Re: Krebs on Security booted off Akamai network after DDoS attack proves pricey

2016-09-24 Thread John Levine
>> Well...by anycast, I meant BGP anycast, spreading the "target"
>> geographically to a dozen or more well connected/peered origins.  At that
>> point, your ~600G DDoS might only be around
>
>anycast and tcp? the heck you say! :)

People who've tried it say it works fine.  Routes don't flap that often.



Re: Krebs on Security booted off Akamai network after DDoS attack proves pricey

2016-09-24 Thread Bill Woodcock

> On Sep 24, 2016, at 7:47 AM, John Levine  wrote:
> 
>>> Well...by anycast, I meant BGP anycast, spreading the "target"
>>> geographically to a dozen or more well connected/peered origins.  At that
>>> point, your ~600G DDoS might only be around
>> 
>> anycast and tcp? the heck you say! :)
> 
> People who've tried it say it works fine.

It’s worked fine for 28 years, for me.

-Bill








Re: Krebs on Security booted off Akamai network after DDoS attack proves pricey

2016-09-24 Thread Christopher Morrow
On Sat, Sep 24, 2016 at 12:28 PM, Bill Woodcock  wrote:

>
> > On Sep 24, 2016, at 7:47 AM, John Levine  wrote:
> >
> >>> Well...by anycast, I meant BGP anycast, spreading the "target"
> >>> geographically to a dozen or more well connected/peered origins.  At that
> >>> point, your ~600G DDoS might only be around
> >>
> >> anycast and tcp? the heck you say! :)
> >
> > People who've tried it say it works fine.
>
> It’s worked fine for 28 years, for me.
>
>
>

boy, it'd sure be nice if there were some 'science' and 'measurement'
behind such statements.
Didn't k-root do some anycast studies ~8-10 years back?

-chris
(note I'm totally a believer in anycast for tcp in the 'right'
circumstances, but often it feels like talking to climate-change-deniers
when proffering it as a solution)


Re: Krebs on Security booted off Akamai network after DDoS attack proves pricey

2016-09-24 Thread Niels Bakker

* morrowc.li...@gmail.com (Christopher Morrow) [Sat 24 Sep 2016, 18:55 CEST]:
> boy, it'd sure be nice if there were some 'science' and 'measurement'
> behind such statements.
> Didn't k-root do some anycast studies ~8-10 years back?


Not k-root but CacheFly 2006: https://www.nanog.org/meetings/nanog37/presentations/matt.levine.pdf



-- Niels.


Re: Krebs on Security booted off Akamai network after DDoS attack proves pricey

2016-09-24 Thread Christopher Morrow
On Sat, Sep 24, 2016 at 2:43 PM, Niels Bakker wrote:

> * morrowc.li...@gmail.com (Christopher Morrow) [Sat 24 Sep 2016, 18:55 CEST]:
>
>> boy, it'd sure be nice if there were some 'science' and 'measurement'
>> behind such statements.
>> Didn't k-root do some anycast studies ~8-10 years back?
>>
>
> Not k-root but CacheFly 2006: https://www.nanog.org/meetings/nanog37/presentations/matt.levine.pdf
>
>
>
that's not the one I was thinking of, this is:
  

which references your presentation, nice! and is about J-root, not K-root,
but mentions Lorenzo's work on K-root studies... In any case, both seem to
say that 'tcp anycast works fine' (inside some set of parameters).

thanks!
-chris


Re: Krebs on Security booted off Akamai network after DDoS attack proves pricey

2016-09-24 Thread Brett Watson

>> 
> that's not the one I was thinking of, this is:
>  
> 
> which references your presentation, nice! and is about J-root, not K-root,
> but mentions Lorenzo's work on K-root studies... In any case, both seem to
> say that 'tcp anycast works fine' (inside some set of parameters).
> 

Right… and we’ve known this since about… ? 1996?




One Year On: IPv4 Exhaust

2016-09-24 Thread Jay R. Ashworth
One year ago today, at 12:36pm EDT, Facebook On This Day reminds me, John
Curran announced that the last IPv4 address block in ARIN's Free Pool had
been assigned.

