Re: Barefoot "Tofino": 6.4 Tbps whitebox switch silicon?
Looks very promising!

On Thu, Jun 16, 2016 at 6:21 AM, Eric Kuhnke <eric.kuh...@gmail.com> wrote:
> a lot of PR fluff, but this may be of interest:
>
> http://www.wired.com/2016/06/barefoot-networks-new-chips-will-transform-tech-industry/
>
> https://barefootnetworks.com/media/white_papers/Barefoot-Worlds-Fastest-Most-Programmable-Networks.pdf
>
> Based on their investors, could have interesting results for much lower
> cost 100GbE whitebox switches.

--
Sincerely yours, Pavel Odintsov
Re: Detecting Attacks
Hello!

You could try my open source project: https://github.com/pavel-odintsov/fastnetmon

It's pretty popular and used by a very large number of really big networks. We have an option for capturing a "pcap" dump for each attack for detailed investigation.

On Sat, Jun 11, 2016 at 8:22 AM, subashini hariharan <suba@gmail.com> wrote:
> Hello,
>
> I am Subashini, a graduate student. I am interested in doing my project in
> Network Security. I have a doubt related to it.
>
> The aim is to detect DoS/DDoS attacks using the application. I am going to
> use ELK (ElasticSearch, Logstash, Kibana) for processing the logs (Log
> Analytics).
>
> My doubt is regarding how we generate logs for detecting this attack. As
> I am new to this process, I am not sure about it.
>
> Also, if it is possible to do any other attacks similar to this, you can
> please give a hint about it.
>
> Could anyone please help with this, it would be a great help!!
>
> --
> Thank You.
>
> With Regards,
> H.Subashini

--
Sincerely yours, Pavel Odintsov
Re: Major IX bandwidth sharing
Hello!

Nice addition. Those are additional risks for a company which wants to share capacity :)

On Fri, Apr 22, 2016 at 12:13 AM, Blake Dunlap <iki...@gmail.com> wrote:
> Not to mention the sharer's traffic will be impacted by said DoS...
>
> On Thu, Apr 21, 2016 at 1:43 PM, Max Tulyev <max...@netassist.ua> wrote:
>> They fight with DDoS, so it means every month 95% traffic will be full 100G.
>>
>> On 21.04.16 22:40, Pavel Odintsov wrote:
>>> If they could offer 95th percentile usage no more than commit they
>>> should pay only for it. But actually it depends on certain carrier and
>>> certain agreement conditions.
>>>
>>> On Thursday, 21 April 2016, Max Tulyev <max...@netassist.ua> wrote:
>>>> Hello,
>>>>
>>>> I'm sure in this case they will pay for 100G every month, not for
>>>> 10-20G ;)
>>>>
>>>> On 21.04.16 20:25, Pavel Odintsov wrote:
>>>>> Hello!
>>>>>
>>>>> If you want a cheaper price just ask any TIER-1 provider for a link with commit
>>>>> 10ge and burst up to 100GE. It will be definitely cheaper and simpler than
>>>>> your "magic" with IX cost reduction.
>>>>>
>>>>> On Thursday, 21 April 2016, Paras Jha <pa...@protrafsolutions.com> wrote:
>>>>>> Interesting to see how the idea is gaining traction
>>>>>>
>>>>>> On Thu, Apr 21, 2016 at 8:52 AM, Piotr Iwanejko <piotr.iwane...@gmail.com> wrote:
>>>>>>> Hello Nanog-ers,
>>>>>>>
>>>>>>> We are looking for a company that has >=100G connectivity to major IX-es
>>>>>>> (AMS-IX, DE-CIX preferred) with traffic asymmetry/heavy outgoing traffic,
>>>>>>> willing to resell an incoming fraction n*10G/1*100G IX-only IP transit.
>>>>>>> Our company develops a custom Anti-DDoS solution on PC platform (
>>>>>>> http://www.slideshare.net/atendesoftware/100-mpps-on-pc) and we want to
>>>>>>> collocate a 1U scrubbing node.
>>>>>>>
>>>>>>> Please contact me off list for more details.
>>>>>>>
>>>>>>> Thank you.
>>>>>>> --
>>>>>>> Piotr Iwanejko
>>>>>>
>>>>>> --
>>>>>> Regards,
>>>>>> Paras
>>>>>>
>>>>>> President
>>>>>> ProTraf Solutions, LLC
>>>>>> Enterprise DDoS Mitigation
>>>
>>> --
>>> Sincerely yours, Pavel Odintsov

--
Sincerely yours, Pavel Odintsov
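The thread above argues about whether a 100G port used for DDoS scrubbing ends up billed at the 10-20G commit or at the full 100G under 95th percentile billing. The following is an added example, not code from any of the posters: it models a 30-day month of 5-minute samples (constructed data) and shows exactly how many line-rate samples the 95th percentile discards before the bill jumps from the commit to the burst rate. Sample interval, month length and the "bill the larger of commit and 95th percentile" rule are the usual carrier conventions and are assumptions here.

```python
"""95th-percentile billing check for a burstable port (added example).

Assumptions (labelled, not from the thread): 5-minute samples, a 30-day
month, and the carrier bills max(commit, 95th percentile of samples).
"""
import math

SAMPLES_PER_MONTH = 30 * 24 * 12  # 5-minute samples in a 30-day month


def percentile_95(samples_mbps):
    """Carrier-style 95th percentile: sort, discard the top 5%, take the max left.

    Uses ceil so that the discarded share never exceeds 5%; an empty month bills 0.
    """
    if not samples_mbps:
        return 0.0
    ordered = sorted(samples_mbps)
    idx = math.ceil(0.95 * len(ordered)) - 1  # index of the 95th percentile sample
    return float(ordered[idx])


def billable_mbps(samples_mbps, commit_mbps):
    """Amount billed: the commit, or the 95th percentile if traffic exceeds it."""
    return max(float(commit_mbps), percentile_95(samples_mbps))


def build_month(baseline_mbps, burst_mbps, burst_samples):
    """Constructed month: flat baseline plus `burst_samples` samples at burst rate
    (e.g. the intervals during which scrubbing pulled a full 100G attack)."""
    if burst_samples > SAMPLES_PER_MONTH:
        raise ValueError("more burst samples than samples in the month")
    return [baseline_mbps] * (SAMPLES_PER_MONTH - burst_samples) + [burst_mbps] * burst_samples


def max_free_burst_samples():
    """Largest number of line-rate samples the 95th percentile still throws away.

    Everything above this count shows up in the bill at the burst rate.
    """
    return SAMPLES_PER_MONTH - math.ceil(0.95 * SAMPLES_PER_MONTH)


if __name__ == "__main__":
    free = max_free_burst_samples()
    print(f"{free} samples ({free * 5 / 60:.0f} hours) of 100G are free under 95th percentile")
    quiet = build_month(15_000, 100_000, free)
    loud = build_month(15_000, 100_000, free + 1)
    print("bill with", free, "burst samples:", billable_mbps(quiet, 10_000), "Mbps")
    print("bill with", free + 1, "burst samples:", billable_mbps(loud, 10_000), "Mbps")
```

Run stand-alone it prints the break-even point: 432 five-minute samples (36 hours) of attack traffic per month are absorbed by the percentile, and one sample more makes the whole month bill at 100G, which is the point Max Tulyev makes about a scrubbing customer that is under attack most of the time.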
Re: Major IX bandwidth sharing
If they could offer 95th percentile usage no more than commit they should pay only for it. But actually it depends on certain carrier and certain agreement conditions.

On Thursday, 21 April 2016, Max Tulyev <max...@netassist.ua> wrote:
> Hello,
>
> I'm sure in this case they will pay for 100G every month, not for 10-20G ;)
>
> On 21.04.16 20:25, Pavel Odintsov wrote:
>> Hello!
>>
>> If you want a cheaper price just ask any TIER-1 provider for a link with commit
>> 10ge and burst up to 100GE. It will be definitely cheaper and simpler than
>> your "magic" with IX cost reduction.
>>
>> On Thursday, 21 April 2016, Paras Jha <pa...@protrafsolutions.com> wrote:
>>> Interesting to see how the idea is gaining traction
>>>
>>> On Thu, Apr 21, 2016 at 8:52 AM, Piotr Iwanejko <piotr.iwane...@gmail.com> wrote:
>>>> Hello Nanog-ers,
>>>>
>>>> We are looking for a company that has >=100G connectivity to major IX-es
>>>> (AMS-IX, DE-CIX preferred) with traffic asymmetry/heavy outgoing traffic,
>>>> willing to resell an incoming fraction n*10G/1*100G IX-only IP transit.
>>>> Our company develops a custom Anti-DDoS solution on PC platform (
>>>> http://www.slideshare.net/atendesoftware/100-mpps-on-pc) and we want to
>>>> collocate a 1U scrubbing node.
>>>>
>>>> Please contact me off list for more details.
>>>>
>>>> Thank you.
>>>> --
>>>> Piotr Iwanejko
>>>
>>> --
>>> Regards,
>>> Paras
>>>
>>> President
>>> ProTraf Solutions, LLC
>>> Enterprise DDoS Mitigation

--
Sincerely yours, Pavel Odintsov
Re: Major IX bandwidth sharing
Hello!

If you want a cheaper price just ask any TIER-1 provider for a link with commit 10ge and burst up to 100GE. It will be definitely cheaper and simpler than your "magic" with IX cost reduction.

On Thursday, 21 April 2016, Paras Jha <pa...@protrafsolutions.com> wrote:
> Interesting to see how the idea is gaining traction
>
> On Thu, Apr 21, 2016 at 8:52 AM, Piotr Iwanejko <piotr.iwane...@gmail.com> wrote:
>> Hello Nanog-ers,
>>
>> We are looking for a company that has >=100G connectivity to major IX-es
>> (AMS-IX, DE-CIX preferred) with traffic asymmetry/heavy outgoing traffic,
>> willing to resell an incoming fraction n*10G/1*100G IX-only IP transit.
>> Our company develops a custom Anti-DDoS solution on PC platform (
>> http://www.slideshare.net/atendesoftware/100-mpps-on-pc) and we want to
>> collocate a 1U scrubbing node.
>>
>> Please contact me off list for more details.
>>
>> Thank you.
>> --
>> Piotr Iwanejko
>
> --
> Regards,
> Paras
>
> President
> ProTraf Solutions, LLC
> Enterprise DDoS Mitigation

--
Sincerely yours, Pavel Odintsov
Re: Stop IPv6 Google traffic
Hello!

Same question from my side. What's the original issue with IPv6 and Google?

On Sun, Apr 10, 2016 at 9:11 AM, Filip Hruska <f...@fhrnet.eu> wrote:
> Why do you want to prevent IPv6 access to Google?
> What's the point?
>
> On 04/10/2016 04:07 PM, Max Tulyev wrote:
>> Customers see timeouts if I blackhole the Google network. I'm looking for
>> alternatives (other than stopping providing IPv6 to customers at all).
>>
>> On 10.04.16 16:50, valdis.kletni...@vt.edu wrote:
>>> On Sun, 10 Apr 2016 16:29:39 +0300, Max Tulyev said:
>>>
>>>> I need to stop IPv6 web traffic going from our customers to Google
>>>> without touching all other IPv6 and without blackholing the IPv6 Google
>>>> network (in this case my customers are complaining about long timeouts).
>>>>
>>>> What can you advise for that?
>>>
>>> Umm.. fix the reasons why they're seeing timeouts? :)
>>>
>>> Have you determined why the timeouts are happening?

--
Sincerely yours, Pavel Odintsov
Re: sFlow vs netFlow/IPFIX
Yep, actually it does not mean that. I've never used Nexus and haven't any experience with it :) I mentioned this in the original message. I'm pretty sure it's an awesome switch. But as I haven't any experience I do not know the pros and cons of it.

On Tue, Mar 1, 2016 at 5:38 PM, Mark Tinka <mark.ti...@seacom.mu> wrote:
>
> On 1/Mar/16 16:33, Pavel Odintsov wrote:
>
>> As opposed to older Cisco switches.
>
> Well, every vendor has older switches.
>
>> Btw, 100GE is pretty new and
>> actually I have experience only with Extreme Black Diamond 8.
>
> Does not mean the Nexus is a bad choice for high capacity core
> switching. Just means you know Extreme.
>
> Mark.

--
Sincerely yours, Pavel Odintsov
Re: sFlow vs netFlow/IPFIX
As opposed to older Cisco switches. Btw, 100GE is pretty new and actually I have experience only with Extreme Black Diamond 8.

On Tue, Mar 1, 2016 at 5:24 PM, Mark Tinka <mark.ti...@seacom.mu> wrote:
>
> On 1/Mar/16 09:44, Pavel Odintsov wrote:
>> But unfortunately they (Cisco Nexus) are pretty expensive and fairly
>> new for DC and ISP market. It's pretty rare to find big company with
>> switching backbone on Nexus switches.
>
> As opposed to?
>
> We are looking at the Nexus 7700 for 100Gbps core switching.
>
> Mark.

--
Sincerely yours, Pavel Odintsov
Re: sFlow vs netFlow/IPFIX
Yep, Broadcom is doing things the right way! :)

But unfortunately they (Cisco Nexus) are pretty expensive and fairly new for the DC and ISP market. It's pretty rare to find a big company with a switching backbone on Nexus switches.

But I like this direction of switch silicon unification :) Focus moved from "network brands" with Not Invented Here syndrome to smart enough agnostic hardware vendors.

On Mon, Feb 29, 2016 at 1:15 PM, Nikolay Shopik <shopik+li...@nvcube.net> wrote:
> Cisco Nexus switches support sflow, since they are broadcom based.
>
> On 29/02/16 10:26, Pavel Odintsov wrote:
>> Cisco do not support this protocol at all (that's pretty weird,
>> really).

--
Sincerely yours, Pavel Odintsov
Re: sFlow vs netFlow/IPFIX
Thanks! Very interesting. Will dig into details :)

On Mon, Feb 29, 2016 at 3:55 PM, Edward Dore <edward.d...@freethought-internet.co.uk> wrote:
>
>> On 29 Feb 2016, at 12:37, Pavel Odintsov <pavel.odint...@gmail.com> wrote:
>>
>> Hello!
>>
>> Nice information. Very interesting architecture. They are using L3 on
>> IX? How big Juniper Lan in comparison with Extreme lan?
>
> Hi Pavel,
>
> The Juniper LAN is VPLS and the Extreme LAN is standard layer 2 with EAPS
> instead of *STP.
>
> The Juniper LAN peaks at ~2.7Tbps (https://stats.linx.net/lans#lon1), whilst
> the Extreme LAN peaks at ~0.6Tbps (https://stats.linx.net/lans#lon2).
>
> Edward Dore
> Freethought Internet

--
Sincerely yours, Pavel Odintsov
Re: sFlow vs netFlow/IPFIX
Hello!

Nice information. Very interesting architecture. Are they using L3 on the IX? How big is the Juniper LAN in comparison with the Extreme LAN?

On Mon, Feb 29, 2016 at 3:16 PM, Edward Dore <edward.d...@freethought-internet.co.uk> wrote:
>
>> On 29 Feb 2016, at 09:59, Pavel Odintsov <pavel.odint...@gmail.com> wrote:
>>
>> For example, at huge Internet Exchanges you actually haven't any
>> netflow enabled devices (just check design architectures from AMS-IX,
>> DE-CIX, LINX or even MSK-IX).
>
> LINX use IPFIX (which is derived from NetFlow) for the Juniper LAN.
>
> The Extreme LAN uses sFlow.
>
> Edward Dore
> Freethought Internet

--
Sincerely yours, Pavel Odintsov
Re: sFlow vs netFlow/IPFIX
Thanks for the detailed question!

I have only one question. Why are you against sFlow protocol telemetry with such huge passion? :) It's not a proprietary technology and not a product from yet another big company. I'm not trying to sell anything because... there's nothing to sell. Really, isn't it? It's just yet another open standard to analyze data, approved and implemented as an RFC.

If somebody developed this standard and implemented it in ASIC (they have a very huge price for development and production, you know), that means "somebody" really wants it and will definitely use it.

Actually, sFlow is not as popular as NetFlow. But to be honest it's a pretty young standard in comparison with NetFlow and it implements a slightly different approach, which will be useful in some cases.

For example, at huge Internet Exchanges you actually haven't any NetFlow-enabled devices (just check the design architectures from AMS-IX, DE-CIX, LINX or even MSK-IX). Almost all IXes are developed with L2 in mind and they actually haven't any devices which could produce NetFlow. So an IX could not use NetFlow even if they wanted. But you vote for "sFlow is a weird protocol and you should avoid it". How could an IX monitor traffic if they haven't NetFlow? So if they follow your recommendations they should drop the idea of traffic monitoring at all :)

I do not like holy wars about something vs something. But actually in the modern network world every technology has applicable usage and it's not a good idea to avoid it just because your religion (I'm speaking about the NetFlow religion) prohibits it for you.

Actually you are writing this email from a company email and I could conclude it's Arbor's vision and not your own. Could you clarify it? Could I use your vision as Arbor's vision in public speeches / presentations?

Thanks!

On Mon, Feb 29, 2016 at 12:42 PM, Roland Dobbins <rdobb...@arbor.net> wrote:
> On 29 Feb 2016, at 15:53, Pavel Odintsov wrote:
>
>> It's not about default. It's about minimal possible.
>
> To my knowledge, there has never been a Cisco router which only allowed an
> active flow timer value of 180s, which wasn't user-configurable. I would
> appreciate the details of any such router.
>
>> For Mikrotik routers same issue. Minimal possible timeout is 60 / 60.
>> And impossible to decrease it.
>
> As we've seen already from another poster in this thread, that isn't the
> case.
>
>> Also so much routers could not do enough accurate netflow without
>> additional (and very expensive) line cards just for netflow
>> generation.
>
> I believe you're referring to PICs on Juniper routers, yes? Or perhaps the
> requirement for E3 or E5 linecards on Cisco 12Ks? Or maybe DFCs on Cisco
> 6500s/7600s? Or possibly M-series linecards on Cisco N7Ks (which are
> switches, of course)?
>
> TANSTAAFL.
>
>> OK, we could handle some sort of SYN flood.
>
> As noted previously, this is indeed the case.
>
>> But what about 20 Gbps http flood with valid requests when each
>> customer are real (and not spoofed) and they are sending huge post
>> requests and hang on connection?
>
> Attacks of this nature generally leave a 'wake' or 'contrail' which is
> pretty easily spotted if one's statistical anomaly detection routines are
> optimal.
>
>> Actually it could wait for active/inactive timeout and you will get
>> bad news from ops guys about network downtime.
>
> As a network ops guy, I can assure you that you are incorrect, largely
> because you don't seem to understand the interplay of active flow timer,
> inactive flow timer, NetFlow cache size, NetFlow cache FIFOing, and normal
> flow cache baselines.
>
>> But sflow will handle it with flying colors without delay.
>
> NetFlow handles it with flying colors without delay.
>
>> What about destination http host detection with netflow? Could it
>> extract "host" header from netflow? And drop only part of traffic to
>> our own host?
>
> Of course not, for classical flow telemetry templates - but that's when one
> drops from the macroanalytical to the microanalytical. And flow telemetry
> doesn't 'drop' anything.
>
> For some reason, you don't mention Flexible NetFlow at all. It's true that
> it's taken a while to become practical to use (back when the then-Cisco
> NetFlow PM asked me to create the CLI grammar and syntax for FNF, I noted
> that it wouldn't take off until there was a decent control-plane interface
> for creating, configuring, and tearing down dynamic flow caches, as well as
> some degree of ASIC support on larger platforms), but now that the various
> 'SDN'-type provisioning mechanisms are being implemented, and now that at
> least partial FNF is supported to var
Re: sFlow vs netFlow/IPFIX
Thanks for the explained answer!

But actually it's a mistake to think I haven't real field experience just because I'm a developer. In the world of big companies nobody could do ops and development. But I'm trying to keep close to both worlds. And I could conclude it's definitely possible. It's definitely possible thanks to my flexible company :)

But actually "I think you're referring to the *default* value for the active flow timer, which can of course be altered." It's not about the default. It's about the minimal possible.

For Mikrotik routers it's the same issue. The minimal possible timeout is 60 / 60. And it is impossible to decrease it.

Also so many routers could not do accurate enough netflow without additional (and very expensive) line cards just for netflow generation.

OK, we could handle some sort of SYN flood.

But what about a 20 Gbps http flood with valid requests when each customer is real (and not spoofed) and they are sending huge post requests and hang on the connection? How will netflow handle a correctly handshaked connection, an established http session which hasn't closed correctly for a while? Actually it could wait for the active/inactive timeout and you will get bad news from the ops guys about network downtime.

But sflow will handle it with flying colors without delay.

What about destination http host detection with netflow? Could it extract the "host" header from netflow? And drop only part of the traffic to our own host? Definitely not. Netflow hasn't any information about http headers but sflow has.

What about the same issue for a dns flood when somebody floods out some certain host? You could detect this attack with netflow. But you could not extract information about the certain type of DDoS attack and the attacked domain.

When we are speaking about "very rough" DDoS attack mitigation and filtering we could use netflow. But when we really care about network stability, customer service SLA and the ability to filter malicious traffic with perfect precision we should use sflow.

I would really like to hear feedback about my vision.

On Mon, Feb 29, 2016 at 11:38 AM, Roland Dobbins <rdobb...@arbor.net> wrote:
> On 29 Feb 2016, at 15:12, Pavel Odintsov wrote:
>
>> Looks like you haven't so much field experience with sflow. I could
>> help and offer some real field experience below.
>
> I've already recounted my real-world operational experience with NetFlow.
>
>> I have my own netflow collector implementation for netflow v5, netflow v9
>> and IPFIX (just check my repository
>
> Coding something and using something operationally are two different things.
> I'm not a coder, but I've used NetFlow operationally since 1998, primarily
> on Cisco platforms (some Junipers, but I don't know a lot about Juniper
> boxes).
>
>> So you know about Mikrotik implementation of netflow (they have
>> minimum possible active and inactive timeout - 60 seconds) ?
>
> Yes. That does not equate to a 60s delay in detection/classifying/tracing
> back a SYN-flood, or anything else.
>
>> Or what about old Cisco routers which support only 180 seconds as active
>> timeouts?
>
> I think you're referring to the *default* value for the active flow timer,
> which can of course be altered.
>
>> Could they offer affordable time for telemetry delivery?
>
> Yes, because there has never been any such router, and also because cache
> size and other tunable parameters, as well as FIFOing out of flows when the
> cache is full, guarantees that very few flows of the type seen in DDoS
> traffic hang around in the cache for any appreciable length of time.
>
>> Because not all netflow implementations are OK. And definitely some
>> netflow implementations are broken.
>
> You can search the archives on this list and see my previous detailed
> explanation of NetFlow caveats on Cisco 6500/7600 with EARL6 and EARL7
> ASICs.
>
> Your statements about it taking an inordinately long time to
> detect/classify/traceback SYN-floods and other types of DDoS attacks
> utilizing NetFlow implementations (with the exceptions of crippled
> implementations like the aforementioned EARL6/EARL7 and pre-Sup7 Cisco 4500)
> are simply untrue.
>
> ---
> Roland Dobbins <rdobb...@arbor.net>

--
Sincerely yours, Pavel Odintsov
Re: sFlow vs netFlow/IPFIX
What do you mean by lack of ifindex in sFlow?

I could offer an example sFlow v5 sample structure description (it's from my C++ based sFlow parser but actually it's pretty simple to understand):

    uint32_t sample_sequence_number; // sample sequence number
    uint32_t source_id_type;         // source id type
    uint32_t source_id_index;        // source id index
    uint32_t sampling_rate;          // sampling ratio
    uint32_t sample_pool;            // number of sampled packets
    uint32_t drops_count;            // number of drops due to hardware overload
    uint32_t input_port_type;        // input port type
    uint32_t input_port_index;       // input port index
    uint32_t output_port_type;       // output port type
    uint32_t output_port_index;      // output port index
    uint32_t number_of_flow_records;
    ssize_t  original_payload_length;

As you can see we have source id, sampling rate and definitely we have full information about source and destination ifindexes.

In addition to the sample structure (which consists of the first X bytes of each packet) we have counter structures which work as the old good "snmp counters" and offer detailed information about load on each port.

Looks like you haven't so much field experience with sFlow. I could help and offer some real field experience below.

---

A few words about NetFlow. When you are speaking about "netflow" you should mention explicit vendors. Because netflow is very-very-very vendor specific. I have my own NetFlow collector implementation for netflow v5, netflow v9 and IPFIX (just check my repository https://github.com/pavel-odintsov/fastnetmon/blob/master/src/netflow_plugin/netflow_collector.cpp). I spent so many nights on debugging these protocols.

So you know about the Mikrotik implementation of netflow (they have a minimum possible active and inactive timeout of 60 seconds)? Or what about old Cisco routers which support only 180 seconds as active timeouts? Could they offer an affordable time for telemetry delivery?

The only way to have accurate bandwidth data in netflow is to use some sort of average or moving average for a certain time (30 seconds for example).

But if you have a really huge network you should use netflow sampling. And here I should raise multiple nice questions! Cisco and Juniper are using really incompatible ways to encode the sampling rate. That's really funny but that is how it is. I do not know about other vendors because netflow sampling is a very specific feature.

But with sampling (if your collector could decode yet another incompatible netflow implementation) things get really weird :) And you could get accurate bandwidth data only if you have a really HUGE network with only 10-100GE customers because traffic speed to small (100 - 1000mbps) customers will be really weird :)

What are your ideas about all this? Please mention vendor names when you vote for netflow next time. Because not all netflow implementations are OK. And definitely some netflow implementations are broken.

On Mon, Feb 29, 2016 at 10:53 AM, Roland Dobbins <rdobb...@arbor.net> wrote:
> On 29 Feb 2016, at 14:41, Pavel Odintsov wrote:
>
>> Could you describe them in detail?
>
> Inconsistent stats, lack of ifindex information.
>
>> But netflow __could__ delay telemetry up to 30 seconds (in case of huge
>> syn/syn-ack flood for example) and you network will experience downtime.
>
> This is incorrect, and reflects an inaccurate understanding of how
> NetFlow/IPFIX actually works, in practice. It's often repeated by those
> with little or no operational experience with NetFlow/IPFIX.
>
> -------
> Roland Dobbins <rdobb...@arbor.net>

--
Sincerely yours, Pavel Odintsov
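Two passages in this archive benefit from one worked example: the sFlow v5 flow-sample field list in the message above, and the earlier "Detecting Attacks" question about turning telemetry into DoS/DDoS detection. The code below is an added example, not code from fastnetmon or from any poster: it decodes the eleven uint32 fields in the order given above (network byte order), checks the sample sequence numbers for gaps (lost samples or agent drops make per-second estimates too low), and scales sampled packet counts by `sampling_rate` to estimate per-destination packets per second and flag a flood. The sFlow datagram header and the flow records that follow the sample header are not parsed here, so the destination address a caller would have pulled from the raw packet record is passed in alongside each header; all input bytes are constructed.

```python
"""sFlow v5 flow-sample header parsing plus sampled-rate flood detection.

Added example. Field layout mirrors the 11 uint32 fields listed in the post
(big endian). Datagram header and flow records are out of scope; the
destination of each sampled packet is supplied by the caller.
"""
import struct
from collections import Counter

FLOW_SAMPLE_HEADER = struct.Struct(">11I")  # 11 x uint32, network byte order
FIELD_NAMES = (
    "sample_sequence_number", "source_id_type", "source_id_index",
    "sampling_rate", "sample_pool", "drops_count",
    "input_port_type", "input_port_index",
    "output_port_type", "output_port_index",
    "number_of_flow_records",
)


def parse_flow_sample_header(buf, offset=0):
    """Decode one flow-sample header; returns (fields dict, next offset).

    Rejects truncated input and a zero sampling rate, which would otherwise
    silently turn every rate estimate below into zero.
    """
    if len(buf) - offset < FLOW_SAMPLE_HEADER.size:
        raise ValueError("truncated flow sample header")
    fields = dict(zip(FIELD_NAMES, FLOW_SAMPLE_HEADER.unpack_from(buf, offset)))
    if fields["sampling_rate"] == 0:
        raise ValueError("sampling_rate must be > 0")
    return fields, offset + FLOW_SAMPLE_HEADER.size


def build_flow_sample_header(seq, sampling_rate, in_ifindex, out_ifindex,
                             drops=0, pool=0, records=1):
    """Constructed test input; type 0 for source id and ports means 'ifIndex'."""
    return FLOW_SAMPLE_HEADER.pack(seq, 0, in_ifindex, sampling_rate, pool,
                                   drops, 0, in_ifindex, 0, out_ifindex, records)


def sequence_gaps(headers):
    """(expected, seen) pairs where sample_sequence_number jumped.

    A gap means samples were lost in transit or dropped by the agent under
    load (compare drops_count), so pps estimates for that window read low.
    """
    gaps = []
    for prev, cur in zip(headers, headers[1:]):
        expected = prev["sample_sequence_number"] + 1
        if cur["sample_sequence_number"] != expected:
            gaps.append((expected, cur["sample_sequence_number"]))
    return gaps


def estimate_pps(samples, window_seconds):
    """Per-destination packets/second: each sample stands for sampling_rate packets."""
    est = Counter()
    for header, dst in samples:
        est[dst] += header["sampling_rate"]
    return {dst: n / window_seconds for dst, n in est.items()}


def detect_flood(samples, window_seconds, threshold_pps):
    """Destinations whose estimated inbound rate meets the threshold."""
    pps = estimate_pps(samples, window_seconds)
    return sorted(dst for dst, rate in pps.items() if rate >= threshold_pps)


# Constructed one-second window from a single agent sampling at 1:1000.
# Sequence number 4 is deliberately missing to show gap detection.
_RAW = [build_flow_sample_header(seq, 1000, 5, 7) for seq in (1, 2, 3, 5)]
_DSTS = ["10.0.0.1", "10.0.0.1", "10.0.0.1", "10.0.0.2"]
WINDOW = [(parse_flow_sample_header(raw)[0], dst) for raw, dst in zip(_RAW, _DSTS)]

if __name__ == "__main__":
    print("sequence gaps:", sequence_gaps([h for h, _ in WINDOW]))
    print("estimated pps:", estimate_pps(WINDOW, 1.0))
    print("over 2500 pps:", detect_flood(WINDOW, 1.0, 2500))
```

Three sampled packets at a 1:1000 rate inside a one-second window represent roughly 3000 packets, which is why a sampled source can signal a flood within seconds of its onset; the same scaling also means one lost sample is a thousand unseen packets, which is what the sequence-gap check is for.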
Re: sFlow vs netFlow/IPFIX
Sorry but I could not understand what issues you've found in sFlow. Could you describe them in detail?

Recently I gave a talk at RIPE 71 and showed the pattern of a real attack which achieved 6 gbps in the first 30 seconds (just check slide 6 here http://www.slideshare.net/pavel_odintsov/ripe71-fastnetmon-open-source-dos-ddos-mitigation). And an sFlow device could offer 3-4 seconds detection time in this case.

But NetFlow __could__ delay telemetry up to 30 seconds (in case of a huge syn/syn-ack flood for example) and your network will experience downtime. But with sFlow you could detect and mitigate this attack in seconds.

Does it make sense?

On Mon, Feb 29, 2016 at 10:32 AM, Roland Dobbins <rdobb...@arbor.net> wrote:
> On 29 Feb 2016, at 14:26, Pavel Odintsov wrote:
>
>> From my own experience sflow should be selected if you are interested in
>> internal packet payload (for dpi / ddos detection) or you need fast reaction
>> time on some actions (ddos is best example).
>
> This does not match my experience. In particular, the implied canard about
> flow telemetry being inadequate for timely DDoS
> detection/classification/traceback grows tiresome, as it's used for that
> purpose every day, and works quite well.
>
> If one is also using an IDMS-type device to mitigate DDoS traffic, the
> device sees the whole packet, anyways.
>
> ---
> Roland Dobbins <rdobb...@arbor.net>

--
Sincerely yours, Pavel Odintsov
Re: sFlow vs netFlow/IPFIX
Hello, folks!

I've huge experience of the battle sFlow vs NetFlow because in my free DDoS detection toolkit fastnetmon we support both capture methods. You could look at this comparison table: https://github.com/pavel-odintsov/fastnetmon/blob/master/docs/CAPTURE_BACKENDS.md

From my own experience sFlow should be selected if you are interested in internal packet payload (for dpi / ddos detection) or you need fast reaction time on some actions (ddos is the best example).

If you just need to count traffic and you accept a pretty long reaction time and not accurate enough traffic bandwidth data you could select NetFlow.

From the hardware point of view almost all brand new switches support sFlow free of charge (no additional licenses or modules). But be aware, Cisco do not support this protocol at all (that's pretty weird, really). Also keep in mind sFlow is implemented in hardware ASIC with small help from the CPU and it's pretty fast and suitable for really any traffic bandwidth. I have experience with sFlow analytics for a 1.5 Tb+ network and it's working really well!

For NetFlow sometimes you need additional modules / software licenses and sometimes devices completely haven't support for it. And if you have software devices (for example small SRX routers from Juniper) netflow generation will be pretty expensive from the CPU point of view because netflow needs a pretty big amount of CPU resources for aggregation.

On Mon, Feb 29, 2016 at 5:41 AM, <valdis.kletni...@vt.edu> wrote:
> On Mon, 29 Feb 2016 09:24:42 +0700, "Roland Dobbins" said:
>> On 29 Feb 2016, at 6:26, Baldur Norddahl wrote:
>>
>> > Around here they are currently voting on a law that will require unsampled
>> > 1:1 netflow on all data in an ISP network with more than 100 users.
>>
>> That's interesting, given that most larger routers don't support 1:1.
>
> In the war between reality and governmental paranoia, reality usually loses.

--
Sincerely yours, Pavel Odintsov
Re: Softlayer / Blocking Cuba IP's ?
Hello!

I have another question. Why does anybody exist in this list? Nobody should be in this block list actually.

If you ban some country because this country is bad (so really? Some countries are worse than others, really? Who cares about these evaluations? Some yet another "smart" government?)

If you ask to block somebody you are becoming the worst person on the Whole Earth. This sounds really like Internet Nazism. Just imagine a world where you should drop all packets from Martians because your government thinks they are stupid. Sounds like Orwell 1984. Not so perfect way.

From my point of view nobody should block North Korea, Cuba or definitely Crimea because the Internet is not the political game field. It's a way to communicate. Both bad and good people could use it and nobody should care about "who can".

On Sun, Feb 21, 2016 at 2:16 PM, Max Tulyev <max...@netassist.ua> wrote:
> Why Crimea still not in the list?
>
> On 20.02.16 02:57, frnk...@iname.com wrote:
>> Official statement here:
>> https://knowledgelayer.softlayer.com/faq/softlayer-network-wide-ip-blocking
>>
>> Frank
>>
>> -----Original Message-----
>> From: NANOG [mailto:nanog-bounces+frnkblk=iname@nanog.org] On Behalf Of
>> Faisal Imtiaz
>> Sent: Friday, February 19, 2016 5:21 PM
>> To: Carlos A. Carnero Delgado <carloscarn...@gmail.com>
>> Cc: nanog list <nanog@nanog.org>
>> Subject: Re: Softlayer / Blocking Cuba IP's ?
>>
>> Ola Carlos,
>>
>> I am very familiar with Govt. instituted restrictions, and yes, people
>> always find ways to get around it. I cannot speak for the Cuban Gov. nor for
>> the US Gov. as to what they decide to do and when.
>>
>> What was/is irksome about Softlayer's decision is the following:-
>>
>> 1) Unilateral implementation of a restricted policy without any notification.
>>
>> 2) The broad stroke implementation of a Gov Policy that does not apply to
>> the communication service they applied the policy to.
>>
>> i.e. As much as we all dislike Dictatorial Behavior, and we fully recognize
>> Softlayer is a Private Entity, who can exercise its right to act
>> Dictatorially, such behavior in the overall community (Internet) is frowned
>> upon and (as it should) has a long term negative effect on business.
>>
>> Saludos.
>>
>> Faisal Imtiaz
>> Snappy Internet & Telecom
>> 7266 SW 48 Street
>> Miami, FL 33155
>> Tel: 305 663 5518 x 232
>>
>> Help-desk: (305)663-5518 Option 2 or Email: supp...@snappytelecom.net
>>
>>> From: "Carlos A. Carnero Delgado" <carloscarn...@gmail.com>
>>> To: "Faisal Imtiaz" <fai...@snappytelecom.net>
>>> Cc: "nanog list" <nanog@nanog.org>
>>> Sent: Friday, February 19, 2016 6:08:42 PM
>>> Subject: Re: Softlayer / Blocking Cuba IP's ?
>>>
>>> Hi,
>>>
>>> (disclaimer: I'm Cuban national, living in Cuba, and a long time lurker in this
>>> great list)
>>>
>>> 2016-02-19 15:27 GMT-05:00 Faisal Imtiaz < fai...@snappytelecom.net > :
>>>
>>>> Considering the fact that such a block was just put in place about a week
>>>> ago ?
>>>> Last time I checked, blocking any part of the world is not part of any legal
>>>> requirements on any Global Service Provider ? other than a 'company
>>>> policy' ?
>>>
>>> Being denied access to services, as a Cuban national, is something that we've
>>> all experienced here and we (sadly) have come to accept it as a fact of life.
>>> Sometimes we resort to proxies/VPNs in order to conceal our origin -- and by a
>>> similar token, sometimes, our destination ;).
>>>
>>> However, there are a couple of things that have made me wonder how arbitrary
>>> decisions can be. I think sometimes it just boils down to specific provider
>>> policies that try to (maybe rightfully) cover their bottoms in the light of the
>>> law. For instance, I can't hide the fact that I have access to Gmail; but at
>>> the same time there are many Google properties and services that I can't. There
>>> are many companies, global companies, that I can't access, and others are open
>>> to us which are, paradoxically, completely based on the US and under US law
>>> (won't name them publicly to avoid potential damage).
>>>
>>> Any way, I'm going back to lurk mode. However, feel free to ask anything, on- or
>>> offlist. And I thank you all for this wonderful resource.
>>> Carlos.

--
Sincerely yours, Pavel Odintsov
Re: algorithm used by (RIPE region) ISPs to generate automatic BGP prefix filters
Hello!

You could check an awesome project for this purpose: http://www.stableit.ru/2015/06/generate-bgp-filters-with-bgpq3.html

It's authored by Russian carrier RETN.net.

On Thu, Feb 4, 2016 at 2:58 PM, Henrik Thostrup Jensen <h...@nordu.net> wrote:
> Hi Martin
>
> On Thu, 4 Feb 2016, Martin T wrote:
>
>> am I correct that ISPs (in RIPE region), who update their BGP prefix
>> filters automatically, ask their IP transit customer or peering
>> partner to provide their "route"/"route6" object(s) or "as-set" object
>> in order to find all the prefixes which they should accept?
>
> This is a common practice to do. Both within and outside the RIPE region.
> For bigger networks, prefix lists become somewhat unwieldy, and one can then
> use as-path filters instead. Use a prefix limit with this.
>
> Typically you use a tool (bgpq3) to generate the prefix lists.
>
>> If the IP transit customer or peering partner provides an "as-set", then
>> ISP needs to ensure that this "as-set" belongs to this IP transit customer
>> or peering partner because there is no automatic authentication for this,
>> i.e. anybody can create an "as-set" object to database with random "members"
>> attributes?
>
> I don't know the procedure for creating as-sets, maybe someone else can chip
> in.
>
>> This is opposite to "route"/"route6" objects which follow a strict
>> authentication scheme.
>
> I believe this differs depending on the irrd software/operator.
>
>> In addition, in case of "as-set", an ISP needs to recursively find all the
>> AS numbers from "members" attributes because "as-set" can include other
>> "as-sets"?
>
> Some irrd servers can expand this automatically (I think). But seriously,
> use a tool for this.
>
>> Quite a lot of questions, but I would simply like to be sure that I
>> understand this correctly.
>
> There are basically two abstractions:
>
> 1. as-set. Can contain other as-sets or as numbers.
> 2. prefixes are registered to an as-number.
>
> Remember that there are multiple IRR servers, and they mirror each other.
>
> Use http://irrexplorer.nlnog.net/ to play around a bit :-).
>
> Best regards, Henrik
>
> Henrik Thostrup Jensen
> Software Developer, NORDUnet

--
Sincerely yours, Pavel Odintsov
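As an added example (not part of this thread, and not bgpq3's code), the two abstractions Henrik lists turned into a filter: a loop-safe recursive expansion of an as-set into origin AS numbers, the route objects of those origins collected into a prefix list with a maximum prefix length, the prefix limit he recommends, and Junos rendering. The as-set and route objects below are a constructed, hypothetical IRR snapshot; the function names are this example's own.

```python
import ipaddress
import re
from typing import Dict, Iterable, List, Optional, Set

# Constructed mini IRR snapshot: hypothetical as-set and route objects, not real
# registry data. AS-EXAMPLE-DOWNSTREAM lists AS-EXAMPLE-CUST back, so a naive
# recursive walk would never terminate.
AS_SETS: Dict[str, List[str]] = {
    "AS-EXAMPLE-CUST": ["AS64500", "AS-EXAMPLE-DOWNSTREAM"],
    "AS-EXAMPLE-DOWNSTREAM": ["AS64501", "AS64502", "AS-EXAMPLE-CUST"],
}
# route objects keyed by origin AS (RFC 5737 documentation prefixes)
ROUTES: Dict[str, List[str]] = {
    "AS64500": ["192.0.2.0/24", "198.51.100.0/23"],
    "AS64501": ["203.0.113.0/24"],
    "AS64502": ["198.51.100.0/24", "198.51.100.128/25"],
}

ASN_RE = re.compile(r"^AS\d+$")


def expand_as_set(name: str, as_sets: Dict[str, List[str]],
                  _seen: Optional[Set[str]] = None) -> Set[str]:
    """Return every AS number reachable from `name`, following nested as-sets.

    `_seen` remembers sets already visited, so a set that lists itself (directly
    or through another set) is expanded once and cannot cause infinite recursion.
    """
    if _seen is None:
        _seen = set()
    if name in _seen:
        return set()
    _seen.add(name)
    if name not in as_sets:
        # An unknown set would otherwise yield an empty, deny-everything filter
        # without anyone noticing; fail loudly instead.
        raise KeyError(f"as-set {name} not found in IRR snapshot")
    asns: Set[str] = set()
    for member in as_sets[name]:
        if ASN_RE.match(member):
            asns.add(member)
        else:
            asns |= expand_as_set(member, as_sets, _seen)
    return asns


def build_prefix_list(asns: Iterable[str], routes: Dict[str, List[str]],
                      max_len: int = 24, aggregate: bool = False) -> List[str]:
    """Collect the IPv4 route objects of the given origins into a sorted prefix list.

    Prefixes longer than `max_len` are dropped, so a /25 registered in the IRR does
    not turn into a /25 you accept. With `aggregate`, more-specifics already covered
    by a registered less-specific are collapsed into it.
    """
    nets = set()
    for asn in asns:
        for prefix in routes.get(asn, []):
            net = ipaddress.ip_network(prefix, strict=True)
            if net.version != 4 or net.prefixlen > max_len:
                continue
            nets.add(net)
    chosen = ipaddress.collapse_addresses(nets) if aggregate else nets
    return [str(n) for n in sorted(chosen)]


def within_prefix_limit(prefixes: List[str], limit: int) -> bool:
    """The prefix limit Henrik mentions: refuse to push a filter that would let
    a neighbour announce more prefixes than the session is sized for."""
    return len(prefixes) <= limit


def junos_prefix_list(name: str, prefixes: List[str]) -> str:
    """Render the list in Junos policy-options syntax."""
    body = "\n".join(f"        {p};" for p in prefixes)
    return f"policy-options {{\n    prefix-list {name} {{\n{body}\n    }}\n}}"


if __name__ == "__main__":
    origins = expand_as_set("AS-EXAMPLE-CUST", AS_SETS)
    prefixes = build_prefix_list(origins, ROUTES)
    print(sorted(origins))
    print(junos_prefix_list("AS-EXAMPLE-CUST", prefixes))
```

Note what the expansion does not do: it says nothing about whether AS-EXAMPLE-CUST really belongs to the customer who handed it over, which is exactly the gap Martin asks about; the ownership check stays a manual step.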
Re: DDoS Mitigation
Hello, Christopher!

Could you share "there are quite a few in the US that will filter traffic like this for you" off-list?

On Thu, Nov 5, 2015 at 3:27 AM, Christopher Morrow <morrowc.li...@gmail.com> wrote:
> a short answer for the OP is: "Find an ISP that will actually support you"
>
> there are quite a few in the US that will filter traffic like this for
> you (vzb will) on demand, provided the traffic is service impacting
> and NOT 'victoria secret runway show' traffic.
>
> alternately you could find an ISP that has a mitigation service (vzb,
> att, ntt, sprint i think still does) and move your links there.
>
> All of those are cheaper when under attack than the off-network
> solutions (generally).
>
> On Thu, Nov 5, 2015 at 9:12 AM, Tin, James <j...@akamai.com> wrote:
>> This is my first post to Nanog. So please don't flame me down ;)
>>
>> Hi Mario.
>>
>> Typically the cost of DDoS mitigation is charged on the amount of clean
>> traffic inbound to your network, the number of protected /24 ranges you need
>> protected and the number of datacentres you want to protect.
>>
>> Ideally the DDoS mitigation solution should block attacks as close as
>> possible to the source of the attack. One good way of doing this is by
>> leveraging anycast from multiple scrubbing centres and ensuring there is
>> enough backbone bandwidth between each scrubbing centre to deliver clean
>> traffic.
>>
>> Blocking it at your upstream transit provider may be too late for
>> significant attacks as any service provider between you and the source could
>> black hole the traffic before it gets to your peers. This results in
>> legitimate traffic not being able to reach your network.
>>
>> Paras is correct, attacks could be on any port and often multivector and
>> change within an attack campaign if attackers see one vector is not
>> effective. So each attack really needs to be dealt with dynamically to
>> ensure there are no false positives (something is blocked when it shouldn't
>> be).
>>
>> Unfortunately it is very simple to initiate a DDoS attack, but the cost of
>> mitigation is very high. So the solution you choose really depends on the
>> monetary cost of the outages, clients you have and whether the cost can be
>> amortised over your client base.
>>
>> I have seen service providers offer premium hosting services which have DDoS
>> mitigation, using separate infrastructure and links to their normal
>> customers. This reduces the cost of mitigation while also containing the
>> risks and the collateral damage.
>>
>> There are also different DDoS mitigation solutions depending on the service
>> protocols you are offering. I.e. web traffic could be mitigated with a CDN vs
>> all protocols and ports with BGP via a scrubbing centre.
>>
>> Sent from my iPhone
>> James Tin
>> Enterprise Security Architect APJ
>> Akamai Technologies
>> Level 7, 76 Berry St
>> North Sydney, NSW 2071
>>
>> On 5 Nov 2015, at 05:13, Paras <pa...@protrafsolutions.com> wrote:
>>
>> Hey,
>>
>> Just blocking port 19 won't cut it, as we often see Chargen attacks that run
>> on nonstandard ports as well
>>
>> Thanks,
>> Paras
>>
>> On 11/4/2015 12:33 PM, Mario Eirea wrote:
>> Hello everyone,
>>
>> Looking to find out how the pricing model works for DDoS mitigation and what
>> to expect as far as ballpark pricing from my ISP. Some background, we are
>> getting hit with a chargen attack that comes and goes and is saturating our
>> 500mb connection. Tried hitting up the ISP for UDP block on 19 but they want
>> us to go through our rep, in the process making this go on longer than is
>> necessary. Any feedback would be appreciated.
>>
>> Thanks,
>>
>> -ME

--
Sincerely yours, Pavel Odintsov
Re: DDoS mitigation for ISPs
Hello!

I could recommend folks from the EU - http://qrator.net/en/

Two years without any issues. Perfect SSL and http filtration.

On Thu, Oct 29, 2015 at 10:53 PM, Hugo Slabbert <h...@slabnet.com> wrote:
>>> Alternatively: http://lmgtfy.com/?q=ddos+protection
>>>
>> Actually I did the google thing first and followed up with several of the
>> top results, and not once did I see anyone offering a bgp tunnel + scrub
>> which is why I asked. I did get some good off list responses however, thanks
>> all.
>>
>> Mike-
>
> Apologies for the snarky link. A Google search on my end turned up several
> of the solutions I listed manually and which definitely do GRE + BGP.
> Apparently my past searches on the subject have coloured my current results
> more than I expected...
>
> --
> Hugo
>
> h...@slabnet.com: email, xmpp/jabber
> PGP fingerprint (B178313E):
> CF18 15FA 9FE4 0CD1 2319 1D77 9AB1 0FFD B178 313E
>
> (also on textsecure & redphone)

--
Sincerely yours, Pavel Odintsov
Looking for upstream provider with BGP Flow Spec support / RFC 5575
Hello, dear Nanog Community!

I'm looking for upstreams with BGP Flow Spec / RFC 5575 support in the US (West and East coast are welcome).

We have implemented support for BGP Flow Spec traffic filtering in our own open source DDoS detection toolkit and are using it on our own MX routers. It works really well. But we are experiencing so many attacks that overflow the channel and want to block part of the traffic on the upstream's side.

Thanks!

--
Sincerely yours, Pavel Odintsov
Re: Any Tool to replace Peakflow CP
Hello!

Thanks for the recommendation, Alvin!

As author of FastNetMon I will be very glad to hear some feedback about my tool and could help with configuration / development :)

On Sun, Sep 6, 2015 at 6:22 AM, alvin nanog <nano...@mail.ddos-mitigator.net> wrote:
>
> hi aluisio
>
> On 09/06/15 at 02:01am, Aluisio da Silva wrote:
>> Hello,
>>
>> Does anyone here have a suggestion for a tool to replace Peakflow CP from
>> Arbor Networks?
>
> # for reference
> http://www.arbornetworks.com/products
>
>> Please if possible you would like to hear some suggestions.
>
> - sflow based
> http://www.sflow.com/products/floodprotect.php
> http://www.inmon.com/technology/sflowTools.php
>
> http://www.andrisoft.com/software/wanguard
> http://www.github.com/FastVPSEestiOu/fastnetmon
> http://www.packetdam.com
> http://www.radware.com/Products/DefenseFlow
>
> - netflow based
> ?cisco url?
>
> http://nfdump.sourceforge.net
> http://nfsen.sourceforge.net
> http://sourceforge.net/projects/panoptis
>
> - jflow based
> ?juniper?
>
> magic pixie dust
> alvin
> #
> # DDoS-Mitigator.com
> #
>
>> Thanks.
>>
>> Aluísio da Silva
>> Coordenação de Planejamento e Engenharia
>> CTBC
>> (34) 3256-2471
>> (34) 9976-0471
>> www.ctbc.com.br

--
Sincerely yours, Pavel Odintsov
Re: Experience on Wanguard for 'anti' DDOS solutions
Hello!

We have some open source software for this task https://github.com/FastVPSEestiOu/fastnetmon :)

Feel free to ask me any questions off list.

On Mon, Aug 10, 2015 at 9:58 AM, Marcel Duregards marcel.durega...@yahoo.fr wrote:

Dear Nogers,

We are currently evaluating some DDOS detection/mitigation solutions. Do you have any inputs/experiences on Wanguard from Andrisoft, please? https://www.andrisoft.com/software/wanguard

Currently we are just interested in the packets/flows sensors with the console for detection and RTBH trigger. Maybe the packet filtering (for scrubbing) will come later.

Best Regards,
-Marcel Duregards

--
Sincerely yours, Pavel Odintsov
Re: Yet Another BGP (Border Gateway Protocol) Python Implementation
Nice!

On Friday, August 7, 2015, Alistair Mackenzie magics...@gmail.com wrote:

As our priority, we will do MPLS VPN, IPv6, *Flowspec* firstly. In the future, we will consider multicast and EVPN.

Thanks.

On 7 August 2015 at 10:05, Pavel Odintsov pavel.odint...@gmail.com wrote:

Hi!

Thanks for your code! I have used ExaBGP for one year and will try your tool too!

Do you have any plans about BGP Flow Spec?

On Friday, August 7, 2015, Bjørn Mork bj...@mork.no wrote:

Randy Bush ra...@psg.com writes:

perhaps dissing someone for their free code is even ruder than not doing ipv6 in 2015? you don't have to use either.

Definitely. In any case, one advantage of open sourcing stuff is that you can always answer such comments with a simple "Patches welcome!" which tends to silence critics :-)

Bjørn

--
Sincerely yours, Pavel Odintsov

--
Sincerely yours, Pavel Odintsov
Re: Yet Another BGP (Border Gateway Protocol) Python Implementation
Hi!

Thanks for your code! I have used ExaBGP for one year and will try your tool too!

Do you have any plans about BGP Flow Spec?

On Friday, August 7, 2015, Bjørn Mork bj...@mork.no wrote:

Randy Bush ra...@psg.com writes:

perhaps dissing someone for their free code is even ruder than not doing ipv6 in 2015? you don't have to use either.

Definitely. In any case, one advantage of open sourcing stuff is that you can always answer such comments with a simple "Patches welcome!" which tends to silence critics :-)

Bjørn

--
Sincerely yours, Pavel Odintsov
Re: DDOS Simulation
Hello!

My machines have 16GB of memory but the traffic generator uses about ~1GB of memory for a 10GE link.

On Tue, Jul 28, 2015 at 12:36 AM, alvin nanog nano...@mail.ddos-mitigator.net wrote:

hi pavel

On 07/28/15 at 12:02am, Pavel Odintsov wrote:

It's poor man's traffic generator :)

that's the best kind :-) as long as it gets the job done and you get to control what it does

My test lab is i7 2600 with 2 port Intel X520 10GE and Intel Xeon E5 2604 with 2 port Intel X520 10GE.

nice cpu hw

trick questions for those thinking of generating ddos traffic for testing
- ?? how much memory was needed to run the traffic generator
i assume around 1GB of memory for 1gigE interface and i still can purposely run out of memory while some apps are running
at 10gigE pci card, you'd probably want at least 12GB - 16GB of memory
- some poor mans apps to generate traffic ... start w/ nping or hping

# generate 1,000 Mbit/sec of junk .. flooding is trivial ... ping -i 0.001 -s 2000 victimIP# nping --data-length 2000 --rate 1000 victimIP# socat iperf ... # # generate udp or icmp or arp or tcp traffic # # add options to generate large-sized packets # add options to generate 10Gbit/sec ( number of packet/sec ) # # play around with tcp headers # add options to send MTU=1501 byte but NOT set DF # add options to send ACK but no request # # add options to spoof source and destination address and ports # # if the host machine become un-available, you've got a problem # for host in gw dns ntp http smtp for protocol in arp icmp udp tcp nping --protocol [ options ] host.example.com # hping is nice too done done # for bonus arp fun ... attacker# arpspoof gateway victim attacker# arpspoof victim gateway

# prevent mitm with:
use hard coded arp /etc/ethers for linux
use OpenSSL certs to flag a warning when attacker inserted itself in between gateway and un-aware victim

pixie dust
alvin
- DDoS-Mitigator.net

On Mon, Jul 27, 2015 at 11:59 PM, valdis.kletni...@vt.edu wrote:

On Mon, 27 Jul 2015 23:32:56 +0300, Pavel Odintsov said:

I would like to recommend MoonGen for generating very high speed attacks (I have generated up to 56 mpps/40GE with it).

OK, I'll bite - what hardware were you using to inject that many packets?

--
Sincerely yours, Pavel Odintsov
Re: DDOS Simulation
Yep, it's definitely possible. I have done this with netmap/PF_RING/DPDK and SnabbSwitch.

On Tue, Jul 28, 2015 at 1:06 AM, Ammar Zuberi am...@fastreturn.net wrote:

I've seen people push close to 10Gbps line rate with 1 byte packets on an Intel card with PF_RING.

On 28 Jul 2015, at 1:40 am, lobna gouda lobna_go...@hotmail.com wrote:

Hello David et Dan,

Are you going to perform the DDOS solution yourself, or are you looking for a company to provide a solution for you? Some companies perform an attack simulation for you before buying the product.

From: dro...@gmail.com
Date: Mon, 27 Jul 2015 09:31:21 -0700
Subject: Re: DDOS Simulation
To: do...@telecurve.com
CC: nanog@nanog.org

Looking for similar here.

-Dan

On Mon, Jul 27, 2015 at 8:32 AM, Dovid Bender do...@telecurve.com wrote:

Hi All,

We are looking into a few different DDOS solutions for a client. We need a LEGITIMATE company that can simulate some DDOS attacks (the generic + specific to the clients business). Anyone have any recommendations?

Regards,
Dovid

--
Sincerely yours, Pavel Odintsov
Re: Working with Spamhaus
Hello!

Completely agree with Larry. I'm a big enough hosting provider and we have multiple spam issues every day. But we fix them ASAP before any folks from SpamHaus become angry :)

So we still have 1-2 abuses from SpamHaus every few weeks. But we resolve them in a few hours and we don't have any issues with blocking or blacklisting.

They are very responsive and like us because we do things smoothly :) Actually they really make the Internet better. Don't hate them!

On Wed, Jul 29, 2015 at 6:45 AM, Larry Sheldon larryshel...@cox.net wrote:

On 7/28/2015 22:06, Bryan Tong wrote:

If anyone has any advice on how to deal with these people. Please let me know here or off list.

Based on years of experience, the very best way is don't.

Don't profit from spam, and as a result don't deal with Spamhaus at all.

--
sed quis custodiet ipsos custodes? (Juvenal)

--
Sincerely yours, Pavel Odintsov
Re: DDOS Simulation
Hello!

It's a poor man's traffic generator :)

My test lab is i7 2600 with 2 port Intel X520 10GE and Intel Xeon E5 2604 with 2 port Intel X520 10GE.

On Mon, Jul 27, 2015 at 11:59 PM, valdis.kletni...@vt.edu wrote:

On Mon, 27 Jul 2015 23:32:56 +0300, Pavel Odintsov said:

I would like to recommend MoonGen for generating very high speed attacks (I have generated up to 56 mpps/40GE with it).

OK, I'll bite - what hardware were you using to inject that many packets?

--
Sincerely yours, Pavel Odintsov
Re: DDOS Simulation
Hello!

I would like to recommend MoonGen for generating very high speed attacks (I have generated up to 56 mpps/40GE with it).

There is another open project: quezstresser.com

On Mon, Jul 27, 2015 at 11:25 PM, alvin nanog nano...@mail.ddos-mitigator.net wrote:

hi dovid

On 07/27/15 at 11:32am, Dovid Bender wrote:

We are looking into a few different DDOS solutions for a client. We need a LEGITIMATE company that can simulate some DDOS attacks (the generic + specific to the clients business). Anyone have any recommendations?

i've compiled a fairly comprehensive list, it is here:
- http://ddos-mitigator.net/Competitors

simulating ddos attacks are fairly easy to do, except one does have to be careful of process and procedure and the all important get out of jail for free card ( let your local ISP techie's know too )

http://DDoS-Simulator.net/Demo ( wrapper gui around *perf/nc/nmap/*ping command options )

ddos mitigation is not a single thing-a-ma-jig, and should be multi-layered, different solutions solving different DDoS issues
http://ddos-solutions.net/Mitigation/#Howto
- how are they attacking
- who is attacking ( script kiddie vs master of deception )
- what are they attacking
- when are they attacking
- why are they attacking
- ...

# -
# what kind of simulations are you trying to do ??
# -

- volumetric attacks say 10gigabit vs 200gigabit attacks is trivial
  - ping flood, udp flood, arp flood, tcp flood, etc, etc
  local appliances with 10/100 gigabit NIC cards should be able to generate close to 100 gigabit/sec of ddos attacks

- udp and icmp attacks are harder to mitigate, since those packets need to be stopped at the ISP
  if it came down the wire to the local offices, it already used the bandwidth, cpu, memory, time, people, etc, etc

- tcp-based ddos attacks are trivial ( imho ) to defend against with iptables + tarpits
  if each tcp connection takes 2K bytes, the DDoS attacker that is intent on sending large quantity of tcp-based packets would incur a counter ddos attack using up its own kernel memory
  100,000 tcp packet/sec * 2K byte -- 200M /sec of kernel memory
  ?? with tcp timeout of 2 minutes implies they'd need 24TB of
  ?? kernel memory to sustain a 100,000 tcp packet/sec attack

  # live demo of tarpit incoming ddos attacks
  http://ddos-mitigator.net/cgi-bin/IPtables-GUI.pl
  http://target-practice.net/cgi-bin/IPtables-GUI.pl

  # command line options is 100x faster and easier than html
  # to automatically add new incoming ddos attackers
  iptables-gui -doadd -addauto
  # to automatically remove inactive ddos attackers
  iptables-gui -dodel -deluto

  ssh based solutions are nice but only works on port 22
  http based solutions are nice but only works on port 80
  there are 65,533 other ports to defend against DDoS attacks which is defensible with tarpit

- it is trivial to generate attacks against apache or web browser
- it is trivial to generate attacks against sendmail or mail reader
  - netcat/socat/nc, hping*, nping, etc, etc
  - something that you can define source and destination IP#
  - something that you can define source and destination port#
- it is harder to generate the various malformed tcp headers
  - gui to help set tcp header flags and options for nmap/hping
  - http://ddos-simulator.net/Demo/

- spam, virii and worms seems to be in its own category

- another important question for your clients is if they are under any governmental regulations which will limit their choices of solutions
  - hipaa, pci, sox, etc
  inhouse ddos solutions should not have any governmental compliance issues
  cloud based ddos solutions and their facilities would have to comply with the various governmental issues

both inhouse and cloud based solutions solve some problems
another 32+ point comparison for inhouse vs cloud based solutions
- http://ddos-mitigator.net/InHouse-vs-Cloud

thanx
alvin
- http://ddos-mitigator.net
- http://ddos-simulator.net

--
Sincerely yours, Pavel Odintsov
Re: 20-30Gbps UDP 1720 traffic appearing to originate from CN in last 24 hours
Hello!

There are a few vendors which could offer 100GE capture solutions which could be used with FastNetMon. I could share vendor names off list if you are interested in it.

Now we do only packet counting and compare it with fixed thresholds. But we are working on deep packet inspection of attacks. But pps/bps thresholds are still useful in this case too.

On Tue, Jul 21, 2015 at 5:48 PM, Rafael Possamai raf...@gav.ufsc.br wrote:

Pavel, what kind of resources does the analysis of a 100G circuit require? Or is it just counting packets?

On Tue, Jul 21, 2015 at 8:11 AM, Pavel Odintsov pavel.odint...@gmail.com wrote:

You could do SQC with FastNetMon. We have per subnet / per host and per protocol counters. We are working on multi 100GE mode very well :)

On Tue, Jul 21, 2015 at 4:07 PM, Rafael Possamai raf...@gav.ufsc.br wrote:

Has anyone tried to implement real-time SQC in their network? You can calculate summary statistics and use math to determine if traffic is normal or if there's a chance it's garbage. You won't be able to notice one-off attacks, but anything that repeats enough times should pop up. Facebook uses similar technology to figure out what kind of useless news to display on your feed.

In summary, instead of blocking an entire country, we should be able to analyze traffic as it comes, and determine a DDoS attack without human intervention.

On Tue, Jul 21, 2015 at 7:43 AM, Jared Mauch ja...@puck.nether.net wrote:

On Tue, Jul 21, 2015 at 08:09:56AM -0400, Curtis Maurand wrote:

DNS is still largely UDP.

Water is also still wet :) - but you may not be doing 10% of your links as UDP/53. DNS can also use TCP as well, including sending more than one query in a pipelined fashion.

The challenge that Cameron is trying to document here is when seeing large volumes of UDP it becomes necessary to do something to keep the network up. This response is frustrating for those of us who prefer to have an unfiltered e2e network but maintaining the network as up in the face of these adverse conditions is important.

- Jared

--Curtis

On 7/20/2015 5:40 PM, Ca By wrote:

Folks, it may be time to take the next step and admit that UDP is too broken to support
https://tools.ietf.org/html/draft-byrne-opsec-udp-advisory-00

Your comments have been requested

On Mon, Jul 20, 2015 at 8:57 AM, Drew Weaver drew.wea...@thenap.com wrote:

Has anyone else seen a massive amount of illegitimate UDP 1720 traffic coming from China being sent towards IP addresses which provide VoIP services? I'm talking in the 20-30Gbps range?

The first incident was yesterday at around 13:00 EST, the second incident was today at 09:00 EST.

I'm assuming this is just another DDoS like all others, but I would be interested to hear if I am not the only one seeing this. On list or off-list is fine.

Thanks,
-Drew

--
Best Regards
Curtis Maurand
Principal
Xyonet Web Hosting
mailto:cmaur...@xyonet.com
http://www.xyonet.com

--
Jared Mauch | pgp key available via finger from ja...@puck.nether.net
clue++; | http://puck.nether.net/~jared/ My statements are only mine.

--
Sincerely yours, Pavel Odintsov

--
Sincerely yours, Pavel Odintsov
Re: 20-30Gbps UDP 1720 traffic appearing to originate from CN in last 24 hours
Hello, folks!

Could anybody run my toolkit https://github.com/FastVPSEestiOu/fastnetmon with the collect_attack_pcap_dumps = on option against this attack type? With a pcap dump we could do a detailed analysis and share all details with the Community.

On Tue, Jul 21, 2015 at 2:16 PM, Jared Mauch ja...@puck.nether.net wrote:

I'm reminded of the "the russians are hacking our water system" stories from a few years back, when it turned out the water system administrator was on vacation in russia.

often traffic comes from unexpected locations. perhaps you should fail-closed with good business practices to open things up. perhaps you fail-open then mitigate risk by using a blocklist.

my suggestion is that if you didn't live through the days of the bogon lists, which were later allocated to RIRs, a block list is likely not the right approach if you're truly working on security posture.

- Jared

On Mon, Jul 20, 2015 at 09:50:44PM +0100, Colin Johnston wrote:

blocking to mitigate risk is a better trade off gaining better percentage legit traffic against an inadvertent minor valid good network range.

Sent from my iPhone

On 20 Jul 2015, at 21:20, valdis.kletni...@vt.edu wrote:

On Mon, 20 Jul 2015 21:12:33 +0100, Colin Johnston said:

source user to use phone contact and or postal service to establish contact

And your phone and postal addresses are listed *where* that Joe Aussie-Sixpack is likely to be able to find? (Hint 1: If it's on your website, they can't find it.) (Hint 2: Mortal users have never heard of WHOIS or similar services)

And what are the chances that after 3-4 days of unreachable, the user will simply conclude you've gone out of business and you've lost a customer/reader to a competitor?

--
Jared Mauch | pgp key available via finger from ja...@puck.nether.net
clue++; | http://puck.nether.net/~jared/ My statements are only mine.

--
Sincerely yours, Pavel Odintsov
Re: 20-30Gbps UDP 1720 traffic appearing to originate from CN in last 24 hours
You could do SQC with FastNetMon. We have per subnet / per host and per protocol counters. We are working on multi 100GE mode very well :)

On Tue, Jul 21, 2015 at 4:07 PM, Rafael Possamai raf...@gav.ufsc.br wrote:

Has anyone tried to implement real-time SQC in their network? You can calculate summary statistics and use math to determine if traffic is normal or if there's a chance it's garbage. You won't be able to notice one-off attacks, but anything that repeats enough times should pop up. Facebook uses similar technology to figure out what kind of useless news to display on your feed.

In summary, instead of blocking an entire country, we should be able to analyze traffic as it comes, and determine a DDoS attack without human intervention.

On Tue, Jul 21, 2015 at 7:43 AM, Jared Mauch ja...@puck.nether.net wrote:

On Tue, Jul 21, 2015 at 08:09:56AM -0400, Curtis Maurand wrote:

DNS is still largely UDP.

Water is also still wet :) - but you may not be doing 10% of your links as UDP/53. DNS can also use TCP as well, including sending more than one query in a pipelined fashion.

The challenge that Cameron is trying to document here is when seeing large volumes of UDP it becomes necessary to do something to keep the network up. This response is frustrating for those of us who prefer to have an unfiltered e2e network but maintaining the network as up in the face of these adverse conditions is important.

- Jared

--Curtis

On 7/20/2015 5:40 PM, Ca By wrote:

Folks, it may be time to take the next step and admit that UDP is too broken to support
https://tools.ietf.org/html/draft-byrne-opsec-udp-advisory-00

Your comments have been requested

On Mon, Jul 20, 2015 at 8:57 AM, Drew Weaver drew.wea...@thenap.com wrote:

Has anyone else seen a massive amount of illegitimate UDP 1720 traffic coming from China being sent towards IP addresses which provide VoIP services? I'm talking in the 20-30Gbps range?

The first incident was yesterday at around 13:00 EST, the second incident was today at 09:00 EST.

I'm assuming this is just another DDoS like all others, but I would be interested to hear if I am not the only one seeing this. On list or off-list is fine.

Thanks,
-Drew

--
Best Regards
Curtis Maurand
Principal
Xyonet Web Hosting
mailto:cmaur...@xyonet.com
http://www.xyonet.com

--
Jared Mauch | pgp key available via finger from ja...@puck.nether.net
clue++; | http://puck.nether.net/~jared/ My statements are only mine.

--
Sincerely yours, Pavel Odintsov
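Rafael's SQC idea and Pavel's fixed pps thresholds side by side, as an added example that is not part of this thread and not FastNetMon's code: a control-chart detector fed per-interval packet counts for one protected host. The per-second counts are constructed, and the `SqcDetector` class, its parameters and the helper names are this example's own assumptions.

```python
import math
from typing import List, Optional, Tuple

# Constructed per-second packet counts (pps) for one protected host, not measured
# data: 60 s of steady traffic wobbling around 20 kpps, then a sudden flood.
BASELINE_PPS: List[int] = [20_000 + ((i * 37) % 11 - 5) * 100 for i in range(60)]
ATTACK_PPS: List[int] = [20_200, 19_900, 180_000, 250_000, 260_000]


def mean_stddev(xs: List[float]) -> Tuple[float, float]:
    """Sample mean and standard deviation (n-1 denominator)."""
    n = len(xs)
    m = sum(xs) / n
    var = sum((x - m) ** 2 for x in xs) / (n - 1) if n > 1 else 0.0
    return m, math.sqrt(var)


class SqcDetector:
    """Shewhart-style control chart over a sliding baseline of per-interval counts.

    A sample is anomalous when it exceeds mean + k * stddev of the baseline (the
    upper control limit), or a fixed pps threshold when one is configured. Three
    details matter in practice:
      * anomalous samples are NOT folded back into the baseline, so a sustained
        flood cannot teach the detector that the flood is the new normal;
      * stddev is floored at `floor_frac` of the mean, so a very quiet, very
        regular link does not turn a tiny blip into an alert;
      * an alert fires only after `confirm` consecutive anomalous samples, which
        filters single-interval spikes at the price of a little latency.
    """

    def __init__(self, window: int = 60, k: float = 3.0, floor_frac: float = 0.05,
                 fixed_threshold: Optional[float] = None, min_baseline: int = 10,
                 confirm: int = 2) -> None:
        self.window, self.k, self.floor_frac = window, k, floor_frac
        self.fixed_threshold, self.min_baseline = fixed_threshold, min_baseline
        self.confirm = confirm
        self.baseline: List[float] = []
        self.streak = 0  # consecutive anomalous samples seen so far

    def observe(self, pps: float) -> dict:
        mean = ucl = None
        if len(self.baseline) >= self.min_baseline:
            mean, sd = mean_stddev(self.baseline)
            sd = max(sd, self.floor_frac * mean)
            ucl = mean + self.k * sd
        anomalous = (ucl is not None and pps > ucl) or \
                    (self.fixed_threshold is not None and pps > self.fixed_threshold)
        if anomalous:
            self.streak += 1
        else:
            self.streak = 0
            self.baseline.append(pps)
            del self.baseline[:-self.window]  # keep only the last `window` samples
        return {"pps": pps, "mean": mean, "ucl": ucl, "anomalous": anomalous,
                "alert": anomalous and self.streak >= self.confirm}


def run(samples: List[float], **kwargs) -> List[dict]:
    """Feed a whole series through one detector and return the per-sample verdicts."""
    det = SqcDetector(**kwargs)
    return [det.observe(s) for s in samples]


if __name__ == "__main__":
    for i, r in enumerate(run(BASELINE_PPS + ATTACK_PPS)):
        if r["anomalous"]:
            print(f"t={i}s pps={r['pps']} ucl={r['ucl']:.0f} alert={r['alert']}")
```

With the constructed series the baseline settles just under 20 kpps, the control limit lands around 23 kpps, and the 180 kpps sample is flagged on arrival but only confirmed as an alert one interval later; passing `fixed_threshold=100_000, confirm=1` reproduces the fixed-threshold behaviour Pavel describes.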
Re: 'gray' market IPv4
Hello, folks!

I have finished multiple (and 5th in RIPE) inter RIR subnet moves in the RIPE region. We have moved multiple /21-/20 networks and the average cost was about $10 per ip.

On Tuesday, July 14, 2015, Martin Hannigan hanni...@gmail.com wrote:

On Tue, Jul 14, 2015 at 10:22 AM, Matt Kelly mjke...@gmail.com wrote:

This list is actual sale prices, http://www.ipv4auctions.com/previous_auctions/

-- Matt

On July 14, 2015 at 10:14:05 AM, Justin Wilson - MTIN (li...@mtin.net) wrote:

These folks (and I am not advertising or affiliated with them) publish a list of most recent transfers completed: http://ipv4marketgroup.com/broker-services/buy/

vs.

http://www.ipv4auctions.com/previous_auctions/

If you compare the pricing that both have made available you will find one is posting average prices exponentially higher than the other. When you trend the granular auction site data the auction numbers demonstrate a trend one would expect, that smaller prefixes are more expensive since it takes a similar amount of effort to process a /24 as it does a /20. Dollar differences between a /24 unit and a /17 unit move the needle significantly. Based on both sets of public data it's easy to conclude that auctions will work for at least small buyers of space if they're sophisticated enough to address the RIR issues. If you do decide to take the simple broker approach (not all are simple and not all approaches are suitable to simple brokers), use an RFP. And Yelp. :-)

Best,

-M

--
Sincerely yours, Pavel Odintsov
Re: Inexpensive software bgp router that supports route tags?
My voice for awesome ExaBGP too!

On Wednesday, July 1, 2015, harbor235 harbor...@gmail.com wrote:

Quagga supports BGP communities,

Mike

On Wed, Jul 1, 2015 at 11:19 AM, David H ispcoloh...@gmail.com wrote:

Hi all, I was wondering if anyone can recommend a software (preferable), or hardware-based router with an API, that supports BGP with tags on advertised routes? I want to use it for a RTBH feed and having it in software would make certain things easier to automate. I tried Quagga/Zebra but it doesn't support tags. I see Mikrotik hardware routers have an API, but I can't tell if the API supports adding BGP networks, so I need to investigate that further. I can go hardware if I have to, with some ssh/expect scripts, but thought there may be other options that are easier.

Thanks, David

--
Sincerely yours, Pavel Odintsov
Re: Flows with destination port 0 and TCP SYN flag set
Hello!

Looks like it's a silly hping3 flood:

12:43:08.961024 IP 192.168.0.127.10562 > 216.239.32.21.0: Flags [.], win 512, length 0
12:43:08.961031 IP 192.168.0.127.10563 > 216.239.32.21.0: Flags [.], win 512, length 0
12:43:08.961039 IP 192.168.0.127.10564 > 216.239.32.21.0: Flags [.], win 512, length 0
12:43:08.961046 IP 192.168.0.127.10565 > 216.239.32.21.0: Flags [.], win 512, length 0
12:43:08.961054 IP 192.168.0.127.10566 > 216.239.32.21.0: Flags [.], win 512, length 0
12:43:08.961062 IP 192.168.0.127.10567 > 216.239.32.21.0: Flags [.], win 512, length 0
12:43:08.961070 IP 192.168.0.127.10568 > 216.239.32.21.0: Flags [.], win 512, length 0
12:43:08.961077 IP 192.168.0.127.10569 > 216.239.32.21.0: Flags [.], win 512, length 0
12:43:08.961085 IP 192.168.0.127.10570 > 216.239.32.21.0: Flags [.], win 512, length 0
12:43:08.961093 IP 192.168.0.127.10571 > 216.239.32.21.0: Flags [.], win 512, length 0
12:43:08.961101 IP 192.168.0.127.10572 > 216.239.32.21.0: Flags [.], win 512, length 0
12:43:08.961108 IP 192.168.0.127.10573 > 216.239.32.21.0: Flags [.], win 512, length 0
12:43:08.961116 IP 192.168.0.127.10574 > 216.239.32.21.0: Flags [.], win 512, length 0
12:43:08.961123 IP 192.168.0.127.10575 > 216.239.32.21.0: Flags [.], win 512, length 0
12:43:08.961131 IP 192.168.0.127.10576 > 216.239.32.21.0: Flags [.], win 512, length 0
12:43:08.961139 IP 192.168.0.127.10577 > 216.239.32.21.0: Flags [.], win 512, length 0
12:43:08.961146 IP 192.168.0.127.10578 > 216.239.32.21.0: Flags [.], win 512, length 0
12:43:08.961154 IP 192.168.0.127.10579 > 216.239.32.21.0: Flags [.], win 512, length 0

Just try: hping3 --flood target_host.

On Wed, Jun 17, 2015 at 12:34 PM, Maqbool Hashim maqb...@madbull.info wrote:

Hi,

The destination host is sending an ACK+RST with the source port set to zero. The destination IP is always one of the two hosts that are generating the SYN packets with a destination port of 0. The destination port however is hard to match up to a source port in the original SYN packet due to the fact that we don't have all the packets.

It's actually going to be difficult to get the access and procedural sign off etc. to run tcpdump on the machines involved. What might be easier is to set up a span port for the hosts access port on the switch and grab that via the collector laptop I have.

Thanks,
MH

From: Marcin Cieslak sa...@saper.info
Sent: 17 June 2015 10:30
To: Maqbool Hashim
Cc: nanog@nanog.org
Subject: Re: Flows with destination port 0 and TCP SYN flag set

On Wed, 17 Jun 2015, Maqbool Hashim wrote:

It is always the same destination servers and in normal operations these source and destination hosts do have a bunch of legitimate flows between them. I was leaning towards it being a reporting artifact, but it's interesting that there are a whole set of Ack Reset packets from the destination hosts with a source port of 0 also.

So the destination host is sending ACK+RST with the *source* port set to zero, or the *destination* port?

Does this not indicate that it probably isn't a reporting artifact?

I would just tcpdump on one of the source machines to find out.

~Marcin

--
Sincerely yours, Pavel Odintsov
Re: Fkiws with destination port 0 and TCP SYN flag set
Hello!

Just add --syn flag:

12:51:51.150085 IP 192.168.0.127.14628 > 216.239.34.21.0: Flags [S], seq 680218921, win 512, length 0
12:51:51.150092 IP 192.168.0.127.14629 > 216.239.34.21.0: Flags [S], seq 2073100941, win 512, length 0
12:51:51.150100 IP 192.168.0.127.14630 > 216.239.34.21.0: Flags [S], seq 1003157405, win 512, length 0
12:51:51.150108 IP 192.168.0.127.14631 > 216.239.34.21.0: Flags [S], seq 466773687, win 512, length 0
12:51:51.150115 IP 192.168.0.127.14632 > 216.239.34.21.0: Flags [S], seq 338869897, win 512, length 0
12:51:51.150123 IP 192.168.0.127.14633 > 216.239.34.21.0: Flags [S], seq 1513724122, win 512, length 0
12:51:51.150130 IP 192.168.0.127.14634 > 216.239.34.21.0: Flags [S], seq 1971827612, win 512, length 0
12:51:51.150138 IP 192.168.0.127.14635 > 216.239.34.21.0: Flags [S], seq 168197290, win 512, length 0
12:51:51.150146 IP 192.168.0.127.14636 > 216.239.34.21.0: Flags [S], seq 1079714921, win 512, length 0
12:51:51.150153 IP 192.168.0.127.14637 > 216.239.34.21.0: Flags [S], seq 1634213253, win 512, length 0
12:51:51.150161 IP 192.168.0.127.14638 > 216.239.34.21.0: Flags [S], seq 1220755012, win 512, length 0
12:51:51.150168 IP 192.168.0.127.14639 > 216.239.34.21.0: Flags [S], seq 351031228, win 512, length 0
12:51:51.150176 IP 192.168.0.127.14640 > 216.239.34.21.0: Flags [S], seq 286599236, win 512, length 0
12:51:51.150184 IP 192.168.0.127.14641 > 216.239.34.21.0: Flags [S], seq 125907752, win 512, length 0

hping3 --flood --syn host.com

On Wed, Jun 17, 2015 at 12:50 PM, Maqbool Hashim <maqb...@madbull.info> wrote:
> Hmm, no flags set in your output though?
>
> From: Pavel Odintsov <pavel.odint...@gmail.com>
> Sent: 17 June 2015 10:44
> To: Maqbool Hashim
> Cc: Marcin Cieslak; nanog@nanog.org
> Subject: Re: Fkiws with destination port 0 and TCP SYN flag set
>
> Hello!
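The port-0 pattern discussed in this thread, as an added detection example that is not part of the posts: it parses tcpdump -n style lines (the sample below is constructed to mirror the quoted output, not a real capture) and flags a source that sends a burst of packets to TCP port 0, recording whether they carry SYN (the --syn variant) or not (the [.] variant), whether the target answered with RST+ACK from source port 0 (the symptom that started the thread), and whether the source ports step by one per packet as in the quoted output. The threshold value is an assumption.

```python
"""Flag the port-0 flood pattern in tcpdump -n output (added detection example)."""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample modelled on the tcpdump lines quoted in the thread; not a real capture.
# The last two lines are an ordinary handshake to port 443 that must not be flagged.
SAMPLE = """\
12:51:51.150085 IP 192.168.0.127.14628 > 216.239.34.21.0: Flags [S], seq 680218921, win 512, length 0
12:51:51.150092 IP 192.168.0.127.14629 > 216.239.34.21.0: Flags [S], seq 2073100941, win 512, length 0
12:51:51.150100 IP 192.168.0.127.14630 > 216.239.34.21.0: Flags [S], seq 1003157405, win 512, length 0
12:51:51.150108 IP 216.239.34.21.0 > 192.168.0.127.14628: Flags [R.], seq 0, ack 680218922, win 0, length 0
12:51:51.150115 IP 192.168.0.127.14631 > 216.239.34.21.0: Flags [S], seq 466773687, win 512, length 0
12:51:51.200000 IP 192.168.0.127.44321 > 216.239.34.21.443: Flags [S], seq 12345, win 29200, length 0
12:51:51.200500 IP 216.239.34.21.443 > 192.168.0.127.44321: Flags [S.], seq 99, ack 12346, win 28960, length 0
"""

# Line shape printed by "tcpdump -n" (numeric ports): time IP src.sport > dst.dport: Flags [..], ...
_LINE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\]"
)


@dataclass
class Packet:
    ts: str
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # tcpdump letters: S=SYN, R=RST, F=FIN, P=PSH, '.'=ACK


@dataclass
class Finding:
    src: str
    dst: str
    pkts_to_port0: int        # everything addressed to TCP port 0 (covers the [.] variant)
    syn_to_port0: int         # only the SYNs among them (the --syn variant)
    rst_from_port0: int       # RST+ACK answers the target sent back from source port 0
    sequential_sports: bool   # source ports increase by exactly one per packet


def parse_line(line: str) -> Optional[Packet]:
    m = _LINE.match(line)
    if not m:
        return None  # non-TCP lines, truncated lines, anything we do not understand
    return Packet(m["ts"], m["src"], int(m["sport"]), m["dst"], int(m["dport"]), m["flags"])


def _is_sequential(ports) -> bool:
    ports = sorted(ports)
    return len(ports) >= 2 and all(b - a == 1 for a, b in zip(ports, ports[1:]))


def analyse(capture: str, threshold: int = 3) -> List[Finding]:
    """Return one Finding per (src, dst) pair that sent at least `threshold` packets to port 0.

    Port 0 is reserved and never a legitimate TCP service, so even a handful of such
    packets from one source is worth a look; the threshold (an assumed value) only
    suppresses one-off scanner noise.
    """
    to_port0: Dict[tuple, List[Packet]] = defaultdict(list)
    rst_port0: Dict[tuple, int] = defaultdict(int)
    for line in capture.splitlines():
        p = parse_line(line)
        if p is None:
            continue
        if p.dport == 0:
            to_port0[(p.src, p.dst)].append(p)
        # A reset sent *from* port 0 is the target answering the port-0 packets; key it by
        # the pair it answers (the reply's dst is the sender, its src is the target).
        if "R" in p.flags and p.sport == 0:
            rst_port0[(p.dst, p.src)] += 1

    findings = []
    for (src, dst), pkts in to_port0.items():
        if len(pkts) < threshold:
            continue
        findings.append(Finding(
            src=src,
            dst=dst,
            pkts_to_port0=len(pkts),
            syn_to_port0=sum("S" in p.flags for p in pkts),
            rst_from_port0=rst_port0.get((src, dst), 0),
            sequential_sports=_is_sequential({p.sport for p in pkts}),
        ))
    return findings


if __name__ == "__main__":
    for f in analyse(SAMPLE):
        print(f)
```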
Re: FastNetMon 1.1.2 - open source solution for DoS/DDoS mitigation
Hello, Nanog!

I gave a talk at ENOG 9 and would like to share my slides here: http://www.enog.org/presentations/enog-9/17-FastNetMon_ENOG_pdf.pdf

Thank you for your attention!

On Thursday, June 4, 2015, Rafael Possamai <raf...@gav.ufsc.br> wrote:
> You could look into LXD for that type of deployment.
>
> On Thu, Jun 4, 2015 at 12:55 PM, Pavel Odintsov <pavel.odint...@gmail.com> wrote:
>> Brilliant idea! But in Docker we could offer only sflow and sflow. Port mirror capture needs support from the kernel side. Will try shortly!

--
Sincerely yours, Pavel Odintsov
Re: FastNetMon 1.1.2 - open source solution for DoS/DDoS mitigation
Hello, folks!

Due to the huge interest in VMs I have prepared a VyOS-based ISO image with FastNetMon: https://github.com/FastVPSEestiOu/fastnetmon/blob/master/docs/VYOS_BINARY_ISO_IMAGE.md

You could run it in any virtual machine and just aim your sflow/netflow targets at it! :)

On Thu, Jun 4, 2015 at 9:26 PM, Rafael Possamai <raf...@gav.ufsc.br> wrote:
> You could look into LXD for that type of deployment.
>
> On Thu, Jun 4, 2015 at 12:55 PM, Pavel Odintsov <pavel.odint...@gmail.com> wrote:
>> Brilliant idea! But in Docker we could offer only sflow and sflow. Port mirror capture needs support from the kernel side. Will try shortly!

--
Sincerely yours, Pavel Odintsov
Re: FastNetMon 1.1.2 - open source solution for DoS/DDoS mitigation
Brilliant idea! But in Docker we could offer only sflow and sflow. Port mirror capture needs support from the kernel side. Will try shortly!

On Thursday, June 4, 2015, Roberto Bertó <roberto.be...@gmail.com> wrote:
> What about building a Docker image?
>
> 2015-06-04 14:47 GMT-03:00 Alexander Maassen <outsi...@scarynet.org>:
>> It's a security tool. So ppl using it want to publicly hide the fact they use it in case you screw up and it contains leaks ;)
>>
>> Original message
>> From: Pavel Odintsov <pavel.odint...@gmail.com>
>> Date:
>> To: Jim Popovitch <jim...@gmail.com>
>> Cc: nanog@nanog.org
>> Subject: Re: FastNetMon 1.1.2 - open source solution for DoS/DDoS mitigation

--
Sincerely yours, Pavel Odintsov
Re: FastNetMon 1.1.2 - open source solution for DoS/DDoS mitigation
Looks like many folks want to hide company emails ;) I'm a good guy and will not spam or offer something ;))) But I'm impressed by the amount of off-list requests. Really huge interest in the tool.

On Thursday, June 4, 2015, Jim Popovitch <jim...@gmail.com> wrote:
> There's a surprising amount of GMail (yes, including me) and new-ness in this thread. Should I be impressed with the freshness or concerned about astroturfing? :-)
>
> Bah Humbug!
>
> -Jim P.

--
Sincerely yours, Pavel Odintsov
Re: FastNetMon 1.1.2 - open source solution for DoS/DDoS mitigation
Thank you for your interest! Feel free to ask me about anything! Feature requests are very much appreciated!

On Wed, Jun 3, 2015 at 9:31 AM, Johan Kooijman <m...@johankooijman.com> wrote:
> Interesting project, Pavel. I'll most certainly give this a trial run.
>
> On Tue, Jun 2, 2015 at 10:16 PM, Pavel Odintsov <pavel.odint...@gmail.com> wrote:
>> Hello, Nanog!
>>
>> I'm very pleased to present my open source DoS/DDoS attack monitoring toolkit here!

--
Sincerely yours, Pavel Odintsov
Re: FastNetMon 1.1.2 - open source solution for DoS/DDoS mitigation
Hello!

Thank you! Please share your experience after the tests!

On Wed, Jun 3, 2015 at 5:50 PM, Budiwijaya <bbuuddi...@gmail.com> wrote:
> Yep, definitely I'll give this a trial run. We are developing a nullroute application internally. I'll try to run this in our lab.
>
> On Wed, Jun 3, 2015 at 3:16 AM, Pavel Odintsov <pavel.odint...@gmail.com> wrote:
>> Hello, Nanog!
>>
>> I'm very pleased to present my open source DoS/DDoS attack monitoring toolkit here!

--
Sincerely yours, Pavel Odintsov
FastNetMon 1.1.2 - open source solution for DoS/DDoS mitigation
Hello, Nanog!

I'm very pleased to present my open source DoS/DDoS attack monitoring toolkit here! We have spent about 10 months on the development of FastNetMon and can present a huge feature list now! :)

Stop! What is FastNetMon? It's a really very fast toolkit which can find the attacked host in your network and block it (or redirect it to a filtering appliance). This solution could save your network and your sleep :)

Our site is located here: https://github.com/FastVPSEestiOu/fastnetmon

We support the following engines for traffic capture:
- Netflow (v5, v9 and IPFIX)
- sFLOW v5
- port mirror/SPAN (PF_RING and netmap supported)

Also we have deep integration with ExaBGP (huge thanks to Thomas Mangin) for triggering a blackhole on the core router or upstream.

Since version 1.0 we have added support for the following features:
- Ability to detect the most popular attack types: syn_flood, icmp_flood, udp_flood, ip_fragmentation_flood
- Add support for netmap on Linux (we have prepared a special driver for ixgbe users: https://github.com/pavel-odintsov/ixgbe-linux-netmap) and FreeBSD
- Add support for PF_RING ZC (very fast but needs a license from the ntop folks)
- Add ability to collect netflow v9/IPFIX data from multiple devices with different template sets
- Basic support for IPv6 (we can receive netflow data over IPv6)
- Add plugin support for capture engines
- Add support for L2TP decapsulation (important for DDoS attack detection inside tunnels)
- Add ability to store attack details in Redis
- Add Graphite/Grafana integration for traffic visualization
- Add systemd unit file
- Add ability to unblock a host after some timeout
- Introduce support for moving averages for all counters
- Add ExaBGP integration. We can announce the attacked host with BGP to the border router or uplink
- Add many more details to the attack report
- Add ability to store the attack fingerprint in a file

We have complete support for the following platforms:
- Fedora 21
- Debian 6, 7, 8
- CentOS 6, 7
- FreeBSD 9, 10, 11
- DragonflyBSD 4
- MacOS X 10.10

From the network equipment side we have tested the solution with:
- Cisco ASR
- Juniper MX
- Extreme Summit
- ipt_NETFLOW Linux

We have binary packages for these operating systems:
- CentOS 6: https://github.com/FastVPSEestiOu/fastnetmon/tree/master/packages/CentOS6
- CentOS 7: https://github.com/FastVPSEestiOu/fastnetmon/tree/master/packages/CentOS7
- Fedora 21: https://github.com/FastVPSEestiOu/fastnetmon/tree/master/packages/Fedora21
- FreeBSD: https://github.com/FastVPSEestiOu/fastnetmon/tree/master/src/FreeBSD_port

For any other operating system we recommend the automatic installer script: https://github.com/FastVPSEestiOu/fastnetmon/blob/master/docs/INSTALL.md

Please join our mailing list or ask about anything here: https://groups.google.com/forum/#!forum/fastnetmon

Thank you for your attention!

--
Sincerely yours, Pavel Odintsov
Re: Low Cost 10G Router
Hello!

Ray, I could suggest switching from a multi-physical-CPU configuration to a single one, like Intel Xeon E5-1650/1660/1680 or even Xeon E3 platforms, because multi-processor systems need a really huge amount of knowledge for NUMA configuration and PCI-E device assignment for each NUMA node.

Secondly, I could vote many times for Supermicro! :) Dell or HP are really ugly systems for soft routers. CPU frequency tuning and PCM debugging are a real nightmare on these systems. Please beware of them! Supermicro is very clean and does not block useful functions of the platform.

On Wed, May 20, 2015 at 4:08 PM, Ray Soucy <r...@maine.edu> wrote:
> You're right, I dropped down to the v2 for pricing reasons:
>
> - Supermicro SuperServer 5017R-MTRF - 4x SATA - 8x DDR3 - 400W Redundant
> - Eight-Core Intel Xeon Processor E5-2640 v2 2.00GHz 20MB Cache (95W)
> - 4 x SAMSUNG 2GB PC3-12800 DDR3-160
> - 2 x 500GB SATA 6.0Gb/s 7200RPM - 3.5 - Western Digital RE4 WD5003ABYZ
> - Supermicro System Cabinet Front Bezel CSE-PTFB-813B with Lock and Filter (Black)
> - No Windows Operating System (Hardware Warranty Only, No Software Support)
> - Three Year Warranty with Advanced Parts Replacement
>
> FWIW I used Sourcecode as the system builder. They've been great to work with.
>
> On Tue, May 19, 2015 at 4:46 PM, Joe Greco <jgr...@ns.sol.net> wrote:
>>> How cheap is cheap and what performance numbers are you looking for?
>>>
>>> About as cheap as you can get: For about $3,000 you can build a Supermicro OEM system with an 8-core Xeon E5 V3 and 4-port 10G Intel SFP+ NIC with 8G of RAM running VyOS.
>>>
>>> The pro is that BGP convergence time will be good (better than a 7200 VXR), and number of tables likely won't be a concern since RAM is cheap. The con is that you're not doing things in hardware, so you'll have higher latency, and your PPS will be lower.
>>
>> What 8 core Xeon E5 v3 would that be? The 26xx's are hideously pricey, and for a router, you're probably better off with something like a Supermicro X10SRn fsvo n with a Xeon E5-1650v3. Board is typically around $300, 1650 is around $550, so total cost I'm guessing closer to $1500-$2000 that route.
>>
>> The edge you get there is the higher clock on the CPU. Only six cores and only 15M cache, but 3.5GHz. The E5-2643v3 is three times the cost for very similar performance specs.
>>
>> Costwise, E5 single socket is the way to go unless you *need* more.
>>
>> ... JG
>>
>> --
>> Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
>> "We call it the 'one bite at the apple' rule. Give me one chance [and] then I won't contact you again." - Direct Marketing Ass'n position on e-mail spam (CNN)
>> With 24 million small businesses in the US alone, that's way too many apples.
>
> --
> Ray Patrick Soucy
> Network Engineer
> University of Maine System
> T: 207-561-3526 F: 207-561-3531
> MaineREN, Maine's Research and Education Network
> www.maineren.net

--
Sincerely yours, Pavel Odintsov
Re: Low Cost 10G Router
We could cut the full BGP table and select only important prefixes with ExaBGP.

On Wed, May 20, 2015 at 4:41 PM, Nick Hilliard <n...@foobar.org> wrote:
> On 20/05/2015 14:32, Cody Grosskopf wrote:
>> I haven't tried myself but some of the stuff Cumulus Linux is doing is pretty amazing, not certain quagga can or should handle full bgp table but you could probably get a Penguin 10gbe for less than 8k.
>
> quagga (or whatever RIB manager you want, e.g. bird) isn't the issue. The issue is that these switches have limited hardware FIB capacity and if you attempt to put a full table on them, they won't accept it.
>
> Nick

--
Sincerely yours, Pavel Odintsov
Re: Low Cost 10G Router
I have tried Cumulus. It's awesome! :) You definitely could run Quagga, Bird or even ExaBGP (https://github.com/Exa-Networks/exabgp) and build a full-featured router from a 10GE switch.

On Wed, May 20, 2015 at 4:32 PM, Cody Grosskopf <codygrossk...@gmail.com> wrote:
> I haven't tried myself but some of the stuff Cumulus Linux is doing is pretty amazing, not certain quagga can or should handle full bgp table but you could probably get a Penguin 10gbe for less than 8k.
>
> On Tue, May 19, 2015, 10:25 AM Colton Conor <colton.co...@gmail.com> wrote:
>> What options are available for a small, low cost router that has at least four 10G ports, and can handle full BGP routes? All that I know of are the Juniper MX80, and the Brocade CER line. What does Cisco and others have that compete with these two? Any other vendors besides Juniper, Brocade, and Cisco to look at?

--
Sincerely yours, Pavel Odintsov
Re: Low Cost 10G Router
Yes, right! But ExaBGP could receive the full BGP table, drop some rules and reflect them to Quagga, which could load the FIB on the Cumulus.

On Wed, May 20, 2015 at 4:53 PM, Nick Hilliard <n...@foobar.org> wrote:
> On 20/05/2015 14:46, Pavel Odintsov wrote:
>> We could cut the full BGP table and select only important prefixes with ExaBGP.
>
> exabgp is rib mgmt only and doesn't program the fib. you will need quagga / bird / etc for this.
>
> Nick

--
Sincerely yours, Pavel Odintsov
Re: Low Cost 10G Router
Yes, you could do filtering with Quagga. But Quagga is a pretty old tool without many dynamic features. With ExaBGP you could do really any significant route table transformation with Python in a few lines of code. But it definitely adds an additional point of failure/bugs.

On Wed, May 20, 2015 at 4:57 PM, Nick Hilliard <n...@foobar.org> wrote:
> On 20/05/2015 14:56, Pavel Odintsov wrote:
>> Yes, right! But ExaBGP could receive the full BGP table, drop some rules and reflect them to Quagga, which could load the FIB on the Cumulus.
>
> or you could not bother with exabgp and do your route filtering on quagga.
>
> Nothing wrong with exabgp, btw. Great product. It's just the wrong tool for the job here.
>
> Nick

--
Sincerely yours, Pavel Odintsov
Re: Low Cost 10G Router
Hello!

Yes, we could run route add / route del when we get any announce from the external world with ExaBGP directly. I have implemented a custom firewall (netmap-ipfw) management tool which works in a similar manner. But I'm working with BGP flow spec. It's so complex; standard BGP is many times simpler.

And I could share my ExaBGP configuration and hook scripts.

ExaBGP config: https://github.com/FastVPSEestiOu/fastnetmon/blob/master/src/scripts/exabgp_firewall.conf

Hook script which puts all announces into a Redis queue: https://github.com/FastVPSEestiOu/fastnetmon/blob/master/src/scripts/exabgp_queue_writer.py

But the full BGP route table is big enough to need external processing. But yes, with some Python code it is possible to implement a route server with ExaBGP.

On Wed, May 20, 2015 at 5:25 PM, Aled Morris <al...@qix.co.uk> wrote:
> On 20 May 2015 at 15:00, Pavel Odintsov <pavel.odint...@gmail.com> wrote:
>> Yes, you could do filtering with Quagga. But Quagga is a pretty old tool without many dynamic features. With ExaBGP you could do really any significant route table transformation with Python in a few lines of code. But it definitely adds an additional point of failure/bugs.
>
> Couldn't your back-end scripts running under ExaBGP also manage the FIB, using standard Unix tools/APIs? Managing the FIB is basically just route add and route delete, right?
>
> Aled

--
Sincerely yours, Pavel Odintsov
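An added sketch of the idea argued over in this exchange (cut the full table down to the prefixes a small box cares about, then manage the FIB with plain route add/del); it is not Pavel's hook script and not ExaBGP's own code. The event line format is a constructed simplification rather than ExaBGP's real API encoding (adapt parse_event() to whichever encoder the process section is configured with), the "important" networks are made-up documentation prefixes, and nothing is executed: the `ip route` commands are returned as strings so the behaviour can be checked.

```python
"""Filter a full-table feed down to 'important' prefixes and derive FIB operations (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed policy: only routes covering, or inside, these networks get a FIB slot.
IMPORTANT = [ipaddress.ip_network(n) for n in ("198.51.100.0/24", "203.0.113.0/24")]
MAX_PREFIXLEN = 24  # assumed limit: more-specifics beyond /24 are dropped to keep the FIB small

# Constructed event feed in a simplified "announce <prefix> next-hop <nh>" / "withdraw <prefix>"
# shape (not ExaBGP's real API output). Comments explain the expected outcome of each line.
FEED = [
    "announce 0.0.0.0/0 next-hop 192.0.2.1",            # default route: always kept
    "announce 198.51.100.0/24 next-hop 192.0.2.1",      # important: installed
    "announce 198.51.100.128/25 next-hop 192.0.2.1",    # too specific: dropped
    "announce 10.0.0.0/8 next-hop 192.0.2.9",           # unrelated to IMPORTANT: dropped
    "announce 198.51.100.0/24 next-hop 192.0.2.2",      # next hop changed: replaced
    "withdraw 203.0.113.0/24",                          # never installed: no FIB change
    "keepalive",                                        # not an update: ignored
    "withdraw 198.51.100.0/24",                         # installed: deleted
]


@dataclass(frozen=True)
class Event:
    action: str                      # "announce" or "withdraw"
    prefix: ipaddress.IPv4Network
    next_hop: Optional[str]          # None for withdraws


def parse_event(line: str) -> Optional[Event]:
    """Parse one constructed event line; anything else (keepalives, state lines) yields None."""
    parts = line.split()
    if len(parts) == 2 and parts[0] == "withdraw":
        return Event("withdraw", ipaddress.ip_network(parts[1], strict=False), None)
    if len(parts) == 4 and parts[0] == "announce" and parts[2] == "next-hop":
        return Event("announce", ipaddress.ip_network(parts[1], strict=False), parts[3])
    return None


def wanted(prefix: ipaddress.IPv4Network) -> bool:
    """Policy: keep the default route, drop over-long prefixes, keep anything covering or
    inside an IMPORTANT network (a covering aggregate still gets traffic to it there)."""
    if prefix.prefixlen == 0:
        return True
    if prefix.prefixlen > MAX_PREFIXLEN:
        return False
    return any(
        net.version == prefix.version and (prefix.subnet_of(net) or net.subnet_of(prefix))
        for net in IMPORTANT
    )


class FibSync:
    """Mirror the filtered routes into FIB commands; keeps state so operations are idempotent."""

    def __init__(self) -> None:
        self.installed: Dict[ipaddress.IPv4Network, str] = {}  # prefix -> next hop in the FIB

    def apply(self, ev: Event) -> List[str]:
        cmds: List[str] = []
        if ev.action == "announce":
            if not wanted(ev.prefix):
                return cmds  # filtered out: never touches the FIB
            old = self.installed.get(ev.prefix)
            if old == ev.next_hop:
                return cmds  # duplicate announce: FIB already correct
            verb = "replace" if old else "add"
            self.installed[ev.prefix] = ev.next_hop
            cmds.append(f"ip route {verb} {ev.prefix} via {ev.next_hop}")
        elif ev.action == "withdraw" and ev.prefix in self.installed:
            del self.installed[ev.prefix]
            cmds.append(f"ip route del {ev.prefix}")
        # withdraws for routes we filtered or never saw need no FIB change
        return cmds


def run(lines: List[str]) -> Tuple[List[str], Dict[ipaddress.IPv4Network, str]]:
    """Feed event lines through the filter; return the FIB commands and the final FIB state."""
    fib = FibSync()
    out: List[str] = []
    for line in lines:
        ev = parse_event(line)
        if ev is not None:
            out.extend(fib.apply(ev))
    return out, fib.installed


if __name__ == "__main__":
    commands, state = run(FEED)
    print("\n".join(commands))
    print("installed:", {str(p): nh for p, nh in state.items()})
```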
Re: Low Cost 10G Router
Hello!

Yep, there are no full-featured open source routers existing yet. But there are a lot of capabilities for this. We could just wait some time. But DPDK _definitely_ could process 64 Mpps and 40GE with deep inspection and processing on cheap enough E5 2670v3 chips.

Yes, definitely these are ideas about a good future. They can't be used now but they have a really awesome outlook.

On Tue, May 19, 2015 at 11:46 PM, <char...@thefnf.org> wrote:
> On 2015-05-19 14:23, Pavel Odintsov wrote:
>> Hello!
>>
>> Somebody definitely should build a full-featured router with DPDK/netmap/pf_ring :)
>
> Netmap yes. The rest no. Why? Because netmap supports libpcap, which means everything just works. Other solutions need porting. You are going along, someone mentions a neat new libpcap based tool on NANOG and you want to try it out. If you've got DPDK/pf_ring, that means you are now having to port it. That's a fair amount of effort to just eval $COOL_NEW_TOOL.
>
>> I have finished detailed performance tests for all of them and could achieve wire speed forwarding (with simple packet rewrite and checksum calculation) with all of them.
>
> With what features applied? DPDK with a fairly full feature set (firewall rules/dynamic routing/across a vpn tunnel/doing full l7 deep packet inspection) on straight commodity (something relatively recent gen xeon something many cores) hardware on $CERTAIN_POPULAR_RTOS seems to max out ~5gbps from what my local neighborhood network testing nerds tell me. As always, your mileage will most certainly vary of course.
>
> The nice thing about commodity boxes is that you can just deploy the same core kit and scale it up/down (ram/cpu/redundant psu) at your favorite vendor's procurement portal (oh hey $systems_purchaser, can you order a couple extra boxes with that next set of a dozen boxes you're buying with this SKU and take it out of my budget? Thx).
>
> You are still going to pay a pretty decent list price for boxes that can reasonably forward AND inspect/block/modify at anything approaching line rate over say 5gbps.
>
> Then you have things like the parallela board of course with its FPGA. And you have CUDA cards. But staffing costs for someone who has FPGA (parallel in general)/sysadmin/netadmin skills, well that's pricy (and you'll want a couple of those in house if you do this at any kind of scale). Or you could just contract them I suppose (say at like $700.00 per hour or so?, which is what I'd charge to be a one man FPGA coding SDN slinging band since it's sort of like catching unicorns). Course you could just have your jack of all trades in house sys/net ops person and contract coding skills as needed.
>
> Don't think this will really save you money. It won't. Buy a Juniper. Seriously. (I have a 6509 in my house along with various switches/routers/wifi/voip phones (all cisco). I'm not anti cisco by any means). But they are expensive from what I hear. You get what you pay for though.
>
> What it will get you, is a very powerful and flexible solution that lets you manage at hyperscale with a unified command/control plane. It's DEVOPS 2.0 (I can fire my netadmins now like I fired my sysadmins after I gave dev full prod access? COOL!) (Yes I'm being incredibly sarcastic and don't actually believe that). :)
>
> Also look at onepk from cisco. It's kinda cool if you want SDN without having to fully build your own kit.

--
Sincerely yours, Pavel Odintsov
Re: Low Cost 10G Router
What about L3 switches? You could receive the full BGP table on a Linux box with ExaBGP, parse it and feed it to the L3 switch.

On Tue, May 19, 2015 at 10:44 PM, Mel Beckman <m...@beckman.org> wrote:
> I've seen serious, unusual performance bottlenecks in Mikrotik CCR, in some cases not even achieving gigabit speeds on 10G interfaces. Performance drops more rapidly than Cisco with smaller packet sizes.
>
> -mel beckman
>
>> On May 19, 2015, at 12:28 PM, Justin Wilson - MTIN <li...@mtin.net> wrote:
>>
>> I second the Mikrotik recommendation. You don't get support like you would with Cisco but it's a solid product.
>>
>> Justin
>>
>> Justin Wilson <j...@mtin.net>
>> http://www.mtin.net Managed Services – xISP Solutions – Data Centers
>> http://www.thebrotherswisp.com Podcast about xISP topics
>> http://www.midwest-ix.com Peering – Transit – Internet Exchange
>>
>>> On May 19, 2015, at 3:16 PM, Keefe John <keefe...@ethoplex.com> wrote:
>>>
>>> For about $1000 you could get a Mikrotik CCR1036-8G-2S+EM but it only has 2 SFP+ ports. http://routerboard.com/CCR1036-8G-2SplusEM
>>>
>>> Keefe
>>>
>>> On 5/19/2015 3:46 PM, Joe Greco wrote:

--
Sincerely yours, Pavel Odintsov
Re: Low Cost 10G Router
Hello!

Somebody definitely should build a full-feature router with DPDK/netmap/pf_ring :) I have finished detailed performance tests for all of them and could achieve wire speed forwarding (with simple packet rewrite and checksum calculation) with all of them. I.e. I could process 10GE and 14.6 mpps (64byte packets) on a very cheap i7 3820 with a single Intel X540 NIC (total cost about $800) at 70% CPU load.

But full BGP routing is a challenge, though it could be implemented with existing approaches like DXR: http://info.iet.unipi.it/~luigi/papers/20120601-dxr.pdf

Cheers!

On Tue, May 19, 2015 at 10:11 PM, Ken Chase m...@sizone.org wrote:
> Chat in my nerds irc channel about 10G routers paralleling this
>
> 14:21 b the Xeon D-1540 has 8 cores / 16 threads, 2GHz base clock with 2.6GHz turbo, and dual 10G nics on chip
> 14:21 b 45W TDP
> 14:31 b supposedly an asrock board is coming that can be 10Gbase-T or SFP+
> 14:58 a supermicro are shipping some SFP+ 10G E5 boards
> 15:00 b but the xeon E5 doesn't have the on die 10G nic
> 15:07 a X9DRW-7TPF+ http://www.supermicro.com/products/motherboard/xeon/c600/x9drw-7tpf_.cfm
>
> Also: 1.4Mpps per 10G link doesn't seem like the minimum packetsize one wants for handling DOS attacks, but I might be bad at math.
>
> /kc
>
> On Tue, May 19, 2015 at 03:46:16PM -0500, Joe Greco said:
>>>> How cheap is cheap and what performance numbers are you looking for?
>>> About as cheap as you can get: For about $3,000 you can build a Supermicro OEM system with an 8-core Xeon E5 V3 and 4-port 10G Intel SFP+ NIC with 8G of RAM running VyOS. The pro is that BGP convergence time will be good (better than a 7200 VXR), and number of tables likely won't be a concern since RAM is cheap. The con is that you're not doing things in hardware, so you'll have higher latency, and your PPS will be lower.
>> What 8 core Xeon E5 v3 would that be? The 26xx's are hideously pricey, and for a router, you're probably better off with something like a Supermicro X10SRn fsvo n with a Xeon E5-1650v3. Board is typically around $300, 1650 is around $550, so total cost I'm guessing closer to $1500-$2000 that route. The edge you get there is the higher clock on the CPU. Only six cores and only 15M cache, but 3.5GHz. The E5-2643v3 is three times the cost for very similar performance specs. Costwise, E5 single socket is the way to go unless you *need* more.
>>
>> ... JG
>>
>> --
>> Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
>> We call it the 'one bite at the apple' rule. Give me one chance [and] then I won't contact you again. - Direct Marketing Ass'n position on e-mail spam(CNN)
>> With 24 million small businesses in the US alone, that's way too many apples.
>
> --
> Ken Chase - Toronto Canada

--
Sincerely yours, Pavel Odintsov
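The "simple packet rewrite and checksum calculation" forwarding step above, written out as an added Python illustration (not DPDK, netmap, PF_RING or DXR code, and not from this thread): a naive longest-prefix-match lookup over a constructed FIB, a TTL decrement, and the incremental IPv4 header checksum update from RFC 1624, which is what lets a software data plane avoid re-summing the header for every packet. The FIB entries, addresses and header contents are constructed; the lookup loops over prefix lengths, which is exactly the memory-access pattern DXR replaces with a compact range table.

```python
"""Minimal software forwarding step: longest-prefix-match lookup, TTL
decrement and incremental IPv4 header checksum update.

Added illustration for the DPDK/netmap forwarding discussion in this thread;
it is not DPDK, netmap, PF_RING or DXR code.  The FIB entries and the packet
header below are constructed for the example."""
import ipaddress
import struct

# Constructed FIB: (prefix, next hop).  A real box would fill this from BGP.
FIB = [
    ("0.0.0.0/0", "192.0.2.1"),
    ("10.0.0.0/8", "192.0.2.2"),
    ("10.1.0.0/16", "192.0.2.3"),
    ("10.1.2.0/24", "192.0.2.4"),
]


def build_lpm_table(fib):
    """Index routes by prefix length: {plen: {network_as_int: nexthop}}."""
    table = {}
    for prefix, nexthop in fib:
        net = ipaddress.ip_network(prefix)
        table.setdefault(net.prefixlen, {})[int(net.network_address)] = nexthop
    return table


def lpm_lookup(table, dst):
    """Longest-prefix match: try the longest prefix lengths first.  This is
    the naive lookup that schemes like DXR exist to make cache-friendly."""
    addr = int(ipaddress.ip_address(dst))
    for plen in sorted(table, reverse=True):
        mask = (0xFFFFFFFF << (32 - plen)) & 0xFFFFFFFF
        hop = table[plen].get(addr & mask)
        if hop is not None:
            return hop
    return None


def ones_complement_sum(data):
    """16-bit one's-complement sum with end-around carry."""
    total = 0
    for i in range(0, len(data), 2):
        total += (data[i] << 8) | data[i + 1]
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def build_ipv4_header(src, dst, ttl, proto=6, total_len=40):
    """Constructed 20-byte IPv4 header (no options) with a valid checksum."""
    hdr = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0,
                                ttl, proto, 0,
                                ipaddress.IPv4Address(src).packed,
                                ipaddress.IPv4Address(dst).packed))
    hdr[10:12] = struct.pack("!H", (~ones_complement_sum(hdr)) & 0xFFFF)
    return bytes(hdr)


def header_checksum_ok(header):
    """A valid header sums to 0xFFFF when the checksum field is included."""
    return ones_complement_sum(header) == 0xFFFF


def decrement_ttl(header):
    """Decrement TTL and patch the checksum incrementally (RFC 1624 eq. 3:
    HC' = ~(~HC + ~m + m')) instead of re-summing the header.
    Returns (new_header, expired)."""
    ttl = header[8]
    if ttl <= 1:
        return header, True  # forwarding would drop it (TTL exceeded)
    old_word = (ttl << 8) | header[9]  # 16-bit word holding TTL and protocol
    new_word = ((ttl - 1) << 8) | header[9]
    hc = (header[10] << 8) | header[11]
    total = (~hc & 0xFFFF) + (~old_word & 0xFFFF) + new_word
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    new = bytearray(header)
    new[8] = ttl - 1
    new[10:12] = struct.pack("!H", (~total) & 0xFFFF)
    return bytes(new), False


def forward(table, header):
    """One forwarding decision: (nexthop, rewritten_header, expired)."""
    nexthop = lpm_lookup(table, str(ipaddress.IPv4Address(header[16:20])))
    new_header, expired = decrement_ttl(header)
    return nexthop, new_header, expired


TABLE = build_lpm_table(FIB)

if __name__ == "__main__":
    pkt = build_ipv4_header("10.2.3.4", "10.1.2.9", 64)
    print(forward(TABLE, pkt))
```

The incremental update only touches the one 16-bit word that changed, so it costs a handful of adds per packet regardless of header size; `header_checksum_ok` is the full re-sum a receiver performs and is what the incremental result must agree with.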
Re: Low Cost 10G Router
Mikrotik CCR has huge issues in case of DDOS: http://forum.mikrotik.com/viewtopic.php?t=92728

On Tue, May 19, 2015 at 10:37 PM, Eduardo Schoedler lis...@esds.com.br wrote:
> 2015-05-19 16:16 GMT-03:00 Keefe John keefe...@ethoplex.com:
>> For about $1000 you could get a Mikrotik CCR1036-8G-2S+EM but it only has 2 SFP+ ports.
>> http://routerboard.com/CCR1036-8G-2SplusEM
>
> Run away from Mikrotik, especially if you want to run BGP.
>
> --
> Eduardo Schoedler

--
Sincerely yours, Pavel Odintsov
Re: Route Optimization Products
Hello!

Traffic optimization is a really nice place for an open source project! :)

On Fri, May 15, 2015 at 6:27 PM, Rafael Possamai raf...@gav.ufsc.br wrote:
> Internap also has a product called MIRO, although I am not sure how it differs from FCP.
>
> On Fri, May 15, 2015 at 10:19 AM, Mike Hammett na...@ics-il.net wrote:
>> What is out there for route optimization products? I can think of Noction (no inbound) or Internap FCP (old).
>>
>> -
>> Mike Hammett
>> Intelligent Computing Solutions
>> http://www.ics-il.com
>> Midwest Internet Exchange
>> http://www.midwest-ix.com

--
Sincerely yours, Pavel Odintsov
Re: macomnet weird dns record
But I'm not a spam source. I was banned for a netmask which is similar to an ISP subnet.

On Tue, Apr 14, 2015 at 5:34 PM, Colin Johnston col...@gt86car.org.uk wrote:
> so fix the spam hosts, don't mask the problem and make it more complicated for folks trying their best to solve
>
> Colin
>
> On 14 Apr 2015, at 15:09, Pavel Odintsov pavel.odint...@gmail.com wrote:
>> Hello, Colin!
>>
>> We use hexadecimal numbers in PTR for VPS/Servers because PTRs like host-87.118.199.240.domain.ru are so often banned by weird antispam systems by mask \d+\.\d+\.\d+\d+ as home ISP subnets which produce a bunch of spam.
>>
>> On Tue, Apr 14, 2015 at 5:00 PM, Colin Johnston col...@gt86car.org.uk wrote:
>>> Hi Nikolay,
>>>
>>> I have obviously hit a cultural nerve here, if so I am sorry. At least there is communication on some level, Chinese colleagues would not even bother to respond to aid debug.
>>>
>>> Be that as it may, why not use either normal decimal numbers or normal characters to show what a normal person would understand instead of having to convert the shown output ?
>>>
>>> Colin
>>>
>>> On 14 Apr 2015, at 14:54, Nikolay Shopik sho...@inblock.ru wrote:
>>>> Are Roman numerals allowed in DNS? Because I know some people also do them.
>>>>
>>>> dig -x 217.199.208.190
>>>>
>>>> On 14/04/15 16:45, Chuck Church wrote:
>>>>> Comic Book Guy would probably declare: Worst Naming Convention Ever
>>>>>
>>>>> Chuck
>>>>>
>>>>> -Original Message-
>>>>> From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Colin Johnston
>>>>> Sent: Tuesday, April 14, 2015 9:27 AM
>>>>> To: Nikolay Shopik
>>>>> Cc: nanog@nanog.org
>>>>> Subject: Re: macomnet weird dns record
>>>>>
>>>>> Because looks strange especially if the traffic is 100% bad
>>>>> Best practice says avoid such info in records as does not aid debug since mix of dec and hex
>>>>>
>>>>> Colin
>>>>>
>>>>> On 14 Apr 2015, at 14:09, Nikolay Shopik sho...@inblock.ru wrote:
>>>>>> How is it weird? All these chars are allowed in DNS records.
>>>>>>
>>>>>> On 14/04/15 15:36, Colin Johnston wrote:
>>>>>>> never saw hex in host dns records before.
>>>>>>> host-242.strgz.87.118.199.240.0xfff0.macomnet.net
>>>>>>> range is blocked nonetheless since bad traffic from Russia network ranges.
>>>>>>>
>>>>>>> Colin
>>
>> --
>> Sincerely yours, Pavel Odintsov

--
Sincerely yours, Pavel Odintsov
Re: macomnet weird dns record
Hello!

What about IDN encoded PTR records? I'm sure it's a nice idea and I will implement them in my network shortly.

On Tue, Apr 14, 2015 at 4:54 PM, Nikolay Shopik sho...@inblock.ru wrote:
> Are Roman numerals allowed in DNS? Because I know some people also do them.
>
> dig -x 217.199.208.190
>
> On 14/04/15 16:45, Chuck Church wrote:
>> Comic Book Guy would probably declare: Worst Naming Convention Ever
>>
>> Chuck
>>
>> -Original Message-
>> From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Colin Johnston
>> Sent: Tuesday, April 14, 2015 9:27 AM
>> To: Nikolay Shopik
>> Cc: nanog@nanog.org
>> Subject: Re: macomnet weird dns record
>>
>> Because looks strange especially if the traffic is 100% bad
>> Best practice says avoid such info in records as does not aid debug since mix of dec and hex
>>
>> Colin
>>
>> On 14 Apr 2015, at 14:09, Nikolay Shopik sho...@inblock.ru wrote:
>>> How is it weird? All these chars are allowed in DNS records.
>>>
>>> On 14/04/15 15:36, Colin Johnston wrote:
>>>> never saw hex in host dns records before.
>>>> host-242.strgz.87.118.199.240.0xfff0.macomnet.net
>>>> range is blocked nonetheless since bad traffic from Russia network ranges.
>>>>
>>>> Colin

--
Sincerely yours, Pavel Odintsov
Re: macomnet weird dns record
Hello, Colin!

We use hexadecimal numbers in PTR for VPS/Servers because PTRs like host-87.118.199.240.domain.ru are so often banned by weird antispam systems by mask \d+\.\d+\.\d+\d+ as home ISP subnets which produce a bunch of spam.

On Tue, Apr 14, 2015 at 5:00 PM, Colin Johnston col...@gt86car.org.uk wrote:
> Hi Nikolay,
>
> I have obviously hit a cultural nerve here, if so I am sorry. At least there is communication on some level, Chinese colleagues would not even bother to respond to aid debug.
>
> Be that as it may, why not use either normal decimal numbers or normal characters to show what a normal person would understand instead of having to convert the shown output ?
>
> Colin
>
> On 14 Apr 2015, at 14:54, Nikolay Shopik sho...@inblock.ru wrote:
>> Are Roman numerals allowed in DNS? Because I know some people also do them.
>>
>> dig -x 217.199.208.190
>>
>> On 14/04/15 16:45, Chuck Church wrote:
>>> Comic Book Guy would probably declare: Worst Naming Convention Ever
>>>
>>> Chuck
>>>
>>> -Original Message-
>>> From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Colin Johnston
>>> Sent: Tuesday, April 14, 2015 9:27 AM
>>> To: Nikolay Shopik
>>> Cc: nanog@nanog.org
>>> Subject: Re: macomnet weird dns record
>>>
>>> Because looks strange especially if the traffic is 100% bad
>>> Best practice says avoid such info in records as does not aid debug since mix of dec and hex
>>>
>>> Colin
>>>
>>> On 14 Apr 2015, at 14:09, Nikolay Shopik sho...@inblock.ru wrote:
>>>> How is it weird? All these chars are allowed in DNS records.
>>>>
>>>> On 14/04/15 15:36, Colin Johnston wrote:
>>>>> never saw hex in host dns records before.
>>>>> host-242.strgz.87.118.199.240.0xfff0.macomnet.net
>>>>> range is blocked nonetheless since bad traffic from Russia network ranges.
>>>>>
>>>>> Colin

--
Sincerely yours, Pavel Odintsov
Re: PoC for shortlisted DDoS Vendors
Hello!

Yes, my toolkit can detect only volumetric attacks now. But I have finished performance tests for an http protocol parser which could work at wire speed too. And I'm sure I will add support for http attack detection soon.

Btw, syn flood attack detection could be implemented in a few hours in the current code base. If anyone is interested in it I will do it shortly.

In my day to day work we get a few attacks every day. They are divided 50/50 between dns/ssdp/snmp amplification and syn flood on http servers. Other attacks are not dangerous for our network and backbone and are mitigated manually in each case.

On Thursday, April 2, 2015, Mohamed Kamal mka...@noor.net wrote:
> Hello Pavel,
>
> I'm certainly biased to the open-source tools if they do the job required, and I appreciate your effort exerted on this project. However, based upon what I saw under the features list of your tool, I assume that it can detect only volumetric DDoS attacks based upon anomalies such as excessive number of packets/bits/connections/flows per second based upon some previously learnt or set threshold values. But what about the protocol types of attack, which, in my humble opinion, are becoming more aggressive day after day?
>
> Mohamed Kamal
> Core Network Sr. Engineer
>
> On 4/2/2015 5:03 PM, Pavel Odintsov wrote:
>> Hello!
>>
>> What about open source alternatives? The main part of commercial ddos filters are simple high performance firewalls with detection logic (which is many times more stupid than a well trained network engineer). But attacks for an ISP do not arrive so often and the detection part could be executed manually (or with oss tools like netflow analyzers or my own FastNetMon toolkit).
>>
>> For wire speed filtration on 10ge (and even more if you have a modern cpu; up to 40ge) you could use netmap-ipfw with linux or freebsd with simple patches (for enabling multi process mode).
>>
>> On Thursday, April 2, 2015, den...@justipit.com den...@justipit.com wrote:
>>> You should include Radware on that list .
>>>
>>> - Reply message -
>>> From: Mohamed Kamal mka...@noor.net
>>> To: NANOG nanog@nanog.org
>>> Subject: PoC for shortlisted DDoS Vendors
>>> Date: Wed, Apr 1, 2015 9:51 AM
>>>
>>> In our effort to pick up a reasonably priced DDoS appliance with competitive features, we're in a process of doing a PoC for the following shortlisted vendors:
>>> 1- RioRey
>>> 2- NSFocus
>>> 3- Arbor
>>> 4- A10
>>>
>>> The setup will be inline. So it would be great if anyone has done this before and can help provide the appropriate tools, advice, or the testing documents for an efficient PoC.
>>>
>>> Thanks.
>>>
>>> --
>>> Mohamed Kamal
>>> Core Network Sr. Engineer
>>
>> --
>> Sincerely yours, Pavel Odintsov

--
Sincerely yours, Pavel Odintsov
Re: PoC for shortlisted DDoS Vendors
Hello!

What about open source alternatives? The main part of commercial ddos filters are simple high performance firewalls with detection logic (which is many times more stupid than a well trained network engineer). But attacks for an ISP do not arrive so often and the detection part could be executed manually (or with oss tools like netflow analyzers or my own FastNetMon toolkit).

For wire speed filtration on 10ge (and even more if you have a modern cpu; up to 40ge) you could use netmap-ipfw with linux or freebsd with simple patches (for enabling multi process mode).

On Thursday, April 2, 2015, den...@justipit.com den...@justipit.com wrote:
> You should include Radware on that list .
>
> - Reply message -
> From: Mohamed Kamal mka...@noor.net
> To: NANOG nanog@nanog.org
> Subject: PoC for shortlisted DDoS Vendors
> Date: Wed, Apr 1, 2015 9:51 AM
>
> In our effort to pick up a reasonably priced DDoS appliance with competitive features, we're in a process of doing a PoC for the following shortlisted vendors:
> 1- RioRey
> 2- NSFocus
> 3- Arbor
> 4- A10
>
> The setup will be inline. So it would be great if anyone has done this before and can help provide the appropriate tools, advice, or the testing documents for an efficient PoC.
>
> Thanks.
>
> --
> Mohamed Kamal
> Core Network Sr. Engineer

--
Sincerely yours, Pavel Odintsov
Re: DDOS, IDS, RTBH, and Rate limiting
Hello, folks!

NetFlow v5 and v9 support has just been added to FastNetMon: https://github.com/FastVPSEestiOu/fastnetmon

Now you can catch DDoS attacks and collect data from sFLOW v5, NetFlow v5/v9 and even from a mirror port with PF_RING in one tool simultaneously!

Will be very glad for feedback and testing!

On Wed, Dec 3, 2014 at 7:57 AM, Roland Dobbins rdobb...@arbor.net wrote:
> On 2 Dec 2014, at 17:18, Pavel Odintsov wrote:
>> In near future I will add netflow v5 support.
>
> Good job - you should really go for NetFlow v9 when you can, as it supports IPv6 and MPLS labels. Next would be IPFIX.
>
> ---
> Roland Dobbins rdobb...@arbor.net

--
Sincerely yours, Pavel Odintsov
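What a NetFlow v5 collector actually has to do with each UDP export, as an added Python illustration (not FastNetMon's collector code): parse the 24-byte header and the 48-byte records, validate the length and record-count fields before trusting them, pull out the low 14 bits of the sampling field, and multiply the counters back up by that interval so the per-destination numbers reflect real traffic rather than samples. The export datagram below is constructed with `struct` (addresses from the documentation ranges, a DNS reply flow and a TCP SYN flow) so the example runs offline.

```python
"""Parse NetFlow v5 export datagrams into flow records and scale the counters
by the exporter's sampling interval.

Added illustration for the NetFlow v5 collector announced above; it is not
FastNetMon's own collector code.  The datagram is constructed inline with
struct so the example runs offline."""
import ipaddress
import struct
from typing import List, NamedTuple, Tuple

# NetFlow v5 wire format: 24-byte header followed by up to 30 48-byte records.
V5_HEADER = struct.Struct("!HHIIIIBBH")
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")
V5_MAX_RECORDS = 30


class FlowV5(NamedTuple):
    src: str
    dst: str
    packets: int
    octets: int
    srcport: int
    dstport: int
    proto: int
    tcp_flags: int


def parse_netflow_v5(datagram: bytes) -> Tuple[int, List[FlowV5]]:
    """Return (sampling_interval, flows).  Raises ValueError on malformed input
    rather than trusting length fields received from the network."""
    if len(datagram) < V5_HEADER.size:
        raise ValueError("short NetFlow header")
    (version, count, _uptime, _secs, _nsecs, _seq,
     _engine_type, _engine_id, sampling) = V5_HEADER.unpack_from(datagram, 0)
    if version != 5:
        raise ValueError(f"unexpected NetFlow version {version}")
    if count > V5_MAX_RECORDS:
        raise ValueError(f"record count {count} exceeds v5 maximum")
    if len(datagram) < V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("datagram truncated")
    # Top two bits carry the sampling mode, low 14 bits the interval.
    interval = sampling & 0x3FFF
    flows = []
    for i in range(count):
        (src, dst, _nexthop, _in_if, _out_if, dpkts, doctets, _first, _last,
         sport, dport, _pad1, flags, proto, _tos, _src_as, _dst_as,
         _src_mask, _dst_mask, _pad2) = V5_RECORD.unpack_from(
            datagram, V5_HEADER.size + i * V5_RECORD.size)
        flows.append(FlowV5(str(ipaddress.IPv4Address(src)),
                            str(ipaddress.IPv4Address(dst)),
                            dpkts, doctets, sport, dport, proto, flags))
    return interval, flows


def is_valid_netflow_v5(datagram: bytes) -> bool:
    try:
        parse_netflow_v5(datagram)
        return True
    except ValueError:
        return False


def traffic_per_destination(flows, interval):
    """Estimate real packets/octets per destination: a sampled exporter only
    saw 1 in `interval` packets (0 means unsampled)."""
    factor = interval or 1
    totals = {}
    for f in flows:
        pkts, octs = totals.get(f.dst, (0, 0))
        totals[f.dst] = (pkts + f.packets * factor, octs + f.octets * factor)
    return totals


def _record(src, dst, pkts, octets, sport, dport, proto, flags):
    """Pack one constructed v5 record (interface, AS and timing fields fixed)."""
    return V5_RECORD.pack(ipaddress.IPv4Address(src).packed,
                          ipaddress.IPv4Address(dst).packed,
                          b"\x00" * 4, 1, 2, pkts, octets, 1000, 2000,
                          sport, dport, 0, flags, proto, 0, 64500, 64501,
                          24, 24, 0)


def build_sample_datagram() -> bytes:
    """Constructed export: sampled 1:100, a DNS reply flow and a TCP SYN flow."""
    header = V5_HEADER.pack(5, 2, 123456, 1417600000, 0, 42, 0, 0, 0x4000 | 100)
    return (header
            + _record("192.0.2.53", "198.51.100.7", 1000, 1_400_000, 53, 4000, 17, 0x00)
            + _record("203.0.113.9", "198.51.100.7", 500, 30_000, 51000, 80, 6, 0x02))
```

The length and count checks matter in a collector that listens on an open UDP port: a malformed or spoofed export must produce a rejected datagram, not an out-of-range read or a phantom attack record.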
Re: scaling linux-based router hardware recommendations
Hello!

You could try to build a simple router with DPDK yourself. It's very straightforward and has good examples for simple routing.

I have done some tests with PF_RING ZC (it's a very similar technology to DPDK, without specialization on building network devices) while testing my DDoS monitoring solution and it works perfectly. I can achieve 8 million packets per second (10GE with 120byte packets) on a very slow Intel Xeon E5 2420.

You could look at these tests from the PF_RING developers: http://www.ntop.org/pf_ring/pf_ring-dna-rfc-2544-benchmark/

But building a router on top of PF_RING or DPDK is a very challenging task because everyone wants very different things (BGP, OSPF, RIP... etc.).

On Tue, Jan 27, 2015 at 1:54 PM, Paul S. cont...@winterei.se wrote:
> Anyone aware of any dpdk enabled solutions in the software routing space that doesn't cost an arm and a leg?
>
> vMX certainly does.
>
> On 1/27/2015 04:33 PM, Pavel Odintsov wrote:
>> Hello!
>>
>> Looks like somebody wants to build a Linux soft router!) Nice idea for routing 10-30 GBps. I route about 5+ Gbps on a Xeon E5-2620v2 with 4 10GE cards Intel 82599 and Debian Wheezy 3.2 (but it's a really terrible kernel, everyone should use modern kernels since 3.16 because of the buggy linux route cache). My current processor load on the server is about 15%, thus I can route about 15 GE on my Linux server. Surely, you should deploy a backup server too in case the master server fails.
>>
>> On Tue, Jan 27, 2015 at 1:53 AM, micah anderson mi...@riseup.net wrote:
>>> Hi,
>>>
>>> I know that specially programmed ASICs on dedicated hardware like Cisco, Juniper, etc. are going to always outperform a general purpose server running gnu/linux, *bsd... but I find the idea of trying to use proprietary, NSA-backdoored devices difficult to accept, especially when I don't have the budget for it.
>>>
>>> I've noticed that even with a relatively modern system (supermicro with a 4 core 1265LV2 CPU, with a 9MB cache, Intel E1G44HTBLK Server adapters, and 16gig of ram), you still tend to get a high percentage of time working on softirqs on all the CPUs when pps reaches somewhere around 60-70k, and the traffic approaching 600-900mbit/sec (during a DDoS, such hardware cannot typically cope).
>>>
>>> It seems like finding hardware more optimized for very high packet per second counts would be a good thing to do. I just have no idea what is out there that could meet these goals. I'm unsure if faster CPUs, or more CPUs is really the problem, or networking cards, or just plain old fashioned tuning.
>>>
>>> Any ideas or suggestions would be welcome!
>>>
>>> micah

--
Sincerely yours, Pavel Odintsov
Re: scaling linux-based router hardware recommendations
Hello!

Looks like somebody wants to build a Linux soft router!) Nice idea for routing 10-30 GBps. I route about 5+ Gbps on a Xeon E5-2620v2 with 4 10GE cards Intel 82599 and Debian Wheezy 3.2 (but it's a really terrible kernel, everyone should use modern kernels since 3.16 because of the buggy linux route cache). My current processor load on the server is about 15%, thus I can route about 15 GE on my Linux server. Surely, you should deploy a backup server too in case the master server fails.

On Tue, Jan 27, 2015 at 1:53 AM, micah anderson mi...@riseup.net wrote:
> Hi,
>
> I know that specially programmed ASICs on dedicated hardware like Cisco, Juniper, etc. are going to always outperform a general purpose server running gnu/linux, *bsd... but I find the idea of trying to use proprietary, NSA-backdoored devices difficult to accept, especially when I don't have the budget for it.
>
> I've noticed that even with a relatively modern system (supermicro with a 4 core 1265LV2 CPU, with a 9MB cache, Intel E1G44HTBLK Server adapters, and 16gig of ram), you still tend to get a high percentage of time working on softirqs on all the CPUs when pps reaches somewhere around 60-70k, and the traffic approaching 600-900mbit/sec (during a DDoS, such hardware cannot typically cope).
>
> It seems like finding hardware more optimized for very high packet per second counts would be a good thing to do. I just have no idea what is out there that could meet these goals. I'm unsure if faster CPUs, or more CPUs is really the problem, or networking cards, or just plain old fashioned tuning.
>
> Any ideas or suggestions would be welcome!
>
> micah

--
Sincerely yours, Pavel Odintsov
Re: DDOS solution recommendation
Hello!

If you are speaking about ISP filtering you should check your subnets and ASN here: https://radar.qrator.net

I was really amazed by the amount of DDoS bots/amplificators in my network.

On Sun, Jan 11, 2015 at 6:47 PM, Michael Hallgren m.hallg...@free.fr wrote:
> On 11/01/2015 14:50, Patrick W. Gilmore wrote:
>> I agree with lots said here.
>>
>> But I've said for years (despite some people saying I am confused) that BCP38 is the single most important thing we can do to cut DDoS. No spoofed source means no amplification. It also stops things like Kaminsky DNS attacks.
>>
>> There is no silver bullet. Security is a series of steps (layers as one highly respected security professional has in his .sig). But the most important layer, the biggest bang for the buck we can do today, is eliminating spoofed source.
>>
>> Push on your providers. Stop paying for transit from networks that do not filter ingress, put it in your RFPs, and reward those who do with contracts. Make it economically advantageous to fix the problem, and people will.
>
> +1
>
> mh

--
Sincerely yours, Pavel Odintsov
Re: DDOS solution recommendation
Hello!

But abuse@ contacts are a very-very-very hard way of contacting an ASN administrator in case of an attack. The big amount of requests to #Nanog about "please contact ASN noc with me offlist" confirms this.

I've got multiple attacks from well known ISPs and I spend about 10-20 hours contacting them on average. It's an unacceptable time.

We need a FAST and RELIABLE way of contacting the noc of the attacker's network for effective attack mitigation. We need something like RTBH for knocking the network admin of a remote network.

Maybe somebody can create a social network for noc's with an API? :)

On Sun, Jan 11, 2015 at 11:55 PM, Owen DeLong o...@delong.com wrote:
> On Jan 11, 2015, at 05:07 , Mike Hammett na...@ics-il.net wrote:
>> Why does it seem like everyone is trying to solve this the wrong way?
>
> Because it's what we CAN do.
>
>> Do other networks' abuse departments just not give a shit? Blackhole all of the zombie attackers and notify their abuse departments. Sure, most of the owners of the PCs being used in these scenarios have no idea they're being used to attack people, but I'd think that if their network's abuse department was notified, either they'd contact the customer about the issue or at least have on file that they were notified. When the unknowing end-user reached out to support over larger and larger parts of the Internet not working, they'd be told to clean up their system. The way to stop this stuff is for those millions of end users to clean up their infected PCs.
>
> Agreed… However, let's look at it from an economics perspective…
>
> The average residential service provider doesn't have the resources and doesn't charge enough to build the resources to deal with this onslaught. It won't be the service provider that the attacker blames for the initial few disconnections, it will be the websites in question.
>
> So, let's say XYZ.COM is a really popular site with lots of end-users. Some of those end-users are also unknowingly attacking XYZ.COM. XYZ.COM black holes those customers (along with all the other zombies attacking them). XYZ.COM gets angry calls from those customers and has no ability to contact the rest. The rest don't call their ISP or XYZ.COM because they don't know that they are unsuccessfully trying to reach XYZ.COM, so they don't see the problem.
>
> Depending on hold times, etc., XYZ.COM loses some fraction of their customers (who instead of cleaning up their system, move into the second group who don't care about the problem any more.) The rest may clean up their systems.
>
> So, at the cost of some fraction of their customer base and a substantial burden on their call center, XYZ.COM has managed to clean up a relatively small percentage of systems, but accomplished little else.
>
> I'm all for finding a way to do a better job of this. Personally, I'd like to see some sort of centralized clearing house where credible reporters of dDOS information could send some form of standardized (automated) report. The clearing house would then take care of contacting the responsible ISPs in a scaleable and useful manner that the ISPs could handle. Because the clearing house would be a known credible source and because they are providing the information in a way that the ISP can more efficiently utilize the information, it MIGHT allow the ISP to take proactive action such as contacting the user and addressing the problem, limiting the user's ability to send dDOS traffic, etc.
>
> However, this would require lots of cooperation and if such a clearing house were to evolve, it would probably have to start as a coalition of residential ISPs.
>
> Owen

--
Sincerely yours, Pavel Odintsov
Re: DDOS solution recommendation
I could suggest Voxility.com because they have a very good network and can defend against any protocol. And I can recommend qrator.net as the best solution against http/https attacks. We have used them for 2 years and got only positive feedback.

And if you need only the ability to reroute to an antiddos cloud/blackhole a specific IP you could try my open source tool FastNetMon: https://github.com/FastVPSEestiOu/fastnetmon

Thank you!

On Thu, Jan 8, 2015 at 8:11 PM, Mel Beckman m...@beckman.org wrote:
> BlackLotus.com looks very good, with GRE tunneling and sensible provider level pricing.
>
> -mel via cell
>
> On Jan 8, 2015, at 9:06 AM, Manuel Marín m...@transtelco.net wrote:
>> Nanog group
>>
>> I was wondering what you are using for DDOS protection in your networks. We are currently evaluating different options (Arbor, Radware, NSFocus, RioRey) and I would like to know if someone is using the cloud based solutions/scrubbing centers like Imperva, Prolexic, etc and what are the advantages/disadvantages of using a cloud based vs an on-premise solution. It would be great if you can share your experience on this matter.
>>
>> Thank you

--
Sincerely yours, Pavel Odintsov
Re: North Korean internet goes dark (yes, they had one)
Why do you suggest it?

On Tue, Dec 23, 2014 at 8:38 PM, Joe Hamelin j...@nethead.com wrote:
> On Mon, Dec 22, 2014 at 6:05 PM, Valdis Kletnieks valdis.kletni...@vt.edu wrote:
>> Any of you guys want to fess up? :)
>>
>> http://www.msnbc.com/the-ed-show/watch/north-koreas-internet-goes-dark-376097859903
>>
>> (Yes, I know, they're saying it's a DDoS, not a routing hack...)
>
> I was hoping that everyone just put 175.45.176.0/22 in their bogon list.
>
> --
> Joe Hamelin, W7COM, Tulalip, WA, 360-474-7474

--
Sincerely yours, Pavel Odintsov
Re: Estonian IPv6 deployment report
Hello, folks!

Tere from your customer FastVPS Eesti OU/AS198068! :)

On Mon, Dec 22, 2014 at 6:27 PM, Tarko Tikan ta...@lanparty.ee wrote:
> hey,
>
> Some time ago, many people noticed rapid IPv6 deployment growth in Estonia (from 0% to 5% in 4 weeks). We at 3249/Elion/Estonian Telecom were behind this, other operators don't have any serious IPv6 deployments at the moment.
>
> We rolled out v6 to everyone (both business and residential customers) with last-gen CPE, there was no hop-in or hop-out program - the aim was to do it perfectly and without customers even noticing. I'm happy to say that we achieved this goal :)
>
> To satisfy general interest, I promised a small (somehow it turned out longer than I expected) technical writeup on how we enabled v6 for our subscribers. If you have any other questions, feel free to ask and I'll do my best to answer them. You can also skip the technical content, there are some statistics below.
>
> Our access network is a mix of DSL/GPON/wimax/p2p-ETH and broadband service is deployed in shared service vlans. IPv6 traffic shares the vlan with IPv4. Service vlans are transported over the MPLS metro network using pseudowires and terminated in geo-clustered Alcatel 7750 BNG routers.
>
> Each subscriber is allocated up to 4 mixed v4 and v6 IP hosts. For v4 we are using the usual DHCP, for IPv6 we are using DHCPv6 with IA_PD only, no IA_NA is provided. Unfortunately DHCPv6 provides no way to signal the IPv6 default-route thus we have to fall back to RA for the default-route. RA does not include any on-link prefixes or DNS information. RAs are L2 unicasted to the CPE MAC so no other CPE in the service vlan picks up those RAs. To ensure rapid switchover between BNG routers, we are signalling a virtual link-local address as default-route.
>
> We are using ALU internal DHCP/DHCPv6 servers to allocate leases but we also signal IP information from radius (in such case the BNG fakes the DHCP server) for static IP customers. The provided IPv6 prefix is always /56 and we keep the old lease for 24h even if the CPE is turned off (actual lease time is 30min).
>
> Unfortunately, IPv6 LDRA is not available on most of our access platforms so we have to rely on IPv4 session information for authentication. This linking is done in the radius server during subscriber authentication (excellent radiator + quite awful SQL queries :) - if the subscriber has an IPv4 session (that has been authenticated using DHCP opt82), the same MAC address is allowed to have an IPv6 session on exactly the same virtual BNG port. IPv4 and v6 sessions are both tied to the same subscriber and share shapers, QOS etc.
>
> We were able to enable IPv6 only on our last-gen Inteno CPEs. They run modified OpenWrt and because it's linux - everything is possible :) In the CPE, the /56 is divided up into /64s, the first one is currently reserved but we will configure it on the loopback interface and use it for CPE management. The second /64 is configured on LAN and the third is configured on the public wifi SSID (if you choose to enable this option). In the LAN, IPv6 config is provided by RAs, we also support RDNSS and stateless DHCPv6 for DNS. There is also an ingress IPv6 firewall in the CPE and the configuration is modifiable by the user.
>
> To make deployment as smooth as possible, we rolled out IPv6 capable CPE software first. Then, during the BNG platform refresh, we deployed L2 ACLs that dropped all IPv6 traffic based on the 0x86dd ethertype. We then deployed IPv6 config to all BNGs and could verify everything before a single v6 lease was handed out to the subscribers. Then, interface by interface, we replaced the L2 ACL with one that only allowed 0x86dd for certain, supported, OUIs.
>
> This is the current situation and we are investigating ways to support 3rd party CPEs - the main problem is unreliable IPv6 config in CPEs. Many don't enable DHCPv6 (or enable NA but no PD) but still pick up the default-route from RA and happily signal it to the LAN. Some others hammer our BNGs with NA requests every 0.1 seconds etc.
>
> As statistics go, there are 3+ active IPv6 subscribers (almost 15% of our customer base, based on our public numbers), 81% of them have at least one IPv6 enabled device in the LAN, 70% have more than one. Most IPv6 traffic is generated by Google+Youtube, Facebook and Akamai. Not bad for a country with 1.3M people.
>
> Next up: mobile network :)
>
> --
> tarko

--
Sincerely yours, Pavel Odintsov
Re: jack in the box ssl cert
Wow! Nice burgers!

On Sun, Dec 21, 2014 at 1:15 PM, Javier J jav...@advancedmachines.us wrote:
> can someone let them know they are having a bad day?
>
> https://www.jackinthebox.com/

--
Sincerely yours, Pavel Odintsov
Re: Comcast residential DNS contact
Hello!

But any other DNS type can be used for DNS amplification. RRL is the right solution for the amplification issue. I recommend the NSD DNS server because it's reliable and has complete support for DNSSEC, IPv6 and RRL.

On Wed, Dec 3, 2014 at 5:08 PM, Stephen Satchell l...@satchell.net wrote:
> On 12/03/2014 04:04 AM, Niels Bakker wrote:
>> * shortdudey...@gmail.com (Grant Ridder) [Wed 03 Dec 2014, 12:54 CET]:
>>> Both of Google's public DNS servers return complete results every time and one of the two comcast ones works fine. If this is working by design, can you provide the RFC with that info?
>>
>> An ANY query will typically return only what's already in the cache. So if you ask for MX records first and then query the same caching resolver for ANY it won't return, say, any TXT records that may be present at the authoritative nameserver. This could be implementation dependent, but Comcast's isn't wrong, and you should not rely on ANY queries returning full data.
>>
>> This has been hashed out to tears in the past, for example when qm**l used to do these queries in an attempt to optimise DNS query volumes and RTT.
>
> At the ISP I consult to, I filter all ANY queries, because they have been used for DNS amplification attacks.

--
Sincerely yours, Pavel Odintsov
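Why RRL answers the amplification problem where filtering one query type does not, as an added Python model (not NSD's implementation and not code from this thread): responses are budgeted per client prefix per second, everything over budget is suppressed, and every second suppressed response is sent as a truncated reply instead. A spoofed victim prefix therefore receives a trickle of tiny TC=1 packets rather than full-size answers, while a genuine resolver behind that prefix can still retry over TCP. Real RRL also keys the bucket on the response itself (name, type, rcode) and has whitelists; here the bucket is keyed only on the /24 or /64, and the rate, slip value and query stream are constructed.

```python
"""Simplified DNS Response Rate Limiting (RRL) decision logic.

Added illustration of the RRL mitigation recommended above; it is not NSD's
implementation.  Real RRL also keys on the response itself (name, type,
response code) and supports whitelists; this model keys only on the client
prefix.  The rate, slip value and client stream are constructed."""
import ipaddress
from collections import Counter


class ResponseRateLimiter:
    """Per-client-prefix budget with one-second windows.

    answer: normal response
    drop:   response suppressed (the prefix is over its limit)
    slip:   every `slip`-th suppressed response is sent truncated (TC=1), so a
            real resolver behind a spoofed address can retry over TCP while the
            amplified UDP volume stays small."""

    def __init__(self, ratelimit=5, slip=2, v4_prefix=24, v6_prefix=64):
        self.ratelimit = ratelimit
        self.slip = slip
        self.v4_prefix = v4_prefix
        self.v6_prefix = v6_prefix
        self.buckets = {}  # prefix -> [window_second, sent, suppressed]

    def prefix_key(self, client_ip):
        """Aggregate clients per /24 (v4) or /64 (v6): spoofers vary the host bits."""
        addr = ipaddress.ip_address(client_ip)
        plen = self.v4_prefix if addr.version == 4 else self.v6_prefix
        return str(ipaddress.ip_network(f"{client_ip}/{plen}", strict=False))

    def decide(self, client_ip, now):
        key = self.prefix_key(client_ip)
        second = int(now)
        bucket = self.buckets.get(key)
        if bucket is None or bucket[0] != second:
            bucket = [second, 0, 0]  # new one-second window
            self.buckets[key] = bucket
        if bucket[1] < self.ratelimit:
            bucket[1] += 1
            return "answer"
        bucket[2] += 1
        if self.slip and bucket[2] % self.slip == 0:
            return "slip"
        return "drop"


def simulate(limiter, queries):
    """Run (client_ip, timestamp) pairs through the limiter; return counts."""
    return Counter(limiter.decide(ip, ts) for ip, ts in queries)


def build_sample_queries():
    """Constructed: 40 queries in one second with spoofed sources inside
    203.0.113.0/24 (the reflection target), plus 3 from a normal client."""
    flood = [(f"203.0.113.{10 + i % 5}", 100.0 + i * 0.02) for i in range(40)]
    normal = [("198.51.100.1", 100.1), ("198.51.100.1", 100.5), ("198.51.100.1", 101.2)]
    return flood + normal


if __name__ == "__main__":
    print(simulate(ResponseRateLimiter(), build_sample_queries()))
```

The amplification factor is what the limiter attacks: with a 5/s budget the victim prefix gets at most five full answers per second plus truncated replies of a few dozen bytes, whatever the query rate. In NSD the corresponding knobs are `rrl-ratelimit`, `rrl-slip` and `rrl-ipv4-prefix-length` in the `server:` section of nsd.conf (named from memory of the NSD documentation, not from this thread).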
Re: DDOS, IDS, RTBH, and Rate limiting
Hello, folks!

Thank you for the very useful feedback! I'm so sorry for my negative vision of netflow :( It's a nice protocol but I don't have equipment with the ability to generate netflow at wire speed and I use mirror/SPAN instead.

I completely redesigned the attack-analyzer subsystem and can process sampled data now. I just added sFLOW v5 support to FastNetMon and you can try it now. In the near future I will add netflow v5 support.

With sFLOW support my tool can detect attacks on 40-100GE links and more! Thanks for the sFLOW architecture! :)

Thank you!

On Sun, Nov 23, 2014 at 2:53 AM, Brian Rak b...@gameservers.com wrote:
> On 11/22/2014 11:18 AM, Denys Fedoryshchenko wrote:
>> On 2014-11-22 18:00, freed...@freedman.net wrote:
>>> We see a lot of Brocade for switching in hosting providers, which makes sFlow easy, of course.
>>
>> Oh, Brocade, recent experience with ServerIron taught me a new lesson, that I can't do bonding on ports as I want, it has limitations about even/odd port numbers and etc. Most amazing part I just forgot, that I have this ServerIron, and it is a place where I run DDoS protection (but it works perfectly over tap way). Thanks for reminding about this vendor :)
>
> I just hope you're not talking FCX's. If you upgrade those to 8.x firmware, you'll lose sflow on the 10gb ports. Once you upgrade, they send a corrupted sflow packet, and at *far* less than the rate that you configure. Even if you adjust your parser to compensate for the corrupt packet, they're still dropping the large majority of samples, making sflow pretty much useless. It's been several months since we reported this, and we're still waiting on a fix.

--
Sincerely yours, Pavel Odintsov
Re: DDOS, IDS, RTBH, and Rate limiting
Hello, folks!

Thank you for the very useful feedback! I'm so sorry for my negative vision of netflow :( It's a nice protocol, but I don't have equipment with the ability to generate netflow at wire speed, so I use mirror/SPAN instead. I completely redesigned the attack-analyzer subsystem and it can process sampled data now. I just added sFlow v5 support to FastNetMon and you can try it now. In the near future I will add netflow v5 support. With sFlow support my tool can detect attacks on 40-100GE links and more! Thanks for the sFlow architecture! :)

You can check the new version here: https://github.com/FastVPSEestiOu/fastnetmon

Thank you!

On Sun, Nov 23, 2014 at 2:53 AM, Brian Rak <b...@gameservers.com> wrote:
> On 11/22/2014 11:18 AM, Denys Fedoryshchenko wrote:
>> On 2014-11-22 18:00, freed...@freedman.net wrote:
>>> We see a lot of Brocade for switching in hosting providers, which makes sFlow easy, of course.
>>
>> Oh, Brocade, recent experience with ServerIron taught me a new lesson, that I can't do bonding on ports as I want, it has limitations about even/odd port numbers etc. The most amazing part: I just forgot that I have this ServerIron, and it is a place where I run DDoS protection (but it works perfectly over a tap). Thanks for reminding me about this vendor :)
>
> I just hope you're not talking FCXs; if you upgrade those to 8.x firmware, you'll lose sFlow on the 10gb ports. Once you upgrade, they send a corrupted sFlow packet, and at *far* less than the rate that you configure. Even if you adjust your parser to compensate for the corrupt packet, they're still dropping the large majority of samples, making sFlow pretty much useless. It's been several months since we reported this, and we're still waiting on a fix.

--
Sincerely yours, Pavel Odintsov
DDOS, IDS, RTBH, and Rate limiting
Hello, folks!

I'm the author of fastnetmon, thank you for some PR for my toolkit :) I use this tool for similar types of attacks and we analyze all traffic from uplink ports using port mirroring. You can look at this network diagram: https://raw.githubusercontent.com/FastVPSEestiOu/fastnetmon/master/network_map.png

I tried to use netflow many years ago but it's not accurate enough, not fast enough, and produces big overhead on middle class network routers. That's why I wrote this tool and do per-packet analysis. It can detect an attack in 2 seconds max and call a BGP blackhole as quick as thought.

It can detect three types of attacks:

1) Speed attack for a certain IP (we ban every IP which exceeds 1 Gbps)
2) Packets per second attack for a certain IP (we ban every IP which exceeds 100 000 pps)
3) And flow flood (very useful mode in networks with big bandwidth/pps per client)

FastNetMon can handle 2-3 million packets per second and ~20Gbps on a standard i7 2600 Linux box with an Intel 82599 NIC.

If you need any help or suggestions you can email me directly or ask via GitHub.

Thank you!

--
Sincerely yours, Pavel Odintsov
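The sampled-data processing mentioned in the sFlow reply and the three per-IP thresholds listed in this post, as an added example that is not FastNetMon's code: each sFlow-style sample is scaled back by the sampling rate, then per-destination bps, pps and sampled flow counts are compared against the limits. The 1 Gbps and 100 000 pps limits are the ones quoted above; the sampling rate, the 2-second window, the flow limit and the traffic itself are assumptions constructed for the example.

```python
"""Threshold detection over sFlow-style sampled packets: an added example,
not FastNetMon's code. Each sample stands for `sampling_rate` wire packets."""
from collections import defaultdict, namedtuple

# One sampled packet header: 5-tuple plus the packet's length in bytes.
Sample = namedtuple("Sample", "src_ip dst_ip src_port dst_port proto length")

# bps and pps limits are the ones quoted in the post; the flow limit is an
# assumption, counted over distinct 5-tuples seen in samples (sampling
# undercounts real flows, so it must be far below any packet-based limit).
THRESHOLDS = {"bps": 1_000_000_000, "pps": 100_000, "flows": 200}


def aggregate(samples, sampling_rate, window_s):
    """Estimate per-destination bps, pps and sampled flow count."""
    pkts, byts, flows = defaultdict(int), defaultdict(int), defaultdict(set)
    for s in samples:
        pkts[s.dst_ip] += sampling_rate            # scale back to wire rate
        byts[s.dst_ip] += s.length * sampling_rate
        flows[s.dst_ip].add((s.src_ip, s.src_port, s.dst_port, s.proto))
    return {d: {"bps": byts[d] * 8 / window_s,
                "pps": pkts[d] / window_s,
                "flows": len(flows[d])} for d in pkts}


def detect(stats, thresholds=THRESHOLDS):
    """Map each destination over any limit to the list of limits exceeded."""
    hits = {}
    for dst, m in stats.items():
        over = [k for k in ("bps", "pps", "flows") if m[k] > thresholds[k]]
        if over:
            hits[dst] = over
    return hits


# Constructed 2-second window at 1:1000 sampling (both values assumed):
# 192.0.2.10 sees a packet-rate flood (tiny packets, many source ports),
# 192.0.2.20 a volumetric flood (full-size packets), 192.0.2.30 normal load.
SAMPLING_RATE, WINDOW_S = 1000, 2
SAMPLES = (
    [Sample("198.51.100.1", "192.0.2.10", 1024 + i, 80, 6, 64) for i in range(250)]
    + [Sample("198.51.100.7", "192.0.2.20", 53, 53, 17, 1500) for _ in range(200)]
    + [Sample("198.51.100.9", "192.0.2.30", 40000, 443, 6, 500) for _ in range(10)]
)
```

Note that a host exactly at a limit (192.0.2.20 estimates to 100 000 pps here) is not flagged; only the bps limit it crosses is reported, which is the behaviour the comparison operator chooses.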
