Telia contact
Hi, If there are any Telia engineers lurking about could you please contact me off-list regarding a routing question? Thanks! --J
Re: box against dos/ddos
+1 for Radware

On 31/01/2013 18:36, dennis wrote:

Agreed, my shortlist for evaluation would include Arbor, Radware and Genie NRM. New players to the market include just about every IPS and application load balancing solution out there.

--
From: Suresh Ramasubramanian ops.li...@gmail.com
Sent: Thursday, January 31, 2013 10:23 AM
To: Piotr piotr.1...@interia.pl
Cc: nanog@nanog.org
Subject: Re: box against dos/ddos

arbor peakflow to start with?

On Thursday, January 31, 2013, Piotr wrote:

Hi, I'm looking for a box (vendor, model) which I can put outside the main/production network, which can analyze packets (netflow, sflow, syslog) from the BGP router(s) and, after discovering an anomaly, take some action, for example:

- The box has a BGP session with the BGP router and advertises the attacked IP prefix with some community. The BGP router sets the next-hop for this prefix to /dev/null.

Normal traffic via the BGP router is about 1G/s in and 10G/s out.

What is worth looking at and what do you suggest?

thanks for help,
Piotr

--
--srs (iPad)
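The mechanism Piotr describes (an out-of-path box watching flow exports, then announcing the attacked /32 with a blackhole community so the edge router discards traffic to it) as an added example, not code from the thread or from any of the products named; the flow records, the 65000:666 community, the discard next-hop 192.0.2.1 and the baseline/threshold are all constructed:

```python
# Added example: a minimal model of the detection box and of the router-side
# policy that acts on its announcement. All values below are constructed.
from collections import defaultdict

BLACKHOLE_COMMUNITY = "65000:666"   # assumed: community the edge router matches on
DISCARD_NEXTHOP = "192.0.2.1"      # assumed: router has a static route for it to Null0

# Constructed NetFlow-style samples for one export interval: dst_ip,packets,bytes
FLOW_SAMPLES = """\
203.0.113.10,1200,96000
203.0.113.20,900000,57600000
203.0.113.10,1500,120000
203.0.113.30,2000,160000
"""

def parse_flows(text):
    """Aggregate packet counts per destination from CSV flow lines."""
    pps = defaultdict(int)
    for line in text.splitlines():
        if not line.strip():
            continue
        dst, packets, _bytes = line.split(",")
        pps[dst] += int(packets)
    return dict(pps)

def detect_anomalies(per_dst, baseline_pps, factor=10):
    """Flag destinations whose packet count exceeds factor x the baseline."""
    return sorted(dst for dst, n in per_dst.items() if n > baseline_pps * factor)

def build_advertisement(victim_ip):
    """What the box announces to the edge router over its BGP session."""
    return {"prefix": f"{victim_ip}/32",
            "community": BLACKHOLE_COMMUNITY,
            "no_export": True}      # keep the blackhole inside the local AS

def apply_rtbh_policy(route):
    """Router-side inbound policy: blackhole community -> next-hop to discard.
    Anything without the community is rejected, so the box cannot inject
    ordinary routes through this session."""
    if route.get("community") == BLACKHOLE_COMMUNITY:
        return dict(route, next_hop=DISCARD_NEXTHOP, accepted=True)
    return dict(route, accepted=False)

def run(text, baseline_pps=5000):
    """Full cycle: flows -> anomalies -> advertisements -> router decision."""
    per_dst = parse_flows(text)
    return [apply_rtbh_policy(build_advertisement(v))
            for v in detect_anomalies(per_dst, baseline_pps)]

if __name__ == "__main__":
    for r in run(FLOW_SAMPLES):
        print(r)
```

Note that the resulting action drops all traffic to the victim, which is exactly the trade-off the thread discusses; the threshold and the no-export flag are what keep the blackhole narrow and local.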
Re: AltDB?
On 05/01/2011 17:09, Craig Pierantozzi wrote:

On Jan 5, 2011, at 9:26 AM, Jon Lewis wrote:

[snip]

Can anyone from Level3 say how this will impact customer BGP filters? Will L3 keep working with the last data sync they got from altdb?

Yes, Level 3 will continue to use the last data mirrored and archived. New filters are not pushed daily, they are only pushed when things change. Archives are here in case people want to know what the latest was: ftp://rr.level3.net/pub/rr/archive.mirror-data/

regards

So has anyone had any contact from ALTDB as to what's going on?

Thanks!
--J
Re: Over a decade of DDOS--any progress yet?
On 08/12/2010 16:14, Drew Weaver wrote:

I would say that 99% of the attacks that we see are 'link fillers' with 1% being an application attack.

thanks,
-Drew

This has been our recent experience as well. There are some pure app attacks, to be sure, but we see many blended attacks also: a bandwidth (UDP/ICMP/SYN flood) attack to distract, with an app attack (GET/PUSH floods) attempting to run underneath the radar. We regularly see SYN floods of 20 Gb/s these days.

The thing to bear in mind is that app attacks *are* difficult to detect as they are low bandwidth and make a full TCP connection. As a result many IDS/firewalls etc. regularly miss these attacks.

Lastly, there is usually always someone at the other end of these attacks watching what is working and what is not. If the attack doesn't work they will simply round up more bots to increase the attack bandwidth or change the attack vector.

Best,
--J

---
Jay Coley
Prolexic Technologies
Re: APAC to US crawling
Randy Epstein wrote:

Is anyone seeing a huge latency jump from Asia Pac to US again?

snip

The above was taken from a user in China tracing to New York about 30 mins ago. There was another earthquake today in Asia, this one between Japan and Taiwan. Is this possibly related?

Randy

Just got word that TGN-1 near Taiwan has been cut off the coast of Taiwan.

--J
Re: DOS attack assistance?
Pete Templin wrote:

One of my customers, a host at 64.8.105.15, is feeling a bonus ~130kpps from 88.191.63.28. I've null-routed the source, though our Engine2 GE cards don't seem to be doing a proper job of that, unfortunately. The attack is a solid 300% more pps than our aggregate traffic levels. It's coming in via 6461, but they don't appear to have any ability to backtrack it. Their only offer is to blackhole the destination until the attack subsides. BGP tells me the source is in AS 12322, a RIPE AS that has little if any information publicly visible. Any pointers on what to do next?

If it's all coming from that single IP 88.191.63.28, just request that your upstream block it. Usually if you explain the situation to them they'll oblige. Otherwise you'll want to look at mitigation gear (Toplayer, Cisco, etc.), there are loads out there, or you can look into a DDoS mitigation service.

The contacts I can see for that ASN are:

role: Technical Contact for ProXad
address: Free SAS / ProXad
address: 8, rue de la Ville L'Eveque
address: 75008 Paris
phone: +33 1 73 50 20 00
fax-no: +33 1 73 92 25 69
remarks: trouble: Information: http://www.proxad.net/
remarks: trouble: Spam/Abuse requests: mailto:[EMAIL PROTECTED]
admin-c: RA999-RIPE
tech-c: FG4214-RIPE
nic-hdl: TCP8-RIPE
mnt-by: PROXAD-MNT
source: RIPE # Filtered
abuse-mailbox: [EMAIL PROTECTED]

Hope that helps!

--J
Re: the attack continues..
Frank Bulk wrote:

The website is http://www.betmania.com/; and when I try to connect to it I get "Database Error: Unable to connect to the database: Could not connect to MySQL."

It's not unusual for betting sites to be DDoSed for ransom. Also competition (rival companies) based attacks are extremely common in the gambling/betting industry as well these days. Are you running any special promotions at the same time as your competition?

--J

Frank

-Original Message-
From: Jay Hennigan [mailto:[EMAIL PROTECTED]
Sent: Saturday, October 18, 2008 10:24 AM
To: NANOG list
Subject: Re: the attack continues..

Beavis wrote:

Hello Lists, I'm still getting attacked and most of the IPs I got have been reported. And just this morning it looks as if someone is testing my network and sending out short TCP_SESSION requests. Now I may be paranoid but these past few days have been hell.. Just want to know if the folks from these IPs can help me out.

Attacker IP,Attacker Port,Victim IP,Victim Port,Attack Type,Start Time,Extra Info
205.188.116.7,47198,200.0.179.73,80,TCP_SESSION,2008-10-18 14:20:48,Filtered IP: Dropped packets: 3 Dropped bytes: 156
205.188.117.134,45379,200.0.179.73,80,TCP_SESSION,2008-10-18 14:20:48,Filtered IP: Dropped packets: 0 Dropped bytes: 0
205.188.117.137,42257,200.0.179.73,80,TCP_SESSION,2008-10-18 14:20:48,Filtered IP: Dropped packets: 0 Dropped bytes: 0
75.105.128.38,4092,200.0.179.73,80,TCP_SESSION,2008-10-18 14:20:48,Filtered IP: Dropped packets: 0 Dropped bytes: 0

First 3 IPs come from AOL, I'll try to see if I can get their attention. Last IP is from a Wildblue Communications WBC-39.

Beavis, you're running a web server on 200.0.179.73, some sort of gambling site. Those who operate web servers generally expect traffic to TCP port 80. If you're not aware that you have a web server running, then it is most likely your machine that is infected with a bot.

--
Jay Hennigan - CCIE #7880 - Network Engineering - [EMAIL PROTECTED]
Impulse Internet Service - http://www.impulse.net/
Your local telephone and internet company - 805 884-6323 - WB6RDV