Re: DDOS, IDS, RTBH, and Rate limiting
On 2014-11-21 03:12, Roland Dobbins wrote:
> On 21 Nov 2014, at 6:22, Denys Fedoryshchenko wrote:
>> Netflow is stateful stuff,
> This is factually incorrect; NetFlow flows are unidirectional in nature, and in any event have no effect on processing of data-plane traffic.

The word stateful has nothing in common with a stateful firewall. Stateful protocol: a protocol which requires keeping of the internal state on the server is known as a stateful protocol. And sure, unidirectional/bidirectional is totally unrelated.

>> and just to run it on wirespeed, on hardware, you need to utilise significant part of TCAM,
> Again, this is factually incorrect.

http://en.wikipedia.org/wiki/NetFlow#NetFlow_support
Proof that the majority of solutions run *flow not in software.

Cisco 65xx (yes, they are obsolete, but they run stuff at wirespeed):

Aug 24 12:30:53: %EARL_NETFLOW-SP-4-TCAM_THRLD: Netflow TCAM threshold exceeded, TCAM Utilization [97%]

This is the best example. Also on many Ciscos, if you use UBRL, then you cannot use NetFlow, just because they use the same part of the TCAM resources. Others, for example Juniper, are using sampling (read: missing data) just to not overflow resources, and have various limitations, such as the RE-DPC communication pps limit and licensing limits. For example, MS-DPC is a pretty good one, a few million flows in hardware, 7-8Gbps of traffic, and... cost $12.

>> i am not talking that on some hardware it is just impossible to run it.
> This is also factually incorrect. Some platforms/linecards do not in fact support NetFlow (or other varieties of flow telemetry) due to hardware limitations.

But still they can run mirroring fine, and fastnetmon will do its job.

>> And last thing, from one of public papers, netflow delaying factors:
>> 1. Flow record expiration
> This is tunable.

In certain limits. You can't set flow-active-timeout less than 60 seconds in Junos 14, for example. On some platforms, even if you can, you just run into the limits of the platform again (forwarding - management communications).

>> • Typical delay: 15-60 sec.
> This is an entirely subjective assessment, and does not reflect operational realities. These are typically *maximum values* - and they are well within operationally-useful timeframes. Also, the effect of NetFlow cache size and resultant FIFOing of flow records is not taken into account, nor is the effect on flow termination and flow-record export of TCP FIN or RST flags denoting TCP traffic taken into account.
>> So for a small hosting (up to 10G), i believe, FastNetMon is best solution.
> This is a gross over-generalization unsupported by facts. Many years of operational experience with NetFlow and other forms of flow telemetry by large numbers of network operators of all sizes and varieties contradict this over-generalization.

Fastnetmon and similar tools' popularity speaks for itself.

> It is generally unwise to make sweeping statements regarding operational impact which are not borne out by significant operational experience in production networks.

What can be asserted without evidence can be dismissed without evidence.

>> Faster, and no significant investments to equipment.
> This statement indicates a lack of understanding of opex costs, irrespective of capex costs.

Sweet marketing buzzwords, that are used together with some unclear calculations to sell suffering hosting providers various expensive tools that are not necessary for them. OPEX of fastnetmon is a small fee for a qualified sysadmin, and often not required, because the hosting operator should already have him.

>> Bigger hosting providers might reuse their existing servers, segment the network, and implement inexpensive monitoring on aggregation switches without any additional cost again.
> This statement indicates a lack of operational experience in networks of even minimal scale.
>> Ah, and there is one more huge problem with netflow vs FastNetMon - netflow just by design cannot be adapted to run pattern matching, while it is trivial to patch FastNetMon for that, turning it to mini-IDS for free.
> This statement betrays a lack of understanding of NetFlow-based (and other flow telemetry-based) detection and classification, as well as the undesirability and negative operational impact of stateful IDS/'IPS' deployments in production networks. You should also note that FastNetMon is far from unique; there are multiple other open-source tools which provide the same type of functionality, and none of them have replaced flow telemetry, either.

That's the power of opensource. Since FastNetMon is not the only tool, it is worth mentioning others; people here will benefit from using them, for free. And I'm sure the author of FastNetMon will not feel offended at all.

> Tools such as FastNetMon supplement flow telemetry, in situations in which such tools can be deployed. They do not begin to replace flow telemetry, and they are not inherently superior to flow telemetry. Again, I'm sure FastNetMon is a useful tool in many circumstances.
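The flow-expiry mechanics the two of them are arguing over (unidirectional flows, per-flow counters, active and inactive timeouts, export on TCP FIN/RST), as an added Python example that is not part of the thread and not any vendor's implementation. The 60 s active timeout, the 15 s inactive timeout and the packet timeline are assumptions chosen for illustration.

```python
"""Toy unidirectional flow cache in the style of NetFlow (added example, not
code from the thread or from any vendor). The cache keeps per-flow state
(counters, first/last seen) keyed on the 5-tuple in one direction only, and a
record leaves the box only when the flow expires: active timeout, inactive
timeout, or a TCP FIN/RST. Timeouts and the packet timeline are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

TCP, UDP = 6, 17
SYN, FIN, RST = 0x02, 0x01, 0x04

FlowKey = Tuple[str, str, int, int, int]  # src, dst, sport, dport, proto


@dataclass
class Flow:
    key: FlowKey
    first: float
    last: float
    packets: int = 0
    octets: int = 0


@dataclass
class Record:
    key: FlowKey
    first: float
    last: float
    packets: int
    octets: int
    reason: str        # why the flow was exported
    exported_at: float

    @property
    def delay(self) -> float:
        """Seconds from the flow's first packet until its record was exported."""
        return self.exported_at - self.first


class FlowCache:
    def __init__(self, active_timeout: float = 60.0, inactive_timeout: float = 15.0):
        self.active = active_timeout      # assumed: a Junos-style 60 s floor
        self.inactive = inactive_timeout  # assumed
        self.flows: Dict[FlowKey, Flow] = {}
        self.exported: List[Record] = []

    def _export(self, flow: Flow, now: float, reason: str) -> None:
        self.exported.append(Record(flow.key, flow.first, flow.last,
                                    flow.packets, flow.octets, reason, now))
        del self.flows[flow.key]

    def expire(self, now: float) -> None:
        """Periodic scan: long-lived flows are cut at the active timeout, idle
        ones at the inactive timeout. Only then does a record exist at all."""
        for flow in list(self.flows.values()):
            if now - flow.first >= self.active:
                self._export(flow, now, "active")
            elif now - flow.last >= self.inactive:
                self._export(flow, now, "inactive")

    def packet(self, now: float, src: str, dst: str, sport: int, dport: int,
               proto: int, length: int, tcp_flags: int = 0) -> None:
        self.expire(now)
        key = (src, dst, sport, dport, proto)
        flow = self.flows.get(key)
        if flow is None:
            flow = self.flows[key] = Flow(key, now, now)
        flow.last = now
        flow.packets += 1
        flow.octets += length
        # FIN or RST ends the unidirectional TCP flow at once, so the record
        # is exported without waiting for either timer.
        if proto == TCP and tcp_flags & (FIN | RST):
            self._export(flow, now, "fin" if tcp_flags & FIN else "rst")


def constructed_timeline() -> List[tuple]:
    """Constructed packet timeline, not captured data: a 1 pkt/s UDP stream
    lasting 100 s, a short TCP session closed by FIN, and a three-packet UDP
    burst that then goes silent."""
    pkts = [(float(t), "203.0.113.9", "198.51.100.5", 40000, 53, UDP, 1200, 0)
            for t in range(0, 101)]
    pkts += [(5.5, "198.51.100.7", "203.0.113.20", 51000, 443, TCP, 60, SYN),
             (6.5, "198.51.100.7", "203.0.113.20", 51000, 443, TCP, 1400, 0),
             (7.5, "198.51.100.7", "203.0.113.20", 51000, 443, TCP, 60, FIN)]
    pkts += [(t, "203.0.113.40", "198.51.100.9", 5000, 123, UDP, 90, 0)
             for t in (10.5, 11.5, 12.5)]
    return sorted(pkts, key=lambda p: p[0])


def demo() -> List[Record]:
    cache = FlowCache()
    for pkt in constructed_timeline():
        cache.packet(*pkt)
    cache.expire(120.0)  # one last scan after the stream stops
    return cache.exported


if __name__ == "__main__":
    for rec in demo():
        print(f"{rec.key[0]:>14} -> {rec.key[1]:<14} {rec.packets:4d} pkts, "
              f"exported ({rec.reason}) {rec.delay:5.1f} s after the flow began")
```

Running it shows the point each side touches on: the TCP session closed by FIN is exported two seconds after it started, the idle UDP burst waits for the inactive timer, and the long-lived stream is only reported at each active-timeout boundary. For a sustained flood the detection delay is therefore bounded by the active timer (plus whatever the collector adds), which is the number to compare against a probe that sees every packet as it arrives.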
Re: DDOS, IDS, RTBH, and Rate limiting
On 2014-11-21 06:45, freed...@freedman.net wrote:
>> Netflow is stateful stuff, and just to run it on wirespeed, on hardware, you need to utilise significant part of TCAM,
> Cisco ASRs and MXs with inline jflow can do hundreds of K flows/second without affecting packet forwarding.

Yes, I agree, those are good for netflow, but when they already exist in the network. Is it worth buying an ASR if an L3 switch is already doing the job (BGP/ACL/rate-limit/routing)?

>> i am not talking that on some hardware it is just impossible to run it. So everything about netflow is built on the assumption that the hosting or ISP can run it. And based on some observations, the majority of small/middle hosting providers are using a minimal, just BGP-capable L3 switch as core, and the cheapest but reliable L2/L3 on aggregation, and both are capable in the best case of running sampled sFlow.
> Actually, sFlow from many vendors is pretty good (per your points about flow burstiness and delays), and is good enough for dDoS detection. Not for security forensics, or billing at 99.99% accuracy, but good enough for traffic visibility, peering analytics, and (d)DoS detection.

Well, if it is available, besides hardware limitations there is a second obstacle, software licensing cost. On the latest JunOS, for example on EX2200, you need to purchase a license (EFL), and if I am not wrong it is $3000 for 48-port units. So if only the sFlow feature is at stake, it is worth thinking about whether to purchase the license or to purchase a server. Prices for a JFlow license on MX, just for 5/10G, are way above the cost of a very decent server.

> snip
>> So for a small hosting (up to 10G), i believe, FastNetMon is best solution. Faster, and no significant investments to equipment. Bigger hosting providers might reuse their existing servers, segment the network, and implement inexpensive monitoring on aggregation switches without any additional cost again.
> It can be useful to have a 10G network monitoring box of course...
> And with the right setup you can run FastNetMon or other tools in addition to generating flow that can be of use for other purposes as well...

Technically there is ipt_NETFLOW, which can generate netflow on the same box for statistical/telemetry purposes. But I am not sure it is possible to run them together.

>> Ah, and there is one more huge problem with netflow vs FastNetMon - netflow just by design cannot be adapted to run pattern matching, while it is trivial to patch FastNetMon for that, turning it to mini-IDS for free.
> It's true, having a network tap can be useful for doing PCAP-y stuff. But taps can be difficult or at least time consuming for people to put in at scale. Even, we've seen, for folks with 10G networks. Often because they can get 90% of what they need for 4 different business purposes from just flow :)

About scaling, I guess it depends on proper deployment strategy and sysadmins'/developers' capabilities. For example, deploying a new ruleset for my pcap-based homemade analyser to 150 probes across the country is just one click.

---
Best regards,
Denys
Re: Multi-homing with multiple ASNs
On Friday, November 21, 2014 12:00:47 AM Curtis L. Parish wrote:
> We have recently added a second ISP (third if you count I2). Our first ISP is actually a private state network that peers with two Tier 1 providers. We own an AS number and our IP space but at the last minute learned our state network is advertising our network using two different ASNs (neither ours) so they can load balance their connections. If you hit the right looking glass server you can see our network advertised by three different ASNs. We were told by the new ISP that this is a problem but the state network says it is not. Looking for opinions and words of wisdom on this split advertising issue.

Why aren't you originating your own prefixes and ASN by yourselves, since you own both?

Mark.
Re: Multi-homing with multiple ASNs
On Fri, 21 Nov 2014 11:07:49 +0200, Mark Tinka mark.ti...@seacom.mu said:
>> We own an AS number and our IP space but at the last minute learned our state network is advertising our network using two different ASNs (neither ours)

This will work, as in the BGP path selection algorithm will work as designed in this situation. But it also means that the routing policy is out of your control, which is kind of the point of having an ASN! It also makes it harder to track down who is operationally responsible for that address space, since it appears to the outside world to be in two (or three!) different places. I'd say don't do this unless you really have no choice.

> Why aren't you originating your own prefixes and ASN by yourselves, since you own both?

Good question. We (AS60241) almost ended up doing similarly for a while. Because of a close association with the universities in Scotland, we discussed the possibility of transit via JANET. This turned out to be difficult because they run a whole bunch of private ASNs internally -- unlike in North America, where universities typically have their own real one. So it would have been us - private stuff - AS786, and for some reason that I forget they were unable to remove private ASNs from the path. The best that might have been possible would be to have had them announce our networks with synchronisation on, which would have meant the outside world would have seen them originating in both AS786 and AS60241. Icky. We (mutually) decided against this.

Just to say that there are strange, but not completely unreasonable, circumstances in which this can happen...

-w
Re: Multi-homing with multiple ASNs
On Thu, Nov 20, 2014 at 5:00 PM, Curtis L. Parish curtis.par...@mtsu.edu wrote:
> We have recently added a second ISP (third if you count I2). Our first ISP is actually a private state network that peers with two Tier 1 providers. We own an AS number and our IP space but at the last minute learned our state network is advertising our network using two different ASNs (neither ours) so they can load balance their connections. If you hit the right looking glass server you can see our network advertised by three different ASNs. We were told by the new ISP that this is a problem but the state network says it is not.

Howdy,

If you drop your connection to the state network, do the routes with their AS numbers drop out of the looking glasses? If not, then there's a problem.

If you depreference your connection to the state network by prepending your AS number, do comparable prepends appear at the looking glasses, or does the state network continue to give its advertisement of your address space top billing? If the state network's behavior strips your ability to load balance your network then there's a problem.

Conventionally, the state network should be adding its AS number after yours, not stripping your AS number. More often than not, this convention is also the technically correct course of action.

Regards,
Bill Herrin

--
William Herrin her...@dirtside.com b...@herrin.us
Owner, Dirtside Systems . Web: http://www.dirtside.com/
May I solve your unusual networking challenges?
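The two checks above (which ASN each looking glass sees as the origin of the prefix, and whether a prepend sent toward one upstream is actually visible behind it), as an added Python example that is not part of the thread. The ASNs are documentation-range placeholders (RFC 5398) and the looking-glass output is constructed: 64496 stands for the poster's own ASN, 64500 and 64501 for the state network's two ASNs, 64505 for ISP2, the rest for distant transit networks.

```python
"""AS_PATH sanity checks for a multi-homed prefix as seen from looking glasses.
Added example, not from the thread. Flags paths on which someone other than
us is the origin (our ASN stripped) and, where we are the origin, reports the
neighbouring upstream and the number of prepends visible behind it. ASNs and
SAMPLE_ROUTES are constructed placeholders.
"""
from typing import Dict, List, Tuple

OUR_AS = 64496  # assumed: our own ASN (documentation range)


def parse_path(raw: str) -> List[int]:
    """Turn a looking-glass AS_PATH string into ASNs, dropping AS_SET braces
    and the trailing origin code ('i', 'e', '?')."""
    cleaned = raw.replace("{", " ").replace("}", " ").replace(",", " ")
    return [int(tok) for tok in cleaned.split() if tok.isdigit()]


def trailing_count(path: List[int], asn: int) -> int:
    """How many times asn repeats at the end of the path (1 means no prepend)."""
    n = 0
    for hop in reversed(path):
        if hop != asn:
            break
        n += 1
    return n


def analyse(routes: List[Tuple[str, str]], our_as: int = OUR_AS) -> Dict[str, object]:
    """routes: (looking-glass name, AS_PATH string) pairs for one prefix."""
    report = {"origins": {}, "stripped": [], "via": {}, "prepends": {}}
    for lg, raw in routes:
        path = parse_path(raw)
        if not path:
            continue
        origin = path[-1]
        report["origins"].setdefault(origin, []).append(lg)
        if origin != our_as:
            # Someone else originates our space on this path: our ASN is gone.
            report["stripped"].append((lg, origin))
            continue
        n = trailing_count(path, our_as)
        report["prepends"][lg] = n
        report["via"][lg] = path[-n - 1] if len(path) > n else None
    return report


def origin_is_consistent(report, our_as: int = OUR_AS) -> bool:
    """True only if every glass sees exactly our ASN as the origin."""
    return list(report["origins"]) == [our_as]


def prepend_visible(report, upstream_as: int, expected: int) -> bool:
    """True if every path reaching us through upstream_as shows the prepend
    count we send that upstream; False if no such path was seen at all."""
    seen = [report["prepends"][lg] for lg, via in report["via"].items() if via == upstream_as]
    return bool(seen) and all(n == expected for n in seen)


# Constructed looking-glass output for one prefix, not real routes.
SAMPLE_ROUTES = [
    ("lg-a", "64510 64505 64496 i"),        # via ISP2, no prepend
    ("lg-b", "64511 64500 64496 64496 i"),  # state network adds its ASN after ours; our 2x prepend shows
    ("lg-c", "64509 64500 i"),              # state network originates our space as 64500
    ("lg-d", "64508 64501 i"),              # ...and as 64501 from its other ISP
]

if __name__ == "__main__":
    rep = analyse(SAMPLE_ROUTES)
    print("origins seen:", rep["origins"])
    print("paths with our ASN stripped:", rep["stripped"])
    print("prepends per glass:", rep["prepends"], "via", rep["via"])
    print("consistent origin:", origin_is_consistent(rep))
    print("2x prepend visible behind 64500:", prepend_visible(rep, 64500, 2))
```

Feed it the AS paths a handful of public looking glasses return for your prefix before and after each change (dropping the state session, adding a prepend) and compare the two reports: if the "stripped" list does not empty out when the state session is down, or the prepend count behind the state network's ASN does not move when you prepend, the state network is not carrying your policy, which is exactly the problem described above.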
Re: DDOS, IDS, RTBH, and Rate limiting
On 21 Nov 2014, at 15:17, Denys Fedoryshchenko wrote:
> Word stateful has nothing common with stateful firewall. Stateful protocol. a protocol which requires keeping of the internal state on the server is known as a stateful protocol.

Correct - and NetFlow is not stateful, by this definition.

> And sure unidirectional/bidirectional is totally unrelated.

On the contrary, it is quite relevant.

> Cisco 65xx (yes, they are obsolete, but they run stuff wirespeed)

They are not obsolete - they perform very well with Sup2T and EARL8-based linecards.

> Aug 24 12:30:53: %EARL_NETFLOW-SP-4-TCAM_THRLD: Netflow TCAM threshold exceeded, TCAM Utilization [97%]

This is from a 6500 with either an EARL6 or EARL7 ASIC, which had many caveats with regards to NetFlow, including a lack of packet-sampled control of flow creation - i.e., sampled NetFlow. As part of the extended team which defined requirements for the EARL8 ASIC, which is utilized in the Sup2T and DFC-4 enabled linecards, I can assure you that this is no longer an issue with 6500s running EARL8-based Sups and linecards.

> Also on many Cisco's if you use UBRL, then you cannot use NetFlow, just because they use same part of TCAM resources.

This is where TCAM carving comes into play. Also, it is not so much an issue with newer hardware, per the above. Also, UBRL is not commonly used in ISP networks.

> Others, for example Juniper, are using sampling (read - missing data),

The largest networks in the world use sampled NetFlow every hour of every day for many purposes, including DDoS detection/classification/traceback. It works quite well for all those purposes.

> just to not overflow resources, and has various limitations, such as RE-DPC communication pps limit, licensing limit. For example MS-DPC is pretty good one, few million flows in hardware, 7-8Gbps of traffic, and... cost $12.

You get what you pay for.

> But still they can run fine mirroring, and fastnetmon will do it's job.

On the contrary - SPAN, nee port mirroring, cuts into the frames-per-second budget of linecards, as the traffic is in essence being duplicated. It is not 'free', and it has a profound impact on the switch's data-plane traffic forwarding capacity. Unlike NetFlow.

> In certain limits. You can't set flow-active-timeout less than 60 seconds in Junos 14 for example.

Platforms vary, this is true. However, I have never run into an issue with an active flow timer of 60s, nor have I ever run into anyone who has done so.

> On some platforms even if you can, you just run in the limits of platforms again (forwarding - management communications).

This is incorrect.

> Fastnetmon and similar tools popularity says for itself.

Yes, it does - they are far less popular than NetFlow, because they do not scale on networks of any size, nor do they provide traceback (given your lack of comments on traceback elsewhere in this thread, it appears that you aren't familiar with this concept).

> What can be asserted without evidence can be dismissed without evidence.

You make my point very well, thank you. There is overwhelming evidence that NetFlow and similar forms of flow telemetry scale well and provide real, measurable, actionable operational value on networks of all types and sizes. The reason for the popularity of flow telemetry is that it is low-opex (no probes to deploy); low-capex (no probes to deploy); scales to tb/sec speeds; is practicable for large networks (no probes to deploy); provides instantaneous traceback (probes can't do this); and provides statistics on dropped traffic (probes can't do this, either).

> Sweet marketing buzzwords,

It's pretty obvious which half of this 'conversation' is focused on marketing; and it isn't mine.

> that is used together with some unclear calculations,

No calculations have been discussed during the course of this 'conversation'.

> to sell suffering hosting providers various expensive tools,

I'm uninterested in selling anyone anything. What I'm interested in doing is correcting the misinformation you are promulgating regarding the utility of flow telemetry coupled with open-source flow analysis systems. There has been no mention of any commercial systems or products in my half of this 'conversation'.

> that is not necessary for them.

Again, the benefits of flow telemetry are quite clear for networks of any size.

> OPEX of fastnetmon is a small fee for qualified sysadmin, and often not required, because already hosting operator should have him.

You obviously do not know what the term opex actually means, nor what it encompasses.

> I can agree only that arguing about this subject is waste of time.

Yes, it isn't a profitable use of time to argue with someone who does not have the degree of operational expertise nor experience to back his demonstrably incorrect assertions.

> where netflow just by design cannot outperform it

Again, this is a completely unsupported
Re: DDOS, IDS, RTBH, and Rate limiting
On 2014-11-21 14:50, Roland Dobbins wrote:
> On 21 Nov 2014, at 15:17, Denys Fedoryshchenko wrote:
>> Word stateful has nothing common with stateful firewall. Stateful protocol. a protocol which requires keeping of the internal state on the server is known as a stateful protocol.
> Correct - and NetFlow is not stateful, by this definition.

Not stateful, if you pick on the word "server". To be able to do bytes/packets accounting for a flow, you need to keep this specific flow's previous state. To be able to differentiate between flows with the same src/dst ip+ports (if one has ended and the next is started with the same data) you need to track its state, again. And just to keep track of _flows_ in a packet switched network you need states. Surprising lack of knowledge.

>> And sure unidirectional/bidirectional is totally unrelated.
> On the contrary, it is quite relevant.
>> Cisco 65xx (yes, they are obsolete, but they run stuff wirespeed)
> They are not obsolete - they perform very well with Sup2T and EARL8-based linecards.

Seems yes, I'm wrong on that point. I was not successful in running netflow in a reliable way, but it was before CSCul90377 and CSCui17732 were fixed.

>> Others, for example Juniper, are using sampling (read - missing data),
> The largest networks in the world use sampled NetFlow every hour of every day for many purposes, including DDoS detection/classification/traceback. It works quite well for all those purposes.

The use case of fastnetmon is not the largest networks. Sampled netflow is useless for per-traffic billing purposes, for example.

>> just to not overflow resources, and has various limitations, such as RE-DPC communication pps limit, licensing limit. For example MS-DPC is pretty good one, few million flows in hardware, 7-8Gbps of traffic, and... cost $12.
> You get what you pay for.

While I can pay $1500 for a server, and get netflow and ~3 second BGP blackholing with fastnetmon.

>> But still they can run fine mirroring, and fastnetmon will do it's job.
> On the contrary - SPAN nee port mirroring cuts into the frames-per-second budget of linecards, as the traffic is in essence being duplicated. It is not 'free', and it has a profound impact on the switch's data-plane traffic forwarding capacity. Unlike NetFlow.

In the hosting case mirroring is usually done for the uplink port, but I have to agree, it might be a problem.

> Yes, it does - they are far less popular than NetFlow, because they do not scale on networks of any size, nor do they provide traceback (given your lack of comments on traceback elsewhere in this thread, it appears that you aren't familiar with this concept).
> You make my point very well, thank you. There is overwhelming evidence that NetFlow and similar forms of flow telemetry scale well and provide real, measurable, actionable operational value on networks of all types and sizes. The reason for the popularity of flow telemetry is that it is low-opex (no probes to deploy); low-capex (no probes to deploy); scales to tb/sec speeds; is practicable for large networks (no probes to deploy); provides instantaneous traceback (probes can't do this); and provides statistics on dropped traffic (probes can't do this, either).

And again and again we are going to tb/s. I don't need TB/s, I don't need traceback; neither on a relatively small ISP nor on a VDS provider do I need all of the above. I just need an inexpensive way to block an attacked IP and/or announce it from a different location within a minimal timeframe, to minimize the impact on other customers. You might be highly professional with large scale operators, but small guys' needs and capabilities are very different. I had developed a tool similar to fastnetmon for almost the same purpose, detecting attacks and switching the affected network by BGP to a protected backbone. After calculating OPEX/CAPEX, a capable server turned out to be a much cheaper alternative in the short and long term than buying netflow capable hardware (and support for it) just for netflow purposes, and buying hardware for a netflow collector.

Let's talk numbers. My case is small hosting, 4G, C4948-10G, one 10G uplink, one 10G port is free. The switch is not capable of running sFlow or Netflow. A decent server is available already, since it is a hosting company, so the only expense is a 10G 82599 card, which is around $500. Even in case a server is not available, based on data from the fastnetmon author the total cost is still within $1500. Deployment time - hours from installing the hardware, without disrupting existing traffic. Major expenses - tuning the server according to the author's recommendations, and writing a shell script that will send the 4948 a command to blackhole the IP. For a qualified sysadmin it is 2 hours of work, and $500 max as labor cost. That's it. What can be cheaper than $2000 in this case? I guess I won't get an answer.

> I'm uninterested in selling anyone anything. What I'm interested in doing is correcting the misinformation you are promulgating regarding the utility of flow telemetry coupled with open-source flow
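The "script that sends the 4948 a command to blackhole the IP" step, written out as an added Python example that is neither the poster's own tool nor FastNetMon's notify script. It assumes FastNetMon's notify-hook argument order (ip, direction, pps, ban/unban; check your version), placeholder prefixes and next-hops, and emits both an ExaBGP announcement tagged with the RFC 7999 BLACKHOLE community (65535:666) and the IOS static route to Null0. The one check it refuses to skip is that the address lies inside the operator's own prefixes: an automated hook that announces a /32 for whatever address it is handed will blackhole someone else's space the first time detection misfires or the attack carries spoofed destinations.

```python
"""RTBH trigger for a FastNetMon-style notify hook (added example, not
FastNetMon's script and not the poster's tool).

Assumptions, none of them from the page: the hook is called as
    notify.py <ip> <incoming|outgoing> <pps> <ban|unban>
OWN_PREFIXES, NEXT_HOP and MIN_PPS are placeholders. Output is an ExaBGP API
line carrying the RFC 7999 BLACKHOLE community for an upstream that honours
it, plus the IOS Null0 static route for a switch that cannot speak BGP
communities (the 4948 case in the thread).
"""
import ipaddress
import sys
from typing import Dict, List

# Placeholders: only addresses inside our own space may ever be blackholed.
OWN_PREFIXES = [ipaddress.ip_network("198.51.100.0/24"),
                ipaddress.ip_network("2001:db8:100::/48")]
NEXT_HOP = {4: "192.0.2.1", 6: "2001:db8::1"}  # assumed: next-hops the upstream routes to Null0
MIN_PPS = 50_000                                # assumed: don't blackhole a host over a blip


class RefusedAction(ValueError):
    """Raised when the hook must not act on what it was given."""


def validate(ip_str: str, direction: str, pps: int, action: str):
    ip = ipaddress.ip_address(ip_str)
    if not any(ip in net for net in OWN_PREFIXES):
        # Announcing a /32 you do not own is a hijack, not mitigation.
        raise RefusedAction(f"{ip} is outside our prefixes")
    if direction not in ("incoming", "outgoing"):
        raise RefusedAction(f"unknown direction {direction!r}")
    if action not in ("ban", "unban"):
        raise RefusedAction(f"unknown action {action!r}")
    if action == "ban" and pps < MIN_PPS:
        raise RefusedAction(f"{pps} pps is below the blackhole threshold")
    return ip


def exabgp_line(ip, action: str) -> str:
    """ExaBGP API command for the host route; withdraw repeats the next-hop."""
    plen = 32 if ip.version == 4 else 128
    nh = NEXT_HOP[ip.version]
    if action == "ban":
        return f"announce route {ip}/{plen} next-hop {nh} community [65535:666]"
    return f"withdraw route {ip}/{plen} next-hop {nh}"


def ios_lines(ip, action: str) -> List[str]:
    """IOS static route to Null0, and its removal on unban."""
    neg = "" if action == "ban" else "no "
    if ip.version == 4:
        return [f"{neg}ip route {ip} 255.255.255.255 Null0"]
    return [f"{neg}ipv6 route {ip}/128 Null0"]


def plan(ip_str: str, direction: str, pps: int, action: str) -> Dict[str, object]:
    ip = validate(ip_str, direction, pps, action)
    return {"ip": str(ip), "exabgp": exabgp_line(ip, action), "ios": ios_lines(ip, action)}


def main(argv: List[str]) -> int:
    if len(argv) != 5:
        print("usage: notify.py <ip> <direction> <pps> <ban|unban>", file=sys.stderr)
        return 2
    try:
        result = plan(argv[1], argv[2], int(argv[3]), argv[4])
    except (RefusedAction, ValueError) as exc:
        print(f"refused: {exc}", file=sys.stderr)
        return 1
    print(result["exabgp"])
    for line in result["ios"]:
        print(line)
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Pipe the first output line into an ExaBGP process that has a session with the upstream that accepts 65535:666, and push the remaining lines over SSH to the switch for the Null0 fallback; the unban call withdraws the same host route, so repeated bans and unbans for one address are safe to replay. Keep the threshold and the prefix list in this one place, because this hook is the only thing standing between a false positive and a self-inflicted outage.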
RE: Multi-homing with multiple ASNs
Thanks for all the responses. I will answer a few questions that have come on and off list. (Sorry for length)

We advertise our ASN into the state network with more specific routes that we advertise via ISP2 via our ASN. This is done because the state (vendor managed) network runs stateful firewalls and we have to force other multi-homed entities on the state network to use our state connection instead of ISP2. Our network has been removed from the state firewall due to previous problems with asymmetric routing with our I2 circuit. I am told the state network does drop our network from their advertisements when our network is unreachable. That has not been explained or tested.

What we did not realize until about a week before turning up ISP2 was the state was consolidating all state networks to use two of the vendor's ASNs when it peers with their two ISPs. Our ASN is not part of the path. We had no choice but to turn up ISP2 due to bandwidth reasons. Miraculously we achieved almost a 50/50 balance of traffic. Bandwidth will be increased on ISP2 as demand grows so we will need the ability to prepend on the state network to make ISP2 look more desirable. I believe the state will modify their advertisements to add our ASN to the path but changes to advertising via the state network have to go through a design and change management process and then be scheduled into maintenance windows. Any attempts to balance the traffic via prepending will take weeks. As long as the traffic stays balanced we are OK. When replaying BGP route changes I normally see our network only advertised out one of the state ASNs but occasionally I see it with two, so traffic balance may be impacted depending on which ISP the state is egressing.

Here is a question. I know that having one network advertised by multiple ASNs is unconventional and thus it will probably be harder to get help troubleshooting routing problems when they arise. Do you see a situation where our network might be caught in a loop or black hole due to asymmetric routing and conflicting advertisements?

Thanks again. New to the list but have already learned much by reading the archives.

Curtis

Curtis Parish
Senior Network Engineer
Middle Tennessee State University
Transit, Exchange Point Agreements, and Acceptable Use?
I'll apologize up front if this offends anyone's sensitivities as to what is relevant for list conversation... but one sentence in this Channel4 News story (from what I understand, Channel4 is a very popular news source in the UK) struck me as perhaps in violation of some sort of peering and/or transit agreement.

Cable and Wireless: "...even went as far as providing traffic from a rival foreign communications company, handing information sent by millions of internet users worldwide over to spies."

The entire article is here: http://www.channel4.com/news/spy-cable-revealed-how-telecoms-firm-worked-with-gchq

My question is this: Do willful actions such as these violate peering, transit, and/or exchange agreements in any way?

Thanks,

- ferg

--
Paul Ferguson
VP Threat Intelligence, IID
PGP Public Key ID: 0x54DC85B2
Key fingerprint: 19EC 2945 FEE8 D6C8 58A1 CE53 2896 AC75 54DC 85B2
Re: Transit, Exchange Point Agreements, and Acceptable Use?
Paul Ferguson fergdawgs...@mykolab.com writes:
> My question is this: Do willful actions such as these violate peering, transit, and/or exchange agreements in any way?

Welcome to the modern age of communications. The privacy nuts and tinfoil hat types turned out to be correct. Assume that you have no privacy and encrypt everything you do. Or just stop caring about privacy all together. Either way, not much has actually changed.
RE: Transit, Exchange Point Agreements, and Acceptable Use?
Most written peering agreements have a clause that says you can't provide that data unless required to by authorities and only in compliance with applicable local law. The article says that's still an open question:

"Channel 4 News has been unable to establish whether Reliance Communications was served with a warrant to authorise this and the company has not responded to our calls."

Dave
Re: Transit, Exchange Point Agreements, and Acceptable Use?
On 11/21/2014 7:07 AM, Daniel Corbe wrote:
> Welcome to the modern age of communications. The privacy nuts and tinfoil hat types turned out to be correct. Assume that you have no privacy and encrypt everything you do. Or just stop caring about privacy all together. Either way, not much has actually changed.

Well, yes, of course I understand that you should encrypt any and every thing that you wish to protect, and believe me -- I (more than most) understand the long tug of war between telecommunications companies and national intelligence services.

But you did not address my question... ;-)

Cheers,

- ferg
Re: Transit, Exchange Point Agreements, and Acceptable Use?
On 11/21/2014 7:09 AM, Siegel, David wrote:
> Most written peering agreements have a clause that says you can't provide that data unless required to by authorities and only in compliance with applicable local law. The article says that's still an open question:
> "Channel 4 News has been unable to establish whether Reliance Communications was served with a warrant to authorise this and the company has not responded to our calls."

Right, I noticed that bit. :-)

Cheers,

- ferg
Incident notification
Nanog list members,

I was looking at some statistics and noticed we are sending out a massive amount of SMS messages from our monitoring systems. This left me wondering if there isn't a better (and cheaper) alternative to this, something just as reliant but IP based. We all have smartphones these days anyway.

Therefore my question: what are you using to notify admins of incidents?

Kind regards / Met vriendelijke groet,

Thijs Stuurman
IS Group
Wielingenstraat 8, 1441 ZR Purmerend
T +31 (0)299 476 185
F +31 (0)299 476 288
i...@is.nl
http://www.is.nl

IS Group is ISO 9001:2008, ISO/IEC 27001:2005, ISO 20.000-1:2005, ISAE 3402 certified. The datacenters are PCI DSS and ISO 14001 compliant.
RE: Incident notification
The advantage of SMS is that it is out of band. Any smtp or other IP based solution requires a stable and working network environment, which is what the alert may be trying to tell you is down.

Matthew Huff | 1 Manhattanville Rd
Director of Operations | Purchase, NY 10577
OTA Management LLC | Phone: 914-460-4039
aim: matthewbhuff | Fax: 914-694-5669

-----Original Message-----
From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Thijs Stuurman
Sent: Friday, November 21, 2014 10:52 AM
To: nanog@nanog.org
Subject: Incident notification

> Therefore my question, what are you using to notify admins of incidents?
Re: Incident notification
Pagerduty for phone calls. Can do SMS as well, I believe.

Josh Luthman
Office: 937-552-2340
Direct: 937-552-2343
1100 Wayne St Suite 1337
Troy, OH 45373

On Fri, Nov 21, 2014 at 10:52 AM, Thijs Stuurman <thijs.stuur...@is.nl> wrote:

> Therefore my question, what are you using to notify admins of incidents?
RE: Incident notification
> The advantage of SMS is that it is out of band. Any smtp or other IP based solution requires a stable and working network environment, which is what the alert may be trying to tell you is down.

I do not worry so much about that; part of the monitoring solution is out of band for that reason.

Kind regards / Met vriendelijke groet,

Thijs Stuurman
Re: Incident notification
While we do not do this ourselves, I wonder why we would not use Twitter. You can receive SMS, or texts in the app on a smart phone, or look at a webpage. You can make them private and have lots of subscribers. I find Twitter more reliable than our local SMS providers too.

d

On Fri, Nov 21, 2014 at 9:52 AM, Thijs Stuurman <thijs.stuur...@is.nl> wrote:

> Therefore my question, what are you using to notify admins of incidents?

--
Copyright 2014 Derek Andrew (excluding quotations)
+1 306 966 4808
Information Systems
University of Saskatchewan
Peterson 120; 54 Innovation Boulevard
Saskatoon, Saskatchewan, Canada. S7N 2V3
Timezone GMT-6
Typed but not read.
Re: Incident notification
We use OpsGenie for notifications (and on-call scheduling, etc). There are other similar options such as PagerDuty, etc, as well.

Notifications can be submitted to the service in a variety of ways (email, web API, etc), it has a variety of integrations with other tools (Nagios, Pingdom, etc) to aggregate all of your alerts, and there is a callback mechanism where the user can trigger custom actions right from the app (for example, I wrote an interface for it such that when we get an alert, the on-call person can choose to restart the affected service -- or even reboot the entire VM hosting it -- right from within the OpsGenie app). Each user can choose their method of contact (notification to the smartphone app, SMS, phone call, email, whatever), and on-call schedules (and exceptions) are easily managed.

It works for us... YMMV. ;)

- Peter

On 11/21/2014 10:52 AM, Thijs Stuurman wrote:

> Therefore my question, what are you using to notify admins of incidents?
Level3 NOC contact
Could a NOC engineer from Level3 contact me off list? I am having issues out of Dallas on a circuit with traffic on your network -- latency above 100ms. My peer claims the issue is fixed but I am still seeing the same problem.

Thanks

Nathan Mallory
Network Engineer
Opelika Power Services
600 Fox Run Pkwy
Opelika, Al 36801
Office: (334) 705-1601
Re: DDOS, IDS, RTBH, and Rate limiting
>> Actually, sFlow from many vendors is pretty good (per your points about flow burstiness and delays), and is good enough for dDoS detection. Not for security forensics, or billing at 99.99% accuracy, but good enough for traffic visibility, peering analytics, and (d)DoS detection.
>
> Well, if it is available, except hardware limitations, there is a second obstacle, software licensing cost. On latest JunOS, for example on EX2200, you need to purchase a license (EFL), and if I am not wrong it is $3000 for 48-port units. So if only the sFlow feature is at stake, it is worth thinking whether to purchase the license or to purchase a server.

Juniper no longer charges for sFlow on the EX2200 (as of Junos 11.2):
http://www.juniper.net/techpubs/en_US/junos11.2/information-products/topic-collections/release-notes/11.2/junos-release-notes-11.2.pdf

I am not aware of any vendor requiring an additional license to enable sFlow.

sFlow (packet sampling) works extremely well for the DDoS flood detection / mitigation use case. The measurements are built into low cost commodity switch hardware and can be enabled operationally without adversely impacting switch performance. A flood attack generates high packet rates and sampling a 10G port at 1-in-10,000 will reliably detect flood attacks within seconds.

For most use cases, it is much less expensive to use switches to perform measurement than to attach taps / mirror port probes. If your switches don't already support sFlow, you can buy a 10G capable white box switch for a few thousand dollars that will let you monitor 1.2 Terabits/sec. If you go with an open platform such as Cumulus Linux, you could even run your DDoS mitigation software on the switch and dispense with the external server.

Embedded instrumentation is simple to deploy and reduces operational complexity and cost when compared to add on probe solutions.

Peter Phaal
InMon Corp.
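The claim above, that 1-in-10,000 sampling on a 10G port catches a flood within seconds, rests on simple arithmetic: each sample stands for N packets, so scaling sampled counts by N estimates the true rate, and a high packet rate produces enough samples for that estimate to be trustworthy quickly. The following is an added example, not code from the thread or from InMon; the sample records are constructed, and the 1 Mpps alert threshold and the 20-sample minimum are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
import math


@dataclass(frozen=True)
class FlowSample:
    """One sFlow packet sample, reduced to the fields this example uses (constructed schema)."""
    sampling_rate: int  # the switch exported 1 in this many packets as a sample
    src: str
    dst: str
    length: int         # sampled frame length in bytes


def expected_samples(pkt_rate: float, sampling_rate: int, window_s: float) -> float:
    """Samples a stream of pkt_rate packets/s yields in window_s seconds at 1-in-N sampling."""
    return pkt_rate * window_s / sampling_rate


def seconds_until_samples(pkt_rate: float, sampling_rate: int, k: int) -> float:
    """Time for a stream of pkt_rate packets/s to produce k samples at 1-in-N sampling."""
    return k * sampling_rate / pkt_rate


def estimate_rates(samples, window_s):
    """Scale every sample by its sampling rate to estimate per-destination pps and bps.

    Each 1-in-N sample stands for N packets and N * length bytes; summing those
    and dividing by the window length recovers the rate on the wire."""
    pkts = defaultdict(float)
    byts = defaultdict(float)
    count = defaultdict(int)
    for s in samples:
        pkts[s.dst] += s.sampling_rate
        byts[s.dst] += s.sampling_rate * s.length
        count[s.dst] += 1
    return {
        dst: {"pps": pkts[dst] / window_s,
              "bps": byts[dst] * 8 / window_s,
              "samples": count[dst]}
        for dst in pkts
    }


def detect_floods(samples, window_s, pps_threshold, min_samples=20):
    """Return (dst, estimated_pps, relative_error) for destinations above pps_threshold.

    The relative standard error of an estimate built on n samples is about
    1/sqrt(n); min_samples keeps a handful of stray samples (large error)
    from raising a flood alert on their own."""
    alerts = []
    for dst, d in estimate_rates(samples, window_s).items():
        if d["samples"] >= min_samples and d["pps"] >= pps_threshold:
            alerts.append((dst, d["pps"], 1.0 / math.sqrt(d["samples"])))
    return sorted(alerts, key=lambda a: a[1], reverse=True)


def constructed_samples():
    """One second of constructed samples from a 10G port sampled 1-in-10,000.

    A 10 Mpps flood of 64-byte packets toward 203.0.113.10 yields about
    1000 samples/s; a normal host receiving 50 kpps yields about five."""
    flood = [FlowSample(10_000, "198.51.100.%d" % (i % 250 + 1), "203.0.113.10", 64)
             for i in range(1000)]
    normal = [FlowSample(10_000, "192.0.2.7", "203.0.113.20", 1400) for _ in range(5)]
    return flood + normal


if __name__ == "__main__":
    for dst, pps, err in detect_floods(constructed_samples(), 1.0, pps_threshold=1_000_000):
        print(f"flood toward {dst}: ~{pps / 1e6:.1f} Mpps (+/- {err * 100:.0f}%)")
    print("seconds for a 10 Mpps flood to yield 20 samples at 1:10000:",
          seconds_until_samples(10_000_000, 10_000, 20))
```

With these numbers the flood reaches 20 samples in 20 ms, which is why sampling this coarse is still fast for flood detection while remaining useless for per-flow forensics, where most flows never produce a sample at all.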
RE: Incident notification
I know of a friend that is using Growl / Prowl to push out the notifications to their phones, even to their TVs at home.

Sk.

-----Original Message-----
From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Thijs Stuurman
Sent: Friday, November 21, 2014 10:52 AM
To: nanog@nanog.org
Subject: Incident notification

> Therefore my question, what are you using to notify admins of incidents?
Re: DDOS, IDS, RTBH, and Rate limiting
On 2014-11-21 18:41, Peter Phaal wrote:

> Juniper no longer charges for sFlow on the EX2200 (as of Junos 11.2). I am not aware of any vendor requiring an additional license to enable sFlow.

Wow, that's great news then. I'm using mostly Cisco gear now, but it seems I will have to take a look at Juniper, thanks for the information. If it is free, then if an EX2200 is available, it is much easier to run sFlow and write a custom collector for it than installing a custom probe (in most common cases).

---
Best regards,
Denys
Re: Need Godaddy Contact
Larry, please contact me offlist and we'll ping one of our GD contacts for you.

Anne

Anne P. Mitchell, Esq.
CEO/President
ISIPP SuretyMail Email Accreditation & Certification
Your mail system + SuretyMail accreditation = delivered to their inbox!
http://www.SuretyMail.com/
http://www.SuretyMail.eu/
Author: Section 6 of the Federal CAN-SPAM Act of 2003
Member, California Bar Cyberspace Law Committee
Ret. Professor of Law, Lincoln Law School of San Jose
https://www.linkedin.com/in/annemitchell
303-731-2121 | amitch...@isipp.com | @AnnePMitchell | Facebook/AnnePMitchell

> I have a question that Godaddy support will not answer. My son moved a WordPress site to Godaddy from another host. Apparently, unbeknownst to him, the original WordPress site was also the email host. The mail was moved from the old server to the new server but the email was never properly set up via the GoDaddy cPanel.
>
> Question for a Godaddy Guru: if we set up the email through the cPanel, will it erase any mail currently in the accounts on the Linux WordPress machine, or even acknowledge that the existing email is there?
>
> Any help would be GREATLY appreciated and Thanks..
Weekly Routing Table Report
This is an automated weekly mailing describing the state of the Internet Routing Table as seen from APNIC's router in Japan. The posting is sent to APOPS, NANOG, AfNOG, AusNOG, SANOG, PacNOG, CaribNOG and the RIPE Routing Working Group. Daily listings are sent to bgp-st...@lists.apnic.net. For historical data, please see http://thyme.rand.apnic.net. If you have any comments please contact Philip Smith pfsi...@gmail.com.

Routing Table Report 04:00 +10GMT Sat 22 Nov, 2014

Report Website: http://thyme.rand.apnic.net
Detailed Analysis: http://thyme.rand.apnic.net/current/

Analysis Summary

BGP routing table entries examined: 517859
Prefixes after maximum aggregation: 200304
Deaggregation factor: 2.59
Unique aggregates announced to Internet: 254592
Total ASes present in the Internet Routing Table: 48629
Prefixes per ASN: 10.65
Origin-only ASes present in the Internet Routing Table: 36296
Origin ASes announcing only one prefix: 16305
Transit ASes present in the Internet Routing Table: 6210
Transit-only ASes present in the Internet Routing Table: 176
Average AS path length visible in the Internet Routing Table: 4.5
Max AS path length visible: 78
Max AS path prepend of ASN (55644): 71
Prefixes from unregistered ASNs in the Routing Table: 1631
Unregistered ASNs in the Routing Table: 439
Number of 32-bit ASNs allocated by the RIRs: 7978
Number of 32-bit ASNs visible in the Routing Table: 6123
Prefixes from 32-bit ASNs in the Routing Table: 21952
Number of bogon 32-bit ASNs visible in the Routing Table: 6
Special use prefixes present in the Routing Table: 0
Prefixes being announced from unallocated address space: 391
Number of addresses announced to Internet: 2712292420
Equivalent to 161 /8s, 170 /16s and 76 /24s
Percentage of available address space announced: 73.3
Percentage of allocated address space announced: 73.3
Percentage of available address space allocated: 100.0
Percentage of address space in use by end-sites: 96.9
Total number of prefixes smaller than registry allocations: 176514

APNIC Region Analysis Summary

Prefixes being announced by APNIC Region ASes: 127765
Total APNIC prefixes after maximum aggregation: 37043
APNIC Deaggregation factor: 3.45
Prefixes being announced from the APNIC address blocks: 132174
Unique aggregates announced from the APNIC address blocks: 53894
APNIC Region origin ASes present in the Internet Routing Table: 4990
APNIC Prefixes per ASN: 26.49
APNIC Region origin ASes announcing only one prefix: 1200
APNIC Region transit ASes present in the Internet Routing Table: 869
Average APNIC Region AS path length visible: 4.7
Max APNIC Region AS path length visible: 78
Number of APNIC region 32-bit ASNs visible in the Routing Table: 1178
Number of APNIC addresses announced to Internet: 737083776
Equivalent to 43 /8s, 239 /16s and 1 /24s
Percentage of available APNIC address space announced: 86.1

APNIC AS Blocks: 4608-4864, 7467-7722, 9216-10239, 17408-18431 (pre-ERX allocations), 23552-24575, 37888-38911, 45056-46079, 55296-56319, 58368-59391, 63488-64098, 131072-135580

APNIC Address Blocks: 1/8, 14/8, 27/8, 36/8, 39/8, 42/8, 43/8, 49/8, 58/8, 59/8, 60/8, 61/8, 101/8, 103/8, 106/8, 110/8, 111/8, 112/8, 113/8, 114/8, 115/8, 116/8, 117/8, 118/8, 119/8, 120/8, 121/8, 122/8, 123/8, 124/8, 125/8, 126/8, 133/8, 150/8, 153/8, 163/8, 171/8, 175/8, 180/8, 182/8, 183/8, 202/8, 203/8, 210/8, 211/8, 218/8, 219/8, 220/8, 221/8, 222/8, 223/8

ARIN Region Analysis Summary

Prefixes being announced by ARIN Region ASes: 171222
Total ARIN prefixes after maximum aggregation: 85507
ARIN Deaggregation factor: 2.00
Prefixes being announced from the ARIN address blocks: 173175
Unique aggregates announced from the ARIN address blocks: 81727
ARIN Region origin ASes present in the Internet Routing Table: 16386
ARIN Prefixes per ASN:
Re: Level3 NOC contact
A NOC engineer has reached out -- thanks for the quick response.

Nathan Mallory
Network Engineer
Opelika Power Services
600 Fox Run Pkwy
Opelika, Al 36801
Office: (334) 705-1601

On Fri, Nov 21, 2014 at 10:29 AM, N M <digitallysto...@gmail.com> wrote:

> Could a NOC engineer from Level3 contact me off list? I am having issues out of Dallas on a circuit with traffic on your network -- latency above 100ms. My peer claims the issue is fixed but I am still seeing the same problem.
Re: DDOS, IDS, RTBH, and Rate limiting
pmacct includes sfacctd, which is an sFlow collector. Accessible via the same methods as its nfacctd collector or pcap based collector.

--
Tim

On Fri, Nov 21, 2014 at 9:06 AM, Denys Fedoryshchenko <de...@visp.net.lb> wrote:

> Wow, that's great news then. I'm using mostly Cisco gear now, but it seems I will have to take a look at Juniper, thanks for the information. If it is free, then if an EX2200 is available, it is much easier to run sFlow and write a custom collector for it than installing a custom probe (in most common cases).
>
> ---
> Best regards,
> Denys
Re: Incident notification
On Fri, Nov 21, 2014 at 10:56 AM, Matthew Huff <mh...@ox.com> wrote:

> The advantage of SMS is that it is out of band. Any smtp or other IP based solution requires a stable and working network environment, which is what the alert may be trying to tell you is down.

Which is why you locate a small NMS outside your network (on a VM somewhere) whose only job is to start alerting when it can't reach the NMS inside your network. That also helps when your interior NMS system gets gummed up or when a general emergency in your locality damages your infrastructure at the same time as the SMS provider's infrastructure.

If your monitoring system is structured well to begin with, email has efficacy comparable to sms. A smartphone app expecting heartbeats via your in-band infrastructure has effectiveness superior to both.

Regards,
Bill Herrin

--
William Herrin her...@dirtside.com b...@herrin.us
Owner, Dirtside Systems . Web: http://www.dirtside.com/
May I solve your unusual networking challenges?
Re: DDOS, IDS, RTBH, and Rate limiting
Thanks! Most important, there is a plugin API, so it is easy to write custom code to do some analysis and, on events, actions.

On 2014-11-21 20:32, Tim Jackson wrote:

> pmacct includes sfacctd, which is an sFlow collector. Accessible via the same methods as its nfacctd collector or pcap based collector.
>
> --
> Tim

---
Best regards,
Denys
Re: Outbound traffic on a circuit?
But I am buying 1 Gig on a 1 Gig circuit. I could see if it were burstable, but it was being billed as 1 Gig on a Gig circuit.

Justin

--
Justin Wilson <j...@mtin.net>
http://www.mtin.net
http://www.mtin.net/blog Managed Services xISP Solutions Data Centers
http://www.thebrotherswisp.com Podcast about xISP topics
http://www.midwest-ix.com Peering Transit Internet Exchange

On 11/19/14, 8:40 PM, joel jaeggli <joe...@bogus.com> wrote:

> On 11/19/14 12:40 PM, Justin Wilson wrote:
>
>> I am looking at an order for a well known upstream provider. They are handing me a circuit at a data center. The contract reads if we use more than 50% of the outbound the price gets re-priced and almost doubles. How many folks have run into this?
>
> if you're buying 500Mb/s commit 95th percentile on a 1Gb/s circuit or 5Gb/s on 10 then you can expect a contract to specify an upcharge accordingly if you bust your commit. I generally look for terms that provide a relatively short notification window for upping my commit. e.g. 6 weeks or less.
>
>> Justin
The Cidr Report
This report has been generated at Fri Nov 21 21:14:20 2014 AEST. The report analyses the BGP Routing Table of AS2.0 router and generates a report on aggregation potential within the table.

Check http://www.cidr-report.org/2.0 for a current version of this report.

Recent Table History

Date      Prefixes  CIDR Agg
14-11-14    529142    292269
15-11-14    529099    292324
16-11-14    528626    292487
17-11-14    529189    292529
18-11-14    525180    291108
19-11-14    524073    291010
20-11-14    523781    290774
21-11-14    524001    290386

AS Summary

48906      Number of ASes in routing system
19638      Number of ASes announcing only one prefix
3041       Largest number of prefixes announced by an AS
           AS10620: Telmex Colombia S.A.,CO
120110336  Largest address span announced by an AS (/32s)
           AS4134 : CHINANET-BACKBONE No.31,Jin-rong Street,CN

Aggregation Summary

The algorithm used in this report proposes aggregation only when there is a precise match using the AS path, so as to preserve traffic transit policies. Aggregation is also proposed across non-advertised address space ('holes').

--- 21Nov14 ---

ASnum     NetsNow  NetsAggr  NetGain  % Gain  Description
Table      523120    290391   232729   44.5%  All ASes
AS6389       2894       126     2768   95.6%  BELLSOUTH-NET-BLK - BellSouth.net Inc.,US
AS17974      2846        83     2763   97.1%  TELKOMNET-AS2-AP PT Telekomunikasi Indonesia,ID
AS22773      2853       176     2677   93.8%  ASN-CXA-ALL-CCI-22773-RDC - Cox Communications Inc.,US
AS28573      2372       284     2088   88.0%  NET Serviços de Comunicação S.A.,BR
AS4766       2960      1341     1619   54.7%  KIXS-AS-KR Korea Telecom,KR
AS7303       1770       290     1480   83.6%  Telecom Argentina S.A.,AR
AS10620      3041      1574     1467   48.2%  Telmex Colombia S.A.,CO
AS9808       1485        55     1430   96.3%  CMNET-GD Guangdong Mobile Communication Co.Ltd.,CN
AS8402       1365        29     1336   97.9%  CORBINA-AS OJSC Vimpelcom,RU
AS4755       1928       646     1282   66.5%  TATACOMM-AS TATA Communications formerly VSNL is Leading ISP,IN
AS20115      1823       560     1263   69.3%  CHARTER-NET-HKY-NC - Charter Communications,US
AS4323       1650       414     1236   74.9%  TWTC - tw telecom holdings, inc.,US
AS7545       2472      1246     1226   49.6%  TPG-INTERNET-AP TPG Telecom Limited,AU
AS9498       1316       112     1204   91.5%  BBIL-AP BHARTI Airtel Ltd.,IN
AS6147       1300       102     1198   92.2%  Telefonica del Peru S.A.A.,PE
AS18566      2043       868     1175   57.5%  MEGAPATH5-US - MegaPath Corporation,US
AS6983       1625       484     1141   70.2%  ITCDELTA - Earthlink, Inc.,US
AS34984      1896       860     1036   54.6%  TELLCOM-AS TELLCOM ILETISIM HIZMETLERI A.S.,TR
AS7552       1080        53     1027   95.1%  VIETEL-AS-AP Viettel Corporation,VN
AS22561      1311       334      977   74.5%  AS22561 - CenturyTel Internet Holdings, Inc.,US
AS7738        999        83      916   91.7%  Telemar Norte Leste S.A.,BR
AS38285       975       130      845   86.7%  M2TELECOMMUNICATIONS-AU M2 Telecommunications Group Ltd,AU
AS24560      1180       347      833   70.6%  AIRTELBROADBAND-AS-AP Bharti Airtel Ltd., Telemedia Services,IN
AS31148      1045       234      811   77.6%  FREENET-AS Freenet Ltd.,UA
AS8151       1481       697      784   52.9%  Uninet S.A. de C.V.,MX
AS26615       914       133      781   85.4%  Tim Celular S.A.,BR
AS4780       1047       281      766   73.2%  SEEDNET Digital United Inc.,TW
AS18101       955       194      761   79.7%  RELIANCE-COMMUNICATIONS-IN Reliance Communications Ltd.DAKC MUMBAI,IN
AS855         799        57      742   92.9%  CANET-ASN-4 - Bell Aliant Regional Communications, Inc.,CA
AS17908       834        97      737   88.4%  TCISL Tata Communications,IN
BGP Update Report
BGP Update Report
Interval: 13-Nov-14 -to- 20-Nov-14 (7 days)
Observation Point: BGP Peering with AS131072

TOP 20 Unstable Origin AS

Rank  ASN       Upds     % Upds  Upds/Pfx  AS-Name
 1    AS12897   1723660  29.3%   246237.1  HEAGMEDIANET HSE Medianet GmbH,DE
 2    AS23752    278395   4.7%     2899.9  NPTELECOM-NP-AS Nepal Telecommunications Corporation, Internet Services,NP
 3    AS9829     193219   3.3%      153.8  BSNL-NIB National Internet Backbone,IN
 4    AS7029      79518   1.4%       36.4  WINDSTREAM - Windstream Communications Inc,US
 5    AS53249     73466   1.2%    36733.0  LAWA-AS - Los Angeles World Airport,US
 6    AS9587      56535   1.0%     1949.5  DTACNETWORK-TH-AP 26th Floor 333/3 Moo 14 Chai Building,TH
 7    AS48159     38843   0.7%      125.3  TIC-AS Telecommunication Infrastructure Company,IR
 8    AS28885     36232   0.6%      218.3  OMANTEL-NAP-AS OmanTel NAP,OM
 9    AS8402      36115   0.6%       22.9  CORBINA-AS OJSC Vimpelcom,RU
10    AS38197     35819   0.6%       35.0  SUNHK-DATA-AS-AP Sun Network (Hong Kong) Limited,HK
11    AS37693     30493   0.5%      272.3  TUNISIANA,TN
12    AS42337     28878   0.5%      178.3  RESPINA-AS Respina Networks Beyond PJSC,IR
13    AS14420     28436   0.5%      118.5  CORPORACION NACIONAL DE TELECOMUNICACIONES - CNT EP,EC
14    AS3816      26128   0.4%       51.8  COLOMBIA TELECOMUNICACIONES S.A. ESP,CO
15    AS3         23691   0.4%     1306.0  MIT-GATEWAYS - Massachusetts Institute of Technology,US
16    AS23342     21980   0.4%    21980.0  UNITEDLAYER - Unitedlayer, Inc.,US
17    AS10620     21295   0.4%       10.7  Telmex Colombia S.A.,CO
18    AS60725     20028   0.3%     4005.6  O3B-AS O3b Limited,JE
19    AS25003     20025   0.3%      667.5  INTERNET_BINAT Internet Binat Ltd,IL
20    AS45899     19807   0.3%       45.6  VNPT-AS-VN VNPT Corp,VN

TOP 20 Unstable Origin AS (Updates per announced prefix)

Rank  ASN       Upds     % Upds  Upds/Pfx  AS-Name
 1    AS12897   1723660  29.3%   246237.1  HEAGMEDIANET HSE Medianet GmbH,DE
 2    AS53249     73466   1.2%    36733.0  LAWA-AS - Los Angeles World Airport,US
 3    AS23342     21980   0.4%    21980.0  UNITEDLAYER - Unitedlayer, Inc.,US
 4    AS3         23691   0.4%     1306.0  MIT-GATEWAYS - Massachusetts Institute of Technology,US
 5    AS18135     10850   0.2%    10850.0  BTV BTV Cable television,JP
 6    AS62174      4107   0.1%     4107.0  INTERPAN-AS INTERPAN LTD.,BG
 7    AS60725     20028   0.3%     4005.6  O3B-AS O3b Limited,JE
 8    AS23752    278395   4.7%     2899.9  NPTELECOM-NP-AS Nepal Telecommunications Corporation, Internet Services,NP
 9    AS10674      2629   0.0%     2629.0  GRUCOM - Gainesville Regional Utilities,US
10    AS56636      2230   0.0%     2230.0  ASVEDARU VEDA Ltd.,RU
11    AS4          2067   0.0%     1465.0  ISI-AS - University of Southern California,US
12    AS12521      3930   0.1%     1965.0  NOVA_INTERNET_AS12521 Nova Internet Network,ES
13    AS9587      56535   1.0%     1949.5  DTACNETWORK-TH-AP 26th Floor 333/3 Moo 14 Chai Building,TH
14    AS35093      3604   0.1%     1802.0  RO-HTPASSPORT High Tech Passport Ltd SUA California San Jose SUCURSALA BUCURESTI ROMANIA,RO
15    AS38808      1721   0.0%     1721.0  IMZAK-TRANSIT-AS-AP DSL Service Provider Servers,PK
16    AS30944      1657   0.0%     1657.0  DKD-AS Bendra Lietuvos, JAV ir Rusijos imone uzdaroji akcine bendrove DKD,LT
17    AS3328      15997   0.3%     1599.7  -Reserved AS-,ZZ
18    AS11728      1424   0.0%     1424.0  INTERNETXT - Internet Exchange Technology, Inc.,US
19    AS56133      8072   0.1%     1345.3  TASMANET-AS-AP Tasmanet Pty Ltd,AU
20    AS61708      1257   0.0%     1257.0  INFOCAT INFORMÁTICA LTDA,BR

TOP 20 Unstable Prefixes

Rank  Prefix            Upds    %     Origin AS -- AS Name
 1    94.16.64.0/21     247495  4.0%  AS12897 -- HEAGMEDIANET HSE Medianet GmbH,DE
 2    94.16.80.0/20     247386  4.0%  AS12897 -- HEAGMEDIANET HSE Medianet GmbH,DE
 3    94.16.72.0/21     247305  4.0%  AS12897 -- HEAGMEDIANET HSE Medianet GmbH,DE
 4    185.9.28.0/22     246034  4.0%  AS12897 -- HEAGMEDIANET HSE Medianet GmbH,DE
 5    194.127.204.0/23  245774  4.0%  AS12897 -- HEAGMEDIANET HSE Medianet GmbH,DE
 6    194.99.108.0/23   245433  4.0%  AS12897 -- HEAGMEDIANET HSE Medianet GmbH,DE
 7    194.45.104.0/23   244233  4.0%  AS12897 -- HEAGMEDIANET HSE Medianet GmbH,DE
 8    202.70.64.0/21    142246  2.3%  AS23752 -- NPTELECOM-NP-AS Nepal Telecommunications Corporation, Internet Services,NP
 9    202.70.88.0/21    135152  2.2%  AS23752 -- NPTELECOM-NP-AS Nepal Telecommunications Corporation, Internet Services,NP
10    198.140.114.0/24   36755  0.6%  AS53249 -- LAWA-AS - Los Angeles World Airport,US
11    198.140.115.0/24   36711  0.6%  AS53249 --
Re: abuse reporting tools
On Tue, Nov 18, 2014 at 7:41 PM, Robert Drake <rdr...@direcpath.com> wrote:

> On 11/18/2014 8:11 PM, Michael Brown wrote:
>
>> [snip] amelioration.
>
> So I'm left with a very unsatisfactory feeling of either shutting down a possibly innocent customer based on a machine's word, or attempting to start a dialog with random_script_user...@hotmail.com.

Under those circumstances, how do you know it's not a social-engineering based DoS being attempted?

Preferably, take no action to shut down services without decent confirmation, as malicious reports of a fraudulent, bogus, dramatized, or otherwise misleading nature are sometimes used by malicious actors to target a legitimate user.

My suggestion would be to table the report of a single SSH connection and really do nothing with it. If there is actually abuse being conducted, you should either be able to independently verify the actual abuse, e.g. by checking packet level data or netflow data, or you should begin to receive a pattern of complaints: more unique contacts, from unique networks, that you can investigate and verify are legit.

If neither occurs, then just keep a log as an unconfirmed abuse report, which if unconfirmed for a few days may be forwarded to the end user for their information/records.

--
-JH

> Robert
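The triage rule above (table a lone report, act only on local verification or a pattern from distinct reporters, forward long-unconfirmed reports to the customer) as an added example; this is not code from the thread. The report schema, the three-network threshold, the three-day forwarding delay and the /24 and /48 grouping of reporter addresses are assumptions for illustration, and the sample complaints are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
import ipaddress


@dataclass(frozen=True)
class AbuseReport:
    """One inbound complaint, reduced to the fields the triage rule needs (constructed schema)."""
    received: datetime
    reporter_ip: str        # address the complaint came from (mail relay, portal client)
    target: str             # customer host or account named in the complaint
    verified_locally: bool  # True once own netflow / packet data confirms the abuse


# Assumed policy knobs, not values from the thread.
DISTINCT_NETWORKS_REQUIRED = 3     # complaints from this many unrelated networks form a pattern
FORWARD_AFTER = timedelta(days=3)  # unconfirmed reports older than this go to the customer as FYI

T0 = datetime(2014, 11, 18, 20, 0)  # constructed reference time for the sample data


def later(days=0, hours=0):
    """Convenience: a point in time relative to T0."""
    return T0 + timedelta(days=days, hours=hours)


def reporter_network(ip: str) -> str:
    """Collapse a reporter address to its /24 (IPv4) or /48 (IPv6).

    Counting unique networks rather than unique addresses stops one
    complainant with a handful of addresses from manufacturing a pattern."""
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 48
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))


def triage(reports, target, now):
    """Decide what to do about the complaints naming `target`.

    Returns one of:
      ACT                  abuse confirmed from our own data; action against the account is justified
      INVESTIGATE          pattern of complaints from distinct networks; verify them, then act
      FORWARD_UNCONFIRMED  report(s) unconfirmed for FORWARD_AFTER; send to the customer for their records
      HOLD                 single or same-source unverified report(s); keep the log, take no action
      NONE                 nothing on file for this target
    """
    relevant = [r for r in reports if r.target == target]
    if not relevant:
        return "NONE"
    if any(r.verified_locally for r in relevant):
        return "ACT"
    networks = {reporter_network(r.reporter_ip) for r in relevant}
    if len(networks) >= DISTINCT_NETWORKS_REQUIRED:
        return "INVESTIGATE"
    oldest = min(r.received for r in relevant)
    if now - oldest >= FORWARD_AFTER:
        return "FORWARD_UNCONFIRMED"
    return "HOLD"


def constructed_reports():
    """Constructed sample complaints (not real reports)."""
    return [
        # a single complaint about one SSH connection from a webmail user
        AbuseReport(T0, "192.0.2.10", "customer-a.example", False),
        # three complaints about customer B, all from the same /24
        AbuseReport(T0, "198.51.100.5", "customer-b.example", False),
        AbuseReport(later(hours=1), "198.51.100.9", "customer-b.example", False),
        AbuseReport(later(hours=2), "198.51.100.77", "customer-b.example", False),
        # three complaints about customer C from unrelated networks
        AbuseReport(T0, "198.51.100.5", "customer-c.example", False),
        AbuseReport(T0, "203.0.113.8", "customer-c.example", False),
        AbuseReport(T0, "2001:db8:1::5", "customer-c.example", False),
        # one complaint about customer D that our own flow data confirmed
        AbuseReport(T0, "192.0.2.10", "customer-d.example", True),
    ]


if __name__ == "__main__":
    reports = constructed_reports()
    for target in ("customer-a.example", "customer-b.example",
                   "customer-c.example", "customer-d.example"):
        print(target, "now:", triage(reports, target, later(hours=6)),
              "| after 4 days:", triage(reports, target, later(days=4)))
```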