with Customer B's traffic,
and the difficulty of implementing such constraints). It can be an
option worth exploring, in many circumstances.
Roland Dobbins
rstood and -documented, and a bit of research
can help bring one up to speed on them pretty quickly.
----
Roland Dobbins
-address validation (SAV). Without the ability to
spoof, there would be no reflection/amplification attacks.
---
Roland Dobbins
int is that when applying broad policies of this nature, one must
be very conservative, else one can cause larger problems on a macro
scale. Internet arteriosclerosis is a significant issue.
---
Roland Dobbins
control.
* btw, what can you experts tell me about tcp-based volumetric
attacks...
TCP reflection/amplification.
---
Roland Dobbins
-appropriate manner. And when we're using techniques like
QoSing down certain ports/protocols, we must err on the side of caution,
lest we cause larger problems than the attacks themselves.
---
Roland Dobbins
ng_Isp_v2.pdf>
-------
Roland Dobbins
.
---
Roland Dobbins
xge>
---
Roland Dobbins
.
---
Roland Dobbins
On 15 Aug 2018, at 6:28, Grant Taylor via NANOG wrote:
> Is there something that I've missed the boat on?
No - it's a belt-and-suspenders sort of thing, along with GTSM.
---
Roland Dobbins
echnology-ebook/dp/B0051TM5L2/>
---
Roland Dobbins
infrastructure self-protection concepts:
<https://app.box.com/s/osk4po8ietn1zrjjmn8b>
---
Roland Dobbins <rdobb...@arbor.net>
licies at the IDC edge which disallow unwanted UDP/11211 as well as
TCP/11211 from reaching abusable memcached deployments.
---
Roland Dobbins <rdobb...@arbor.net>
On 27 May 2017, at 0:19, Roland Dobbins wrote:
> <https://app.box.com/s/ko8lk4vlh1835p36na3u>
This is the correct URI for the first preso, apologies:
<https://app.box.com/s/osk4po8ietn1zrjjmn8b>
-------
Roland Dobbins <rdobb...@arbor.net>
On 27 May 2017, at 0:54, valdis.kletni...@vt.edu wrote:
> I'll go out on a limb and suggest that except for a very basic home/SOHO
> network, "You may need" should be "You will probably need".
Concur, heh.
-----------
Roland Dobbins <rdobb...@arbor.net>
You may need one
set of ACLs at the peering/transit edge, and other, more specific ACLs,
at the IDC distribution gateway, customer aggregation gateway, et al.
---
Roland Dobbins <rdobb...@arbor.net>
IRC.
---
Roland Dobbins <rdobb...@arbor.net>
of capability, too.
---
Roland Dobbins <rdobb...@arbor.net>
On 7 Jan 2017, at 14:22, Joly MacFie wrote:
> Blind backlash from IoT DDoS? Looming billions of rf tagged items?
None of this has anything to do with this 'DOA' thing, though.
---
Roland Dobbins <rdobb...@arbor.net>
of this nature, I've been waiting
for the ITU to impose GOSIP or whatever on us for the last ~30 years or
so - but so far, nothing much has happened in that regard.
Is there actually a reason to suspect that this time it will be any
different?
---
Roland Dobbins <rd
, per se.
Can you provide more context?
---
Roland Dobbins <rdobb...@arbor.net>
tl-expiry-attack.html>
-------
Roland Dobbins <rdobb...@arbor.net>
On 22 Dec 2016, at 20:27, Jean | ddostest.me via NANOG wrote:
the already known Layer 4 amp DDoS like dns, ntp, ssdp, snmp
These are layer-7 reflection/amplification attacks - i.e.,
application-layer - *not* layer-4.
---
Roland Dobbins <rdobb...@arbor.net>
On 20 Dec 2016, at 12:18, Laurent Dumont wrote:
> As a student in the field, this is the kind of stuff I live for! ;)
<https://en.wikipedia.org/wiki/NTP_server_misuse_and_abuse#Notable_cases>
-------
Roland Dobbins <rdobb...@arbor.net>
On 17 Dec 2016, at 0:13, Job Snijders wrote:
There are providers who inspect the AS_PATH's contents and make
decisions to reject (ignore) a route announcement or
not based on the presence of certain values.
+1
---
Roland Dobbins <rdobb...@arbor.net>
On 16 Dec 2016, at 16:40, Roland Dobbins wrote:
Looking at the source IP distribution, does a significant proportion
of the larger query base seem to originate out-of-region?
