Re: south bay ops channel

2019-11-18 Thread Randy Bush
> dear lazynet.  is there a list, irc, slack, ... for ops in the
> southern bay area?  need to find/discuss colo, hands, brains, ...

fwiw, in seattle, the SIX chatter list would be a good example.

randy


south bay ops channel

2019-11-18 Thread Randy Bush
dear lazynet.  is there a list, irc, slack, ... for ops in the southern
bay area?  need to find/discuss colo, hands, brains, ...  thanks.

randy


Re: Iran cuts 95% of Internet traffic

2019-11-18 Thread Sean Donelan



Digging a little deeper, it looks like Iran's blocking is more complex 
than I've seen before.


Consumer/mobile networks appear nearly completely blocked.

However, many important business/financial networks and B2B traffic appear
to be operating normally.


I don't yet have good data about the granularity of the blocking.  But
the Iranian government is not using the typical blunt cut-off of 
everything we've seen in other countries.




Re: Recommended DDoS mitigation appliance?

2019-11-18 Thread Rabbi Rob Thomas

Hello, NANOG!

Thank you to all who have generously given your time to respond
publicly and privately.  I have a long list of things to research
while configuring our shiny new Juniper routers.  :)  I'll summarize
to the list shortly.

Be well!
Rob, the routing rabbi.
-- 
Rabbi Rob Thomas   Team Cymru
   "It is easy to believe in freedom of speech for those with whom we
agree." - Leo McKern


Re: AT&T released DANOS code to Linux Foundation

2019-11-18 Thread Jared Geiger
DANOS is using FRR in the opensource version at least.

On Mon, Nov 18, 2019 at 1:15 PM Mike Hammett  wrote:

> Chances are, if there was a decision to be made, UBNT made the wrong
> choice.
>
> That said, I've heard a lot of good about ZebOS.  *shrugs*
>
> -
> Mike Hammett
> Intelligent Computing Solutions
>
> Midwest Internet Exchange
>
> The Brothers WISP
>
> --
> *From: *"Rubens Kuhl" 
> *To: *"Nanog" 
> *Sent: *Monday, November 18, 2019 3:10:39 PM
> *Subject: *Re: AT&T released DANOS code to Linux Foundation
>
>
>
> On Mon, Nov 18, 2019 at 5:55 PM Brielle  wrote:
>
>> On 11/18/2019 1:31 PM, Jared Geiger wrote:
>> > This past Friday, the code for DANOS was released as open source to the
>> > Linux Foundation and published at https://github.com/danos
>>
>> This is pretty awesome news.
>>
>>  From what I'm reading, it looks like the commercial support options
>> will be able to use ZebOS as the routing engine instead of quagga?
>> EdgeOS has been using it for a while, and was a huge step up in terms of
>> stability and functionality.
>>
>>
> Curiously, at the same time EdgeOS replaced Quagga with ZebOS I started
> reading more complaints and more people dropping UBNT altogether in the L3
> world.
> So I wonder if it was a good decision or not...
>
>
> Rubens
>
>
>


Re: AT&T released DANOS code to Linux Foundation

2019-11-18 Thread Ross Tajvar
For an additional point of reference - I run two Edgerouter Pros with
multiple full tables (v4 and v6). One of them is fine, but one of them
crashes and reboots about once a week. I'm currently trying to replace
them, possibly with DANOS now that it's out.

On Mon, Nov 18, 2019 at 4:23 PM Brielle  wrote:

> On 11/18/2019 2:12 PM, Mike Hammett wrote:
> > Chances are, if there was a decision to be made, UBNT made the wrong
> > choice.
> >
> > That said, I've heard a lot of good about ZebOS.  *shrugs*
>
> Well, early on during the switch there were a few issues with the change.
>   For example, I had to fix the support for various IPv6 bits like 6rd.
>
> It really should have been labeled as a major release (1.0 -> 2.0)
> instead of an incremental (1.x to 1.x+1)...  but hindsight and all.
>
> That being said, I do run a few EdgeRouter Infinities with OSPF and BGP
> (taking full tables for v4 and v6) and they've not had glaring issues
> for any of my uses.
>
> Some people just upgrade WAYY too quickly without doing proper bench
> testing - and it always bites you in the ass in the end.
>
> --
> Brielle Bruns
> The Summit Open Source Development Group
> http://www.sosdg.org/ http://www.ahbl.org
>


Re: AT&T released DANOS code to Linux Foundation

2019-11-18 Thread Brielle

On 11/18/2019 2:12 PM, Mike Hammett wrote:
> Chances are, if there was a decision to be made, UBNT made the wrong choice.
>
> That said, I've heard a lot of good about ZebOS.  *shrugs*


Well, early on during the switch there were a few issues with the change.
 For example, I had to fix the support for various IPv6 bits like 6rd.


