Re: DDoS mitigation Equinix?
I actually use GigeNET at the moment for DDoS protection and they're terrible. Their trigger detection is terrible at picking up attacks and my attack is barely ever mitigated because of it. On Sun, Jul 20, 2014 at 12:00 PM, Christopher Morrow morrowc.li...@gmail.com wrote: On Sun, Jul 20, 2014 at 2:54 PM, Ameen Pishdadi apishd...@gmail.com wrote: It was none of the mentioned , didn't wanna come off as advertising .. Gigenet is the company ok, cool the OP probably is interested... thanks! Sent from my iPhone On Jul 20, 2014, at 1:51 PM, Christopher Morrow morrowc.li...@gmail.com wrote: On Sun, Jul 20, 2014 at 10:32 AM, Ameen Pishdadi apishd...@gmail.com wrote: Equinix doesn't provide Ddos protection , cloud flare is able to mitigate attacks by spreading out the traffic across 20-30 different pops which are mostly located at Equinix. Cloud flare is pretty much a cdn , people have been using cdns for years to mitigate Ddos like akaimi , wasn't really popular though because of how expensive cdns like Akamai were, btw they recently bought prolexic. Cloud flare as far as I know does not sell Ddos protection service by any other means then there web proxy/cache service. Also there core business isn't Ddos protection it's website optimization via cdn type setup. Our company also uses Equinix and other carrier hotels to provide Ddos protection, 'our company' .. since use used 3 different names of companies in the previous part of the message, which one is 'our' ? we provide a connection to our network by cross connects or peering exchanges , 1 gig or 10 gig and filter the Ddos before it leaves our network, this can be on full time or only when an attack is detected. Other methods of filtered traffic delivery are gre VPN tunnels and reverse proxy method. The difference between us , prolexic vs cloud flare is the different delivery methods allow protection against attacks towards other services and protocols besides http protocol/websites, and protection against entire networks versus an individual domain, it's just a different business model going after different market segments. Sent from my iPhone On Jul 19, 2014, at 2:44 AM, Abuse Contact stopabuseandrep...@gmail.com wrote: Hi, I've heard that using Equinix has it's DDoS protection benefits like large companies such as CloudFlare use them for DDoS mitigation, I don't get it, how do they help with DDoS protection? You still get a 1Gbit from them or whatever and also do you guys know around how much they'd cost? Thanks! Sent from my iPhone On Jul 19, 2014, at 2:44 AM, Abuse Contact stopabuseandrep...@gmail.com wrote: Hi, I've heard that using Equinix has it's DDoS protection benefits like large companies such as CloudFlare use them for DDoS mitigation, I don't get it, how do they help with DDoS protection? You still get a 1Gbit from them or whatever and also do you guys know around how much they'd cost? Thanks!
Re: BGP Session
Hi, Yeah, I need to turn on and off overtime, but I'm getting my own ASN very soon so that shouldn't be a problem soon! :) but how would I go about turning off a location at a certain time? Thanks! On Wed, Jul 16, 2014 at 5:50 PM, Jonathan Lassoff j...@thejof.com wrote: Wow -- be careful playing with public eBGP sessions unless you know what you're doing. It can affect the entire Internet. Since you're just connecting to a single upstream ISP, you wont qualify for a public AS number. So, you'll have to work with your upstream ISP to agree on a private AS number you can use. You will be setting up an eBGP session (which is a session between two different AS numbers, as opposed to iBGP, wherein the AS numbers are the same). As for running BGP on a dedicated server, it'll depend on the OS in use. Assuming Linux, take a look at Quagga, BIRD, and ExaBGP. http://www.nongnu.org/quagga/ http://bird.network.cz/ https://code.google.com/p/exabgp/ It may be a *lot* easier for you to just have your upstream ISP announce your IP space, and route it to your dedicated server, unless you need the ability to turn it off and on over time. Cheers, jof On Wed, Jul 16, 2014 at 1:05 AM, Abuse Contact stopabuseandrep...@gmail.com wrote: Hi, So I just purchased a Dedicated server from this one company and I have a /24 IPv4 block that I bought from a company on WebHostingTalk, but I am clueless on how to setup the /24 IPv4 block using the BGP Session. I want to set it up to run through their network as if it was one of their IPs, etc. I keep seeing things like iBGP (which I think means like a inner routing BGP) and eBGP (what I'm talking about??) but I have no idea how to set those up or which one I would need. Any help would be appreciated. Thanks!
