Net Access Blog

Dan Spataro

Recent Posts

IPv4 Era Comes to a Close, But Not at Net Access

Posted by Dan Spataro on Sep 27, 2015 8:21:21 PM

The American Registry for Internet Numbers announced late last week that its free pool of IPv4 addresses has reached zero. There is a waiting list for reclaimed/returned IPv4 space and an active IPv4 transfer market but this event marks the end of the ARIN allocated IPv4 era.

The IPv4 address space holds about 4.3 billion addresses (2^32), a staggering number when IPv4 was first deployed in the early 1980s. On today's internet (over 3 billion users and climbing), where everyone seemingly needs multiple IP-connected devices, those 4.3 billion addresses are nearly exhausted. IPv6 exists to fix this problem, but many providers have been slow to adopt it, leaving IPv4 critical to the workings of the internet.

ARIN may be out of IPv4 space, but Net Access is not. We started 20 years ago as a dial-up ISP and as a result have close to 1 million IPv4 addresses under our ASN, with several hundred thousand still available. Like any responsible Internet provider we have a strict IP allocation policy, but there are many legitimate reasons a customer could require a large amount of IP space. From a hosting company needing a /23 to a VoIP provider needing a /29, Net Access can provide those IPv4 addresses.

Our network has been IPv4/IPv6 dual stack since 2008, and we know our "stash" of IPv4 space will not last forever. So if you have a project that requires a lot of IP space and a preference for IPv4, come talk to us; we would be happy to figure out whether we can help.


Topics: network

Net Access Establishes Direct IP Peering with Verizon

Posted by Dan Spataro on Aug 4, 2015 8:34:31 AM

We are pleased to announce that, effective last month, the Net Access IP network is directly connected to the Verizon IP backbone. With this new direct peering arrangement our network customers will see improved performance, with reduced congestion and lower latency, when exchanging traffic with Verizon subscribers. They also benefit from increased redundancy (by reducing the dependence on transit providers), dedicated rather than shared capacity, and greater routing control over that traffic. Since Verizon is one of the largest networks (by ASN) in the market, this is an especially significant milestone for customers with Internet-facing applications and websites, and for those who distribute content from infrastructure located in our data center.

The below graph illustrates the improvements we have seen in both latency and packet loss since moving from transit providers to direct peering with Verizon late in week 26:

[Graph: latency and packet loss to Verizon before and after the move from transit to direct peering]


Topics: network, IP

The Evolution of Data Center Connectivity

Posted by Dan Spataro on Apr 27, 2015 10:54:00 AM

IP in the Data Center: The Early Days

Net Access first started offering IP to our data center customers in the early 2000s. Back then Layer 3 connectivity was pretty expensive, so our solution was to have customers buy an unmanaged switch for their cabinet and connect it to our data center network, with our network providing the Layer 3 gateway for all their devices. At a higher level we deployed Layer 2 switches to aggregate traffic from all of our customers around the data center, so we only needed to purchase devices capable of Layer 3 for the core. This model worked fine until customers started requesting redundancy within their rack and within our data center. Redundantly connecting our Layer 2 network to a customer's Layer 2 network has a number of potential consequences, the big one being the creation of a Layer 2 switching loop. In a loop, broadcast and unknown-unicast frames circulate indefinitely and are re-flooded by every switch they pass through (a broadcast storm), while MAC tables flap as the same source address keeps appearing on different ports. Even with protections such as broadcast and multicast suppression enabled across the fabric, a loop accidentally created by a customer inside their cabinet could take down the entire data center network. We had to work closely with our customers on the selection and configuration of all devices to ensure that they would work properly in our environment. We nicknamed those loop-causing switches "The Switch of Doom."


The Next Generation of IP Connectivity

The next generation of delivering IP to data center customers, and the way we still do it today, is to bring Layer 3 directly to the customer-facing port. Layer 3 redundancy is provided with VRRP or BGP, and we are able to perform maintenance on any of our data center routers without impacting customers. Since each customer's Layer 2 environment is now isolated to their own cabinet, a loop they create in their network impacts only their network and not the entire data center. As you can imagine, this has allowed the Net Access engineers to sleep much better at night.

Interfacing with the Cloud and Coming Full Circle

As Net Access transitions from a colocation provider that offers power, ping, and POP to a full-service cloud and managed services provider, we have experienced a whole new set of demands from our customers when it comes to connectivity. The need now is for flexible connectivity options: the ability to securely, redundantly and dynamically connect colocation and cloud-based resources, and have them appear as if they are part of the same Layer 2 network. Our customers have also asked that we not follow the AWS model of requiring a VPN or BGP session to reach the inside of their cloud networks.

So we needed a connectivity solution that goes back in time, interfacing directly with the customer's Layer 2 networks again, while addressing the loop concerns that come with redundancy. That is why we developed FLEXBridge. FLEXBridge is designed specifically to bridge the network gap between the data center and the cloud in a flexible, secure, and redundant way, and allows all of our products to coexist in one environment. FLEXBridge provides private 100 Mbps, 1 Gbps or 10 Gbps connections that allow customers to split their workloads between virtualized cloud and bare metal and keep both on the same LAN behind a pair of firewalls in their cabinet. In this scenario the customer uses their colocated cabinet as the network head end and connects to our cloud services via FLEXBridge. All of the cloud services behave as if they were in the customer's cabinet.

Another unique attribute of FLEXBridge is that it can leverage different protocols. The secret sauce of FLEXBridge (MPLS-based Layer 2 tunneling) lets us confine a loop generated by a customer to that customer alone. This allows our NOC to identify the loop easily and mitigate it without collateral damage across our network, addressing the switching loop concern mentioned earlier.

And probably the most important quality of FLEXBridge is that it is truly flexible. As we continue to migrate more customer workloads to our cloud platform the need to scale will increase, and the secret sauce of FLEXBridge could very well change. We are currently looking into VXLAN and other overlay technologies as the next generation of FLEXBridge.

Dan Spataro has been with Net Access for over 15 years, and currently manages our Engineering and Architecture teams.


Protect Your Business Network With Managed DDoS Mitigation

Posted by Dan Spataro on May 28, 2014 9:44:00 AM

Prior to January 2014, a typical DDoS attack against our Net Access customers could easily be intercepted and mitigated by our well-trained NOC staff. As an ISP, we have been dealing with DDoS attacks for many years. The first generation of attacks were small volumetric or packet-rate attacks aimed at IRC servers. Our staff would simply "blackhole" the server under attack (null-route its address at our edge, which drops all traffic to that host, attack and legitimate alike) and eventually the attack would go away. We had plenty of capacity on hand to absorb these attacks and mitigate them without impact to other customers.

Over the past several years, we built our own tools that hooked into industry-standard flow telemetry such as NetFlow. With NetFlow we were able to see who was being attacked and where the traffic was coming from. Our monitoring systems would alert us when a customer was being attacked, and we could then use NetFlow to characterize the attack and its sources. We would then put an ACL (Access Control List) on the customer's interface blocking the attack traffic. The attackers would usually get frustrated at their lack of success and stop trying. Again, back then we had plenty of capacity in the network to absorb these attacks, and other than the customer actually being attacked, there was no collateral damage to anyone else within our environment.

DDoS - A Game Changer

The game changed in the early part of this year, when we saw our first 40+ Gbps DDoS attack. A volumetric attack of this size can fill ports to 100% capacity in a matter of minutes. Events like this cause latency and dropped packets across an entire network, negatively affecting every Internet-facing customer, not just the target. We have spoken to many of our contacts, partners, suppliers, competitors and experts in the industry; they are all seeing the same rapid growth in DDoS attacks and experiencing the same types of issues we are. These attacks are exceptionally large, UDP based and frequent. We all agree this is an industry-wide and Internet-wide problem.

What Is Net Access Doing About DDoS Attacks?

In response to this rapidly growing problem, we have taken, or are in the process of taking, the following steps:

  • Expanded our network capacity with the addition of more ports, peering bandwidth, upstream bandwidth, new high-capacity border routers and greater metro backbone capacity, in total spending over $1m on new equipment alone in the past few months.

  • Crafted many custom filters that lessen the impact of these large attacks by stopping them at the borders, so that the majority of the bad traffic never reaches its destination (typically a customer).

  • Deployed an in-network early warning system that provides analytics and monitoring with DDoS mitigation, identifying new attacks natively and, by referencing a DDoS fingerprint database, automatically alerting the NOC.

  • Implemented processes to deploy new border filters, using the data provided by the early warning system, to stop attacks with new signatures.
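The workflow described above, flow telemetry to spot the victim, a fingerprint lookup to classify the attack, and a border filter (or, as a last resort, the older blackhole route) built from that classification, is easy to lose in prose. The following is an added example, not Net Access' tooling or the Arbor Networks product mentioned later; the customer prefix, victim address, flow records, fingerprint table and ACL syntax are all constructed or hypothetical, and the flow export is assumed unsampled (set SAMPLING_RATE for 1:N sampling). It keys the filter on protocol and source port rather than on source addresses, because the sources of a UDP flood are spoofed or are innocent reflectors.

```python
"""Flow-based DDoS detection, fingerprinting and border-filter generation.
Added example; all addresses, records and names are constructed/hypothetical."""
from collections import Counter, defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

SAMPLING_RATE = 1  # assumption: unsampled export; use N for 1:N sampled NetFlow


@dataclass(frozen=True)
class Flow:
    ts: int        # 1-second bucket the record belongs to (assumed pre-bucketed)
    src: str
    sport: int
    dst: str
    dport: int
    proto: int     # 6 = TCP, 17 = UDP
    byts: int
    pkts: int


# Hypothetical customer allocation and victim host (RFC 5737 documentation ranges).
CUSTOMER_PREFIX = ip_network("203.0.113.0/24")
VICTIM = "203.0.113.10"

# Minimal stand-in for a fingerprint database: (proto, source port) of
# well-known UDP reflection/amplification vectors. A real one carries far more.
FINGERPRINTS = {
    (17, 123): "NTP amplification",
    (17, 53): "DNS amplification",
    (17, 1900): "SSDP amplification",
    (17, 19): "chargen amplification",
}


def constructed_flows():
    """One second of constructed flow records: benign HTTPS to one customer
    host plus an NTP-style reflection flood toward VICTIM."""
    flows = []
    for i in range(20):
        flows.append(Flow(1000, f"198.51.100.{i + 1}", 40000 + i,
                          "203.0.113.20", 443, 6, 6000, 4))
    for i in range(200):
        # reflectors answer from UDP/123 with ~468-byte monlist-sized packets
        flows.append(Flow(1000, f"192.0.2.{(i % 250) + 1}", 123,
                          VICTIM, 50000 + i, 17, 468 * 1200, 1200))
    return flows


def bps_by_dst(flows):
    """Bits per second toward each destination, per 1-second bucket."""
    byts = defaultdict(int)
    for f in flows:
        byts[(f.ts, f.dst)] += f.byts * SAMPLING_RATE
    return {k: v * 8 for k, v in byts.items()}


def detect_victims(flows, threshold_bps):
    """Customer addresses whose inbound rate exceeds the threshold in any bucket."""
    hits = set()
    for (_ts, dst), bps in bps_by_dst(flows).items():
        if ip_address(dst) in CUSTOMER_PREFIX and bps > threshold_bps:
            hits.add(dst)
    return sorted(hits)


def fingerprint(flows, victim, min_share=0.8):
    """Dominant (proto, sport) toward the victim if it carries >= min_share of
    the bytes and matches a known vector, else None. Keyed on port/proto, not
    source IP: flood sources are spoofed or are reflectors, so a source list is
    neither stable nor safe to block wholesale."""
    by_sig, total = Counter(), 0
    for f in flows:
        if f.dst == victim:
            by_sig[(f.proto, f.sport)] += f.byts
            total += f.byts
    if not total:
        return None
    (proto, sport), b = by_sig.most_common(1)[0]
    name = FINGERPRINTS.get((proto, sport))
    if name and b / total >= min_share:
        return name, proto, sport
    return None


def build_filter(victim, fp):
    """Vendor-neutral border ACL. With a fingerprint, drop only the matching
    traffic toward the victim; without one, fall back to the legacy response
    (a /32 blackhole), which completes the DoS for that host but spares the rest."""
    if fp is None:
        return [f"ip route {victim} 255.255.255.255 null0  ! blackhole, last resort"]
    _, proto, sport = fp
    pname = {6: "tcp", 17: "udp"}[proto]
    return [f"deny {pname} any eq {sport} host {victim} log",
            "permit ip any any"]


if __name__ == "__main__":
    flows = constructed_flows()
    for victim in detect_victims(flows, threshold_bps=500_000_000):
        fp = fingerprint(flows, victim)
        print(victim, fp, build_filter(victim, fp), sep="\n")
```

The threshold is per destination per second; in practice it would be a multiple of the customer's normal baseline rather than a fixed number, and the generated ACL would be pushed to the border routers by whatever automation the NOC already uses.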


We understand that our customers running critical applications need 100% network uptime, and that even a couple of minutes of congestion is completely unacceptable. These upgrades substantially increase our network capacity, which allows us to detect, absorb and mitigate these next-generation attacks while limiting the impact on our Internet-facing customers to an absolute minimum.

Application and protocol attacks aimed at our customers have also increased in frequency and complexity. Attackers know they can overwhelm a firewall or server simply by throwing a large number of packets at it, exhausting its state tables or packet-processing capacity long before its bandwidth. So in addition to the steps Net Access is taking to protect the borders and network and to mitigate attacks, we have made our Arbor Networks based analytics, monitoring and DDoS mitigation solution available to customers as a managed service, providing yet another line of defense.

The Managed DDoS Mitigation service notifies customers and our Network Operations Center (NOC) of an attack on their environment as it starts. Customers can then choose to log into our custom web portal and mitigate the attack themselves, or let the Net Access NOC mitigate it for them as a completely hands-off solution.

How Good Is This?

As recently as last week, we intercepted a 40-60 Gbps DDoS attack targeted at one of our Internet-facing customers. We identified, mitigated and blocked it in under 4 minutes, and that was before we had completed all the upgrades. So we are more than confident that we will do an even better job in the very near future.

To learn more about Net Access' Managed DDoS and our complete portfolio of managed services, please contact us today.

Dan Spataro, VP of Engineering


Topics: Managed DDoS