Re: I don't need no stinking firewall!

2010-01-09 Thread Dobbins, Roland
On Jan 10, 2010, at 1:32 PM, Dobbins, Roland wrote: > One can spout all the buzzwords and catchphrases one wishes, but at the end > of the day, it's all dead wrong - and anyone naive enough to fall for it is > setting himself up for a world of hurt. mike, You deserve a better response than t

Re: D/DoS mitigation hardware/software needed.

2010-01-09 Thread Dobbins, Roland
On Jan 10, 2010, at 1:27 PM, Roger Marquis wrote: > Reads like a sales pitch to me. My employer's products don't compete with firewalls, they *protect* them; if anything, it's in my pecuniary interest to *encourage* firewall deployments, so said firewalls will fall down and need protection, he

Re: he.net down/slow?

2010-01-09 Thread goemon
On Sat, 9 Jan 2010, James Hess wrote: Spam filter your inbox on /CONFIDENTIALITY NOTICE.*intended recipient.*destroy.*copies/si and be done with it. The individual sender normally has no control over the matter, so their only two choices are: (a) Post with the notice, or (b) Don't post

Re: I don't need no stinking firewall!

2010-01-09 Thread Dobbins, Roland
On Jan 10, 2010, at 1:22 PM, harbor235 wrote: > Again, a firewall has it's place just like any other device in the network, > defense in >>> depth is a prudent philosophy to reduce the chances of > compromise, it does not >>>eliminate it nor does any architecture you can > think of, period Wh

RE: D/DoS mitigation hardware/software needed.

2010-01-09 Thread George Bonser
> > Firewalls are not designed to mitigate large scale DDoS, Generally speaking, if it didn't bring the firewall to its knees, it wasn't a DoS. It was just sort of an annoying attempt at a DoS. I think that more or less the definition of a DoS is one that exploits the resource limitations of t

Re: D/DoS mitigation hardware/software needed.

2010-01-09 Thread Roger Marquis
Dobbins, Roland wrote: See here for a high-profile example: Reads like a sales pitch to me. No apples to apples comparisons, nothing like an ANOVA of PPS, payload sizes, and other vectors across different types of border defenses. Your presentation

Re: I don't need no stinking firewall!

2010-01-09 Thread harbor235
> > Other security features in an Enterprise Class firewall; > >-Inside source based NAT, reinforces secure traffic flow by allowing > outside to inside flows based on > > configured translations and allowed security policies > > Terrible from an availability perspective, troubleshooting perspe

Re: he.net down/slow?

2010-01-09 Thread William Herrin
On Sat, Jan 9, 2010 at 6:27 PM, Martin Hannigan wrote: > Some NDA's require that you must state your intent for each > communication that should be covered by the NDA. As much as everyone > would like to believe these are worthless, they are not. Applying them > globally to your email protects yo

Re: more inane confidentiality notices, was he.net down/slow?

2010-01-09 Thread John R. Levine
The point is that rather than try to enforce agreements individually, automatically slapping the notices on is not so unreasonable all considered. While it may be annoying, it's not baseless. It certainly isn't useless in discovery. Once again, I would be most interested in any statute or case

Re: qwest outage no notice

2010-01-09 Thread virendra rode
Hi, Martin Hannigan wrote: > On Sat, Jan 9, 2010 at 9:37 AM, Paul Wall wrote: > >> On Thu, Jan 7, 2010 at 5:04 AM, Mike >> wrote: >>> We just had a qwest outage of about 2 mins at 1:41am pst. When I called >> to >>> report it I was told it was a

Re: D/DoS mitigation hardware/software needed.

2010-01-09 Thread Dobbins, Roland
On Jan 10, 2010, at 10:33 AM, Christopher Morrow wrote: > separate the portions of the pie... only let the attack break the minimal > portion of your deployment. Use the right tool in the right place. An excellent point. A Web front-end server should be that - merely the front-end. Situation

Re: JunOS remote DoS code has been posted to FD

2010-01-09 Thread andrew.wallace
And here is the direct link for anyone who's interested: http://lists.grok.org.uk/pipermail/full-disclosure/2010-January/072340.html - Original Message From: Brian Keefer To: NANOG list Sent: Sun, 10 January, 2010 2:59:50 Subject: JunOS remote DoS code has been posted to FD I haven't

Re: D/DoS mitigation hardware/software needed.

