RE: DDOS solution recommendation

2015-01-12 Thread David Hofstee
Hi Mike, About trying to hit the mail ports... It is very easy for a domain to set its MX to a random host name. So before you block you might want to check the To-domain in the header of the mail. Otherwise it is too easy to DoS yourself (by planting email addresses in systems, such as mine,

Re: DDOS solution recommendation

2015-01-12 Thread Colin Johnston
> On 12 Jan 2015, at 08:29, David Hofstee wrote: > > Hi Mike, > > About trying to hit the mail ports... It is very easy for a domain to set its > MX to a random host name. So before you block you might want to check the > To-domain in the header of the mail. Otherwise it is too easy to DoS y

Re: DDOS solution recommendation

2015-01-12 Thread Tore Anderson
* "Roland Dobbins" > On 11 Jan 2015, at 20:52, Ca By wrote: > > > 3. Have RTBH ready for some special case. > > S/RTBH and/or flowspec are better (S/RTBH does D/RTBH, too). But are there any transit providers that support flowspec these days? As I understand it, only GTT used to, but they sto

Re: DDOS solution recommendation

2015-01-12 Thread Roland Dobbins
On 12 Jan 2015, at 16:19, Tore Anderson wrote: I'd love to use flowspec over D/RTBH, but to me it seems like vapourware. I meant on your own infrastructure, apologies for the confusion. Transit providers can't offer S/RTBH to their downstreams for obvious reasons. Transit providers utiliz

Re: DDOS solution recommendation

2015-01-12 Thread Tore Anderson
* "Roland Dobbins" > On 12 Jan 2015, at 16:19, Tore Anderson wrote: > > > I'd love to use flowspec over D/RTBH, but to me it seems like > > vapourware. > > I meant on your own infrastructure, apologies for the confusion. Right. So if I first need to accept the traffic onto my infrastructure b

command that can display routes containing AS loops

2015-01-12 Thread Song Li
Hi everyone, I am curious about the AS loops in the AS-path. I think there should be a very, very few received BGP routes that contain the local AS#. But because such routes will be dropped and not installed in Loc-RIB, I want to know if there is a command that can display the dropped routes

Re: Recommended L2 switches for a new IXP

2015-01-12 Thread Mike Hammett
I look forward to this thread. I think one important thing is who is your addressable market size? I'm working with a startup IXP and there's only 20 carriers in the building. A chassis based switch would be silly as there would never be that many people present. 2x 1U switches would be more t

Re: command that can display routes containing AS loops

2015-01-12 Thread Dave Bell
On a Juniper, you could do something like: show route hidden aspath-regex .*.* Regards, Dave On 12 January 2015 at 13:05, Song Li wrote: > Hi everyone, > > I am curious about the AS loops in the AS-path. I think there should be a > very, very few received BGP routes that contain the local AS#.

Re: command that can display routes containing AS loops

2015-01-12 Thread Song Li
Hi Dave, thanks! I tried the command and found that it works. Do you know of a similar command on Cisco? Regards, Song On 2015/1/12 21:16, Dave Bell wrote: On a Juniper, you could do something like: show route hidden aspath-regex .*.* Regards, Dave On 12 January 2015 at 13:05, Song Li wrot

Re: DDOS solution recommendation

2015-01-12 Thread Colin Johnston
unfortunately chinanet antispam/abuse email box is always full, after a while people block. always check arin/ripe for known good provider blocks and actively exclude from rules ddos protection via careful overview ips rules and active web source ip monitoring works well, the hard part is da

Re: Office 365 Expert - I am not. I have a customer that...

2015-01-12 Thread Dave Pooser
>Wonder when Cloud providers get a clue, step up and help recommend a >circuit size based on users and the services their customer buy from them. When they think that poor customer word of mouth will cost them more sales than they are currently gaining from customers who would *not* move away from

IEEE International Workshop on Manageability and Security of Network Function Virtualization and Software Defined Network (MASONS)

2015-01-12 Thread Chen Liu
--- Apologies for cross-postings! --- Call for Papers IEE

MISSION 2015 - IEEE Workshop on Management Issues in SDN, SDI and NFV

2015-01-12 Thread Chen Liu
--- Apologies for cross-postings! --- IEEE Workshop on Man

Re: DDOS solution recommendation

2015-01-12 Thread Roland Dobbins
On 12 Jan 2015, at 3:28, Colin Johnston wrote: > ips rules and active web source ip monitoring works well Until it doesn't: --- Roland Dobbins

Re: Office 365 Expert - I am not. I have a customer that...