And do they appear to be mostly broadband access networks?
---
Roland Dobbins <rdobb...@arbor.net>
On 16 Dec 2016, at 10:17, Roland Dobbins wrote:
<http://pages.cs.wisc.edu/~plonka/netgear-sntp/>
Over on nznog, Cameron Bradley posited that this may be related to a
TR-069/-064 Mirai variant, which makes use of a 'SetNTPServers' exploit.
Perhaps one of them is actually s
On 16 Dec 2016, at 10:16, Roland Dobbins wrote:
>
<http://pages.cs.wisc.edu/~plonka/netgear-sntp/>
-------
Roland Dobbins <rdobb...@arbor.net>
On 16 Dec 2016, at 10:09, Dan Drown wrote:
This seems more like "someone pushed out bad firmware" rather than
something malicious.
Everything old is new again . . .
-------
Roland Dobbins <rdobb...@arbor.net>
queries, or lots of level-6/level-7 admin
command attempts?
---
Roland Dobbins <rdobb...@arbor.net>
On 5 Dec 2016, at 21:50, Graham Johnston wrote:
What is your preferred one and why?
<http://testmy.net/>
Thorough, reasonable test methodology, allows one to store history,
decent range of test servers worldwide.
---
Roland Dobbins <rdobb...@arbor.net>
On 2 Dec 2016, at 22:31, Christopher Morrow wrote:
> that statement seems ... hard to prove.
Paging Geoff Huston to the white courtesy phone . . .
;>
---
Roland Dobbins <rdobb...@arbor.net>
nternet' is equally uninformed. State actors already
know how to do this, they don't need to 'learn' or 'test' anything.
DDoS attacks are the Great Equalizer; when it comes to DDoS,
nation-states are just another player.
-------
Roland Dobbins <rdobb...@arbor.net>
On 26 Oct 2016, at 0:41, Gary Baribault wrote:
> other than the two local major ISPs (keeping last Friday in mind!)
. . . why would you want to expose them to the public Internet at all?
There are many, many reasons not to do so.
---
Roland Dobbins <
On 21 Oct 2016, at 23:01, Mike Hammett wrote:
> Are there sites that can test your BCP38\84 compliance?
<https://www.caida.org/projects/spoofer/>
-------
Roland Dobbins <rdobb...@arbor.net>
On 20 Oct 2016, at 23:32, Mark Tinka wrote:
Some requirements call for Ethernet transport as opposed to IP.
Sure - but it's probably worth revisiting the origins of those
requirements, and whether there are better alternatives.
---
Roland Dobbins <rd
.
---
Roland Dobbins <rdobb...@arbor.net>
On 28 Sep 2016, at 0:18, Brielle Bruns wrote:
> I call shenanigans on providers not seeing their unruly users.
I was talking about the users, not the ISPs.
---
Roland Dobbins <rdobb...@arbor.net>
, however.
Especially the Internet part.
;>
---
Roland Dobbins <rdobb...@arbor.net>
* the unruly children, but *choose* to ignore them. That's
the difference.
Keep in mind, most of the folks on this list are not representative of
the average consumer in terms of the skill-sets which are relevant in
this problem space.
---
Roland Dobbins <rd
On 27 Sep 2016, at 22:37, Patrick W. Gilmore wrote:
All the more reason to educate people TODAY on why having vulnerable
devices is a Very Bad Idea.
Yes, but how do they determine that a given device is vulnerable?
---
Roland Dobbins <rdobb...@arbor.net>
provider, just as
they typically do for electricity and water.
---
Roland Dobbins <rdobb...@arbor.net>
they own, every can of
soda in their refrigerator, every major (and many minor) components of
their automobiles, every blade in their windowshades, etc.
---
Roland Dobbins <rdobb...@arbor.net>
ilar would work here.
Concur that this is the least-improbable model, absolutely.
But keep in mind that subscriptions/services for in-home wiring were
(and are) also a tiny percentage of the user base.
-------
Roland Dobbins <rdobb...@arbor.net>
ship
them a pre-provisioned dongle). The number of people capable of doing
this troubleshooting for themselves is roughly equivalent to the number
of people who've successfully set up 2FA on their own initiative.
---
Roland Dobbins <rdobb...@arbor.net>
user
troubleshooting, as well.
---
Roland Dobbins <rdobb...@arbor.net>
in the public mind of 'my network' from 'the Internet'
that is analogous to the separation between 'the power company' and 'the
electrical wiring in my house/apartment' (and even in that space, the
conceptual separation often isn't present).
