Re: DDOS Simulation
I've seen people push close to 10Gbps line rate with 1 byte packets on an Intel card with PF_RING.

On 28 Jul 2015, at 1:40 am, lobna gouda lobna_go...@hotmail.com wrote:
Hello David et Dan, Are you going to perform the DDOS solution yourself, or you are looking for a company to provide a solution for you. Some companies perform an attack simulation for you before buying the product.

From: dro...@gmail.com
Date: Mon, 27 Jul 2015 09:31:21 -0700
Subject: Re: DDOS Simulation
To: do...@telecurve.com
CC: nanog@nanog.org
Looking for similar here. -Dan

On Mon, Jul 27, 2015 at 8:32 AM, Dovid Bender do...@telecurve.com wrote:
Hi All, We are looking into a few different DDOS solutions for a client. We need a LEGITIMATE company that can simulate some DDOS attacks (the generic + specific to the clients business). Anyone have any recommendations? Regards, Dovid
Re: routing issue? could someone from verizon FiOS please take a look?
Hi, I actually saw this issue a few weeks back but with a customer's website. It's actually not a routing issue, but a DNS issue. If you check the IPs that Verizon resolves for you, they'll be different from the IPs that other resolvers will resolve. It's weird, I know, but that's all the information I have for you. Hope I helped, Ammar.

On 24 Feb 2015, at 9:53 pm, Gordon Cook c...@cookreport.com wrote:
Verizon Fios cannot connect me to lavra.spb.ru. This is the Russian site of the second most important monastery in Russia. It is reachable from Boston:

avra.spb.ru (91.218.229.131), 64 hops max, 52 byte packets
 1  192.168.100.1 (192.168.100.1) 2.293 ms 0.815 ms 0.764 ms
 2  100.64.0.129 (100.64.0.129) 1.108 ms 3.013 ms 1.068 ms
 3  10.16.28.1 (10.16.28.1) 1.411 ms 1.277 ms 1.068 ms
 4  10.16.13.1 (10.16.13.1) 4.796 ms 2.301 ms 5.207 ms
 5  69.46.226.129.lightower.net (69.46.226.129) 4.380 ms 3.138 ms 4.630 ms
 6  ae2.bstpmallj42.lightower.net (64.72.64.113) 3.768 ms 6.008 ms 3.888 ms
 7  xe-4-0-2.bar2.boston1.level3.net (4.53.56.153) 6.030 ms 4.890 ms 7.058 ms
 8  ae-231-3607.edge4.london1.level3.net (4.69.166.25) 91.525 ms 81.571 ms
    ae-232-3608.edge4.london1.level3.net (4.69.166.29) 81.327 ms
 9  ae-231-3607.edge4.london1.level3.net (4.69.166.25) 78.121 ms
    ae-232-3608.edge4.london1.level3.net (4.69.166.29) 79.734 ms 78.890 ms
10  195.50.122.186 (195.50.122.186) 173.491 ms 133.054 ms 198.495 ms
11  * * *
12  oversun-gw.transtelecom.net (217.150.54.25) 210.399 ms 138.519 ms 139.291 ms
13  mr-o-rtc1-rsw-2.oversun.ru (94.198.48.154) 131.070 ms 131.007 ms 129.553 ms
14  mr-o-rtc5-rsw-2.oversun.ru (94.198.48.110) 140.012 ms 208.023 ms 145.352 ms
15  vip-h5.ihc-ru.net (91.218.229.131) 131.485 ms 133.319 ms 129.822 ms

and from comcast and other locations. Apparently it has v6 routing info as well ..someone much more knowledgeable than I suggested that this can be a source of reachability problems, but here is what happens on my machine:

ordons-mac-pro:~ gordoncook$ traceroute lavra.spb.ru
traceroute to lavra.spb.ru (92.242.140.21), 64 hops max, 52 byte packets
 1  wireless_broadband_router (192.168.1.1) 0.654 ms 0.351 ms 0.295 ms
 2  l100.cmdnnj-vfttp-26.verizon-gni.net (98.110.50.1) 4.607 ms 4.326 ms 7.869 ms
 3  g0-1-0-0.cmdnnj-lcr-22.verizon-gni.net (130.81.223.100) 12.172 ms 9.502 ms 7.242 ms
 4  xe-9-1-6-0.ny5030-bb-rtr2.verizon-gni.net (130.81.199.226) 15.080 ms
    xe-9-1-2-0.ny5030-bb-rtr2.verizon-gni.net (130.81.209.144) 8.986 ms
    xe-4-1-8-0.ny5030-bb-rtr2.verizon-gni.net (130.81.209.84) 22.085 ms
 5  * * *
 6  0.ae1.br2.nyc4.alter.net (140.222.229.91) 79.467 ms 77.046 ms 74.729 ms
 7  204.255.168.114 (204.255.168.114) 85.591 ms 86.899 ms
    204.255.168.110 (204.255.168.110) 87.011 ms
 8  be2061.ccr42.jfk02.atlas.cogentco.com (154.54.3.69) 96.323 ms
    be2060.ccr41.jfk02.atlas.cogentco.com (154.54.31.9) 84.779 ms
    be2061.ccr42.jfk02.atlas.cogentco.com (154.54.3.69) 85.063 ms
 9  be2482.ccr21.cle04.atlas.cogentco.com (154.54.27.157) 31.562 ms 31.990 ms
    be2483.ccr22.cle04.atlas.cogentco.com (154.54.29.201) 27.548 ms
10  be2351.ccr41.ord01.atlas.cogentco.com (154.54.44.85) 37.087 ms
    be2185.ccr42.ord01.atlas.cogentco.com (154.54.43.177) 42.273 ms
    be2351.ccr41.ord01.atlas.cogentco.com (154.54.44.85) 39.590 ms
11  be2157.ccr22.mci01.atlas.cogentco.com (154.54.6.117) 49.793 ms
    be2156.ccr21.mci01.atlas.cogentco.com (154.54.6.85) 50.583 ms
    be2157.ccr22.mci01.atlas.cogentco.com (154.54.6.117) 49.492 ms
12  be2133.ccr22.sfo01.atlas.cogentco.com (154.54.30.65) 77.446 ms
    be2132.ccr21.sfo01.atlas.cogentco.com (154.54.30.53) 77.060 ms
    be2133.ccr22.sfo01.atlas.cogentco.com (154.54.30.65) 77.001 ms
13  be2164.ccr21.sjc01.atlas.cogentco.com (154.54.28.34) 74.999 ms 74.569 ms
    be2165.ccr22.sjc01.atlas.cogentco.com (154.54.28.66) 74.852 ms
14  be2063.rcr21.b001848-1.sjc01.atlas.cogentco.com (154.54.1.162) 74.377 ms
    be2095.rcr21.b001848-1.sjc01.atlas.cogentco.com (154.54.3.138) 77.126 ms 89.476 ms
15  c1.sj.mpt.fiberinternetcenter.net (66.201.58.2) 82.483 ms 86.964 ms 80.094 ms
16  sanjose2.barefruit.co.uk (66.201.32.134) 125.112 ms 106.932 ms 124.778 ms
17  * * *
18  * * *
19  * * *
20  * * *
21  * * *
22  * * *
23  * * *
24  * * *
25  * * *
26  * * *
27  * * *
28  * * *
29  * * *
30  * * *
31  * * *
32  * * *
33  * * *
34  * * *
35  * * *
36  * * *
37  * * *
38  * * *
39  * * *
40  * unallocated.barefruit.co.uk (92.242.140.21) 111.898 ms *
gordons-mac-pro:~ gordoncook$

PS: my FIOS contract is up in April. Any suggestion of how to avoid a $30 per month price increase would be greatly appreciated, OFF list of course.

many thanks
Gordon Cook
COOK Report on Internet Protocol
Re: GTT NOC
Hi all, Thanks so much for the responses. It looks like the issue has now been resolved! Ammar

On 14 Feb 2015, at 5:51 am, Adam Davenport a...@davenpro.com wrote:
Ammar, Feel free to contact me off-list, and I'd be happy to take a look into this issue for you. Thanks!

On 2/13/2015 8:10 PM, Ammar Zuberi wrote:
Hi all, Does anyone know of a direct phone number for someone with somewhat authority at GTT? Our prefix has been hijacked by a customer of theirs and we haven’t received any kind of response to our email and the guys on the phone seem to not speak very good English. Any ideas? Ammar.
GTT NOC
Hi all, Does anyone know of a direct phone number for someone with somewhat authority at GTT? Our prefix has been hijacked by a customer of theirs and we haven’t received any kind of response to our email and the guys on the phone seem to not speak very good English. Any ideas? Ammar.
Re: FTTx Active-Ethernet Hardware
Hi, Here in Dubai they have a wide FTTH deployment (almost 80% of homes and offices) with almost no copper in the service provider networks. They use these Planet devices in every deployment I've taken a look at so far. Ammar

On 10 Feb 2015, at 6:42 pm, Ray Soucy r...@maine.edu wrote:
Price and functionality-wise Planet MGSW-28240F and GSD-1020S look pretty close to what I'm looking for. Anyone have real experience with using them on a large scale? Performance?