2015-01-12 Thread Bob Evans
>>Wonder when Cloud providers get a clue, step up and help recommend a >>circuit size based on users and the services their customer buy from >> them. > > When they think that poor customer word of mouth will cost them more sales > than they are currently gaining from customers who would *not* move

Re: Recommended L2 switches for a new IXP

2015-01-12 Thread Aaron
We used to use Brocade FastIrons until we needed more 10G port density. We moved to Brocade SX's. Originally, when it was 2 or 3 peers, we used an old Netgear switch. :) Aaron On 1/12/2015 7:07 AM, Mike Hammett wrote: I look forward to this thread. I think one important thing is who is your

Re: Recommended L2 switches for a new IXP

2015-01-12 Thread Justin Wilson - MTIN
Like Mike says, it depends on your market. Are these markets where there are existing exchanges? Cost per port is what we always look at. If we are going into a market where there won’t be much growth we look at Cisco and Force 10. Their cost per port is usually cheaper for smaller 10 Gig

Re: Recommended L2 switches for a new IXP

2015-01-12 Thread Nick Hilliard
On 12/01/2015 06:35, Manuel Marín wrote: > We are trying to build a new IXP in some US Metro areas where we have > multiple POPs and I was wondering what do you recommend for L2 switches. I > know that some IXPs use Nexus, Brocade, Force10 but I don't personally have > experience with these switche

Re: Recommended L2 switches for a new IXP

2015-01-12 Thread Martin Hannigan
Substantial amounts of hive mind went into this topic in the formation of Open-IX and particularly around optimizing costs and maximizing traffic. See http://bit.ly/N-OIX1 for a reference. Best, -M< On Mon, Jan 12, 2015 at 10:34 AM, Justin Wilson - MTIN wrote: > Like Mike says, it depends o

Re: Recommended L2 switches for a new IXP

2015-01-12 Thread Bill Woodcock
> On Jan 12, 2015, at 10:34 AM, Justin Wilson - MTIN wrote: > Cost per port is what we always look at. If we are going into a market where > there won’t be much growth we look at Cisco and Force 10. Their cost per > port is usually cheaper for smaller 10 Gig switches. You need something that

Re: Recommended L2 switches for a new IXP

2015-01-12 Thread Martin Hannigan
On Mon, Jan 12, 2015 at 10:43 AM, Nick Hilliard wrote: [ clip, good stuff ] - you should get in with the open-ix crowd and chat to people over pizza or > peanuts. You will learn a lot in an afternoon of immersion with > peers. > And you can find that crowd here http://mailman.open-ix.o

129.250.35.250/251 NTT DNS Instability

2015-01-12 Thread A MEKKAOUI
Hi We've seen some DNS instability and want to know if any of you have seen the same thing. Your comments will be appreciated. Thank you Karim

Re: 129.250.35.250/251 NTT DNS Instability

2015-01-12 Thread Jared Mauch
Can you give examples? 129.250.35.250/251 are anycasted so a trace route would be helpful as well. - jared > On Jan 12, 2015, at 11:17 AM, A MEKKAOUI wrote: > > Hi > > > > We've seen some DNS instability and want to know if any of you have seen > the same thing. Your comments will be ap

RE: 129.250.35.250/251 NTT DNS Instability

2015-01-12 Thread A MEKKAOUI
What we've seen is that this morning some of our clients cannot connect to internet and when we change the DNS to use Google DNS internet works fine. I'll see if I can get a tracert to 129.250.35.250 and will send it. Thank you A MEKKAOUI MEKTEL INC www.mektel.ca -Original Message- From

Re: 129.250.35.250/251 NTT DNS Instability

2015-01-12 Thread Ammar Zuberi
Traceroute from my home connection in Dubai, United Arab Emirates: traceroute to 129.250.35.250 (129.250.35.250), 64 hops max, 52 byte packets 1 192.168.1.1 (192.168.1.1) 2.293 ms 1.549 ms 7.657 ms 2 94.203.22.1 (94.203.22.1) 3.281 ms 8.348 ms 8.494 ms 3 10.39.162.65 (10.39.162.65) 5.