---
Roland Dobbins <rd
.gifs or
something, surely this might be possible, yes?
It seems within the realm of possibility this sort of response - or lack
thereof - could result in some gaming network operators becoming a bit
jaded. And perhaps some customers, too.
---
Roland Dobbins
of engagement of clueful folks in the global
operational community. Some gaming-oriented networks are
well-represented; others are not, sadly.
---
Roland Dobbins <rdobb...@arbor.net>
; as CGN becomes
more prevalent on wireline broadband networks, it's only going to get
worse.
AFAIK, PSN doesn't support IPv6. That would be another topic of
discussion with the operational folks.
---
Roland Dobbins <rdobb...@arbor.net>
they can be enforced.
---
Roland Dobbins <rdobb...@arbor.net>
On 13 Jun 2016, at 8:52, Kasper Adel wrote:
> 2) Do some planning and research first.
This.
---
Roland Dobbins <rdobb...@arbor.net>
he
cache-flushing challenges you're now experiencing.
Sometimes it isn't possible, of course.
-------
Roland Dobbins <rdobb...@arbor.net>
th addressing seldom, if ever, accomplishes anything
useful in terms of successfully defending against DDoS attacks.
-------
Roland Dobbins <rdobb...@arbor.net>
their ISPs?
;>
---
Roland Dobbins <rdobb...@arbor.net>
ing-Opensourcely-wp.pdf>
Just keep in mind, *nothing* is perfect.
---
Roland Dobbins <rdobb...@arbor.net>
and research papers,
but rather upon our actions which generate the data and experiential
observations upon which such reports and research papers are based.
---
Roland Dobbins <rdobb...@arbor.net>
d); those
espousing it pretty quickly changed their tunes once their networks had
been knocked flat a couple of times.
;>
-------
Roland Dobbins <rdobb...@arbor.net>
rapidity of response, and interoperability in both inter- and
intra-network DDoS mitigation scenarios.
---
Roland Dobbins <rdobb...@arbor.net>
On 30 Apr 2016, at 19:56, Pierre Lamy wrote:
> to null out the destination rather than the source.
<https://tools.ietf.org/html/rfc5635>
-------
Roland Dobbins <rdobb...@arbor.net>
On 13 Mar 2016, at 3:03, George Herbert wrote:
> It's a symptom of trying to save a few cents at the risk of dollars.
Concur 100%.
Not to mention the related security issues.
---
Roland Dobbins <rdobb...@arbor.net>
lying around in random rooms, and that
those rooms are de facto government data centers, whether those who're
responsible for said rooms/servers know it or not . . .
---
Roland Dobbins <rdobb...@arbor.net>
spamming the list.
-------
Roland Dobbins <rdobb...@arbor.net>
es.
I really like to hear feedback about my vision.
See above.
-------
Roland Dobbins <rdobb...@arbor.net>
NetFlow implementations (with the exceptions of crippled
implementations like the aforementioned EARL6/EARL7 and pre-Sup7 Cisco
4500) are simply untrue.
---
Roland Dobbins <rdobb...@arbor.net>
.
This is incorrect, and reflects an inaccurate understanding of how
NetFlow/IPFIX actually works, in practice. It's often repeated by those
with little or no operational experience with NetFlow/IPFIX.
---
Roland Dobbins <rdobb...@arbor.net>
, anyways.
---
Roland Dobbins <rdobb...@arbor.net>
rt 1:1.
---
Roland Dobbins <rdobb...@arbor.net>
On 27 Feb 2016, at 8:06, Keith Medcalf wrote:
Consumer Narrowband Access Networks use these protocols all the time.
Most broadband access customers do not actively use these protocols,
themselves, with the partial exception of SIP.
---
Roland Dobbins <rd
On 27 Feb 2016, at 7:59, John Levine wrote:
I think that most if not all of the consumer over the top VoIP phones
like Vonage use SIP.
That's true. One would hope that they're not globally reachable,
however.
---
Roland Dobbins <rdobb...@arbor.net>
On 27 Feb 2016, at 7:23, John Levine wrote:
The VoIP phones sure use SIP.
True, but how prevalent are 'bare' SIP phones vs. VoIP systems utilized
by remote workers via VPNs?
---
Roland Dobbins <rdobb...@arbor.net>
On 27 Feb 2016, at 4:03, John Levine wrote:
A certain number of us work from home and connect to headquarters with
a VPN, and have SIP phones, you know.