2010-01-09 Thread Christopher Morrow
On Sat, Jan 9, 2010 at 10:21 PM, Dobbins, Roland wrote: > > On Jan 10, 2010, at 10:05 AM, Roger Marquis wrote: >> Have you noticed how easily Drupal servers go down with corrupt MyISAM >> tables?  How would S/RTBH and/or flow-spec protect against that? > > We're talking about DDoS mitigation in

Re: D/DoS mitigation hardware/software needed.

2010-01-09 Thread Dobbins, Roland
On Jan 10, 2010, at 10:05 AM, Roger Marquis wrote: > Ok, I'll bite. What firewalls are you referring to? Hardware-based commercial firewalls from the major vendors, open-source/DIY, and anything in between. All stateful firewalls ever made, period (as discussed previously in the thread). >

Re: he.net down/slow?

2010-01-09 Thread James Hess
On Sat, Jan 9, 2010 at 8:09 PM, Martin Hannigan wrote: >.. > is reasonable to inject it and everyone who can ignore it should > simply ignore it. "confidentiality notices" are non-innocuous for recipients who pay per kilobyte for data service, or who are frustrated by time wasted by reading the

Re: D/DoS mitigation hardware/software needed.

2010-01-09 Thread Roger Marquis
Dobbins, Roland wrote: Firewalls are not designed to mitigate large scale DDoS, unlike Arbors, but they do a damn good job of mitigating small scale attacks of all kinds including DDoS. Not been my experience at all - quite the opposite. Ok, I'll bite. What firewalls are you referring to?

JunOS remote DoS code has been posted to FD

2010-01-09 Thread Brian Keefer
I haven't tested the code myself, but no reason to think it doesn't work. Consider this your "exploits are in the wild" notice. -- bk

Re: D/DoS mitigation hardware/software needed.

2010-01-09 Thread Dobbins, Roland
On Jan 10, 2010, at 9:03 AM, Roger Marquis wrote: > That hasn't been my experience but then I'm not selling anything that might > have a lower ROI than firewalls, in small to mid-sized installations. I loudly evinced this position when I worked for the world's largest firewall vendor, so that

Re: he.net down/slow?

2010-01-09 Thread Martin Hannigan
I never said otherwise. I did say that from a liability standpoint it is reasonable to inject it and everyone who can ignore it should simply ignore it. Best, -M< On 1/9/10, joel jaeggli wrote: > Martin Hannigan wrote: >> Some NDA's require that you must state your intent for each >> communic

Re: more inane confidentiality notices, was he.net down/slow?

2010-01-09 Thread Martin Hannigan
Well, sure. So don't read the notice then. The point is that rather than try to enforce agreements individually, automatically slapping the notices on is not so unreasonable all considered. While it may be annoying, it's not baseless. It certainly isn't useless in discovery. YMMV. Best, -M< O

Re: D/DoS mitigation hardware/software needed.

2010-01-09 Thread Roger Marquis
Dobbins, Roland wrote: Firewalls do have their place in DDoS mitigation scenarios, but if used as the "ultimate" solution you're asking for trouble. In my experience, their role is to fall over and die, without exception. That hasn't been my experience but then I'm not selling anything that m

Re: he.net down/slow?

2010-01-09 Thread joel jaeggli
Martin Hannigan wrote: > Some NDA's require that you must state your intent for each > communication that should be covered by the NDA. As much as everyone > would like to believe these are worthless, they are not. Applying them > globally to your email protects your legal rights. It is also > inn

Re: I don't need no stinking firewall!

2010-01-09 Thread Dobbins, Roland
On Jan 10, 2010, at 5:51 AM, harbor235 wrote: > Other security features in an Enterprise Class firewall; >-Inside source based NAT, reinforces secure traffic flow by allowing > outside to inside flows based on >configured translations and allowed security policies Terrible from an a

Re: D/DoS mitigation hardware/software needed.

2010-01-09 Thread Dobbins, Roland
On Jan 10, 2010, at 12:57 AM, Jeffrey Lyon wrote: > I would love to provide you with some new experiences. I get new experiences of this type and plenty of new ideas every day, thanks. ;> --- Roland Dobbins //

Re: more inane confidentiality notices, was he.net down/slow?

