ng it physically
separately is best.
---
Roland Dobbins
budgets,
ASIC resources, LC-CPU resources, etc. are held in common in such
scenarios.
---
Roland Dobbins
it's running on (at least some
of) the same hardware. It isn't as good as true physical separation,
but there's no sense in making the perfect the enemy of the merely good.
---
Roland Dobbins
minimally. Progress is being made in this arena, but as you
indicate, it's unevenly distributed.
---
Roland Dobbins
On 2 Sep 2015, at 23:29, Serge Vautour wrote:
> I assume if someone has the ability to do so, you've got bigger problems.
This is the key, IMHO.
---
Roland Dobbins
for it).
---
Roland Dobbins
download message on
demand, only download attachments on demand, etc.
---
Roland Dobbins
round!
---
Roland Dobbins
.
---
Roland Dobbins
raffic to/from router interfaces would
potentially pick that up, as well.
-------
Roland Dobbins
to get this sort of thing instituted on one's upstreams.
---
Roland Dobbins
which has gone down under the onslaught.
And so forth.
-----------
Roland Dobbins
r flow telemetry analysis.
-----------
Roland Dobbins
On 25 Sep 2015, at 5:58, Ian Clark wrote:
Any advice would be awesome!
There is no inherent correlation between IP addressing and geopolitical
boundaries.
---
Roland Dobbins
On 25 Sep 2015, at 7:47, William Herrin wrote:
> Maxmind does not concur.
<https://news.ycombinator.com/item?id=7888280>
-------
Roland Dobbins
On 25 Sep 2015, at 8:02, Eric Tykwinski wrote:
Why ask, I guess it worked in the past?
Because folks need to obviate 'GeoIP' filtering so that their
services/content can be accessed.
-------
Roland Dobbins
On 25 Sep 2015, at 14:22, Fred Hollis wrote:
See big telcos announcing /12s and having these IPs spread all over
the country.
All over the *world*.
-------
Roland Dobbins
On 25 Sep 2015, at 23:44, valdis.kletni...@vt.edu wrote:
Which is why Akamai (and any other *sane* CDN) make their decisions
based on network topology, not physical location
+1
---
Roland Dobbins
On 30 Sep 2015, at 10:17, Mike Hammett wrote:
If NANOG isn't developing and publishing BCOPs, what's the point of
NANOG other than a mailing list?
<https://en.wikipedia.org/wiki/North_American_Network_Operators'_Group>
-----------
Roland Dobbins
understand that the problem
space exists is The Problem, writ large.
-------
Roland Dobbins
people's money.
;>
-------
Roland Dobbins
I'd inadvertently failed to upload the final revision of the DD4BC
presentation file from NANOG 65 - please find the updated .pdf file
here, apologies for my confusion:
<https://app.box.com/s/2kpbqfdl1ko3qhfhe4y8ekd1rvj24vfd>
-------
Roland Dobbins
On 14 Nov 2015, at 3:01, John Levine wrote:
> Civilians definitely use these.
A very tiny percentage. The power of the default reigns supreme.
---
Roland Dobbins
On 14 Nov 2015, at 5:22, David Conrad wrote:
Thank you. I was wondering if anyone would mention this.
+1. This is done in some countries which are heavy-handed with Internet
censorship.
---
Roland Dobbins
this list are not representative of the
global user base.
---
Roland Dobbins
On 14 Nov 2015, at 10:02, John Levine wrote:
> People in New Zealand said differently.
This is a corner-case, however.
---
Roland Dobbins
selection of random passers-by if they
know what a VPN is, if they know how to install one, if they've
installed one.
-------
Roland Dobbins
rs have no idea how computers actually work. They
certainly don't know what a VPN is, or how (or why) to set one up. This
state of affairs will continue until VPN technology becomes subsumed
into applications and is enabled as a default, if it ever does.
-------
Roland Dobbins
On 14 Nov 2015, at 13:38, Royce Williams wrote:
> They don't have to know what a VPN is in order to use it -- and to pass
> it on to their friends.
