Re: Cogent revisited
On 11 August 2015 at 21:47, Adam Greene wrote:

Perhaps that depends on where you are in the world and your traffic types. I have worked with two UK ISPs that have Cogent as one of their transit providers; neither has had any problems in the 5+ years they've both had Cogent transit. It has always "just worked".

Cheers,
James.
Re: Data Center operations mail list?
I was actually surprised with how many people subscribed already. I think we are close to 100 already in less than 24 hours.

I could use some help drafting some basic mailing list rules (no spam, no soliciting, etc) and if anyone has any suggestions, please let me know.

On Wed, Aug 12, 2015 at 1:34 AM, Mark Tinka wrote:
> On 11/Aug/15 17:46, Alex Brooks wrote:
> > With the lack of interest compared to NANOG (especially seeing how the old list simply dried up) it might be best making the list global rather than North America only to get the traffic levels up a bit.
>
> Tend to agree that a list with global scope might be more useful.
>
> Mark.
Re: Data Center operations mail list?
I missed the subscription info. Can you repost please? I can be #100 :)

On Wed, Aug 12, 2015 at 8:33 AM, Rafael Possamai wrote:
> I was actually surprised with how many people subscribed already. I think we are close to 100 already in less than 24 hours.
>
> I could use some help drafting some basic mailing list rules (no spam, no soliciting, etc) and if anyone has any suggestions, please let me know.
>
> On Wed, Aug 12, 2015 at 1:34 AM, Mark Tinka wrote:
> > On 11/Aug/15 17:46, Alex Brooks wrote:
> > > With the lack of interest compared to NANOG (especially seeing how the old list simply dried up) it might be best making the list global rather than North America only to get the traffic levels up a bit.
> >
> > Tend to agree that a list with global scope might be more useful.
> >
> > Mark.

-- 
:o@>
Re: Experience on Wanguard for 'anti' DDOS solutions
> Date: Tue, 11 Aug 2015 08:14:54 +0200
> From: "marcel.durega...@yahoo.fr"
> To: nanog@nanog.org
> Subject: Re: Experience on Wanguard for 'anti' DDOS solutions
> Message-ID: <55c992de.3020...@yahoo.fr>
> Content-Type: text/plain; charset=windows-1252; format=flowed
>
> anybody from this impressive list ?:
>
> https://www.andrisoft.com/company/customers
>
> -- Marcel

Anybody here compared Wanguard's performance with the DDoS vendors in the market (Arbor, Radware, NSFocus, A10, RioRey, Staminus, F5 ..)?

Another question, has anybody from the reviewers tested the false positives of the box, or experienced any false positive incidents?

Thanks,

Ramy
Re: Data Center operations mail list?
> On Aug 12, 2015, at 7:53 AM, Oliver O'Boyle wrote:
>
> I missed the subscription info. Can you repost please? I can be #100 :)

http://lists.nadcog.org

Welcome aboard.

—Chris
Re: Data Center operations mail list?
Done, thanks!

On Wed, Aug 12, 2015 at 10:36 AM, Chris Boyd wrote:
> > On Aug 12, 2015, at 7:53 AM, Oliver O'Boyle wrote:
> >
> > I missed the subscription info. Can you repost please? I can be #100 :)
>
> http://lists.nadcog.org
>
> Welcome aboard.
>
> —Chris

-- 
:o@>
Re: Data Center operations mail list?
Interesting... I just went to the web site to subscribe and I received an email that I was already subscribed.

I don't remember doing that... So how did this happen??

Robert

On Wed, 12 Aug 2015 07:33:05 -0500 Rafael Possamai wrote:
> I was actually surprised with how many people subscribed already. I think we are close to 100 already in less than 24 hours.
>
> I could use some help drafting some basic mailing list rules (no spam, no soliciting, etc) and if anyone has any suggestions, please let me know.
>
> On Wed, Aug 12, 2015 at 1:34 AM, Mark Tinka wrote:
> > On 11/Aug/15 17:46, Alex Brooks wrote:
> > > With the lack of interest compared to NANOG (especially seeing how the old list simply dried up) it might be best making the list global rather than North America only to get the traffic levels up a bit.
> >
> > Tend to agree that a list with global scope might be more useful.
> >
> > Mark.
Re: Experience on Wanguard for 'anti' DDOS solutions
Hello

My 2 cents
You can use Wanguard for the detection and A10 for the mitigation; you just have to play with the API.

Regards

Fabien

> On 12 August 2015 at 16:28, Ramy Hashish wrote:
>
> > Date: Tue, 11 Aug 2015 08:14:54 +0200
> > From: "marcel.durega...@yahoo.fr"
> > To: nanog@nanog.org
> > Subject: Re: Experience on Wanguard for 'anti' DDOS solutions
> > Message-ID: <55c992de.3020...@yahoo.fr>
> > Content-Type: text/plain; charset=windows-1252; format=flowed
> >
> > anybody from this impressive list ?:
> >
> > https://www.andrisoft.com/company/customers
> >
> > -- Marcel
>
> Anybody here compared Wanguard's performance with the DDoS vendors in the market (Arbor, Radware, NSFocus, A10, RioRey, Staminus, F5 ..)?
>
> Another question, has anybody from the reviewers tested the false positives of the box, or experienced any false positive incidents?
>
> Thanks,
>
> Ramy
Re: Branch Location Over The Internet
Josh,

Just an FYI, I've successfully used these two EoIP implementations on Linux:

https://code.google.com/p/linux-eoip/
https://github.com/bbonev/eoip

So I wouldn't say EoIP is Mikrotik only -- these interop perfectly with Mikrotik. I started using these due to stability problems we were having with CCRs.

Pat

Tue, Aug 11, 2015 at 06:32:55PM -0400, Josh Luthman wrote:
> Eoip is Mikrotik only
>
> Josh Luthman
> Office: 937-552-2340
> Direct: 937-552-2343
> 1100 Wayne St
> Suite 1337
> Troy, OH 45373
>
> On Aug 11, 2015 6:28 PM, "Colton Conor" wrote:
> > EoIP seems to be what I am looking for, however this recent Mikrotik session says:
> >
> > EoIP could be a solution for tunneling L2 over L3.
> > - EoIP disadvantages:
> >   - Fragmentation of L2 frames over multiple L3 packets
> >   - Performance issues
> > - VPLS advantages:
> >   - No fragmentation.
> >   - 60% more performance than EoIP.
> >
> > So it sounds like VPLS might be better than EoIP? I can't find much about EoIP online, so is this a Mikrotik only protocol?
> >
> > On Tue, Aug 11, 2015 at 1:46 PM, Jürgen Jaritsch wrote:
> > > Hi,
> > >
> > > Mikrotik Routerboard + (encrypted) Ethernet over IP (EoIP). If required: MPLS+OSPF+BGP in the EoIP for additional features.
> > >
> > > Build the pseudo Layer2 with two dedicated boxes. In the HQ you can hand it over directly to the MX80 and at the new office you can work with small boxes like Cisco 7301 (also available with redundant PS) or if you need more ports: 19xx ...
> > >
> > > #) cheap setup
> > > #) can easily transport a few hundred Meg
> > > #) you can use refurb parts if required
> > > #) big community support for Mikrotik Routerboards
> > > #) encrypted transport possible
> > > #) works with dynamic IPs
> > > #) MPLS in the EoIP allows you to transport VRFs with BGP signaling
> > >
> > > Etc etc
> > >
> > > Best regards
> > >
> > > Jürgen Jaritsch
> > > Head of Network & Infrastructure
> > >
> > > ANEXIA Internetdienstleistungs GmbH
> > >
> > > Phone: +43-5-0556-300
> > > Fax: +43-5-0556-500
> > >
> > > E-Mail: j...@anexia.at
> > > Web: http://www.anexia.at
> > >
> > > Head office address, Klagenfurt: Feldkirchnerstraße 140, 9020 Klagenfurt
> > > Managing Director: Alexander Windbichler
> > > Company register: FN 289918a | Place of jurisdiction: Klagenfurt | VAT number: ATU63216601
> > >
> > > -----Original Message-----
> > > *From:* Colton Conor [colton.co...@gmail.com]
> > > *Received:* Tuesday, 11 Aug. 2015, 20:23
> > > *To:* NANOG [nanog@nanog.org]
> > > *Subject:* Branch Location Over The Internet
> > >
> > > We have an enterprise that has a headquarter office with redundant fiber connections, its own ASN, its own /22 IP block from ARIN, and a couple of gigabit internet connections from multiple providers. The office is taking full BGP routes from tier 1 providers using a Juniper MX80.
> > >
> > > They are establishing their first branch location, and need the branch location to be able to securely communicate back to headquarters, AND be able to use a /24 of headquarters public IP addresses. Ideally the device at the HQ location would hand out public IP addresses using DHCP to the other side of the tunnel at the branch location.
> > >
> > > We know that in an ideal world it would be wise to get layer 2 transport connections from HQ to the branch location, but let's assume that is not an option. Please don't flood this thread about how it could be an option because it's not at this time. This setup will be temporary and in service for the next year until we get fiber to the branch site.
> > >
> > > Let's assume at the branch location we can get a DOCSIS cable internet connection from an incumbent cable provider such as Comcast, and that provider will give us a couple of static IP addresses. Assume as a backup, we have a PPPoE DSL connection from the ILEC such as Verizon who gives us a dynamic IP address.
> > >
> > > What solution could we put at the HQ site and the branch site to achieve this? Ideally we would want the solution to load balance between the connections based on the connection speeds, and failover if one is down. The cable connection will be much faster (probably 150Mbps down and 10 upload) compared to the DSL connection (10 download and 1 upload). If we need more speed we can upgrade the cable modem to a higher package, but for DSL that is the max speed so we might have to get multiple DSL lines. The cable solution could always be used as the primary, and the DSL connection could only be used as backup if that makes things easier.
> > >
> > > If you were to do this with Juniper or Cisco gear what would you have at each location? What technology would you use?
> > >
> > > I know there is Pepewave and a couple of other software solutions that seem
Live-streaming the Root Zone Key-Signing Key Ceremony 22
FYI,

(Apologies if you see duplicates of this message.)

ICANN, as the IANA Functions Operator, will be live-streaming the Root Zone Key-Signing Key Ceremony (number 22) on Thursday, August 13. The "main" ceremony that day is scheduled to begin at 2000 UTC. (This is an activity related to DNSSEC.)

For more information about the event see:

https://www.iana.org/dnssec/ceremonies/22

On Thursday there will be two ceremonies as listed on that web page. The first ceremony will rotate cryptographic officer duties, basically, a change in some of the trusted community representatives participating in the key ceremonies. The second ceremony (the "main") will feature the introduction of two new Hardware Security Modules. This is the ceremony that will start at 2000 UTC.

Please see the above link for more information. The live-streaming link is at the bottom of the page. (https://icann.adobeconnect.com/kskceremony)
Re: Branch Location Over The Internet
Patrick,

which CCR did you test?

Best regards

-----Original Message-----
From: NANOG [mailto:nanog-boun...@nanog.org] On behalf of Patrick Cole
Sent: Wednesday, 12 August 2015 00:49
To: Josh Luthman
Cc: NANOG list
Subject: Re: Branch Location Over The Internet

Josh,

Just an FYI, I've successfully used these two EoIP implementations on Linux:

https://code.google.com/p/linux-eoip/
https://github.com/bbonev/eoip

So I wouldn't say EoIP is Mikrotik only -- these interop perfectly with Mikrotik. I started using these due to stability problems we were having with CCRs.

Pat

Tue, Aug 11, 2015 at 06:32:55PM -0400, Josh Luthman wrote:
> Eoip is Mikrotik only
>
> Josh Luthman
> Office: 937-552-2340
> Direct: 937-552-2343
> 1100 Wayne St
> Suite 1337
> Troy, OH 45373
>
> On Aug 11, 2015 6:28 PM, "Colton Conor" wrote:
> > EoIP seems to be what I am looking for, however this recent Mikrotik session says:
> >
> > EoIP could be a solution for tunneling L2 over L3.
> > - EoIP disadvantages:
> >   - Fragmentation of L2 frames over multiple L3 packets
> >   - Performance issues
> > - VPLS advantages:
> >   - No fragmentation.
> >   - 60% more performance than EoIP.
> >
> > So it sounds like VPLS might be better than EoIP? I can't find much about EoIP online, so is this a Mikrotik only protocol?
> >
> > On Tue, Aug 11, 2015 at 1:46 PM, Jürgen Jaritsch wrote:
> > > Hi,
> > >
> > > Mikrotik Routerboard + (encrypted) Ethernet over IP (EoIP). If required: MPLS+OSPF+BGP in the EoIP for additional features.
> > >
> > > Build the pseudo Layer2 with two dedicated boxes. In the HQ you can hand it over directly to the MX80 and at the new office you can work with small boxes like Cisco 7301 (also available with redundant PS) or if you need more ports: 19xx ...
> > >
> > > #) cheap setup
> > > #) can easily transport a few hundred Meg
> > > #) you can use refurb parts if required
> > > #) big community support for Mikrotik Routerboards
> > > #) encrypted transport possible
> > > #) works with dynamic IPs
> > > #) MPLS in the EoIP allows you to transport VRFs with BGP signaling
> > >
> > > Etc etc
> > >
> > > Best regards
> > >
> > > Jürgen Jaritsch
> > > Head of Network & Infrastructure
> > >
> > > ANEXIA Internetdienstleistungs GmbH
> > >
> > > Phone: +43-5-0556-300
> > > Fax: +43-5-0556-500
> > >
> > > E-Mail: j...@anexia.at
> > > Web: http://www.anexia.at
> > >
> > > Head office address, Klagenfurt: Feldkirchnerstraße 140, 9020 Klagenfurt
> > > Managing Director: Alexander Windbichler
> > > Company register: FN 289918a | Place of jurisdiction: Klagenfurt | VAT number: ATU63216601
> > >
> > > -----Original Message-----
> > > *From:* Colton Conor [colton.co...@gmail.com]
> > > *Received:* Tuesday, 11 Aug. 2015, 20:23
> > > *To:* NANOG [nanog@nanog.org]
> > > *Subject:* Branch Location Over The Internet
> > >
> > > We have an enterprise that has a headquarter office with redundant fiber connections, its own ASN, its own /22 IP block from ARIN, and a couple of gigabit internet connections from multiple providers. The office is taking full BGP routes from tier 1 providers using a Juniper MX80.
> > >
> > > They are establishing their first branch location, and need the branch location to be able to securely communicate back to headquarters, AND be able to use a /24 of headquarters public IP addresses. Ideally the device at the HQ location would hand out public IP addresses using DHCP to the other side of the tunnel at the branch location.
> > >
> > > We know that in an ideal world it would be wise to get layer 2 transport connections from HQ to the branch location, but let's assume that is not an option. Please don't flood this thread about how it could be an option because it's not at this time. This setup will be temporary and in service for the next year until we get fiber to the branch site.
> > >
> > > Let's assume at the branch location we can get a DOCSIS cable internet connection from an incumbent cable provider such as Comcast, and that provider will give us a couple of static IP addresses. Assume as a backup, we have a PPPoE DSL connection from the ILEC such as Verizon who gives us a dynamic IP address.
> > >
> > > What solution could we put at the HQ site and the branch site to achieve this? Ideally we would want the solution to load balance between the connections based on the connection speeds, and failover if one is down. The cable connection will be much faster (probably 150Mbps down and 10 upload) compared to the DSL connection (10 download and 1 upload). If we need more speed we can upgrade the cable modem to a higher package, but for DSL that is the max speed so we might have to get multiple DSL lines. The cable solution could always be used as the primary, and the DSL connection could only
Re: Data Center operations mail list?
Robert, the first few people who expressed interest were subscribed manually. Everyone else has been using the list website to subscribe! There should have been a message sent out with the subscription email explaining it :)

On Wed, Aug 12, 2015 at 10:28 AM, Robert Webb wrote:
> Interesting... I just went to the web site to subscribe and I received an email that I was already subscribed.
>
> I don't remember doing that... So how did this happen??
>
> Robert
>
> On Wed, 12 Aug 2015 07:33:05 -0500 Rafael Possamai wrote:
> > I was actually surprised with how many people subscribed already. I think we are close to 100 already in less than 24 hours.
> >
> > I could use some help drafting some basic mailing list rules (no spam, no soliciting, etc) and if anyone has any suggestions, please let me know.
> >
> > On Wed, Aug 12, 2015 at 1:34 AM, Mark Tinka wrote:
> > > On 11/Aug/15 17:46, Alex Brooks wrote:
> > > > With the lack of interest compared to NANOG (especially seeing how the old list simply dried up) it might be best making the list global rather than North America only to get the traffic levels up a bit.
> > >
> > > Tend to agree that a list with global scope might be more useful.
> > >
> > > Mark.
Re: Experience on Wanguard for 'anti' DDOS solutions
hi ramy

On 08/12/15 at 05:28pm, Ramy Hashish wrote:
> Anybody here compared Wanguard's performance with the DDoS vendors in the market (Arbor, Radware, NSFocus, A10, RioRey, Staminus, F5 ..)?

wouldn't the above "comparison" be kinda funky, comparing software solutions with hardware appliances and/or cloud scrubbers ??

comparisons between vendors should be between sw solutions, or hw appliances vs other hw, or cloud vs other clouds

wanguard should be compared with other sw options or vendors using sflow, netflow, jflow, etc etc
  http://www.andrisoft.com/software/wanguard
  http://bitbucket.org/tortoiselabs/ddosmon
  http://www.github.com/FastVPSEestiOu/fastnetmon
  http://nfdump.sourceforge.net
  http://nfsen.sourceforge.net

wanguard - software solution using sflow
  http://www.andrisoft.com/software/wanguard

arbor - hardware/software solutions -- "peakflow"
  http://www.arbornetworks.com/products/peakflow

radware -- hardware/software/cloud solutions -- "defenseflow"
  http://www.radware.com/products/attack-mitigation-service/
  http://www.radware.com/Products/DefenseFlow/

nsfocus -- hardware/cloud solutions
  http://www.nsfocus.com/products/

A10 -- hardware solution
  http://www.a10network.com/products

riorey --- hardware solution
  http://www.riorey.com/riorey-ddos-products

staminus - hardware/cloud solutions
  http://www.staminus.net/shield

# and to add to the ddos confusion ..

akamai/prolexic --- hardware/cloud solution

f5 -- hardware/cloud solutions
  http://www.f5.com/resources/white-papers/mitigating-ddos-attacks-with-f5-technology

fortinet -- custom ASIC hardware and cloud solution
  http://www.fortinet.com/products/fortiddos/ddos-mitigation-appliances.html

- simulated ddos attacks should include:
  == you are already getting hourly low level DDoS attacks from your script kiddies
  == try to defend against those mostly harmless attacks first

  # some trivial benchmark DDoS attacks to generate -- internally only
  # - never send DDoS packets outside of your bldg/gateway
  #
  # DDoS-Simulator.net == generate any DDoS packets per your desires
  # - use nc, socat, *perf, nping or hping to generate most of these DDoS attacks
  # - use dsniff/arpspoof to break everything

  within your own network, send few packets per second attacks
  within your own network, send x,000 packets per second attacks
  within your own network, send xxx,000 packet per second attacks sustained sporadically over hours/days

  - arp-based attacks

  - udp-based attacks
    nping -v -d1 -c 1 --data-length 1511 --rate 12345 --udp 127.0.0.1
    hping -c 1 -d 1511 -i u 81 --rand-source -p 123 -S --udp -p 123 127.0.0.1

  - icmp-based attacks
    ping -c 1 -s 1511 -i 0.8 127.0.0.1
    nping -v -d1 -c 1 --data-length 1511 --rate 12345 --icmp 127.0.0.1
    hping -c 1 -d 1501 --rand-source --file TeraByteFile.bin --icmp 127.0.0.1
    gazillionPingApps

  - tcp-based attacks --- ez to send malicious packets and to defend against
    # 10,000 random src add
    hping -c 1 -d 1511 -i u 81 --rand-source -xxTCPflags 127.0.0.1
    # -S = set SYN flag
    # -F = set FIN flag
    # -A = set ACK flag

  - application layer tests --- http, ssh, mail and 65,532 other ports
    hping -c 1 -d 1511 -i u 81 --rand-source -p 22 -S 127.0.0.1
    hping -c 1 -d 1511 -i u 81 --rand-source -p 25 -S 127.0.0.1
    hping -c 1 -d 1511 -i u 81 --rand-source -p 80 -S 127.0.0.1
    hping -c 1 -d 1511 -i u 81 --rand-source -p 53 -S --udp 127.0.0.1
    - these attack the servers or client desktop/laptops

  - volumetric attacks -- almost everybody will fail this test
    - volumetric attacks are pointless, you'll always fail at some point
    ping -f
    iperf
    socat

  - send spam .. mitigated separately ...
  - send virus and worms to the list ... mitigated separately ...

- cloud solutions
  - if you have regulatory compliance requirements, your options are extremely limited to a few certified and expensive clouds
  - what triggers the packets to go to the cloud for scrubbing
    - you do NOT want somebody "looking" at millions of packets to decide to send it off to the cloud for scrubbing or not
    - you might NOT want to send everything to the cloud and incur unnecessary expenses if you're NOT under xxxGbit/sec DDoS attacks

- ddos mitigation should be able to distinguish legit traffic from real ddos traffic
  - eg folks downloading or sending 4GB dvd or larger files
  - eg silly folks sending 4GB dvd via emails

# simplified way to distinguish legit users from ddos attackers if web servers are
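The post's last point, telling a legitimate 4 GB download apart from a distributed flood, as an added example that is not from the thread or from any vendor listed in it: it aggregates constructed NetFlow-style records per destination and gates on packet rate, source fan-in and mean packet size together, so a single fast downloader is not flagged while a spoofed SYN flood is. The thresholds, field names and sample flows are assumptions for the example.

```python
from collections import defaultdict
from dataclasses import dataclass

# Thresholds are assumptions for this example; derive real ones from your own baseline.
WINDOW_SECONDS = 10       # length of the observation window the flows cover
PPS_FLOOD = 2000          # packets/sec towards one destination
MIN_SOURCES = 100         # distinct sources before we call it "distributed"
SMALL_PACKET_BYTES = 128  # floods are mostly minimal-size packets


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str       # "tcp", "udp" or "icmp"
    packets: int
    bytes: int
    tcp_flags: str   # "S" = SYN only, "PA" = data segment, "" when not TCP


def make_sample() -> list:
    """Constructed flow records for one 10 s window (not real traffic)."""
    # one client pulling a DVD image over HTTPS: a single source, full-size packets
    flows = [Flow("203.0.113.7", "198.51.100.10", "tcp", 30_000, 30_000 * 1400, "PA")]
    # SYN flood: 400 spoofed sources, 120 bare SYNs each, 60-byte packets
    for i in range(400):
        flows.append(Flow(f"198.18.{i // 256}.{i % 256}", "198.51.100.20", "tcp", 120, 120 * 60, "S"))
    # a recursive resolver: many clients, but only a couple of packets from each
    for i in range(300):
        flows.append(Flow(f"203.0.113.{i % 200}", "198.51.100.30", "udp", 2, 2 * 80, ""))
    return flows


def summarize(flows, window_seconds=WINDOW_SECONDS):
    """Per destination: packet rate, source fan-in, mean packet size, SYN-only share."""
    acc = defaultdict(lambda: {"packets": 0, "bytes": 0, "tcp": 0, "syn": 0, "sources": set()})
    for f in flows:
        a = acc[f.dst]
        a["packets"] += f.packets
        a["bytes"] += f.bytes
        a["sources"].add(f.src)
        if f.proto == "tcp":
            a["tcp"] += f.packets
            a["syn"] += f.packets if f.tcp_flags == "S" else 0
    return {
        dst: {
            "pps": a["packets"] / window_seconds,
            "sources": len(a["sources"]),
            "avg_bytes": a["bytes"] / a["packets"],
            "syn_only_ratio": a["syn"] / a["tcp"] if a["tcp"] else 0.0,
        }
        for dst, a in acc.items()
    }


def classify(flows, window_seconds=WINDOW_SECONDS):
    """Attach a verdict to every destination; a high rate alone is never enough."""
    result = summarize(flows, window_seconds)
    for stats in result.values():
        distributed = stats["sources"] >= MIN_SOURCES
        tiny = stats["avg_bytes"] < SMALL_PACKET_BYTES
        if stats["pps"] >= PPS_FLOOD and distributed and tiny:
            stats["verdict"] = "flood"
        elif stats["pps"] >= PPS_FLOOD:
            # fast, but few sources and large packets: someone moving a big file
            stats["verdict"] = "bulk-transfer"
        else:
            stats["verdict"] = "normal"
    return result


if __name__ == "__main__":
    for dst, s in sorted(classify(make_sample()).items()):
        print(f"{dst:14} pps={s['pps']:6.0f} sources={s['sources']:4d} "
              f"avg={s['avg_bytes']:5.0f}B syn={s['syn_only_ratio']:.2f} -> {s['verdict']}")
```

The resolver destination shows why fan-in alone is not a signal: 200 sources, but 60 packets/sec, so it stays "normal".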
Re: Experience on Wanguard for 'anti' DDOS solutions
Hello Fabien,

And why don't you use A10 for both detection and mitigation?

Thanks,

Ramy

On Wed, Aug 12, 2015 at 6:42 PM, Fabien Delmotte wrote:
> Hello
>
> My 2 cents
> You can use Wanguard for the detection and A10 for the mitigation; you just have to play with the API.
>
> Regards
>
> Fabien
>
> > On 12 August 2015 at 16:28, Ramy Hashish wrote:
> >
> > > Date: Tue, 11 Aug 2015 08:14:54 +0200
> > > From: "marcel.durega...@yahoo.fr"
> > > To: nanog@nanog.org
> > > Subject: Re: Experience on Wanguard for 'anti' DDOS solutions
> > > Message-ID: <55c992de.3020...@yahoo.fr>
> > > Content-Type: text/plain; charset=windows-1252; format=flowed
> > >
> > > anybody from this impressive list ?:
> > >
> > > https://www.andrisoft.com/company/customers
> > >
> > > -- Marcel
> >
> > Anybody here compared Wanguard's performance with the DDoS vendors in the market (Arbor, Radware, NSFocus, A10, RioRey, Staminus, F5 ..)?
> >
> > Another question, has anybody from the reviewers tested the false positives of the box, or experienced any false positive incidents?
> >
> > Thanks,
> >
> > Ramy
Can someone from Cogentco.com contact me offlist?
A routing/filtering problem probably between be2185.ccr22.cle04.atlas.cogentco.com and be2009.ccr21.alb02.atlas.cogentco.com.

-- 
-=[Lou Katz]=-
Composed on an ASR33
Re: Experience on Wanguard for 'anti' DDOS solutions
you can try to get some financial (probably poor technical) view on DDOS:

http://www.infonetics.com/pr/2014/1H14-DDoS-Prevention-Appliances-Market-Highlights.asp

The DDOS prevention Appliances report is not free, and I doubt it's really technical :-) But at least you could know what your financial guys might think. Could help you if you want to convince them to buy Arbor :-).

- Marcel

On 12.08.2015 16:28, Ramy Hashish wrote:
> > Date: Tue, 11 Aug 2015 08:14:54 +0200
> > From: "marcel.durega...@yahoo.fr"
> > To: nanog@nanog.org
> > Subject: Re: Experience on Wanguard for 'anti' DDOS solutions
> > Message-ID: <55c992de.3020...@yahoo.fr>
> > Content-Type: text/plain; charset=windows-1252; format=flowed
> >
> > anybody from this impressive list ?:
> >
> > https://www.andrisoft.com/company/customers
> >
> > -- Marcel
>
> Anybody here compared Wanguard's performance with the DDoS vendors in the market (Arbor, Radware, NSFocus, A10, RioRey, Staminus, F5 ..)?
>
> Another question, have anybody from the reviewers tested the false positives of the box, or experienced any false positive incidents?
>
> Thanks,
>
> Ramy