March 17, 2018

Blog (Ivan Pepelnjak)

Worth Reading: Magical Thinking in Internet Security

Someone pointed me to this article by dr. Paul Vixie (of the DNS fame). The best part (as I’m not a security person):

The TCO of new technology products and services, including security-related products and services, should be fudge-factored by at least 3X to account for the cost of reduced understanding. That extra 2X is a source of new spending: on training, on auditing, on staff growth and retention, on in-house integration.

In case you didn’t get it: figure out how much you think the magic unicorn-based software-defined solution will cost, then multiply it by three. Of course nobody wants to admit that.

by Ivan Pepelnjak at March 17, 2018 08:53 AM

March 16, 2018

Internetwork Expert Blog

We’ve Added a New CCIE Security Course to Our Video Library!

This course is part of INE’s CCIE Security v5 Technology Series. This series consists of several modules focused on many different aspects of the Group Encrypted Transport VPN (GETVPN) technology, such as operations, configuration, and redundancy. The course covers all important and exam-relevant topics and technologies, including GETVPN Data & Control Plane Components, Registration, IPv6 support, COOP KS, G-IKEv2, implementation, verification, and more, such as design considerations.


This course is taught by Piotr Kaluzny and is 2 hours and 38 minutes long. For those who are INE All Access Pass members, you can watch this course on the streaming site. This course is also available for purchase at

About The Instructor

Piotr Kaluzny started his networking career during his studies. He was able to get his first job in production right after graduating in 2007 (Piotr holds an MSc in Computer Science). He progressed his career by working in different routing & switching and security roles, with responsibilities ranging from operations and engineering to consulting and management. Since the beginning, Piotr has focused heavily on the security track. He passed the CCIE Security certification exam (#25565) in 2009 on his first attempt.

Piotr already has an extensive background as a senior technical instructor. For the past several years he has designed, developed and taught CCNA, CCNP and CCIE training courses for one of the largest, and most respected Cisco training companies in the world.

by jdoss at March 16, 2018 08:54 PM

The Networking Nerd

When Redundancy Strikes

Networking and systems professionals preach the value of redundancy. When we tell people to buy something, we really mean “buy two”. And when we say to buy two, we really mean buy four of them. We try to create backup routes, redundant failover paths, and we keep things from being used in a way that creates a single point of disaster. But, what happens when something we’ve worked hard to set up causes us grief?

Built To Survive

The first problem I ran into was one I knew how to solve. I was installing a new Ubiquiti Security Gateway. I knew that as soon as I pulled my old edge router out that I was going to need to reset my cable modem in order to clear the ARP cache. That’s always a thing that needs to happen when you’re installing new equipment. Having done this many times, I knew the shortcut method was to unplug my cable modem for a minute and plug it back in.

What I didn’t know this time was that the little redundant gremlin living in my cable modem was going to give me fits. After fifteen minutes of not getting the system to come back up the way that I wanted, I decided to unplug my modem from the wall instead of the back of the unit. That meant the lights on the front were visible to me. And that’s when I saw that the lights never went out when the modem was unplugged.

Turns out that my modem has a battery pack installed since it’s a VoIP router for my home phone system as well. That battery pack was designed to run the phones in the house for a few minutes in a failover scenario. But it also meant that the modem wasn’t letting go of the cached ARP entries either. So, all my efforts to make my modem take the new firewall were being stymied by the battery designed to keep my phone system redundant in case of a power outage.

The second issue came when I went to turn up a new Ubiquiti access point. I disconnected the old Meraki AP in my office and started mounting the bracket for the new AP. I had already warned my daughter that the Internet was going to go down. I also thought I might have to reprogram her device to use the new SSID I was creating. Imagine my surprise when both my laptop and her iPad were working just fine while I was hooking the new AP up.

Turns out, both devices did exactly what they were supposed to do. They connected to the other Meraki AP in the house and used it while the old one was offline. Once the new Ubiquiti AP came up, I had to go upstairs and unplug the Meraki to fail everything back to the new AP. It took some more programming to get everything running the way that I wanted, but my wireless card had done the job it was supposed to do. It failed to the SSID it could see and kept on running until that SSID failed as well.

