RE: Blackholes and IXs and Completing the Attack.
On Sat, 2 Feb 2008, Tomas L. Byrnes wrote: I sincerely doubt that any backbone provider will filter at a /32. That means they have to check EVERY PACKET AT FULL IP DEST against your AS advertised routes. Since most backbone routers build circuits at the /18 and above mask on MPLS, just to keep up with traffic, I sincerely doubt they are going to expend the CPU, and potentially RAM, never mind prefix table entries (you know, those things we're running out of) to have a full table of every host that every hoster says is being DDOSed. In this case, there's a clear economic cost, for no economic benefit (they do actually make money delivering that DDOS traffic). most backbone routers build circuits at the /18 and above mask on MPLS - that part is seriously funny. However: a) Yes, if such proposal was to be widely accepted, it would generate more entries in RIB/FIB. b) However, if this service was actually operated by IX's, the limits to prevent too much growth could be applied centrally (max-prefixes per ASN, automatic removal of those routes after X days, unless manually requested by host, etc). c) Since only your peers will have those :666 entries, it is less route growth than than the alternative of announcing the affected block as /24 (which you seem to suggest). A better approach would be to move your DDOS target and all the rest of its co-subnet hosts into a different /24, update the DNS RRs, and cease advertising that /24. That...is...perverted. Not to mention, you can't cease advertising /24. what you would need to do is to deaggregate your (say) /20 into /21, /22, /23 and /24. That's 3 extra entries in FIB for everyone in the world to carry. If you really want to be nice, they don't need to renumber, you just need to stop advertising the target subnet, change the DNS RR's and NAT at your borders, if you control DNS and IP. The added benefit of this is that you can swap them back when the DDOs is over, and they get to stay up while it's happening. All you need to do this is some spare, never to be allocated, IP space. That...is...perverted. -alex [not speaking as mlc anything]
RE: Blackholes and IXs and Completing the Attack.
yes absolutely, if an agreement could be reached - then that is a neater solution, but I wonder if an agreement could ever be reached in a timescale that doesn't make deployment of the alternative more attractive as it doesn't require everyone to agree. From: Rick Astley [mailto:[EMAIL PROTECTED] Sent: 03 February 2008 06:56 To: Ben Butler Cc: nanog@merit.edu Subject: Re: Blackholes and IXs and Completing the Attack. I see your point, but I think maintaining the box for the control session would also require a decent amount of work. Presumably, since you must all adhere to some quasi-standard to communicate with the control peer, you could probably also agree on creating a standard BGP community (ie. 64666:666 no-export) to use and just skip the middle man. Granted, I am kind of new as well, and I assume if the solution were that simple more people would be using it. On Feb 2, 2008 9:07 PM, Ben Butler [EMAIL PROTECTED] wrote: Hi, Agreed, but when you have 100 peers that is still a fair bit of work. I know technically how to do it and am doing this with transits but then there are only seven of those. It is not a question of how or can, but should / is it valuable / constructive? The starting point in the thought process having just done it for transits was right ok, now how do we sensibly scale this to apply it at IXes without everyone having to run round contacting everyone else and to see if there was an easier way of doing things, hence the suggestion. Plus it keeps things nice a separated, your IX peering sessions announce just the main prefixes, the session to the blackhole reflector can be in a separate peer-group and you only send the /32s to the reflector. You don't have to worry about who uses which communities as each member that chooses to peer with the reflector is able to apply an inbound routemaps of their own choosing to any prefixes they receive from this reflector at each individual IX. Given that an ISP has elected to Complete the attack on a host that is being DoSed, for whatever reason, and they have chosen to send blackhole announcements to transit the logical extension seems to be to automate the sending of them to IXs to try to further cut down on traffic. This seems like a easy way, internally you just community tag on the trigger box for where you want the announcement to go, transit, internal, customers, IX all,1 2 not 3 - whatever - and BGP sends it out. Easy, and a single system to send out all updates when you choose to and easy to remove when you want to take it out again. If you subscribe to completing the attack as a strategy, then the suggestion seemed like an easy way of rolling it out to the next logical point after transit. Kind Regards Ben
RE: Blackholes and IXs and Completing the Attack.