Not typically via/requiring the protocols you mentioned.
---
Roland Dobbins <rdobb...@arbor.net>
are what's being
discussed in this thread.
It's a different story for transit operators.
---
Roland Dobbins <rdobb...@arbor.net>
.
---
Roland Dobbins <rdobb...@arbor.net>
.
Also, see this article:
<http://arstechnica.com/security/2016/02/asus-lawsuit-puts-entire-industry-on-notice-over-shoddy-router-security/>
and this .pdf preso:
<https://app.box.com/s/rblnddlhda44giwfa8hy>
---
Roland Dobbins <rdobb...@arbor.net>
running out-of-date software that is abusable in multiple
ways.
---
Roland Dobbins <rdobb...@arbor.net>
pp.box.com/s/r7an1moswtc7ce58f8gg>
-------
Roland Dobbins <rdobb...@arbor.net>
is
often the case).
And even that small tenth of a percent who're deliberately running their
own DNS servers can end up inadvertently causing disruption if they're
running those DNS servers as open recursors.
---
Roland Dobbins <rdobb...@arbor.net>
.
---
Roland Dobbins <rdobb...@arbor.net>
*destined* for
UDP/53 on broadband access networks, not *sourced from*.
---
Roland Dobbins <rdobb...@arbor.net>
from
broadband access networks due to abusable CPE. Others, as well, of
course, but those are generally the most prevalent.
---
Roland Dobbins <rdobb...@arbor.net>
.
---
Roland Dobbins <rdobb...@arbor.net>
t from the immediate upstream.
---
Roland Dobbins <rdobb...@arbor.net>
On 29 Jan 2016, at 0:05, Crane, Todd wrote:
> Imagine the issues if EoL'ed and EoS'ed those iPads.
Um, I think they are . . .
---
Roland Dobbins <rdobb...@arbor.net>
, or . . . ?
---
Roland Dobbins <rdobb...@arbor.net>
On 13 Dec 2015, at 0:23, Jim Shankland wrote:
Am I missing something, or is an even distribution of originating IP
addresses virtually impossible *without* using spoofing?
If his remarks were reported correctly, they are incorrect.
---
Roland Dobbins <rd
tps://app.box.com/s/776tkb82634ewvzvp26nnout6v4ij39q>
<https://app.box.com/s/r7an1moswtc7ce58f8gg>
---
Roland Dobbins <rdobb...@arbor.net>
, and some preemptive ACLs so that you
aren't forced into completing the DDoS.
---
Roland Dobbins <rdobb...@arbor.net>
y-specific.
-------
Roland Dobbins <rdobb...@arbor.net>
On 7 Dec 2015, at 13:41, Laurent Dumont wrote:
> I appreciate any input on the matter!
1. cisco-nsp is a better list for this type of question.
2. The ASR9K is an edge router, not an access switch.
3. Why not just ask Cisco, for starters?
---
Rol
Start with the BCPs, then move to the macroanalytical. Only dip into
the microanalytical when required, and even then, do so very
selectively.
---
Roland Dobbins <rdobb...@arbor.net>
DDoS attacks, FYI.
---
Roland Dobbins <rdobb...@arbor.net>
On 3 Dec 2015, at 22:26, Nick Hilliard wrote:
> If you believe that someone who issues a ransom threat will stop if you pay
> them off, you're smoking crack.
+1
These attacks aren't rocket-science to defend against.
OP, ping me 1:1.
---
Roland Dobbins
th the right
folks.
---
Roland Dobbins <rdobb...@arbor.net>
On 3 Dec 2015, at 22:04, Josh Reynolds wrote:
> None of those names you just mentioned have made the international news.
Of course they have.
---
Roland Dobbins <rdobb...@arbor.net>
On 4 Dec 2015, at 2:38, Dovid Bender wrote:
> The last I spoke with NTT they said the largest they ever saw was > 300GB
That wasn't DD4BC or Armada Collective.
---
Roland Dobbins <rdobb...@arbor.net>
On 2 Dec 2015, at 0:14, Roland Dobbins wrote:
Until the happy day when we've achieved universal source-address
validation arrives, various combinations of the above.
I forgot to mention RRL on authoritative servers, apologies.
---
Roland Dobbins <rd
ed out'
by programmatically-generated attack traffic).
The real solution to this entire problem set is source-address
validation, as you indicate. Until the happy day when we've achieved
universal source-address validation arrives, various combinations of the
above.
---
Roland D