Re: ddos attacks

2013-12-19 Thread Tore Anderson
* James Braunegg Of course for any form of Anti DDoS hardware to be functional you need to make sure your network can route and pass the traffic so you can absorb the bad traffic to give you a chance cleaning the traffic. So in order for an Anti-DDoS appliance to be functional the network

Re: ddos attacks

2013-12-19 Thread Adrian M
Hi, You can also test WANGUARD, http://www.andrisoft.com/ for DDoS detection and BGP triggered blackholing. On Thu, Dec 19, 2013 at 11:32 AM, Eugeniu Patrascu eu...@imacandi.net wrote: Hi, You can also take a look at http://www.packetdam.com/ for DDoS protection. Eugeniu On Thu, Dec 19,

Re: ddos attacks

2013-12-19 Thread John Kristoff
On Wed, 18 Dec 2013 15:12:28 -0800 cb.list6 cb.li...@gmail.com wrote: I am strongly considering having my upstreams to simply rate limit ipv4 UDP. It is the simplest solution that is proactive. I understand your willingness to do this, but I'd strongly advise you to rethink such a strategy.

Re: ddos attacks

2013-12-19 Thread Dobbins, Roland
On Dec 19, 2013, at 3:53 PM, Tore Anderson t...@fud.no wrote: So in order for an Anti-DDoS appliance to be functional the network needs to be able to withstand the DDoS on its own. How terribly useful. Due to the nature of network infrastructure devices and TCP/IP, it's quite necessary that

Re: ddos attacks

2013-12-19 Thread Nick Hilliard
On 19/12/2013 13:17, Dobbins, Roland wrote: This is a base requirement for any network operator, without exception. in fact, this comes down to cost / benefit / application analysis, without exception. Many hosting profiles don't require this sort of anti-DDoS kit. In many cases it's far

Re: ddos attacks

2013-12-19 Thread Dobbins, Roland
On Dec 19, 2013, at 8:40 PM, Nick Hilliard n...@foobar.org wrote: Many hosting profiles don't require this sort of anti-DDoS kit. My post had nothing to do with 'anti-DDoS kit'. I'm sure mitigation boxes like this serve well in many situations if the cost / benefit justifies the

Anyone seeing issues with Abovenet/Zayo in Northeast US?

2013-12-19 Thread Jeffrey Negro
We have two MPLS circuits malfunctioning, one from DE to NJ, and another from DE to CA. Both are showing high latency and packet loss. Curious to hear if anyone else is having issues. Thanks

Re: ddos attacks

2013-12-19 Thread Nick Hilliard
On 19/12/2013 14:08, Dobbins, Roland wrote: My post had nothing to do with 'anti-DDoS kit'. hmm, re-reading it, your post was contextually ambiguous and I read it in a different way to the way that apparently you meant. but yes, if you're doing onsite ddos scrubbing, you needs lotsabandwidth.

Re: ddos attacks

2013-12-19 Thread Lee Howard
On 12/18/13 8:03 PM, Jon Lewis jle...@lewis.org wrote: On Wed, 18 Dec 2013 valdis.kletni...@vt.edu wrote: On Wed, 18 Dec 2013 15:12:28 -0800, cb.list6 said: I am strongly considering having my upstreams to simply rate limit ipv4 UDP. It is the simplest solution that is proactive. What

Re: ddos attacks

2013-12-19 Thread Edward Lewis
On Dec 18, 2013, at 18:12, cb.list6 wrote: I am strongly considering having my upstreams to simply rate limit ipv4 UDP. It is the simplest solution that is proactive. Recently it's been said that when a protocol is query/response (like DNS), willingly suppressing responses might be as

Re: ddos attacks

2013-12-19 Thread Jon Lewis
On Thu, 19 Dec 2013, Lee Howard wrote: I am strongly considering having my upstreams to simply rate limit ipv4 UDP. It is the simplest solution that is proactive. What are the prospects for ipv6 UDP not suffering the same fate? Roughly 0%, but there's so little v6 traffic compared to v4,

Re: ddos attacks

2013-12-19 Thread cb.list6
On Thu, Dec 19, 2013 at 8:18 AM, Edward Lewis ed.le...@neustar.biz wrote: On Dec 18, 2013, at 18:12, cb.list6 wrote: I am strongly considering having my upstreams to simply rate limit ipv4 UDP. It is the simplest solution that is proactive. Recently it's been said that when a protocol is

RE: BGP from Juniper to Cisco ASR

2013-12-19 Thread Eric Dugas
Probably a TTL problem. Did you configure ebgp-multihop? Eric Dugas ZEROFAIL / AS40191 edu...@zerofail.com -Original Message- From: Philip Lavine [mailto:source_ro...@yahoo.com] Sent: December 18, 2013 10:48 AM To: NANOG list Subject: BGP from Juniper to Cisco ASR Dec 18 07:46:33:

Re: ddos attacks

2013-12-19 Thread Paul Ferguson
I'm really surprised no one has mentioned Akamai/Prolexic, especially since their recent marriage. If someone has already mentioned it: Apologies. - - ferg On 12/19/2013 4:08 AM, Adrian M wrote: Hi, You can also test WANGUARD,

Re: BGP from Juniper to Cisco ASR

2013-12-19 Thread Philip Lavine
I was able to solve the issue by statically routing the connected /29 out the connected interface, that way it overrode the BGP learned route for the same subnet (unfortunately this might have been a multi-homing issue that resulted in asymmetrical routing to the primary peer via the secondary

