jamieIt's not until we've had the conversations with our customers and we get sense of what is mutually acceptable before we take steps to explicitly deny this stuff. It is all about mitigating risk for the benefit of most but the process by which we get that permission to do so is an important one.Seems to me we need to consider whether these services running on CPE are considered harmful in a gb connected age and whether we make it clear that these services (i.e open DNS resolver on a gb connected customer site) is considered harmful by default unless the customer has explicitly asked for that to be available and is consciously aware of the risks. I think the challenges of operationally managing this are proportionally related to competition and the fluidity of the market. Customers churning and turning up with their own CPE. Sigh.Our friend Roland Dobbins presented a really simple summary at AUSNOG recently on the state of play with fashionable DDoS attacks. At least half a dozen services available on 1G connected CPE -�� mostly reflector attacks. DNS, NTP, Chargen (woah, the 80's are calling), and some others too.Seems to me after having done a quick scan of the market the other day that ISP's have fallen away around being clear about the Acceptable Use Policies that they may have with customers. Traditionally (or least when my head was buried all the time in operational matters), AUP's were built to deal with intentional abuse of the network, spam, conscious DDoS attacks ecetera ecetera. But as you point out with very high speed plans available and customers being unintentional participants of abuse, the results can be quite cataclysmic and spectacuuulaaarr.Hey Barry,Great conversation starter and some topics that have on my mind lately.I'd like to think we all care about an open internet where any one can connect with anyone, but the engineer in me says that there are some things we should do to ensure that it is not stupidly easy for a 3rd party to use anyone to harm someone else.Now I'm sure some of you will say, yeah we do that. But as far as the public is concerned - are we making that clear enough? I think the wholesale players need to also think about steps to ensure that AUP (what ever that is) ripples downstream too.cheersOn 3 November 2014 23:01, Barry Murphy <barry@vibecommunications.co.nz> wrote:Hey guys,
I just wondered what people thought of the implications around 1gbps
residential / business plans now becoming more and more common.
I��m seeing requests from wholesalers and retail asking about this gigatown
thing and how they can get a 1Gbps service, especially unlimited.
While I know 1gbps is not too common yet, the 200mbps plan is becoming
more and more common and it won��t be long before there is pressure to do
1gbps
I know the unlimited part is easy to justify to the client around
��international & domestic�� transit pricing, but some ask why can we not do
user to user or peering traffic at 1gbps.
I��m not sure if it��s still true, but I recall from the Chorus
documentation that you could LAG a maximum of 8x10g circuits in a handover
region and that was the max, so theoretically 80gbps handover.
For the sake of ease and because 10Gbps holes are not cheap in high end
routers like ALU 7750 SR-7��s which we run, we will consider the average
provider has a single 10g or maybe 2 per region right now.
If you had say 10 or 20 users on the 1Gbps plan or even 100-200 users on
the 200mbps plan and they had misconfigured routers (consider they could
do 200mbps upload) opening them up to the likes of DNS amplifications etc.
Now those users are maxing out the upload capacity of the handover, you
have no ability to QoS the malicious users as the QoS would need to come
before hitting the handover, I.e. On the CPE.
Suddenly everyone on the handover is impacted from a handful of users that
wanted the faster speed just because it was available and affordable.
The only way to stop the attack affecting everyone would be to isolate and
disconnect the end users causing the damage, be it IPOE or PPPoE, if the
user was on a direct /30 IP then things are even harder to manage.
The DNS amplifications that hurt Spark for a whole weekend, I can only
assume was caused by such a large amount of affected devices filling up
the handovers and also because it was targeted at their DNS.
Imagine an attack of that magnitude, 10s of thousands of end users on 200
or even 100mbps circuits filling up a 10gig or even at this point a 80gbps
handover LAG.
When you talk about regional handovers up and down the country then the
problem gets worse as you then obviously need to backhaul that capacity to
Auckland before getting out to the internet, so this also has to be
considered too.
Any thoughts on the matter.
Many thanks
Kind regards,
Barry Murphy / Chief Operating Officer
+64 27 490 9712 / barry@vibecommunications.co.nz
��<http://www.vibecommunications.co.nz/>
<https://www.facebook.com/VibeCom>�� <https://twitter.com/vibecomnz>
<https://www.linkedin.com/company/1941512>
Office: +64 9 222 0000 / Fax: 0800 842 326
Unit A7, 1 Beresford Square, Auckland, New Zealand
Web: www.vibecommunications.co.nz <http://www.vibecommunications.co.nz/> /
Peering: AS45177 <http://www.peeringdb.com/view.php?asn=45177>
This communication, including any attachments, is confidential. If you are
not the intended recipient, you should not read it - please contact me
immediately, destroy it, and do not copy or use any part of this
communication or disclose anything about it. Thank you. Please note that
this communication does not designate an information system for the
purposes of the Electronic Transactions Act 2002.
_______________________________________________
NZNOG mailing list
NZNOG@list.waikato.ac.nz
http://list.waikato.ac.nz/mailman/listinfo/nznog
_______________________________________________
NZNOG mailing list
NZNOG@list.waikato.ac.nz
http://list.waikato.ac.nz/mailman/listinfo/nznog