Re: vyatta for bgp

2011-09-12 Thread Dobbins, Roland
On Sep 13, 2011, at 3:34 AM, Chuck Church wrote: Is the concern over a DDOS aimed against the router itself, or just massive flows passing through? Yes, but mainly the former. ; --- Roland Dobbins rdobb...@arbor.net //

Re: vyatta for bgp

2011-09-12 Thread Dobbins, Roland
On Sep 13, 2011, at 3:43 AM, Everton Marques wrote: Would Cisco ISR G2 3925E classify as software-based router? Yes. Do you expect it to bend itself down under a few Mbps of 64-byte packets? Especially if they're directed at the router itself, at some point, sure - though the ISR2 certainly

Re: vyatta for bgp

2011-09-12 Thread Dobbins, Roland
On Sep 13, 2011, at 4:13 AM, Brent Jones wrote: A high end ASIC can handle millions/tens of millions PPS, but directed to the control plane (which is often a general purpose CPU as well, Intel or PowerPC), probably not in most scenarios. CoPP.

Re: NAT444 or ?

2011-09-11 Thread Dobbins, Roland
On Sep 11, 2011, at 4:02 PM, Leigh Porter wrote: I'd agree that, usually, distributed is better but these are not distributed networks, there is a single point (or a few large single points) of contact. The point is that these aggregations of state are quite vulnerable, and therefore they

Re: CGN and CDN (was Re: what about the users re: NAT444 or ?)

2011-09-09 Thread Dobbins, Roland
On Sep 9, 2011, at 11:06 PM, Alexander Harrowell wrote: Further, if making your hosting network IPv6 is hard, the answer is surely to give the job to a CDN operator with v6 clue. This is a good strategy for payload-type content from unitary sources which lends itself to

Re: NAT444 or ?

2011-09-09 Thread Dobbins, Roland
On Sep 10, 2011, at 12:46 PM, Mark Tinka wrote: GPRS/3G/EDGE has made many a mobile provider especially notorious. All this problematic state should be broken up into smaller instantiations and distributed as close to the access edge (RAN, wireline, etc.) as possible in order to a) reduce the

Re: DDoS - CoD?

2011-09-06 Thread Dobbins, Roland
On Sep 6, 2011, at 2:53 PM, BH wrote: Has anyone seen similar traffic before? I've seen DDoS traffic on UDP/80 as far back as 2002 - the miscreants often don't know a lot about TCP/IP, and if something happens to work once, they incorporate it into their attack tool defaults and keep using

Re: Do Not Complicate Routing Security with Voodoo Economics

2011-09-05 Thread Dobbins, Roland
On Sep 5, 2011, at 11:51 PM, Nick Feamster wrote: If the most valuable destinations 'Most valuable', 'least expensive', 'least congested', 'most reliable', 'most responsive', 'least contractually onerous', 'most generous ratio', 'most lucrative', et al. - all these criteria and more come

Re: Do Not Complicate Routing Security with Voodoo Economics

2011-09-04 Thread Dobbins, Roland
On Sep 4, 2011, at 5:02 PM, Randy Bush wrote: Will the benefits of security - no more YouTube incidents, etc. - be perceived as worth having one's routing at the whim of a non-operational administrative monopoly? Given recent events in SSL CA-land, how certain are we that the putative

Re: Do Not Complicate Routing Security with Voodoo Economics

2011-09-04 Thread Dobbins, Roland
On Sep 5, 2011, at 11:04 AM, Michael Schapira wrote: One crucial way in which S*BGP differs from other features is that ASes which deploy S*BGP *must* use their ability to validate paths to inform route selection (otherwise, adding security to BGP makes no sense). Origin validation path

Re: Do Not Complicate Routing Security with Voodoo Economics

2011-09-04 Thread Dobbins, Roland
On Sep 5, 2011, at 11:55 AM, Dobbins, Roland wrote: Origin validation path validation. Rather, that should read, 'Origin/path validation origin/path enforcement'. The idea of origin validation is a simple one. The idea of path validation isn't to determine the 'correctness

Re: DNS DoS ???

2011-07-31 Thread Dobbins, Roland
On Jul 31, 2011, at 9:15 AM, Jimmy Hess mysi...@gmail.com wrote: Is there an RFC specifying precisely what are considered the proper precautions? precautions should ideally be enabled in BIND by default. Not of which I'm aware. I'm happy to contribute to any efforts you or anyone else are

Re: DNS DoS ???

