srn: November 2014 Archives

DDoS response time

I have added cellular out-of-band access to our network. This should help with our response time in case of any future DDoS.

Packet loss mitigation

We had been experiencing a low level of packet loss on incoming traffic. Using "ethtool -S" I determined that the drops were due to a lack of available buffers. The number of buffers has been increased and no incoming packets are being dropped at this time.

There's a high probability we will set up a new router within the next few months, though figuring out exactly what to replace the current router with needs more research.

Explanation of IPv6 issues

This probably should have been obvious, but:

Let's say that on Linux we have this networking configuration:

*eth0-----\
           br0
*dummy0---/

*eth1

And only eth1 has an IP address assigned.

If traffic shows up on br0 that something on the host wants to respond to (for example, CentOS's default response that the packet is prohibited), and the destination of the response is within the subnet of eth1, the response will be sent out from eth1.

One specific example: a ping to 2001:470:0:76::2 showed up on br0. The ip6tables FORWARD rules specified that it was to be rejected. eth1 had an IP address in the same subnet as 2001:470:0:76::2, so the response was sent out on eth1.

Either changing the REJECT to DROP or having no IP address assigned in the same subnet as the traffic on br0 would have kept this from happening.
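A check for the condition described above, as an added example that is not part of the original post: it flags FORWARD-chain REJECT rules whose ICMPv6 error would leave through an addressed interface other than the one the traffic arrived on. The rule text, the interface addresses (in the 2001:db8::/32 documentation prefix) and all function names are constructed for illustration.

```python
import ipaddress

# Constructed sample: `ip6tables -S FORWARD` output and per-interface addresses.
SAMPLE_RULES = """\
-P FORWARD ACCEPT
-A FORWARD -i br0 -j REJECT --reject-with icmp6-adm-prohibited
"""
SAMPLE_ADDRS = {"eth0": [], "dummy0": [], "br0": [],
                "eth1": ["2001:db8:0:76::10/64"]}

def reject_rules(rules_text, in_iface, chain="FORWARD"):
    """Rules in `chain` with target REJECT that apply to traffic from in_iface."""
    hits = []
    for line in rules_text.splitlines():
        tok = line.split()
        if tok[:2] != ["-A", chain] or "-j" not in tok:
            continue
        j = tok.index("-j")
        if tok[j + 1:j + 2] != ["REJECT"]:
            continue
        # A rule without -i matches every input interface.
        if "-i" in tok and tok[tok.index("-i") + 1:tok.index("-i") + 2] != [in_iface]:
            continue
        hits.append(line)
    return hits

def onlink_interface(peer, addrs):
    """Interface whose on-link prefix covers peer (longest prefix wins), or None."""
    peer = ipaddress.ip_address(peer)
    best = None
    for ifname, cidrs in addrs.items():
        for cidr in cidrs:
            net = ipaddress.ip_interface(cidr).network
            if peer in net and (best is None or net.prefixlen > best[1]):
                best = (ifname, net.prefixlen)
    return best[0] if best else None

def leak_findings(rules_text, addrs, in_iface, peer):
    """(rule, egress interface) pairs where the reject reply to `peer`
    would leave by an interface other than the one the packet came in on."""
    out_if = onlink_interface(peer, addrs)
    if out_if is None or out_if == in_iface:
        return []
    return [(rule, out_if) for rule in reject_rules(rules_text, in_iface)]

if __name__ == "__main__":
    # Constructed sender of the rejected packet, on-link for eth1.
    for rule, out_if in leak_findings(SAMPLE_RULES, SAMPLE_ADDRS,
                                      "br0", "2001:db8:0:76::1"):
        print(f"reply would egress {out_if}: {rule}")
```

Both fixes named in the post clear the finding: a DROP target produces no reply, and an eth1 with no address in that subnet leaves no on-link route for it.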

IPv6 issues

UPDATE 2014-11-06: This was my fault; I screwed something up on a box we had set up for testing monitoring such that it was responding to traffic when it shouldn't have been. It's off now and I'll be working with Luke later to figure out what I did wrong and keep it from happening in the future.
---
IPv6 addresses in the 2001:470::/32 subnet are currently unable to reliably reach outside the prgmr.com network. We are working with our upstream to resolve the issue.

About this Archive

This page is an archive of recent entries written by srn in November 2014.