Finding Failure Fast

When you’re trying to troubleshoot around a problem, you need to make sure that you’re taking redundancy into account as well. I’ve faced a few problems in my life when trying to induce failure or remove a configuration issue was met with difficulty because of some other part of the network or system “replacing” my hard work with a backup copy. Or, I was trying to figure out why packets were flowing around a trouble spot or not being inspected by a security device only to find out that the path they were taking was through a redundant device somewhere else in the network.

Redundancy is a good thing. Until it causes issues. Or until it makes your network behave in such a way as to be unpredictable. Most of the time, this can all be mitigated by good documentation practices. Being able to figure out quickly where the redundant paths in a network are going is critical to diagnosing intermittent failures.

It’s not always as easy as pulling up a routing table either. If the entire core is down you could be seeing traffic routing happening at the edge with no way of knowing the redundant supervisors in the chassis are doing their job. You need to write everything down and know what hardware you’re dealing with. You need to document redundant power supplies, redundant management modules, and redundant switches so you can isolate problems and fix them without pulling your hair out.

Tom’s Take

I rarely got to work with redundant equipment when I was installing it through E-Rate. The government doesn’t believe in buying two things to do the job of one. So, when I did get the opportunity to work with redundant configurations I usually found myself trying to figure out why things were failing in a way I could predict. After a while, I realized that I needed to start making my own notes and doing some investigation before I actually started troubleshooting. And even then, like my cable modem’s battery, I ran into issues. Redundancy keeps you from shooting yourself in the foot. But it can also make you stab yourself in the eye in frustration.

by networkingnerd at March 16, 2018 02:28 PM

Blog (Ivan Pepelnjak)

Video: Automated Data Center Fabric Deployment Demo

I was focused on network automation this week, starting with a 2-day workshop and continuing with an overview of real-life automation wins. Let’s end the week with another automation story: automated data center fabric deployment demonstrated by Dinesh Dutt during his part of Network Automation Use Cases webinar.

You’ll need at least free subscription to watch the video.

by Ivan Pepelnjak at March 16, 2018 07:25 AM

Networking Now (Juniper Blog)

Wave of Spam Uses RTF Exploit, Delivers a Trojan-Spyware

During the early weeks of February 2018, Juniper Threat Labs detected several malicious email campaigns involving a malicious MS Office file. The file attachment is an RTF file that includes an exploit. As we discovered, the RTF is exploiting CVE 2017-8570. This exploit is related to CVE-2017-0199, but a little less popular. Back in April 2017, CVE-2017-0199, considered a zero-day attack, was actively exploited in the wild. In an attack scenario, Microsoft Office documents can be embedded with OLE objects such as “EXE, VBS, JS, ZIP, HTA, SCT, etc.”

by paulkimayong at March 16, 2018 05:49 AM

March 15, 2018

Blog (Ivan Pepelnjak)

Speakers in the Spring 2018 Building Next-Generation Data Center Online Course

We managed to get another awesome lineup of speakers for the Spring 2018 Building Next-Generation Data Center online course.

Russ White, one of the authors of CCDE and CCAr programs and highly respected book author will start the course with a topic everyone should always consider when designing new infrastructure: how do you identify tradeoffs and manage complexity, making sure you meet the customer requirements while at the same time having an easy-to-operate infrastructure.

Read more ...

by Ivan Pepelnjak at March 15, 2018 08:02 AM

March 14, 2018

My Etherealmind

When Will BGP Become Unfashionable

The tragedy is that BGP works ok. It's not broken. It's like a 30-year-old pair of jeans that you know is worn out but you can't bring yourself to throw them away because of the memories. Ok. Can we replace it? The challenge is building a community around that effort. Technically, […]

by Greg Ferro at March 14, 2018 07:26 PM

Internetwork Expert Blog

Tune Into Our Introduction to Networking Technologies March 2018 Live Session

Tomorrow, March 15th, we will air our March 2018 Networking Technologies Live Session with Keith Bogart. This course is designed for those with absolutely no knowledge of computer networks, but who would like to learn more and possibly head down a career path working on computer networks.