2011-07-31 Thread Dobbins, Roland
On Aug 1, 2011, at 7:42 AM, Mark Andrews wrote: Named already takes proper precautions by default. Recursive service is limited to directly connected networks by default. The default was first changed in 9.4 (2007) which is about to go end-of-life once the final wrap up release is done.

Re: DNS DoS ???

2011-07-31 Thread Dobbins, Roland
On Aug 1, 2011, at 9:22 AM, Mark Andrews wrote: And even if DNS/TCP was used by default, machines can still get DoS'd because IP is spoofable. They can be DDoSed with spoofed or non-spoofed packets, and there are defenses against such attacks. Apologies if I was unclear - my point was that

Re: DNS DoS ???

2011-07-30 Thread Dobbins, Roland
On Jul 31, 2011, at 3:08 AM, Jimmy Hess wrote: A good example, would be services such as OpenDNS. One can argue a) that services like OpenDNS aren't necessarily a Good Thing when run by those who don't take the proper precautions and b) that OpenDNS in particular is run by smart, responsible

Re: DNS DoS ???

2011-07-29 Thread Dobbins, Roland
On Jul 30, 2011, at 1:51 AM, Elliot Finley wrote: my DNS servers were getting slow so I blocked recursive queries for all but my own network. This should be the standard practice. By operating an open recursor, you lend your DNS server to abuse as a contributor to DNS

Re: OOB

2011-07-26 Thread Dobbins, Roland
On Jul 26, 2011, at 8:57 PM, harbor235 wrote: My question is, is it best practice to extend an inband VPN throughout for device management functions as well? Going inband defeats the purpose of the DCN. --- Roland Dobbins

Re: NDP DoS attack (was Re: Anybody can participate in the IETF (Was: Why is IPv6 broken?))

2011-07-17 Thread Dobbins, Roland
On Jul 15, 2011, at 10:24 AM, Jimmy Hess wrote: In most cases if you have a DoS attack coming from the same Layer-2 network that a router is attached to, it would mean there was already a serious security incident that occurred to give the attacker that special point to attack fr This

Re: NDP DoS attack

2011-07-17 Thread Dobbins, Roland
On Jul 17, 2011, at 4:15 PM, Florian Weimer wrote: In practice, the IPv4 vs IPv6 difference is that some vendors provide DHCP snooping, private VLANs and unicast flood protection in IPv4 land, which seems to provide a scalable way to build Ethernet networks with address validation---but

Re: in defense of lisp (was: Anybody can participate in the IETF)

2011-07-13 Thread Dobbins, Roland
On Jul 13, 2011, at 11:02 PM, Ronald Bonica wrote: - enumerate the operational problems solved by LISP Separation of locator/ID is a fundamental architectural principle which transcends transport-specific (i.e., IPv4/IPv6) considerations. It allows for node/application/services agility, and

Re: in defense of lisp (was: Anybody can participate in the IETF)

2011-07-13 Thread Dobbins, Roland
On Jul 14, 2011, at 10:49 AM, Randy Bush wrote: not to quibble but i thought 6296 was stateless. AFAICT, the translators themselves are just rewriting addresses and not paying attention to 'connections', which is all to the good. But then we get to this: - 5.2. Recommendations for

Re: [pfSense Support] Strange TCP connection behavior 2.0 RC2 (+3)

2011-06-28 Thread Dobbins, Roland
On Jun 28, 2011, at 3:52 PM, Eugen Leitl wrote: For the last couple of months I have been pulling my hair out trying to solve this problem. Sounds like TCP RTT and/or packet-loss - should be easy to determine the issue with a bit of traffic capture.

Re: Consequences of BGP Peering with Private Addresses

2011-06-21 Thread Dobbins, Roland
On Jun 15, 2011, at 12:47 PM, James Grace wrote: Are there any horrific consequences to picking up this practice? http://tools.ietf.org/html/draft-kirkham-private-ip-sp-cores-04 --- Roland Dobbins rdobb...@arbor.net //

Re: Contention/Oversubscription maths

2011-05-26 Thread Dobbins, Roland
On May 27, 2011, at 9:12 AM, valdis.kletni...@vt.edu wrote: What do you do on Patch Tuesday? For that matter, what do you do when the latest 'cool' YouTube video goes viral, or Amazon offers the next Lady GaGa album on sale for $0.99, or people with iDevices download

Re: blocking unwanted traffic from hitting gateway

2011-05-18 Thread Dobbins, Roland
On May 18, 2011, at 7:42 PM, Rogelio wrote: This solution would need to be tied into the authentication services so authenticated users hit the gateway. So the attackers can just hammer the authentication subsystem and take it down, instead? ; By going the 'authentication' route in the

Re: Top-posting

2011-04-11 Thread Dobbins, Roland
On Apr 12, 2011, at 12:42 PM, Owen DeLong wrote: I have used Evolution and IMAP with exchange servers in the past, so, I'm not convinced this is an entirely accurate statement. And in fact, I'm posting this message in plain-text via the OSX Mail.app connected via native Exchange protocols

Re: Barracuda Networks is at it again: Any Suggestions as to an Alternative?

