Many firewall scripts, especially for MikroTik, use drop as the action for denying traffic from bad actors. That isn't wrong, but for rules that exist to shut down attack traffic, the tarpit action can be put to better use.
So what is Tarpit?
Tarpit is fairly simple. A "tarpitted" connection is accepted, but when data transfer begins the TCP window size is set to zero, so no data can be transferred during the session. The session is held open, and requests from the sender (the attacker) to close the session are ignored; they must wait for the connection to time out.
So what’s the downside?
TCP is not really designed to hold onto idle connections, and doing so can be additional overhead on an already taxed system. Most modern firewalls can handle tarpitting without an issue; however, if you get thousands of connections, it can overwhelm a system or a particular protocol.
How can I use it?
If you have scripts such as the SSH blocker from the MikroTik wiki, simply change the action from "drop" to "tarpit".
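As an added example (written for this article, not the wiki script itself and not MTIN's configuration), here is a staged SSH brute-force catcher in the style of that wiki script, with the final blacklist rule shown both ways; the address-list names and RouterOS v6 firewall syntax are assumptions.

```routeros
# Added example in the style of the MikroTik wiki SSH blocker, not the
# wiki script itself. Address-list names (ssh_stage1..3, ssh_blacklist)
# are assumptions; RouterOS v6 firewall syntax is assumed.
/ip firewall filter

# Before: a blacklisted source is silently dropped (kept disabled here
# so the two variants can be compared side by side).
add chain=input protocol=tcp dst-port=22 src-address-list=ssh_blacklist action=drop comment="drop ssh brute forcers" disabled=yes

# After: the SYN is answered, then the session is held with a zero
# window, so the scanning tool hangs on a dead connection until its
# own timeout expires. Tarpit only applies to TCP; rules for UDP or
# ICMP traffic keep action=drop.
add chain=input protocol=tcp dst-port=22 src-address-list=ssh_blacklist action=tarpit comment="tarpit ssh brute forcers"

# Escalation ladder: each new SSH connection from a source that is
# already in a stage list moves it one stage closer to the blacklist.
# Ordering matters: the blacklist rule above must come first, and the
# stage rules run from highest stage to lowest.
add chain=input protocol=tcp dst-port=22 connection-state=new src-address-list=ssh_stage3 action=add-src-to-address-list address-list=ssh_blacklist address-list-timeout=10d comment="stage3 -> blacklist"
add chain=input protocol=tcp dst-port=22 connection-state=new src-address-list=ssh_stage2 action=add-src-to-address-list address-list=ssh_stage3 address-list-timeout=1m comment="stage2 -> stage3"
add chain=input protocol=tcp dst-port=22 connection-state=new src-address-list=ssh_stage1 action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=1m comment="stage1 -> stage2"
add chain=input protocol=tcp dst-port=22 connection-state=new action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=1m comment="first attempt -> stage1"

# Overhead check for the downside described above: every tarpitted
# session sits in the connection table until it times out, so watch
# the table size and the hit counter on the tarpit rule.
/ip firewall connection print count-only
/ip firewall filter print stats where comment="tarpit ssh brute forcers"
```

If the connection count climbs into the thousands on a small router, switch the blacklist rule back to drop for that source list rather than letting the connection table fill.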
I am writing on behalf of my company MTIN.NET LLC in regard to the proposed changes to the CBRS band. We are primarily a consulting company for Wireless Internet Providers (WISPs). One of the biggest changes our customers face is the availability of spectrum to operate in. These are companies who primarily are investing their own money into providing access in their own communities. They help to support local businesses by giving them a choice in high-speed broadband access. Sometimes, these WISPs are the only option.
Please take into consideration how any changes will affect these Entrepreneurs and their mission to bring broadband into underserved areas of the country. Without WISPs, many homes and businesses would not have high-speed access that works with Voice, or streaming services. Satellite is unable to deliver low-latency connections to users.
The ability of a WISP to have access to more spectrum not only allows them to provide more speed and better service, but it has other benefits as well. WISPs have usually been started to fill a broadband need in an area. Having high-speed access allows schools to offer greater learning tools and allows businesses to generate new revenue streams as well as saving money. Please don't leave the companies who are investing their own money, not shareholders' money, out in the cold.
We are opposed to both petitions by CTIA and T-Mobile. Please consider the comments from the WISP community before making any decisions. It is estimated WISPs serve over 3 million subscribers across the country. Give them the tools they need to thrive.
For those of you who are curious where many of your cyber attacks appear to come from, the following is a sample of some of the locations the MTIN servers have blocked for malicious attempts.
#1 CN/China
#2 KR/Korea, Republic of
#3 CZ/Czech Republic
Russian IPs are #7 and US IPs (mainly AWS) are #8.
Are you a WISP who needs just a little help now and then? Need a sanity check on configuration changes? Need someone who knows your network enough to say whether you need that most recent software upgrade? Don’t have a big budget for the occasional issue? Need peace of mind you can call someone who won’t break the bank on a simple question? MTIN has a solution for you.
We are calling this the "Supply Drop Plan". It's designed for the WISP who needs someone who knows their network and their business for occasional questions outside of their comfort zone. It consists of the following:
-2 hours of consulting time a month.
-A reasonable amount of e-mail questions.
-Placement on our e-mail notification list for relevant information.
$89 a month.
Details
-Access to MTIN via phone during business hours or at a pre-arranged time (24-hour notice).
-E-mail questions tracked via a ticket system with a maximum 24-hour response; most of the time same day.
-1-year contract.
Just some things you can do with your two hours
-Have our engineers look at any new configurations you want to implement
-Unbiased advice on what equipment to order
-Help source equipment for wireless deployments on towers
-Make recommendations on upgrades
-Do audits on things like upstream providers, etc.
What’s not included
-Emergency support (we have separate plans for that). Emergency support is available, but at non-contract rates on a first come, first served basis.
-Additional hours can be purchased on an as-needed basis. Please note that without an hourly block you will be handled first come, first served.
-Phone calls after hours must be pre-arranged; we can accommodate your schedule. Otherwise, support will be billed at after-hours rates.
Service Provider Designation of Agent to Receive Notifications of Claimed Infringement
The Digital Millennium Copyright Act (“DMCA”) provides safe harbors from copyright infringement liability for online service providers. In order to qualify for safe harbor protection, certain kinds of service providers—for example, those that allow users to post or store material on their systems, and search engines, directories, and other information location tools— must designate an agent to receive notifications of claimed copyright infringement. To designate an agent, a service provider must do two things: (1) make certain contact information for the agent available to the public on its website; and (2) provide the same information to the Copyright Office, which maintains a centralized online directory of designated agent contact information for public use. The service provider must also ensure that this information is up to date.
In December 2016, the Office introduced an online registration system and electronically generated directory to replace the Office’s old paper-based system and directory. Accordingly, the Office no longer accepts paper designations. To designate an agent, a service provider must register with and use the Office’s online system.
Transition period: Any service provider that has designated an agent with the Office prior to December 1, 2016, in order to maintain an active designation with the Office, must submit a new designation electronically using the online registration system by December 31, 2017. Any designation not made through the online registration system will expire and become invalid after December 31, 2017. Until then, the Copyright Office will maintain two directories of designated agents: the directory consisting of paper designations made pursuant to the Office’s prior interim regulations which were in effect between November 3, 1998 and November 30, 2016 (the “old directory”), and the directory consisting of designations made electronically through the online registration system (the “new directory”). During the transition period, a compliant designation in either the old directory or the new directory will satisfy the service provider’s obligation under section 512(c)(2) to designate an agent with the Copyright Office. During the transition period, to search for a service provider’s most up-to-date designation, begin by using the new directory. The old directory should only be consulted if a service provider has not yet designated an agent in the new directory.
Recently, a client asked why we didn't mount antennas higher up on a tower that has an FM repeater at the top. We mounted the equipment about 25 feet below the repeater.
When you are talking about antennas and transmitters, the basic thing to remember is that it's all radiation. Good antennas have predictable drop-off patterns and, when paired with a good transmitter, have crisp frequency drop-offs. However, there is still radiation emitted from the feedline and the antenna on the tower. Many FM repeaters use a dipole design; some are folded dipoles, others are different variants. Below is an antenna pattern from a dipole antenna.
As you can see, there are a few lobes radiating from the antenna. These patterns should be taken into consideration when mounting your equipment near FM, UHF, or VHF systems. Radiation may interfere with things such as your Cat 5 cabling or your PIM. In an earlier article, I talk about low-PIM cables and what affects PIM. This is very important when you are deploying LTE gear. RF radiation from high-power transmitters can cause PIM issues if its wavelength happens to coincide with the wavelength of the other transmitter. This does not mean they are on the same frequency; remember, in RF you have full-wave, 3/4, 1/2, and 1/4 wavelengths to deal with.
Other things to consider are near-field and far-field patterns. If you want some heavy reading, the Wikipedia article on near and far field covers it.
Our next issue, and the most common one, is the radiation getting into our Ethernet cables as well as our radios on the tower. The illustration below shows the propagation of signals coming out of an antenna at the top of the tower. If you notice, some of the radiation is directed underneath the antenna. Any equipment mounted too close underneath will be bombarded with radiation.
Too much radiation can cause link negotiation issues, signal degradation, and other problems. By moving our antennas out of the patterns of other antennas we can make for a more reliable system. This is one case where higher on the tower is not always better. Just because one antenna is not mounted directly in front of another does not mean they are outside each other's radiated patterns.
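A worked calculation, added here and not part of the original post, assuming an FM repeater at 98 MHz (a value chosen for illustration; use the repeater's actual frequency) and the 25 ft spacing mentioned above:

$$\lambda = \frac{c}{f} = \frac{2.998\times10^{8}\,\mathrm{m/s}}{98\times10^{6}\,\mathrm{Hz}} \approx 3.06\,\mathrm{m}$$

$$\tfrac{3}{4}\lambda \approx 2.29\,\mathrm{m}, \qquad \tfrac{1}{2}\lambda \approx 1.53\,\mathrm{m}, \qquad \tfrac{1}{4}\lambda \approx 0.76\,\mathrm{m}$$

$$25\,\mathrm{ft} = 7.62\,\mathrm{m} \approx 2.5\,\lambda$$

These fractional lengths are the ones to compare against cable runs and mounting hardware, since a conductor close to a half wavelength long is resonant at that frequency. For a half-wave dipole the largest dimension is $D = \lambda/2$, so the conventional far-field boundary is

$$r \ge \frac{2D^{2}}{\lambda} = \frac{\lambda}{2} \approx 1.5\,\mathrm{m},$$

together with the requirement $r \gg \lambda$, while the reactive near field extends only to about $\lambda/2\pi \approx 0.49\,\mathrm{m}$. Equipment 25 ft below the repeater satisfies the first condition comfortably and the second only modestly (about 2.5 wavelengths), so it is in the far field, where the dipole's published pattern, including the lobes directed below the antenna, is what determines how much energy reaches it.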
Point-to-multipoint: treated as a collection of point-to-point links, so no DR/BDR is required.
Point-to-point: a single link, so no election is needed.
Broadcast: OSPF routers on broadcast networks elect a DR and a BDR (since it is multiaccess); OSPF packets are multicast.
NBMA: routers elect a DR and BDR (since it is multiaccess), but since the network is non-broadcast, routers must communicate via unicast rather than multicast.
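The same four network types as OSPF interface settings, written here as an added example rather than taken from the original post. RouterOS v6 syntax is assumed (v7 moved this to interface-template), and the interface names and 10.0.0.x neighbour addresses are placeholders.

```routeros
# Added example, not from the original post: one OSPF interface per
# network type. RouterOS v6 syntax assumed (v7 moved this menu to
# /routing ospf interface-template). Interface names and the 10.0.0.x
# neighbour addresses are placeholders.
/routing ospf interface

# Point-to-point: exactly one neighbour, no DR/BDR election.
add interface=ether1 network-type=point-to-point cost=10

# Point-to-multipoint: treated as a bundle of point-to-point links,
# so no DR/BDR either. Typical for a sector radio with several
# CPE routers behind it.
add interface=wlan1 network-type=point-to-multipoint cost=20

# Broadcast: multiaccess, so a DR and BDR are elected and hellos go
# out by multicast. priority=0 makes this router ineligible, so the
# election lands on the core routers rather than an edge box.
add interface=ether2 network-type=broadcast priority=0

# NBMA: still multiaccess, so DR/BDR are elected, but there is no
# multicast, so every neighbour has to be listed explicitly and is
# polled by unicast. Only neighbours with priority>0 can become DR/BDR.
add interface=ether3 network-type=nbma priority=1

/routing ospf nbma-neighbor
add interface=ether3 address=10.0.0.2 priority=1 poll-interval=2m
add interface=ether3 address=10.0.0.3 priority=0 poll-interval=2m

# Confirm the result: the dr-address and backup-dr-address fields are
# only meaningful on the broadcast and NBMA neighbours.
/routing ospf neighbor print
```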
The Occupational Safety and Health Administration and the Federal Communications Commission are concerned about the risks faced by employees in the communication tower industry. Employees climb communication towers to perform construction and maintenance activities and face numerous hazards, including fall hazards, hazards associated with structural collapses and improper rigging and hoisting practices, and “struck-by” hazards.
We like to refer to Indianapolis, Indiana as an "NFL City" when explaining the connectivity and peering landscape. It is not a large network presence like Chicago or Ashburn, but it has enough networks to make it a place for great interconnects.
At the heart of Indianapolis is the Indy Telcom complex, www.indytelcom.com (currently down as of this writing). This is also referred to as the "Henry Street" complex because West Henry Street runs past several of the buildings. It is a large complex with many buildings on it.
One of the things many of our clients ask about is getting connectivity from building to building on the Indy Telcom campus. Lifeline Data Centers (www.lifelinedatacenters.com) operates a carrier hotel at 733 Henry. With at least 30 on-net carriers and access to many more, 733 is the place to go for cross-connect connectivity in Indianapolis. We have been told by Indy Telcom that the conduits between the buildings on the campus are 100% full. This makes connectivity between buildings challenging at best. The campus has lots of space, but the buildings are islands if you wish to establish dark fiber cross-connects between them. Many carriers have lit services, but because of the way many carriers provision things, getting a strand or even a wave is not possible. We do have some options from companies like Zayo or Lightedge for getting connectivity between buildings, but it is not like Chicago or other big data center markets. However, there is a solution for those looking to establish interconnections. Lifeline also operates a facility at 401 North Shadeland, referred to as the EastGate facility. This facility is built on 41 acres, is FedRAMP certified, and has a number of features. There is a dark fiber ring between 733 and 401. This is ideal for folks looking for both co-location and connectivity: servers and other infrastructure can be housed at EastGate, and connectivity can be pulled from 733. This solves the 100% full conduit issue at Indy Telcom. MidWest Internet Exchange (www.midwest-ix.com) is also on-net at both 401 and 733.
MidWest-IX is also present at 365 Data Centers (http://www.365datacenters.com) at 701 West Henry. 365 has a national footprint and thus draws some different clients than the other facilities. 365 operates data centers in Tennessee, Michigan, New York, and elsewhere. MidWest has dark fiber over to 365 in order to bring them onto their Indy fabric.
Another large presence at Henry Street is Lightbound (www.lightbound.com). They have a couple of large facilities. According to PeeringDB, only three carriers are in their 731 facility. However, their website claims 18+ carriers in their facilities, without saying which ones.
I am a big fan of PeeringDB for knowing who is at what facilities, where peering points are, and other geeky information. Many of the facilities in Indianapolis are not listed on PeeringDB. Some other data centers which we know about:
On the north side of Indianapolis, you have Expedient (www.expedient.com) in Carmel. Expedient says they have "dozens of on net carriers among all markets". There are some other data centers in the Indianapolis metro area. Data Cave in Columbus is within decent driving distance.