    March 16, 2018 10 am PST/ 1 pm EST

    Instructor Info:
    This Course is taught by Keith Bogart, CCIE #4923. Keith started his networking career as customer service representative at Cisco Systems in 1996. His desire to learn more soon led him to a position as a Cisco Technical Assistance Center (TAC) engineer on the “Dial-Access” team, and within six months he had obtained his Dial-ISP CCIE. He later became a network consulting engineer and obtained his CCNA certification while teaching the technologies to Cisco employees during his lunch breaks. Keith was the first instructor on Cisco’s TAC Training team, where he taught a wide range of internetworking topics and later developed and taught other courses such as routing protocols, LAN switching, MPLS, 802.1x, and CCNA. After almost 17 years with Cisco, Keith joined a small startup and focused on 802.11 Wi-Fi technologies, during which time he obtained his CWNA certification. He is now very happy to be working with INE as an instructor for Routing & Switching.

    Who Should Watch:
    Anyone with little to no knowledge about the IT and networking industry that would like to learn more.

    Why You Should Watch:
    This live session will allow you to find out more about what a computer network is, what types of things it can be used for, and what types of careers are available for those who want to design, install, monitor, and troubleshoot networks by asking questions, and discussing these topics with an industry expert.

by jdoss at March 14, 2018 04:00 PM

My Etherealmind

Quitting My CCIE Status. Time to Move On.

It's been 17 years since I achieved CCIE status. It was great but it's not my future.

by Greg Ferro at March 14, 2018 03:05 PM

Potaroo blog


March has seen the first of the DNS Operations, Analysis, and Research Center (OARC) workshops for the year, where two days where too much DNS is just not enough!

March 14, 2018 01:30 PM

Blog (Ivan Pepelnjak)

I Can’t Choose the Gear for You

One of my readers sent me a question along these lines after reading the anti-automation blog post:

Your blog post has me worried as we're currently reviewing offers for NGFW solution... I understand the need to keep the lid on the details rather than name and shame, but is it possible to get the details off the record?

I always believed in giving my readers enough information to solve their challenges on their own (you know, the Teach a man to fish idea).

Read more ...

by Ivan Pepelnjak at March 14, 2018 08:00 AM

March 13, 2018

Internetwork Expert Blog

Check Out Our Newest Addition to The INE Library: OSCP Security Technology Course

The OSCP Security Technology course is for those interested in learning advanced ethical hacking and penetration testing. This course is designed to prepare students for the Penetration Testing with Kali (PWK) course offered by Offensive Security. The PWK course is a prerequisite to the Offensive Security Certified Professional (OSCP) exam. Students should be familiar with the Linux command line, Bash and Python scripting, and basic networking concepts before attempting the course.


This Course is 9 hours and 22 minutes long and taught by Heath Adams. You can view the full OSCP course on our streaming site.

About The Instructor:

Heath Adams is a cybersecurity professional. He currently holds the OSCP, OSWP, CEH, CCNA, Security+, Linux+, Network+, and A+ certifications. When he is not developing courses with INE, he spends his work life as a senior network engineer with a national lab in the United States. He is also currently an Army Officer in the Reserves.

In his free time, Heath enjoys spending time with his fiance and their 4 animal children. He enjoys playing video games, running, playing the guitar, watching sports, and binge-watching more TV shows than he should admit.

by jdoss at March 13, 2018 08:41 PM

My Etherealmind

Three Ways WAFs Fail

WAFs exist to tick a box not as a security tool.

by Greg Ferro at March 13, 2018 07:56 PM

Blog (Ivan Pepelnjak)

Streaming Telemetry Standards: So Many to Choose From

Continuing the Streaming Telemetry saga, let’s focus on presentation formats and transport mechanisms.

I already mentioned three presentation formats: XML (used by NETCONF), JSON (used by RESTCONF) and Protocol Buffers (used by gRPC). Two of them are text-based, the third one (Protocol Buffers) is binary encoding not unlike ASN.1 BER used by SNMP. That can’t be good in a JSON-hyped world, right?

Read more ...

by Ivan Pepelnjak at March 13, 2018 08:36 AM

March 12, 2018

Ethan Banks on Technology

Space To Think My Own Thoughts

Everyone Creates

A challenge for people who make things is living in a world where everyone else makes things, too. On the Internet, everyone seems to be making something they want you to consider and approve of.

Sometimes, that Internet creation is as simple as a tweet or Facebook post. Like it! Share it! Retweet it! More complex creations, like this blog post, are still easy enough to make and share that there are likely hundreds of new articles you might be asked to read in a week.

