0x0010: 405e eebf 0818 6987 0009 10f8 4300
> @^i.C...
>0x0020: ......
Source port 2072, destination port 27015.
--
Roland Dobbins // <http://www.arbornetworks.com>
Equo ne credite, Teucri.
-- Laocoön
On Aug 26, 2014, at 11:02 PM, valdis.kletni...@vt.edu wrote:
> Took me a few seconds to figure it out too, am a tad low on caffeine today. :)
doh, lack of proper sanitization/escaping strikes again!
--
Roland Dobbins // &l
router-security-strategies-securing-ip-network-traffic-9781587053368>
<http://www.ciscopress.com/store/mpls-vpn-security-9781587051838>
------
Roland Dobbins // <http://www.arbornetworks.com>
Eq
On Sep 16, 2014, at 11:26 PM, David Conrad wrote:
> Don’t get me started on why SU is exceptionally reserved instead of
> transitionally reserved.
Just in case?
;>
------
Roland Dobbins // <http://www.arbor
volving
significant sturm und drang.
----------
Roland Dobbins // <http://www.arbornetworks.com>
Equo ne credite, Teucri.
-- Laocoön
On Sep 17, 2014, at 8:37 AM, Justin Wilson wrote:
> But, I can find things in a real book easier.
Full-text search in the Kindle app, .pdf viewer app, et. al. is pretty useful
for finding things, IMHO.
;>
--
Roland D
y phone, these days.
Again, they're available via Amazon.
------
Roland Dobbins // <http://www.arbornetworks.com>
Equo ne credite, Teucri.
-- Laocoön
mes which have consistent outcomes?
This kind of thing is generally far more trouble than it's worth, in my
experience.
------
Roland Dobbins // <http://www.arbornetworks.com>
Equo ne c
twork are
likely to have done so. And by definition, the endpoint networks where the
spoofed traffic originates aren't likely to do so, nor are their immediate
peers/upstream transits - or they would've done so long ago.
------
y hunch is that there're a relatively small number of
networks from which the spoofed attack traffic is emitted.
------
Roland Dobbins // <http://www.arbornetworks.com>
Equo
th is not a defense against
*criminal* defamation charges, much less in civil suits.
And there are more than a few networks in APAC which haven't implemented
source-address validation to the degree possible . . .
----------
ll of the above is uninformed
speculation and may be completely wrong.]
----------
Roland Dobbins // <http://www.arbornetworks.com>
Equo ne credite, Teucri.
-- Laocoön
On Oct 8, 2014, at 9:43 PM, Paige Thompson wrote:
> Any thoughts on this are appreciated,
<http://mailman.nanog.org/pipermail/nanog/2010-January/016747.html>
<https://app.box.com/s/e6hdt0iansu1sdb6m42t> pp. 30-36.
--
Beyond that, reverse-proxy caches are useful, as well, as noted in the cited
historical email.
----------
Roland Dobbins // <http://www.arbornetworks.com>
Equo ne credite, Teucri.
-- Laocoön
ungry potential applications in mind.
----------
Roland Dobbins // <http://www.arbornetworks.com>
Equo ne credite, Teucri.
-- Laocoön
, soda cans, etc.
----------
Roland Dobbins // <http://www.arbornetworks.com>
Equo ne credite, Teucri.
-- Laocoön
boundaries. The virtual topologies you describe
> will likely also have related prefix consequences.
Concur, but my guess is that they will be essentially superimposed, without any
increase in hierarchy - in fact, quite the opposite.
---
fc6752>
------
Roland Dobbins // <http://www.arbornetworks.com>
Equo ne credite, Teucri.
-- Laocoön
yping the same
things all over again.
----------
Roland Dobbins // <http://www.arbornetworks.com>
Equo ne credite, Teucri.
-- Laocoön
, and then protect your infrastructure using
iACLs, GTSM, CoPP, et. al.
------
Roland Dobbins // <http://www.arbornetworks.com>
Equo ne credite, Teucri.
-- Laocoön
I cited it.
------
Roland Dobbins // <http://www.arbornetworks.com>
Equo ne credite, Teucri.
-- Laocoön
nt so he must be
> an idiot
That is incorrect. You've been told repeatedly that troubleshooting unnumbered
links is highly suboptimal; you've merely dismissed those arguments for reasons
best known to yourself.