Hi, I am no lawyer, but I question whether ATT can patent anything that uses the existing technology and commands implemented in BGP. The idea that you can patent a persons intent in advertising a prefix in BGP seems somewhat bizarre. Surely a patent relates to the use of a new bit of technology that they have developed. Btw, I think I might be a good idea to do all sort of things, that doesn't mean I can file legally enforceable patents in case someone in the future shares my point of view. With regards to: A better approach would be to move your DDOS target and all the rest of its co-subnet hosts into a different /24, update the DNS RRs, and cease advertising that /24. I just think you don't get it. Apart from the impracticality of renumbering all the other non-effected hosts in the same /24 and all the associated DNS records and the amount of time that is going to take. Plus then announce another /24 for the renumbered hosts. You are are saying that I should de-aggregate the /19 announcement into components so that I can stop advertising the original /24 - because your worried about route table prefix pollution If I blackhole a /32 to my transits, it does not appear in your routing table. If I blackhole a /32 to one of my peers and you are not even at the same IX, then there is no change of it appearing in your route table either. Conversely you seem to be suggesting I announce a bunch of prefixes to everyone? Kind Regards Ben -Original Message- From: Tomas L. Byrnes [mailto:[EMAIL PROTECTED] Sent: 03 February 2008 07:54 To: Ben Butler; nanog@merit.edu Subject: RE: Blackholes and IXs and Completing the Attack. Well then they wouldn't be peering with this route reflector Well then, the utility is probably close to 0, isn't it? I doubt most of the sources of DDOS traffic, especially those without ingress source filtering, are going to peer with your route reflector. What's their economic incentive to expend the engineering time to do so? I sincerely doubt that any backbone provider will filter at a /32. That means they have to check EVERY PACKET AT FULL IP DEST against your AS advertised routes. Since most backbone routers build circuits at the /18 and above mask on MPLS, just to keep up with traffic, I sincerely doubt they are going to expend the CPU, and potentially RAM, never mind prefix table entries (you know, those things we're running out of) to have a full table of every host that every hoster says is being DDOSed. In this case, there's a clear economic cost, for no economic benefit (they do actually make money delivering that DDOS traffic). A better approach would be to move your DDOS target and all the rest of its co-subnet hosts into a different /24, update the DNS RRs, and cease advertising that /24. If you really want to be nice, they don't need to renumber, you just need to stop advertising the target subnet, change the DNS RR's and NAT at your borders, if you control DNS and IP. The added benefit of this is that you can swap them back when the DDOs is over, and they get to stay up while it's happening. All you need to do this is some spare, never to be allocated, IP space. Works with the existing infrastructure, doesn't require an Internet God, and in general, is likely to be more effective in the real world. That whole rough consensus and running code ethos of the IETF thing, as opposed to the Cathedral mentality of the ITU (and ICANNt), which your approach would imply. You control which routes you advertise, after all. Plus, ATT's legal beagles don't get to send you a dunning notice when their patent gets granted. -Original Message- From: Ben Butler [mailto:[EMAIL PROTECTED] Sent: Saturday, February 02, 2008 2:42 PM To: Tomas L. Byrnes; nanog@merit.edu Subject: RE: Blackholes and IXs and Completing the Attack. If you're trying to do it on a /32 basis, I doubt you'd find too many border router operators interested in accepting a route that small, but I may be wrong. Well then they wouldn't be peering with this route reflector in the first place. -Original Message- From: Tomas L. Byrnes [mailto:[EMAIL PROTECTED] Sent: 02 February 2008 20:39 To: Ben Butler; Paul Vixie; nanog@merit.edu Subject: RE: Blackholes and IXs and Completing the Attack. You could achieve the exact same result simply by not advertising the network to your peers, or by advertising a bogus route (prefixing a known bogon AS for the addresses you want null-routed). I realize you would have to subnet/deaggregate your netblocks, and therefore could wind up with a prefix-length issue for peers who won't accept routes longer than a certain mask, in some cases, but if you are already being DDOSed, this should represent SOME improvement. If you're trying to do it on a /32 basis, I doubt you'd find too many border router operators interested in accepting a route that small, but I may be wrong. The bigger issue with all
RE: Blackholes and IXs and Completing the Attack.
IANAL, but my understanding of patents is that anyone can patent any innovative combination of existing things, if it produces a new effect or is used in a new way. According to the patent lawyers I've worked with, that is, in fact, the most common type of patent. As an example, Watt's steam engine combined a piston, a balance beam, a wheel, and a crank, all of which existed before, but his invention was patented. The ATT patent is on black-holing using BGP null routing to mitigate DDOS. As far as your proposal goes, perhaps I had misunderstood. My understanding was that you wanted everyone in the Internet to accept routes from an AS that was intended to be black-holed. Those routes would be hosts (/32) that were, in fact, placed in the route server by some trusted community (presumably hosters). The benefit of this would be to eliminate the collateral damage to other customers of the hosters caused by traffic targeting the DDOS target also denying service to them. If I have misunderstood, then I'm sorry, but my responses were based on the following assumptions: 1: The routes to be black-holed would all be /32s 2: The routes to be black-holed would have to be, in order to be effective, accepted by routers that carried the vast majority of the Internet's traffic, since you want to drop DDOS traffic as close to its source as possible. In my mind that would, at the very least include all the routers at major aggregation and peering points. 3: Backbone routers can't reasonably filter on a bunch of /32s and also forward traffic at wire speed. 