Internap
Re: Internap
I find these complaints about DDoS migration very ironic as peering opportunities for instance in New York aren't even being used. Myself being one of the best examples of this. I'm sitting the same cogent transit link as loads of other people, when my ISPs port is open the NYIIX and has really low latency plus fast transfer speeds.
Re: Internap
Internap has peering to various providers through many exchanges, and also has connections to a wide range of transit providers in NYC. I do not know if your ISP is one of its peers. Whether a particular ISP is a direct peer is not the most important factor in outbound route selection. Outbound route selection does not relate to DDoS mitigation.
In NYC, Internap's limitations with regards to DDoS mitigation are mostly internal and policy-related; Internap has plenty of external (upstream provider) capacity. Having GTT in their mix helped because GTT applied filters upstream and we were able to shape traffic to largely come in over GTT and compensate for these internal limitations. With GTT gone, Internap could make configuration adjustments there that would fix the internal problems, but Internap has chosen not to do this yet.
At other locations, unlike NYC, Internap does not already have the external capacity to accept large volumes of DDoS traffic. GTT helped them (and us) to compensate for this lack of capacity by filtering upstream; their links to GTT also simply gave them more capacity. Following the loss of GTT, Internap can't just make internal adjustments to fix the situation; it will need to work with other upstream providers to provide filtering, or simply upgrade its connections. So far, Internap has been resistant to these.
We're continuing to explore options on our end to help protect our customers. Unfortunately, moving away from Internap would be a costly and complicated business, so this can't be done quickly. The time factor is why Internap's abrupt removal of GTT was particularly unwelcome; Internap could have let us know months earlier.
In NYC, Internap's limitations with regards to DDoS mitigation are mostly internal and policy-related; Internap has plenty of external (upstream provider) capacity. Having GTT in their mix helped because GTT applied filters upstream and we were able to shape traffic to largely come in over GTT and compensate for these internal limitations. With GTT gone, Internap could make configuration adjustments there that would fix the internal problems, but Internap has chosen not to do this yet.
At other locations, unlike NYC, Internap does not already have the external capacity to accept large volumes of DDoS traffic. GTT helped them (and us) to compensate for this lack of capacity by filtering upstream; their links to GTT also simply gave them more capacity. Following the loss of GTT, Internap can't just make internal adjustments to fix the situation; it will need to work with other upstream providers to provide filtering, or simply upgrade its connections. So far, Internap has been resistant to these.
We're continuing to explore options on our end to help protect our customers. Unfortunately, moving away from Internap would be a costly and complicated business, so this can't be done quickly. The time factor is why Internap's abrupt removal of GTT was particularly unwelcome; Internap could have let us know months earlier.
-
stickz
Re: Internap
My ISP is one of it's peers and other providers (ie. choopa) are running them as an inbound off the NYIIX as well. Having that extra redundancy would definitely help for load balancing. Missed opportunities like this worsen DDoS mitigation; especially, when the transit link is lower latency than cogent with fast transfer speeds and no congestion.Edge100x wrote:Internap has peering to various providers through many exchanges, and also has connections to a wide range of transit providers in NYC. I do not know if your ISP is one of its peers. Whether a particular ISP is a direct peer is not the most important factor in outbound route selection. Outbound route selection does not relate to DDoS mitigation.
-
smallcrush
- New to forums
- Posts: 7
- Joined: Sat Aug 23, 2014 8:46 pm
Re: Internap
I am surprised you deem it a big loss considering GTT/TiNET/nLayer has been known to be unstable and bad bandwidth overall.
I remember in 2014 I was with another dedi provider using them massively and they had 4 months worth of terribad latencies throughout the US, latencies that would daily reach 2x to 3x the normal values. We still use that dedi provider as a file server and get reports of intermittent-but-recurrent packet losses issues on GTT, a few every month. That bandwidth is absolute crap, and I would think in terms of routing quality it's a good riddance.
Wish they would drop QWEST as well in NY, at least not advertising it on the inbound, it's another crap provider.
I remember in 2014 I was with another dedi provider using them massively and they had 4 months worth of terribad latencies throughout the US, latencies that would daily reach 2x to 3x the normal values. We still use that dedi provider as a file server and get reports of intermittent-but-recurrent packet losses issues on GTT, a few every month. That bandwidth is absolute crap, and I would think in terms of routing quality it's a good riddance.
Wish they would drop QWEST as well in NY, at least not advertising it on the inbound, it's another crap provider.
Re: Internap
stickz, public peering links can also be congested, so the calculation is not quite that simple. I've seen it many times. I can't speak to the specific reasons why Internap would not be using the link in your case, but it will likely relate to measurable factors such as latencies, packet loss, jitter, and link utilization thresholds. If you feel that a different outbound path would work better for you by more than a few milliseconds, contact us directly and we can bring it up with Internap. Edit: I checked the path to you, stickz, and Internap is currently using that NYIIX peering to reach your IP address on the outbound. The inbound will be dictated by your ISP.