----------
#x27;s inclined to repeat this suboptimal practice on the IPv6 side in the name
of 'consistency'.
But he knows best, and we oughtn't to try and dissuade him any further, as that
just upsets him.
----------
Roland Dobbins
eir
loopbacks, so that *all* their interfaces are sinkholes.
But the BCOP also talks about /128s.
--
Roland Dobbins // <http://www.arbornetworks.com>
Equo ne credite, Teucri.
-- Laocoön
address are a 'sinkhole' the only reason ? )
That's a pretty big reason not to use /64s.
----------
Roland Dobbins // <http://www.arbornetworks.com>
Equo ne credite, Teucri.
-- Laocoön
pbacks.
--
Roland Dobbins // <http://www.arbornetworks.com>
Equo ne credite, Teucri.
-- Laocoön
icient to needs?
These permanently-inline boxes and blades that dork around with general
Internet traffic to/from eyeball networks can be a support/troubleshooting
headache . . .
---
Roland Dobbins
against BGP speakers which haven't implemented
the BCPs could result in inadvertent disruption of BGP sessions.
-------
Roland Dobbins
On 5 Nov 2014, at 0:17, valdis.kletni...@vt.edu wrote:
> Am I the only guy wondering how many boxes out there are *still*
> vulnerable to forged RST packets?
That's covered by ' . . . and the like . . . '
;>
-------
Roland Dobbins
On 8 Nov 2014, at 1:56, srn.na...@prgmr.com wrote:
> But right now how should we be doing it?
<http://www.team-cymru.org/Services/ip-to-asn.html>
-------
Roland Dobbins
e CPE.
Generally speaking, networks running misconfigured, abusable devices by
definition aren't very actively managed - and so those operators don't
often respond, unless one has personal contacts within the relevant
group(s).
YMMV, of course.
-------
Roland Dobbins
//app.box.com/s/xznjloitly2apixr5xge>
Here's a preso which discusses reflection/amplification attacks,
including chargen reflection/amplification attacks such as the one you
describe:
<https://app.box.com/s/r7an1moswtc7ce58f8gg>
-----------
Roland Dobbins
on, as the
programmatically-generated attack traffic ends up 'crowding out'
legitimate traffic.
S/RTBH, flowspec, and other methods tend to produce better results.
-------
Roland Dobbins
which are larger than 512
Bytes – these are commonly found in DNS DoS Amplification attacks.
This *breaks the Internet*. Don't do it.
---
Roland Dobbins
it, heh.
This is applicable:
<http://mailman.nanog.org/pipermail/nanog/2010-January/016747.html>
-----------
Roland Dobbins
s a last resort.
-------
Roland Dobbins
nuisances', which is yet another
reason it's important to have visibility into your network traffic (it's
easy to get started with NetFlow and open-source tools).
---
Roland Dobbins
On 10 Nov 2014, at 8:23, Larry Sheldon wrote:
> The whole thing> Really?
Breaking DNS for your customers pretty much breaks the Internet for them, yes.
---
Roland Dobbins
o
and subsequent DDoS, DDoS attacks against Spamhaus, etc.
-----------
Roland Dobbins
te statements about other technologies which
are in wide use by network operators and which have a proven track
record in the field is probably not the best way to encourage folks to
try FastNetMon.
-----------
Roland Dobbins
-established, widely-used technologies which have demonstrable track
records within the global operational community.
-----------
Roland Dobbins
these allow one to get up and running quickly, and to gain
valuable operational experience with which to evaluate more
sophisticated tools, if they're needed.
---
Roland Dobbins
On 21 Nov 2014, at 12:08, Paul S. wrote:
> WANguard from andrisoft has worked well on this for us.
I believe the thread was focusing on open-source tools.
---
Roland Dobbins
ope that such a potentially useful tool as
FastNetMon isn't tarnished in the view of those who have read this
thread due to such uninformed, erroneous misadvocacy.
---
Roland Dobbins
On 2 Dec 2014, at 17:18, Pavel Odintsov wrote:
In near future I will add netflow v5 support.
Good job - you should really go for NetFlow v9 when you can, as it
supports IPv6 and MPLS labels.
Next would be IPFIX.
---
Roland Dobbins
ation.
Roland Dobbins
ropaganda in the above-linked .pdf preso.]