It really should have been labeled as a major release (1.0 -> 2.0) 
instead of an incremental (1.x to 1.x+1)...  but hindsight and all.


That being said, I do run a few EdgeRouter Infinities with OSPF and BGP 
(taking full tables for v4 and v6) and they've not had glaring issues 
for any of my uses.


Some people just upgrade WAYY too quickly without doing proper bench 
testing - and it always bites you in the ass in the end.


--
Brielle Bruns
The Summit Open Source Development Group
http://www.sosdg.org/ http://www.ahbl.org


Re: Iran cuts 95% of Internet traffic

2019-11-18 Thread Ross Tajvar
Do we have any ideas which prefixes are still accessible?

On Mon, Nov 18, 2019 at 3:01 PM Scott Fisher  wrote:

> One would hope so, but I am sure they will just threaten their
> population on using it. Tyrannical regimes know no bounds.
>
> Thanks,
> Scott Fisher
> Team Cymru
>
> On 11/18/19 2:26 PM, Tony Wicks wrote:
> > > Implementation specifics vary. Most rely on state control of consumer
> > > ISPs and implement a variety of systems at that layer. Many also have
> > > chokepoints for international connectivity as well.
> >
> > I guess all these governments who like to control access so tightly are
> > going to be in a total tailspin over Starlink eh.


Re: AT&T released DANOS code to Linux Foundation

2019-11-18 Thread Mike Hammett
Chances are, if there was a decision to be made, UBNT made the wrong choice. 

That said, I've heard a lot of good about ZebOS. *shrugs* 




- 
Mike Hammett 
Intelligent Computing Solutions 

Midwest Internet Exchange 

The Brothers WISP 

- Original Message -

From: "Rubens Kuhl"  
To: "Nanog"  
Sent: Monday, November 18, 2019 3:10:39 PM 
Subject: Re: AT&T released DANOS code to Linux Foundation







On Mon, Nov 18, 2019 at 5:55 PM Brielle < br...@2mbit.com > wrote: 


On 11/18/2019 1:31 PM, Jared Geiger wrote: 
> This past Friday, the code for DANOS was released as open source to the 
> Linux Foundation and published at https://github.com/danos 

This is pretty awesome news. 

From what I'm reading, it looks like the commercial support options
will be able to use ZebOS as the routing engine instead of quagga? 
EdgeOS has been using it for a while, and was a huge step up in terms of 
stability and functionality. 






Curiously, at the same time EdgeOS replaced Quagga with ZebOS I started reading 
more complaints and more people dropping UBNT altogether in the L3 world. 
So I wonder if it was a good decision or not... 




Rubens 



Re: AT&T released DANOS code to Linux Foundation

2019-11-18 Thread Rubens Kuhl
On Mon, Nov 18, 2019 at 5:55 PM Brielle  wrote:

> On 11/18/2019 1:31 PM, Jared Geiger wrote:
> > This past Friday, the code for DANOS was released as open source to the
> > Linux Foundation and published at https://github.com/danos
>
> This is pretty awesome news.
>
>  From what I'm reading, it looks like the commercial support options
> will be able to use ZebOS as the routing engine instead of quagga?
> EdgeOS has been using it for a while, and was a huge step up in terms of
> stability and functionality.
>
>
Curiously, at the same time EdgeOS replaced Quagga with ZebOS I started
reading more complaints and more people dropping UBNT altogether in the L3
world.
So I wonder if it was a good decision or not...


Rubens


Re: AT&T released DANOS code to Linux Foundation

2019-11-18 Thread Brielle

On 11/18/2019 1:31 PM, Jared Geiger wrote:
> This past Friday, the code for DANOS was released as open source to the
> Linux Foundation and published at https://github.com/danos


This is pretty awesome news.

From what I'm reading, it looks like the commercial support options 
will be able to use ZebOS as the routing engine instead of quagga? 
EdgeOS has been using it for a while, and was a huge step up in terms of 
stability and functionality.



