Re: Data Center operations mail list?
Done, thanks!

On Wed, Aug 12, 2015 at 10:36 AM, Chris Boyd cb...@gizmopartners.com wrote:
> On Aug 12, 2015, at 7:53 AM, Oliver O'Boyle oliver.obo...@gmail.com wrote:
>> I missed the subscription info. Can you repost please? I can be #100 :)
>
> http://lists.nadcog.org
>
> Welcome aboard.
>
> —Chris

--
:o@

Re: Experience on Wanguard for 'anti' DDOS solutions
> Date: Tue, 11 Aug 2015 08:14:54 +0200
> From: marcel.durega...@yahoo.fr
> To: nanog@nanog.org
> Subject: Re: Experience on Wanguard for 'anti' DDOS solutions
> Message-ID: 55c992de.3020...@yahoo.fr
> Content-Type: text/plain; charset=windows-1252; format=flowed
>
> anybody from this impressive list ?: https://www.andrisoft.com/company/customers
>
> -- Marcel

Anybody here compared Wanguard's performance with the DDoS vendors in the market (Arbor, Radware, NSFocus, A10, RioRey, Staminus, F5 ..)?

Another question, has anybody from the reviewers tested the false positives of the box, or experienced any false positive incidents?

Thanks,
Ramy

Re: Data Center operations mail list?
On Aug 12, 2015, at 7:53 AM, Oliver O'Boyle oliver.obo...@gmail.com wrote:
> I missed the subscription info. Can you repost please? I can be #100 :)

http://lists.nadcog.org

Welcome aboard.

—Chris

Re: Data Center operations mail list?
Interesting... I just went to the web site to subscribe and I received an email that I was already subscribed. I don't remember doing that... So how did this happen??

Robert

On Wed, 12 Aug 2015 07:33:05 -0500 Rafael Possamai raf...@gav.ufsc.br wrote:
> I was actually surprised with how many people subscribed already. I think we are close to 100 already in less than 24 hours.
>
> I could use some help drafting some basic mailing list rules (no spam, no soliciting, etc) and if anyone has any suggestions, please let me know.
>
> On Wed, Aug 12, 2015 at 1:34 AM, Mark Tinka mark.ti...@seacom.mu wrote:
>> On 11/Aug/15 17:46, Alex Brooks wrote:
>>> With the lack of interest compared to NANOG (especially seeing how the old list simply dried up) it might be best making the list global rather than North America only to get the traffic levels up a bit.
>>
>> Tend to agree that a list with global scope might be more useful.
>>
>> Mark.

Re: Experience on Wanguard for 'anti' DDOS solutions
Hello

My 2 cents

You can use Wanguard for the detection and A10 for the mitigation, you have just to play with the API.

Regards

Fabien

On 12 Aug 2015 at 16:28, Ramy Hashish ramy.ihash...@gmail.com wrote:
>> Date: Tue, 11 Aug 2015 08:14:54 +0200
>> From: marcel.durega...@yahoo.fr
>> To: nanog@nanog.org
>> Subject: Re: Experience on Wanguard for 'anti' DDOS solutions
>> Message-ID: 55c992de.3020...@yahoo.fr
>> Content-Type: text/plain; charset=windows-1252; format=flowed
>>
>> anybody from this impressive list ?: https://www.andrisoft.com/company/customers
>>
>> -- Marcel
>
> Anybody here compared Wanguard's performance with the DDoS vendors in the market (Arbor, Radware, NSFocus, A10, RioRey, Staminus, F5 ..)?
>
> Another question, has anybody from the reviewers tested the false positives of the box, or experienced any false positive incidents?
>
> Thanks,
> Ramy

Re: Data Center operations mail list?
Robert, the first few people who expressed interest were subscribed manually. Everyone else has been using the list website to subscribe! There should have been a message sent out with the subscription email explaining it :)

On Wed, Aug 12, 2015 at 10:28 AM, Robert Webb rw...@ropeguru.com wrote:
> Interesting... I just went to the web site to subscribe and I received an email that I was already subscribed. I don't remember doing that... So how did this happen??
>
> Robert
>
> On Wed, 12 Aug 2015 07:33:05 -0500 Rafael Possamai raf...@gav.ufsc.br wrote:
>> I was actually surprised with how many people subscribed already. I think we are close to 100 already in less than 24 hours.
>>
>> I could use some help drafting some basic mailing list rules (no spam, no soliciting, etc) and if anyone has any suggestions, please let me know.
>>
>> On Wed, Aug 12, 2015 at 1:34 AM, Mark Tinka mark.ti...@seacom.mu wrote:
>>> On 11/Aug/15 17:46, Alex Brooks wrote:
>>>> With the lack of interest compared to NANOG (especially seeing how the old list simply dried up) it might be best making the list global rather than North America only to get the traffic levels up a bit.
>>>
>>> Tend to agree that a list with global scope might be more useful.
>>>
>>> Mark.

Re: Experience on Wanguard for 'anti' DDOS solutions
Hello Fabien,

And why don't you use A10 for both detection and mitigation?

Thanks,
Ramy

On Wed, Aug 12, 2015 at 6:42 PM, Fabien Delmotte fdelmot...@mac.com wrote:
> Hello
>
> My 2 cents
>
> You can use Wanguard for the detection and A10 for the mitigation, you have just to play with the API.
>
> Regards
>
> Fabien
>
> On 12 Aug 2015 at 16:28, Ramy Hashish ramy.ihash...@gmail.com wrote:
>>> Date: Tue, 11 Aug 2015 08:14:54 +0200
>>> From: marcel.durega...@yahoo.fr
>>> To: nanog@nanog.org
>>> Subject: Re: Experience on Wanguard for 'anti' DDOS solutions
>>> Message-ID: 55c992de.3020...@yahoo.fr
>>> Content-Type: text/plain; charset=windows-1252; format=flowed
>>>
>>> anybody from this impressive list ?: https://www.andrisoft.com/company/customers
>>>
>>> -- Marcel
>>
>> Anybody here compared Wanguard's performance with the DDoS vendors in the market (Arbor, Radware, NSFocus, A10, RioRey, Staminus, F5 ..)?
>>
>> Another question, has anybody from the reviewers tested the false positives of the box, or experienced any false positive incidents?
>>
>> Thanks,
>> Ramy

Can someone from Cogentco.com contact me offlist?
A routing/filtering problem probably between be2185.ccr22.cle04.atlas.cogentco.com and be2009.ccr21.alb02.atlas.cogentco.com.

--
-=[Lou Katz]=-
Composed on an ASR33

Re: Experience on Wanguard for 'anti' DDOS solutions
hi ramy

On 08/12/15 at 05:28pm, Ramy Hashish wrote:
> Anybody here compared Wanguard's performance with the DDoS vendors in the market (Arbor, Radware, NSFocus, A10, RioRey, Staminus, F5 ..)?

wouldn't the above comparison be kinda funky comparing software solutions with hardware appliances and/or cloud scrubbers ??

comparisons between vendors should be between sw solutions, or hw appliances vs other hw, or cloud vs other clouds

wanguard should be compared with other sw options or vendors using sflow, netflow, jflow, etc etc
  http://www.andrisoft.com/software/wanguard
  http://bitbucket.org/tortoiselabs/ddosmon
  http://www.github.com/FastVPSEestiOu/fastnetmon
  http://nfdump.sourceforge.net
  http://nfsen.sourceforge.net

wanguard - software solution using sflow
  http://www.andrisoft.com/software/wanguard

arbor -- hardware/software solutions -- peakflow
  http://www.arbornetworks.com/products/peakflow

radware -- hardware/software/cloud solutions -- defenseflow
  http://www.radware.com/products/attack-mitigation-service/
  http://www.radware.com/Products/DefenseFlow/

nsfocus -- hardware/cloud solutions
  http://www.nsfocus.com/products/

A10 -- hardware solution
  http://www.a10network.com/products

riorey --- hardware solution
  http://www.riorey.com/riorey-ddos-products

staminus - hardware/cloud solutions
  http://www.staminus.net/shield

# and to add to the ddos confusion ..

akamai/prolexic --- hardware/cloud solution

f5 -- hardware/cloud solutions
  http://www.f5.com/resources/white-papers/mitigating-ddos-attacks-with-f5-technology

fortinet -- custom ASIC hardware and cloud solution
  http://www.fortinet.com/products/fortiddos/ddos-mitigation-appliances.html

- simulated ddos attacks should include:
  ==
  == you are already getting hourly low level DDoS attacks from your script kiddies
  == try to defend against those mostly harmless attacks first
  ==

  # some trivial benchmark DDoS attacks to generate -- internally only
  # - never send DDoS packets outside of your bldg/gateway
  #
  # DDoS-Simulator.net == generate any DDoS packets per your desires
  # - use nc, socat, *perf, nping or hping to generate most of these DDoS attacks
  # - use dsniff/arpspoof to break everything
  #

  within your own network, send few packets per second attacks
  within your own network, send x,000 packets per second attacks
  within your own network, send xxx,000 packet per second attacks sustained sporadically over hours/days

  - arp-based attacks

  - udp-based attacks
    nping -v -d1 -c 1 --data-length 1511 --rate 12345 --udp 127.0.0.1
    hping -c 1 -d 1511 -i u 81 --rand-source -p 123 -S --udp -p 123 127.0.0.1

  - icmp-based attacks
    ping -c 1 -s 1511 -i 0.8 127.0.0.1
    nping -v -d1 -c 1 --data-length 1511 --rate 12345 --icmp 127.0.0.1
    hping -c 1 -d 1501 --rand-source --file TeraByteFile.bin --icmp 127.0.0.1
    gazillionPingApps

  - tcp-based attacks --- ez to send malicious packets and to defend against
    # 10,000 random src add
    hping -c 1 -d 1511 -i u 81 --rand-source -xxTCPflags 127.0.0.1
    # -S = set SYN flag
    # -F = set FIN flag
    # -A = set ACK flag

  - application layer tests --- http, ssh, mail and 65,532 other ports
    hping -c 1 -d 1511 -i u 81 --rand-source -p 22 -S 127.0.0.1
    hping -c 1 -d 1511 -i u 81 --rand-source -p 25 -S 127.0.0.1
    hping -c 1 -d 1511 -i u 81 --rand-source -p 80 -S 127.0.0.1
    hping -c 1 -d 1511 -i u 81 --rand-source -p 53 -S --udp 127.0.0.1

  - these attack the servers or client desktop/laptops

- volumetric attacks -- almost everybody will fail this test
  - volumetric attacks are pointless, you'll always fail at some point
    ping -f
    iperf
    socat

- send spam .. mitigated separately ...

- send virus and worms to the list ... mitigated separately ...

- cloud solutions
  - if you have regulatory compliance requirements, your options are extremely limited to a few certified and expensive clouds
  - what triggers the packets to go to the cloud for scrubbing
    - you do NOT want somebody looking at millions of packets to decide to send it off the cloud for scrubbing or not
    - you might NOT want to send everything to the cloud and incur un-necessary expenses if you're NOT under xxxGbit/sec DDoS attacks

- ddos mitigation should be able to distinguish legit traffic from real ddos traffic
  - eg folks downloading or sending 4GB dvd or larger files
  - eg silly folks sending 4GB dvd via emails

# simplified way to distinguish legit users from ddos attackers if web servers are running

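The false-positive point made above (a legit 4 GB transfer versus a real flood) worked through as an added example; this is not code from the thread or from any vendor named in it, and the flow records, address ranges, window and thresholds are all constructed for illustration:

```python
"""Toy flow-based DDoS detector over constructed NetFlow-style records.

Shows why packets-per-second alone gives false positives (a legit 4 GB
transfer) and which extra per-destination features separate it from a
spoofed SYN flood: number of distinct sources, average packet size and
the fraction of flows that are bare SYNs. All data here is constructed.
"""
from collections import defaultdict
from dataclasses import dataclass

WINDOW_SECONDS = 60  # assumed flow export / aggregation window


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str    # "tcp", "udp" or "icmp"
    dport: int
    flags: str    # TCP flags seen in the flow ("S" = SYN only); "" if not TCP
    packets: int
    bytes: int


def build_sample_flows():
    """Constructed sample: one legit bulk upload, one SYN flood, one normal web host."""
    flows = []
    # 1) legit: a single client pushing a ~4 GB DVD image to 198.51.100.10
    flows.append(Flow("192.0.2.7", "198.51.100.10", "tcp", 443, "PA", 2_800_000, 2_800_000 * 1460))
    # 2) SYN flood from 2000 spoofed sources (198.18.0.0/15 benchmarking range) to 198.51.100.20
    for i in range(2000):
        flows.append(Flow(f"198.18.{i // 256}.{i % 256}", "198.51.100.20", "tcp", 80, "S", 700, 700 * 60))
    # 3) ordinary web traffic: 50 clients, small flows, to 198.51.100.30
    for i in range(50):
        flows.append(Flow(f"203.0.113.{i + 1}", "198.51.100.30", "tcp", 443, "PA", 40, 40 * 500))
    return flows


def aggregate(flows):
    """Per-destination counters over the window."""
    per_dst = defaultdict(lambda: {"packets": 0, "bytes": 0, "flows": 0, "syn_only": 0, "srcs": set()})
    for f in flows:
        d = per_dst[f.dst]
        d["packets"] += f.packets
        d["bytes"] += f.bytes
        d["flows"] += 1
        d["srcs"].add(f.src)
        if f.proto == "tcp" and f.flags == "S":
            d["syn_only"] += 1
    return per_dst


def detect(flows, pps_threshold=20_000, min_sources=500, max_avg_size=200, syn_ratio=0.8):
    """Return {dst: (verdict, reasons)}; verdict is 'normal', 'legit-heavy' or 'attack'.

    A destination becomes a candidate once it crosses the pps threshold (what a
    naive detector alerts on). It is called an attack only if the traffic also
    looks like one: many sources, tiny packets, or mostly bare SYNs. Heavy
    traffic without those features is 'legit-heavy', so an operator can review
    it instead of auto-diverting it to a scrubber.
    """
    verdicts = {}
    for dst, d in aggregate(flows).items():
        pps = d["packets"] / WINDOW_SECONDS
        if pps < pps_threshold:
            verdicts[dst] = ("normal", [])
            continue
        reasons = []
        if len(d["srcs"]) >= min_sources:
            reasons.append(f"{len(d['srcs'])} distinct sources")
        if d["bytes"] / d["packets"] <= max_avg_size:
            reasons.append(f"avg packet {d['bytes'] / d['packets']:.0f} B")
        if d["syn_only"] / d["flows"] >= syn_ratio:
            reasons.append(f"{d['syn_only'] / d['flows']:.0%} of flows are bare SYNs")
        verdicts[dst] = ("attack" if reasons else "legit-heavy", reasons)
    return verdicts


if __name__ == "__main__":
    for dst, (verdict, reasons) in detect(build_sample_flows()).items():
        print(dst, verdict, "; ".join(reasons))
```

The 4 GB upload crosses the pps threshold just like the flood does, which is exactly the alert a pps-only box would raise; only the source count, packet size and SYN fraction keep it out of the scrubber.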
Re: Experience on Wanguard for 'anti' DDOS solutions
you can try to get some financials (probably poor technical) view on DDOS :
http://www.infonetics.com/pr/2014/1H14-DDoS-Prevention-Appliances-Market-Highlights.asp

The DDOS prevention Appliances report is not free, and I doubt it's really technical :-) But at least you could know what your financial guys might think. Could help you if you want to convince them to buy Arbor :-).

- Marcel

On 12.08.2015 16:28, Ramy Hashish wrote:
>> Date: Tue, 11 Aug 2015 08:14:54 +0200
>> From: marcel.durega...@yahoo.fr
>> To: nanog@nanog.org
>> Subject: Re: Experience on Wanguard for 'anti' DDOS solutions
>> Message-ID: 55c992de.3020...@yahoo.fr
>> Content-Type: text/plain; charset=windows-1252; format=flowed
>>
>> anybody from this impressive list ?: https://www.andrisoft.com/company/customers
>>
>> -- Marcel
>
> Anybody here compared Wanguard's performance with the DDoS vendors in the market (Arbor, Radware, NSFocus, A10, RioRey, Staminus, F5 ..)?
>
> Another question, has anybody from the reviewers tested the false positives of the box, or experienced any false positive incidents?
>
> Thanks,
> Ramy

Re: Cogent revisited
On 11/Aug/15 16:00, Adam Greene wrote:
> Have opinions changed since then? Or is Cogent still the budget alternative to have in your mix, but better to stay away from if you need high-performance, reliable, mostly standalone bandwidth (which is how I would summarize the consensus in 2012)?

We use Cogent. No major drama. Then again, we have 7x of the top global providers in the mix.

My take is if you want to be single-homed, buy from a network slightly lower in the chain to the top providers. They'll have a good blend.

If you want to buy from Cogent, buy from a slightly smaller ISP as well, or add one or two other global providers into your mix. I'd do this anyway, whether it was Cogent or not.

Mark.

router dump and config
[ unicast reply please, unless you just wanna tell me to foad publicly, which is fine ]

purely for research, and we promise to destroy after. would appreciate

  one router config (passwords/credentials removed, of course)
  rib dump from that router (we can process C or J)

which has a number of large tier-1 peers

we are not really looking at peering or anything such as that. no politics or business involved at all. it's about ACL load, RPKI simulation, ...

thanks

randy

Re: Data Center operations mail list?
On 11/Aug/15 17:46, Alex Brooks wrote:
> With the lack of interest compared to NANOG (especially seeing how the old list simply dried up) it might be best making the list global rather than North America only to get the traffic levels up a bit.

Tend to agree that a list with global scope might be more useful.

Mark.

Re: Cogent revisited
On 11 August 2015 at 21:47, Adam Greene maill...@webjogger.net wrote:

Perhaps that depends on where you are in the world and your traffic types.

I have worked with two UK ISPs that have Cogent as one of their transit providers, neither have had any problems in the 5+ years they've both had the Cogent transit, it has always just worked.

Cheers,
James.

Re: Branch Location Over The Internet
Josh,

Just an FYI, I've successfully used these two EoIP implementations on Linux:

https://code.google.com/p/linux-eoip/
https://github.com/bbonev/eoip

So I wouldn't say EoIP is Mikrotik only -- these interop perfectly with Mikrotik. I started using these due to stability problems we were having with CCRs.

Pat

Tue, Aug 11, 2015 at 06:32:55PM -0400, Josh Luthman wrote:
> Eoip is Mikrotik only
>
> Josh Luthman
> Office: 937-552-2340
> Direct: 937-552-2343
> 1100 Wayne St
> Suite 1337
> Troy, OH 45373
>
> On Aug 11, 2015 6:28 PM, Colton Conor colton.co...@gmail.com wrote:
>> EoIP seems to be what I am looking for, however this recent Mikrotik session says:
>>
>>   EoIP could be a solution for tunneling L2 over L3.
>>   - EoIP disadvantages:
>>     - Fragmentation of L2 frames over multiple L3 packets
>>     - Performance issues
>>   - VPLS advantages:
>>     - No fragmentation.
>>     - 60% more performance than EoIP.
>>
>> So it sounds like VPLS might be better than EoIP? I can't find much about EoIP online, so is this a Mikrotik only protocol?
>>
>> On Tue, Aug 11, 2015 at 1:46 PM, Jürgen Jaritsch j...@anexia.at wrote:
>>> Hi,
>>>
>>> Mikrotik Routerboard + (encrypted) Ethernet over IP (EoIP). If required: MPLS+OSPF+BGP in the EoIP for additional features.
>>>
>>> Build the pseudo Layer2 with two dedicated boxes. In the HQ you can hand it over directly to the MX80 and at the new office you can work with small boxes like Cisco 7301 (also available with redundant PS) or if you need more ports: 19xx ...
>>>
>>> #) cheap setup
>>> #) can easily transport a few hundred Meg
>>> #) you can use refurb parts if required
>>> #) big community support for Mikrotik Routerboards
>>> #) encrypted transport possible
>>> #) works with dynamic IPs
>>> #) MPLS in the EoIP allows you to transport VRFs with BGP signaling
>>>
>>> Etc etc
>>>
>>> Best regards
>>>
>>> Jürgen Jaritsch
>>> Head of Network Infrastructure
>>>
>>> ANEXIA Internetdienstleistungs GmbH
>>>
>>> Phone: +43-5-0556-300
>>> Fax: +43-5-0556-500
>>>
>>> E-Mail: j...@anexia.at
>>> Web: http://www.anexia.at
>>>
>>> Head office address, Klagenfurt: Feldkirchnerstraße 140, 9020 Klagenfurt
>>> Managing Director: Alexander Windbichler
>>> Company register: FN 289918a | Place of jurisdiction: Klagenfurt | VAT number: AT U63216601
>>>
>>> -----Original Message-----
>>> From: Colton Conor [colton.co...@gmail.com]
>>> Received: Tuesday, 11 Aug. 2015, 20:23
>>> To: NANOG [nanog@nanog.org]
>>> Subject: Branch Location Over The Internet
>>>
>>>> We have an enterprise that has a headquarters office with redundant fiber connections, its own ASN, its own /22 IP block from ARIN, and a couple of gigabit internet connections from multiple providers. The office is taking full BGP routes from tier 1 providers using a Juniper MX80. They are establishing their first branch location, and need the branch location to be able to securely communicate back to headquarters, AND be able to use a /24 of headquarters public IP addresses. Ideally the device at the HQ location would hand out public IP addresses using DHCP to the other side of the tunnel at the branch location.
>>>>
>>>> We know that in an ideal world it would be wise to get layer 2 transport connections from HQ to the branch location, but let's assume that is not an option. Please don't flood this thread about how it could be an option because it's not at this time. This setup will be temporary and in service for the next year until we get fiber to the branch site.
>>>>
>>>> Let's assume at the branch location we can get a DOCSIS cable internet connection from an incumbent cable provider such as Comcast, and that provider will give us a couple of static IP addresses. Assume as a backup, we have a PPPoE DSL connection from the ILEC such as Verizon who gives us a dynamic IP address.
>>>>
>>>> What solution could we put at the HQ site and the branch site to achieve this? Ideally we would want the solution to load balance between the connections based on the connection speeds, and failover if one is down. The cable connection will be much faster speed (probably 150Mbps down and 10 Upload) compared to the DSL connection (10 download and 1 upload). If we need more speed we can upgrade the cable modem to a higher package, but for DSL that is the max speed so we might have to get multiple DSL lines. The cable solution could always be used as the primary, and the DSL connection could only be used as backup if that makes things easier.
>>>>
>>>> If you were to do this with Juniper or Cisco gear what would you have at each location? What technology would you use? I know there is Pepewave and a couple of other software solutions that seem to have proprietary load balancing solutions developed, but I would prefer to use a common Cisco or Juniper solution if one exists. There will be 50 users at the branch office. There is only one branch location at this time, but they might expand to a couple

Re: Branch Location Over The Internet
Patrick,

which CCR did you test?

Best regards

-----Original Message-----
From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Patrick Cole
Sent: Wednesday, 12 August 2015 00:49
To: Josh Luthman j...@imaginenetworksllc.com
Cc: NANOG list nanog@nanog.org
Subject: Re: Branch Location Over The Internet

> Josh,
>
> Just an FYI, I've successfully used these two EoIP implementations on Linux:
>
> https://code.google.com/p/linux-eoip/
> https://github.com/bbonev/eoip
>
> So I wouldn't say EoIP is Mikrotik only -- these interop perfectly with Mikrotik. I started using these due to stability problems we were having with CCRs.
>
> Pat
>
> Tue, Aug 11, 2015 at 06:32:55PM -0400, Josh Luthman wrote:
>> Eoip is Mikrotik only
>>
>> Josh Luthman
>> Office: 937-552-2340
>> Direct: 937-552-2343
>> 1100 Wayne St
>> Suite 1337
>> Troy, OH 45373
>>
>> On Aug 11, 2015 6:28 PM, Colton Conor colton.co...@gmail.com wrote:
>>> EoIP seems to be what I am looking for, however this recent Mikrotik session says:
>>>
>>>   EoIP could be a solution for tunneling L2 over L3.
>>>   - EoIP disadvantages:
>>>     - Fragmentation of L2 frames over multiple L3 packets
>>>     - Performance issues
>>>   - VPLS advantages:
>>>     - No fragmentation.
>>>     - 60% more performance than EoIP.
>>>
>>> So it sounds like VPLS might be better than EoIP? I can't find much about EoIP online, so is this a Mikrotik only protocol?
>>>
>>> On Tue, Aug 11, 2015 at 1:46 PM, Jürgen Jaritsch j...@anexia.at wrote:
>>>> Hi,
>>>>
>>>> Mikrotik Routerboard + (encrypted) Ethernet over IP (EoIP). If required: MPLS+OSPF+BGP in the EoIP for additional features.
>>>>
>>>> Build the pseudo Layer2 with two dedicated boxes. In the HQ you can hand it over directly to the MX80 and at the new office you can work with small boxes like Cisco 7301 (also available with redundant PS) or if you need more ports: 19xx ...
>>>>
>>>> #) cheap setup
>>>> #) can easily transport a few hundred Meg
>>>> #) you can use refurb parts if required
>>>> #) big community support for Mikrotik Routerboards
>>>> #) encrypted transport possible
>>>> #) works with dynamic IPs
>>>> #) MPLS in the EoIP allows you to transport VRFs with BGP signaling
>>>>
>>>> Etc etc
>>>>
>>>> Best regards
>>>>
>>>> Jürgen Jaritsch
>>>> Head of Network Infrastructure
>>>>
>>>> ANEXIA Internetdienstleistungs GmbH
>>>>
>>>> Phone: +43-5-0556-300
>>>> Fax: +43-5-0556-500
>>>>
>>>> E-Mail: j...@anexia.at
>>>> Web: http://www.anexia.at
>>>>
>>>> Head office address, Klagenfurt: Feldkirchnerstraße 140, 9020 Klagenfurt
>>>> Managing Director: Alexander Windbichler
>>>> Company register: FN 289918a | Place of jurisdiction: Klagenfurt | VAT number: AT U63216601
>>>>
>>>> -----Original Message-----
>>>> From: Colton Conor [colton.co...@gmail.com]
>>>> Received: Tuesday, 11 Aug. 2015, 20:23
>>>> To: NANOG [nanog@nanog.org]
>>>> Subject: Branch Location Over The Internet
>>>>
>>>>> We have an enterprise that has a headquarters office with redundant fiber connections, its own ASN, its own /22 IP block from ARIN, and a couple of gigabit internet connections from multiple providers. The office is taking full BGP routes from tier 1 providers using a Juniper MX80. They are establishing their first branch location, and need the branch location to be able to securely communicate back to headquarters, AND be able to use a /24 of headquarters public IP addresses. Ideally the device at the HQ location would hand out public IP addresses using DHCP to the other side of the tunnel at the branch location.
>>>>>
>>>>> We know that in an ideal world it would be wise to get layer 2 transport connections from HQ to the branch location, but let's assume that is not an option. Please don't flood this thread about how it could be an option because it's not at this time. This setup will be temporary and in service for the next year until we get fiber to the branch site.
>>>>>
>>>>> Let's assume at the branch location we can get a DOCSIS cable internet connection from an incumbent cable provider such as Comcast, and that provider will give us a couple of static IP addresses. Assume as a backup, we have a PPPoE DSL connection from the ILEC such as Verizon who gives us a dynamic IP address.
>>>>>
>>>>> What solution could we put at the HQ site and the branch site to achieve this? Ideally we would want the solution to load balance between the connections based on the connection speeds, and failover if one is down. The cable connection will be much faster speed (probably 150Mbps down and 10 Upload) compared to the DSL connection (10 download and 1 upload). If we need more speed we can upgrade the cable modem to a higher package, but for DSL that is the max speed so we might have to get multiple DSL lines. The cable solution could always be used as the primary, and the DSL connection could only be used as backup if that makes things easier.
>>>>>
>>>>> If you were to do this with Juniper or Cisco gear what would you have at each location? What technology would you use? I know there is Pepewave and a

Live-streaming the Root Zone Key-Signing Key Ceremony 22
FYI,

(Apologies if you see duplicates of this message.)

ICANN, as the IANA Functions Operator, will be live-streaming the Root Zone Key-Signing Key Ceremony (number 22) on Thursday, August 13. The main ceremony that day is scheduled to begin at 2000 UTC. (This is an activity related to DNSSEC.)

For more information about the event see:
https://www.iana.org/dnssec/ceremonies/22

On Thursday there will be two ceremonies as listed on that web page. The first ceremony will rotate cryptographic officer duties, basically, a change in some of the trusted community representatives participating in the key ceremonies. The second ceremony (the main) will feature the introduction of two new Hardware Security Modules. This is the ceremony that will start at 2000 UTC.

Please see the above link for more information. The live-streaming link is at the bottom of the page. (https://icann.adobeconnect.com/kskceremony)

Re: Data Center operations mail list?
I was actually surprised with how many people subscribed already. I think we are close to 100 already in less than 24 hours.

I could use some help drafting some basic mailing list rules (no spam, no soliciting, etc) and if anyone has any suggestions, please let me know.

On Wed, Aug 12, 2015 at 1:34 AM, Mark Tinka mark.ti...@seacom.mu wrote:
> On 11/Aug/15 17:46, Alex Brooks wrote:
>> With the lack of interest compared to NANOG (especially seeing how the old list simply dried up) it might be best making the list global rather than North America only to get the traffic levels up a bit.
>
> Tend to agree that a list with global scope might be more useful.
>
> Mark.

Re: Data Center operations mail list?
I missed the subscription info. Can you repost please? I can be #100 :)

On Wed, Aug 12, 2015 at 8:33 AM, Rafael Possamai raf...@gav.ufsc.br wrote:
> I was actually surprised with how many people subscribed already. I think we are close to 100 already in less than 24 hours.
>
> I could use some help drafting some basic mailing list rules (no spam, no soliciting, etc) and if anyone has any suggestions, please let me know.
>
> On Wed, Aug 12, 2015 at 1:34 AM, Mark Tinka mark.ti...@seacom.mu wrote:
>> On 11/Aug/15 17:46, Alex Brooks wrote:
>>> With the lack of interest compared to NANOG (especially seeing how the old list simply dried up) it might be best making the list global rather than North America only to get the traffic levels up a bit.
>>
>> Tend to agree that a list with global scope might be more useful.
>>
>> Mark.

--
:o@