RE: Switch with high ACL capacity

2018-11-06 Thread Mike Hammett
*nods* The more ways of knocking down the low hanging fruit the better.



-
Mike Hammett
Intelligent Computing Solutions
http://www.ics-il.com

Midwest-IX
http://www.midwest-ix.com

- Original Message -
From: Ryan Hamel 
To: Tim Jackson , na...@ics-il.net
Cc: nanog list 
Sent: Tue, 06 Nov 2018 14:04:36 -0600 (CST)
Subject: RE: Switch with high ACL capacity

I would see if you can get your upstream providers to apply rules to a 
dedicated interface upstream (drop NTP, memcache, LDAP, rate limit SSDP), and 
connect that to your switch, which would announce the /32’s or /128’s to pull 
the traffic over. You would of course have to announce the /24 or /48 through 
the carrier that has the filters in place to ensure they get all the traffic. 
After post processing the spoofed traffic, it should leave you with flooding to 
take care of.

--
Ryan Hamel
Network Administrator
ryan.ha...@quadranet.com | +1 (888) 578-2372
QuadraNet Enterprises, LLC. | Dedicated Servers, Colocation, Cloud

From: NANOG  On Behalf Of Tim Jackson
Sent: Tuesday, November 06, 2018 11:52 AM
To: na...@ics-il.net
Cc: nanog list 
Subject: Re: Switch with high ACL capacity

Juniper QFX1(including 12) supports ~64k ACL entries + FlowSpec

--
Tim

On Tue, Nov 6, 2018 at 1:49 PM Mike Hammett <na...@ics-il.net> wrote:
The intent is to see if I can construct a poor man's DDOS scrubber. There are 
low cost systems out there for the detection, but they just trigger something 
else to do the work. Obviously there is black hole routing, but I'm looking for 
something with a bit more finesse.

If I need to get a switch anyway, might as well try to take advantage of it for 
other uses.

-
Mike Hammett
Intelligent Computing Solutions
Midwest Internet Exchange
The Brothers WISP

- Original Message -
From: Lotia, Pratik M <pratik.lo...@charter.com>
To: Mike Hammett <na...@ics-il.net>, 'nanog list' <nanog@nanog.org>
Sent: Tue, 06 Nov 2018 12:29:15 -0600 (CST)
Subject: Re: Switch with high ACL capacity

Mike,

Can you shed some light on the use case? Looks like you are confusing ACLs and 
BGP Flowspec. ACLs and Flowspec rules are similar in some ways but they have a 
different use case. ACLs cannot be configured using Flowspec announcements. 
Flowspec can be loosely explained as 'Routing based on L4 rules' (there's a lot 
more to it than just L4). I doubt if there is a switch which can hold a large 
number of Flowspec entries.


~Pratik Lotia
“Improvement begins with I.”


On 11/6/18, 10:39, "NANOG on behalf of Mike Hammett" <nanog-boun...@nanog.org on behalf of na...@ics-il.net> wrote:

I am looking for recommendations as to a 10G or 40G switch that has the 
ability to hold a large number of entries in ACLs.

Preferred if I can get them there via the BGP flow spec, but some sort of 
API or even just brute force on the console would be good enough.

Used or even end of life is fine.

-
Mike Hammett
Intelligent Computing Solutions
Midwest Internet Exchange
The Brothers WISP


E-MAIL CONFIDENTIALITY NOTICE:
The contents of this e-mail message and any attachments are intended solely for 
the addressee(s) and may contain confidential and/or legally privileged 
information. If you are not the intended recipient of this message or if this 
message has been addressed to you in error, please immediately alert the sender 
by reply e-mail and then delete this message and any attachments. If you are 
not the intended recipient, you are notified that any use, dissemination, 
distribution, copying, or storage of this message or any attachment is strictly 
prohibited.



RE: Switch with high ACL capacity

2018-11-06 Thread Mike Hammett
Other than it completes the DDoS.



-
Mike Hammett
Intelligent Computing Solutions
http://www.ics-il.com

Midwest-IX
http://www.midwest-ix.com

- Original Message -
From: Zach Puls 
To: Mike Hammett 
Cc: 'nanog list' 
Sent: Tue, 06 Nov 2018 13:55:22 -0600 (CST)
Subject: RE: Switch with high ACL capacity

Wouldn’t it be more beneficial to just have a low-cost system for detection, 
then trigger an RTBH community advertisement to your upstream(s)?

Zach Puls
Network Engineer | MEF-CECP
KsFiberNet

-Original Message-
From: NANOG  On Behalf Of Mike 
Hammett
Sent: Tuesday, November 06, 2018 13:47
To: Lotia, Pratik M 
Cc: 'nanog list' 
Subject: Re: Switch with high ACL capacity

The intent is to see if I can construct a poor man's DDOS scrubber. There are 
low cost systems out there for the detection, but they just trigger something 
else to do the work. Obviously there is black hole routing, but I'm looking for 
something with a bit more finesse.

If I need to get a switch anyway, might as well try to take advantage of it for 
other uses.

-
Mike Hammett
Intelligent Computing Solutions
Midwest Internet Exchange
The Brothers WISP

- Original Message -
From: Lotia, Pratik M 
To: Mike Hammett , 'nanog list' 
Sent: Tue, 06 Nov 2018 12:29:15 -0600 (CST)
Subject: Re: Switch with high ACL capacity

Mike,

Can you shed some light on the use case? Looks like you are confusing ACLs and 
BGP Flowspec. ACLs and Flowspec rules are similar in some ways but they have a 
different use case. ACLs cannot be configured using Flowspec announcements. 
Flowspec can be loosely explained as 'Routing based on L4 rules' (there's a lot 
more to it than just L4). I doubt if there is a switch which can hold a large 
number of Flowspec entries.

 
~Pratik Lotia
“Improvement begins with I.”
 

On 11/6/18, 10:39, "NANOG on behalf of Mike Hammett"  wrote:

I am looking for recommendations as to a 10G or 40G switch that has the 
ability to hold a large number of entries in ACLs.

Preferred if I can get them there via the BGP flow spec, but some sort of 
API or even just brute force on the console would be good enough.

Used or even end of life is fine.

-
Mike Hammett
Intelligent Computing Solutions
Midwest Internet Exchange
The Brothers WISP







RE: Switch with high ACL capacity

2018-11-06 Thread Mike Hammett
If the DDoS exceeds capacity, I simply resort to the RTBH. Until then, if I can 
handle it more delicately, then great. If I can handle it by adjusting routing 
policy (shy of blackholing) or by dropping traffic selectively until then, I 
deliver a better experience.

Eyeball networks can handle DDoSes a bit differently than content guys because 
most of our traffic is on just a handful of ASNs on a few ports.




-
Mike Hammett
Intelligent Computing Solutions
Midwest Internet Exchange
The Brothers WISP

- Original Message -
From: Ryan Hamel 
To: Mike Hammett , Lotia, Pratik M 
Cc: 'nanog list' 
Sent: Tue, 06 Nov 2018 13:52:38 -0600 (CST)
Subject: RE: Switch with high ACL capacity

Mike,

Are you sure you have enough inbound capacity to set up such a thing? Do you 
have RTBH set up for the final means of killing the attack?

If you could get another set of circuits to feed this switch from your same 
providers, and they accept more specific announcements, you could use this to 
swing /32's or /128's to said dedicated links so it won't affect your clients' 
traffic.

--
Ryan Hamel
Network Administrator
ryan.ha...@quadranet.com | +1 (888) 578-2372
QuadraNet Enterprises, LLC. | Dedicated Servers, Colocation, Cloud


-Original Message-
From: NANOG  On Behalf Of 
Mike Hammett
Sent: Tuesday, November 06, 2018 11:47 AM
To: Lotia, Pratik M 
Cc: 'nanog list' 
Subject: Re: Switch with high ACL capacity

The intent is to see if I can construct a poor man's DDOS scrubber. There are 
low cost systems out there for the detection, but they just trigger something 
else to do the work. Obviously there is black hole routing, but I'm looking for 
something with a bit more finesse.

If I need to get a switch anyway, might as well try to take advantage of it for 
other uses.

-
Mike Hammett
Intelligent Computing Solutions
Midwest Internet Exchange
The Brothers WISP

- Original Message -
From: Lotia, Pratik M 
To: Mike Hammett , 'nanog list' 
Sent: Tue, 06 Nov 2018 12:29:15 -0600 (CST)
Subject: Re: Switch with high ACL capacity

Mike,

Can you shed some light on the use case? Looks like you are confusing ACLs and 
BGP Flowspec. ACLs and Flowspec rules are similar in some ways but they have a 
different use case. ACLs cannot be configured using Flowspec announcements. 
Flowspec can be loosely explained as 'Routing based on L4 rules' (there's a lot 
more to it than just L4). I doubt if there is a switch which can hold a large 
number of Flowspec entries.

 
~Pratik Lotia
“Improvement begins with I.”
 

On 11/6/18, 10:39, "NANOG on behalf of Mike Hammett"  wrote:

I am looking for recommendations as to a 10G or 40G switch that has the 
ability to hold a large number of entries in ACLs.

Preferred if I can get them there via the BGP flow spec, but some sort of 
API or even just brute force on the console would be good enough.

Used or even end of life is fine.

-
Mike Hammett
Intelligent Computing Solutions
Midwest Internet Exchange
The Brothers WISP






RE: Switch with high ACL capacity

2018-11-06 Thread Ryan Hamel
I would see if you can get your upstream providers to apply rules to a 
dedicated interface upstream (drop NTP, memcache, LDAP, rate limit SSDP), and 
connect that to your switch, which would announce the /32’s or /128’s to pull 
the traffic over. You would of course have to announce the /24 or /48 through 
the carrier that has the filters in place to ensure they get all the traffic. 
After post processing the spoofed traffic, it should leave you with flooding to 
take care of.

--
Ryan Hamel
Network Administrator
ryan.ha...@quadranet.com | +1 (888) 578-2372
QuadraNet Enterprises, LLC. | Dedicated Servers, Colocation, Cloud

From: NANOG  On Behalf Of Tim Jackson
Sent: Tuesday, November 06, 2018 11:52 AM
To: na...@ics-il.net
Cc: nanog list 
Subject: Re: Switch with high ACL capacity

Juniper QFX1(including 12) supports ~64k ACL entries + FlowSpec

--
Tim

On Tue, Nov 6, 2018 at 1:49 PM Mike Hammett <na...@ics-il.net> wrote:
The intent is to see if I can construct a poor man's DDOS scrubber. There are 
low cost systems out there for the detection, but they just trigger something 
else to do the work. Obviously there is black hole routing, but I'm looking for 
something with a bit more finesse.

If I need to get a switch anyway, might as well try to take advantage of it for 
other uses.

-
Mike Hammett
Intelligent Computing Solutions
Midwest Internet Exchange
The Brothers WISP

- Original Message -
From: Lotia, Pratik M <pratik.lo...@charter.com>
To: Mike Hammett <na...@ics-il.net>, 'nanog list' <nanog@nanog.org>
Sent: Tue, 06 Nov 2018 12:29:15 -0600 (CST)
Subject: Re: Switch with high ACL capacity

Mike,

Can you shed some light on the use case? Looks like you are confusing ACLs and 
BGP Flowspec. ACLs and Flowspec rules are similar in some ways but they have a 
different use case. ACLs cannot be configured using Flowspec announcements. 
Flowspec can be loosely explained as 'Routing based on L4 rules' (there's a lot 
more to it than just L4). I doubt if there is a switch which can hold a large 
number of Flowspec entries.


~Pratik Lotia
“Improvement begins with I.”


On 11/6/18, 10:39, "NANOG on behalf of Mike Hammett" <nanog-boun...@nanog.org on behalf of na...@ics-il.net> wrote:

I am looking for recommendations as to a 10G or 40G switch that has the 
ability to hold a large number of entries in ACLs.

Preferred if I can get them there via the BGP flow spec, but some sort of 
API or even just brute force on the console would be good enough.

Used or even end of life is fine.

-
Mike Hammett
Intelligent Computing Solutions
Midwest Internet Exchange
The Brothers WISP


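The two-tier approach the thread converges on (Ryan's upstream filter list for reflection sources, with Mike's rule that RTBH is only the fallback once an attack exceeds link capacity) as an added Python model; this is not code from any participant, and the reflector ports, the 10G capacity figure, the SSDP rate limit and the flow aggregates are constructed assumptions.

```python
"""Two-tier mitigation planner modelled on the thread (added example).

Tier 1: FlowSpec-style rules for the reflection sources Ryan listed (drop
NTP, memcache, LDAP; rate-limit SSDP), assumed to be applied upstream.
Tier 2: Mike's fallback, an RTBH /32 or /128, only when what tier 1 cannot
remove would still exceed the configured inbound capacity (assumed value)."""
from dataclasses import dataclass
from ipaddress import ip_address

# Well-known UDP source ports of the reflection services named in the thread.
REFLECTOR_PORTS = {123: "ntp", 11211: "memcache", 389: "ldap", 1900: "ssdp"}

@dataclass(frozen=True)
class Flow:
    dst: str     # victim address (sampled flow aggregate)
    proto: str   # "udp" or "tcp"
    sport: int   # source port as seen by the detector
    bps: float   # observed bits per second for this aggregate

@dataclass(frozen=True)
class Rule:
    kind: str    # "flowspec" or "rtbh"
    dst: str     # host prefix to match or blackhole
    match: str   # human-readable L4 match, empty for RTBH
    action: str  # "discard", "rate-limit <bps>" or "blackhole"

def host_prefix(addr: str) -> str:
    """/32 for IPv4, /128 for IPv6: the host routes the thread swings."""
    ip = ip_address(addr)
    return f"{ip}/{32 if ip.version == 4 else 128}"

def plan_mitigation(flows, capacity_bps, ssdp_limit_bps=1_000_000):
    """Return (rules, residual_bps_per_victim). Selective rules come first;
    a victim is blackholed only if the traffic those rules cannot remove
    still exceeds capacity."""
    rules, residual = [], {}
    for f in flows:
        svc = REFLECTOR_PORTS.get(f.sport) if f.proto == "udp" else None
        prefix, match = host_prefix(f.dst), f"udp src-port {f.sport}"
        if svc == "ssdp":
            # Rate-limited, not dropped: the surviving share still arrives
            rules.append(Rule("flowspec", prefix, match, f"rate-limit {ssdp_limit_bps}"))
            residual[f.dst] = residual.get(f.dst, 0.0) + min(f.bps, ssdp_limit_bps)
        elif svc:
            rules.append(Rule("flowspec", prefix, match, "discard"))
        else:
            # Not filtered upstream: this is the "flooding" left to deal with
            residual[f.dst] = residual.get(f.dst, 0.0) + f.bps
    for dst, bps in residual.items():
        if bps > capacity_bps:
            # Over capacity: selective rules no longer help, blackhole the host
            prefix = host_prefix(dst)
            rules = [r for r in rules if r.dst != prefix]
            rules.append(Rule("rtbh", prefix, "", "blackhole"))
    return rules, residual

# Constructed sample aggregates (documentation addresses), not real telemetry.
SAMPLE_FLOWS = [
    Flow("192.0.2.10", "udp", 123, 4e9),     # NTP reflection
    Flow("192.0.2.10", "udp", 11211, 6e9),   # memcache reflection
    Flow("192.0.2.10", "udp", 1900, 0.5e9),  # SSDP reflection
    Flow("192.0.2.10", "udp", 53, 0.8e9),    # DNS: not on the upstream filter list
    Flow("192.0.2.20", "tcp", 80, 12e9),     # TCP flood beyond a 10G link
]

if __name__ == "__main__":
    for rule in plan_mitigation(SAMPLE_FLOWS, capacity_bps=10e9)[0]:
        print(rule)
```

The Rule objects are a neutral representation; translating them into a given router's FlowSpec NLRI or blackhole community is left to whatever BGP speaker the operator already runs.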


RE: Switch with high ACL capacity

2018-11-06 Thread Ryan Hamel
Mike,

Are you sure you have enough inbound capacity to set up such a thing? Do you 
have RTBH set up for the final means of killing the attack?

If you could get another set of circuits to feed this switch from your same 
providers, and they accept more specific announcements, you could use this to 
swing /32's or /128's to said dedicated links so it won't affect your clients' 
traffic.

--
Ryan Hamel
Network Administrator
ryan.ha...@quadranet.com | +1 (888) 578-2372
QuadraNet Enterprises, LLC. | Dedicated Servers, Colocation, Cloud


-Original Message-
From: NANOG  On Behalf Of 
Mike Hammett
Sent: Tuesday, November 06, 2018 11:47 AM
To: Lotia, Pratik M 
Cc: 'nanog list' 
Subject: Re: Switch with high ACL capacity

The intent is to see if I can construct a poor man's DDOS scrubber. There are 
low cost systems out there for the detection, but they just trigger something 
else to do the work. Obviously there is black hole routing, but I'm looking for 
something with a bit more finesse.

If I need to get a switch anyway, might as well try to take advantage of it for 
other uses.

-
Mike Hammett
Intelligent Computing Solutions
Midwest Internet Exchange
The Brothers WISP

- Original Message -
From: Lotia, Pratik M 
To: Mike Hammett , 'nanog list' 
Sent: Tue, 06 Nov 2018 12:29:15 -0600 (CST)
Subject: Re: Switch with high ACL capacity

Mike,

Can you shed some light on the use case? Looks like you are confusing ACLs and 
BGP Flowspec. ACLs and Flowspec rules are similar in some ways but they have a 
different use case. ACLs cannot be configured using Flowspec announcements. 
Flowspec can be loosely explained as 'Routing based on L4 rules' (there's a lot 
more to it than just L4). I doubt if there is a switch which can hold a large 
number of Flowspec entries.

 
~Pratik Lotia
“Improvement begins with I.”
 

On 11/6/18, 10:39, "NANOG on behalf of Mike Hammett"  wrote:

I am looking for recommendations as to a 10G or 40G switch that has the 
ability to hold a large number of entries in ACLs.

Preferred if I can get them there via the BGP flow spec, but some sort of 
API or even just brute force on the console would be good enough.

Used or even end of life is fine.

-
Mike Hammett
Intelligent Computing Solutions
Midwest Internet Exchange
The Brothers WISP





Re: Switch with high ACL capacity

2018-11-06 Thread Tim Jackson
Juniper QFX1(including 12) supports ~64k ACL entries + FlowSpec

--
Tim

On Tue, Nov 6, 2018 at 1:49 PM Mike Hammett  wrote:

> The intent is to see if I can construct a poor man's DDOS scrubber. There
> are low cost systems out there for the detection, but they just trigger
> something else to do the work. Obviously there is black hole routing, but
> I'm looking for something with a bit more finesse.
>
> If I need to get a switch anyway, might as well try to take advantage of
> it for other uses.
>
> -
> Mike Hammett
> Intelligent Computing Solutions
> Midwest Internet Exchange
> The Brothers WISP
>
> - Original Message -
> From: Lotia, Pratik M 
> To: Mike Hammett , 'nanog list' 
> Sent: Tue, 06 Nov 2018 12:29:15 -0600 (CST)
> Subject: Re: Switch with high ACL capacity
>
> Mike,
>
> Can you shed some light on the use case? Looks like you are confusing ACLs
> and BGP Flowspec. ACLs and Flowspec rules are similar in some ways but they
> have a different use case. ACLs cannot be configured using Flowspec
> announcements. Flowspec can be loosely explained as 'Routing based on L4
> rules' (there's a lot more to it than just L4). I doubt if there is a
> Switch which can hold a large number of Flowspec entries.
>
>
> ~Pratik Lotia
> “Improvement begins with I.”
>
>
> On 11/6/18, 10:39, "NANOG on behalf of Mike Hammett" <
> nanog-boun...@nanog.org on behalf of na...@ics-il.net> wrote:
>
> I am looking for recommendations as to a 10G or 40G switch that has
> the ability to hold a large number of entries in ACLs.
>
> Preferred if I can get them there via the BGP flow spec, but some sort
> of API or even just brute force on the console would be good enough.
>
> Used or even end of life is fine.
>
> -
> Mike Hammett
> Intelligent Computing Solutions
> Midwest Internet Exchange
> The Brothers WISP
>
>
>
>


Re: Switch with high ACL capacity

2018-11-06 Thread Mike Hammett
The intent is to see if I can construct a poor man's DDOS scrubber. There are 
low cost systems out there for the detection, but they just trigger something 
else to do the work. Obviously there is black hole routing, but I'm looking for 
something with a bit more finesse.

If I need to get a switch anyway, might as well try to take advantage of it for 
other uses.

-
Mike Hammett
Intelligent Computing Solutions
Midwest Internet Exchange
The Brothers WISP

- Original Message -
From: Lotia, Pratik M 
To: Mike Hammett , 'nanog list' 
Sent: Tue, 06 Nov 2018 12:29:15 -0600 (CST)
Subject: Re: Switch with high ACL capacity

Mike,

Can you shed some light on the use case? Looks like you are confusing ACLs and 
BGP Flowspec. ACLs and Flowspec rules are similar in some ways but they have a 
different use case. ACLs cannot be configured using Flowspec announcements. 
Flowspec can be loosely explained as 'Routing based on L4 rules' (there's a lot 
more to it than just L4). I doubt if there is a switch which can hold a large 
number of Flowspec entries.

 
~Pratik Lotia
“Improvement begins with I.”
 

On 11/6/18, 10:39, "NANOG on behalf of Mike Hammett"  wrote:

I am looking for recommendations as to a 10G or 40G switch that has the 
ability to hold a large number of entries in ACLs.

Preferred if I can get them there via the BGP flow spec, but some sort of 
API or even just brute force on the console would be good enough.

Used or even end of life is fine.

-
Mike Hammett
Intelligent Computing Solutions
Midwest Internet Exchange
The Brothers WISP





Re: Switch with high ACL capacity

2018-11-06 Thread Lotia, Pratik M
Mike,

Can you shed some light on the use case? Looks like you are confusing ACLs and 
BGP Flowspec. ACLs and Flowspec rules are similar in some ways but they have a 
different use case. ACLs cannot be configured using Flowspec announcements. 
Flowspec can be loosely explained as 'Routing based on L4 rules' (there's a lot 
more to it than just L4). I doubt if there is a switch which can hold a large 
number of Flowspec entries.

 
~Pratik Lotia
“Improvement begins with I.”
 

On 11/6/18, 10:39, "NANOG on behalf of Mike Hammett"  wrote:

I am looking for recommendations as to a 10G or 40G switch that has the 
ability to hold a large number of entries in ACLs.

Preferred if I can get them there via the BGP flow spec, but some sort of 
API or even just brute force on the console would be good enough.

Used or even end of life is fine.

-
Mike Hammett
Intelligent Computing Solutions
Midwest Internet Exchange
The Brothers WISP