4: It would be much harder to get all the ingress networks, which include all sorts of small local and regional ISPs, to join such a scheme than it would be to get larger ISPS to do so, assuming item 3 above is not true. 5: When one /32 is under DDOS, the rest of the hosts served by the same links are also effectively DOSed, ergo renumbering them out of the DOSed space, while painful, might be less painful than continuing to deal with the DOS. 6: You control what routes you advertise, and therefore can, effectively, make any prefix as short as or shorter than the shortest prefix accepted by your peers go dark, simply by stopping advertising it. 7: The increase in route prefixes caused by disaggregating would, assuming that there were multiple DDOS targets at any one time, not be materially larger than that caused by accepting a bunch of /32s, and may well be less. 8: Disaggregation can be done now, with the tools currently available, and requires no additional hardware, software, or legal agreements. It seems that you are saying that you're just asking your immediate peers to accept this private AS from you, to black-hole traffic to that AS locally, and not propagate the routes to their peers. That's completely different than what I thought you were talking about, which was some sort of Internet-wide black-hole AS that everyone was supposed to peer with. What you and your immediate peers do is between you and them, and I could see this as working quite well on that basis. All it's doing, however, is absorbing the DDOS one step upstream, which is probably a place that can do so more easily, and clearly is doing so any time the DDOS is getting through. In any event, as I pointed out, null routing via BGP to defend against DDOS is Patent Pending ATT, so unless you can get the patent not to issue, building a network based on it runs the risk of the patent troll. I've said my piece on this. Where I've made errors or misspoken, I'm happy to stand corrected. If I've offended anyone, I'm sorry. Best wishes to all. May your packets flow, your sessions connect, and your pagers remain silent. -Original Message- From: Ben Butler [mailto:[EMAIL PROTECTED] Sent: Sunday, February 03, 2008 5:31 AM To: Tomas L. Byrnes; nanog@merit.edu Subject: RE: Blackholes and IXs and Completing the Attack. Hi, I am no lawyer, but I question whether ATT can patent anything that uses the existing technology and commands implemented in BGP. The idea that you can patent a persons intent in advertising a prefix in BGP seems somewhat bizarre. Surely a patent relates to the use of a new bit of technology that they have developed. Btw, I think I might be a good idea to do all sort of things, that doesn't mean I can file legally enforceable patents in case someone in the future shares my point of view. With regards to: A better approach would be to move your DDOS target and all the rest of its co-subnet hosts into a different /24, update the DNS RRs, and cease advertising that /24. I just think you don't get it. Apart from the impracticality of renumbering all the other non-effected hosts in the same /24 and all the associated DNS records and the amount of time that is going to take. Plus then announce another /24 for the renumbered hosts. You are are saying that I should de-aggregate the /19 announcement into components so
Re: Blackholes and IXs and Completing the Attack.
On Feb 3, 2008 2:53 PM, Tomas L. Byrnes [EMAIL PROTECTED] wrote: 3: Backbone routers can't reasonably filter on a bunch of /32s and also forward traffic at wire speed. yes they can. the size of the individual route doesn't matter to the devices in question, the NUMBER of routes does... (as does the associated change-rate of that number, but that's a story for another day) 4: It would be much harder to get all the ingress networks, which include all sorts of small local and regional ISPs, to join such a scheme than it would be to get larger ISPS to do so, assuming item 3 above is not true. some already do this though... not in quite the manner Ben's aiming to do, but there are folks that accept BGP feeds in order to drop traffic inside there network(s). 5: When one /32 is under DDOS, the rest of the hosts served by the same links are also effectively DOSed, ergo renumbering them out of the DOSed space, while painful, might be less painful than continuing to deal with the DOS. you have not had to deal with renumbering I presume? not a raft of end-users (consumers nevermind businesses). Why is the assumption that the surrounding space is a /24 relevant exactly? The aggregation scheme used inside any particular network isn't necessarily '/24 per pop/link/service-area'... renumbering for DDoS isn't really a workable solution, save the distinct case when you own the IP in question and services it provides (and other ancillary bits/bytes related to said ip/device/thingy). 8: Disaggregation can be done now, with the tools currently available, and requires no additional hardware, software, or legal agreements. your point here is that perhaps instead of this scheme one would just advertise the max-prefix-length (/24 currently) from a 'better' place on your network and suck all the 'bad' traffic (all traffic in point of fact) for the attacked destination via a transit/peer/place which can deal with it properly? This isn't a bad solution, and it gives you some control on the traffic stream, it does have the penalty to everyone else of 'one more route in the RIB/FIB'... which I think was Ben's vote against this method. (also not a bad vote...) anyway, the idea behind multi-as blackholing has been (and apparently contunues to get) rehashed a few times over the last 5-8 years... good luck! -Chris
RE: Blackholes and IXs and Completing the Attack.
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 anyway, the idea behind multi-as blackholing has been (and apparently continues to get) rehashed a few times over the last 5-8 years... good luck! It seems that way. People seem to forget about the conversations and work around 2000 - 2002. We not only had RTBH (static), multi AS RTBH, Source based RTBH (why uRPF Loose check was created), BGP Community based packet filtering (QPPB - source or destination), Backscatter Traceback (Chris and Brian's cool technique), Customer triggered RTBH (another Chris and Brian trick), BGP Shunts (originally created for the Great Firewall), MAPS's grow (which had multi-AS eBGP multihops BGP RTBHs back in 1997 for anti-SPAM filtering), and then all the BGP Flow-Spec work. We even have a RFC - 3882 Configuring BGP to Block Denial-of-Service Attacks. by D. Turk. published in September 2004. This is a good conversation for NANOG, but we really need to build up some FAQ so we don't keep going over the same things every year. Barry -BEGIN PGP SIGNATURE- Version: PGP 8.1 iQA/AwUBR6Ys/7/UEA/xivvmEQK3pwCg/a7329AxsnBgmPT9kmHoSWXhd1AAnA8d COSRO/CaIVnFOu0BIjbh5snD =HANY -END PGP SIGNATURE-
RE: Blackholes and IXs and Completing the Attack.
