Re: DDOS, IDS, RTBH, and Rate limiting

2014-11-21 Thread Denys Fedoryshchenko

On 2014-11-21 03:12, Roland Dobbins wrote:

> On 21 Nov 2014, at 6:22, Denys Fedoryshchenko wrote:
>
>> Netflow is stateful stuff,
>
> This is factually incorrect; NetFlow flows are unidirectional in
> nature, and in any event have no effect on processing of data-plane
> traffic.

The word "stateful" has nothing in common with "stateful firewall". Stateful
protocol: a protocol which requires keeping of the internal state on
the server is known as a stateful protocol. And sure,
unidirectional/bidirectional is totally unrelated.

>> and just to run it on wirespeed, on hardware, you need to utilise
>> significant part of TCAM,
>
> Again, this is factually incorrect.

http://en.wikipedia.org/wiki/NetFlow#NetFlow_support
Proof that the majority of solutions run *flow not in software.

Cisco 65xx (yes, they are obsolete, but they run stuff wirespeed):

Aug 24 12:30:53: %EARL_NETFLOW-SP-4-TCAM_THRLD: Netflow TCAM threshold
exceeded, TCAM Utilization [97%]

This is the best example. Also on many Ciscos, if you use UBRL, then you
cannot use NetFlow, just because they use the same part of TCAM resources.
Others, for example Juniper, are using sampling (read: missing data),
just to not overflow resources, and have various limitations, such as
RE-DPC communication pps limit, licensing limit.
For example MS-DPC is a pretty good one, few million flows in hardware,
7-8Gbps of traffic, and... cost $12.

>> i am not talking that on some hardware it is just impossible to run
>> it.
>
> This is also factually incorrect.  Some platforms/linecards do not in
> fact support NetFlow (or other varieties of flow telemetry) due to
> hardware limitations.

But still they can run mirroring fine, and fastnetmon will do its job.

>> And last thing, from one of public papers, netflow delaying factors:
>> 1. Flow record expiration
>
> This is tunable.

In certain limits. You can't set flow-active-timeout less than 60
seconds in Junos 14 for example.
On some platforms even if you can, you just run into the limits of the
platform again (forwarding - management communications).

>> • Typical delay: 15-60 sec.
>
> This is an entirely subjective assessment, and does not reflect
> operational realities.  These are typically *maximum values* - and
> they are well within operationally-useful timeframes.  Also, the
> effect of NetFlow cache size and resultant FIFOing of flow records is
> not taken into account, nor is the effect on flow termination and
> flow-record export of TCP FIN or RST flags denoting TCP traffic taken
> into account.
>
>> So for a small hosting(up to 10G), i believe, FastNetMon is best
>> solution.
>
> This is a gross over-generalization unsupported by facts.  Many years
> of operational experience with NetFlow and other forms of flow
> telemetry by large numbers of network operators of all sizes and
> varieties contradict this over-generalization.

Fastnetmon and similar tools' popularity speaks for itself.

> It is generally unwise to make sweeping statements regarding
> operational impact which are not borne out by significant operational
> experience in production networks.

What can be asserted without evidence can be dismissed without
evidence.

>> Faster, and no significant investments to equipment.
>
> This statement indicates a lack of understanding of opex costs,
> irrespective of capex costs.

Sweet marketing buzzwords, that are used together with some unclear
calculations, to sell suffering hosting providers various expensive tools
that are not necessary for them.
OPEX of fastnetmon is a small fee for a qualified sysadmin, and often not
required, because the hosting operator should already have him.

>> Bigger hosting providers might reuse their existing servers, segment
>> the network, and implement inexpensive monitoring on aggregation
>> switches without any additional cost again.
>
> This statement indicates a lack of operational experience in networks
> of even minimal scale.
>
>> Ah, and there is one more huge problem with netflow vs FastNetMon -
>> netflow just by design cannot be adapted to run pattern matching,
>> while it is trivial to patch FastNetMon for that, turning it to
>> mini-IDS for free.
>
> This statement betrays a lack of understanding of NetFlow-based (and
> other flow telemetry-based) detection and classification, as well as
> the undesirability and negative operational impact of stateful
> IDS/'IPS' deployments in production networks.
>
> You should also note that FastNetMon is far from unique; there are
> multiple other open-source tools which provide the same type of
> functionality, and none of them have replaced flow telemetry, either.

That's the power of open source. Since FastNetMon is not the only tool,
it is worth mentioning others; people here will benefit from using it,
for free. And I'm sure the author of FastNetMon will not feel offended
at all.

> Tools such as FastNetMon supplement flow telemetry, in situations in
> which such tools can be deployed.  They do not begin to replace flow
> telemetry, and they are not inherently superior to flow telemetry.
>
> Again, I'm sure FastNetMon is a useful tool in many circumstances.

Re: DDOS, IDS, RTBH, and Rate limiting

2014-11-21 Thread Denys Fedoryshchenko

On 2014-11-21 06:45, freed...@freedman.net wrote:

>> Netflow is stateful stuff, and just to run it on wirespeed, on
>> hardware, you need to utilise significant part of TCAM,
>
> Cisco ASRs and MXs with inline jflow can do hundreds of K flows/second
> without affecting packet forwarding.

Yes, I agree, those are good for netflow, but when they already exist in
the network. Is it worth buying an ASR, if an L3 switch is already doing
the job (BGP/ACL/rate-limit/routing)?

>> i am not talking that on some hardware it is just impossible to run
>> it.
>> So everything about netflow are built on assumption that hosting or
>> ISP can run it. And based on some observations, majority of small/middle
>> hosting providers are using minimal, just BGP capable L3 switch as
>> core, and cheapest but reliable L2/L3 on aggregation, and both are
>> capable in best case to run sampled sFlow.
>
> Actually, sFlow from many vendors is pretty good (per your points about
> flow burstiness and delays), and is good enough for dDoS detection.  Not
> for security forensics, or billing at 99.99% accuracy, but good enough
> for traffic visibility, peering analytics, and (d)DoS detection.

Well, if it is available, apart from hardware limitations, there is a
second obstacle: software licensing cost. On latest JunOS, for example on
EX2200, you need to purchase a license (EFL), and if I am not wrong it is
$3000 for 48-port units. So if only the sFlow feature is at stake, it is
worth thinking whether to purchase the license or to purchase a server.
Prices for the JFlow license on MX, just for 5/10G, are way above the cost
of a very decent server.

> snip
>
>> So for a small hosting(up to 10G), i believe, FastNetMon is best
>> solution. Faster, and no significant investments to equipment. Bigger
>> hosting providers might reuse their existing servers, segment the
>> network, and implement inexpensive monitoring on aggregation switches
>> without any additional cost again.
>
> It can be useful to have a 10G network monitoring box of course...
>
> And with the right setup you can run FastNetMon or other tools in
> addition to generating flow that can be of use for other purposes
> as well...

Technically there is ipt_NETFLOW, that can generate netflow on the same
box, for statistical/telemetry purposes. But I am not sure it is possible
to run them together.

>> Ah, and there is one more huge problem with netflow vs FastNetMon -
>> netflow just by design cannot be adapted to run pattern matching,
>> while it is trivial to patch FastNetMon for that, turning it to
>> mini-IDS for free.
>
> It's true, having a network tap can be useful for doing PCAP-y stuff.
>
> But taps can be difficult or at least time consuming for people to
> put in at scale.  Even, we've seen, for folks with 10G networks.
> Often because they can get 90% of what they need for 4 different
> business purposes from just flow :)

About scaling, I guess it depends on proper deployment strategy and
sysadmins'/developers' capabilities. For example, deploying a new ruleset
for my pcap-based homemade analyser to 150 probes across the country is
just one click.


---
Best regards,
Denys


Re: Multi-homing with multiple ASNs

2014-11-21 Thread Mark Tinka
On Friday, November 21, 2014 12:00:47 AM Curtis L. Parish wrote:

> We have recently added a second ISP (third if you count
> I2). Our first ISP is actually a private state
> network that peers with two Tier 1 providers. We own an
> AS number and our IP space but at the last minute
> learned our state network is advertising our network
> using two different ASNs (neither ours) so they can load
> balance their connections. If you hit the right
> looking glass server you can see our network advertised
> by three different ASNs. We were told by the new ISP
> that this is a problem but the state network says it is
> not.
>
> Looking for opinions and words of wisdom on this split
> advertising issue.

Why aren't you originating your own prefixes and ASN by 
yourselves, since you own both?

Mark.




Re: Multi-homing with multiple ASNs

2014-11-21 Thread William Waites
On Fri, 21 Nov 2014 11:07:49 +0200, Mark Tinka mark.ti...@seacom.mu said:

>> We own an AS number and our IP space but at the last minute
>> learned our state network is advertising our network using two
>> different ASNs (neither ours)

This will work, as in the BGP path selection algorithm will work as
designed in this situation. But it also means that the routing policy
is out of your control, which is kind of the point of having an ASN! It
also makes it harder to track down who is operationally responsible
for that address space since it appears to the outside world to be in
two (or three!) different places. I'd say don't do this unless you
really have no choice.

> Why aren't you originating your own prefixes and ASN by
> yourselves, since you own both?

Good question.

We (AS60241) almost ended up doing similarly for a while. Because of a
close association with the universities in Scotland, we discussed the
possibility of transit via JANET. This turned out to be difficult
because they run a whole bunch of private ASNs internally -- unlike in
North America where universities typically have their own real one. So
it would have been us - private stuff - AS786 and for some reason
that I forget they were unable to remove private ASNs from the
path. The best that might have been possible would be to have had them
announce our networks with synchronisation on, which would have meant
the outside world would have seen them originating in both AS786 and
AS60241. Icky. We (mutually) decided against this.

Just to say that there are strange, but not completely unreasonable
circumstances in which this can happen...

-w




Re: Multi-homing with multiple ASNs

2014-11-21 Thread William Herrin
On Thu, Nov 20, 2014 at 5:00 PM, Curtis L. Parish curtis.par...@mtsu.edu
wrote:
> We have recently added a second ISP (third if you count I2).
> Our first ISP is actually a private state network that peers with
> two Tier 1 providers.  We own an AS number and our IP space
> but at the last minute learned our state network is advertising
> our network using two different ASNs (neither ours) so they can
> load balance their connections. If you hit the right looking glass
> server you can see our network advertised by three different
> ASNs. We were told by the new ISP that this is a problem but
> the state network says it is not.

Howdy,

If you drop your connection to the state network, do the routes with their
AS numbers drop out of the looking glasses? If not, then there's a problem.

If you depreference your connection to the state network by prepending your
AS number, do comparable prepends appear at the looking glasses or does the
state network continue to give its advertisement of your address space top
billing? If the state network's behavior strips your ability to load
balance your network then there's a problem.

Conventionally, the state network should be adding its AS number after
yours, not stripping your AS number. More often than not, this convention
is also the technically correct course of action.

Regards,
Bill Herrin


--
William Herrin  her...@dirtside.com  b...@herrin.us
Owner, Dirtside Systems . Web: http://www.dirtside.com/
May I solve your unusual networking challenges?
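The looking-glass checks Bill describes above (does our ASN appear in every path, who originates the prefix, do our prepends survive) can be automated against the AS_PATH column of any looking-glass output. The script below is an added example, not code from this thread or from any looking glass; the `LG_OUTPUT` lines are constructed, use documentation ASNs only (64511 stands in for "our" ASN, 64502/64503 for the state network's two ASNs), and the line format is an assumption that you would adapt to the particular looking glass you query.

```python
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Constructed looking-glass style output, not a capture from any real route
# server: one line per path, "prefix  AS_PATH origin-code", documentation ASNs only.
# 64511 plays "our" ASN; 64502/64503 play the state network's two ASNs.
LG_OUTPUT = """\
203.0.113.0/24  64496 64500 64511 i
203.0.113.0/24  64496 64500 64511 64511 64511 i
203.0.113.0/24  64497 64502 i
203.0.113.0/24  64497 64503 i
"""

# Assumed line shape: prefix, whitespace, ASNs, then the BGP origin code (i/e/?).
PATH_RE = re.compile(r"^\s*(\S+/\d+)\s+((?:\d+\s+)+)[ie?]\s*$")


def parse_paths(text: str) -> List[Tuple[str, List[int]]]:
    """Extract (prefix, [ASNs left to right]) from each path line; skip anything else."""
    paths = []
    for line in text.splitlines():
        m = PATH_RE.match(line)
        if m:
            paths.append((m.group(1), [int(a) for a in m.group(2).split()]))
    return paths


def audit_origin(paths: List[Tuple[str, List[int]]], prefix: str, own_asn: int,
                 expected_prepends: int = 0) -> Dict[str, object]:
    """Summarise how `prefix` is seen from the collector: which ASNs originate it,
    whether our ASN is present in every path, and whether the prepends we applied
    (`expected_prepends` extra copies of our ASN) survive in each path."""
    origins: Counter = Counter()
    prepends: List[Optional[int]] = []
    missing_own = 0
    ignoring_prepends = 0
    for pfx, path in paths:
        if pfx != prefix:
            continue
        origins[path[-1]] += 1          # rightmost ASN is the origin
        if own_asn not in path:
            missing_own += 1            # our ASN was stripped or never added
            prepends.append(None)
            continue
        seen = path.count(own_asn) - 1  # copies beyond the first are prepends
        prepends.append(seen)
        if seen < expected_prepends:
            ignoring_prepends += 1      # someone upstream is not carrying our prepends
    return {
        "origins": dict(origins),
        "multiple_origins": len(origins) > 1,
        "paths_without_own_asn": missing_own,
        "prepends_seen": prepends,
        "paths_ignoring_prepends": ignoring_prepends,
        "own_asn_is_origin_everywhere": set(origins) == {own_asn},
    }


if __name__ == "__main__":
    report = audit_origin(parse_paths(LG_OUTPUT), "203.0.113.0/24", 64511,
                          expected_prepends=2)
    for k, v in report.items():
        print(f"{k}: {v}")
```

On the constructed input the report shows three origin ASNs for one prefix, two paths in which the owner's ASN does not appear at all, and one path where the owner's two prepends are not visible: exactly the symptoms the thread is discussing. Run it against several looking glasses (paths seen from different vantage points) rather than one, since a single collector may only see the state network's view.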


Re: DDOS, IDS, RTBH, and Rate limiting

2014-11-21 Thread Roland Dobbins


On 21 Nov 2014, at 15:17, Denys Fedoryshchenko wrote:

> Word stateful has nothing common with stateful firewall. Stateful
> protocol. a protocol which requires keeping of the internal state on
> the server is known as a stateful protocol.

Correct - and NetFlow is not stateful, by this definition.

> And sure unidirectional/bidirectional is totally unrelated.

On the contrary, it is quite relevant.

> Cisco 65xx (yes, they are obsolete, but they run stuff wirespeed)

They are not obsolete - they perform very well with Sup2T and
EARL8-based linecards.

> Aug 24 12:30:53: %EARL_NETFLOW-SP-4-TCAM_THRLD: Netflow TCAM threshold
> exceeded, TCAM Utilization [97%]

This is from a 6500 with either an EARL6 or EARL7 ASIC, which had many
caveats with regards to NetFlow, including a lack of packet-sampled
control of flow creation - i.e., sampled NetFlow.  As part of the
extended team which defined requirements for the EARL8 ASIC, which is
utilized in the Sup2T and DFC-4 enabled linecards, I can assure you that
this is no longer an issue with 6500s running EARL8-based Sups and
linecards.

> Also on many Cisco's if you use UBRL, then you cannot use NetFlow,
> just because they use same part of TCAM resources.

This is where TCAM carving comes into play.  Also, it is not so much an
issue with newer hardware, per the above.  Also, UBRL is not commonly
used in ISP networks.

> Others, for example Juniper, are using sampling (read - missing data),

The largest networks in the world use sampled NetFlow every hour of
every day for many purposes, including DDoS
detection/classification/traceback.  It works quite well for all those
purposes.

> just to not overflow resources, and has various limitations, such as
> RE-DPC communication pps limit, licensing limit.
> For example MS-DPC is pretty good one, few million flows in hardware,
> 7-8Gbps of traffic, and... cost $12.

You get what you pay for.

> But still they can run fine mirroring, and fastnetmon will do it's
> job.

On the contrary - SPAN nee port mirroring cuts into the
frames-per-second budget of linecards, as the traffic is in essence
being duplicated.  It is not 'free', and it has a profound impact on the
switch's data-plane traffic forwarding capacity.

Unlike NetFlow.

> In certain limits. You can't set flow-active-timeout less than 60
> seconds in Junos 14 for example.

Platforms vary, this is true.  However, I have never run into an issue
with an active flow timer of 60s, nor have I ever run into anyone who
has done so.

> On some platforms even if you can, you just run in the limits of
> platforms again (forwarding - management communications).

This is incorrect.

> Fastnetmon and similar tools popularity says for itself.

Yes, it does - they are far less popular than NetFlow, because they do
not scale on networks of any size, nor do they provide traceback (given
your lack of comments on traceback elsewhere in this thread, it appears
that you aren't familiar with this concept).

> What can be asserted without evidence can be dismissed without
> evidence.

You make my point very well, thank you.  There is overwhelming evidence
that NetFlow and similar forms of flow telemetry scale well and provide
real, measurable, actionable operational value on networks of all types
and sizes.  The reason for the popularity of flow telemetry is that it
is low-opex (no probes to deploy); low-capex (no probes to deploy);
scales to tb/sec speeds; is practicable for large networks (no probes to
deploy); provides instantaneous traceback (probes can't do this); and
provides statistics on dropped traffic (probes can't do this, either).

> Sweet marketing buzzwords,

It's pretty obvious which half of this 'conversation' is focused on
marketing; and it isn't mine.

> that is used together with some unclear calculations,

No calculations have been discussed during the course of this
'conversation'.

> to sell suffering hosting providers various expensive tools,

I'm uninterested in selling anyone anything.  What I'm interested in
doing is correcting the misinformation you are promulgating regarding
the utility of flow telemetry coupled with open-source flow analysis
systems.  There has been no mention of any commercial systems or
products in my half of this 'conversation'.

> that is not necessary for them.

Again, the benefits of flow telemetry are quite clear for networks of
any size.

> OPEX of fastnetmon is a small fee for qualified sysadmin, and often
> not required, because already hosting operator should have him.

You obviously do not know what the term opex actually means, nor what it
encompasses.

> I can agree only that arguing about this subject is waste of time.

Yes, it isn't a profitable use of time to argue with someone who does
not have the degree of operational expertise nor experience to back his
demonstrably incorrect assertions.

> where netflow just by design cannot outperform it

Again, this is a completely unsupported

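Both the "netflow delaying factors" list from Denys's first post (flow record expiration, typical delay 15-60 s) and Roland's reply above (active timer of 60 s, FIFOing of records when the cache fills, TCP FIN/RST ending a flow early, one record per direction) are statements about how a flow cache decides when a record leaves the box. The following is an added example written for this thread, not code from any router, collector or from FastNetMon: a toy software model of such a cache on a one-second clock, with constructed packets, so the export delay under each expiry rule can be measured directly. Timer values and the traffic schedule are assumptions chosen for the demonstration.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

TCP_FIN = 0x01
TCP_RST = 0x04
PROTO_TCP = 6
PROTO_UDP = 17

# A flow key is the unidirectional 5-tuple: the reverse direction is a separate flow.
FlowKey = Tuple[str, str, int, int, int]  # src, dst, sport, dport, proto


@dataclass
class FlowRecord:
    key: FlowKey
    first_seen: float
    last_seen: float
    packets: int = 0
    octets: int = 0
    tcp_flags: int = 0


@dataclass
class ExportedRecord:
    record: FlowRecord
    exported_at: float
    reason: str

    @property
    def export_delay(self) -> float:
        """Seconds between the flow's last packet and the record leaving the cache."""
        return self.exported_at - self.record.last_seen


class FlowCache:
    """Toy flow cache: active/inactive timers, FIN/RST termination, bounded size."""

    def __init__(self, active_timeout: float = 60.0, inactive_timeout: float = 15.0,
                 max_entries: int = 10_000):
        self.active_timeout = active_timeout
        self.inactive_timeout = inactive_timeout
        self.max_entries = max_entries
        self.cache: Dict[FlowKey, FlowRecord] = {}   # insertion-ordered: oldest first
        self.exported: List[ExportedRecord] = []

    def _export(self, key: FlowKey, now: float, reason: str) -> None:
        self.exported.append(ExportedRecord(self.cache.pop(key), now, reason))

    def packet(self, now: float, src: str, dst: str, sport: int, dport: int,
               proto: int, length: int, flags: int = 0) -> None:
        key: FlowKey = (src, dst, sport, dport, proto)
        rec = self.cache.get(key)
        if rec is None:
            if len(self.cache) >= self.max_entries:
                # Cache full: push out the oldest record early (the "FIFOing" effect).
                oldest = next(iter(self.cache))
                self._export(oldest, now, "cache_full")
            rec = self.cache[key] = FlowRecord(key, now, now)
        rec.packets += 1
        rec.octets += length
        rec.last_seen = now
        rec.tcp_flags |= flags
        # A FIN or RST closes a TCP flow immediately; no timer has to run out.
        if proto == PROTO_TCP and flags & (TCP_FIN | TCP_RST):
            self._export(key, now, "fin_rst")

    def tick(self, now: float) -> None:
        """Periodic expiry scan, as an exporter would run it."""
        for key, rec in list(self.cache.items()):
            if now - rec.first_seen >= self.active_timeout:
                self._export(key, now, "active_timeout")
            elif now - rec.last_seen >= self.inactive_timeout:
                self._export(key, now, "inactive_timeout")


def demo() -> List[Tuple[str, str, str, int, float]]:
    """Constructed traffic on a 1-second clock: a 90-second UDP stream and a short
    TCP session seen in both directions. Returns (src, dst, reason, packets, delay)
    for every record in export order."""
    fc = FlowCache(active_timeout=60.0, inactive_timeout=15.0)
    for t in range(0, 120):
        if t <= 89:   # one UDP packet per second for 90 seconds
            fc.packet(t, "192.0.2.10", "198.51.100.5", 40000, 4000, PROTO_UDP, 1200)
        if t == 5:    # client SYN
            fc.packet(t, "192.0.2.20", "198.51.100.80", 51000, 443, PROTO_TCP, 60, 0x02)
        if t == 6:    # data in both directions (PSH|ACK)
            fc.packet(t, "192.0.2.20", "198.51.100.80", 51000, 443, PROTO_TCP, 500, 0x18)
            fc.packet(t, "198.51.100.80", "192.0.2.20", 443, 51000, PROTO_TCP, 1400, 0x18)
        if t == 7:    # client FIN|ACK
            fc.packet(t, "192.0.2.20", "198.51.100.80", 51000, 443, PROTO_TCP, 60, 0x11)
        if t == 8:    # server FIN|ACK
            fc.packet(t, "198.51.100.80", "192.0.2.20", 443, 51000, PROTO_TCP, 60, 0x11)
        fc.tick(t)
    return [(e.record.key[0], e.record.key[1], e.reason, e.record.packets, e.export_delay)
            for e in fc.exported]


if __name__ == "__main__":
    for row in demo():
        print(row)
```

The demo shows the three cases side by side: the TCP session produces two unidirectional records that export with zero delay on FIN; the long UDP stream is cut at the 60 s active timer (again zero delay, but the record only describes the first minute) and its tail waits the full inactive timer before export. For detection the meaningful figure is the first export, which is bounded by the active timer, not by the flow's length; a collector that needs sub-minute reaction on a platform with a 60 s floor, as Denys notes for Junos, is limited by that floor.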
Re: DDOS, IDS, RTBH, and Rate limiting

2014-11-21 Thread Denys Fedoryshchenko

On 2014-11-21 14:50, Roland Dobbins wrote:

> On 21 Nov 2014, at 15:17, Denys Fedoryshchenko wrote:
>
>> Word stateful has nothing common with stateful firewall. Stateful
>> protocol. a protocol which requires keeping of the internal state on
>> the server is known as a stateful protocol.
>
> Correct - and NetFlow is not stateful, by this definition.

Not stateful, if you pick on the word "server".
To be able to make bytes/packets accounting for a flow, you need to keep
this specific flow's previous state. To be able to differentiate between
flows with the same src/dst ip+ports (if one has ended, the next is started
with the same data) you need to track its state, again. And just to keep
track of _flows_ in a packet switched network you need states. Surprising
lack of knowledge.

>> And sure unidirectional/bidirectional is totally unrelated.
>
> On the contrary, it is quite relevant.
>
>> Cisco 65xx (yes, they are obsolete, but they run stuff wirespeed)
>
> They are not obsolete - they perform very well with Sup2T and
> EARL8-based linecards.

Seems yes, I'm wrong on that point; I was not successful in running netflow
in a reliable way, but it was before CSCul90377 and CSCui17732 were fixed.

>> Others, for example Juniper, are using sampling (read - missing data),
>
> The largest networks in the world use sampled NetFlow every hour of
> every day for many purposes, including DDoS
> detection/classification/traceback.  It works quite well for all those
> purposes.

The use case of fastnetmon is not the largest networks. Sampled netflow is
useless for per-traffic billing purposes, for example.

>> just to not overflow resources, and has various limitations, such as
>> RE-DPC communication pps limit, licensing limit.
>> For example MS-DPC is pretty good one, few million flows in hardware,
>> 7-8Gbps of traffic, and... cost $12.
>
> You get what you pay for.

While I can pay $1500 for a server, and get netflow and ~3 second BGP
blackholing with fastnetmon.

>> But still they can run fine mirroring, and fastnetmon will do it's
>> job.
>
> On the contrary - SPAN nee port mirroring cuts into the
> frames-per-second budget of linecards, as the traffic is in essence
> being duplicated.  It is not 'free', and it has a profound impact on
> the switch's data-plane traffic forwarding capacity.
>
> Unlike NetFlow.

In the hosting case mirroring is usually done for the uplink port, but I
have to agree, it might be a problem.

> Yes, it does - they are far less popular than NetFlow, because they do
> not scale on networks of any size, nor do they provide traceback
> (given your lack of comments on traceback elsewhere in this thread, it
> appears that you aren't familiar with this concept).
>
> You make my point very well, thank you.  There is overwhelming
> evidence that NetFlow and similar forms of flow telemetry scale well
> and provide real, measurable, actionable operational value on networks
> of all types and sizes.  The reason for the popularity of flow
> telemetry is that it is low-opex (no probes to deploy); low-capex (no
> probes to deploy); scales to tb/sec speeds; is practicable for large
> networks (no probes to deploy); provides instantaneous traceback
> (probes can't do this); and provides statistics on dropped traffic
> (probes can't do this, either).

And again and again we are going to tb/s. I don't need TB/s, I don't need
traceback; neither on a relatively small ISP nor on a VDS provider do I
need all of that above. I just need an inexpensive way to block an attacked
IP and/or announce it from a different location within a minimal timeframe,
to minimize the impact on other customers.
You might be highly professional with large scale operators, but small
guys' needs and capabilities are very different.
I had developed a tool similar to fastnetmon for almost the same purpose,
detecting attacks and switching the affected network by BGP to a protected
backbone. After calculating OPEX/CAPEX, a capable server turned out to be a
much cheaper alternative in the short and long term than buying netflow
capable hardware (and support for it) just for netflow purposes, and
buying hardware for a netflow collector.

Let's talk numbers.
My case is small hosting, 4G, C4948-10G, one 10G uplink, one 10G port is
free. The switch is not capable of running sFlow or Netflow.
A decent server is available already, since it is a hosting company, so the
only expense is a 10G 82599 card, which is around $500. Even in case a
server is not available, based on data from the fastnetmon author the
total cost is still within $1500. Deployment time: hours from installing
the hardware, without disrupting existing traffic.
Major expenses: tuning the server according to the author's
recommendations, and writing a shell script that will send the 4948 a
command to blackhole an IP. For a qualified sysadmin it is 2 hours of work,
and $500 max as labor cost. That's it. What can be cheaper than $2000 in
this case? I guess I won't get an answer.

> I'm uninterested in selling anyone anything.  What I'm interested in
> doing is correcting the misinformation you are promulgating regarding
> the utility of flow telemetry coupled with open-source flow

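The "shell script that will send the 4948 a command to blackhole an IP" in the post above is the part of such a setup that deserves the most care, because a detector false positive turns it into a self-inflicted outage. The following is an added example, not Denys's script and not FastNetMon code: it shows the guard rails a practitioner would put around an automated RTBH trigger (only host routes inside your own prefixes, every automatic entry expires, a cap on how many can be active at once) and emits the IOS-style static-route lines. Assumptions: the `203.0.113.0/24` prefix and the `666` tag are constructed values; a route-map that matches that tag and attaches the blackhole community when redistributing statics into BGP is assumed to exist already on the switch; how the lines reach the switch (SSH, console) is out of scope, so the functions return them as strings.

```python
import ipaddress
from typing import Dict, Iterable, List

IPv4Net = ipaddress.IPv4Network

# Constructed values: the hoster's own address space, and the tag a pre-existing
# route-map is assumed to match when redistributing statics into BGP (RTBH).
OWNED_PREFIXES: List[IPv4Net] = [ipaddress.ip_network("203.0.113.0/24")]
BLACKHOLE_TAG = 666
MAX_ACTIVE_BLACKHOLES = 16   # bound on collateral damage if the detector misfires


def validate_target(target: str, owned: Iterable[IPv4Net]) -> ipaddress.IPv4Address:
    """Accept only a single IPv4 host address that lies inside our own prefixes."""
    addr = ipaddress.ip_address(target)
    if addr.version != 4:
        raise ValueError(f"{target}: only IPv4 handled here")
    if not any(addr in net for net in owned):
        raise ValueError(f"{target}: not inside our own prefixes, refusing")
    return addr


def blackhole_commands(target: str, owned: Iterable[IPv4Net] = OWNED_PREFIXES,
                       withdraw: bool = False) -> List[str]:
    """IOS-style lines that add (or, with withdraw=True, remove) a /32 Null0 route
    tagged for the blackhole route-map. Always a host route, never a larger block."""
    addr = validate_target(target, owned)
    route = f"ip route {addr} 255.255.255.255 Null0 tag {BLACKHOLE_TAG}"
    return ["configure terminal", ("no " if withdraw else "") + route, "end"]


class BlackholeLedger:
    """Tracks automatic blackholes so each one expires and the total stays capped."""

    def __init__(self, ttl_seconds: int = 1800, limit: int = MAX_ACTIVE_BLACKHOLES):
        self.ttl = ttl_seconds
        self.limit = limit
        self.active: Dict[str, float] = {}   # address -> expiry time (epoch seconds)

    def add(self, target: str, now: float) -> List[str]:
        """Return the commands to push; empty if the address is already blackholed
        (its expiry is refreshed instead of re-pushing the route)."""
        addr = str(validate_target(target, OWNED_PREFIXES))
        if addr in self.active:
            self.active[addr] = now + self.ttl
            return []
        if len(self.active) >= self.limit:
            raise RuntimeError("blackhole limit reached; check the detector before adding more")
        self.active[addr] = now + self.ttl
        return blackhole_commands(addr)

    def expire(self, now: float) -> List[str]:
        """Return the withdraw commands for every entry whose TTL has run out."""
        cmds: List[str] = []
        for addr, until in list(self.active.items()):
            if now >= until:
                del self.active[addr]
                cmds.extend(blackhole_commands(addr, withdraw=True))
        return cmds


if __name__ == "__main__":
    ledger = BlackholeLedger(ttl_seconds=600)
    print("\n".join(ledger.add("203.0.113.7", now=0)))          # push
    print(ledger.add("203.0.113.7", now=30))                      # [] (already active)
    print("\n".join(ledger.expire(now=600)))                      # withdraw
```

The TTL is the important design choice: a detector that only ever adds routes leaves the victim address dark long after the attack has moved on, so the withdraw path must be as automatic as the add path. Expiry on a still-attacked address simply causes the detector to re-add it on the next cycle, which is the behaviour you want.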
RE: Multi-homing with multiple ASNs

2014-11-21 Thread Curtis L. Parish
Thanks for all the responses.  I will answer a few questions that have come on
and off list.   (Sorry for length)

We advertise our ASN into the state network with more specific routes that we
advertise via ISP2 via our ASN. This is done because the state (vendor
managed) network runs stateful firewalls and we have to force other multi-homed
entities on the state network to use our state connection instead of ISP2.
Our network has been removed from the state firewall due to previous problems
with asymmetric routing with our I2 circuit. I am told the state network
does drop our network from their advertisements when our network is
unreachable.  That has not been explained or tested.

What we did not realize until about a week before turning up ISP2 was the state
was consolidating all state networks to use two of the vendor's ASNs when it
peers with their two ISPs.  Our ASN is not part of the path. We had no
choice but to turn up ISP2 due to bandwidth reasons. Miraculously we
achieved almost a 50/50 balance of traffic. Bandwidth will be increased on
ISP2 as demand grows so we will need the ability to prepend on the state
network to make ISP2 look more desirable.

I believe the state will modify their advertisements to add our ASN to the path
but changes to advertising via the state network have to go through a design and
change management process and then be scheduled into maintenance windows.
Any attempts to balance the traffic via prepending will take weeks. As long
as the traffic stays balanced we are OK. When replaying BGP route changes I
normally see our network only advertised out one of the state ASNs but
occasionally I see it with two so traffic balance may be impacted depending on
which ISP the state is egressing.

Here is a question.   I know that having one network advertised by multiple
ASNs is unconventional and thus it will probably be harder to get help
troubleshooting routing problems when they arise. Do you see a situation
where our network might be caught in a loop or black hole due to asymmetric
routing and conflicting advertisements?

Thanks again. New to the list but have already learned much by reading the
archives.

Curtis


Curtis Parish
Senior Network Engineer
Middle Tennessee State University


> Subject: Re: Multi-homing with multiple ASNs
>
> Howdy,
>
> If you drop your connection to the state network, do the routes with their AS
> numbers drop out of the looking glasses? If not, then there's a problem.
>
> If you depreference your connection to the state network by prepending your AS
> number, do comparable prepends appear at the looking glasses or does the state
> network continue to give its advertisement of your address space top billing?
> If the state network's behavior strips your ability to load balance your
> network then there's a problem.
>
> Conventionally, the state network should be adding its AS number after yours,
> not stripping your AS number. More often than not, this convention is also the
> technically correct course of action.



Transit, Exchange Point Agreements, and Acceptable Use?

2014-11-21 Thread Paul Ferguson
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

I'll apologize up front if this offends anyone's sensitivities as to
what is relevant for list conversation... but one sentence in this
Channel4 News story (from what I understand, Channel4 is a very
popular news source in the UK) struck me as perhaps in violation of
some sort of peering and/or transit agreement. Cable and Wireless:

...even went as far as providing traffic from a rival foreign
communications company, handing information sent by millions of
internet users worldwide over to spies.

The entire article is here:

http://www.channel4.com/news/spy-cable-revealed-how-telecoms-firm-worked-with-gchq

My question is this: Do willful actions such as these violate peering,
transit, and/or exchange agreements in any way?

Thanks,

- - ferg


- -- 
Paul Ferguson
VP Threat Intelligence, IID
PGP Public Key ID: 0x54DC85B2
Key fingerprint: 19EC 2945 FEE8 D6C8 58A1 CE53 2896 AC75 54DC 85B2
-BEGIN PGP SIGNATURE-
Version: GnuPG v2

iF4EAREIAAYFAlRvUzsACgkQKJasdVTchbKc3AD+OBNKXfYJ/Vjsa2pYL7+ewvql
629C4Ie5jzPgIpAgrToA/1gdeKQX69OHOc79RwsI6uUq99cRoDsHOSf3zTDnwsZy
=7Xps
-END PGP SIGNATURE-


Re: Transit, Exchange Point Agreements, and Acceptable Use?

2014-11-21 Thread Daniel Corbe

Paul Ferguson fergdawgs...@mykolab.com writes:

> I'll apologize up front if this offends anyone's sensitivities as to
> what is relevant for list conversation... but one sentence in this
> Channel4 News story (from what I understand, Channel4 is a very
> popular news source in the UK) struck me as perhaps in violation of
> some sort of peering and/or transit agreement. Cable and Wireless:
>
> ...even went as far as providing traffic from a rival foreign
> communications company, handing information sent by millions of
> internet users worldwide over to spies.
>
> The entire article is here:
>
> http://www.channel4.com/news/spy-cable-revealed-how-telecoms-firm-worked-with-gchq
>
> My question is this: Do willful actions such as these violate peering,
> transit, and/or exchange agreements in any way?
>
> Thanks,
>
> - ferg

Welcome to the modern age of communications.  The privacy nuts and
tinfoil hat types turned out to be correct.  Assume that you have no
privacy and encrypt everything you do.  Or just stop caring about
privacy all together.  Either way, not much has actually changed.



RE: Transit, Exchange Point Agreements, and Acceptable Use?

2014-11-21 Thread Siegel, David
Most written peering agreements have a clause that says you can't provide that 
data unless required to by authorities and only in compliance with applicable 
local law.

The article says that's still an open question:

Channel 4 News has been unable to establish whether Reliance Communications 
was served with a warrant to authorise this and the company has not responded 
to our calls.

Dave


-Original Message-
From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Paul Ferguson
Sent: Friday, November 21, 2014 7:59 AM
To: NANOG
Subject: Transit, Exchange Point Agreements, and Acceptable Use?

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

I'll apologize up front if this offends anyone's sensitivities as to what is 
relevant for list conversation... but one sentence in this
Channel4 News story (from what I understand, Channel4 is a very popular news 
source in the UK) struck me as perhaps in violation of some sort of peering 
and/or transit agreement. Cable and Wireless:

...even went as far as providing traffic from a rival foreign communications 
company, handing information sent by millions of internet users worldwide over 
to spies.

The entire article is here:

http://www.channel4.com/news/spy-cable-revealed-how-telecoms-firm-worked-with-gchq

My question is this: Do willful actions such as these violate peering, transit, 
and/or exchange agreements in any way?

Thanks,

- - ferg


- --
Paul Ferguson
VP Threat Intelligence, IID
PGP Public Key ID: 0x54DC85B2
Key fingerprint: 19EC 2945 FEE8 D6C8 58A1 CE53 2896 AC75 54DC 85B2
-BEGIN PGP SIGNATURE-
Version: GnuPG v2

iF4EAREIAAYFAlRvUzsACgkQKJasdVTchbKc3AD+OBNKXfYJ/Vjsa2pYL7+ewvql
629C4Ie5jzPgIpAgrToA/1gdeKQX69OHOc79RwsI6uUq99cRoDsHOSf3zTDnwsZy
=7Xps
-END PGP SIGNATURE-


Re: Transit, Exchange Point Agreements, and Acceptable Use?

2014-11-21 Thread Paul Ferguson
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

On 11/21/2014 7:07 AM, Daniel Corbe wrote:

> Paul Ferguson fergdawgs...@mykolab.com writes:
>
>> I'll apologize up front if this offends anyone's sensitivities as
>> to what is relevant for list conversation... but one sentence in
>> this Channel4 News story (from what I understand, Channel4 is a
>> very popular news source in the UK) struck me as perhaps in
>> violation of some sort of peering and/or transit agreement. Cable
>> and Wireless:
>>
>> ...even went as far as providing traffic from a rival foreign
>> communications company, handing information sent by millions of
>> internet users worldwide over to spies.
>>
>> The entire article is here:
>>
>> http://www.channel4.com/news/spy-cable-revealed-how-telecoms-firm-worked-with-gchq
>>
>> My question is this: Do willful actions such as these violate peering,
>> transit, and/or exchange agreements in any way?
>>
>> Thanks,
>>
>> - ferg
>
> Welcome to the modern age of communications.  The privacy nuts and
> tinfoil hat types turned out to be correct.  Assume that you have
> no privacy and encrypt everything you do.  Or just stop caring
> about privacy all together.  Either way, not much has actually
> changed.

Well, yes, of course I understand that you should encrypt any & every
thing that you wish to protect, and believe me -- I (more than most)
understand the long tug of war between telecommunications companies
and national intelligence services.

But you did not address my question... ;-)

Cheers,

- - ferg


- -- 
Paul Ferguson
VP Threat Intelligence, IID
PGP Public Key ID: 0x54DC85B2
Key fingerprint: 19EC 2945 FEE8 D6C8 58A1 CE53 2896 AC75 54DC 85B2
-BEGIN PGP SIGNATURE-
Version: GnuPG v2

iF4EAREIAAYFAlRvVnAACgkQKJasdVTchbIviwEAk1UQEY/sCwGi0Qua15lCzdPv
NWHofFXWJkk+GEjGYMMA/RuOJcL4r+DCr526WsFU/8lGYk80M78pB7rhogN9pgs2
=Oxw/
-END PGP SIGNATURE-


Re: Transit, Exchange Point Agreements, and Acceptable Use?

2014-11-21 Thread Paul Ferguson

On 11/21/2014 7:09 AM, Siegel, David wrote:

 Most written peering agreements have a clause that says you can't
 provide that data unless required to by authorities and only in
 compliance with applicable local law.
 
 The article says that's still an open question:
 
 Channel 4 News has been unable to establish whether Reliance
 Communications was served with a warrant to authorise this and the
 company has not responded to our calls.
 

Right, I noticed that bit. :-)

Cheers,

- ferg


 Dave
 
 
 -Original Message- From: NANOG
 [mailto:nanog-boun...@nanog.org] On Behalf Of Paul Ferguson Sent:
 Friday, November 21, 2014 7:59 AM To: NANOG Subject: Transit,
 Exchange Point Agreements, and Acceptable Use?
 
 I'll apologize up front if this offends anyone's sensitivities as
 to what is relevant for list conversation... but one sentence in
 this Channel4 News story (from what I understand, Channel4 is a
 very popular news source in the UK) struck me as perhaps in
 violation of some sort of peering and/or transit agreement. Cable
 and Wireless:
 
 ...even went as far as providing traffic from a rival foreign
 communications company, handing information sent by millions of
 internet users worldwide over to spies.
 
 The entire article is here:
 
 http://www.channel4.com/news/spy-cable-revealed-how-telecoms-firm-worked-with-gchq

  My question is this: Do willful actions such as these violate
 peering, transit, and/or exchange agreements in any way?
 
 Thanks,
 
 - ferg
 
 
 

-- 
Paul Ferguson
VP Threat Intelligence, IID
PGP Public Key ID: 0x54DC85B2
Key fingerprint: 19EC 2945 FEE8 D6C8 58A1 CE53 2896 AC75 54DC 85B2


Incident notification

2014-11-21 Thread Thijs Stuurman
Nanog list members,

I was looking at some statistics and noticed we are sending out a massive amount 
of SMS messages from our monitoring systems.
This left me wondering if there isn't a better (and cheaper) alternative to 
this, something just as reliable but IP based. We all have smartphones these 
days anyway.

Therefore my question, what are you using to notify admins of incidents?

Kind regards / Met vriendelijke groet,

Thijs Stuurman



IS Group
Wielingenstraat 8
1441 ZR Purmerend
T +31 (0)299 476 185
F +31 (0)299 476 288
i...@is.nl
www.is.nl

IS Group is ISO 9001:2008, ISO/IEC 27001:2005, ISO 20.000-1:2005, ISAE 3402 
certified. The data centers are PCI DSS and ISO 14001 compliant.




RE: Incident notification

2014-11-21 Thread Matthew Huff
The advantage of SMS is that it is out of band. Any smtp or other IP based 
solution requires a stable and working network environment, which is what the 
alert may be trying to tell you is down.



Matthew Huff | 1 Manhattanville Rd
Director of Operations   | Purchase, NY 10577
OTA Management LLC   | Phone: 914-460-4039
aim: matthewbhuff    | Fax:   914-694-5669

-Original Message-
From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Thijs Stuurman
Sent: Friday, November 21, 2014 10:52 AM
To: nanog@nanog.org
Subject: Incident notification

Nanog list members,

I was looking at some statistics and noticed we are sending out a massive amount 
of SMS messages from our monitoring systems.
This left me wondering if there isn't a better (and cheaper) alternative to 
this, something just as reliable but IP based. We all have smartphones these 
days anyway.

Therefore my question, what are you using to notify admins of incidents?

Kind regards / Met vriendelijke groet,

Thijs Stuurman







Re: Incident notification

2014-11-21 Thread Josh Luthman
Pagerduty for phone calls.  Can do SMS as well, I believe.


Josh Luthman
Office: 937-552-2340
Direct: 937-552-2343
1100 Wayne St
Suite 1337
Troy, OH 45373

On Fri, Nov 21, 2014 at 10:52 AM, Thijs Stuurman thijs.stuur...@is.nl
wrote:

 Nanog list members,

 I was looking at some statistics and noticed we are sending out a massive
 amount of SMS messages from our monitoring systems.
 This left me wondering if there isn't a better (and cheaper) alternative
 to this, something just as reliable but IP based. We all have smartphones
 these days anyway.

 Therefore my question, what are you using to notify admins of incidents?

 Kind regards / Met vriendelijke groet,

 Thijs Stuurman








RE: Incident notification

2014-11-21 Thread Thijs Stuurman

 The advantage of SMS is that it is out of band. Any smtp or other IP based 
 solution requires a stable and working network environment, which is what the 
 alert may be trying to tell you is down.

I do not worry so much about that, part of the monitoring solution is out of 
band for that reason.

Kind regards / Met vriendelijke groet,
Thijs Stuurman



Re: Incident notification

2014-11-21 Thread Derek Andrew
While we do not do this ourselves, I wonder why we would not use Twitter.
You can receive SMS, or texts in the app on a smart phone, or look at a
webpage. You can make them private and have lots of subscribers. I find
Twitter more reliable than our local SMS providers too.

d

On Fri, Nov 21, 2014 at 9:52 AM, Thijs Stuurman thijs.stuur...@is.nl
wrote:

 Nanog list members,

 I was looking at some statistics and noticed we are sending out a massive
 amount of SMS messages from our monitoring systems.
 This left me wondering if there isn't a better (and cheaper) alternative
 to this, something just as reliable but IP based. We all have smartphones
 these days anyway.

 Therefore my question, what are you using to notify admins of incidents?

 Kind regards / Met vriendelijke groet,

 Thijs Stuurman








-- 
Copyright 2014 Derek Andrew (excluding quotations)

+1 306 966 4808
Information Systems
University of Saskatchewan
Peterson 120; 54 Innovation Boulevard
Saskatoon,Saskatchewan,Canada. S7N 2V3
Timezone GMT-6

Typed but not read.


Re: Incident notification

2014-11-21 Thread Peter Kristolaitis
We use OpsGenie for notifications (and on-call scheduling, etc). There 
are other similar options such as PagerDuty, etc, as well.


Notifications can be submitted to the service in a variety of ways 
(email, web API, etc), it has a variety of integrations with other tools 
(Nagios, Pingdom, etc) to aggregate all of your alerts, and there is a 
callback mechanism where the user can trigger custom actions right from 
the app (for example, I wrote an interface for it such that when we get 
an alert, the on-call person can choose to restart the affected service 
-- or even reboot the entire VM hosting it -- right from within the 
OpsGenie app).


Each user can choose their method of contact (notification to the 
smartphone app, SMS, phone call, email, whatever), and on-call schedules 
(and exceptions) are easily managed.


It works for us... YMMV. ;)

- Peter


On 11/21/2014 10:52 AM, Thijs Stuurman wrote:

Nanog list members,

I was looking at some statistics and noticed we are sending out a massive amount 
of SMS messages from our monitoring systems.
This left me wondering if there isn't a better (and cheaper) alternative to 
this, something just as reliable but IP based. We all have smartphones these 
days anyway.

Therefore my question, what are you using to notify admins of incidents?

Kind regards / Met vriendelijke groet,

Thijs Stuurman









Level3 NOC contact

2014-11-21 Thread N M
Could a NOC engineer from Level3 contact me off list? I am having issues
out of Dallas on a circuit with traffic on your network -- Latency above
100ms --- My peer claims the issue is fixed but I am still seeing the same
problem -- Thanks


*Nathan Mallory*

*Network Engineer*
Opelika Power Services
600 Fox Run Pkwy
Opelika, Al 36801
Office:  (334) 705-1601


Re: DDOS, IDS, RTBH, and Rate limiting

2014-11-21 Thread Peter Phaal
 Actually, sFlow from many vendors is pretty good (per your points about flow
 burstiness and delays), and is good enough for dDoS detection.  Not for
 security forensics, or billing at 99.99% accuracy, but good enough for
 traffic visibility, peering analytics, and (d)DoS detection.

 Well, if it is available, except hardware limitations, there is a second
 obstacle, software licensing cost. On latest JunOS, for example on EX2200,
 you need to purchase a license (EFL), and if I am not wrong it is $3000 for
 48-port units. So if only the sFlow feature is at stake, it is worth thinking
 about whether to purchase the license or to purchase a server.

Juniper no longer charges for sFlow on the EX2200 (as of Junos 11.2):

http://www.juniper.net/techpubs/en_US/junos11.2/information-products/topic-collections/release-notes/11.2/junos-release-notes-11.2.pdf

I am not aware of any vendor requiring an additional license to enable sFlow.

sFlow (packet sampling) works extremely well for the DDoS flood
detection / mitigation use case. The measurements are built into low
cost commodity switch hardware and can be enabled operationally
without adversely impacting switch performance.  A flood attack
generates high packet rates and sampling a 10G port at 1-in-10,000
will reliably detect flood attacks within seconds.

For most use cases, it is much less expensive to use switches to
perform measurement than to attach taps / mirror port probes. If your
switches don't already support sFlow, you can buy a 10G capable white
box switch for a few thousand dollars that will let you monitor 1.2
Terabits/sec. If you go with an open platform such as Cumulus Linux,
you could even run your DDoS mitigation software on the switch and
dispense with the external server. Embedded instrumentation is simple
to deploy and reduces operational complexity and cost when compared to
add on probe solutions.

Peter Phaal
InMon Corp.
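
Peter's point above (1-in-10,000 sampling on a 10G port catches a flood within seconds because a flood's packet rate delivers samples quickly) worked through as an added example; this is not code from the thread or from InMon's tooling. It scales sampled counts back to packets per second, bounds the sampling error by the sample count, and flags a destination only when the low end of the estimate clears the threshold. The (timestamp, dst_ip) sample tuples, the addresses, the rates and every function name are constructed for the example.

```python
"""sFlow-based flood detection from packet samples (added example).

Assumptions made for this example: a sample is a (timestamp, dst_ip) tuple
taken from an sFlow flow_sample's sampled header; `sampling_rate` is the
sFlow 1-in-N rate; all packet rates and addresses below are constructed.
"""
import math
from collections import defaultdict

SAMPLING_RATE = 10_000     # 1-in-N, as discussed in the thread
WINDOW_SECONDS = 2.0       # length of the observation window


def estimate_pps(sample_count, sampling_rate, window_seconds):
    """Scale sampled packets back up to packets/second on the wire.

    Each sample stands for ~sampling_rate packets. Random 1-in-N sampling is
    close to Poisson, so the 1-sigma relative error of the estimate is
    1/sqrt(n) for n samples: 100 samples give ~10%, 400 give ~5%.
    Returns (estimated_pps, relative_error)."""
    if sample_count == 0:
        return 0.0, float("inf")
    pps = sample_count * sampling_rate / window_seconds
    return pps, 1.0 / math.sqrt(sample_count)


def samples_needed(rel_err):
    """Samples required for a given 1-sigma relative error (0.05 -> 400).
    Rounded to 9 places first so float noise cannot push ceil() up by one."""
    return math.ceil(round(1.0 / rel_err ** 2, 9))


def time_to_detect(attack_pps, sampling_rate, rel_err):
    """Seconds until a flood at attack_pps yields samples_needed(rel_err)
    samples. A 2.5 Mpps flood at 1-in-10,000 gives 250 samples/s, so a
    10%-accurate estimate is available after 0.4 s; 64-byte line rate on
    10G (~14.88 Mpps) would be faster still."""
    return samples_needed(rel_err) / (attack_pps / sampling_rate)


def detect_floods(samples, sampling_rate, window_seconds, threshold_pps,
                  min_samples=30):
    """Count samples per destination over the last window_seconds and flag
    destinations whose estimated rate exceeds threshold_pps.

    Two guards keep a few stray samples from paging anyone: a destination
    needs at least min_samples, and the comparison uses the low end of the
    estimate (pps * (1 - rel_err)), so the alert fires only when the rate is
    above threshold even after sampling error. Returns {dst: estimated_pps}."""
    if not samples:
        return {}
    end = max(ts for ts, _ in samples)
    start = end - window_seconds
    counts = defaultdict(int)
    for ts, dst in samples:
        if start <= ts <= end:
            counts[dst] += 1
    floods = {}
    for dst, n in counts.items():
        if n < min_samples:
            continue
        pps, rel_err = estimate_pps(n, sampling_rate, window_seconds)
        if pps * (1.0 - rel_err) > threshold_pps:
            floods[dst] = round(pps)
    return floods


def build_constructed_samples():
    """Constructed 2-second sample set: a victim (192.0.2.10) receiving a
    2.5 Mpps flood, which at 1-in-10,000 yields 500 samples, plus three hosts
    at ~50 kpps background (10 samples each)."""
    samples = [(i * WINDOW_SECONDS / 500, "192.0.2.10") for i in range(500)]
    for host in ("192.0.2.21", "192.0.2.22", "192.0.2.23"):
        samples += [(j * 0.2, host) for j in range(10)]
    return samples


if __name__ == "__main__":
    floods = detect_floods(build_constructed_samples(), SAMPLING_RATE,
                           WINDOW_SECONDS, threshold_pps=1_000_000)
    for dst, pps in floods.items():
        print(f"flood towards {dst}: ~{pps:,} pps")
    print("time to a 10% estimate of a 2.5 Mpps flood: "
          f"{time_to_detect(2_500_000, SAMPLING_RATE, 0.1):.2f} s")
```

The same arithmetic, run the other way, tells you what a given sampling rate cannot see: at 1-in-10,000 a 50 kpps source yields only five samples a second, which is why the thread treats sFlow as a flood detector rather than a forensics or billing source.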


RE: Incident notification

2014-11-21 Thread Sameer Khosla
I know of a friend that is using Growl / Prowl to push out the notifications to 
their phones, even to their TVs at home.

Sk.

-Original Message-
From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Thijs Stuurman
Sent: Friday, November 21, 2014 10:52 AM
To: nanog@nanog.org
Subject: Incident notification

Nanog list members,

I was looking at some statistics and noticed we are sending out a massive amount 
of SMS messages from our monitoring systems.
This left me wondering if there isn't a better (and cheaper) alternative to 
this, something just as reliable but IP based. We all have smartphones these 
days anyway.

Therefore my question, what are you using to notify admins of incidents?

Kind regards / Met vriendelijke groet,

Thijs Stuurman







Re: DDOS, IDS, RTBH, and Rate limiting

2014-11-21 Thread Denys Fedoryshchenko

On 2014-11-21 18:41, Peter Phaal wrote:

 Actually, sFlow from many vendors is pretty good (per your points about flow
 burstiness and delays), and is good enough for dDoS detection.  Not for
 security forensics, or billing at 99.99% accuracy, but good enough for
 traffic visibility, peering analytics, and (d)DoS detection.

 Well, if it is available, except hardware limitations, there is a second
 obstacle, software licensing cost. On latest JunOS, for example on EX2200,
 you need to purchase a license (EFL), and if I am not wrong it is $3000 for
 48-port units. So if only the sFlow feature is at stake, it is worth thinking
 about whether to purchase the license or to purchase a server.

 Juniper no longer charges for sFlow on the EX2200 (as of Junos 11.2):

 http://www.juniper.net/techpubs/en_US/junos11.2/information-products/topic-collections/release-notes/11.2/junos-release-notes-11.2.pdf

 I am not aware of any vendor requiring an additional license to enable sFlow.

 sFlow (packet sampling) works extremely well for the DDoS flood
 detection / mitigation use case. The measurements are built into low
 cost commodity switch hardware and can be enabled operationally
 without adversely impacting switch performance.  A flood attack
 generates high packet rates and sampling a 10G port at 1-in-10,000
 will reliably detect flood attacks within seconds.

 For most use cases, it is much less expensive to use switches to
 perform measurement than to attach taps / mirror port probes. If your
 switches don't already support sFlow, you can buy a 10G capable white
 box switch for a few thousand dollars that will let you monitor 1.2
 Terabits/sec. If you go with an open platform such as Cumulus Linux,
 you could even run your DDoS mitigation software on the switch and
 dispense with the external server. Embedded instrumentation is simple
 to deploy and reduces operational complexity and cost when compared to
 add on probe solutions.

 Peter Phaal
 InMon Corp.

Wow, that's great news then. I'm using mostly Cisco gear now, but it seems I 
will have to take a look at Juniper, thanks for the information.
If it is free, then if an EX2200 is available, it is much easier to run sFlow 
and write a custom collector for it than to install a custom probe (in most 
common cases).


---
Best regards,
Denys


Re: Need Godaddy Contact

2014-11-21 Thread Anne P. Mitchell, Esq.
Larry, please contact me offlist and we'll ping one of our GD contacts for you.

Anne

Anne P. Mitchell, Esq.
CEO/President
ISIPP SuretyMail Email Accreditation & Certification
Your mail system + SuretyMail accreditation = delivered to their inbox!
http://www.SuretyMail.com/
http://www.SuretyMail.eu/

Author: Section 6 of the Federal CAN-SPAM Act of 2003
Member, California Bar Cyberspace Law Committee
Ret. Professor of Law, Lincoln Law School of San Jose
https://www.linkedin.com/in/annemitchell
303-731-2121 | amitch...@isipp.com | @AnnePMitchell | Facebook/AnnePMitchell 



 I have a question that Godaddy support will not answer.

 My son moved a WordPress site to Godaddy from another host.

 Apparently, unbeknownst to him, the original WordPress site was also the
 email host.

 The mail was moved from the old server to the new server but the email was
 never properly set up via the GoDaddy cPanel.

 Question for a Godaddy Guru.

 If we set up the email through the cPanel, will it erase any mail currently
 in the accounts on the Linux WordPress machine, or even acknowledge that the
 existing email is there?

 Any help would be GREATLY appreciated and Thanks..



Weekly Routing Table Report

2014-11-21 Thread Routing Analysis Role Account
This is an automated weekly mailing describing the state of the Internet
Routing Table as seen from APNIC's router in Japan.

The posting is sent to APOPS, NANOG, AfNOG, AusNOG, SANOG, PacNOG,
CaribNOG and the RIPE Routing Working Group.

Daily listings are sent to bgp-st...@lists.apnic.net

For historical data, please see http://thyme.rand.apnic.net.

If you have any comments please contact Philip Smith pfsi...@gmail.com.

Routing Table Report   04:00 +10GMT Sat 22 Nov, 2014

Report Website: http://thyme.rand.apnic.net
Detailed Analysis:  http://thyme.rand.apnic.net/current/

Analysis Summary


BGP routing table entries examined:  517859
Prefixes after maximum aggregation:  200304
Deaggregation factor:  2.59
Unique aggregates announced to Internet: 254592
Total ASes present in the Internet Routing Table: 48629
Prefixes per ASN: 10.65
Origin-only ASes present in the Internet Routing Table:   36296
Origin ASes announcing only one prefix:   16305
Transit ASes present in the Internet Routing Table:6210
Transit-only ASes present in the Internet Routing Table:176
Average AS path length visible in the Internet Routing Table:   4.5
Max AS path length visible:  78
Max AS path prepend of ASN ( 55644)  71
Prefixes from unregistered ASNs in the Routing Table:  1631
Unregistered ASNs in the Routing Table: 439
Number of 32-bit ASNs allocated by the RIRs:   7978
Number of 32-bit ASNs visible in the Routing Table:6123
Prefixes from 32-bit ASNs in the Routing Table:   21952
Number of bogon 32-bit ASNs visible in the Routing Table: 6
Special use prefixes present in the Routing Table:0
Prefixes being announced from unallocated address space:391
Number of addresses announced to Internet:   2712292420
Equivalent to 161 /8s, 170 /16s and 76 /24s
Percentage of available address space announced:   73.3
Percentage of allocated address space announced:   73.3
Percentage of available address space allocated:  100.0
Percentage of address space in use by end-sites:   96.9
Total number of prefixes smaller than registry allocations:  176514

APNIC Region Analysis Summary
-

Prefixes being announced by APNIC Region ASes:   127765
Total APNIC prefixes after maximum aggregation:   37043
APNIC Deaggregation factor:3.45
Prefixes being announced from the APNIC address blocks:  132174
Unique aggregates announced from the APNIC address blocks:53894
APNIC Region origin ASes present in the Internet Routing Table:4990
APNIC Prefixes per ASN:   26.49
APNIC Region origin ASes announcing only one prefix:   1200
APNIC Region transit ASes present in the Internet Routing Table:869
Average APNIC Region AS path length visible:4.7
Max APNIC Region AS path length visible: 78
Number of APNIC region 32-bit ASNs visible in the Routing Table:   1178
Number of APNIC addresses announced to Internet:  737083776
Equivalent to 43 /8s, 239 /16s and 1 /24s
Percentage of available APNIC address space announced: 86.1

APNIC AS Blocks4608-4864, 7467-7722, 9216-10239, 17408-18431
(pre-ERX allocations)  23552-24575, 37888-38911, 45056-46079, 55296-56319,
   58368-59391, 63488-64098, 131072-135580
APNIC Address Blocks 1/8,  14/8,  27/8,  36/8,  39/8,  42/8,  43/8,
49/8,  58/8,  59/8,  60/8,  61/8, 101/8, 103/8,
   106/8, 110/8, 111/8, 112/8, 113/8, 114/8, 115/8,
   116/8, 117/8, 118/8, 119/8, 120/8, 121/8, 122/8,
   123/8, 124/8, 125/8, 126/8, 133/8, 150/8, 153/8,
   163/8, 171/8, 175/8, 180/8, 182/8, 183/8, 202/8,
   203/8, 210/8, 211/8, 218/8, 219/8, 220/8, 221/8,
   222/8, 223/8,

ARIN Region Analysis Summary


Prefixes being announced by ARIN Region ASes:171222
Total ARIN prefixes after maximum aggregation:85507
ARIN Deaggregation factor: 2.00
Prefixes being announced from the ARIN address blocks:   173175
Unique aggregates announced from the ARIN address blocks: 81727
ARIN Region origin ASes present in the Internet Routing Table:16386
ARIN Prefixes per ASN: 

Re: Level3 NOC contact

2014-11-21 Thread N M
A NOC engineer has reached out -- Thanks for the quick response



*Nathan Mallory*

*Network Engineer*
Opelika Power Services
600 Fox Run Pkwy
Opelika, Al 36801
Office:  (334) 705-1601

On Fri, Nov 21, 2014 at 10:29 AM, N M digitallysto...@gmail.com wrote:

 Could a NOC engineer from Level3 contact me off list? I am having issues
 out of Dallas on a circuit with traffic on your network -- Latency above
 100ms --- My peer claims the issue is fixed but I am still seeing the same
 problem -- Thanks


 *Nathan Mallory*

 *Network Engineer*
 Opelika Power Services
 600 Fox Run Pkwy
 Opelika, Al 36801
 Office:  (334) 705-1601



Re: DDOS, IDS, RTBH, and Rate limiting

2014-11-21 Thread Tim Jackson
pmacct includes sfacctd, which is an sFlow collector, accessible via
the same methods as its nfacctd collector or pcap-based collector.

--
Tim

On Fri, Nov 21, 2014 at 9:06 AM, Denys Fedoryshchenko de...@visp.net.lb wrote:
 On 2014-11-21 18:41, Peter Phaal wrote:

 Actually, sFlow from many vendors is pretty good (per your points about flow
 burstiness and delays), and is good enough for dDoS detection.  Not for
 security forensics, or billing at 99.99% accuracy, but good enough for
 traffic visibility, peering analytics, and (d)DoS detection.

 Well, if it is available, except hardware limitations, there is a second
 obstacle, software licensing cost. On latest JunOS, for example on EX2200,
 you need to purchase a license (EFL), and if I am not wrong it is $3000 for
 48-port units. So if only the sFlow feature is at stake, it is worth thinking
 about whether to purchase the license or to purchase a server.


 Juniper no longer charges for sFlow on the EX2200 (as of Junos 11.2):


 http://www.juniper.net/techpubs/en_US/junos11.2/information-products/topic-collections/release-notes/11.2/junos-release-notes-11.2.pdf

 I am not aware of any vendor requiring an additional license to enable
 sFlow.

 sFlow (packet sampling) works extremely well for the DDoS flood
 detection / mitigation use case. The measurements are built into low
 cost commodity switch hardware and can be enabled operationally
 without adversely impacting switch performance.  A flood attack
 generates high packet rates and sampling a 10G port at 1-in-10,000
 will reliably detect flood attacks within seconds.

 For most use cases, it is much less expensive to use switches to
 perform measurement than to attach taps / mirror port probes. If your
 switches don't already support sFlow, you can buy a 10G capable white
 box switch for a few thousand dollars that will let you monitor 1.2
 Terabits/sec. If you go with an open platform such as Cumulus Linux,
 you could even run your DDoS mitigation software on the switch and
 dispense with the external server. Embedded instrumentation is simple
 to deploy and reduces operational complexity and cost when compared to
 add on probe solutions.

 Peter Phaal
 InMon Corp.

 Wow, that's great news then. I'm using mostly Cisco gear now, but it seems I
 will have to take a look at Juniper, thanks for the information.
 If it is free, then if an EX2200 is available, it is much easier to run sFlow
 and write a custom collector for it than to install a custom probe (in most
 common cases).

 ---
 Best regards,
 Denys


Re: Incident notification

2014-11-21 Thread William Herrin
On Fri, Nov 21, 2014 at 10:56 AM, Matthew Huff mh...@ox.com wrote:
 The advantage of SMS is that it is out of band. Any smtp
 or other IP based solution requires a stable and working
 network environment, which is what the alert may be
 trying to tell you is down.

Which is why you locate a small NMS outside your network (on a VM
somewhere) whose only job is to start alerting when it can't reach the NMS
inside your network. That also helps when your interior NMS system gets
gummed up or when a general emergency in your locality damages your
infrastructure at the same time as the SMS provider's infrastructure.

If your monitoring system is structured well to begin with, email has
efficacy comparable to sms. A smartphone app expecting heartbeats via your
in-band infrastructure has effectiveness superior to both.

Regards,
Bill Herrin

--
William Herrin  her...@dirtside.com  b...@herrin.us
Owner, Dirtside Systems . Web: http://www.dirtside.com/
May I solve your unusual networking challenges?
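
The external watchdog Bill describes (a small NMS outside the network whose only job is to alert when the inside NMS stops reporting), as an added example that is not code from the thread. It counts whole heartbeat periods that have elapsed, pages only after several consecutive missed beats so a single lost packet does not wake anyone, and clears the alert on recovery; the class and function names, the 60-second interval and the timeline are all assumptions made for the example.

```python
"""Out-of-band heartbeat watchdog for an in-band NMS (added example).

The inside NMS is expected to send a heartbeat every `interval` seconds to
this process hosted outside the network. Timestamps are plain seconds so the
logic can be driven with constructed values instead of a clock.
"""
from dataclasses import dataclass, field


@dataclass
class Watchdog:
    interval: float            # expected heartbeat period (seconds)
    missed_limit: int = 3      # consecutive missed beats before a DOWN alert
    last_seen: dict = field(default_factory=dict)   # source -> last beat time
    down: set = field(default_factory=set)          # sources currently alerting

    def record_heartbeat(self, source, now):
        """Called when a heartbeat from `source` (e.g. the inside NMS) arrives."""
        self.last_seen[source] = now

    def missed_beats(self, source, now):
        """Whole heartbeat periods elapsed since the last beat from `source`."""
        return int((now - self.last_seen[source]) // self.interval)

    def check(self, now):
        """Evaluate every known source at time `now` and return the state
        transitions as (source, 'DOWN' | 'UP') tuples. A source that is
        already alerting produces no repeat event until it recovers."""
        events = []
        for source in self.last_seen:
            missed = self.missed_beats(source, now)
            if missed >= self.missed_limit and source not in self.down:
                self.down.add(source)
                events.append((source, "DOWN"))
            elif missed < self.missed_limit and source in self.down:
                self.down.discard(source)
                events.append((source, "UP"))
        return events


def run_scenario():
    """Constructed timeline: the inside NMS beats every 60 s, goes silent
    after t=120, and resumes at t=420. With missed_limit=3 the watchdog
    pages at the first check at or after t=300 (three full periods overdue),
    not at the first lost beat, and clears once a heartbeat arrives.
    Returns the list of (time, source, state) transitions."""
    wd = Watchdog(interval=60.0, missed_limit=3)
    beats = {0.0, 60.0, 120.0, 420.0, 480.0}     # heartbeats actually received
    timeline = []
    for t in range(0, 541, 30):                  # the watchdog checks every 30 s
        now = float(t)
        if now in beats:
            wd.record_heartbeat("inside-nms", now)
        for source, state in wd.check(now):
            timeline.append((now, source, state))
    return timeline


if __name__ == "__main__":
    for when, source, state in run_scenario():
        print(f"t={when:5.0f}s  {source}: {state}")
```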


Re: DDOS, IDS, RTBH, and Rate limiting

2014-11-21 Thread Denys Fedoryshchenko
Thanks! Most importantly, there is a plugin API, so it is easy to write custom 
code to do some analysis and take actions on events.


On 2014-11-21 20:32, Tim Jackson wrote:

pmacct includes sfacctd, which is an sFlow collector, accessible via
the same methods as its nfacctd collector or pcap-based collector.

--
Tim

On Fri, Nov 21, 2014 at 9:06 AM, Denys Fedoryshchenko 
de...@visp.net.lb wrote:

 On 2014-11-21 18:41, Peter Phaal wrote:

  Actually, sFlow from many vendors is pretty good (per your points about flow
  burstiness and delays), and is good enough for dDoS detection.  Not for
  security forensics, or billing at 99.99% accuracy, but good enough for
  traffic visibility, peering analytics, and (d)DoS detection.

  Well, if it is available, except hardware limitations, there is a second
  obstacle, software licensing cost. On latest JunOS, for example on EX2200,
  you need to purchase a license (EFL), and if I am not wrong it is $3000 for
  48-port units. So if only the sFlow feature is at stake, it is worth thinking
  about whether to purchase the license or to purchase a server.

  Juniper no longer charges for sFlow on the EX2200 (as of Junos 11.2):

  http://www.juniper.net/techpubs/en_US/junos11.2/information-products/topic-collections/release-notes/11.2/junos-release-notes-11.2.pdf

  I am not aware of any vendor requiring an additional license to enable sFlow.

  sFlow (packet sampling) works extremely well for the DDoS flood
  detection / mitigation use case. The measurements are built into low
  cost commodity switch hardware and can be enabled operationally
  without adversely impacting switch performance.  A flood attack
  generates high packet rates and sampling a 10G port at 1-in-10,000
  will reliably detect flood attacks within seconds.

  For most use cases, it is much less expensive to use switches to
  perform measurement than to attach taps / mirror port probes. If your
  switches don't already support sFlow, you can buy a 10G capable white
  box switch for a few thousand dollars that will let you monitor 1.2
  Terabits/sec. If you go with an open platform such as Cumulus Linux,
  you could even run your DDoS mitigation software on the switch and
  dispense with the external server. Embedded instrumentation is simple
  to deploy and reduces operational complexity and cost when compared to
  add on probe solutions.

  Peter Phaal
  InMon Corp.

 Wow, that's great news then. I'm using mostly Cisco gear now, but it seems I
 will have to take a look at Juniper, thanks for the information.
 If it is free, then if an EX2200 is available, it is much easier to run sFlow
 and write a custom collector for it than to install a custom probe (in most
 common cases).

 ---
 Best regards,
 Denys


---
Best regards,
Denys


Re: Outbound traffic on a circuit?

2014-11-21 Thread Justin Wilson
But I am buying 1 Gig on a 1 Gig circuit.  I could see if it were
burstable but it was being billed as 1Gig on a Gig circuit.

Justin


--
Justin Wilson j...@mtin.net
http://www.mtin.net http://www.mtin.net/blog
Managed Services - xISP Solutions - Data Centers
http://www.thebrotherswisp.com
Podcast about xISP topics
http://www.midwest-ix.com
Peering - Transit - Internet Exchange


 



On 11/19/14, 8:40 PM, joel jaeggli joe...@bogus.com wrote:

On 11/19/14 12:40 PM, Justin Wilson wrote:
 I am looking at an order for a well known upstream provider.  They are
 handing me a circuit at a data center.  The contract reads if we use more
 than 50% of the outbound the price gets re-priced and almost doubles.  How
 many folks have run into this?

if you're buying 500Mb/s commit 95th percentile on a 1Gb/s circuit or
5Gb/s on 10 then you can expect a contract to specify an upcharge
accordingly if you bust your commit.

I generally look for terms that provide a relatively short notification
window for upping my commit, e.g. 6 weeks or less.

 Justin
 
 --
 Justin Wilson j...@mtin.net
 http://www.mtin.net http://www.mtin.net/blog
 Managed Services - xISP Solutions - Data Centers
 http://www.thebrotherswisp.com
 Podcast about xISP topics
 http://www.midwest-ix.com
 Peering - Transit - Internet Exchange
 
 
 
 






The Cidr Report

2014-11-21 Thread cidr-report
This report has been generated at Fri Nov 21 21:14:20 2014 AEST.
The report analyses the BGP Routing Table of AS2.0 router
and generates a report on aggregation potential within the table.

Check http://www.cidr-report.org/2.0 for a current version of this report.

Recent Table History
Date        Prefixes    CIDR Agg
14-11-14    529142      292269
15-11-14    529099      292324
16-11-14    528626      292487
17-11-14    529189      292529
18-11-14    525180      291108
19-11-14    524073      291010
20-11-14    523781      290774
21-11-14    524001      290386


AS Summary
 48906  Number of ASes in routing system
 19638  Number of ASes announcing only one prefix
  3041  Largest number of prefixes announced by an AS
AS10620: Telmex Colombia S.A.,CO
  120110336  Largest address span announced by an AS (/32s)
AS4134 : CHINANET-BACKBONE No.31,Jin-rong Street,CN


Aggregation Summary
The algorithm used in this report proposes aggregation only
when there is a precise match using the AS path, so as 
to preserve traffic transit policies. Aggregation is also
proposed across non-advertised address space ('holes').

 --- 21Nov14 ---
ASnum    NetsNow  NetsAggr  NetGain  % Gain  Description

Table    523120   290391    232729   44.5%   All ASes

AS6389   2894     126       2768     95.6%   BELLSOUTH-NET-BLK - BellSouth.net Inc.,US
AS17974  2846     83        2763     97.1%   TELKOMNET-AS2-AP PT Telekomunikasi Indonesia,ID
AS22773  2853     176       2677     93.8%   ASN-CXA-ALL-CCI-22773-RDC - Cox Communications Inc.,US
AS28573  2372     284       2088     88.0%   NET Serviços de Comunicação S.A.,BR
AS4766   2960     1341      1619     54.7%   KIXS-AS-KR Korea Telecom,KR
AS7303   1770     290       1480     83.6%   Telecom Argentina S.A.,AR
AS10620  3041     1574      1467     48.2%   Telmex Colombia S.A.,CO
AS9808   1485     55        1430     96.3%   CMNET-GD Guangdong Mobile Communication Co.Ltd.,CN
AS8402   1365     29        1336     97.9%   CORBINA-AS OJSC Vimpelcom,RU
AS4755   1928     646       1282     66.5%   TATACOMM-AS TATA Communications formerly VSNL is Leading ISP,IN
AS20115  1823     560       1263     69.3%   CHARTER-NET-HKY-NC - Charter Communications,US
AS4323   1650     414       1236     74.9%   TWTC - tw telecom holdings, inc.,US
AS7545   2472     1246      1226     49.6%   TPG-INTERNET-AP TPG Telecom Limited,AU
AS9498   1316     112       1204     91.5%   BBIL-AP BHARTI Airtel Ltd.,IN
AS6147   1300     102       1198     92.2%   Telefonica del Peru S.A.A.,PE
AS18566  2043     868       1175     57.5%   MEGAPATH5-US - MegaPath Corporation,US
AS6983   1625     484       1141     70.2%   ITCDELTA - Earthlink, Inc.,US
AS34984  1896     860       1036     54.6%   TELLCOM-AS TELLCOM ILETISIM HIZMETLERI A.S.,TR
AS7552   1080     53        1027     95.1%   VIETEL-AS-AP Viettel Corporation,VN
AS22561  1311     334       977      74.5%   AS22561 - CenturyTel Internet Holdings, Inc.,US
AS7738   999      83        916      91.7%   Telemar Norte Leste S.A.,BR
AS38285  975      130       845      86.7%   M2TELECOMMUNICATIONS-AU M2 Telecommunications Group Ltd,AU
AS24560  1180     347       833      70.6%   AIRTELBROADBAND-AS-AP Bharti Airtel Ltd., Telemedia Services,IN
AS31148  1045     234       811      77.6%   FREENET-AS Freenet Ltd.,UA
AS8151   1481     697       784      52.9%   Uninet S.A. de C.V.,MX
AS26615  914      133       781      85.4%   Tim Celular S.A.,BR
AS4780   1047     281       766      73.2%   SEEDNET Digital United Inc.,TW
AS18101  955      194       761      79.7%   RELIANCE-COMMUNICATIONS-IN Reliance Communications Ltd.DAKC MUMBAI,IN
AS855    799      57        742      92.9%   CANET-ASN-4 - Bell Aliant Regional Communications, Inc.,CA
AS17908  834      97        737      88.4%   TCISL Tata Communications,IN


BGP Update Report

2014-11-21 Thread cidr-report
BGP Update Report
Interval: 13-Nov-14 -to- 20-Nov-14 (7 days)
Observation Point: BGP Peering with AS131072

TOP 20 Unstable Origin AS
Rank  ASN      Upds     %      Upds/Pfx  AS-Name
 1 -  AS12897  1723660  29.3%  246237.1  HEAGMEDIANET HSE Medianet GmbH,DE
 2 -  AS23752  278395   4.7%   2899.9    NPTELECOM-NP-AS Nepal Telecommunications Corporation, Internet Services,NP
 3 -  AS9829   193219   3.3%   153.8     BSNL-NIB National Internet Backbone,IN
 4 -  AS7029   79518    1.4%   36.4      WINDSTREAM - Windstream Communications Inc,US
 5 -  AS53249  73466    1.2%   36733.0   LAWA-AS - Los Angeles World Airport,US
 6 -  AS9587   56535    1.0%   1949.5    DTACNETWORK-TH-AP 26th Floor  333/3 Moo 14 Chai Building,TH
 7 -  AS48159  38843    0.7%   125.3     TIC-AS Telecommunication Infrastructure Company,IR
 8 -  AS28885  36232    0.6%   218.3     OMANTEL-NAP-AS OmanTel NAP,OM
 9 -  AS8402   36115    0.6%   22.9      CORBINA-AS OJSC Vimpelcom,RU
10 -  AS38197  35819    0.6%   35.0      SUNHK-DATA-AS-AP Sun Network (Hong Kong) Limited,HK
11 -  AS37693  30493    0.5%   272.3     TUNISIANA,TN
12 -  AS42337  28878    0.5%   178.3     RESPINA-AS Respina Networks & Beyond PJSC,IR
13 -  AS14420  28436    0.5%   118.5     CORPORACION NACIONAL DE TELECOMUNICACIONES - CNT EP,EC
14 -  AS3816   26128    0.4%   51.8      COLOMBIA TELECOMUNICACIONES S.A. ESP,CO
15 -  AS3      23691    0.4%   1306.0    MIT-GATEWAYS - Massachusetts Institute of Technology,US
16 -  AS23342  21980    0.4%   21980.0   UNITEDLAYER - Unitedlayer, Inc.,US
17 -  AS10620  21295    0.4%   10.7      Telmex Colombia S.A.,CO
18 -  AS60725  20028    0.3%   4005.6    O3B-AS O3b Limited,JE
19 -  AS25003  20025    0.3%   667.5     INTERNET_BINAT Internet Binat Ltd,IL
20 -  AS45899  19807    0.3%   45.6      VNPT-AS-VN VNPT Corp,VN


TOP 20 Unstable Origin AS (Updates per announced prefix)
Rank  ASN        Upds      %   Upds/Pfx   AS-Name
 1 - AS12897  1723660  29.3%   246237.1 -- HEAGMEDIANET HSE Medianet GmbH,DE
 2 - AS53249    73466   1.2%    36733.0 -- LAWA-AS - Los Angeles World Airport,US
 3 - AS23342    21980   0.4%    21980.0 -- UNITEDLAYER - Unitedlayer, Inc.,US
 4 - AS3        23691   0.4%     1306.0 -- MIT-GATEWAYS - Massachusetts Institute of Technology,US
 5 - AS18135    10850   0.2%    10850.0 -- BTV BTV Cable television,JP
 6 - AS62174     4107   0.1%     4107.0 -- INTERPAN-AS INTERPAN LTD.,BG
 7 - AS60725    20028   0.3%     4005.6 -- O3B-AS O3b Limited,JE
 8 - AS23752   278395   4.7%     2899.9 -- NPTELECOM-NP-AS Nepal Telecommunications Corporation, Internet Services,NP
 9 - AS10674     2629   0.0%     2629.0 -- GRUCOM - Gainesville Regional Utilities,US
10 - AS56636     2230   0.0%     2230.0 -- ASVEDARU VEDA Ltd.,RU
11 - AS4         2067   0.0%     1465.0 -- ISI-AS - University of Southern California,US
12 - AS12521     3930   0.1%     1965.0 -- NOVA_INTERNET_AS12521 Nova Internet Network,ES
13 - AS9587     56535   1.0%     1949.5 -- DTACNETWORK-TH-AP 26th Floor 333/3 Moo 14 Chai Building,TH
14 - AS35093     3604   0.1%     1802.0 -- RO-HTPASSPORT High Tech Passport Ltd SUA California San Jose SUCURSALA BUCURESTI ROMANIA,RO
15 - AS38808     1721   0.0%     1721.0 -- IMZAK-TRANSIT-AS-AP DSL Service Provider Servers,PK
16 - AS30944     1657   0.0%     1657.0 -- DKD-AS Bendra Lietuvos, JAV ir Rusijos imone uzdaroji akcine bendrove DKD,LT
17 - AS3328     15997   0.3%     1599.7 -- -Reserved AS-,ZZ
18 - AS11728     1424   0.0%     1424.0 -- INTERNETXT - Internet Exchange Technology, Inc.,US
19 - AS56133     8072   0.1%     1345.3 -- TASMANET-AS-AP Tasmanet Pty Ltd,AU
20 - AS61708     1257   0.0%     1257.0 -- INFOCAT INFORMÁTICA LTDA,BR


TOP 20 Unstable Prefixes
Rank  Prefix              Upds     %   Origin AS -- AS Name
 1 - 94.16.64.0/21      247495  4.0%   AS12897 -- HEAGMEDIANET HSE Medianet GmbH,DE
 2 - 94.16.80.0/20      247386  4.0%   AS12897 -- HEAGMEDIANET HSE Medianet GmbH,DE
 3 - 94.16.72.0/21      247305  4.0%   AS12897 -- HEAGMEDIANET HSE Medianet GmbH,DE
 4 - 185.9.28.0/22      246034  4.0%   AS12897 -- HEAGMEDIANET HSE Medianet GmbH,DE
 5 - 194.127.204.0/23   245774  4.0%   AS12897 -- HEAGMEDIANET HSE Medianet GmbH,DE
 6 - 194.99.108.0/23    245433  4.0%   AS12897 -- HEAGMEDIANET HSE Medianet GmbH,DE
 7 - 194.45.104.0/23    244233  4.0%   AS12897 -- HEAGMEDIANET HSE Medianet GmbH,DE
 8 - 202.70.64.0/21     142246  2.3%   AS23752 -- NPTELECOM-NP-AS Nepal Telecommunications Corporation, Internet Services,NP
 9 - 202.70.88.0/21     135152  2.2%   AS23752 -- NPTELECOM-NP-AS Nepal Telecommunications Corporation, Internet Services,NP
10 - 198.140.114.0/24    36755  0.6%   AS53249 -- LAWA-AS - Los Angeles World Airport,US
11 - 198.140.115.0/24    36711  0.6%   AS53249 -- 

Re: abuse reporting tools

2014-11-21 Thread Jimmy Hess
On Tue, Nov 18, 2014 at 7:41 PM, Robert Drake rdr...@direcpath.com wrote:
 On 11/18/2014 8:11 PM, Michael Brown wrote:
[snip]
 amelioration.  So I'm left with a very unsatisfactory feeling of either
 shutting down a possibly innocent customer based on a machine's word, or
 attempting to start a dialog with random_script_user...@hotmail.com.

Under those circumstances, how do you know it's not a
social-engineering based DoS being attempted? Preferably, take no
action to shut down services without decent confirmation; as malicious
reports of a fraudulent, bogus, dramatized, or otherwise misleading
nature are sometimes used by malicious actors to target a legitimate
user.

My suggestion would be to table the report of a single SSH connection and
really do nothing with it. If there is actually abuse being
conducted, you should either be able to independently verify the
actual abuse, e.g. by checking packet level data or netflow data,
or you should begin to receive a pattern of complaints; more unique
contacts, that you can investigate and verify are legit. contacts
from unique networks.

If neither occurs, then just keep a log as an unconfirmed abuse
report, which if unconfirmed for a few days may be forwarded to the
end user for their information/records.

-- 
-JH
 Robert
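One way to turn the triage policy in the reply above into code. This is an added example, not Jimmy's or any project's tooling: a lone report is held, a customer is flagged for investigation only when the abuse was verified independently (flow or packet data) or when complaints arrive from several distinct reporter networks, and reports still unconfirmed after a few days are forwarded to the customer for their records. The sample reports, contact addresses and the threshold of three distinct /24 (or /48) reporter networks are constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Report:
    received: datetime
    reporter: str      # contact address given in the complaint
    reporter_ip: str   # address the complaint was sent from (constructed in the sample)
    target_ip: str     # our customer's address named in the complaint
    summary: str


def reporter_network(ip: str) -> str:
    """Collapse a reporter address to its /24 (IPv4) or /48 (IPv6) so that several
    addresses from one network count as a single contact rather than several."""
    addr = ip_address(ip)
    prefix = 24 if addr.version == 4 else 48
    return str(ip_network(f"{addr}/{prefix}", strict=False))


def triage(reports, now, verified_targets, min_networks=3, forward_after=timedelta(days=3)):
    """Decide what to do per targeted customer address.

    investigate: we verified the abuse ourselves (flow/packet data) or complaints
                 arrived from at least min_networks distinct reporter networks
    forward:     still unconfirmed after forward_after; pass to the customer for records
    hold:        a lone or recent unconfirmed report; log it and take no action
    """
    by_target = defaultdict(list)
    for r in reports:
        by_target[r.target_ip].append(r)

    decisions = {}
    for target, rs in by_target.items():
        networks = {reporter_network(r.reporter_ip) for r in rs}
        if target in verified_targets:
            decisions[target] = ("investigate", "independently verified from flow/packet data")
        elif len(networks) >= min_networks:
            decisions[target] = ("investigate", f"complaints from {len(networks)} distinct networks")
        elif now - min(r.received for r in rs) >= forward_after:
            decisions[target] = ("forward", "unconfirmed; forward to customer for their records")
        else:
            decisions[target] = ("hold", f"unconfirmed; {len(rs)} report(s) from {len(networks)} network(s)")
    return decisions


def run_sample():
    """Constructed sample reports (documentation address ranges, hypothetical contacts)."""
    now = datetime(2014, 11, 21, 12, 0)
    day = timedelta(days=1)
    reports = [
        # one lone scripted complaint, five days old, nothing else since
        Report(now - 5 * day, "random_script_user@example.com", "198.51.100.5", "203.0.113.10", "ssh connection"),
        # three independent networks complaining about the same customer
        Report(now - 2 * day, "abuse@example.net", "198.51.100.7", "203.0.113.20", "ssh brute force"),
        Report(now - 2 * day, "noc@example.net", "198.51.100.9", "203.0.113.20", "ssh brute force"),  # same /24 as above
        Report(now - 1 * day, "security@example.org", "192.0.2.44", "203.0.113.20", "ssh brute force"),
        Report(now - 1 * day, "abuse@example.edu", "2001:db8::1", "203.0.113.20", "ssh brute force"),
        # a fresh single report: too early to do anything
        Report(now - 1 * day, "someone@example.com", "192.0.2.9", "203.0.113.30", "port scan"),
        # a single report that we confirmed ourselves in NetFlow
        Report(now - 1 * day, "abuse@example.org", "192.0.2.77", "203.0.113.40", "dns amplification"),
    ]
    verified = {"203.0.113.40"}
    return triage(reports, now, verified)


if __name__ == "__main__":
    for target, (action, why) in sorted(run_sample().items()):
        print(f"{target:<14} {action:<12} {why}")
```

Counting distinct reporter networks rather than distinct e-mail addresses is the point of the grouping: a single complainant can trivially produce many addresses, but corroboration from unrelated networks, or your own flow data, is what turns an unconfirmed report into something worth acting on.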