Re: ANNOUNCE: bgptables.merit.edu - understanding visibility of your prefix/AS

2012-01-18 Thread Suresh Ramasubramanian
On Wed, Jan 18, 2012 at 8:07 PM, Robert Kisteleki  wrote:
> One can also try RIPEstat for this: http://stat.ripe.net/
>
> Amongst other modules it gives full (~10 year) BGP history for prefixes.

Does it also give a similar history for ASN announcements? I see a
lot of shady ASNs that simply move from one prefix to another, in
batches.

-- 
Suresh Ramasubramanian (ops.li...@gmail.com)
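The question above is about tracking an origin AS across the prefixes it has announced over time. The following is an added example, not code from the thread or from RIPE: it takes a routing-history style document for one ASN, lists each prefix with its announcement span, and flags the "hopping" pattern Suresh describes (short-lived announcements that follow each other back to back). The input shape is modelled on RIPEstat's routing-history data call; the URL and the field names by_origin, prefixes, timelines, starttime and endtime are assumptions to check against the live API, and the sample document is constructed with documentation ASNs and prefixes.

```python
"""Summarise which prefixes an origin AS has announced over time and flag
prefix hopping. Added example, not from the thread.

The input shape is modelled on RIPEstat's routing-history data call; the
URL and the field names used below are assumptions to be checked against
the live API. SAMPLE is constructed data (documentation ASN and prefixes).
"""
import json
import urllib.request
from datetime import datetime

# Assumed endpoint; not called in the offline demo below.
RIPESTAT_URL = "https://stat.ripe.net/data/routing-history/data.json?resource={asn}"


def fetch_routing_history(asn):
    """Live fetch (not exercised here); returns the parsed JSON document."""
    with urllib.request.urlopen(RIPESTAT_URL.format(asn=asn), timeout=30) as resp:
        return json.load(resp)


# Constructed sample in the assumed response shape: three /24s announced one
# after another by the same origin, each for a few weeks.
SAMPLE = {"data": {"by_origin": [{"origin": "AS64496", "prefixes": [
    {"prefix": "192.0.2.0/24",
     "timelines": [{"starttime": "2011-01-03T00:00:00", "endtime": "2011-02-14T00:00:00"}]},
    {"prefix": "198.51.100.0/24",
     "timelines": [{"starttime": "2011-02-15T00:00:00", "endtime": "2011-03-20T00:00:00"}]},
    {"prefix": "203.0.113.0/24",
     "timelines": [{"starttime": "2011-03-21T00:00:00", "endtime": "2011-04-30T00:00:00"}]},
]}]}}


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")


def origin_timeline(doc, origin):
    """Return [(prefix, start, end), ...] for one origin AS, sorted by start."""
    rows = []
    for entry in doc["data"]["by_origin"]:
        if entry["origin"] != origin:
            continue
        for p in entry["prefixes"]:
            for t in p["timelines"]:
                rows.append((p["prefix"], _ts(t["starttime"]), _ts(t["endtime"])))
    rows.sort(key=lambda r: r[1])
    return rows


def hopping_summary(rows, max_days=60, max_gap_days=14):
    """Count short-lived announcements and 'hops'.

    A hop is an announcement that ended and was followed within max_gap_days
    by a different prefix from the same origin. Thresholds are illustrative;
    tune them against your own view of the table.
    """
    hops = short_lived = 0
    for i, (prefix, start, end) in enumerate(rows):
        if (end - start).days <= max_days:
            short_lived += 1
        if i + 1 < len(rows):
            next_prefix, next_start, _ = rows[i + 1]
            gap = (next_start - end).days
            if next_prefix != prefix and 0 <= gap <= max_gap_days:
                hops += 1
    return {"prefixes": len({r[0] for r in rows}), "announcements": len(rows),
            "short_lived": short_lived, "hops": hops}


def looks_like_hopper(summary):
    """Heuristic: every announcement short-lived and at least two consecutive moves."""
    return summary["hops"] >= 2 and summary["short_lived"] == summary["announcements"]


if __name__ == "__main__":
    rows = origin_timeline(SAMPLE, "AS64496")
    for prefix, start, end in rows:
        print(f"{prefix:<18} {start.date()} -> {end.date()}")
    summary = hopping_summary(rows)
    print(summary, "hopper" if looks_like_hopper(summary) else "normal")
```

Swap SAMPLE for fetch_routing_history("AS...") once the field names are confirmed against the live response; the heuristic itself is deliberately simple, so treat a hit as a reason to look at the ASN's history by hand rather than as a verdict.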



Re: World IPv6 Launch Day - June 6, 2012

2012-01-18 Thread Joel Jaeggli
By the same token, the mobile broadband network is not some also-ran adjunct to 
the residential broadband service.

On Jan 18, 2012, at 16:45, "Justin M. Streiner"  wrote:

> On Wed, 18 Jan 2012, Joel jaeggli wrote:
> 
>> On 1/18/12 15:56 , Justin M. Streiner wrote:
>>> On Wed, 18 Jan 2012, Christopher Morrow wrote:
>>> 
>>> I wonder when Comcast and Verizon will get into an IPv6 advertising war.
>>> "v6... smhee-6!  Ditch that cable modem and switch to Fios!"
>> 
>> LTE has V6 natively and it gets used today...
> 
> True, but VZW and VZO are two different animals.
> 
> jms
> 



Re: World IPv6 Launch Day - June 6, 2012

2012-01-18 Thread Antonio Querubin

On Wed, 18 Jan 2012, Anurag Bhatia wrote:

>   1. No A or AAAA record on main worldipv6launch.org


Odd and annoying.  So 20th century... :)

Antonio Querubin
e-mail:  t...@lavanauts.org
xmpp:  antonioqueru...@gmail.com



Re: Tata AS6453 not peering with NTT AS2914 in Japan

2012-01-18 Thread Matthew Petach
On Wed, Jan 18, 2012 at 2:10 PM, Anurag Bhatia  wrote:
> Call it funny or what - so far I have got 4 replies and in total 10 emails
> in one to one discussion.
>
> No one replied in mailing list!


People are often hesitant to discuss dirty laundry in public; not
least because it can sometimes have employment implications.

Most requests on the lists are thus phrased as "please contact
me about X" or "It would be really nice if you could fix your
misconfiguration at site Y" so that there's no onus placed on an
engineer to discuss the issue publicly; fixing the issue, or responding
with a private message about the issue is usually considered
sufficient response.

Matt



Re: World IPv6 Launch Day - June 6, 2012

2012-01-18 Thread Justin M. Streiner

On Wed, 18 Jan 2012, Joel jaeggli wrote:

> On 1/18/12 15:56 , Justin M. Streiner wrote:
>> On Wed, 18 Jan 2012, Christopher Morrow wrote:
>>
>> I wonder when Comcast and Verizon will get into an IPv6 advertising war.
>> "v6... smhee-6!  Ditch that cable modem and switch to Fios!"
>
> LTE has V6 natively and it gets used today...

True, but VZW and VZO are two different animals.

jms



Re: bgp question

2012-01-18 Thread Jonathan Lassoff
On Wed, Jan 18, 2012 at 5:58 AM, Deric Kwok  wrote:
> Is it supporting multipath equally across different bgp connections?

Most software routing protocols have support for this in their RIBs,
but the actual forwarding ability of the underlying kernel will
determine the support for this.
What platform do you route on?

Cheers,
jof



Re: World IPv6 Launch Day - June 6, 2012

2012-01-18 Thread Joel jaeggli
On 1/18/12 15:56 , Justin M. Streiner wrote:
> On Wed, 18 Jan 2012, Christopher Morrow wrote:
> 
>> My question is when is FiOS going to get v6 natively? could we get the
>> engineers there to actually do something as opposed to trials of
>> non-production systems that'll never actually get deployed? :)
> 
> I wonder when Comcast and Verizon will get into an IPv6 advertising war.
> "v6... smhee-6!  Ditch that cable modem and switch to Fios!"

LTE has V6 natively and it gets used today...

joel

> jms
> 




Re: World IPv6 Launch Day - June 6, 2012

2012-01-18 Thread Justin M. Streiner

On Wed, 18 Jan 2012, Christopher Morrow wrote:

> My question is when is FiOS going to get v6 natively? could we get the
> engineers there to actually do something as opposed to trials of
> non-production systems that'll never actually get deployed? :)

I wonder when Comcast and Verizon will get into an IPv6 advertising war.
"v6... smhee-6!  Ditch that cable modem and switch to Fios!"

jms



Re: bgp question

2012-01-18 Thread Justin M. Streiner

On Wed, 18 Jan 2012, Deric Kwok wrote:

> Could you tell me more about "routing registries"?
> I would like to learn it

In a nutshell, Internet Routing Registries (IRRs) are places where 
networks can store information that describes their routing policies. 
Other networks can query this information and use the results to build or 
update their filtering policies.  You can find an extensive list of 
registries and more background information at http://www.irr.net/

> 2nd questions?  Are you familiar with quagga?
> Is it supporting multipath equally across different bgp connections?

I haven't messed around too much with quagga, so I can't give you a good 
answer on that at the moment.


jms


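The reply above describes the IRR workflow in one sentence: networks publish route objects, and their neighbours query those objects to build prefix filters. The following is an added example, not part of the thread and not any registry's tooling. It parses RPSL route/route6 objects in the format a whois query against an IRR prints, keeps only the objects registered to a given origin AS, applies the sanity checks a transit operator would apply before trusting self-asserted data (prefix length limits and a bogon list), and renders a Cisco-style prefix-list. The whois text is constructed; the length limits, bogon list, and prefix-list name are illustrative choices, not anyone's policy.

```python
"""Build a per-neighbour prefix filter from IRR route/route6 objects.

Added example, not from the thread. SAMPLE_WHOIS is constructed in the
format `whois -h whois.radb.net -- '-i origin AS64496'` prints. IRR objects
are registered by maintainers and are not proof of authorisation, so the
filter applies length limits and a bogon list instead of trusting them
blindly. Limits and the prefix-list name are illustrative.
"""
import ipaddress

SAMPLE_WHOIS = """\
route:          192.0.2.0/24
descr:          Example customer
origin:         AS64496
mnt-by:         MAINT-EXAMPLE
source:         RADB

route:          198.51.100.0/24
origin:         AS64496
source:         RADB

route6:         2001:db8::/32
origin:         AS64496
source:         RADB

route:          203.0.113.128/25
origin:         AS64496
source:         RADB

route:          10.1.0.0/16
origin:         AS64496
source:         RADB

route:          203.0.113.0/24
origin:         AS64497
source:         RADB
"""

# Longest prefix most transit networks accept from a customer (illustrative).
MAX_LEN = {4: 24, 6: 48}

# Prefixes that must never be accepted from a peer, whatever the IRR says.
BOGONS = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "::1/128", "fc00::/7", "fe80::/10",
)]


def parse_rpsl(text):
    """Yield one dict per object; objects are separated by blank lines."""
    obj = {}
    for line in text.splitlines():
        if not line.strip():
            if obj:
                yield obj
                obj = {}
            continue
        if line.startswith(("%", "#")):   # registry comment lines
            continue
        key, _, value = line.partition(":")
        obj.setdefault(key.strip().lower(), value.strip())  # keep first of repeated keys
    if obj:
        yield obj


def prefixes_for_origin(text, origin):
    """Return (accepted, rejected): accepted prefixes and (prefix, reason) pairs."""
    accepted, rejected = [], []
    for obj in parse_rpsl(text):
        key = "route" if "route" in obj else "route6" if "route6" in obj else None
        if key is None or obj.get("origin", "").upper() != origin.upper():
            continue
        try:
            net = ipaddress.ip_network(obj[key], strict=True)
        except ValueError:
            rejected.append((obj[key], "unparseable"))
            continue
        if net.prefixlen > MAX_LEN[net.version]:
            rejected.append((str(net), "too specific"))
        elif any(net.subnet_of(b) for b in BOGONS if b.version == net.version):
            rejected.append((str(net), "bogon"))
        else:
            accepted.append(str(net))
    return accepted, rejected


def render_prefix_list(name, accepted, start=10, step=10):
    """Cisco-style prefix-list; no le/ge, so only the exact prefix matches."""
    lines = []
    for i, prefix in enumerate(accepted):
        family = "ipv6" if ":" in prefix else "ip"
        lines.append(f"{family} prefix-list {name} seq {start + i * step} permit {prefix}")
    return lines


if __name__ == "__main__":
    acc, rej = prefixes_for_origin(SAMPLE_WHOIS, "AS64496")
    print("\n".join(render_prefix_list("AS64496-IN", acc)))
    for prefix, reason in rej:
        print(f"! rejected {prefix}: {reason}")
```

In practice the rejected list is the interesting output: a customer whose IRR objects keep failing the length or bogon checks is either misconfigured or testing what you will accept, and either way the filter should stay as built rather than being loosened to make the objects fit.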

Re: ANNOUNCE: bgptables.merit.edu - understanding visibility of your prefix/AS

2012-01-18 Thread Randy Bush
> One can also try RIPEstat for this: http://stat.ripe.net/

wfm

> (Disclaimer: our team is working on this tool.)

and you used your work email address.  thank you.

randy



Re: bgp question

2012-01-18 Thread Jo Rhett
On Jan 18, 2012, at 5:58 AM, Deric Kwok wrote:
> Could you tell me more about "routing registries"?
> I would like to learn it

google it, and RADB for example.

> 2nd questions?  Are you familiar with quagga?
> Is it supporting multipath equally across different bgp connections?

Yes, absolutely.

-- 
Jo Rhett
Net Consonance : consonant endings by net philanthropy, open source and other 
randomness



Re: Tata AS6453 not peering with NTT AS2914 in Japan

2012-01-18 Thread Anurag Bhatia
Call it funny or what - so far I have got 4 replies and in total 10 emails
in one to one discussion.

No one replied in mailing list!

On Thu, Jan 19, 2012 at 1:06 AM, Anurag Bhatia  wrote:

> Hello everyone!
>
> Was wondering if there's anyone from Tata Communications (VSNL/TeleGlobe)
> or NTT Communications? I can see Tata Comm's AS6453 is not exchanging
> traffic with NTT AS2914 in Japan. Is there any specific reason for that?
> I can see traffic exchange is being done at London, New York, San Jose but
> not in Japan. Thus packets from Tokyo (Tata) to Tokyo (NTT) are having a
> round trip to the US. This is screwing up performance of networks which are
> downstream for NTT e.g Akamai. Route to Akamai.com webserver from Indian
> networks is going like India - UK - Japan adding over 200ms of overhead
> latency. If someone is interested in detailed data, I have blogged about it
> here.
>
>
> Any ideas what's preventing them peering in Japan itself?
> --
>
> Anurag Bhatia
>
> anuragbhatia.com
>
> or simply - http://[2001:470:26:78f::5] if you are on IPv6 connected
> network!
>
> Twitter: @anurag_bhatia 
>
>


-- 

Anurag Bhatia

anuragbhatia.com

or simply - http://[2001:470:26:78f::5] if you are on IPv6 connected
network!

Twitter: @anurag_bhatia 


Tata AS6453 not peering with NTT AS2914 in Japan

2012-01-18 Thread Anurag Bhatia
Hello everyone!

Was wondering if there's anyone from Tata Communications (VSNL/TeleGlobe)
or NTT Communications? I can see Tata Comm's AS6453 is not exchanging
traffic with NTT AS2914 in Japan. Is there any specific reason for that?
I can see traffic exchange is being done at London, New York, San Jose but
not in Japan. Thus packets from Tokyo (Tata) to Tokyo (NTT) are having a
round trip to the US. This is screwing up performance of networks which are
downstream for NTT e.g Akamai. Route to Akamai.com webserver from Indian
networks is going like India - UK - Japan adding over 200ms of overhead
latency. If someone is interested in detailed data, I have blogged about it
here.


Any ideas what's preventing them peering in Japan itself?
-- 

Anurag Bhatia

anuragbhatia.com

or simply - http://[2001:470:26:78f::5] if you are on IPv6 connected
network!

Twitter: @anurag_bhatia 


RE: DNS Attacks

2012-01-18 Thread Drew Weaver


-Original Message-
From: Christopher Morrow [mailto:morrowc.li...@gmail.com] 
Sent: Wednesday, January 18, 2012 11:43 AM
To: Steven Bellovin
Cc: nanog@nanog.org
Subject: Re: DNS Attacks

yup... I think roland and nick (he can correct me, roland I KNOW is saying 
this) are basically saying:

permit tcp any any eq 80
permit tcp any any eq 443
deny ip any any

is far, far better than state management in a firewall. Anything more complex 
and your firewall fails long before the 7206's interface/filter will :( Some 
folks would say you'd be better off doing some LB/filtering-in-software behind 
said router interface filter, I can't argue with that.

>

But you don't get the benefit of UNIFIED THREAT MANAGEMENT or 
syn-authentication with an access-list, or what happens if someone sends your 
wordpress blog a malformed GET request which causes it to give the attacker 
root? Or Slowloris, or one of any thousand other HTTP protocol based attacks?

(I'm being sarcastic but that is the argument you will hear).

Seriously though, if there is one thing I wish people would stop doing it is 
releasing web vulnerability scanners for free (like acunetix). They're easy 
enough to catch because they use sitemaps, but they can be a bit annoying and 
generate a lot of load =)

-Drew


 



Re: VPC=S/MLT?

2012-01-18 Thread -Hammer-

Nice link. Thanks Joshua.

-Hammer-

"I was a normal American nerd"
-Jack Herer



On 1/18/2012 11:57 AM, joshua sahala wrote:

> vpc has a long list of unclear and/or seemingly contradictory caveats
> (spread across multiple cisco docs/webpages).  when it doesn't work
> (as expected), it can be challenging to find someone with tac who can
> actually tell you why (or how to fix it properly).  if your needs are
> fairly basic, are all cisco, follow their dc3.0 verbatim, and don't
> mind the lack of features on the nexus platform, then it isn't a bad
> box (if rather expensive for the lack of features...like ipv6 for
> is-is).  also, be prepared to keep spanning-tree around and keep
> bugging your cisco se/am about trill support (as opposed to
> fabricpath...see tdp vs ldp)
>
> if you *might* want to involve the n7k in routing at all, then
> http://bradhedlund.com/2010/12/16/routing-over-nexus-7000-vpc-peer-link-yes-and-no/
> offers a much clearer explanation than cisco.com about what works and
> what doesn't (and whether-or-not tac might try to help)
>
> hth
> /joshua






Re: VPC=S/MLT?

2012-01-18 Thread -Hammer-
Found them all on the same page. Not exactly what I was looking for but 
it's worth sharing.


http://www.cisco.com/en/US/products/ps9670/products_implementation_design_guides_list.html

-Hammer-

"I was a normal American nerd"
-Jack Herer



On 1/14/2012 7:10 PM, Charles Spurgeon wrote:

> On Fri, Jan 13, 2012 at 03:05:45PM -0600, -Hammer- wrote:
>
>> The first link references "chapter 3". I found chapter 5 as well
>> but I can't find the full index. Do you have that link by any chance?
>
> I don't have a link to a full index. The links I sent are from a set
> of Nexus design and operation chapters I've found.  Each chapter is a
> guide to a specific aspect of Nexus and vPC operation and DC design.
> The set doesn't appear to have been turned into standard Cisco docs
> with indexes etc.
>
> Here are the links that I've been able to find:
>
> Chapter 1: Data Center Design with Cisco Nexus Switches and Virtual 
> PortChannel: Overview
> http://www.cisco.com/en/US/prod/collateral/switches/ps9441/ps9670/C07-572831-00_Dsgn_Nexus_vPC_DG.pdf
>
> Chapter 2: Cisco NX-OS Software Command-Line Interface Primer
> http://www.cisco.com/en/US/prod/collateral/switches/ps9441/ps9670/C07-572833-00_NX-OS_CLI.pdf
>
> Chapter 3: Cisco NX-OS Software Virtual PortChannel: Fundamental Concepts
> http://www.cisco.com/en/US/prod/collateral/switches/ps9441/ps9670/C07-572835-00_NX-OS_vPC_DG.pdf
>
> Chapter 4: Spanning Tree Design Guidelines for Cisco NX-OS Software and Virtual 
> PortChannels
> http://www.cisco.com/en/US/prod/collateral/switches/ps9441/ps9670/C07-572834-00_STDG_NX-OS_vPC_DG.pdf
>
> Chapter 5: Data Center Aggregation Layer Design and Configuration with
> Cisco Nexus Switches and Virtual PortChannels
> http://www.cisco.com/en/US/prod/collateral/switches/ps9441/ps9670/C07-572830-00_Agg_Dsgn_Config_DG.pdf
>
> Chapter 6 Data Center Access Design with Cisco Nexus 5000 Series
> Switches and 2000 Series Fabric Extenders and Virtual PortChannels
> http://www.cisco.com/en/US/prod/collateral/switches/ps9441/ps9670/C07-572829-01_Design_N5K_N2K_vPC_DG.pdf
>
> Chapter 7 10 Gigabit Ethernet Connectivity with Microsoft Windows Servers
> http://www.cisco.com/en/US/prod/collateral/switches/ps9441/ps9670/C07-572828-00_10Gb_Conn_Win_DG.pdf
>
> Chapter 8 Data Center Design with VMware ESX 4.0 and Cisco Nexus 5000
> and 1000V Series Switches 4.0(4)SV1(1) and 2000 Series Fabric
> Extenders
> http://www.cisco.com/en/US/prod/collateral/switches/ps9441/ps9670/C07-572832-00_VMware_ESX4_Nexus_DG.pdf
>
> -Charles
>
> Charles E. Spurgeon / UTnet
> UT Austin ITS / Networking
> c.spurg...@its.utexas.edu / 512.475.9265





Re: enterprise 802.11

2012-01-18 Thread Robert E. Seastrom

Jay Ashworth  writes:

> - Original Message -
>> From: "Jared Mauch" 
>
>> network side. I'm personally not convinced of the value of very short
>> lease times (less than an hour)
>
> Less than an hour, perhaps not. 
>
> On small residential networks, though -- generally, anything where the 
> router (which will need to get rebooted occasionally) *is* the DHCP server --
> I tend to set the timeout to 30-60 minutes, to reduce the race window between
> when a router is rebooted, and when a new device shows up and conflicts 
> because it's given an IP another device still thinks it owns.

Another thing that works (in environments where you can get away with
it) is an enormous dhcp pool and super long leases with
walking-the-whole-space behavior and persistent-across-reboots
behavior on the part of the DHCP server.

The built-in server on the Mikrotik platforms will do this.
Configuring a /16 worth of 1918 space with a 3 week lease for a
campground that typically hosts 1 week long events has handily dodged
the issue for me.  Admittedly this is a corner case...

-r





Re: VPC=S/MLT?

2012-01-18 Thread joshua sahala
vpc has a long list of unclear and/or seemingly contradictory caveats
(spread across multiple cisco docs/webpages).  when it doesn't work
(as expected), it can be challenging to find someone with tac who can
actually tell you why (or how to fix it properly).  if your needs are
fairly basic, are all cisco, follow their dc3.0 verbatim, and don't
mind the lack of features on the nexus platform, then it isn't a bad
box (if rather expensive for the lack of features...like ipv6 for
is-is).  also, be prepared to keep spanning-tree around and keep
bugging your cisco se/am about trill support (as opposed to
fabricpath...see tdp vs ldp)

if you *might* want to involve the n7k in routing at all, then
http://bradhedlund.com/2010/12/16/routing-over-nexus-7000-vpc-peer-link-yes-and-no/
offers a much clearer explanation than cisco.com about what works and
what doesn't (and whether-or-not tac might try to help)

hth
/joshua



Re: World IPv6 Launch Day - June 6, 2012

2012-01-18 Thread Christopher Morrow
On Wed, Jan 18, 2012 at 12:30 PM, Anurag Bhatia  wrote:
> Hi Fred
>
> You can access on www.worldipv6launch.org but not
> http://worldipv6launch.org (without
> www)
>
>
not everyone puts their web content on their domain? nothing to see
here, please drive through...



Re: World IPv6 Launch Day - June 6, 2012

2012-01-18 Thread Christopher Morrow
On Wed, Jan 18, 2012 at 12:04 PM, Owen DeLong  wrote:

>>
>> My question is when is FiOS going to get v6 natively? could we get the
>> engineers there to actually do something as opposed to trials of
>> non-production systems that'll never actually get deployed? :)
>>
>
> My understanding is that some areas have native IPv6 on FIOS.

really? I terminate on the same CO/l3 device the testing was done (you
know, the one that was press-released ~1.5 years ago?) ... no v6 for
me... and as near as I can tell each sales/support person I talk to
says: "ipvwhat?"

I would bet that the VERIZON fios deployments are non-v6 everywhere...
which is just sad, for the internet and for verizon.

-chris



Re: World IPv6 Launch Day - June 6, 2012

2012-01-18 Thread Anurag Bhatia
Hi Fred

You can access on www.worldipv6launch.org but not
http://worldipv6launch.org (without
www)

It's available on IPv6 on www since the Akamai node has AAAA and seems fine.

anurag@laptop:~$ dig www.worldipv6launch.org AAAA +short
www.worldipv6launch.org.edgesuite.net.
a1448.dscb.akamai.net.
2600:140e:1::3cfe:83ca
2600:140e:1::3cfe:83d1



Someone missed a redirection record for worldipv6launch.org to
www.worldipv6launch.org

On Wed, Jan 18, 2012 at 10:57 PM, Fred Baker  wrote:

>
> On Jan 18, 2012, at 9:03 AM, Shumon Huque wrote:
>
> > But, checking www.worldipv6launch.org just now shows that it
> > have IPv6 records now:
>
> I just successfully accessed it using IPv6. The service is real, not just
> the DNS record. The address I accessed it at was 2600:809:600::3f50:411.
>



-- 

Anurag Bhatia

anuragbhatia.com

or simply - http://[2001:470:26:78f::5] if you are on IPv6 connected
network!

Twitter: @anurag_bhatia 


Re: World IPv6 Launch Day - June 6, 2012

2012-01-18 Thread Fred Baker

On Jan 18, 2012, at 9:03 AM, Shumon Huque wrote:

> But, checking www.worldipv6launch.org just now shows that it
> have IPv6 records now:

I just successfully accessed it using IPv6. The service is real, not just the 
DNS record. The address I accessed it at was 2600:809:600::3f50:411.


Re: DNS Attacks

2012-01-18 Thread Cameron Byrne
On Jan 18, 2012 8:43 AM, "Christopher Morrow" 
wrote:
>
> On Wed, Jan 18, 2012 at 11:34 AM, Steven Bellovin 
wrote:
> >
> > On Jan 18, 2012, at 10:41 30AM, Christopher Morrow wrote:
> >
> >> On Wed, Jan 18, 2012 at 10:05 AM, Nick Hilliard 
wrote:
> >>> On 18/01/2012 14:18, Leigh Porter wrote:
>  Yeah like I say, it wasn't my idea to put DNS behind firewalls. As
long
>  as it is not *my* firewalls I really don't care what they do ;-)
> >>>
> >>> As you're posting here, it looks like it's become your problem. :-D
> >>>
> >>> Seriously, though, there is no value to maintaining state for DNS
queries.
> >>>  You would be much better off to put your firewall production
interfaces on
> >>> a routed port on a hardware router so that you can implement ASIC
packet
> >>> filtering.  This will operate at wire speed without dumping you into
the
> >>> colloquial poo every time someone decides to take out your critical
> >>> infrastructure.
> >>
> >> I get the feeling that leigh had implemented this against his own
> >> advice for a client... that he's onboard with 'putting a firewall in
> >> front of a dns server is dumb' meme...
> >
> > In principle, this is certainly correct (and I've often said the same
thing
> > about web servers); in practice, though, a lot depends on the specs.
 For
> > example: can the firewall discard useless requests more quickly?  Does
it do
> > a better job of discarding malformed packets?  Is the vendor better
about
> > supplying patches to new vulnerabilities?  Can it do a better job
filtering
> > on source IP address?  Does it do load-balancing?  Are there other
services
> > on the same server IP address that do require stateful filtering?
>
>
> yup... I think roland and nick (he can correct me, roland I KNOW is
> saying this) are basically saying:
>
> permit tcp any any eq 80
> permit tcp any any eq 443
> deny ip any any
>
> is far, far better than state management in a firewall. Anything more
> complex and your firewall fails long before the 7206's
> interface/filter will :( Some folks would say you'd be better off
> doing some LB/filtering-in-software behind said router interface
> filter, I can't argue with that.
>
> > As I said, most of the time a dedicated DNS appliance doesn't benefit
from
> > firewall protection.  Occasionally, though, it might.
>
> I suspect the cases where it MAY benefit are the 'lower packet rate,
> ping-o-death-type' attacks only though. Essentially 'use a proxy to
> remove unknown cruft' as a frontend to your more complex dns/web
> answering system, eh?
>
> under load though, high pps rate attacks/instances (victoria secret
> fashion-show sorts of things) your firewall/proxy is likely to die
> before the backend does ;(
>

Very refreshing tone of conversation. Normally I hear a chorus of "defense
in depth" blah when we should be talking about fundamental host / protocol
based robustness and matching risks with controls ...not boxes with
places on a network map.

It leads to:  security is like an onion, it makes you cry

The ng stateful firewall is no firewall (tm)

I like https://www.opengroup.org/jericho/index.htm

Cb
> -chris
>
> >
> >--Steve Bellovin, https://www.cs.columbia.edu/~smb
> >
> >
> >
> >
> >
>


Re: World IPv6 Launch Day - June 6, 2012

2012-01-18 Thread Anurag Bhatia
Btw, did anyone notice the DNS setup of the project site is really crazy!

anurag@laptop:~$ ping worldipv6launch.org
ping: unknown host worldipv6launch.org
anurag@laptop:~$ dig worldipv6launch.org ns +short
ns5.he.net.
ns4.he.net.
ns2.he.net.
ns3.he.net.
anurag@laptop:~$ dig worldipv6launch.org soa +short
ns1.he.net. hostmaster.he.net. 2012011801 10800 1800 604800 86400
anurag@laptop:~$ dig worldipv6launch.org a +short
anurag@laptop:~$ dig worldipv6launch.org AAAA +short
anurag@laptop:~$ dig www.worldipv6launch.org +short
www.worldipv6launch.org.edgesuite.net.
a1448.dscb.akamai.net.
58.27.22.162
58.27.22.163



   1. No A or AAAA record on main worldipv6launch.org
   2. www.worldipv6launch.org has cname to Akamai





-- 

Anurag Bhatia

anuragbhatia.com

or simply - http://[2001:470:26:78f::5] if you are on IPv6 connected
network!

Twitter: @anurag_bhatia 
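The dig output quoted above shows the two things that matter for a site advertising IPv6: whether the bare domain has any address records at all, and whether the www name resolves, through its CNAME chain, to both A and AAAA. The following is an added example, not part of the thread and not ISOC's or Akamai's code: it follows CNAMEs with a loop and length bound, reports per-name v4/v6 reachability, and turns that into the findings the posters made by hand. The resolver is injected, so the check runs offline here against constructed answers modelled on the dig output in the thread; in production you would pass a function backed by a real resolver (for example dnspython's dns.resolver.resolve, which is an assumption about what you have installed, not something the thread uses).

```python
"""Check a site's apex and www name for A/AAAA reachability, following CNAMEs.

Added example, not from the thread. SAMPLE_ZONE is constructed from the dig
output quoted in the thread; the resolve(name, rtype) callable is injected
so the same checks can be backed by a real resolver. Names carry a trailing
dot throughout, as in dig output.
"""

# Constructed answers: (owner name, rtype) -> list of rdata strings.
SAMPLE_ZONE = {
    ("worldipv6launch.org.", "NS"): ["ns2.he.net.", "ns3.he.net.", "ns4.he.net.", "ns5.he.net."],
    ("worldipv6launch.org.", "A"): [],
    ("worldipv6launch.org.", "AAAA"): [],
    ("www.worldipv6launch.org.", "CNAME"): ["www.worldipv6launch.org.edgesuite.net."],
    ("www.worldipv6launch.org.edgesuite.net.", "CNAME"): ["a1448.dscb.akamai.net."],
    ("a1448.dscb.akamai.net.", "A"): ["58.27.22.162", "58.27.22.163"],
    ("a1448.dscb.akamai.net.", "AAAA"): ["2600:140e:1::3cfe:83ca", "2600:140e:1::3cfe:83d1"],
}


def dict_resolver(zone):
    """Offline resolver: answers only from the constructed table."""
    def resolve(name, rtype):
        return list(zone.get((name, rtype), []))
    return resolve


def resolve_addresses(resolve, name, rtype, max_cnames=8):
    """Follow CNAMEs (bounded, loop-checked) and return (final name, rdata)."""
    seen = []
    for _ in range(max_cnames):
        if name in seen:
            raise ValueError(f"CNAME loop at {name}")
        seen.append(name)
        cnames = resolve(name, "CNAME")
        if cnames:
            name = cnames[0]
            continue
        return name, resolve(name, rtype)
    raise ValueError("CNAME chain too long")


def dual_stack_report(resolve, domain):
    """Per-name A/AAAA results for the apex and the www label."""
    report = {}
    for label in (domain, "www." + domain):
        name = label.rstrip(".") + "."
        _, a = resolve_addresses(resolve, name, "A")
        _, aaaa = resolve_addresses(resolve, name, "AAAA")
        report[label] = {"A": a, "AAAA": aaaa, "has_v4": bool(a), "has_v6": bool(aaaa)}
    return report


def findings(report, domain):
    """Human-readable problems, in the order a reviewer would raise them."""
    out = []
    apex, www = report[domain], report["www." + domain]
    if not apex["has_v4"] and not apex["has_v6"]:
        # An apex cannot be a CNAME (it already owns SOA/NS), so it needs real
        # A/AAAA records pointing at something that serves or redirects.
        out.append(f"{domain}: no A or AAAA at the apex; http://{domain}/ will not resolve")
    if www["has_v4"] and not www["has_v6"]:
        out.append(f"www.{domain}: IPv4 only")
    if www["has_v6"] and not apex["has_v6"]:
        out.append(f"www.{domain} is reachable over IPv6 but the apex is not")
    return out


if __name__ == "__main__":
    rep = dual_stack_report(dict_resolver(SAMPLE_ZONE), "worldipv6launch.org")
    for name, r in rep.items():
        print(f"{name:<28} A={r['A']} AAAA={r['AAAA']}")
    for line in findings(rep, "worldipv6launch.org"):
        print("!", line)
```

The CNAME bound matters more than it looks: a resolver fed a looped or very long chain from a hostile zone should fail fast rather than follow it indefinitely, which is why the chase is capped and loop-checked instead of recursing.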


Re: World IPv6 Launch Day - June 6, 2012

2012-01-18 Thread Owen DeLong

On Jan 18, 2012, at 8:46 AM, Christopher Morrow wrote:

> On Tue, Jan 17, 2012 at 11:38 PM, Shumon Huque  wrote:
>> On Tue, Jan 17, 2012 at 08:17:40PM -0800, Owen DeLong wrote:
>>> Another very sad thing about it:
>>> 
>>> delong-dhcp202:owen (9) ~ % host www.worldipv6launch.org   
>>> 2012/01/16 21:24:21
>>> www.worldipv6launch.org is an alias for 
>>> www.worldipv6launch.org.edgesuite.net.
>>> www.worldipv6launch.org.edgesuite.net is an alias for a1448.b.akamai.net.
>>> a1448.b.akamai.net has address 72.246.53.104
>>> a1448.b.akamai.net has address 72.246.53.8
>>> 
>>> 
>>> I don't seem to be able to get to the site on IPv6.
>>> 
>>> Owen
>> 
>> I heard that it initially had AAAA records. After the site
>> couldn't keep up with the initial load, it was migrated to
>> Akamai's CDN (the DNS records you see now are those), and
>> Akamai doesn't yet offer IPv6 in production, so no IPv6.
> 
> there are places in this world with working v6 at scale the folk
> involved COULD use them.
> (I thought, actually, that akamai's v6 offering was actually
> production, just not wide-spread?)
> 

In fairness, it is up on IPv6 today. I don't know exactly when that
happened, but, kudos to ISOC and Akamai for getting it done
fairly quickly.

>> Akamai does have a trial IPv6 program though - we host IPv6
>> capable Akamai nodes on our campus for example, and a non
>> production version of our university website is using it -
>> so ISOC could try seeing if they could be hosted on that
>> infrastructure.
> 
> My question is when is FiOS going to get v6 natively? could we get the
> engineers there to actually do something as opposed to trials of
> non-production systems that'll never actually get deployed? :)
> 

My understanding is that some areas have native IPv6 on FIOS.

Owen




Re: World IPv6 Launch Day - June 6, 2012

2012-01-18 Thread Shumon Huque
On Wed, Jan 18, 2012 at 11:46:24AM -0500, Christopher Morrow wrote:
> On Tue, Jan 17, 2012 at 11:38 PM, Shumon Huque  wrote:
> >
> > I heard that it initially had  records. After the site
> > couldn't keep up with the initial load, it was migrated to
> > Akamai's CDN (the DNS records you see now are those), and
> > Akamai doesn't yet offer IPv6 in production, so no IPv6.
> 
> there are places in this world with working v6 at scale the folk
> involved COULD use them.
> (I thought, actually, that akamai's v6 offering was actually
> production, just not wide-spread?)

Not sure - our Akamai support people have so far not told us
that it's production ready (we ask periodically; maybe we aren't
talking to the right people). And thus far, they haven't 
permitted us to point the www.upenn.edu AAAA record to Akamai.
A non production name (ipv6.upenn.edu) mirroring the same
content does have a AAAA to Akamai though.

But, checking www.worldipv6launch.org just now shows that it
has IPv6 records now:

;; QUESTION SECTION:
;www.worldipv6launch.org.   IN  AAAA

;; ANSWER SECTION:
www.worldipv6launch.org. 297IN  CNAME   
www.worldipv6launch.org.edgesuite.net.
www.worldipv6launch.org.edgesuite.net. 6167 IN CNAME a1448.dscb.akamai.net.
a1448.dscb.akamai.net.  20  IN  AAAA    2001:590:1:400::451f:4859
a1448.dscb.akamai.net.  20  IN  AAAA    2001:590:1:400::451f:4868

-- 
Shumon Huque
University of Pennsylvania.



Re: accessing multiple devices via a script

2012-01-18 Thread chip
Like many others on here, I utilize rancid's set of scripts to handle
all the different platform's quirks for access.  I then wrap that
inside a perl script that can do things in parallel.  I'm no developer
by any stretch of the imagination but I can poke around in perl badly
enough to write some tools.  One perl module I've come across is
Parallel::Fork::BossWorkerAsync.  Using this module makes it
incredibly easy to run many instances in parallel while each
instance is just a bit different and then can gather data back from
each session.  Using some form of parallelization can significantly
decrease the amount of time things take.  I hope you find it as useful
as I have.

http://search.cpan.org/~jvannucci/Parallel-Fork-BossWorkerAsync-0.06/lib/Parallel/Fork/BossWorkerAsync.pm

Good Luck!

--chip

On Sun, Jan 15, 2012 at 12:52 PM, Abdullah Al-Malki
 wrote:
> Hi fellows,
> I am supporting a big service provider and sometimes I face this problem.
> Sometimes I want to access my customer network and want to extract some
> verification output "show commands" from a large number of devices.
>
> What kind of scripting solutions are you guys using in this case?
>
> Appreciate the feedback,
> Abdullah



-- 
Just my $.02, your mileage may vary,  batteries not included, etc
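The pattern chip describes is a boss/worker fan-out: one session per device, run in parallel, results gathered back per session. The following is an added example, not chip's Perl wrapper and not rancid code: a Python equivalent built on the standard library's thread pool that isolates failures per device and bounds how long the collector waits for each one. The device transport is injected, so it runs offline here against a constructed fake; in production you would pass a function that opens an SSH session (a wrapper around paramiko or netmiko, for instance, which is an assumption about tooling rather than anything the thread names). Device names and outputs are made up.

```python
"""Fan out 'show' commands to many devices in parallel with per-device
error isolation and a wait bound. Added example, not from the thread.

run_command(device, cmd) -> str is the injected transport. fake_transport is
a constructed stand-in so the example runs offline.
"""
import time
from concurrent.futures import ThreadPoolExecutor, TimeoutError as FutureTimeout


def collect(devices, commands, run_command, max_workers=8, timeout_s=30):
    """Return {device: {"ok": bool, "output": {cmd: text} | None, "error": str | None}}.

    One worker per device; a device that raises or exceeds timeout_s is
    recorded as failed and does not stop the others. Note that Python cannot
    kill a thread, so a timed-out session keeps running until the transport's
    own socket timeout fires; set one on the transport, not only here.
    """
    def one(device):
        return {cmd: run_command(device, cmd) for cmd in commands}

    results = {}
    with ThreadPoolExecutor(max_workers=max_workers) as pool:
        futures = {device: pool.submit(one, device) for device in devices}
        for device, fut in futures.items():
            try:
                results[device] = {"ok": True, "output": fut.result(timeout=timeout_s), "error": None}
            except FutureTimeout:
                results[device] = {"ok": False, "output": None, "error": "timeout"}
            except Exception as exc:  # auth failure, unreachable, transport bug
                results[device] = {"ok": False, "output": None,
                                   "error": f"{type(exc).__name__}: {exc}"}
    return results


def fake_transport(device, cmd):
    """Constructed stand-in for an SSH session. rtr3 fails auth, rtr4 hangs."""
    if device == "rtr3.example.net":
        raise ConnectionError("auth failed")
    if device == "rtr4.example.net":
        time.sleep(1.0)
    return f"{device}# {cmd}\n(constructed output)"


if __name__ == "__main__":
    devices = ["rtr1.example.net", "rtr2.example.net", "rtr3.example.net", "rtr4.example.net"]
    res = collect(devices, ["show version", "show ip bgp summary"], fake_transport, timeout_s=0.2)
    for device, r in res.items():
        status = "ok" if r["ok"] else f"FAILED ({r['error']})"
        print(f"{device:<18} {status}")
```

Keep credentials out of the script itself: the transport should read them from an agent, keyring or vault at call time, and the per-device result dictionary is what you log, so a failure on one box shows up as a named error rather than a traceback that aborts the whole run.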



Re: World IPv6 Launch Day - June 6, 2012

2012-01-18 Thread Christopher Morrow
On Tue, Jan 17, 2012 at 11:38 PM, Shumon Huque  wrote:
> On Tue, Jan 17, 2012 at 08:17:40PM -0800, Owen DeLong wrote:
>> Another very sad thing about it:
>>
>> delong-dhcp202:owen (9) ~ % host www.worldipv6launch.org                   
>> 2012/01/16 21:24:21
>> www.worldipv6launch.org is an alias for 
>> www.worldipv6launch.org.edgesuite.net.
>> www.worldipv6launch.org.edgesuite.net is an alias for a1448.b.akamai.net.
>> a1448.b.akamai.net has address 72.246.53.104
>> a1448.b.akamai.net has address 72.246.53.8
>>
>>
>> I don't seem to be able to get to the site on IPv6.
>>
>> Owen
>
> I heard that it initially had AAAA records. After the site
> couldn't keep up with the initial load, it was migrated to
> Akamai's CDN (the DNS records you see now are those), and
> Akamai doesn't yet offer IPv6 in production, so no IPv6.

there are places in this world with working v6 at scale the folk
involved COULD use them.
(I thought, actually, that akamai's v6 offering was actually
production, just not wide-spread?)

> Akamai does have a trial IPv6 program though - we host IPv6
> capable Akamai nodes on our campus for example, and a non
> production version of our university website is using it -
> so ISOC could try seeing if they could be hosted on that
> infrastructure.

My question is when is FiOS going to get v6 natively? could we get the
engineers there to actually do something as opposed to trials of
non-production systems that'll never actually get deployed? :)

-chris

>
> --
> Shumon Huque
> University of Pennsylvania.
>



Re: DNS Attacks

2012-01-18 Thread Christopher Morrow
On Wed, Jan 18, 2012 at 11:34 AM, Steven Bellovin  wrote:
>
> On Jan 18, 2012, at 10:41 30AM, Christopher Morrow wrote:
>
>> On Wed, Jan 18, 2012 at 10:05 AM, Nick Hilliard  wrote:
>>> On 18/01/2012 14:18, Leigh Porter wrote:
 Yeah like I say, it wasn't my idea to put DNS behind firewalls. As long
 as it is not *my* firewalls I really don't care what they do ;-)
>>>
>>> As you're posting here, it looks like it's become your problem. :-D
>>>
>>> Seriously, though, there is no value to maintaining state for DNS queries.
>>>  You would be much better off to put your firewall production interfaces on
>>> a routed port on a hardware router so that you can implement ASIC packet
>>> filtering.  This will operate at wire speed without dumping you into the
>>> colloquial poo every time someone decides to take out your critical
>>> infrastructure.
>>
>> I get the feeling that leigh had implemented this against his own
>> advice for a client... that he's onboard with 'putting a firewall in
>> front of a dns server is dumb' meme...
>
> In principle, this is certainly correct (and I've often said the same thing
> about web servers); in practice, though, a lot depends on the specs.  For
> example: can the firewall discard useless requests more quickly?  Does it do
> a better job of discarding malformed packets?  Is the vendor better about
> supplying patches to new vulnerabilities?  Can it do a better job filtering
> on source IP address?  Does it do load-balancing?  Are there other services
> on the same server IP address that do require stateful filtering?


yup... I think roland and nick (he can correct me, roland I KNOW is
saying this) are basically saying:

permit tcp any any eq 80
permit tcp any any eq 443
deny ip any any

is far, far better than state management in a firewall. Anything more
complex and your firewall fails long before the 7206's
interface/filter will :( Some folks would say you'd be better off
doing some LB/filtering-in-software behind said router interface
filter, I can't argue with that.

> As I said, most of the time a dedicated DNS appliance doesn't benefit from
> firewall protection.  Occasionally, though, it might.

I suspect the cases where it MAY benefit are the 'lower packet rate,
ping-o-death-type' attacks only though. Essentially 'use a proxy to
remove unknown cruft' as a frontend to your more complex dns/web
answering system, eh?

under load though, high pps rate attacks/instances (victoria secret
fashion-show sorts of things) your firewall/proxy is likely to die
before the backend does ;(

-chris

>
>                --Steve Bellovin, https://www.cs.columbia.edu/~smb
>
>
>
>
>
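The thread's position is that a stateless ACL on the router interface (the permit/deny lines Chris quotes) survives a high-pps attack that a stateful firewall in front of a DNS server will not. What the ACL cannot do on its own is tell you who to deny, and that part is the operator's job. The following is an added example, not from the thread: it runs a sliding-window rate check over BIND-style query log lines, flags sources that cross a per-window threshold (and reports how much of their traffic is ANY, the query type amplification floods favour), and renders the result as an interface ACL in the same Cisco syntax as the thread, with DNS rather than HTTP ports. The log format is modelled on BIND 9's querylog and the lines are constructed; thresholds and the ACL name are illustrative. One caveat a practitioner should keep in mind: UDP query floods are often source-spoofed, so a per-source deny helps against a chatty real client and does nothing against a spoofed one; that is where the capacity argument in the thread takes over.

```python
"""Flag abusive DNS query sources from querylog lines and render a stateless
edge ACL. Added example, not from the thread.

SAMPLE_LOG is constructed in the shape of BIND 9 querylog output; the
regex also tolerates the 'queries: info:' category prefix and the '@0x...'
client pointer newer versions print. Thresholds are illustrative.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

LOG_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2})\.\d+ "
    r"(?:queries: info: )?client (?:@0x[0-9a-f]+ )?(?P<ip>[0-9a-fA-F.:]+)#\d+"
    r"(?: \([^)]*\))?: query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)

# Constructed: three ordinary clients plus sixty ANY queries from one source
# inside six seconds.
SAMPLE_LOG = [
    "18-Jan-2012 11:43:00.010 client 192.0.2.10#53211: query: www.example.net IN A +",
    "18-Jan-2012 11:43:00.450 client 2001:db8::10#40100: query: www.example.net IN AAAA +",
    "18-Jan-2012 11:43:03.200 client 192.0.2.11#51000: query: mail.example.net IN MX +",
] + [
    f"18-Jan-2012 11:43:{i // 10:02d}.{i % 10}00 client 198.51.100.7#4{i:04d}: "
    f"query: example.net IN ANY +E"
    for i in range(60)
]


def parse(line):
    """(timestamp, source ip, qname, qtype) or None for lines that are not queries."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d-%b-%Y %H:%M:%S")
    return ts, m["ip"], m["qname"], m["qtype"]


def flag_sources(lines, window_s=10, threshold=50):
    """Sliding-window rate check per source.

    A source is flagged the first time it has >= threshold queries within
    window_s seconds; the record keeps the window size at that moment and
    the fraction of ANY queries in it.
    """
    windows = defaultdict(deque)
    flagged = {}
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        ts, ip, _, qtype = rec
        q = windows[ip]
        q.append((ts, qtype))
        while q and (ts - q[0][0]).total_seconds() > window_s:
            q.popleft()
        if len(q) >= threshold and ip not in flagged:
            any_count = sum(1 for _, t in q if t == "ANY")
            flagged[ip] = {"queries_in_window": len(q),
                           "any_fraction": any_count / len(q)}
    return flagged


def render_acl(flagged, name="DNS-EDGE-IN"):
    """Inbound interface ACL in the thread's style, for an authoritative server.

    A recursive resolver would additionally need replies to its own queries
    (source port 53 from anywhere) permitted, since there is no state table.
    """
    lines = [f"ip access-list extended {name}"]
    for ip in sorted(flagged):
        lines.append(f" deny udp host {ip} any eq domain")
        lines.append(f" deny tcp host {ip} any eq domain")
    lines += [" permit udp any any eq domain",
              " permit tcp any any eq domain",
              " deny ip any any"]
    return lines


if __name__ == "__main__":
    hits = flag_sources(SAMPLE_LOG)
    for ip, info in hits.items():
        print(f"{ip}: {info['queries_in_window']} queries, ANY fraction {info['any_fraction']:.2f}")
    print("\n".join(render_acl(hits)))
```

The IPv6 client in the sample is there on purpose: an ACL generator that only understands dotted quads will silently skip v6 sources, and the "permit any" lines above are IPv4 only, so the same treatment has to be repeated in an ipv6 access-list for a dual-stacked server.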



Re: DNS Attacks

2012-01-18 Thread Steven Bellovin

On Jan 18, 2012, at 10:41 30AM, Christopher Morrow wrote:

> On Wed, Jan 18, 2012 at 10:05 AM, Nick Hilliard  wrote:
>> On 18/01/2012 14:18, Leigh Porter wrote:
>>> Yeah like I say, it wasn't my idea to put DNS behind firewalls. As long
>>> as it is not *my* firewalls I really don't care what they do ;-)
>> 
>> As you're posting here, it looks like it's become your problem. :-D
>> 
>> Seriously, though, there is no value to maintaining state for DNS queries.
>>  You would be much better off to put your firewall production interfaces on
>> a routed port on a hardware router so that you can implement ASIC packet
>> filtering.  This will operate at wire speed without dumping you into the
>> colloquial poo every time someone decides to take out your critical
>> infrastructure.
> 
> I get the feeling that leigh had implemented this against his own
> advice for a client... that he's onboard with 'putting a firewall in
> front of a dns server is dumb' meme...

In principle, this is certainly correct (and I've often said the same thing
about web servers); in practice, though, a lot depends on the specs.  For
example: can the firewall discard useless requests more quickly?  Does it do
a better job of discarding malformed packets?  Is the vendor better about
supplying patches to new vulnerabilities?  Can it do a better job filtering
on source IP address?  Does it do load-balancing?  Are there other services
on the same server IP address that do require stateful filtering?

As I said, most of the time a dedicated DNS appliance doesn't benefit from
firewall protection.  Occasionally, though, it might.


--Steve Bellovin, https://www.cs.columbia.edu/~smb








Re: DNS Attacks

2012-01-18 Thread Christopher Morrow
On Wed, Jan 18, 2012 at 10:05 AM, Nick Hilliard  wrote:
> On 18/01/2012 14:18, Leigh Porter wrote:
>> Yeah like I say, it wasn't my idea to put DNS behind firewalls. As long
>> as it is not *my* firewalls I really don't care what they do ;-)
>
> As you're posting here, it looks like it's become your problem. :-D
>
> Seriously, though, there is no value to maintaining state for DNS queries.
>  You would be much better off to put your firewall production interfaces on
> a routed port on a hardware router so that you can implement ASIC packet
> filtering.  This will operate at wire speed without dumping you into the
> colloquial poo every time someone decides to take out your critical
> infrastructure.

I get the feeling that Leigh had implemented this against his own
advice for a client... that he's on board with the 'putting a firewall in
front of a DNS server is dumb' meme...



Re: DNS Attacks

2012-01-18 Thread Nick Hilliard
On 18/01/2012 14:18, Leigh Porter wrote:
> Yeah like I say, it wasn't my idea to put DNS behind firewalls. As long
> as it is not *my* firewalls I really don't care what they do ;-)

As you're posting here, it looks like it's become your problem. :-D

Seriously, though, there is no value to maintaining state for DNS queries.
 You would be much better off to put your firewall production interfaces on
a routed port on a hardware router so that you can implement ASIC packet
filtering.  This will operate at wire speed without dumping you into the
colloquial poo every time someone decides to take out your critical
infrastructure.

Nick




Re: ANNOUNCE: bgptables.merit.edu - understanding visibility of your prefix/AS

2012-01-18 Thread Robert Kisteleki

On 2012.01.18. 15:22, Arturo Servin wrote:
> 
>   For example for any given prefix to get which ASNs have originated that 
> prefix over time and when.
> 
>   I think that could be interesting for discovering if a prefix has been 
> hijacked in the past.
> 
>   RIS from RIPE NCC provides something like this:
> 
> http://www.ripe.net/data-tools/stats/ris/routing-information-service
> 
>   We have used it to verify some "suspicious" announcements of prefixes. 
> 
> Regards,
> as

One can also try RIPEstat for this: http://stat.ripe.net/

Amongst other modules it gives full (~10 year) BGP history for prefixes.

(Disclaimer: our team is working on this tool.)

Robert





Re: ANNOUNCE: bgptables.merit.edu - understanding visibility of your prefix/AS

2012-01-18 Thread Arturo Servin

For example for any given prefix to get which ASNs have originated that 
prefix over time and when.

I think that could be interesting for discovering if a prefix has been 
hijacked in the past.

RIS from RIPE NCC provides something like this:

http://www.ripe.net/data-tools/stats/ris/routing-information-service

We have used it to verify some "suspicious" announcements of prefixes. 

Regards,
as

On 17 Jan 2012, at 19:52, Manish Karir wrote:

> 
> Hi Arturo,
> 
> We could easily archive older copies of the database when we update the data,
> but I think our issue right now is that we don't fully understand how to add
> the notion of time to the user interface and we don't understand how folks
> might want to use it.  Do you have a simple use case description of an example
> which might help us figure out how the notion of time can help answer a
> question?  What would be an example of a query that uses time?
> 
> Thanks.
> -manish
> 
> 
> On Jan 16, 2012, at 12:53 PM, Arturo Servin wrote:
> 
>> Manish,
>> 
>>  Nice tool.
>> 
>>  Is it possible to see the "history" of a prefix?
>> 
>> 
>> Regards,
>> .as
>> 
>>  
>>  
>> On 13 Jan 2012, at 18:19, Manish Karir wrote:
>> 
>>> 
>>> All,
>>> 
>>> We would like to announce the availability of the bgpTables Project at 
>>> Merit at: http://bgptables.merit.edu
>>> bgpTables allows users to easily navigate global routing table data 
>>> collected via routeviews.org.  bgptables essentially processes the data 
>>> collected at routeviews and makes it available in a somewhat easier
>>> to use interface. The goal of bgpTables is to represent global prefix and 
>>> AS visibility information from the
>>> vantage point of the various bgp table views as seen at routeviews. 
>>> The data is currently updated nightly (EST) but we hope to improve this 
>>> over time. 
>>> Please see the FAQ (http://bgptables.merit.edu/faq.php) for some simple 
>>> examples of how you can use bgpTables.
>>> 
>>> Some examples:
>>> - You can query for a specific ASN by entering the text 'as' followed by 
>>> the AS number into the search box. For example to query for information 
>>> about AS 237 you would enter 'as237' [without quotation marks] into the 
>>> search box and then click 'search'. You can then use the view navigator map 
>>> to switch to different routing table views for this ASN
>>> 
>>> - You can query for a specific prefix by directly entering the prefix into 
>>> the search box. For example to query for information about prefix 
>>> 12.0.0.0/8 you would simply enter '12.0.0.0/8' [without quotation marks] 
>>> into the search box and then click 'search'. You can then use the view 
>>> navigator map to switch to different routing table views for the prefix.
>>> 
>>> - You can find a particular prefix that you might be interested in by 
>>> running a 'contained within' query via the search box. For example to 
>>> quickly browse a list of prefixes contained within 1.0.0.0/8 to find the 
>>> particular prefix you might be interested in, you can enter the text 
>>> 'cw1.0.0.0/8' [without quotation marks] into the search box and click 
>>> 'search'. You can then browse the resulting table to select the particular 
>>> prefix you might be interested in.
>>> 
>>> - You can simply enter the text 'as' followed by the company name into the 
>>> search box then click search to view a list of possible matches for that 
>>> text. For example, to view all matching google ASNs you can simply enter 
>>> 'asgoogle' into the search box and click search. A list of possible 
>>> matching ASNs that reference Google by name will be returned, from which you 
>>> can then select the particular ASN that is of interest to you.
>>> 
>>> 
>>> Comments, corrections, and suggestions are very welcome.  Please send them 
>>> to mka...@merit.edu.  Hopefully folks will find this useful.
>>> 
>>> Thanks.
>>> -The Merit Network Research and Development Team
>>> 
>> 
> 



RE: DNS Attacks

2012-01-18 Thread Leigh Porter


Yeah like I say, it wasn't my idea to put DNS behind firewalls. As long as it 
is not *my* firewalls I really don't care what they do ;-)

--
Leigh Porter


> -Original Message-
> From: Dennis [mailto:den...@justipit.com]
> Sent: 18 January 2012 12:55
> To: Leigh Porter; toor
> Cc: nanog@nanog.org
> Subject: Re: DNS Attacks
> 
> I agree with Roland on the firewall placement.  I add that the attack
> would have likely succeeded in exhausting the servers.  There is a lot of
> recent ddos activity on DNS with what looks like legitimate queries.
> You should also look at some DOS/ application level protections;
> Radware and Arbor top the list.
> 
> 
> Leigh Porter  wrote:
> 
> >
> >
> >On 18 Jan 2012, at 05:06, "toor"  wrote:
> >
> >> Hi list,
> >>
> >> I am wondering if anyone else has seen a large amount of DNS queries
> >> coming from various IP ranges in China. I have been trying to find a
> >> pattern in the attacks but so far I have come up blank. I am completely
> >> guessing these are possibly DNS amplification attacks but I am not
> >> sure. Usually what I see is this:
> >>
> >
> >At various seemingly random times over the past week I have had a DNS
> >which is behind a firewall come under attack. The firewall is
> >significant because the attacks killed the firewall as it is rather
> >under specified (not my idea..).
> >
> >It did originate from Chinese address space and consisted of DNS
> >queries for lots of hosts. There was also a port-scan in the traffic
> >and a SYN attack on a few hosts on the same small subnet as the DNS, a
> >web server and an open SSH port.
> >
> >--
> >Leigh Porter
> >
> >
> >__
> >This email has been scanned by the Symantec Email Security.cloud
> service.
> >For more information please visit http://www.symanteccloud.com
> >__
> >
> >
> 



RE: DNS Attacks

2012-01-18 Thread Drew Weaver
We ran into a 25Gbps SNMP 'reply/amplification attack' from a cable modem 
network about a month ago.

Hopefully the particular network has fixed that issue now, but it was a banner 
day to be sure.

Thanks,
-Drew


-Original Message-
From: virendra rode [mailto:virendra.r...@gmail.com] 
Sent: Wednesday, January 18, 2012 8:58 AM
To: nanog@nanog.org
Subject: Re: DNS Attacks

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Hi -

We've been victims of these attacks many times and more recently towards our 
customer DNS servers, which was rated at ~ 4gbps for a duration of 30mins.

Tracking the source of an attack is simplified when the source is more likely 
to be "valid".

The nature of these attacks for us was a combination of amplification and 
spoofed; however, implementing anti-spoofing (uRPF), especially BCP38, is a good 
idea. Not saying it's a fix, but certainly the attack methodology will 
significantly lessen.

As Matt Katz rightly put it, "Distributed denial of service can only be 
solved with distributed delivery of service".


regards,
/virendra

On 01/17/2012 09:04 PM, toor wrote:
> Hi list,
> 
> I am wondering if anyone else has seen a large amount of DNS queries 
> coming from various IP ranges in China. I have been trying to find a 
> pattern in the attacks but so far I have come up blank. I am completely 
> guessing these are possibly DNS amplification attacks but I am not 
> sure. Usually what I see is this:
> 
> - Attacks most commonly between the hours of 4AM-4PM UTC
> - DNS queries appear to be for real domains that the DNS servers in 
> question are authoritative for (I can't really see any pattern there, 
> there are about 150,000 zones on the servers in question)
> - From a range of IPs there will be an attack for approximately 5-10 
> minutes before stopping and then a break of 30 minutes or so before 
> another attack from a different IP range
> - Every IP range has been from China
> 
> I have limited the number of queries that can be done to mitigate this 
> but it's messing up my pretty netflow graphs due to the spikes in 
> flows/packets being sent.
> 
> Does anyone have any ideas what the reasoning behind this could be? I 
> would also be interested to hear from anyone else experiencing this 
> too.
> 
> I can provide IP ranges from where I am seeing the issue but it does 
> vary a lot between the attacks with the only pattern every time being 
> the source address is located in China. I read a thread earlier, 
> http://seclists.org/nanog/2011/Nov/920, which sounds like the exact 
> thing I am seeing.
> 
> Thanks
> 
> 
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iF4EAREIAAYFAk8Wz9YACgkQ3HuimOHfh+EupAD+MkS8Z0+j1D53txQTqMOVDRWe
vve+Ov/im9y87mEqxhsA/0IJKkntI8w11QTMZGgbw55A4V4VQvj7WchKnMNKaT2L
=HsEg
-----END PGP SIGNATURE-----
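The anti-spoofing point quoted above (uRPF, BCP38) is the ingress check that makes reflection and amplification attacks harder to launch, because a reflected attack needs packets carrying the victim's address as the source. The following is an added example, not code from anyone on this thread, of the two uRPF modes as a router would apply them: a longest-prefix FIB lookup, a strict check that the reverse path points back out the arrival interface, and a loose check that only requires some non-default route to exist. The FIB, the interface names and the sample packets are constructed for the example.

```python
import ipaddress

# Constructed forwarding table: (prefix, interface the route points out of).
# A router derives this from its RIB; the prefixes are documentation ranges and
# the interface names are assumptions for this example.
FIB = [
    ("0.0.0.0/0", "upstream0"),        # default route towards transit
    ("192.0.2.0/24", "cust-a"),        # customer A's assigned block
    ("198.51.100.0/24", "cust-b"),     # customer B's assigned block
    ("198.51.100.128/25", "cust-b2"),  # more specific: customer B's second link
    ("203.0.113.0/24", "peer0"),       # a peer's block learned over BGP
]


def lpm(fib, addr):
    """Longest-prefix match: return (network, interface) for addr, or None."""
    ip = ipaddress.ip_address(addr)
    best = None
    for prefix, ifname in fib:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, ifname)
    return best


def urpf_strict(fib, src, in_if):
    """Strict uRPF (the usual BCP38 ingress check on a customer edge):
    accept the packet only if the best route back to its source address
    leaves via the interface the packet arrived on."""
    match = lpm(fib, src)
    return match is not None and match[1] == in_if


def urpf_loose(fib, src):
    """Loose uRPF: accept if any route to the source exists, ignoring the
    default route. Weaker than strict, but safe with asymmetric routing;
    it still discards bogon/unrouted sources."""
    match = lpm(fib, src)
    return match is not None and match[0].prefixlen > 0


def audit(fib, packets):
    """Evaluate (src, in_if) pairs under both modes; returns one dict per packet."""
    return [
        {"src": src, "in_if": in_if,
         "strict": urpf_strict(fib, src, in_if),
         "loose": urpf_loose(fib, src)}
        for src, in_if in packets
    ]


# Constructed ingress packets: (source address, arrival interface).
SAMPLE_PACKETS = [
    ("192.0.2.10", "cust-a"),       # customer A using its own space: legitimate
    ("203.0.113.5", "cust-a"),      # customer A emitting a peer's address: spoofed
    ("10.1.2.3", "cust-a"),         # RFC 1918 source with no route at all
    ("198.51.100.200", "cust-b"),   # customer B, but the best route is its other link
    ("198.51.100.200", "cust-b2"),  # same source on the link the FIB expects
]

if __name__ == "__main__":
    for row in audit(FIB, SAMPLE_PACKETS):
        print(row)
```

The fourth sample packet is the classic caveat: strict mode drops a legitimate customer source because the more specific route points out a different link. That is why strict uRPF is applied on single-homed customer ports, while multihomed or asymmetric ports get loose mode or an explicit per-customer ingress ACL listing the prefixes they are allowed to source.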




Re: bgp question

2012-01-18 Thread Deric Kwok
Hi Justin

Thank you

Could you tell me more about "routing registries"?

I would like to learn it.

2nd question: Are you familiar with quagga?

Does it support equal multipath in different BGP connections?

Thank you so much

On Tue, Jan 10, 2012 at 7:58 PM, Justin M. Streiner
 wrote:
> On Tue, 10 Jan 2012, Deric Kwok wrote:
>
>> When we get a new IP range, we should let the upstream know to export it, as
>> there should be a rule on their side.
>
>
> Correct.  Ideally, two things happen:
> 1. You tell your upstreams and peers about the new space, and they update
> whatever prefix filters they have in place for your network.
> 2. You update your own outbound BGP filters wherever necessary so that you
> can announce the new prefix, aggregated to the extent possible, when you're
> ready.
>
>
>> How about the upstream provider, do they need to let all their BGP
>> interconnects know about our new IP range?
>
>
> They might.  It depends on the relationship your upstreams have with their
> neighbors.  Different providers have different criteria for what they'll
> accept and how they manage their filters.
>
> If your upstreams need to have their upstreams and/or peers update their BGP
> filters, it is their responsibility to notify them.  Note that this can add
> to the amount of time it will take before your direct upstreams are ready to
> accept and propagate your new prefix.
>
> Some providers might require that your new prefix be registered in one of
> several routing registries, and they'll update their filters based on your
> new registry data.
>
> jms
>



Re: DNS Attacks

2012-01-18 Thread virendra rode
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Hi -

We've been victims of these attacks many times and more recently
towards our customer DNS servers, which was rated at ~ 4gbps for a
duration of 30mins.

Tracking the source of an attack is simplified when the source is more
likely to be "valid".

The nature of these attacks for us was a combination of amplification
and spoofed; however, implementing anti-spoofing (uRPF), especially BCP38,
is a good idea. Not saying it's a fix, but certainly the attack methodology
will significantly lessen.

As Matt Katz rightly put it, "Distributed denial of service can only
be solved with distributed delivery of service".


regards,
/virendra

On 01/17/2012 09:04 PM, toor wrote:
> Hi list,
> 
> I am wondering if anyone else has seen a large amount of DNS queries
> coming from various IP ranges in China. I have been trying to find a
> pattern in the attacks but so far I have come up blank. I am completely
> guessing these are possibly DNS amplification attacks but I am not
> sure. Usually what I see is this:
> 
> - Attacks most commonly between the hours of 4AM-4PM UTC
> - DNS queries appear to be for real domains that the DNS servers in
> question are authoritative for (I can't really see any pattern there,
> there are about 150,000 zones on the servers in question)
> - From a range of IPs there will be an attack for approximately 5-10
> minutes before stopping and then a break of 30 minutes or so before
> another attack from a different IP range
> - Every IP range has been from China
> 
> I have limited the number of queries that can be done to mitigate this
> but it's messing up my pretty netflow graphs due to the spikes in
> flows/packets being sent.
> 
> Does anyone have any ideas what the reasoning behind this could be? I
> would also be interested to hear from anyone else experiencing this
> too.
> 
> I can provide IP ranges from where I am seeing the issue but it does
> vary a lot between the attacks with the only pattern every time being
> the source address is located in China. I read a thread earlier,
> http://seclists.org/nanog/2011/Nov/920, which sounds like the exact
> thing I am seeing.
> 
> Thanks
> 
> 
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iF4EAREIAAYFAk8Wz9YACgkQ3HuimOHfh+EupAD+MkS8Z0+j1D53txQTqMOVDRWe
vve+Ov/im9y87mEqxhsA/0IJKkntI8w11QTMZGgbw55A4V4VQvj7WchKnMNKaT2L
=HsEg
-----END PGP SIGNATURE-----
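toor's description quoted above (bursts of legitimate-looking queries from one range for 5-10 minutes, a gap of roughly 30 minutes, then another range) is a pattern that can be pulled out of an authoritative server's query log rather than only noticed as spikes on a netflow graph. The following is an added example, not code from anyone on this list, that buckets queries by source /24 and minute, flags buckets above a per-/24 rate, and merges consecutive flagged minutes of one range into an attack window with a start time, duration, query count and distinct-name count (a high distinct-name count is the "real domains we are authoritative for" signal from the post). The log line format, the threshold and the sample traffic are all constructed for the example.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Queries per minute from a single /24 above which a bucket is flagged.
# The value is an assumption; tune it against your own baseline.
QPM_THRESHOLD = 200

TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


def parse_line(line):
    """Parse one constructed log line: '<ISO8601 UTC> <src-ip> <qname> <qtype>'."""
    ts, src, qname, qtype = line.split()
    when = datetime.strptime(ts, TS_FMT).replace(tzinfo=timezone.utc)
    return when, ipaddress.ip_address(src), qname, qtype


def detect_bursts(lines, threshold=QPM_THRESHOLD):
    """Bucket queries by (source /24, minute); flag buckets over the threshold
    and merge consecutive flagged minutes of one /24 into an attack window."""
    counts = defaultdict(int)
    qnames = defaultdict(set)
    for line in lines:
        when, src, qname, _ = parse_line(line)
        pfx = ipaddress.ip_network(f"{src}/24", strict=False)
        key = (pfx, when.replace(second=0, microsecond=0))
        counts[key] += 1
        qnames[key].add(qname)

    flagged = defaultdict(list)
    for (pfx, minute), n in counts.items():
        if n > threshold:
            flagged[pfx].append(minute)

    windows = []
    for pfx, minutes in flagged.items():
        for minute in sorted(minutes):
            last = windows[-1] if windows else None
            if last and last["prefix"] == pfx and minute - last["end"] == timedelta(minutes=1):
                last["end"] = minute
                last["queries"] += counts[(pfx, minute)]
                last["qnames"] |= qnames[(pfx, minute)]
            else:
                windows.append({"prefix": pfx, "start": minute, "end": minute,
                                "queries": counts[(pfx, minute)],
                                "qnames": set(qnames[(pfx, minute)])})
    windows.sort(key=lambda w: w["start"])
    return windows


def summarize(windows):
    """Flatten windows to plain values for a report or an alert."""
    return [{
        "prefix": str(w["prefix"]),
        "start": w["start"].strftime(TS_FMT),
        "minutes": int((w["end"] - w["start"]).total_seconds() // 60) + 1,
        "queries": w["queries"],
        "distinct_qnames": len(w["qnames"]),
    } for w in windows]


def constructed_log():
    """Constructed sample: an hour of low background traffic plus two bursts
    shaped like the pattern described in the thread (several minutes from one
    range, a ~30 minute gap, then a different range)."""
    t0 = datetime(2012, 1, 18, 4, 0, 0, tzinfo=timezone.utc)
    lines = []

    def emit(minute, i, src, qname):
        when = t0 + timedelta(minutes=minute, seconds=i % 60)
        lines.append(f"{when.strftime(TS_FMT)} {src} {qname} A")

    for m in range(60):                    # ordinary traffic: 20 qpm from one /24
        for i in range(20):
            emit(m, i, f"192.0.2.{(m * 7 + i) % 254 + 1}", f"host{i}.example")
    for m in range(0, 6):                  # burst 1: 6 minutes at 300 qpm
        for i in range(300):
            emit(m, i, f"203.0.113.{i % 254 + 1}", f"zone{i % 50}.example")
    for m in range(36, 41):                # burst 2: 30 min later, 5 minutes at 250 qpm
        for i in range(250):
            emit(m, i, f"198.51.100.{i % 254 + 1}", f"zone{i % 40}.example")
    return lines


if __name__ == "__main__":
    for w in summarize(detect_bursts(constructed_log())):
        print(w)
```

Aggregating by /24 rather than by host is deliberate: the post says the sources rotate within a range, so per-host counters stay below any sensible threshold while the range as a whole does not. The same windows feed a per-prefix rate limit at the router ACL rather than at a stateful firewall, which is the mitigation the rest of the thread argues for.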



Re: DNS Attacks

2012-01-18 Thread Dennis
I agree with Roland on the firewall placement.  I add that the attack would 
have likely succeeded in exhausting the servers.  There is a lot of recent ddos 
activity on DNS with what looks like legitimate queries.   You should also look 
at some DOS/ application level protections; Radware and Arbor top the list.


Leigh Porter  wrote:

>
>
>On 18 Jan 2012, at 05:06, "toor"  wrote:
>
>> Hi list,
>> 
>> I am wondering if anyone else has seen a large amount of DNS queries
>> coming from various IP ranges in China. I have been trying to find a
>> pattern in the attacks but so far I have come up blank. I am completely
>> guessing these are possibly DNS amplification attacks but I am not
>> sure. Usually what I see is this:
>> 
>
>At various seemingly random times over the past week I have had a DNS which is 
>behind a firewall come under attack. The firewall is significant because the 
>attacks killed the firewall as it is rather under specified (not my idea..).
>
>It did originate from Chinese address space and consisted of DNS queries for 
>lots of hosts. There was also a port-scan in the traffic and a SYN attack on a 
>few hosts on the same small subnet as the DNS, a web server and an open SSH 
>port.
>
>-- 
>Leigh Porter
>
>
>
>


Re: DNS Attacks

2012-01-18 Thread Joel jaeggli
On 1/17/12 23:45 , Leigh Porter wrote:
> 
> 
> On 18 Jan 2012, at 05:06, "toor"  wrote:
> 
>> Hi list,
>> 
>> I am wondering if anyone else has seen a large amount of DNS
>> queries coming from various IP ranges in China. I have been trying
>> to find a pattern in the attacks but so far I have come up blank. I
>> am completely guessing these are possibly DNS amplification attacks
>> but I am not sure. Usually what I see is this:
>> 
> 
> At various seemingly random times over the past week I have had a DNS
> which is behind a firewall come under attack. The firewall is
> significant because the attacks killed the firewall as it is rather
> under specified (not my idea..).

Given that the pps rate and the cps rate of DNS requests are rather
similar, one expects the value of inspecting unsolicited queries to your
nameserver to be rather low.

> It did originate from Chinese address space and consisted of DNS
> queries for lots of hosts. There was also a port-scan in the traffic
> and a SYN attack on a few hosts on the same small subnet as the DNS,
> a web server and an open SSH port.
> 




Re: DNS Attacks

2012-01-18 Thread Dobbins, Roland

On Jan 18, 2012, at 2:45 AM, Leigh Porter wrote:

> The firewall is significant because the attacks killed the firewall as it is 
> rather under specified (not my idea..).


DNS servers (or any other kind of server, for that matter) should never be 
placed behind stateful firewalls - the largest firewall one can build or buy 
will choke under even moderate DDoS attacks due to state-table exhaustion:



---
Roland Dobbins  // 

The basis of optimism is sheer terror.

  -- Oscar Wilde