Re: ddos attacks

2013-12-19 Thread den...@justipit.com
Just about every security, network and ADC vendor out there is claiming anti-dos capabilities. Be careful when going that route and do your own validation. I suggest looking at Radware and Arbor (both leaders in the market). To successfully mitigate an attack the ideal solutions will weed out
Re: ddos attacks

2013-12-19 Thread Eugeniu Patrascu
On Thu, Dec 19, 2013 at 10:30 PM, den...@justipit.com den...@justipit.com wrote: Just about every security, network and ADC vendor out there is claiming anti-dos capabilities. Be careful when going that route and do your own validation. I suggest looking at Radware and Arbor (both leaders in

Re: ddos attacks

2013-12-19 Thread den...@justipit.com
I have to disagree with the scaling as I've personally deployed both Arbor and Radware in carrier and MSSP environments, including tier 1, CLEC and cable operators. Deployment models vary from infrastructure protection to scrubbing center and top of rack solutions. Happy to discuss with you
Re: ddos attacks

2013-12-19 Thread Dobbins, Roland
On Dec 19, 2013, at 10:40 PM, Nick Hilliard n...@foobar.org wrote: hmm, re-reading it, your post was contextually ambiguous and I read it in a different way to the way that apparently you meant. It was quite clear what was meant, even without looking at the linked presentation, which

Re: turning on comcast v6

2013-12-19 Thread Nicholas Oas
I did an OK job of getting my Linksys E2100L working with Comcast v6 on OpenWRT. It is not officially supported on this platform per se, but a simple hack of the source for WRT160NL allows it to be built. Since I was already rolling my own firmware, I checked the box for 'ipv6' and got the

Re: ddos attacks

2013-12-19 Thread Dobbins, Roland
On Dec 19, 2013, at 6:12 AM, cb.list6 cb.li...@gmail.com wrote: I am strongly considering having my upstreams to simply rate limit ipv4 UDP. QoS is a very poor mechanism for remediating DDoS attacks. It ensures that programmatically-generated attack traffic will 'squeeze out' legitimate

Re: ddos attacks

2013-12-19 Thread cb.list6
On Dec 19, 2013 4:25 PM, Dobbins, Roland rdobb...@arbor.net wrote: On Dec 19, 2013, at 6:12 AM, cb.list6 cb.li...@gmail.com wrote: I am strongly considering having my upstreams to simply rate limit ipv4 UDP. QoS is a very poor mechanism for remediating DDoS attacks. It ensures that

Re: ddos attacks

2013-12-19 Thread Scott Weeks
--- cb.li...@gmail.com wrote: On Dec 19, 2013 4:25 PM, Dobbins, Roland rdobb...@arbor.net wrote: On Dec 19, 2013, at 6:12 AM, cb.list6 cb.li...@gmail.com wrote: I am strongly considering having my upstreams to simply rate limit ipv4 UDP. QoS is a very poor mechanism for remediating DDoS

Re: ddos attacks

2013-12-19 Thread Tore Anderson
* Dobbins, Roland Once again, nothing in my post said or referred to bandwidth; The post of mine, to which you replied, did. Perhaps if you had taken your own advice quoted below when replying to me, Nick wouldn't have been contextually confused. Tore In future, it might be a good idea to

Re: ddos attacks

2013-12-19 Thread Dobbins, Roland
On Dec 20, 2013, at 4:39 AM, cb.list6 cb.li...@gmail.com wrote: Not answering any of that. But thanks for asking. I wasn't asking those questions in order to elicit information from you, but rather as food for thought as you work through these issues. I think ipv4 udp is just going to

Re: turning on comcast v6

2013-12-19 Thread ML
On 12/11/2013 10:23 PM, Rob Seastrom wrote: Eric Oosting eric.oost...@gmail.com writes: It brings a tear to my eye that it takes: 0) A long standing and well informed internet technologist; 1) specific, and potentially high end, CPE for the res; 2) specific and custom firmware, unsupported

Re: turning on comcast v6

2013-12-19 Thread Christopher Morrow
In the case of Comcast (and anecdotally ISC DHCP) - You'll either need to wait out the lease time (4 days) or ask Comcast to nicely clear out your /64 lease manually. Release/renew doesn't release your current DHCP lease. I was getting A /64 and /60 (/64 had a preference of 255) before

Re: turning on comcast v6

2013-12-19 Thread Owen DeLong
FYI - DHCP-PD is now working better in RouterOS 6.5 Prefix length hints are now available (CLI) only. /ipv6 dhcp-client add add-default-route=yes interface=wan interface pool-name=dhcp-pd \ prefix-hint=::/60 I'd like to encourage people to use prefix-hint=::/48. The router should

Re: turning on comcast v6

2013-12-19 Thread Christopher Morrow
On Fri, Dec 20, 2013 at 12:30 AM, Owen DeLong o...@delong.com wrote: FYI - DHCP-PD is now working better in RouterOS 6.5 Prefix length hints are now available (CLI) only. /ipv6 dhcp-client add add-default-route=yes interface=wan interface pool-name=dhcp-pd \ prefix-hint=::/60 I'd like

Re: turning on comcast v6

2013-12-19 Thread Gary Buhrmaster
On Fri, Dec 20, 2013 at 5:42 AM, Christopher Morrow morrowc.li...@gmail.com wrote: On Fri, Dec 20, 2013 at 12:30 AM, Owen DeLong o...@delong.com wrote: I'd like to encourage people to use prefix-hint=::/48. ... I think if I ask (via wide-dhcpv6-server) for more than is going to be sent I