DDoS mitigation Equinix?
Hi, I've heard that using Equinix has it's DDoS protection benefits like large companies such as CloudFlare use them for DDoS mitigation, I don't get it, how do they help with DDoS protection? You still get a 1Gbit from them or whatever and also do you guys know around how much they'd cost? Thanks!
Re: BGP Session
I know, the DC is going to be giving me a BGP session on their router so I can set it up, I'm not using a Linux server as a router. On Sat, Jul 19, 2014 at 9:04 AM, William Herrin b...@herrin.us wrote: On Wed, Jul 16, 2014 at 4:05 AM, Abuse Contact stopabuseandrep...@gmail.com wrote: So I just purchased a Dedicated server from this one company and I have a /24 IPv4 block that I bought from a company on WebHostingTalk, but I am clueless on how to setup the /24 IPv4 block using the BGP Session. I want to set it up to run through their network as if it was one of their IPs, etc. I keep seeing things like iBGP (which I think means like a inner routing BGP) and eBGP (what I'm talking about??) but I have no idea how to set those up or which one I would need. Howdy, Unless you have (1) a real router available, not a just a server and (2) an expert available to help you with your first BGP configuration I strongly recommend you simply ask your service provider to announce the /24 to the Internet on your behalf. Server-based BGP software like Quagga for Linux is reasonably good but it should absolutely not be involved in your _first_ attempt to connect with the Internet's default-free zone. Simple mistakes with eBGP can cause tremendous damage to other folks on the Internet. Trial and error is simply not OK. If it isn't worth it to you to buy a BGP-capable router then you also aren't prepared to make the investment in learning it takes to use BGP without causing harm. Regards, Bill Herrin -- William Herrin her...@dirtside.com b...@herrin.us Owner, Dirtside Systems . Web: http://www.dirtside.com/ Can I solve your unusual networking challenges?
Re: BGP Session
Proxying. On Sat, Jul 19, 2014 at 9:59 AM, Suresh Ramasubramanian ops.li...@gmail.com wrote: A single linux box with a whole /24 on it? What sort of use case is that, BTW? On 19-Jul-2014 10:26 pm, Abuse Contact stopabuseandrep...@gmail.com wrote: I know, the DC is going to be giving me a BGP session on their router so I can set it up, I'm not using a Linux server as a router. On Sat, Jul 19, 2014 at 9:04 AM, William Herrin b...@herrin.us wrote: On Wed, Jul 16, 2014 at 4:05 AM, Abuse Contact stopabuseandrep...@gmail.com wrote: So I just purchased a Dedicated server from this one company and I have a /24 IPv4 block that I bought from a company on WebHostingTalk, but I am clueless on how to setup the /24 IPv4 block using the BGP Session. I want to set it up to run through their network as if it was one of their IPs, etc. I keep seeing things like iBGP (which I think means like a inner routing BGP) and eBGP (what I'm talking about??) but I have no idea how to set those up or which one I would need. Howdy, Unless you have (1) a real router available, not a just a server and (2) an expert available to help you with your first BGP configuration I strongly recommend you simply ask your service provider to announce the /24 to the Internet on your behalf. Server-based BGP software like Quagga for Linux is reasonably good but it should absolutely not be involved in your _first_ attempt to connect with the Internet's default-free zone. Simple mistakes with eBGP can cause tremendous damage to other folks on the Internet. Trial and error is simply not OK. If it isn't worth it to you to buy a BGP-capable router then you also aren't prepared to make the investment in learning it takes to use BGP without causing harm. Regards, Bill Herrin -- William Herrin her...@dirtside.com b...@herrin.us Owner, Dirtside Systems . Web: http://www.dirtside.com/ Can I solve your unusual networking challenges?