2011-04-08 Thread Dobbins, Roland
On Apr 9, 2011, at 10:51 AM, John Palmer (NANOG Acct) wrote: My question is - does anyone have any suggestions for another e-mail appliance like the Barracuda Spam Firewall that doesn't try to charge their customers for time not used http://www.ironport.com/

Paul Baran, RIP.

2011-03-27 Thread Dobbins, Roland
http://www.networkworld.com/news/2011/032811-paul-baran-packet-switching-obit.html --- Roland Dobbins rdobb...@arbor.net // http://www.arbornetworks.com The basis of optimism is sheer terror.

Re: Google security

2011-03-26 Thread Dobbins, Roland
On Mar 27, 2011, at 11:55 AM, Christopher Wolff wrote: To date the single response I've received is change your password which wasn't what I had in mind. The thing to do is to ensure that your client's machines/networks aren't compromised, and then to change the password(s) from a known

Re: The state-level attack on the SSL CA security model

2011-03-25 Thread Dobbins, Roland
On Mar 25, 2011, at 5:21 PM, Florian Weimer wrote: I can't see how a practice that is completely acceptable at the root certificate level is a danger so significant that state-secret-like treatment is called for once end-user certificates are involved. Again, I don't know enough about what

Re: The state-level attack on the SSL CA security model

2011-03-24 Thread Dobbins, Roland
On Mar 24, 2011, at 6:19 PM, Joakim Aronius wrote: Surely the value of stolen certs are higher if the public do not know that they exist. A wider swathe of interested parties would know of their existence, and their existence would be officially confirmed, which would make them more

Re: The state-level attack on the SSL CA security model

2011-03-24 Thread Dobbins, Roland
On Mar 24, 2011, at 6:41 PM, Florian Weimer wrote: Disclosure devalues information. I think this case is different, given the perception of the cert as a 'thing' to be bartered. --- Roland Dobbins rdobb...@arbor.net //

Re: The state-level attack on the SSL CA security model

2011-03-23 Thread Dobbins, Roland
On Mar 24, 2011, at 11:05 AM, Martin Millnert wrote: Announcing this high and loud even before fixes were available would not have exposed more users to threats, but less. An argument against doing this prior to fixes being available is that miscreants who didn't know about this previously

Re: Internet Edge Router replacement - IPv6 route tablesizeconsiderations

2011-03-11 Thread Dobbins, Roland
On Mar 11, 2011, at 2:33 PM, Owen DeLong wrote: There's a HUGE difference between IP unnumbered and link-local. In all honesty, at the macro level, I don't see it; if you wouldn't mind elaborating on this, I would certainly find it useful.

Re: Internet Edge Router replacement - IPv6 route tablesizeconsiderations

2011-03-11 Thread Dobbins, Roland
On Mar 12, 2011, at 11:14 AM, Jeff Wheeler wrote: Of course, I don't really mean to call Owen a liar, or foolish, or anything else. Please don't; even though I disagree with him and agree with you very strongly on this set of issues, Owen is a smart and straightforward guy, and is simply

Re: Internet Edge Router replacement - IPv6 route tablesizeconsiderations

2011-03-10 Thread Dobbins, Roland
On Mar 11, 2011, at 10:51 AM, George Bonser wrote: If you are a content provider, it doesn't make any difference if they take down the links between your routers or if they take down the link that your content farm is on. Of course, it does - you may have many content farms/instances,

Re: Internet Edge Router replacement - IPv6 routetablesizeconsiderations

2011-03-10 Thread Dobbins, Roland
On Mar 11, 2011, at 11:34 AM, George Bonser wrote: And I say taking down 10 such farms is no bigger problem than taking down 10 /64 backbone links. Yes, but the difference is in routine attacker behavior. And of course, iACLs should be protecting p2p links and loopbacks, irrespective of

Re: Internet Edge Router replacement - IPv6 route tablesizeconsiderations

2011-03-10 Thread Dobbins, Roland
On Mar 11, 2011, at 2:02 PM, Owen DeLong wrote: If you want to be truly anal about it, you can also block packets to non-existent addresses on the PtoP links. Sure, I advocate iACLs to block traffic to p2p links and loopbacks. Still, it's best not to turn routers into sinkholes in the

Re: About the different causes of multiple origin ASN(MOAS) problem

2011-03-07 Thread Dobbins, Roland
On Mar 8, 2011, at 1:32 AM, Yaoqing(Joey) Liu wrote: I'm trying to find all causes of the multiple origin AS problem (MOAS) as follows, but not sure if it's complete. 1. MOAS isn't necessarily a 'problem'; it's fairly common, these days, and has been for quite some time. The actual problem

Re: TWTelecom DNS issues...

