I'd like to think we all care about an open internet where anyone can connect with anyone, but the engineer in me says that there are some things we should do to ensure that it is not stupidly easy for a 3rd party to use anyone to harm someone else.
I agree. The days of the "any to any, open Internet" are slowly coming to
an end. One small flaw in one mass produced and mass distributed piece of
software (including software that runs on CPE) can easily snowball into
hundreds of gigabits of traffic at the "core" of the Internet (I hate that
term but I'm too tired to come up with anything else right now).
Who would have thought you could weaponise a D-Link ;)
A lot of providers still fail to implement basic ingress packet filtering
from users (BCP38). What hope is there if scope is expanded to limit or
block NTP, DNS, SSDP, SNMP etc as well?
Maybe our beloved vendors of BNG and BRAS products should step up to the
plate and give us the 'dummy' mode config for service providers that can
be used for best practice secure subscriber templates?
That'll take care of our high speed users and their compromised home
networks.... What do we do about the networks that intentionally sell
bandwidth for the purposes of launching high volume unfiltered DDOS
attacks? :)
Here we all were thinking that IPv4 exhaustion would break the any-to-any
connectivity!
Macca
On Mon, Nov 3, 2014 at 10:11 PM, Jamie Baddeley
Hey Barry,
Great conversation starter and some topics that have been on my mind lately.
Seems to me after having done a quick scan of the market the other day that ISPs have fallen away around being clear about the Acceptable Use Policies that they may have with customers. Traditionally (or at least when my head was buried *all the time* in operational matters), AUPs were built to deal with intentional abuse of the network, spam, conscious DDoS attacks et cetera, et cetera. But as you point out with very high speed plans available and customers being unintentional participants of abuse, the results can be quite cataclysmic and spectacuuulaaarr.
Our friend Roland Dobbins presented a really simple summary at AUSNOG recently on the state of play with fashionable DDoS attacks. At least half a dozen services available on 1G connected CPE - mostly reflector attacks. DNS, NTP, Chargen (woah, the 80's are calling), and some others too.
Seems to me we need to consider whether these services running on CPE are considered harmful in a gb connected age and whether we make it clear that these services (i.e. an open DNS resolver on a gb connected customer site) are considered harmful by default unless the customer has explicitly asked for that to be available and is consciously aware of the risks. I think the challenges of operationally managing this are proportionally related to competition and the fluidity of the market. Customers churning and turning up with their own CPE. Sigh.
It's not until we've had the conversations with our customers and we get a sense of what is mutually acceptable before we take steps to explicitly deny this stuff. It is all about mitigating risk for the benefit of most but the process by which we get that permission to do so is an important one.
I'd like to think we all care about an open internet where anyone can connect with anyone, but the engineer in me says that there are some things we should do to ensure that it is not stupidly easy for a 3rd party to use anyone to harm someone else.
Now I'm sure some of you will say, yeah we do that. But as far as the public is concerned - are we making that clear enough? I think the wholesale players need to also think about steps to ensure that AUP (whatever that is) ripples downstream too.
cheers
jamie
On 3 November 2014 23:01, Barry Murphy wrote:
Hey guys,
I just wondered what people thought of the implications around 1gbps residential / business plans now becoming more and more common. I'm seeing requests from wholesalers and retail asking about this gigatown thing and how they can get a 1Gbps service, especially unlimited. While I know 1gbps is not too common yet, the 200mbps plan is becoming more and more common and it won't be long before there is pressure to do 1gbps.
I know the unlimited part is easy to justify to the client around 'international & domestic' transit pricing, but some ask why can we not do user to user or peering traffic at 1gbps.
I'm not sure if it's still true, but I recall from the Chorus documentation that you could LAG a maximum of 8x10g circuits in a handover region and that was the max, so theoretically 80gbps handover. For the sake of ease and because 10Gbps holes are not cheap in high end routers like ALU 7750 SR-7's which we run, we will consider the average provider has a single 10g or maybe 2 per region right now.
If you had say 10 or 20 users on the 1Gbps plan or even 100-200 users on the 200mbps plan and they had misconfigured routers (consider they could do 200mbps upload) opening them up to the likes of DNS amplifications etc. Now those users are maxing out the upload capacity of the handover, you have no ability to QoS the malicious users as the QoS would need to come before hitting the handover, i.e. on the CPE. Suddenly everyone on the handover is impacted from a handful of users that wanted the faster speed just because it was available and affordable. The only way to stop the attack affecting everyone would be to isolate and disconnect the end users causing the damage, be it IPOE or PPPoE, if the user was on a direct /30 IP then things are even harder to manage.
The DNS amplifications that hurt Spark for a whole weekend, I can only assume was caused by such a large amount of affected devices filling up the handovers and also because it was targeted at their DNS. Imagine an attack of that magnitude, 10s of thousands of end users on 200 or even 100mbps circuits filling up a 10gig or even at this point a 80gbps handover LAG.
When you talk about regional handovers up and down the country then the problem gets worse as you then obviously need to backhaul that capacity to Auckland before getting out to the internet, so this also has to be considered too.
Any thoughts on the matter?
Many thanks
Kind regards,
Barry Murphy / Chief Operating Officer
http://www.vibecommunications.co.nz/ / Peering: AS45177
_______________________________________________ NZNOG mailing list NZNOG(a)list.waikato.ac.nz http://list.waikato.ac.nz/mailman/listinfo/nznog
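An illustration of the two controls raised in this thread, BCP38 source validation on subscriber ports and finding the subscribers whose CPE is answering as a reflector so they can be isolated before the handover fills. It is an added example, not written by any of the posters; the flow-record layout, subscriber names, prefixes and thresholds are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# UDP services named in the thread as reflection vectors (source port -> name).
REFLECTOR_PORTS = {19: "chargen", 53: "dns", 123: "ntp", 161: "snmp", 1900: "ssdp"}

# Constructed sample: subscriber access ports and the prefix assigned to each.
ASSIGNED = {
    "sub-a": ipaddress.ip_network("198.51.100.0/30"),
    "sub-b": ipaddress.ip_network("198.51.100.4/30"),
    "sub-c": ipaddress.ip_network("198.51.100.8/30"),
}

# Constructed upstream UDP flow records for one 60 s interval:
# (subscriber port, source IP, source UDP port, bytes sent upstream)
FLOWS = [
    ("sub-a", "198.51.100.1", 53, 1_350_000_000),   # open resolver answering
    ("sub-a", "198.51.100.1", 51514, 4_000_000),    # ordinary client traffic
    ("sub-b", "203.0.113.77", 40000, 600_000_000),  # source outside assigned prefix
    ("sub-c", "198.51.100.9", 123, 900_000_000),    # NTP responses
    ("sub-c", "198.51.100.9", 50222, 20_000_000),   # ordinary client traffic
]

def analyse(flows, assigned, interval_s=60, handover_bps=10e9, min_bps=50e6):
    """Return (spoofed bytes per subscriber, reflector report sorted by rate).

    Report rows are (subscriber, services, upstream bps, share of handover).
    """
    spoofed = defaultdict(int)
    reflect = defaultdict(lambda: defaultdict(int))
    for sub, src, sport, nbytes in flows:
        if ipaddress.ip_address(src) not in assigned[sub]:
            spoofed[sub] += nbytes  # BCP38 ingress filtering would drop this
        elif sport in REFLECTOR_PORTS:
            reflect[sub][REFLECTOR_PORTS[sport]] += nbytes
    report = []
    for sub, by_service in reflect.items():
        bps = sum(by_service.values()) * 8 / interval_s
        if bps >= min_bps:  # ignore small legitimate responders
            report.append((sub, sorted(by_service), bps, bps / handover_bps))
    report.sort(key=lambda row: row[2], reverse=True)
    return dict(spoofed), report

if __name__ == "__main__":
    spoofed, report = analyse(FLOWS, ASSIGNED)
    for sub, nbytes in spoofed.items():
        print(f"{sub}: {nbytes} bytes with source outside assigned prefix")
    for sub, services, bps, share in report:
        print(f"{sub}: {','.join(services)} {bps / 1e6:.0f} Mbps ({share:.1%} of handover)")
```
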