On Tue, Feb 10, 2015 at 8:34 AM, Mike Hammett na...@ics-il.net wrote:
Check out Mikrotik, Planet and TP-Link.
- Mike Hammett Intelligent Computing Solutions http://www.ics-il.com

- Original Message -
From: Ray Soucy r...@maine.edu
To: NANOG nanog@nanog.org
Sent: Tuesday, February 10, 2015 7:31:22 AM
Subject: FTTx Active-Ethernet Hardware

One thing I'm personally interested in is the growth of municipal FTTx that's starting to happen around the US and possibly applying that model to highly rural areas (e.g. 10 mile long town with no side streets, existing utility poles, 250 or so homes) and doing a realistic cost analysis of what that would take.

What options are out there for Active-Ethernet hardware. Ideally something that could handle G.8032 and 802.1ad in hardware for the distribution side (24 or 48-port SFP metro switch) and something inexpensive for the access side but still managed (e.g. a 4-port switch with an SFP uplink supporting Q-in-Q). I'm really looking for something cheap to keep costs down for a proof-of-concept. The stuff from Cisco and even Ciena is a bit more expensive than my target.

-- Ray Patrick Soucy Network Engineer University of Maine System T: 207-561-3526 F: 207-561-3531 MaineREN, Maine's Research and Education Network www.maineren.net
Re: FTTx Active-Ethernet Hardware
Hi, Generally, I haven’t seen many issues. I see our home Internet slow down once in a while, but I doubt it's anything to do with the Planet devices but more so with the way the provider operates their network. Ammar

On Feb 10, 2015, at 7:05 PM, Ray Soucy r...@maine.edu wrote:
Thank you, this is useful information. From your perspective as a user, do things seem fairly stable?

On Tue, Feb 10, 2015 at 9:52 AM, Ammar Zuberi am...@fastreturn.net wrote:
Hi, Here in Dubai they have a wide FTTH deployment (almost 80% of homes and offices) with almost no copper in the service provider networks. They use these Planet devices in every deployment I've taken a look at so far. Ammar

On 10 Feb 2015, at 6:42 pm, Ray Soucy r...@maine.edu wrote:
Price and functionality-wise Planet MGSW-28240F and GSD-1020S look pretty close to what I'm looking for. Anyone have real experience with using them on a large scale? Performance?

On Tue, Feb 10, 2015 at 8:34 AM, Mike Hammett na...@ics-il.net wrote:
Check out Mikrotik, Planet and TP-Link.
- Mike Hammett Intelligent Computing Solutions http://www.ics-il.com

- Original Message -
From: Ray Soucy r...@maine.edu
To: NANOG nanog@nanog.org
Sent: Tuesday, February 10, 2015 7:31:22 AM
Subject: FTTx Active-Ethernet Hardware

One thing I'm personally interested in is the growth of municipal FTTx that's starting to happen around the US and possibly applying that model to highly rural areas (e.g. 10 mile long town with no side streets, existing utility poles, 250 or so homes) and doing a realistic cost analysis of what that would take.

What options are out there for Active-Ethernet hardware. Ideally something that could handle G.8032 and 802.1ad in hardware for the distribution side (24 or 48-port SFP metro switch) and something inexpensive for the access side but still managed (e.g. a 4-port switch with an SFP uplink supporting Q-in-Q). I'm really looking for something cheap to keep costs down for a proof-of-concept. The stuff from Cisco and even Ciena is a bit more expensive than my target.

-- Ray Patrick Soucy Network Engineer University of Maine System T: 207-561-3526 F: 207-561-3531 MaineREN, Maine's Research and Education Network www.maineren.net
Re: HTTPS redirects to HTTP for monitoring
So your idea is to block every HTTPS website?

On 18 Jan 2015, at 6:48 pm, Ca By cb.li...@gmail.com wrote:
On Sunday, January 18, 2015, Grant Ridder shortdudey...@gmail.com wrote:
Hi Everyone, I wanted to see what opinions and thoughts were out there. What software, appliances, or services are being used to monitor web traffic for inappropriate content on the SSL side of things? personal use? enterprise enterprise? It looks like Websense might do decryption ( http://community.websense.com/forums/t/3146.aspx) while Covenant Eyes does some sort of session hijack to redirect to non-ssl (at least for Google) ( https://twitter.com/CovenantEyes/status/451382865914105856). Thoughts on having a product that decrypts SSL traffic internally vs one that doesn't allow SSL to start with? -Grant

IMHO, it would be better to just block the service and say the encrypted traffic is inconsistent with your policy instead of snooping it and exposing sensitive data to your middle box. These boxes that violate end to end encryption are a great place for hackers to steal the bank and identity info of everyone in your company. That sounds like a lot of liability to put on your shoulders. CB
Re: Verizon.net email admin?
Maybe your IP block isn’t being accepted by Verizon? Can you traceroute it etc?