Hi Barry, Thank you for some really useful pointers, I am off to do some more reading. Kind Regards Ben -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Barry Greene (bgreene) Sent: 03 February 2008 21:07 To: Christopher Morrow; Tomas L. Byrnes Cc: nanog@merit.edu Subject: RE: Blackholes and IXs and Completing the Attack. -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 anyway, the idea behind multi-as blackholing has been (and apparently continues to get) rehashed a few times over the last 5-8 years... good luck! It seems that way. People seem to forget about the conversations and work around 2000 - 2002. We not only had RTBH (static), multi AS RTBH, Source based RTBH (why uRPF Loose check was created), BGP Community based packet filtering (QPPB - source or destination), Backscatter Traceback (Chris and Brian's cool technique), Customer triggered RTBH (another Chris and Brian trick), BGP Shunts (originally created for the Great Firewall), MAPS's grow (which had multi-AS eBGP multihops BGP RTBHs back in 1997 for anti-SPAM filtering), and then all the BGP Flow-Spec work. We even have a RFC - 3882 Configuring BGP to Block Denial-of-Service Attacks. by D. Turk. published in September 2004. This is a good conversation for NANOG, but we really need to build up some FAQ so we don't keep going over the same things every year. Barry -BEGIN PGP SIGNATURE- Version: PGP 8.1 iQA/AwUBR6Ys/7/UEA/xivvmEQK3pwCg/a7329AxsnBgmPT9kmHoSWXhd1AAnA8d COSRO/CaIVnFOu0BIjbh5snD =HANY -END PGP SIGNATURE-
RE: Blackholes and IXs and Completing the Attack.
Hi, snip your point here is that perhaps instead of this scheme one would just advertise the max-prefix-length (/24 currently) from a 'better' place on your network and suck all the 'bad' traffic (all traffic in point of fact) for the attacked destination via a transit/peer/place which can deal with it properly? This isn't a bad solution, and it gives you some control on the traffic stream, it does have the penalty to everyone else of 'one more route in the RIB/FIB'... which I think was Ben's vote against this method. (also not a bad vote...) /snip Personally, I would achieve this using multiple sinkholes at the edge in IGP rather than advertising an extra /24 in BGP to suck it to one router. PA Deagregation as evidenced in some of my other posts is a pet hate of mine. PI space (and for that matter v6 PI please) is not - especially if we clean up the act on the PA front. Because, my research into anti DoS is still work in progress, I was going to sort out traffic mitigation through completing the attack first, then move on to investigating classification using sinks, and then worry about scrubbing / source filtering last. I just haven't got around at looking at sinks and scrubbing yet. I fully accept there is no single silver bullet for all situations and circumstances, but equally a tactic should be as effective as possible when it is selected and deployed - which started this thread. And I am trying to advocate being able to extend completing the attack beyond just transit feeds that is all. I don't know about other people our multiple Internet Exchange peak interconnect capacity versus our transit peak capacity is a significant %. While effectively securing my AS as a whole against the sources that reach me via transit, currently I cant do the same trick with XPs. Now the number of end host systems that I reach via peers is obviously a lot less than transit but the potential is still there as an unsecured ingress which could cause problems either through router/wan overload or interconnect congestion causing packet loss for other traffic. Either isn't good. In the absence of an alternative, it appears that in the scenario that I am under DoS, have blackholed a /32 to transit but my interconnect with an IX is saturated to the detriment of customer traffic - that the only thing I can sensibly do to resolve the situation is to temporally admin down / remove my prefix announcement from the IX peerings to shift the load to transit. This also doesn't seem very sensible. Kind Regards Ben -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Christopher Morrow Sent: 03 February 2008 20:56 To: Tomas L. Byrnes Cc: nanog@merit.edu Subject: Re: Blackholes and IXs and Completing the Attack. On Feb 3, 2008 2:53 PM, Tomas L. Byrnes [EMAIL PROTECTED] wrote: 3: Backbone routers can't reasonably filter on a bunch of /32s and also forward traffic at wire speed. yes they can. the size of the individual route doesn't matter to the devices in question, the NUMBER of routes does... (as does the associated change-rate of that number, but that's a story for another day) 4: It would be much harder to get all the ingress networks, which include all sorts of small local and regional ISPs, to join such a scheme than it would be to get larger ISPS to do so, assuming item 3 above is not true. some already do this though... not in quite the manner Ben's aiming to do, but there are folks that accept BGP feeds in order to drop traffic inside there network(s). 