On Mon, Dec 6, 2010 at 01:50, Sean Donelan s...@donelan.com wrote:
February 2000 weren't the first DDOS attacks, but the attacks on multiple
well-known sites did raise DDOS' visibility.
What progress has been made during the last decade at stopping DDOS
attacks?
SMURF attacks creating a
Contact me off list please.
Thanks,
-john
Besides having *a lot* of bandwidth there's not really much you can do to
mitigate. Once you have the bandwidth you can filter (w/good hardware).
Even if you go for 802.3ba with 40/100 Gbps...you'll need a lot of pipes.
Spoofed attacks have reduced significantly probably because of the use of
RPF.
* John Curran:
I agree with Chris; this (and any other returns) won't change the IPv4
depletion/IPv6 deployment timeline substantially,
I guess there are a lot of unused assignments within
provider-dependent address space. In my experience with a couple of
LIRs, none of them was very eager
On Dec 6, 2010, at 2:50 PM, Sean Donelan wrote:
Other than buying lots of bandwidth and scrubber boxes, have any other DDOS
attack vectors been stopped or rendered useless during the last
decade?
These .pdf presos pretty much express my view of the situation, though I do
need to rev the
On Sunday 05 December 2010 15:50:32 Gadi Evron wrote:
I withhold comment... discuss amongst yourselves.
Since it is an uncommon but occasional complaint that someone's site is indexed
in Google by IP address not domain name, I assume simply that since wikileaks
were redirecting to URLs with IP
Hi,
there has been a lot of ethics and religio, ...
but what is really important for operation:
The cloud is a failure. Too easy to get it down.
I guess wikileaks returning to dedicated hosting proves that.
Next time the board wants to convince me of cloud computing,
I'll propose a botnet is
The Cloud went down? I think not.
Having one's account terminated as opposed to an outage caused by DDoS are
two very different things.
I'm certainly not an advocate of public cloud computing (I love it inside my
own private network though :) ), but in this case asserting that the cloud
is a
The cloud is a failure. Too easy to get it down.
I guess wikileaks returning to dedicated hosting proves that.
No, it just proves that organizational decisions are made by human beings that
have values. Whether or not those values are 'right' isn't the point - the
point is that the
On Monday 06 December 2010 09:47:43 Jay Mitchell wrote:
The Cloud went down? I think not.
It did for at least one customer.
Having one's account terminated as opposed to an outage caused by DDoS are
two very different things.
Although not for all DNS providers.
There are operational lessons
On Mon, Dec 6, 2010 at 3:08 PM, Peter Dambier pe...@peter-dambier.de
wrote:
The cloud is a failure. Too easy to get it down.
I guess wikileaks returning to dedicated hosting proves that.
I haven't used this sign in nearly a decade. And certainly not on nanog.
Anyway .. I'll end this thread
On Saturday, 4 December 2010 at K:40:50 -0500, Mark Radabaugh wrote:
Probably a case of something being blindingly obvious but...
I have seen plenty of information on IPv6 from an internal network
standpoint. I have seen very little with respect to how an ISP is
supposed to handle routing
On Dec 5, 2010, at 5:28 PM, Franck Martin wrote:
- Original Message -
From: Owen DeLong o...@delong.com
To: John Levine jo...@iecc.com
Cc: nanog@nanog.org
Sent: Sunday, 5 December, 2010 2:54:43 PM
Subject: Re: How do you do rDNS for IPv6 ?
On Dec 5, 2010, at 2:13 PM, John
On Fri, 3 Dec 2010, Valdis.Kletnieks at vt.edu wrote:
On Fri, 03 Dec 2010 17:30:38 PST, Brent Jones said:
For example, below shows the same MX at Google responding with and
without TLS. I attempted about a dozen times over a few minutes to the
same MX until I got STARTTLS listed in the
Kevin Oberman ober...@es.net writes:
From: valdis.kletni...@vt.edu
From: valdis.kletni...@vt.edu
Date: Fri, 03 Dec 2010 20:00:15 -0500
On Fri, 03 Dec 2010 14:24:16 PST, Leo Bicknell said:
It is speculated that no later than Q1, two more /8's will be allocated,
triggering a policy
On Dec 6, 2010, at 6:43 PM, Chris Nicholls wrote:
I found the following very helpful, Hardest thing for me was nailing
DHCPv6-PD without a DHCP server :)
This is the best/most complete work on IPv6 security to date, IMHO:
http://www.ciscopress.com/bookstore/product.asp?isbn=1587055945
On Mon, Dec 6, 2010 at 5:27 AM, Dobbins, Roland rdobb...@arbor.net wrote:
On Dec 6, 2010, at 6:43 PM, Chris Nicholls wrote:
I found the following very helpful, Hardest thing for me was nailing
DHCPv6-PD without a DHCP server :)
This is the best/most complete work on IPv6 security to
On 12/6/10 6:58 AM, Michael Wildpaner wrote:
PIPELINING and STARTTLS are unrelated issues, and both are currently
working as intended.
