[129496] in North American Network Operators' Group


Re: NOC Automation / Best Practices

daemon@ATHENA.MIT.EDU (Jared Mauch)
Wed Sep 8 13:34:29 2010

From: Jared Mauch <jared@puck.nether.net>
In-Reply-To: <6A4EBE06CF13034585C3F773EAF836A33B897E0A@exsrv01.hotzecom.local>
Date: Wed, 8 Sep 2010 13:34:09 -0400
To: Martin Hotze <M.Hotze@hotze.com>
Cc: "nanog@nanog.org" <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org


On Sep 8, 2010, at 12:59 PM, Martin Hotze wrote:

>> -----Original Message-----
>> Date: Wed, 08 Sep 2010 08:54:20 -0700
>> From: Charles N Wyble <charles@knownelement.com>
>> Subject: NOC Automation / Best Practices
>> To: nanog@nanog.org
>>
>>  NOGGERS,
>>
>> (...)
>> The way I see it, an ounce of prevention is worth a pound of cure.
>> Along
>> those lines, I'm putting in some mitigation techniques are as follows
>> (hopefully this will reduce the number of incidents and therefore calls
>> to the abuse desk). I would appreciate any feedback folks can give me.
>>
>> A) Force any outbound mail through my SMTP server with AV/spam
>> filtering.
>> B) Force HTTP traffic through a SQUID proxy with SNORT/ClamAV running
>> (several other WISPs are doing this with fairly substantial bandwidth
>> savings. However I realize that many sites aren't cache friendly.
>> Anyone
>> know of a good way to check for that? Look at HTTP headers?).  Do the
>> bandwidth savings/security checking outweigh the increased support
>> calls
>> due to "broken" web sites?
>> C) Force DNS to go through my server. I hope to reduce DNS hijacking
>> attacks this way.
>>=20
>> Thanks!
>
> For either A, B or C you won't get my business, let alone a combination of all 3. *wah!* There is too much FORCE here. :-)

So

A) is fairly common in "hotel" networks.  Make sure you are only looking at tcp/25 and not tcp/587.

B) is fairly common in "hotel" networks.  There are a lot of things you need to do to make things work "correctly".  I've found some websites will actually block you if you are behind a cache and it adds the Via: headers per standard.  I've had to turn a lot of these options off in my home setup (i.e. break standards on purpose).

You may also want to reach out to the CDNs themselves, e.g. akamai, llnw, etc., as they may have a way to just drop the cache in your network and send your customers there automagically.

C) is also common in a number of networks.  You may want to 'whitelist' some other common open resolvers that are intended to be open (e.g. OpenDNS).  You may be able to approach DNS operators to have them put an instance in your network.

Make sure you don't construct the network such that you're forced to do this for all subscribers.  Many WISPs have a 'flat' or simple routed network.  This is because the hardware doesn't always support nice routing protocols, e.g. OSPF/ISIS, so you're stuck with RIP/RIPv2 (ick!).

Here are some settings that I use, to optimize for software updates and other items.  If you have a lot of Windows machines, you may need to read this page: http://wiki.squid-cache.org/SquidFaq/WindowsUpdate

-- snip --
# hide our existence
forwarded_for off
via off

# workaround facebook bug
ignore_expect_100 on

# Comcast is sometimes busted
ignore_unknown_nameservers off

# allow up to 8G to be cached
maximum_object_size 8192 MB

# allow squid daemon to get 1024 MB ahead of client
read_ahead_gap 1024 MB
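Charles asks above how to tell whether a site is cache friendly, and whether looking at HTTP headers is the way to do it. The script below is an added example for this thread, not code from any of the posters: it applies the shared-cache rules of RFC 7234 (no-store, private, s-maxage vs max-age, Expires, validators, Vary) the way a forward proxy such as Squid would judge a response, and reports a verdict per response. The sample responses and the fixed clock are constructed for the example, not captured from any real site.

```python
"""Check whether an HTTP response is cache-friendly from its headers.

Added example for the NANOG thread above, not code from the original posts.
It applies the shared-cache rules of RFC 7234 (sections 3, 4.2 and 5.2)
roughly the way a forward proxy such as Squid would judge a response; the
sample responses at the bottom are constructed, not captured from any site.
"""
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Status codes a cache may store with heuristic freshness (RFC 7231 6.1, subset).
HEURISTIC_OK = {200, 203, 204, 300, 301, 404, 410}


def parse_cache_control(value):
    """Return {directive: argument-or-None}, directive names lower-cased."""
    out = {}
    for token in value.split(","):
        token = token.strip()
        if token:
            name, _, arg = token.partition("=")
            out[name.strip().lower()] = arg.strip().strip('"') or None
    return out


def freshness_lifetime(headers, now):
    """Seconds a shared cache may serve the response without revalidating.

    None means no explicit lifetime was given (heuristics apply); 0 means
    the response is already stale (this includes an unparseable Expires).
    """
    cc = parse_cache_control(headers.get("cache-control", ""))
    for key in ("s-maxage", "max-age"):          # s-maxage wins for shared caches
        arg = cc.get(key)
        if arg is not None and arg.isdigit():
            return int(arg)
    if "expires" in headers:
        try:
            expires = parsedate_to_datetime(headers["expires"])
            date = parsedate_to_datetime(headers["date"]) if "date" in headers else now
            return max(0, int((expires - date).total_seconds()))
        except (TypeError, ValueError):
            return 0                             # RFC 7234 5.3: invalid date = stale
    return None


def classify(status, headers, now):
    """Return (verdict, reason) for one response as a shared cache sees it."""
    h = {k.lower(): v for k, v in headers.items()}
    cc = parse_cache_control(h.get("cache-control", ""))
    if "no-store" in cc:
        return "uncacheable", "Cache-Control: no-store"
    if "private" in cc:
        return "uncacheable", "Cache-Control: private (shared caches must not store)"
    if h.get("vary", "").strip() == "*":
        return "uncacheable", "Vary: * never matches a later request"
    if "set-cookie" in h and "public" not in cc:
        return "uncacheable", "Set-Cookie without Cache-Control: public (proxy default)"
    has_validator = "etag" in h or "last-modified" in h
    lifetime = freshness_lifetime(h, now)
    if "no-cache" in cc or lifetime == 0:
        if has_validator:
            return "revalidate", "stored but re-checked with the origin on every hit"
        return "uncacheable", "stale on arrival and no validator to revalidate with"
    if lifetime is not None:
        return "cacheable", f"fresh for {lifetime}s"
    if "last-modified" in h and status in HEURISTIC_OK:
        return "heuristic", "no explicit lifetime; cache guesses from Last-Modified"
    return "uncacheable", "no freshness information and no heuristic basis"


NOW = datetime(2010, 9, 8, 17, 34, 9, tzinfo=timezone.utc)   # constructed clock
DATE = "Wed, 08 Sep 2010 17:34:09 GMT"

# Constructed responses covering the common cases a WISP proxy meets.
SAMPLES = {
    "static image": (200, {"Date": DATE, "ETag": '"abc"', "Cache-Control": "public, max-age=86400"}),
    "cdn html": (200, {"Date": DATE, "Cache-Control": "max-age=0, s-maxage=600"}),
    "logged-in page": (200, {"Date": DATE, "Set-Cookie": "sid=1", "Cache-Control": "private, no-cache"}),
    "bank form": (200, {"Date": DATE, "Cache-Control": "no-store"}),
    "expired but validatable": (200, {"Date": DATE, "Expires": DATE, "Last-Modified": DATE}),
    "legacy static file": (200, {"Date": DATE, "Last-Modified": "Mon, 01 Mar 2010 00:00:00 GMT"}),
    "vary star": (200, {"Date": DATE, "Vary": "*", "Cache-Control": "max-age=60"}),
}


def audit(samples=SAMPLES, now=NOW):
    """Map each sample name to its verdict and print a one-line report."""
    verdicts = {}
    for name, (status, headers) in samples.items():
        verdict, reason = classify(status, headers, now)
        verdicts[name] = verdict
        print(f"{name:25s} {verdict:12s} {reason}")
    return verdicts


if __name__ == "__main__":
    audit()
```

To run it against a live site, fetch the headers yourself (for instance `curl -sI` or `http.client` and `resp.getheaders()`) and pass the status and header dict to `classify`. Note that this only answers the cacheability question; a site that blocks proxies on seeing the Via: header, as Jared describes, will look perfectly cacheable here and still break behind Squid.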