That's still a very small proportion of the user base.
-------
Roland Dobbins
izable minority.
-------
Roland Dobbins
e in the
first place.
I'm wondering if perhaps major OS vendors/developers may start
offering/OEMing VPN services, or at least distributing profiles in the
same way as browser vendors/developers distribute CA certs?
-------
Roland Dobbins
isn't a simple default.
If it ever becomes a simple default, we'll start to see greater
adoption. And probably not in the form of 'tunneling-everything' VPNs,
but 'application VPNs' which automagically utilize SSL/TLS
-----------
Roland Dobbins
, the other concern is that governments which don't already
interfere with VPNs will outlaw VPNs in the name of 'national security'.
Answering my own question, the OS/device vendors won't get into the
VPN business due to this issue.
---
Roland Dobbins
they might need one, and aren't especially adept at installing
applications, even from 'apps stores'.
-----------
Roland Dobbins
or the sake of discussion that it's reasonably
accurate.
Do you believe that percentage is going to significantly increase over
time?
-------
Roland Dobbins
TM.
Again, as compared to 3.2 billion.
Most of those users probably don't know what "encryption" is. But
they're using it.
Sure, via http/s. But VPNs used in the sense of this discussion tend to
imply topological masking, as well.
---
Roland Dobbins
making applications and data and services available to people, and
keeping them that way.
-----------
Roland Dobbins
On 15 Nov 2015, at 9:00, Sean Hunter wrote:
While in China recently, I noticed that my Project Fi phone was
accessing Google.
Accessing, or attempting to access?
Were you using a local SIM card, or roaming w/data? What about WiFi?
---
Roland Dobbins
On 15 Nov 2015, at 11:02, Yury Shefer wrote:
The phone uses roaming data to access Google and your phone gets IP
assigned by your home mobile network packet gateway (P-GW).
This is what I thought, as well - thanks for confirming!
---
Roland Dobbins
On 14 Nov 2015, at 14:32, Jaap Akkerhuis wrote:
> There is now a push to forbid the sales of these thingies.
A push to forbid the sale of Raspberry Pis, of VPNs, or of both?
Where?
Thanks!
---
Roland Dobbins
On 18 Nov 2015, at 17:06, Randy Bush wrote:
> we need a name for 7007 other than vinnie
Mis-distribution?
---
Roland Dobbins
On 18 Nov 2015, at 21:40, William Herrin wrote:
> Creating jargon down in the weeds, though, that's a bad thing.
'AS 7007' is jargon to those unaware of the history and context.
-----------
Roland Dobbins
ed out'
by programmatically-generated attack traffic).
The real solution to this entire problem set is source-address
validation, as you indicate. Until the happy day when we've achieved
universal source-address validation arrives, various combinations of the
above.
-----------
Roland Dobbins
On 2 Dec 2015, at 0:14, Roland Dobbins wrote:
Until the happy day when we've achieved universal source-address
validation arrives, various combinations of the above.
I forgot to mention RRL on authoritative servers, apologies.
---
Roland Dobbins
ontact me 1:1 and I'll work to hook you up with the right
folks.
---
Roland Dobbins
On 3 Dec 2015, at 22:26, Nick Hilliard wrote:
> If you believe that someone who issues a ransom threat will stop if you pay
> them off, you're smoking crack.
+1
These attacks aren't rocket-science to defend against.
OP, ping me 1:1.
-------
Roland Dobbins
On 3 Dec 2015, at 22:04, Josh Reynolds wrote:
> None of those names you just mentioned have made the international news.
Of course they have.
---
Roland Dobbins
On 4 Dec 2015, at 2:38, Dovid Bender wrote:
> The last I spoke with NTT they said the largest they ever saw was > 300GB
That wasn't DD4BC or Armada Collective.
-------
Roland Dobbins
pe.
Start with the BCPs, then move to the macroanalytical. Only dip into
the microanalytical when required, and even then, do so very
selectively.
