Ascend Archive

Re: (ASCEND) GRF filter to block Smurf attacks




You wouldn't believe the issues we've had with this machine.

> The best I was able to get out of an Ascend engineer is quoted below (names
> withheld to protect the guilty):
> 
> <begin GRF-Anti-Smurf>
> Hi Devin,
> 
> Basically, the Answer: The GRF does not forward directed broadcast packets
> that it receives from another host.  It will respond to it and it will also
> source/send/originate a directed broadcast packet, for example, you can ping
> a directed broadcast address.
> <end GRF-Anti-Smurf>
> 
> This is such a load of crap; the person who sent this to me is normally a
> clueful person, so I can only assume somebody was feeding him extremely bad
> data.  I was trivially able to prove this false under 1.4.6, and now that
> I'm back on 1.3.11, I suspect I can do the same thing.

This is true for some of the media cards. 1.4.6 is an abortion of a
release.

> Given the extremely sub-standard documentation for the filtering daemon,
> I've had neither the time nor the energy to sit down and screw with it until
> I figure out where the docs are lying and wrong.  I suspect that situation
> will continue until the frame-relay line to my house is installed and I can
> make some time to play with it on my line.

You cannot filter with filterd at any reasonable rate, it just doesn't
work, we gave up with it long ago.

> <gripe type="disgruntled GRF customer">
> Answers like these are just small reasons why those of us who stuck our
> necks out to buy GRFs feel like we got left holding the bag.  I've had a
> feature request in now for the filtering code for the GRFs to include the
> option to filter by source socket (as well as destination) for quite a few
> months now, with no word whatsoever.  When I found out that my provider,
> Savvis, was hugely dissatisfied with their GRFs and was in the process of
> replacing them for Cisco's (after we'd committed to buying the GRF), I felt
> more than a bit like the proverbial red-headed stepchild.  It took a threat
> to crate the thing back up and send it back to finally get a decent level of
> support for the ongoing ATM problems we were having *after* I'd suggested
> the eventual fix myself after talking with engineers at Savvis.  ("Oh, no,
> Mr. Ganger, you don't have to send your GRF back to us.  It seems that there
> are some known problems with ATM and 1.4.6; why don't we roll you back to
> 1.3.11 plus some patches?"  "You mean, like I suggested that we do two weeks
> ago?"  "Uh, uh, uh...")
> </gripe>

This is exactly what happened to us. The ATM card is fundamentally flawed
and does not in any way conform to the specifications that
Ascend advertise, they have actually confirmed this in email. We are also
in the process of taking our GRFs out of production for 7507 and PA-A3
ATM cards, which are superb. 1.4.6 is completely broken. I've not tried
1.4.10 and I'm not sure I'll even waste the time downloading it. We have had
many feature requests such as DS-3 ATM and packet over cards, 
E1 cards and whatever happened to the gigabit ethernet cards?
Ascend's support of the GRF in Europe is just abysmal. It took us
over 5 months to get someone from the US to look into our problem.
If this had happened when we originally asked for it we wouldn't
have wasted the last 5 months faffing about with workarounds. Just
yesterday we had our core GRF reboot when we typed gdc checkconf.
It core dumped and the router just disappeared.

> To give Ascend their due, once we finally got good answers going, the GRF
> has been performing flawlessly.  Of course, we have a simple network, and we
> come nowhere close to actually stressing the box, but things seem to be
> fine.  We haven't had a GRF-related service outage in almost two months,
> now.  There's a few good people who work in the GRF tech support trenches
> (Hi, Paul and Willie!).

Paul is good but heavily overworked and just isn't getting the internal
support he needs. As for stability yes the box is stable, our router on
the London Internet Exchange has been up for almost a year, but that's
only because of the extreme change control that we have had to implement
because of GRF GateD instabilities. Change any interface configurations
and GateD just goes berserk.

> However, bad (or non-existent) documentation, obviously false information
> being blindly spouted as the Party line, lack of follow-through from reps
> and support engineers, and no response to simple queries (Is there any sort
> of reference to the Ascend MIBs for the GRF, other than wading through the
> MIBs themselves?  Are there any plans to correct this?) has left me in the
> unenviable position of wishing I'd bought the Other Guy's router -- *any*
> Other Guy's router -- and having to tell people who ask that Ascend and the
> GRF aren't up to snuff.

Too True.

The biggest joke Ascend currently have is their European Operation, the
amount of chasing I have to do with their account management, support
teams and even to place orders is ridiculous, we have a full timetable of
every Ascend related issue, billed at average consultancy rates, we'd be looking
at around $300K worth of our time. Plus the unmeasurable issues our customers
have had to put up with, we've swapped our ATM cards 4 or 5 times, we've
had to swap out other bits of Ascend kit almost as much, and I know
other European ISPs with the GRF are having as terrible a time as we are.

I had to laugh when I got my invitation to Ascend World, boy I'd love
to go and spend time asking difficult questions.

One thing is clear to us at least. The GRF as a product is dead. In almost
a year no real feature has been added to the box that has actually worked,
we used to hear a lot of talk about it, we hardly hear anything on the GRF
it's all MAX6000 and GX-550 [I have another amusing tale about their
sales team in Europe losing a multi-million pound ATM deal], which
leads us to believe that it's just a matter of time before they
can the GRF completely.

If you want to be in the core business Ascend, put your house in order.

Regards,
Neil J. McRae
-- 
Neil J. McRae. Alive and Kicking.       Domino: In the glow of the night.
neil@DOMINO.ORG        NetBSD/sparc: 100% SpF (Solaris protection Factor) 

++ Ascend Users Mailing List ++
To unsubscribe:	send unsubscribe to ascend-users-request@bungi.com
To get FAQ'd:	<http://www.nealis.net/ascend/faq>

