Google contact?

2008-04-17 Thread Darden, Patrick S.

Having a bit of difficulty with a Google matter.  Was hoping to get pointed in 
the right direction by someone from Google.
--Patrick Darden
[EMAIL PROTECTED]


RE: Google contact?

2008-04-17 Thread Darden, Patrick S.


Thanks everyone!  Several people from Google responded very quickly, and the 
issue was resolved faster than I can believe.
--Patrick Darden
--ARMC


RE: Mitigating HTTP DDoS attacks?

2008-03-25 Thread Darden, Patrick S.


Hi Mike,

Depending upon the type of DDOS, there are five things you should do in order:

1.  immediate response: set your host based security to mitigate the attack.  
E.g. mod_security for Apache web server, IPTables for host firewall.  This will 
keep the hard drives from filling up, the cpu from smoking, etc.
2.  second response: gateway router or border firewall.  Filter that stuff out 
if you can.  This will keep your internal network clean so it won't affect your 
other systems.  One quickie *temporary* fix would be to block whole networks of 
DSL/Cable modems.  There are lists out there specifically for this--always-on 
broadband home PCs are often the compromised sources of attacks.  
3.  third response: contact your upstream providers and ask them to take 
action.  They can apply filters, and apply pressure to their colos.
4.  make sure you have done your part: secure your network so it cannot be used 
for DOS attacks by applying egress filtration etc. ( 
http://www.sans.org/dosstep/ ); secure your hosts against future DOS attacks 
using things like mod_security and mod_evasive for Apache, tcplimit for 
IPTables, or etc.

One caveat: bandwidth flooding effects can be mitigated, but you can't really 
do anything about it other than contacting your upstream provider.  Until your 
provider does something, the bottleneck here is your uplink.

--Patrick Darden



-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of
Mike Lyon
Sent: Monday, March 24, 2008 6:02 PM
To: NANOG
Subject: Mitigating HTTP DDoS attacks?



Howdy all,

So, i'm kind of new to this so please deal with my ignorance. But,
what is common practice these days for HTTP DDoS mitigation during an
attack? You can of course route every offending ip address to null0 at
your border. But, if it's a botnet or trojan or something, It's coming
from numerous different source IPs and Null0 routes can get very
cumbersome. obviously. How do you folk usually deal with this?

Any input would be greatly appreciated.

Cheers,
Mike
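Darden's first step, host-based mitigation, starts with knowing which sources are flooding you. Below is an added example (not code from the thread) in Python: a sliding-window request counter over constructed Apache combined-log lines that flags sources exceeding a per-window budget, the list an operator would then turn into mod_security or iptables rules. The IPs, timestamps and thresholds are all assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed Apache combined-log lines (not from the thread): one source hammering
# the front page within 3 seconds, one ordinary visitor spread over a few minutes.
SAMPLE_LOG = (
    [f'203.0.113.5 - - [24/Mar/2008:18:02:{s:02d} -0700] "GET / HTTP/1.1" 200 512'
     for s in (1, 1, 2, 2, 2, 3, 3, 3)]
    + [f'198.51.100.7 - - [24/Mar/2008:18:0{m}:05 -0700] "GET /index.html HTTP/1.1" 200 2048'
       for m in (1, 2, 3)]
)

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "[^"]*" (\d{3}) \S+')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    """Return (source_ip, timestamp) for a combined-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group(1), datetime.strptime(m.group(2), TS_FMT)

def flood_sources(lines, max_requests=5, window_s=10):
    """Sliding-window counter: return {ip: peak_count} for every source that exceeded
    max_requests within any window_s-second span. Lines are assumed to be in time
    order per source, as a live tail of access_log would be."""
    windows = defaultdict(deque)
    peaks = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts = parsed
        q = windows[ip]
        q.append(ts)
        # Drop timestamps that have aged out of the window for this source.
        while (ts - q[0]).total_seconds() > window_s:
            q.popleft()
        if len(q) > max_requests:
            peaks[ip] = max(peaks.get(ip, 0), len(q))
    return peaks

if __name__ == "__main__":
    for ip, peak in flood_sources(SAMPLE_LOG).items():
        print(f"{ip}: {peak} requests inside a 10 s window, candidate for a host-firewall drop")
```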


US Gvt ipv6 change, associated agencies

2008-03-18 Thread Darden, Patrick S.


I'm looking for documentation on how the US Government IPv6 mandate affects 
associated agencies--e.g. healthcare providers, non-profits, or any company 
that depends on US Gvt. funding, record keeping, or financial reimbursement for 
services rendered (e.g. via Medicare).

Over the past 5 years most US Gvt--Assoc. Agencies communications have moved 
from modem/BBS type systems to Internet based systems.  With the mandate, IPv4 
will still be available, but I would bet it will be less and less supported as 
time moves on.  I would like to see what the Gvt. has planned.

I've googled, read FAQs, and looked over the docs at whitehouse.gov without 
much luck.  Can anyone point me in the right direction?

--Patrick Darden


RE: load balancing and fault tolerance without load balancer

2008-03-17 Thread Darden, Patrick S.


I understand you have no budget for a commercial load balancer; however, you 
should consider setting up two inexpensive servers or PCs as load balancers.  
You could do it with one, but that would itself be a single point of failure.  
The OS and software are all free.  Two old PCs would be next to free.  Heck, 
two bottom of the line new servers would only cost $2K--$3K total.

OS:       Linux (Fedora 8, SUSE, any modern distro)
Software: LVS ( http://www.linuxvirtualserver.org/ )
          HA ( http://www.linux-ha.org/ )

The How To documentation is short and sweet (there is a full how to, and a mini 
how to) http://www.austintek.com/LVS/LVS-HOWTO/ .  I've been running a cluster 
of 12 web servers for almost 5 9s for 6 years now based off this stuff.  You 
can take a server down for maintenance and nobody notices.

There is a complete bundled package using RPM called Ultra Monkey--it includes 
LVS and HA and everything else you need.  Find it here:  
http://www.ultramonkey.org/ Documentation that should work for Fedora, CentOS, 
and RHEL4+ is at http://www.jedi.com/obiwan/technology/ultramonkey-rhel4.html

--p



-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of
Mark Smith
Sent: Friday, March 14, 2008 6:44 PM
To: Joe Shen
Cc: [EMAIL PROTECTED]; NANGO
Subject: Re: load balancing and fault tolerance without load balancer



On Sat, 15 Mar 2008 00:42:26 +0800 (CST)
Joe Shen [EMAIL PROTECTED] wrote:

 
 hi,
 
 we plan to set up a web site with two web servers.
 
 The two servers should be under the same domain
 name.  Normally, web surfing load should be
 distributed between the servers. When one server
 fails, the other server should take all of the load
 automatically. When the faulty server recovers, load
 balancing should be achieved automatically. There is no
 budget for a load balancer.
 
 
 we plan to use DNS to balance load between the two
 servers. But, it seems a DNS based solution could not
 direct all load to one server automatically when the
 other is down.
  
 
 Is there any way to solve the problem above? 
 

One option might be to run two instances of VRRP/CARP across the hosts.
You have Host A being the primary/master for one IP address that's in
your DNS, and Host B being the primary/master for the other IP address
that's in your DNS. Host A is the secondary/backup for the IP address
normally owned by Host B and Host B is the secondary/backup for the IP
address normally owned by Host A. When, for example, Host A fails, Host
B takes over being the primary/master for both IP addresses in your
DNS, giving you your continued availability. If you want to make that fail
over transparent to load, you'd need to keep the load on the hosts 50%
under normal, non-fail circumstances.

Regards,
Mark.

-- 

Sheep are slow and tasty, and therefore must remain constantly
 alert.
   - Bruce Schneier, Beyond Fear


RE: Routing Loop

2008-03-14 Thread Darden, Patrick S.


If it continues for any length of time then contact above.net.  To find their 
contact information, check their registrar.

e.g. whois above.net gets you

   Technical Contact:
  AboveNet Communications, Inc. [EMAIL PROTECTED]
  AboveNet Communications, Inc.
  50 W SAN FERNANDO ST STE 1010
  SAN JOSE, CA 95113-2414
  US
  408-367-6673 fax: 408-367-6688

If that does not help, then you can solicit for better contact information 
(from NANOG.)  I am betting above.net knows about this and is already working 
on it.

Good luck!
--Patrick Darden




-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of
Felix Bako
Sent: Friday, March 14, 2008 3:34 PM
To: nanog@merit.edu
Subject: Routing Loop



Hello,
There is a routing loop while accessing my network 194.9.82.0/24 from 
some networks on the Internet.

| This is a test done from lg.above.net looking glass.

 1 ten-gige-2-2.mpr2.ams2.nl.above.net (64.125.26.70) 4 msec 0 msec 0 msec
 2 ten-gige-2-2.mpr1.ams2.nl.above.net (64.125.26.69) [MPLS: Label 78 Exp 0] 0 msec 0 msec 0 msec
 3 ge-1-2-0.mpr1.ams1.nl.above.net (64.125.26.74) 8 msec 8 msec 0 msec
 4 ten-gige-1-1.mpr1.ams2.nl.above.net (64.125.26.73) [MPLS: Label 80 Exp 0] 0 msec 4 msec 0 msec
 5 ten-gige-2-2.mpr2.ams2.nl.above.net (64.125.26.70) 4 msec 0 msec 0 msec
 6 ten-gige-2-2.mpr1.ams2.nl.above.net (64.125.26.69) [MPLS: Label 78 Exp 0] 0 msec 0 msec 4 msec
 7 ge-1-2-0.mpr1.ams1.nl.above.net (64.125.26.74) 64 msec 0 msec 4 msec
 8 ten-gige-1-1.mpr1.ams2.nl.above.net (64.125.26.73) [MPLS: Label 80 Exp 0] 0 msec 4 msec 0 msec
 9 ten-gige-2-2.mpr2.ams2.nl.above.net (64.125.26.70) 4 msec 0 msec 0 msec
10 ten-gige-2-2.mpr1.ams2.nl.above.net (64.125.26.69) [MPLS: Label 78 Exp 0] 0 msec 4 msec 0 msec
11 ge-1-2-0.mpr1.ams1.nl.above.net (64.125.26.74) 4 msec 0 msec 4 msec|

How do I approach fixing this issue?

Regards
Felix

-- 

Best Regards,

Felix Bako
Network Engineer
Africa Online, Kenya
Tel: +254 (20) 27 92 000
Fax: +254 (20) 27 100 10
Email: [EMAIL PROTECTED]
Aim:felixbako

 


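Before contacting the upstream, it helps to have the loop characterised precisely (which hops repeat, and with what period). The following is an added example, not code from the thread: it parses the looking-glass traceroute quoted above and searches for the shortest hop-IP sequence that repeats back to back. The hop lines are the thread's own, re-joined where the mail client wrapped them; the parsing regex assumes the looking glass's "N hostname (ip) ..." line format shown.

```python
import re

# Hop lines from the lg.above.net looking-glass traceroute quoted in the thread,
# re-joined where the mail client wrapped them.
TRACEROUTE = """\
 1 ten-gige-2-2.mpr2.ams2.nl.above.net (64.125.26.70) 4 msec 0 msec 0 msec
 2 ten-gige-2-2.mpr1.ams2.nl.above.net (64.125.26.69) [MPLS: Label 78 Exp 0] 0 msec 0 msec 0 msec
 3 ge-1-2-0.mpr1.ams1.nl.above.net (64.125.26.74) 8 msec 8 msec 0 msec
 4 ten-gige-1-1.mpr1.ams2.nl.above.net (64.125.26.73) [MPLS: Label 80 Exp 0] 0 msec 4 msec 0 msec
 5 ten-gige-2-2.mpr2.ams2.nl.above.net (64.125.26.70) 4 msec 0 msec 0 msec
 6 ten-gige-2-2.mpr1.ams2.nl.above.net (64.125.26.69) [MPLS: Label 78 Exp 0] 0 msec 0 msec 4 msec
 7 ge-1-2-0.mpr1.ams1.nl.above.net (64.125.26.74) 64 msec 0 msec 4 msec
 8 ten-gige-1-1.mpr1.ams2.nl.above.net (64.125.26.73) [MPLS: Label 80 Exp 0] 0 msec 4 msec 0 msec
 9 ten-gige-2-2.mpr2.ams2.nl.above.net (64.125.26.70) 4 msec 0 msec 0 msec
10 ten-gige-2-2.mpr1.ams2.nl.above.net (64.125.26.69) [MPLS: Label 78 Exp 0] 0 msec 4 msec 0 msec
11 ge-1-2-0.mpr1.ams1.nl.above.net (64.125.26.74) 4 msec 0 msec 4 msec
"""

HOP_RE = re.compile(r'^\s*(\d+)\s+(\S+)\s+\((\d+\.\d+\.\d+\.\d+)\)')

def parse_hops(text):
    """Return [(hop_number, hostname, ip)] for every parsable hop line."""
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if m:
            hops.append((int(m.group(1)), m.group(2), m.group(3)))
    return hops

def find_loop(hops, min_repeats=2):
    """Find the shortest sequence of hop IPs that repeats back to back at least
    min_repeats times. Returns (first_hop_number, period, cycle_ips) or None."""
    ips = [ip for _, _, ip in hops]
    for period in range(1, len(ips) // 2 + 1):
        for start in range(len(ips) - 2 * period + 1):
            cycle = ips[start:start + period]
            repeats = 1
            while ips[start + repeats * period:start + (repeats + 1) * period] == cycle:
                repeats += 1
            if repeats >= min_repeats:
                return hops[start][0], period, cycle
    return None

if __name__ == "__main__":
    loop = find_loop(parse_hops(TRACEROUTE))
    if loop:
        first, period, cycle = loop
        print(f"loop of {period} hops starting at hop {first}: {' -> '.join(cycle)}")
```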


RE: Tools to measure TCP connection speed

2008-03-10 Thread Darden, Patrick S.


Best way to do it is right after the SYN just count one one thousand, two one 
thousand until you get the ACK.  This works best for RFC 1149 traffic, but is 
applicable for certain others as well.

I don't know of any automated tool, per se.  You really couldn't do it *well* 
on the software side.  I see a few options:

1.  this invalidates itself, but it is easily doable: get one of those ethernet 
cards that includes all stack processing, and write a simple driver that 
includes a timing mechanism and a logger.  It invalidates itself because your 
real-life connection speeds would depend on the actual card you usually use, 
the OS, etc. ad nauseam, and you would be bypassing all of those.

2.  if you are using a free as in open source OS, specifically as in Linux or 
FreeBSD, then you could write a simple kernel module that could do it.  It 
would still be wrong--but depending on your skill it wouldn't be too wrong.

3.  this might actually work for you.  Check to see how many total TCP 
connections your OS can handle, make sure your TCP timeout is set to the 
default 15 minutes, then set up a simple perl script that simply starts a 
timer, opens sockets as fast as it can, and when it reaches the total the OS 
can handle it lets you know the time passed.  Take that and divide by total 
number of connections and you get the average.  It won't be very accurate, 
but it will give you some kind of idea.

Please forgive the humor.

--Patrick Darden



-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of
Joe Shen
Sent: Monday, March 10, 2008 5:00 AM
To: NANGO
Subject: Tools to measure TCP connection speed



hi,

  is there any tool that could measure e2e TCP connection
speed? 


  e.g. we want to measure the delay between the TCP SYN
and receiving the SYN ACK packet.


 Joe




RE: NANOG website unreachable?

2008-01-15 Thread Darden, Patrick S.


I see the site, not the error.
--Patrick Darden


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of
Daniele Arena
Sent: Tuesday, January 15, 2008 12:48 PM
To: nanog@merit.edu
Subject: NANOG website unreachable?



Hi,

Am I the only one to get a 403 on http://www.nanog.org/ ?

Regards,

Daniele.


RE: Asymmetrical routing opinions/debate

2008-01-14 Thread Darden, Patrick S.


I'm not sure I understand.  If a routing protocol such as BGP is being used, 
this is considered normal behavior, and the routing determination is made 
usually wrt either best route or best bandwidth.  In the first case, a return 
packet would usually follow on the same interface.  In the second case it would 
be determined by however you have set things up (round robin, 2/3rds on one int 
and 1/3rd on the other, whatever.)

If you are multi-homed with two backbone providers with static routes, then it 
is also normal behavior for some packets to enter through either of your two 
interfaces, and then to exit on the preferred interface (if no preference is 
made clear via routing, then the default outbound interface is the one with the 
lower IP address--e.g. 201.x.y.z would be preferred over 202.x.y.z).

Does that help?

--Patrick Darden
--ARMC


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of
Drew Weaver
Sent: Monday, January 14, 2008 10:31 AM
To: nanog@merit.edu
Subject: Asymmetrical routing opinions/debate



Pardon me if I am using the wrong term, I am using the term 
Asymmetrical routing to describe a scenario in which a request packet enters a 
network via one path and the response packet exits the network via a different 
path.

For example an ICMP ping request enters a network via ISP A and the reply 
leaves via ISP B (due to multi-homing on both networks, and or some kind of 
manual or automatic 'tweaking' of route preferences on one end or the other).

I haven't noticed too many instances of this causing huge performance problems, 
but I have noticed some, has anyone noticed any instances in the real world 
where this has actually caused performance gains over symmetrical routing? Also 
in a multi-homed environment is there any way to automatically limit or control 
the amount of Asymmetrical routing which takes place? (should you?) I have read 
a few papers [what few I could find] and they are conflicted about whether or 
not it is a real problem for performance of applications although I cannot see 
how it wouldn't be. Has there been any real community consensus on this issue 
published that I may have overlooked?

Thank you,
-Drew




RE: General question on rfc1918

2007-11-13 Thread Darden, Patrick S.


They do.  What you are seeing are probably forged packets.  Nmap etc. all let 
you forge SIP, in fact they automate it.  One Nmap mode actually actively 
obfuscates network scans by doing random SIPs--e.g. 10,000 random SIPs and one 
real one--this makes it hard to figure out who is actually scanning your 
networks.

Of course, if you don't filter incoming traffic on your inner interfaces, then 
the traffic could be from your own network.  A lot of people filter only on 
their external ints:

outgoing traffic limited to [mynetwork1, mynetwork2, mynetwork3]
incoming traffic limited to [public IP addresses]

Make sense?

--Patrick Darden
--Internetworking Manager
--ARMC


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of
Drew Weaver
Sent: Tuesday, November 13, 2007 10:09 AM
To: nanog@merit.edu
Subject: General question on rfc1918



Hi there, I just had a real quick question. I hope this is found to be 
on topic.

Is it to be expected to see rfc1918 src'd packets coming from transit carriers?

We have filters in place on our edge (obviously) but should we be seeing 
traffic from 192.168.0.0 and 10.0.0.0 et cetera hitting our transit interfaces?

I guess I'm not sure why large carrier networks wouldn't simply filter this in 
their core?

Thanks,
-Drew
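The two-rule external-interface policy Darden describes, worked through as an added example (not code from the thread) in Python: outbound sources must belong to your own prefixes, inbound sources must be public addresses that are not yours, and RFC 1918 or other martian sources arriving inbound are counted separately so a spike of forged packets stands out. The prefixes and sample packets are constructed documentation ranges, not the poster's.

```python
import ipaddress
from collections import Counter

# Source ranges that must never appear inbound on a transit interface: RFC 1918
# plus the other obvious martians. Extend with the full bogon list in production.
MARTIAN_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8", "224.0.0.0/4")]

# Our own public prefixes (constructed documentation ranges, not the poster's).
MY_NETS = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.0/24")]

def verdict(direction, src):
    """Apply the two-rule external-interface policy from the post:
    outbound source must be ours (egress filter); inbound source must be a
    public address that is not ours (ingress filter)."""
    ip = ipaddress.ip_address(src)
    ours = any(ip in n for n in MY_NETS)
    if direction == "out":
        return "permit" if ours else "drop-egress-spoof"
    if any(ip in n for n in MARTIAN_NETS):
        return "drop-martian-src"
    if ours:
        # Our own prefix arriving from outside can only be forged.
        return "drop-ingress-spoof"
    return "permit"

# Constructed sample of (direction, source IP) pairs seen at the edge.
SAMPLE = [("in", "192.168.1.20"), ("in", "10.4.4.4"), ("in", "192.0.2.10"),
          ("in", "203.0.113.9"), ("out", "203.0.113.9"), ("out", "172.16.0.3")]

def audit(packets):
    """Count packets per verdict; a rising drop-martian-src count is the
    signal that forged RFC 1918 sources are hitting the transit interface."""
    return Counter(verdict(d, s) for d, s in packets)

if __name__ == "__main__":
    for reason, count in sorted(audit(SAMPLE).items()):
        print(f"{reason:20s} {count}")
```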


RE: cpu needed to NAT 45mbs

2007-11-08 Thread Darden, Patrick S.


From my experience, a fast P4 linux box with 2 good NICs can NAT 45Mbps 
easily.  I am NAT/PATing 4,000 desktops with extensive access control lists 
and no speed issues.  This isn't over a 45Mb T3--this is over 100 Mb Ethernet.

--Patrick Darden
--ARMC, Internetworking Manager



-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of
Carl Karsten
Sent: Thursday, November 08, 2007 2:25 PM
To: nanog@merit.edu
Subject: cpu needed to NAT 45mbs



I do the networking in my house, and hang out with guys that do networking in 
small offices that have a few T1s.   Now I am talking to people about a DS3 
connection for 500 laptops*, and I am being told a P4 linux box with 2 NICs 
doing NAT will not be able to handle the load.   I am not really qualified to 
say one way or the other.  I bet someone here is.

* for wifi, going to be using this system:
http://wavonline.com/vendorpages/extricom.htm
March 13-17 (testing a week or 2 before) for PyCon in Chicago.
If anyone wants to see it in action, etc.  drop me a line.

Carl K