Re: FastNetMon Usage in the wild

2023-10-18 Thread Dobbins, Roland via NANOG


On 18 Oct 2023, at 19:49, Adam Thompson  wrote:

Sightline *Insight* is the piece the sales team won't sell me, and TAC won't 
support me, for deployment in our private-cloud environment

Insight isn’t used for first-order DDoS 
detection/classification/traceback/mitigation; Sightline/TMS provides those 
functions.

Insight is a forensics, peering analysis, and traffic-engineering tool.

I am using Sightline/TMS virtually and it's fine there.

Thanks for the clarification!

[Full disclosure:  I am an employee of NETSCOUT.]



Re: FastNetMon Usage in the wild

2023-10-18 Thread Mirai Azayaka
We (AperNet) have an open-source anti-ddos flow monitor called apermon
that provides some interesting capabilities.

https://github.com/apernet/apermon

On Wed, Oct 18, 2023 at 8:51 AM Adam Thompson  wrote:
>
> Sorry for the late reply... Sightline *Insight* is the piece the sales team 
> won't sell me, and TAC won't support me, for deployment in our private-cloud 
> environment: it has to be hosted on one of 3 canned server configurations.
>
> I am using Sightline/TMS virtually and it's fine there.
>
> -Adam
>
>
> Adam Thompson
>
> Consultant, Infrastructure Services
>
> MERLIN
>
> 100 - 135 Innovation Drive
>
> Winnipeg, MB R3T 6A8
>
> (204) 977-6824 or 1-800-430-6404 (MB only)
>
> https://www.merlin.mb.ca
>
> 
> From: NANOG  on behalf of 
> Dobbins, Roland via NANOG 
> Sent: Tuesday, October 10, 2023 9:34:21 PM
> To: nanog@nanog.org 
> Subject: Re: FastNetMon Usage in the wild
>
>
> On 11 Oct 2023, at 01:50, Adam Thompson  wrote:
>
> you need to buy a moderately-expensive hardware server (they don’t let you 
> virtualize it)
>
>
> To clarify, Sightline has supported virtualization for many years, FYI.
>
>  I’m not aware of any anti-DDoS products at ISP scale that aren’t SFlow + 
> Flowspec, possibly including “scrubbing” (diverter box);
>
>
>  I don’t know if it’s an in-band appliance, or a “scrubber”-on-a-stick
>
>
> In addition to flow telemetry, D/RTBH, S/RTBH, and flowspec, Sightline/TMS 
> supports intelligent DDoS mitigation directly in-line or via 
> diversion/reinjection.
>
> [Full disclosure:  I am an employee of NETSCOUT.]


Re: FastNetMon Usage in the wild

2023-10-18 Thread Adam Thompson
Sorry for the late reply... Sightline *Insight* is the piece the sales team 
won't sell me, and TAC won't support me, for deployment in our private-cloud 
environment: it has to be hosted on one of 3 canned server configurations.

I am using Sightline/TMS virtually and it's fine there.

-Adam



Adam Thompson

Consultant, Infrastructure Services

MERLIN

100 - 135 Innovation Drive

Winnipeg, MB R3T 6A8

(204) 977-6824 or 1-800-430-6404 (MB only)

https://www.merlin.mb.ca



From: NANOG  on behalf of 
Dobbins, Roland via NANOG 
Sent: Tuesday, October 10, 2023 9:34:21 PM
To: nanog@nanog.org 
Subject: Re: FastNetMon Usage in the wild


On 11 Oct 2023, at 01:50, Adam Thompson  wrote:

you need to buy a moderately-expensive hardware server (they don’t let you 
virtualize it)

To clarify, Sightline has supported virtualization for many years, FYI.

 I’m not aware of any anti-DDoS products at ISP scale that aren’t SFlow + 
Flowspec, possibly including “scrubbing” (diverter box);

 I don’t know if it’s an in-band appliance, or a “scrubber”-on-a-stick

In addition to flow telemetry, D/RTBH, S/RTBH, and flowspec, Sightline/TMS 
supports intelligent DDoS mitigation directly in-line or via 
diversion/reinjection.

[Full disclosure:  I am an employee of NETSCOUT.]


Re: FastNetMon Usage in the wild

2023-10-10 Thread Mark Tinka




On 10/11/23 04:34, Dobbins, Roland via NANOG wrote:


To clarify, Sightline has supported virtualization for many years, FYI.


It does do, yes. But pricing for the software license is not too far off 
from if you chose to buy Netscout's own hardware.


Not a major drama for me - I appreciate that competence has to be 
compensated. What I am saying is that attempts to make it more palatable 
to more operators are not making too much of a dent.


Mark.


Re: FastNetMon Usage in the wild

2023-10-10 Thread Dobbins, Roland via NANOG

On 11 Oct 2023, at 01:50, Adam Thompson  wrote:

you need to buy a moderately-expensive hardware server (they don’t let you 
virtualize it)

To clarify, Sightline has supported virtualization for many years, FYI.

 I’m not aware of any anti-DDoS products at ISP scale that aren’t SFlow + 
Flowspec, possibly including “scrubbing” (diverter box);

 I don’t know if it’s an in-band appliance, or a “scrubber”-on-a-stick

In addition to flow telemetry, D/RTBH, S/RTBH, and flowspec, Sightline/TMS 
supports intelligent DDoS mitigation directly in-line or via 
diversion/reinjection.

[Full disclosure:  I am an employee of NETSCOUT.]


RE: FastNetMon Usage in the wild

2023-10-10 Thread Adam Thompson
We use Arbor’s Sightline in an SFlow + Flowspec topology.  It… works.  It needs 
a lot of tuning.  It’s moderately expensive to deploy in this topology, unlike 
in-band which is holy-cow-expensive at our speeds.  If you want 
historical/forensic data, you need to buy a moderately-expensive hardware 
server (they don’t let you virtualize it) for their Insight module.  Arbor’s 
tech support is Quite Good Indeed, and their SE team is FANTASTIC.  Sales, 
however, not so much.  We don’t feel Sightline is doing all that much for us, 
but we also aren’t able to put the required amount of daily care and feeding 
into it that it needs, so YMMV.

My overall impression is that all the on-prem anti-DDOS products out there do 
the same thing, and work much the same way – thresholds, hopefully with 
auto-baselining.  The differentiating factors IMHO are whether the 
auto-baselining can take time-of-day, day-of-week, and month into account (e.g. 
business day, K-12 school year, etc.); we believe Sightline’s auto-baselining 
doesn’t do a great job here.  Beyond that, any product that uses an evolving 
statistical model (probably branded as “AI”, sigh) will have a slightly better 
chance of improving the successful hit ratio.

I’m not aware of any anti-DDoS products at ISP scale that aren’t SFlow + 
Flowspec, possibly including “scrubbing” (diverter box); having said that, I do 
know one of my upstreams has a large Sightline h/w appliance of some sort, I 
don’t know if it’s an in-band appliance, or a “scrubber”-on-a-stick, but it’s 
too expensive for them to upgrade and they’re apparently dropping it instead… 
once we stop telling them quite so loudly to NOT get rid of it, I guess??

AFAIK, FastNetMon is basically the same thing as Sightline, with a 
less-polished UI (read: doesn’t make mgmt. as happy to look at it) and you 
need some external support bits to do the Flowspec.

-Adam

Adam Thompson
Consultant, Infrastructure Services
100 - 135 Innovation Drive
Winnipeg, MB R3T 6A8
(204) 977-6824 or 1-800-430-6404 (MB only)
https://www.merlin.mb.ca


From: NANOG  On Behalf Of 
Javier Gutierrez
Sent: Friday, October 6, 2023 5:20 PM
To: nanog@nanog.org
Subject: FastNetMon Usage in the wild

Hi,
I wanted to drop a quick question as I would like to evaluate the FastNetMon 
solution to do DDoS protection and wanted to see what other companies are using 
it out there so I can have a base of how much I should recommend this.

Thanks in advance for your responses


Kind regards,


Javier Gutierrez,
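
The point in the thread about auto-baselining that accounts for time-of-day and day-of-week, as an added example (not part of any message above, and not the algorithm of Sightline, FastNetMon or any other product): a per-(weekday, hour) baseline compared with a single flat threshold. The traffic samples, class and function names, and the `k`/`floor` parameters are constructed for illustration.

```python
from collections import defaultdict
from statistics import mean, pstdev

def synth_history(weeks=4):
    """Constructed hourly pps samples toward one protected prefix:
    busy on weekdays 08:00-18:00, quiet at night and on weekends."""
    rows = []
    for week in range(weeks):
        for dow in range(7):                      # 0 = Monday
            for hour in range(24):
                busy = dow < 5 and 8 <= hour < 18
                base = 90_000 if busy else 10_000
                jitter = ((week * 7 + dow) * 24 + hour) % 5 * 500  # deterministic noise
                rows.append((dow, hour, base + jitter))
    return rows

class SeasonalBaseline:
    """Threshold = bucket mean + k * stddev, one bucket per (weekday, hour)."""
    def __init__(self, k=4.0, floor=1_000):
        self.k, self.floor = k, floor             # floor keeps tiny stddevs from over-alerting
        self.buckets = defaultdict(list)

    def train(self, rows):
        for dow, hour, pps in rows:
            self.buckets[(dow, hour)].append(pps)

    def threshold(self, dow, hour):
        samples = self.buckets.get((dow, hour))
        if not samples:                           # unseen bucket: fall back to all history
            samples = [p for b in self.buckets.values() for p in b]
        return mean(samples) + self.k * max(pstdev(samples), self.floor)

    def is_anomalous(self, dow, hour, pps):
        return pps > self.threshold(dow, hour)

def flat_threshold(rows, k=4.0):
    """Single threshold over all history, ignoring when each sample was taken."""
    vals = [p for _, _, p in rows]
    return mean(vals) + k * pstdev(vals)

if __name__ == "__main__":
    history = synth_history()
    model = SeasonalBaseline()
    model.train(history)
    # Sunday 03:00, 60k pps: six times the normal night rate, below the daytime norm.
    print("flat threshold:", round(flat_threshold(history)))
    print("seasonal threshold Sun 03:00:", round(model.threshold(6, 3)))
    print("seasonal flags 60k pps at Sun 03:00:", model.is_anomalous(6, 3, 60_000))
```

The flat threshold has to sit above the weekday peak, so the Sunday-night burst passes under it, while the per-bucket baseline flags it without alerting on ordinary business-hours load.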