Re: Recommended DDoS mitigation appliance?

2019-11-17 Thread Rabbi Rob Thomas 
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Dear Töma,

> Potential miscreants today should be assumed to have much more to
> show you even on a daily basis.

Oh, indeed!  :)

> Is it like you also have something filtering upstream for you,
> e.g. flowspec-enabled peers?

That is correct.

Be well,
Rob.
- -- 
Rabbi Rob Thomas   Team Cymru
   "It is easy to believe in freedom of speech for those with whom we
agree." - Leo McKern
-BEGIN PGP SIGNATURE-

iQIzBAEBCAAdFiEEDcVjavXj08cL/QwdQ+hhYvqF8o0FAl3SBH4ACgkQQ+hhYvqF
8o3k7Q//YSgohuoaE6bB7uopBUTbdg6uiHc1TNFGrYA+vf9idXpYuc7V0092hA3k
xxF1iSsChQgqFB03syWgI3j5+NIHGS2LLYHVmsgQWOBLbsr2dvp09MoVTWDh7ODR
zex5g/ZyOn6Tdj3oJkeKzcwi49kgYEAxXqaU1nt7jFS0pFBKeXuaLomLIm5hPaNO
qhHkNg7BnRlm3Vr+rdcXFYFnlZIBkCVXi6I4E5xBWzu4r3TPJU/LYGPstZFt/coF
vc86Ry90rsdm9xuo7se2LTpXimL8Qzqcj5MP948JCc3TyS+ZGecGq9QovEDsX4SC
I9bOX8jmYThO1HgOFXKt9y6dl8J1Mi98KpZL82Gc1gspeFzdJ4FdyUddpA9+glda
IvDKI2o+pP9dqignczvlEiExiSCHDe/5DnVYcAvwUwI59gyKBdGkgGGVu8cPTIAt
8qV8SHrYoVD/3tM3h89ZvReJwZk8wo7JG0cxwqRJqlBbCKPSMSYm35ps/L+7rYNL
ApxiFwu3pWfx5HBBpbQ/KugVyBA2KOg2qMVs07FM3D0CIy6soUqjWsn/hMMbRZaE
zpyhTjBKpyvOXFLQWThDoahDUzTS/KFGvMS/JMeAz35gg1p5zHtbXGY8WCb63B1l
oefiZEIVJImNfEvw+SViK6RSK/OMfhg0yN0NAhVEyifxPxhrdIM=
=enDs
-END PGP SIGNATURE-

Re: Recommended DDoS mitigation appliance?

2019-11-17 Thread Töma Gavrichenkov 
Peace,

On Mon, Nov 18, 2019, 5:25 AM Richard  wrote:

> The OP is very knowledgeable and would not mince words or waste bandwidth.
>

Sure, I totally assume that.  I just feel I might offer a better advice
once I see the big picture.

--
Töma

>

Re: Recommended DDoS mitigation appliance?

2019-11-17 Thread Richard 
I would say you are making some assumptions that are not fact based. The
OP is very knowledgeable and would not mince words or waste bandwidth.
Let us see what he has to say in regards to your remarks. He will be
able to make this more clear once he has read what people have stated in
other responses.

Respectfully, of course, Richard Golodner

On 11/17/19 8:12 PM, Töma Gavrichenkov wrote:
> Peace,
>
> On Mon, Nov 18, 2019, 1:49 AM Rabbi Rob Thomas  > wrote:
>
> > I am going to assume you want it to spit out 10G clean, what size
> > dirty traffic are you expecting it to handle?
>
> Great question!  Let's say between 6Gbps and 8Gbps dirty.
>
>
> As someone making a living as a DDoS mitigation engineer for the last
> 10 years (minus 1 month) I should say your threat model is sort of
> unusual.  Potential miscreants today should be assumed to have much
> more to show you even on a daily basis.
>
> Is it like you also have something filtering upstream for you, e.g.
> flowspec-enabled peers?
>
> --
> Töma
>

Re: Recommended DDoS mitigation appliance?