- STARTTLS on MX is in the process of being rolled out and not visible
from all client locations at this point.
- PIPELINING is not offered under
[peter's theory]
The cloud is a failure. Too easy to get it down.
I guess wikileaks returning to dedicated hosting proves that.
No, it just proves that organizational decisions are made by human beings
that have values. Whether or not those values are 'right' isn't the point -
the
On Dec 6, 2010, at 4:49 AM, Nathan Eisenberg wrote:
The cloud is a failure. Too easy to get it down.
I guess wikileaks returning to dedicated hosting proves that.
No, it just proves that organizational decisions are made by human beings
that have values. Whether or not those values are
On Dec 6, 2010, at 8:35 AM, Jeff Johnstone wrote:
Speaking of IPV6 security, is there any movement towards any open source
IPV6 firewall solutions for the consumer / small business?
Almost all the info I've managed to find to date indicates no support, nor
any planned support in upcoming
On Dec 6, 2010, at 6:55 AM, Jared Mauch wrote:
On Dec 6, 2010, at 8:35 AM, Jeff Johnstone wrote:
Speaking of IPV6 security, is there any movement towards any open source
IPV6 firewall solutions for the consumer / small business?
Almost all the info I've managed to find to date
In a cloud hosting environment, you typically don't know where your
data and servers are, and thus you don't know what legal and political
pressures they may be subject to. If that means that in practice you
are subject to the combination of any pressure that can be applied to
any one of the
On Mon, Dec 6, 2010 at 6:10 AM, Patrick W. Gilmore patr...@ianai.net wrote:
On Dec 6, 2010, at 4:07 AM, Jonas Frey (Probe Networks) wrote:
Besides having *a lot* of bandwidth there's not really much you can do to
mitigate. Once you have the bandwidth you can filter (w/good hardware).
Even if
On Dec 6, 2010, at 10:34 AM, David Ulevitch da...@ulevitch.com wrote:
On Mon, Dec 6, 2010 at 6:10 AM, Patrick W. Gilmore patr...@ianai.net wrote:
On Dec 6, 2010, at 4:07 AM, Jonas Frey (Probe Networks) wrote:
Besides having *a lot* of bandwidth there's not really much you can do to
mitigate.
On 12/6/2010 9:07 AM, Owen DeLong wrote:
Seriously, though, you're welcome to use fd00::/8 for exactly that
purpose. The problem is that you (and hopefully it stays this way)
won't have much luck finding a vendor that will provide the NAT for
you to do it with.
Corporate IT community
First, let's clarify things a bit. I don't think unintended routing is
what concerns your IT guys. After all, even with the NAT
box today, there's routing from the outside to the inside. It's just
controlled by stateful inspection.
It might be better stated differently.
With NAT, routing
On 12/5/2010 4:25 PM, Felipe Zanchet Grazziotin wrote:
There are other useful tips too, including ideas for PowerDNS and Bind.
Yeah, PowerDNS already supports generating /PTR on the fly. I'm more
of the opinion that generic hosts shouldn't have rDNS, but that will
depend on banks and
On Dec 6, 2010, at 10:49 PM, Jack Bates wrote:
So does NAT add to security? Yes; just not very much.
It adds nothing which can't be added in another, better way, and it subtracts a
great deal in terms of instantiating unnecessary DoSable stateful chokepoints
in the network, not to mention
On Saturday, December 04, 2010 05:52:09 pm Kevin Oberman wrote:
Lead-acid batteries can deliver way over 100 amps of current and a
conductor across safe voltage will get hot and, if not heavy enough,
will vaporize.
Our smallish 540Ah -48VDC plant has a 35,000A short circuit rating; important
On 12/5/2010 9:50 AM, Gadi Evron wrote:
I withhold comment... discuss amongst yourselves.
Best,
Gadi.
Original Message
Subject: [funsec] And Google becomes a DNS..
Date: Sun, 5 Dec 2010 17:34:50 +0200
From: Imri Goldberg lorgan...@gmail.com
To: funsec fun...@linuxbox.org
On 12/6/2010 9:29 AM, Nathan Eisenberg wrote:
How is it more or less unattractive than having one's own servers in
one's own office? Lieberman and Co would simply have leaned on Mom's
Best BGP (r) and Pop's Fastest Packets (r) instead of on Amazon, and
the result would have been the same.
Is there anyone out there who has a position on whether it is worth the effort
to map Multi-root EVPL (E-TREE) atop VPLS or to await for PBB-TE and MEF to
come up with some kind of a common roadmap ?
