RE: RE: [EXT] Fwd: Re: problems sending to prodigy.net hosted email

2018-03-21 Thread Keith Medcalf

LaBrea Tarpit http://labrea.sourceforge.net/ can do this as well, though 
perhaps only for IPv4.  Basically it looks for unanswered ARP requests and 
answers them.  What it does with the ensuing session data is configurable.

---
The fact that there's a Highway to Hell but only a Stairway to Heaven says a 
lot about anticipated traffic volume.


>-Original Message-
>From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Stephen
>Satchell
>Sent: Tuesday, 20 March, 2018 19:39
>To: nanog@nanog.org
>Subject: Fwd: RE: [EXT] Fwd: Re: problems sending to prodigy.net
>hosted email
>
>Linux systems have the ability, given enough RAM, to associate almost
>any number of IP addresses to a given interface.  Our IP allocation
>database kept track of who was using what IP address.  I wrote some
>queries to collect all unassigned IP addresses, and to construct the
>appropriate shell commands to assign those IP addresses to Ackbar's
>interface.  Part of the program would also remove any allocated IP
>addresses from the server automatically.
>
>Worked like a charm.
>
>Whenever someone would nmap our address space, there would be at most
>one ARP request for the address; the router would then remember the
>IP->MAC association for the subsequent scans for a period of time --
>30 minutes if we were renumbering, 12 hours otherwise.
>
>The Ackbar server lived attached to our main distribution switch, so
>that subsequent traffic to those unused IP addresses stayed out of
>the server farm.  We had some, er, "interesting" denial of service
>attacks that didn't do as much damage as they could have.
>
>
> Forwarded Message 
>Subject: RE: [EXT] Fwd: Re: problems sending to prodigy.net hosted
>email
>Date: Tue, 20 Mar 2018 17:15:25 +
>From: Charles Bronson <cbron...@iec-electronics.com>
>To: nanog@nanog.org <nanog@nanog.org>
>
>If this isn't pertinent to the list, feel free to answer privately.
>How did you implement the server that got rid of ARP storms?
>
>
>Charles Bronson
>
>
>
>-Original Message-----
>From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Stephen
>Satchell
>Sent: Monday, March 19, 2018 9:31 PM
>To: nanog@nanog.org
>Subject: [EXT] Fwd: Re: problems sending to prodigy.net hosted email
>
>Two DNS servers hosted on one box (or VM object), even with two
>addresses, is easily compromised by DDoS amplification attacks.
>That's the norm for a number of "web control panel" systems like Plesk
>and CPanel.
>
>It depends on the scale of your operations.  Last time I was in that
>situation, I had roughly 25,000 domains spread across 30 servers.
>Life became MUCH simpler when I put up dedicated, and high-power,
>physical systems running non-recursive BIND for DNS1 and DNS2, as well
>as another pair of boxes running recursive servers as DNS3 and DNS4.
>
>Getting QMail and Exim to "smart host" to my monster MX servers
>proved to be pretty easy, and I even was able to get the web servers
>to tell me when a mailbox was full so I could reject the SMTP exchange
>at the edge, instead of generating backscatter.
>
>And, with a pool of roughly 4,000 IP addresses, I got rid of ARP
>storms in our network by putting up a little server called "ackbar",
>that was configured to respond to all otherwise unused IP address in
>our pool.  (Edge routers were Cisco 7000 class, with DS3 uplinks.)
>
>Lessons learned well.
>
> Forwarded Message 
>Subject: Re: problems sending to prodigy.net hosted email
>Date: Mon, 19 Mar 2018 17:55:33 +0100
>From: Chris <chris2...@postbox.xyz>
>To: C. Jon Larsen <jlar...@richweb.com>
>CC: nanog@nanog.org
>
>On Mon, 19 Mar 2018 11:56:16 -0400 (EDT) C. Jon Larsen wrote:
>
>> > Why not? Never had a problem with multiple services on linux, in
>> > contrast to windows where every service requires its own box (or
>> > at least vm).
>>
>> Go for it ! Failure is an awesome teacher :)
>
>Don't really see a problem, especially since you normally always have
>two DNS servers...
>
>--
>Pope Francis calls for a fight against fake news. We think the man who
>claims to be the representative of Christ, of whom he asserts that his
>mother was a lifelong virgin and that he could walk on water and turn
>it into wine, is completely right.





Fwd: RE: [EXT] Fwd: Re: problems sending to prodigy.net hosted email

2018-03-20 Thread Stephen Satchell
Linux systems have the ability, given enough RAM, to associate almost 
any number of IP addresses to a given interface.  Our IP allocation 
database kept track of who was using what IP address.  I wrote some 
queries to collect all unassigned IP addresses, and to construct the 
appropriate shell commands to assign those IP addresses to Ackbar's 
interface.  Part of the program would also remove any allocated IP 
addresses from the server automatically.


Worked like a charm.

Whenever someone would nmap our address space, there would be at most 
one ARP request for the address; the router would then remember the 
IP->MAC association for the subsequent scans for a period of time -- 30 
minutes if we were renumbering, 12 hours otherwise.


The Ackbar server lived attached to our main distribution switch, so 
that subsequent traffic to those unused IP addresses stayed out of the 
server farm.  We had some, er, "interesting" denial of service attacks 
that didn't do as much damage as they could have.



 Forwarded Message 
Subject: RE: [EXT] Fwd: Re: problems sending to prodigy.net hosted email
Date: Tue, 20 Mar 2018 17:15:25 +
From: Charles Bronson <cbron...@iec-electronics.com>
To: nanog@nanog.org <nanog@nanog.org>

If this isn't pertinent to the list, feel free to answer privately. How 
did you implement the server that got rid of ARP storms?



Charles Bronson



-Original Message-
From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Stephen Satchell
Sent: Monday, March 19, 2018 9:31 PM
To: nanog@nanog.org
Subject: [EXT] Fwd: Re: problems sending to prodigy.net hosted email

Two DNS servers hosted on one box (or VM object), even with two 
addresses, is easily compromised by DDoS amplification attacks.  That's 
the norm for a number of "web control panel" systems like Plesk and CPanel.


It depends on the scale of your operations.  Last time I was in that 
situation, I had roughly 25,000 domains spread across 30 servers.  Life 
became MUCH simpler when I put up dedicated, and high-power, physical 
systems running non-recursive BIND for DNS1 and DNS2, as well as another 
pair of boxes running recursive servers as DNS3 and DNS4.


Getting QMail and Exim to "smart host" to my monster MX servers proved 
to be pretty easy, and I even was able to get the web servers to tell me 
when a mailbox was full so I could reject the SMTP exchange at the edge, 
instead of generating backscatter.


And, with a pool of roughly 4,000 IP addresses, I got rid of ARP storms 
in our network by putting up a little server called "ackbar", that was 
configured to respond to all otherwise unused IP address in our pool. 
(Edge routers were Cisco 7000 class, with DS3 uplinks.)


Lessons learned well.

 Forwarded Message 
Subject: Re: problems sending to prodigy.net hosted email
Date: Mon, 19 Mar 2018 17:55:33 +0100
From: Chris <chris2...@postbox.xyz>
To: C. Jon Larsen <jlar...@richweb.com>
CC: nanog@nanog.org

On Mon, 19 Mar 2018 11:56:16 -0400 (EDT) C. Jon Larsen wrote:

> Why not? Never had a problem with multiple services on linux, in 
> contrast to windows where every service requires its own box (or at 
> least vm).


Go for it ! Failure is an awesome teacher :)


Don't really see a problem, especially since you normally always have 
two DNS servers...


--
Pope Francis calls for a fight against fake news. We think the man who 
claims to be the representative of Christ, of whom he asserts that his 
mother was a lifelong virgin and that he could walk on water and turn 
it into wine, is completely right.
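
The reconciliation step Stephen describes above (query the allocation database for unassigned addresses, emit the commands that put them on the sponge host's interface, and drop any that have since been allocated), as an added example that is not the poster's code. The interface name, address pool, allocation table and current interface state are constructed sample data; real use would read them from the allocation database and from `ip -4 addr`.

```python
"""Reconcile an ARP-sponge host's interface with the set of unused IPs.

Added example modelled on the thread's approach, not the original code.
The pool, the allocation table and the interface state are constructed.
"""
import ipaddress

IFACE = "eth0"  # assumed name of the sponge host's interface

# Constructed sample data: a /28 pool, the addresses the allocation DB
# says are handed out, and addresses that must never be sponged
# (gateway and the sponge host itself), so the sponge never answers
# ARP for a live box.
POOL = ipaddress.ip_network("192.0.2.0/28")
RESERVED = {"192.0.2.1", "192.0.2.2"}
ALLOCATED = {"192.0.2.5", "192.0.2.6", "192.0.2.9"}

# What the sponge interface carries right now (as parsed from `ip -4 addr`).
# 192.0.2.5 was sponged earlier and has since been allocated to a customer.
CURRENT = {"192.0.2.3", "192.0.2.4", "192.0.2.5", "192.0.2.7"}


def unused_addresses(pool, allocated, reserved):
    """Every host address in the pool that is neither allocated nor reserved."""
    busy = {ipaddress.ip_address(a) for a in allocated | reserved}
    return {a for a in pool.hosts() if a not in busy}


def reconcile(desired, current, iface):
    """Diff desired vs. current and build the shell commands.

    Returns (to_add, to_del, commands) with addresses as sorted strings.
    /32 is used so each address adds no extra connected route; the kernel
    answers ARP for any address configured on the interface.
    """
    cur = {ipaddress.ip_address(a) for a in current}
    to_add = sorted(desired - cur)   # newly free: start answering for them
    to_del = sorted(cur - desired)   # now allocated: stop answering at once
    cmds = [f"ip addr add {a}/32 dev {iface}" for a in to_add]
    cmds += [f"ip addr del {a}/32 dev {iface}" for a in to_del]
    return [str(a) for a in to_add], [str(a) for a in to_del], cmds


if __name__ == "__main__":
    free = unused_addresses(POOL, ALLOCATED, RESERVED)
    _, _, commands = reconcile(free, CURRENT, IFACE)
    print("\n".join(commands))
```

Deletions are emitted in the same run as additions so that a newly allocated address stops being answered by the sponge before its real owner comes up.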


Managing ARP traffic [ was Re: [EXT] Fwd: Re: problems sending to prodigy.net hosted email ]

2018-03-20 Thread Hugo Slabbert


On Tue 2018-Mar-20 17:15:25 +, Charles Bronson wrote:


> If this isn't pertinent to the list, feel free to answer privately. How did you 
> implement the server that got rid of ARP storms?


Perhaps something like an ARP sponge?
https://ams-ix.net/technical/specifications-descriptions/controlling-arp-traffic-on-ams-ix-platform

--
Hugo Slabbert   | email, xmpp/jabber: h...@slabnet.com
pgp key: B178313E   | also on Signal




RE: [EXT] Fwd: Re: problems sending to prodigy.net hosted email

2018-03-20 Thread Charles Bronson
If this isn't pertinent to the list, feel free to answer privately. How did you 
implement the server that got rid of ARP storms?


Charles Bronson



-Original Message-
From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Stephen Satchell
Sent: Monday, March 19, 2018 9:31 PM
To: nanog@nanog.org
Subject: [EXT] Fwd: Re: problems sending to prodigy.net hosted email

Two DNS servers hosted on one box (or VM object), even with two addresses, is 
easily compromised by DDoS amplification attacks.  That's the norm for a number 
of "web control panel" systems like Plesk and CPanel.

It depends on the scale of your operations.  Last time I was in that situation, 
I had roughly 25,000 domains spread across 30 servers.  Life became MUCH 
simpler when I put up dedicated, and high-power, physical systems running 
non-recursive BIND for DNS1 and DNS2, as well as another pair of boxes running 
recursive servers as DNS3 and DNS4.

Getting QMail and Exim to "smart host" to my monster MX servers proved to be 
pretty easy, and I even was able to get the web servers to tell me when a 
mailbox was full so I could reject the SMTP exchange at the edge, instead of 
generating backscatter.

And, with a pool of roughly 4,000 IP addresses, I got rid of ARP storms in our 
network by putting up a little server called "ackbar", that was configured to 
respond to all otherwise unused IP address in our pool. 
(Edge routers were Cisco 7000 class, with DS3 uplinks.)

Lessons learned well.

 Forwarded Message 
Subject: Re: problems sending to prodigy.net hosted email
Date: Mon, 19 Mar 2018 17:55:33 +0100
From: Chris <chris2...@postbox.xyz>
To: C. Jon Larsen <jlar...@richweb.com>
CC: nanog@nanog.org

On Mon, 19 Mar 2018 11:56:16 -0400 (EDT) C. Jon Larsen wrote:

> > Why not? Never had a problem with multiple services on linux, in 
> > contrast to windows where every service requires its own box (or at 
> > least vm).
> 
> Go for it ! Failure is an awesome teacher :)

Don't really see a problem, especially since you normally always have two DNS 
servers...

--
Pope Francis calls for a fight against fake news. We think the man who claims 
to be the representative of Christ, of whom he asserts that his mother was a 
lifelong virgin and that he could walk on water and turn it into wine, is 
completely right.


Fwd: Re: problems sending to prodigy.net hosted email

2018-03-19 Thread Stephen Satchell
Two DNS servers hosted on one box (or VM object), even with two 
addresses, is easily compromised by DDoS amplification attacks.  That's 
the norm for a number of "web control panel" systems like Plesk and CPanel.


It depends on the scale of your operations.  Last time I was in that 
situation, I had roughly 25,000 domains spread across 30 servers.  Life 
became MUCH simpler when I put up dedicated, and high-power, physical 
systems running non-recursive BIND for DNS1 and DNS2, as well as another 
pair of boxes running recursive servers as DNS3 and DNS4.


Getting QMail and Exim to "smart host" to my monster MX servers proved 
to be pretty easy, and I even was able to get the web servers to tell me 
when a mailbox was full so I could reject the SMTP exchange at the edge, 
instead of generating backscatter.


And, with a pool of roughly 4,000 IP addresses, I got rid of ARP storms 
in our network by putting up a little server called "ackbar", that was 
configured to respond to all otherwise unused IP address in our pool. 
(Edge routers were Cisco 7000 class, with DS3 uplinks.)


Lessons learned well.

 Forwarded Message 
Subject: Re: problems sending to prodigy.net hosted email
Date: Mon, 19 Mar 2018 17:55:33 +0100
From: Chris 
To: C. Jon Larsen 
CC: nanog@nanog.org

On Mon, 19 Mar 2018 11:56:16 -0400 (EDT)
C. Jon Larsen wrote:


> Why not? Never had a problem with multiple services on linux, in
> contrast to windows where every service requires its own box (or at
> least vm).  


Go for it ! Failure is an awesome teacher :)


Don't really see a problem, especially since you normally always have
two DNS servers...

--
Pope Francis calls for a fight against fake news. We think the man who
claims to be the representative of Christ, of whom he asserts that his
mother was a lifelong virgin and that he could walk on water and turn
it into wine, is completely right.