5: When one /32 is under DDOS, the rest of the hosts served by the same links are also effectively DOSed, ergo renumbering them out of the DOSed space, while painful, might be less painful than continuing to deal with the DOS. you have not had to deal with renumbering I presume? not a raft of end-users (consumers nevermind businesses). Why is the assumption that the surrounding space is a /24 relevant exactly? The aggregation scheme used inside any particular network isn't necessarily '/24 per pop/link/service-area'... renumbering for DDoS isn't really a workable solution, save the distinct case when you own the IP in question and services it provides (and other ancillary bits/bytes related to said ip/device/thingy). 8: Disaggregation can be done now, with the tools currently available, and requires no additional hardware, software, or legal agreements. your point here is that perhaps instead of this scheme one would just advertise the max-prefix-length (/24 currently) from a 'better' place on your network and suck all the 'bad' traffic (all traffic in point of fact) for the attacked destination via a transit/peer/place which can deal with it properly? This isn't a bad solution, and it gives you some control on the traffic stream, it does have the penalty to everyone else of 'one more route in the RIB/FIB'... which I think was Ben's vote against this method. (also not a bad vote...) anyway,
Fourth cable damaged in Middle Eest (Qatar to UAE)
A fourth submarine cable in the middle east was damaged Sunday between Haloul, Qatar and Das, United Arab Emirates. This is in addition to the damage affecting FLAG, SAE-ME-WE4, FALCON cables. Afer reviewing surveillance video of the area, Egypt's ministry of maritime transportation is reporting no ships were near the FLAG or SAE-ME-WE4 cables 12-hours before or after the cable damage near Alexanderia, Egypt. The reason for outage of the cables has not been identified yet.
Re: Fourth cable damaged in Middle Eest (Qatar to UAE)
Dear Sean; Do you know how Syria, Jordan and Lebanon get their connectivity ? They have dropped off the map today for us. (Or maybe yesterday - I wasn't able to pay any attention to this yesterday.) Our Egyptian audience remains very low, while Iran still seems to be unaffected. Regards Marshall On Feb 3, 2008, at 6:52 PM, Sean Donelan wrote: A fourth submarine cable in the middle east was damaged Sunday between Haloul, Qatar and Das, United Arab Emirates. This is in addition to the damage affecting FLAG, SAE-ME-WE4, FALCON cables. Afer reviewing surveillance video of the area, Egypt's ministry of maritime transportation is reporting no ships were near the FLAG or SAE-ME-WE4 cables 12-hours before or after the cable damage near Alexanderia, Egypt. The reason for outage of the cables has not been identified yet.
RE: Fourth cable damaged in Middle Eest (Qatar to UAE)
Sean, do you have any URLs with additional info on the new cut? Questions are being asked. Marc -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Sean Donelan Sent: Sunday, February 03, 2008 6:52 PM To: nanog@merit.edu Subject: Fourth cable damaged in Middle Eest (Qatar to UAE) A fourth submarine cable in the middle east was damaged Sunday between Haloul, Qatar and Das, United Arab Emirates. This is in addition to the damage affecting FLAG, SAE-ME-WE4, FALCON cables. Afer reviewing surveillance video of the area, Egypt's ministry of maritime transportation is reporting no ships were near the FLAG or SAE-ME-WE4 cables 12-hours before or after the cable damage near Alexanderia, Egypt. The reason for outage of the cables has not been identified yet.
RE: Fourth cable damaged in Middle Eest (Qatar to UAE)
http://afp.google.com/article/ALeqM5i03tUdyj8wf2Xa9P4trWEjqAJdyQ DOHA (AFP) . An undersea telecoms cable linking Qatar to the United Arab Emirates was damaged, disrupting services, telecommunications provider Qtel said on Sunday, the latest such incident in less than a week. The cable was damaged between the Qatari island of Haloul and the UAE island of Das on Friday, Qtel's head of communications Adel al Mutawa told AFP. On Sun, 3 Feb 2008, Marcus H. Sachs wrote: Sean, do you have any URLs with additional info on the new cut? Questions are being asked. Marc -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Sean Donelan Sent: Sunday, February 03, 2008 6:52 PM To: nanog@merit.edu Subject: Fourth cable damaged in Middle Eest (Qatar to UAE) A fourth submarine cable in the middle east was damaged Sunday between Haloul, Qatar and Das, United Arab Emirates. This is in addition to the damage affecting FLAG, SAE-ME-WE4, FALCON cables. Afer reviewing surveillance video of the area, Egypt's ministry of maritime transportation is reporting no ships were near the FLAG or SAE-ME-WE4 cables 12-hours before or after the cable damage near Alexanderia, Egypt. The reason for outage of the cables has not been identified yet.