F.
On 2010-12-03, at 10:26 AM, Manu Chao wrote:
I have only GRT and L3VPN traffic and would
On Dec 5, 2010, at 9:41 PM, Jima wrote:
On 12/5/2010 4:13 PM, John Levine wrote:
In IPv4 land, it is standard to assign matching forward and reverse
DNS for every live IP, and a fair number of services treat requests
from hosts without rDNS with added scepticism. For consumer networks,
it's
Original Message -
From: Jared Mauch ja...@puck.nether.net
Anyone done this dynamic synthesis w/ bind? dnssec thoughts as well? i
know this isn't namedroppers, but perhaps someone can post some code
or examples, or a link to a webpage with them?
Earthlink, I believe; DENTS has a
At my current place of work, we use all Linux routers. I need to do some IP
accounting/reporting and am currently trying to use Scrutinizer. Scrutinizer
can use netstream, jstream, ipfix, netflow, and sflow data without qualms.
My only issue is that I can't seem to find any good software for Linux
IPtraf can be set up to look at flows per-block, per interface, per vlan, etc
and export the data every minute / 5 minutes. Back in the day I had it
scripted to dump data into rrdtool and give pretty graphs. See the man page,
it's well written.
Cheers,
-Jack Carrozzo
On Mon, Dec 6, 2010 at 2:15
On Mon, Dec 06, 2010 at 02:15:10PM -0500, Thomas York wrote:
I've had the best luck with ipcad. The only thing that seems to not work
with it is that it doesn't correctly give the interface number in the flow
information. It refers to all interfaces as interface 65535. I've tried the
config
I've used fprobe with great success. You can run multiple instances of
fprobe for the different interfaces.
--Samuel
fprobe: a NetFlow probe - libpcap-based tool that collects
network traffic data and emit it as NetFlow flows towards the
specified collector.
WWW:
fprobe doesn't work properly because it has the input and output interface
IDs as both 0. In Scrutinizer, this makes the flow look like all the data
came in the interface and immediately left via the same interface. Also,
this causes problems when running multiple instances of fprobe.
This seems
Have you considered argus?
It can deliver argus flows from multiple interfaces.
From http://www.qosient.com/argus/ :
Argus can be considered an implementation of the architecture
described in the IETF IPFIX Working Group. Argus pre-dates IPFIX, and
the project has actively contributed to the
Never heard of it. I'll give it a shot. Another project that uses argus also
looks interesting.. http://nautilus.oshean.org/wiki/Periscope
-Original Message-
From: Ken A [mailto:k...@pacific.net]
Sent: Monday, December 06, 2010 4:04 PM
To: nanog@nanog.org
Subject: Re: ipfix/netflow/sflow
On Dec 7, 2010, at 3:44 AM, Thomas York wrote:
fprobe doesn't work properly because it has the input and output interface
IDs as both 0.
IIRC, this can be altered via a config change.
---
Roland Dobbins rdobb...@arbor.net
It can, but then you are setting the input/output IDs statically. That would
work fine if your router only had 2 interfaces. We currently have routers
with a single (or few) WAN interfaces and multiple internal interfaces and
there isn't any way to statically categorize the data.
-Original
On Dec 7, 2010, at 4:24 AM, Thomas York wrote:
It can, but then you are setting the input/output IDs statically. That would
work fine if your router only had 2 interfaces.
With a probe of this type, northbound/southbound tagging is generally
sufficient, in my experience (i.e., let's not
Try PMACCT, it is pretty handy.
Yiming
On 12/06/2010 01:15 PM, Thomas York wrote:
At my current place of work, we use all Linux routers. I need to do some IP
accounting/reporting and am currently trying to use Scrutinizer. Scrutinizer
can use netstream, jstream, ipfix, netflow, and sflow data
fprobe doesn't work properly because it has the input and output interface
IDs as both 0.
fprobe-ulog fixes this. From the http://fprobe.sourceforge.net/ front page:
fprobe-ulog - libipulog-based fork of fprobe. It obtains packets
through linux netfilter code (iptables ULOG
From: valdis.kletni...@vt.edu
From: valdis.kletni...@vt.edu
Date: Fri, 03 Dec 2010 20:00:15 -0500
224/3
Oh. And don't forget to do *bidirectional* filtering of these addresses. ;)
Ahh, not quite. Blocking 224/3 bi-directionally might cause a few issues
if you accept multicast traffic from
On 6 Dec 2010, at 11:07 PM, Owen DeLong wrote:
On Dec 6, 2010, at 6:55 AM, Jared Mauch wrote:
On Dec 6, 2010, at 8:35 AM, Jeff Johnstone wrote:
Speaking of IPV6 security, is there any movement towards any open source
IPV6 firewall solutions for the consumer / small business?
Almost