Re: DDOS solution recommendation

2015-01-12 Thread Valdis . Kletnieks
On Mon, 12 Jan 2015 18:06:57 +1100, Mark Andrews said: > > The ISP will very likely not see ANY traffic originating from spoofed > > IP destined to your server. > > They will see the reply traffic and will see the acks increasing etc. Assuming they think to *look* for it. 99.8% of ISPs will ge

Re: DDOS solution recommendation

2015-01-12 Thread Valdis . Kletnieks
On Sun, 11 Jan 2015 15:08:45 -0600, Mike Hammett said: > If that were to happen, it'd be for 30 days and it'd be whatever random > residential account or APNIC address that was doing it. Not really a big > loss. OK. I'll bite. When you get home today, blackhole www.google.com for your home IP

Re: Google's Safe Browsing Alerts for Network Administrators

2015-01-12 Thread Joe
I've not found it very useful. As for Shadowserver.org I really wish folks trying to save the internet from mis-configurations would stop randomly scanning networks to fix. These folks are one of many "do-gooders" that are adding to the traffic being dropped and logged. It's only contributing to the

Root and ARPA DNSSEC operational message - signature validity period

2015-01-12 Thread Wessels, Duane
DNSSEC signatures in the Root and ARPA zones were initially given a validity period of 7 days. The validity period is being increased to 10 days. Both the Root and ARPA zones publish their NS RRsets with a TTL of 6 days. A signature validity period of 7 days means that a root server instance that

RE: Google's Safe Browsing Alerts for Network Administrators

2015-01-12 Thread Frank Bulk
Thanks for that feedback on Google’s Safe Browsing Alerts. We’ll have to see how that works out for us over time. In regards to ShadowServer, I don’t think they’re randomly scanning networks, and neither are folks like OpenResolver – I think it’s pretty systematic, albeit from perhaps only

FL-IX in Miami is ready for new members

2015-01-12 Thread Dave Temkin
Hi all, FL-IX has started issuing LOAs for both 36 NE 2nd Street and NOTA in Miami. If you have a network that peers at either location, we'd love to have you as a member. We've committed to keeping the IX platform free for 3 years (you bring the cross connect; we have pre-negotiated deals for in

Re: DDOS solution recommendation

2015-01-12 Thread Owen DeLong
> On Jan 11, 2015, at 12:28 , Colin Johnston wrote: > > unfortunately chinanet antispam/abuse email box is always full, after a while > people block . > always check arin/ripe for known good provider blocks and actively exclude > from rules ARIN and RIPE do not provide address reputation info

Re: Recommended L2 switches for a new IXP

2015-01-12 Thread Mark Tinka
On Monday, January 12, 2015 05:54:38 PM Bill Woodcock wrote: > We see a lot of IXPs being formed or upgrading with Cisco > Nexus 3524 switches, which have 48 1G-10G SFP/SFP+ > physical ports, license-limited to 24 active, > upgradeable to 48 active. > > FWIW, 83% of IXPs have 48 or fewer particip

Re: DDOS solution recommendation

2015-01-12 Thread Brandon Ross
On Sun, 11 Jan 2015, Mike Hammett wrote: I know that UDP can be spoofed, but it's not likely that the SSH, mail, etc. login attempts, web page hits, etc. would be spoofed as they'd have to know the response to be of any good. Okay, so I'm curious. Are you saying that you do not automatically

Re: DDOS solution recommendation

2015-01-12 Thread Christopher Morrow
On Mon, Jan 12, 2015 at 3:17 PM, Brandon Ross wrote: > On Sun, 11 Jan 2015, Mike Hammett wrote: > >> I know that UDP can be spoofed, but it's not likely that the SSH, mail, >> etc. login attempts, web page hits, etc. would be spoofed as they'd have to >> know the response to be of any good. > > >

Re: DDOS solution recommendation

2015-01-12 Thread Mike Hammett
So the preferred alternative is to simply do nothing at all? That seems fair. - Mike Hammett Intelligent Computing Solutions http://www.ics-il.com - Original Message - From: "Christopher Morrow" To: "Brandon Ross" Cc: "Mike Hammett" , "NANOG list" Sent: Monday, Januar

