April 27, 2015

PacketLife.net Blog

Traceroute and Not-so-Equal ECMP

I came across an odd little issue recently involving equal-cost multipath (ECMP) routing and traceroute. Traceroutes from within our network to destinations out on the Internet were following two different paths, with one path being one hop longer than the other. This resulted in mangled traceroute output, impeding our ability to troubleshoot.

The relevant network topology comprises a mesh of two edge routers and two core switches. Each edge router has a number of transit circuits to different providers, and advertises a default route via OSPF to the two core switches below. The core switches each load-balance traffic across both default routes to either edge router.

[Figure: network topology]

Because each edge router has different providers, some destinations are routed out via edge1 and others via edge2, which means sometimes a packet will be routed to edge2 via edge1, or vice versa.

[Figure: the two forwarding paths]

Routers typically employ a hash function using layer three and four information from each packet to pseudo-randomly distribute traffic across equal links. Typically, all packets belonging to a flow (e.g. all packets with the same source and destination IP and port numbers) follow the same path.

However, in this case traceroute packets were being split across two paths of unequal length, which made traceroute output pretty much unreadable. We noticed that only UDP traceroutes were affected; ICMP traceroutes reported one path as normal.
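The mechanism behind that observation can be shown with a small model. This is an added example, not code from the PacketLife post: the topology, hop names and the deliberately simple byte-sum hash are constructed stand-ins (real routers use vendor-specific hashes), but the property that matters is the same. Classic UDP traceroute sends every probe to a new destination port, so each probe is a new flow and can hash onto a different path; ICMP echo probes carry no ports, so every probe hashes identically.

```python
import struct

# Constructed model of the post's topology: a core switch with two equal-cost
# default routes. The path via edge2 passes through edge1 first, so it is one
# hop longer than the path via edge1. Hop names are made up.
PATHS = {
    "edge1": ["core1", "edge1", "providerA-1", "providerA-2", "destination"],
    "edge2": ["core1", "edge1", "edge2", "providerB-1", "providerB-2", "destination"],
}
NEXT_HOPS = tuple(PATHS)


def toy_ecmp_hash(src_ip, dst_ip, proto, src_port, dst_port):
    """Deliberately simple stand-in for a router's load-balancing hash: pack the
    L3/L4 fields and fold the bytes to an integer. Vendor hashes differ, but they
    share the property that matters here: same 5-tuple, same next hop."""
    key = b"".join(bytes(int(octet) for octet in ip.split(".")) for ip in (src_ip, dst_ip))
    key += struct.pack("!BHH", proto, src_port, dst_port)
    return sum(key)


def pick_next_hop(src_ip, dst_ip, proto, src_port=0, dst_port=0):
    """Select one of the equal-cost next hops from the hash of the 5-tuple."""
    return NEXT_HOPS[toy_ecmp_hash(src_ip, dst_ip, proto, src_port, dst_port) % len(NEXT_HOPS)]


def udp_probe_paths(src_ip, dst_ip, probes=16, base_port=33434):
    """Classic UDP traceroute sends each probe to a new destination port
    (33434, 33435, ...), so every probe is a distinct flow to the hash."""
    return [pick_next_hop(src_ip, dst_ip, 17, 40000, base_port + i) for i in range(probes)]


def icmp_probe_paths(src_ip, dst_ip, probes=16):
    """ICMP echo probes carry no ports; only the TTL changes between probes and
    the hash never looks at it, so every probe takes the same path."""
    return [pick_next_hop(src_ip, dst_ip, 1) for _ in range(probes)]


def responders_at_ttl(ttl, picks):
    """Which router answers a probe of the given TTL, for each path the probes
    were hashed onto. Two answers for one TTL is the mangled output the post saw."""
    return {PATHS[p][ttl - 1] for p in set(picks) if ttl - 1 < len(PATHS[p])}


if __name__ == "__main__":
    src, dst = "10.0.0.5", "198.51.100.7"
    udp, icmp = udp_probe_paths(src, dst), icmp_probe_paths(src, dst)
    for ttl in range(1, 7):
        print(f"TTL {ttl}: UDP sees {sorted(responders_at_ttl(ttl, udp))}, "
              f"ICMP sees {sorted(responders_at_ttl(ttl, icmp))}")
```

Because the port steps by one per probe, consecutive UDP probes land on alternate next hops, and from TTL 3 onward a single line of traceroute output mixes routers from both paths; the ICMP run reports one hop per TTL throughout.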


by Jeremy Stretch at April 27, 2015 02:05 PM


April 26, 2015

Peter's CCIE Musings and Rants

Cisco Data Center Product Line Update (UCS M-Series)

Hey Guys!

There have been lots of new Cisco Data Center products released in the past 6-12 months that, due to moving country, I haven't had the chance to talk about!

Hopefully the next upcoming blogposts will change some of that. I have been doing a lot of UC blogposts recently, so here's hopefully a catchup for you on some of the things in Data Center World!

First of all, let's talk about the UCS M-Series of servers. When first reading about the M-Series, your initial reaction may be one of confusion, it certainly was for me. Read on for more information...

The UCS M-Series server is kind of like a chassis-based rack server: you have a 2RU unit that can take up to 8 "compute cartridges." These cartridges consist of CPU and memory; they don't have any HDDs or adapters! Each compute cartridge is actually giving you TWO servers! So this 2RU unit is providing 16 servers (when fully populated).

Supported count for these blades is 2, 4, 6 or 8. You can't have an uneven number for some reason.

A closer look at the specs of these servers reveals an interesting constraint:




The Intel CPUs available to you are not exactly going to set the world on fire; the E3 only has 4 cores, for example. This is by design: these servers are meant to use the minimum amount of power and cooling. The memory fully populates out at 32 gig (I believe 64 gig is coming).

Here's the kicker that made me realise the purpose of these servers: they're not intended to run VMware!

These servers are intended for custom applications where you need lots of easily accessible compute resources, and where the application itself provides its own fail-over capabilities.


For custom, bespoke applications like this, the ability to add more compute resources, as well as easily replace failed components is paramount. Cisco UCS M-Series enables this!

Imagine a world without VMware for a second: imagine how incredibly powerful Cisco UCS Service Profiles would be in a non-VM world, where suddenly the statelessness of servers doesn't just make it easier to replace ESX hosts after failure. It would have been an absolute game changer.

For those companies with bespoke, custom applications that already have their own failover and scaling methods, the UCS M-Series provides the hardware piece of the puzzle, allowing them to easily provision new servers and replace failed servers.

To quote Todd Brannon of Cisco: “We just see the increasing use of distributed computing, which is very different from heavy enterprise workloads, where you put many applications in virtual machines on a server node. This is about one application spanning dozens, hundreds, or thousands of nodes.”

For distributed computing or enterprise workloads, all that cooling and power costs money and takes up valuable space. The M-Series allows you to reach a density you simply couldn't reach even with a blade-chassis!

Hopefully I have done a decent job of explaining the real-world application for Cisco M-Series servers. It's all about high density for bespoke, single applications that use many servers (think online gaming, ecommerce, webhosting, etc.)

To make this possible, a few technologies were developed.

The first problem to be solved: All we want in the blade cartridges is CPU and RAM, no local disk and no adapters.


Instead of boot from SAN, each M-Series chassis has a collection of local disks, shared amongst the compute cartridges. This is done in a similar fashion to the virtualization of adapters we see in VM-FEX, by doing some nifty things with the PCI-E bus and the Virtual Interface Controller:


I am not sure why Cisco did not consider the use of boot-from-SAN to resolve this problem, perhaps they don't want the applications to rely on boot from SAN? Can I even configure boot from SAN on the M-Series? I intend to find the answers to these questions and will let you guys know ASAP!

In the back of the chassis you will find a slot for 4 local HDDs that will be shared amongst the blades (more detail on exactly how you configure that will be given in a later blogpost).






The table above gives you an idea of some of the options available.

From a network-out perspective, the chassis has 2 x QSFP 40 Gig connectors, providing tons of bandwidth out to your fabric interconnects; obviously you would cable one port to FI-A and the other port to FI-B.

What's that I hear you say? But Pete! These are uplinked to an FI and the 6248 series is currently 10 gig SFP compatible only!


No problem here, simply use the QSFP 40 gig to 4 x 10 Gig SFP+ cable:



When you go into UCS Manager for these M-Series, you will even see that the fabric interconnect shows 4 links per fabric interconnect (8 in total) even though there are only 2 physical interfaces:



Let's take a look at one of these chassis so you can see all the uplinks:




You can see the slots for the disks (4 per chassis), the Management interfaces, console access, and of course the power supplies and 2 x 40 Gig QSFP+ uplinks.

Here's a look at the front of the chassis:





Finally, a logical diagram provides an overview of these connections:











I hope this gives you a deeper understanding and appreciation of the real-world problem the M-Series is trying to solve!

by peter_revill (noreply@blogger.com) at April 26, 2015 01:17 AM

April 24, 2015

Peter's CCIE Musings and Rants

Cisco Jabber Directory options.

Hi Guys!

It's been a while since I posted my Cisco Jabber huge improvements blog! I even promised you I would explain the new directory options available in jabber!

Moving country etc. got in the way and there has been a delay, but better late than never, right? I am also finding more and more customers are asking for Jabber; it's no longer the joke compared to Microsoft Lync that it used to be. With Collaboration Edge and other improvements, it's a great program.

OK, on to directory options.

Cisco Jabber has three directory options:

Enhanced Directory Integration (EDI)
  • Windows devices only
  • Easiest to set up; no real setup required
  • The way I often hear this described is that it uses the Outlook address book. This isn't actually what happens: the way EDI works is that the client uses DNS to find the local AD global catalog and binds to it using the login credentials of the user. A lot of Windows applications use this Windows Directory API in a similar fashion.
  • Other than making sure the client is a Windows PC and is actually on the domain, and that the user who is logging in is part of the domain, you should not have to perform much configuration here.
  • This of course assumes your Windows domain has been set up correctly, but you as the network engineer should not have to do anything to get this going.
  • When you go to "Show connection status" in your Jabber client, you will not see any mention of trying to connect to the EDI directory; it will not show up in your Jabber client as connected/not connected, as it's all part of the Windows API. So keep this in mind!

Basic Directory Integration (BDI)
  • This is the "traditional" method of LDAP integration with Jabber, whereby you must specify the LDAP server and directory information as part of the service profile for that user.
  • You can create a user who is able to bind to LDAP for this, OR you can support an anonymous bind. You can provide this information via the service profile (which is downloaded by the client) or the client configuration file.

Universal Directory Service (UDS)
  • UDS uses the users that are part of the CUCM End User page as the directory entries.
  • This is designed for when users are outside your network, on the collab-edge.
  • It prevents you from having to expose your LDAP server to the Internet for Jabber for iPhone etc.
  • You CAN force both internal and external clients to use UDS if, for example, you're an all-Mac shop that does not use LDAP, or your cluster covers multiple AD domains, or for any other reason you can think of where you would rather use the CUCM database than the AD database to retrieve contacts.
  • You MUST have DNS set up properly for this to work: _cisco-uds must exist and must point to the hostname of the CUCM, and the actual hostname of the CUCM (for example, perpub.cucm.com) must be fully resolvable. Your best bet is to point _cisco-uds.cucm.com to perpub.cucm.com, which in turn points to the IP address of your CUCM server.
  • Your Jabber client WILL cache these entries, separately from your operating system's cache of them, meaning that if at first you forget to set up the _cisco-uds record and then add it later, it still may not work. If you suspect this is the issue you're having, be sure to completely uninstall the application from your device and clear out any appropriate folders, such as the Application Data folder in Windows for your Jabber application.
    Check out what the deployment guide has to say about the DNS entries:






    Make sure all the above is correct! UDS simply won't work without all the above being true.
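The DNS dependency chain described above (SRV record, CUCM hostname, A record) is easy to check before blaming the client cache. The following is an added example, not from the post or from Cisco: it walks the chain over constructed resolver data. The names cucm.com and perpub.cucm.com are the post's examples; the record tuple layout (priority, weight, port, target), the address 192.0.2.10 and the SRV name `_cisco-uds._tcp.<domain>` with port 8443 are the Jabber service-discovery conventions as this author understands them, not values taken from the post.

```python
import ipaddress

# Constructed records standing in for what the resolver would return (this is what
# a correct deployment looks like; nothing here is queried live).
GOOD_RECORDS = {
    ("_cisco-uds._tcp.cucm.com", "SRV"): [(10, 10, 8443, "perpub.cucm.com")],
    ("perpub.cucm.com", "A"): ["192.0.2.10"],
}

UDS_PORT = 8443  # port the _cisco-uds SRV record is expected to advertise (assumption)


def check_uds_dns(domain, records):
    """Walk the chain UDS depends on: the _cisco-uds._tcp SRV record for the
    services domain, the hostname it points at, and that hostname's A record.
    Returns a list of problems; an empty list means every link is present."""
    problems = []
    srv_name = f"_cisco-uds._tcp.{domain}"
    srv = records.get((srv_name, "SRV"), [])
    if not srv:
        return [f"{srv_name}: no SRV record"]
    for priority, weight, port, target in srv:
        target = target.rstrip(".")
        # The post stresses the target must be the CUCM hostname, not an address.
        try:
            ipaddress.ip_address(target)
            problems.append(f"{srv_name}: target {target} is an IP address, it must be the CUCM hostname")
            continue
        except ValueError:
            pass
        if port != UDS_PORT:
            problems.append(f"{srv_name}: target {target} advertises port {port}, expected {UDS_PORT}")
        # The hostname itself has to be fully resolvable.
        if not records.get((target, "A")):
            problems.append(f"{target}: no A record, so the SRV target does not resolve")
    return problems


if __name__ == "__main__":
    for label, recs in (("good", GOOD_RECORDS),
                        ("srv points at an IP", {("_cisco-uds._tcp.cucm.com", "SRV"): [(10, 10, 8443, "192.0.2.10")]})):
        print(label, "->", check_uds_dns("cucm.com", recs) or "ok")
```

In practice the `records` dictionary would be filled from the resolver the Jabber client actually uses (for example by querying the SRV and A records with `dig` or `nslookup` from the client's network), which is also what catches the case where the record exists on the internal DNS but not on the one external clients see.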


    Let's see how to configure each of them shall we?

    Login to CUCM and navigate to User Management -> User Settings -> Service profile


    You will see something like the below:


    As you can see, a directory server hasn't been selected and most of the config is missing. This is perfectly fine if you're using EDI; the "Use UDS for Contact Resolution" option means that external users, who don't have access to the Windows Directory API since they are outside your firewall, will automatically use UDS when connecting externally.

    The features labelled "Only used for Advance Directory" can be used to set filters for the Windows Directory API. This allows you to narrow down the results returned by the Windows Directory API to just users enabled for Jabber. You could safely leave this alone if you preferred, however.

    So for those of you planning to use a combination of EDI and UDS, your job is complete, so long as your Windows domain is set up correctly. For those planning to use BDI, read on!

    For BDI, you will need to define the LDAP Directory servers, this can be done under User Management -> User Settings -> UC Service.

    Create a directory profile and add in the appropriate details:


    An important note about the protocol, according to the deployment guide, you need to use a particular protocol for each type of device:
    • Protocol Type — From the drop-down list, select:
      • TCP or UDP for Cisco Jabber for Windows 
      • TLS for Cisco Jabber for iPhone or iPad 
      • TCP for Cisco Jabber for Android


    Once this is done, go back to your service profile and select the LDAP directory server you just created.


    As you can see, in my example above I have created a separate user and assigned that user to be able to read the LDAP directory (it must be able to bind to it); the format must be the username@domain format. You can also use the user's logged-in credentials if you prefer. The search bases (of which, unfortunately, there are only 3) should be in the standard LDAP format.

    My advice if you're having trouble getting this going is to use jxplorer (http://jxplorer.org/downloads/) to test connectivity.

    Finally, for some people it may make sense to do away with LDAP completely and strictly use the CUCM directory for contacts. This is done by strictly using UDS. The method to do this requires you make a modification to the client configuration file to force the use of UDS.

    (Important note: Whatever you place into the client configuration settings will be overwritten if their UC service profile has a directory listed, so keep that in mind!)

    The modifications you will need to make to the jabber-config.xml file are shown below:


    <Directory>
      <!-- Directory section of jabber-config.xml; 11.22.33.444 and server-name are placeholders for the CUCM (UDS) server -->
      <DirectoryServerType>UDS</DirectoryServerType>
      <UdsServer>11.22.33.444</UdsServer>
      <UdsPhotoUriWithToken>http://server-name/%%uid%%.jpg</UdsPhotoUriWithToken>
    </Directory>


    However, you might find using the config generator a heck of a lot easier:

    https://supportforums.cisco.com/document/106926/jabber-config-file-generator
     
    You can generate a nice config from this: simply unzip the HTML files and run them in a local web browser, then upload the file to your TFTP servers. Don't forget to upload it to ALL the TFTP servers that your Jabber clients might use.

    All of the material for the above blogpost was obtained through a bit of trial and error as well as reading a lot of material from the Jabber Deployment Guide for Version 10.5

    I cannot stress enough how good this deployment guide is, it has all the information you could ever need. It is quite long but goes down to what version of office you need, failover and just about any other jabber setting you can think of.

    by peter_revill (noreply@blogger.com) at April 24, 2015 10:34 PM

    PACKETattack

    Network Engineering In A World Of Data Center Haves & Have Nots

    If we assume economies of scale, eventually, it may become silly for a business to own lots of IT infrastructure. Why not lease it from cloud providers? They'll be able to do it cheaper, and besides…they’re experts. I think it’s possible that businesses will eventually migrate most (if not all) of their applications to the cloud.

    by Ethan Banks at April 24, 2015 04:59 PM

    Loopback Mountain

    ADN - Awk Defined Networking

    Because I have yet to transition to a completely software-defined network in which everything configures itself (wink wink), I still have to do tasks like bulk VLAN changes.

    Thanks to a recent innovation called ADN, or "AWK Defined Networking", I can do this in a shorter time window than the average bathroom break. For example, I just had a request to change all ports on a large access switch stack that are currently in VLAN 76 to VLAN 64:

    # ssh switch_name.foo.com 'show int status | i _76_' | grep Gi | awk '{print "int ",$1,"\n","description PC/Phone","\n","switchport access vlan 64"}'
    Password: ***


    int  Gi1/0/25
     description PC/Phone
     switchport access vlan 64
    int  Gi1/0/26
     description PC/Phone
     switchport access vlan 64

    [many more deleted]

    Then I copied and pasted the results into config mode. Back to lounging on the beach.

    Not even any Python skills required!

    by noreply@blogger.com (Jay Swan) at April 24, 2015 04:39 PM

    My Etherealmind

    Response: A QUIC update on Google’s experimental transport – Chromium.org

    Google is set to make QUIC the default protocol for web browsing to improve performance by using HTTP over UDP.



    by Greg Ferro at April 24, 2015 04:15 PM

    Network Dictionary: Homoglyphs

    A homoglyph is a text character whose shape is identical or similar to that of another character. Common examples are zero/O and one/l. More complex homoglyphs are derived from characters used in other languages that are part of Unicode. In the following, this website converts the English text “EtherealMind” into characters that look similar but use completely different HTML […]
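From the defender's side, the useful operation is the reverse of what that website does: reduce a name to what it looks like, so that a look-alike can be matched against the genuine name. The following is an added example, not from the EtherealMind post: a small confusables table (a constructed subset of Unicode's confusables data: Cyrillic and Greek letters and two digits mapped to the Latin character they resemble), a "skeleton" function built on it, and a check for names that mix scripts. The observed names are constructed inputs.

```python
import unicodedata

# Constructed confusables table: a small subset of look-alike pairs mapped to the
# Latin character they resemble. Unicode's confusables.txt is the full list; this
# subset is enough to show the technique.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0445": "x", "\u0456": "i", "\u0443": "y", "\u0455": "s", "\u0458": "j",
    "\u03b1": "a", "\u03bf": "o", "\u0131": "i",
    "0": "o", "1": "l",
}


def skeleton(text):
    """Reduce a string to what it looks like: compatibility-normalise (collapses
    full-width forms and ligatures), lowercase, then replace each known
    look-alike with its Latin counterpart."""
    lowered = unicodedata.normalize("NFKC", text).lower()
    return "".join(CONFUSABLES.get(ch, ch) for ch in lowered)


def scripts_used(text):
    """Set of script names (first word of the Unicode character name) among the
    letters of the string; a name mixing scripts is itself a signal."""
    return {unicodedata.name(ch, "UNKNOWN").split(" ")[0] for ch in text if ch.isalpha()}


def is_confusable_with(candidate, trusted):
    """True when the two names differ but render to the same skeleton."""
    return candidate != trusted and skeleton(candidate) == skeleton(trusted)


def find_lookalikes(candidates, trusted_names):
    """Flag every candidate that is a look-alike of one of the trusted names,
    reporting which scripts the candidate is written in."""
    hits = []
    for cand in candidates:
        for trusted in trusted_names:
            if is_confusable_with(cand, trusted):
                hits.append((cand, trusted, sorted(scripts_used(cand))))
    return hits


# Constructed input: the genuine name, four look-alikes (Cyrillic е twice, digit 1
# for l, Cyrillic а, full-width E) and one unrelated name.
OBSERVED = [
    "EtherealMind",
    "Eth\u0435r\u0435alMind",
    "Etherea1Mind",
    "Ethere\u0430lMind",
    "\uff25therealMind",
    "packetlife",
]

if __name__ == "__main__":
    for cand, trusted, scripts in find_lookalikes(OBSERVED, ["EtherealMind"]):
        print(f"{cand!r} looks like {trusted!r} (scripts: {', '.join(scripts)})")
```

Run over a list of newly observed domains or sender display names against the handful of names an organisation actually trusts, this catches the class of substitution the post describes without depending on the exact characters an impersonator chose.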



    by Greg Ferro at April 24, 2015 10:27 AM


    April 23, 2015

    Network Design and Architecture

    Basic Networking Questions – 3

    There are 8 basic networking questions below. Although this post is about networking basics, you can also try the advanced networking tests. If you are interested in more basic networking questions, see the earlier posts in this series. How was it? Leave your comment in the comment box.


    by orhanergun at April 23, 2015 06:30 AM


    April 21, 2015

    The Networking Nerd

    Betting On The Right Horse


    The announcement of the merger of Alcatel-Lucent and Nokia was a pretty big discussion last week. One of the quotes that kept being brought up in several articles was from John Chambers of Cisco. Chambers has said the IT industry is in for a big round of “brutal consolidation” spurred by “missed market transitions”, which is a favorite term for Chambers. While I agree that consolidation is coming in the industry, I don’t think market transitions are the driver. Instead, it helps to think of it more like a day at the races.

    Tricky Ponies

    Startups in the networking industry have to find a hook to get traction with investors and customers. Since you can’t boil the ocean, you have to stand out. You need to find an application that gives you the capability to sell into a market. That is much easier to do with SDN than hardware-based innovation. The time-to-market for software is much lower than the barriers to ramp up production of actual devices.

    Being a one-trick pony isn’t a bad thing when it comes to SDN startups. If you pour all your talent into one project, you get the best you can build. If that happens to be what your company is known for, you can hit a home run with your potential customers. You could be the overlay company. Or the policy company. Or the Docker networking layer company.

    That rapid development time and relative ease of creation makes startups a tantalizing target for acquisition as well. Bigger companies looking to develop expertise often buy that expertise. Either acquiring the product or the team that built it gives the acquiring company a new horse in their stable.

    If you can assemble an entire stable of ponies, you can build a networking company that addresses a lot of the needs of your customers. In fact, that’s how Cisco has managed to thrive to the point where they can gamble on those “market transitions”. The entity we call Cisco is really Crescendo, Insieme, Nuova, Andiamo, and hundreds of other single focus networking companies. There’s nothing wrong with that strategy if you have patience and good leadership.

    Buy Your Own Stable

    If you don’t have patience but have deep pockets, you will probably end up going down a different road. Rather than buying a startup here and there to add to a core strategy, you’ll be buying the whole strategy. That’s what Dell did when they bought Force10. If the rumors are true, that’s what EMC is looking to do soon.

    Buying a company to provide your strategy has benefits. You can immediately compete. You don’t have to figure out synergies. Just sell those products and keep moving forward. You may not be the most agile company on the market but you will get the job done.

    The issue with buying the strategy is most often “brain drain”. We see brain drain with a small startup going to a mid-sized company. Startup founders aren’t usually geared to stay in a corporate structure for long. They vest their interest and cash out. Losing a founder or key engineer on a product line is tough, but can be overcome with a good team.

    What happens when the whole team walks out the door? If the larger acquiring company mistreats the acquired assets or influences creativity in a negative way, you can quickly find your best and brightest teams heading for green pastures. You have to make sure those people are taken care of and have their needs met. Otherwise your new product strategy will crumble before you know it.


    Tom’s Take

    The Nokia/Alcatel deal isn’t the last time we’ll hear about mergers of networking companies. But I don’t think it’s because of missed market transitions or shifting strategies. It comes down to companies with one or two products wanting protection from external factors. There is strength in numbers. And those numbers will also allow development of new synergies, just like horses in a stable learning from the other horses. If you’re a rich company with an interest in racing, you aren’t going to assemble a stable piece by piece. You’ll buy your way into an established stable. In the end, all the horses end up in a stable owned by someone. Just make sure your horse is the right one to bet on.


    by networkingnerd at April 21, 2015 03:08 PM

    Peter's CCIE Musings and Rants

    Cisco Mediasense (Cheap and cheerful Call recording)

    Hi Guys!

    Edit: I have found a great free enhancement for Cisco Mediasense http://www.aurus5.com/phoneup/record/mediasense.php that allows you to easily search and categorize records. I haven't personally checked it out yet but it looks interesting.

    I recently had to install Cisco MediaSense to configure another feature. From everything I can tell, Cisco MediaSense is essentially a fairly rudimentary call recording solution. Cisco talk a lot about its open API, network-based recording, etc., but for me it's really just a great way to get cheap recording.

    To deploy it, all you need to do first is obtain the ISO and install it as a virtual machine, just like any other voice application.

    It is licensed per concurrent recording. From what I could see, the price per user hovers between $20 and $40, so for an organization with a T1 and a small call center it's pretty cost effective: around $400 to $500 (maybe a little more once maintenance is added) to record up to 24 sessions at a time.

    There is another part number available for it:  MCP-10X-AUD-10PACK which includes 10 concurrent ports.

    The configuration of MediaSense itself is extremely straightforward. When you first log in to the MediaSense server it will prompt you to configure a username/password for connectivity to AXL on CUCM.

    Note: this SHOULD NOT and in fact CANNOT be your usual admin user. Resist the temptation to just slack off and use your admin account; instead create a new AXL user for this. It will also require CM administration privileges.


    Once this is done MediaSense is essentially configured! There is very little you can configure except for selecting which users can utilize the 'Search and play' functionality.

    You do this by navigating to Administration -> MediaSense API User Configuration



    The fact that they call this section MediaSense API user, along with the very limited functionality available to the user, makes Cisco's insistence that this is simply a device for COLLECTING the media, not for organizing/searching through it, even more obvious.

    The GUI that is available to search through recordings can be found at the following URL:

    https://:8440/mediasense/
     

    You can log in with the user you defined as a MediaSense API user previously.


    The GUI is pretty limited, as you can see, in terms of searching and organizing, but you can export the recordings, save them and even perform a live monitor by clicking on "Active Calls".

    For CUCM configuration, the first step is to configure a SIP trunk pointing to the IP address of the MediaSense server. This is straightforward, so the steps for this are not outlined below.

    Once this is done, you need to create a route pattern and point a number to this SIP trunk.

    Finally, you need to define a call recording profile under:
    Device -> Device Settings -> Call Recording Profile

    The settings for this are shown below; obviously replace 9998 with the number you configured previously and pointed to the SIP trunk.



    To configure a phone to use the call recording feature, you must first make sure the phone has Built in Bridge enabled under the phone configuration. Next, you must go to the phone's line and select the call recording profile:




    For troubleshooting, I find it helpful to turn on the recording beeps so that you can tell the call is being recorded. This can be found back under the phone device configuration:




    So there you have it, cheap and cheerful call recording that might be all you need for certain situations.

    I hope this helps someone out there!














    by peter_revill (noreply@blogger.com) at April 21, 2015 02:00 PM

    Security to the Core | Arbor Networks Security

    Bedep’s DGA: Trading Foreign Exchange for Malware Domains

    As initially researched by Trend Micro [1] [2], Zscaler [1] [2], Cyphort, and Malware don’t need Coffee, the Bedep malware family focuses on ad / click fraud and the downloading of additional malware. ASERT’s first sample dates from September 22, 2014, which is in line with when Trend Micro started seeing it in their telemetry. In early 2015, the family got some more attention when it was being observed as the malware payload for some instances of the Angler exploit kit, leveraging the Adobe Flash Player exploit (CVE-2015-0311) which at the time was a 0day. It was also observed that this newer version was using a domain generation algorithm (DGA) to generate its command and control (C2) domain names.

    This post provides some additional notes on the DGA including a proof of concept Python implementation, a look at the two most recent sets of DGA generated domains, and concludes with some sinkhole data.

    Samples

    The following Bedep samples were used for this research:

    • MD5 e5e72baff4fab6ea6a1fcac467dc4351
    • MD5 1b84a502034f7422e40944b1a3d71f29

    The former was originally sourced from KernelMode.

    Algorithm

    I’ve posted a proof of concept (read: works for me) Python implementation of the DGA to ASERT’s GitHub.

    At the time of writing, I’m aware of two DGA configs. Each config contains three constants and a table of magical dwords used throughout the algorithm. The screenshot below highlights the table from the first sample:

    [Screenshot: IDA view of the magic dword table]

    Bedep’s DGA starts by downloading an XML file from:

    • http://www.earthtools.org/timezone/0/0

    This legitimate web service provides the time zone and local time at latitude zero and longitude zero. The <utctime> timestamp is parsed out and converted to milliseconds since year zero (0000-00-00). Then, 1-3 days are subtracted from it (depending on tick count timing, which feels like an anti-analysis technique) and it is converted to days since year zero. This value will be used in the next step.

    Next, Bedep downloads an XML file from:

    • http://www.ecb.europa.eu/stats/eurofxref/eurofxref-hist-90d.xml

    This legitimate file from the European Central Bank (ECB) contains the last 90 days of “Euro foreign exchange reference rates” and is updated daily. Each date is extracted from the <Cube time="…"> tags, then the days since year zero is calculated for “date minus one”. If that days-since value is less than or equal to the value calculated in the first step AND it falls on a Monday, then the foreign exchange reference rates for “date” are extracted and used. Here’s a visual showing this process:

    [Figure: the days-since selection process]

    After testing, my analysis reveals that Bedep updates using “last Tuesday’s” foreign exchange reference rates—where “last Tuesday” refers to “the preceding week’s Tuesday” until “this week’s Thursday”. After this, it means “this week’s Tuesday.”
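The date-selection step is the one part of the algorithm the post describes completely, and it is what a defender needs in order to know which day's rate set the malware will feed into the domain generation. The following is an added example, not the ASERT proof of concept: it parses an excerpt constructed in the shape of the ECB eurofxref-hist-90d.xml file (real April 2015 business dates, made-up rate values) and applies the rule above. Python's proleptic date ordinal stands in for the post's "days since year zero" count; the constant epoch offset cancels in the comparison.

```python
import datetime as dt
import xml.etree.ElementTree as ET

# Constructed excerpt shaped like the ECB eurofxref-hist-90d.xml file: one
# <Cube time="..."> per business day, newest first; weekends and TARGET holidays
# have no entry, as in the real file. The rate values are illustrative only.
ECB_XML = """<gesmes:Envelope xmlns:gesmes="http://www.gesmes.org/xml/2002-08-01"
    xmlns="http://www.ecb.int/vocabulary/2002-08-01/eurofxref">
  <gesmes:subject>Reference rates</gesmes:subject>
  <Cube>
    <Cube time="2015-04-16"><Cube currency="USD" rate="1.010"/><Cube currency="JPY" rate="120.10"/></Cube>
    <Cube time="2015-04-15"><Cube currency="USD" rate="1.009"/><Cube currency="JPY" rate="120.09"/></Cube>
    <Cube time="2015-04-14"><Cube currency="USD" rate="1.008"/><Cube currency="JPY" rate="120.08"/></Cube>
    <Cube time="2015-04-13"><Cube currency="USD" rate="1.007"/><Cube currency="JPY" rate="120.07"/></Cube>
    <Cube time="2015-04-10"><Cube currency="USD" rate="1.006"/><Cube currency="JPY" rate="120.06"/></Cube>
    <Cube time="2015-04-09"><Cube currency="USD" rate="1.005"/><Cube currency="JPY" rate="120.05"/></Cube>
    <Cube time="2015-04-08"><Cube currency="USD" rate="1.004"/><Cube currency="JPY" rate="120.04"/></Cube>
    <Cube time="2015-04-07"><Cube currency="USD" rate="1.003"/><Cube currency="JPY" rate="120.03"/></Cube>
    <Cube time="2015-04-02"><Cube currency="USD" rate="1.002"/><Cube currency="JPY" rate="120.02"/></Cube>
    <Cube time="2015-04-01"><Cube currency="USD" rate="1.001"/><Cube currency="JPY" rate="120.01"/></Cube>
  </Cube>
</gesmes:Envelope>
"""


def parse_cube_dates(xml_text):
    """Return {date: {currency: rate}} for every <Cube time="..."> element.
    Matching on the local tag name keeps this independent of the namespace."""
    root = ET.fromstring(xml_text)
    table = {}
    for el in root.iter():
        if el.tag.rsplit("}", 1)[-1] == "Cube" and "time" in el.attrib:
            day = dt.date.fromisoformat(el.attrib["time"])
            table[day] = {c.attrib["currency"]: float(c.attrib["rate"]) for c in el}
    return table


def select_rate_date(utc_today, days_back, table):
    """The post's rule: subtract 1-3 days from today's UTC date to get the
    cutoff, then take the newest Cube date whose previous day is a Monday and
    is not after the cutoff. Returns None if no date qualifies."""
    cutoff = utc_today.toordinal() - days_back
    for day in sorted(table, reverse=True):
        previous = day - dt.timedelta(days=1)
        if previous.toordinal() <= cutoff and previous.weekday() == 0:  # 0 == Monday
            return day
    return None


def rates_in_use(utc_today, days_back, xml_text=ECB_XML):
    """Convenience wrapper: (selected date, its rate table) for a given day."""
    table = parse_cube_dates(xml_text)
    day = select_rate_date(utc_today, days_back, table)
    return day, (table[day] if day else None)


if __name__ == "__main__":
    for offset in range(7):  # walk one week to see where the Tuesday flips
        today = dt.date(2015, 4, 13) + dt.timedelta(days=offset)
        print(today.strftime("%a %Y-%m-%d"),
              {k: select_rate_date(today, k, parse_cube_dates(ECB_XML)) for k in (1, 2, 3)})
```

Walking a week with all three values of the subtraction shows the boundary the post describes: with three days subtracted, the previous week's Tuesday (2015-04-07) stays selected through Wednesday 2015-04-15 and the current week's Tuesday (2015-04-14) takes over on Thursday, which is the rate set behind the second batch of registered domains listed below.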

    From here, the algorithm becomes a bit opaque. Various values such as “days since,” the first parsed currency’s abbreviation, the low dword of the first parsed currency’s rate, the magical dword values from the extracted table (noted above), and various other constant and calculated values are transformed a number of times. I wasn’t able to deduce the “big picture” of these transforms, so I’m treating them as a black box where the output is the number of domains to generate and three values that will be used to calculate a modular exponent starting seed. If anyone has more details on this black box, please reach out!

    The number of domains to generate is 22 for the first config and 28 for the second for a total of 50 domains per set. To generate each domain, the starting seed and foreign exchange reference rates are transformed a number of times to calculate the domain length and the domain characters themselves:

    [Figure: per-domain transforms of the seed and reference rates]

    The minimum domain length is 12 and the maximum is 18. I’ve only seen “.com” TLDs so far.

    Campaign

    At the time of writing and using the foreign exchange rates from 2015-04-07, here are the eight registered domains from this set:

    • agabovyxdgcbibu.com
    • rbnfimetzgg9v.com
    • wpqkvmpezecumbvl7.com
    • vtvykahskh9m.com
    • rpmrkmqyxplqitnyd.com
    • akgsuqlnipxhwf.com
    • pdbfeobggolhbgbn.com
    • nimyusfhqwizzgb.com

    The first two were registered on 2015-04-13, the next two on 2015-04-11, then 2015-04-10, and the last two on 2015-04-08. All of them used the following registrant info:

    [Screenshot: whois registrant details]

    This info is in line with what Zscaler observed.

    Using the foreign exchange rates from 2015-04-14, here are the domains registered out of the set, so far:

    • prlvlpdeiopx.com (5.196.181.244)
    • tqadnvxgppn1.com (5.196.181.244)
    • gllmrtvteldx.com
    • uydsqobdcmcxpdxng.com
    • owwiloxvthttt1.com
    • gcrnbgjlsgchu.com

    The first two were registered on 2015-04-19, then 2015-04-17, and the last two on 2015-04-15. All six used the same registrant noted above.

    Sinkhole

    To get a better idea of how active and widespread the above campaign is, we set up a sinkhole. The sinkhole was vmznlwrgtcnasmfhz.com and from 2015-04-13 13:47 UTC to 2015-04-16 17:06 UTC (about 3 days) it received phone homes from about 82,127 unique source IPs. The top 10 TLDs of the resolved source IPs were:

    1. net (31578)
    2. com (11952)
    3. de (3193)
    4. mx (2611)
    5. tr (2104)
    6. it (1521)
    7. pl (1500)
    8. fr (1440)
    9. br (1360)
    10. au (1247)
    11. ca (1107)
    12. jp (1054)
    13. es (769)

    And, except for Russia, infections were all over the map:

    [Figure: geographic map of sinkhole source IPs]

    Conclusion

    This post has taken a closer look at Bedep’s DGA and the recent campaign around it. Compared to some of the other date based DGAs we’ve looked at in the past, this algorithm is quite a bit more complicated and involved—effectively relying on the foreign exchange markets to generate its C2 domains. Based on the domain registration and sinkhole activity, Bedep is a current and active threat and will likely remain so for the foreseeable future.

    by Dennis Schwarz at April 21, 2015 06:00 AM

    April 20, 2015

    Networking Now (Juniper Blog)

    IS THERE A VIRTUAL FIREWALL IN YOUR FUTURE? Eight essentials to guide your way.


    Virtual security appliances have arrived. And they’re catching on at a fast and furious rate. Whereas today 95 percent of enterprises have physical security devices deployed, by 2017 that slips to just 54 percent, while the share of enterprises deploying virtual security appliances rises to 80 percent, according to Infonetics.

     

    by Mora Gozani at April 20, 2015 02:00 PM

    Network Design and Architecture

    What is the real reason behind IP and MPLS Traffic Engineering ?

    MPLS traffic engineering has many use cases and helps to solve problems in MPLS-enabled networks. In general these use cases are QoS guarantees, end-to-end SLAs, fast reroute, admission control and so on. All of them, in the end, are done for COST SAVING. The real reason behind MPLS Traffic…


    by orhanergun at April 20, 2015 08:28 AM


    April 19, 2015

    PACKETattack

    Enterprise WAN Design & Last Mile Considerations

    The connection between your office and the central office is what we call the last mile. The last mile, at least in the US, has one big problem: it’s often owned by a single organization.

    by Ethan Banks at April 19, 2015 08:42 PM

    My Etherealmind

    Basics: What Is a Network Service ?

    This article provides a practical and workable definition of "What Is a Network Service?"



    by Greg Ferro at April 19, 2015 12:58 PM

    April 17, 2015

    PACKETattack

    SD-WAN’s Value Prop Conundrum

    My interpretation of the SD-WAN value prop can be boiled down to cost savings, simplified operations, and improved application performance over inconsistently performing WAN links. Here's the conundrum. An engineer might instinctively recoil at this sort of value proposition.

    by Ethan Banks at April 17, 2015 03:34 PM

    My Etherealmind

    Is the Cisco Nexus 9000 is a Whitebrand strategy ?

    I was reviewing the non-ACI Nexus 9000 products this week and started thinking that the Nexus 9000 will become Cisco's response to whitebox disruption.



    by Greg Ferro at April 17, 2015 07:45 AM
