Re: Huawei Routers in the Core
Hi,

First, thanks to all who have replied. I was asked to summarize the replies I got so far on the topic, so here it goes:

1) Someone said that they are doing very well in IPTV and multicast, but they are not in the US.

2) Another one said: Huawei's data-comm products have already been deployed widely in Asia, Europe and South America, and Huawei's routers have very good compatibility with Cisco's (personal experience). There are no problems in BGP/MPLS/PIM interconnection with Cisco. OSPF/ISIS/policy-based routing/ACL, MIB, password/VPN... these are basic requirements for a core router, all supported, except for proprietary Cisco protocols like EIGRP and TACACS.

3) In Asian markets, Huawei is selling the Avici TSR with the Huawei name/logo.

4) I've seen your post about Huawei NE/AR routers in the cisco-nsp list a while ago. Actually I was not subscribed, just a friend of mine sent me a link. We have been working with Huawei for a couple of years now and I have seen most of their datacomm boxes. Now we are running two NE80e's as our ASBRs and still have two more NE40's from a previous installation. I'm afraid I cannot give you any comparison tables (because I never had time to make them), but if you have questions, I'm open to discussion.

5) I have to say that the last two years with them have been a great experience for me. I'm not saying that it has been without any problems and complications, but what is really amazing is their advance. Two years ago, they were a cheap alternative with quite good performance, sometimes bad software and a lack of features. Nowadays with the NE40/80e series, they are pretty good and I'm really wondering what they can do in another year.

6) Detailed opinion:
A) Performance:
- even the 3-4 year old NE40 had a forwarding rate of 6Mpps per board
- their combination of ASIC and NP seems to be a good way
- we had some problems with BGP, later resolved.
- same with full BGP tables, cards had to be set into LARGE_FIB mode which had an impact on overall performance
- all these problems seem to be solved now on the NE40/80E series
- I'm using 10xGE boards and also some 10GE for testing (with an S8505 switch)
B) OS
- they call it VRP, same on all boxes, just minor + feature differences
- online patch support possibility, never used
- good stability, no fault
C) Support
- Cisco gave us lame support compared to Huawei.
- very good cooperation with local support and even with R&D in case of need
D) New features
- it's hard to beat Cisco in the feature field, but there are just a few that I'm missing now (and most of them are with the switch, not the router)
E) Comparing with Cisco... hmm... 8/10 for technology, but 20/10 for cooperation and their potential for the future

7) I am about to order a number of Huawei NE40's. I just got back from a trip to Huawei headquarters in Shenzhen, China. My testing has shown that they really compete well against the equivalent Cisco. The CLI is a bit weird to start with, but you get used to it. We also use AR18's and AR28's as CPE for our customers. We have some Huawei 8500, 6500 and 5600 switches powering our metro Ethernet service. They are much better than the 6500, but still need to develop more feature cards.

8) Yes, Huawei has a very wide range of routers, and in high-end routers they are much cheaper than Cisco and provide excellent support to their customers. I myself have worked on the NE40E series and it's really a competitive product.

9) Their metro optical stuff is well made and works like a champ, but we don't use their routers.

That's all I got, pretty encouraging; if anyone thinks otherwise, please enlighten me.
On 7/3/06, Kim Onnel [EMAIL PROTECTED] wrote:
Hello, We have been looking at the Huawei line of routers recently and I was kind of surprised to see they have core stuff that is able to handle gigs of traffic and MPLS. I can't seem to find anyone around who has used any of these; I wonder if anyone here has. I'd love to hear what he/she has to say, positive or negative feedback. Offline messages are welcomed. Thanks, Kim
Huawei Routers in the Core
Hello, We have been looking at the Huawei line of routers recently and I was kind of surprised to see they have core stuff that is able to handle gigs of traffic and MPLS. I can't seem to find anyone around who has used any of these; I wonder if anyone here has. I'd love to hear what he/she has to say, positive or negative feedback. Offline messages are welcomed. Thanks, Kim
Foundry Old Switch vs Old Cisco one
Dears,

I have this old Foundry switch in the warehouse. I have no experience with Foundry; I wonder if this switch can be upgraded to a newer OS that will support advanced features, or shall I consider it dead? I want to mainly use it for one customer that wants caching, it's L4 I guess, and I have an old NetApp caching server that will save the customer 10MBs I guess.

[EMAIL PROTECTED] ver
SW: Version 07.3.04T12 Copyright (c) 1996-1999 Foundry Networks, Inc.
Compiled on Mar 07 2002 at 11:46:40 labeled as SLB07304
HW: ServerIron Switch, serial number 10ac46
400 MHz Power PC processor 740 (revision 8) with 32756K bytes of DRAM
16 100BaseT interfaces with Level 1 Transceiver LXT975
2 GIGA Fiber uplink interfaces, SX
256 KB PRAM and 8*2048 CAM entries for DMA 1, version 0807
256 KB PRAM and 8*2048 CAM entries for DMA 2, version 0807
256 KB PRAM and 4*1024 CAM entries for DMA 4, version 0104, SEEQ GIGA MAC 8101
256 KB PRAM and 4*1024 CAM entries for DMA 5, version 0104, SEEQ GIGA MAC 8101
128 KB boot flash memory
4096 KB code flash memory
2048 KB BRAM, BM version 02
128 KB QRAM
512 KB SRAM
Octal System, Maximum Code Image Size Supported: 1965568 (0x001dfe00)
The system uptime is 2 days 5 hours 24 minutes 5 seconds
The system : started=cold start

Please redirect me to technical documentation/OS upgrade webpages for this, if there are any. If it won't fit, I'll have to buy a new Cisco one perhaps.
Re: another exchange in Cairo
Funny that I live in Egypt, I work in the field and I've spent the last three days at the ICT (information and comm. tech.) conference and did not hear of that, but I'd love to see it working. Our past experiences with peering were very small and not effective; it started with CRIX and ended with CAIX, which not all ISPs were excited about. There are around 10 ISPs in Egypt with their own AS number and probably 7 of them with transit links from Flagtelecom or UUNet; the other 3 got their links from local ISPs. As in a lot of other developing countries, peering is established on personal relationships, and even with that it doesn't work well, because both parties couldn't agree on routing policies or even personal disliking (pathetic).

As I said, most of the 10 ISPs didn't join CAIX although they are all at the same CO (physical proximity); Ramsis CO is the main CO here. I was involved in both IXs, so I can give a brief history. I'm following this thread and I'd love to share opinions and suggestions, in public or private; I know there are a lot of experienced people reading this and I'd like to get a chance to discuss this with them.

CRIX was started by an ISP+Datacenter here (NTC=Egynet+ECC) in late 2002. They have a large datacenter and they thought if they could bring other ISPs in, it'd save them international bandwidth, but the project died so quickly. It was deployed by Flagtelecom; I guess no one saw a benefit and no reason to pay, so they all just didn't join and that was it.

As for CRIX (Cairo Regional Exchange Point), it's a government initiative and it's free, but still most ISPs didn't feel it's needed, because they either thought that the local traffic is very small or that all other ISPs would abuse their upload speed because they have a large datacenter/servers. We run 4xOC3 worth of Internet; we peer over CAIX with 2 other ISPs and the traffic between the three of us is 12 Mb :) so it's not much, but it's free and it costs us nothing but an Ethernet port and an Ethernet cable.

My guess is that all the Internet traffic over here is P2P apps, being downloaded from Asia or the US. Egypt has over 80 million in population, 10 million own a cell phone, half of them with computers and half of them with Internet access, so it all boils down to not more than 5-7 Gbs of total Internet traffic. On the other hand, L3 VPNs have grown so much in the last two years, so there is something in the way I believe.

On 2/9/06, Joe Abley [EMAIL PROTECTED] wrote:
At the risk of perpetuating a thread that arguably should have died some days ago, someone without a nanog-post subscription reminded me of GPX, who have plans to bring an exchange point live in Egypt (amongst other places). http://www.gpx.ie/ No association, knowledge or endorsement implied, but maybe this information is useful to someone. Joe
Terminal server problem
Hi,

I got a CCM1650 Avocent terminal server. If I use Windows to log in to their console, upon hitting enter the password prompt is bypassed because another enter is also hit, so I get a wrong password every time. But if I do the same from a Linux machine, that doesn't happen and I get to log in fine, which tells me that Windows telnet is the problem, but I don't know which knob I need to fix?

Microsoft Telnet> set ?
bsasdel     Backspace will be sent as delete
crlf        New line mode - Causes return key to send CR LF
delasbs     Delete will be sent as backspace
escape x    x is an escape charater to enter telnet client prompt
localecho   Turn on localecho.
logfile x   x is current client log file
logging     Turn on logging
mode x      x is console or stream
ntlm        Turn on NTLM authentication.
term x      x is ansi, vt100, vt52, or vtnt

Avocent CCM1650 S/W Version 2.1
Username: noc
Password:
Authentication Complete (DEC-VT100)
Connected to Port: 1 9600,8,N,2,NONE
Login: cisco
password:
login incorrect
Login: cisco
password:
login incorrect
Login:
Re: BGP route flap damping
Do this: configure and use blackhole routing with your upstream; this is how you stop an attack. How to detect it: use netflow.

On 1/16/06, Patrick W. Gilmore [EMAIL PROTECTED] wrote:
On Jan 16, 2006, at 8:48 AM, Gustavo Rodrigues Ramos wrote:
Patrick W. Gilmore wrote:
Not much you can do about this in general. In your specific case, since we don't know why your sessions died, we don't know what to suggest to stop it. Perhaps change the timers with your upstream?

My BGP connections (and announcements) with/to my ISPs are all fine. The problem takes place five or six ASes away from me... Where I can't do much. I still can't reach some prefixes announced by large ISPs. At first, I thought an e-mail to the NOC of the network I can't reach could solve the problem, but it was a waste of time...

I'm a little confused. Are you saying you dampened the prefixes of some other network? If so, it sounds like this is 100% in your control. If the BGP sessions between you and your upstreams / peers never flapped, no one should have dampened you. (I can see it possibly happening if someone else in the path between you and $OtherNetwork is attacked and therefore flaps your routes, but that would affect a lot of networks, not just you.)

--
TTFN,
patrick
Re: GoDaddy DDoS
It could be a DoS that used a software vulnerability though.

On 12/1/05, Christopher L. Morrow [EMAIL PROTECTED] wrote:
On Wed, 30 Nov 2005, Sam Crooks wrote:
the source I have seen so far is: http://news.com.com/GoDaddy.com+suffers+outage/2110-7349_3-5977187.html?tag=nefd.hed stuck through tinyurl for those that care: http://tinyurl.com/83hxp So I was looking for more details

apparently it affected web and mail, so I'd assume someone targeted their DNS hosts :( bummer for them... if they were a customer we could have helped. They seem to be ATT customers, Tim could probably have helped them as well... perhaps calling their ISPs for assistance would have made the effect less than 65 mins? and thus less press-worthy :(

On Wed, 2005-11-30 at 23:11 +, Christopher L. Morrow wrote:
On Wed, 30 Nov 2005, Sam Crooks wrote:
Does anybody have information regarding the size and scale of the DDoS attack purported to have happened against GoDaddy today?

nope... but against their: 1) dns servers? 2) web servers? 3) mail servers? 4) networking equipment? 5) none of the above?
Re: QoS for ADSL customers
Can anyone please suggest to me any commercial or non-commercial solution to cap the downstream traffic? Our upstream will not receive marked traffic from us, so what can be done?

On 11/29/05, Kim Onnel [EMAIL PROTECTED] wrote:
Hello everyone, We have a Juniper ERX as BRAS for ADSL; its GigE interface is on an old Cisco 3508 switch with an old IOS; its gateway to the Internet is a 7609; our transit Internet links terminate on GigE Flexwan on the 7600. The links are now almost always fully utilized; we want to do some QoS to cap our ADSL downstream, to give room for the corporate customers' traffic to flow without pain. I'm here to collect ideas, comments, advice and experiences for such situations. Our humble approach was to collect some P2P ports and police traffic to these ports, but the traffic wasn't much; one other thing is rate-limiting per ADSL customer IPs, but that wasn't supported by management, so we thought of matching ADSL www traffic and doing exceed-action transmit, and policing other IP traffic. Doing so on the ERX wasn't a nice experience, so we're trying to do it on the Cisco. Thanks
Re: QoS for ADSL customers
Our ADSL customers' traffic is 3 OC3s worth of traffic; I don't think our management would buy the idea. Thanks

On 12/1/05, Ejay Hire [EMAIL PROTECTED] wrote:
Hello. Going back to your original question, how to keep from saturating the network with residential users using bittorrent/edonkey et al, while suffocating business customers. Here goes. Netfilter/IpTables (and a slew of commercial products I'm sure) has a Layer 7 traffic classifier, meaning it can identify specific file transfer applications and set a DiffServ bit. This means it can tell between a real http request and an edonkey transfer, even if they are both using http. It also has rate-limiting capability. So... If you pass all of the traffic destined for your DSL customers through an iptables box (single point of failure) then you can classify and rate-limit the downstream rate on a per-application basis. Fwiw, if you are using diffserv bits, you could push the rate-limits down to the router with a qos policy in it instead of doing it all in the iptables box. References on this.. The netfilter website (for classification info) and the Linux advanced router tools (LART) (qos info/rate limiting)
-e

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Kim Onnel
Sent: Thursday, December 01, 2005 3:26 AM
To: NANOG
Subject: Re: QoS for ADSL customers

Can anyone please suggest to me any commercial or non-commercial solution to cap the downstream traffic? Our upstream will not receive marked traffic from us, so what can be done?

On 11/29/05, Kim Onnel [EMAIL PROTECTED] wrote:
Hello everyone, We have a Juniper ERX as BRAS for ADSL; its GigE interface is on an old Cisco 3508 switch with an old IOS; its gateway to the Internet is a 7609; our transit Internet links terminate on GigE Flexwan on the 7600. The links are now almost always fully utilized; we want to do some QoS to cap our ADSL downstream, to give room for the corporate customers' traffic to flow without pain. I'm here to collect ideas, comments, advice and experiences for such situations. Our humble approach was to collect some P2P ports and police traffic to these ports, but the traffic wasn't much; one other thing is rate-limiting per ADSL customer IPs, but that wasn't supported by management, so we thought of matching ADSL www traffic and doing exceed-action transmit, and policing other IP traffic. Doing so on the ERX wasn't a nice experience, so we're trying to do it on the Cisco. Thanks
QoS for ADSL customers
Hello everyone, We have Juniper ERX as BRAS for ADSL, its GigE interface is on an old Cisco 3508 switch with an old IOS, its gateway to the internet is a 7609, our transit internet links terminate on GigaE, Flexwan on the 7600 The links are now almost always fully utilized, we want to do some QoS to cap our ADSL downstream, to give room for the Corp. customers traffic to flow without pain. I'm here to collect ideas, comments, advises and experiences for such situations. Our humble approach was to collect some p2p ports and police traffic to these ports, but the traffic wasnt much, one other thing is rate-limiting per ADSL customers IPs, but that wasnt supported by management, so we thought of matching ADSL www traffic and doing exceed action is transmit, and police other IP traffic. Doing so on the ERX wasnt a nice experience, so we're trying to do it on the cisco. Thanks
Re: Recommendations for ISPs around the world
For Africa, check out Equant and BT.

On 10/24/05, Elmar K. Bins [EMAIL PROTECTED] wrote:
Dear colleagues,
I'm at a loss here. My current project is to find good transit providers in those regions: South America, Eastern Europe, Africa, Asia-Pacific. Requirements are simple:
- good regional connectivity/peerings
- fair reach to mainland Europe (London, Amsterdam, Frankfurt)
- locations close to exchanges (so we can join there, too)
I'm thinking of using two transit ISPs per location (full BGP from our side, of course). I have considered MCI, BT Infonet, Verio, Reach, Sprint, for AP and/or Latin America, but they of course all tell you that they are greatly interconnected. For Eastern Europe I'm really at a loss, and Africa seems to lack regional connectivity. All I can find is local stuff. So, if anyone can give me a hand here, that would be greatly appreciated.
TIA,
Elmar.
--
Just don't make the mistake of replacing opinion with expertise. (PLemken, [EMAIL PROTECTED])
--[ ELMI-RIPE ]---
Marketing ideas for ISPs
Hello, I would like to collect some ideas from you experienced folks on new ideas to push for an ISP that wants to add revenue by adding new service offerings or attracting customers with VAS.
1) MPLS VPNs: we only provide connectivity; what else could we do? Off the top of my head:
a) QoS
2) Internet: we basically provide ADSL for residential and SDSL for corporate.
3) Security: we offer nothing, just configuring firewalls for customers on their premises.
a) Customers blackhole their traffic
b) Analyze customers' traffic using sinkholes
c) Managed firewalls/IDS
d) RADIUS-based filters (ACL) for dialup/ADSL
4) DataCenter: we do normal datacenter, emails, hosting.
a) Hosting a mirror of freshmeat and sourceforge, Tucows, download.com
b) Netflow analyzers: selling reports to customers, or the Arbor model
The points I have under each are things we don't have. I would like you to share with me your experiences with services from the above, feasibility, and if there are supporting documents to be able to pull out a presentation. All your private feedback is welcomed. Thanks
Re: commonly blocked ISP ports
Depends where you will put your ACL too. We have this on our ingress from the Internet:

10 deny ip 127.0.0.0 0.255.255.255 any (118 matches)
20 deny ip 10.0.0.0 0.255.255.255 any (23297 matches)
30 deny ip 172.16.0.0 0.15.255.255 any (8 matches)
40 deny ip 192.168.0.0 0.0.255.255 any (19 matches)
50 deny tcp any any eq 135 (6750649 matches)
60 deny udp any any eq 135 (20275 matches)
70 deny tcp any any eq 445 (18420302 matches)
80 deny udp any any eq 1026 (3481591 matches)
90 deny ip x.x.x.x 0.0.0.255 any

where x.x.x.x is your IPs, and you could add bogons. But of course you might not want to block some of those, as some home customers could use them to connect back to their intranet, but those should use tunnels IMHO.

On 9/15/05, Peter Dambier [EMAIL PROTECTED] wrote:
There is only one port worth blocking: Block port 80 (http). All other ports might be in use for redirected ssh, telnet, ftp, ... Blocking port 80 will keep windows people from accidentally clicking nonsense. :)
Kind regards,
Peter and Karin Dambier

Luke Parrish wrote:
Everyone, Does anyone have a reference point for commonly blocked ports? We have a list, some reactive and some proactive, however we need to remove ports that are no longer a threat and add new ones as they are published. Thanks luke

--
Peter and Karin Dambier
Public-Root
Graeffstrasse 14
D-64646 Heppenheim
+49-6252-671788 (Telekom)
+49-179-108-3978 (O2 Genion)
+49-6252-750308 (VoIP: sipgate.de)
mail: [EMAIL PROTECTED]
http://iason.site.voila.fr
http://www.kokoom.com/iason
Re: MPLS or Site2Site VPN
What about doing the VPN over the Internet, with IPSec tunnels terminated in a hub-and-spoke model? I don't know price-wise, but it would work fine.

On 8/29/05, Todd Reed [EMAIL PROTECTED] wrote:
I'm looking at connecting 15+ multi-state locations together to start forming a private corporate network. The sites are small, with 25-30 devices. I want to avoid direct T1s due to cost, therefore I'm looking for alternatives. I know I can do site-to-site VPN, but I've also heard a lot about MPLS and from what I've read, it may be a good option. Over the next year, we will be adding 5-10 more sites, so expansion is important. I'm not planning to do voice, but it may be an option in 2-3 years. If anyone has any suggestions from their experiences, I would greatly appreciate it. Thanks, Todd
MPLS security book
Hello, I've been reading through the Cisco Press MPLS VPN Security book. Too many assumptions about spoofing labels, getting access to the core, PE, another VPN; in security nothing should be taken for granted, but have there been any real-world incidents where such scenarios have really occurred? Regards
Re: Cisco gate and Meet the Fed at Defcon....
And you can get an MPLS image for it too :)

On 8/4/05, Bill Woodcock [EMAIL PROTECTED] wrote:
On Wed, 3 Aug 2005, Joseph S D Yao wrote:
If you feel like keeping 2500s in service, rather than replacing them with something that holds NM-32As, the flash problem is easily resolved for less than US$50: http://www.memorydealers.com/8mbcisthirpa.html

to be fair... 2500s are quite useful for things other than what their original purpose intended, but that usefulness diminishes with memory upgrades that are comparable in price to the value of the router

$US 24??? Where can you get a router for that? [I'm surprised you can get 8 Mb Cisco RAM for that! ;-)]

http://search.ebay.com/cisco-2501
2501s seem to mostly cost between $10-$30.
-Bill
Re: OT: Cisco.com password reset.
People claim that accounts were compromised; that's why they are resetting them all. Looks like Lynn's friends have made their moves for revenge.

On 8/3/05, Joe Blanchard [EMAIL PROTECTED] wrote:
FYI I got an email that my CCO account's password was reset last night. Not sure how widespread this issue was, but I called my account contact and verified that this is a valid email, and that my password needed to be reset. Just a heads up.
-Joe Blanchard
Re: OT: Cisco.com password reset.
No proof, just a sarcastic comment, don't get me jailed :) but really, everyone is claiming it's a compromise.

On 8/3/05, Joel Jaeggli [EMAIL PROTECTED] wrote:
On Wed, 3 Aug 2005, Kim Onnel wrote:
People claim that accounts were compromised, that's why they are resetting them all, looks like Lynn's friends have made their moves for revenge.

demonstrate proof for your assertion please.

On 8/3/05, Joe Blanchard [EMAIL PROTECTED] wrote:
FYI I got an email that my CCO account's password was reset last night. Not sure how widespread this issue was, but I called my account contact and verified that this is a valid email, and that my password needed to be reset. Just a heads up.
-Joe Blanchard

Joel Jaeggli Unix Consulting [EMAIL PROTECTED]
GPG Key Fingerprint: 5C6E 0104 BAF0 40B0 5BD3 C38B F000 35AB B67F 56B2
Re: OT: Cisco.com password reset.
I don't mean anything actually; I am really supporting this brave man. Some so-called hackers claim that they will hunt Cisco down; it's in the news that some people think they should take revenge.

On 8/3/05, Etaoin Shrdlu [EMAIL PROTECTED] wrote:
Kim Onnel wrote:
On 8/3/05, Joe Blanchard [EMAIL PROTECTED] wrote:
I got an email that my CCO account's password was reset last night...

People claim that accounts were compromised, that's why they are resetting them all, looks like Lynn's friends have made their moves for revenge.

You know, don't start down this road. I don't think this is the appropriate place for that sort of statement, and I don't think you need to put Mr. Lynn in that group. I don't care what you think about his actions, but what you're implying is rude, and it implies things about him that (I don't believe) are true. Please, keep it on track, or take it off line.
--
Shame on Cisco. Shame on ISS.
Re: Best practice ACLs for a internet facing border router?
block bogons
block your IPs from outside
block RFC 1918 (martians)
block common worm ports

On 6/13/05, Drew Weaver [EMAIL PROTECTED] wrote:
I'm just curious if anyone has ever published a list of what is an agreed-upon best practice list of ACLs for an internet-facing border router. I'm talking about things like bogons, private IP addresses, et cetera. If anyone is aware of anything like this I'd like to see it.
Thanks,
-Drew
Re: Using snort to detect if your users are doing interesting things?
How about project Darknet and sinkholes and monitoring dark IP space? Worms and botnets usually scan blindly right and left, so there is a good chance you will get a glimpse of infected hosts, if that's what you want. I catch infected hosts by looking at Apache access logs and I see a lot of scans, and Randy, for that I change the ssh port to a higher one :)

On 6/9/05, Randy Bush [EMAIL PROTECTED] wrote:
My suggestion, in the case that you'll use snort, is to do some extensive testing on a non-production network. Take the time to learn and understand its functionality and intended purpose. Also figure out what you're going to do with the output. Do you have the resources to investigate apparent misbehavior? Remember that any IDS will have a certain false positive rate. Even for true positives, do you have the customer care resources to notify your users and (if appropriate) hold their hands while they disinfect their machines.

it's enough of a pita to clean up the syslogs from all the 25k/day password attacks per host, when one does not have password ssh even enabled.
randy
Re: IDS/DDOS prevention hardware that doesnt cost $80,000+?
Cisco routers and switches export network accounting information; you can write software that reads these flows and reports to you who is the top talker/DDoS, or you can get an open-source one (flow-tools, ntop, ...) or you can buy one (Arbor, Lancope, Crannog, ...).

On 5/25/05, Drew Weaver [EMAIL PROTECTED] wrote:
I'm wondering if there is such an animal out there? All of the ones I have seen are made for the multi-gigabit service provider; there aren't any for the smaller mid-rangers out there. Can anyone suggest anything that we can put in place? The attacks we're seeing are just a huge influx of PPS, not so much the amount of bandwidth. Offlist to keep chatter low is fine with me. Sorry to be a bother, -D
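An added example (not code from the thread or from flow-tools/ntop) of the "read the flows and report the top talker" idea: it aggregates exported flow records per destination, ranks them by packets per second, and flags the high-PPS, small-packet profile Drew describes. The CSV layout, the sample records and the thresholds are constructed for the example, not any collector's real export format.

```python
import csv
import io
from collections import defaultdict

# Constructed flow records for the example (a simple CSV, not flow-tools' or ntop's own format).
# Times are seconds; proto 6 = TCP, 17 = UDP. 192.0.2.0/24 (TEST-NET-1) plays the customer prefix.
SAMPLE_FLOWS = """\
start,end,srcaddr,dstaddr,proto,srcport,dstport,packets,octets
1000,1060,198.51.100.10,192.0.2.80,6,40000,80,1200,1440000
1000,1060,198.51.100.11,192.0.2.80,6,40001,80,900,1080000
1000,1010,203.0.113.5,192.0.2.53,17,53,53,400000,16000000
1000,1010,203.0.113.6,192.0.2.53,17,1026,53,380000,15200000
1000,1010,203.0.113.7,192.0.2.53,17,1027,53,390000,15600000
1000,1060,198.51.100.12,192.0.2.25,6,40002,25,300,240000
"""


def parse_flows(text):
    """Read the CSV export into dicts with the numeric fields converted."""
    flows = []
    for row in csv.DictReader(io.StringIO(text)):
        for k in ("start", "end", "proto", "srcport", "dstport", "packets", "octets"):
            row[k] = int(row[k])
        flows.append(row)
    return flows


def aggregate_by_dst(flows):
    """Sum packets/octets per destination; track the overall time window and distinct sources."""
    agg = defaultdict(lambda: {"packets": 0, "octets": 0, "sources": set(),
                               "start": None, "end": None})
    for f in flows:
        a = agg[f["dstaddr"]]
        a["packets"] += f["packets"]
        a["octets"] += f["octets"]
        a["sources"].add(f["srcaddr"])
        a["start"] = f["start"] if a["start"] is None else min(a["start"], f["start"])
        a["end"] = f["end"] if a["end"] is None else max(a["end"], f["end"])
    return agg


def top_talkers(flows, n=5):
    """Destinations ranked by packets per second: (dst, pps, bits/s, avg packet bytes, #sources)."""
    rows = []
    for dst, a in aggregate_by_dst(flows).items():
        secs = max(a["end"] - a["start"], 1)          # guard against zero-length windows
        rows.append((dst, a["packets"] / secs, a["octets"] * 8 / secs,
                     a["octets"] / max(a["packets"], 1), len(a["sources"])))
    rows.sort(key=lambda r: r[1], reverse=True)
    return rows[:n]


def flag_pps_floods(flows, pps_threshold=50000, max_avg_bytes=100):
    """Destinations over the packet-rate threshold with small packets: the high-PPS,
    low-bandwidth profile that exhausts router CPU long before it fills the link.
    Both thresholds are assumed values; tune them to the platform being protected."""
    return [dst for dst, pps, _bps, avg, _n in top_talkers(flows, n=len(flows))
            if pps > pps_threshold and avg <= max_avg_bytes]
```

In the sample, 192.0.2.53 receives 1.17M packets in 10 s at 40 bytes each, so it ranks first on PPS even though the web server moves more bytes per packet.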
Re: DOS attack tracing
1) Get 'Cisco Guard', too expensive?
2) Get Arbor, Stealthflow, Esphion, too expensive?
3) Use flow-tools, ntop, SiLK tools and open-source Netflow collectors/analyzers
4) Apply ingress/egress filtering: RFC 2827, uRPF, Team Cymru IOS template
5) Monitor CPU/Netflow table size using SNMP
6) Request a blackholing BGP community from your upstream provider.

On 5/10/05, Scott Weeks [EMAIL PROTECTED] wrote:
On Mon, 9 May 2005, Steve Gibbard wrote:
: On Mon, 9 May 2005, Scott Weeks wrote:
: On Mon, 9 May 2005, Richard wrote:
: : : type of routers. Our routers normally run at 35% CPU. What sucks is that the
: : traffic volume doesn't have to be very high to bring down the router.
:
: That's because it's the number of packets per time period that it can't handle, not the traffic level. At this point it seems most likely that it's a simple UDP flood. If your CPU usually runs at 35% you definitely don't need a bigger router unless you're expecting a growth spurt. You might want to put an RRDTool or MRTG graph on the CPU usage to be sure.
:
: I'll disagree here.

Cool! Good 'ol operations discussion... :-) I took things out of order from your email, but kept the context.

: www.stevegibbard.com/ddos-talk.htm

Nice paper. However, you still say what I was saying, just in a different sort of way. Instead of NTop and RRDTool/MRTG, you use Cricket. RRDTool/MRTG alerts you to the problem and NTop directs you to the source of the problem. Once you get the procedure down pat, it can go pretty fast. As far as putting something in front of the core router(s) (such as Riverhead), I assumed there was nothing there for Richard; just raw router interface(s) to the upstream and not enough budget to afford those nice-but-expensive boxes. I was going to mention things like Riverhead or Packeteer later in the posts if appropriate.

: When you're engineering a network, what you generally need to care about is peak traffic, not average traffic. While DOS attack traffic is presumably traffic you'd rather not have, it tends to be part of the environment.
:
: This is somewhat of an arms race, and no router will protect you from all conceivable DOS attacks. That said, designing your network around the size of attack you typically see (plus some room for growth) raises the bar, and turns attacks of the size you've designed for into non-events that you don't need to wake up in the middle of the night for.

This is what I was getting at. Engineering the network. That's more than buying a Bigger Badder Router and Fatter Pipes (BBRFP). If your router is running at 35% during the normal peak traffic flow, you don't need a BBRFP. All you need to do is design the network (and train the monkeys, as randy terms it... :-) to deal with extraordinary peaks.

: Remember, the real goal in dealing with DOS attacks is to get to the point where you don't notice them, rather than just being able to explain why your network is down.

Yes, but a BBRFP isn't the way to deal with this unless you've got the big budget. I know that a bigger hammer is better if you've got the money, but if you don't, engineering finesse can work well.

scott
Re: anycast and ddos
I've looked around at most DDoS prevention methods out there; I can safely say that a lot of them usually just repeat each other. For me it all boils down to:
1) CoPP and aggressive SPD to protect the routing/management when the infrastructure is attacked.
2) Getting Riverhead, which is a shame if they had it and it didn't save the day.
3) Netflow to detect the attacking sources/dst and using filtering and blackholing methods. (Arbor, open-source tools...)
So, if they had all that in place and still they were brought down, then I would seriously like to look for new/different solutions applied, or perhaps someone on the list could give us his experience in a case of a heavy DDoS where it was easily mitigated with the above.
Regards

On 5/6/05, Fergie (Paul Ferguson) [EMAIL PROTECTED] wrote:
As one of the co-authors of RFC-2827, I'm assuming you meant me -- if so, no apology needed. :-) I'm just sorry to have to see a weakness exploited which could easily be fixed.
- ferg
ps. This also seems like a good time to mention (again) The Spoofer Project at MIT: http://momo.lcs.mit.edu/spoofer/ [and] http://momo.lcs.mit.edu/spoofer/summary.php

-- Randy Bush [EMAIL PROTECTED] wrote:
it seems that anycasting was quite insufficient to protect netsol's service from being severely damaged (udp dead, tcp worked) for a considerable length of time by a ddos [0] last week [1]. it would be very helpful to other folk concerned with service deployment to understand how the service in question was/is anycast, and what might be done differently to mitigate exposure of similar services. anyone have clues or is this ostrich city? maybe a preso at nanog would be educational.
randy
---
[0] - as it seems that the ddos sources were ip address spoofed (which is why the service still worked for tcp), i owe paul an apology for downplaying the immediacy of the need for source address filtering.
[1] - netsol is not admitting anything happened, of course sigh. but we all saw the big splash as it hit the water, the bubbles as it sank, and the symptoms made the cause pretty clear.

--
Fergie, a.k.a. Paul Ferguson
Engineering Architecture for the Internet
[EMAIL PROTECTED] or [EMAIL PROTECTED]
ferg's tech blog: http://fergdawg.blogspot.com/
BCP for ISP to block worms at PEs and NAS
Hello,

Can someone confirm if my approach explained below is sufficient and if there are other/better ways to do this? Something I am missing.

On my Cisco-based SP network with RPMs in MGX chassis acting as PEs: I have the ACL below applied on many network devices to block the common worm ports. On the NAS, I have placed the worms ACL on the Group-Async interfaces so the worms will not propagate between users who dial up on the same NAS, and on the uplink ethernet interface (in and out). On the PEs, I have placed it on the interface switches for the customers and on the uplink too, and then on the aggregating routers and on the gateway for all these.

    ip access-list extended worms
     deny tcp any any eq 5554
     deny tcp any any range 135 139
     deny udp any any range 135 netbios-ss
     deny tcp any any eq 445
     deny udp any any eq 1026
     permit ip any any

Regards
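To answer the "is it sufficient?" question for yourself, it helps to evaluate the posted ACL against sample 5-tuples. The evaluator below is an added example, not the poster's or Cisco's code; it resolves the IOS named port netbios-ss (139), applies first-match semantics with the implicit trailing deny, and the sample ports are constructed.

```python
"""Added example, not from the thread: a first-match evaluator for the posted
'worms' ACL, used to check which destination ports it actually drops.
Only the 'proto any any eq|range' shape used in the post is parsed."""

# IOS named ports that may appear in place of a number (subset, known values)
NAMED_PORTS = {"netbios-ns": 137, "netbios-dgm": 138, "netbios-ss": 139}

# The ACL exactly as posted, minus the 'ip access-list extended worms' header
WORMS_ACL = """
deny tcp any any eq 5554
deny tcp any any range 135 139
deny udp any any range 135 netbios-ss
deny tcp any any eq 445
deny udp any any eq 1026
permit ip any any
"""


def _port(token):
    """Resolve a numeric or named port token to an integer."""
    return NAMED_PORTS[token] if token in NAMED_PORTS else int(token)


def parse_acl(text):
    """Return rules as (action, proto, low_port, high_port) in ACL order."""
    rules = []
    for line in text.strip().splitlines():
        parts = line.split()
        action, proto = parts[0], parts[1]
        if len(parts) == 4:                       # e.g. 'permit ip any any'
            rules.append((action, proto, 0, 65535))
        elif parts[4] == "eq":
            rules.append((action, proto, _port(parts[5]), _port(parts[5])))
        elif parts[4] == "range":
            rules.append((action, proto, _port(parts[5]), _port(parts[6])))
        else:
            raise ValueError(f"unsupported ACL line: {line}")
    return rules


def evaluate(rules, proto, dport):
    """First matching rule wins; IOS appends an implicit 'deny' at the end."""
    for action, rproto, low, high in rules:
        if rproto in (proto, "ip") and low <= dport <= high:
            return action
    return "deny"
```

Running it over UDP/1434 (the MSSQL port mentioned later in the thread) shows that port is not covered by this ACL, while UDP/137 is caught by the 135 to netbios-ss range.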
Re: BCP for ISP to block worms at PEs and NAS
Even if they care, it's consuming a lot of CPU resources and bandwidth. I had a long quarrel with my team members on whether we should do it or not. I understand that if we only provide best effort traffic without any filtering contracted, it's wrong to do it, but the ACL matches are so big. Doing it on the Radius however is one nice other way to do it IMHO. There was once a worm using port 5000 which broke IPSec, and I had to modify it all over the place, same with MSSQL ports; a centralised configuration is much better. I would like to see these methods documented anywhere (Practices for ISPs to block worms).

On 4/17/05, J.D. Falk [EMAIL PROTECTED] wrote:

> On 04/17/05, Randy Bush [EMAIL PROTECTED] wrote:
>
> > > On my Cisco-based SP network with RPMs in MGX chassis acting as PEs: I have the ACL below applied on many network devices to block the common worm ports,
> >
> > if you are a service provider, perhaps filtering in the core will not be appreciated by some customers. of course, as a provider, you can choose what 'service' you are providing. but, if you filter ports, it is not clear you are providing internet service.
>
> In practice, it is nearly certain that your users won't care (or even notice) -- but grumpygeeks will argue about it anyway.
>
> --
> J.D. Falk                As a carpenter bends the seat of a chariot
> [EMAIL PROTECTED]        I bend this frenzy round my heart.
Re: books every network operator should read?
- Internet Routing Arch.
- Routing TCP/IP vol. 1
- Cisco LAN Switching or any other LAN switching book
- Troubleshooting Routing Protocols by Zaheer Aziz
- Cisco ISP Essentials
- Some chapters of IOS Software Arch.

On Apr 9, 2005 6:36 AM, Janet Sullivan [EMAIL PROTECTED] wrote:

> I'd like to make a list for the BGP4.net wiki of books that are thought highly of by the network community. What books stand out for you as being excellent? If you could only own 5 network related books, what would they be?
>
> Feel free to reply to me offlist - I'll post a summary after a few days.
>
> Thanks!
> Janet
Re: BGP Anywhere - Global Redundancy
There are new IOS features for such situations; take a look at datacenter backup, SLB and these issues.

On Apr 7, 2005 2:35 AM, Vandy Hamidi [EMAIL PROTECTED] wrote:

> All,
>
> We're an ASP and are considering adding a secondary Backup Datacenter (BDC) in the US to protect our web presence. My goal is to ensure automatic failover of my Primary DC's (IP) traffic to the BDC in the event of a catastrophic failure of the PDC. I'm considering geographic load balancing and BGP Anywhere as the two options. I'm clear on how the Geo LB works, but have some doubts about BGPAW as I've never implemented it before and documentation online is pretty weak to non-existent. Below is how I believe it should be done.
>
> From PDC:
> - Advertise CIDR block to all peers w/good metric (0 hop count)
>
> From BDC:
> - Advertise same CIDR block to all peers w/poor metric (+20 hop count)
>
> During normal operation, all ASes will route production traffic to PDC. In the event of catastrophic failure at PDC, PDC advertisements will cease, the BDC route will become the only one on the net and traffic will route to the BDC.
>
> Questions:
> 1) Will this work?
> 2) Other suggestions or alternatives?
> 3) Any chance that traffic could flow to BDC for any reason?
> 4) Any internet etiquette I could be ignoring?
> 5) What would you estimate the failover time would be?
> 6) Assuming the routers at PDC and BDC pull down the full routing table, how will the receipt of the PDC CIDR advertisement be treated? BGP rules say it will be dropped as a routing loop. What alternatives would I have if I want to be able to route that CIDR block traffic from the BDC to the PDC? Confed? Cisco conditional advertisements?
>
> Thanks all. This is the only place I can think of that would have the expertise to comment.
>
> -=Vandy=-
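A toy model of the failover Vandy describes, added here as an example (it is not code from the thread or from any vendor): both sites announce one prefix from the same ASN, the BDC prepends 20 extra copies, remote ASes pick the shorter AS_PATH, and a router inside the datacenter ASN rejects the other site's announcement because its own ASN is in the path (question 6). The ASNs and prefix are constructed, and only the AS_PATH-length step of best-path selection is modelled.

```python
"""Added example, not from the thread: a minimal model of BGP Anywhere
failover with AS_PATH prepending and eBGP loop rejection.  Everything here
is constructed sample data; real best-path selection has many more steps."""
from dataclasses import dataclass

PREFIX = "192.0.2.0/24"   # constructed sample prefix (TEST-NET-1)
DC_AS = 64500             # constructed: the ASN both datacenters announce from


@dataclass(frozen=True)
class Route:
    prefix: str
    as_path: tuple   # leftmost entry is the most recently traversed AS
    origin: str      # "PDC" or "BDC", which site announced it


def advertise(origin, prepend):
    """Announce PREFIX from one site; 'prepend' extra copies of DC_AS make
    the path look longer, which is what '+20 hop count' in the post means."""
    return Route(PREFIX, (DC_AS,) * (1 + prepend), origin)


def receive(route, local_as, from_as):
    """A router in local_as hears the route from neighbour from_as, which has
    prepended its own ASN.  A path already containing local_as is rejected
    as a loop, which is standard eBGP loop prevention."""
    path = (from_as,) + route.as_path
    if local_as in path:
        return None
    return Route(route.prefix, path, route.origin)


def best_path(candidates):
    """Among installed routes, the shortest AS_PATH wins."""
    live = [r for r in candidates if r is not None]
    return min(live, key=lambda r: len(r.as_path)) if live else None


def failover(local_as, transit_as=64496):
    """Return (site chosen normally, site chosen after the PDC withdraws) as
    seen by a router in local_as that learns both routes via transit_as."""
    pdc = receive(advertise("PDC", 0), local_as, transit_as)
    bdc = receive(advertise("BDC", 20), local_as, transit_as)
    normal = best_path([pdc, bdc])
    after = best_path([bdc])   # PDC down: its announcement is withdrawn
    return (normal.origin if normal else None, after.origin if after else None)
```

A router in a third-party AS picks the PDC and falls back to the BDC, while a router in DC_AS itself installs neither route, which is the loop drop the post asks about.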
Re: Is current DDoS detecting method effective?
On Mon, 07 Mar 2005 06:11:35 + (GMT), Christopher L. Morrow [EMAIL PROTECTED] wrote:

> Some of your cflowd gathering should also see these things, but they will need data correlation, something Arbor already went to the trouble of doing for you... So, define: attack and then see if your tool fits that definition.

So I can safely say that detecting DDoS attacks is mostly done using Netflow data. Now the only (known) tool on the market to analyze for attacks is Arbor. Now, besides being expensive, which is a problem for mid-size ISPs, doing that with open-source tools (cflowd, ...) isn't quite easy for a network engineer, who rarely has programming experience. That's my problem now: we either need to outsource or buy Arbor.

I've seen open-source Netflow DDoS-specific apps. Anyone tried them (Zazu and Panoptis)? With the small experience I've gained working out these tools:

- Zazu is still under devel. but sometimes reports nice results
- couldn't compile panoptis

Any luck with (stager, Silktools, ntop, ...)? I wish there could be a documented ISP experience of using open-source tools to detect DDoS, or a homegrown script that uses flow-tools to report anomalies. Any news of ongoing projects or papers for the above? (There are too many on blackholing, but not on how to get the IP to blackhole.)

Regards
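The sort of homegrown anomaly check the post wishes for, added here as an example (not code from the thread, Arbor, or flow-tools): it aggregates flow records per destination, compares a current window against a baseline window, and reports destinations whose packet count or source fan-in jumped. The record layout, addresses and thresholds are constructed for the demo; in practice the lines would come from flow-print output.

```python
"""Added example, not from the thread: a small NetFlow-style anomaly detector.
Records are constructed strings shaped like 'src dst proto dport pkts bytes'."""
from collections import defaultdict

# Constructed baseline: a name server and a web server, five clients each
NORMAL_WINDOW = (
    [f"192.0.2.{i} 198.51.100.10 17 53 40 3200" for i in range(1, 6)]
    + [f"192.0.2.{i} 198.51.100.20 6 80 60 48000" for i in range(1, 6)]
)

# Constructed attack window: 120 distinct sources send one 60-byte UDP/53
# packet each to the name server, while the web server stays normal
ATTACK_WINDOW = (
    [f"203.0.113.{i % 254 + 1} 198.51.100.10 17 53 1 60" for i in range(120)]
    + [f"192.0.2.{i} 198.51.100.20 6 80 65 52000" for i in range(1, 6)]
)


def summarize(lines):
    """Aggregate per destination: total packets, total bytes, distinct sources."""
    stats = defaultdict(lambda: {"pkts": 0, "bytes": 0, "srcs": set()})
    for line in lines:
        src, dst, _proto, _dport, pkts, nbytes = line.split()
        entry = stats[dst]
        entry["pkts"] += int(pkts)
        entry["bytes"] += int(nbytes)
        entry["srcs"].add(src)
    return stats


def detect(baseline_lines, window_lines, pkt_factor=5.0, min_fanin=50):
    """Return {dst: reason} for destinations whose packet count grew by at
    least pkt_factor over baseline or whose source fan-in reached min_fanin.
    Thresholds are assumptions; tune them to the network's own baseline."""
    base = summarize(baseline_lines)
    current = summarize(window_lines)
    alerts = {}
    for dst, s in current.items():
        base_pkts = base[dst]["pkts"] if dst in base else 1
        fanin = len(s["srcs"])
        avg_size = s["bytes"] / s["pkts"]
        if fanin >= min_fanin:
            alerts[dst] = f"fan-in {fanin} sources, avg pkt {avg_size:.0f} B"
        elif s["pkts"] >= pkt_factor * base_pkts:
            alerts[dst] = f"packets x{s['pkts'] / base_pkts:.1f} over baseline"
    return alerts
```

The reported destination is the candidate for the blackhole route; the small average packet size and wide fan-in in the reason string are the hints that distinguish a flood from a legitimate traffic surge.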
Cisco 3640 Bootrom
I have a 3640 that while booting up gives the errors below at the console.

Console Errors:

    C3600 processor with 65536 Kbytes of main memory
    Main memory is configured to 64 bit mode with parity disabled
    unknown flash deþ
    System Bootstrap, Version 11.1(7)AX [kuong (7)AX], EARLY DEPLOYMENT RELEASE SOFTWARE (fc2)
    Copyright (c) 1994-1996 by cisco Systems, Inc.
    C3600 processor with 65536 Kbytes of main memory
    Main memory is configured to 64 bit mode with parity disabled
    unknown flash device - mandev code = 0x
    cannot read flash info
    getdevnum warning: device flash has size of zero
    unknown flash device - mandev code = 0x
    cannot read flash info
    getdevnum warning: device flash has size of zero
    open: read error...requested 0x4 bytes, got 0x0
    trouble reading device magic number
    boot: cannot open flash:
    an alternate boot helper program is not specified (monitor variable BOOTLDR is not set)
    and unable to determine first file in bootflash
    loadprog: error - on file open
    boot: cannot load tftp:c3640-js-mz.122-15.T5.bin 40.40.40.2
    System Bootstrap, Version 11.1(7)AX [kuong (7)AX], EARLY DEPLOYMENT RELEASE SOFTWARE (fc2)
    Copyright (c) 1994-1996 by cisco Systems, Inc.
    C3600 processor with 65536 Kbytes of main memory
    Main memory is configured to 64 bit mode with parity disabled

I was advised to upgrade the bootrom, because the bootrom doesn't recognize the flash sticks. How do you guys check that this bootrom will work with this flash stick?

Regards
Proper authentication model
Hello,

I'd like everyone's 2 cents on the BCP for network management of an ISP's PoPs, with a non-security oriented NOC. Most of my routers don't have crypto IOS images; I couldn't agree with core members to do a major upgrade, just a promise of doing that when other needs for an IOS upgrade come up. So I need to work around it and secure management traffic somehow. Usually the NOC logs in to the PoPs 24x7, so I definitely need to hit a balance between encryption/security and usability; that's why I excluded OTP.

My homework concluded:

1) Establishing an ipsec tunnel from each NOC PC to a VPN concentrator, and of course on every PC there would be static routes injected to take management traffic through the tunnel. Major advantage is usability and transparency to the user. One major pitfall here is when ipsec tunnels break: my presence would be needed to troubleshoot that.

2) An OpenBSD bastion host(s), where the NOC would ssh in, get authenticated from TACACS+ or ssh certs, and then just telnet from there all day. One major advantage here is the heavy monitoring/limiting I can do on a *nix box: systrace their login shell to a policy (telnet/ping/traceroute only).

3) Or just an IOS based bastion router that also runs ssh. This has the advantage of IOS limitations in a way, not much maintaining is needed, but being limited with 16 vtys is a problem; also vtys may get stuck and all these ssh sessions would kill the memory of the router.

I would of course have multiple setups, one at the Datacenter, another at some PoP, redundant solutions in case one fails.

For the record, I do run rancid, syslogging and we do AAA, so it's just down to what others' experiences/ideas about secure management are?
Blocking worms/ddos for customer for free?
Hello,

Currently, on our ingress, we block spoofed packets and common worm/trojan ports. We do that for all of our customers (residential DSL, dial-up, corporate DSL, and the data center hosted websites/servers). However, for me there are 2 ways to look at it: if I leave these worms to come in, they would consume our bandwidth and CPU, and on the other hand, it looks like we're giving a free service, which in a way uses up our resources. It's the same for DDoS: if I stop it for a customer, I'm giving him a free service; if I don't, it's gonna wreck my network.

Personally, I block the illegitimate packets out of my network (egress), but that's because I owe this to the internet community, even if I am not getting paid for it. I would like to know other providers' policy about this?