If you were to carefully keep up with everything you subscribe to or follow, your mind would never have time to itself. You’d never be able to think your own thoughts. You’d be too busy chewing on the thoughts of other people.


For this reason, I believe constant consumption damages productivity. Designers, architects, artisans, writers, and other creators need time to think through what they are making. Writers need a subject and word flow to clearly communicate. Technology architects need to deeply consider the implications of their designs from multiple angles.

Deep consideration takes contiguous blocks of time. Achieving a flowing state of mind takes uninterrupted time. Thoughts build one on another. The implications of an idea and impact on related ideas need opportunity to find one another. Only when the mind is able to consider a single topic without other topics being constantly introduced can this happen.

I have been contemplating this as I consider the inputs in my normal routine. At the moment, I’m not allowing myself enough mental space, and my productivity has struggled. This weighs on me as my company is in the process of creating a platform meant for the sole purpose of delivering deep technology content.

A Broken Mirror

How can I create such content if my mind is usually in a broken mirror state, challenged by outside thoughts and ideas all of the time?

I listen to one or more podcasts daily. Most of the podcasts I listen to are heavy, requiring focus. I take in some amount of social media. I am a member of 17 Slack groups that I am aware of. I do not keep up with most of them, but Slack is an input I contend with. I am an avid reader, lately reading at least 3 hours a day. I also have meetings, phone calls, my inbox, etc. that are inputs I need to process.

If I prioritize inputs, I do not have any space left to think my own thoughts. And yet, I need space. I need silence. And I need that space and silence in large enough blocks of time that I can create effectively. That I can be productive.

In short, I need to spend less time taking in what everyone else is making. On days when I leave space to ponder my own projects, they progress. On days when I fill my brain with constant inputs, I do not.

by Ethan Banks at March 12, 2018 03:18 PM

My Etherealmind

Blog (Ivan Pepelnjak)

Should You Build or Buy an Automation Solution?

One of the most important aspects of the introductory part of my Building Network Automation Solutions online course is the question should I buy a solution or build my own?

I already described the arguments against buying a reassuringly-expensive single-blob-of-complexity solution from a $vendor, but what about using point tools?

Read more ...

by Ivan Pepelnjak at March 12, 2018 08:23 AM

March 10, 2018

Blog (Ivan Pepelnjak)

Worth Reading: How to Talk to a C-Level Executive

Ever wondered who manages to produce deja-moo like this one and why they’d do it?

We unveiled a vision to create an intuitive system that anticipates actions, stops security threats in their tracks, and continues to evolve and learn. It will help businesses to unlock new opportunities and solve previously unsolvable challenges in an era of increasing connectivity and distributed technology.

As Erik Dietrich explains in his blog post, it’s usually nothing more than a lame attempt to pretend there are some clothes hanging on the emperor.

Just in case you’re interested: we discussed the state of Intent-Based Majesty’s wardrobe in Network Automation Use Cases webinar.

by Ivan Pepelnjak at March 10, 2018 08:48 AM

March 09, 2018

Dyn Research (Was Renesys Blog)

Internet Intelligence, Now Available In The Oracle Cloud Infrastructure Console

The Oracle Cloud Infrastructure (OCI) team is proud of the data centers and network we are building for the next generation of cloud users and, in the spirit of transparency, we want to share with our users tools to better evaluate and measure the performance they will experience on our cloud. Today, we are pleased to announce two new network tools available in the Console to help you measure and analyze network performance.

OCI Market Performance is an interactive visualization tool that displays network performance metrics from OCI regions to cities around the globe.  Performance is measured over time to a carefully curated set of endpoint IP addresses within the top providers in each market, providing the user with aggregated performance data for markets and providers over the last day, week, month or three months. This latency data from our Phoenix, Ashburn, and Frankfurt regions can help you predict and manage network performance.  We will be adding metrics for more of our regions as they come online (including our twelve recently announced regional data centers).

OCI Market Performance can also assist in planning for growth, as you extend your footprint into new global markets.  For FastConnect customers, this tool can help to predict performance between an OCI region and a specific provider in your data center location.

The second tool, OCI IP Troubleshooting, helps troubleshoot issues with public facing IP addresses. This feature is also part of our Internet Intelligence toolset, providing analytical insight to help network operations teams reduce the time it takes to troubleshoot an issue by providing awareness of availability and latency across the Internet.