Re: Fourth cable damaged in Middle Eest (Qatar to UAE)
y'all, there has has been a lot of speculation that this is all some US prelude to war with iran. while i don't claim to know much about whether that makes any sense, i do know that if they're trying to disconnect iran from the internet, they're doing a lousy job: http://www.renesys.com/blog/2008/02/attention_iran_is_not_disconne_1.shtml we (renesys) have been tracking (at layer 3) this set of outages (see the previous 3 postings at: http://www.renesys.com/blog/2008/01/mediterranean_cable_break.shtml http://www.renesys.com/blog/2008/01/mediterranean_cable_break_part_1.shtml and http://www.renesys.com/blog/2008/02/mediterranean_cable_break_part.shtml for a view of this from a routing perspective among out peer set) and iran is not even one of the 10 most affacted countries. it certainly all seems suspcious and worrisome, but it does not seem that iran is the target of a competent campaign to disrupt its telecommunications (slashdot paranoia notwithstanding). i'll be interested to hear more about what is found about the physical layer causes. t. -- _ todd underwood +1 603 643 9300 x101 renesys corporationgeneral manager babbledog [EMAIL PROTECTED] http://www.renesys.com/blog
RE: Fourth cable damaged in Middle Eest (Qatar to UAE)
So is this cause for concern or just business as usual with respect to the daily operations of USFO cables? Seems somewhat out of place to have four within five days but then it might be only slightly abnormal and amplified by the media paying more attention. -Original Message- From: Sean Donelan [mailto:[EMAIL PROTECTED] Sent: Sunday, February 03, 2008 8:22 PM To: Marcus H. Sachs Cc: nanog@merit.edu Subject: RE: Fourth cable damaged in Middle Eest (Qatar to UAE) http://afp.google.com/article/ALeqM5i03tUdyj8wf2Xa9P4trWEjqAJdyQ DOHA (AFP) . An undersea telecoms cable linking Qatar to the United Arab Emirates was damaged, disrupting services, telecommunications provider Qtel said on Sunday, the latest such incident in less than a week. The cable was damaged between the Qatari island of Haloul and the UAE island of Das on Friday, Qtel's head of communications Adel al Mutawa told AFP. On Sun, 3 Feb 2008, Marcus H. Sachs wrote: Sean, do you have any URLs with additional info on the new cut? Questions are being asked. Marc -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Sean Donelan Sent: Sunday, February 03, 2008 6:52 PM To: nanog@merit.edu Subject: Fourth cable damaged in Middle Eest (Qatar to UAE) A fourth submarine cable in the middle east was damaged Sunday between Haloul, Qatar and Das, United Arab Emirates. This is in addition to the damage affecting FLAG, SAE-ME-WE4, FALCON cables. Afer reviewing surveillance video of the area, Egypt's ministry of maritime transportation is reporting no ships were near the FLAG or SAE-ME-WE4 cables 12-hours before or after the cable damage near Alexanderia, Egypt. The reason for outage of the cables has not been identified yet.
Re: Blackholes and IXs and Completing the Attack.
On Feb 3, 2008 5:18 PM, Ben Butler [EMAIL PROTECTED] wrote: Hi, snip your point here is that perhaps instead of this scheme one would just advertise the max-prefix-length (/24 currently) from a 'better' place on your network and suck all the 'bad' traffic (all traffic in point of fact) for the attacked destination via a transit/peer/place which can deal with it properly? This isn't a bad solution, and it gives you some control on the traffic stream, it does have the penalty to everyone else of 'one more route in the RIB/FIB'... which I think was Ben's vote against this method. (also not a bad vote...) /snip Personally, I would achieve this using multiple sinkholes at the edge in IGP rather than advertising an extra /24 in BGP to suck it to one router. Oops, I think I wasn't clear, my point was you could force traffic off of most peers and transits and onto a single transit by advertising the most specific global route possible (/24 today) through a single transit. This way you can force all of the world to find your attacked host through a place you choose, rather than 'everywhere'. Shifting around things in your IGP isn't going to help the rest-of-the-worlds view of your problem... My proposal would allow you to normalize traffic on your peer/transit links save one (or a smaller selection of them)... You could extend this to pulling the /24 down some sacrificial link (t1 sort of thing) as well, of course. You could also reverse the logic and either drop the route toward peers or extend the path via as-prepend... I fully accept there is no single silver bullet for all situations and circumstances, but equally a tactic should be as effective as possible when it is selected and deployed - which started this thread. And I am trying to advocate being able to extend completing the attack beyond just transit feeds that is all. Sure, and as I and Barry said, there have been several iterations of this discussion, not that that's a bad thing just a note that this is ground covered at least a few times. I don't know about other people our multiple Internet Exchange peak interconnect capacity versus our transit peak capacity is a significant %. While effectively securing my AS as a whole against the sources that reach me via transit, currently I cant do the same trick with XPs. Now sure you can, just don't have the traffic arrive there, draw it elsewhere, somewhere you are better prepared to deal with the problem... Something about fighting battles on your terms not theirs? traffic - that the only thing I can sensibly do to resolve the situation is to temporally admin down / remove my prefix announcement from the IX peerings to shift the load to transit. This also doesn't seem very sensible. I'd couch this in the following terms: Don't be where the flood is, or deal with it where you are best equipped to... There are many option, getting 'peer' folks to do BHR things for you isn't simple (most times they don't want you traffic engineering inside their network...), getting a transit to is another story, most times they have this facility it's just a matter of finding someone inside their support crew to get you the right bits/setup. Extra BGP sessions and unbounded /32 growth doesn't bode well for this plan either... anyway, it'll be interesting to watch the discussion progress. -Chris
