DDOS, IDS, RTBH, and Rate limiting
Avi Freedman
freedman at freedman.net
Sat Nov 22 15:49:32 UTC 2014
> > On the contrary - SPAN nee port mirroring cuts into the
> > frames-per-second budget of linecards, as the traffic is in essence
> > being duplicated. It is not 'free', and it has a profound impact on
> > the the switch's data-plane traffic forwarding capacity.
> >
> > Unlike NetFlow.
>
> In the hosting case, mirroring is usually done for the uplink port, but I have to
> agree, it might be a problem.
Have you seen any issues with SPANning? We usually advise something like
a $1k Netoptics tap, or, to be cheaper, there are actually $50 fiber cables
with 30/70 taps embedded (so two such, one for the RX tap and one for the TX tap).
Of course, that only grabs a single 10gig, whereas with SPAN you can
potentially do more - but the issue we've seen across vendors is that
if you try to send more traffic into a SPAN port than its size, bad
things can happen: head-of-line blocking, random congestion, and other
strange failures.
And you trade off potential catastrophic downtime from SPAN-related
network destabilization against guaranteed downtime to bring links down
to tap them.
> "Major" expenses - tuning the server according to the author's recommendations, and
> writing a shell script that will send the 4948 a command to blackhole the IP. For
> a qualified sysadmin it is 2 hours of work, and $500 max as a "labor"
> cost. That's it. What can be cheaper than $2000 in this case? I guess I
> won't get an answer.
I think the issue is not with your providing the info about fastnetmon,
its genesis, and what you see as the great use cases for it - more around
the statements on flow as an unusable source of data for various purposes.
Things seem to have died down around that though, which is good :)
> ---
> Best regards,
> Denys
Avi Freedman | Your flow has something to show you; can you see it? |
CEO, CloudHelix | (avi at cloudhelix dot com) | my name one word on skype |
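The "shell script that sends the 4948 a blackhole command" mentioned in the quoted post is the part of a DIY RTBH setup where a guard rail matters most: an automated tool that can null-route any address it is handed can take down your own router or DNS if a detector misfires. The following is an added example (not code from the thread or from fastnetmon) that builds the IOS static-route lines for a /32 blackhole and refuses targets outside the operator's own prefixes or on a protected-host list; the prefixes, protected hosts and tag value are constructed assumptions.

```python
"""Build and sanity-check RTBH (remote-triggered blackhole) commands for a
victim host. Assumptions, not from the post: OWN_PREFIXES and PROTECTED_HOSTS
are constructed example data, and the router speaks Cisco IOS, where a null
route is 'ip route <host> 255.255.255.255 Null0 [tag N]'."""
import ipaddress
from typing import List

# Constructed example data: hosting prefixes inside which we may blackhole,
# and infrastructure addresses that must never be nulled even under attack.
OWN_PREFIXES = [ipaddress.ip_network("203.0.113.0/24"),
                ipaddress.ip_network("198.51.100.0/24")]
PROTECTED_HOSTS = {ipaddress.ip_address("203.0.113.1"),    # router
                   ipaddress.ip_address("203.0.113.53")}   # resolver
BLACKHOLE_TAG = 666  # assumed tag matched by the site's RTBH route-map


class BlackholeError(ValueError):
    """Raised when a requested target must not be blackholed."""


def validate_victim(addr: str) -> ipaddress.IPv4Address:
    """Accept only a single IPv4 host inside our own address space."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError as exc:
        raise BlackholeError(f"not an IP address: {addr!r}") from exc
    if ip.version != 4:
        raise BlackholeError("IPv4 only in this example")
    if not any(ip in net for net in OWN_PREFIXES):
        raise BlackholeError(f"{ip} is outside our prefixes; refusing")
    if ip in PROTECTED_HOSTS:
        raise BlackholeError(f"{ip} is infrastructure; refusing")
    return ip


def can_blackhole(addr: str) -> bool:
    """Boolean form of validate_victim for callers that just want a yes/no."""
    try:
        validate_victim(addr)
        return True
    except BlackholeError:
        return False


def blackhole_commands(addr: str, remove: bool = False) -> List[str]:
    """IOS config lines that add (or, with remove=True, withdraw) the /32
    null route for the victim. Each line would be sent to the 4948 in turn."""
    ip = validate_victim(addr)
    prefix = "no " if remove else ""
    return ["configure terminal",
            f"{prefix}ip route {ip} 255.255.255.255 Null0 tag {BLACKHOLE_TAG}",
            "end", "write memory"]
```

Withdrawal matters as much as insertion: a detector that adds null routes but never removes them turns a ten-minute attack into a permanent outage for the victim.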