Re: Network Performance Testing Equipment

2004-06-18 Thread Jason Dixon
On Jun 18, 2004, at 5:50 PM, Jonathan Slivko wrote:
> Hmmm. Netperf usually does the trick for network load testing. At
> least that's what we use at work :)
> -- Jonathan
On a related note, are there any test suites that measure the 
success/failure rate of TCP connections while measuring throughput?  
For example, pushing 10k TCP sessions and measuring time to complete 
_and_ success rate?  Normally, the httpd benchmark stuff would suffice, 
but it would be ideal to avoid any end-application latency and ensure 
that you're testing the quality of the device (firewall) in between.

--
Jason Dixon, RHCE
DixonGroup Consulting
http://www.dixongroup.net



Re: What HTTP exploit?

2004-05-31 Thread Jason Dixon
On May 31, 2004, at 12:45 PM, Bob Martin wrote:
> The real irony is that it doesn't bother Apache running on NT :)
> In all fairness, somewhere along the line there was a patch for this.
> All my Apache servers do is put "request failed: URI too long" in the
> error log. Even without the fix it really wasn't anything more than a
> nuisance. Killing off one child process had no effect on valid
> sessions or the parent process.
This also has no effect on Apache 1.3.28 on OpenBSD 3.4 (-stable), 
other than logging an extremely long request string.  Of course, the 
OpenBSD folks audit/patch their own version of Apache, so it might have 
the patch you mention.

--
Jason Dixon, RHCE
DixonGroup Consulting
http://www.dixongroup.net



Re: Ad blocking with squid

2004-04-19 Thread Jason Dixon
On Apr 19, 2004, at 4:33 PM, Paul Khavkine wrote:

> Anyone doing ad blocking with Squid cache engine out there ?
> I'm not sure if this is a kosher question for nanog, but what the hell.

Personally, I've been very pleased with Privoxy, especially if you
don't want or need to install a full-blown proxy like Squid.

--
Jason Dixon, RHCE
DixonGroup Consulting
http://www.dixongroup.net



Re: Anti-Spam Router -- opinions?

2004-04-05 Thread Jason Dixon
On Apr 5, 2004, at 10:49 AM, Andy Johnson wrote:

> Has anyone had any experience with this device? Turntide.com. Looks
> like a traffic-shaping device designed specifically for cutting down
> spammers' throughput to your inbound SMTP servers. My main concern is,
> how does it make the distinction between legitimate mass-mailings
> (e.g.: mailing lists such as this one), and spam? Interesting approach
> to killing spam though I must say.

You might want to consider an inexpensive mail relay running OpenBSD's 
spamd (not to be confused with SpamAssassin's spamd) in conjunction 
with PF.  Spamd is really nice for hurting spammers and/or relays where 
it can... in their spool.  Granted, it's based on address lists like 
spamhaus or spews, but it's better than content filtering in one very 
important way... bandwidth savings.  With content filtering, the 
payload is already at your doorstep.

http://www.openbsd.org/cgi-bin/man.cgi?query=spamd
http://www.benzedrine.cx/relaydb.html
--
Jason Dixon, RHCE
DixonGroup Consulting
http://www.dixongroup.net
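Added example, not from the post or from OpenBSD's own documentation: a pf.conf fragment that puts spamd in front of the MTA the way the post describes. It assumes current OpenBSD pf syntax (the 2004-era `rdr` syntax differs), the uplink interface in the `egress` group, spamd on its default 127.0.0.1 port 8025, and a trusted-hosts file named /etc/mail/nospamd as in the spamd(8) example.

```conf
# /etc/pf.conf fragment for a spamd front end (added example; assumes current
# OpenBSD pf syntax, the uplink interface in the "egress" group, and spamd
# listening on 127.0.0.1 port 8025, its default).

# <spamd> holds the blacklist addresses that spamd-setup(8) loads from the
# lists named in /etc/mail/spamd.conf (spamhaus and friends); <spamd-white>
# is filled by spamd itself with hosts that have completed greylisting.
table <spamd> persist
table <spamd-white> persist
# Senders you trust unconditionally (mailing list hosts, secondary MXs) so
# they are never stuttered. File name follows the spamd(8) example.
table <nospamd> persist file "/etc/mail/nospamd"

# Rule order matters: pf uses the LAST matching rule, so the catch-all
# redirect comes first and the exceptions that bypass spamd come last.

# Unknown and blacklisted senders are handed to spamd, which answers one
# byte at a time and never accepts DATA, so the message body never crosses
# the uplink. That is where the bandwidth saving over content filtering
# comes from: the payload is rejected before it is transferred.
pass in on egress proto tcp from any to any port 25 \
    rdr-to 127.0.0.1 port 8025

# Trusted hosts and hosts that passed greylisting reach the real MTA.
pass in on egress proto tcp from <nospamd> to any port 25
pass in log on egress proto tcp from <spamd-white> to any port 25

# Outbound mail from this relay.
pass out on egress proto tcp to any port 25

# Blacklist-only mode (spamd -b), the list-driven setup the post describes:
# replace "from any" in the redirect with "from <spamd>" and drop the
# <spamd-white> rule; only listed sources are then ever tarpitted.
```

Load the file with `pfctl -f /etc/pf.conf` and let `spamd-setup` run from cron so the tables track the upstream lists.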



Re: Alternative Satellite news feed needed

2003-10-02 Thread Jason Dixon

On Thu, 2003-10-02 at 15:55, Adam Maloney wrote:
> > It was extremely nice to take the NNTP load off of our upstream links when
> > we first set it up. As I understood it, they were not doing well on binary
> > feeds towards the end there though.
> 
> I think they ended up filtering posts over a certain length over a year
> ago (?).  They were approaching 45-50MBit/s, and when they implemented
> that filter they cut it back to about 30.  Not exactly a full feed, but
> how much porn do you actually need? :)

I don't want to start speculating on certain issues, but I worked there
between 4/00 and 4/01 as one of the engineers responsible for
maintaining the uplink servers and other satellite doohickeys, so I can
speak factually on certain events and paths we went down.  Although Mike
Donovan or Lisa Peoples would be able to explain much of this better
than yours truly, I'll give it my best shot (as I remember it).

As the Internet grew, NNTP traffic grew exponentially.  Binary
attachments were the bane of our existence, but... so long as we had the
transponder throughput to accommodate our recipe of HTTP/NNTP/AV/etc, we
avoided filtering as long as technically feasible.  Unfortunately, it
quickly became obvious that while NNTP was what was paying the bills
(hypothetically... since too many ISPs were apparently too damn cheap
to pay their bills), it was also choking the 45MB we could fit through
the transponder.

At one point in time, we were trying to push 250-260Gb/day across the
transponder (roughly 22-30Mbps peak, IIRC).  This left very little for
our other "products".  When it started to smother the rest, we were
forced to start filtering on incomplete multi-part binaries.  Some of
our clients started bitching (some did from the beginning), as they
would miss the occasional multi-part binary and blame Cidera.  This was
*not* any fault of ours, as we would push out everything we had.  As a
usenet peer, we were victim to incompletes just like anyone else (even
with our excellent range of peer sources... thanks to M.D.).  The only
other type of "filtering" that might have occurred was throttling on the
uplink.

I have no doubt that things had changed drastically since the day I was
laid off in April '01 (coincidentally, the day our SysEng staff went
from 2 to 1).  NNTP continued to increase, and likely always will. 
Folks like Donovan, Peoples, McGuire, Krokes, Humphrey and the rest did
their damnedest to provide a kick-ass product at a fraction of the cost
of conventional terrestrial lines.  I miss that place and the work we
did with a serious passion.  It was just one of those ideas and
opportunities that don't come across very often, and I was damn lucky
to be considered a [very] small part of it.  *sigh*

Cheers to the happy fun ball.

-- 
Jason Dixon
Former Systems Engineer
Cidera, Inc.



Re: Paypal off-the-air?

2003-08-29 Thread Jason Dixon

On Fri, 2003-08-29 at 09:45, John Ferriby wrote:
> It seems that PayPal is off-the-air.   We're seeing all connections die via
> uunet and sprint routes.   Anyone know what's going on?

I recall they were going offline from 12:30am to 3:00am Pacific Time for
maintenance.  I'm not seeing any problems with the site right now, from
the east coast.  Traceroutes time out in San Jose AlterNet (starting on
EC), but http works fine.


-- 
Jason Dixon, RHCE
DixonGroup Consulting
http://www.dixongroup.net



Re: Server Redundancy

2003-08-14 Thread Jason Dixon

On Wed, 2003-08-06 at 13:39, Allan Liska wrote:
> On 6 Aug 2003, Jason Greenberg wrote:
> > 
> > Can I have some suggestions on how to load balance servers that are on
> > separate IP blocks?  Is there any way to perform translation at this
> > level?  Exclude DNS based balancing please...
> > 
> 
> Take a look at Nortel's Alteon product line, Cisco's CSS product line, or 
> F5's BigIP Product Line.  All of which have Global Server Load Balancing 
> capability.  The GSLB can be done a number of different ways on these 
> boxes including stupid DNS tricks (not your typical round robin stuff, but 
> still DNS) and using a BGP configuration.

I second this suggestion.  I worked briefly at F5 Networks in 2001 and
was responsible for supporting Big-IP and 3DNS.  Both are very nice
products, but NOT cheap.

-J.



Re: Learning more about authentication and passwords

2003-07-29 Thread Jason Dixon

On Tue, 2003-07-29 at 09:37, Dave Israel wrote:
> On 7/29/2003 at 04:37:01 -0400, Sean Donelan said:
> > 
> > If you would like to learn more about the strengths and weaknesses
> > of various authentication methods, I highly recommend the book
> > 
> > Authentication: From Passwords to Public Keys
> > by Richard E. Smith ISBN: 0201615991
> > 
> 
> I'll add:
> 
> Network Security: Private Communication in a Public World
> by Charlie Kaufman, Radia Perlman, Mike Speciner, Charles Kaufman 
> Prentice Hall PTR
> ISBN: 0130460192 
> 
> I have not read the 2nd Edition, but the 1st was excellent.

I *have* read the 2nd Edition, and highly recommend it.  Hi Dave.  :)

-J.