Re: Aggregation for IPv4-compatible IPv6 address space
in the most recent architecture, rfc 4291, that was deprecated. The exact statement is 2.5.5.1. IPv4-Compatible IPv6 Address The IPv4-Compatible IPv6 address was defined to assist in the IPv6 transition. The format of the IPv4-Compatible IPv6 address is as follows: |80 bits | 16 | 32 bits| +--+--+ |..||IPv4 address | +--++-+ Note: The IPv4 address used in the IPv4-Compatible IPv6 address must be a globally-unique IPv4 unicast address. The IPv4-Compatible IPv6 address is now deprecated because the current IPv6 transition mechanisms no longer use these addresses. New or updated implementations are not required to support this address type. I should think you are within bounds to not announce it at all. On Feb 4, 2008, at 6:09 AM, snort bsd wrote: Hi all: With IPv4-compatible IPv6 address space, could I aggregate the address space? say 192.168.0.0/16 become ::192.168/112? or It must be converted to native IPv6 address space? Just wondering, Get the name you always wanted with the new y7mail email address. www.yahoo7.com.au/y7mail
Aggregation for IPv4-compatible IPv6 address space
Hi all: With IPv4-compatible IPv6 address space, could I aggregate the address space? say 192.168.0.0/16 become ::192.168/112? or It must be converted to native IPv6 address space? Just wondering, Get the name you always wanted with the new y7mail email address. www.yahoo7.com.au/y7mail
RE: Fourth cable damaged in Middle Eest (Qatar to UAE)
Caution: upon further research it appears there may be some language misscommunication in some of the reports; and some of the outages may be multiple reports of the same incidents. http://www.khaleejtimes.com/DisplayArticle.asp?xfile=data/theuae/2008/February/theuae_February115.xmlsection=theuae Confirming international media reports, an Etisalat official yesterday told Khaleej Times that the cable network was not completely severed, though the damage slowed down the already affected system. He did not give any further details regarding the cause of damage. [...] This is the third incident of its kind in the area since January 30 since the cables were first damaged in the Mediterranean and then off the coast of Dubai, causing widespread disruption to Internet and international telephone services in Egypt, Gulf Arab states and south Asia. FLAG restoration update information: http://www.flagtelecom.com/media/PDF_files/Submarine%20Cable%20Cut%20Update%20Bulletin%20Release%20030208.pdf
Re: Fourth cable damaged in Middle Eest (Qatar to UAE)
On Mon, 4 Feb 2008, Todd Underwood wrote: there has has been a lot of speculation that this is all some US prelude to war with iran. while i don't claim to know much about whether that makes any sense, i do know that if they're trying to disconnect iran from the internet, they're doing a lousy job: An extremely poor job if that was the intent. According to SLAC, throughput to Iran actually improved. https://confluence.slac.stanford.edu/display/IEPM/Effects+of+Fibre+Outage+through+Mediterranean If the intent was to cut off Iran, they're picking the wrong cables. TAE goes across the northern part of Iran http://taeint.net/en/network/middle/ FLAG via UAE, SE-ME-WE-3 (not 4), ITOUR and KAFOS Sometimes concicidences are concidences.
RE: Aggregation for IPv4-compatible IPv6 address space
You mean do you have to express it in hex? The original spec allowed both ways I believe... but just so you realize, this has been deprecated. Mostly 'cause people can't subnet. :) Scott -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of snort bsd Sent: Sunday, February 03, 2008 11:10 PM To: nanog@merit.edu Subject: Aggregation for IPv4-compatible IPv6 address space Hi all: With IPv4-compatible IPv6 address space, could I aggregate the address space? say 192.168.0.0/16 become ::192.168/112? or It must be converted to native IPv6 address space? Just wondering, Get the name you always wanted with the new y7mail email address. www.yahoo7.com.au/y7mail
Re: Fourth cable damaged in Middle Eest (Qatar to UAE)
Hi, anyone with a source of unadulterated information from an operational point of view about this cuts. A search on the Net is springing up a lot of speculative whodunits. Reason is, how will the affected regions get round this issue before the repairs are done. First thought would be to set up satellite links, not as good but better than nothing. Raymond Sean Donelan wrote: On Mon, 4 Feb 2008, Todd Underwood wrote: there has has been a lot of speculation that this is all some US prelude to war with iran. while i don't claim to know much about whether that makes any sense, i do know that if they're trying to disconnect iran from the internet, they're doing a lousy job: An extremely poor job if that was the intent. According to SLAC, throughput to Iran actually improved. https://confluence.slac.stanford.edu/display/IEPM/Effects+of+Fibre+Outage+through+Mediterranean If the intent was to cut off Iran, they're picking the wrong cables. TAE goes across the northern part of Iran http://taeint.net/en/network/middle/ FLAG via UAE, SE-ME-WE-3 (not 4), ITOUR and KAFOS Sometimes concicidences are concidences.