On Jan 17, 2015, at 1:00 AM, Chris Adams c...@cmadams.net wrote:
Anybody Verizon.net mail admins around? I have a downstream customer on a newly-deployed IP allocation that can't get to pop.verizon.net (connections just time out). She can surf elsewhere, she can take the same computer to another location (different IP block) and it works, so it appears something on Verizon is filtering out the IP space (from 107.190.192.0/20). Thanks.
-- Chris Adams c...@cmadams.net
Re: 129.250.35.250/251 NTT DNS Instability
Traceroute from my home connection in Dubai, United Arab Emirates:

traceroute to 129.250.35.250 (129.250.35.250), 64 hops max, 52 byte packets
 1  192.168.1.1 (192.168.1.1) 2.293 ms 1.549 ms 7.657 ms
 2  94.203.22.1 (94.203.22.1) 3.281 ms 8.348 ms 8.494 ms
 3  10.39.162.65 (10.39.162.65) 5.722 ms 2.753 ms 4.999 ms
 4  10.171.0.19 (10.171.0.19) 2.780 ms 3.022 ms 3.278 ms
 5  10.100.35.78 (10.100.35.78) 6.344 ms 5.340 ms 5.254 ms
 6  10.44.24.162 (10.44.24.162) 90.120 ms 90.141 ms 92.448 ms
 7  116.51.26.81 (116.51.26.81) 276.227 ms 265.609 ms 368.385 ms
 8  ae-1.r21.sngpsi05.sg.bb.gin.ntt.net (129.250.7.20) 275.509 ms 270.857 ms 274.100 ms
 9  ae-4.r23.tokyjp01.jp.bb.gin.ntt.net (129.250.7.37) 258.667 ms 265.824 ms 256.990 ms
10  x.ns.gin.ntt.net (129.250.35.250) 251.302 ms 252.865 ms 255.337 ms

On Jan 12, 2015, at 8:28 PM, A MEKKAOUI amekka...@mektel.ca wrote:
What we've seen is that this morning some of our clients cannot connect to internet and when we change the DNS to use Google DNS internet works fine. I'll see if I can get a tracert to 129.250.35.250 and will send it. Thank you
A MEKKAOUI MEKTEL INC www.mektel.ca

-Original Message-
From: Jared Mauch [mailto:ja...@puck.nether.net]
Sent: 12 janvier 2015 11:20
To: A MEKKAOUI
Cc: nanog@nanog.org
Subject: Re: 129.250.35.250/251 NTT DNS Instability

Can you give examples? 129.250.35.250/251 are anycasted so a trace route would be helpful as well. - jared

On Jan 12, 2015, at 11:17 AM, A MEKKAOUI amekka...@mektel.ca wrote:
Hi We've seen some DNS instability and want to know if anyone of you have seen the same thing. Your comments will be appreciated. Thank you Karim
Re: DDOS solution recommendation
I’m stuck trying to find a virtual router environment that I can play with flowspec on. We do have some Juniper routers, but they are in production and I don’t think I want to touch flowspec on them just yet. Does anyone have any experience or any ideas here? Even openbgpd?

On Jan 11, 2015, at 6:58 PM, Roland Dobbins rdobb...@arbor.net wrote:
On 11 Jan 2015, at 20:52, Ca By wrote:

1. BCP38 protects your neighbor, do it.

It's to protect yourself, as well. You should do it all the way down to the transit customer aggregation edge, all the way down to the IDC access layer, etc.

2. Protect yourself by having your upstream police Police UDP to some baseline you are comfortable with.

This will come back to haunt you, when the programmatically-generated attack traffic 'crowds out' the legitimate traffic and everything breaks. You can only really do this for ntp.

3. Have RTBH ready for some special case.

S/RTBH and/or flowspec are better (S/RTBH does D/RTBH, too).

