Why Are DDoS attacks so hard to block?

I started off this post thinking about whether or not moving your infrastructure to a cloud would give organizations better protection against DDoS attackers, and the short answer is: not really.

The issue with a coordinated DDoS attack is that it is usually orchestrated from a wide range of attacking computers, which are typically hijacked and retrofitted with undetected scripts that can be turned on to send a flood of data at a target when directed by the hijacker.

When the attack commences, all these disparate computers start sending data to your organization in unison. To stop just one of these attacking computers from flooding your network, you have to cut it off upstream at the source.

Blocking the attacker's incoming IP at your local firewall does no good, because the main pipe coming from your upstream provider is still flooded with garbage and most likely unusable. So you have to follow the trail of each attacking computer farther upstream. Your provider should be able to help if you can work with them, but that may or may not be effective, because a DDoS attack, if large enough, can also torment your provider. And even if you do manage to work upstream and block the IPs the attack is coming from, some DDoS attackers can just keep coming at you from a new wave of IP addresses. One person acting alone can hijack millions of computers from around the world and use them in waves of recurring attacks, with little effort.

How does a hijacker have the time to take over a million computers?

I’ll cover that in my next post.

As for the cloud offering protection: a cloud-hosted IT infrastructure cannot provide any immunity, since the cloud itself can be attacked. However, cloud providers might have the resources to detect an attacker and block it farther upstream, and a bit more quickly, so there is some benefit.


See also

Regulate DDOS like pollution

DD4BC Group Targets Companies with Ransom-Driven DDoS Attacks




Do We Really Need a Home Security Network Device?

A friend of mine sent me a note this morning, asking if our bandwidth shaping device could provide the same type of service as this new Dojo application. Their niche is basically that you cannot trust third-party devices in your home network not to be hijacked. For example, the software engineers writing the code that allows you to remote control your dishwasher from your iPhone are likely not security experts. It is a reasonable assertion that a hacker might exploit a security hole in their software. The Dojo will detect any smart device breaches and take action, a good idea for sure.

I spent about 20 minutes reading and thinking about their specification and what value it provides to the home user. And then it hit me: there is a more obvious precaution to secure your home network that you might be overlooking.


  • Gmail in the cloud
  • QuickBooks in the cloud
  • Banking in the cloud
  • Facebook in the cloud
  • Google Docs in the cloud
  • Stock Trading in the Cloud

No, nothing is ever completely secure, and certainly anything you put in the cloud can be hacked, but in my opinion the level of security afforded by the cloud is far better than anything you can rig together on your home network.

Think about it…

Your bank spends hundreds of millions on staying ahead of hackers. You have secret pictures, and secret questions that challenge you about your second cousin's favorite hobby. They know when you are coming from a new or different IP address.

Gmail now tells you when there is a login from a non-standard computer.

These modern cloud applications are about as secure as a consumer could hope for. For the same reason you should not keep wads of cash in a safe in your house, you should not keep any personal information on storage devices in your house. Let your dishwasher go hog wild, who cares. I catch hackers on my network all the time; they have hijacked a few servers to send spam and attack other consumers (my bad), but there is really nothing of interest lying around on any of my devices other than some geezer MP3 music, and my vacation photos on my iPad that nobody else wants to look at anyway.

But if you must secure important data in your home network, then yes, go ahead and invest in a device like the Dojo, it can't hurt. But before you do that, change your habits and use the cloud whenever possible.

Art Reisman

CTO http://www.netequalizer.com

Dear Comcast, Please Stop Slowing my iOS Update

Last week I was forced to re-load my iPad from scratch. So I fired it up and went through the routine that wipes it clean and re-loads the entire OS from the Apple cloud. As I watched the progress indicator, it slowly climbed from 1 hour, then 2 hours, then all the way up to 23 hours, and then it just stayed there. Now I know the iOS, or whatever they call it on the iPad, is big, but 23 hours big? I double-checked the download throughput on my NetEqualizer status screen, and sure enough, it was only running at about 60 to 100kbs, nowhere near my advertised Business Class 20 megabits. So I did a little experiment. I turned on my VPN tunnel, unplugged my iPad for a minute, and then took some steps to hide my DNS (so Comcast had no way to see my DNS requests). I then restarted my update and sure enough it sped up to about 10 megabits.

To make sure I was not imagining anything I repeated the test.

Without VPN  (slow)

With VPN (fast)

So what is going on here? Does the VPN make things go faster? No, not really, but it does prevent Comcast from recognizing my iOS update from Apple and singling it out for slower bandwidth.

Why does Comcast (allegedly) shape my download from Apple?

The long story behind this basically boils down to this: it is likely that Comcast really does not have a big enough switch going out to the Internet to support the deluge of bandwidth needed when a group of subscribers all try to update their devices at once. Especially during peak hours! Therefore, in order to keep basic services from becoming slow, they single out a few big hitters such as iOS updates.

NetEqualizer News: July 2015

July 2015


Enjoy another issue of NetEqualizer News! This month, we highlight exciting 8.3 Release features, talk about our experience at edAccess’s Vendor Day, encourage you to sign up for a Tech Refresh, spotlight our Hotel & Resorts offering, and update you on the NetEqualizer DDoS monitoring and prevention tool. As always, feel free to pass this along to others who might be interested in NetEqualizer News.

A message from Art…
Art Reisman, CTO – APconnections

Now that summer has officially arrived, we are ready for the heat in Colorado. It has been unusually rainy and cloudy here in July so far, and I would like more sunshine please!

Speaking of heat, this month we turn the heat up on several of our new features in 8.3, which are spotlighted below. 8.3 has been G/A since early June, in case you missed it. We also want you to take a Summer Course, no tests involved, and update you on Art’s latest visit back to school, namely the edAccess Conference. And finally, if you need relief from the heat of potential DDoS attacks, you have come to the right place. Our DDoS Monitor and Firewall can help! Read more below.

We love it when we hear back from you – so if you have a story you would like to share with us of how we have helped you, let us know. Email me directly at art@apconnections.net. I would love to hear from you!

Spotlight: 8.3 Release Hot New Features

8.3 has been G/A since early June, and we have been receiving a lot of positive feedback on the new RTR reports. If you have not yet requested 8.3, what are you waiting for? Click here to request an upgrade to 8.3 from our support team.

This month, we are highlighting two features available in 8.3: Historical and Active Penalty Tracking. We also talk about our activated Management Port, a feature available on all new NetEqualizers!

One of the best features in the 8.3 release is increased visibility into how your NetEqualizer is penalizing traffic. We’ve added interfaces to the 8.3 release that allow you to see both the number of penalties enforced on your network historically, as well as all of the current connections that are being penalized.

Historical Penalty Tracking

The General Penalty Reports page under the Traffic History menu shows the number of penalties enforced on your network at a given point in time. This allows you to see when connections on your network were being Equalized.


Active Penalty Tracking

The View Active Penalties page under the Active Connections menu shows which connections are currently being Equalized along with their current state (New, Increased, or Decreased). This allows you to diagnose any performance issues and also gives you a real time look at how the penalties are being enforced and who they are being enforced on.


Management Port Enabled by Default on all NEW NetEqualizers

We strive to make setting up the NetEqualizer as simple as possible. In this spirit, last year we moved all new NetEqualizers to a four port model, and started using colored port plugs to help our customers identify the ports. Two ports (eth0 and eth1) are used for network traffic, a 3rd port (eth2) is used as a management port, and the 4th port is a spare. We use four colors: 1) blue (WAN), 2) orange (LAN), 3) clear (Management Port) and 4) black (unused).

Prior to 8.3, only a subset of our customers used the Management Port, typically those on VLANs. As of 8.3, we standardized everything so that our NetEqualizer code automatically enables the Management Port, and ALL customers will use this to configure new NetEqualizers. While not a huge change, we think this will make setup just a little bit easier for everyone.

Please note that this feature is only available on new NetEqualizers.

You can read more about all of the features of the 8.3 Release here in the 8.3 Software Update. If you would like to upgrade to 8.3, just click on the button below to send a request to Support.


These features are free to all customers with valid NetEqualizer Software and Support. If you are not current with NSS, contact us today!

We Had a Blast at edAccess!

Art recently joined the edAccess Conference in Mercersburg, PA on June 24th for Vendor Day. It was a great event and was well-attended by small schools and colleges (members come from schools with an FTE of under 1,000 students).

Art got to visit with quite a few current NetEqualizer customers, as you can see in the picture below:


Art is on the left of the picture and is shown along with representatives from Williston Northampton School, Choate Rosemary Hall, Blair Academy, Mt. St. Mary Academy, Mercyhurst University, Peddie School, and Groton School.

Art would like to personally thank everyone for a great event…

I’d like to thank John Johnson from Williston Northampton School, Rainelle Dixon from Mercersburg Academy and the entire edAccess steering committee for being such wonderful hosts to the vendors. Mercersburg is such a lovely campus, and my drive through central Pennsylvania was also relaxing and fun. I took some time on my return stopping at the various waysides, and even took in a game featuring the Single A Crosscutters of Williamsport.

Thanks Again!

To learn more about NetEqualizer and how we help educational institutions of all sizes, click below.


Take a Summer Course! Sign Up for a Tech Refresh

Remember those days? If you ever took a summer course, you know that the key was to keep it short, so that you could get back outside. Our NetEqualizer Technical Refresh is short! – only a 30 minute discussion with you and your fellow team members to help get caught up on new NetEqualizer functionality or answer any other questions you have.

The Tech Refresh is great for both new and longtime customers because we are constantly enhancing our product to give you the most value in managing and shaping bandwidth.

To schedule your Tech Refresh, contact us today!


Tech Refreshes are free to all customers with valid NetEqualizer Software and Support. If you are not current with NSS, contact us today!

Spotlight: GX2 – NetEqualizer Hotel & Resort Industry Wi-Fi Partner

NetEqualizer’s Wi-Fi management partner for the hotel and resort industry, GX2 (formerly Global Gossip), recently attended the HITEC 2015 Conference in Austin, Texas, and brought along the NetEqualizer. According to their website, HITEC is the world’s largest hospitality conference.

Visitors to GX2’s booth and luncheon were able to review the NetEqualizer offering, and also walk away with some trade show bling (a foam NetEqualizer soccer ball!).

Here is a screenshot of the GX2 application used in the managed Wi-Fi service offering:


As we have reported here in the past, GX2 utilizes the NetEqualizer as part of their Wi-Fi offering supporting our National Parks. So, if you have a summer vacation planned at Yellowstone, Mammoth, Mount Rushmore, Zion, Crater Lake, or the Grand Canyon, to name a few, chances are you are experiencing the benefits of NetEqualizer’s traffic shaping.

If you are already on our technology, you have part of the solution already in place. If you have ever wanted to learn more about a managed service Wi-Fi solution for the Hotel & Resort industry, you can read about our joint offering (HMSIO).


NetEqualizer DDoS Tool Gaining Momentum

We keep getting reports of ongoing Distributed Denial of Service (DDoS) attacks from our customers, and are glad to hear the NetEqualizer is helping in many cases. If you are interested in chatting about using the NetEqualizer as a DDoS prevention tool please contact us to set up a time to chat.

Note: We do have a consulting charge for custom activation of firewall rules, but the initial consult is free.

The 8.3 Release includes our DDoS Monitor at no extra charge! In addition, our new DDoS Firewall tool (DFW) can be purchased as an add-on module for an additional fee.


The new DDoS Monitor shows you some basic metrics on the outside intrusion hit rate into your network. It can be used to spot anomalies which would indicate a likely DDoS attack in progress. The DDoS Firewall tool helps to actually thwart the attack.


Best Of The Blog

Is Your Bandwidth Controller Obsolete Technology?

By Art Reisman – CTO – APconnections

Although not free yet, bandwidth contracts have been dropping in cost faster than a bad stock during a recession. With cheaper bandwidth costs, the question often arises on whether or not an enterprise can do without their trusty bandwidth controller.

Below, we have compiled a list of factors that will determine whether or not Bandwidth Controllers stick around for a while, or go the route of the analog modem, a relic of when people received their Internet from AOL and dial-up…

Photo Of The Month
Cinque Terre, Italy
This picture was taken by one of our staff while walking the trail that connects the five towns of the Cinque Terre on the coast of Italy. These towns are built into the sides of the tall hills that meet the sea. The trek between each town is a manageable 2 miles and provides picturesque views of the water and surrounding forests.

Behind The Scenes, How Many Users Can an Access Point Handle?

Assume you are teaching a class with thirty students, and every one of them needs help with their homework. What would you do? You’d probably schedule a time slot for each student to come in and talk to you one on one (assuming they all had different problems and there was no overlap in your tutoring).

Fast forward to your wireless access point. You have perhaps heard all the rhetoric about 3.5 gigahertz, or 5.3 megahertz?

Unfortunately, the word frequency is tossed around in tech buzzword circles the same way car companies and their marketing arms talk about engine sizes. I have no idea what a 2.5 liter engine is; it might sound cool and it might be better than a 2 liter engine, but in reality I don’t know how to compare the two numbers. So to answer our original question, we first need a little background on frequencies to get beyond the marketing speak.

A good example of a frequency that is also easy to visualize is ripples on a pond. When you drop a rock in the water, ripples propagate out in all directions. Now imagine if you stood in the water, thigh deep, across the pond, and the ripples hit your leg once each second. The frequency of the ripples in the water would be 1 hertz, or one peak per second. With access points, there are similar ripples that we call radio waves. Although you can’t see them, like the ripples on the water, they are essentially the same thing: little peaks and valleys of electromagnetic waves going up and down and hitting the antenna of the wireless device in your computer or iPhone. So when a marketing person tells you their AP is 2.4 Gigahertz, that means those little ripples coming out of it are hitting your head, and everything else around it, 2.4 billion times each second. That is quite a few ripples per second.

Now in order to transmit a bit of data, the AP actually stops and starts transmitting ripples. One moment it is sending out 2.4 billion ripples per second, the next moment it is not. Now this is where it gets a bit weird, at least for me. The 2.4 billion ripples a second really have no meaning as far as data transmission by themselves; what the AP does is set up a schedule of time slots, let’s say 10 million time slots a second, where it is either transmitting ripples, or it turns the ripple generator off. Everybody that is in communication with the AP is aware of the schedule and all the 10 million time slots. Think of these time slots as dates on your calendar: if you have a sunny day, call that a one, while if you have a cloudy day call that a 0. Sunny days are a binary 1 and cloudy days a binary 0. After we string together 8 days we have a sequence of 1’s and 0’s and a full byte. Now 8 days is a long time to transmit a byte, which is why the AP does not use 24 hours for a time slot, but it could, if we were some laid-back hippie society where time did not matter.

So let’s go back over what we have learned and plug in some realistic parameters.
Let’s start with a frequency of 2.4 gigahertz. The fastest an AP can realistically turn this ripple generator off and on is about 1/4 the frequency, or about 600 million time slots/bits per second. This assumes a perfect world where all the bits get out without any interference from other things generating ripples (like your microwave). So in reality the effective rate might be more on the order of 100 million bits a second.
Now let’s say there are 20 users in the room, sharing the available bits equally. They would all be able to run 5 megabits each. But again, there is overhead switching between these users (sometimes they talk at the same time and have to constantly back off and re-sync). Realistically, with 20 users all competing for talk time, 1 to 2 megabits per user is more likely.

Other factors that can affect the number of users.
As you can imagine, AP manufacturers do all sorts of things to get better numbers. The latest APs have multiple antennas and run on two frequencies (two ripple generators) for more bits.

There are also often interference problems with multiple APs in the area, all making ripples. The ripples from one AP do not stop at a fixed boundary, and this complexity will cause data rates to slow down while the APs sort themselves out.

For related readings on Users and Access Points:

How Many Users Can a Wireless Access Point Handle?

How to Build Your Own Linux Access Points

How to Use Access Points to Set Up an In-Home Music System

Does Your School Have Enough Bandwidth for On-line Testing?

K-12 schools are all rapidly moving toward “one-for-one” programs, where every student has a computer, usually a laptop. Couple this with standardized, cloud-based testing services, and you have the potential for an Internet gridlock during the testing periods. Some of the common questions we hear are:

How will all of these students using the cloud affect our internet resource?

Will there be enough bandwidth for all of those students using on-line testing?

What type of QoS should we deploy, or should we buy more bandwidth?

The good news is that most cloud testing services are designed with a fairly modest bandwidth footprint.

For example, a student connection to a cloud testing application will average around 150kbs (kilo-bits per second).

In a perfect world, a 40 megabit link could handle about 400 students simultaneously doing on-line testing as long as there was no other major traffic.

On the other hand, a video stream may average 1500kbs or more.

A raw download, such as an iOS update, may take as much as 15,000kbs, which is 100 times more bandwidth than the student taking an on-line test.

A common belief when choosing a bandwidth controller to support on-line testing is that you should find a tool which will specifically identify the on-line testing service and the non-essential applications, thus allowing the IT staff at the school to make adjustments giving the testing a higher priority (QoS). Yes, this strategy seems logical, but there are several drawbacks:

  • It requires a fairly sophisticated form of bandwidth control and can be fairly labor intensive and expensive.
  • Much of the public Internet traffic may be encrypted or tunneled, and hard to identify.
  • Another complication in trying to give Internet traffic traditional priority is that a typical router cannot give priority to incoming traffic, and most of the test traffic is incoming (from the outside in). We detailed this phenomenon in our post about QoS and the Internet.

The key is not to make the problem more complicated than it needs to be. If you just look at the footprint of the streams coming into the testing facility, you can assume, from our observation, that all streams of around 150kbs are of a higher priority than the larger streams, and simply throttle the larger streams. Doing so will ensure there is enough bandwidth for the testing service connections to the students. The easiest way to do this is with a heuristic-based bandwidth controller, a class of bandwidth shapers that dynamically give priority to smaller streams by slowing down larger streams.

The other option is to purchase more bandwidth, or in some cases a combination of more bandwidth and a heuristic-based bandwidth controller, to be safe.
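As an added illustration (example code, not NetEqualizer's own algorithm), here is a max-min fair allocation in Python that realizes the "protect the small streams, throttle the large ones" heuristic described above. The flow mix is constructed from the figures quoted on this page: 250 test sessions at 150 kbps, two 1,500 kbps video streams and one 15,000 kbps update competing for a 40 Mbit link.

```python
"""Max-min fair sharing as one concrete way to 'give priority to smaller streams by
slowing down larger streams'. Example code, not NetEqualizer's own algorithm; the
flow mix below is constructed from the figures quoted in the post."""


def constructed_flows():
    """Constructed demand mix in kbps: 250 test-takers, two video streams, one update."""
    flows = {f"student{i}": 150 for i in range(250)}
    flows.update({"video1": 1500, "video2": 1500, "ios_update": 15000})
    return flows


def max_min_share(demands_kbps, link_kbps):
    """Allocate `link_kbps` across flows so each flow gets either all it asks for or an
    equal share of what is left, whichever is smaller. Walking the demands smallest-first
    means every small stream is satisfied before any large stream is cut back."""
    alloc = {}
    capacity = float(link_kbps)
    ordered = sorted(demands_kbps.items(), key=lambda kv: kv[1])
    for i, (name, demand) in enumerate(ordered):
        share = capacity / (len(ordered) - i)  # equal split of the remaining capacity
        grant = min(demand, share)
        alloc[name] = grant
        capacity -= grant
    return alloc


def throttled_flows(alloc, demands_kbps):
    """Names of the streams the shaper actually slowed down (granted < demanded)."""
    return {name for name, demand in demands_kbps.items() if alloc[name] < demand}


if __name__ == "__main__":
    flows = constructed_flows()
    plan = max_min_share(flows, 40000)
    print("demand %d kbps, granted %d kbps" % (sum(flows.values()), round(sum(plan.values()))))
    for name in sorted(throttled_flows(plan, flows)):
        print(f"  {name}: {flows[name]} -> {plan[name]:.0f} kbps")
```

With this mix the 250 test sessions keep their full 150 kbps, and the three large streams split the 2,500 kbps that remains; with spare capacity on the link nothing is throttled at all.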

Please contact us for a more in-depth discussion of options.

For more information on cloud usage in K-12 schools, check out these posts:

Schools View Cloud Infrastructure as a Viable Option

K-12 Education is Moving to the Cloud

For more information on Bandwidth Usage by Cloud systems, check out this article:

Know Your Bandwidth Needs: Is Your Network Capacity Big Enough for Cloud Computing?

NetEqualizer News: June 2015

June 2015


Enjoy another issue of NetEqualizer News! This month, we announce the 8.3 Release – Expanded RTR, introduce our End of Spring Sale, update you on our DDoS monitoring and prevention technology, and preview our upcoming seminars and conferences. As always, feel free to pass this along to others who might be interested in NetEqualizer News.

A message from Art…
Art Reisman, CTO – APconnections

Spring has been interesting in Colorado this year – if you like to set records for the most rain in 20 years, that is! Luckily, one of my favorite TV channels is The Weather Channel, so I have been enjoying all the storms… With spring coming to an end soon, I look forward to warmer summer weather.

We love it when we hear back from you – so if you have a story you would like to share with us of how we have helped you, let us know. Email me directly at art@apconnections.net. I would love to hear from you!

8.3 Release is G/A

We are very excited to announce that our 8.3 Release – Expanded RTR is now generally available!

The beta tests for the 8.3 Release have gone very well, and we are ready to release the new reporting features to everyone! Here is a comment from one of our beta customers:

“One of the things that really got my attention on the new 8.3 Release was the ability to see, in real-time, the traffic on all my subnets on one screen. I simply created a pool for all the subnets in my network, and I can instantly see the saturation in the dynamic bar charts that update once a second. I know instantly which segments are saturated by glancing at my monitor screen.”

This release expands our current reporting features to include even more useful information, graphs, and tables. Here are just a few of the new additions you’ll find in the 8.3 Release:

1) Top Talkers Report – this has been one of the most requested graphs and was a popular feature of our previous reporting tool, ntop. You can use this feature to see which IP addresses have used the most bandwidth over time.


2) General Penalty Report – we are bringing this one back from the first version of RTR! You can see both IPs that are currently being penalized, as well as a historical count of penalties that have occurred over time.


3) Connection Count Report – NetEqualizer controls P2P traffic by using connection count limits on IP addresses. However, figuring out what limit to set for your network depends on how it’s used. You can use the new Connection Count Report to see how many connections individual IP addresses have, and thus set your connection limit to the appropriate level.


You can read more about all of the features of the 8.3 Release here in the 8.3 Software Update. If you would like to upgrade to 8.3, just click on the button below to send a request to Support.


These features are free to all customers with valid NetEqualizer Software and Support. If you are not current with NSS, contact us today!

Spring for a Lease in our End of Spring Sale

Our Leasing Program continues to be a popular choice for customers that want to use a NetEqualizer with no long-term lease commitment, and also want to spread out their costs over each month instead of incurring one upfront expense. If you have ever considered leasing a NetEqualizer, now is the time!

To celebrate two years of the NetEqualizer Leasing Program, all new NetEqualizer Leases started before August 31st, 2015 will get 50% off the 1st month fee.

This offer is subject to availability, and customers must qualify to participate in our Leasing Program.

We also are excited to announce that we have added fiber connectivity to our leasing program, in both the 1Gbps and 10Gbps levels. And, to provide more flexibility in financing for our larger customers, we are now offering an Enterprise-Level Lease, for customers with more than 10,000 end users.

If you are interested in learning more, you can read the details of our Leasing Program here, or contact us below.


DDoS Update

The 8.3 Release also includes our recent Distributed Denial of Service (DDoS) Monitor at no extra charge! In addition, our new DDoS Firewall tool (DFW) can be purchased as an add-on module for an additional fee.

Here are some tips from our security experts for how to handle DDoS attacks, or stop them in the first place:
• Lock out unexpected geographies – Most businesses do not need global availability for their websites.
• If an attack occurs, look for fraud – Sometimes DDoS attacks can be smokescreens for other breaches.
• Route traffic through a system like CloudFlare – Their vast network can help thwart bandwidth overloads.
• Have a plan – Build DDoS into your Disaster Recovery Plan, and know who to call when an attack occurs.

The NetEqualizer can help you have a plan.

The new DDoS Monitor, which comes standard, shows you some basic metrics on the outside intrusion hit rate into your network. It can be used to spot anomalies which would indicate a likely DDoS attack in progress.

See our detailed blog article on the subject for how this technology works. Here is a screenshot of the DDoS Monitor dashboard:


If you decide you need something more proactive to mitigate a DDoS attack, we have a solution for you! For a one time charge of $3,500, which includes one hour of training and consulting, we install our DDoS Firewall (DFW) feature, which can be configured to block standard DDoS attacks.


NetEqualizer Tech Seminars and Conferences

Our CTO, Art Reisman, will be on-site at Mercersburg Academy in Mercersburg, Pennsylvania during edACCESS Vendor Day, June 24th.

If you have ever been curious about the NetEqualizer, and want to learn more, stop by to talk to Art. We also look forward to visiting with customers as well, so please come by and say hello. You might even get some free NetEqualizer bling from Art!

If you cannot attend the edACCESS conference, but are in the area of South Central Pennsylvania, and would like to meet with Art, email him at:


Art will be in the area for a few days after the conference as well.

How do you tell if edACCESS is right for you? Their mission is to provide support and networking for information technology staff at secondary schools and small colleges. Most edACCESS members come from schools with an FTE of under 1,000 students. So, if that sounds like you, consider attending the 2015 edACCESS Conference.

If you have never been to an edACCESS Conference, you might not know that they are purposely run small (100 attendees maximum) and that they use the peer conference mode.

Here is what they say on the edACCESS website:

“Each edACCESS conference is small, responsive, and participant-driven. Small, because edACCESS conferences are limited to one hundred attendees. Responsive, because half the conference is spent discussing topics chosen by attendees through a careful first-day process. Participant-driven, because we believe that, collectively, we are the experts.”

We hope to see you there!


Best Of The Blog

The Facts and Myths of Network Latency

By Art Reisman – CTO – APconnections

There are many good references that explain how some applications such as VoIP are sensitive to network latency, but there is also some confusion as to what latency actually is as well as perhaps some misinformation about the causes.

In the article below, we’ll separate the facts from the myths and also provide some practical analogies to help paint a clear picture of latency and what may be behind it…

Photo Of The Month
Brighton Beach, UK
This picture was taken by one of our staff on Brighton Beach, UK during our recent Tech Seminar. Brighton Beach features Brighton Pier, which is a pleasure pier that opened in 1899. Here, the ride operators are shown taking a break from work.

Firewall Recipe for DDoS Attack Prevention and Mitigation

Although you cannot “technically” stop a DDoS attack, there are ways to detect and automatically mitigate the debilitating effects on your public facing servers. Below, we shed some light on how to accomplish this without spending hundreds of thousands of dollars on a full service security solution that may be overkill for this situation.

Most of the damage done by a targeted DDoS attack is the result of the overhead incurred on your servers from a large volume of fake inquiries into your network. Often with these attacks, it is not the volume of raw bandwidth that is the issue, but the slow response time due to the overhead on your servers. For a detailed discussion of how a DDoS attack is initiated, please visit http://computer.howstuffworks.com/zombie-computer3.htm

We assume in our recipe below, that you have some sort of firewall device on your edge that can actually count hits into your network from an outside IP, and also that you can program this device to take blocking action automatically.

Note: We provide this type of service with our NetGladiator line. As of our 8.2 software update, we also provide this in our NetEqualizer line of products.

Step 1
Calculate your base-line incoming activity. This should be a running average of unique hits per minute or perhaps per second. The important thing is that you have an idea of what is normal. Remember we are only concerned with un-initiated hits into your network, meaning outside clients that contact you without having been contacted first.

Step 2
Once you have your base hit rate of incoming queries, set a flag to take action (step 3 below) should this hit rate exceed your base line by more than 1.5 standard deviations. In other words, act if your hit rate jumps by a statistically large amount compared to your base line for no apparent reason (i.e. you did not mail out a newsletter).

Step 3
You are at step 3 because you have noticed a much larger than average hit rate of un-initiated requests into your web site. Now you need to look at the hit count by external IP. We assume that the average human will generate at most a hit every 10 seconds or so, maybe higher, and on average will likely not generate more than 5 or 6 hits over a period of a few minutes. A hijacked client attacking your site as part of a DDoS attack is likely to hit you at a much higher rate. Identify these incoming IPs and go to Step 4.

Step 4
Block these IPs on your firewall for a period of 24 hours. You don’t want to block them permanently because it is likely they are just hijacked clients, and also, if they are coming from behind a NAT’d community (like a university), you will be blocking a larger number of users who had nothing to do with the attack.

If you follow these steps you should have a nice pro-active watch-dog on your firewall to mitigate the effects of any DDoS attack.
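The four steps above as a runnable watchdog, written as an added example (not APconnections’ NetGladiator/NetEqualizer code): a per-minute baseline with the 1.5 standard deviation trigger, a per-IP hit count over a few minutes, and 24-hour blocks that expire. The hit records, IP addresses and thresholds are constructed assumptions; on a real firewall the records would come from its connection log.

```python
"""Rate-based DDoS watchdog implementing the four-step recipe above.

Input: one record per un-initiated (inbound, unsolicited) hit, as
(unix_timestamp, source_ip).  All sample traffic below is constructed.
"""
from collections import Counter
from statistics import mean, pstdev

BASELINE_MINUTES = 10      # step 1: running baseline over the last N minutes
SIGMA_MULTIPLIER = 1.5     # step 2: alert above baseline + 1.5 standard deviations
PER_IP_LIMIT = 6           # step 3: more than "5 or 6 hits over a few minutes"
PER_IP_WINDOW = 180        # step 3: "a few minutes", in seconds
BLOCK_SECONDS = 24 * 3600  # step 4: temporary block, never permanent


def alert_threshold(history):
    """Steps 1-2: baseline of past per-minute counts -> mean + 1.5 * std dev.

    Caveat: a perfectly flat history has zero deviation, so any increase at
    all would trigger; add an absolute margin if your traffic is that steady.
    """
    return mean(history) + SIGMA_MULTIPLIER * pstdev(history)


def noisy_sources(hits, now, window=PER_IP_WINDOW, limit=PER_IP_LIMIT):
    """Step 3: source IPs with more than `limit` hits in the trailing window."""
    recent = Counter(ip for ts, ip in hits if now - window < ts <= now)
    return {ip for ip, n in recent.items() if n > limit}


class Watchdog:
    def __init__(self):
        self.history = []   # per-minute counts of un-initiated hits (the baseline)
        self.blocked = {}   # ip -> unix time at which the block expires

    def expire_blocks(self, now):
        """Step 4: blocks are temporary; drop the ones that have lapsed."""
        self.blocked = {ip: t for ip, t in self.blocked.items() if t > now}

    def is_blocked(self, ip):
        return ip in self.blocked

    def evaluate_minute(self, minute_count, recent_hits, now):
        """Steps 2-4 for the minute ending at `now`. Returns newly blocked IPs."""
        newly = set()
        if len(self.history) >= 3:  # need a little history before judging
            if minute_count > alert_threshold(self.history[-BASELINE_MINUTES:]):
                for ip in noisy_sources(recent_hits, now):
                    if ip not in self.blocked:
                        self.blocked[ip] = now + BLOCK_SECONDS
                        newly.add(ip)
        # Keep flagged minutes out of the baseline so an attack never becomes "normal".
        if not newly:
            self.history.append(minute_count)
        return newly


def run(hits):
    """Replay time-ordered hits minute by minute, as the firewall would see them.

    Hits from already-blocked sources are dropped before counting, as a
    firewall rule would do. Returns (watchdog, log of (minute, count, newly_blocked)).
    """
    hits = sorted(hits)
    wd, log = Watchdog(), []
    t0 = hits[0][0] - hits[0][0] % 60  # align to a wall-clock minute
    while t0 <= hits[-1][0]:
        now = t0 + 59
        wd.expire_blocks(now)
        visible = [h for h in hits
                   if now - PER_IP_WINDOW < h[0] <= now and not wd.is_blocked(h[1])]
        minute_count = sum(1 for ts, _ in visible if ts >= t0)
        newly = wd.evaluate_minute(minute_count, visible, now)
        log.append((t0, minute_count, newly))
        t0 += 60
    return wd, log


def build_sample():
    """Constructed traffic: ten quiet minutes (10-11 hits each from eight
    clients), then one minute in which three hijacked clients each fire 20
    hits. Addresses are RFC 5737 documentation ranges."""
    base = 1_700_000_040  # constructed epoch, minute-aligned
    humans = ["203.0.113.%d" % i for i in range(1, 9)]
    bots = ["198.51.100.%d" % i for i in (10, 20, 30)]
    hits = []
    for m in range(10):
        t0 = base + 60 * m
        for i, ip in enumerate(humans):
            hits.append((t0 + 5 * i, ip))
            if (m + i) % 3 == 0:  # some clients hit twice in a minute
                hits.append((t0 + 30 + 3 * i, ip))
    t0 = base + 600  # the attack minute
    hits += [(t0 + 5 * i, ip) for i, ip in enumerate(humans)]
    hits += [(t0 + 3 * k, ip) for ip in bots for k in range(20)]
    return hits, humans, bots


if __name__ == "__main__":
    sample, _, _ = build_sample()
    wd, log = run(sample)
    for minute, count, newly in log:
        print(minute, count, sorted(newly) or "-")
    print("blocked until:", wd.blocked)
```

The attack minute alone trips the baseline trigger, and only the three high-rate sources are blocked; the eight ordinary clients, which never exceed a few hits in any three-minute window, keep their access.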

For further consulting on DDoS or other security related issues feel free to contact us at admin@apconnections.net.

Related Articles:

Defend your Web Server against DDoS Attacks – techrecipes.com

How DDoS Attacks Work, and Why They’re Hard to Stop

How to Launch a 65 gbps DDoS Attack – and How to Stop It

NetEqualizer News: November 2014

November 2014


Enjoy another issue of NetEqualizer News! This month, we discuss features for our 2015 NetEqualizer Releases, announce a last call for trading in old NE2000’s and Lite units, introduce our NetEqualizer Holiday Giving Campaign, and share a technical tip on how to export data from NetEqualizer’s Dynamic Real-Time Reporting (RTR). As always, feel free to pass this along to others who might be interested in NetEqualizer News.

A message from Art…
Art Reisman, CTO – APconnections

The holiday season is almost underway in the United States. Before I get caught up in the whirlwind of activities that seems to happen at this time of year, I’d like to pause and give thanks for all the blessings in my life. As we end our 11th year, I continue to be thankful for all of our loyal customers.

THANK YOU for putting your faith and trust in APconnections, we truly appreciate your business!

APconnections also likes to give back to those in need. You can read all about our NetEqualizer Holiday Giving Campaign below.

2015 NetEqualizer Release Plans

We have started planning out our 2015 releases. We are aiming for two releases in 2015:

8.2 – Extended RTR

Our first release (8.2) will be in the late spring/early summer timeframe. We continue our commitment to robust real-time reporting (RTR) by adding reports to extend our capabilities. 8.2 – Extended RTR is currently planned to include Penalty Graphs, Bandwidth Use by IP Graphs, a Pools Dashboard, Data Export Menus, and an enhanced Active Connections Table.

8.x – Cloud Reporting

As announced in our October Newsletter, we plan to offer data storage in a cloud environment. Cloud Reporting will give you access to longer periods of data, to help with your troubleshooting, capacity planning, and trend analysis needs. Look for more information in the coming months as we start to architect our solution.

We listen to you, and have taken into account feedback provided by those of you that have upgraded to 8.1 in our release planning. As always, if you have feature requests or suggestions, please contact us!

Once 8.2 reaches GA, these features will be free to customers with valid NetEqualizer Software and Support who are running version 8.1. If you are not current with NSS, or have not upgraded to 8.1, contact us today!




Last Call! Trade in Your Older NE2000 or Lite Unit

As we have announced previously in this Newsletter, we are discontinuing support for older NE2000s (any NE2000 purchased prior to August 2011) and the Lite series as of 12/31/2014.

We are moving our NE2000 and Lite license levels onto the NE3000 platform, which can support running our 64-bit software, and is better positioned for the future (more memory, more processing power, etc.).

If you have not already traded in your older NE2000 or Lite unit, we recommend that you do so at this time. As part of our Lifetime Buyer’s Guarantee, we offer a generous trade-in credit of 50% of the original unit price toward a new unit. While you will still be able to trade-in older NE2000’s and Lite units in the future, this is our Last Call because time is running out on Support (NSS) for these units.

Not sure if your NE2000 is an older unit? Call or email us and we will look it up for you.




NetEqualizer Holiday Giving Campaign

Join APconnections in giving back to worthy causes during this holiday season. For every new NetEqualizer that our customers purchase between now and 12/31/2014, APconnections will donate $25 to one of our selected charities.

It is that simple! Just buy the NetEqualizer that you were planning to get anyway in 2015, and you get to help us to do good for others, through the great work of these deserving charities!

To keep this simple, we have selected several charities, and will split the donation amongst them. Our charities for the NetEqualizer Holiday Giving Campaign are:

1) Toys for Tots: The mission for Toys for Tots is to collect new, unwrapped toys during October, November and December each year, and distribute those toys as Christmas gifts to less fortunate children in the community in which the campaign is conducted.


2) The Hunger Project: The Hunger Project is a global, non-profit, strategic organization committed to the sustainable end of world hunger.


3) Doctors Without Borders: Doctors Without Borders works in nearly 70 countries providing medical aid to those most in need regardless of their race, religion, or political affiliation.


Technical Tip: How to Export Your Data

Did you know there is a hidden feature in Release 8.1? Even though the menu option is not visible, it is possible to export the data in your reporting databases to csv files. You can export data for the previous 24 hours or data for the previous 4 weeks. What you do with it is up to you! Import it into Excel for easy graphing, save it locally for longer-term reporting, export data for a specific time period to analyze bandwidth-related issues, and more!

Please note that the data is returned with Unix timestamps and is in bytes/second. Data for the 24 hour database is sampled every minute and data for the 4 week database is sampled every hour. To export your data, simply change the parameter “page” in the url to “export-data”. So, your URL would be something like:


If you need assistance with data export and are current on NSS, contact us at:




Please note that General Penalty Data is not available or exportable at this time.

Best Of The Blog

More Lies and Deceit From Your ISP

By Art Reisman – CTO – APconnections

Back in 2007, I wrote an article for PC Magazine about all the shenanigans that ISPs use to throttle bandwidth. The article set a record for online comments for one day, and the editor was happy. I recall, at that time, I felt like a lone wolf trying to point out these practices. Finally, some redemption: this morning the FTC is flexing its muscle and is now taking on AT&T for false claims with respect to unlimited data…

Photo Of The Month
Interactive Robotic Santa
One of our staff members recently stumbled upon an Internet-controllable robotic Santa in his neighborhood. The Santa is viewable via web cam and can speak text entered into the website. It can also play music and dance. Santa was relatively quiet until recently when the URL went viral and Santa was speaking non-stop! Email us for a link to check out the Santacam – but beware that Santa has a gift for gab and no content filter.

More lies and deceit from your ISP

Note: We believe bandwidth shaping is a necessary and very valuable tool for both ISPs and the public. We also support open, honest discussion about the need for this technology and encourage our customers to be open and honest with their customers. We do not like deception in the industry at any level and will continue to expose and write about it when we see it.

Back in 2007, I wrote an article for PC magazine about all the shenanigans that ISPs use to throttle bandwidth. The article set a record for on-line comments for the day, and the editor was happy. At that time, I recall feeling like a lone wolf trying to point out these practices. Finally some redemption came this morning. The FTC is flexing its muscles; they are now taking on AT&T for false claims with respect to unlimited data.

Federal officials on Tuesday sued AT&T, the nation’s second-largest cellular carrier, for allegedly deceiving millions of customers by selling them supposedly “unlimited” data plans that the company later “throttled” by slowing Internet speeds when customers surfed the Web too much.

It seems that you can have an unlimited data plan with AT&T, but if you try to use it all the time, they slow down your speed to the point where the amount of data you get approaches zero. You get unlimited data, as long as you don’t use it – huh?  Does that make sense?

Recently, I have been doing some experiments with Comcast and my live dropcam home video feed. It seems that if I try to watch this video feed on my business class Comcast (it comes down from the dropcam cloud), the video will time out within about a minute or so. However, other people watching my feed do not have this problem. So, I am starting to suspect that Comcast is using some form of application shaper to cut off my feed (or slow it down to the point where it does not work). My evidence is only anecdotal. I am supposed to have unlimited 4 megabits up and 16 megabits down with my new business class service, but I am starting to think there may be some serious caveats hidden in this promise.

NetEqualizer News: October 2014

October 2014


Enjoy another issue of NetEqualizer News! This month, we discuss more details of our upcoming Cloud Reporting offering, highlight two ways to learn more about the NetEqualizer, and preview our new NetEqualizer 8.1 Product Demo Guide. As always, feel free to pass this along to others who might be interested in NetEqualizer News.

A message from Art…
Art Reisman, CTO – APconnections

October in Colorado has been mild to date. This year, I received an early “Halloween treat” – my garden pumpkin plants are still producing baby pumpkins! Normally by this time everything has been killed off by frost – but not this year.

We have a Halloween treat for you as well this month. Due to popular demand and very positive feedback, we are continuing to offer our “Tech Refresh” sessions. For those of you looking for a more extensive training, we are also offering On-Site One Day Training Sessions – see below for details on each of these offerings.

We love it when we hear back from you – so let us know what you think of the new RTR! Email me directly at art@apconnections.net. I would love to hear from you!

Here Comes The Cloud!

Have you had a chance to play with our Release 8.1 reporting features yet? There are some nice traffic graphs and other tools to help you find out what has been happening on your network. If you have not already upgraded to 8.1, contact our Support Team at support@apconnections.net to get current today!


We are now planning for our 8.2 Release. As always, if you have RTR feedback or other feature requests for 8.2, please email your thoughts to sales@apconnections.net.

Our 8.2 development focus will be centered on long-term data resolution. Data resolution, or the granularity for which you can drill down on historical data in reporting, is based on three factors:

1. Sample rate
2. Length of time you store data
3. Amount of storage available

As you can imagine, the three factors above are interrelated. In order to increase our storage out to a year or more, there are two options. One would be to install larger disk drives on systems. The second option would be to take advantage of the cloud, where storage is essentially infinite and access to the data is fast.

We are choosing the latter option, for the same reasons the rest of the world is moving away from local data storage. We are planning on having NetEqualizer Cloud Reporting (NCR) ready to go by the summer of 2015, with beta trials this spring.

It will be easy to set up with a few clicks, and will be a cost-effective option for keeping NetEqualizer data long-term. Please note that you must be on Release 8.1+ to take advantage of our NetEqualizer Cloud Reporting (NCR).

If you have questions on the above, please don’t hesitate to contact us:




NetEqualizer 8.1 Product Demo Guide

Our Product Demonstration Guide has been updated to highlight the new reporting capabilities available in 8.1.

Click here to get the updated guide, which you can use to review key features and functions of the NetEqualizer.

The Product Demo Guide is a great self-guided introduction to the NetEqualizer. If you have new staff members that could benefit from a quick tutorial, I highly recommend giving them this updated guide!

The Product Demo Guide is also available as part of our Online Demo Site. Register here to go to the NetEqualizer demonstration site and use the updated guide for a self-guided tour.

Schedule a Tech Refresh Call

We mentioned this offer in last month’s newsletter as well, but due to popular demand, we are highlighting this again for those of you who missed it last month!

We want to make sure that you are getting the most out of your NetEqualizer, as we are sure you do too! For customers that have been using the NetEqualizer for a while, staffing changes over the years and our new software releases can erode your collective NetEqualizer know-how. We would like to help you quickly get up-to-speed on all the features & functions of the NetEqualizer that are new to you, or that you might have forgotten.

For customers current on NetEqualizer Software and Support (NSS), we would be happy to schedule up to a 1 hour NetEqualizer “Tech Refresh” call with you and your team. We will set up a webex session to screen-share with you, and walk through the NetEqualizer technology.

Call or email us to schedule your Tech Refresh today:




Want More? On-Site Technical Training

While a Tech Refresh call is a great way to get current on all things NetEqualizer, some of you have expressed an interest in even more!

So, we are now offering a limited number of On-Site One Day Technical Training Sessions in the U.S. and Canada, subject to availability.

Our one day training is great if you would like an engineer to train your team at your location, working directly on your NetEqualizer(s). We can highlight key configuration options, assess your set-up, and help you to review your environment in detail.

Pricing is $3500 USD for one day, plus travel expenses.

Call or email to check availability for On-Site Technical Training today:




Best Of The Blog

QoS Over The Internet – Five Must-Know Facts

By Art Reisman – CTO – APconnections

Twelve years ago we crossed a chasm with our NetEqualizer technology. We found a new and completely novel way to provide QoS without controlling both ends of the connection. In other words we are still the only solution that I know of that can sit in your enterprise and ensure that an incoming VoIP call over your public facing Internet connection does not get drowned out from an incoming download.

There is no doubt that we do it well because every month I talk to a customer that thanks us for helping solve this problem. If you do get into a water cooler discussion with other IT people on this subject, please send them this link from a blog post where I explain this technology and how it is different, you will be doing them a favor.

Photo Of The Month
Great Horned Owl
The great horned owl is one of the most beautiful birds in the Americas. This particular owl spends his time in Lafayette, CO in a staff member’s backyard. Due to its natural-colored plumage, it can successfully adapt to most environments.

15 Years to Cross the Technology Chasm ?

Final Jeopardy Answer

Fat Pipe/Thin Client, E-mail, VoIP, Equalizing

And the Question is…

What are some recent technologies that took a minimum of 15 years to cross the chasm from initial viability to widespread commercial acceptance?

Being old allows me to recall, with some historical perspective, the timeframe it takes for a technology to make it from production prototype into the mainstream. It is usually much longer than I have patience for. Today, when I see a technology emerging that is obviously superior to what the world is using, I always expect the adoption to take a few weeks, when in reality 50 years is close to the historical norm, and 15 years is light-speed for a product to go from concept to societal norm.

For example, Refrigeration and Commercial Air Travel took 50+ years to cross the chasm. And I am not talking about from the crude idea stage to reality, but rather from the time frame of a working prototype to wide-spread acceptance. It was about fifty years from that first stable airplane to the regular commercial air travel of the late 1950’s. I should be happy that many of the world’s technologies are maturing in 15 years, right?

From my historical observations, and a bit of lazy-man Wikipedia (http://www.wikipedia.org/) research, here are some recently completed 15 year chasm crossings.

  • Before Cloud Computing we had, Fat Pipe/Thin Clients.

    This was all the rage of a keynote speech by an Apple exec back in 1999 at a wireless conference in San Jose. I remember the speech well, as the exec spent the first 15 minutes making fun of Microsoft and their crotchety, cumbersome desktop market. Now, 15 years later, we can officially say that cloud computing has overtaken the bloated desktop computer, and small thin devices are the norm to connect with.

  • E-mail has always been around?

    Well, it did not take off until the late 90’s, more than 15 years after its wide use in the educational system. Yes, some early adopters had AOL dial-up accounts with e-mail, but even as late as 1995, voice mail was the dominant player for receiving non real-time messages. I remember this because I worked for a company that was in the voice messaging business (their logo looks like the Star Wars Death Star), and we were basically ignoring the e-mail market and rolling out a major voice mail product release with huge expectations as late as 1995. Yes, we were pushing other forms of communications – Lotus Notes was a big player then also – but E-mail hit that acceptance curve somewhere in the late 90’s to early 2000’s.

  • VoIP PBX

    Also at that same company, in the early 90’s we thought VoIP was the greatest thing since sliced bread. And we were making quality PBX’s that supported VoIP in the early 90’s.  In this case there was plenty of natural resistance to acceptance.

  1. The economic cash cow of embedded PBX’s pushed VoIP systems life-span out a few years.
  2. There was also just fear of using a new technology for something as important as an enterprise phone system. I would estimate that VoIP PBX’s started to outnumber the legacy installed base around 2005 or perhaps later.
  • NetEqualizer

    Equalizing technology for reining in bandwidth abuse has always been superior to Layer 7 shaping, which incidentally rose up from 1995 to 2000 in just 5 years. Equalizing has taken 15 years and is still on a linear acceptance curve. There are several reasons for this:

1) The Equalizing concept crossed a chasm from traditional thinking of intuitive, hands-on control and moved to a heuristic approach which is not always obvious to the non-technical decision maker.

2) The graph below depicts how transit bandwidth prices have dropped exponentially in the past 15 years. This has squeezed out the more expensive devices in the market, and slowed the need a bit at the NetEqualizer price point.

[Graph: Year / Internet Transit Prices (per Mbps, min commit) / % Decline. The year and price columns did not survive extraction; only the year-over-year % decline column remains, in order: first year (no decline), then 33%, 16%, 40%, 50%, 40%, 25%, 17%, 33%, 50%, 52%, 25%, 44%, 35%, 28%, 33%, 40%, 33%.]
Source: DrPeering.net

3)  NetEqualizer has stayed with a direct sales channel for the most part. The land-grab mentality of investing in a worldwide sales channel and going fast looks impressive but, with dropping bandwidth prices in some markets, is not a sustainable model due to the channel costs.

So what will come to maturity 15 years from now?

In my opinion the following technologies will have crossed the chasm in 2029:

1) Automobiles with standard braking sensors to avoid collisions will be the norm in 15 years.

2) Drones everywhere for anything traveling quickly that is not a human.  But I think the widespread commercial use will be 20+ years out.

3) House automation. You won’t be flipping switches to turn anything on or off in 15 years in a new house.

What are your predictions for 15 years out?

NetEqualizer News: May 2014

May 2014


Enjoy another issue of NetEqualizer News! This month, we preview our new NetEqualizer Cloud Reporting feature, show off our new Internet Providers Guide, and highlight one of our international resellers – Reinaldo Neilla. As always, feel free to pass this along to others who might be interested in NetEqualizer News.

A message from Art…
Art Reisman, CTO – APconnections

I must admit that my head has been in the clouds a lot lately, as I like to bird watch, and the spring migrations are in full swing here in Colorado. I saw two “life birds” this spring (a life bird is the first time you see a bird in the wild) – the Common Yellowthroat Warbler (not common in my part of Colorado!) and a Lesser Goldfinch (only a tiny slice of its range is in Boulder).

I guess staring at all those clouds gave me an idea, which I share with you this month in more detail below. In a nutshell, we can use the cloud to help store longer periods of data for reporting. Read more about our upcoming NetEqualizer Cloud Reporting offering below.

We love it when we hear back from you – so if you have a story you would like to share with us of how we have helped you, let us know. Email me directly at art@netequalizer.com. I would love to hear from you!

NetEqualizer Cloud Reporting

Coming this July, we will offer the ability to store up to one year of reporting data from our Dynamic Real-Time Reports on a cloud server. The benefits will be numerous, as it will be complete turn-key access to historical usage at the touch of a button.

For example, if you want to know what your usage data looked like for the same month last year, you can pull it up instantly.


To get started, the requirements will be fairly simple:

1) Your NetEqualizer must have access to the Internet (our cloud server).
2) You must sign up for an account with us. There will be a yearly charge for this service:
– $1,000 for small installations (<= 300 users)
– $2,000 for medium installations (> 300 users, <= 1000 users)
– $3,000 for large installations (> 1000 users)

Retrieval will be as easy as providing a date range, and IP or subnet. In version 1.0, all usage will be IP based.

We will also include reports for system protocol usage (Netflix, YouTube, etc.) depending on demand for this information in coming releases.

If you have any questions, please feel free to contact us at:




NetEqualizer Summary Guide for Internet Providers

This month we have updated our Internet Providers Guide. If you are a telecommunications, satellite systems, cable, or wireless/wired Internet Services Provider (ISP), and are considering a NetEqualizer, you may want to review our updated Internet Providers Guide.

This summary guide (2-3 pages) is focused on issues specific to Internet Providers, and explains how the NetEqualizer is used by our customers to address these common issues. This is a quick way to learn about how the NetEqualizer might apply to your environment.

If you are a current customer, these guides are a great read to optimize your NetEqualizer configuration. Take a look to see if there are features that you might not be using and want to take advantage of in your NetEqualizer installation. We would be happy to help you with your configuration.

If you are current on NetEqualizer Software and Support (NSS), contact:




to get help optimizing your NetEqualizer.

Spotlight: Our South American Reseller, Reinaldo Neilla

As many of our customers know, we sell directly to businesses in most geographies, particularly the U.S. and Canada. However, in some areas of the world, we work with reseller organizations. Many of these international resellers started as our customers, loved our product, and asked to get involved in building out the marketplace in their country.

We find that our international resellers are great at navigating customs requirements, communicating in local languages, and sharing their technical knowledge of the NetEqualizer.

This month we profile one of them, Telefonia Publica y Privada S.A. (TPP S.A.). TPP is an Argentinian WISP with over 30,000 broadband users in different cities in the interior of Argentina (growing at a rate of 450 per month). Reinaldo Neilla of TPP has been using a NetEqualizer for his business since July 2008.

According to Reinaldo, “the NetEqualizer helps us (TPP) to automatically and economically provide flow control for our customers. We converted from an Allot NetEnforcer and have never looked back.”

TPP represents NetEqualizer to customers in South America. If you are in South America, and would like to talk to or email Reinaldo, you can find his contact information on our web page, here:

NetEqualizer TPP Profile

Home Networking Tip

We often have networking tutorials in our blog – but not all of them are for enterprise networks. Recently, our Co-Founder, Steve Wagor, wrote a how-to on improving wireless dead spots in your home and setting up wireless home music. Check it out!

Best Of The Blog

Why Does Fear Sell over Value for IT?

By Art Reisman – CTO – APconnections

When Willie Sutton was asked, why do you rob Banks? He replied, “Because that is where the money is.”

Why do companies sell fear? Ask Willie Sutton. :)

From Y2K and ozone holes, to IP4 address space, sales channels love a good crisis to drive a sale. The funny thing is, from my experience, the process of adjusting a product line to accommodate customer fear is evolutionary, akin to natural selection, and not a preplanned conspiracy. Demand seems to be created from some external uncontrolled upwelling, and not from a hard sell within the vendor ranks…

Photo Of The Month


Common Yellowthroat Warbler
Common Yellowthroats are small songbirds that have olive backs, wings and tails, yellow throats and chests, and white bellies. Adult males have black face masks which stretch from the sides of the neck across the eyes and forehead, which are bordered above with white or gray. Females are similar in appearance, but have paler underparts and lack the black mask. These birds are on the move this time of year through Colorado.

NetEqualizer News: November 2013

November 2013


Enjoy another issue of NetEqualizer News! This month, we discuss takeaways from our recent Technical Seminar, update you on our 7.4 RTR Beta progress, and highlight recent enhancements to our NetEqualizer Caching Option. As always, feel free to pass this along to others who might be interested in NetEqualizer News.

A message from Art…
Art Reisman, CTO – APconnections

As we move into the end of 2013, we start once again to sum up the year and think about all we are thankful for. We would like to take this opportunity to THANK YOU all for being a part of our success! We truly enjoy working with each and every one of you, and appreciate your business!

As most of you know, 2013 was a big year for us – our 10th Anniversary. Looking back, it has gone so fast! Looking forward, we see a bright future with even more opportunity on a global scale. Speaking of global, we had a staff member this month travel to Malaysia to conduct two 1-day training sessions – a national university there, IIUM, has many campuses throughout Malaysia where they employ NetEqualizers. If you are interested in learning more about our training offerings, contact us anytime!

We love it when we hear back from you – so if you have a story you would like to share with us of how we have helped you, let us know. Email me directly at art@apconnections.net. I would love to hear from you!

2013 Fall Technical Seminar Update

We recently held a half day seminar at Western Michigan University in Kalamazoo, Michigan. We would like to thank our host, Fawn Callen, for helping us get this event together, and for offering such a great space for the seminar!

This was a great opportunity for folks to meet with Art in person, pick his brain on all things related to equalizing and caching, and also to share ideas with us on future features.

Here are some of the features that we walked away thinking about:

1) Historical penalty tracking over time – this would be graphical and would help you see an historical trend on how tight your bandwidth is.

2) Enhance the masking feature to allow for more subnets so that organizations can take advantage of ISP-offered bandwidth allotments for traffic such as video.

3) Heuristic-based identification of users based on usage patterns – track individuals not based on IP, necessarily, but based on how they use the Internet, what sites they visit, etc.

Let us know if these are important to you!
Contact us at:


Update on 7.4 RTR Beta

We have a great group of customers trying out our 7.4 RTR Beta Software Release – and the results have been very positive!

We are working on making the data logging and graphing more efficient for large networks as well as some other small changes that will help make RTR and NetEqualizer in general even better and more useful!


We’ll be thoroughly testing our enhancements the rest of November and December and all of those will be incorporated into our official 7.5 Software Release on January 1st.

This Release will be free to customers with valid NetEqualizer Software and Support who are running 7.0+. If you are not current with NSS, contact us today!


NetEqualizer Caching Enhancements

As we have discussed in previous issues of NetEqualizer News, we’ve been working hard with the folks at Squid to create a more robust custom caching solution for NetEqualizer.

Our enhancements include:

1) An updated caching solution that includes fixes and the latest features from Squid. This is beyond what open source has, and has been greatly improved with help from our Squid development consultant.

2) We are in the process of debating whether or not to include Netflix in future implementations of our caching. In relation to the NetEqualizer, the cost for doing this could be a bit high. However, there is good news. Providers are starting to offer Netflix traffic at a greatly reduced rate to their clients. We’ve already built in features that will help these clients take advantage of this offering. You can read more about caching in the cloud and Netflix traffic in the Best Of The Blog section of this newsletter.

For more information on the NetEqualizer Caching Option, read our white paper!

Best Of The Blog

Caching in the Cloud is Here

By Art Reisman – CTO – APconnections

I just got a note from a customer, a University, that their ISP is offering them 200 megabit internet at a fixed price. The kicker is, they can also have access to a 1 gigabit feed specifically for YouTube at no extra cost. The only explanation for this is that their upstream ISP has an extensive in-network YouTube cache. I am just kicking myself for not seeing this coming!

I was well aware that many of the larger ISPs cached Netflix and YouTube on a large scale, but this is the first I have heard of a bandwidth provider offering a special reduced rate for YouTube to a customer downstream. I am just mad at myself for not predicting this type of offer and hearing about it from a third party.

As for the NetEqualizer, we have already made adjustments in our licensing for this differential traffic to come through at no extra charge beyond your regular license level, in this case 200 megabits. So if for example, you have a 350 megabit license, but have access to a 1Gbps YouTube feed, you will pay for a 350 megabit license, not 1Gbps. We will not charge you for the overage while accessing YouTube…

Photo Of The Month
Petronas Towers – Kuala Lumpur, Malaysia
As we mentioned in the Newsletter opener, a staff member of ours recently journeyed to Malaysia to conduct training sessions for NetEqualizer in two locations – Kuala Lumpur and Kuantan. The experience was a memorable one – Malaysia is a beautiful country with fantastic food, culture, and people. The 1,483 foot Petronas Towers are a testament to their success.

Using OpenDNS on Your Wireless Network to Prevent DMCA infringements

Editor’s Note:  The following was written by guest columnist, Sam Beskur, CTO of Global Gossip.  APconnections and Global Gossip have partnered to offer a  joint hotel service solution, HMSIO.  Read our HMSIO service offering datasheet to learn more.

Traffic Filtering with OpenDNS

AUP (Acceptable Use Policy) violations, which include DMCA infringement notices for illegal downloads (P2P, Usenet or otherwise), have been hugely troublesome in many locations where we provide public access WiFi.  Nearly all major carriers here in the US now have some form of notification system to alert customers when a violation occurs, and the ones that don't send notifications are silently tracking this behavior.

As a managed service provider it is incredibly frustrating to receive these violation notifications, as they never contain the information one needs to stop the abuse, only the WAN IP of the offending location.  The end user who committed the infraction is usually behind a NATed private address (192.168.x.x, or 172.16.x.x through 172.31.x.x), and for reasons still unknown to me they never provide information on the site hosting the illegal material, botnet, adware etc.

When a customer on whose behalf you provide managed services receives one of these notifications, it can jeopardize your account.

Expensive layer 7 DPI appliances will do the job of filtering P2P traffic, but customers are often reluctant to invest in these devices for a number of reasons: yet another appliance to power, configure, maintain, support and back up, another point of failure, no more rack space, etc., etc. ad nauseam.

Below we outline a cloud-based approach, built on OpenDNS and NetEqualizer, that has very nearly eliminated AUP violations across the networks we manage.

Anyone can use the public OpenDNS servers at the following addresses:

If, however, you wish to use the advanced filtering capabilities, you will need to create a paid OpenDNS account and register the static WAN IP of the location you are trying to filter.  Prices vary.

  1. Adjust your content filter / traffic shaper (NetEqualizer) to limit or block the number of P2P connections per user.

  2. Configure your router / gateway device / DHCP server to hand out the OpenDNS servers as the primary and secondary DNS servers.

  3. Once you have an OpenDNS account, add your location for filtering and configure DNS blocking of P2P and malware sites.

  4. To prevent more technically savvy end users from specifying their own DNS server, it is a VERY good idea to configure your gateway to block all traffic on port 53 to every endpoint except the OpenDNS servers.  DNS uses port 53 over both UDP and TCP (large responses fall back to TCP), so block both; configuring this in iptables (maybe even another feature for NetEqualizer) or in Cisco IOS is fairly trivial.  Note that this only catches classic DNS: a client resolving over DNS-over-TLS (TCP 853) bypasses the filter, so reject 853 as well, and DNS-over-HTTPS on TCP 443 cannot be blocked wholesale without breaking the web.  If your router doesn't allow this, hack it or get another one.
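Steps 2 and 4 above as an added gateway ruleset (example code written for this edit, not from the column, NetEqualizer or OpenDNS). It assumes a Linux gateway running iptables with LAN clients arriving on interface eth1 (LAN_IF), and uses OpenDNS's publicly documented resolver addresses 208.67.222.222 and 208.67.220.220 (ALLOWED_DNS), which you should confirm against OpenDNS's current documentation; the function names dns_rules, dns_redirect_rules and dns_verdict are this example's own.

```shell
#!/bin/sh
# Added example (not from the column): force LAN clients to the filtering
# resolvers and sanity-check the policy before applying it on the gateway.
#
# Assumptions (override via environment): Linux gateway with iptables,
# LAN clients arrive on LAN_IF, ALLOWED_DNS lists OpenDNS's published
# resolvers (verify against OpenDNS's current documentation).
ALLOWED_DNS="${ALLOWED_DNS:-208.67.222.222 208.67.220.220}"
LAN_IF="${LAN_IF:-eth1}"

# Emit the filter rules for the FORWARD chain (the gateway forwards LAN
# traffic, so INPUT/OUTPUT rules would never see it). Both UDP and TCP 53
# are covered; DNS-over-TLS on TCP 853 is rejected so it cannot bypass the
# filter. REJECT (rather than DROP) makes a misconfigured client fail fast.
dns_rules() {
  for ip in $ALLOWED_DNS; do
    for proto in udp tcp; do
      echo "iptables -A FORWARD -i $LAN_IF -p $proto -d $ip --dport 53 -j ACCEPT"
    done
  done
  for proto in udp tcp; do
    # Log bypass attempts before rejecting: the logged source IP tells you
    # which NATed client is hard-coding its own resolver.
    echo "iptables -A FORWARD -i $LAN_IF -p $proto --dport 53 -j LOG --log-prefix 'DNS-BYPASS: '"
    echo "iptables -A FORWARD -i $LAN_IF -p $proto --dport 53 -j REJECT"
  done
  echo "iptables -A FORWARD -i $LAN_IF -p tcp --dport 853 -j REJECT"
}

# Alternative for step 2 when you cannot control every client's DHCP or
# static settings: transparently redirect all port-53 traffic to the first
# allowed resolver in the nat table, so a hard-coded 8.8.8.8 is still filtered.
dns_redirect_rules() {
  first=$(echo $ALLOWED_DNS | cut -d' ' -f1)
  for proto in udp tcp; do
    echo "iptables -t nat -A PREROUTING -i $LAN_IF -p $proto --dport 53 -j DNAT --to-destination $first"
  done
}

# The same policy evaluated in shell: dns_verdict PROTO DST_IP DST_PORT
# prints ACCEPT, REJECT or PASS (PASS = no DNS rule matches, traffic falls
# through to the rest of the firewall). Use it to check intent before
# running the generated rules as root.
dns_verdict() {
  proto=$1; dst=$2; port=$3
  case "$port" in
    53)
      for ip in $ALLOWED_DNS; do
        if [ "$dst" = "$ip" ]; then echo ACCEPT; return 0; fi
      done
      echo REJECT ;;
    853)
      if [ "$proto" = tcp ]; then echo REJECT; else echo PASS; fi ;;
    *)
      echo PASS ;;
  esac
}

# Dry run by default; `APPLY=1 sh thisfile.sh` as root installs the rules.
if [ "${APPLY:-0}" = 1 ]; then
  dns_rules | sh
else
  dns_rules
fi
```

Run it once without APPLY to review the generated rules, then with APPLY=1 on the gateway; the DNAT variant is optional and should be installed alongside the filter rules, not instead of them, because the nat PREROUTING rule only catches port 53 and does nothing for 853.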


Depending on your setup there are a number of other techniques that can be added to this approach to further augment your ability to track NATed end user traffic, but as I mentioned, these steps alone have very nearly eliminated our AUP violation notifications.