The other provider that you mentioned does not have better DDoS mitigation capabilities, so emulating them would not generally be advisable for Internap to do.
smallcrush, every NSP has its own problems at times, I'm afraid. Frequently these problems stem from overloading peerings with other networks. Just in the last month, I've seen issues at times with at least AT&T, Verizon Business, Telia, and Cogent, for instance. I haven't seen problems with GTT on the inbound to any location, which is where it was extremely useful in DDoS mitigation.
Good traffic engineering practices -- including having multiple upstream providers and intelligently choosing which one to use to reach individual client networks -- allow outbound problems to be avoidable. If your other provider was seeing measurable problems when reaching you over GTT, they should have moved traffic to your prefix or ASN to another upstream. You should also check and make sure that it's not the provider itself that is overloading its links to GTT, as overloaded links are not uncommon at lower-end hosts. One possible reason for temporarily overloaded links at any host: DDoS attacks.
The other provider that you mentioned does not have better DDoS mitigation capabilities, so emulating them would not generally be advisable for Internap to do.
smallcrush, every NSP has its own problems at times, I'm afraid. Frequently these problems stem from overloading peerings with other networks. Just in the last month, I've seen issues at times with at least AT&T, Verizon Business, Telia, and Cogent, for instance. I haven't seen problems with GTT on the inbound to any location, which is where it was extremely useful in DDoS mitigation.
Good traffic engineering practices -- including having multiple upstream providers and intelligently choosing which one to use to reach individual client networks -- allow outbound problems to be avoidable. If your other provider was seeing measurable problems when reaching you over GTT, they should have moved traffic to your prefix or ASN to another upstream. You should also check and make sure that it's not the provider itself that is overloading its links to GTT, as overloaded links are not uncommon at lower-end hosts. One possible reason for temporarily overloaded links at any host: DDoS attacks.
-
smallcrush
- New to forums
- Posts: 7
- Joined: Sat Aug 23, 2014 8:46 pm
Re: Internap
I didn't say I really suffered from GTT here, on the contrary since GTT has been plugged out a majority of the TATA transit goes through Qwest and as a result my latencies on busy hours are doubled (since my ISP like many many others route through TATA), whilst on GTT it was stable (it's an inbound thing, on the outbound it's fine).
Yet I clearly remember GTT being pointed out at being quite bad and not suited for a non intelligent network, all this had been talked about at the time I suffered from it, and it wasn't your standard conventionnal issues most NSPs have but something that happened daily for 4 months, and that was happening on all GTT routes, with latencies that would be tripled, something I've never really heard about before even for HE or Cogent. Simply put it was awful. EDIT: It had been discussed here by a few players of the IT industry.
If you plan ever switching from Inap to something else, purely out of curiosity, do you have an idea of who? I'm just being curious, I would bet something intelligently optimized as well such as Softlayer? Datapipe? Simple cusiosity, I'm interested in what you have in your mind.
Yet I clearly remember GTT being pointed out at being quite bad and not suited for a non intelligent network, all this had been talked about at the time I suffered from it, and it wasn't your standard conventionnal issues most NSPs have but something that happened daily for 4 months, and that was happening on all GTT routes, with latencies that would be tripled, something I've never really heard about before even for HE or Cogent. Simply put it was awful. EDIT: It had been discussed here by a few players of the IT industry.
If you plan ever switching from Inap to something else, purely out of curiosity, do you have an idea of who? I'm just being curious, I would bet something intelligently optimized as well such as Softlayer? Datapipe? Simple cusiosity, I'm interested in what you have in your mind.
Re: Internap
Every individual NSP ("tier 1") has its pros and cons, certainly. GTT has problems at times and I don't expect to be seeing them used too much on the outbound. As the last post in that thread mentioned, I haven't seen major latency problems with them recently except in peerings to specific ISPs, and those are easily avoided.
In Chicago, we have various links, including mixed peers over the Equinix fabric, Internap, Cogent, Telia, Tata, and GTT, that we are evaluating. Any migration from Internap, at any location, will not involve a single provider, and the final mix will still likely have Internap as a component. It's unlikely that we'll deal with additional blended/reseller ("tier 2") providers such as the ones you listed, since they generally have less capacity to filter attack traffic. We do not have to depend on upstream route optimization systems since we have our own.
In Chicago, we have various links, including mixed peers over the Equinix fabric, Internap, Cogent, Telia, Tata, and GTT, that we are evaluating. Any migration from Internap, at any location, will not involve a single provider, and the final mix will still likely have Internap as a component. It's unlikely that we'll deal with additional blended/reseller ("tier 2") providers such as the ones you listed, since they generally have less capacity to filter attack traffic. We do not have to depend on upstream route optimization systems since we have our own.