-------
Roland Dobbins
DDoS attacks, FYI.
---
Roland Dobbins
On 7 Dec 2015, at 13:41, Laurent Dumont wrote:
> I appreciate any input on the matter!
1. cisco-nsp is a better list for this type of question.
2. The ASR9K is an edge router, not an access switch.
3. Why not just ask Cisco, for starters?
---
Rol
tuationally-specific.
-------
Roland Dobbins
<https://app.box.com/s/776tkb82634ewvzvp26nnout6v4ij39q>
<https://app.box.com/s/r7an1moswtc7ce58f8gg>
-----------
Roland Dobbins
some preemptive ACLs so that you
aren't forced into completing the DDoS.
---
Roland Dobbins
On 13 Dec 2015, at 0:23, Jim Shankland wrote:
Am I missing something, or is an even distribution of originating IP
addresses virtually impossible *without* using spoofing?
If his remarks were reported correctly, they are incorrect.
---
Roland Dobbins
x, or . . . ?
---
Roland Dobbins
On 29 Jan 2016, at 0:05, Crane, Todd wrote:
> Imagine the issues if EoL'ed and EoS'ed those iPads.
Um, I think they are . . .
-------
Roland Dobbins
he DNS
changes.
-------
Roland Dobbins
, apart from the immediate upstream.
-------
Roland Dobbins
ly emanate from
broadband access networks due to abusable CPE. Others, as well, of
course, but those are generally the most prevalent.
-------
Roland Dobbins
ckets *destined* for
UDP/53 on broadband access networks, not *sourced from*.
---
Roland Dobbins
esponsible.
-------
Roland Dobbins
fiers (which is
often the case).
And even that small tenth of a percent who're deliberately running their
own DNS servers can end up inadvertently causing disruption if they're
running those DNS servers as open recursors.
-----------
Roland Dobbins
s://app.box.com/s/r7an1moswtc7ce58f8gg>
-------
Roland Dobbins
running out-of-date software that is abusable in multiple
ways.
---
Roland Dobbins
ew up.
Also, see this article:
<http://arstechnica.com/security/2016/02/asus-lawsuit-puts-entire-industry-on-notice-over-shoddy-router-security/>
and this .pdf preso:
<https://app.box.com/s/rblnddlhda44giwfa8hy>
-----------
Roland Dobbins
nnection.
Caveat emptor.
-----------
Roland Dobbins
what's being
discussed in this thread.
It's a different story for transit operators.
-------
Roland Dobbins
On 27 Feb 2016, at 4:03, John Levine wrote:
A certain number of us work from home and connect to headquarters with
a VPN, and have SIP phones, you know.
Not typically via/requiring the protocols you mentioned.
---
Roland Dobbins
On 27 Feb 2016, at 7:23, John Levine wrote:
The VoIP phones sure use SIP.
True, but how prevalent are 'bare' SIP phones vs. VoIP systems utilized
by remote workers via VPNs?
-------
Roland Dobbins
On 27 Feb 2016, at 7:59, John Levine wrote:
I think that most if not all of the consumer over the top VoIP phones
like Vonage use SIP.
That's true. One would hope that they're not globally reachable,
however.
-------
Roland Dobbins
On 27 Feb 2016, at 8:06, Keith Medcalf wrote:
Consumer Narrowband Access Networks use these protocols all the time.
Most broadband access customers do not actively use these protocols,
themselves, with the partial exception of SIP.
---
Roland Dobbins
't support 1:1.
-------
Roland Dobbins
acket, anyways.
---
Roland Dobbins
incorrect, and reflects an inaccurate understanding of how
NetFlow/IPFIX actually works, in practice. It's often repeated by those
with little or no operational experience with NetFlow/IPFIX.
---
Roland Dobbins
pes of DDoS attacks
utilizing NetFlow implementations (with the exceptions of crippled
implementations like the aforementioned EARL6/EARL7 and pre-Sup7 Cisco
4500) are simply untrue.
