Re: Reliable Cloud host ?

2012-02-29 Thread Bobby Mac
HP has built an Openstack based cloud.  I got a beta account and things are
surprisingly stable.
hpcloud dot com

On Wed, Feb 29, 2012 at 1:12 PM, Tei oscar.vi...@gmail.com wrote:

 related to the topic:

 http://slashdot.org/story/12/02/29/153226/microsofts-azure-cloud-suffers-major-downtime

 --
 --
 End of message.




Cisco CSS 11503 SSL and reverse DNS

2010-05-18 Thread Bobby Mac
Hi All:

Will having correct reverse DNS mapping improve SSL performance on an 11503
during peak load?  My guess is no, but I don't want to pound my prod device
to find out.

-Bobby


SNMP, Static NAT and management systems including servers, middleware and applications

2010-03-02 Thread Bobby Mac
Hi All:

I have been asked to extend the capabilities of my current monitoring and
management system to another division of the company.  All IP space is
rfc1918 with no public routed space in the mix.  Needless to say, and
rightfully so, the network folks won't allow me to directly attach my
management network to theirs.

I use SNMP for system level monitoring for all servers via agents on the
servers (WIN and NIX).  Static NAT will be put into place but it breaks my
SNMP gets, used by the NOC to validate CPU, disk util, etc.  In a quick test
NAT on my own network was set up and I can receive traps and parse them fine
even with the NAT, as the current trap receiver and visualization can handle
incoming traps and NAT.  I can see system IP and peer IP fulfilling the two
sides.  I know I can create a simple ALG via an Apache server with Perl to
execute the SNMP get on the foreign network.  NOC folks can see data and
import it into the ticket (no blind escalations).

My question is how have others handled SNMP and static NATs without a ground
up re-architecture.  I don't want to bring in new protocols and change my
systems as they are today due to the heavy integration with provisioning,
workflow and process flows.  They have worked well to date, besides the huge
sunk $ investment in software and integration.

I have been looking for a complex ALG but there doesn't seem to be much out
there and I would rather not manipulate the payload,  but map it correctly.
Any suggestions?

-Bob

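The post above notes that traps survive the static NAT while polling does not, and that the receiver sees both a "system IP" and a "peer IP". The reason is that NAT rewrites the IP header but not the SNMP payload: an SNMPv1 Trap-PDU carries its own agent-addr field, which still holds the inside RFC 1918 address after translation. The following is an added example (editor's code, not from the post or from any monitoring product mentioned) that decodes a v1 trap with a minimal BER parser and checks the embedded agent-addr against the datagram's translated source through a static NAT table. The trap bytes, community string, enterprise OID, addresses and NAT table are all constructed for the example.

```python
"""Reconcile an SNMPv1 trap's embedded agent-addr with a NAT-translated source.

Added example: NAT rewrites the IP header, not the SNMP payload, so a v1 trap
from 192.168.50.15 behind a static NAT still says agent-addr = 192.168.50.15
while the datagram arrives from the translated address.  The receiver has to
map between the two; this shows the decode and the lookup.
"""
import ipaddress

# Constructed static NAT table: outside address (as seen from the management
# network) -> inside RFC 1918 address.  Both sides are invented for the example.
STATIC_NAT = {"10.200.1.15": "192.168.50.15"}

# ---- minimal BER encoder, used only to build the sample trap --------------
def _length(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, payload):
    return bytes([tag]) + _length(len(payload)) + payload

def ber_int(value, tag=0x02):
    size = max(1, (value.bit_length() + 8) // 8)      # two's complement, minimal
    return tlv(tag, value.to_bytes(size, "big", signed=True))

def ber_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]                    # first two arcs share a byte
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:                                    # base-128, high bit = more
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(chunk)
    return tlv(0x06, bytes(out))

def build_v1_trap(community, enterprise, agent_addr, generic, specific, uptime):
    """SNMPv1 Message { version 0, community, Trap-PDU [4] } per RFC 1157."""
    pdu = (ber_oid(enterprise)
           + tlv(0x40, ipaddress.IPv4Address(agent_addr).packed)   # IpAddress
           + ber_int(generic) + ber_int(specific)
           + ber_int(uptime, 0x43)                                  # TimeTicks
           + tlv(0x30, b""))                                        # empty VarBindList
    return tlv(0x30, ber_int(0) + tlv(0x04, community.encode()) + tlv(0xA4, pdu))

# ---- decoder ---------------------------------------------------------------
def ber_read(buf, pos=0):
    """Return (tag, value, next_pos) for the TLV at pos; handles long-form lengths."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated TLV")
    return tag, buf[pos:pos + length], pos + length

def expect(tag, buf, pos=0):
    got, value, nxt = ber_read(buf, pos)
    if got != tag:
        raise ValueError(f"expected tag 0x{tag:02x}, got 0x{got:02x}")
    return value, nxt

def decode_oid(raw):
    arcs, acc = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def parse_v1_trap(packet):
    msg, _ = expect(0x30, packet)
    version, pos = expect(0x02, msg)
    if int.from_bytes(version, "big", signed=True) != 0:
        raise ValueError("not an SNMPv1 message")
    community, pos = expect(0x04, msg, pos)
    pdu, _ = expect(0xA4, msg, pos)                   # [4] IMPLICIT Trap-PDU
    enterprise, pos = expect(0x06, pdu)
    agent_addr, pos = expect(0x40, pdu, pos)          # the field NAT never touches
    generic, pos = expect(0x02, pdu, pos)
    specific, pos = expect(0x02, pdu, pos)
    uptime, pos = expect(0x43, pdu, pos)
    return {
        "community": community.decode(),
        "enterprise": decode_oid(enterprise),
        "agent_addr": str(ipaddress.IPv4Address(bytes(agent_addr))),
        "generic_trap": int.from_bytes(generic, "big", signed=True),
        "specific_trap": int.from_bytes(specific, "big", signed=True),
        "uptime": int.from_bytes(uptime, "big", signed=True),
    }

def reconcile(outer_src, packet, nat_table=STATIC_NAT):
    """Decode the trap and check that the payload's agent-addr is the inside
    address the static NAT maps the datagram's source address to."""
    trap = parse_v1_trap(packet)
    trap["outer_src"] = outer_src
    trap["nat_inside"] = nat_table.get(outer_src)
    trap["consistent"] = trap["nat_inside"] == trap["agent_addr"]
    return trap

if __name__ == "__main__":
    pkt = build_v1_trap("public", "1.3.6.1.4.1.8072", "192.168.50.15", 6, 1, 12345)
    print(reconcile("10.200.1.15", pkt))    # NAT entry matches agent-addr
    print(reconcile("10.200.1.99", pkt))    # no NAT entry: flag, don't trust it
```

The same table, read in the other direction, is what the polling side needs: the manager keeps devices keyed by inside address, so each SNMP get has to be sent to the outside address the NAT exposes. Note that SNMPv2c and v3 notifications have no agent-addr field at all; when a v1 trap is proxied into v2 the address is carried as the snmpTrapAddress.0 varbind (RFC 3584), so a receiver that relies on this check has to read it from there instead.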

SSH brute force China and Linux: best practices

2010-01-29 Thread Bobby Mac
Hola Nanog:

So after many years of a hiatus from Linux,  I recently dropped XP in favour
of Fedora.  Now that my happy windows blinders are off, I see alarming
things.  Ugly ssh brute force, DNS server IP spoofing with scans and typical
script kiddie tactics.

What is the new set of best practices for those running a NIX home
computer?  Yes, I have a firewall and I do peruse my logs on a regular
basis.

BTW: ever drop a malformed URL to alert an admin to something that sucks?
w3.hp.com/execs/makes/too/much/money or
www.yourbuddiesdomain.com/it/is/all/rfc/space/use/1918/when/referring/to/non/routable

Thanks,
BobbyMac

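The post above asks what to do about the SSH brute force showing up in the logs of a home Linux box. Perusing logs by hand does not scale, so here is an added example (editor's code, not from the post, not fail2ban or any other tool) of the detection logic such a tool applies: a per-source sliding window over sshd "Failed password" lines, plus a check for sources that failed and then got in. The auth.log lines, the hostname, the users, the TEST-NET addresses, the year (syslog timestamps carry none) and the threshold of 5 failures in 60 seconds are all constructed assumptions for the example.

```python
"""Flag SSH password brute forcing from sshd auth-log lines.

Added example: sliding-window failure counting per source address, the logic
a fail2ban-style jail applies before it adds a firewall drop rule, plus a
check for sources that eventually logged in after failing.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample lines in syslog auth.log format (hostname, users and
# TEST-NET addresses are invented for this example, not taken from the post).
SAMPLE_LOG = """\
Jan 29 03:14:01 fedora sshd[2101]: Failed password for invalid user admin from 203.0.113.5 port 51022 ssh2
Jan 29 03:14:03 fedora sshd[2103]: Failed password for invalid user oracle from 203.0.113.5 port 51030 ssh2
Jan 29 03:14:05 fedora sshd[2105]: Failed password for root from 203.0.113.5 port 51041 ssh2
Jan 29 03:14:06 fedora sshd[2107]: Failed password for root from 203.0.113.5 port 51042 ssh2
Jan 29 03:14:08 fedora sshd[2109]: Failed password for invalid user test from 203.0.113.5 port 51050 ssh2
Jan 29 03:14:09 fedora sshd[2111]: Failed password for invalid user guest from 203.0.113.5 port 51051 ssh2
Jan 29 03:20:11 fedora sshd[2150]: Failed password for bobby from 198.51.100.7 port 40001 ssh2
Jan 29 03:20:15 fedora sshd[2152]: Accepted publickey for bobby from 198.51.100.7 port 40002 ssh2
Jan 29 04:00:00 fedora sshd[2200]: Failed password for root from 203.0.113.5 port 51900 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed password|Accepted \w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)


def parse_line(line, year=2010):
    """Return {ts, ip, user, failed} for an sshd auth line, or None if it is
    not one.  Syslog timestamps carry no year, so the caller supplies it."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "ip": m["ip"], "user": m["user"],
            "failed": m["result"] == "Failed password"}


def detect_bruteforce(lines, threshold=5, window_seconds=60, year=2010):
    """Return (ip, time, count) for each burst of `threshold` or more failed
    logins from one source within `window_seconds`; one alert per burst."""
    recent = defaultdict(deque)
    alerts = []
    for line in lines:
        ev = parse_line(line, year)
        if not ev or not ev["failed"]:
            continue
        window = recent[ev["ip"]]
        window.append(ev["ts"])
        while (ev["ts"] - window[0]).total_seconds() > window_seconds:
            window.popleft()                      # drop failures older than the window
        if len(window) >= threshold:
            alerts.append((ev["ip"], ev["ts"], len(window)))
            window.clear()                        # one alert per burst, not per line
    return alerts


def success_after_failures(lines, year=2010):
    """(ip, user) pairs that logged in successfully after earlier failures from
    the same source: a brute force that finally worked looks exactly like this."""
    failed_from, hits = set(), set()
    for line in lines:
        ev = parse_line(line, year)
        if ev is None:
            continue
        if ev["failed"]:
            failed_from.add(ev["ip"])
        elif ev["ip"] in failed_from:
            hits.add((ev["ip"], ev["user"]))
    return hits


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for ip, when, count in detect_bruteforce(lines):
        print(f"{when} {ip}: {count} failures in 60s, candidate for a drop rule")
    for ip, user in success_after_failures(lines):
        print(f"{ip} eventually logged in as {user} after failing; review it")
```

On the sample the first function reports 203.0.113.5 once, at the fifth failure, and the second flags 198.51.100.7 because a password failure was followed by an accepted key login from the same address. The drop rule that follows an alert is the easy part; the two settings that remove the problem rather than the noise are `PasswordAuthentication no` and `PermitRootLogin no` in sshd_config, after which the scans still arrive but cannot succeed.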

Re: Conclusion: Smart hands in NYC area and new: Tokyo

2009-08-06 Thread Bobby Mac
Semi-on topic:
In 2005 I was working with NTTcom on creating a new webhosting offering.
NTT was going to move 16 FULL racks of net and server gear from the lab to
the next floor, which was the actual datacenter.  This required (due
to weight and space issues) that every server/net device had to be unracked
and uncabled.  The crew doing the physical move also did the break down of
everything.

I inquired about the down time to the lab and how long the move would take.
I was told that it would take about 8 hours.  I was
extremely pessimistic that this would happen and voiced my concern.  The
lead server admin reassured me that everything would be perfect and that
there would be no issues.  To prove the point, he placed a screw on top of
one of the servers and stated, "This will be in the same place tomorrow but
in the data center."

The move was 99.99% successful.  The exception was that someone plugged
fiber into the wrong port on a DB server, but the aforementioned screw was in
the same place on the server.  Absolutely AMAZING!  I'll track down which
company provided the service.

-Robert



On Thu, Aug 6, 2009 at 5:07 AM, Elmar K. Bins e...@4ever.de wrote:

 Hello altogether,

 I got a couple of freelancers and a few tips which companies
 to use. I thought I'd at least share the company recommendations,
 of which I'll have the bosses pick.

 One other thing - I'll be needing the same thing in Tokyo by the
 end of the year. If anyone has recommendations, please don't hesitate.
 I'm not shy of travelling, but I'd rather save time and money there...

 Yours,
Elmar.


 Recommended companies:

 Team Silverback (www.teamsilverback.com)
 OnForce (www.onforce.com)
 Endeavor
 Xeta
 Blackbox
 Ledcor  (www.ltscompany.com)






Visio diag automations

2009-07-17 Thread Bobby Mac
Hi All:

I have to create Visio diagrams for sales engagements for a webhosting
provider.  I use the same template based on our standard architecture but
vary the number/model/detail of the servers.  I am sick of the cut-n-paste
approach and am wondering who has automated some of these processes.  What I
would like to do is provide a standard data file (excel, csv, etc.) and
have that populate the detailed areas of the diagram.  My boss won't pay for
any software but I can use open source under XP or cygwin.

Thanks,
Robert


Re: MX Record Theories

2009-05-28 Thread Bobby Mac
Not entirely on subject but I thought that allowing DNS queries to
occur via TCP is mission critical for simple mail routing.  We ran across
this back in the day at @Home Network.  Firewall rules were changed to not
allow port 53 TCP.  This severely affected sending mail to large
distribution lists.  Here is what we found and forgive me if I don't go into
too much detail as it was almost 10 years ago.

If you add enough recipients to an email, each domain within the send line
needs to have an associated MX record.  DNS by default starts with UDP which
has a limit to the datagram size (64bit). A flag is placed in the
header which then requires the request to be sent via TCP (160bit V4).  Now
that single query can be split up into many different packets providing that
the request is more than the 160 bit and obviously IPV6 offers even more
information contained in a single packet.


-BobbyJim

On Tue, May 26, 2009 at 2:01 PM, valdis.kletni...@vt.edu wrote:

 On Tue, 26 May 2009 11:03:59 PDT, gb10hkzo-na...@yahoo.co.uk said:
  would be most interested to hear NANOG theories on the variety of MX
  record practices out there, namely, how come there seem to be so many
  ways employed to achieve the same goal ?

 The trick here is that it isn't always *exactly* the same goal.  There's
 multiple mail system architectures and design philosophies.

 One often overlooked but very important design point for the *large*
 providers:

 % dig aol.com mx
 ;; ANSWER SECTION:
 aol.com.2805IN  MX  15 mailin-01.mx.aol.com.
 aol.com.2805IN  MX  15 mailin-02.mx.aol.com.
 ...
 ;; WHEN: Tue May 26 14:40:41 2009
 ;; MSG SIZE  rcvd: 507

 That 507 is critically important if you want to receive e-mail from sites
 with fascist firewalls that block EDNS0 and/or TCP/53.  5 bytes left. ;)

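Both messages above turn on the same mechanism: a DNS answer that does not fit in a 512-byte UDP message comes back with the TC bit set, the resolver retries over TCP, and a firewall that drops TCP/53 strands exactly the zones with large MX sets, which is why the 507-byte aol.com answer quoted above matters. The following is an added example (editor's code, not from the thread and not from any DNS implementation) that builds an MX response with RFC 1035 name compression the way an authoritative server lays it out, measures its wire size, and reports how many mailin-NN.mx.aol.com exchanges fit under the pre-EDNS0 limit. The exchange names and TTL follow the dig output quoted above; leaving out the additional section and any OPT record is an assumption of the example.

```python
"""Wire size of an MX answer under the 512-byte UDP limit (RFC 1035 4.2.1).

Added example: builds a compressed DNS response the way an authoritative
server would and sets TC when the message would not fit without EDNS0.
"""
import struct

UDP_LIMIT = 512          # UDP payload ceiling when the client sent no OPT record
TYPE_MX, CLASS_IN = 15, 1


class DnsResponse:
    def __init__(self):
        self.buf = bytearray(12)   # header is written by finish()
        self.offsets = {}          # name suffix -> offset, for compression pointers
        self.qdcount = self.ancount = 0

    def write_name(self, name):
        """Emit labels, replacing any suffix already in the message with a 2-byte pointer."""
        labels = name.rstrip(".").split(".")
        while labels:
            suffix = ".".join(labels)
            if suffix in self.offsets:
                self.buf += struct.pack("!H", 0xC000 | self.offsets[suffix])
                return
            if len(self.buf) < 0x4000:          # pointers only address the first 16 KiB
                self.offsets[suffix] = len(self.buf)
            label = labels.pop(0).encode("ascii")
            self.buf += bytes([len(label)]) + label
        self.buf += b"\x00"                       # root label terminates the name

    def question(self, qname, qtype):
        self.write_name(qname)
        self.buf += struct.pack("!HH", qtype, CLASS_IN)
        self.qdcount += 1

    def mx(self, owner, preference, exchange, ttl=2805):
        self.write_name(owner)                    # owner is a pointer after the question
        self.buf += struct.pack("!HHI", TYPE_MX, CLASS_IN, ttl)
        rdlength_at = len(self.buf)
        self.buf += b"\x00\x00"                   # RDLENGTH placeholder
        self.buf += struct.pack("!H", preference)
        self.write_name(exchange)                 # compressed against earlier names
        struct.pack_into("!H", self.buf, rdlength_at, len(self.buf) - rdlength_at - 2)
        self.ancount += 1

    def finish(self, txid=0x1234):
        """Write the header; TC (bit 9) is set when the message exceeds UDP_LIMIT."""
        tc = 0x0200 if len(self.buf) > UDP_LIMIT else 0
        flags = 0x8400 | tc                       # QR=1, AA=1
        struct.pack_into("!HHHHHH", self.buf, 0, txid, flags,
                         self.qdcount, self.ancount, 0, 0)
        return bytes(self.buf)


def mx_response(zone, n_exchanges, ttl=2805):
    """Answer for `zone MX` with n equal-preference exchanges named like the dig output."""
    msg = DnsResponse()
    msg.question(zone, TYPE_MX)
    for i in range(1, n_exchanges + 1):
        msg.mx(zone, 15, f"mailin-{i:02d}.mx.{zone}", ttl)
    return msg.finish()


def is_truncated(packet):
    return bool(struct.unpack_from("!H", packet, 2)[0] & 0x0200)


def max_exchanges_over_udp(zone):
    """Largest MX set for `zone` that still fits in one 512-byte UDP answer."""
    n = 1
    while len(mx_response(zone, n + 1)) <= UDP_LIMIT:
        n += 1
    return n


if __name__ == "__main__":
    zone = "aol.com"
    n = max_exchanges_over_udp(zone)
    print(f"{zone}: {n} exchanges = {len(mx_response(zone, n))} bytes (fits); "
          f"{n + 1} exchanges = {len(mx_response(zone, n + 1))} bytes -> TC set, retry over TCP")
```

With this layout the first MX record costs 29 bytes and every further one 26, because "mx.aol.com" is already in the message and only the leftmost label is new; 18 exchanges fit, the 19th pushes the answer past 512 bytes. A real server that sets TC also drops records rather than sending an oversized datagram, which this builder does not model, and a client that advertises EDNS0 (RFC 6891) raises the ceiling well past 512 bytes, which is why the quoted message names EDNS0 and TCP/53 together as the things a firewall must not block.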



Re: Dynamic IP log retention = 0?

2009-03-13 Thread Bobby Mac
Just wondering, but the knowledge I have of DHCP is that an IP address is
assigned to the same computer (or host) and will continue to be until the
pool of IPs is exhausted.  Once that occurs, a new request is parsed by
the DHCP server and the oldest non-renewed lease address is checked to see
if it is live.  If no response occurs then the DHCP server assigns that IP
to the requesting host.  It's much more efficient to write once and check
that than it is to write every time.  This is done to save resources on the
DHCP server, not much unlike the cache on a DNS server.  Every lookup does
not traverse the root servers and the auth server, only those that have
expired cached entries.  Wouldn't it create a DOS against the DHCP server if
every host constantly required the server to go through the aforementioned
process?  It does with DNS.  Change the expire to 2 and the TTL to 2 and
see what happens.  This did happen for boxsports dot com (what rhymes with
box? not sure of the legalities around saying the name).  An SA, while
troubleshooting, did just that and about 1 month later BOOM! crap hit the
fan.  It appeared as though our DNS auth servers were being DOS'd but all
requests were legit.  The entry was not cached.

That said, unless Covad is constantly exhausting its pool or they mandate
that after the lease expires to give a different IP, a reverse lookup would
give you the hostname of the offender, which should remain accurate for some
amount of time.  No action on Covad's part constitutes legal action on your
part...
-Bobbyjim
On Fri, Mar 13, 2009 at 8:53 AM, Joe Greco jgr...@ns.sol.net wrote:

  On Thu, Mar 12, 2009 at 8:52 PM, Joe Greco jgr...@ns.sol.net wrote:
  Well most port scanning is from compromised boxes.  Once a
  box is compromised it can be used for *any* sort of attack.
  If you really care about security you take reports of ports
  scans seriously.
  
   Yeahbut, the real problem is that port scanning is typically used as
   part of a process to infect _other_ boxes.  If you allow this sort of
   illness to spread, the patient (that is, the Internet) doesn't get
   better.
 
  Port scanning is the Internet equivalent of the common cold. They're a
  dime a dozen.
 
  I recommend taking some Vitamin B and D. Block, and Drop.

 No, it's more comparable to the jerk who not only doesn't stay at home
 with his cold, but actively walks around the workplace coughing and
 sneezing without covering his mouth/nose with a kleenex, spraying people.

 The reality is that it fails the "if everybody did this, would it be a
 good thing" test.  While some BD is common sense on the receiving end,
 this does not make it any more correct for the originating site to let it
 keep happening.  If every PC on the Internet (conservatively, let's
 assume a billion devices that are sufficiently sophisticated that they
 could be infected) were to send you a single packet per day, you'd be
 seeing over 10,000pps.  That should suggest that the behaviour is not
 something to be encouraged.

 My locking my doors does not mean it's okay for you to check if my door
 is locked.

 ... JG
 --
 Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
 We call it the 'one bite at the apple' rule. Give me one chance [and] then I
 won't contact you again. - Direct Marketing Ass'n position on e-mail spam (CNN)
 With 24 million small businesses in the US alone, that's way too many apples.