Well some yahoo had to go and do it.
BSD runs on the P200 that manages the box. Like the ssh session you might use to configure it. ASICs handle the packet forwarding, route table, forwards table, etc. No matter how cool BSD is, it still doesn't push an OC-192 at wire speed. Moderate that guy down like the uninformed bastard that he is.
kashani
You go on with your bad self. Because hey, committees are soooo much better than an informed individual. We can get a committee of people who can agree and are idiots and then start with the five year plans. That's a great idea.
Linus killed it because it was a fucking dumb idea. No other reason. He doesn't have to accept anything. He even freely admits that his job is to keep crap out of the kernel more so than writing code.
You are wrong. :)
-
Most larger email systems use a so-called "2nd generation" MTA like qmail. Sendmail is basically monolithic and qmail is actually about 5 different processes. Processes for sending mail, receiving mail, etc. Postfix, Exim, and a few others also fall into this category, I believe. Postfix has been showing up in several Linux distros due to their friendlier license than qmail. Source for Qmail is available, but making changes available in a commercial product has issues.
-
There's nothing really wrong with sendmail, it's just that if you want to move LOTS of mail something a bit smaller and leaner is better.
Kashani, occasional qmail flunky
Unfortunately you know dick about routing. So obviously do the moderators.
-
The whole purpose of BGP is to be stable yet allow you to route around things. True, BGP does not take into consideration pipe size, saturation, etc like some IGPs do. Of course most network operators have a vested interest in making sure this doesn't happen. This is why we have nice knobs and switches in BGP like AS padding, localpref, compare MED, etc.
-
If a router is returning no packets it can't very well maintain a BGP session, which is TCP based. Session goes down, routes drop. Convergence is on the order of less than 60 secs unless you set something like no bgp-fast-external-failover.
-
Of course your ISP could be doing something monumentally stupid like running RIPv2 across their core. In which case, yes what you summarized might happen, if the operators were retarded or something.
-
Read "Where the Wizards Stay up Late". The Internet was NOT created to survive a nuclear war.
Kashani -router guy
Again this is why you filter AT THE BORDER before the problem makes it to the core.
kashani
That's why you filter at the border before the errant packets get in your core.
Kashani
You're an idiot.
Juniper uses ASICs to do all the packet forwarding. The BSD based JUN OS is strictly for out-of-band management, creating configs, logging, etc. and has absolutely nothing to do with moving real packets.
Kashani
1. Multiple fiber carriers into the building in case you need to drop a circuit or two down the way.
2. Locked cage or suite depending on your size requirement.
3. 24/7 NOC techs who can act as remote hands, open tickets, let vendor techs in, etc.
4. Conditioned power, UPS, generator, etc.
5. Multiple peers. UUnet, Level3, and GTE/Genuity should all be peers at min. You should be able to get a partial list of peers. You will not be able to see the size of the pipe to each peer. This is usually confidential.
6. Switched port if you are not going to run your own routers. Make sure they can route for you if you want to bring in dedicated lines or that you can add your own routers in later.
7. Get a tour. Make sure there are no hot spots. Avoid anything with a Walmart fan blowing air to relieve hot spots. It happens.
Always check provisioning times. How fast can they bring another 110v 20A circuit? 220 20A? More bandwidth? Larger space? Another cabinet? Some colos are running out of space, power, etc. Make sure they have a plan to cover growth over the next year or the length of your contract.
Kashani
I've more traffic than most through an Alteon Ace3 (250 Mb/s and 90k concurrent sessions) and it ain't that good at it. Numerous software problems and lots of general flakiness. I had the config checked out several times by Alteon and even swapped hardware. We'll see how their new 700 boxes and 8.0 code do, but if you're doing things today Arrowpoint is one of the better choices.
kashani
Because the 6509 is way too underpowered processor-wise to do the kind of traffic slashdot is doing. Having built a system that pushes 250Mb/s out at peak, the Arrowpoints are really the only way to go, especially if you plan on the usual exponential internet growth, converting to NAT, and like some semblance of filtering.
kashani
The router card in a 6509 is the RSP4 from the aging 75xx line. The 72xx VXR will kick its ass every time.
kashani
A few problems here.
#1. Getting the provider to change DNS is better than an actual attack. You now have 1-48 hours of cached DNS floating around on the Internet. Mission accomplished.
#2. Any solution to the problem has to take into account multiple gateways. While the author said he'll show one gateway for simplicity, I counter that this is not a simple problem and cannot be reduced to a single gateway network even in demonstration.
#3. Half the battle in these attacks is finding out which of your providers is sending which traffic. To do this in most cases you must be able to filter packets. Filtering packets at a Gb/s or so is impossible unless you ARE WAY overbuilt.
#4. Having a "stub network" is not a new idea. I saw the presentation for CenterTrack at the Nov NANOG.
http://www.caida.org/k/centertrack.pdf
Again, having the processor power to actually accomplish this is not a little problem.
Kashani
Jeez this is dense. What the author is talking about is running a program that does bad things, a trojan not a virus. If he had thought for a moment he would have taken his head out of his ass before writing this drivel.
Windows' problem has always been that all users are basically root. All programs that ran could overwrite any other file on the system. NT's problem was the macro languages built into apps were also allowed to do whatever the hell they wanted.
The real question is, if I'm root and I open an "infected file" in vi, is vi now infected? That would be virus behavior. If I put a floppy in the drive and read my data, will any viruses on the disk execute? Personally I don't think so, but if we're going to talk about virii let's split the matter from trojans, which are COMPLETELY different.
http://www.enteract.com/~kashani/petbook.jpg
I think you're wrong. There are technically feasible ways to minimize the amount of spam, etc leaving your network. If you do not take the basic precautions then you are asking for trouble. I work at a few-million-odd-user ISP and we have nowhere near the spam problem other companies have. We don't allow non-users to relay and we don't allow our users to relay off others. Same with our news system. On the other hand I've seen a single @Home user attempt to relay 900,000 spams off my servers. ??? Qmail accept-and-disregard is a beautiful thing. Really lets the user hang himself.
@Home is merely being told that they need to get their act together. Loudly.
-
Kashani
That's right it is MCSE. The best way to remember is to know that MCSE stands for:
Must
Consult
Someone
Experienced
or
Most
Concerned with
Salary
Enhancement
-
:)
uh no. Why single out HKS? Just don't do ANY CC transactions, ever, with any bank.
-
What we really need is "dumb as fuck" as one of the moderation choices.
Yeah there is an extended director's cut which is 3+ hours, I think. Not sure, but the Sci Fi channel usually shows it once or twice per year. I hear you can get it on laser disk, but it was a few hundred dollars. If someone has seen it cheaper a little side email would be swell.
Kashani
I'd deny you too.
I don't accept email from the following places:
1. Mail machines with unmatching forward and reverse DNS
2. RBL'ed boxes.
If you can't get correct DNS either relay off your ISP or get it changed. And for all the RFC quoters, all the RFC asks is that you are specific in your sends and general in your accepts. My company decided what those would be and it has caused us very few problems considering we push 10mb/s of mail on average.
Kashani
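The two rejection rules in that post (no forward-confirmed reverse DNS, or a DNSBL listing) as a small policy check, added here and not code from the original poster; the DNS records and the DNSBL zone name `bl.example` are constructed so it runs offline, and a real deployment would replace the in-memory tables with actual PTR/A/DNSBL queries:

```python
"""Mail acceptance policy: reject a connecting SMTP client if
(1) its reverse DNS does not forward-confirm, or (2) it is listed in a DNSBL.
Resolver data below is a constructed in-memory table (assumption, not real DNS)."""
import ipaddress

# Constructed PTR records (IP -> names) and A records (name -> IPs).
PTR = {
    "192.0.2.10": ["mail.example.net."],    # forward-confirms
    "192.0.2.20": ["smtp.example.org."],    # PTR exists but forward does not match
    "192.0.2.30": ["relay.example.com."],   # forward-confirms, but DNSBL-listed below
}
A = {
    "mail.example.net.": ["192.0.2.10"],
    "smtp.example.org.": ["198.51.100.5"],
    "relay.example.com.": ["192.0.2.30"],
}
# Constructed DNSBL: a listed IP is queried as reversed-octets.<zone>. and returns an A record.
DNSBL_ZONE = "bl.example"                   # placeholder zone, not a real blocklist
DNSBL = {"30.2.0.192.bl.example.": ["127.0.0.2"]}


def reversed_octets(ip: str) -> str:
    """192.0.2.30 -> 30.2.0.192, the label form DNSBLs use for IPv4 lookups."""
    return ".".join(reversed(ipaddress.IPv4Address(ip).exploded.split(".")))


def fcrdns_ok(ip: str, ptr=PTR, a=A) -> bool:
    """Forward-confirmed reverse DNS: at least one PTR name must resolve back to ip."""
    return any(ip in a.get(name, []) for name in ptr.get(ip, []))


def dnsbl_listed(ip: str, zone: str = DNSBL_ZONE, bl=DNSBL) -> bool:
    """Listed if the reversed-octet name under the zone has any A record."""
    return bool(bl.get(f"{reversed_octets(ip)}.{zone}."))


def smtp_policy(ip: str):
    """Return (accept, smtp_reply) for a connecting client IP, cheapest check first."""
    if not fcrdns_ok(ip):
        return False, "550 reverse DNS does not match forward DNS"
    if dnsbl_listed(ip):
        return False, f"550 listed in {DNSBL_ZONE}"
    return True, "250 OK"


if __name__ == "__main__":
    for client in ("192.0.2.10", "192.0.2.20", "192.0.2.30", "192.0.2.40"):
        print(client, smtp_policy(client))
```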
I agree with the cdrom bit. I spend several hundred thousand on an E6500 and get a 12x cdrom? Crack smokers.
As someone whose lifelong dream was to be a Mechanical Eng. I feel I can comment on the above article with some authority. I was in my 3rd year at UIC in Chicago when it hit me. I am not going to change the world when I get out of school. I am going to do stress analysis on little metal parts for the first few years till I pass the Exam, work on my masters, and generally be a flunky. I'll implement standard procedures, get products out on time, and generally be an efficient engineer. I wouldn't be revolutionizing any 100 year old industries overnight. Not that it can't happen, but would "I" be able to do it. I'm no company man in it for the pension. I also read an article in Pop Sci about genetic algos being used to design more efficient propellers for planes. The engineers were ecstatic at this 1% increase in efficiency they had gained. Pop Sci went on to explain "that 1% is an amazing windfall in a mature field like aerodynamics." I quit that semester.
I didn't make the jump to computers for a few years after I quit school. But when I started a job in tech support 3 years ago (for which I was extremely underqualified) it was love at first sight. Here was a field where there is no "standard way" to do anything. If you think you can do it better, no one is going to get in your way. Either it works or it doesn't. If they don't like it you take your idea somewhere else and start your own company. Hell my boss is one year older than I am and sitting on ARIN's board. He is doing something tangible and the effects will be felt for years to come.
I only hope that my work can be as useful.
Kashani
Uh hello! Subdomains?
cheech.imgs.sfo.xxxx
chong.imgs.sfo.xxxx
sulu.dnld.lax.xxx
kirk.dnld.lax.xxx
spock.dnld.lax.xxx
skipper.auth.chi.xxxx
ginger.auth.chi.xxxx
professor.auth.chi.xxxx
This is way better than the L3servauth4.xxxx crap we had before I got here.
Very few non-server systems seem to be built with crypto in mind. Cisco finally putting ssh on their routers is a good example. With the whole "smart appliances everywhere" right around the corner I find this disconcerting. What do you think it will take to put crypto on all devices esp consumer devices?
If we wanted another Windows then you are correct. I personally want a home OS that does not crash.