----------
Roland Dobbins // <http://www.arbornetworks.com>
Equo ne credite, Teucri.
-- Laocoön
easy to be an Internet supervillain.
-------
Roland Dobbins
aling with DDoS attacks for a couple of decades,
now. If it were a simple problem, we would've solved it long ago.
Here's a hint: scale alone makes any problem literally orders of
magnitude more difficult than any given instance thereof.
-------
Roland Dobbins
hat we're doing.
-------
Roland Dobbins
which are beyond their control.
As you yourself know, through hard-won experience.
;>
-------
Roland Dobbins
case.
S/RTBH and/or flowspec are better (S/RTBH does D/RTBH, too).
-------
Roland Dobbins
heir whole network gets blocked a /32 at a
time. *shrugs* Their loss.
Again, it isn't that simple.
---
Roland Dobbins
On 11 Jan 2015, at 22:07, Job Snijders wrote:
You can also consider adding CHARGEN and SSDP.
People run all sorts of strange things on arbitrary ports - like VPNs,
for example. It isn't that simple.
---
Roland Dobbins
and the end.
-------
Roland Dobbins
On 11 Jan 2015, at 23:09, valdis.kletni...@vt.edu wrote:
> Sounds like RFC1925, section 4 should be top of the list?
Indeed - as well as section 8.
;>
---
Roland Dobbins
providers utilizing Juniper aggregation edge routers could do it
now - why they don't, I don't know.
And now Cisco are now supporting flowspec on some of their platforms, as
well.
-------
Roland Dobbins
On 12 Jan 2015, at 3:28, Colin Johnston wrote:
> ips rules and active web source ip monitoring works well
Until it doesn't:
<https://app.box.com/s/a3oqqlgwe15j8svojvzl>
-------
Roland Dobbins
with DDoS attacks. All it takes is the
willingness to devote a bit of time to educating oneself.
-------
Roland Dobbins
need to invest the time to learn from the experiences of
others, so that we can then make our own contributions starting from a
firm foundation.
-------
Roland Dobbins
7ce58f8gg>
---
Roland Dobbins
done!
;>
---
Roland Dobbins
On 2 Feb 2015, at 19:53, Michael Hallgren wrote:
> Real life limitations?
<https://app.box.com/s/a3oqqlgwe15j8svojvzl>
-------
Roland Dobbins
On 5 Feb 2015, at 13:51, Michael Hallgren wrote:
> So, need another inspection strategy I think.
The real question is, why 'inspect', at all?
-------
Roland Dobbins
omise.
---
Roland Dobbins
'protected' by these devices,
militates against your proposition.
---
Roland Dobbins
On 6 Feb 2015, at 0:38, Raymond Burkholder wrote:
> There must some sort of value in that?
No - patch the servers.
---
Roland Dobbins
erse proxies, on-box systems like ModSecurity,
et. al.); or take them offline.
-------
Roland Dobbins
tely, such people are relatively rare, even within the
self-selected ranks of network operators - as several posts on this
thread clearly demonstrate.
---
Roland Dobbins
ght - especially if such a person spent a not-inconsiderable
amount of time working for the world's largest manufacturer of such
devices, and heard no such plausible anecdote during his time there,
even though he asked repeatedly for same.
---
Roland Dobbins
that they don't make your
network
less secure via DDoS susceptibility, or reduce availability due to
non-existent or subpar redundancy/survivability engineering, then you
shouldn't deploy IPS's.
By their very nature, it's impossible to do so.
-----------
Roland Dobbins
others of an operational nature; if you
believe it wise to discount the well-understood negative impact of such
devices on availability, that is your choice.
-------
Roland Dobbins
whitelist certain things which ought never to be S/RTBHed
via appropriate route filtering on the trigger and/or edge devices where
traffic will be dropped.
-----------
Roland Dobbins
On 6 Feb 2015, at 21:27, Darden, Patrick wrote:
I understand the whole argument against state, and dismiss it.
One can 'dismiss' the speed of light in a vacuum or the Planck constant,
but that doesn't exempt one from their constraints.
-------
Roland Dobbins
nd at
6kpps - yes, 6kpps - of HOIC.
And so on, and so forth.
'Dismiss' it all you like, but it's a real issue, as others on this list
know from bitter experience.