--
Brielle Bruns
The Summit Open Source Development Group
http://www.sosdg.org/ http://www.ahbl.org


AT&T released DANOS code to Linux Foundation

2019-11-18 Thread Jared Geiger
This past Friday, the code for DANOS was released as open source to the
Linux Foundation and published at https://github.com/danos

AT&T bought the Vyatta product from Brocade and developed on the DPDK
Brocade Vyatta 5600 version. The software was renamed DANOS. So if it
performs like other DPDK routers, you can expect about 10 Gbps of
throughput per XEON 2600v4 or newer core you allocate to it. Other closed
source DPDK router products are able to do 100+ Gbps with appropriate CPU
and network interface resources. This would make it the first opensource
fully functioning DPDK based router. The CLI configuration is slightly
different even from the last vyatta 5600 version released but easy to adapt
to if familiar with vyos or ubiquiti edgeos.

AT&T is using it in production in various locations and roles. News
articles reference IP Infusion as the vendor offering commercial support
but it seems they may only support the cellsite gateway router.
https://www.fiercetelecom.com/telecom/at-t-sets-a-date-to-drop-danos-into-linux-foundation-names-ip-infusion-as-reseller

The project's site is https://www.danosproject.org/

A bootable ISO is at
https://danosproject.atlassian.net/wiki/spaces/DAN/pages/753667/DANOS+1908

I'm only an enthusiast and not affiliated with the project.

Regards,
Jared Geiger


Re: Iran cuts 95% of Internet traffic

2019-11-18 Thread Scott Fisher
One would hope so, but I am sure they will just threaten their
population on using it. Tyrannical regimes know no bounds.

Thanks,
Scott Fisher
Team Cymru

On 11/18/19 2:26 PM, Tony Wicks wrote:
> > Implementation specifics vary. Most rely on state control of consumer
> > ISPs and implement a variety of systems at that layer. Many also have
> > chokepoints for international connectivity as well.
> 
>  
> 
> I guess all these governments who like to control access so tightly are
> going to be in a total tailspin over Starlink eh.


OT: RE: Iran cuts 95% of Internet traffic

2019-11-18 Thread Scott Weeks



--- t...@wicks.co.nz wrote:
From: "Tony Wicks" 

I guess all these governments who like to control...



The weird thing to me is the one thing governments are afraid
of is people talking to each other without restriction.  Not 
this or that, rather just people talking freely.  WTF...

scott

 

 

 





RE: Iran cuts 95% of Internet traffic

2019-11-18 Thread Tony Wicks
> Implementation specifics vary. Most rely on state control of consumer ISPs and
> implement a variety of systems at that layer. Many also have chokepoints for
> international connectivity as well.

 

I guess all these governments who like to control access so tightly are going 
to be in a total tailspin over Starlink eh.

 

 

 



Re: Iran cuts 95% of Internet traffic

2019-11-18 Thread Matt Harris
On Mon, Nov 18, 2019 at 11:29 AM Scott Weeks  wrote:

>
>
> --- s...@donelan.com wrote:
> From: Sean Donelan 
>
> It's very practical for a country to cut 95%+ of its Internet connectivity.
> It's not a complete cut-off, there is some limited connectivity. But for
> most ordinary individuals, their communication channels are cut-off.
>
> https://twitter.com/netblocks/status/1196366347938271232
> --
>
>
> Does anyone know the network mechanics of how this happens?  For
> example, do all fiber connections go through a government choke
> point for suppression?  If so, what's to stop Ubiquiti-style
> microwave over the border to sympathetic folks on the other side?
>
> scott
>

Implementation specifics vary. Most rely on state control of consumer ISPs
and implement a variety of systems at that layer. Many also have
chokepoints for international connectivity as well.

Penalties for evading the censorship regime? I don't know specifically what
those entail, but probably at the very least fines and confiscation of
equipment, possibly imprisonment, or even worse in some places? Scanning
for RF emissions on common communications frequencies isn't particularly
difficult, nor is police just looking around their jurisdictions for such
antennas on the exterior of buildings.

Of course, there will always be ways around these sorts of things for
people who have the means/resources/technical capability to do so, and some
will be much harder to get caught with than others. But the 0.01% of people
who have the means and resources aren't the real target anyway, as many
people with the means are people who already have a lot to lose and hence
tend to remain loyal to the state to begin with. The 0.01% who have the
technical capability to do something like build a unidirectional
transceiver from parts and deploy it in a way that it won't easily be
detected are a small enough group that they can be written off. It's the
other 99.8% whom they're worried about and against whom censorship regimes
have the best overall efficacy.