2010-01-09 Thread John Levine
> Some NDA's require that you must state your intent for each > communication that should be covered by the NDA. I can believe that such NDAs may exist, but I'm pretty sure I didn't sign one as a condition of subscribing to nanog. In reality, boilerplate confidentiality notices merely document th

trying to analyze vispa isp outage

2010-01-09 Thread exploit dev
Hi to all, I have tried to check BGP traffic behaviour related to the recent VISPA ISP DDoS. For this task I have been using BGplay and I need feedback about my analysis. If you are interested check http://extraexploit.blogspot.com/2010/01/trying-to-analyze-vispa-isp-outage_08.html Thank you for your attent

Re: he.net down/slow?

2010-01-09 Thread Martin Hannigan
Some NDA's require that you must state your intent for each communication that should be covered by the NDA. As much as everyone would like to believe these are worthless, they are not. Applying them globally to your email protects your legal rights. It is also innocuous. Don't them it if you don'

Re: I don't need no stinking firewall!

2010-01-09 Thread harbor235
I think we are overlooking what an enterprise class firewall accomplishes from a security perspective and what a firewall's function is in the overall security posture of a network. First, stateful inspection by itself is not the only security feature of a firewall, it is one security feature of

Re: qwest outage no notice

2010-01-09 Thread Martin Hannigan
On Sat, Jan 9, 2010 at 9:37 AM, Paul Wall wrote: > On Thu, Jan 7, 2010 at 5:04 AM, Mike > wrote: > > We just had a qwest outage of about 2 mins at 1:41am pst. When I called > to > > report it I was told it was a 200+ emergency software upgrade due to a > > security concern, and that we will get

Re: D/DoS mitigation hardware/software needed.

2010-01-09 Thread Jeffrey Lyon
We should circle up one day, I would love to provide you with some new experiences. There is no sense in chalk talking it, too often I also disagree with new ideas until I see them in action. Best regards, Jeff On Sat, Jan 9, 2010 at 10:03 AM, Dobbins, Roland wrote: > > In my experience, their

Re: qwest outage no notice

2010-01-09 Thread Bob Bradlee
On Sat, 09 Jan 2010 07:00:42 -0800, Mike wrote: >Qwest NEVER EVER provides SLA adjustments, no matter how long it's down >or what their own role in it being down is. They toss it from department If they honored every SLA adjustment they would not be able to pay the current stockholders a 6.8%

RE: D/DoS mitigation hardware/software needed.

2010-01-09 Thread Stefan Fouant
> -Original Message- > From: Dobbins, Roland [mailto:rdobb...@arbor.net] > Sent: Saturday, January 09, 2010 10:03 AM > > On Jan 9, 2010, at 9:57 PM, Stefan Fouant wrote: > > > Firewalls do have their place in DDoS mitigation scenarios, but if > used as > > the "ultimate" solution you're a

Re: D/DoS mitigation hardware/software needed.

2010-01-09 Thread Dobbins, Roland
On Jan 9, 2010, at 9:57 PM, Stefan Fouant wrote: > Firewalls do have their place in DDoS mitigation scenarios, but if used as > the "ultimate" solution you're asking for trouble. In my experience, their role is to fall over and die, without exception. I can't imagine what possible use a statef

Re: qwest outage no notice

2010-01-09 Thread Mike
Paul Wall wrote: On Thu, Jan 7, 2010 at 5:04 AM, Mike wrote: We just had a qwest outage of about 2 mins at 1:41am pst. When I called to report it I was told it was a 200+ emergency software upgrade due to a security concern, and that we will get a notice later after the fact. That's n

RE: D/DoS mitigation hardware/software needed.

2010-01-09 Thread Stefan Fouant
> -Original Message- > From: Łukasz Bromirski [mailto:luk...@bromirski.net] > Sent: Saturday, January 09, 2010 6:11 AM > > You mean Juniper SRX? The biggest box is a 5800, and it can handle > up to 350k new sessions each second, up to a maximum of 10 million > (let's skip the fact that it's

Re: qwest outage no notice

2010-01-09 Thread Paul Wall
On Thu, Jan 7, 2010 at 5:04 AM, Mike wrote: > We just had a qwest outage of about 2 mins at 1:41am pst. When I called to > report it I was told it was a 200+ emergency software upgrade due to a > security concern, and that we will get a notice later after the fact. That's not a maintenance, that'

Re: D/DoS mitigation hardware/software needed.

2010-01-09 Thread Łukasz Bromirski
On 2010-01-05 03:17, Tim Eberhard wrote: > Kinda funny you state that Roland. I know of at least two very large > carriers that use Netscreens (and soon SRX's) for their DoS/DDoS > mitigation. You mean Juniper SRX? The biggest box is a 5800, and it can handle up to 350k new sessions each second,