RE: The market must be coming back
Chance:

>> that want 4 X 10 GbE on each module (8 slot chassis). I expect this will be a perfect 40G throughput since I've never seen us do anything less than perfect (been working here since August).
>
> Oh phuleeese Stop drinking your own Kool-Aid(tm). To honestly suggest that Foundry, or any other vendor for that matter, never does 'anything less than perfect' is nothing less than idiotic. If Foundry does things so 'perfect' why do they have a TAC? Why do they have bugs? Why do they even need to release new software ever again? Obviously what is out now will solve every possible issue - it's 'perfect' right? The only possible answer according to your logic, is to support customers who are 'doing it wrong' and need to be educated.

Topic is performance. Not sugary beverages. Sorry for not making that clear. Let me reword. My bad: perfect performance on 10GbE. I believe I also mentioned our 8G per slot throughput limitation so as not to mislead people into thinking we do 10GbE non-blocking. Same limitation as the Cat6500 once it gets up to speed.

> Go find the nice black shirts that were passed out at Foundry's last Kool-Aid fest. You are in obvious need of one. This is NOT the place to post vendor FUD. All you are doing is making Foundry look bad, and making yourself look even worse.

Didn't you pass out those shirts? Everything I posted concerning performance of 10GbE I saw for myself. All other information was publicly available and concerns operators interested in 10GbE. Many of them are unaware of their options and I wanted to bring Foundry to light. Reading NANOG you would think that the only way to spot Nimda would be NBAR and the only MPLS is Juniper.

The post I replied to is a person considering 10GbE in a 6500. I've seen the performance on this at a customer site with SmartBits. The channel became a Foundry reseller because of this specific issue. Now the same configuration comes up on NANOG and I wanted the person thinking about the 6500/10GbE solution to be aware of what I saw. Perhaps the performance is faster than 4G today (my info is a month old). If I were to leave Foundry today (to make them look better) and work for another company (McDonalds?), I would have sent the same post (would you like fries with that?). You can't forget what you see. I have tested our 10GbE personally.

Gary
RE: Cisco 7200 VXR with NPE-400 (was RE: The market must be coming back)
Richard:

> And if^H^Hwhen you run into a really fun issue, don't even think about calling Foundry TAC after hours, all you'll get is someone's house with their screaming kids in the background.

Our TAC is 24/7 and has been 24/7 for years. I work in the Support Center for Japan. We have not gone 24/7 yet, but it is under investigation. Sitting 2 feet from me is a gentleman who has been working with Foundry products since '97. He has called almost every day since then and not once has had the problem you described. I did not mention to him why I was asking these questions and he is honest. Did you call the wrong number?

This looks a bit personal...

Gary
DoS on ftp port
Just wondering if anyone else has seen this happen recently:

https://uni01nf.unity.ncsu.edu/ncsu/usage/io-fps-service-daily.html

We maxed out at about 10,000 flows/sec. I'm currently going back through our argus logs and collecting a list of source hosts (all appear to be spoofed of course). In a 15 minute period we had 4.2 million unique hosts pounding one of our servers.

The only reason I post this is that on some other off-campus machines I maintain, I've seen an increase in ftp connections. So, I was wondering if this is some new worm, ddos, or something of that nature. If anyone would care to comment, I'm all ears.

Brian

--
Brian Wilson [EMAIL PROTECTED]
Network Analyst                    W: 919.513.3472
Communication Technologies         F: 919.513.1893
North Carolina State University    http://www.ncstate.net
Re: DoS on ftp port
On Tue, 21 May 2002, Brian Wilson wrote:

> Just wondering if anyone else has seen this happen recently:
>
> https://uni01nf.unity.ncsu.edu/ncsu/usage/io-fps-service-daily.html
>
> We maxed out at about 10,000 flows/sec. I'm currently going back through our argus logs and collecting a list of source hosts (all appear to be spoofed of course). In a 15 minute period we had 4.2 million unique hosts pounding one of our servers.
>
> The only reason I post this is that on some other off-campus machines I maintain, I've seen an increase in ftp connections. So, I was wondering if this is some new worm, ddos, or something of that nature. If anyone would care to comment, I'm all ears.

Oh, FYI.. This happened between 6 and 7 am EST this morning (5/21/2002). Normal traffic for us at this time is 50Mbps, but at this time it peaked out at about 130Mbps.

Also, and someone referred me to this:

http://www.dshield.org/port_report.php?port=21

Brian

--
Brian Wilson [EMAIL PROTECTED]
Network Analyst                    W: 919.513.3472
Communication Technologies         F: 919.513.1893
North Carolina State University    http://www.ncstate.net
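Brian's approach (pull the source hosts out of the argus flow logs, size the flood, confirm the sources are spoofed) is the kind of first-pass triage that can be scripted. The following is an added example, not Brian's tooling and not argus output: it assumes a constructed, whitespace-separated record format (epoch seconds, protocol, source, destination, destination port; a real `ra` export differs and `parse_record` would need adapting), computes per-second flow counts to port 21 and the unique-source count over the window, and flags sources drawn from address space that can never legitimately appear on an Internet-facing link. That bogon check is a cheap but partial spoofing indicator: forged sources taken from routable space are indistinguishable from real hosts by this test alone. The sample records are constructed.

```python
"""Flow-rate and unique-source triage for a suspected spoofed flood.

Added example. Record format (constructed, not argus):
    <epoch_seconds> <proto> <src_ip> <dst_ip> <dst_port>
"""
import ipaddress
from collections import defaultdict

# Address space that should never be a source on an Internet-facing link.
# A source inside one of these ranges is direct evidence of spoofing.
BOGON_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
)]

SERVER = "192.0.2.10"  # constructed placeholder for the FTP server under attack

# Constructed sample: a couple of ordinary flows, one impossible source, and a
# burst of 300 distinct sources hitting port 21 within a single second.
SAMPLE_FLOWS = (
    [
        f"1021975200 tcp 203.0.113.200 {SERVER} 21",  # normal-looking FTP connection
        f"1021975200 tcp 10.4.4.4 {SERVER} 21",       # RFC1918 source: cannot be genuine
        f"1021975201 tcp 203.0.113.200 {SERVER} 80",  # not FTP, ignored by the filter
    ]
    + [f"1021975201 tcp 203.0.113.{i + 1} {SERVER} 21" for i in range(150)]
    + [f"1021975201 tcp 198.51.100.{i + 1} {SERVER} 21" for i in range(150)]
)


def is_bogon(addr: str) -> bool:
    """True if addr lies in a range that cannot be a legitimate Internet source."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in BOGON_NETS)


def parse_record(line: str):
    """Split one constructed flow record into typed fields."""
    ts, proto, src, dst, dport = line.split()
    return int(ts), proto, src, dst, int(dport)


def analyse(lines, dst_port: int = 21, rate_threshold: int = 100) -> dict:
    """Summarise flows to dst_port: peak flows/sec, unique sources, bogon
    sources, and the seconds whose flow count exceeds rate_threshold."""
    per_second = defaultdict(int)
    sources, bogons = set(), set()
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, _proto, src, _dst, dport = parse_record(line)
        if dport != dst_port:
            continue
        per_second[ts] += 1
        sources.add(src)
        if is_bogon(src):
            bogons.add(src)
    return {
        "peak_fps": max(per_second.values(), default=0),
        "unique_sources": len(sources),
        "bogon_sources": sorted(bogons),
        "hot_seconds": sorted(t for t, n in per_second.items() if n > rate_threshold),
    }


if __name__ == "__main__":
    for key, value in analyse(SAMPLE_FLOWS).items():
        print(f"{key}: {value}")
```

On real data the interesting comparison is unique sources against flows: 4.2 million distinct sources in fifteen minutes against one server is itself the tell, since no genuine FTP population turns over that fast. The bogon list only catches the lazy cases; sources that are routable but silent (no completed handshakes in the same logs) are the next filter to add.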
Re: Cisco 7200 VXR with NPE-400 (was RE: The market must be coming back)
On 2002-05-21-01:12:25, Gary [EMAIL PROTECTED] wrote:

> I used a Cisco 7200 VXR with NPE-400. I used two different 7200's with the exact same results. Bidirectional throughput on 1GbE is a fraction above 10%. Unidirectional is a bit better (23%). Single line ACL drops it to 8% (permit ip any any). FE performance doesn't start to drop below line rate until you put more than two in the box. I have a powerpoint if you'd like it, but it is not meant to slander Cisco, just to convince my customers NOT to put GbE in a 7200! It is not a GbE platform!

Send it over, I'd be interested in how you're conducting these tests. I'm not trying to accuse you of lying or slandering your competitors or anything, but well, those numbers sound a bit funny. Besides, that's really an apples to oranges comparison.

[...]

> My powerpoint compares the 7200 with the FastIron 4802 Premium. It is line rate with less than 7 us latency on the two GbE ports. I tested this myself. I can forward this to you if you like. It is a bunch of SmartApps screen captures of the testing.

Not a meaningful comparison; vastly different architectures and purposes. I'd be more interested in seeing empirical data comparing the FastIron 4802 to... say... a Catalyst 2948G-L3 or Extreme Summit 48i. Maybe a Cat6k/MSFC2 as well, seeing as the pricing is roughly comparable in the used hardware market, even if the density is not.

> I really like the 7200 VXR. It is a good 10M and minimum FE platform. It can switch DS0 on the midplane and it supports a wide array of interfaces!

Sounds reminiscent of the dot.gone wastefulness that killed many companies. :-)

-a
Re: portscans (was Re: Arbor Networks DoS defense product)
In the immortal words of Mitch Halmu ([EMAIL PROTECTED]):

> (Rev. Martin Niemoller, 1945)

Congratulations, Mitch, you have done what many of us would have considered impossible: you have surpassed your own previous high-water mark for tasteless, self-involved bullshit. (Which, for the short-of-memory, was when you used the 9/11 attacks as justification for demanding that MAPS be turned off.)

My dead relatives have nothing to do with your desire to run an open relay with no consequences. Kindly go fuck yourself.

-n

p.s. cc'ed to nanog-request: please consider this to be yet another request to have Mitch removed from this list.

p.p.s. I believe this counts as a Godwin invocation. Thread closed.

--
[EMAIL PROTECTED]          The life of a sysadmin is always intense.
http://blank.org/memory/
Re: DoS on ftp port
Hi, Brian.

] https://uni01nf.unity.ncsu.edu/ncsu/usage/io-fps-service-daily.html

There is a huge increase in FTP scanning as well as the building of warez botnets. The warez scanning is generally for anonymous FTP servers with plentiful bandwidth, copious disk space, and generous write permissions. Yes, the folks behind these activities do test for all three.

The warez botnet scanning is generally for Windows hosts vulnerable to a cornucopia of sploits. These machines are then infected with a bot that will join a warez botnet. These warez bots will then respond to the commands issued in the channel. Some of them even issue helpful messages when you join the warez channel (real log snippet):

  To request a file type: /msg A send FILE

Sadly, some malware is more user friendly than commercial software. :p

The tools to locate the anonymous FTP servers are automated, though they are not worms. The tools to spread the warez bots can have worm-like behaviours.

Now about your flows... It is very possible that you have a server that has been tagged. This server may be part of a distributed wareznet serving up movies, MP3s, malware, pr0n, and other nasties. If the server(s) now part of the warez network have popular things on them, you will take quite a beating on bandwidth. By the way, several of the warez bots are also flooders, e.g. can be used to packet victims.

Thanks,
Rob.
--
Rob Thomas
http://www.cymru.com
ASSERT(coffee != empty);
Re: Cisco 7200 VXR with NPE-400 (was RE: The market must be coming back)
On Tue, May 21, 2002 at 04:55:51PM +0900, Gary wrote:
> Richard:
>
>> And if^H^Hwhen you run into a really fun issue, don't even think about calling Foundry TAC after hours, all you'll get is someone's house with their screaming kids in the background.
>
> Our TAC is 24/7 and has been 24/7 for years. I work in the Support Center for Japan. We have not gone 24/7 yet, but it is under investigation. Sitting 2 feet from me is a gentleman who has been working with Foundry products since '97. He has called almost every day since then and not once has had the problem you described. I did not mention to him why I was asking these questions and he is honest. Did you call the wrong number?
>
> This looks a bit personal...

I didn't say it wasn't 24/7, I just said it rang through to someone's house with their screaming kids in the background on a regular basis. I do know how to operate a telephone, thanks. :)

And it's nothing personal, I have actually been one of Foundry's biggest supporters compared to almost every other engineer I know. Everyone else gave up using them in layer 3 a long time ago.

--
Richard A Steenbergen [EMAIL PROTECTED]       http://www.e-gerbil.net/ras
PGP Key ID: 0x138EA177  (67 29 D7 BC E8 18 3E DA  B2 46 B3 D8 14 36 FE B6)
Re: DoS on ftp port
Rob Thomas wrote:
> There is a huge increase in FTP scanning as well as the building of warez botnets. The warez scanning is generally for anonymous FTP servers with plentiful bandwidth, copious disk space, and generous write permissions.
> ...

One thing I know of that helps here is to make sure you never have a single directory that is both readable and writeable to an anonymous user. In general, restrict writing to users with logins and passwords. If you must have an anonymous-write directory (like an incoming folder), make sure that that directory is not also readable by anonymous users. This probably won't eliminate all the abuse, but it should make it impractical enough that the warez servers will probably start looking elsewhere.

--
David
Re: DoS on ftp port
In addition to David's suggestion, you would also want to ensure that newly created files are umasked unreadable as well. Should the directory be masked unreadable but still executable (which it must be to actually enter it), users could still externally link to the files, even though one could not view them in a directory listing.

[EMAIL PROTECTED] wrote:
> Rob Thomas wrote:
>> There is a huge increase in FTP scanning as well as the building of warez botnets. The warez scanning is generally for anonymous FTP servers with plentiful bandwidth, copious disk space, and generous write permissions.
>> ...
>
> One thing I know of that helps here is to make sure you never have a single directory that is both readable and writeable to an anonymous user. In general, restrict writing to users with logins and passwords. If you must have an anonymous-write directory (like an incoming folder), make sure that that directory is not also readable by anonymous users. This probably won't eliminate all the abuse, but it should make it impractical enough that the warez servers will probably start looking elsewhere.
>
> --
> David
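David's rule (no directory both readable and writable by anonymous) and the follow-up (uploaded files must themselves be unreadable, because a searchable-but-unlistable directory still serves a file to anyone who knows its name) are both checks on permission bits, so they can be audited mechanically. The script below is an added example, not from either post and not tied to any particular FTP daemon: it walks a tree with `os.stat`, reports directories that are world-readable and world-writable, reports world-readable files inside any world-writable directory, and shows the hardened layout on a constructed demo tree (incoming at mode 1733, uploads at 0600). Anonymous FTP maps to "other" permissions here, which is the usual case; the daemon's own upload umask setting, which governs files created after the fix, is outside what a filesystem audit can see and must be checked in the daemon's configuration.

```python
"""Audit an anonymous-FTP tree for the read+write combination that makes a
server attractive as a warez drop, and show the corrected layout.

Added example; assumes a POSIX filesystem and that anonymous FTP users map to
the 'other' permission class."""
import os
import shutil
import stat
import tempfile


def dir_is_anon_dropbox(mode: int) -> bool:
    """A directory that 'other' can both list and write into."""
    return bool(mode & stat.S_IROTH) and bool(mode & stat.S_IWOTH)


def audit_anon_ftp(root: str):
    """Return sorted (finding, relative_path) tuples for the tree under root."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        dmode = os.lstat(dirpath).st_mode
        if dir_is_anon_dropbox(dmode):
            findings.append(("dir-readable-and-writable", os.path.relpath(dirpath, root)))
        if dmode & stat.S_IWOTH:
            # Upload directory: a world-readable file here can be fetched by
            # full path even when the directory itself cannot be listed.
            for name in filenames:
                fpath = os.path.join(dirpath, name)
                if os.lstat(fpath).st_mode & stat.S_IROTH:
                    findings.append(("readable-file-in-upload-dir", os.path.relpath(fpath, root)))
    return sorted(findings)


def harden_incoming(path: str) -> None:
    """Make an upload directory writable and searchable but not listable by
    'other' (rwx-wx-wx plus sticky bit), and make existing uploads owner-only.
    New uploads are governed by the daemon's umask, which this does not set."""
    os.chmod(path, 0o1733)
    for name in os.listdir(path):
        os.chmod(os.path.join(path, name), 0o600)


def build_demo_tree() -> str:
    """Constructed tree: a read-only pub/ and a wide-open incoming/ holding a
    world-readable upload, i.e. the weak setting the thread warns about."""
    root = tempfile.mkdtemp(prefix="ftp-audit-")
    pub = os.path.join(root, "pub")
    os.mkdir(pub)
    os.chmod(pub, 0o755)
    readme = os.path.join(pub, "README")
    with open(readme, "w") as fh:
        fh.write("constructed public file\n")
    os.chmod(readme, 0o644)
    incoming = os.path.join(root, "incoming")
    os.mkdir(incoming)
    os.chmod(incoming, 0o777)          # the weak setting: read + write for anonymous
    dropped = os.path.join(incoming, "dropped.bin")
    with open(dropped, "wb") as fh:
        fh.write(b"constructed upload")
    os.chmod(dropped, 0o644)           # world-readable upload
    return root


def demo_before_after():
    """Audit the demo tree, apply the fix to incoming/, audit again, clean up."""
    root = build_demo_tree()
    try:
        before = audit_anon_ftp(root)
        harden_incoming(os.path.join(root, "incoming"))
        after = audit_anon_ftp(root)
    finally:
        shutil.rmtree(root)
    return before, after


if __name__ == "__main__":
    before, after = demo_before_after()
    print("before:", before)
    print("after: ", after)
```

Run against a live FTP root the audit is read-only; `harden_incoming` is the corrective step and should be applied only to directories that are meant to accept anonymous uploads. Everything else under the anonymous root should simply not be world-writable at all, which the first finding type will surface.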
Re: DoS on ftp port
I saw a similar type of attack at the same time to one of my customers.. not got all the details in yet, odd tho. If anyone knows more will you CC me in case it's related,

Cheers
STeve

On Tue, 21 May 2002, Brian Wilson wrote:
> On Tue, 21 May 2002, Brian Wilson wrote:
>> Just wondering if anyone else has seen this happen recently:
>>
>> https://uni01nf.unity.ncsu.edu/ncsu/usage/io-fps-service-daily.html
>>
>> We maxed out at about 10,000 flows/sec. I'm currently going back through our argus logs and collecting a list of source hosts (all appear to be spoofed of course). In a 15 minute period we had 4.2 million unique hosts pounding one of our servers.
>>
>> The only reason I post this is that on some other off-campus machines I maintain, I've seen an increase in ftp connections. So, I was wondering if this is some new worm, ddos, or something of that nature. If anyone would care to comment, I'm all ears.
>
> Oh, FYI.. This happened between 6 and 7 am EST this morning (5/21/2002). Normal traffic for us at this time is 50Mbps, but at this time it peaked out at about 130Mbps.
>
> Also, and someone referred me to this:
>
> http://www.dshield.org/port_report.php?port=21
>
> Brian
Linux routing
I don't really trust the vmstat system time numbers. Based on some suggestions I received, I ran some CPU intensive benchmarks during different traffic loads, and determined how much system time was being used by comparing the real and user times. The results seem to show that if I want to do 50Mbps full-duplex on 2 ports (200M aggregate) that the standard Linux 2.2.20 routing code won't cut it.

Unloaded Duron 1G

  root@TO-VS ~# time bzip2 /tmp/words
  real    0m0.414s
  user    0m0.400s
  sys     0m0.010s

750Mhz Duron, ~20Mbps traffic, 8K int/sec
vmstat reported CPU idle: 98% (2% system)

  root@tor-router ~# time bzip2 /tmp/words
  real    0m0.628s
  user    0m0.380s
  sys     0m0.160s
  CPU load ~= 40%

  root@tor-router ~# time bzip2 /tmp/words
  real    0m0.552s
  user    0m0.460s
  sys     0m0.090s
  CPU load ~= 16%

750Mhz Duron, ~60Mbps traffic, 20K int/sec
vmstat reported CPU idle: 95% (5% system)

  root@tor-router ~# time bzip2 /tmp/words
  real    0m1.071s
  user    0m0.370s
  sys     0m0.690s
  CPU load ~= 65%

  root@tor-router ~# time bzip2 /tmp/words
  real    0m1.041s
  user    0m0.440s
  sys     0m0.600s
  CPU load ~= 58%
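The measurement method in the post is worth making explicit: run a single-threaded, purely user-space job (bzip2 of a fixed file) and treat any wall-clock time beyond its user time as CPU that went elsewhere, which on a box doing nothing but forwarding is interrupt and softirq work that the kernel's accounting at the time did not attribute to "system". The added example below is not from the post; the transcript strings are the post's own measurements, while the parsing, the `(real - user) / real` arithmetic and the linear extrapolation are mine. The extrapolation assumes forwarding cost scales linearly with throughput, which is optimistic (interrupt rate grows with packets per second), so a result above 1.0 is a firm "won't fit" and a result below 1.0 is not yet a "will fit".

```python
"""Derive CPU stolen by the forwarding path from `time` output of a CPU-bound
benchmark, as described in the post. Added example; transcript strings are the
post's measurements, everything else is mine."""
import re

# bash `time` prints e.g. "real\t0m1.071s"; tolerate missing whitespace too.
TIME_RE = re.compile(r"^(real|user|sys)\s*(\d+)m([\d.]+)s", re.MULTILINE)

IDLE_RUN = """root@TO-VS ~# time bzip2 /tmp/words
real    0m0.414s
user    0m0.400s
sys     0m0.010s
"""

LOADED_60M_RUNS = """root@tor-router ~# time bzip2 /tmp/words
real    0m1.071s
user    0m0.370s
sys     0m0.690s
root@tor-router ~# time bzip2 /tmp/words
real    0m1.041s
user    0m0.440s
sys     0m0.600s
"""


def parse_time_runs(transcript: str):
    """Return one {'real': s, 'user': s, 'sys': s} dict per `time` block, in order."""
    runs, current = [], {}
    for name, mins, secs in TIME_RE.findall(transcript):
        if name == "real" and current:   # a new block starts at each 'real'
            runs.append(current)
            current = {}
        current[name] = int(mins) * 60 + float(secs)
    if current:
        runs.append(current)
    return runs


def stolen_share(run: dict) -> float:
    """Fraction of wall-clock time the benchmark did not get: (real - user) / real.
    Matches the post's 'CPU load' figures within rounding."""
    return (run["real"] - run["user"]) / run["real"]


def mean_stolen_share(transcript: str) -> float:
    runs = parse_time_runs(transcript)
    return sum(stolen_share(r) for r in runs) / len(runs)


def extrapolate_share(measured_mbps: float, measured_share: float, target_mbps: float) -> float:
    """Linear scaling of forwarding cost to a target rate (optimistic assumption)."""
    return measured_share * target_mbps / measured_mbps


if __name__ == "__main__":
    base = stolen_share(parse_time_runs(IDLE_RUN)[0])
    loaded = mean_stolen_share(LOADED_60M_RUNS)
    print(f"idle box overhead:        {base:.1%}")
    print(f"~60Mbps forwarding cost:  {loaded:.1%} (vmstat said 5% system)")
    print(f"extrapolated to 200Mbps:  {extrapolate_share(60, loaded, 200):.1%}")
```

The interesting number is the gap between what vmstat reported (5% system) and what the benchmark lost (around 60%); the benchmark method is crude but it measures what the router actually has left over, which is what matters for capacity planning.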
Spammers could face fines
We can hope, can't we? Forward from another list:

Spammers could face fines
Reuters
May 17, 2002, 12:20 PM PT

A bill aimed at limiting unwanted junk e-mail was approved and sent to the floor by the Senate Commerce Committee on Friday with unanimous support from Democrats and Republicans.

It would strengthen the Federal Trade Commission's enforcement authority by allowing it to impose fines of up to $10 each on e-mails that violate existing laws against spam, with a cap of $500,000.

Sen. Conrad Burns, a Montana Republican and co-sponsor of the legislation, said the bill would help both e-commerce and consumers burdened by unsolicited junk or pornographic e-mails.

"Rampant pornography and fraudulent credit deals were never the destiny of the Internet, but they have become commonplace fixtures in in-boxes everywhere," he said.

No similar measure is pending in the U.S. House of Representatives. New Mexico Republican Rep. Heather Wilson's bill requiring spammers to use a legitimate return address--so unwanted e-mail can more easily be blocked--has not yet been scheduled for a vote.

Twenty-two states have passed anti-spam legislation.

Spam has especially been a problem for rural consumers, many of whom pay long-distance charges for Internet connections and waste time and money erasing their unwanted e-mails, Burns said.

The Senate Commerce Committee on Friday approved an amendment by Sen. Barbara Boxer, a California Democrat, that would prohibit transmitting unwanted e-mails to addresses that were illegally obtained from Web sites.

Co-sponsor Sen. Ron Wyden, an Oregon Democrat, said moving the bill would help the FTC deal with thousands of complaints it has received about spam.

"The problem is, the technology is on the side of the spammer," Wyden said.

The proposal would also require e-marketers to include a working return address to allow recipients the option of refusing further e-mails, and give Internet service providers the ability to bring suit to keep unlawful spam off their networks. It would also subject spammers who intentionally disguise their identities to misdemeanor criminal penalties.
The business side of the coin. WAS RE: The market must be coming back
I recall that, early in my career I had the opportunity to build a new LAN backbone for a 6 story office building. It was going to be Category 5! Woohoo. With a 12/24 fiber backbone. ATM in a LAN environment was new at the time but I was going to make sure I had an OC3 backhauling each of the floors to a central switch. I thought this design was beautiful and marvelous. There was a neat new company that made LAN-style ATM gear with performance specs that would just blow your mind.

So when I took the design to the board they loved the fastethernet fiber blah blah and gave approval. But when it came down to selecting vendors for the hardware I ran right into a brick wall with questions like: How long has this company been in business? Are they using open standards? Do they have knowledgeable tech support? ..and so on.

So, regardless of whether the hardware is the fastest thing on the block, pushing 10 nanobits at a megaflop, you can look like a fool if you don't consider the business repercussions of the vendor you choose. In the end, I didn't get my design approved until I chose Cisco. Was I pissed, sure! Did I ship off white papers and other propaganda to support my case? Yes! But the company went bankrupt about 2 weeks after I submitted the bid.

Just my .02,

Regards,
Christopher J. Wolff, VP CIO
Broadband Laboratories
http://www.bblabs.com

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Gary
Sent: Tuesday, May 21, 2002 12:37 AM
To: Richard A Steenbergen
Cc: [EMAIL PROTECTED]
Subject: RE: The market must be coming back

Richard:

> Personally I would say that Foundry does EVERYTHING less than perfect. Nearly everyone I'm aware of (including myself) who has had the misfortune to try and use their devices in a service provider environment and a layer 3 role has come away with a universal loathing of biblical proportions.

Not worth a response. Can't please everybody and you CAN'T design everyone's network for them. Sort of like EIGRP. Even the worst network engineer can look great with it. Perhaps you should read JANOG. Maybe they can help you. Search for フアウンドリ。 (note, if you cannot read this, it is Japanese for Foundry in unicode).

> I really can't stress this enough, it DOES NOT MATTER how many gigabits your box forwards. A router is ONLY as useful as the quality of its software and support, if you can't login to it or have working routing protocols, it's just a big paperweight. The only "wannabe cisco" company I have seen learn this lesson is Juniper, and I am firmly convinced this is the reason for their success in the core.

Juniper is an OUTSTANDING company. Much better than many networking companies in many respects. I've also heard nothing but good things about Unisphere here in Japan, so perhaps this will be a good marriage with benefits to service providers. I'll enjoy competing. We will compete.

> Whenever I read a press release about Foundry in the core, I stop and take a moment to laugh uncontrollably. It has nothing to do with ISIS or MPLS, it has to do with making your existing functionality work correctly and behave in a sensible fashion. Nothing personal against Foundry, but the people in charge couldn't possibly "not get it" any more than they do now.

Remember what you said in this paragraph. I will refer to it later.

Yoroshiku,
Gary
Re: The business side of the coin. WAS RE: The market must becoming back
On Tue, 21 May 2002, Christopher J. Wolff wrote:
> So, regardless of whether the hardware is the fastest thing on the block, pushing 10 nanobits at a megaflop, you can look like a fool if you don't consider the business repercussions of the vendor you choose. In the end, I didn't get my design approved until I chose Cisco. Was I pissed, sure! Did I ship off white papers and other propaganda to support my case? Yes! But the company went bankrupt about 2 weeks after I submitted the bid.

No one gets fired for buying IBM.

/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\
Patrick Greenwell
Asking the wrong questions is the leading cause of wrong answers
\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/
RE: The business side of the coin. WAS RE: The market must be coming back
Good point! The other one is "Choose your battles wisely."

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Patrick
Sent: Tuesday, May 21, 2002 9:52 PM
To: Christopher J. Wolff
Cc: [EMAIL PROTECTED]
Subject: Re: The business side of the coin. WAS RE: The market must be coming back

On Tue, 21 May 2002, Christopher J. Wolff wrote:
> So, regardless of whether the hardware is the fastest thing on the block, pushing 10 nanobits at a megaflop, you can look like a fool if you don't consider the business repercussions of the vendor you choose. In the end, I didn't get my design approved until I chose Cisco. Was I pissed, sure! Did I ship off white papers and other propaganda to support my case? Yes! But the company went bankrupt about 2 weeks after I submitted the bid.

No one gets fired for buying IBM.

/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\
Patrick Greenwell
Asking the wrong questions is the leading cause of wrong answers
\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/
Cisco quality
For those saying Cisco is so great, it's still fucked up pretty bad. IOS 12.1 and later doesn't allow an MTU 1460 on L2TP, while 12.0.7(T) works fine with a 1492 MTU that my PPPoE customers expect. Every rev I've tried from 12.0 and up has problems with CEF when using ISL VLAN sub-interfaces, and without CEF, mac-accounting is screwed up.

Now if they charged 1/5th of what they do, I'd say you're getting reasonable value for your dollar...

Ralph Doncaster
principal, IStop.com
div. of Doncaster Consulting Inc.