Re: Iran cuts 95% of Internet traffic

2019-11-18 Thread Scott Weeks



--- s...@donelan.com wrote:
From: Sean Donelan 

It's very practical for a country to cut 95%+ of its Internet connectivity.
It's not a complete cut-off, there is some limited connectivity. But for
most ordinary individuals, their communication channels are cut-off.

https://twitter.com/netblocks/status/1196366347938271232
--


Does anyone know the network mechanics of how this happens?  For
example, do all fiber connections go through a government choke
point for suppression?  If so, what's to stop Ubiquiti-style
microwave over the border to sympathetic folks on the other side?

scott


Re: Hulu thinks all my IP addresses are "business class", how to reach them?

2019-11-18 Thread Blake Hudson
Doug, out of curiosity, what does Hulu do once they have classified your 
IP ranges as "business class"? Charge customers a different rate? Offer 
different content? Refuse service?



Doug McIntyre wrote on 11/18/2019 10:41 AM:
> I've been offering residential and business ISP services for a long time.
>
> Hulu recently blocked my customers from accessing their service, because my
> ARIN IP address blocks are "business class" instead of residential.
>
> I've tried to find a contact for them as I am not a customer, the
> supportrequ...@hulu.com address mentioned in NANOG previously is just
> an autoresponder that says open a ticket online (once you are logged into your
> account).
>
> Does anybody have a contact for them that I can discuss what they are
> looking at to determine if my IP addresses are "residential"
> vs. "business" class?
>
> Thanks.






Re: Hulu thinks all my IP addresses are "business class", how to reach them?

2019-11-18 Thread Brian Ellwood
Have you tried reaching out to ipad...@hulu.com?

—
Brian Ellwood
Senior Systems Engineer
INOC Data Centers
O: 518-689-4350

> On Nov 18, 2019, at 11:41, Doug McIntyre  wrote:
> 
> I've been offering residential and business ISP services for a long time.
> 
> Hulu recently blocked my customers from accessing their service, because my
> ARIN IP address blocks are "business class" instead of residential.
> 
> I've tried to find a contact for them as I am not a customer, the
> supportrequ...@hulu.com address mentioned in NANOG previously is just
> an autoresponder that says open a ticket online (once you are logged into 
> your account). 
> 
> Does anybody have a contact for them that I can discuss what they are
> looking at to determine if my IP addresses are "residential"
> vs. "business" class?
> 
> Thanks.
> 
> 





Re: Recommended DDoS mitigation appliance?

2019-11-18 Thread Tom Beecher
It's a logical evolution as botnets became less of a tool for lulz and more
of an economic asset to certain segments of the world.

No sense launching an orbital strike where a garden hose will do the job
just as well.

On Mon, Nov 18, 2019 at 9:05 AM Tom Hill  wrote:

> On 18/11/2019 13:50, Mike Hammett wrote:
> > I would like the list to know that not all targets attract such large
> > attacks. I know many eyeball ISPs that encounter less than 10 gig
> > attacks, which can be reasonably absorbed\mitigated. Online gamers
> > looking to boot someone else from the game aren't generally committing
> > >100 gigs of resources to an attack.
>
>
> There are two very good reasons to use 'surgical' amounts of traffic in
> attacks:
>
>  1. Concealing the size of your botnet
>
>  2. Reducing the damage to the end user's ISP, and thus reducing the
> likelihood that they escalate the attack to the authorities (because
> who's got the time to do that for an individual subscriber?)
>
> The shift to "just enough to knock the customer off without killing the
> whole network" happened around ~2015 in my capacity, at least.
>
> --
> Tom
>


Hulu thinks all my IP addresses are "business class", how to reach them?

2019-11-18 Thread Doug McIntyre
I've been offering residential and business ISP services for a long time.

Hulu recently blocked my customers from accessing their service, because my
ARIN IP address blocks are "business class" instead of residential.

I've tried to find a contact for them as I am not a customer, the
supportrequ...@hulu.com address mentioned in NANOG previously is just
an autoresponder that says open a ticket online (once you are logged into your 
account). 

Does anybody have a contact for them that I can discuss what they are
looking at to determine if my IP addresses are "residential"
vs. "business" class?