--- Roland Dobbins rdobb...@arbor.net
Anyone from EPOCH Internet/MegaPath?
Hi, The AS number we were assigned by ARIN (AS14558) was previously owned by DANDY and was in the EPOCH routing registry. We get conflicting route generations from IRR due to this, is there anyone that can contact me off-list and get this done or does anyone have any suggestions on how I can go about getting this removed. I’ve already tried to call and email them, everyone seems clueless unfortunately. Ammar.
Re: DDOS solution recommendation
I'd beg to differ on this one. The average attacks we're seeing are double that, around the 30-40g mark. Since NTP and SSDP amplification began, we've been seeing all kinds of large attacks. Obviously, these can easily be blocked upstream to your network. Hibernia Networks blocks them for us. Ammar On 11 Jan 2015, at 8:37 am, Paul S. cont...@winterei.se wrote: While it indeed is true that attacks up to 600 gbit/s (If OVH and CloudFlare's data is to be believed) have been known to happen in the wild, it's very unlikely that you need to mitigate anything close. The average attack is usually around the 10g mark (That too barely) -- so even solutions that service up to 20g work alright. Obviously, concerns are different if you're an enterprise that's a DDoS magnet -- but for general service providers selling 'protected services,' food for thought. On 1/11/2015 午後 12:48, Damian Menscher wrote: On Thu, Jan 8, 2015 at 9:01 AM, Manuel Marín m...@transtelco.net wrote: I was wondering what are are using for DDOS protection in your networks. We are currently evaluating different options (Arbor, Radware, NSFocus, RioRey) and I would like to know if someone is using the cloud based solutions/scrubbing centers like Imperva, Prolexic, etc and what are the advantages/disadvantages of using a cloud base vs an on-premise solution. It would be great if you can share your experience on this matter. On-premise solutions are limited by your own bandwidth. Attacks have been publicly reported at 400Gbps, and are rumored to be even larger. If you don't have that much network to spare, then packet loss will occur upstream of your mitigation. Having a good relationship with your network provider(s) can help here, of course. If you go with a cloud-based solution, be wary of their SLA. I've seen some claim 100% uptime (not believable) but of course no refund/credits for downtime. Another provider only provides 20Gbps protection, then will null-route the victim. 
On Sat, Jan 10, 2015 at 4:19 PM, Charles N Wyble char...@thefnf.org wrote: Also how are folks testing ddos protection? What lab gear,tools,methods are you using to determine effectiveness of the mitigation. Live-fire is the cheapest approach (just requires some creative trolling) but if you want to control the off button, cloud VMs can be tailored to your needs. There are also legitimate companies that do network stress testing. Keep in mind that you need to test against a variety of attacks, against all components in the critical path. Attackers aren't particularly methodical, but will still randomly discover any weaknesses you've overlooked. Damian
Re: DDOS solution recommendation
You'd notice that most people don't really know how big the attack that they're sending is. I've done a lot of research into how these attacks actually work and most of them are done by kids who don't really know what they're doing. To them an attack is something that will take their target down (usually a home connection or a game server). If this doesn't happen, they fire off complaints to the person that runs the DDoS service. It's a whole industry out there, and they're generally far ahead of us. Ammar

On 11 Jan 2015, at 9:43 am, Damian Menscher dam...@google.com wrote:
On Sat, Jan 10, 2015 at 8:37 PM, Paul S. cont...@winterei.se wrote:

While it indeed is true that attacks up to 600 gbit/s (If OVH and CloudFlare's data is to be believed) have been known to happen in the wild, it's very unlikely that you need to mitigate anything close.

Agree that trusting others' numbers is unwise (there's a bias to inflate sizes), but from personal experience I can say that their claims are plausible.

The average attack is usually around the 10g mark (That too barely) -- so even solutions that service up to 20g work alright.

I'm not sure how to compute an average -- I generally just track the maximums. I suspect some reports of 10Gbps attacks are simply that the attack saturated the victim's link, and they were unable to measure the true size. (I agree there are many actual 10Gbps attacks also, of course -- attackers know this size will usually work, so they don't waste resources.)

Obviously, concerns are different if you're an enterprise that's a DDoS magnet -- but for general service providers selling 'protected services,' food for thought.

Even if you're just a hosting provider, your customers may be DDoS magnets. Coincidentally, at the time you pressed send, we were seeing a 40Gbps attack targeting a customer.
Damian On 1/11/2015 午後 12:48, Damian Menscher wrote: On Thu, Jan 8, 2015 at 9:01 AM, Manuel Marín m...@transtelco.net wrote: I was wondering what are are using for DDOS protection in your networks. We are currently evaluating different options (Arbor, Radware, NSFocus, RioRey) and I would like to know if someone is using the cloud based solutions/scrubbing centers like Imperva, Prolexic, etc and what are the advantages/disadvantages of using a cloud base vs an on-premise solution. It would be great if you can share your experience on this matter. On-premise solutions are limited by your own bandwidth. Attacks have been publicly reported at 400Gbps, and are rumored to be even larger. If you don't have that much network to spare, then packet loss will occur upstream of your mitigation. Having a good relationship with your network provider(s) can help here, of course. If you go with a cloud-based solution, be wary of their SLA. I've seen some claim 100% uptime (not believable) but of course no refund/credits for downtime. Another provider only provides 20Gbps protection, then will null-route the victim. On Sat, Jan 10, 2015 at 4:19 PM, Charles N Wyble char...@thefnf.org wrote: Also how are folks testing ddos protection? What lab gear,tools,methods are you using to determine effectiveness of the mitigation. Live-fire is the cheapest approach (just requires some creative trolling) but if you want to control the off button, cloud VMs can be tailored to your needs. There are also legitimate companies that do network stress testing. Keep in mind that you need to test against a variety of attacks, against all components in the critical path. Attackers aren't particularly methodical, but will still randomly discover any weaknesses you've overlooked. Damian
Re: merry xmas
At least you’re only having problems with the IPv6 version, I’ve spent about an hour trying to get the IPv4 version of fakeroute working and I just can’t. I even tried a few different ones. Does anyone have a version that works? I have some fun things I’d like to do with it ;) Ammar.