-----------
Roland Dobbins
ation about traffic via FNF or IPFIX EE
mechanisms isn't desirable. But you are simply wrong about the utility
of NetFlow and/or IPFIX with classical flow templates.
I really like to hear feedback about my vision.
See above.
---
Roland Dobbins
grow wearisome. I
will not reply any further to this thread, so as to avoid further
spamming the list.
---
Roland Dobbins
rvers just lying around in random rooms, and that
those rooms are de facto government data centers, whether those who're
responsible for said rooms/servers know it or not . . .
-------
Roland Dobbins
On 13 Mar 2016, at 3:03, George Herbert wrote:
> It's a symptom of trying to save a few cents at the risk of dollars.
Concur 100%.
Not to mention the related security issues.
---
Roland Dobbins
regate at the target will be relatively high.
Another very real possibility is that the person or thing which sent you
the abuse email doesn't know what he's/it's talking about.
;>
-------
Roland Dobbins
tworks.
---
Roland Dobbins
On 18 Mar 2015, at 9:13, Roland Dobbins wrote:
Also, asking your upstreams/peers to block traffic sourced from this
IP to your netblock(s) on their networks.
It would also be a good idea to ensure that your systems which are being
targeted aren't themselves compromised, and being us
same, if necessary.
Even if that's not the case, that's how DDoS attacks are routinely and
cooperatively mitigated between providers, when it's possible to block
based on source, number of sources isn't overwhelming, etc.
-----------
Roland Dobbins
S
provider against hosts belonging to another customer of the same
provider, for example; we've even seen the same server compromised by
two different groups of miscreants attacked by both groups of
miscreants, in this context.
---
Roland Dobbins
n one form or
another to end-customers who request same.
-------
Roland Dobbins
via S/RTBH and/or flowspec).
---
Roland Dobbins
On 18 Mar 2015, at 17:00, Roland Dobbins wrote:
This is not an optimal approach, and most providers are unlikely to
engage in such behavior due to its potential negative impact (I'm
assuming you mean via S/RTBH and/or flowspec).
Here's one counterexample:
<https://ri
abled? Or some kind of content filtering capability which amounts
to the same thing?
---
Roland Dobbins
On 5 May 2015, at 17:27, Ramy Hashish wrote:
Assume two ASs connected through two tier 1 networks, will the tier
one networks trust any DSCP markings done from an AS to the other?
The BCP is to re-color on ingress.
---
Roland Dobbins
On 6 May 2015, at 8:22, Joel Mulkey wrote:
> But don't trust that's going to be the rule.
Yes, that's always the caveat.
Just do what you can within your own span of administrative control.
-----------
Roland Dobbins
.
---
Roland Dobbins
e.facebook.com/posts/360346274145943/introducing-data-center-fabric-the-next-generation-facebook-data-center-network/>
-----------
Roland Dobbins
>
<https://app.box.com/s/4h2l6f4m8is6jnwk28cg>
-------
Roland Dobbins
On 24 May 2015, at 3:14, Scott Weeks wrote:
Those that care (NANOG type folks) already have deployed it and those
that don't care have not and will not.
Concur 100%.
<https://app.box.com/s/r7an1moswtc7ce58f8gg>
-------
Roland Dobbins
TNI_Info_Sheet_01-04-2015.pdf>
-------
Roland Dobbins
of my customer . . . ].
It's customers all the way down.
<http://en.wikipedia.org/wiki/Turtles_all_the_way_down#History>
;>
-----------
Roland Dobbins
On 25 May 2015, at 20:31, Steve via NANOG wrote:
Application layer DDoS attacks, in most (all?) cases require a valid
TCP/IP connection
DNS query-floods are a notable exception.
---
Roland Dobbins
attacks, but isn't intended to handle non-spoofed query-floods (hence
S/RTBH, flowspec, IDMS, et al.) like the particular ANY query-flood
directed at your auths.
---
Roland Dobbins
es offer a market-based solution.
I know Bill Woodcock has some experience in this general arena.
-------
Roland Dobbins