Re: Securing Greenfield Service Provider Clients

2020-10-11 Thread Curtis, Bruce via NANOG


> On Oct 9, 2020, at 6:26 PM, Christopher J. Wolff  wrote:
> 
> Dear Mr. Curtis and Nanog;
> 
> Thank you for your responses.  Yes, I am investigating the feasibility of 
> public internet access to help with Digital Divide issues in light of the 
> COVID-19 pandemic as well as the challenges of security in this public 
> application.
> 
> It’s relatively straightforward to segment East-West traffic; however, I’m 
> not so sure about the case of North-South.  I need to address this issue 
> somehow in my assessment of risks in public networks.
> 
> I do *not* want to decrypt SSL traffic.  But I would *like* to be able to 
> have some black box with a subscription at the network edge prevent malware 
> from being downloaded through the network.
> 
> My question was whether this is even possible in a public context.  Secure 
> DNS services would go a long way toward this goal.
> 
> Is it fair to say that an NGFW *must* decrypt SSL traffic in order to fully 
> categorize for IPS/IDS prevention?  


Another thing to keep in mind is that NGFW/IPS depend on blacklisting to block 
malware.

Even if you did install certificates on all devices to enable TLS decryption 
(and bring the decryption device in scope for PCI), that is not a guarantee that 
the NGFW/IPS can block an amount of malware worthy of the investment.

"By 2017, around 96 percent of all malware files detected and blocked by 
Windows Defender were detected only once on a single computer and never seen 
again."

https://cybersecurityventures.com/the-devastating-effect-of-polymorphic-malware/

"For many years, the viewpoint on malware protection has been inclined towards 
investing in traditional security methods such as firewalls, antivirus as well 
as IPS. However, when it comes to protection against polymorphic malware, these 
solutions do not work properly."

https://medium.com/@kratikal/how-polymorphic-malware-are-deceiving-the-traditional-cyber-security-method-b56e30655283


While blacklisting, either in a middle box or on the host, will not stop 
malware that is changed to have a different signature every time it is 
downloaded, whitelisting on the end host might stop it.
In the example where whitelisting will stop malware but blacklisting will not, 
you are better off spending your limited resources on whitelisting.


This is from 2014 but indicates that the trend toward shorter times between 
malware morphing had already started.

https://krebsonsecurity.com/2014/05/antivirus-is-dead-long-live-antivirus/



Insights from one year of tracking a polymorphic threat (another example of 
malware that a middle box would not stop)

https://www.microsoft.com/security/blog/2019/11/26/insights-from-one-year-of-tracking-a-polymorphic-threat/

> 
> Thank you,
> CJ
> 
> 
> 
> 
> Get Outlook for iOS
> From: Curtis, Bruce 
> Sent: Friday, October 9, 2020 5:23:45 PM
> To: Christopher J. Wolff 
> Cc: nanog@nanog.org 
> Subject: Re: Securing Greenfield Service Provider Clients
>  
> 
> 
> If you search for this phrase
> 
> During 2020 more than fifty percent of new malware campaigns will use 
> various forms of encryption and obfuscation to conceal delivery, and to 
> conceal ongoing communications, including data exfiltration.
> 
> you will find lots of vendors of decryption have the phrase from Gartner 
> mentioned prominently on their web site.
> 
> 
> I don’t think TLS decryption would be viable in our university environment.
> 
> Your email address indicates that you are in a government environment and if 
> so you might have more control over devices and could have a better chance of 
> making decryption work.
> On the other hand if you have more control over devices a better choice might 
> be to spend your resources on implementing whitelisting rather than 
> decryption.
> 
> Keep in mind that if you implement decryption your decryption device is in 
> scope for PCI and subject to the various PCI auditing and logging requirements.
> 
> 
> 
> Attackers abuse Google DNS over HTTPS to download malware
> 
> https://www.bleepingcomputer.com/news/security/attackers-abuse-google-dns-over-https-to-download-malware/
> 
> 
> More general and as focused on decryption but I recommend you watch these 
> sessions from RSA conferences.
> 
> https://www.youtube.com/watch?v=d90Ov6QM1jE
> 
> https://www.youtube.com/watch?v=qzI-N0p9hFk
> 
> 
> And also the NIST draft on Zero Trust Architecture.  The document is mainly 
> about Zero Trus
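The blacklist-versus-whitelist argument above, as an added illustration that is not code from the thread: a toy Python simulation, on constructed sample files, in which every download of the malware is a fresh variant, so a hash blacklist that only learns a signature after a sample has been seen never blocks a first download, while a host allowlist of approved executables blocks every variant.

```python
"""Hash blacklisting vs host allowlisting against malware that changes on
every download.  Constructed toy files only; no real malware involved."""
import hashlib


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def morph(payload: bytes, seed: int) -> bytes:
    """Stand-in for a polymorphic packer (constructed): same program, different
    bytes each time.  A unique trailer is enough to defeat any hash signature."""
    return payload + b"\x00variant:" + seed.to_bytes(4, "big")


class HashBlacklist:
    """Signature engine such as an NGFW/IPS or AV: blocks only hashes it has
    already learned from a sample that was analysed earlier."""

    def __init__(self) -> None:
        self.bad = set()

    def blocks(self, data: bytes) -> bool:
        return sha256(data) in self.bad

    def learn(self, data: bytes) -> None:
        """A signature is published after the sample has been seen once."""
        self.bad.add(sha256(data))


class HostAllowlist:
    """Application control on the end host: only approved hashes may run."""

    def __init__(self, approved) -> None:
        self.allowed = {sha256(b) for b in approved}

    def blocks(self, data: bytes) -> bool:
        return sha256(data) not in self.allowed


def simulate(downloads: int = 100) -> dict:
    """Run `downloads` downloads where each one is a fresh variant."""
    base_malware = b"MZ\x90\x00constructed-fake-malware-body"
    approved_tool = b"MZ\x90\x00constructed-approved-admin-tool"
    blacklist = HashBlacklist()
    allowlist = HostAllowlist([approved_tool])

    bl_blocked = al_blocked = 0
    for i in range(downloads):
        sample = morph(base_malware, i)
        if blacklist.blocks(sample):
            bl_blocked += 1
        else:
            # signature arrives, but this exact variant is never seen again
            blacklist.learn(sample)
        if allowlist.blocks(sample):
            al_blocked += 1

    return {
        "downloads": downloads,
        "blacklist_blocked": bl_blocked,
        "allowlist_blocked": al_blocked,
        "signatures_learned": len(blacklist.bad),
        # a re-download of an already-seen variant is the one case the blacklist wins
        "known_variant_blocked": blacklist.blocks(morph(base_malware, 0)),
        "approved_tool_allowed": not allowlist.blocks(approved_tool),
    }


if __name__ == "__main__":
    for key, value in simulate().items():
        print(f"{key}: {value}")
```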

Re: Securing Greenfield Service Provider Clients

2020-10-11 Thread Curtis, Bruce via NANOG


> On Oct 10, 2020, at 10:58 AM, Ca By  wrote:
> 
> 
> 
> On Sat, Oct 10, 2020 at 8:14 AM Christopher J. Wolff  wrote:
> Dear Mr. Curtis and Nanog;
> 
> Thank you for your responses.  Yes, I am investigating the feasibility of 
> public internet access to help with Digital Divide issues in light of the 
> COVID-19 pandemic as well as the challenges of security in this public 
> application.
> 
> It’s relatively straightforward to segment East-West traffic; however, I’m 
> not so sure about the case of North-South.  I need to address this issue 
> somehow in my assessment of risks in public networks.
> 
> I do *not* want to decrypt SSL traffic.  But I would *like* to be able to 
> have some black box with a subscription at the network edge prevent malware 
> from being downloaded through the network.
> 
> My question was whether this is even possible in a public context.  Secure 
> DNS services would go a long way toward this goal.
> 
> Is it fair to say that an NGFW *must* decrypt SSL traffic in order to fully 
> categorize for IPS/IDS prevention?  
> 
> Thank you,
> CJ
> 
> 
> 
> Just my humble opinion, many network security devices in the middle decrease 
> the overall network security.

  Yes.  And in more ways than by being compromised themselves as indicated in 
the links you provide below.  (Remember that boxes that decrypt TLS are in 
scope for PCI).

In addition, most middle boxes are stateful devices that can be affected by DoS 
attacks that create state on the middle boxes.

In the CIA principle, Availability is supposed to be equally important.

https://en.wikipedia.org/wiki/Information_security#Availability

So if a middle box is affected by a DoS attack and normal traffic is dropped, so 
that Availability of a service is affected, that should also be considered a 
security failure or a decrease in overall network security.

Unfortunately in most instances the CIA principle is really applied as the CIa 
principle, where Availability is not equal and is always secondary to C and I.  
Even to the point where, if a primary protection is in place but a secondary 
protection fails in a way that affects availability, the secondary protection is 
not bypassed to restore Availability.




> Especially if they fall into the category of NGFW, they do too much and end 
> up blowing themselves up. 
> 
> https://www.google.com/amp/s/www.zdnet.com/google-amp/article/us-cyber-command-says-foreign-hackers-will-attempt-to-exploit-new-pan-os-security-bug/
> 
> https://www.google.com/amp/s/www.bleepingcomputer.com/news/security/cisco-patches-asa-ftd-firewall-flaw-actively-exploited-by-hackers/amp/
> 
> 
> Also, they are insanely priced and market to people based on fear. 
> 
> IPS / IDS only works if you have a full time team of folks willing to tune 
> it. And, it is never worth it. Been the same way for 20 years.  I was 
> recently involved in an outage with an IPS rule taking an entire site off 
> line. The fix was to stop doing IPS. 
> 
> The fact is,  most modern systems (win10, iOS, Android) are very secure from 
> a network stack and do not benefit from network based tools.  Even windows 
> Vista has a local firewall on by default. The real hacks that happen in the 
> wild are phishing ... and no network based thing is going to stop that.  You 
> do see occasional nsa tools turned into wannacry style worms, but those only 
> proliferate when SMB is enabled, and that is easily blocked with a router 
> acl, and is a best practice below. 
> 
> For public internet access, please keep it simple. Please do not waste tax 
> payer money on security snake oil. As mentioned, free dns services like 
> 1.1.1.3 and https://cleanbrowsing.org go a long way
> 
> Simple router ACLs are also good to shutdown back traffic, take a hint from 
> Comcast 
> 
> https://www.xfinity.com/support/articles/list-of-blocked-ports
> 
> 
> Regards,
> CB
> 
> 
> 
> 
> 
> Get Outlook for iO
>  
> From: Curtis, Bruce 
> Sent: Friday, October 9, 2020 5:23:45 PM
> To: Christopher J. Wolff 
> Cc: nanog@nanog.org 
> Subject: Re: Securing Greenfield Service Provider Clients
>  
> 
> 
> 
> If you search for this phrase
> 
> During 2020 more than fifty percent of new malware campaigns will use 
> various forms of encryption and obfuscation to conceal delivery, and to 
> conceal ongoing communications, including data exfiltration.
> 
> you will find lots of vendors of decryption have

Re: Securing Greenfield Service Provider Clients

2020-10-09 Thread Curtis, Bruce via NANOG


If you search for this phrase 

During 2020 more than fifty percent of new malware campaigns will use 
various forms of encryption and obfuscation to conceal delivery, and to conceal 
ongoing communications, including data exfiltration.

you will find lots of vendors of decryption have the phrase from Gartner 
mentioned prominently on their web site.


I don’t think TLS decryption would be viable in our university environment.

Your email address indicates that you are in a government environment and if so 
you might have more control over devices and could have a better chance of 
making decryption work.
On the other hand if you have more control over devices a better choice might 
be to spend your resources on implementing whitelisting rather than decryption.

Keep in mind that if you implement decryption your decryption device is in 
scope for PCI and subject to the various PCI auditing and logging requirements.



Attackers abuse Google DNS over HTTPS to download malware

https://www.bleepingcomputer.com/news/security/attackers-abuse-google-dns-over-https-to-download-malware/


More general and as focused on decryption but I recommend you watch these 
sessions from RSA conferences.

https://www.youtube.com/watch?v=d90Ov6QM1jE

https://www.youtube.com/watch?v=qzI-N0p9hFk


And also the NIST draft on Zero Trust Architecture.  The document is mainly 
about Zero Trust but does briefly mention decryption.

https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-207.pdf

https://csrc.nist.gov/publications/detail/sp/800-207/final




> On Oct 9, 2020, at 2:09 PM, Christopher J. Wolff  wrote:
> 
> Dear Nanog;
>  
> Hope everyone is getting ready for a good weekend.  I’m working on a 
> greenfield service provider network and I’m running into a security 
> challenge.  I hope the great minds here can help.
>  
> Since the majority of traffic is SSL/TLS, encrypted malicious content can 
> pass through even an “NGFW” device without detection and classification.
>  
> Without setting up SSL encrypt/decrypt through a MITM setup and handing 
> certificates out to every client, is there any other software/hardware that 
> can perform DPI and/or ssl analysis so I can prevent encrypted malicious 
> content from being downloaded to my users?
>  
> Have experience with Palo and Firepower but even these need the MITM 
> approach.  I appreciate any advice anyone can provide.
>  
> Best,
> CJ

Bruce Curtis
Network Engineer  /  Information Technology
NORTH DAKOTA STATE UNIVERSITY
phone: 701.231.8527
bruce.cur...@ndsu.edu



Re: syn flood attacks from NL-based netblocks

2019-08-16 Thread Curtis, Bruce


On Aug 16, 2019, at 5:04 PM, Jim Shankland wrote:

Greetings,

I'm seeing slow-motion (a few per second, per IP/port pair) syn flood attacks 
ostensibly originating from 3 NL-based IP blocks: 88.208.0.0/18 , 5.11.80.0/21, 
and 78.140.128.0/18 ("ostensibly" because ... syn flood, and BCP 38 not yet 
fully adopted).

Why is this syn flood different from all other syn floods? Well ...

1. Rate seems too slow to do any actual damage (is anybody really bothered by a 
few bad SYN packets per second per service, at this point?); but

2. IPs/port combinations with actual open services are being targeted (I'm 
seeing ports 22, 443, and 53, just at a glance, to specific IPs with those 
services running), implying somebody checked for open services first;

3. I'm seeing this in at least 2 locations, to addresses in different, 
completely unrelated ASes, implying it may be pretty widespread.

Is anybody else seeing the same thing? Any thoughts on what's going on? Or 
should I just be ignoring this and getting on with the weekend?

Jim

We are seeing that here also.  Saw similar traffic ostensibly originating from 
NL at least as long ago as last Sunday August 17.

—
Bruce Curtis 
bruce.cur...@ndsu.edu
Certified NetAnalyst II    701-231-8527
North Dakota State University



Re: SSL VPN

2019-06-14 Thread Curtis, Bruce


On Jun 13, 2019, at 1:32 PM, Randy Bush wrote:

OpenVPN in pfSense?

yep

We run tons of these around the world.

i only do 0.5kg

wireguard, https://www.wireguard.com/, is simpler (always a good thing
with security), and has had code looked at by some credible experts.

randy

Looks like wireguard has some similarities to ZeroTier.  But a big difference 
is that wireguard is based on layer 3 while ZeroTier is based on layer 2 and 
calls itself an "Ethernet switch for planet Earth".

https://www.zerotier.com


---
Bruce Curtis 
bruce.cur...@ndsu.edu
Certified NetAnalyst II    701-231-8527
North Dakota State University



Re: Apple devices spoofing default gateway?

2019-03-14 Thread Curtis, Bruce

We are running 8.5 and 1815s and I don’t think we are seeing this problem.

We do have a very small number of 1810s and did see some strange behavior but 
it doesn’t seem to match this problem description.

Is proxy arp disabled on the default gateway device?  That could potentially 
interact strangely with the features mentioned in earlier posts and mentioned 
below.

> On Mar 14, 2019, at 4:40 PM, Simon Lockhart  wrote:
> 
> On Thu Mar 14, 2019 at 04:19:04PM -0500, Jimmy Hess wrote:
>> Apple's Bonjour protocols include something called Apple Bonjour Sleep Proxy
>> for Wake on Demand ---  When a device goes to sleep,  the Proxy that runs on
>> various Apple devices is supposed to seize all the IP and MAC addresses that
>> device had registered, so it can wait for an incoming TCP SYN, (and if one's
>> received,  then signal the sleeping device to wake up and process the
>> connection.)
> 
> That's a very interesting observation - when we talk to the users of the
> Apple devices, they quite often say that the device was 'asleep' when it
> was sending these 'spoofed' ARP responses.

The "Information About Passive Clients" section of this document

https://www.cisco.com/c/en/us/td/docs/wireless/controller/8-5/config-guide/b_cg85/wlan_interfaces.html

says:

"Wireless LAN controllers currently act as a proxy for ARP requests. Upon 
receiving an ARP request, the controller responds with an ARP response instead 
of passing the request directly to the client. This scenario has two advantages:

• The upstream device that sends out the ARP request to the client will 
not know where the client is located.

• Power for battery-operated devices such as mobile phones and printers 
is preserved because they do not have to respond to every ARP requests."


  Perhaps that function on version 8.5 is interacting incorrectly with the 
Apple Sleep Proxy feature on the Apple devices.

"When a sleep proxy sees an IPv4 ARP or IPv6 ND Request for one of the sleeping 
device's addresses, it answers on behalf of the sleeping device, without waking 
it up, giving its own MAC address as the current (temporary) owner of that 
address."

https://en.wikipedia.org/wiki/Bonjour_Sleep_Proxy

https://discussions.apple.com/thread/2160614

> 
>> (Or perhaps they wanted to have a feature to let someone  AirPlay from a
>> different VLAN than another device?)
> 
> Cisco Wireless does claim to have some features to 'help' Bonjour / mDNS
> to work better. I wonder if one of those features is misbehaving.
> 
> Simon


---
Bruce Curtis bruce.cur...@ndsu.edu
Certified NetAnalyst II    701-231-8527
North Dakota State University
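The ARP-proxy and Sleep Proxy interaction discussed above, seen from the monitoring side, as an added example that is not code from the thread: a small Python monitor that tracks which MAC answers for each IP and classifies a change as the documented sleep-proxy takeover, an unexplained claim on the default gateway, or a plain binding change. The log format, the addresses and the set of hosts known to run a sleep proxy are constructed assumptions for the demo.

```python
"""Flag IP-to-MAC binding changes seen in ARP replies, separating the
expected Bonjour Sleep Proxy takeover from an unexplained claim on the
default gateway.  Log format, addresses and the sleep-proxy host list
are constructed for this demo."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class ArpReply:
    ts: float
    ip: str
    mac: str


@dataclass(frozen=True)
class Alert:
    ts: float
    ip: str
    old_mac: str
    new_mac: str
    reason: str


@dataclass
class ArpMonitor:
    gateway_ip: str
    sleep_proxy_macs: frozenset                     # hosts known to run a sleep proxy (assumed)
    bindings: dict = field(default_factory=dict)    # ip -> last MAC seen answering for it
    alerts: list = field(default_factory=list)

    def observe(self, reply: ArpReply):
        """Record the reply; return an Alert when an existing binding changes."""
        prev = self.bindings.get(reply.ip)
        self.bindings[reply.ip] = reply.mac
        if prev is None or prev == reply.mac:
            return None
        if reply.ip == self.gateway_ip:
            # A router never sleeps, so nothing should legitimately answer
            # for it: this is the symptom the thread is chasing.
            reason = "gateway-claimed-by-other-mac"
        elif reply.mac in self.sleep_proxy_macs:
            # Documented sleep-proxy behaviour: the proxy answers with its own
            # MAC for a sleeping device's address.  Worth logging, not alarming.
            reason = "sleep-proxy-takeover"
        else:
            reason = "binding-changed"
        alert = Alert(reply.ts, reply.ip, prev, reply.mac, reason)
        self.alerts.append(alert)
        return alert


def parse_line(line: str) -> ArpReply:
    """Constructed record format: '<epoch> <ip> is-at <mac>', one reply per line."""
    ts, ip, verb, mac = line.split()
    if verb != "is-at":
        raise ValueError(f"unexpected record: {line!r}")
    return ArpReply(float(ts), ip, mac.lower())


# Constructed sample capture: the real gateway, a MacBook running a sleep proxy,
# an iPhone that goes to sleep, then the MacBook answering for the gateway too.
SAMPLE_LOG = """\
1552599600.0 10.0.0.1  is-at 00:11:22:aa:bb:01
1552599601.0 10.0.0.50 is-at f0:18:98:aa:bb:50
1552599602.0 10.0.0.51 is-at a4:5e:60:aa:bb:51
1552599700.0 10.0.0.51 is-at f0:18:98:aa:bb:50
1552599701.0 10.0.0.1  is-at f0:18:98:aa:bb:50
1552599702.0 10.0.0.1  is-at 00:11:22:aa:bb:01
"""


def analyze(log_text: str, gateway_ip: str, sleep_proxy_macs) -> list:
    """Feed every record to a fresh monitor and return the alerts it raised."""
    mon = ArpMonitor(gateway_ip, frozenset(m.lower() for m in sleep_proxy_macs))
    for line in log_text.splitlines():
        if line.strip():
            mon.observe(parse_line(line))
    return mon.alerts


if __name__ == "__main__":
    for a in analyze(SAMPLE_LOG, "10.0.0.1", {"f0:18:98:aa:bb:50"}):
        print(f"{a.ts:.0f} {a.ip}: {a.old_mac} -> {a.new_mac} [{a.reason}]")
```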



Re: Multicast traffic % in enterprise network ?

2018-08-09 Thread Curtis, Bruce


Multicast was also required for earlier versions of VXLAN.  But later versions 
of VXLAN only require unicast.

For the far future it seems like Named Data Networking, Content Centric 
Networking, Information Centric Networking, Data Centric Networking etc. all 
list multicast as a requirement or fundamental part of their architecture.

> On Aug 8, 2018, at 4:15 PM, Greg Shepherd  wrote:
> 
> Financial exchanges around the world use multicast.
> 
> On Wed, Aug 8, 2018 at 1:31 PM, Stan Barber  wrote:
> 
>> As someone else remarked, part of this will depend on the type of network
>> you are profiling. One enterprise networking may have critical internal
>> applications that depend on multicast to work and others may have nothing
>> but the basic requirements of the network itself (e.g. IPv6 uses multicast
>> instead of broadcast for some network control information distribution).
>> 
>> On Wed, Aug 8, 2018 at 11:49 AM, Mankamana Mishra (mankamis) via NANOG <
>> nanog@nanog.org> wrote:
>> 
>>> Hi Every one,
>>> Recently we had good discussion over multicast uses in public internet.
>>> From discussion, it was pointed out uses of multicast is more with in
>>> enterprise.  Wanted to understand how much % multicast traffic present in
>>> network
>>> 
>>>  *   If there is any data which can provide what % of traffic is
>>> multicast traffic. And if multicast is removed, how much unicast traffic
>> it
>>> would add up?
>>>  *   Since this forum has people from deployment area, I would love to
>>> know if there is real deployment problems or its pain to deploy
>> multicast.
>>> 
>>> 
>>> These questions is to work / discussion in IETF to see what is pain
>> points
>>> for multicast, and how can we simplify it.
>>> 
>>> 
>>> 
>>> Thanks
>>> Mankamana
>>> 
>>> 
>> 


---
Bruce Curtis bruce.cur...@ndsu.edu
Certified NetAnalyst II    701-231-8527
North Dakota State University



Re: Multicast traffic % in enterprise network ?

2018-08-08 Thread Curtis, Bruce



On Aug 8, 2018, at 3:29 PM, na...@jack.fr.eu.org wrote:

I believe multicast is only used for IPTV

  There is at least one company that is using multicast for video switching, or 
in other words to replace HDMI switchers in rooms with video sources and 
displays.

  They have devices that encode video from an HDMI input to a multicast stream.
And devices that receive a multicast stream and output the video from that 
stream to an HDMI output.

So you can have multiple cameras and a multicast stream for each camera is 
input into the network.
Then you can have a projector that can choose any of those multicast streams to 
display.

I believe the video is uncompressed.


Multicast by itself does not reduce much bandwidth : that reduction is
purely based on the network design
If you place unicast nodes near your customers, multicast is effectively
unicast (just think about it) :)


On 08/08/2018 08:49 PM, Mankamana Mishra (mankamis) via NANOG wrote:
Hi Every one,
Recently we had good discussion over multicast uses in public internet. From 
discussion, it was pointed out uses of multicast is more with in enterprise.  
Wanted to understand how much % multicast traffic present in network

 *   If there is any data which can provide what % of traffic is multicast 
traffic. And if multicast is removed, how much unicast traffic it would add up?
 *   Since this forum has people from deployment area, I would love to know if 
there is real deployment problems or its pain to deploy multicast.


These questions is to work / discussion in IETF to see what is pain points for 
multicast, and how can we simplify it.



Thanks
Mankamana



---
Bruce Curtis 
bruce.cur...@ndsu.edu
Certified NetAnalyst II    701-231-8527
North Dakota State University



Re: Catalyst 4500 listening on TCP 6154 on all interfaces

2018-05-07 Thread Curtis, Bruce


On May 7, 2018, at 2:58 PM, Jay Farrell via NANOG wrote:

I saw that list, but understood the numbers there to be IDS signature
numbers, rather than port numbers. Am I misreading something?

  No, you are correct.

As Niels Bakker pointed out that is a list of IDS signatures, not a list of 
ports that Cisco devices listen on.

I just skimmed the pages, I should have read them more thoroughly before 
sending to the list.



On Mon, May 7, 2018 at 12:24 PM, Curtis, Bruce wrote:

Some Cisco devices use 6154 for ypxfrd.


6154 ypxfrd Portmap Request (Info, Atomic*)

Triggers when a request is made to the portmapper for the YP transfer
daemon (ypxfrd) port.

https://www.cisco.com/c/en/us/td/docs/ios/12_2/security/configuration/guide/fsecur_c/scfids.html

https://www.cisco.com/c/en/us/td/docs/security/asa/asa84/configuration/guide/asa_84_cli_config/protect_tools.html



---
Bruce Curtis 
bruce.cur...@ndsu.edu
Certified NetAnalyst II    701-231-8527
North Dakota State University



Re: Catalyst 4500 listening on TCP 6154 on all interfaces

2018-05-07 Thread Curtis, Bruce
Some Cisco devices use 6154 for ypxfrd.


6154 ypxfrd Portmap Request (Info, Atomic*)

Triggers when a request is made to the portmapper for the YP transfer daemon 
(ypxfrd) port.



https://www.cisco.com/c/en/us/td/docs/ios/12_2/security/configuration/guide/fsecur_c/scfids.html

https://www.cisco.com/c/en/us/td/docs/security/asa/asa84/configuration/guide/asa_84_cli_config/protect_tools.html





On May 5, 2018, at 6:22 AM, marcel.duregards--- via NANOG wrote:

As the zero touch feature is on TCP 4786 (SMI), I vote for either:

- a nsa backdoor :-)
- a default active service

Have you tried to zeroize the config and restart then check if TCP 6154
is still on LISTEN state ?


-
Marcel



On 03.05.2018 06:51, frederic.jut...@sig-telecom.net wrote:
Hi,

We have Cat 4500 series on SUP7L-E with IOS/XE 03.06.02.E/152(2).E2
which have TCP port 6154 listening on all interfaces.

Any idea what it could be ?

#show tcp brief all
TCB   Local Address   Foreign Address (state)
...
5A529430  0.0.0.0.6154


#show tcp tcb 5A529430
Connection state is LISTEN, I/O status: 1, unread input bytes: 0
Connection is ECN Disabled, Mininum incoming TTL 0, Outgoing TTL 255
Local host: 0.0.0.0, Local port: 6154
Foreign host: UNKNOWN, Foreign port: 0
Connection tableid (VRF): 1
Maximum output segment queue size: 50

Enqueued packets for retransmit: 0, input: 0  mis-ordered: 0 (0 bytes)

Event Timers (current time is 0xF58354):
Timer  StartsWakeupsNext
Retrans 0  0 0x0
TimeWait0  0 0x0
AckHold 0  0 0x0
SendWnd 0  0 0x0
KeepAlive   0  0 0x0
GiveUp  0  0 0x0
PmtuAger0  0 0x0
DeadWait0  0 0x0
Linger  0  0 0x0
ProcessQ0  0 0x0

iss:  0  snduna:  0  sndnxt:  0
irs:  0  rcvnxt:  0

sndwnd:  0  scale:  0  maxrcvwnd:   4128
rcvwnd:   4128  scale:  0  delrcvwnd:  0

SRTT: 0 ms, RTTO: 2000 ms, RTV: 2000 ms, KRTT: 0 ms
minRTT: 6 ms, maxRTT: 0 ms, ACK hold: 200 ms
uptime: 0 ms, Sent idletime: 0 ms, Receive idletime: 0 ms
Status Flags: gen tcbs
Option Flags: VRF id set, keepalive running, nagle, Reuse local address
 Retrans timeout
IP Precedence value : 0

Datagrams (max data segment is 516 bytes):
Rcvd: 0 (out of order: 0), with data: 0, total data bytes: 0
Sent: 0 (retransmit: 0, fastretransmit: 0, partialack: 0, Second
Congestion: 0), with data: 0, total data bytes: 0

Packets received in fast path: 0, fast processed: 0, slow path: 0
fast lock acquisition failures: 0, slow path: 0
TCP Semaphore  0x5BEB9B10  FREE





(The command "show control-plane host open-ports" is not available on
this platform/code)



I also think that if it were a local socket for internal process
communication, it would be 127.0.0.1:6154 instead of 0.0.0.0:6154.
So this is listening on all interfaces, virtual and physical, and seems
not to be for internal process communication.


Fred


---
Bruce Curtis 
bruce.cur...@ndsu.edu
Certified NetAnalyst II    701-231-8527
North Dakota State University



Re: pay.gov and IPv6

2014-03-18 Thread Curtis, Bruce

www.eda.gov has been broken since January.  

It has an AAAA record but when clients connect via IPv6 they see "Bad Request 
(Invalid Hostname)" rather than the web site.

On Mar 17, 2014, at 1:43 PM, Matthew Kaufman  wrote:

> Random IPv6 complaint of the day: redirects from FCC.gov to pay.gov fail when 
> clients have IPv6 enabled. Work fine if IPv6 is off. One more set of client 
> computers that should be dual-stacked are now relegated to IPv4-only until 
> someone remembers to turn it back on for each of them... sigh.
> 
> Matthew Kaufman
> 

---
Bruce Curtis bruce.cur...@ndsu.edu
Certified NetAnalyst II    701-231-8527
North Dakota State University




Re: Automatic abuse reports

2013-11-13 Thread Curtis, Bruce

On Nov 12, 2013, at 3:58 PM, Jonas Björklund  wrote:

> Hello,
> 
> We often get abuse reports on hosts that have been involved in DDOS attacks.
> We contact the owner of the host and help them fix the problem.
> 
> I also would like to start sending these abuse reports to the ISP of the source.
> 
> Are there any available tools for this? Is there any plugin for nfsen?
> 
> Do I need to write my own scripts for this?
> 
> /Jonas

  You could send the info to DSHIELD.  Then they might notify the ISP if you 
enabled “Fightback”.

http://dshield.org/howto.html

http://dshield.org/fightback.html

---
Bruce Curtis bruce.cur...@ndsu.edu
Certified NetAnalyst II    701-231-8527
North Dakota State University




Re: IPTV and ASM

2011-12-29 Thread Curtis, Bruce

On Dec 28, 2011, at 10:55 PM, Antonio Querubin wrote:

> On Wed, 28 Dec 2011, Marshall Eubanks wrote:
> 
>> From what I understand, the answer is likely to be "yes" and the
>> reason is likely to be "deployed equipment only
>> supports IGMP v2."
> 
> That and numerous clients which don't know anything about SSM.

  For example Apple products don't support IGMPv3.

---
Bruce Curtis bruce.cur...@ndsu.edu
Certified NetAnalyst II    701-231-8527
North Dakota State University



Re: Current trends in capacity planning and oversubscription

2010-11-16 Thread Curtis, Bruce

On Nov 12, 2010, at 5:52 PM, Sean Donelan wrote:

> On Wed, 10 Nov 2010, Curtis, Bruce wrote:
>> If we take our current ISP bandwidth and increase it by 50% every 
>> year for 5 years it would be about twice the 100 Mbps per 1,000 
>> students/staff recommendation.
> 
> Is 50% growth each year typical these days?  In the dot-com boom days, 
> people said 100% growth, other people have suggested 20% may be more 
> reasonable now.

  We did see a lower rate of growth after the dot-com boom/bust.

  However the rate of growth picked up with the popularity of video streaming 
sites.

  This site mentions 40 to 50% growth last year and has references to other 
papers that  mention similar growth rates (although some of those papers may 
now be several years old.)

http://www.dtc.umn.edu/mints/home.php

  So to answer the question I would say that 40 to 50% growth is typical these 
days, it has been for us.

  I assume that it will continue for a few years but I'm less confident 
speculating that it would still be 40 to 50% in 5 to 7 years.  But I wouldn't 
bet against it either. 

>  A problem with government network capacity 
> planning/growth forecasts is you will be stuck with whatever you choose, 
> too high or too low, for many years because the budget cycle is so long.
> 
> It would be great if there was some actual data available.  But it seems
> more typical to benchmark/compare to do network capacity planning with 
> other government agencies, so we end up with X-Mbps per Y,000 people.
> Yes, I know it depends.  1,000 people downloading data from LHC 
> experiments will be different from an administrative school office. 
> The difference is the people using LHC data usually have someone who can 
> figure out network capacity planning, while the people in an 
> administrative school office may not have anyone.
> 
> So what is a reasonable network capacity for 1,000 students now and in 5 
> years.
> 
> 

---
Bruce Curtis bruce.cur...@ndsu.edu
Certified NetAnalyst II    701-231-8527
North Dakota State University



Re: Current trends in capacity planning and oversubscription

2010-11-10 Thread Curtis, Bruce

On Nov 9, 2010, at 11:26 PM, Sean Donelan wrote:

> While the answer is always it depends, I was wondering what the current 
> rules of thumb university network engineers are using for capacity 
> planning and oversubscription for resnets and admin networks?
> 
> For K-12, SETDA (http://www.setda.org/web/guest/2020/broadband) is 
> recommending:
> 
> - An external Internet connection to the Internet Service Provider of at 
> least 100 Mbps per 1,000 students/staff
> - Internal wide area network connections from the district to each school 
> and between schools of at least 1 Gbps per 1,000 students/staff
> 
> How does that compare with university and enterprise network rules of 
> thumb?

  Page 10 of the presentation on the link you provided says those are the 
numbers they recommend "for the next 5-7 years".  Perhaps they meant to say "in 
5 to 7 years"?

  "for the next 2-3 years" they recommend 10 Mbps per 1,000 people to an ISP 
and 100 Mbps per 1,000 people between schools.

  Our campus is already using almost 3 times the ISP bandwidth recommended "for 
the next 2-3 years".

  If we take our current ISP bandwidth and increase it by 50% every year for 5 
years it would be about twice the 100 Mbps per 1,000 students/staff 
recommendation.

  

---
Bruce Curtis bruce.cur...@ndsu.edu
Certified NetAnalyst II    701-231-8527
North Dakota State University