Re: BGP Session
Yeah, we're using it for an anycasted node but like, I'm confused on certain parts like, just a really basic question. When doing things like conf t router bgp AS1337 neighbor 208.54.128.0 remote-as AS13335 neighbor 208.54.128.0 description BGP with Upstream neighbor 208.54.128.0 password lolpass address-family ipv4 no synchronization neighbor 208.54.128.0 activate neighbor 208.54.128.0 soft-reconfiguration inboung I'm confused on when doing this, would I need to state like First go to AS13335 then go to TATA then go to my server or would it just automatically do that or would my provider do that? I'm confused on that. how would I state multiple peers.? On Sat, Jul 19, 2014 at 10:06 AM, Jonathan Lassoff j...@thejof.com wrote: An Anycasting node. For example, as part of a reliable DNS service. A /24 is usually the smallest prefix length that is portably accepted. Also, applications where connections need to appear to be coming from many source IPs. On Saturday, July 19, 2014, Suresh Ramasubramanian ops.li...@gmail.com wrote: A single linux box with a whole /24 on it? What sort of use case is that, BTW? On 19-Jul-2014 10:26 pm, Abuse Contact stopabuseandrep...@gmail.com wrote: I know, the DC is going to be giving me a BGP session on their router so I can set it up, I'm not using a Linux server as a router. On Sat, Jul 19, 2014 at 9:04 AM, William Herrin b...@herrin.us wrote: On Wed, Jul 16, 2014 at 4:05 AM, Abuse Contact stopabuseandrep...@gmail.com wrote: So I just purchased a Dedicated server from this one company and I have a /24 IPv4 block that I bought from a company on WebHostingTalk, but I am clueless on how to setup the /24 IPv4 block using the BGP Session. I want to set it up to run through their network as if it was one of their IPs, etc. I keep seeing things like iBGP (which I think means like a inner routing BGP) and eBGP (what I'm talking about??) but I have no idea how to set those up or which one I would need. Howdy, Unless you have (1) a real router available, not a just a server and (2) an expert available to help you with your first BGP configuration I strongly recommend you simply ask your service provider to announce the /24 to the Internet on your behalf. Server-based BGP software like Quagga for Linux is reasonably good but it should absolutely not be involved in your _first_ attempt to connect with the Internet's default-free zone. Simple mistakes with eBGP can cause tremendous damage to other folks on the Internet. Trial and error is simply not OK. If it isn't worth it to you to buy a BGP-capable router then you also aren't prepared to make the investment in learning it takes to use BGP without causing harm. Regards, Bill Herrin -- William Herrin her...@dirtside.com b...@herrin.us Owner, Dirtside Systems . Web: http://www.dirtside.com/ Can I solve your unusual networking challenges?