2011-03-02 Thread Dobbins, Roland
On Mar 3, 2011, at 2:42 AM, Wil Schultz wrote: Not a huge operational issue, but I'm sure there are some folks that this hit a little bit. As Chris indicates, it would be a big win if recursion were disabled on the authoritative servers, and instead handled by dedicated caching-only

Re: Mac OS X 10.7, still no DHCPv6

2011-02-28 Thread Dobbins, Roland
On Feb 28, 2011, at 7:35 PM, Tony Finch wrote: It ought to be possible to look at SMB or mDNS messages to get more information about what the host claims to be... We can't trust those, they're easily manipulated and/or situationally-irrelevant. Or not present at all, if the endpoint

Re: Mac OS X 10.7, still no DHCPv6

2011-02-28 Thread Dobbins, Roland
On Feb 28, 2011, at 8:40 PM, Jim Gettys wrote: Again, having a permanently known identifier being broadcast all the time is potentially a serious security/safety issue. We already have this with MAC addresses, unless folks bother to periodically change them, do we not?

Re: Mac OS X 10.7, still no DHCPv6

2011-02-28 Thread Dobbins, Roland
On Feb 28, 2011, at 8:52 PM, Ray Soucy wrote: IPv6 is simple, elegant, and flexible. This is the first time I've ever seen 'IPv6' in the same sentence with 'simple', 'elegant', or 'flexible', unless preceded by 'not'. ;

Re: Mac OS X 10.7, still no DHCPv6

2011-02-28 Thread Dobbins, Roland
On Feb 28, 2011, at 9:01 PM, Joe Abley wrote: By embedding the MAC into the layer-3 address, the concern is that the information becomes accessible Internet-wide. Given the toxicity of hotel networks alone, my guess is that it already is pretty much available Internet-wide, at least to

Re: Mac OS X 10.7, still no DHCPv6

2011-02-28 Thread Dobbins, Roland
On Feb 28, 2011, at 9:59 PM, Joe Abley wrote: There's no point worrying about v6-only operations if we can't get dual-stack working reliably. I think this is the most insightful, cogent, and pertinent comment made regarding IPv6 in just about any medium at any time. [Yes, I know that

Re: Mac OS X 10.7, still no DHCPv6

2011-02-28 Thread Dobbins, Roland
On Feb 28, 2011, at 10:27 PM, Owen DeLong wrote: Having a MAC address as a permanent identifier is a very different problem from having that MAC address go into a layer 3 protocol field. Given the plethora of identifiable information already frothing around in our data wakes, I'm unsure

Re: Mac OS X 10.7, still no DHCPv6

2011-02-28 Thread Dobbins, Roland
On Feb 28, 2011, at 10:27 PM, Nick Hilliard wrote: We haven't got there because I can't plug in my laptop into any arbitrary ipv6-only network and expect to be able to load up ipv6.google.com. - One day a master from another monastery came upon Abley as he was watching a young child

Re: Mac OS X 10.7, still no DHCPv6

2011-02-28 Thread Dobbins, Roland
On Feb 28, 2011, at 11:14 PM, Owen DeLong wrote: IPv6-only viability is the real goal. This is, in the long run, a transition from v4 to v6. Dual-stack is an interim stop-gap, not an end solution. I think most everyone agrees with this. However, getting experience with dual-stack is

Re: Mac OS X 10.7, still no DHCPv6

2011-02-28 Thread Dobbins, Roland
On Feb 28, 2011, at 11:15 PM, Nick Hilliard wrote: At that moment, Dobbins and Abley were enlightened. hahaha ; Hey, I think dual-stack is pretty ugly - just that it's less ugly than getting no operational experience with IPv6 at all on production networks until some point in the