Thanks.




Re: Recommended DDoS mitigation appliance?

2019-11-18 Thread Jeff Meyers

Hi Rabbi,

a PoC quite a while ago with RioRey worked quite satisfactorily, but we have been
working with Arbor for a couple of years. It works okay and is
insanely expensive. Mostly because of the price I wouldn't recommend it
but I'm not sure if there is anything in the market technically on the
same level but with a lower price. We did a PoC with A10 2 years ago as
a possible replacement but the concept is completely different so we
couldn't convince ourselves yet to switch.

HTH,
Jeff

On 17.11.2019 at 23:18, Rabbi Rob Thomas wrote:

> Hello, NANOG!
>
> I'm in the midst of rebuilding/upgrading our backbone and peering -
> sessions cheerfully accepted :) - and am curious what folks recommend
> in the DDoS mitigation appliance realm?  Ideally it would be capable
> of 10Gbps and circa 14Mpps rate of mitigation.  If you have a
> recommendation, I'd love to hear it and the reasons for it.  If you
> have an alternative to an appliance that has worked well for you
> (we're a mix of Cisco and Juniper), I'm all ears.
>
> Private responses are fine, and I'm happy to summarize back to the
> list if there is interest.
>
> Thank you!
> Rob.
> --
> Rabbi Rob Thomas   Team Cymru
> "It is easy to believe in freedom of speech for those with whom we
>  agree." - Leo McKern




Re: Recommended DDoS mitigation appliance?

2019-11-18 Thread Töma Gavrichenkov
Peace,

On Mon, Nov 18, 2019, 4:51 PM Mike Hammett  wrote:

> I would like the list to know that not all targets attract such large
> attacks.
>

It is not that easily predictable.  E.g. in the case of reflection DDoS
sometimes even the attacker has no good idea of how much traffic s/he is
generating today.
There are other complicated cases.
--
Töma



Re: Iran cuts 95% of Internet traffic

2019-11-18 Thread Wayne Bouchard
Though Iran's situation is hardly a new advent, it reminds me that
more and more countries seem to be going for the centralized
filter/control/kill option and what a sad development that is. It sure
seems like this is going to vastly change how inter-nation traffic (or
at least inter-continental) is exchanged between providers and even
how bandwidth is sold. It feels to me like it won't be too much longer
before such things start to become somewhat less a matter of business
and more a matter of treaty.

-Wayne

On Mon, Nov 18, 2019 at 10:09:36AM -0500, Sean Donelan wrote:
> 
> It's very practical for a country to cut 95%+ of its Internet connectivity.
> It's not a complete cut-off, there is some limited connectivity. But for
> most ordinary individuals, their communication channels are cut-off.
> 
> https://twitter.com/netblocks/status/1196366347938271232

---
Wayne Bouchard
w...@typo.org
Network Dude
http://www.typo.org/~web/


Iran cuts 95% of Internet traffic

2019-11-18 Thread Sean Donelan



It's very practical for a country to cut 95%+ of its Internet connectivity.
It's not a complete cut-off, there is some limited connectivity. But for
most ordinary individuals, their communication channels are cut-off.


https://twitter.com/netblocks/status/1196366347938271232


Re: Recommended DDoS mitigation appliance?

2019-11-18 Thread Tom Hill
On 18/11/2019 13:50, Mike Hammett wrote:
> I would like the list to know that not all targets attract such large
> attacks. I know many eyeball ISPs that encounter less than 10 gig
> attacks, which can be reasonably absorbed\mitigated. Online gamers
> looking to boot someone else from the game aren't generally committing
> >100 gigs of resources to an attack.


There are two very good reasons to use 'surgical' amounts of traffic in
attacks:

 1. Concealing the size of your botnet

 2. Reducing the damage to the end user's ISP, and thus reducing the
likelihood that they escalate the attack to the authorities (because
who's got the time to do that for an individual subscriber?)

The shift to "just enough to knock the customer off without killing the
whole network" happened around ~2015 in my capacity, at least.

-- 
Tom


Re: Recommended DDoS mitigation appliance?

2019-11-18 Thread Mike Hammett
I would like the list to know that not all targets attract such large attacks. 
I know many eyeball ISPs that encounter less than 10 gig attacks, which can be 
reasonably absorbed\mitigated. Online gamers looking to boot someone else from 
the game aren't generally committing >100 gigs of resources to an attack. 