On Dec 25, 2014, at 5:01 AM, Sadiq Saif li...@sadiqs.com wrote:
On 12/24/2014 14:40, Theodore Baschak wrote:

For anyone who wishes to implement a Holiday Message for us IPv6 folks, Job Snijders has this code online: https://github.com/job/ipv6-traceroute-faker Just needs Linux, Python, and a /64 routed to it.

Been trying to get this running but I get this error:

TypeError: do_callback() takes exactly 1 argument (2 given)

Not sure where it is getting the second argument. Any ideas?
-- Sadiq Saif https://staticsafe.ca
Re: IXes and AS length
That’s exactly what I was thinking… Equinix doesn’t really have anything to do with that part of the peering ecology.

On Dec 18, 2014, at 9:55 PM, Clayton Zekelman clay...@mnsi.net wrote:
I'm not sure how they can do that. Equinix is Layer 2 - your peering parameters are between you and your peer?

At 12:52 PM 18/12/2014, Mike Hammett wrote:
So I just found out that the IX we're looking to hook up with (Equinix) doesn't allow downstream ASes. How does that functionally work?

Stepping outside my ISP for a moment, I know a building owner with several buildings that provides Internet to his tenants. He's getting an AS so he can have upstream diversity. Unless carrier A or ISP B have direct private peering with whomever (Amazon, NetFlix, Google, FaceBook, etc., etc.), that building owner doesn't have a route to those services? They can't utilize carrier A or ISP B's public peering connection? How can that possibly be with every ISP being required to have their own physical presence on the exchange? That's just not practical.

I understand not having parallel ASNs (advertising both ASN A and ASN B separately) from a sales perspective, but I don't understand ASN A advertising directly on the IX, but not allowing ASN A's downstream customers of ASNs B, C, D and E. Am I wrong or is this just an Equinix thing?

- Mike Hammett Intelligent Computing Solutions http://www.ics-il.com

--- Clayton Zekelman Managed Network Systems Inc. (MNSi) 3363 Tecumseh Rd. E Windsor, Ontario N8W 1H4 tel. 519-985-8410 fax. 519-985-8409
Re: automatic / intelligent fiber optic patch panel (iow SDN @ layer 0)
Doesn't the MetaMako device do exactly the same thing as the Glimmerglass photonic switch? Ammar

On 15 Dec 2014, at 2:50 pm, Peter teStrake peter.testr...@tradingscreen.com wrote:
Hi Arnold, I have recently been talking to these guys ( https://www.metamako.com/use-cases/ ) about intelligent cross connect management within our data centers. Maybe this would work for you, and probably less complicated than a robot. Cheers Pete

On 11/12/2014 09:21, joel jaeggli joe...@bogus.com wrote:
On 12/10/14 4:33 PM, Phil Bedard wrote:

Curious what the use case is where a photonic or L1 switch wouldn't get the job done? With the robotic system you still need to wire everything up so it's available to be xconnected.

We've done electromechanical cross connect termination before on a very large scale. http://www.siemens.com/history/pool/newsarchiv/newsmeldungen/20110403_bild_3_fernsprechamt_muenchen-schwabing_458px.jpg those systems typically don't have the capacity to connect 100% of the edges at once.

FiberZone was another vendor who made robotic patch panels, but I'm not sure they are around anymore.

their website is still there, I've never seen an AFM live.

Interesting also Verizon has a patent on automated patch panels, but using very specific mechanics. https://www.google.com/patents/US8175425 Phil

On 12/9/14, 11:51 PM, Arnold Nipper arn...@nipper.de wrote:
On 2014-12-10 00:36, Andrew Jones wrote:

http://www.laser2000.de/out/media/glimmerglass_system_100%281%29.pdf

Thank you, Andrew ... while Glimmerglass is really an exciting and excellent system, these devices are exactly those photonic cross connects I'm _not_ looking for :9

