SMF Tie Cable Standards for Data Center Applications

2019-08-19 Thread Chris Costa
In our new data center builds we're transitioning from MMF to SMF for the tie cabling between networking gear in the MDF/IDF racks to the server racks. Today those interconnects are short (under 100 meters) 10GE and 40GE-LX4 over MMF. We’re transitioning to SMF to support services beyond that,

Re: syn flood attacks from NL-based netblocks

2019-08-19 Thread Töma Gavrichenkov
On Mon, Aug 19, 2019, 9:24 PM Florian Brandstetter wrote: > Load balancing is done on Layer 4 or Layer 3 when routing, so your > ingress connection will have the same hash as the outgoing connection > (unless the source port of the connection changes on the ACK - which it > really should not).

Re: syn flood attacks from NL-based netblocks

2019-08-19 Thread Töma Gavrichenkov
On Mon, Aug 19, 2019, 9:27 PM Valdis Klētnieks wrote: > On Mon, 19 Aug 2019 21:18:49 +0300, Töma Gavrichenkov said: > > > If you're doing load balancing for *outgoing* traffic — and in exactly > the > > same manner as you do with incoming — then maybe. > > On the other hand, your servers should

Re: syn flood attacks from NL-based netblocks

2019-08-19 Thread Valdis Klētnieks
On Mon, 19 Aug 2019 21:18:49 +0300, Töma Gavrichenkov said: > If you're doing load balancing for *outgoing* traffic — and in exactly the > same manner as you do with incoming — then maybe. On the other hand, your servers should probably be doing non-loadbalanced outbound on a different IP

Re: syn flood attacks from NL-based netblocks

2019-08-19 Thread Töma Gavrichenkov
On Mon, Aug 19, 2019, 8:57 PM Valdis Klētnieks wrote: > On Mon, 19 Aug 2019 20:44:47 +0300, Töma Gavrichenkov said: > > > Not in a typical DC/ISP environment! With the solution you propose, a > > perfect routing symmetry is a hard requirement, b/c you need to make > > sure a returning SYN/ACK

Re: syn flood attacks from NL-based netblocks

2019-08-19 Thread Valdis Klētnieks
On Mon, 19 Aug 2019 20:44:47 +0300, Töma Gavrichenkov said: > Not in a typical DC/ISP environment! With the solution you propose, a > perfect routing symmetry is a hard requirement, b/c you need to make > sure a returning SYN/ACK hits the very same machine as the initial > SYN. If your load

Re: syn flood attacks from NL-based netblocks

2019-08-19 Thread Töma Gavrichenkov
On Mon, Aug 19, 2019 at 8:12 PM Damian Menscher wrote: > A factor of 2 is "rounding error" and we probably shouldn't > waste our time on it (eg, by designing solutions to reduce > amplification factors) when we could instead be targeting > the sources of spoofed traffic. Ah, fine. Spoofing is

Re: syn flood attacks from NL-based netblocks

2019-08-19 Thread Damian Menscher via NANOG
On Mon, Aug 19, 2019 at 4:15 AM Töma Gavrichenkov wrote: > Dealing with TCP flags is a different story: > I agree these attacks can be large: the one under discussion probably exceeded 10Mpps (Gbps is the wrong metric for small-packet attacks) I agree they can cause significant outages: this

Re: syn flood attacks from NL-based netblocks

2019-08-19 Thread Töma Gavrichenkov
Peace, On Mon, Aug 19, 2019 at 7:39 AM Damian Menscher via NANOG wrote: > Most kernels will return 3-5 SYN-ACK packets for an incoming > SYN, so it's not particularly interesting for attackers or defenders. Well, producing 1000 Gbps as opposed to 200 Gbps is still pretty impressive, isn't it?

Re: syn flood attacks from NL-based netblocks

2019-08-19 Thread Töma Gavrichenkov
Peace, On Sun, Aug 18, 2019 at 6:48 PM Mike wrote: > [..] I do have an idea > that may be potentially a good mitigation strategy and for the exact > reason stated above; low load to individual end points may still, in > aggregate, overwhelm an IX or provider, so cutting off the SYN-ACK > traffic