Effectively acting as a set of global Looking Glass servers, this service utilizes OCI’s network of global Vantage Points to verify the reachability of – and paths to – any user-specified IP address. For network operations teams, this is an invaluable tool to quickly answer questions such as: Is this IP address currently reachable for our customers across all markets? What shared infrastructure exists on the paths to this network across geographic regions? What are the long latency hops along the path to this network?

We look forward to hearing your feedback about both of these new features and ways in which we may improve them.

by Rob Bushell at March 09, 2018 05:56 PM

Internetwork Expert Blog

LIVE in 1 hour, CCNA/CCNP Q&A!

Don’t forget to watch Keith Bogart’s live CCNA/CCNP Q&A session TODAY at 1pm!

During this live Q&A Keith Bogart will answer all of your questions about the Cisco CCNA and CCNP Routing and Switching exams. Check back at 1 pm (EST) to get all of your questions answered by an industry expert.

by jdoss at March 09, 2018 05:02 PM

Blog (Ivan Pepelnjak)

Linux Interfaces on Software Gone Wild

Continuing the Linux networking discussion we had in Episode 86, we focused on Linux interfaces in Episode 87 of Software Gone Wild with Roopa Prabhu and David Ahern.

We started with simple questions like “what is an interface” and “how do they get such weird names in some Linux distributions” which quickly turned into a complex discussion about kernel objects and udev, and details of implementing logical interfaces that are associated with ASIC front-panel physical ports.

Read more ...

by Ivan Pepelnjak at March 09, 2018 08:39 AM

March 08, 2018

Security to the Core | Arbor Networks Security

Donot Team Leverages New Modular Malware Framework in South Asia

Authors: Dennis Schwarz and Jill Sopko. Special thanks to Richard Hummel and Hardik Modi for their contributions on this post. Key Findings: ASERT discovered a new modular malware framework, which we call yty, that focuses on file collection, screenshots, and keylogging. We believe the threat actors, Donot […]

by ASERT team at March 08, 2018 02:39 PM

Potaroo blog

Crypto Zealots

Is the IETF behaving irresponsibly in attempting to place as much of the Internet's protocols behind session level encryption as it possibly can?

March 08, 2018 01:30 PM

Blog (Ivan Pepelnjak)

Before Commenting on Someone Mentioning RFC1925 ;)

Some of my readers got annoyed when I mentioned Google’s BeyondCorp and RFC 1925 in the same sentence (to be perfectly clear, I had Rule#11 in mind). I totally understand that sentiment – reading the reactions from industry press it seems to be the best thing that happened to Enterprise IT in decades.

Let me explain in simple terms why I think it’s not such a big deal and definitely not something new, let alone revolutionary.

Read more ...

by Ivan Pepelnjak at March 08, 2018 10:14 AM

March 07, 2018

My Etherealmind

Blog (Ivan Pepelnjak)

Who’s Pushing Layer-2 VPN Services?

Here’s another great point Tiziano Tofoni raised in his comment to my EVPN in small data center fabrics blog post:

I cannot understand the usefulness of L2 services. I think that the preference for L2 services has its origin in the enterprise world (pushed by well known $vendors) while ISPs tend to work at Layer 3 (L3) only, even if they are urged to offer L2 services by their customers.

Some (but not all) ISPs are really good at offering IP transport services with fixed endpoints. Some Service Providers are good at offering per-tenant IP routing services required by MPLS/VPN, but unfortunately many of them simply don’t have the skills needed to integrate with enterprise routing environments.

Read more ...

by Ivan Pepelnjak at March 07, 2018 09:38 AM

March 06, 2018

Internetwork Expert Blog

Don’t forget to tune into our CCNA Kickoff Session tomorrow!

Watch our March 2018 CCNA Kickoff Session with Keith Bogart TOMORROW at 1:30 PM EST.

This kickoff session is for those who are interested in, or have started to study for, the CCNA certification. In this free session, we will cover common trouble areas that most people experience when getting started with their certification. Topics include: how to approach making a study schedule, strategies for not becoming overwhelmed during the study process, deciding whether to take one test or two to get your CCNA, what to expect when you walk into the testing center, which topics to study and how in depth, and what study tools can be useful. Keith will also discuss the testing experience and the CCNA Certification test format.