---
Roland Dobbins
- stateless ACLs for
policy enforcement, S/RTBH, flowspec, IDMS, and so forth.'
from p.28 of the presentation in question:
'Reverse-proxy farms must be protected from DDoS via S/RTBH, flowspec,
IDMS, et. al.'
-------
Roland Dobbins
ready have an OOB/DCN network for managing your
routers/switches/hosts, no? Use that, after ensuring its scaled
adequately.
---
Roland Dobbins
On 1 Sep 2015, at 22:39, Mark Tinka wrote:
> Have been doing so for years, no major drama.
Until there is.
;>
---
Roland Dobbins
thread.
---
Roland Dobbins
;s what flow telemetry is) should be segregated from
the production network data plane.
-----------
Roland Dobbins
y. And then you'll understand.
-------
Roland Dobbins
On 2 Sep 2015, at 0:32, Shane Ronan wrote:
So in your world, the money always exists for a separate flow
telemetry network?
It should've already been spent for an OOB/DCN network, which should've
been provisioned with flow telemetry in mind.
----
On 2 Sep 2015, at 2:47, Tarko Tikan wrote:
In-band netflow works on all platforms without such issues.
There's no law that says that you must only plug designated management
ports into OOB/DCN management networks.
---
Roland Dobbins
Which is utter nonsense, of course, since Cisco a) invented flow
telemetry and b) has been the consistent leader in innovating flow
telemetry (FNF, IPFIX, anyone?). The EARL6/EARL7 problems are the only
stumbles Cisco has made in this regard.
-------
Roland Dobbins
ing so.
---
Roland Dobbins
e of redundancy.
Since, it's like, *what you use to control your entire network*.
Underinvesting in management capabilities and capacities has always been
a problem, of course. Some organizations just won't learn until they've
gone through a disaster or three.
-----------
Roland Dobbins
telemetry from many,
many vendors/platforms, and I can confidently assert that Cisco are
nowhere near the bottom of the heap when it comes to the verisimilitude
and functionality of their flow telemetry export. Quite the opposite
-------
Roland Dobbins
;re underprovisioned
for flow telemetry.
Which is why using VLANs, VRFs, whatever on the production network gear
is completely understandable, and a lot of folks do just as you say.
-----------
Roland Dobbins
porting it, do
distributed analysis (depending upon what tools they're using for
collection/analysis), and then the analysis results are what's
long-hauled - and this is much less than the raw flow telemetry volume.
-------
Roland Dobbins
it
causes.
-------
Roland Dobbins
n't support serial console at all, which is highly
annoying).
---
Roland Dobbins
es in a given DDoS attack. My response
was that there is no 'typical'; and that for IPv4, the theoretical
potential is 2^32 sources, while in IPv6, the theoretical potential is
for 2^128 sources.
It was a light-bulb moment.
;>
---
Roland Dobbins
sults except for the lowest of bitrates.
Concur 100%. I spend a non-trivial amount of time talking folks down
from the assumption that unnecessarily-low flow sampling ratios are
required (these are mainly 'security' folks, not network engineers).
-----------
Roland Dobbins
On 2 Sep 2015, at 7:27, Avi Freedman wrote:
We see well under 20% doing logical separation but definitely folks
doing it...
~20% matches our subjective observations, as well.
We're doing our best to increase that number.
---
Roland Dobbins
topology
(e.g., not just within the IDC) is going to lead to more separation of
management-plane traffic from customer data-plane traffic, as the
implications sink in.
---
Roland Dobbins
On 2 Sep 2015, at 13:02, Mark Tinka wrote:
Not very straight forward when you have a network spanning several
continents.
Again, VLANs/VRFs are generally Good Enough, and more than a few
globe-spanning networks do just that.
---
Roland Dobbins
even. The key is that
traffic between the elements of those types of deployments *must* not be
disrupted; true OOB is preferred, but VLAN/VRF is still the norm, there.
-------
Roland Dobbins
o be able to do just that.
-------
Roland Dobbins
e, was that the OoB network is physically
separate from the routers it is supporting. This is less feasible at
scale.
Ideally, it should be - that's what I was trying to get across. I
understand that this isn't free, either from a capex or opex
perspective.
-----------
Roland Dobbins
e example, yes.
You don't want flow exports there, to give just one counterexample to
your earlier assertions.
On that particular category of OOB, of course not.
-----------
Roland Dobbins
101 - 200 of 437 matches
Mail list logo
