
Zare.co.uk Hosting


Staying ahead of IPv4 exhaustion

Keeping pace with IPv4 exhaustion has proved difficult, as demand is constantly growing, with large volumes of payments from our customers. To date we have purchased 7680 IPv4 addresses in various subnets on the open market, plus the final /22 from RIPE.
As Zare is only 3 years old, we joined RIPE when they were assigning new members a final /22, and after that you had to buy IPv4 on the open market or create a new RIPE account. We chose the former for simplicity.

Which sectors have the highest demand for IPv4?
We see huge demand for IPv4 in the VPN, VPS and proxy markets. We believe this has been driven by increased government monitoring, geo-blocking of content and the need for internet anonymity.

Moving to IPv6
Zare fully supports IPv6 across our entire network; however, we generally see low uptake and a constantly growing demand for, and dependence on, IPv4. Currently 5% of customers request a free IPv6 range.

Current IPv4 open market pricing
  • /24 (256 IPs): 11 GBP per IP, 2816 GBP total
  • /23 (512 IPs): 9.50 GBP per IP, 4864 GBP total
  • /22 (1024 IPs): 8 GBP per IP, 8192 GBP total

Out with the old, in with the new

Over the next 4 weeks all London customers will be moved to Juniper EX4200 switches, which replace the Netgear ProSafe (I will explain why we used them later), and there are several reasons why we are doing this:
  • Dual power supply, so that we can use the data centres' A+B power feeds
  • Lower forwarding latency
  • Multiple packet forwarding engines
  • 10G fibre ports
  • Larger shared / dedicated buffer pool
  • SSH interface for automation on our platform
  • The Netgear switches could not cope with the high throughput that London customers required

Why we used Netgear
  • Cost-effectiveness. From the start we were a small company with a small budget, so Netgear switches were the only equipment in our price range; they were also known to be easy to use and reliable.
  • Reliability. We currently have about 50 Netgear switches in use across our two locations, and to date we have not had a single failure. The only problems we have run into are software capabilities. This is one of the reasons we kept using them for so long.
  • Power consumption. Compared with the Juniper EX4200, the Netgear uses under half the power, so they were more viable to begin with.

Juniper EX-4200 ready for installation at our London location

Why we moved to Corero


After months of testing and hundreds of packet captures, our new Corero SmartWall solution is now live network wide in both our London and Bristol locations.

Why Corero?
During our testing phase, we tried many different DDoS mitigation appliances and Corero came out on top each time. Here is what we looked for during the process.
  • Raw filtering capacity — Corero provides line-speed filtering with 20Gbps of capacity per SmartWall block, allowing 80Gbps in just a 1U space through their modular design.
  • Inspection techniques — We found many DDoS appliances could not detect the sort of attack patterns that we face daily without deep packet inspection. Corero provides a layer-by-layer filtering system at almost line-rate speeds, allowing us to detect and mitigate even the smallest of attacks very easily.
  • Support & Management — This is where Corero really shined and ultimately a huge factor in us choosing their product. Their support from day one was excellent in terms of response times, knowledge and going out of their way to make sure we were 100% happy.

Why the switch?
The reason for switching to our own in-house mitigation platform came about after experiencing problems with mitigation / network performance whilst using Voxility previously.
Using Corero puts us in the driving seat and allows us to work on new custom filters for customers in short timeframes. It also allows us to work alongside a company whose business is providing network security solutions day in, day out, to further safeguard our own customers against new and emerging threats.

Why is this solution any better than before?
Previously, when using Voxility for DDoS protection, we were governed by their off-ramp mitigation method. A flow sensor monitored their network for potential attack traffic patterns; when one was detected, it would inject a /32 route for the target of the attack into the network to redirect the traffic to the closest filtering unit. The filter would then tunnel the “clean” traffic downstream to a switch / router as close to the end destination as possible. This could potentially take up to 15-20 seconds to happen during an attack, depending on the size, or not happen at all with smaller UDP floods, specifically those targeting game or voice servers. This is where our new solution excels!
With our new Corero protection solution deployed in line within our network, it offers the fastest possible time to mitigate attack traffic, because the attack traffic enters the SmartWall TDS unit first, before the rest of the network. There is no need for off-ramp traffic redirection or prefix prepending, meaning no latency increases whatsoever! Just a smooth, steady flow of clean traffic direct to your server.

zare.com/dedicated-servers

New Feature - Firewall Attack Log

We have been working hard to integrate Corero and Splunk into the Zare Manager so that clients can view important information about inbound DDoS attacks on their servers. You will now be able to see an array of different information via your manager, including target IP, target port, attack type (UDP, TCP, ICMP, DNS and NTP amps, HTTP flood, SYN pps and attack size per protocol), total attack size, total pps and the time the attack started.
Below is a screenshot of some sample information.

You can view 1 hour, 1 day and 1 week samples of the attack data that we store. You will also be notified by email every time an attack pattern is detected on your server (once per hour, per unique target IP).
All data is available via our API or webhooks.
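
An added example (not Zare's code or API): a webhook consumer that applies the same "once per hour, per unique target IP" throttle to attack records and shows what the throttled view leaves out. The record field names, the sample values, and the reading of "once per hour" as a rolling window from the last notification sent are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample records. Field names are assumptions modelled on the
# fields the post lists (target IP, port, attack type, size, pps, start time).
SAMPLE_EVENTS = [
    {"target_ip": "192.0.2.10", "target_port": 27015, "attack_type": "UDP",
     "size_mbps": 850, "pps": 120000, "started": "2017-03-01T10:00:05"},
    {"target_ip": "192.0.2.10", "target_port": 27015, "attack_type": "NTP amp",
     "size_mbps": 2300, "pps": 310000, "started": "2017-03-01T10:20:00"},
    {"target_ip": "192.0.2.44", "target_port": 80, "attack_type": "SYN",
     "size_mbps": 40, "pps": 95000, "started": "2017-03-01T10:30:00"},
    {"target_ip": "192.0.2.10", "target_port": 27015, "attack_type": "UDP",
     "size_mbps": 600, "pps": 90000, "started": "2017-03-01T11:00:04"},
    {"target_ip": "192.0.2.10", "target_port": 27015, "attack_type": "UDP",
     "size_mbps": 700, "pps": 99000, "started": "2017-03-01T11:00:06"},
]

def throttle(events, window=timedelta(hours=1)):
    """Return the events that trigger a notification: at most one per
    target IP per window, measured from the last notification sent."""
    last_sent = {}
    notified = []
    for ev in sorted(events, key=lambda e: e["started"]):
        ts = datetime.fromisoformat(ev["started"])
        prev = last_sent.get(ev["target_ip"])
        if prev is None or ts - prev >= window:
            last_sent[ev["target_ip"]] = ts
            notified.append(ev)
    return notified

def peak_by_target(events):
    """Largest attack per target IP over ALL events, including the ones
    the throttle suppressed."""
    peaks = {}
    for ev in events:
        cur = peaks.get(ev["target_ip"])
        if cur is None or ev["size_mbps"] > cur["size_mbps"]:
            peaks[ev["target_ip"]] = ev
    return peaks

if __name__ == "__main__":
    for ev in throttle(SAMPLE_EVENTS):
        print("notify:", ev["target_ip"], ev["attack_type"], ev["started"])
    for ip, ev in peak_by_target(SAMPLE_EVENTS).items():
        print("peak:", ip, ev["attack_type"], ev["size_mbps"], "Mbps")
```

In this sample the largest attack on 192.0.2.10 falls inside a suppressed window, so triage should read the full attack log rather than rely on the notifications alone.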

Rapid Expansion in London Continues

Our London location continues to be a popular choice amongst our customers and thus we are continuing rapid deployments to keep up with demand.
Standard Rack Deployment

Due to higher footprint costs in London, we opted for an extremely high-density approach, using only 8 and 12 node SuperMicro Microcloud chassis. This allows us to get up to 144 dedicated servers per rack. Below is a breakdown of what a standard rack would include and its power usage.
Based on an 800mm 42U rack with 144 x E3-12XXv5 CPUs and 90% SSD-based deployments


Pros & Cons
Pros
  • Extremely high density, saving on space and running costs.
  • Dual PSUs allowing us to use A+B feeds and save on power usage
  • Shared fans to save on power usage
  • Passive coolers to save on power usage
  • Easy access to sleds to allow for quick hardware replacements
  • Central IPMI management port which can be daisy-chained, meaning only 1 switch port is required to enable IPMI on 144 servers.
  • In the event of chassis failure, blades can be hot-swapped to another chassis in minutes
Cons
  • Shared resources like power supplies, fans and backplanes can mean that the whole chassis would go down in the event of failure.
  • Cost — initial capital expenses are high, however lower running costs offset this in the long run.
  • Because of the high density, the nodes can only take VLP memory, which is considerably more expensive than normal UDIMMs and is only manufactured by Crucial at a viable price point.

Below is a picture of 3 x 3U 12 nodes that were deployed in London today for new setups