- 
Mike Hammett 
Intelligent Computing Solutions 
http://www.ics-il.com 

Midwest-IX 
http://www.midwest-ix.com 

- Original Message -

From: "Rabbi Rob Thomas"  
To: nanog@nanog.org 
Sent: Sunday, November 17, 2019 4:18:57 PM 
Subject: Recommended DDoS mitigation appliance? 



Hello, NANOG! 

I'm in the midst of rebuilding/upgrading our backbone and peering - 
sessions cheerfully accepted :) - and am curious what folks recommend 
in the DDoS mitigation appliance realm? Ideally it would be capable 
of 10Gbps and circa 14Mpps rate of mitigation. If you have a 
recommendation, I'd love to hear it and the reasons for it. If you 
have an alternative to an appliance that has worked well for you 
(we're a mix of Cisco and Juniper), I'm all ears. 

Private responses are fine, and I'm happy to summarize back to the 
list if there is interest. 

Thank you! 
Rob. 
-- 
Rabbi Rob Thomas Team Cymru 
"It is easy to believe in freedom of speech for those with whom we 
agree." - Leo McKern 



Re: Recommended DDoS mitigation appliance?

2019-11-18 Thread Alexander Lyamin
Correct statement.  You forgot one zero.

On Mon, Nov 18, 2019 at 10:48 AM Denys Fedoryshchenko <
nuclear...@nuclearcat.com> wrote:

> On 2019-11-18 04:23, Richard wrote:
> > I would say you are making some assumptions that are not fact based.
> > The OP is very knowledgeable and would not mince words or waste
> > bandwidth. Let us see what he has to say in regards to your remarks.
> > He will be able to make this more clear once he has read what people
> > have stated in other responses.
> >
> > Respectfully, of course, Richard Golodner
> > On 11/17/19 8:12 PM, Töma Gavrichenkov wrote:
> >
> >> Peace,
> >>
> >> On Mon, Nov 18, 2019, 1:49 AM Rabbi Rob Thomas 
> >> wrote:
> >>
> >>>> I am going to assume you want it to spit out 10G clean, what size
> >>>> dirty traffic are you expecting it to handle?
> >>>
> >>> Great question!  Let's say between 6Gbps and 8Gbps dirty.
> >>
> >> As someone making a living as a DDoS mitigation engineer for the
> >> last 10 years (minus 1 month) I should say your threat model is sort
> >> of unusual.  Potential miscreants today should be assumed to have
> >> much more to show you even on a daily basis.
> >>
> >> Is it like you also have something filtering upstream for you, e.g.
> >> flowspec-enabled peers?
> >>
> >> --
> >> Töma
> >>
> >>>
>
> AFAIK new threats (SYN+ACK amplification) can't be mitigated over
> flowspec and they can reach 40+Gbps easily.
>


-- 

Alexander Lyamin, VP & Founder

Qrator Labs CZ

office: +420 602 558 144

mob: +420 774 303 807
skype: melanor9

mailto:  l...@qrator.net


Re: Recommended DDoS mitigation appliance?

2019-11-18 Thread Denys Fedoryshchenko

On 2019-11-18 04:23, Richard wrote:

> I would say you are making some assumptions that are not fact based.
> The OP is very knowledgeable and would not mince words or waste
> bandwidth. Let us see what he has to say in regards to your remarks.
> He will be able to make this more clear once he has read what people
> have stated in other responses.
>
> Respectfully, of course, Richard Golodner
> On 11/17/19 8:12 PM, Töma Gavrichenkov wrote:
>
>> Peace,
>>
>> On Mon, Nov 18, 2019, 1:49 AM Rabbi Rob Thomas
>> wrote:
>>
>>>> I am going to assume you want it to spit out 10G clean, what size
>>>> dirty traffic are you expecting it to handle?
>>>
>>> Great question!  Let's say between 6Gbps and 8Gbps dirty.
>>
>> As someone making a living as a DDoS mitigation engineer for the
>> last 10 years (minus 1 month) I should say your threat model is sort
>> of unusual.  Potential miscreants today should be assumed to have
>> much more to show you even on a daily basis.
>>
>> Is it like you also have something filtering upstream for you, e.g.
>> flowspec-enabled peers?
>>
>> --
>> Töma

AFAIK new threats (SYN+ACK amplification) can't be mitigated over 
flowspec and they can reach 40+Gbps easily.