When: March 7th at 10:30 am PST/ 1:30 pm EST

Estimated Length: 3 hours

Instructor: Keith Bogart CCIE #4923

Cost: FREE

by jdoss at March 06, 2018 07:10 PM

My Etherealmind

Popping Kernels – ACM Queue

Insights into the user vs kernel space debate.

by Greg Ferro at March 06, 2018 06:32 PM

The Networking Nerd

Cisco Live CAE and Guest Keynote Announcements

As you may have heard by now, there have been a few exciting announcements from Cisco Live 2018 regarding the venue for the customer appreciation event and the closing keynote speakers.

Across The Universe

The first big announcement is the venue for the CAE. When you’re in Orlando, there are really only two options for the CAE. You either go to the House of the Mouse or you go to Universal Studios. The last two times that Cisco Live has gone to Orlando it has been to Universal. 2018 marks the third time!

Cisco is going big this year. They’ve rented the ENTIRE Universal Studios park. Not just the backlot. Not just the side parks. They WHOLE thing. You can get your fix on the Transformers ride, visit Harry Potter, or even partake of some of the other attractions as well. It’s a huge park with a lot of room for people to spread out and enjoy the scenery.

That’s not all. The wristband that gets you into the CAE also gets you access to Islands of Adventure before the full park opens! You can pregame the party by hanging out at Hogwarts, going to Jurassic Park, or joining your favorite superheroes for a picture or two for the kids. Access to Islands of Adventure isn’t exclusive, so you’ll be there with all the other tourists from around the world but it’s a great place to hang out before the party gets going!

Note that this year you will need the new Imagine pass or the Party Pass Add-on in order to access the CAE. There is no standalone social pass option or social add-on for conference passes.

Welcome To The Future

The closing keynote speakers have also been announced. Dr. Michio Kaku and Amy Webb will be on stage talking about the future of technology and how it will be impacting our society. Given the keynote that Rowan Trollope delivered during Cisco Live Barcelona, this comes as no surprise to me.

Cisco is very much trying to show that they are getting back on the leading edge of technology and driving innovation in the market. The problem with being the "800lb Gorilla" is that you're also big and difficult to move. IBM faced the same problem before they shed their legacy and became a leaner, more future-focused company. Others that tried to follow in their footsteps were less successful and either split apart or got scooped up in mergers.

Cisco is going through a transition period after the departure of John Chambers. Chuck Robbins is turning the ship as quickly as possible, but there need to be more outward signs that things are being done to look toward a future where hardware isn't as important as the innovation happening in software. By bringing in two of the most well-known futurists in science and technology, Cisco is sending a signal to their audience of users and investors that the focus is going to be on emerging technology. This is a bit of a gamble for Cisco, but it's hoped that things pay off for them.

Note that there are also going to be other speakers in the Big Ideas Theater on the World of Solutions floor during the event. Access to the World of Solutions is restricted behind the new Imagine pass or full conference pass. There is no Social Pass option, and the party pass add-on does not grant access to the World of Solutions floor.

Tom’s Take

The Cisco Live CAE in Orlando is pretty much a known thing. It’s nice to see all of Universal this year with access to the new attractions at Islands of Adventure. People should be able to enjoy being outside in the Florida humidity instead of the blistering Las Vegas inferno. As well, the rides are going to be fun for a large number of the attendees.

It’s also good to see future-looking keynote speakers that are going to give their viewpoints on things that will impact our lives. With two speakers, I’m expecting another “interview” style closing keynote, which isn’t quite my favorite. But this is a step in the right direction. Here’s hoping that these additions to the event make Cisco Live a great show for those that will be attending.

by networkingnerd at March 06, 2018 03:12 PM

My Etherealmind

Why GE Digital Failed |

Yet another big, dumb company telling lies about innovation and digital.

by Greg Ferro at March 06, 2018 03:03 PM

Blog (Ivan Pepelnjak)

Model-Driven Telemetry Isn’t as New as Some People Think

During the Campus Evolution with Cat9K presentation (I hope I got it right - the whole event was an absolute overload) the presenter mentioned the benefits of brand-new model-driven telemetry, which immediately caused me to put my academic hat on and state that we had model-driven telemetry for at least 30 years.

Don’t believe me? Have you ever looked at an SNMP MIB description? Did it look like random prose to you or did it seem to have some internal structure?