Re: Mac OS X 10.7, still no DHCPv6

2011-02-28 Thread Dobbins, Roland
On Feb 28, 2011, at 9:16 PM, Leo Bicknell wrote: Those who designed IPv6 appear to have ignored the problem space. This is true of many, many aspects of IPv6. And those of us who didn't get involved in the process to try and address (pardon the pun, heh) those problems bear a burden of the

Re: Mac OS X 10.7, still no DHCPv6

2011-02-28 Thread Dobbins, Roland
On Mar 1, 2011, at 7:00 AM, Owen DeLong wrote: In five years we should be just about ready to start deprecating IPv4, if not already beginning to do so. That's been said about so many things, from various legacy OSes to other protocols such as SNA and SMB/CIFS. None of those things are

Re: Mac OS X 10.7, still no DHCPv6

2011-02-28 Thread Dobbins, Roland
On Mar 1, 2011, at 12:23 PM, Mark Newton wrote: That's new, and (to my mind) threatening. We've not even begun to consider the attack vectors that'll open up. I don't think it's new at all, given the amount of information available today that you already cite, down to and including

Re: Mac OS X 10.7, still no DHCPv6

2011-02-27 Thread Dobbins, Roland
On Feb 27, 2011, at 10:22 PM, Mikael Abrahamsson wrote: Which is one of the reasons why some of us want DHCPv6 support in hosts. Also for traceback when hunting down compromised/abusive hosts. --- Roland Dobbins

Re: Mac OS X 10.7, still no DHCPv6

2011-02-27 Thread Dobbins, Roland
On Feb 28, 2011, at 10:47 AM, Steven Bellovin wrote: You really need to look at switch logs for that, even with IPv4: http://www.cs.columbia.edu/~smb/talks/arp-attack.pdf And flow telemetry, and so forth, yes. With BCP deployment in terms of anti-ARP-spoofing and DHCP snooping/source

Re: Howto for BGP black holing/null routing

2011-02-22 Thread Dobbins, Roland
On Feb 23, 2011, at 5:42 AM, David Hubbard wrote: I've seen it discussed on nanog from time to time, typically suggesting using Zebra, but could not search up a link on a step by step. https://files.me.com/roland.dobbins/dweagy

Re: And so it ends...

2011-02-03 Thread Dobbins, Roland
On Feb 3, 2011, at 9:35 PM, Scott Howard wrote: 102/8 AfriNIC 2011-02 whois.afrinic.net ALLOCATED 103/8 APNIC 2011-02 whois.apnic.net ALLOCATED 104/8 ARIN 2011-02 whois.arin.net ALLOCATED 179/8 LACNIC 2011-02 whois.lacnic.net ALLOCATED 185/8

Re: My upstream ISP does not support IPv6

2011-02-03 Thread Dobbins, Roland
On Feb 4, 2011, at 10:04 AM, Franck Martin wrote: Where can I get more information? There's some survey data related to this topic presented in the latest Worldwide Infrastructure Security Report, available at http://www.arbornetworks.com/report.

Re: Is NAT can provide some kind of protection?

2011-01-13 Thread Dobbins, Roland
On Jan 13, 2011, at 9:59 AM, Jack Bates wrote: The proxy capabilities of the firewall are additional security measures on top of the NAT (and definitely should be deployed for their higher security value). Not in front of servers, they shouldn't - because they have a negative security

Re: Is NAT can provide some kind of protection?

2011-01-12 Thread Dobbins, Roland
On Mar 21, 2007, at 5:41 AM, Tarig Ahmed wrote: Security guy told me is not correct to assign public ip to a server, it should have private ip for security reasons. He's wrong. Is it true that NAT can provide more security? No, it makes things worse from an availability perspective.

Re: Is NAT can provide some kind of protection?

2011-01-12 Thread Dobbins, Roland
On Jan 13, 2011, at 12:02 AM, Justin Scott wrote: The PCI-DSS comes to mind for those who deal with credit card transactions. Luckily, there are ways to 'comply' with the PCI-DSS security theater regime without placing the availability and overall security of one's public-facing servers at

Re: IPv6 - real vs theoretical problems

2011-01-08 Thread Dobbins, Roland
On Jan 9, 2011, at 12:11 AM, Sam Stickland wrote: Why do you say there is zero state at the server, but not at the client? Because every incoming connection to the server is unsolicited - therefore, there's no pre-existing state to evaluate.