2019-11-17 Thread Töma Gavrichenkov 
Peace,

On Mon, Nov 18, 2019, 1:49 AM Rabbi Rob Thomas  wrote:

> > I am going to assume you want it to spit out 10G clean, what size
> > dirty traffic are you expecting it to handle?
>
> Great question!  Let's say between 6Gbps and 8Gbps dirty.
>

As someone making a living as a DDoS mitigation engineer for the last 10
years (minus 1 month) I should say your threat model is sort of unusual.
Potential miscreants today should be assumed to have much more to show you
even on a daily basis.

Is it like you also have something filtering upstream for you, e.g.
flowspec-enabled peers?

--
Töma

>

Re: Recommended DDoS mitigation appliance?

2019-11-17 Thread Rabbi Rob Thomas 
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Dear Ryan,

> I am going to assume you want it to spit out 10G clean, what size
> dirty traffic are you expecting it to handle?

Great question!  Let's say between 6Gbps and 8Gbps dirty.

Thank you!
Rob.


> On Nov 17 2019, at 2:18 pm, Rabbi Rob Thomas 
> wrote:
> 
> 
> 
> Hello, NANOG!
> 
> I'm in the midst of rebuilding/upgrading our backbone and peering
> - sessions cheerfully accepted :) - and am curious what folks
> recommend in the DDoS mitigation appliance realm? Ideally it would
> be capable of 10Gbps and circa 14Mpps rate of mitigation. If you
> have a recommendation, I'd love to hear it and the reasons for it.
> If you have an alternative to an appliance that has worked well for
> you (we're a mix of Cisco and Juniper), I'm all ears.
> 
> Private responses are fine, and I'm happy to summarize back to the 
> list if there is interest.
> 
> Thank you! Rob.
> 

- -- 
Rabbi Rob Thomas   Team Cymru
   "It is easy to believe in freedom of speech for those with whom we
agree." - Leo McKern
-BEGIN PGP SIGNATURE-

iQIzBAEBCAAdFiEEDcVjavXj08cL/QwdQ+hhYvqF8o0FAl3RzkAACgkQQ+hhYvqF
8o1J6Q//ZUgytaLqJoKV6i39pXmVH7Yxau5jThSfHEdLk9n1dQzrLCfM28vyUTQr
93TeikXMvEXi8mG5vFXjQAkaNLbKPLJnpydIwRe3vbDxl6pkzrWF3XF5dy9dZ0rl
IWcpe1ngVmT/FGTFm5T26woEAmvg4CLjP9Fm8nMHLKp29xRgd8SKs7jDxtZZx68g
BkdJiFGXdVP/oKUslYzDTIUdhUwckAeJKxFfsvdgN6Ybz70yckLeyfwZwo9pNcjj
W8yYWchGEtPMKidtupAATYKkKcZQp0gvObRXwDeGR4y+4YoJlTU5L+bNAr+xmsgi
hIy9YKs3/0uhOFPBbcN+sconQqTCyWA2eyXlCGlT1dnMvM7SbXDeD8R4IxqQeQ9i
JSZJiUhtfQFVqNnufqbeI0im/onSbyqv+IUPFKug5wU2hXY04YnoRcFMGwufIugj
pUSUqlkh4pmTe8so+JMOYHzH186fuVRKtNnScqkGPeKxEM+vp2Ou4hCaHyWPfTb1
aLKBY6LeJK6oWWOPArk8m8nVjvTKdYZh6XvlCeiA/lOy8a6rGVKLN8uX2QRVGZFE
5TE0XpoH+0MAqhO57ZiT8Uvs7D0Gpdc0ZJ3HQUj005SwJ1l4vGeq/jPhTnBEtcEO
fIu9tyqlWDuIeZfuMGG1lXrL+OUtfA8TJomizvyPBwzMfvTX4bU=
=vQSp
-END PGP SIGNATURE-

Re: Recommended DDoS mitigation appliance?

