Re: Network Performance Testing Equipment
On Jun 18, 2004, at 5:50 PM, Jonathan Slivko wrote: Hmmm. Netperf usually does the trick for network load testing. At least that's what we use at work :) -- Jonathan On a related note, are there any test suites that measure the success/failure rate of TCP connections while measuring throughput? For example, pushing 10k TCP sessions and measuring time to complete _and_ success rate? Normally, the httpd benchmark stuff would suffice, but it would be ideal to avoid any end-application latency and ensure that you're testing the quality of the device (firewall) in between. -- Jason Dixon, RHCE DixonGroup Consulting http://www.dixongroup.net
Re: What HTTP exploit?
On May 31, 2004, at 12:45 PM, Bob Martin wrote: The real irony is that it doesn't bother Apache running on NT :) In all fairness, somewhere along the line there was a patch for this. All my Apache servers do is put request failed: URI too long in the error log. Even without the fix it really wasn't anything more than a nuisance. Killing off one child process had no effect on valid sessions or the parent process. This also has no effect on Apache 1.3.28 on OpenBSD 3.4 (-stable), other than logging an extremely long request string. Of course, the OpenBSD folks audit/patch their own version of Apache, so it might have the patch you mention. -- Jason Dixon, RHCE DixonGroup Consulting http://www.dixongroup.net
Re: Ad blocking with squid
On Apr 19, 2004, at 4:33 PM, Paul Khavkine wrote: Anyone doing ad blocking with Squid cache engine out there? I'm not sure if this is a kosher question for nanog, but what the hell. Personally, I've been very pleased with Privoxy, especially if you don't want or need to install a full-blown proxy like Squid. -- Jason Dixon, RHCE DixonGroup Consulting http://www.dixongroup.net
Re: Alternative Satellite news feed needed
On Thu, 2003-10-02 at 15:55, Adam Maloney wrote: It was extremely nice to take the NNTP load off of our upstream links when we first set it up. As I understood it, they were not doing well on binary feeds towards the end there though. I think they ended up filtering posts over a certain length over a year ago (?). They were approaching 45-50MBit/s, and when they implemented that filter they cut it back to about 30. Not exactly a full feed, but how much porn do you actually need? :) I don't want to start speculating on certain issues, but I worked there between 4/00 and 4/01 as one of the engineers responsible for maintaining the uplink servers and other satellite doohickeys, so I can speak factually on certain events and paths we went down. Although Mike Donovan or Lisa Peoples would be able to explain much of this better than yours truly, I'll give it my best shot (as I remember it). As the Internet grew, NNTP traffic grew exponentially. Binary attachments were the bane of our existence, but... so long as we had the transponder throughput to accommodate our recipe of HTTP/NNTP/AV/etc, we avoided filtering as long as technically feasible. Unfortunately, it quickly became obvious that while NNTP was what was paying the bills (hypothetically... since too many ISPs were apparently too damn cheap to pay their bills), it was also choking the 45MB we could fit through the transponder. At one point in time, we were trying to push 250-260Gb/day across the transponder (roughly 22-30Mbps peak, IIRC). This left very little for our other products. When it started to smother the rest, we were forced to start filtering on incomplete multi-part binaries. Some of our clients started bitching (some did from the beginning), as they would miss the occasional multi-part binary and blame Cidera. This was *not* any fault of ours, as we would push out everything we had.
As a usenet peer, we were victim to incompletes just like anyone else (even with our excellent range of peer sources... thanks to M.D.). The only other type of filtering that might have occurred was throttling on the uplink. I have no doubt that things had changed drastically since the day I was laid off in April '01 (coincidentally, the day our SysEng staff went from 2 to 1). NNTP continued to increase, and likely always will. Folks like Donovan, Peoples, McGuire, Krokes, Humphrey and the rest did their damndest to provide a kick-ass product at a fraction of the cost of conventional terrestrial lines. I miss that place and the work we did with a serious passion. It was just one of those ideas and opportunities that doesn't come across very often, and I was damn lucky to be considered a [very] small part of it. *sigh* Cheers to the happy fun ball. -- Jason Dixon Former Systems Engineer Cidera, Inc.
Re: Paypal off-the-air?
On Fri, 2003-08-29 at 09:45, John Ferriby wrote: It seems that PayPal is off-the-air. We're seeing all connections die via uunet and sprint routes. Anyone know what's going on? I recall they were going offline from 12:30am to 3:00am Pacific Time for maintenance. I'm not seeing any problems with the site right now, from the east coast. Traceroutes time out in San Jose AlterNet (starting on EC), but http works fine. -- Jason Dixon, RHCE DixonGroup Consulting http://www.dixongroup.net
Re: Server Redundancy
On Wed, 2003-08-06 at 13:39, Allan Liska wrote: On 6 Aug 2003, Jason Greenberg wrote: Can I have some suggestions on how to load balance servers that are on separate IP blocks? Is there any way to perform translation at this level? Exclude DNS based balancing please... Take a look at Nortel's Alteon product line, Cisco's CSS product line, or F5's BigIP Product Line. All of which have Global Server Load Balancing capability. The GSLB can be done a number of different ways on these boxes including stupid DNS tricks (not your typical round robin stuff, but still DNS) and using a BGP configuration. I second this suggestion. I worked briefly at F5 Networks in 2001 and was responsible for supporting Big-IP and 3DNS. Both are very nice products, but NOT cheap. -J.
Re: Learning more about authentication and passwords
On Tue, 2003-07-29 at 09:37, Dave Israel wrote: On 7/29/2003 at 04:37:01 -0400, Sean Donelan said: If you would like to learn more about the strengths and weaknesses of various authentication methods, I highly recommend the book Authentication: From Passwords to Public Keys by Richard E. Smith ISBN: 0201615991 I'll add: Network Security: Private Communication in a Public World by Charlie Kaufman, Radia Perlman, Mike Speciner, Charles Kaufman Prentice Hall PTR ISBN: 0130460192 I have not read the 2nd Edition, but the 1st was excellent. I *have* read the 2nd Edition, and highly recommend it. Hi Dave. :) -J.