On 10.12.2014 10:21, Arnold Nipper wrote:
I'm looking for a modular, cost-effective automatic / intelligent fibre optic patch panel. I'm not looking at these photonic x-connects, but really for something which does the patching instead of a technician.
Arnold -- Arnold Nipper / nIPper consulting, Sandhausen, Germany email: arn...@nipper.de phone: +49 6224 5593407 2 mobile: +49 172 2650958 fax: +49 6224 5593407 9
Re: OT - Verizon/ATT Cell/4G Signal Booster/Repeater
Hi, Although this might not apply to you in the US, anyone else thinking about trying this might want to check up on possible legal backlash from using one of these devices. I know you can't legally use one of these in Dubai. Ammar

On 16 Dec 2014, at 6:54 am, John Levine jo...@iecc.com wrote:
In article 20141216024552.ga26...@esri.com you write:

Hi all; Looking to improve cell reception for mixed ATT/Verizon users on the first floor of one of our buildings. Starting to dig into this and coming across items like this one at Amazon[1], but thought some of you out there might have recommendations for something that has worked well for you and has been reliable.

The Wilson equipment has a good reputation. Assuming you have good Internet service, you might also consider femtocells, which are small cellular base stations that use your Internet service as backhaul.

Verizon: http://www.verizonwireless.com/accessories/samsung-network-extender-scs-2u01/
ATT: http://www.att.com/att/microcell/

R's, John
Re: Carrier-grade DDoS Attack mitigation appliance
Hi, We’re currently running the Arbor Peakflow SP with the TMS and it works very well for us.

Best Regards, Ammar Zuberi FastReturn, Inc Direct Line: +971 50 394 7299 Email: am...@fastreturn.net

On Dec 8, 2014, at 10:53 PM, Tony McKay tony.mc...@rittercommunications.com wrote:
Does anyone on list currently use Peakflow SP from Arbor with TMS, and is it truly a carrier grade DDoS detection and mitigation platform? Anyone have any experience with Plixir?

Tony McKay Dir. Of Network Operations Office: 870.336.3449 Mobile: 870.243.0058
-The boundary to your comfort zone fades a little each time you cross it. Raise your limits by pushing them.

-Original Message-
From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Mohamed Kamal
Sent: Sunday, December 07, 2014 2:10 PM
To: nanog
Subject: Carrier-grade DDoS Attack mitigation appliance

Have anyone tried any DDoS attack mitigation appliance rather than Arbor PeakFlow TMS?
I need it to be carrier-grade in terms of capacity and redundancy, and as far as I know, Arbor is the only product in the market which offers a clean pipe volume of traffic, so if the DDoS attack volume is, for example, 1Tbps, they will grant you for example 50Gbps of clean traffic. Anyway, I'm open to other suggestions, and open-source products that can do the same purpose, we have network development team that can work on this. Thanks. -- Mohamed Kamal Core Network Sr. Engineer
Re: Carrier-grade DDoS Attack mitigation appliance
Hi, A lot of new vendors have entered the DDoS attack prevention market other than Arbor, I've seen carrier grade devices made by Huawei, NSFocus, RioRey and many others. If you're looking at something software based, I've used Andrisoft WanGuard and would recommend it. Ammar.

On 8 Dec 2014, at 12:09 am, Mohamed Kamal mka...@noor.net wrote:
Have anyone tried any DDoS attack mitigation appliance rather than Arbor PeakFlow TMS? I need it to be carrier-grade in terms of capacity and redundancy, and as far as I know, Arbor is the only product in the market which offers a clean pipe volume of traffic, so if the DDoS attack volume is, for example, 1Tbps, they will grant you for example 50Gbps of clean traffic. Anyway, I'm open to other suggestions, and open-source products that can do the same purpose, we have network development team that can work on this. Thanks.
-- Mohamed Kamal Core Network Sr. Engineer
Re: Juniper MX Sizing
What’s a cheaper alternative to the MX104s? We take a full BGP table and are on the AMS-IX and DE-CIX and are looking for a new router. The MX series looks a bit out of budget but we’re currently looking into the Brocade MLX series. We push under 10Gbps, but we do need 10Gbps routing due to capacity issues during attacks. Sorry for being a bit off-topic here. Ammar

