nanog mailing list archives

RE: RE: [EXT] Fwd: Re: problems sending to prodigy.net hosted email


From: "Keith Medcalf" <kmedcalf () dessus com>
Date: Wed, 21 Mar 2018 11:06:26 -0600


LaBrea Tarpit http://labrea.sourceforge.net/ can do this as well, though perhaps only for IPv4.  Basically it looks for 
unanswered ARP requests and answers them.  What it does with the ensuing session data is configurable.

---
The fact that there's a Highway to Hell but only a Stairway to Heaven says a lot about anticipated traffic volume.


-----Original Message-----
From: NANOG [mailto:nanog-bounces () nanog org] On Behalf Of Stephen Satchell
Sent: Tuesday, 20 March, 2018 19:39
To: nanog () nanog org
Subject: Fwd: RE: [EXT] Fwd: Re: problems sending to prodigy.net hosted email

Linux systems have the ability, given enough RAM, to associate almost any number of IP addresses to a given interface.  Our IP allocation database kept track of who was using what IP address.  I wrote some queries to collect all unassigned IP addresses, and to construct the appropriate shell commands to assign those IP addresses to Ackbar's interface.  Part of the program would also remove any allocated IP addresses from the server automatically.

Worked like a charm.

Whenever someone would nmap our address space, there would be at most one ARP request for the address; the router would then remember the IP->MAC association for the subsequent scans for a period of time -- 30 minutes if we were renumbering, 12 hours otherwise.

The Ackbar server lived attached to our main distribution switch, so that subsequent traffic to those unused IP addresses stayed out of the server farm.  We had some, er, "interesting" denial of service attacks that didn't do as much damage as they could have.
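The pool-minus-allocated sync Stephen describes, as an added example that is not part of the thread: it takes the address pool, the addresses the allocation database reports as in use, and the addresses currently bound to the tarpit interface, and emits the `ip addr` commands that bring the interface into line (adding unused addresses, dropping ones that have since been allocated). The interface name `eth1`, the function names and the 192.0.2.0/24 sample data are assumptions, not anything from the original post.

```shell
#!/bin/sh
# Added example, not code from the thread. Inputs are newline-separated
# address lists; IFACE and the sample data below are constructed.
IFACE="eth1"   # hypothetical interface on the tarpit ("ackbar") box

# Constructed sample inputs: a small slice of the pool, what the allocation
# database says is assigned to customers, and what the interface has bound
# right now (in practice the last list would come from `ip -4 addr show`).
POOL="192.0.2.1
192.0.2.2
192.0.2.3
192.0.2.4
192.0.2.5
192.0.2.6"
ALLOCATED="192.0.2.1
192.0.2.4"
BOUND="192.0.2.4
192.0.2.5
192.0.2.6"

# set_diff A B: print the lines of A that do not occur in B, keeping A's order.
# awk reads B first (everything before the separator) into a lookup table,
# then prints each non-empty line of A that is not in the table.
set_diff() {
    printf '%s\n%s\n%s\n' "$2" "__SEP__" "$1" | awk '
        $0 == "__SEP__" { seen = 1; next }
        !seen           { skip[$0] = 1; next }
        !($0 in skip) && $0 != ""'
}

# Emit the commands that make the interface answer exactly the unused pool
# addresses. Addresses the database has allocated since the last run are
# removed first in spirit: a customer address must never stay on the tarpit.
ackbar_sync() {
    unused=$(set_diff "$POOL" "$ALLOCATED")   # pool minus allocated
    to_add=$(set_diff "$unused" "$BOUND")     # unused but not yet bound
    to_del=$(set_diff "$BOUND" "$unused")     # bound but now allocated
    for a in $to_add; do
        printf 'ip addr add %s/32 dev %s\n' "$a" "$IFACE"
    done
    for a in $to_del; do
        printf 'ip addr del %s/32 dev %s\n' "$a" "$IFACE"
    done
}
```

Review the emitted commands before piping them to `sh`; the /32 prefix is deliberate so the tarpit box answers ARP for each address without taking over the subnet route.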


-------- Forwarded Message --------
Subject: RE: [EXT] Fwd: Re: problems sending to prodigy.net hosted email
Date: Tue, 20 Mar 2018 17:15:25 +0000
From: Charles Bronson <cbronson () iec-electronics com>
To: nanog () nanog org <nanog () nanog org>

If this isn't pertinent to the list, feel free to answer privately.  How did you implement the server that got rid of ARP storms?


Charles Bronson



-----Original Message-----
From: NANOG [mailto:nanog-bounces () nanog org] On Behalf Of Stephen Satchell
Sent: Monday, March 19, 2018 9:31 PM
To: nanog () nanog org
Subject: [EXT] Fwd: Re: problems sending to prodigy.net hosted email

Two DNS servers hosted on one box (or VM object), even with two addresses, is easily compromised by DDoS amplification attacks.  That's the norm for a number of "web control panel" systems like Plesk and CPanel.

It depends on the scale of your operations.  Last time I was in that situation, I had roughly 25,000 domains spread across 30 servers.  Life became MUCH simpler when I put up dedicated, and high-power, physical systems running non-recursive BIND for DNS1 and DNS2, as well as another pair of boxes running recursive servers as DNS3 and DNS4.

Getting QMail and Exim to "smart host" to my monster MX servers proved to be pretty easy, and I even was able to get the web servers to tell me when a mailbox was full so I could reject the SMTP exchange at the edge, instead of generating backscatter.

And, with a pool of roughly 4,000 IP addresses, I got rid of ARP storms in our network by putting up a little server called "ackbar", that was configured to respond to all otherwise unused IP addresses in our pool.  (Edge routers were Cisco 7000 class, with DS3 uplinks.)

Lessons learned well.

-------- Forwarded Message --------
Subject: Re: problems sending to prodigy.net hosted email
Date: Mon, 19 Mar 2018 17:55:33 +0100
From: Chris <chris2014 () postbox xyz>
To: C. Jon Larsen <jlarsen () richweb com>
CC: nanog () nanog org

On Mon, 19 Mar 2018 11:56:16 -0400 (EDT) C. Jon Larsen wrote:

Why not? Never had a problem with multiple services on linux, in contrast to windows where every service requires its own box (or at least vm).

Go for it ! Failure is an awesome teacher :)

Don't really see a problem, especially since you normally always have two DNS servers...

--
Pope Francis calls for a fight against fake news. We think the man who presents himself as the representative of Christ, of whom he claims that his mother remained a virgin her whole life and that he could walk on water and turn it into wine, is completely right.