Read more ...

by Ivan Pepelnjak at March 06, 2018 08:30 AM

March 05, 2018

Internetwork Expert Blog

We just added another module to our Ethical Hacker v9 Technology Course series

Last week we added Certified Ethical Hacker Module 7: Sniffing to our video Library. This is the 7th video to be released as part of an 18 video CEH course series. All Access Pass members can watch Module 7 by logging into their All Access Pass account. For those who are not members, you can buy the series here.


Why You Should Watch:
Attaining sniffing capabilities is a great achievement for hackers, because even when it’s difficult to get there, the rewards might be worth the risk.

About The Course:
This is the 7th of 18 video courses in our CEH v9 Technology Course series and will prepare viewers for the sniffing portion of the Certified Ethical Hacker v9 Exam. This Module is 3 hours in length and is taught by Josué Vargas.

What You’ll Learn:
During this module you will learn about gathering valuable data through sniffing techniques. You will learn LAN based and Internet based sniffing attacks and even use an experimental setting in Wireshark as a remote sniffing tool.

About The Instructor:
Josué Vargas is a networks and security engineer and also owns his own company in Costa Rica, Netquarks Technologies S.R.L. He started law school, but soon realized this wasn’t the path for him. While working in the call center industry he discovered Cisco and started researching careers in the IT industry. Josué quickly began taking classes and became CCNA, CCNP and CCDA Security certified. Later, he took a detour towards Juniper Technologies where he achieved JNCIP-Sec and JNCIP-ENT. He was then recruited by IBM to become a deployment and integration engineer for Managed Security Services, where he obtained his CEH certification. This career allowed him to discover the world of information security, the discipline that would take him to Africa as a consultant, to INE as an instructor and to build an entire SOC from scratch. Outside of work, Josué enjoys music, travelling, learning languages and trying all sorts of food.

by jdoss at March 05, 2018 09:44 PM

Security to the Core | Arbor Networks Security

NETSCOUT Arbor Confirms 1.7 Tbps DDoS Attack; The Terabit Attack Era Is Upon Us

Last week, after Akamai confirmed a 1.3Tbps DDoS attack against GitHub, I published a blog that looked at the last five years of reflection/amplification attack innovation. I hope that it provides a helpful backgrounder on how we got here, to the terabit attack era, because […]

by Carlos Morales at March 05, 2018 05:34 PM

Blog (Ivan Pepelnjak)

Not Interested in Network Automation? No Problem (for now)

In the Business Impact of Network Automation podcast Ethan Banks asked an interesting question: “what will happen with older networking engineers who are not willing to embrace automation?”

The response somewhat surprised me: Alejandro Salisas said something along the lines of “they’ll be just fine” (for a while).

Let me recap his argument and add a few twists of my own:

Read more ...

by Ivan Pepelnjak at March 05, 2018 08:20 AM


March 03, 2018

Blog (Ivan Pepelnjak)

Worth Reading: There Are No Enterprises and Service Providers

Russ White wrote a great article along the lines of what we discussed a while ago. My favorite part:

There are companies who consider the network an asset, and companies that consider the network a necessary evil.


On a tangential topic: Russ will talk about network complexity in the Building Next-Generation Data Center online course starting on April 25th.

by Ivan Pepelnjak at March 03, 2018 08:38 AM

March 02, 2018

The Networking Nerd

Memcached DDoS – There’s Still Time to Save Your Mind

In case you haven’t heard, there’s a new vector for Distributed Denial of Service (DDoS) attacks out there right now and it’s pretty massive. The first mention I saw this week was from Cloudflare, where they detail that they were seeing a huge influx of traffic from UDP port 11211. That’s the port used by memcached, an in-memory key/value store commonly used to cache database results.

Surprisingly, or not, there were thousands of companies that had left UDP/11211 open to the entire Internet. And, by design, memcached responds to anyone that queries that port: there is no authentication. Also, carefully crafted requests produce massive responses. In Cloudflare’s testing they were able to send a 15-byte packet and get a 134KB response, an amplification factor on the order of 10,000x. Because the transport is UDP, memcached happily answers a request whose source address has been forged, so the amplified replies land on whichever victim the attacker wrote into the packet. That is what made life miserable for Cloudflare and, now, GitHub, which got blasted with the largest DDoS attack on record.