Re: NIST IPv6 document

2011-01-07 Thread Dobbins, Roland
On Jan 7, 2011, at 4:14 PM, Mark Smith wrote: Doesn't this risk already exist in IPv4? There are various vendor knobs/features to ameliorate ARP-level issues in switching gear. Those same knobs aren't viable in IPv6 due to the way ND/NS work, and as you mention, the ND stuff is

Re: Problems with removing NAT from a network

2011-01-07 Thread Dobbins, Roland
On Jan 7, 2011, at 4:02 PM, Owen DeLong wrote: No, it hasn't always been a Bad Idea. Yes, it has. There're lots of issues with embedding IP addresses directly into apps and so forth which have nothing to do with NAT.

Re: NIST IPv6 document

2011-01-07 Thread Dobbins, Roland
On Jan 7, 2011, at 9:30 PM, TJ wrote: Today (IPv4) they may not, but many recommendations for tomorrow (IPv6) are to use discrete network allocations for your infrastructure (loopbacks and PtP links, specifically) and to filter traffic destined to those at your edges ... Actually, this

Re: NIST IPv6 document

2011-01-07 Thread Dobbins, Roland
On Jan 7, 2011, at 9:23 PM, Tim Chown wrote: The main operational problem we see is denial of service caused by unintentional IPv6 RAs from hosts. Which is a whole other can of IPv6 worms, heh. ; Roland Dobbins

Re: IPv6 - real vs theoretical problems

2011-01-07 Thread Dobbins, Roland
On Jan 8, 2011, at 3:29 AM, Deepak Jain wrote: There are now years of security dogma that says NAT is a good thing, Actually, this isn't the case. There's some *security theater* dogma which makes totally unsupported claims about the supposed security benefits of NAT, but that's not quite

Re: IPv6 - real vs theoretical problems

2011-01-07 Thread Dobbins, Roland
On Jan 8, 2011, at 5:44 AM, Owen DeLong wrote: You say dogma, I say mythology. Concur 100%. Stateful inspection provides security. To clarify, stateful inspection only provides security in a context where there's state to inspect - i.e., at the southernmost end of access networks,

Re: NIST IPv6 document

2011-01-07 Thread Dobbins, Roland
On Jan 8, 2011, at 4:28 AM, Mark Smith wrote: The problem is that somebody on the Internet could send 1000s of UDP packets (i.e. an offlink traffic source) towards destinations that don't exist on the target subnet. I meant to type 'ND-triggering stuff', concur 100%.

Re: IPv6 - real vs theoretical problems

2011-01-07 Thread Dobbins, Roland
On Jan 8, 2011, at 8:54 AM, William Herrin wrote: I presume you don't intend us to conclude that a bastion host firewall provides no security benefit to the equipment it protects. If it's protecting workstations, yes, it has some positive security value - but not due to NAT. If it's

Re: NIST IPv6 document

2011-01-06 Thread Dobbins, Roland
On Jan 6, 2011, at 9:29 PM, Joe Greco wrote: Sorry, but I see this as not grasping a fundamental security concept. I see it as avoiding a common security misconception. Making a host harder to find (or more specifically to address from remote) is a worthwhile goal. As I've stated

Re: NIST IPv6 document

2011-01-06 Thread Dobbins, Roland
On Jan 6, 2011, at 11:28 PM, valdis.kletni...@vt.edu wrote: Playing devil's advocate for a moment... I don't see this as devil's advocacy, since I've said a) we're already hosed (i.e., what you said) and b), we're going to get even more hosed with IPv6. ;

Re: NIST IPv6 document

2011-01-06 Thread Dobbins, Roland
On Jan 6, 2011, at 11:48 PM, Jack Bates wrote: It is not the intentional that we should fear, but the unintentional. This is the single largest issue with IPv6 and the whole ND mess in a nutshell - unintentional DoS becomes much more likely.

Re: NIST IPv6 document

2011-01-06 Thread Dobbins, Roland
On Jan 7, 2011, at 1:20 AM, Owen DeLong wrote: You are mistaken... Host scanning followed by port sweeps is a very common threat and still widely practiced in IPv4. I know it's common and widely-practiced. My point is that if the host is secured properly, this doesn't matter; and that if

Re: NIST IPv6 document

2011-01-05 Thread Dobbins, Roland
On Jan 5, 2011, at 1:15 PM, Jeff Wheeler wrote: I notice that this document, in its nearly 200 pages, makes only casual mention of ARP/NDP table overflow attacks, which may be among the first real DoS challenges production IPv6 networks, and equipment vendors, have to resolve. They also

Re: NIST IPv6 document

2011-01-05 Thread Dobbins, Roland
On Jan 5, 2011, at 4:39 PM, Dobbins, Roland wrote: They also only make small mention of DNS- and broadcast-hinted scanning, and none at all of routing-hinted scanning. I meant to include, ' . . . and the strain that this hinted scanning will place on the DNS and routing/switching