Re: DDOS solution recommendation

2015-01-12 Thread Scott Weeks
--- na...@ics-il.net wrote: From: Mike Hammett So the preferred alternative is to simply do nothing at all? That seems fair. --- No, the answer is to find the groups that have already looked into the issues, learn what they've done and see if you can pro

RE: Recommended L2 switches for a new IXP

2015-01-12 Thread Tony Wicks
People seem to be avoiding recommending actual devices, well I would recommend the Juniper EX4600 - http://www.juniper.net/us/en/products-services/switching/ex-series/ex4600/ They are affordable, highly scalable, stackable and run JunOS. cheers

Re: DDOS solution recommendation

2015-01-12 Thread Christopher Morrow
On Mon, Jan 12, 2015 at 4:35 PM, Mike Hammett wrote: > So the preferred alternative is to simply do nothing at all? That seems fair. fairly certain I didn't say that, no. I think that lots of smarter-than-me folk have already chimed in with options... All I wanted to do with this was to note I d

Re: DDOS solution recommendation

2015-01-12 Thread Roland Dobbins
On 13 Jan 2015, at 4:35, Mike Hammett wrote: So the preferred alternative is to simply do nothing at all? Straw man. Nobody's said that. Quite the opposite, in point of fact. As noted previously in this thread, there's a lot of information out there about how operators deal with DDoS atta

Re: Recommended L2 switches for a new IXP

2015-01-12 Thread Mehmet Akcin
That's what I had recommended him directly ;) Mehmet > On Jan 12, 2015, at 1:41 PM, Tony Wicks wrote: > > People seem to be avoiding recommending actual devices, well I would > recommend the Juniper EX4600 - > > http://www.juniper.net/us/en/products-services/switching/ex-series/ex4600/ > > T

Re: Recommended L2 switches for a new IXP

2015-01-12 Thread Christopher Morrow
On Mon, Jan 12, 2015 at 4:41 PM, Tony Wicks wrote: > People seem to be avoiding recommending actual devices, well I would > recommend the Juniper EX4600 - > > http://www.juniper.net/us/en/products-services/switching/ex-series/ex4600/ > > They are affordable, highly scalable, stackable and run JunO

Re: DDOS solution recommendation

2015-01-12 Thread William F. Maton Sotomayor
On Mon, 12 Jan 2015, Mike Hammett wrote: So the preferred alternative is to simply do nothing at all? That seems fair. Not at all. But it is your network and only you know what the suggested approaches others have already run through are best for your environment. But if you haven't yet d

Re: DDOS solution recommendation

2015-01-12 Thread Max Clark
Ditto - we've been seeing average attack size pushing the 40-50 Gbps mark. The "serious" attacks are much, much larger. On Sat, Jan 10, 2015 at 8:50 PM, Ammar Zuberi wrote: > I'd beg to differ on this one. The average attacks we're seeing are double > that, around the 30-40g mark. Since NTP and

Re: DDOS solution recommendation

2015-01-12 Thread Scott Fisher
In looking at this thread, it's apparent that some are trying to over-simplify a not-so-simple problem. As someone brought out earlier, there is no silver bullet to fix for several reasons. Some reasons that I can come up with at the top of my head are: 1) DDOS types vary. 2) Not every network is

Re: DDOS solution recommendation

2015-01-12 Thread Roland Dobbins
On 13 Jan 2015, at 4:51, Scott Fisher wrote: The questions should be much more narrow. "How should I mitigate an NTP reflection" or "what are common mistakes people make when mitigating attacks" are questions that are more specific, that all can glean from. The answers to a lot of those question

Re: Recommended L2 switches for a new IXP

2015-01-12 Thread Mark Tinka
On Monday, January 12, 2015 11:41:20 PM Tony Wicks wrote: > People seem to be avoiding recommending actual devices, > well I would recommend the Juniper EX4600 - > > http://www.juniper.net/us/en/products-services/switching/ > ex-series/ex4600/ > > They are affordable, highly scalable, stackable

Re: Office 365 Expert - I am not. I have a customer that...

2015-01-12 Thread Jimmy Hess
Dave Pooser wrote: > than they are currently gaining from customers who would *not* move away > from on-prem if they understood all the costs including increased > bandwidth? The extra bandwidth needed to utilize most SaaS-based applications is not significant. I would say the larger problems in