Re: BGP Session
Oh no, I just used the first ASNs that came to mind :P On Sat, Jul 19, 2014 at 10:23 AM, Jonathan Lassoff j...@thejof.com wrote: On Sat, Jul 19, 2014 at 10:12 AM, Abuse Contact stopabuseandrep...@gmail.com wrote: Yeah, we're using it for an anycasted node but like, I'm confused on certain parts like, just a really basic question. When doing things like conf t router bgp AS1337 neighbor 208.54.128.0 remote-as AS13335 neighbor 208.54.128.0 description BGP with Upstream neighbor 208.54.128.0 password lolpass address-family ipv4 no synchronization neighbor 208.54.128.0 activate neighbor 208.54.128.0 soft-reconfiguration inboung I'm confused on when doing this, would I need to state like First go to AS13335 then go to TATA then go to my server or would it just automatically do that or would my provider do that? I'm confused on that. how would I state multiple peers.? AS13335 is Cloudflare. How does TATA relate? You have a deicated server connected to TATA and Cloudflare? I'm skeptical. You really ought to do some more reading, learning, and practicing before running public BGP. I would recommend reading this book cover-to-cover: http://www.bgpexpert.com/'BGP'-by-Iljitsch-van-Beijnum/ It's only ~250 small pages. To practice and experiment, emulate some example configurations with GNS3 and Dynamips, or some Linux VMs with Quagga or BIRD. On Sat, Jul 19, 2014 at 10:06 AM, Jonathan Lassoff j...@thejof.com wrote: An Anycasting node. For example, as part of a reliable DNS service. A /24 is usually the smallest prefix length that is portably accepted. Also, applications where connections need to appear to be coming from many source IPs. On Saturday, July 19, 2014, Suresh Ramasubramanian ops.li...@gmail.com wrote: A single linux box with a whole /24 on it? What sort of use case is that, BTW? On 19-Jul-2014 10:26 pm, Abuse Contact stopabuseandrep...@gmail.com wrote: I know, the DC is going to be giving me a BGP session on their router so I can set it up, I'm not using a Linux server as a router. On Sat, Jul 19, 2014 at 9:04 AM, William Herrin b...@herrin.us wrote: On Wed, Jul 16, 2014 at 4:05 AM, Abuse Contact stopabuseandrep...@gmail.com wrote: So I just purchased a Dedicated server from this one company and I have a /24 IPv4 block that I bought from a company on WebHostingTalk, but I am clueless on how to setup the /24 IPv4 block using the BGP Session. I want to set it up to run through their network as if it was one of their IPs, etc. I keep seeing things like iBGP (which I think means like a inner routing BGP) and eBGP (what I'm talking about??) but I have no idea how to set those up or which one I would need. Howdy, Unless you have (1) a real router available, not a just a server and (2) an expert available to help you with your first BGP configuration I strongly recommend you simply ask your service provider to announce the /24 to the Internet on your behalf. Server-based BGP software like Quagga for Linux is reasonably good but it should absolutely not be involved in your _first_ attempt to connect with the Internet's default-free zone. Simple mistakes with eBGP can cause tremendous damage to other folks on the Internet. Trial and error is simply not OK. If it isn't worth it to you to buy a BGP-capable router then you also aren't prepared to make the investment in learning it takes to use BGP without causing harm. Regards, Bill Herrin -- William Herrin her...@dirtside.com b...@herrin.us Owner, Dirtside Systems . Web: http://www.dirtside.com/ Can I solve your unusual networking challenges?
Re: BGP Session
Yeah, that's probably the best idea in this situation. I've been really interested in BGP but didn't know where to start, I'll read all the books that you guys put up above and start reading them. Also, referring to what you said If you are not peering with TATA, then your routes would not go to TATA first. (unless the next-hop is indirect and that brings up other fundamental routing things that you should learn about) Yeah, I meant that if I was getting a Transit service from them. Like, if using a DC like Equinix, you have access to countless amounts of opportunities to use Transits from virtually any provider, if I were to contact TATA and ask for a transit, I'd set that up in BGP, but I'm confused on how. I'll look into Fundamental routing. Thanks! On Sat, Jul 19, 2014 at 10:29 AM, Scott Morris s...