Re: NIST IPv6 document

2011-01-05 Thread Dobbins, Roland
On Jan 5, 2011, at 7:21 PM, Jeff Wheeler wrote: please explain why this is in any way better than operating the same LAN with a subnet similar in size to its existing IPv4 subnets, e.g. a /120. Using /64s is insane because a) it's unnecessarily wasteful (no lectures on how large the space

Re: NIST IPv6 document

2011-01-05 Thread Dobbins, Roland
On Jan 6, 2011, at 1:02 AM, TJ wrote: if you are permitting external hosts the ability to scan your internal network in an unrestricted fashion DCN aside, how precisely does one define 'internal network' in, say, the context of the production network of a broadband access SP, or

Re: NIST IPv6 document

2011-01-05 Thread Dobbins, Roland
On Jan 6, 2011, at 1:14 AM, Jeff Wheeler wrote: A stateful firewall on every router interface has been suggested already on this thread. It is unrealistic. It isn't just unrealistic, it's highly undesirable, since it represents a huge DoS state vector.

Re: NIST IPv6 document

2011-01-05 Thread Dobbins, Roland
On Jan 6, 2011, at 8:57 AM, Joe Greco wrote: The switch from IPv4 to IPv6 itself is such a change; it renders random trolling through IP space much less productive. And renders hinted trolling far more productive/necessary, invariably leading to increased strain on

Re: Problems with removing NAT from a network

2011-01-05 Thread Dobbins, Roland
On Jan 6, 2011, at 9:38 AM, ML wrote: At least not without some painful rebuilds of critical systems which have these IPs deeply embedded in their configs. They shouldn't be using IP addresses in configs, they should be using DNS names. Time to bite the bullet and get this fixed prior to

Re: NIST IPv6 document

2011-01-05 Thread Dobbins, Roland
On Jan 6, 2011, at 10:08 AM, Joe Greco wrote: Packing everything densely is an obvious problem with IPv4; we learned early on that having a 48-bit (32 address, 16 port) space to scan made port-scanning easy, attractive, productive, and commonplace. I don't believe that host-/port-scanning

Re: NIST IPv6 document

2011-01-05 Thread Dobbins, Roland
On Jan 6, 2011, at 10:42 AM, George Bonser wrote: It will be a problem if people learn they can DoS routers by maxing out the neighbor table. I understand this - that's a completely separate issue from the supposed benefits of sparse addressing for endpoint host security. I

Re: NIST IPv6 document

2011-01-05 Thread Dobbins, Roland
On Jan 6, 2011, at 11:16 AM, George Bonser wrote: I thought the entire notion of actually getting to a host was orthogonal to the discussion as that wasn't the point. It wasn't about exploitation of anything on the host, the discussion was about the act of scanning a network itself being

Re: ARIN and the RPKI (was Re: AltDB?)

2011-01-05 Thread Dobbins, Roland
On Jan 6, 2011, at 11:16 AM, Randy Bush wrote: actually, the formal rpki-based origin-validation stuff is measured to take *less* cpu, a lot less, than ACLs On the platforms which really matter in terms of rPKI, ACLs are handled in hardware, so this is pretty much a wash. Concur on all

Re: NIST IPv6 document

2011-01-05 Thread Dobbins, Roland
On Jan 6, 2011, at 12:17 PM, Joe Greco wrote: If you don't understand the value of such an increase in magnitude, I can count as well as you can, I assure you. I invite you to switch all your ssh keys to 56 bit. The difference is that if someone compromises/brute-forces one of my ssh keys,

Re: NIST IPv6 document

2011-01-05 Thread Dobbins, Roland
On Jan 6, 2011, at 12:54 PM, Joe Greco wrote: Generally speaking, security professionals prefer for there to be more roadblocks rather than fewer. The soi-disant security 'professionals' who espouse layering unnecessary multiple, inefficient, illogical, and iatrogenic roadblocks in

Re: NIST IPv6 document

2011-01-05 Thread Dobbins, Roland
On Jan 6, 2011, at 1:26 PM, Joe Greco wrote: A bunch of very smart people have worked on IPv6 for a very long time, and justification for /64's was hashed out at extended length over the period of years. Very smart people can and do come up with bad ideas, and IPv6 is a textbook example of

Re: NIST IPv6 document

2011-01-05 Thread Dobbins, Roland
On Jan 6, 2011, at 2:03 PM, Matthew Petach wrote: I think what people are trying to say is that it doesn't matter whether or not your host is easily findable or not, if I can trivially take out your upstream router. That's part of it - the other part is that the host will be found,

