Re: [WISPA] Well, it was time to stir the pot for the new year...
Yeah, what he said.

All too often people tend to fall into the trap that their way is the only way. And in THEIR back yard, it's probably very true. But we don't all live in the same yard.

One of the great things about this business is its flexibility! DSL works basically one way. Cable, very narrow. Wireless has more options than anything else I've ever seen. The hard thing, sometimes, is remembering that all options work in the right case.

laters,
marlon

----- Original Message -----
From: "Matt Larsen - Lists" <[EMAIL PROTECTED]>
To: "WISPA General List"
Sent: Friday, January 05, 2007 11:01 PM
Subject: Re: [WISPA] Well, it was time to stir the pot for the new year...

Well, let's really spice it up then... I'm going to stir the pot in this direction for this post...

Alvarion has done a great job of producing a product that does an excellent job delivering value to their customers and has several unique features that will keep it on a different level above what the open source/standard hardware crew will ever be capable of. They maintain strict control over the hardware components and feel it is important to keep continuity with their already existing products. There are some valid technical reasons for doing things that way, and some equally valid business reasons for having equipment that is non-standard. Alvarion is in business TO MAKE MONEY - and they have done an excellent job retaining value and delivering a consistently usable product to the WISP industry while making money. This is not a hobby for them.

Mark, you unfortunately fall into the hardware trap of "humping your radios" and spending a heck of a lot of time worrying about having the neatest gadget for your wisp. You are in a rural area and don't have to worry about issues of scale. If you continue to spend all that time putting together each radio and trying to micromanage each customer connection you will not scale beyond a couple hundred customers.

Alvarion has put together products that have a steeper initial learning curve but are very flexible, very manageable and will scale. I know of one Alvarion operator that is at 18,000 customers - you don't reach that level putting your own CPEs together and requiring the high level of installation skill to put a StarOS or MT based CPE into service. You might think that Alvarion and others are "Late to the Party" but you have "Missed the Boat" when it comes to building your core business around a scalable, manageable product.

I am personally really glad to see Alvarion taking a more involved interest in the WISP market. I think they have recognized that they can learn a lot from some of the cowboys out there. Just remember that we can learn a lot from them as well.

Matt Larsen
[EMAIL PROTECTED]

Mark Koskenmaki wrote:

----- Original Message -----
From: "Patrick Leary" <[EMAIL PROTECTED]>
To: "WISPA General List"
Sent: Friday, December 29, 2006 12:52 AM
Subject: RE: [WISPA] StarOS or Microtik with TRCPQ clients...

When a market knows it must contend with fraudulent product AND that a good percentage of that market will support the fraud, what's the decision you think vendors will make when it comes to prioritizing investments in this business? Licensed or unlicensed? WISPs or a market segment that buys only legal product? For Pete's sake people, you think your actions don't have actual consequences just because you are staying within the legal power limits? Some of you guys make the jobs of guys like me who seriously give a rip real, real hard.

Aw, give it a rest, Patrick. Valemount's product runs rings around many in terms of features. So, how many MILLIONS would it take for Alvarion to produce a box that does what WISPs need it to do? Not even as much as you spend producing stuff that costs too much for some to use.

So, exactly WHO is to blame when software vendor X produces what we REALLY need, hardware vendor Y produces what we REALLY need, and the people who want to have the "secret black boxes" with unknown guts under the hood won't listen and learn? The fact is, that the little guy... the Joe Blow Schmuck is 5 X more capable of figuring out what it is he wants than a whole team of highly paid product developers who won't listen. While you may get engineers to figure out every last possible means of adjusting the 802.11 MAC and doing really cool stuff with it, who's to blame for thinking we should BRIDGE our networks together? If Schmuck A can figure out how to build a workable board in China, Schmuck B can find some great working little mini-pci radios with INDUSTRY STANDARD connectors on both the cpu board and the card and Schmuck C can figure out how to put a FREE OS together and then develop some drivers to do the cool RF stuff, and all the rest of us dullard schmucks are still bright enough to figure out how to PUT THEM ALL TOGETHER and use them to dramatic advant
RE: [WISPA] Fiar use policy
FAPs are needed because the industry sells an "unlimited" product for $30 to $50 per month which is simply not economically feasible if everyone really ran their connections 24x7. In other words, we trained the consumer incorrectly.

IMHO, we will be seeing more and more FAPs as video over the Internet gets more popular. Notice that AOL just added one to their broadband subscribers (http://www.uk-bug.net/Article1411.html). It's going to be hard for customers to swallow the true cost of dedicated Internet bandwidth delivered to their home or business -- retraining users will be painful.

Joe

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Marlon K. Schafer (509) 982-2181
> Sent: Friday, December 29, 2006 10:24 AM
> To: wireless@wispa.org
> Subject: [WISPA] Fiar use policy
>
> This looks like it's well written and makes a ton of sense to me.
>
> http://go.gethughesnet.com/HUGHES/Rooms/DisplayPages/LayoutInitial?pageid=fairaccess&Container=com.webridge.entity.Entity[OID[BD8BE0839F414B4FB7CDDCA10EFA5369]]
>
> Anyone else implementing a program like this?
>
> Any suggested specifics?
> Marlon
> (509) 982-2181 Equipment sales
> (408) 907-6910 (Vonage) Consulting services
> 42846865 (icq) And I run my own wisp!
> [EMAIL PROTECTED]
> www.odessaoffice.com/wireless
> www.odessaoffice.com/marlon/cam
>
> --
> WISPA Wireless List: wireless@wispa.org
>
> Subscribe/Unsubscribe:
> http://lists.wispa.org/mailman/listinfo/wireless
>
> Archives: http://lists.wispa.org/pipermail/wireless/
Re: [WISPA] Dual-WAN routers
Another thing for my R&D department! Thanks!
-RickG

On 1/7/07, Butch Evans <[EMAIL PROTECTED]> wrote:
On Sat, 6 Jan 2007, David E. Smith wrote:

>> This is for the end user cpe side. I'd like to see both fail-over and
>> load balancing but fail-over is priority. No need for wireless. I'll
>> look into the Mikrotik. Thanks! -RickG

Rick, keeping in mind that "load balancing" where you don't control both ends of both links is not truly possible, there is a way to SORT OF get this effect. The problem is that some things have to be treated in a special way when you are using NAT (actually, masquerade, but we won't go there). VoIP, P2P, VPN and a few others come to mind. Either way, there are some things you can do to make this work with MT, and it's not that hard, but it IS a bit time consuming to get it right.

As for failover, there are several ways to do this, and some of them are pretty simple. A bit of scripting knowledge is required, but other than that, it is not that bad to do. There are some examples in the manual (as David pointed out)

>Mikrotik RouterOS manual. In a pinch, I know we've got one or two
>Mikrotik trainers on the list; you could get them to show you how
>to do it. You only have to pay for it once, then you can just
>copy-and-paste the configuration from there on out. :D

Well, copy/paste for policy routing is not really that cut and dried. It is best to understand what the policy states, then moving it to a new system is not that hard. As I said, it is somewhat time consuming to get it working, however.

>Fair warning, I haven't used the RouterBoard 150 hardware I
>mentioned, but most of their other hardware has treated me well, so
>I wouldn't expect that board to be any different.

I like the 150...it is a very inexpensive solution for a low end router (just $70 plus a case and power supply). The 153 is only $120 and you can add radio cards.

--
Butch Evans
Network Engineering and Security Consulting
573-276-2879
http://www.butchevans.com/
My calendar: http://tinyurl.com/y24ad6
Training Partners: http://tinyurl.com/smfkf
Mikrotik Certified Consultant
http://www.mikrotik.com/consultants.html

--
-RickG
Re: [WISPA] Optimally taking advantage of GB Ethernet
Take note that this problem that I am discussing with GB ethernet also may apply to GB wireless. I'm trying to determine if GB wireless needs to be the full path to be useful, or if it's an adequate backhaul in specific areas.

Tom DeReggi
RapidDSL & Wireless, Inc
IntAirNet- Fixed Wireless Broadband

----- Original Message -----
From: "Tom DeReggi" <[EMAIL PROTECTED]>
To: "WISPA General List"
Sent: Sunday, January 07, 2007 8:16 PM
Subject: Re: [WISPA] Optimally taking advantage of GB Ethernet

Understand a major difference... AT&T for example sells GB fiber for $8000 per month. But they are selling layer 2 end to end to the subscriber. So because GB fiber is the customer's first hop, the customer's MTU can adjust to 9600MTU jumbo frames. For example if the customer has a GB switch on premise, they are already using Jumbo frames, and easy to interface to GB Ethernet WAN connection. The other LECs doing GB fiber are often using something other than Ethernet, such as Sonet, ATM, or whatever. There may be something there that deals with it.

The problem I brought up is that ISPs hook up the customer's initial connection with less than 100mbps which is NOT Jumbo frames. The reason is that most Ethernet Fiber/CAT5 (<100mbps) equipment does not allow over 1500MTU, and only a few equipment manufacturers even support allowing around 1540 MTU to support things like MPLS and VLANs. I do not believe that people like AT&T are passing over 200mbps on their GB Ethernet fiber links, when they are using them as backbones or extensions to existing customer's connection, for the reason I brought up. I just don't think that the end user customer base is smart enough to know the difference.

Tom DeReggi
RapidDSL & Wireless, Inc
IntAirNet- Fixed Wireless Broadband

----- Original Message -----
From: "Travis Johnson" <[EMAIL PROTECTED]>
To: "WISPA General List"
Sent: Saturday, January 06, 2007 11:42 PM
Subject: Re: [WISPA] Optimally taking advantage of GB Ethernet

Tom,

How are the "big boys" doing it? Surely AT&T and others are transporting more than 200Mbps across their 1GB fiber links.

Travis
Microserv

Tom DeReggi wrote:

Gigabit Ethernet can pass 1 gbps when it uses greater than a 9600 MTU frame. But with a 1500MTU frame, it can barely pass 200 mbps. The problem is that most Internet and subscriber traffic is using a 1500MTU or smaller frame. So in theory, it would be just as efficient and fast to bond two 100 mbps fiber connections than it would to buy 1- 1GB fiber connection.

So the question is... How do we most efficiently use 1GB fiber to get the advantage of the full 1GB of capacity? Do we need to use some sort of packet aggregation/stuffing technology? Is GB ethernet pointless for Internet transit backbones? Is GB just good for high capacity Transports, recognizing that routers will likely split traffic to different smaller bandwidth peers? Is there a special router or router feature used to solve this problem? Is that method available to Linux?

The reason I ask is several fold. In a network design where all traffic flows to a single source (for example many 100mbps backhauls to remote areas to 1 central data center), it would be beneficial because the cost of 1 big 1GB pipe could be shared to deliver capacity to everything, better apt to handle peak traffic and get higher oversubscription rates. However, if the GB Internet pipe can not be efficiently used, this method would be severely flawed. It might be better to have multiple 100mbps transit connections spread out across one's network, so there was a shorter path to transit, and the network's bandwidth spread out amongst multiple 100mbps transit connection, for better over all throughput.

In other words, in a 10 city network, 1- 100mbps pipe in each of the 10 cities would allow a full combined 1 gbps of Internet transit, whereas aggregating 100mbps from each city to one central source where there was a single 1GB transit, would result in only a 200mbps throughput, assuming traffic was delivered to it as a 1500 MTU.

Any feedback?

Take note that my comment that a 1500MTU frame 1 Gbps Ethernet card could only pass 200kbps was based on some lab tests. With the 1500MTU frame achieving only 200kbps, our routers CPU utilization was less than 20%, so it was not a saturated router. The second we changed MTU to 9600, we got over 800 mbps, and CPU utilization was still very low, forget exact number but under 40%. These tests were replicated going PC to PC (no switch) and with a high end SMC GB switch in-line.

Tom DeReggi
RapidDSL & Wireless, Inc
IntAirNet- Fixed Wireless Broadband
Re: [WISPA] churn, double play and why WLP is key - I finally understand it
Interesting technique. I guess that's the beauty of having a CPE that will let us Tag traffic.

Tom DeReggi
RapidDSL & Wireless, Inc
IntAirNet- Fixed Wireless Broadband

----- Original Message -----
From: "Gino A. Villarini" <[EMAIL PROTECTED]>
To: "'WISPA General List'"
Sent: Sunday, January 07, 2007 12:37 PM
Subject: RE: [WISPA] churn,double play and why WLP is key - I finally understand it

Well, I haven't replied to this earlier 'cause I'm on vacation (skiing @ Vail) but now, let me add some info...

I don't want to get involved in a gear fight, but a brand x gear has a Per Sector prioritization of traffic. It works like this:

You set the cpe to identify the traffic to be prioritized using Diffserv (it can be any type of traffic, not just voip)
Then you activate on the cpe the "high priority channel" option
Set how much bandwidth this "high priority channel" would use
And you are done.

The Sector AP identifies all the cpes on the sector using this feature and assigns them a 2nd slot of time for this traffic for each cpe, so cpe's using this feature have 2 slots of time to talk to the ap, 1 for priority traffic, the other for regular traffic. Sector wide, all high priority channels of all cpes have "priority" over regular cpes...

So Patrick, what do you think

Gino A. Villarini
[EMAIL PROTECTED]
Aeronet Wireless Broadband Corp.
tel 787.273.4143 fax 787.273.4145

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Patrick Leary
Sent: Saturday, January 06, 2007 12:59 AM
To: WISPA General List
Subject: RE: [WISPA] churn,double play and why WLP is key - I finally understand it

I don't think so Gino, but I'm open to be proven wrong. Tell me who else can actually prioritize over the air sector wide. I'm talking about not just pushing out the voice first on any given CPE, I'm talking about ALL the CPE on a sector being able to send its queued voice out before any CPE can release data into the sector?

Patrick Leary
AVP WISP Markets
Alvarion, Inc.
o: 650.314.2628
c: 760.580.0080
Vonage: 650.641.1243
[EMAIL PROTECTED]

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gino A. Villarini
Sent: Friday, January 05, 2007 2:19 PM
To: 'WISPA General List'
Subject: RE: [WISPA] churn,double play and why WLP is key - I finally understand it

Patrick, not to rain on your parade but you guys are actually 2nd on this RF prioritization feature

Gino A. Villarini
[EMAIL PROTECTED]
Aeronet Wireless Broadband Corp.
tel 787.273.4143 fax 787.273.4145

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Patrick Leary
Sent: Friday, January 05, 2007 4:13 PM
To: WISPA General List
Subject: [WISPA] churn,double play and why WLP is key - I finally understand it

...So I'm here at our annual national meeting and our project manager is explaining the Wireless Link Prioritization feature available for BreezeACCESS VL. Frankly, it has always seemed esoteric to those of us non-technical types, but now I got it and it is simple enough.

First, I learned the statistical improvement in churn when a provider has double play VoIP + data customers. We have had a few CLECs report to us that with a single play model their churn is about 9%. Adding double play takes it down to close to 1%. This is critical to the business model because they said a 10% reduction in churn translates into about a 20% improvement in NPV per subscriber. That's obviously huge.

So what does the WLP feature available in BreezeACCESS VL have to do with any of this? BreezeACCESS VL can already do QoS priority tagging of packets per CPE using layer 2 (802.11p), layer 3 (IP TOS, DSCP) or layer 4 (TCP/UDP port ranges common with Cisco, for example). That's good and already better than most brands of BWA gear. BUT, that's only PER CPE. In a typical situation, this does not help at all when multiple CPE are on a sector -- there is no prioritization at the RF level in unlicensed from any brand...until now.

WLP (also called multimedia application prioritization) actually solves this and enables over-the-air prioritization for the first time in the industry. The translation for this is that BreezeACCESS VL can now deliver massive VoIP, up to 288 concurrent calls per sector with a MOS (mean opinion score - a rating of voice quality) of 4.1. That's a phenomenal quantity that is more than 10x our main competitor as spelled out in their own relevant VoIP document.

So why not just use VL with firmware version 4.0 without getting the WLP feature? The WLP is the key to get the quantity AND THE QUALITY of service since it reserves air priority for the VoIP. So, in a double play business model, it is essential to get MOS voice quality of at least 4.1 and even 4.33 you must implement the WLP.

I believe it can now be said without reservation, that if you are using unlicensed and wanting to implement a double play of VoIP + data, the ONLY produc
Re: [WISPA] SSH DOS Killing Linux
Thanks Steve! I think that should help a lot.

Tom DeReggi
RapidDSL & Wireless, Inc
IntAirNet- Fixed Wireless Broadband

----- Original Message -----
From: "Steve" <[EMAIL PROTECTED]>
To: "WISPA General List"
Sent: Sunday, January 07, 2007 11:52 AM
Subject: Re: [WISPA] SSH DOS Killing Linux

Have you installed software such as fail2ban which will block the ip address after n number of failed ssh logins for n number of seconds? Depending on the purpose of the server it may block internet access for the client, but I wouldn't worry about that for my network. I have it installed on all my linux boxes and it blocks the routine ssh attacks that are all too common these days.

--

Tom DeReggi wrote:

We recently had a really nasty DOS attack that took down a large part of our network across several cell sites, from the infected client all the way to the Internet transit. Take note that we identified the problem quickly and cured it quickly. But this is the first time that this has occurred in 5 years, as we have a good number of smart design characteristics that have limited the effects of most viruses on our network.

We stopped the attack by blocking SSH to the infected sub. The average amount of traffic crossing the entire network path from the client to the Internet was about 500 kbps on average. (This was a 20 mbps wireless link, and a 100mbps fiber transport link to the transit.) The two routers were a P4 2Ghz, and a Dual XEON 2.2Ghz w/ 10,000rpm SCSI3. The damage was that the CPU was nailed on both routers to about 99.9% using "TOP" to monitor stats. We verified that successful SSH sessions were not made directly to the protected routers themselves. Take note that the wireless links were barely affected, it was the router 2 hops away (Dual XEON) that got overloaded the most. Our routers have been tested to pass over 2 gbps of throughput easily. And have been load tested to survive very small packets and high PPS adequately.

The infected sub was bandwidth managed with HTB to 256k cir, 1 mbps mir, but not anything for PPS. So I'm looking for reasons that the CPU got overloaded. My theory is that the DOS attack resulted in a large number of disk writes (maybe logging?) causing the CPU saturation. I've had a hard time locating the cause. And have not discovered which virus yet, although I should have more info soon from my clients.

So my question... What needs to be done on a Linux machine to harden it, to protect against CPU oversaturation, during DOS attacks? What should and shouldn't be logged? Connection Tracking? Firewall logging? Traffic stats?

Tom DeReggi
RapidDSL & Wireless, Inc
IntAirNet- Fixed Wireless Broadband
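The ban rule described in Steve's message above (block an address after n failed SSH logins, for n seconds) can be sketched as a sliding-window counter over sshd log lines. This is an added example, not code from the thread or from fail2ban itself; the log lines are constructed, and the names `MAX_RETRY`, `FIND_TIME`, `BAN_TIME`, `BanTracker` and `scan` and their values are assumptions chosen for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Illustrative thresholds (assumptions, not values from the thread).
MAX_RETRY = 3                        # failures that trigger a ban
FIND_TIME = timedelta(seconds=600)   # sliding window in which failures count
BAN_TIME = timedelta(seconds=3600)   # how long an address stays blocked

# Matches the usual OpenSSH "Failed password" syslog line.
FAILED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s\S+\ssshd\[\d+\]:\s"
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>[\d.]+) port \d+"
)

# Constructed sample log (documentation address ranges, hypothetical host gw1).
SAMPLE_LOG = [
    "Jan  7 11:40:01 gw1 sshd[4121]: Failed password for root from 192.0.2.44 port 40112 ssh2",
    "Jan  7 11:40:05 gw1 sshd[4123]: Failed password for invalid user admin from 192.0.2.44 port 40120 ssh2",
    "Jan  7 11:40:07 gw1 sshd[4125]: Accepted password for tom from 198.51.100.9 port 51515 ssh2",
    "Jan  7 11:40:09 gw1 sshd[4127]: Failed password for root from 192.0.2.44 port 40133 ssh2",
    "Jan  7 11:40:12 gw1 sshd[4129]: Failed password for root from 192.0.2.44 port 40140 ssh2",
    # Slow guesser: three failures, but never three inside one 600 s window.
    "Jan  7 11:45:00 gw1 sshd[4200]: Failed password for guest from 203.0.113.5 port 33001 ssh2",
    "Jan  7 11:51:00 gw1 sshd[4210]: Failed password for guest from 203.0.113.5 port 33002 ssh2",
    "Jan  7 11:57:00 gw1 sshd[4220]: Failed password for guest from 203.0.113.5 port 33003 ssh2",
]


class BanTracker:
    """Keeps per-address failure times in memory and decides when to ban."""

    def __init__(self, year=2007):
        self.year = year                      # syslog timestamps carry no year
        self.failures = defaultdict(deque)    # ip -> recent failure times
        self.banned_until = {}                # ip -> time the ban expires

    def is_banned(self, ip, now):
        until = self.banned_until.get(ip)
        return until is not None and now < until

    def feed(self, line):
        """Process one log line; return (ip, start, end) if it triggers a ban."""
        m = FAILED.match(line)
        if not m:
            return None                       # not a failed-login line
        ts = " ".join(m["ts"].split())        # collapse syslog's padded day
        now = datetime.strptime(f"{self.year} {ts}", "%Y %b %d %H:%M:%S")
        ip = m["ip"]
        if self.is_banned(ip, now):
            return None                       # already blocked, nothing new to do
        window = self.failures[ip]
        window.append(now)
        # Drop failures that have aged out of the sliding window.
        while window and now - window[0] > FIND_TIME:
            window.popleft()
        if len(window) >= MAX_RETRY:
            self.banned_until[ip] = now + BAN_TIME
            window.clear()
            return (ip, now, now + BAN_TIME)
        return None


def scan(lines):
    """Run a fresh tracker over the lines and return every ban it issued."""
    tracker = BanTracker()
    bans = []
    for line in lines:
        ban = tracker.feed(line)
        if ban:
            bans.append(ban)
    return bans


if __name__ == "__main__":
    for ip, start, end in scan(SAMPLE_LOG):
        print(f"ban {ip} from {start} until {end}")
```

In a deployment, each returned ban would become a firewall drop rule that is removed when the ban expires; fail2ban handles that step through its own action configuration.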
Re: [WISPA] SSH DOS Killing Linux
And how would I do that? Yes I know, I think that is a VL feature, and my radio is not VL.

If I were able to limit the PPS then that would solve the problem. But technically why should I have to limit the PPS, because the radios themselves are nowhere near getting saturated by the amount of PPS currently going through. What is getting saturated is the HDD based XEON routers. My point here is that a XEON based GB router should not be able to handle less PPS than a 100Mhz Pentium based Radio. I should be able to tweak our Linux configuration to solve the problem and allow the Linux box to run optimally without risk.

Lastly, what is the appropriate PPS limit that would not compromise a customer's traffic?

Tom DeReggi
RapidDSL & Wireless, Inc
IntAirNet- Fixed Wireless Broadband

----- Original Message -----
From: "Marty Dougherty" <[EMAIL PROTECTED]>
To: "'WISPA General List'"
Sent: Sunday, January 07, 2007 8:24 AM
Subject: RE: [WISPA] SSH DOS Killing Linux

"The infected sub was bandwidth managed with HTB to 256k cir, 1 mbps mir, but not anything for PPS."

Tom- Why don't you just limit the number of PPS at the customer's radio?

Marty

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tom DeReggi
Sent: Saturday, January 06, 2007 9:27 PM
To: WISPA General List
Subject: [WISPA] SSH DOS Killing Linux

We recently had a really nasty DOS attack that took down a large part of our network across several cell sites, from the infected client all the way to the Internet transit. Take note that we identified the problem quickly and cured it quickly. But this is the first time that this has occurred in 5 years, as we have a good number of smart design characteristics that have limited the effects of most viruses on our network.

We stopped the attack by blocking SSH to the infected sub. The average amount of traffic crossing the entire network path from the client to the Internet was about 500 kbps on average. (This was a 20 mbps wireless link, and a 100mbps fiber transport link to the transit.) The two routers were a P4 2Ghz, and a Dual XEON 2.2Ghz w/ 10,000rpm SCSI3. The damage was that the CPU was nailed on both routers to about 99.9% using "TOP" to monitor stats. We verified that successful SSH sessions were not made directly to the protected routers themselves. Take note that the wireless links were barely affected, it was the router 2 hops away (Dual XEON) that got overloaded the most. Our routers have been tested to pass over 2 gbps of throughput easily. And have been load tested to survive very small packets and high PPS adequately.

The infected sub was bandwidth managed with HTB to 256k cir, 1 mbps mir, but not anything for PPS. So I'm looking for reasons that the CPU got overloaded. My theory is that the DOS attack resulted in a large number of disk writes (maybe logging?) causing the CPU saturation. I've had a hard time locating the cause. And have not discovered which virus yet, although I should have more info soon from my clients.

So my question... What needs to be done on a Linux machine to harden it, to protect against CPU oversaturation, during DOS attacks? What should and shouldn't be logged? Connection Tracking? Firewall logging? Traffic stats?

Tom DeReggi
RapidDSL & Wireless, Inc
IntAirNet- Fixed Wireless Broadband
Re: [WISPA] Optimally taking advantage of GB Ethernet
Yes we also can push 800 mbps on a GB link Mikrotik router to Mikrotik Router. But the test initiates on a Jumbo frame device and ends on a jumbo frame device.

Now try this test... Connect 4 computers each to its own 100mbps switch (support only 1500mtu). Then take the 4 switches and plug into 100m/1000gb switch, then plug that switch (9600MTU) to the end router on a GB ethernet port. Do a simultaneous test from all 4 pcs to the end GB router, and see what you get. I bet you'll find that the aggregate throughput is around 200mbps FDX.

Linux on most Ethernet ports will auto adjust its MTU, so testing in a lab router to router may not show desired results as the testing PC will start with Jumbo frames from the beginning.

>Checking the router Interfaces show a 1500MTU setting

Because it is set to 1500MTU, does not necessarily mean that it is pushing only 1500 MTU. Many ethernet drivers are configured to allow larger size packets to pass. I won't try and try to explain that situation because I will get it wrong.

The customer's traffic is almost always using a 1500 MTU, so 1500 byte packets or smaller is what will pass across any backbone transport links. The gear must be capable of pushing the 1500 MTU packets at full speed. For whatever reason it usually is NOT possible. Most GB gear will only push full capacity when pushing Jumbo 9600 or greater packets. Unless there is some sort of trunking mode that aggregates the packets.

Tom DeReggi
RapidDSL & Wireless, Inc
IntAirNet- Fixed Wireless Broadband

----- Original Message -----
From: "Brad Belton" <[EMAIL PROTECTED]>
To: "'WISPA General List'"
Sent: Saturday, January 06, 2007 11:50 PM
Subject: RE: [WISPA] Optimally taking advantage of GB Ethernet

Hello Tom,

First let me say... damn Cowboys...

I'm not sure I follow exactly what you are saying, but we have pushed better than 800Mbps HDX and more than 700Mbps FDX aggregate between GigE MT routers.

Checking the router Interfaces show a 1500MTU setting. Is that what you are talking about?
Brad
Re: [WISPA] Optimally taking advantage of GB Ethernet
Understand a major difference: AT&T, for example, sells GB fiber for $8000 per month. But they are selling layer 2 end to end to the subscriber. So because GB fiber is the customer's first hop, the customer's MTU can adjust to 9600 MTU jumbo frames. For example, if the customer has a GB switch on premise, they are already using jumbo frames, and it is easy to interface to a GB Ethernet WAN connection. The other LECs doing GB fiber are often using something other than Ethernet, such as Sonet, ATM, or whatever. There may be something there that deals with it.

The problem I brought up is that ISPs hook up the customer's initial connection with less than 100mbps, which is NOT jumbo frames. The reason is that most Ethernet fiber/CAT5 (<100mbps) equipment does not allow over 1500 MTU, and only a few equipment manufacturers even support allowing around 1540 MTU to support things like MPLS and VLANs.

I do not believe that people like AT&T are passing over 200mbps on their GB Ethernet fiber links, when they are using them as backbones or extensions to existing customer's connection, for the reason I brought up. I just don't think that the end user customer base is smart enough to know the difference.

Tom DeReggi
RapidDSL & Wireless, Inc
IntAirNet- Fixed Wireless Broadband

----- Original Message -----
From: "Travis Johnson" <[EMAIL PROTECTED]>
To: "WISPA General List"
Sent: Saturday, January 06, 2007 11:42 PM
Subject: Re: [WISPA] Optimally taking advantage of GB Ethernet

Tom,

How are the "big boys" doing it? Surely AT&T and others are transporting more than 200Mbps across their 1GB fiber links.

Travis
Microserv

Tom DeReggi wrote:

Gigabit Ethernet can pass 1 gbps when it uses greater than a 9600 MTU frame. But with a 1500MTU frame, it can barely pass 200 mbps. The problem is that most Internet and subscriber traffic is using a 1500MTU or smaller frame. So in theory, it would be just as efficient and fast to bond two 100 mbps fiber connections than it would to buy 1- 1GB fiber connection.

So the question is: How do we most efficiently use 1GB fiber to get the advantage of the full 1GB of capacity? Do we need to use some sort of packet aggregation/stuffing technology? Is GB Ethernet pointless for Internet transit backbones? Is GB just good for high capacity transports, recognizing that routers will likely split traffic to different smaller bandwidth peers? Is there a special router or router feature used to solve this problem? Is that method available to Linux?

The reason I ask is several fold. In a network design where all traffic flows to a single source (for example many 100mbps backhauls to remote areas to 1 central data center), it would be beneficial because the cost of 1 big 1GB pipe could be shared to deliver capacity to everything, better apt to handle peak traffic and get higher oversubscription rates. However, if the GB Internet pipe can not be efficiently used, this method would be severely flawed. It might be better to have multiple 100mbps transit connections spread out across one's network, so there was a shorter path to transit, and the network's bandwidth spread out amongst multiple 100mbps transit connections, for better overall throughput. In other words, in a 10 city network, 1- 100mbps pipe in each of the 10 cities would allow a full combined 1 gbps of Internet transit, whereas aggregating 100mbps from each city to one central source where there was a single 1GB transit would result in only a 200mbps throughput, assuming traffic was delivered to it as a 1500 MTU.

Any feedback?

Take note that my comment that a 1500MTU frame 1 Gbps Ethernet card could only pass 200kbps was based on some lab tests. With the 1500MTU frame achieving only 200kbps, our router's CPU utilization was less than 20%, so it was not a saturated router. The second we changed MTU to 9600, we got over 800 mbps, and CPU utilization was still very low, forget exact number but under 40%. These tests were replicated going PC to PC (no switch) and with a high end SMC GB switch in-line.

Tom DeReggi
RapidDSL & Wireless, Inc
IntAirNet- Fixed Wireless Broadband

--
WISPA Wireless List: wireless@wispa.org
Subscribe/Unsubscribe: http://lists.wispa.org/mailman/listinfo/wireless
Archives: http://lists.wispa.org/pipermail/wireless/
RE: [WISPA] churn, double play and why WLP is key - I finally understand it
It does sound like a similar smart mechanism Gino -- I stand corrected. If this is who I assume it is though, then why do they report such low VoIP performance per SM and per AP?

...but don't answer any of this until after you leave Vail. Better that you should just enjoy your vacation. Sounds great.

Patrick

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gino A. Villarini
Sent: Sunday, January 07, 2007 9:37 AM
To: 'WISPA General List'
Subject: RE: [WISPA] churn,double play and why WLP is key - I finally understand it

Well, I haven't replied to this earlier cause I'm on vacation (skiing @ Vail) but now, let me add some info...

I don't want to get involved in a gear fight, but a brand x gear has a per-sector prioritization of traffic. It works like this:

You set the cpe to identify the traffic to be prioritized using Diffserv (it can be any type of traffic, not just voip)
Then you activate on the cpe the "high priority channel" option
Set how much bandwidth this "high priority channel" would use
And you are done.

The Sector AP identifies all the cpes on the sector using this feature and assigns them a 2nd slot of time for this traffic for each cpe, so cpes using this feature have 2 slots of time to talk to the ap, 1 for priority traffic, the other for regular traffic. Sector wide, all high priority channels of all cpes have "priority" over regular cpes...

So Patrick, what do you think

Gino A. Villarini
[EMAIL PROTECTED]
Aeronet Wireless Broadband Corp.
tel 787.273.4143 fax 787.273.4145

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Patrick Leary
Sent: Saturday, January 06, 2007 12:59 AM
To: WISPA General List
Subject: RE: [WISPA] churn,double play and why WLP is key - I finally understand it

I don't think so Gino, but I'm open to be proven wrong. Tell me who else can actually prioritize over the air sector wide. I'm talking about not just pushing out the voice first on any given CPE, I'm talking about ALL the CPE on a sector being able to send its queued voice out before any CPE can release data into the sector?

Patrick Leary
AVP WISP Markets
Alvarion, Inc.
o: 650.314.2628 c: 760.580.0080 Vonage: 650.641.1243
[EMAIL PROTECTED]

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gino A. Villarini
Sent: Friday, January 05, 2007 2:19 PM
To: 'WISPA General List'
Subject: RE: [WISPA] churn,double play and why WLP is key - I finally understand it

Patrick, not to rain on your parade but you guys are actually 2nd on this RF prioritization feature

Gino A. Villarini
[EMAIL PROTECTED]
Aeronet Wireless Broadband Corp.
tel 787.273.4143 fax 787.273.4145

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Patrick Leary
Sent: Friday, January 05, 2007 4:13 PM
To: WISPA General List
Subject: [WISPA] churn,double play and why WLP is key - I finally understand it

...So I'm here at our annual national meeting and our project manager is explaining the Wireless Link Prioritization feature available for BreezeACCESS VL. Frankly, it has always seemed esoteric to those of us non-technical types, but now I got it and it is simple enough.

First, I learned the statistical improvement in churn when a provider has double play VoIP + data customers. We have had a few CLECs report to us that with a single play model their churn is about 9%. Adding double play takes it down to close to 1%. This is critical to the business model because they said a 10% reduction in churn translates into about a 20% improvement in NPV per subscriber. That's obviously huge.

So what does the WLP feature available in BreezeACCESS VL have to do with any of this? BreezeACCESS VL can already do QoS priority tagging of packets per CPE using layer 2 (802.11p), layer 3 (IP TOS, DSCP) or layer 4 (TCP/UDP port ranges common with Cisco, for example). That's good and already better than most brands of BWA gear. BUT, that's only PER CPE. In a typical situation, this does not help at all when multiple CPE are on a sector -- there is no prioritization at the RF level in unlicensed from any brand...until now. WLP (also called multimedia application prioritization) actually solves this and enables over-the-air prioritization for the first time in the industry.

The translation for this is that BreezeACCESS VL can now deliver massive VoIP, up to 288 concurrent calls per sector with a MOS (mean opinion score - a rating of voice quality) of 4.1. That's a phenomenal quantity that is more than 10x our main competitor as spelled out in their own relevant VoIP document.

So why not just use VL with firmware version 4.0 without getting the WLP feature? The WLP is the key to get the quantity AND THE QUALITY of service since it reserves air priority for the VoIP. So, in a double play business model, it is essential to get MOS voice quality of at least 4.1 and even 4.33 you must implement the
RE: [WISPA] churn, double play and why WLP is key - I finally understand it
Well, I haven't replied to this earlier cause I'm on vacation (skiing @ Vail) but now, let me add some info...

I don't want to get involved in a gear fight, but a brand x gear has a per-sector prioritization of traffic. It works like this:

You set the cpe to identify the traffic to be prioritized using Diffserv (it can be any type of traffic, not just voip)
Then you activate on the cpe the "high priority channel" option
Set how much bandwidth this "high priority channel" would use
And you are done.

The Sector AP identifies all the cpes on the sector using this feature and assigns them a 2nd slot of time for this traffic for each cpe, so cpes using this feature have 2 slots of time to talk to the ap, 1 for priority traffic, the other for regular traffic. Sector wide, all high priority channels of all cpes have "priority" over regular cpes...

So Patrick, what do you think

Gino A. Villarini
[EMAIL PROTECTED]
Aeronet Wireless Broadband Corp.
tel 787.273.4143 fax 787.273.4145

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Patrick Leary
Sent: Saturday, January 06, 2007 12:59 AM
To: WISPA General List
Subject: RE: [WISPA] churn,double play and why WLP is key - I finally understand it

I don't think so Gino, but I'm open to be proven wrong. Tell me who else can actually prioritize over the air sector wide. I'm talking about not just pushing out the voice first on any given CPE, I'm talking about ALL the CPE on a sector being able to send its queued voice out before any CPE can release data into the sector?

Patrick Leary
AVP WISP Markets
Alvarion, Inc.
o: 650.314.2628 c: 760.580.0080 Vonage: 650.641.1243
[EMAIL PROTECTED]

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gino A. Villarini
Sent: Friday, January 05, 2007 2:19 PM
To: 'WISPA General List'
Subject: RE: [WISPA] churn,double play and why WLP is key - I finally understand it

Patrick, not to rain on your parade but you guys are actually 2nd on this RF prioritization feature

Gino A. Villarini
[EMAIL PROTECTED]
Aeronet Wireless Broadband Corp.
tel 787.273.4143 fax 787.273.4145

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Patrick Leary
Sent: Friday, January 05, 2007 4:13 PM
To: WISPA General List
Subject: [WISPA] churn,double play and why WLP is key - I finally understand it

...So I'm here at our annual national meeting and our project manager is explaining the Wireless Link Prioritization feature available for BreezeACCESS VL. Frankly, it has always seemed esoteric to those of us non-technical types, but now I got it and it is simple enough.

First, I learned the statistical improvement in churn when a provider has double play VoIP + data customers. We have had a few CLECs report to us that with a single play model their churn is about 9%. Adding double play takes it down to close to 1%. This is critical to the business model because they said a 10% reduction in churn translates into about a 20% improvement in NPV per subscriber. That's obviously huge.

So what does the WLP feature available in BreezeACCESS VL have to do with any of this? BreezeACCESS VL can already do QoS priority tagging of packets per CPE using layer 2 (802.11p), layer 3 (IP TOS, DSCP) or layer 4 (TCP/UDP port ranges common with Cisco, for example). That's good and already better than most brands of BWA gear. BUT, that's only PER CPE. In a typical situation, this does not help at all when multiple CPE are on a sector -- there is no prioritization at the RF level in unlicensed from any brand...until now. WLP (also called multimedia application prioritization) actually solves this and enables over-the-air prioritization for the first time in the industry.

The translation for this is that BreezeACCESS VL can now deliver massive VoIP, up to 288 concurrent calls per sector with a MOS (mean opinion score - a rating of voice quality) of 4.1. That's a phenomenal quantity that is more than 10x our main competitor as spelled out in their own relevant VoIP document.

So why not just use VL with firmware version 4.0 without getting the WLP feature? The WLP is the key to get the quantity AND THE QUALITY of service since it reserves air priority for the VoIP. So, in a double play business model, it is essential to get MOS voice quality of at least 4.1 and even 4.33 you must implement the WLP.

I believe it can now be said without reservation, that if you are using unlicensed and wanting to implement a double play of VoIP + data, the ONLY product out there that can do it in scale and with toll quality is BreezeACCESS VL.

Regards,

Patrick Leary
AVP WISP Markets
Alvarion, Inc.
o: 650.314.2628 c: 760.580.0080 Vonage: 650.641.1243
[EMAIL PROTECTED]
Re: [WISPA] SSH DOS Killing Linux
Have you installed software such as fail2ban, which will block the IP address after n number of failed ssh logins for n number of seconds? Depending on the purpose of the server it may block internet access for the client, but I wouldn't worry about that for my network. I have it installed on all my Linux boxes and it blocks the routine ssh attacks that are all too common these days.

Tom DeReggi wrote:

> We recently had a really nasty DOS attack that took down a large part of our network across several cell sites, from the infected client all the way to the Internet transit.
>
> Take note that we identified the problem quickly and cured it quickly. But this is the first time that this has occurred in 5 years, as we have a good number of smart design characteristics that have limited the effects of most viruses on our network. We stopped the attack by blocking SSH to the infected sub. The average amount of traffic crossing the entire network path from the client to the Internet was about 500 kbps on average. (This was a 20 mbps wireless link, and a 100mbps fiber transport link to the transit.) The two routers were a P4 2Ghz, and a Dual XEON 2.2Ghz w/ 10,000rpm SCSI3. The damage was that the CPU was nailed on both routers to about 99.9% using "TOP" to monitor stats. We verified that successful SSH sessions were not made directly to the protected routers themselves. Take note that the wireless links were barely affected, it was the router 2 hops away (Dual XEON) that got overloaded the most. Our routers have been tested to pass over 2 gbps of throughput easily. And have been load tested to survive very small packets and high PPS adequately. The infected sub was bandwidth managed with HTB to 256k cir, 1 mbps mir, but not anything for PPS. So I'm looking for reasons that the CPU got overloaded. My theory is that the DOS attack resulted in a large number of disk writes (maybe logging?) causing the CPU saturation. I've had a hard time locating the cause. And have not discovered which virus yet, although I should have more info soon from my clients.
>
> So my question
>
> What needs to be done on a Linux machine to harden it, to protect against CPU oversaturation, during DOS attacks?
>
> What should and shouldn't be logged? Connection Tracking? Firewall logging? Traffic stats?
>
> Tom DeReggi
> RapidDSL & Wireless, Inc
> IntAirNet- Fixed Wireless Broadband
RE: [WISPA] churn, double play and why WLP is key - I finally understand it
Tom,

This can be addressed in a number of ways. The configuration options include setting for burst durations within both the AU and SUs for both high (voice) and low priority traffic (data) and there is a specific "starvation prevention" setting in 4.0. Also, those that implement DRAP via the optional Alvarion voice gateways (sold widely in Europe and other places, but not yet sold much in the U.S.) have the ability to limit the number of calls per SU and per sector. When the calls exceed the settings, then the caller receives a busy signal when they try to dial versus opening a call session that was choppy. So the DRAP call admission settings would be adjusted per client based on what you sold to them -- that guy could not sneak 40 calls across his CPE because you'd have set him a cap based on his service plan.

For full details you should read the short (19 page) VoIP over Wireless Networks whitepaper I sent out some months ago. I can send you another copy if you need it.

Patrick Leary
AVP WISP Markets
Alvarion, Inc.
o: 650.314.2628 c: 760.580.0080 Vonage: 650.641.1243
[EMAIL PROTECTED]

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tom DeReggi
Sent: Saturday, January 06, 2007 5:55 PM
To: WISPA General List
Subject: Re: [WISPA] churn,double play and why WLP is key - I finally understand it

Patrick,

>I'm talking about ALL
>the CPE on a sector being able to send its que'd voice out before any
>CPE can release data into the sector?

That's pretty cool. But I'd be interested in learning more on how that protocol method interacts with bandwidth allocation per subscriber.

This is the problem that I see from the provider point of view. They have two profiles of subscribers, the ones that use their bandwidth, and the ones that don't. The ones that don't can be oversubscribed heavily, therefore can be sold to at a much lower cost to compete against commodity cable and DSL competitors. The ones that do monopolize the network, and need to be sold to at a higher price, often designated at a business class CIR type service, or however else the ISP tends to market the higher QOS guarantee service. When the ISP qualifies the prospect appropriately in advance correctly, everyone wins. The ISP gets paid, the High QOS client gets the priority he needs, and the low cost client does not get starved of broadband.

The problem occurs when the ISP does not qualify the prospect appropriately. We've learned that every client starts their conversation out, "I barely use bandwidth. I just need a very low cost service like ADSL for $49. I'm just doing VOIP, basic Internet use, and creating a VPN between my offices for a central file server. Maybe some occasional video conferencing. But nothing demanding." Or they lie, and say they have one computer just doing limited internet browsing, and you learn they are hosting about 20 web servers and a search engine, or a Bulk Email service. Or if I make it relevant to this thread, they end up putting 20-30 VOIP phones on the service, that they say is just a limited web browsing service.

The truth is Managed VOIP is the big bandwidth hog today. So globally giving VOIP users first priority over all other traffic could be a big flaw. It would allow the one that misrepresented their need to chew up all the good honest customers' bandwidth. Meaning if VOIP had first priority above all data traffic, the client paying $49 a month and inappropriately putting 30 VOIP calls on the service would have better service than the other 20 customers paying $200/month for data services that bought the appropriate bandwidth for their need. So there is a catch 22 on prioritizing VOIP above all.

So the question is... Does Alvarion do anything smart about this, to deliver a fair amount of bandwidth to ALL subs, when prioritizing VOIP?

Tom DeReggi
RapidDSL & Wireless, Inc
IntAirNet- Fixed Wireless Broadband

----- Original Message -----
From: "Patrick Leary" <[EMAIL PROTECTED]>
To: "WISPA General List"
Sent: Friday, January 05, 2007 11:58 PM
Subject: RE: [WISPA] churn,double play and why WLP is key - I finally understand it

I don't think so Gino, but I'm open to be proven wrong. Tell me who else can actually prioritize over the air sector wide. I'm talking about not just pushing out the voice first on any given CPE, I'm talking about ALL the CPE on a sector being able to send its queued voice out before any CPE can release data into the sector?

Patrick Leary
AVP WISP Markets
Alvarion, Inc.
o: 650.314.2628 c: 760.580.0080 Vonage: 650.641.1243
[EMAIL PROTECTED]

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gino A. Villarini
Sent: Friday, January 05, 2007 2:19 PM
To: 'WISPA General List'
Subject: RE: [WISPA] churn,double play and why WLP is key - I finally understand it

Patrick, not to rain on your parade but you guys are actually 2nd on this RF prioritization feature

Gino
RE: [WISPA] SSH DOS Killing Linux
"The infected sub was bandwidth managed with HTB to 256k cir, 1 mbps mir, but not anything for PPS."

Tom-

Why don't you just limit the number of PPS at the customer's radio?

Marty

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tom DeReggi
Sent: Saturday, January 06, 2007 9:27 PM
To: WISPA General List
Subject: [WISPA] SSH DOS Killing Linux

We recently had a really nasty DOS attack that took down a large part of our network across several cell sites, from the infected client all the way to the Internet transit.

Take note that we identified the problem quickly and cured it quickly. But this is the first time that this has occurred in 5 years, as we have a good number of smart design characteristics that have limited the effects of most viruses on our network. We stopped the attack by blocking SSH to the infected sub. The average amount of traffic crossing the entire network path from the client to the Internet was about 500 kbps on average. (This was a 20 mbps wireless link, and a 100mbps fiber transport link to the transit.) The two routers were a P4 2Ghz, and a Dual XEON 2.2Ghz w/ 10,000rpm SCSI3. The damage was that the CPU was nailed on both routers to about 99.9% using "TOP" to monitor stats. We verified that successful SSH sessions were not made directly to the protected routers themselves. Take note that the wireless links were barely affected, it was the router 2 hops away (Dual XEON) that got overloaded the most. Our routers have been tested to pass over 2 gbps of throughput easily. And have been load tested to survive very small packets and high PPS adequately. The infected sub was bandwidth managed with HTB to 256k cir, 1 mbps mir, but not anything for PPS. So I'm looking for reasons that the CPU got overloaded. My theory is that the DOS attack resulted in a large number of disk writes (maybe logging?) causing the CPU saturation. I've had a hard time locating the cause. And have not discovered which virus yet, although I should have more info soon from my clients.

So my question

What needs to be done on a Linux machine to harden it, to protect against CPU oversaturation, during DOS attacks?

What should and shouldn't be logged? Connection Tracking? Firewall logging? Traffic stats?

Tom DeReggi
RapidDSL & Wireless, Inc
IntAirNet- Fixed Wireless Broadband
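An added illustration, not part of any poster's message and not fail2ban's own code: the reply in this thread that recommends fail2ban describes banning an address after n failed ssh logins for n seconds, and the Python sketch below applies that rule to sshd log lines. The parameter names mirror fail2ban's maxretry, findtime and bantime jail options; the log lines, addresses, year and function names are constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample sshd log lines; addresses are documentation ranges.
SAMPLE_LOG = """\
Jan  6 21:00:01 gw sshd[2101]: Failed password for root from 192.0.2.10 port 40112 ssh2
Jan  6 21:00:03 gw sshd[2102]: Failed password for invalid user admin from 192.0.2.10 port 40113 ssh2
Jan  6 21:00:04 gw sshd[2103]: Accepted password for tom from 198.51.100.7 port 51000 ssh2
Jan  6 21:00:05 gw sshd[2104]: Failed password for root from 192.0.2.10 port 40114 ssh2
Jan  6 21:00:09 gw sshd[2105]: Failed password for tom from 198.51.100.7 port 51001 ssh2
Jan  6 21:02:00 gw sshd[2106]: Failed password for root from 192.0.2.10 port 40115 ssh2
Jan  6 21:20:00 gw sshd[2107]: Failed password for root from 203.0.113.5 port 60000 ssh2
Jan  6 21:40:00 gw sshd[2108]: Failed password for root from 203.0.113.5 port 60001 ssh2
"""

# The greedy ".*" binds to the LAST " from <ip> port" on the line, so a
# username that itself contains " from 10.0.0.1 port 1 ssh2" cannot choose
# which address gets banned.
FAILED = re.compile(
    r"^(\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?.* from (\S+) port \d+ ssh2$"
)


def parse_failures(text, year=2007):
    """Yield (timestamp, source_ip) for every failed-password line.

    Syslog timestamps carry no year, so the caller supplies one (assumed).
    """
    for line in text.splitlines():
        m = FAILED.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            yield ts, m.group(2)


def find_bans(text, maxretry=3, findtime=600, bantime=600, year=2007):
    """Return [(ip, banned_at, banned_until)] for chronologically ordered logs.

    An address is banned once it has `maxretry` failures inside a sliding
    window of `findtime` seconds; the ban lasts `bantime` seconds.
    """
    window = defaultdict(deque)   # ip -> timestamps of recent failures
    banned_until = {}             # ip -> end of the current ban
    bans = []
    for ts, ip in parse_failures(text, year):
        if ip in banned_until and ts < banned_until[ip]:
            continue              # already blocked; nothing new to count
        recent = window[ip]
        recent.append(ts)
        # Drop failures that have aged out of the findtime window.
        while ts - recent[0] > timedelta(seconds=findtime):
            recent.popleft()
        if len(recent) >= maxretry:
            until = ts + timedelta(seconds=bantime)
            banned_until[ip] = until
            bans.append((ip, ts, until))
            recent.clear()        # start counting afresh after the ban
    return bans


if __name__ == "__main__":
    for ip, start, end in find_bans(SAMPLE_LOG):
        print(f"ban {ip} from {start} until {end}")
```

Only the address with three failures inside ten minutes is banned; the single mistyped password from 198.51.100.7 and the two failures twenty minutes apart from 203.0.113.5 stay under the threshold.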