How's that been workin' out for everyone?

Cheers,
-- jra
-- 
Jay R. Ashworth  Baylink   j...@baylink.com
Designer The Things I Think   RFC 2100
Ashworth & Associates   http://www.bcp38.info  2000 Land Rover DII
St Petersburg FL USA  BCP38: Ask For It By Name!   +1 727 647 1274


Re: Krebs on Security booted off Akamai network after DDoS attack proves pricey

2016-09-24 Thread Justin Paine via NANOG

DNS Results for query A krebsonsecurity.com
Answer: krebsonsecurity.com 157 IN A 130.211.45.45

On Google now. 

 
Justin Paine 
Head of Trust & Safety 
CloudFlare Inc. 
PGP: BBAA 6BCE 3305 7FD6 6452 711557B6 0114 DE0B 314D




On Sat, Sep 24, 2016 at 2:17 PM -0700, "Brett Watson" wrote:

>> 
> that's not the one I was thinking of, this is:
>  
> 
> which references your presentation, nice! and is about J-root, not K-root,
> but mentions Lorenzo's work on K-root studies... In any case, both seem to
> say that 'tcp anycast works fine' (inside some set of parameters).
> 

Right… and we’ve known this since about… ? 1996?


Re: Krebs on Security booted off Akamai network after DDoS attack proves pricey

2016-09-24 Thread Jared Mauch

> On Sep 24, 2016, at 9:28 PM, Justin Paine via NANOG  wrote:
> 
> 
> DNS Results for query A krebsonsecurity.com
> Answer: krebsonsecurity.com 157 IN A 130.211.45.45


I recommend running this command (or similar):

rndc flushname krebsonsecurity.com

if you still see 127.0.0.1

- Jared

Re: Krebs on Security booted off Akamai network after DDoS attack proves pricey

2016-09-24 Thread Jay Farrell via NANOG
And of course on windows ipconfig /flushdns

Still I had to wait for my corporate caching servers to update; I think the
TTL on the old A record was an hour.

On Sat, Sep 24, 2016 at 9:51 PM, Jared Mauch  wrote:

>
> > On Sep 24, 2016, at 9:28 PM, Justin Paine via NANOG wrote:
> >
> >
> > DNS Results for query A krebsonsecurity.com
> > Answer: krebsonsecurity.com 157 IN A 130.211.45.45
>
>
> I recommend running this command (or similar):
>
> rndc flushname krebsonsecurity.com
>
> if you still see 127.0.0.1
>
> - Jared


Re: Krebs on Security booted off Akamai network after DDoS attack proves pricey

2016-09-24 Thread Ca By
On Saturday, September 24, 2016, Justin Paine via NANOG wrote:

>
> DNS Results for query A krebsonsecurity.com
> Answer: krebsonsecurity.com 157 IN A 130.211.45.45
>
> On Google now.
>
>
Next question.

Will google use the information from the telemetry, rumored to be webcams,
to defang the bot?  Like post an informative message that the source
network is hosting a bad actor (same nat ipv4, /25, ... ). Or, work with
the access networks (Comcast, rcs/rds, china telecom) to disconnect and
manage the abusers?


>


Re: Krebs on Security booted off Akamai network after DDoS attack proves pricey

2016-09-24 Thread Jay R. Ashworth
- Original Message -
> From: "Jay Farrell via NANOG" 

> And of course on windows ipconfig /flushdns
> 
> Still I had to wait for my corporate caching servers to update; I think the
> TTL on the old A record was an hour.

Are big eyeball networks still flooring A record TTLs on resolution?

Cheers,
-- jra
-- 
Jay R. Ashworth  Baylink   j...@baylink.com
Designer The Things I Think   RFC 2100
Ashworth & Associates   http://www.bcp38.info  2000 Land Rover DII
St Petersburg FL USA  BCP38: Ask For It By Name!   +1 727 647 1274