Tag Archive for Hosting

Passion

During last week's #APACVirtual Podcast (Episode 70 – Engineers Anonymous pt1 – Engineer2PreSales) the panelists (of which, I was one) were discussing what it took to become a successful candidate in transitioning from a technical engineering role to a pre-sales/architecture role. It was universally agreed upon that passion is a much sought after trait in those roles. Someone who is passionate about what they are doing can overcome almost any professional deficiency and succeed where others might fail. It was discussed that someone who is seen to be passionate is a more sought after asset than someone who is simply technically brilliant.

I’m a passionate guy…those that know me generally would describe me as such. When I find something I love I tend to embrace it with all that I have and it becomes a driving force in life…I wear my heart on my sleeve in most aspects of life…be it family, playing cricket or work, and for each of those…passion manifests itself in different ways.

I’ve mulled over this post for about a week now…it’s been written and re-written a number of times as I try to best represent and explain passion and how it can contribute to a successful and rewarding career in IT. At the end of the day I can’t explain passion with any great level of verbal prowess…it’s too much of a basic raw emotion!

Passion is something you have, or don’t have…it’s a driving force that makes you strive to better yourself and it fuels the fire within that drives you to succeed and excel in anything you attempt in life.

Passion has the ability to lay down the foundation of a lasting legacy…

I possess a driving force when it comes to my work…I truly believe in the technology I work with…When talking with colleagues and clients alike, I am always passionate in my evangelization of those products and technologies.

My current passion lies within Hosting and Cloud technologies and I’m a big believer in what VMware is doing in the market at the moment. Previously I was (still am to a lesser extent) passionate around Hosted Exchange services and other Microsoft technologies…in that, the driver of passion can change depending on current circumstance and in my case, the agent of change was directly related to the way Microsoft started treating their partners…that and I was consumed by the vSphere, ESX, vCloud Virtualization stack and the power of transformational change it can offer clients…look no further than the EUC push for evidence of this change.

Not everyone possesses passion, and I see examples of people without passion every day…I can’t comprehend this…I can’t understand people that work without anything truly driving them…

One person with passion is better than forty people merely interested.

— E. M. Forster

Again, it’s almost impossible to represent what drives me…but I know I’d rather be passionate in life than not.


DDoS Annihilation – What Can Service Providers Do?

Recently we have experienced a series of DDoS attacks against client hosted sites that resulted in varying levels of service outages to hosted services across a section of our hosting platform. In my 10+ years of working in the hosting industry this series of attacks was by far the most intense I’ve experienced and certainly was the most successful in terms of achieving the core goal of a DDoS.

On the one hand, as a collective you might think “…we had been lucky to avoid an attack up to this point” while on the other hand you are dealing with the misguided expectations of clients that you are protected against such attacks, and when you explain the realities of a DDoS to a customer who is expecting 100% up-time the responses generally encountered are along the lines of “…I thought you said your service will never go down?” or “…I thought you have full redundancy?”

The absolute reality (that I have no problem in explaining to clients) is that most, if not all service providers are pretty helpless against a DDoS, dependent on the size and scale of the attack. In our case we were able to mitigate the service disruption by re-routing all traffic to the affected IP to a NULL route at our carrier edge, which reduced the load the firewall had been placed under…load which had caused the CPU to spike and made the DDoS successful in its end game.

So what can be done to mitigate the risk a DDoS presents? Service providers can look at spending money by purchasing extremely expensive IDS systems and/or larger capacity routing and firewall devices that might only shield against an attack a little more effectively than less expensive options. An example: if a firewall device is capable of 10,000 connections per second and 100,000 total connections, a DDoS will look to saturate its capability to a point where its memory and/or CPU resources are consumed trying to process the attack traffic…upgrading to a device capable of 20,000 connections per second and 200,000 total connections will only serve to buffer the resources that little bit longer, which might give you more time to mitigate the attack…but the point that’s made here is that…

…service provider resources will always come off second best if an attack is large enough.

And this is the really scary thing for service providers…if someone (individual or organisation) wants to maliciously target your network and/or a client service hosted on your network and they want to inflict maximum service disruption…the best thing that can be done is attempt to mitigate where possible and ride it out.

There are a number of sites that track and list current and trending DDoS attack frequency and origin…one of the better ones I’ve come across is Prolexic’s real time Attack Tracker linked below.

Companies such as Prolexic generally provide services and physical devices that are linked to global networks that act to shield client networks from attacks, similar to the way in which SenderBase.org shields email users from obvious SPAM. In discussions with Steven Crockett (Anittel CTO) he described a service which effectively re-routes traffic at the upstream provider’s end through overseas carrier networks whose connectivity throughput allows otherwise crippling DDoS traffic to be filtered and cleaned before being sent on to its destination. This service isn’t site or service specific but involves routing entire subnets…so at this level it’s much more expensive and holistic than reverse proxy content delivery networks.

Working with a CDN will add protection in the form of a value-add service to current service offerings.

So what alternative measures can service providers take to add some level of protection to their key client/internal services? Unless the SP is loaded with more cash than it knows what to do with (at which point there is a case to scale out/upgrade the hosting platform itself) the only option is to utilize the services of bigger companies that run dedicated Content Delivery Networks.

CDN companies are popping up all over the internet, and while a company like Akamai has dominated the website caching market for many years, CDNs are becoming more the norm, whereby caching of static site content is making way for reverse proxy DNS redirection. In the wake of the DDoS attacks experienced recently I’ve been testing a couple of the better known CDN providers. One of those is CloudFlare. The way CloudFlare, or Amazon Web Services CloudFront, works is by taking over a website’s DNS records and using geo-routing to distribute visitors through their CDN network, which also filters for potential DDoS or other malicious traffic that would otherwise hit the origin web server.

CDN services are generally charged on a usage basis, which commoditizes the service; however CloudFlare charge per site, with their business plans going around the $200 per month mark. For a service provider’s customer after added insurance against a DDoS, or even to generally attempt to increase site responsiveness and performance, I believe it’s a no-brainer in the age of increasingly brutal DDoS attacks to offer these services as a value-add. At the end of the day the more sites a Service Provider fronts with CDNs the better able their own hosting network will be to deal with the inevitability of a DDoS.

One final point to make on going down the CDN path is to ensure that customers understand that their sites are still subject to downtime…this is best illustrated by CloudFlare’s recent outage on the 3rd of March 2013, due to a router bug propagated into their network during a routine DDoS prevention exercise. To their credit, they were very open and transparent about the Root Cause. While sites were offline for a period of time, there were options available to re-route the site DNS records back to the origin; such is the flexibility of offering a service like this to service provider clients.

A Hypothetical…

So what’s the title all about? DDoS Annihilation? In my opinion we are getting closer to DDoS events on such large scales that they will have the potential to take down the majority of all service provider and carrier networks which, in turn will have huge social and economic impact around the globe. We don’t have to wait for a Coronal Mass Ejection to blackout the planet…a massive DDoS has the ability to inflict severe damage.

Near on 1 Billion internet hosts used against us in a global DDoS?? No network has the ability to handle that!

How-To: Citrix NetScaler GeoIP Restrictions

I had a request from a Hosting Client this week to look at options around blocking malicious users from causing trouble on a local Auction site. As the site was only for Australian and New Zealand users we needed to come up with a solution to block the whole world except AU and NZ visitors. Obviously I know there are mechanisms in existence that have annoyed me in the past while trying to source overseas content and getting the message telling you that you can’t access this site in your region.

I’ve never personally had to act on a request like this, and thought about options relating to some sort of code based filtering or filtering at the gateway level. I’ve known that in real terms I haven’t even scratched the surface of what our Citrix NetScaler VPXs can do, and with that I searched for some guidelines on setting up GeoIP Responder rules at the Load Balancer’s Virtual Server level. Not being able to find anything definitive end to end, here are the steps I took to achieve the end result.

Citrix NetScaler Article: How to Block Access to a Site by Country using a Location Database

First step is to enable the Responder feature if it’s not already enabled. Citrix suggest you disable any feature not in use to save on system resources.

> enable feature RESPONDER

In order for the NetScaler to work out what location a visitor is coming from it needs to reference a GeoIP database. MaxMind offer a free database from here: These are updated on the first Tuesday of every month, so a little upkeep is required moving forward. There are IPv4/6 versions as well as an extended City version of the database which lets you get very granular in terms of allowing city access. For this exercise we will use the GeoIPCountryWhois CSV database.

Jump into the shell of the NetScaler and create a new directory. Note that if you have a HA setup, you need to do this on each NetScaler node.

172.1.1.1) Done
> shell
Copyright (c) 1992-2008 The FreeBSD Project.
Copyright (c) 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994
 The Regents of the University of California. All rights reserved.
root@NSLB01# cd /var/
root@NSLB01# mkdir geoip

Use SCP to upload the CSV database to the location just created on the NetScaler and then run the following command to import the location parameters. Once done you can query the location database to ensure you have imported the CSV line items.

> add locationfile /var/geoip/GeoIPCountryWhois.csv -format GeoIP-Country
 Done
> show locationparameter
Static Proximity
----------------
Database mode: File
Flushing: Idle; Loading: Idle
Context: geographic
Qualifier 1 label: Continent
Qualifier 2 label: Country
Qualifier 3 label: Region
Qualifier 4 label: City
Qualifier 5 label: ISP
Qualifier 6 label: Organization
Location file (format: geoip-country):
 /var/geoip/GeoIPCountryWhois.csv
Lines: 170195 Warnings: 0 Errors: 0
Current static entries: 170195 Current custom entries: 0
 Done

Now that you have the GeoIP location database locked and loaded, you can create the Responder Policy. I had a little trouble trying to work out how to structure the rule to work correctly, limiting visitors to only .AU and .NZ. I’ll be honest here and admit that trial and error was the winner, but eventually I came up with the following that works.

> add responder policy GeoAusNZOnly "CLIENT.IP.SRC.MATCHES_LOCATION(\"*.AU.*.*.*.*\").NOT && CLIENT.IP.SRC.MATCHES_LOCATION(\"*.NZ.*.*.*.*\").NOT" RESET

Reading through the policy it’s easy enough to see what’s going on (note that the inner double quotes of the location strings are escaped with a backslash so the NetScaler CLI treats the whole expression as one argument)…this page references the Location Database General Information and formats, however it’s confusing at best; my advice for country based GeoIP is to use the above as a template and simply change the country codes to suit.

Back to the GUI of the NetScaler and under Load Balancing settings of the Virtual Server(s) in question, open the Virtual Server for editing and go to the Policies Tab -> Click on the Responder sub tab and right click to Insert Policy and the end result will be similar to what’s shown below.

I was able to use Twitter contacts with servers in global locations to test out the rule which was behaving exactly as expected. If you go back to the Policy menu item under Responder and check the Responder Policies you will be able to see if the rule is active and how many hits the rule has triggered.

The default action of the policy is to DROP or RESET the connection. You do have the option of creating a custom REDIRECT action that will make the experience a little nicer for the end user by presenting a HTML page letting them know the site is restricted…with DROP and RESET the browser simply shows a page not found or connection reset error. I’ll update this post once I’ve created the REDIRECT rule.

Update: Turns out that if you apply the above rule it’s not that great for Google Analytics and the bots that hit your site. If you want to let the Googlebot User-Agent through the rule, create a rule similar to the one below.

> add responder policy GeoAusNZGoogleOnly "CLIENT.IP.SRC.MATCHES_LOCATION(\"*.AU.*.*.*.*\").NOT && CLIENT.IP.SRC.MATCHES_LOCATION(\"*.NZ.*.*.*.*\").NOT && HTTP.REQ.HEADER(\"User-Agent\").SET_TEXT_MODE(IGNORECASE).REGEX_MATCH(re/Googlebot/).NOT" RESET

Looking at that additional condition, it examines the User-Agent HTTP request header, ignoring case, and matches Googlebot; only requests that fail all three conditions (not AU, not NZ, not Googlebot) are reset.
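To test a rule like this before putting it in front of a live site, the same logic can be evaluated offline against the GeoIPCountryWhois.csv layout the NetScaler imports. The following is an added example written for this post, not NetScaler code or the author’s own; the CSV rows are constructed (RFC 5737 documentation ranges with made-up country assignments), and the treatment of an IP missing from the database is an assumption noted in the code.

```python
import csv
import io
import ipaddress
from bisect import bisect_right

# Constructed sample in the legacy MaxMind GeoIPCountryWhois.csv layout:
# "start_ip","end_ip","start_int","end_int","country_code","country_name".
# The address blocks are RFC 5737 documentation ranges; the country
# assignments are made up for this example.
SAMPLE_CSV = '''"192.0.2.0","192.0.2.255","3221225984","3221226239","AU","Australia"
"198.51.100.0","198.51.100.255","3325256704","3325256959","NZ","New Zealand"
"203.0.113.0","203.0.113.255","3405803776","3405804031","US","United States"
'''


def load_location_db(text):
    """Parse the CSV into a sorted list of (start_int, end_int, country) ranges."""
    ranges = []
    for row in csv.reader(io.StringIO(text)):
        if len(row) < 5:          # skip blank or malformed lines
            continue
        ranges.append((int(row[2]), int(row[3]), row[4].upper()))
    ranges.sort()
    return ranges


def lookup_country(ranges, ip):
    """Return the country code whose range covers ip, or None if none does."""
    n = int(ipaddress.IPv4Address(ip))
    i = bisect_right([r[0] for r in ranges], n) - 1
    if i >= 0 and ranges[i][0] <= n <= ranges[i][1]:
        return ranges[i][2]
    return None


def responder_resets(ranges, client_ip, user_agent="", allowed=("AU", "NZ")):
    """Mirror the GeoAusNZGoogleOnly policy: True means the connection is RESET.

    A request is reset only when the source is outside every allowed country
    AND the User-Agent does not contain 'googlebot' (case-insensitive).
    An IP absent from the database is treated as outside the allow list here
    (an assumption; confirm how your NetScaler build handles unknown locations).
    The Googlebot exemption relies on a client-supplied header, so it is a
    convenience for crawlers, not an access control.
    """
    outside_allowed = lookup_country(ranges, client_ip) not in allowed
    not_googlebot = "googlebot" not in user_agent.lower()
    return outside_allowed and not_googlebot


if __name__ == "__main__":
    db = load_location_db(SAMPLE_CSV)
    for ip, ua in [("192.0.2.10", "Mozilla/5.0"),
                   ("203.0.113.5", "Mozilla/5.0"),
                   ("203.0.113.5", "Mozilla/5.0 (compatible; Googlebot/2.1)")]:
        verdict = "RESET" if responder_resets(db, ip, ua) else "allow"
        print(ip, lookup_country(db, ip), verdict)
```

Point load_location_db at the real MaxMind file to check the verdicts for the addresses your testers will connect from before enabling the policy on the Virtual Server.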

Load Balancer Internal IP’s Appearing in IIS/Apache Logs: Quick Fix

If you are NAT’ing public to private addresses with a load balancer in between your web server and your Gateway/FireWall device you might come across the situation where the IIS/Apache logs report the IP of the Load Balancer, when what you really want, is the client IP.

203.123.4.100 - - [29/Jun/2012:00:12:43 +0800] "GET /test.html HTTP/1.1" 404 261 "-" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)"
172.20.0.16 - - [29/Jun/2012:00:12:45 +0800] "GET /test.html HTTP/1.1" 404 261 "-" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)"

It’s obvious that the biggest issue with this is that any log parsing/analytics you do against the site will all be relative to the IP of the load balancer. All useful client and geographical information is lost.

Most load balancers get around this by inserting an HTTP header into the request that carries the client IP. In most cases that I have seen, on both Juniper and NetScalers, the header is named rlnclientipaddr.

What needs to be done at the web server configuration level is to pick up on that header and use its value as the client IP written to the log files. There are obviously different ways to achieve this in Apache compared to IIS, and Apache has a much simpler solution than IIS.

Apache:

In your apache.conf go to the LogFormat section and modify the default "combined" format as shown below: replace the %h field (the peer address, which here is the load balancer) with %{rlnclientipaddr}i (the header the load balancer inserts), then restart the Apache service.

Original:

LogFormat "%v:%p %h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" vhost_combined
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined

Modified "combined" format:

LogFormat "%{rlnclientipaddr}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined

Remaining formats are unchanged:

LogFormat "%h %l %u %t \"%r\" %>s %b" common
LogFormat "%{Referer}i -> %U" referer
LogFormat "%{User-agent}i" agent
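Logging %{rlnclientipaddr}i verbatim records whatever arrives in that header, so it is worth deciding when the value should be trusted. The following added example (written for this post, not Apache or load balancer code) shows the resolution logic a web application or log pipeline can apply: honour the header only when the TCP peer is the load balancer, and fall back to the peer address otherwise. The load balancer address 172.20.0.16 is taken from the log sample above; the requests are constructed.

```python
import ipaddress

# Constructed values: the load balancer's internal address as it appears in
# the log sample above, and the header name the Juniper DX / NetScaler inserts.
TRUSTED_PROXIES = frozenset({ipaddress.ip_address("172.20.0.16")})
CLIENT_IP_HEADER = "rlnclientipaddr"


def effective_client_ip(remote_addr, headers, trusted=TRUSTED_PROXIES):
    """Return the address that should be written to the access log.

    The rlnclientipaddr header is honoured only when the TCP peer is one of
    the trusted load balancers and the header value parses as an IP address.
    A connection that reaches the web server without passing through the
    load balancer, or a missing or malformed header, falls back to the peer
    address, so the logged value is never chosen by the remote end alone.
    """
    peer = ipaddress.ip_address(remote_addr)
    if peer not in trusted:
        return str(peer)
    # HTTP header names are case-insensitive; normalise before lookup.
    lowered = {k.lower(): v for k, v in headers.items()}
    raw = lowered.get(CLIENT_IP_HEADER, "").strip()
    try:
        return str(ipaddress.ip_address(raw))
    except ValueError:
        return str(peer)


def combined_log_line(remote_addr, headers, request_line, status, size, timestamp):
    """Format an Apache 'combined'-style line using the resolved client IP."""
    referer = headers.get("Referer", "-")
    agent = headers.get("User-Agent", "-")
    ip = effective_client_ip(remote_addr, headers)
    return f'{ip} - - [{timestamp}] "{request_line}" {status} {size} "{referer}" "{agent}"'


if __name__ == "__main__":
    # Constructed request arriving via the load balancer with the header set
    hdrs = {"rlnclientipaddr": "203.123.4.100", "User-Agent": "Mozilla/5.0"}
    print(combined_log_line("172.20.0.16", hdrs, "GET /test.html HTTP/1.1",
                            404, 261, "29/Jun/2012:00:12:45 +0800"))
    # Same header sent directly to the web server: the peer address is logged
    print(effective_client_ip("203.0.113.9", hdrs))
```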


IIS:

The IIS 5/6/7/8 solution is a little more involved, but still just as efficient and not overly complicated at the end of the day…in fact for me the hardest part was actually chasing up the DLLs linked below. It must be noted that while this has worked perfectly for me against both a Juniper DX and NetScaler VPX load balancer, I would suggest testing the solution before putting it into production. The reason is that the ISAPI filters are specifically sourced for the Juniper DX series, but in my testing I found that they worked for the NetScalers as well. Sourcing the x64 DLLs was a mission, so in this I am saving you a great deal of time by providing the files below.

rllog-ISAPI

Download and extract those files into your Windows root. Go to the Features View -> ISAPI Filters and click on Add. Enter the Name and Executable location and click OK. Note that it’s handy to add both the 32 and 64 bit versions to a 64bit IIS web server just in case you are dealing with legacy applications that are required to run in 32bit mode. Add the ISAPI filter at the root configuration of the web server so it propagates down to all existing sites and any newly created sites.

The Backup Delusion – Part 2

It’s been a while since my first post on this topic, but there has certainly been a lot of thought and effort put into this subject since then. At first I envisaged this to be a two part post, but I think I’m going to break this up over a couple more posts that focus on a couple of particular areas that have come to the fore since I’ve begun to seriously think about backups as a hosting provider.

I’ve been running an internal product group that’s tasked with trying to find, test and launch the best overall Backup Application for our diverse client base. As a group we have gone through a process of trying to work out what features and benefits are most important to both us, as a business, and what’s important from a client’s perspective.

We spent some time working on a Backup Selection Matrix that could quantify and rate those features and from there, we would be able to score any Backup Product based on those numbers. In the previous post I listed out some of those features and explained how they affect the way in which both clients and us as providers look at selecting, developing and deploying products. At the end of that process we were able to clearly graph products against an X and Y axis (as shown below) and from that, clearly get an indication of which products came out on top based on those requirements.

For the sake of not embarrassing some Backup vendors I’ve removed the product names from the images above. Suffice to say that some large, well known vendor products fell well short of expectation and rated very poorly. Across the board it was clear that not one product stood out…but some certainly failed and scored poorly.

What it’s allowed the group to do is to quantify against the testing, staging and real world UAT sites which in theory should lead to a calculated decision to be made on which product best fits the requirements.

In the next post in the series I’ll explain why, in some countries such as Australia where high speed broadband is not as widely available as in other countries, we have a fundamental issue with offsite backup technologies which basically causes most large offsite replication and backup jobs to fail…which ultimately renders the offsite backup solution useless…and that effectively puts service providers at risk of credibility issues if expectations are not set based on real world metrics.

The Backup Delusion – Part 1