Re: Fourth cable damaged in Middle Eest (Qatar to UAE)
Marshall: I don't see any cables for Lebanon. I also don't see any cable for Syria. I see Falcon coming down an estuary on an edge border for Jordan. In proximity, Israel has some redundancy, although I don't have the granularity to strip out the specific cables. It looks like a branch to me, a splice point in a cable that happens under the water, which allows for multi-directional paths from a single cable. I would think that route-views would have any of what you may need to track down what's going on advertisement wise, and for free. Best, Marty On Feb 3, 2008 7:33 PM, Marshall Eubanks [EMAIL PROTECTED] wrote: Dear Sean; Do you know how Syria, Jordan and Lebanon get their connectivity ? They have dropped off the map today for us. (Or maybe yesterday - I wasn't able to pay any attention to this yesterday.) Our Egyptian audience remains very low, while Iran still seems to be unaffected. Regards Marshall On Feb 3, 2008, at 6:52 PM, Sean Donelan wrote: A fourth submarine cable in the middle east was damaged Sunday between Haloul, Qatar and Das, United Arab Emirates. This is in addition to the damage affecting FLAG, SAE-ME-WE4, FALCON cables. Afer reviewing surveillance video of the area, Egypt's ministry of maritime transportation is reporting no ships were near the FLAG or SAE-ME-WE4 cables 12-hours before or after the cable damage near Alexanderia, Egypt. The reason for outage of the cables has not been identified yet.
Re: Blackholes and IXs and Completing the Attack.
If you're trying to do it on a /32 basis, I doubt you'd find too many border router operators interested in accepting a route that small, but I may be wrong. I can think of at least one Global Tier One that offers a service that allows one to do exactly this (ie. advertise a /30 or /32 to them with a specific community) and blackhole it. -- Matthew Moyle-Croft - Internode/Agile - Networks Level 5, 150 Grenfell Street, Adelaide, SA 5000 Australia Email: [EMAIL PROTECTED] Web: http://www.on.net Direct: +61-8-8228-2909 Mobile: +61-419-900-366 Reception: +61-8-8228-2999 Fax: +61-8-8235-6909 The difficulty lies, not in the new ideas, but in escaping from the old ones - John Maynard Keynes
Re: Fourth cable damaged in Middle Eest (Qatar to UAE)
On 04/02/2008, at 4:38 PM, Martin Hannigan wrote: I agree with Rod Beck as far as the speculations go. It could be terror, Well, no, it couldn't be. Nobody is being terrorized by this. How can it possibly be a terrorist incident? If it's deliberate, it might be described as an information warfare tactic. But not terrorism. (visions of some guy sitting a in cave with a pair of wet boltcutters laughing maniacally to himself, cackling, Ha-ha! Now their daytraders will get upset, and teenagers will get their porn _slower_! Die American scum! Doesn't really work, does it?) Politicians have succeeded in watering down the definition of the word terrorism to the point where it no longer has any meaning. But we're rational adults, not politicians, right? If we can't get it right, who will? - mark -- Mark Newton Email: [EMAIL PROTECTED] (W) Network Engineer Email: [EMAIL PROTECTED] (H) Internode Systems Pty Ltd Desk: +61-8-82282999 Network Man - Anagram of Mark Newton Mobile: +61-416-202-223
Re: Fourth cable damaged in Middle Eest (Qatar to UAE)
On Feb 4, 2008 12:38 AM, Sean Donelan [EMAIL PROTECTED] wrote: On Mon, 4 Feb 2008, Todd Underwood wrote: there has has been a lot of speculation that this is all some US prelude to war with iran. while i don't claim to know much about whether that makes any sense, i do know that if they're trying to disconnect iran from the internet, they're doing a lousy job: An extremely poor job if that was the intent. According to SLAC, throughput to Iran actually improved. https://confluence.slac.stanford.edu/display/IEPM/Effects+of+Fibre+Outage+through+Mediterranean If the intent was to cut off Iran, they're picking the wrong cables. TAE goes across the northern part of Iran Where are you seeing that? I can only see access to Iran through the Gulf of Oman and Caspian Sea. The Caspian Sea doesn't appear to have any cables. The only service to Iran that seems logical, or that I can see, is via Kuwait City and across the Gulf. Nothing appears to go through the Straight of Hormuz without touchdown in Oman or the UAE. I would hope that there is significant terrestrial cooperation in the region all considered, but I don't know anything about Med terrestrial networks. I agree with Rod Beck as far as the speculations go. It could be terror, but it's just not that interesting and is not really a soft-target. I caught some posts about beach heads, et. al. There are some vulnerabilities related to shared landing stations, but I think that places like Telehouse North are far more vulnerable and sexy as a target. Should be interesting to read the RFO's if and when they become public. Best, Marty