Re: NIST IPv6 document

2011-01-05 Thread Dobbins, Roland
On Jan 6, 2011, at 2:42 PM, Joel Jaeggli wrote: icmp6 rate limiting both receipt and origination is not rocket science. But it's *considerably* more complex and has far more potential implications than ICMP rate-limiting in IPv4 (which in and of itself is more complex and has more

Re: NIST IPv6 document

2011-01-05 Thread Dobbins, Roland
On Jan 6, 2011, at 1:51 PM, Joe Greco wrote: There are numerous parallels between physical and electronic security. Let's just concede that for a moment. I can't, and here's why: 1. In the physical world, attackers run a substantial risk of being caught, and of tangible, severe

Re: The tale of a single MAC

2011-01-02 Thread Dobbins, Roland
On Jan 3, 2011, at 10:31 AM, Lynda wrote: My guess is that you'll never find it on Google, since it happened around 1993-4 or so. I remember that there were several high-profile instances of duplicate MAC addresses being burnt into NICs during the 1990s - once every 2-3 years, IIRC. And

Re: The tale of a single MAC

2011-01-01 Thread Dobbins, Roland
On Jan 2, 2011, at 10:33 AM, Graham Wooden wrote: What are the odds, that HP would dup'd them and that both would eventually end up at my shop? There may be some setting you're overlooking or a bug which needs an update to fix, or you may simply have purchased HP ProLiant *cases*, rather

Re: Over a decade of DDOS--any progress yet?

2010-12-13 Thread Dobbins, Roland
On Dec 14, 2010, at 2:04 AM, Bill Bogstad wrote: A single data point on current DDOS traffic levels. In the 2009 Arbor WWISR, the largest attack reported was 49gb/sec. We're currently wrapping up the 2010 WWISR, and the largest attack report was considerably larger.

Re: Over a decade of DDOS--any progress yet?

2010-12-13 Thread Dobbins, Roland
On Dec 14, 2010, at 2:40 AM, Jeffrey Lyon jeffrey.l...@blacklotus.net wrote: The only larger ones that I've seen were in a company's marketing collateral vs. real life. Here's a link to last year's Report (previous editions may be downloaded, as well): http://www.arbornetworks.com/report The

Re: Over a decade of DDOS--any progress yet?

2010-12-10 Thread Dobbins, Roland
On Dec 11, 2010, at 5:51 AM, Joel Jaeggli wrote: Paying for DOS mitigation you rarely if ever use is quite expensive. Some operators offer 'Clean Pipes' commercial DDoS mitigation services; they have various fee models, and they charge their end-customers for it. It's positioned as a form

Re: [Operational] Internet Police

2010-12-09 Thread Dobbins, Roland
On Dec 10, 2010, at 1:19 AM, Michael Smith wrote: front lines of this cyberwar? Warfare isn't the correct metaphor. Espionage/covert action is the correct metaphor. --- Roland Dobbins rdobb...@arbor.net //

Re: [Operational] Internet Police

2010-12-09 Thread Dobbins, Roland
On Dec 10, 2010, at 10:01 AM, Robert E. Seastrom wrote: cyber-intifada was the proper trope, but so far it has failed to grow legs. The problem is that non-ironic use of the appellation 'cyber-' is generally inversely proportional to actual clue, so it should be avoided at all costs. ;

Re: Over a decade of DDOS--any progress yet?

2010-12-08 Thread Dobbins, Roland
On Dec 8, 2010, at 5:58 PM, bmann...@vacation.karoshi.com wrote: actually, botnets are an artifact. claiming that the tool is the problem might be a bit short sighted. with the evolution of Internet technologies (IoT) i suspect botnet-like structures to become much more prevalent and

Re: Over a decade of DDOS--any progress yet?

2010-12-08 Thread Dobbins, Roland
On Dec 8, 2010, at 7:28 PM, Arturo Servin wrote: One big problem (IMHO) of DDoS is that sources (the host of botnets) may be completely unaware that they are part of a DDoS. I do not mean the bot machine, I mean the ISP connecting those. The technology exists to detect and classify

Re: Over a decade of DDOS--any progress yet?

2010-12-08 Thread Dobbins, Roland
On Dec 8, 2010, at 10:04 PM, Thomas Mangin wrote: So IIMHO the best way is still a good router with some basic QOS to protect BGP on the link. iACLs and GTSM are your friends. ; --- Roland Dobbins rdobb...@arbor.net //