2019-11-17 Thread Ryan Hamel 
Rob,

I am going to assume you want it to spit out 10G clean, what size dirty traffic 
are you expecting it to handle?
Ryan
On Nov 17 2019, at 2:18 pm, Rabbi Rob Thomas  wrote:
>
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA256
>
>
> Hello, NANOG!
> I'm in the midst of rebuilding/upgrading our backbone and peering -
> sessions cheerfully accepted :) - and am curious what folks recommend
> in the DDoS mitigation appliance realm? Ideally it would be capable
> of 10Gbps and circa 14Mpps rate of mitigation. If you have a
> recommendation, I'd love to hear it and the reasons for it. If you
> have an alternative to an appliance that has worked well for you
> (we're a mix of Cisco and Juniper), I'm all ears.
>
> Private responses are fine, and I'm happy to summarize back to the
> list if there is interest.
>
> Thank you!
> Rob.
> - --
> Rabbi Rob Thomas Team Cymru
> "It is easy to believe in freedom of speech for those with whom we
> agree." - Leo McKern
> -BEGIN PGP SIGNATURE-
>
> iQIzBAEBCAAdFiEEDcVjavXj08cL/QwdQ+hhYvqF8o0FAl3Rx08ACgkQQ+hhYvqF
> 8o0snw/8CxTOujcodNh/huMXZaUNlMNoNRz3IoPqBiAP9BZomMz9xqlpDW/qvWBF
> xhoJ07C0O0mo5ilNjnPR308uifIBu6ylw02PshOCU06dV0afgtndxGg5AoG9npUV
> 7uCi2afWaf22dq5TwKLut8QPNNQJTRzndX88xJw9MzzoBTemxRtM7ft4H3UhJ0hv
> oKo83FCNZQt36I+GZA9GBJeXM+o0f5h0w6fhRqARzttf6brJZdXgROyIQ7jptGuZ
> N3Yrjk/8RM4XKMnYbtIwl8NS3c0nEGN3ndn+Bz7p2FE7QJrZKonk/o03dvr2kU0Y
> 7gUQliOOzV9EsptVGyLCVyDJSElvXTBaps0giEVZhdmEIDJPWvBc+93j1g7xbmti
> 27lT6+5qBmEN0oKJWxXgtw9/n1yX9vsc7tXlgYDoXGhIlszdB3baRao1tYEp8BBQ
> hTGAULRfHe94tRzvOOQUQIuhzNcK1Q4E2jU6kzBB1wJsBD4zuHk+QIJLSHBmmnka
> VNKlQ+5zP8dmSMBp6k4feqAtt3hy0Bj+34FbdQZYPutIe3VXHEjpWI3jI9vKjhtC
> g7U/9CQIjVUl2APn1IllArpUpETBlNq7dSeJNUN/4Xh+eHglUnEn/m2kFG5mizmP
> d0YvLEVe0/+WzDUz+y3KxDVP5tdJT1VM46FHIgeiB4KrWNGRPUo=
> =uuel
> -END PGP SIGNATURE-
>

Recommended DDoS mitigation appliance?

2019-11-17 Thread Rabbi Rob Thomas 
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256


Hello, NANOG!

I'm in the midst of rebuilding/upgrading our backbone and peering -
sessions cheerfully accepted :) - and am curious what folks recommend
in the DDoS mitigation appliance realm?  Ideally it would be capable
of 10Gbps and circa 14Mpps rate of mitigation.  If you have a
recommendation, I'd love to hear it and the reasons for it.  If you
have an alternative to an appliance that has worked well for you
(we're a mix of Cisco and Juniper), I'm all ears.

Private responses are fine, and I'm happy to summarize back to the
list if there is interest.