@emanon.com wrote: Fundamental routing training would greatly help you here. I would suggest looking for that. If you are not peering with TATA, then your routes would not go to TATA first. (unless the next-hop is indirect and that brings up other fundamental routing things that you should learn about) AS13335 is not TATA. So if this is what your provider gave you, one first assumes you¹d be directly connected to them (that¹s one of the rules in BGP¹s RFC for external connections).. If you have multiple providers, you may have multiple peers. Each one would give you information. But like others have stated, I would strongly suggest you stop your testing for the moment and either hire someone to help or take some time to learn the basics on there. Otherwise, successful or not, your testing will really have no meaning to you. Just my two cents. Scott -Original Message- From: Abuse Contact stopabuseandrep...@gmail.com Date: Saturday, July 19, 2014 at 1:12 PM To: Jonathan Lassoff j...@thejof.com Cc: nanog@nanog.org nanog@nanog.org Subject: Re: BGP Session Yeah, we're using it for an anycasted node but like, I'm confused on certain parts like, just a really basic question. When doing things like conf t router bgp AS1337 neighbor 208.54.128.0 remote-as AS13335 neighbor 208.54.128.0 description BGP with Upstream neighbor 208.54.128.0 password lolpass address-family ipv4 no synchronization neighbor 208.54.128.0 activate neighbor 208.54.128.0 soft-reconfiguration inboung I'm confused on when doing this, would I need to state like First go to AS13335 then go to TATA then go to my server or would it just automatically do that or would my provider do that? I'm confused on that. how would I state multiple peers.? On Sat, Jul 19, 2014 at 10:06 AM, Jonathan Lassoff j...@thejof.com wrote: An Anycasting node. For example, as part of a reliable DNS service. A /24 is usually the smallest prefix length that is portably accepted. Also, applications where connections need to appear to be coming from many source IPs. On Saturday, July 19, 2014, Suresh Ramasubramanian ops.li...@gmail.com wrote: A single linux box with a whole /24 on it? What sort of use case is that, BTW? On 19-Jul-2014 10:26 pm, Abuse Contact stopabuseandrep...@gmail.com wrote: I know, the DC is going to be giving me a BGP session on their router so I can set it up, I'm not using a Linux server as a router. On Sat, Jul 19, 2014 at 9:04 AM, William Herrin b...@herrin.us wrote: On Wed, Jul 16, 2014 at 4:05 AM, Abuse Contact stopabuseandrep...@gmail.com wrote: So I just purchased a Dedicated server from this one company and I have a /24 IPv4 block that I bought from a company on WebHostingTalk, but I am clueless on how to setup the /24 IPv4 block using the BGP Session. I want to set it up to run through their network as if it was one of their IPs, etc. I keep seeing things like iBGP (which I think means like a inner routing BGP) and eBGP (what I'm talking about??) but I have no idea how to set those up or which one I would need. Howdy, Unless you have (1) a real router available, not a just a server and (2) an expert available to help you with your first BGP configuration I strongly recommend you simply ask your service provider to announce the /24 to the Internet on your behalf. Server-based BGP software like Quagga for Linux is reasonably good but it should absolutely not be involved in your _first_ attempt to connect with the Internet's default-free zone. Simple mistakes with eBGP can cause tremendous damage to other folks on the Internet. Trial and error is simply not OK. If it isn't worth it to you to buy a BGP-capable router then you also aren't prepared to make the investment in learning it takes to use BGP without causing harm. Regards, Bill Herrin -- William Herrin her...@dirtside.com b...@herrin.us Owner, Dirtside Systems . Web
BGP Session
Hi, So I just purchased a Dedicated server from this one company and I have a /24 IPv4 block that I bought from a company on WebHostingTalk, but I am clueless on how to setup the /24 IPv4 block using the BGP Session. I want to set it up to run through their network as if it was one of their IPs, etc. I keep seeing things like iBGP (which I think means like a inner routing BGP) and eBGP (what I'm talking about??) but I have no idea how to set those up or which one I would need. Any help would be appreciated. Thanks!
Anycast
Hello, So I'm new to owning my own IPs. I want to setup multiple locations for a new service that I'm starting , one location in the USA East and one location in the USA West (to get started). I originally thought that IP Anycasting happened when you have to get a IP Transit from a T1 network like NTT or something and then tell them to set it up for each location;however, now I'm hearing that you need to just announce the IPs at multiple DCs. Could somebody please clarify this confusion for me? Thanks.