How can you fix this problem in your network? There are many steps you can take, whether you are a system admin or a network admin:

  • Go to Shodan and see if you’re affected. Plug in your company’s IP address ranges (Shodan’s net: and port: filters do this) and look for anything answering on UDP 11211. If you pop up, you need to find out why memcached is exposed to the Internet. Shodan is a point-in-time snapshot, so also scan your own ranges from outside your network rather than trusting it alone.
  • If memcached isn’t supposed to be publicly available, you need to block it at the edge. Don’t let anyone connect to UDP port 11211 on any device inside your network from outside of it. That sounds like a no-brainer, but you’d be surprised how many firewall rules aren’t carefully crafted in that way. While you’re at the edge, make sure packets with source addresses that don’t belong to you can’t leave your network either (BCP 38 egress filtering); that’s what stops your hosts from being used to spoof the other half of this attack.
  • If you have to have memcached exposed, make sure you talk to that team and find out what their bandwidth requirements are for the application. If it’s something small-ish, create a policer or QoS policy that rate limits the memcached traffic so there’s no way it can exceed that amount. And if that amount is more than 100 Mbit/s of traffic, you need to have an entirely different discussion with your developers.
  • From Cloudflare’s blog, you can disable UDP on memcached at startup by adding the -U 0 flag (memcached 1.5.6 and later ship with UDP disabled by default). Binding the daemon to a private or loopback address with -l is a good idea too, since almost nothing outside your own hosts needs to talk to it. Make sure you check with the team that uses it before you disable anything, so you don’t break something.

Tom’s Take

Exposing unnecessary services to the Internet is asking for trouble. Given an infinite amount of time, a thousand monkeys on typewriters will create a Shakespearean play that details how to exploit that service for a massive DDoS attack. Protocols are built to be helpful, and that helpfulness doesn’t make our jobs easier: they respond to whatever they hear and deliver whatever they’re asked for. We have to prevent bad actors from getting away with things in the network and at the system level, because application developers rarely ask “may I” before turning on every feature to make users happy.

Make sure you check your memcached settings today and immunize yourself against this problem. If GitHub got blasted with 1.3Tbps of traffic this week, there’s no telling who’s going to get hit next.

by networkingnerd at March 02, 2018 02:46 PM

Blog (Ivan Pepelnjak)

Video: Create an NSX Logical Switch with PowerNSX

After introducing PowerNSX, Anthony Burke illustrated how easy it is to use with a Hello World equivalent: creating a logical switch (VXLAN segment).

You’ll need at least a free subscription to watch the video.

Want to know more about VMware NSX? We’ll run an NSX-focused event and an NSX Deep Dive workshop in Zurich on April 19th 2018, an overview webinar comparing NSX, ACI and EVPN on March 1st, and a deep dive into VMware NSX architecture later in 2018.

by Ivan Pepelnjak at March 02, 2018 08:35 AM


March 01, 2018

Security to the Core | Arbor Networks Security

1 Terabit DDoS Attacks Become a Reality; Reflecting on Five Years of Reflections

Special thanks to Hardik Modi, Steve Siadak and Roland Dobbins for their contributions on this post. Reflection amplification is a technique that allows cyber attackers to both magnify the amount of malicious traffic they can generate, and obfuscate the sources of that attack traffic. For […]

by Carlos Morales at March 01, 2018 07:24 PM

Networking Now (Juniper Blog)

More SRX Platforms complete FIPS 140-2 Certification

Former US President Ronald Reagan frequently used the Russian proverb “Trust, but verify”. This adage is also frequently used in the blockchain community. The idea is that some things are important enough that they must be verified.

by bshelton at March 01, 2018 04:22 PM

Blog (Ivan Pepelnjak)

Lack of Fast Convergence in SD-WAN Products

One of my readers sent me this question:

I'm in the process of researching SD-WAN solutions and have hit upon what I believe is a consistent deficiency across most of the current SD-WAN/SDx offerings. The standard "best practice" seems to be 60/180 BGP timers between the SD-WAN hub and the network core or WAN edge.

Needless to say, he wasn’t able to find BFD in these products either.

Does that matter? My reader thinks it does:

Read more ...

by Ivan Pepelnjak at March 01, 2018 08:21 AM

February 28, 2018

Honest Networker