Thank you!
Rob.
- -- 
Rabbi Rob Thomas   Team Cymru
   "It is easy to believe in freedom of speech for those with whom we
agree." - Leo McKern
-BEGIN PGP SIGNATURE-

iQIzBAEBCAAdFiEEDcVjavXj08cL/QwdQ+hhYvqF8o0FAl3Rx08ACgkQQ+hhYvqF
8o0snw/8CxTOujcodNh/huMXZaUNlMNoNRz3IoPqBiAP9BZomMz9xqlpDW/qvWBF
xhoJ07C0O0mo5ilNjnPR308uifIBu6ylw02PshOCU06dV0afgtndxGg5AoG9npUV
7uCi2afWaf22dq5TwKLut8QPNNQJTRzndX88xJw9MzzoBTemxRtM7ft4H3UhJ0hv
oKo83FCNZQt36I+GZA9GBJeXM+o0f5h0w6fhRqARzttf6brJZdXgROyIQ7jptGuZ
N3Yrjk/8RM4XKMnYbtIwl8NS3c0nEGN3ndn+Bz7p2FE7QJrZKonk/o03dvr2kU0Y
7gUQliOOzV9EsptVGyLCVyDJSElvXTBaps0giEVZhdmEIDJPWvBc+93j1g7xbmti
27lT6+5qBmEN0oKJWxXgtw9/n1yX9vsc7tXlgYDoXGhIlszdB3baRao1tYEp8BBQ
hTGAULRfHe94tRzvOOQUQIuhzNcK1Q4E2jU6kzBB1wJsBD4zuHk+QIJLSHBmmnka
VNKlQ+5zP8dmSMBp6k4feqAtt3hy0Bj+34FbdQZYPutIe3VXHEjpWI3jI9vKjhtC
g7U/9CQIjVUl2APn1IllArpUpETBlNq7dSeJNUN/4Xh+eHglUnEn/m2kFG5mizmP
d0YvLEVe0/+WzDUz+y3KxDVP5tdJT1VM46FHIgeiB4KrWNGRPUo=
=uuel
-END PGP SIGNATURE-

Re: Landing Stations used as datacenter

2019-11-17 Thread Rod Beck 
A landing station is not typically carrier neutral and is not designed to have 
a huge of excess space to accommodate third parties. When I was at Hibernia 
Atlantic we would get from time to time a disaster recovery client, but there 
was not a lot of excess space available and so it was priced accordingly. It 
will be a very poor choice for most potential clients.

Regards,

Roderick.


From: NANOG  on behalf of william manning 

Sent: Sunday, November 17, 2019 12:02 AM
To: Mehmet Akcin 
Cc: nanog 
Subject: Re: Landing Stations used as datacenter

usually the logistics and business models of traditional CLS and DC are 
different (Bill Woodcock laid it out).
a few years ago i built a model for SWIFT that provided for dynamic remapping 
of lambda in the event of backhoe fade.  Not exactly your DC, neutral IX form 
factor, but met the need at the time.  I can dig up the DoT presentation if 
there is interest.

/Wm

On Thu, Nov 14, 2019 at 7:00 PM Mehmet Akcin 
mailto:meh...@akcin.net>> wrote:
Hey there

I have been putting my thoughts on Infrapedia blog and sharing with folks like

https://www.infrapedia.com/post/top20cities-datacenters

I am working on a new article and this time my topic will be looking at cable 
landing stations(cls). Do you consider cable landing stations as a datacenter? 
Do you have any experience deploying a pop in CLS? Are you able to share (on or 
off record) your experience which I can refer as your experience (good or bad) 
why deploying a pop inside a CLS is good or bad idea. Any additional comments..

I am not a big fan of CLS deployments. They have limited networks ( like only 
carriers and no eyeballs) and very expensive connectivity (usually)

Thank you in advance sharing your experience

Mehmet

--
Mehmet
+1-424-298-1903