Re: [SECURITY] Application layer attacks/DDoS attacks
Just to ask, what is the expected effect on DDoS attacks if folks implemented BCP38? How does the cost of implementing BCP38 compare to the cost of other solution attempts? H
Re: [SECURITY] Application layer attacks/DDoS attacks
--- st...@ntp.org wrote:
From: Harlan Stenn st...@ntp.org

Just to ask, what is the expected effect on DDoS attacks if folks implemented BCP38?
---

A moot point these days. After all the years it has been out (15 years: https://tools.ietf.org/html/bcp38) it can be seen that many are not implementing it. Those that care (NANOG type folks) already have deployed it and those that don't care have not and will not. I have met a lot of the latter in recent years. Maybe I'm getting cynical?

scott

What's going on? Isn't everybody headed to the beach or the mountains for Memorial Day weekend? ;-)
Re: [SECURITY] Application layer attacks/DDoS attacks
Yes Harlan, you are absolutely right; even if this won't stop the botnet-based DDoS attacks, it will at least significantly decrease the volume/frequency of the volume-based attacks. On the other side, DDoS protection has now become a business that ISPs of all tiers make money from, and those ISPs are the exact place where the implementation of anti-spoofing makes the best sense; conflict of interests now... However, the trusted network initiative might be a good approach to start influencing operators to apply anti-spoofing mechanisms.

Salam,
Ramy

On 23 May 2015 10:48 pm, Harlan Stenn st...@ntp.org wrote:
> Just to ask, what is the expected effect on DDoS attacks if folks implemented BCP38? How does the cost of implementing BCP38 compare to the cost of other solution attempts?
> H
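Harlan's question and Ramy's answer above turn on what ingress filtering actually removes from the traffic mix. The following is an added example, not code from the thread or from any router vendor: a Python simulation of the strict form of BCP38 (RFC 2827) source-address validation at a customer edge, run over a constructed packet mix. The interface names, prefix table and packets are made up for illustration; the point it demonstrates is that reflection packets with a forged victim source are dropped at the first hop, while a bot sending from its real address passes untouched.

```python
"""BCP38 / RFC 2827 ingress filtering, simulated over constructed packets.

Added example, not code from the NANOG thread or from any router vendor.
It models the strict form of source-address validation an access ISP applies
at the customer edge: a packet is forwarded only if its source address lies
inside a prefix assigned to the interface it arrived on. The interface/prefix
table and the traffic mix below are made up for illustration.
"""
import ipaddress
from collections import Counter
from dataclasses import dataclass

# Assumption: per-interface customer prefix table, as provisioning data or
# IRR route objects would supply it. Hypothetical interface names/prefixes.
INTERFACE_PREFIXES = {
    "ge-0/0/1": [ipaddress.ip_network("203.0.113.0/24")],
    "ge-0/0/2": [ipaddress.ip_network("198.51.100.0/25"),
                 ipaddress.ip_network("2001:db8:1::/48")],
}


@dataclass(frozen=True)
class Packet:
    ingress: str   # interface the packet arrived on
    src: str       # source address as seen on the wire
    dst: str
    note: str      # what kind of traffic this constructed packet stands for


def bcp38_permit(pkt, table=INTERFACE_PREFIXES):
    """True only if pkt.src falls within a prefix assigned to pkt.ingress."""
    try:
        src = ipaddress.ip_address(pkt.src)
    except ValueError:
        return False  # unparseable source address: drop
    # ipaddress returns False (not an error) for a v4 address in a v6 network.
    return any(src in net for net in table.get(pkt.ingress, []))


def filter_batch(packets, table=INTERFACE_PREFIXES):
    """Split packets into (forwarded, dropped) and count drops by note."""
    forwarded, dropped = [], []
    for p in packets:
        (forwarded if bcp38_permit(p, table) else dropped).append(p)
    return forwarded, dropped, Counter(p.note for p in dropped)


# Constructed traffic mix, not captured data.
SAMPLE = [
    Packet("ge-0/0/1", "203.0.113.10", "192.0.2.80", "legit web request"),
    # Reflection/amplification: source forged as the victim (192.0.2.7) so
    # the reflector's larger reply lands on the victim. Spoofed, so dropped.
    Packet("ge-0/0/1", "192.0.2.7", "198.51.100.53", "spoofed DNS reflection"),
    Packet("ge-0/0/1", "192.0.2.7", "198.51.100.123", "spoofed NTP reflection"),
    # Botnet member sending from its real address: not spoofed, so BCP38
    # forwards it. This is the traffic BCP38 cannot remove.
    Packet("ge-0/0/1", "203.0.113.99", "192.0.2.80", "bot HTTP flood, real source"),
    Packet("ge-0/0/2", "2001:db8:1::5", "2001:db8:2::80", "legit IPv6 request"),
    Packet("ge-0/0/2", "203.0.113.10", "192.0.2.80", "source from another customer"),
    Packet("unknown-if", "198.51.100.9", "192.0.2.80", "interface with no prefix entry"),
]

if __name__ == "__main__":
    fwd, drp, why = filter_batch(SAMPLE)
    print(f"forwarded {len(fwd)}, dropped {len(drp)}")
    for note, n in why.items():
        print(f"  dropped: {note} x{n}")
```

The static table stands in for what a router does with strict-mode uRPF (check the source against the FIB's best path back out the ingress interface); a multihomed customer whose return path is not symmetric is the usual reason operators fall back to loose mode or an explicit ACL, which is exactly the operational cost Harlan is asking about.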
Re: [SECURITY] Application layer attacks/DDoS attacks
On 24 May 2015, at 3:14, Scott Weeks wrote:
> Those that care (NANOG type folks) already have deployed it and those that don't care have not and will not.

Concur 100%.

https://app.box.com/s/r7an1moswtc7ce58f8gg

---
Roland Dobbins rdobb...@arbor.net
Re: Help Needed Segmenting Existing Network with Sophos UTM Cisco Catalyst switches and RHEL6 Hypervisors
Thanks Baldur. I am definitely planning on doing that.

Eric, no, the VMs are not all segregated, they are all blended together. You can find a 192.168 sharing the same physical host as a 10.10. I've never played with OpenVSwitch before, though. Would introducing it here lead to any further complexities?

On Sat, May 23, 2015 at 8:05 PM, Baldur Norddahl baldur.nordd...@gmail.com wrote:
> The answer to this one is easy. Yes, there is very likely a series of steps that will achieve what you want remotely. But... The data center is a long way away, and any downtime will be catastrophic. The slightest misstep and you will be down until you arrive at the site. So do not even think about trying this. You go there and you do it at night, when the impact of a mistake is less.
>
> Regards,
> Baldur
Re: [SECURITY] Application layer attacks/DDoS attacks
While I don't think any ISP wants DDoS to make $$, I do, based on experience, believe that business cases have to be made for everything. With the prices paid for BW in most of the world now (or over the last number of years) it's going to be VERY hard to get anyone to allocate time/$$ or energy to do anything they don't need to, to get the bit to you.

-jim

On Sat, May 23, 2015 at 6:33 PM, Ramy Hashish ramy.ihash...@gmail.com wrote:
> Yes Harlan, you are absolutely right; even if this won't stop the botnet-based DDoS attacks, it will at least significantly decrease the volume/frequency of the volume-based attacks. On the other side, DDoS protection has now become a business that ISPs of all tiers make money from, and those ISPs are the exact place where the implementation of anti-spoofing makes the best sense; conflict of interests now... However, the trusted network initiative might be a good approach to start influencing operators to apply anti-spoofing mechanisms.
>
> Salam,
> Ramy
>
> On 23 May 2015 10:48 pm, Harlan Stenn st...@ntp.org wrote:
> > Just to ask, what is the expected effect on DDoS attacks if folks implemented BCP38? How does the cost of implementing BCP38 compare to the cost of other solution attempts?
> > H
Re: Help Needed Segmenting Existing Network with Sophos UTM Cisco Catalyst switches and RHEL6 Hypervisors
Can you provide a quick diagram with the current subnet and traffic path?

On Fri, May 22, 2015 at 7:51 PM Sina Owolabi notify.s...@gmail.com wrote:
> Hi!
>
> I am in a bit of a planning and implementation quandary and I'm hoping to solicit implementation assistance on an already existing network which needs to have segmentation and security.
>
> I have only remote access to the network, which comprises a number of Red Hat Linux 6-based hypervisor servers (hosting a multiplicity of virtual machines in different networks), a Sophos UTM gateway device (specifically ASG220) serving as a router, and two Cisco Catalyst 2960 switches (one on the internet side of the UTM gateway, and the other allowing access to the UTM from the RHEL6 hypervisors). There are a number of subnets defined on both the hypervisors and the virtual machines, all using the Sophos UTM as their gateway to each other, and to the internet.
>
> My task is to properly segregate access and traffic between the devices, which do not have VLANs defined on them. Remotely.
>
> My question is, can I create VLANs, and their trunk ports on the 2960 switches (especially on the LAN switch) that will segregate traffic between the networks defined on the UTM, the hypervisors and their guest machines, without causing network downtime? Is it best to attack the switches first, creating the VLANs there, before implementing VLANs on the UTM and the hypervisors?
>
> I would be grateful for any planning assistance. The data center is a long way away, and any downtime will be catastrophic.
>
> Thanks in advance!
[SECURITY] Application layer attacks/DDoS attacks
Hello there,

As a reaction to the increasing demand from enterprises for DDoS protection services, a fierce competition between vendors is about to start in this playground; big upfront investments have started to happen in the tier one, tier two and tier three ISPs. IMHO this will have an aggressive effect on the volume of the DDoS attacks, and will eventually steer the mindset of the enterprises towards hosting the most critical applications/services in a well geographically-dispersed cloud and increasing the surface area using anycast, then relatively decreasing the attack volume.

Back to the DDoS protection, most anti-DDoS vendors are marketing their products as application layer DDoS attack defense. I am a little bit confused; aren't the application firewalls, either integrated in a NGFW or a UTM, responsible for mitigating application layer attacks?

Thanks,
Ramy
Re: [SECURITY] Application layer attacks/DDoS attacks
On 23 May 2015, at 19:56, Ramy Hashish wrote:
> I am a little bit confused; aren't the application firewalls, either integrated in a NGFW or a UTM, responsible for mitigating application layer attacks?

https://app.box.com/s/a3oqqlgwe15j8svojvzl

https://app.box.com/s/4h2l6f4m8is6jnwk28cg

---
Roland Dobbins rdobb...@arbor.net
Re: Help Needed Segmenting Existing Network with Sophos UTM Cisco Catalyst switches and RHEL6 Hypervisors
Diagramming is a little difficult right now, but think of the current state as router-on-a-stick without VLANs, that needs to have VLANs set up.

On Sat, May 23, 2015, 6:57 AM olushile akintade olush...@gmail.com wrote:
> Can you provide a quick diagram with the current subnet and traffic path?
>
> On Fri, May 22, 2015 at 7:51 PM Sina Owolabi notify.s...@gmail.com wrote:
> > Hi!
> >
> > I am in a bit of a planning and implementation quandary and I'm hoping to solicit implementation assistance on an already existing network which needs to have segmentation and security.
> >
> > I have only remote access to the network, which comprises a number of Red Hat Linux 6-based hypervisor servers (hosting a multiplicity of virtual machines in different networks), a Sophos UTM gateway device (specifically ASG220) serving as a router, and two Cisco Catalyst 2960 switches (one on the internet side of the UTM gateway, and the other allowing access to the UTM from the RHEL6 hypervisors). There are a number of subnets defined on both the hypervisors and the virtual machines, all using the Sophos UTM as their gateway to each other, and to the internet.
> >
> > My task is to properly segregate access and traffic between the devices, which do not have VLANs defined on them. Remotely.
> >
> > My question is, can I create VLANs, and their trunk ports on the 2960 switches (especially on the LAN switch) that will segregate traffic between the networks defined on the UTM, the hypervisors and their guest machines, without causing network downtime? Is it best to attack the switches first, creating the VLANs there, before implementing VLANs on the UTM and the hypervisors?
> >
> > I would be grateful for any planning assistance. The data center is a long way away, and any downtime will be catastrophic.
> >
> > Thanks in advance!
Re: [SECURITY] Application layer attacks/DDoS attacks
Too many pieces to answer on a weekend on NANOG, but those of us that work in the DDoS space have, over the last number of years, seen huge growth in the application layer attacks. This does not mean a decrease in volumetric attacks, just that now you have to worry about both, and lots of each. FWs, while they have got better, are still not the solution for many reasons. Moving things to the cloud helps in some cases but not all. This is an arms race: the better we get at protecting, the better the bad guys get at attacking.

-jim

On Sat, May 23, 2015 at 9:56 AM, Ramy Hashish ramy.ihash...@gmail.com wrote:
> Hello there,
>
> As a reaction to the increasing demand from enterprises for DDoS protection services, a fierce competition between vendors is about to start in this playground; big upfront investments have started to happen in the tier one, tier two and tier three ISPs. IMHO this will have an aggressive effect on the volume of the DDoS attacks, and will eventually steer the mindset of the enterprises towards hosting the most critical applications/services in a well geographically-dispersed cloud and increasing the surface area using anycast, then relatively decreasing the attack volume.
>
> Back to the DDoS protection, most anti-DDoS vendors are marketing their products as application layer DDoS attack defense. I am a little bit confused; aren't the application firewalls, either integrated in a NGFW or a UTM, responsible for mitigating application layer attacks?
>
> Thanks,
> Ramy
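jim's point that application-layer attacks have to be handled on their own terms is easier to see with detection logic that only exists at layer 7. The following is an added example, not code from the thread or from any vendor product: a Python detector that parses Common Log Format access-log lines and flags a source whose request count to a single path inside a sliding window exceeds a threshold, the shape of an HTTP flood that a packets-per-second view would not distinguish from a busy legitimate client. The log lines, window size and threshold are constructed for illustration, and the lines are assumed to arrive in time order as a live tail would deliver them.

```python
"""Flagging an application-layer (HTTP) flood from web server access logs.

Added example, not code from the thread or from any vendor product. It parses
Common Log Format lines and flags a source whose request count to one path
inside a sliding time window exceeds a threshold. The log lines, window and
threshold below are constructed for illustration; lines are assumed to be in
time order, as a live tail would deliver them. A volumetric attack would never
appear here at all, which is why both kinds have to be handled.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return a dict for a CLF line, or None for a line that does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "src": m["src"],
        "ts": datetime.strptime(m["ts"], TS_FMT),
        "method": m["method"],
        "path": m["path"],
        "status": int(m["status"]),
    }


def detect_floods(lines, window_s=10, max_per_window=5):
    """Return {src: (path, peak)} for sources that sent more than
    max_per_window requests to a single path within any window_s seconds."""
    recent = defaultdict(deque)   # (src, path) -> timestamps still in window
    offenders = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue              # malformed line: skip, do not crash the detector
        key = (rec["src"], rec["path"])
        q = recent[key]
        q.append(rec["ts"])
        while (rec["ts"] - q[0]).total_seconds() > window_s:
            q.popleft()           # evict timestamps that fell out of the window
        if len(q) > max_per_window:
            _, peak = offenders.get(rec["src"], (rec["path"], 0))
            if len(q) > peak:
                offenders[rec["src"]] = (rec["path"], len(q))
    return offenders


# Constructed log lines (not real traffic): one client browsing normally,
# one hammering /login, and one malformed line to exercise the skip path.
SAMPLE_LOG = [
    '203.0.113.5 - - [23/May/2015:10:00:00 +0000] "GET / HTTP/1.1" 200 512',
    '198.51.100.23 - - [23/May/2015:10:00:01 +0000] "POST /login HTTP/1.1" 401 220',
    '198.51.100.23 - - [23/May/2015:10:00:02 +0000] "POST /login HTTP/1.1" 401 220',
    '203.0.113.5 - - [23/May/2015:10:00:02 +0000] "GET /about HTTP/1.1" 200 800',
    '198.51.100.23 - - [23/May/2015:10:00:03 +0000] "POST /login HTTP/1.1" 401 220',
    '198.51.100.23 - - [23/May/2015:10:00:04 +0000] "POST /login HTTP/1.1" 401 220',
    'this line is garbage and should be skipped',
    '198.51.100.23 - - [23/May/2015:10:00:05 +0000] "POST /login HTTP/1.1" 401 220',
    '198.51.100.23 - - [23/May/2015:10:00:06 +0000] "POST /login HTTP/1.1" 401 220',
    '203.0.113.5 - - [23/May/2015:10:00:07 +0000] "GET /contact HTTP/1.1" 200 300',
    '198.51.100.23 - - [23/May/2015:10:00:07 +0000] "POST /login HTTP/1.1" 401 220',
    '198.51.100.23 - - [23/May/2015:10:00:30 +0000] "POST /login HTTP/1.1" 401 220',
]

if __name__ == "__main__":
    for src, (path, peak) in detect_floods(SAMPLE_LOG).items():
        print(f"{src}: {peak} requests to {path} within 10s")
```

The per-(source, path) key is deliberate: a legitimate client spread across many pages stays under the threshold, while a flood or credential-stuffing run concentrates on one endpoint. In practice the same logic runs behind the traffic a WAF or NGFW already passed, which is why jim treats firewalls as necessary but not sufficient.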
Re: Peering and Network Cost
- Original Message -
From: Dave Taht dave.t...@gmail.com

> Two things I am curious about are 1) What is the measured benefit of moving a netflix server into your local ISP network and 2) does anyone measure cross town latency. If we lived in a world where skype/voip/etc transited the local town only, what sort of latencies would we see within an ISP and within a cross-connect from, say a gfiber to a comcast?

Once upon a time I'd heard that most phone calls were within 6 miles of the person's home, but I don't remember the breakdown of those call percentages (?), and certainly the old-style phone system was achieving very low latencies for those kinds of traffic.

The lack of decent geographic locality of reference on the Internet has bothered me for some time; it's often presented as an *effect* of the eyeballs/servers nature of the net, but I'm not at all sure it's not more a cause of it -- at least at this late date.

The problem, of course, is that carriers make money off transit; it's not in their commercial best interest to unload those links; it's very similar to the reason my best friend's second semester pre-law textbooks cost her nearly $1000; the people selecting them have no interest in the price, since they don't pay it.

Cheers,
-- jra
--
Jay R. Ashworth        Baylink                    j...@baylink.com
Designer               The Things I Think         RFC 2100
Ashworth Associates    http://www.bcp38.info      2000 Land Rover DII
St Petersburg FL USA   BCP38: Ask For It By Name! +1 727 647 1274
Re: Help Needed Segmenting Existing Network with Sophos UTM Cisco Catalyst switches and RHEL6 Hypervisors
The answer to this one is easy. Yes, there is very likely a series of steps, that will achieve what you want remotely. But... The data center is a long way away, and any downtime will be catastrophic. The slightest misstep and you will be down until you arrive at the site. So do not even think about trying this. You go there and you do it at night, when the impact of a mistake is less. Regards, Baldur