On Dec 6, 2014, at 12:01 AM, Brad Fleming bdfle...@gmail.com wrote:
Then you should look for something other than the MX104. In our testing an MX104 running Junos 13.3R4 with a single, full feed took about 4min 25sec to (1) converge the RIB from a router sitting 0.5ms RTT away and (2) update the FIB with all entries. This performance was observed with single RE and dual RE and without any excess services running. If we added inline-flow sampling to the device full convergence took closer to 5min 45sec in our lab. Efforts to bring the convergence time down (without filtering ingress advertisements) with the assistance of JTAC proved unsuccessful. We decided to “bite the bullet” and procure MX480s instead but obviously that’s not possible for everyone. If the MX480 is out of the question a Brocade CER Premium is an option.
We have 3 in production and see very attractive convergence times; however, they have a more limited feature set and you’ll want to understand how their FIB memory scales. Apologies, I don’t know the Cisco equivalent from the ASR line these days but I’m sure others on the list could help out. On Dec 5, 2014, at 11:45 AM, Graham Johnston johnst...@westmancom.com wrote: Shawn, It's more about FIB than RIB as I am concerned about the time it takes until MPCs have updated route information after large scale changes in routes learned via BGP. Graham Johnston Network Planner Westman Communications Group 204.717.2829 johnst...@westmancom.com think green; don't print this email. -Original Message- From: Shawn Hsiao [mailto:phs...@tripadvisor.com] Sent: Friday, December 05, 2014 11:30 AM To: Graham Johnston Cc: nanog@nanog.org Subject: Re: Juniper MX Sizing Is your sizing concern just for the RIB, or also for FIB to sync up? The latter was a problem for us, but not the former. We also have inline-jflow turned on and that is still a work-in-progress in terms of impacting performance. We are using MX104 for similar purposes for many months now, and with some tweaks in our procedures and configurations we found it to be acceptable. MX104 may not be able to process routes as fast as MX480, but MX480 is also not instantaneous either so similar risks exist. On Dec 5, 2014, at 11:59 AM, Graham Johnston johnst...@westmancom.com wrote: I am wondering if anyone can provide their real world experience about sizing Juniper MX routers as it relates to BGP. I am needing a device that has a mix of layer 2 and 3 features, including MPLS, that will have a very low port count requirement that will primarily be used at a remote POP site to connect to the local IX as well as one or two full route transit providers. The MX104 has what I need from a physical standpoint and a data plane standpoint, as well as power consumption figures. 
My only concern is whether the REs have enough horsepower to churn through the convergence calculations at a rate that operators in this situation would find acceptable. I realize that 'acceptable' is a moving target so I would happily accept feedback from people using them as to how long it takes and their happiness with the product. For those of you that deem the MX104 unacceptable in this kind of role and moved up to the MX240, what RE did you elect to use? Thanks, Graham Johnston Network Planner Westman Communications Group 204.717.2829 johnst...@westmancom.commailto:johnst...@westmancom.com P think green; don't print this email.
TeliaSonera IC Contacts
Hi all, Does anyone have a contact for an account manager at TeliaSonera IC? We’ve sent at least 3 requests for a quote through their website over a month or so and haven’t got a single reply except for the automated “we’ve received your query” email. We’re looking for IP transit in Amsterdam, NL. Best Regards, Ammar Zuberi FastReturn, Inc Email: am...@fastreturn.net
Re: TeliaSonera IC Contacts
Hi Sander, It's more of a have to buy from them as opposed to a want to buy from them. I'd much prefer NTT, but they are nowhere near where we are unfortunately. Ammar.

On 29 Nov 2014, at 7:25 pm, Sander Steffann san...@steffann.nl wrote:

Hi,

Does anyone have a contact for an account manager at TeliaSonera IC? We’ve sent at least 3 requests for a quote through their website over a month or so and haven’t got a single reply except for the automated “we’ve received your query” email.

And you still want to buy from them?!? Sander
Re: Buying IP Bandwidth Across a Peering Exchange
Hi, I’m pretty sure IX Reach can take you into an Equinix exchange, so it is probably possible that they allow this kind of stuff to happen. Ammar.

On Nov 26, 2014, at 4:38 PM, Mark Tinka mark.ti...@seacom.mu wrote:

On Tuesday, November 25, 2014 10:34:14 PM Eric Van Tol wrote:

It's been a while since I've checked the Equinix Customer Agreement and Policies documents, but I know at one time they required a physical presence in the IDC for an Exchange cross-connect. This may have changed in the past several years.

Several exchange points now support some kind of resale model, where peering members are transported into the exchange point via network, without the need for physical presence at the exchange point location. I'm not sure whether Equinix's exchange points do this. Mark.
Re: Buying IP Bandwidth Across a Peering Exchange
Hi Conor, I know this is possible since Hurricane Electric does it for IPv6 transit, however, I'm not sure if it violates any exchange rules or if it's even a good idea.

On 25 Nov 2014, at 10:47 pm, Colton Conor colton.co...@gmail.com wrote:

I know typically peering exchanges are made for peering traffic between providers, but can you buy IP transit from a provider on an exchange? An example, buy a 10G port on an exchange, peer 5Gbps of traffic with multiple providers on the exchange, and buy 5Gbps of IP transit from others on the exchange? Some might ask why not get a cross connect to the provider. It is cheaper to buy a port on the exchange (which includes the cross connect to the exchange) than buy multiple cross connects. Plus we are planning on getting a wave to the exchange, and not having any physical routers or switches at the datacenter where the exchange/wave terminates at. Is this possible?