from right to left, as they were taught; so there is nothing "intuitive" here, it is a tradition, just as there are countries with left- and right-hand traffic. Arabs and Jews write from right to left, Europeans and Americans from left to right.
So. Why do internet domain names have the form firma.kiev.ua, which makes the more intuitive successive refinement have to be read from right to left? Why not ua.kiev.firma (as in the Usenet conference hierarchy, in Fido echoes and many other places)? Were the authors of DNS Jews or Arabs? After all, even for resolving, a domain must be parsed successively from right to left (first ua, then kiev.ua, then firma.kiev.ua), which is completely illogical for English.
I'm not even talking about the Intel architecture, which stores numbers with the leftmost byte being the least significant: nobody writes like that, neither Jews nor Arabs, as far as I know. And so every time such numbers are sent to the network the bytes have to be rearranged, and on receipt changed back, because on the network, thankfully, the normal order is used (the most significant byte first, then the less significant ones). What's the trick of the inverted byte order? To be able to write a four-byte integer and then read a two-byte one at the same address, and if the number was small, get the right result? Somehow it looks feeble as an argument.
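The two claims above, that a resolver has to consume the name from the right and that little-endian storage lets a narrow read at the same address still return a small value, checked in code. This is an added illustration, not part of the post; the function names are the example's own.

```python
"""Added illustration for the post above: why a resolver walks a domain name
from the right, and what little-endian storage buys on a narrow read.
Standard library only; function names are the example's own."""
import socket
import struct
from typing import List


def resolution_chain(fqdn: str) -> List[str]:
    """The order a resolver must refine the name in: TLD first, then each
    label to its left. 'firma.kiev.ua' -> ['ua', 'kiev.ua', 'firma.kiev.ua']."""
    labels = fqdn.rstrip(".").split(".")
    return [".".join(labels[i:]) for i in range(len(labels) - 1, -1, -1)]


def refinement_order(fqdn: str) -> str:
    """The same name written general-to-specific, the 'ua.kiev.firma' form
    the post compares with Usenet and Fido hierarchies."""
    return ".".join(reversed(fqdn.rstrip(".").split(".")))


def read_narrow(value: int, endian: str) -> int:
    """Store a 4-byte unsigned integer, then read 2 bytes back at the same
    address. endian is '<' (little, x86) or '>' (big). With little-endian
    layout a value that fits in 16 bits survives the narrow read; with
    big-endian the read returns the high half instead."""
    buf = struct.pack(endian + "I", value)
    (narrow,) = struct.unpack_from(endian + "H", buf, 0)
    return narrow


def bytes_on_wire(value: int) -> bytes:
    """Network byte order is big-endian: most significant byte first."""
    return struct.pack("!I", value)


def wire_roundtrip(value: int) -> int:
    """Host -> network -> host, the swap-and-swap-back the post complains
    about on a little-endian host; lossless whatever the host order is."""
    return socket.ntohl(socket.htonl(value))


if __name__ == "__main__":
    print(resolution_chain("firma.kiev.ua"), refinement_order("firma.kiev.ua"))
    print(read_narrow(300, "<"), read_narrow(300, ">"))   # 300 vs 0
    print(bytes_on_wire(0x01020304).hex(), hex(wire_roundtrip(0xDEADBEEF)))
```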
Tuesday, November 17, 2009
More about JUNOScripts
JUNOScripts (among other things) make it possible to respond automatically to various events. For example, on detecting 2% loss on a link, to raise the OSPF metric. The mechanism is powerful and flexible.
In our case, two applications came up:
1. We needed to provide redundancy for L2 transport. On one of the paths BPDUs do not pass, so no STP variant fits (BPDU tunneling does not work either).
2. Traffic to a client is distributed over two links as multipath BGP, and the client's bandwidth should be limited to the sum of these two paths. Since the rate limit on the MX is applied on each I-chip independently and the client's subinterfaces belonged to different physical 10GE interfaces, a straightforward bandwidth limit could not be achieved.
Both problems were successfully solved with event scripts.
In the first case, a reaction either to OSPF or to ping tests. If the main link falls, the specified list of VLANs is removed from this trunk and added to the trunk towards the backup link. When the main link comes back up, the configuration is reverted. Script
The second is a reaction to a change of BGP state with the client. If both sessions are alive, each of the subinterfaces is given a limit of half the client's bandwidth. If one of the BGP sessions falls, the policer on the remaining one is raised to the full bandwidth. Script
There are no tricks in the event-policy configuration, so I do not quote it, and I am just lazy. If anyone is interested, I will show it; moreover, since the scripts have no description, for someone not versed in SLAX it is problematic to understand how and with what parameters to run them, sorry.
In general, everything works. However, there are nuances.
It would seem that on the fall of OSPF or a physical interface you can say "shutdown" in one place (well, or "set disable") and "no shutdown" (i.e. "clear disable") in the other directly, and the response time of such a mechanism can be much better than rapid-STP. Indeed: the interface went down, OSPF immediately dropped, the event immediately fired, the script ran, the config changed; all in all tens of milliseconds (well, maybe a hundred). But then the commit takes about a minute. :-( It's not like Cisco, where shutdown and no shutdown are processed immediately.
The second nuance: how to lock configuration changes? What if someone is currently editing the configuration? If you just open the configuration, make changes and commit, we risk committing someone's unfinished changes. If we use exclusive, we simply will not be allowed to change the configuration, and will not switch to the backup channel when the primary falls. If private, we run the risk of someone's changes (human or script) made during our commit being silently undone. Nevertheless, making the script's changes private is the most viable option, and for manual changes the usual edit (without options). So the risk obtained is minimal (though nonzero).
Maybe implement our own lock inside the script? For example, create a semaphore file while editing the configuration. Alas, the idea failed: when attempting to execute any "file ..." command from a script we get the error "Operation allowed only from CLI". A functional language is not supposed to touch external resources. :( Some kind of protection could be made through jcs:dampen(), which stores data in the file system, but I would not say that this protection is beautiful and reliable.
Well, among other things, it turned out that scripting support in general is still quite crude and buggy. For example, in 9.5R1 spaces were appended to the end of the script parameters. On 9.5R2, for some reason, editing in private and adding a comment to the config (junos:comment) do not work together: either private, or comment, but not both. If you try to run the event script not as root, you get the error:
Oct 31 16:31:32 eventd[932]: UI_DBASE_OPEN_FAILED: Database open failed for file '/var/run/db/schema.db': Permission denied
Oct 31 16:31:32 eventd[932]: UI_CONFIGURATION_ERROR: Process: eventd, path: <none>, statement: <none>, Opening configuration database: Could not open database schema
Sometimes, if you want to close the session gracefully (not just drop the connection, but say request-end-session), we get the following:
Oct 29 11:28:37 rpc name: request-end-session
Oct 29 11:28:37 buffer trace: normal: 0x80e8000 (364/0x16c)
Oct 29 11:28:37 buffer: {{{<?xml version="1.0" encoding="us-ascii"?>}}}
Oct 29 11:28:37 buffer: {{{<junoscript xmlns="http://xml.juniper.net/xnm/1.1/xnm" xmlns:junos="http://xml.juniper.net/junos/9.5R2/junos" schemaLocation="http://xml.juniper.net/junos/9.5R2/junos junos/9.5R2/junos.xsd" os="JUNOS" release="9.5R2.7" hostname="" version="1.0">}}}
Oct 29 11:28:37 buffer: {{{<rpc-reply xmlns:junos="http://xml.juniper.net/junos/9.5R2/junos" xmlns="">}}}
Oct 29 11:28:37 buffer trace: normal: 0x80eb02d (15/0xf)
Oct 29 11:28:37 buffer: {{{<end-session/>}}}
Oct 29 11:28:37 buffer trace: normal: 0x80ed154 (13/0xd)
Oct 29 11:28:37 buffer: {{{</rpc-reply>}}}
Oct 29 11:28:37 buffer trace: normal: 0x80eb161 (69/0x45)
Oct 29 11:28:37 buffer: {{{]]>]]>}}}
Oct 29 11:28:37 buffer: {{{<!-- session end at 2009-10-29 11:28:37 EET -->}}}
Oct 29 11:28:37 buffer: {{{</junoscript>}}}
Oct 29 11:28:37 buffer trace: read fails: 0x80ef1a6 (0/0x0)
Oct 29 11:28:37 error: [filename: xmn:rpc results] [line: 6] Sequence ']]>' not allowed in content
Oct 29 11:28:37 error: [filename: xmn:rpc results] [line: 6] [input: detected an error in element content] internal error
Oct 29 11:28:37 error: [filename: xmn:rpc results] [line: 6] Extra content at the end of the document
Oct 29 11:28:37 commit script: xml-mode: could not read content
Oct 29 11:28:37 invalid reply to rpc
Oct 29 11:28:37 could not get reply
Oct 29 11:28:37 xmlXPathCompiledEval: evaluation failed
Oct 29 11:28:37 runtime error: file /var/db/scripts/op/move-vlans.slax element value-of
Oct 29 11:28:37 XPath evaluation returned no result.
In general, scripts are a good thing, but I hope future versions will be even better. :)
Sunday, November 15, 2009
DoS & DDoS
Everyone is accustomed to the fact that from time to time there are DoS and DDoS attacks. What to do about them?
Resource owners and admins of corporate networks try to protect themselves. All kinds of IDS, IPS, PIX, ASA, Netscreen, and many other buzzwords. This approach is logical, but has an obvious drawback: if the attack has brought down the border router, or saturated the channel to the ISP, the means of detecting and preventing attacks located inside are useless; the ISP's assistance is needed.
What can the ISP do, how can it protect customers? After all, its task is to transmit IP traffic with maximum quality (reliably, fast and without loss); filtering is not among its functions. At ISP traffic volumes, filtering (IPS) would cost unreasonably much; customers simply do not need such a service for that money. And setting up filters is a time-consuming and individual process; every client has their own needs and idiosyncrasies.
The ISP's reaction is needed only if the attack has brought down the channel or the client's border router. Otherwise the client has the opportunity to filter by itself, and shifting this function to the ISP makes no sense. Automatic filtering on the ISP side can be harmful. For example, quite legitimate video traffic can be mistakenly regarded as a DoS (a big UDP stream) and filtered, for which the customer obviously will not be thankful.
One reasonable and common solution is BGP blackhole (RFC 3882). It allows the customer to filter traffic to the attacked IP at the upstream on its own, by announcing the /32 with a pre-agreed community. Even if the client's router fell from the attack, the BGP announcement of the target network stops, there is no traffic, and BGP can come up again, now with a blackhole announcement for the attacked host. Provided the customer was able to determine which host is being attacked. The downside is that it is coarse filtering: all traffic to the specified IP address is blocked regardless of source, protocol, etc. The attacked host is sacrificed so that the rest does not suffer. The advantage is that no assistance from upstream personnel is needed.
The result is that the ISP should not automatically filter DoS attacks on clients, but must have information about attacks both on its clients and from them (botnets), in order to be able, if necessary (if the attack has completely saturated the client, or at the client's request), to quickly filter out the attack, even if the client does not know where it comes from and where it goes. Since the attack often leads to an interruption of service (actually, that is its purpose), it is desirable to have the information quickly and in as much detail as possible (what kind of attack, its intensity, what is going on at the client, how its routers feel, etc.) in order to make the decision (filter and inform the client, do not filter and inform the client, ignore). Here only crude attacks (pps, cps) matter to the ISP, and content analysis (viruses, hacking activity, even syn flood) is something the client can fight alone. Under this scheme we have been working for more than a year; we like it, and the customers, it seems, do too. :-)
More details about the implementation.
Sampled netflow is taken from the external links. As practice shows, a rate of 8192 is sufficient to detect attacks. This flow is kept for some time (a couple of hours, no more) via flow-tools and, in addition, goes to a special self-written daemon, dds, which deals with the detection of attacks. In case of abnormal activity (e.g. from host x.x.x.x to client host y.y.y.y a udp stream of 40 Kpps is detected), a script runs that raises an alarm on the monitoring screen for the duty shift and also writes a letter containing:
- information about the attacked host (which AS and which client it belongs to);
- how mtr currently sees this host (how alive the routers along the way and the attacked host itself are);
- a listing of the traffic related to this anomaly in the last 5 minutes, from what was saved in flow-tools.
This is enough information for a person to be able, without undue delay and research, to decide what to do. From the flow listing one can see from which and to which ports the traffic comes and how much it looks like legitimate traffic. From mtr, how much the client is suffering from this attack. Technically, one could under certain conditions filter the attack automatically, but personally I am afraid to automate these actions, the more so on the ISP's side.
The dds daemon can be given a command "
By the way, I have long wondered how people fight DoS attacks without dds? If there is an attack and the router is suffering, how do you find out which host is attacked, and from what source? Are there any similar utilities?
Everyone is used to the fact that DoS and DDoS attacks happen from time to time. What should be done about them?
Resource owners and admins of corporate networks try to protect themselves: IDS, IPS, PIX, ASA, Netscreen and many other buzzwords. This approach is logical, but it has an obvious drawback: if the attack has knocked out the border router or saturated the channel to the ISP, the detection and prevention tools located inside are useless; you need help from the ISP.
What should an ISP do, how should it protect customers? After all, its task is to carry IP traffic with maximum quality (reliably, fast and without loss); filtering is not among its functions. At ISP traffic volumes, filtering (IPS) would cost an unreasonable amount, and customers simply do not need such a service at that price. Besides, setting up filters is a time-consuming and individual process: every client has its own needs and peculiarities.
A reaction from the ISP is needed only if the attack has saturated the client's channel or knocked out its border router. Otherwise the client can filter by itself, and shifting this function to the ISP makes no sense. Automatic filtering on the ISP side can even be harmful: for example, perfectly legitimate video traffic (a big UDP stream) may be mistaken for a DoS and filtered, for which the customer will obviously not thank you.
One reasonable and common solution is BGP blackholing (RFC 3882). It lets the customer independently filter traffic to the attacked IP at the upstream by announcing a /32 with a pre-agreed community. Even if the attack has knocked the client's router down, the BGP announcement of the target network stops, the traffic stops, and BGP can come up again, this time with a blackhole announcement for the attacked host. The client, however, has to determine which host is being attacked. The downside is that the filtering is coarse: all traffic to the specified IP address is blocked regardless of source, protocol, etc. The attacked host is sacrificed so that the rest does not suffer. The advantage is that no help from upstream personnel is needed.
The conclusion is that the ISP should not automatically filter DoS attacks on its clients, but it must have information about attacks both on its clients and from them (botnets), so that if necessary (if the attack has completely saturated the client, or at the client's request) it can quickly filter the attack, even if the client does not know where it comes from and where it is going. Since an attack usually leads to a service interruption (that is, after all, its purpose), it is desirable to have the information quickly and in as much detail as possible (what kind of attack, its intensity, how the client's routers feel, etc.) in order to make a decision (filter and inform the client; do not filter and tell the client; ignore). In this picture only crude attacks (pps, cps) matter to the ISP, while content analysis (viruses, hacking activity, even SYN flood) is something the client can fight on its own. We have been working under this scheme for more than a year; we like it, and the customers seem to like it too. :-)
More details about the implementation.
Sampled NetFlow is collected on the external links. As practice shows, a sampling rate of 1:8192 is sufficient to detect attacks. The flow data is kept for a while (a couple of hours, no more) with flow-tools and, in addition, goes to a special home-grown daemon, dds, which does the attack detection. In case of abnormal activity (e.g. a UDP stream of 40 Kpps from host xxxx to the client host yyyy is detected) it runs a script that raises an alarm on the monitoring screen for the duty shift and also writes a letter containing:
- information about the attacked host (which AS and which client it belongs to);
- what mtr to this host currently looks like (which routers along the path are alive, and whether the attacked host itself is);
- a listing of the traffic related to this anomaly for the last 5 minutes, taken from what flow-tools saved.
This is enough information for a person to decide what to do without undue delay and research. From the flow listing one can see from where and to which ports the traffic comes and whether it looks legitimate; from mtr, how much the client is suffering from the attack. Technically one could, under certain conditions, filter the attack automatically, but personally I am afraid to automate such actions, all the more so on the ISP side.
The dds daemon can be obtained with the command "cvs -d :pserver:cvs@happy.kiev.ua:/cvs co dds". When processing ~20G of traffic at sampling rate 8192 it eats ~30M of memory and ~0.2% CPU. Btw, I have long wondered how people cope with DoS attacks without dds? If there is an attack and a router has gone sick, how do they find out which host is attacked and from what source? Are there any similar utilities?
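The detection step described above, as an added example that is not the dds daemon or any code from the post: it takes sampled flow records, undoes the 1:8192 sampling, aggregates per attacked host and protocol, and produces the kind of summary the alarm letter carries. The flow text format, the customer prefix table, the addresses and the 60-second window are assumptions made up for the example; the sampling rate and the 40 Kpps level come from the post.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

SAMPLE_RATE = 8192        # 1:8192 packet sampling on the external links (from the post)
WINDOW_SECONDS = 60       # length of the flow window we aggregate over (assumption)
PPS_THRESHOLD = 40_000    # alarm level; the post's example anomaly is a 40 Kpps UDP stream

# Constructed customer table: prefix -> (AS number, client name). Made up for the example.
CLIENTS = {
    ip_network("192.0.2.0/24"): (64500, "client-A"),
    ip_network("198.51.100.0/24"): (64501, "client-B"),
}

# Constructed sampled flow records (one per line): src dst proto dport packets bytes.
# Packet and byte counts are *sampled* counts, as a flow collector would store them.
SAMPLE_FLOWS = """\
203.0.113.7   192.0.2.10      17  53    300  120000
203.0.113.9   192.0.2.10      17  53    120   48000
203.0.113.7   192.0.2.10      17  1024   20    8000
198.18.0.5    198.51.100.20    6  443    40   60000
198.18.0.6    198.51.100.20    6  80     10    9000
"""


@dataclass
class Flow:
    src: str
    dst: str
    proto: int
    dport: int
    packets: int
    octets: int


@dataclass
class Alert:
    target: str
    proto: int
    asn: int
    client: str
    pps: float
    mbps: float
    top_sources: list   # [(source address, estimated packets in window), ...]
    top_ports: list     # [(destination port, estimated packets in window), ...]


def parse_flows(text):
    """Parse the simplified flow listing into Flow objects."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        src, dst, proto, dport, pkts, octets = line.split()
        flows.append(Flow(src, dst, int(proto), int(dport), int(pkts), int(octets)))
    return flows


def lookup_client(addr):
    """Return (asn, client) for one of our customers' addresses, or None if it is not ours."""
    ip = ip_address(addr)
    for net, owner in CLIENTS.items():
        if ip in net:
            return owner
    return None


def detect(flows, window=WINDOW_SECONDS, rate=SAMPLE_RATE, threshold=PPS_THRESHOLD):
    """Aggregate per (destination host, protocol), rescale by the sampling rate, flag anomalies."""
    agg = defaultdict(lambda: {"pkts": 0, "bytes": 0, "srcs": Counter(), "ports": Counter()})
    for f in flows:
        if lookup_client(f.dst) is None:
            continue                         # only traffic towards our own customers matters
        t = agg[(f.dst, f.proto)]
        t["pkts"] += f.packets * rate        # undo sampling to estimate the real packet count
        t["bytes"] += f.octets * rate
        t["srcs"][f.src] += f.packets * rate
        t["ports"][f.dport] += f.packets * rate
    alerts = []
    for (dst, proto), t in agg.items():
        pps = t["pkts"] / window
        if pps < threshold:
            continue
        asn, client = lookup_client(dst)
        alerts.append(Alert(dst, proto, asn, client, pps, t["bytes"] * 8 / window / 1e6,
                            t["srcs"].most_common(3), t["ports"].most_common(3)))
    return alerts


def format_report(alert):
    """Text for the alarm letter: who is attacked, how hard, from where and on which ports."""
    lines = [
        f"Attacked host: {alert.target} (AS{alert.asn}, {alert.client})",
        f"Protocol {alert.proto}: ~{alert.pps:,.0f} pps, ~{alert.mbps:.0f} Mbit/s",
        "Top sources: " + ", ".join(f"{s} ({p / WINDOW_SECONDS:,.0f} pps)" for s, p in alert.top_sources),
        "Top ports:   " + ", ".join(f"{d} ({p / WINDOW_SECONDS:,.0f} pps)" for d, p in alert.top_ports),
    ]
    return "\n".join(lines)


if __name__ == "__main__":
    for a in detect(parse_flows(SAMPLE_FLOWS)):
        print(format_report(a))
```

The mtr output the letter also carries is not reproduced here; it would be attached by the calling script against the alerted target.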
Saturday, November 14, 2009
Rating of providers
Not long ago I wrote about the rating.
I did it sysadmin-style: I gave the tools to view it yourself, including graphs, and considered the matter closed. In reality, many find it interesting to read reviews, but nobody wants to go somewhere and query the rating themselves. :)
There will be no regular posts, but I will publish something after all.
Let me state at once: I based this solely on BGP tables. These findings may not correspond to financial relationships, and may even be merely the consequences of some route leaks.
Since October Rostelecom has stopped announcing its networks through ReTN and took first place in the rankings. In November Synterra became a client of ReTN, which greatly improved its position, but did not bring it to first place.
The Ukrainian segment is remarkably stable overall, except that DataGroup overtook Ukrtelecom in the ranking.
Table of rankings for October (averaged) compared with the ratings for September:
| Rank | Diff | AS number | AS name | Country | /24 | Pfxs | ASes | Degree/Upstreams/Peering | Updates/Withdr/WithdrRate |
|---|---|---|---|---|---|---|---|---|---|
| 98 | +1▲ | 12389 | Rostelecom | RU | 40 556 | 5444 | 1118 | 430/6/16 | 1 897 473/159 702/3.938 |
| 109 | -1▼ | 9002 | ReTN | RU | 33 428 | 3164 | 1021 | 858/3/714 | 322 444/11 350/0.340 |
| 111 | 0◀ | 3216 | Golden Telecom | RU | 31 934 | 3640 | 1001 | 405/4/110 | 1 068 485/76 117/2.384 |
| 117 | 0◀ | 20485 | TransTelecom | RU | 28 404 | 4804 | 995 | 392/3/10 | 632 653/57 229/2.015 |
| 121 | 0◀ | 8342 | RTComm | RU | 26 993 | 3126 | 854 | 103/4/18 | 614 558/75 049/2.780 |
| 130 | 0◀ | 8359 | MTU Intell | RU | 22 695 | 2590 | 880 | 97/3/21 | 241 559/16 116/0.710 |
| 172 | 0◀ | 6854 | Synterra | RU | 14 368 | 1787 | 443 | 166/6/6 | 432 764/20 365/1.417 |
| 254 | 0◀ | 3267 | RUNNet | RU | 8422 | 870 | 260 | 423/6/317 | 220 411/18 516/2.199 |
| 299 | 0◀ | 8744 | StartTelecom | RU | 6669 | 649 | 172 | 100/1/6 | 200 037/15 479/2.321 |
| 384 | 0◀ | 12695 | DiNet | RU | 4571 | 402 | 99 | 67/4/4 | 145 752/10 045/2.198 |
| 413 | 0◀ | 29648 | ComLine | RU | 4197 | 368 | 74 | 31/2/0 | 191 676/6009/1.432 |
| 416 | 0◀ | 8402 | Corbina | RU | 4165 | 181 | 51 | 56/5/1 | 100 508/9062/2.176 |
| 420 | 0◀ | 13249 | IT Systems | UA | 4104 | 455 | 220 | 76/4/8 | 83 379/6541/1.594 |
| 445 | 0◀ | 44237 | CTC Core | RU | 3824 | 194 | 33 | 24/3/2 | 97 991/3441/0.900 |
| 448 | 0◀ | 35320 | ETT | UA | 3725 | 633 | 276 | 91/2/10 | 119 183/13 331/3.579 |
| 468 | +1▲ | 41440 | SibirTelecom | RU | 3565 | 152 | 41 | 29/3/0 | 141 718/8649/2.426 |
| 482 | -1▼ | 8997 | SpbNit | RU | 3469 | 477 | 37 | 29/2/3 | 64 124/12 899/3.718 |
| 484 | 0◀ | 20764 | Rascom | RU | 3456 | 314 | 136 | 39/4/7 | 46 408/3429/0.992 |
| 494 | 0◀ | 35400 | MFIST (USI) | RU | 3369 | 374 | 47 | 13/2/0 | 217 297/9913/2.942 |
| 505 | +1▲ | 43975 | VolgaTelecom | RU | 3261 | 128 | 27 | 14/3/0 | 157 521/3186/0.977 |
| 511 | +1▲ | 21219 | Datagroup | UA | 3227 | 647 | 328 | 190/1/8 | 73 755/6351/1.968 |
| 523 | -2▼ | 6849 | UkrTelecom | UA | 3144 | 309 | 96 | 42/2/1 | 32 433/2531/0.805 |
| 548 | +1▲ | 25229 | Volia | UA | 2949 | 78 | 30 | 27/2/1 | 117 059/5747/1.949 |
| 569 | +1▲ | 30751 | Eurotel | RU | 2781 | 389 | 73 | 17/4/5 | 125 524/9926/3.569 |
| 595 | +4▲ | 39792 | Anders BG | RU | 2565 | 251 | 116 | 75/3/12 | 46 398/3124/1.218 |
| 609 | 0◀ | 8732 | Comcor | RU | 2473 | 274 | 148 | 122/3/7 | 59 400/2363/0.956 |
| 643 | 0◀ | 2118 | Relcom | RU | 2291 | 115 | 25 | 20/2/5 | 48 771/3589/1.567 |
| 650 | 0◀ | 21127 | ZapSibTTK | RU | 2254 | 333 | 105 | 84/1/0 | 54 842/6576/2.917 |
| 666 | +1▲ | 12714 | NetByNet | RU | 2128 | 122 | 53 | 23/2/5 | 25 711/3518/1.653 |
| 685 | +5▲ | 5568 | RBNet | RU | 2056 | 109 | 42 | 41/5/12 | 39 254/2069/1.006 |
| 715 | -8▼ | 12883 | Ucomline | UA | 1890 | 512 | 153 | 72/5/2 | 39 215/4737/2.506 |
| 729 | +1▲ | 21414 | RusComNet | RU | 1838 | 172 | 68 | 49/6/9 | 40 074/2479/1.349 |
| 741 | +3▲ | 3255 | UarNet | UA | 1802 | 681 | 234 | 108/4/6 | 43 611/4469/2.480 |
| 752 | -2▼ | 20632 | PeterStar | RU | 1775 | 149 | 56 | 52/4/6 | 37 828/1229/0.692 |
| 764 | +2▲ | 44467 | IRN-STC-AS AS for InterRegional Network STC | RU | 1750 | 89 | 14 | 10/4/0 | 113 392/7132/4.075 |
| 770 | +2▲ | 28809 | NaukaNet | RU | 1720 | 256 | 102 | 66/8/9 | 63 539/4913/2.856 |
| 775 | -3▼ | 2854 | Equant | RU | 1696 | 238 | 105 | 93/3/3 | 29 375/1607/0.948 |
| 778 | -7▼ | 29632 | NetAssist | UA | 1682 | 91 | 39 | 21/1/3 | 57 661/5379/3.198 |
| 817 | 0◀ | 21011 | TopNet | UA | 1538 | 461 | 200 | 87/3/7 | 59 636/6183/4.020 |
| 856 | +8▲ | 29076 | CityTelecom | RU | 1448 | 182 | 88 | 52/2/12 | 29 464/9908/6.843 |
| 868 | 0◀ | 31133 | Megafon | RU | 1391 | 190 | 55 | 40/4/3 | 41 281/3443/2.475 |
| 885 | -2▼ | 28917 | Fiord | RU | 1338 | 230 | 81 | 48/2/10 | 28 423/1287/0.962 |
| 894 | -1▼ | 8615 | CNT-AS CNT Autonomous System | RU | 1327 | 41 | 22 | 25/3/3 | 34 717/514/0.387 |
| 953 | +3▲ | 12332 | PRIMORYE-AS Far East Telecommunications Company | RU | 1186 | 44 | 2 | 3/2/0 | 126 357/10 412/8.779 |
Here is the basic dynamics of the Russian providers for the year (from November 2008 to November 2009):
Nipanimayu (I don't get it)
When some application crashes under Windows or Mac, a window pops up offering to send this information to Microsoft or, respectively, to Apple for review. Under FreeBSD, if the user runs into a bug, he can say "send-pr" and send a problem report.
However, if I run into an obvious problem in Cisco / Juniper / Extreme, I have to pay to tell the manufacturer about it. Even if IOS has dumped a core in my hands, a JunOS daemon has trapped, or an Extreme bug is reproducible. This is completely incomprehensible to me. It is not I who needs it: if something does not work for me, I am not going to wait until the vendor fixes the bug and releases an update, that is unacceptable to me; I will find another way to solve the problem so that I do not run into this error any more. After that I may inform the vendor about the error (so that other users do not step on the same rake), or I may not. Why do vendors prevent me from reporting a bug? After all, they do not have to guarantee a fix, they do not have to make bug reports public, so why not just give the opportunity to send bug reports?
If one vendor did this, I would think he had some quirk in the brain. But virtually all of them do it, which means there is something I do not understand.
Explain.
Cisco: rate-limiting transit VLANs
A frequent task: limit the rate of a VLAN passing in transit through the switch from one interface to another.
Catalyst easily supports ingress policing on a physical interface, but if you want to restrict not all traffic from an interface but a separate VLAN on a trunk port, things get harder. Especially if the rate must be limited not for the sum of all legs of the VLAN but for each side independently (and usually that is what is needed). Nevertheless, the problem can be solved both on the 3560 (3550, 3750, 3560-E, etc.) and on the 6500.
3560: through hierarchical policy-maps.
Example config:
mls qos
no mls qos rewrite ip dscp
!
access-list 101 remark ANY
access-list 101 permit ip any any
!
class-map match-all INTERFACES-FOR-VLAN-10
 match input-interface GigabitEthernet0/8
class-map match-all ANY
 match access-group 101
!
policy-map POLICY-FOR-INTERFACES-FOR-VLAN-10
 class INTERFACES-FOR-VLAN-10
  police 10240000 1920000 exceed-action drop
!
policy-map POLICY-FOR-VLAN-10
 class ANY
  set dscp 7
  service-policy POLICY-FOR-INTERFACES-FOR-VLAN-10
!
interface Vlan10
 no ip address
 service-policy input POLICY-FOR-VLAN-10
The counters do not work, but the rate is limited. The seemingly insignificant bits (matching an access-list that is "permit any", an unused "set dscp") are really needed; without them it stops working. As they say, it is hard to understand, but you just have to remember it. Which dscp to set does not matter (the main thing is not 0), but apparently different VLANs need different values.
On the physical interface "mls qos vlan-based" must be configured. The policy on the VLAN interface may contain several classes, for different input interfaces.
For the 6500 it is different. The above method does not work there, and neither do "match input-interface", "match vlan" and other head-on methods (at least on the "cheap" cards such as WS-X6724-SFP or WS-X6748-GE-TX).
At first I tried to bridge, rate-limit on the SVI and vlan-map back (so that the VLAN number does not change). It works, but it is CPU-based: the route processor gets killed immediately, and customers do not like the jitter. Therefore
a more acceptable solution was found (tested on sup32, sup720 and vs-s720 with different line cards).
mac packet-classify use vlan
!
mac access-list extended VLAN10
 permit any any vlan 10
!
class-map match-all vlan10-in
 match access-group name VLAN10
!
policy-map iface1
 class vlan10-in
  police cir 100000000 bc 1000000 be 2000000 conform-action transmit exceed-action drop
!
interface Vlan10
 no ip address
 mac packet-classify
On the physical interface (trunk), apply service-policy iface1. It may contain many classes for different VLANs. And this physical interface must not have "mls qos vlan-based". That is the trouble: VLANs in the trunk that terminate locally can no longer be restricted on the SVI; everything has to be limited on this physical interface per VLAN.
In this case the processor consumption is humane (up to certain limits) and jitter practically does not grow, but control-plane applications in such a VLAN will still fall off (which prompts sad thoughts).
Incidentally, in this case we can not only limit the rate but also count the transit traffic of VLANs in each direction: the counters in the policy-map work properly.
junos dynamic-db
In JunOS not so long ago (9.4 or 9.5, too lazy to look) dynamic-db appeared.
The feature is interesting and useful, primarily for prefix-lists. The idea is that some parts of the configuration specific to BGP (prefix-lists and policy-statements) can be moved into a separate config file and referenced from the main one. This greatly reduces the size of the main config, speeds up the commit, and does not clog the rollback history with filter auto-updates. For us prefix-lists are about 90% of the config; commit went from a couple of minutes to about 20 seconds.
However, as it turned out, things are not going smoothly so far. :-(
The first thing encountered: you cannot look at this dynamic config directly; you have to go into configuration mode and say show there, which is very inconvenient for scripting, and requires configuration-change privileges for mere viewing. I had to write an op script, show-dyn-conf.slax, that shows the dynamic config (it does not solve the privilege problem, however).
And after about a month of using dynamic-db, it went haywire for no apparent reason (MX480, 9.5R2.7). :-(
[edit dynamic]
gul# run show ?
Possible completions:
\zп*\ termination
error: remote side unexpectedly closed connection
Connection to quoll.itsinternet.net closed.
Nov 13 16:32:52 /kernel: BAD_PAGE_FAULT: pid 49853 (mgd), uid 0: pc 0x8109a21 got a read fault at 0xbad006bc, x86 fault flags = 0x4
Nov 13 16:32:52 /kernel: Trapframe Register Dump:
Nov 13 16:32:52 /kernel: eax: baf4bd2e ecx: bad006bc edx: 08315890 ebx: 00000000
Nov 13 16:32:52 /kernel: esp: bfbe5270 ebp: bfbe52c8 esi: 00000000 edi: baf4bdf0
Nov 13 16:32:52 /kernel: eip: 08109a21 eflags: 00010206
Nov 13 16:32:52 /kernel: cs: 0033 ss: 003b ds: bfbd003b es: 831003b
Nov 13 16:32:52 /kernel: fs: 832003b trapno: 0000000c err: 00000004
Nov 13 16:32:52 /kernel: Page table info for PC address 0x8109a21: PDE = 0x2c460067, PTE = 60c31425
Nov 13 16:32:52 /kernel: Dumping 16 bytes starting at PC address 0x8109a21:
Nov 13 16:32:52 /kernel: 3a 01 75 1e 84 c0 74 15 8d 41 01 42 83 ec 08 50
Cured by deleting the file /var/run/db/juniper.dyn.
I had to give up using dynamic-db. At least for now. :-(
Friday, October 23, 2009
Problems with ASN32
After an IOS update a client's BGP fell off. As it turned out, EdgeCore, DLink and all the no-name Chinese boxes drop BGP if they are offered ASN32 support. It drops with the error "Capability error: unknown capability code 65". Clearly, technically this is a problem of the client and its hardware (unsupported capabilities should be ignored), but that does not make it easier for the customer. I guess this is not the last time we step on this rake.
Solution for Cisco:
neighbor <ip-address> dont-capability-negotiate
Solution for Juniper:
set disable-4byte-as (in the bgp, group or neighbor configuration).
In both cases it is a hidden command.
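The OPEN exchange behind that error, as an added example that is not code from the post or from any vendor: it builds and parses BGP OPEN messages with the capabilities optional parameter, shows how a 4-byte AS is carried in capability 65 with AS_TRANS in the 2-byte field, contrasts the RFC-conformant "ignore what you don't support" handling with what the failing boxes do, and shows what switching capability negotiation off (the Cisco workaround above) changes on the wire. The AS number 196608, router id 192.0.2.1 and hold time are constructed values.

```python
import struct
from ipaddress import IPv4Address

MARKER = b"\xff" * 16       # RFC 4271 message marker
BGP_OPEN = 1                # message type OPEN
OPT_PARAM_CAPABILITIES = 2  # RFC 5492 optional parameter carrying capabilities
CAP_MP_EXT = 1              # RFC 4760 multiprotocol extensions (AFI/SAFI)
CAP_4OCTET_AS = 65          # 4-octet AS number capability: the "code 65" in the post's error
AS_TRANS = 23456            # 2-octet placeholder AS used when the real AS does not fit in 16 bits


def encode_capabilities(caps):
    """Pack a list of (code, value) capabilities into one RFC 5492 optional parameter."""
    body = b"".join(struct.pack("!BB", code, len(value)) + value for code, value in caps)
    return struct.pack("!BB", OPT_PARAM_CAPABILITIES, len(body)) + body


def build_open(asn, hold_time, bgp_id, caps=(), negotiate=True):
    """Build an OPEN message.

    A 4-byte ASN is advertised in capability 65 while the fixed 2-byte "My AS" field
    carries AS_TRANS. negotiate=False mimics what "neighbor ... dont-capability-negotiate"
    does: no optional parameters at all, so a peer that chokes on unknown capability
    codes never sees one.
    """
    caps = list(caps)
    my_as = asn
    if asn > 0xFFFF:
        caps.append((CAP_4OCTET_AS, struct.pack("!I", asn)))
        my_as = AS_TRANS
    params = encode_capabilities(caps) if (negotiate and caps) else b""
    body = struct.pack("!BHHIB", 4, my_as, hold_time, int(IPv4Address(bgp_id)), len(params)) + params
    return MARKER + struct.pack("!HB", 19 + len(body), BGP_OPEN) + body


def parse_open(msg):
    """Decode an OPEN message into its fields plus the list of (code, value) capabilities."""
    if len(msg) < 29 or msg[:16] != MARKER:
        raise ValueError("bad marker or truncated header")
    length, mtype = struct.unpack("!HB", msg[16:19])
    if mtype != BGP_OPEN or length != len(msg):
        raise ValueError("not a well-formed OPEN")
    version, my_as, hold, bgp_id, opt_len = struct.unpack("!BHHIB", msg[19:29])
    params = msg[29:29 + opt_len]
    caps = []
    i = 0
    while i < len(params):
        ptype, plen = params[i], params[i + 1]
        value = params[i + 2:i + 2 + plen]
        i += 2 + plen
        if ptype != OPT_PARAM_CAPABILITIES:
            continue                      # unknown optional parameter types are skipped
        j = 0
        while j < len(value):
            code, clen = value[j], value[j + 1]
            caps.append((code, value[j + 2:j + 2 + clen]))
            j += 2 + clen
    return {"version": version, "my_as": my_as, "hold_time": hold,
            "bgp_id": str(IPv4Address(bgp_id)), "capabilities": caps}


def accept_open(info, supported):
    """RFC 5492 behaviour: capabilities we do not support are ignored, not fatal.

    Returns (effective peer AS, list of ignored capability codes). The boxes in the
    post instead tear the session down with "unknown capability code 65".
    """
    peer_as = info["my_as"]
    ignored = []
    for code, value in info["capabilities"]:
        if code not in supported:
            ignored.append(code)
        elif code == CAP_4OCTET_AS:
            peer_as = struct.unpack("!I", value)[0]   # the real AS replaces AS_TRANS
    return peer_as, ignored


if __name__ == "__main__":
    ipv4_unicast = (CAP_MP_EXT, b"\x00\x01\x00\x01")   # AFI 1, reserved, SAFI 1
    msg = build_open(196608, 90, "192.0.2.1", caps=[ipv4_unicast])   # constructed values
    info = parse_open(msg)
    print("peer that knows code 65:", accept_open(info, {CAP_MP_EXT, CAP_4OCTET_AS}))
    print("peer that does not:     ", accept_open(info, {CAP_MP_EXT}))
    legacy = build_open(196608, 90, "192.0.2.1", caps=[ipv4_unicast], negotiate=False)
    print("without negotiation:    ", parse_open(legacy))
```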
Tuesday, October 20, 2009
JUNOScripting
I have had to write in programming languages where loops are done only through recursion (lisp, exim acl).
But a language in which it is impossible to change the value of a variable I met for the first time. 8-() It is not clear, actually, why they are called "variables". It reminds me of the anecdote "and have you tried Dostum?"
OK, I do not understand how it works internally. But in my time I wrote a lot in assembler, where there are also variables, conditional / unconditional jumps and much more that suddenly turned out to be missing from a "high-level" language. Of course I know the terms "algorithmic" and "functional" language, but still, turning my brain around so that using recursion instead of a loop feels natural is a strain for me. And for some reason you sometimes want to change a variable.
But never mind, I mastered SLAX (Stylesheet Language Alternative Syntax) and wrote the script that was needed.
I was unpleasantly surprised by the low performance. Somehow I expected that if the script runs through the JunOS API, then the speed should be OK, by analogy with embedded Perl and other embedded scripting languages. Nope: querying the configuration takes about half a minute (as with "show configuration"). Commit takes even longer. Here I do not understand: what do you have to do to a two-megabyte text file so that a modern processor parses it for a minute? I find it hard to imagine even a second spent on this task. As for the patches with dynamic-db, I would have understood if it were a two-gigabyte file instead of a two-megabyte one.
Other little jokes were also delivered, of course. For example, there are arithmetic expressions, but no division (or I could not find how). Well, OK, instead of dividing by two one can multiply by 0.5. But why does printf("%d", 6000000000 * 0.5) return "3e+09", which, of course, the config parser does not accept?
Of course, the change / commit ideology in JunOS is much nicer than in Cisco IOS. But why can't one commit only the changes, not the entire config? Or lock only one level of the config hierarchy, not all of it? It's not rocket science. And without this, can a script safely change the configuration (for example, update prefix-lists or something on events)? What if at that moment someone is configuring something? The result is a system that "usually works well", "is buggy infrequently", etc. :-( About "configure private" I know: it's a good way to undo somebody else's changes without noticing it.
The fact that others are even worse is comforting, but not much. :)
PS In general, junoscripts are a powerful thing, I approve.
Tuesday, October 6, 2009
Provider rating: graphs
I made a plotter of graphs based on the provider ratings. Here is an example of its work:
Several peaks can be seen; they are due to large route leaks, when some peering was taken as a customer relationship. I am going to examine them closely too; perhaps there is a way to distinguish them from valid relationships. To date there are only three peaks in almost two years, the other indicators are stable and the remaining route leaks were detected and excluded from consideration. In my opinion a good result, especially considering how tricky they are (e.g. double leaks are seen). I do not want to smooth anything out by hand or specify some client-uplink relationship by hand (to help the program); meanwhile I am trying to improve the algorithm.
Sometimes you may have to wait a couple of minutes for the result (the graph): no need to be afraid, once requested the data are cached, and the next time the answer will be quick.
ReTN recently almost lost its championship, but held on: as far as I can see, at the beginning of October Rostelecom stopped consuming traffic through it.
The graph for the Ukrainian providers is fun (perhaps only for Ukrainians ;). Here one can find, among other things, the transitions of major customers from one provider to another. Here:
Saturday, September 26, 2009
Not ideal :(
A lament.
Why is it that if a Juniper counter name is longer than 23 characters, the counter is not available via SNMP (jnxFWCounter)? Where did this strange limitation come from?
For example, colocall-in-rate-limit is there, but colocall-out-rate-limit is not. :(
Meanwhile, from the CLI the counters can be viewed without any problem.
MX480, 9.5R2.7
That the policer counts only dropped packets but not dropped bytes is inconvenient, but I have already resigned myself to that (you have to multiply the number of dropped packets by the average packet size). Meanwhile, even the 6500 counts both packets and bytes properly.
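As an added check (not part of the post, and not a Juniper tool), here is a small script that scans a Junos-style configuration for counter names that would not show up in the jnxFWCounter SNMP table. The post says names "longer than 23 characters" disappear, but its own failing example, colocall-out-rate-limit, is exactly 23 characters, so the script assumes 22 is the longest safe length; treat that number as an assumption to verify on your own box (MX480, 9.5R2.7 in the post). The sample configuration is constructed and only the counter names in it matter.

```python
import re

# Longest counter name assumed to remain visible in jnxFWCounter. The post says
# "longer than 23" breaks, yet its failing example is 23 characters long, so the
# safe maximum is taken to be 22. Assumption from the post, not Juniper docs.
MAX_SNMP_COUNTER_NAME = 22

# Matches "count NAME;" (firewall term action) and "counter NAME;" statements.
_COUNTER_RE = re.compile(r'\b(?:count|counter)\s+([A-Za-z0-9_.-]+)\s*;')


def find_counter_names(config_text):
    """Return the unique counter names defined in a Junos-style config text."""
    return sorted(set(_COUNTER_RE.findall(config_text)))


def too_long_for_snmp(config_text, limit=MAX_SNMP_COUNTER_NAME):
    """Return counter names that exceed the assumed SNMP-visible length."""
    return [name for name in find_counter_names(config_text) if len(name) > limit]


# Constructed sample config (not from the post); the counter names mirror the
# two the post mentions, one of which is missing from SNMP.
SAMPLE_CONFIG = """
firewall {
    filter COLOCALL-IN {
        term rate-limit {
            then {
                policer colocall-in;
                count colocall-in-rate-limit;
            }
        }
    }
    filter COLOCALL-OUT {
        term rate-limit {
            then {
                policer colocall-out;
                count colocall-out-rate-limit;
            }
        }
    }
}
"""

if __name__ == "__main__":
    for name in too_long_for_snmp(SAMPLE_CONFIG):
        print(f"{name}: {len(name)} characters, expect it to be absent from jnxFWCounter")
```

Run it over `show configuration firewall` output before committing; renaming a counter is cheap, discovering a hole in your graphs a month later is not.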
Thursday, September 24, 2009
What to do with harmful more-specific routes
There is an old problem:
A client announces a /23 to the upstream and the same network as two /24s to an IX (for example, UA-IX). As a result, traffic from the world arrives at the upstream on the /23 and then goes to the client over the /24 (the more specific) through the IX. So the client receives its external traffic through the IX, with no rate limits, accounting, etc.
The problem was investigated in detail and described by Ginsburg here, together with a solution for JunOS (many thanks to him for it). So I can only retell it in my own words, give a configuration for Cisco, and describe other, less precise and simpler solutions.
First of all, I want to say that tackling the problem administratively is unpromising. The client may well be doing this without malice. After all, he is doing nothing illegal.
The first thing that comes to mind for protecting against this situation is moving the IX to a separate router. Clients that have their own connection to the IX are terminated on an "external" router that simply does not announce the IX. Drawbacks: first, the client may want to use that IX as a backup; second, the client has to move to another router if it connects to the IX; third, it may not be the client itself that is connected to the IX but a client of the client; fourth, there may be several different IXes (KH-IX, UA-IX, DE-CIX, etc.), and it is unclear how to divide them among routers. Actually, traffic from the IX is a "bonus" for the upstream, and refusing it, giving the client only the IP transit he paid for, is obviously unprofitable for the upstream. Instead of separate routers one can of course use different VRFs within one router. Another option is to build two BGP sessions with clients, "world" and "Ukraine" (in other words, IPT and IX). If there is only one IX, this solution works completely, although it creates some inconvenience for clients.
The second option is to filter traffic on the router through which it goes from the upstream to the IX. More precisely, traffic from the upstream and peering links should go only to clients, and everything that heads out to the upstream or peering should be dropped. The disadvantage is that in this case the client's setup simply does not work, causing his displeasure. Besides, the upstream and peering may be connected to different routers, and in that case filtering on the interface becomes harder.
The solution proposed by Ginsburg is the most correct one, although not always easy to implement. Namely: have two routing tables, one with only clients' routes and another with the full view. Traffic from upstreams and peers is routed by the first table, traffic from clients by the second. In this case traffic from the upstream goes to the client even if there is a more specific route from the IX. It does not require much memory, because there are relatively few client routes. A small additional modification: make one more routing table containing only client prefixes with a fallback to the full table if the route is not found, and use that table for routing traffic from clients. Then traffic from one client to another client goes directly, even if there is a more specific via the IX. Disadvantage: with several routers, the decision on which table a packet is routed by must be made immediately as the packet enters our network. That is, it suits MPLS networks and networks with a single "external" router, but not the rest very well. Still, it is not hopeless: if external links are on different routers, one can either mark traffic, or build the internal links so that it is always unambiguous whether traffic is going from upstream to client or the other way round.
An example configuration with different routing tables for JunOS is at Ginsburg's. For Cisco it is roughly the same, using a VRF. Traffic received from the upstream is steered into the VRF via PBR (I have not come up with anything more elegant). Checked on ISR (3825, 7200) and 6500 (12.2(33)SXI): it works. In some cases traffic to the router's own IPs has to be added to NO-LOCAL (excluded from the PBR), otherwise the behaviour becomes strange. No changes to the BGP configuration are required.
! VRF holding only our own routes: client prefixes plus what the IGP provides.
! Nothing learned from upstreams or the IX is imported, so a more specific
! heard at the IX can never win a lookup in this table.
ip vrf upstreams
 rd xx:yy
 import ipv4 unicast map IMPORT-UPSTREAMS
!
! Upstream-facing subinterface: PBR steers everything arriving here into the VRF.
interface GigabitEthernet0/1.100
 description Upstream
 encapsulation dot1Q 100
 ip address 4.1.1.1 255.255.255.252
 ip policy route-map FROM-UPSTREAM
!
! Whatever NO-LOCAL permits is looked up in the "upstreams" VRF instead of
! the global table.
route-map FROM-UPSTREAM permit 10
 match ip address NO-LOCAL
 set vrf upstreams
!
! Import filter from the global table into the VRF: only routes carrying the
! CLIENTS or FROM-IGP community get in; the final deny refuses the rest.
! (The community-lists CLIENTS and FROM-IGP are defined elsewhere, not shown.)
route-map IMPORT-UPSTREAMS permit 10
 match community CLIENTS
!
route-map IMPORT-UPSTREAMS permit 20
 match community FROM-IGP
!
route-map IMPORT-UPSTREAMS deny 30
!
! Traffic that must stay in the global table is denied here (OSPF to the
! router itself); add the router's own IPs as well if needed, see above.
ip access-list extended NO-LOCAL
 deny ospf any any
 permit ip any any
!
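To make the two-table mechanism concrete, here is a small simulation added by the editor; it is not the post's code and not Ginsburg's. It uses RFC 5737 documentation prefixes and hypothetical next-hop labels ("client-a", "client-b", "ix", "upstream"): client A announces a /23 directly and its two /24s at the IX, client B does the same with a /23 and one /24. It compares what a plain single-table router does with lookups keyed by ingress, including the fallback variant the text describes for client-to-client traffic.

```python
import ipaddress

# Constructed routes (not from the post). Next-hop labels are hypothetical.
FULL_VIEW = [
    ("192.0.2.0/23",    "client-a"),   # client A's aggregate, heard directly
    ("192.0.2.0/24",    "ix"),         # client A's more specifics at the IX
    ("192.0.3.0/24",    "ix"),
    ("198.51.100.0/23", "client-b"),   # client B's aggregate, heard directly
    ("198.51.100.0/24", "ix"),         # client B's more specific at the IX
    ("0.0.0.0/0",       "upstream"),   # everything else goes to the upstream
]

# The "clients only" table: what the VRF above imports (client routes, plus the
# IGP in real life); nothing learned from the IX or the upstream.
CLIENTS_ONLY = [(p, nh) for p, nh in FULL_VIEW if nh.startswith("client")]


def lookup(table, dst):
    """Longest-prefix match; returns the next-hop label, or None if no route."""
    addr = ipaddress.ip_address(dst)
    best_net, best_nh = None, None
    for prefix, nh in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_nh = net, nh
    return best_nh


def forward_single_table(ingress, dst):
    """A plain single-FIB router: the IX more specific wins whatever the ingress."""
    return lookup(FULL_VIEW, dst)


def forward_two_tables(ingress, dst):
    """The scheme retold in the post. Traffic entering from the upstream or the
    IX is routed by the clients-only table: no route there means it is not for
    a client, so it is dropped rather than transited. Traffic from clients uses
    the clients-only table first and falls back to the full view, which keeps
    client-to-client traffic off the IX too."""
    if ingress in ("upstream", "ix"):
        return lookup(CLIENTS_ONLY, dst)
    return lookup(CLIENTS_ONLY, dst) or lookup(FULL_VIEW, dst)


if __name__ == "__main__":
    for ingress, dst in [("upstream", "192.0.3.7"), ("client-a", "198.51.100.5"),
                         ("client-a", "203.0.113.9"), ("upstream", "203.0.113.9")]:
        print(f"{ingress:>9} -> {dst:<14} single table: {forward_single_table(ingress, dst)!s:<9}"
              f" two tables: {forward_two_tables(ingress, dst)}")
```

The simulation also shows the dropping behaviour the text glosses over: a packet from the upstream to a non-client destination finds nothing in the client table, which is exactly what you want from a router that must not provide transit between its upstream and the IX.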
UPD: A possible pitfall. "Up to a 1000 prefixes will be imported by default. The prefix-limit argument is used to specify a limit from 1 to 2,147,483,647 prefixes." That is, if there may be more than 1000 client prefixes (including as a result of a client mistakenly stuffing in something extra), it is better to set a sufficient number of imported prefixes explicitly in the "import ipv4 unicast" line, for example "import ipv4 unicast 5000 map IMPORT-UPSTREAMS".
Tuesday, September 22, 2009
Likbez: the basics
I used to think that everyone who configures BGP or an MTA knows at least roughly how to do it. Now I see that route leaks are not just isolated accidents but a frighteningly mass phenomenon. So I think a description of things that are banal and obvious to many would not be amiss.
1. BGP relationships are with upstreams, with clients, and with peers, i.e. equals (I am not considering more complicated cases). If the AS is small, there is no peering. If it is very small, there are no BGP clients either, only upstreams. BGP must be configured so that only clients' announcements go to the upstreams (and peers), never announcements from other upstreams. Filtering by network (access-list or prefix-list) does not solve this problem! A client may have an alternative upstream besides you, and then your client's prefix, received not directly from him but from an upstream, will go out to the other upstream. Today everything may be fine, but tomorrow something changes at your client. Moreover, an as-path filter does not solve this problem in general either: when you change upstreams for the fifth time, you will most likely forget to carefully redo all the filters. The correct solution is BGP communities: on announcements received from upstreams set a special community attribute, and do not give announcements carrying this attribute to upstreams. Or the other way round: set a special attribute on announcements from clients, and give upstreams only those and nothing else. Then your client's announcements go out to the upstream if you received them directly from the client, and do not go out if they arrived another way (from an upstream).
2. Communities are external and internal. External are the ones you give to clients and accept from them. Internal are the ones you use only inside your own AS. For routing to be correct, a client or an upstream must not be able to set a community that changes your view of where the announcement came from. For example, it is wrong to allow a situation where an upstream sends an announcement with your "client" community and that announcement goes out to another upstream. To avoid this, internal communities must be stripped on receipt of announcements both from clients and from upstreams. For example, internal communities can be two- or three-digit, external ones four- and five-digit, and on receipt you delete all your own two- and three-digit communities. "Your own" are those of the form xxxx:yyyy where xxxx is your AS number.
3. A rule of good taste: delete all your unneeded communities when exporting announcements. That is, all of your own when exporting to upstreams, and all except the special informational ones when exporting to clients. Unneeded communities clutter the memory of routers (worldwide!) and increase BGP convergence time.
4. Do you think your routing is all right? Enter your AS number here and click "show route-leaks". Most likely you will learn many interesting things. If you suddenly find nothing, do not relax: look over a longer period, it has happened before.
5. Do not use weight unless you know exactly why and what you are doing. For separating prefixes by priority there is local-preference. The difference is that localpref is passed between your routers, so it is enough to set it on the external BGP sessions.
6. When configuring BGP on Cisco and many other platforms, you must first specify the AS number at the other end (remote-as). Immediately after that BGP tries to come up, before any filters are in place. As a result, the upstream collects a full view from you, or you get a full view from your client. To prevent this, BGP must not come up immediately, while it is not yet fully configured. In more or less recent IOS versions there is, specifically for this, the option of saying "shutdown" at the end of the "neighbor ... remote-as ..." command. If that is not possible, first shut down the subinterface, then configure BGP with all the filters, and only then say "no shutdown". Fortunately, Juniper does not have this problem: there you can enter everything first and then commit.
7. And who does not keep all router configs in cvs or svn? And does not track changes with diffs? And how do you live without it? ;-)
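Items 1 to 3 above, and the prefix limit from the UPD at the end of this post, can be modelled in a few lines. The following simulation is added by the editor and is not the post's configuration; the AS number 65000, the community values, the prefixes (RFC 5737 documentation space) and the neighbour labels are all hypothetical. It implements the "tag what comes from clients" variant of item 1: inbound policy strips any of our own internal communities a neighbour tried to set (item 2) and tags the route with where it entered; outbound policy exports only client-tagged routes to upstreams and peers, stripping our communities on the way out (item 3).

```python
from dataclasses import dataclass

MY_AS = 65000        # hypothetical local AS number (not from the post)
PREFIX_LIMIT = 100   # maximum-prefix value used in the post's example

# Internal communities, MY_AS:<three-digit>, record where a route entered the
# AS; they are never accepted from outside and never sent outside.
FROM_CLIENT, FROM_UPSTREAM, FROM_PEER = (MY_AS, 100), (MY_AS, 200), (MY_AS, 300)
ORIGIN_TAG = {"client": FROM_CLIENT, "upstream": FROM_UPSTREAM, "peer": FROM_PEER}
# External, four-digit communities are informational and may go to clients.
INFO_COMMUNITY = (MY_AS, 1000)   # hypothetical


@dataclass(frozen=True)
class Route:
    prefix: str
    communities: frozenset


def is_internal(community):
    asn, value = community
    return asn == MY_AS and value < 1000


def on_receive(route, from_kind):
    """Inbound policy (items 1 and 2): strip any of our internal communities the
    neighbour may have set, then tag the route with where it came from."""
    kept = {c for c in route.communities if not is_internal(c)}
    kept.add(ORIGIN_TAG[from_kind])
    return Route(route.prefix, frozenset(kept))


def on_export(route, to_kind):
    """Outbound policy (items 1 and 3). Upstreams and peers get only routes
    tagged as received directly from a client, with all our communities
    stripped; clients get everything, with only internal communities stripped.
    Returns None when the route is not exported at all."""
    if to_kind in ("upstream", "peer"):
        if FROM_CLIENT not in route.communities:
            return None
        kept = {c for c in route.communities if c[0] != MY_AS}
    else:
        kept = {c for c in route.communities if not is_internal(c)}
    return Route(route.prefix, frozenset(kept))


def exported_prefixes(rib, to_kind):
    """Distinct prefixes that leave toward a neighbour of the given kind."""
    return sorted({r.prefix for r in rib if on_export(r, to_kind) is not None})


def session_state(received_count, maximum=PREFIX_LIMIT):
    """maximum-prefix / prefix-limit as described in the UPD: more prefixes
    than the limit tears the session down (it is retried after the timer)."""
    return "down" if received_count > maximum else "up"


# Constructed input (not from the post):
#  - a client's prefix heard directly, carrying an informational community;
#  - the same prefix heard again via an upstream (the client has a second
#    transit provider);
#  - a prefix from a peer;
#  - an upstream trying to smuggle our "client" community onto its route.
RIB = [
    on_receive(Route("192.0.2.0/24", frozenset({INFO_COMMUNITY})), "client"),
    on_receive(Route("192.0.2.0/24", frozenset()), "upstream"),
    on_receive(Route("198.51.100.0/24", frozenset()), "peer"),
    on_receive(Route("203.0.113.0/24", frozenset({FROM_CLIENT})), "upstream"),
]

if __name__ == "__main__":
    print("to upstream:", exported_prefixes(RIB, "upstream"))
    print("to client:  ", exported_prefixes(RIB, "client"))
    print("101 prefixes from a client -> session", session_state(101))
```

Note what a prefix-list could not have done here: the client's /24 is exported to the upstream only along the path on which it was heard directly from the client, and the smuggled community on 203.0.113.0/24 is gone before it can influence export.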
About the more complex ways route leaks appear I will write next time.
UPD: I forgot to mention a very necessary thing in the BGP configuration for clients and peers: a limit on the number of prefixes. It helps a lot against route leaks and other troubles. For example, for Cisco IOS: "
neighbor ... maximum-prefix 100 restart 10", for JunOS: "set protocols bgp group CLIENTS family inet unicast prefix-limit maximum 100 teardown idle-timeout 10". That is, if a client sends more than a hundred announcements, the BGP session with him goes down automatically for 10 minutes, then comes up automatically; if the client has fixed the error by then, it lives, and if not, it goes down again for 10 minutes, and so on. Of course, this limit can be set individually for different clients.
Friday, September 11, 2009
Tuesday, March 31, 2009
[Project] Xiah-Sshi 20four
XIAH-SSHI 20Four threads were made specifically for that portion of the project, and you may also ask questions there.
[Xiah-sshi 24th!] Project Overview
Deadline: August 1st, 2009
Twenty Four Gifts for Junsu
In celebration of Junsu's 24th birthday on December 15th, 2009 (counting by the Korean age system), we will be getting Junsu 24 different gifts. Everyone that contributes will be listed and the list will be included in our gift package to Junsu. Help us make this possible!
PLEASE VISIT XIAH-SSHI FORUMS FOR MORE INFORMATION
01. Donation to World Vision
02. Inspirational Origami Dolphins
03. Coins N' Bills
04. Tumbler / Twenty Four Birthday Wishes
05. Xiah-sshi Keychain
06. Music Composition Notebook (Xiah-sshi)
07. Earrings
08. Necklace
09. Bracelet
10. Hat/Cap
11. Shirt
12. Jacket
13. Belt
14. Cologne
15. Sunglasses
16. Wallet
17. Passport Holder
18. Pink Ribbon Teddy Bear (x2 one for Junho)
19. Soccer Ball
20. Album/CD
21. Earphones/Headphones
22. PSP Case
23. Game
24. Pillow
To Contribute & Participate:
http://xiah-sshi.com/index.php?showtopic=582
Giving Warmth & Love
We will be donating together as a forum, under the name of Xiah-sshi, to World Vision. The receipt of the donation along with a list of all members that donate will be included in our gift package to Junsu. Let's make him proud!
To Contribute & Participate:
http://xiah-sshi.com/index.php?showtopic=581
Twenty Four Birthday Wishes
As one of the 24 gifts, we will accept 24 birthday wishes from fans. We will not accept more than 24, so please don't wait to leave your birthday message. Do it now! These 24 wishes will also be translated into Korean by our translators.
To Leave Your Message:
http://xiah-sshi.com/index.php?showtopic=580
Inspirational Origami Dolphins (Fan Messages)
In addition to the 24 birthday messages, we will be accepting an unlimited number of inspirational messages. For these messages, we ask that you do not write 'happy birthday', but a message of encouragement, support, and love. Think of it as something that can cheer Junsu up on a bad day!
To participate in this part of the project, please sign up in the sign up thread. Genna will PM you her address and in the thread there you will find a tutorial on how to fold an origami dolphin. After you finish folding your origami dolphin, write your inspirational message on the outside. That way Junsu wouldn’t have to unfold it in order to read your message!
To Sign-Up & For All Details:
http://xiah-sshi.com/index.php?showtopic=579
Coins N' Bills
We will be collecting coins and bills from different countries to give to Junsu as one of our 24 gifts to him, to show him that his fans are from all around the world. As we only need one coin/bill from each country though, please sign up to be a representative! A name list of each representative will be included in our gift package to Junsu.
To Sign-Up & For All Details:
http://xiah-sshi.com/index.php?showtopic=578
DONG BANG SHIN GI FANS ESPECIALLY XIAH JUNSU FANS!!!!! PLEASE JOIN THIS PROJECT