
Fault Tolerant Network

Definition of fault tolerance

Fault tolerance is the ability of a system to continue performing its intended function in spite of faults. In a broad sense, fault tolerance is associated with reliability, with successful operation, and with the absence of breakdowns. A fault-tolerant system should be able to handle faults in individual hardware or software components, power failures or other kinds of unexpected disasters and still meet its specification.

Why do we need fault-tolerance?

  • It is practically impossible to build a perfect system:
    • suppose a component has a reliability of 99.99%
    • a system consisting of 100 non-redundant components will have a reliability of 99.01%
    • a system consisting of 10,000 non-redundant components will have a reliability of 36.79%
  • It is hard to foresee all the factors
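As an added worked example (not part of the original page), the following Python computes the reliability figures quoted above and shows how replication changes them. It assumes that components fail independently over the mission period and that every component has the same reliability r, the 99.99% figure being the page's own number:

```python
# Added example: reliability of non-redundant versus redundant structures.
# Assumptions: independent failures, identical per-component reliability r.


def series_reliability(r: float, n: int) -> float:
    """n non-redundant components in series: every one of them must survive."""
    return r ** n


def parallel_reliability(r: float, k: int) -> float:
    """k replicas of one component where any single survivor keeps the function alive."""
    return 1.0 - (1.0 - r) ** k


def tmr_reliability(r: float) -> float:
    """Triple modular redundancy with a perfect majority voter: at least 2 of 3 survive."""
    return 3 * r ** 2 - 2 * r ** 3


def series_with_replicas(r: float, n: int, k: int) -> float:
    """n stages in series, each stage built from k parallel replicas."""
    return parallel_reliability(r, k) ** n


if __name__ == "__main__":
    r = 0.9999
    for n in (1, 100, 10_000):
        print(f"{n:>6} non-redundant components: {series_reliability(r, n):.4%}")
    # Duplicating every one of the 10,000 components brings the system back near r.
    print(f"10,000 duplicated stages:        {series_with_replicas(r, 10_000, 2):.4%}")
    print(f"TMR of one component:            {tmr_reliability(r):.6%}")
```

The last two lines of the demo are the point of the redundancy section that follows: replication costs hardware, but it turns the exponential decay of series reliability into something that stays close to the single-component figure.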

A system is said to fail if it ceases to perform its intended function. "System" is used in this book in the generic sense of a group of independent but interrelated elements comprising a unified whole; the techniques presented are therefore also applicable to a variety of products, devices and subsystems. Failure can be a total cessation of function, or the performance of some function with subnormal quality or quantity, such as deterioration or instability of operation. The aim of fault-tolerant design is to minimize the probability of failures, whether those failures merely annoy the customers or result in lost fortunes, human injury or environmental disaster.

Fault tolerance and redundancy

  • Redundancy is the provision of functional capabilities that would be unnecessary in a fault-free environment, for example:
    • a replicated hardware component
    • a parity check bit attached to digital data
    • a line of program code verifying the correctness of a result

Applications of fault-tolerance

  • Safety-critical applications: critical to human safety
    • aircraft flight control
    • environmental disaster must be avoided: chemical plants, nuclear plants
    • requirements: 99.99999% probability to be operational at the end of a 3-hour period
  • Mission-critical applications: it is important to complete the mission; repair is impossible or prohibitively expensive
    • Pioneer 10 was launched 2 March 1970 and passed Pluto 13 June 1983
    • requirements: 95% probability to be operational at the end of the mission (e.g. 10 years); may be degraded or reconfigured before that (operator interaction possible)
  • Business-critical applications: users want a high probability of receiving service when it is requested
    • transaction processing (banking, stock exchange or other time-shared systems)
    • ATM: < 10 hours/year unavailable
    • airline reservation: < 1 min/day unavailable
  • Maintenance postponement applications: avoid unscheduled maintenance; the system should continue to function until the next planned repair (economic benefits)
    • examples: remotely controlled systems, telephone switching systems (in remote areas)


The main goal of fault tolerance is to increase the dependability of a system.

Dependability is the ability of a system to deliver its intended level of service to its users.

Dependability tree






Distributed Publish/Subscribe Network

Motivations for Pub/Sub model

  • Traditional client/server communication model (employs RPC, message queues, shared memory, etc.)
    • Synchronous, tightly-coupled request invocations.
    • Very restrictive for distributed applications, especially for WAN and mobile environments.
    • When nodes or links fail, the system is affected; fault tolerance must be built in to support this.
  • A more flexible and decoupled communication style is required, one that offers anonymous and asynchronous mechanisms.

What is a Publish/Subscribe System?

  • Distributed Pub/Sub System is a communication paradigm that allows freedom in the distributed system by the decoupling of communication entities in terms of time, space and synchronization.
  • An event service system that is asynchronous, anonymous and loosely-coupled.
  • Ability to quickly adapt in a dynamic environment.

Key components of Pub/Sub System

  • Publishers: publishers generate event data and publish them.
  • Subscribers: subscribers submit their subscriptions and process the events they receive.
  • P/S service: the mediator/broker that filters and routes events from publishers to interested subscribers.

Publish/Subscribe System



Decoupling in time, space and synchronization



Classification of Pub/Sub Architectures

  • Centralized broker model
    • Consists of multiple publishers, multiple subscribers and a centralized broker or brokers (an overlay network of brokers interacting with each other).
    • Subscribers and publishers contact one broker and do not need to have knowledge about the others.
    • E.g. CORBA event services, JMS, JEDI, etc.
  • Peer-to-peer model
    • Each node can be a publisher, subscriber or broker.
    • Subscribers subscribe to publishers directly and publishers notify subscribers directly; therefore they must maintain knowledge of each other.
    • Complex in nature: mechanisms such as DHTs (e.g. Chord) are employed to locate nodes in the network.
    • E.g. Java distributed event service

Key functions implemented by P/S middleware service

  • Event filtering (event selection)
    • The process which selects the set of subscribers that have shown interest in a given event. Subscriptions are stored in memory and searched when a publisher publishes a new event.
  • Event routing (event delivery)
    • The process of routing the published events from the publisher to all interested subscribers.

Event Filtering (Subscription Model) Topic based VS Content based

  • Topic based
    • Also known as topic-based, group-based or channel-based event filtering.
    • Each event is published to one of these channels by its publisher.
    • Subscribers subscribe to a particular channel and receive ALL events published to the subscribed channel.

Topic-based subscription


  • Simple process for matching an event to subscriptions; however, limited expressiveness.
  • Event filtering is easy, but event routing is difficult (heavy load on the network). The challenge is to multicast events efficiently to subscribers.

Event Filtering- Subscription Model Topic based VS Content based

  • Content based
    • More flexibility and power for subscribers, by allowing arbitrary/customized queries over the contents of the event.
    • Events are published as key/value attribute pairs, and subscriptions specify filters using an explicit subscription language.
    • E.g. notify me of all stock quotes of IBM from the New York Stock Exchange if the price is greater than 150.

Content-based Subscription


  • Added complexity in matching an event to subscriptions (implementation: subscriptions are arranged in a matching tree, where each node is a partial condition).
  • However, more precision is provided and event routing is easier.

Event Routing

  • After filtering the events, the broker/brokers must route the events to the corresponding subscribers.
  • Can be done in the following ways:
    • Unicast
    • Multicast
    • Server push / client pull
  • The broker makes the decision on how to route the message to the subscriber.
  • Several optimization schemes are available:
    • Profile forwarding scheme: brokers only forward the event to those neighbour brokers whose subscriptions it fulfils.
    • Filtering on the total covering of the subscriptions in the system: accept a publisher's event only if some subscriber has subscribed to this event.
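To make the content-based filtering and the two routing optimisations concrete, here is an added Python sketch; it is not from the original presentation nor from any real pub/sub product. Each broker matches events against its local subscriptions, forwards only towards neighbour brokers whose announced subscriptions match (profile forwarding), and drops at the access point any event that no subscriber in the system wants (the covering check). It assumes an acyclic broker overlay, a subscription language that is a conjunction of attribute constraints over a small fixed operator set, and it keeps every announced filter rather than a minimal covering set, which a real system would compute:

```python
import operator
from dataclasses import dataclass

# Operators of the (assumed) subscription language.
OPS = {"=": operator.eq, "!=": operator.ne, ">": operator.gt,
       ">=": operator.ge, "<": operator.lt, "<=": operator.le}


@dataclass(frozen=True)
class Constraint:
    """One attribute test, e.g. ('price', '>', 150)."""
    attr: str
    op: str
    value: object

    def matches(self, event: dict) -> bool:
        return self.attr in event and OPS[self.op](event[self.attr], self.value)


@dataclass(frozen=True)
class Filter:
    """A subscription: the conjunction of its constraints."""
    constraints: tuple

    def matches(self, event: dict) -> bool:
        return all(c.matches(event) for c in self.constraints)


class Broker:
    """A broker in an acyclic overlay: filters locally, forwards by neighbour profile."""

    def __init__(self, name: str):
        self.name = name
        self.local = {}       # subscriber name -> list of Filter
        self.neighbors = {}   # Broker -> set of Filters announced from that direction
        self.delivered = []   # (subscriber, event) pairs handed to local subscribers

    def connect(self, other: "Broker") -> None:
        self.neighbors[other] = set()
        other.neighbors[self] = set()

    def subscribe(self, subscriber: str, flt: Filter) -> None:
        self.local.setdefault(subscriber, []).append(flt)
        for nb in self.neighbors:          # announce our profile to every neighbour
            nb.announce(self, flt)

    def announce(self, came_from: "Broker", flt: Filter) -> None:
        self.neighbors[came_from].add(flt)
        for nb in self.neighbors:          # propagate away from the announcer (overlay is acyclic)
            if nb is not came_from:
                nb.announce(self, flt)

    def has_interest(self, event: dict) -> bool:
        """Covering check at the access point: is anyone, anywhere, subscribed to this event?"""
        local = any(f.matches(event) for fs in self.local.values() for f in fs)
        remote = any(f.matches(event) for prof in self.neighbors.values() for f in prof)
        return local or remote

    def publish(self, event: dict) -> bool:
        """Publisher entry point; returns False if the event is dropped at ingress."""
        if not self.has_interest(event):
            return False
        self._route(event, came_from=None)
        return True

    def _route(self, event: dict, came_from) -> None:
        # Event filtering: hand the event to local subscribers whose filter matches.
        for subscriber, filters in self.local.items():
            if any(f.matches(event) for f in filters):
                self.delivered.append((subscriber, event))
        # Profile forwarding: only towards neighbours whose announced subscriptions match.
        for nb, profile in self.neighbors.items():
            if nb is not came_from and any(f.matches(event) for f in profile):
                nb._route(event, came_from=self)


def build_demo():
    """Constructed scenario: brokers A - B - C in a line, with the IBM example from the text."""
    a, b, c = Broker("A"), Broker("B"), Broker("C")
    a.connect(b)
    b.connect(c)
    c.subscribe("trader", Filter((Constraint("stock", "=", "IBM"),
                                  Constraint("exchange", "=", "NYSE"),
                                  Constraint("price", ">", 150))))
    a.subscribe("analyst", Filter((Constraint("stock", "=", "MSFT"),)))
    return a, b, c


if __name__ == "__main__":
    a, b, c = build_demo()
    print(a.publish({"stock": "IBM", "exchange": "NYSE", "price": 160}), c.delivered)
    print(a.publish({"stock": "IBM", "exchange": "NYSE", "price": 140}))  # nobody wants it
    print(a.publish({"stock": "MSFT", "price": 10}), a.delivered, b.delivered)
```

Note that the MSFT quote never leaves broker A: B's announced profile contains only the IBM filter, so profile forwarding saves the hop, and the IBM quote at 140 is refused at A before any routing happens.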

Example: SIENA

  • SIENA is a wide-area notification service that uses covering-based routing.
    • Consists of nodes and servers (access points), event notifications and filters, a publish/subscribe protocol plus advertisements, identities and handlers, and filtering.
  • A Siena system can be configured in three types of interconnection topology:
    • Hierarchical client/server architecture
    • Acyclic P2P architecture
    • General P2P architecture

SIENA: Hierarchical Architecture


  • Servers interact with each other in an asymmetric client-server fashion.
  • Server is not distinguished from objects of interest or interested parties
  • Potential overloading of server stationed at higher level of hierarchy
  • Failure of one node in hierarchy causes all the nodes below that node to fail

Acyclic P2P architecture and General P2P architecture

  • The acyclic P2P architecture and the general P2P architecture are very similar.
    • Both are represented by an undirected graph and allow bidirectional communication.
    • Scaling is an issue for both.
  • Acyclic P2P
    • Restricts the configuration of connections between servers to an acyclic graph.
    • Therefore no redundant connections or multiple paths are allowed (enforced by a cycle-avoiding algorithm).
    • Can be difficult to maintain and is not as robust as the general P2P architecture.
  • General P2P architecture
    • Requires less coordination among servers.
    • Redundancy makes the Siena system robust with respect to the failure of single servers.
    • Drawback: special algorithms must be run to choose the best path.

Siena: Routing

  • The simplest strategy is to maintain the subscriptions at their access point and broadcast the notification throughout the network.
    • Least efficient
    • Consumes lots of bandwidth
  • Alternatively, send the notification towards the event servers that have clients interested in that notification (possibly using the shortest path).
  • Downstream replication
    • Events are kept as one copy as long as possible and only replicated when they are as close as possible to the subscribing servers/clients.
  • Upstream evaluation
    • Filters are applied upstream, that is as close to the event publisher as possible.


Advantages of Pub/Sub

  • Highly suited for mobile applications, ubiquitous computing and distributed embedded systems
  • Robustness: failure of publishers or subscribers does not bring down the entire system
  • Scalability: suited to building distributed applications consisting of a large number of entities
  • Adaptability: can be varied to suit different environments (mobile, internet games, embedded systems, etc.)

Disadvantages of Pub/Sub

  • Reliability: there is no strong guarantee that the broker delivers content to the subscriber. After a publisher publishes an event, it assumes that all corresponding subscribers will receive it.
  • Potential bottleneck in brokers when subscribers and publishers overload them (addressed by load-balancing techniques).
  • Security is an issue:
    • Encryption is hard to implement when the brokers have to filter events according to their content.
    • Brokers might be fooled into sending notifications to the wrong client, amplifying denial-of-service requests against that client.


  • A distributed Pub/Sub system provides a loosely-coupled, asynchronous model which is useful in many fields of network utilization.
  • Several areas are still open for research:
    • Effective routing and filtering algorithms for better performance
    • The scalability versus expressiveness issue
    • Fault tolerance
    • Security


  • Papers:
    • P. Eugster, P. Felber, R. Guerraoui and A. Kermarrec. The Many Faces of Publish/Subscribe. ACM Computing Surveys, Vol. 35, No. 2, June 2003.
    • A. Carzaniga, D. Rosenblum, A. Wolf. Design and Evaluation of a Wide-Area Event Notification Service. ACM Transactions on Computer Systems, Vol. 19, No. 3, August 2001.


Presentation by: Yu-Ling Chang




Virtual LAN

A virtual LAN (VLAN) is any broadcast domain that is partitioned and isolated in a computer network at the data link layer (OSI layer 2). LAN is an abbreviation of local area network.

To subdivide a network into virtual LANs, one configures a network switch or router. Simpler network devices can only partition per physical port (if at all), in which case each VLAN is connected with a dedicated network cable (and VLAN connectivity is limited by the number of hardware ports available). More sophisticated devices can mark packets through tagging, so that a single interconnect (trunk) may be used to transport data for multiple VLANs. Since VLANs share bandwidth, a VLAN trunk can use link aggregation and/or quality-of-service prioritization to route data efficiently.

VLANs allow network administrators to group hosts together even if the hosts are not on the same network switch. This can greatly simplify network design and deployment, because VLAN membership can be configured through software. Without VLANs, grouping hosts according to their resource needs necessitates the labor of relocating nodes or rewiring data links.


A basic switch not configured for VLANs has VLAN functionality disabled or permanently enabled with a default VLAN that contains all ports on the device as members. Every device connected to one of its ports can send packets to any of the others. Separating ports by VLAN groups separates their traffic very much like connecting the devices to another, distinct switch of their own.

Configuration of the first custom VLAN port group usually involves removing ports from the default VLAN, such that the first custom group of VLAN ports is actually the second VLAN on the device, in addition to the default VLAN. The default VLAN typically has an ID of 1.

If a VLAN port group were to exist only on one device, no ports that are members of the VLAN group would need to be tagged. These ports would hence be considered “untagged”. It is only when the VLAN port group is to extend to another device that tagging is used. Since communications between ports on two different switches travel via the uplink ports of each switch involved, every VLAN containing such ports must also contain the uplink port of each switch involved, and these ports must be tagged. This also applies to the default VLAN.

Some switches either allow or require that a name be created for the VLAN, but only the VLAN group number is important from one switch to the next.

Where a VLAN group is to simply pass through an intermediate switch via two pass-through ports, only the two ports must be a member of the VLAN, and are tagged to pass both the required VLAN and the default VLAN on the intermediate switch.

Management of the switch requires that the administrative functions be associated with one of the configured VLANs. If the default VLAN were deleted or renumbered without first moving the management connection to a different VLAN, it is possible for the administrator to be locked out of the switch configuration, requiring a forced clearing of the device configuration (possibly to the factory default) to regain access or physical access to the switch if it has a console port or other means of direct management.

Switches typically have no built-in method to indicate VLAN port members to someone working in a wiring closet. It is necessary for a technician to either have administrative access to the device to view its configuration, or for VLAN port assignment charts or diagrams to be kept next to the switches in each wiring closet. These charts must be manually updated by the technical staff whenever port membership changes are made to the VLANs.

Remote configuration of VLANs involves the risk for the administrator to cut off communications accidentally and lose connectivity to the devices they are attempting to configure. Actions such as subdividing the default VLAN by moving the switch uplink ports into a separate new VLAN can suddenly terminate all remote connectivity, requiring the device to be physically accessed at the distant location to continue the configuration process.

Generally, VLANs within the same organization will be assigned different non-overlapping network addresses. This is not a requirement of VLANs. There is no issue with separate VLANs using identical overlapping address ranges (e.g. two VLANs each use the private network / CIDR 16). However, it is generally not possible to route data between two networks with overlapping addresses, so if the goal of VLANs is segmentation of a larger overall organizational network, non-overlapping addresses must be used in each separate VLAN.

VLSM example

Internet Service Providers may face a situation where they need to allocate IP subnets of different sizes according to customer requirements. One customer may ask for a Class C subnet of 3 IP addresses and another may ask for 10 IPs. For an ISP it is not feasible to divide the IP addresses into fixed-size subnets; rather, it may want to subnet the subnets in such a way that results in minimum wastage of IP addresses.

For example, an administrator has a network. The suffix /24 (pronounced "slash 24") tells the number of bits used for the network address. In this example, the administrator has three different departments with different numbers of hosts. The Sales department has 100 computers, the Purchase department has 50 computers, Accounts has 25 computers and Management has 5 computers. In CIDR, the subnets are of fixed size, so using that methodology the administrator cannot fulfil all the requirements of the network.

The following procedure shows how VLSM can be used in order to allocate department-wise IP addresses as mentioned in the example.

Step – 1

Make a list of Subnets possible.


Step – 2

Sort the requirements of IPs in descending order (Highest to Lowest).

  • Sales 100
  • Purchase 50
  • Accounts 25
  • Management 5

Step – 3

Allocate the highest range of IPs to the highest requirement, so let's assign a /25 to the Sales department. This IP subnet with network number has 126 valid host IP addresses, which satisfies the requirement of the Sales department. The subnet mask used for this subnet has 10000000 as the last octet.

Step – 4

Allocate the next highest range, so let's assign a /26 to the Purchase department. This IP subnet with network number has 62 valid host IP addresses, which can easily be assigned to all the PCs of the Purchase department. The subnet mask used has 11000000 in the last octet.

Step – 5

Allocate the next highest range, i.e. Accounts. The requirement of 25 IPs can be fulfilled with a /27 IP subnet, which contains 30 valid host IPs. The network number of the Accounts department will be The last octet of the subnet mask is 11100000.

Step – 6

Allocate the next highest range to Management. The Management department contains only 5 computers. A /29 subnet with the mask has exactly 6 valid host IP addresses, so this can be assigned to Management. The last octet of the subnet mask will contain 11111000.

By using VLSM, the administrator can subnet the IP subnet in such a way that the least number of IP addresses are wasted. Even after assigning IPs to every department, the administrator in this example is still left with plenty of IP addresses, which would not have been possible had he used CIDR.
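The six steps above as an added Python example; it is not part of the original page. Because the page's own network address did not survive extraction, the demo uses the RFC 5737 documentation block 192.0.2.0/24 in its place, and it relies only on the standard-library ipaddress module. The allocator generalises the walkthrough to any list of department sizes: it sorts the requirements in descending order, picks the smallest subnet that holds each requirement plus the network and broadcast addresses, and reports what is left over.

```python
import ipaddress


def prefix_for_hosts(hosts: int) -> int:
    """Smallest subnet (longest prefix) that still offers `hosts` usable addresses.

    A /p subnet has 2**(32-p) addresses, two of which (network and broadcast)
    are not usable, so we need 2**(32-p) >= hosts + 2.
    """
    if hosts < 1:
        raise ValueError("a department needs at least one host")
    return 32 - (hosts + 1).bit_length()


def usable_hosts(net: ipaddress.IPv4Network) -> int:
    return net.num_addresses - 2


def vlsm_allocate(block: str, requirements: dict) -> dict:
    """Carve `block` into per-department subnets, largest requirement first.

    Allocating in descending size keeps every new subnet aligned on its own
    size boundary, so walking a cursor through the block never yields a
    misaligned network address.
    """
    parent = ipaddress.IPv4Network(block)
    cursor = int(parent.network_address)
    limit = int(parent.broadcast_address) + 1
    allocation = {}
    for name, hosts in sorted(requirements.items(), key=lambda kv: kv[1], reverse=True):
        net = ipaddress.IPv4Network((cursor, prefix_for_hosts(hosts)))
        if int(net.broadcast_address) >= limit:
            raise ValueError(f"{block} cannot fit {name} ({hosts} hosts)")
        allocation[name] = net
        cursor = int(net.broadcast_address) + 1
    return allocation


def addresses_left(block: str, allocation: dict) -> int:
    """Addresses of the parent block that remain unassigned after VLSM."""
    parent = ipaddress.IPv4Network(block)
    return parent.num_addresses - sum(n.num_addresses for n in allocation.values())


if __name__ == "__main__":
    # Constructed input: the page's department sizes inside a documentation block.
    demand = {"Sales": 100, "Purchase": 50, "Accounts": 25, "Management": 5}
    plan = vlsm_allocate("192.0.2.0/24", demand)
    for dept, net in plan.items():
        print(f"{dept:<11} {str(net):<18} mask {net.netmask}  usable hosts {usable_hosts(net)}")
    print("addresses left:", addresses_left("192.0.2.0/24", plan))
```

Running it reproduces the /25, /26, /27 and /29 of the walkthrough, with the last-octet masks 128, 192, 224 and 248, and leaves 24 addresses of the /24 unassigned.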

LAN Design

Designing a network can be a challenging task, and involves more than just connecting computers together. A network requires many features in order to be scalable and manageable. To design reliable, scalable networks, network designers must realize that each of the major components of a network has distinct design requirements. Even a network that consists of only fifty nodes can pose complex problems that lead to unpredictable results. Attempting to design and build networks that contain thousands of nodes can pose even more complex problems.

The first step in designing a LAN is to establish and document the goals of the design. These goals are particular to each organization or situation. However, the following requirements tend to show up in most network designs:

  • The network must work. That is, it must allow users to meet their job requirements, and it must provide user-to-user and user-to-application connectivity with reasonable speed and reliability.
  • The network must be able to grow. That is, the initial design should grow without any major changes to the overall design.
  • The network must be designed with an eye toward future technologies, and it should include no element that would limit the implementation of new technologies as they become available.
  • The network should be designed to facilitate network monitoring and management to ensure ongoing stability of operation.

LAN Troubleshooting


This document explains the initial Layer 2 troubleshooting steps, with some helpful IOS commands.

Approaching Steps:

Check for physical interface problems like a duplex mismatch. By default, each Cisco switch port uses Ethernet auto-negotiation to determine the speed and duplex setting (whether it is half or full duplex). These switches can set their duplex setting with the "duplex" interface subcommand and their speed with the "speed" interface subcommand.

A duplex mismatch usually does not bring the link down; it just creates suboptimal performance.

A duplex mismatch might be caused by hard-coding one side of the link to full duplex but leaving the other side to auto-negotiate. You would suspect a duplex mismatch if you saw collisions on a full-duplex link, because a full-duplex link should never have collisions. Half duplex on both sides will show some errors.

Important IOS command: "show interface"

R1#sh int fa0/0
FastEthernet0/0 is up, line protocol is up
  Hardware is Gt96k FE, address is c000.3710.0000 (bia c000.3710.0000)
  MTU 1500 bytes, BW 10000 Kbit/sec, DLY 1000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Half-duplex, 10Mb/s, 100BaseTX/FX
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input 00:00:33, output 00:00:00, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     5 packets input, 1765 bytes
     Received 5 broadcasts, 0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 watchdog
     0 input packets with dribble condition detected
     22 packets output, 2785 bytes, 0 underruns
     0 output errors, 0 collisions, 1 interface resets
     0 unknown protocol drops
     0 babbles, 0 late collision, 0 deferred
     0 lost carrier, 0 no carrier
     0 output buffer failures, 0 output buffers swapped out


Watch for some of these errors:

Runts: frames smaller than 64 bytes.

CRC errors: the cyclic redundancy checksum value carried in the frame does not match the one calculated by the switch or router.

Collisions: look for collisions on a full-duplex interface, or excessive collisions on a half-duplex interface.

Late collisions on a half-duplex interface: a late collision is one that occurs after the first 64 bytes of a frame.

Frame errors: frames received incorrectly that also fail the CRC check.
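An added example, not from the original document, that parses the counters out of "show interface" output and applies the rules of thumb just listed. The mismatch sample is constructed (a full-duplex port that is counting collisions); the clean sample is trimmed from the R1 output shown above. Field names and the regular expressions are my own and follow the layout of the output on this page:

```python
import re

# Constructed sample output (not a real capture): a full-duplex port that is
# counting collisions, the classic signature of a duplex mismatch on the far end.
SAMPLE_MISMATCH = """\
FastEthernet0/1 is up, line protocol is up
  Full-duplex, 100Mb/s, 100BaseTX/FX
  1523 packets input, 190233 bytes
  Received 12 broadcasts, 17 runts, 0 giants, 0 throttles
  41 input errors, 24 CRC, 17 frame, 0 overrun, 0 ignored
  2290 packets output, 310442 bytes, 0 underruns
  0 output errors, 133 collisions, 1 interface resets
  0 babbles, 58 late collision, 0 deferred
"""

# Trimmed from the R1 'sh int fa0/0' output shown above: half duplex, no errors.
SAMPLE_CLEAN = """\
FastEthernet0/0 is up, line protocol is up
  Half-duplex, 10Mb/s, 100BaseTX/FX
  5 packets input, 1765 bytes
  Received 5 broadcasts, 0 runts, 0 giants, 0 throttles
  0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
  22 packets output, 2785 bytes, 0 underruns
  0 output errors, 0 collisions, 1 interface resets
  0 babbles, 0 late collision, 0 deferred
"""

# Counter name -> pattern that captures it in the IOS text.
COUNTERS = {
    "runts": r"(\d+) runts",
    "crc": r"(\d+) CRC",
    "frame": r"(\d+) frame,",
    "input_errors": r"(\d+) input errors",
    "collisions": r"(\d+) collisions",
    "late_collisions": r"(\d+) late collision",
}


def parse_show_interface(text: str) -> dict:
    """Pull interface state, duplex and the error counters out of 'show interface'."""
    head = re.search(r"^(\S+) is (\S+), line protocol is (\S+)", text, re.M)
    duplex = re.search(r"(Half|Full)-duplex", text)
    stats = {
        "interface": head.group(1),
        "status": f"{head.group(2)}/{head.group(3)}",
        "duplex": duplex.group(1).lower() if duplex else None,
    }
    for name, pattern in COUNTERS.items():
        hit = re.search(pattern, text)
        stats[name] = int(hit.group(1)) if hit else 0
    return stats


def diagnose(stats: dict) -> list:
    """Apply the rules of thumb from the text; returns a (possibly empty) list of findings."""
    findings = []
    if stats["duplex"] == "full" and stats["collisions"] > 0:
        findings.append("collisions on a full-duplex link: suspect a duplex mismatch (far end half duplex)")
    if stats["late_collisions"] > 0:
        findings.append("late collisions (after the first 64 bytes): duplex mismatch or over-long segment")
    if stats["runts"] > 0:
        findings.append("runts (< 64 bytes): collision fragments or a faulty NIC")
    if stats["crc"] > 0 or stats["frame"] > 0:
        findings.append("CRC/frame errors: bad cabling, bad NIC or duplex mismatch")
    return findings


if __name__ == "__main__":
    for sample in (SAMPLE_CLEAN, SAMPLE_MISMATCH):
        s = parse_show_interface(sample)
        print(s["interface"], s["status"], s["duplex"], diagnose(s) or ["no errors"])
```

Feeding the function the output of several ports in turn is an easy way to find the one port in a closet whose counters contradict its duplex setting.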

Another helpful command for displaying interface statistics is "show controllers fa0/0". It produces very long output, but in it you can find the number of frames with a bad frame check, CRC errors, collisions and late collisions, as well as the interface's own auto-negotiation status and speed/duplex capability and those of its neighbour.

Also read the "Configuring and Troubleshooting Ethernet 10/100/1000Mb Half/Full Duplex Auto-Negotiation" document for more information.

No Connectivity between Switches

1) Check for an interface shutdown using the "show ip interface" command.

Here is an example:

R1#show ip interface fa0/0
FastEthernet0/0 is up, line protocol is up
  Internet protocol processing disabled



If an interface shows up/up, the physical and logical connection has been made. If it shows up/down, you have some Layer 2 troubleshooting to do. An interface status of err-disabled can be caused by many different problems; common causes are a security violation or the detection of a unidirectional link.

When a port is error-disabled, it is effectively shut down and no traffic is sent or received on that port. The port LED is set to the colour orange. You can check using the "show interface status err-disabled" command on your device.

This example shows how to display the error-disabled state of interfaces:

switch# show interface status err-disabled

Port          Name    Status    Reason
Eth114/1/27   --      down      BPDUGuard errDisable
Eth114/1/28   --      down      BPDUGuard errDisable
Eth114/1/29   --      down      BPDUGuard errDisable
Eth114/1/30   --      down      BPDUGuard errDisable
Eth114/1/31   --      down      BPDUGuard errDisable
Eth114/1/32   --      down      BPDUGuard errDisable
Eth114/1/33   --      down      BPDUGuard errDisable
Eth114/1/34   --      down      BPDUGuard errDisable




2) Verify your trunk links and EtherChannel (if configured) using the following commands:

"show interface trunk"
"show etherchannel summary"

Here is a document for “Troubleshooting Switch Port and Interface Problems”

Lack of reachability to devices in same VLAN

1) Eliminate Layer 1 issues using the "show ip interface" command.

R1#show ip interface fa0/0
FastEthernet0/0 is up, line protocol is up
  Internet protocol processing disabled



2) Verify that the VLAN exists on the switch using the "show vlan" command.

SW#sh vlan

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa1/0, Fa1/1, Fa1/2, Fa1/3
                                                Fa1/4, Fa1/5, Fa1/6, Fa1/7
                                                Fa1/8, Fa1/9, Fa1/10, Fa1/11
                                                Fa1/12, Fa1/13, Fa1/14, Fa1/15
2    cisco_test                       active
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup

VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
1    enet  100001     1500  -      -      -        -    -        1002   1003
2    enet  100002     1500  -      -      -        -    -        0      0
1002 fddi  101002     1500  -      -      -        -    -        1      1003
1003 tr    101003     1500  1005   0      -        -    srb      1      1002
1004 fdnet 101004     1500  -      -      1        ibm  -        0      0
1005 trnet 101005     1500  -      -      1        ibm  -        0      0



3) Verify that the interface is assigned to the correct VLAN using the "show interface switchport" command.

sw#show interfaces switchport fa1/15
Switchport: Enabled
Administrative Mode: static access
Operational Mode: static access
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: native
Negotiation of Trunking: Disabled
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Trunking VLANs Enabled: ALL
Trunking VLANs Active: 1
Protected: false
Priority for untagged frames: 0
Override vlan tag priority: FALSE
Voice VLAN: none
Appliance trust: none

If it is not in the correct VLAN, assign the port to the correct VLAN with the following steps:

conf t
int fa1/15
switchport access vlan 2


4) Verify that the VLAN is allowed on the trunk port using the "show interface trunk" command.

sw#show interfaces trunk

Port      Mode         Encapsulation  Status        Native vlan
Fa1/15    on           802.1q         trunking      1

Port      Vlans allowed on trunk
Fa1/15    1-2,1002-1005

Port      Vlans allowed and active in management domain
Fa1/15    1-2

Port      Vlans in spanning tree forwarding state and not pruned
Fa1/15    none



5) You can also use the Layer 2 traceroute utility to identify the Layer 2 path that a packet takes from a source device to a destination device, using the "traceroute mac [interface type interface_number] source_mac_address [interface type interface_number] destination_mac_address [vlan vlan_id] [detail]" command.
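As an added example that is not part of the original document, the following Python reads the "show interfaces trunk" and "show interfaces switchport" outputs from steps 3 and 4 and reports, in the order of the three trunk tables, why a given VLAN would not cross the trunk. The sample text is copied from the outputs above (trimmed in the switchport case); the VLAN-list expander, the check function and its messages are my own:

```python
import re

# Sample input copied from the 'show interfaces trunk' output in step 4 above.
TRUNK_OUTPUT = """\
Port      Mode         Encapsulation  Status        Native vlan
Fa1/15    on           802.1q         trunking      1

Port      Vlans allowed on trunk
Fa1/15    1-2,1002-1005

Port      Vlans allowed and active in management domain
Fa1/15    1-2

Port      Vlans in spanning tree forwarding state and not pruned
Fa1/15    none
"""

# Trimmed from the 'show interfaces switchport fa1/15' output in step 3 above.
SWITCHPORT_OUTPUT = """\
Switchport: Enabled
Administrative Mode: static access
Operational Mode: static access
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
"""

# The three VLAN-list tables of 'show interfaces trunk', keyed by their header text.
SECTIONS = {
    "Vlans allowed on trunk": "allowed",
    "Vlans allowed and active in management domain": "active",
    "Vlans in spanning tree forwarding state and not pruned": "forwarding",
}


def parse_vlan_list(spec):
    """Expand an IOS VLAN list such as '1-2,1002-1005' ('none', 'ALL') into a set of ints."""
    spec = spec.strip()
    if spec.lower() == "none":
        return set()
    if spec.upper() == "ALL":
        return set(range(1, 4095))
    vlans = set()
    for part in spec.split(","):
        low, _, high = part.partition("-")
        vlans.update(range(int(low), int(high or low) + 1))
    return vlans


def parse_show_trunk(text):
    """Return {port: {'allowed': set, 'active': set, 'forwarding': set}}."""
    trunks, section = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("Port"):
            # Every 'Port ...' header starts a new table; only the VLAN-list tables matter here.
            section = SECTIONS.get(line[len("Port"):].strip())
            continue
        if section:
            port, _, vlan_list = line.partition(" ")
            trunks.setdefault(port, {})[section] = parse_vlan_list(vlan_list)
    return trunks


def parse_access_vlan(text):
    """Access VLAN of a port, from 'show interfaces switchport'."""
    hit = re.search(r"^Access Mode VLAN: (\d+)", text, re.M)
    return int(hit.group(1)) if hit else None


def check_vlan_on_trunk(vlan, port, trunks):
    """Explain, following the order of the step-4 tables, why `vlan` would not cross `port`."""
    t = trunks.get(port)
    if t is None:
        return [f"{port} is not a trunk"]
    if vlan not in t.get("allowed", set()):
        return [f"VLAN {vlan} is not in the allowed list on {port}"]
    if vlan not in t.get("active", set()):
        return [f"VLAN {vlan} is allowed but not active on {port} (check 'show vlan')"]
    if vlan not in t.get("forwarding", set()):
        return [f"VLAN {vlan} is active but not forwarding on {port} (STP blocking or pruned)"]
    return []


if __name__ == "__main__":
    trunks = parse_show_trunk(TRUNK_OUTPUT)
    print("access VLAN on fa1/15:", parse_access_vlan(SWITCHPORT_OUTPUT))
    for v in (1, 2, 3, 1002):
        print(v, check_vlan_on_trunk(v, "Fa1/15", trunks) or ["ok"])
```

On the page's own output every VLAN stops at the third table (nothing is in the forwarding state on Fa1/15), which is the spanning-tree check the next section turns to.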

Intermittent reachability to devices in same VLAN

1) Check for spanning-tree problems such as BPDU floods or flapping MAC addresses.

Spanning-tree issues are possible in a network that has not been properly configured. One common STP problem is a change of root bridge. If the root bridge is not properly configured, a change in root can cause a flood of BPDUs and affect network connectivity. Another known symptom of a loop is flapping MAC addresses. A port configured with loop guard or root guard is put into an inconsistent state if it receives a superior BPDU; this can be verified using "show spanning-tree inconsistentports".

Some useful IOS commands:
"show spanning-tree"
"show spanning-tree detail"
"show spanning-tree root"
"show mac-address-table"

Here is another document you may want to look into: "Troubleshooting LAN Switching Environments".

Some Spanning-tree related troubleshooting docs:
“Troubleshooting STP on Catalyst Switches Running Cisco IOS System Software”
“Spanning Tree Loop Troubleshooting and Safeguards”
“Spanning Tree Protection”

Finding IP address connected to a cisco switch port

If you don't know the IP addresses of the devices present on a specific VLAN and want to track down an end device's IP address, try the following steps:

Step 1: ping the broadcast IP address of the subnet from your L3 device (gateway).

For example: I have the following connectivity. R1 is connected to SW1 and SW1 to SW2. Hosts H1 and H2 are connected to SW2.


R1 is the default gateway, with an L3 address. Please find below the IP address for each device.




So for this subnet the broadcast IP is

Let's ping it from your router. All hosts present on that LAN segment will reply, as you can see below, and the ARP table on the L3 device will be populated with each IP address and its respective MAC address.



Sending 1000, 100-byte ICMP Echos to, timeout is 2 seconds:

Reply to request 8 from, 28 ms
Reply to request 9 from, 64 ms


Step 2: then check the ARP entries using the "show arp" command on the L3 device; it will show you the MAC address associated with each IP address.


R1#sh ip arp
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet                 -   c000.2498.0000  ARPA   Vlan2
Internet                 0   c003.2498.0000  ARPA   Vlan2


From the above table you can see that the host machine's MAC address is c003.2498.0000.

Step 3: now check which port the MAC address was learned from, as shown below:

R1#sh mac address c003.2498.0000
Destination Address  Address Type  VLAN  Destination Port
-------------------  ------------  ----  --------------------
c003.2498.0000       Dynamic       2     FastEthernet1/1


Step 4: then use CDP (Cisco Discovery Protocol) to check what device is connected to the port on which you learned the MAC address.

In our scenario we learned the MAC address from Fa1/1, so we need to check the CDP detail for fa1/1.

R1#sh cdp ne fa1/1 detail




Device ID: SW1.lab.local


Once you find the connected device, log in to it and again use the "sh mac address c003.2498.0000" and "sh cdp ne fa1/1 detail" commands until you find the actual end port to which your host is connected. The above method is useful when you have CDP enabled on all your switches and your end host responds to broadcast messages.

The above points were written through discussion.
Please feel free to add your expertise and experience to this document to make it helpful for beginners.
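The four-step lookup above as an added Python example; it is not from the original document. The ARP and MAC-table text is constructed from the outputs shown (the MAC addresses are the ones in the walkthrough, while RFC 5737 documentation addresses stand in for the page's IPs, which did not survive extraction), and the CDP view is an assumed one-entry dictionary of port to neighbour Device ID:

```python
import re

MAC_RE = r"([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})"

# Constructed 'show ip arp' output: page MACs, documentation IPs.
ARP_OUTPUT = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  192.0.2.1               -   c000.2498.0000  ARPA   Vlan2
Internet  192.0.2.10              0   c003.2498.0000  ARPA   Vlan2
"""

# Constructed 'sh mac address' output, in the table layout shown above.
MAC_TABLE_OUTPUT = """\
Destination Address  Address Type  VLAN  Destination Port
-------------------  ------------  ----  --------------------
c000.2498.0000          Self          2     Vlan2
c003.2498.0000          Dynamic       2     FastEthernet1/1
"""

# Assumed CDP view of R1: port -> neighbour Device ID from 'sh cdp ne <port> detail'.
CDP_NEIGHBORS = {"FastEthernet1/1": "SW1.lab.local"}


def parse_arp(text: str) -> dict:
    """'show ip arp' -> {ip: mac}."""
    rows = re.findall(r"^Internet\s+(\S+)\s+\S+\s+" + MAC_RE, text, re.M)
    return {ip: mac for ip, mac in rows}


def parse_mac_table(text: str) -> dict:
    """MAC address table -> {mac: (vlan, port)}."""
    rows = re.findall(r"^" + MAC_RE + r"\s+\w+\s+(\d+)\s+(\S+)", text, re.M)
    return {mac: (int(vlan), port) for mac, vlan, port in rows}


def locate_ip(ip: str, arp: dict, mac_table: dict, cdp: dict):
    """Chain the lookups of steps 2 to 4. Returns None when the IP is not in ARP or the MAC table."""
    mac = arp.get(ip)
    if mac is None or mac not in mac_table:
        return None
    vlan, port = mac_table[mac]
    return {
        "ip": ip, "mac": mac, "vlan": vlan, "port": port,
        # A CDP neighbour on the port means another switch: repeat the lookup there.
        "next_hop": cdp.get(port),
    }


if __name__ == "__main__":
    arp = parse_arp(ARP_OUTPUT)
    table = parse_mac_table(MAC_TABLE_OUTPUT)
    for ip in ("192.0.2.10", "192.0.2.1", "198.51.100.9"):
        print(ip, locate_ip(ip, arp, table, CDP_NEIGHBORS))
```

When "next_hop" is a switch name, the same two parsers are run against that switch's output; when it is None the port is the edge port the host hangs off.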



STP Operation




Before you configure STP, select a switch to be the root of the spanning tree. This switch does not need to be the most powerful switch, but choose the most centralized switch on the network. All data flow across the network is from the perspective of this switch. Also, choose the least disturbed switch in the network. The backbone switches often serve as the spanning tree root because these switches typically do not connect to end stations. Also, moves and changes within the network are less likely to affect these switches.

After you decide on the root switch, set the appropriate variables to designate the switch as the root switch. The only variable that you must set is the bridge priority. If the switch has a bridge priority that is lower than all the other switches, the other switches automatically select the switch as the root switch.

Clients (end stations) on Switch Ports

You can also issue the set spantree portfast command on a per-port basis. When you enable the portfast variable on a port, the port immediately switches from blocking mode to forwarding mode. Enabling portfast helps to prevent timeouts on clients that use Novell NetWare or use DHCP in order to obtain an IP address. However, do not use this command on a switch-to-switch connection; in that case, the command can result in a loop. The 30- to 60-second delay that occurs during the transition from blocking to forwarding mode prevents a temporary loop condition in the network when you connect two switches.

Leave most other STP variables at their default values.

Rules of Operation

This section lists rules for how STP works. When the switches first come up, they start the root switch selection process. Each switch transmits a BPDU to the directly connected switch on a per-VLAN basis.

As the BPDU goes out through the network, each switch compares the BPDU that the switch sends to the BPDU that the switch receives from the neighbors. The switches then agree on which switch is the root switch. The switch with the lowest bridge ID in the network wins this election process.

Note: Remember that one root switch is identified per-VLAN. After the root switch identification, the switches adhere to these rules:

  • STP Rule 1—All ports of the root switch must be in forwarding mode. Note: In some corner cases, which involve self-looped ports, there is an exception to this rule.

    Next, each switch determines the best path to get to the root. The switches determine this path by a comparison of the information in all the BPDUs that the switches receive on all ports. The switch uses the port with the least amount of information in the BPDU in order to get to the root switch; the port with the least amount of information in the BPDU is the root port. After a switch determines the root port, the switch proceeds to rule 2.

  • STP Rule 2—The root port must be set to forwarding mode. In addition, the switches on each LAN segment communicate with each other to determine which switch is best to use in order to move data from that segment to the root bridge. This switch is called the designated switch.
  • STP Rule 3—In a single LAN segment, the port of the designated switch that connects to that LAN segment must be placed in forwarding mode.
  • STP Rule 4—All the other ports in all the switches (VLAN-specific) must be placed in blocking mode. The rule only applies to ports that connect to other bridges or switches. STP does not affect ports that connect to workstations or PCs. These ports remain forwarding. Note: The addition or removal of VLANs when STP runs in per-VLAN spanning tree (PVST / PVST+) mode triggers spanning tree recalculation for that VLAN instance and the traffic is disrupted only for that VLAN. The other VLAN parts of a trunk link can forward traffic normally. The addition or removal of VLANs for a Multiple Spanning Tree (MST) instance that exists triggers spanning tree recalculation for that instance and traffic is disrupted for all the VLAN parts of that MST instance.

Note: By default, spanning tree runs on every port. The spanning tree feature cannot be turned off in switches on a per-port basis. Although it is not recommended, you can turn off STP on a per-VLAN basis, or globally on the switch. Extreme care should be taken whenever you disable spanning tree because this creates Layer 2 loops within the network.
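The election and root-port rules above can be checked against a small model before touching a production switch. The Python below is an added example, not code from the Cisco document: it elects the root by lowest bridge ID (priority, then MAC) and then computes every switch's root path cost and root port using the BPDU tie-break order (lowest root path cost, then lowest sender bridge ID, then lowest sender port ID). The bridge IDs for Switch-15 and Switch-12 are the ones shown in the document's show spantree output; the MACs for Switch-13 and Switch-16 and the whole cabling table are constructed. It also shows the point the step 2 note makes about priorities: any switch with a priority lower than 8192 displaces the intended root, and only a priority of 1 makes the intended root win regardless.

```python
# Added example, not from the Cisco document quoted above: a small model of
# STP root election and root-port selection on a constructed topology.
import heapq
from typing import Dict, List, Tuple

BridgeID = Tuple[int, str]          # (priority, MAC); lower wins, as in STP
Link = Tuple[str, str, str, str, int]   # (switch_a, port_a, switch_b, port_b, cost)

# Switch-15 and Switch-12 values come from the document's show spantree
# output; the Switch-13 and Switch-16 MAC addresses are constructed.
BRIDGES: Dict[str, BridgeID] = {
    "Switch-15": (8192, "00-10-0d-b1-78-00"),
    "Switch-12": (32768, "00-10-0d-b2-8c-00"),
    "Switch-13": (32768, "00-10-0d-b3-00-00"),
    "Switch-16": (32768, "00-10-0d-b6-00-00"),
}

# Constructed links (not the document's cabling). Cost 19 is the classic
# 100 Mbit/s spanning-tree path cost.
LINKS: List[Link] = [
    ("Switch-12", "2/1", "Switch-13", "2/1", 19),
    ("Switch-12", "2/2", "Switch-15", "1/1", 19),
    ("Switch-12", "2/3", "Switch-16", "2/1", 19),
    ("Switch-13", "2/2", "Switch-15", "1/2", 19),
    ("Switch-16", "2/2", "Switch-15", "1/3", 19),
    ("Switch-13", "2/3", "Switch-16", "2/3", 19),
]


def elect_root(bridges: Dict[str, BridgeID]) -> str:
    """The switch with the lowest bridge ID wins the election."""
    return min(bridges, key=bridges.__getitem__)


def root_ports(root: str, bridges: Dict[str, BridgeID],
               links: List[Link]) -> Dict[str, Tuple[int, str]]:
    """Return {switch: (root path cost, root port)} for every switch.

    Each switch keeps the port on which it receives the best BPDU: lowest
    root path cost, then lowest sender bridge ID, then lowest sender port.
    A Dijkstra walk from the root with keys ordered that way gives the same
    answer as the distributed comparison the text describes.
    """
    adj: Dict[str, List[Tuple[str, str, str, int]]] = {}
    for a, pa, b, pb, cost in links:
        adj.setdefault(a, []).append((pa, b, pb, cost))
        adj.setdefault(b, []).append((pb, a, pa, cost))
    root_key = (0, bridges[root], "")
    best = {root: (root_key, "1/0")}   # CatOS reports root port 1/0 on the root
    heap = [(root_key, root)]
    while heap:
        key, sw = heapq.heappop(heap)
        if key > best[sw][0]:
            continue                   # stale heap entry
        for sw_port, nbr, nbr_port, link_cost in adj.get(sw, []):
            cand = (key[0] + link_cost, bridges[sw], sw_port)
            if nbr not in best or cand < best[nbr][0]:
                best[nbr] = (cand, nbr_port)
                heapq.heappush(heap, (cand, nbr))
    return {sw: (k[0], port) for sw, (k, port) in best.items()}


if __name__ == "__main__":
    root = elect_root(BRIDGES)
    print("root:", root)
    for sw, (cost, port) in sorted(root_ports(root, BRIDGES, LINKS).items()):
        print(f"{sw}: cost {cost} via root port {port}")
    # A switch that shows up with priority 4096 takes the root role away from
    # Switch-15, which is why the document suggests priority 1 when unsure.
    unexpected = dict(BRIDGES, Unknown=(4096, "00-00-0c-00-00-01"))
    print("root with an unknown 4096-priority switch:", elect_root(unexpected))
```

Running the model with the intended root's priority and every other bridge ID you know of is a cheap way to confirm the election result before the change window; a root that lands on an unexpected switch means the whole Layer 2 topology re-converges around it.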

Step-by-Step Instructions

Complete these steps:

  1. Issue the show version command in order to display the software version that the switch runs. Note: All switches run the same software version.
    Switch-15> (enable)show version
    WS-C5505 Software, Version McpSW: 4.2(1) NmpSW: 4.2(1)
    Copyright (c) 1995-1998 by Cisco Systems
    NMP S/W compiled on Sep  8 1998, 10:30:21
    MCP S/W compiled on Sep 08 1998, 10:26:29
    System Bootstrap Version: 5.1(2)
    Hardware Version: 1.0  Model: WS-C5505  Serial #: 066509927
    Mod Port Model      Serial #  Versions
    --- ---- ---------- --------- ----------------------------------------
    1   0    WS-X5530   008676033 Hw : 2.3
    Fw : 5.1(2)
    Fw1: 4.4(1)
    Sw : 4.2(1)

    In this scenario, Switch 15 is the best choice for the root switch of the network for all the VLANs because Switch 15 is the backbone switch.

  2. Issue the set spantree root vlan_id command in order to set the priority of the switch to 8192 for the VLAN or VLANs that the vlan_id specifies. Note: The default priority for switches is 32768. When you set the priority with this command, you force the selection of Switch 15 as the root switch because Switch 15 has the lowest priority.
    Switch-15> (enable)set spantree root 1
    VLAN 1 bridge priority set to 8192.
    VLAN 1 bridge max aging time set to 20.
    VLAN 1 bridge hello time set to 2.
    VLAN 1 bridge forward delay set to 15.
    Switch is now the root switch for active VLAN 1.
    Switch-15> (enable) 
    Switch-15> (enable)set spantree root 200
    VLAN 200 bridge priority set to 8192.
    VLAN 200 bridge max aging time set to 20.
    VLAN 200 bridge hello time set to 2.
    VLAN 200 bridge forward delay set to 15.
    Switch is now the root switch for active VLAN 200.
    Switch-15> (enable) 
    Switch-15> (enable)set spantree root 201
    VLAN 201 bridge priority set to 8192.
    VLAN 201 bridge max aging time set to 20.
    VLAN 201 bridge hello time set to 2.
    VLAN 201 bridge forward delay set to 15.
    Switch is now the root switch for active VLAN 201.
    Switch-15> (enable)
    Switch-15> (enable)set spantree root 202
    VLAN 202 bridge priority set to 8192.
    VLAN 202 bridge max aging time set to 20.
    VLAN 202 bridge hello time set to 2.
    VLAN 202 bridge forward delay set to 15.
    Switch is now the root switch for active VLAN 202.
    Switch-15> (enable)set spantree root 203
    VLAN 203 bridge priority set to 8192.
    VLAN 203 bridge max aging time set to 20.
    VLAN 203 bridge hello time set to 2.
    VLAN 203 bridge forward delay set to 15.
    Switch is now the root switch for active VLAN 203.
    Switch-15> (enable)set spantree root 204
    VLAN 204 bridge priority set to 8192.
    VLAN 204 bridge max aging time set to 20.
    VLAN 204 bridge hello time set to 2.
    VLAN 204 bridge forward delay set to 15.
    Switch is now the root switch for active VLAN 204.
    Switch-15> (enable)

    The shorter version of the command has the same effect, as this example shows:

    Switch-15> (enable)set spantree root 1,200-204 
    VLANs 1,200-204 bridge priority set to 8189.
    VLANs 1,200-204 bridge max aging time set to 20.
    VLANs 1,200-204 bridge hello time set to 2.
    VLANs 1,200-204 bridge forward delay set to 15.
    Switch is now the root switch for active VLANs 1,200-204.
    Switch-15> (enable)

    The set spantree priority command provides a third method to specify the root switch:

    Switch-15> (enable)set spantree priority 8192 1
    Spantree 1 bridge priority set to 8192.
    Switch-15> (enable)

    Note: In this scenario, all the switches started with cleared configurations. Therefore, all the switches started with a bridge priority of 32768. If you are not certain that all the switches in your network have a priority that is greater than 8192, set the priority of your desired root bridge to 1.

  3. Issue the set spantree portfast mod_num/port_num enable command in order to configure the PortFast setting on Switches 12, 13, 14, 16, and 17. Note: Only configure this setting on ports that connect to workstations or PCs. Do not enable PortFast on any port that connects to another switch.

    This example only configures Switch 12. You can configure other switches in the same way. Switch 12 has these port connections:

    • Port 2/1 connects to Switch 13.
    • Port 2/2 connects to Switch 15.
    • Port 2/3 connects to Switch 16.
    • Ports 3/1 through 3/24 connect to PCs.
    • Ports 4/1 through 4/24 connect to UNIX workstations.

    With this information as a basis, issue the set spantree portfast command on ports 3/1 through 3/24 and on ports 4/1 through 4/24:

    Switch-12> (enable)set spantree portfast 3/1-24 enable
    Warning: Spantree port fast start should only be enabled on ports connected
    to a single host.  Connecting hubs, concentrators, switches, bridges, etc. to
    a fast start port can cause temporary spanning-tree loops.  Use with caution.
    Spantree ports 3/1-24 fast start enabled.
    Switch-12> (enable) 
    Switch-12> (enable)set spantree portfast 4/1-24 enable
    Warning: Spantree port fast start should only be enabled on ports connected
    to a single host.  Connecting hubs, concentrators, switches, bridges, etc. to
    a fast start port can cause temporary spanning-tree loops.  Use with caution.
    Spantree ports 4/1-24 fast start enabled.
    Switch-12> (enable)
  4. Issue the show spantree vlan_id command in order to verify that Switch 15 is the root of all the appropriate VLANs. From the output from this command, compare the MAC address of the switch that is the root switch to the MAC address of the switch from which you issued the command. If the addresses match, the switch that you are in is the root switch of the VLAN. A root port that is 1/0 also indicates that you are at the root switch. This is the sample command output:
    Switch-15> (enable)show spantree 1
    VLAN 1
    spanning-tree enabled
    spanning-tree type          ieee
    Designated Root             00-10-0d-b1-78-00
    !--- This is the MAC address of the root switch for VLAN 1.
    Designated Root Priority    8192
    Designated Root Cost        0
    Designated Root Port        1/0
    Root Max Age   20 sec    Hello Time 2  sec   Forward Delay 15 sec
    Bridge ID MAC ADDR          00-10-0d-b1-78-00
    Bridge ID Priority          8192
    Bridge Max Age 20 sec    Hello Time 2  sec   Forward Delay 15 sec

    This output shows that Switch 15 is the designated root on the spanning tree for VLAN 1. The MAC address of the designated root switch, 00-10-0d-b1-78-00, is the same as the bridge ID MAC address of Switch 15, 00-10-0d-b1-78-00. Another indicator that this switch is the designated root is that the designated root port is 1/0.

    In this output from Switch 12, the switch recognizes Switch 15 as the Designated Root for VLAN 1:

    Switch-12> (enable)show spantree 1
    VLAN 1
    spanning-tree enabled
    spanning-tree type          IEEE
    Designated Root             00-10-0d-b1-78-00
    !--- This is the MAC address of the root switch for VLAN 1.
    Designated Root Priority    8192
    Designated Root Cost        19
    Designated Root Port        2/3
    Root Max Age   20 sec    Hello Time 2  sec   Forward Delay 15 sec
    Bridge ID MAC ADDR          00-10-0d-b2-8c-00
    Bridge ID Priority          32768
    Bridge Max Age 20 sec    Hello Time 2  sec   Forward Delay 15 sec

    Note: The output of the show spantree vlan_id command for the other switches and VLANs can also indicate that Switch 15 is the designated root for all VLANs.
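Step 4 boils down to two comparisons on the show spantree output: the designated root MAC against the local bridge ID MAC, and the designated root port against 1/0. The Python below is an added example, not part of the Cisco document: it parses the two outputs quoted above (copied here as sample strings) and applies both checks, plus an optional check that the root is the switch you intended, which is the verification a defender wants to repeat after any topology change.

```python
# Added example, not from the Cisco document: parse show spantree output and
# apply the root checks from step 4.
import re
from typing import Dict, Optional

# Sample outputs copied from the document's step 4 (Switch-15 and Switch-12).
SWITCH_15_OUTPUT = """\
VLAN 1
spanning-tree enabled
spanning-tree type          ieee
Designated Root             00-10-0d-b1-78-00
Designated Root Priority    8192
Designated Root Cost        0
Designated Root Port        1/0
Root Max Age   20 sec    Hello Time 2  sec   Forward Delay 15 sec
Bridge ID MAC ADDR          00-10-0d-b1-78-00
Bridge ID Priority          8192
Bridge Max Age 20 sec    Hello Time 2  sec   Forward Delay 15 sec
"""

SWITCH_12_OUTPUT = """\
VLAN 1
spanning-tree enabled
spanning-tree type          IEEE
Designated Root             00-10-0d-b1-78-00
Designated Root Priority    8192
Designated Root Cost        19
Designated Root Port        2/3
Root Max Age   20 sec    Hello Time 2  sec   Forward Delay 15 sec
Bridge ID MAC ADDR          00-10-0d-b2-8c-00
Bridge ID Priority          32768
Bridge Max Age 20 sec    Hello Time 2  sec   Forward Delay 15 sec
"""

MAC = r"([0-9a-f]{2}(?:-[0-9a-f]{2}){5})"
FIELDS = {
    "vlan": r"^\s*VLAN\s+(\d+)\s*$",
    "root_mac": r"^\s*Designated Root\s+" + MAC + r"\s*$",
    "root_priority": r"^\s*Designated Root Priority\s+(\d+)\s*$",
    "root_cost": r"^\s*Designated Root Cost\s+(\d+)\s*$",
    "root_port": r"^\s*Designated Root Port\s+(\S+)\s*$",
    "bridge_mac": r"^\s*Bridge ID MAC ADDR\s+" + MAC + r"\s*$",
    "bridge_priority": r"^\s*Bridge ID Priority\s+(\d+)\s*$",
}


def parse_spantree(output: str) -> Dict[str, str]:
    """Pull the fields step 4 relies on out of show spantree text."""
    parsed: Dict[str, str] = {}
    for name, pattern in FIELDS.items():
        m = re.search(pattern, output, re.MULTILINE | re.IGNORECASE)
        if m is None:
            raise ValueError(f"field {name!r} not found in output")
        parsed[name] = m.group(1).lower()
    return parsed


def check_root(output: str, expected_root_mac: Optional[str] = None) -> Dict[str, object]:
    """Apply both root indicators from the text, and optionally compare the
    elected root against the MAC of the switch you intended to be root."""
    p = parse_spantree(output)
    result: Dict[str, object] = {
        "vlan": int(p["vlan"]),
        "is_root": p["root_mac"] == p["bridge_mac"] and p["root_port"] == "1/0",
        "root_mac": p["root_mac"],
        "root_port": p["root_port"],
        "root_cost": int(p["root_cost"]),
        "root_priority": int(p["root_priority"]),
        "bridge_priority": int(p["bridge_priority"]),
    }
    if expected_root_mac is not None:
        result["expected_root"] = p["root_mac"] == expected_root_mac.lower()
    return result


if __name__ == "__main__":
    for name, text in (("Switch-15", SWITCH_15_OUTPUT), ("Switch-12", SWITCH_12_OUTPUT)):
        print(name, check_root(text, expected_root_mac="00-10-0d-b1-78-00"))
```

A false `expected_root` on any switch is the signal to investigate: either the priority change did not take effect on the intended root or another bridge with a lower bridge ID is present.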

Footprinting: The Basics of Hacking

¥ What Is Footprinting?

Footprinting is the first and most convenient way that hackers use to gather information
about computer systems and the companies they belong to. The purpose of footprinting is to
learn as much as you can about a system: its remote access capabilities, its ports and
services, and the aspects of its security.

In order to perform a successful hack on a system, it is best to know as much as you can,
if not everything, about that system. While there is nary a company in the world that
isn’t aware of hackers, most companies are now hiring hackers to protect their systems.
And since footprinting can be used to attack a system, it can also be used to protect it.
If you can find out anything about a system, the company that owns that system, with the
right personnel, can find out anything they want about you.

In this talk, I will explain what the many functions of footprinting are and what they do.
I’ll also footprint everyone’s favorite website, just to see how much info we can get on

¥ Open Source Footprinting

Open Source Footprinting is the easiest and safest way to go about finding information
about a company: information that is available to the public, such as phone numbers,
addresses, etc. Performing whois requests, searching through DNS tables, and scanning
certain IP addresses for open ports are other forms of open source footprinting. Most
of this information is fairly easy to get, and getting it is legal; legal is always good.

Most companies post a shit load of information about themselves on their website. A lot
of this information can be very useful to hackers, and the companies don’t even realize it.
It may also be helpful to skim through the webpage’s HTML source to look for comments.
Comments in HTML code are the equivalent of the small captions under the pictures in high
school science books. Some comments found in the HTML can hold small tidbits of info
about the company, otherwise not found anywhere else.

¥ Network Enumeration

Network Enumeration is the process of identifying domain names and associated networks.
The process involves performing various queries on the many whois databases found on the
internet. The result is that the hacker now has the information needed to attack the system
they are learning about. Companies’ domain names are listed with registrars, and the
hacker would simply query the registrar to obtain the information they are looking for.
The hacker simply needs to know which registrar the company is listed with. There are
five types of queries, which are as follows:

Registrar Query: This query gives information on potential domains matching the

Organizational Query: This is searching a specific registrar to obtain all
instances of the target’s name. The results show many different domains associated
with the company.

Domain Query: A domain query is based off of results found in an organizational
query. Using a domain query, you could find the company’s address, domain name,
administrator and his/her phone number, and the system’s domain servers. The
administrative contact could be very useful to a hacker as it provides a purpose
for a wardialer. This is also where social engineering comes into play. But
that’s a talk for another time. Many administrators now post false phone numbers
to protect themselves from this.

Network Query: The fourth method is to use the American Registry for Internet Numbers
(ARIN) to discover certain network blocks owned by a company. It’s good to use a
broad search here, as well as in the registrar query.

POC Query: This query finds the many IP addresses a machine may have.

¥ DNS Interrogation

After gathering the information needed using the above techniques, a hacker would begin to
query the DNS. A common problem with system administrators is allowing untrusted, or worse,
unknown users, to perform a DNS Zone Transfer. Many freeware tools can be found on the
internet and can be used to perform DNS interrogation. Tools such as nslookup, for PC, and
AGnet Tools, for Mac, are some common programs used for this.

¥ Other Helpful Techniques Used In Footprinting

Ping Sweep: Ping a range of IP addresses to find out which machines are awake.

TCP Scans: Scan ports on machines to see which services are offered. TCP scans
can be performed by scanning a single port on a range of IPs, or by scanning a
range of ports on a single IP. Both techniques yield helpful information.

UDP Scans: Send garbage UDP packets to a desired port. I normally don’t perform
UDP scans a whole lot because most machines respond with an ICMP ‘port unreachable’
message, meaning that no service is available.

OS Identification: This involves sending illegal ICMP or TCP packets to a machine.
The machine responds with unique invalid inputs and allows the hacker to find out what the
target machine is running.
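Seen from the other side, the ping sweeps and TCP scans described above leave a recognizable trace in firewall logs: one source touching many destinations, or many ports on one destination, inside a short window. The Python below is an added example and not part of the original talk. The log format, addresses and timestamps are constructed, and it also carries the obvious caveat, shown in the sample data: a sweep slow enough to stay under the threshold within the window is not flagged, so the window and thresholds are tuning knobs, not a guarantee.

```python
# Added example, not part of the original talk: flag ping sweeps and TCP port
# scans in firewall logs using a per-source sliding window of distinct targets.
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Optional, Tuple

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) proto=(?P<proto>\w+)"
    r"(?: type=(?P<type>\d+))?(?: dport=(?P<dport>\d+))?(?: flags=(?P<flags>\S+))?$"
)

# Constructed sample log (one event per line): a 12-host ICMP echo sweep and a
# 15-port SYN scan from 203.0.113.5, plus a one-ping-per-minute sweep and some
# normal traffic from 198.51.100.7.
SWEEP = [f"2013-03-28T10:00:{i % 10:02d} src=203.0.113.5 dst=192.0.2.{10 + i} proto=icmp type=8"
         for i in range(12)]
SCAN = [f"2013-03-28T10:00:{20 + i} src=203.0.113.5 dst=192.0.2.20 proto=tcp dport={20 + i} flags=S"
        for i in range(15)]
SLOW = [f"2013-03-28T10:{10 + i:02d}:00 src=198.51.100.7 dst=192.0.2.{30 + i} proto=icmp type=8"
        for i in range(12)]
NORMAL = [
    "2013-03-28T10:00:40 src=198.51.100.7 dst=192.0.2.20 proto=tcp dport=443 flags=S",
    "2013-03-28T10:00:41 src=198.51.100.7 dst=192.0.2.20 proto=tcp dport=443 flags=A",
]
LOG_LINES = SWEEP + SCAN + SLOW + NORMAL


def parse_line(line: str) -> Optional[Dict[str, object]]:
    """Parse one constructed log line; unknown lines are skipped, not fatal."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    event: Dict[str, object] = m.groupdict()
    event["ts"] = datetime.fromisoformat(m.group("ts"))
    return event


class _Window:
    """Count distinct keys seen within a sliding time window."""

    def __init__(self, window: timedelta) -> None:
        self.window = window
        self.events: Deque[Tuple[datetime, str]] = deque()
        self.counts: Counter = Counter()

    def add(self, ts: datetime, key: str) -> int:
        self.events.append((ts, key))
        self.counts[key] += 1
        while self.events and self.events[0][0] < ts - self.window:
            _, old = self.events.popleft()
            self.counts[old] -= 1
            if self.counts[old] == 0:
                del self.counts[old]
        return len(self.counts)


def detect_scans(lines: List[str], window_seconds: int = 60,
                 sweep_hosts: int = 10, scan_ports: int = 10) -> List[Tuple[str, ...]]:
    """Return sorted findings: ("ping_sweep", src) or ("port_scan", src, dst)."""
    events = [e for e in map(parse_line, lines) if e is not None]
    events.sort(key=lambda e: e["ts"])      # log order is not guaranteed
    window = timedelta(seconds=window_seconds)
    sweeps: Dict[str, _Window] = defaultdict(lambda: _Window(window))
    scans: Dict[Tuple[str, str], _Window] = defaultdict(lambda: _Window(window))
    findings = set()
    for e in events:
        if e["proto"] == "icmp" and e["type"] == "8":            # echo request
            if sweeps[e["src"]].add(e["ts"], e["dst"]) >= sweep_hosts:
                findings.add(("ping_sweep", e["src"]))
        elif e["proto"] == "tcp" and e["flags"] == "S":            # bare SYN
            if scans[(e["src"], e["dst"])].add(e["ts"], e["dport"]) >= scan_ports:
                findings.add(("port_scan", e["src"], e["dst"]))
    return sorted(findings)


if __name__ == "__main__":
    for finding in detect_scans(LOG_LINES):
        print(finding)
```

Widening the window catches the slow sweep in the sample at the cost of more state per source; in practice the thresholds are set from what normal traffic on the monitored segment looks like.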

How a lying ‘social engineer’ hacked Wal-Mart

LAS VEGAS (CNNMoney) — A Wal-Mart store manager in a small military town in Canada got an urgent phone call last month from “Gary Darnell” in the home office in Bentonville, Ark.

Darnell told the manager Wal-Mart had a multi-million-dollar opportunity to win a major government contract, and that he was assigned to visit the handful of Wal-Mart stores picked as likely pilot spots. First, he needed to get a complete picture of the store’s operations.

For about 10 minutes, Darnell described who he was (a newly hired manager of government logistics), the outlines of the contract (“all I know is Wal-Mart can make a ton of cash off it”) and the plans for his visit.

Darnell asked the manager about all of his store’s physical logistics: its janitorial contractor, cafeteria food-services provider, employee pay cycle and staff shift schedules. He learned what time the managers take their breaks and where they usually go for lunch.

Keeping up a steady patter about the new project and life in Bentonville, Darnell got the manager to give up some key details about the type of PC he used. Darnell quickly found out the make and version numbers of the computer’s operating system, Web browser and antivirus software.

Finally, Darnell directed the manager to an external website to fill out a survey to prep for the upcoming visit. The manager dutifully plugged the address into his browser. His computer blocked the connection, but Darnell wasn’t fazed. He said he’d call the IT department and have it unlocked.

The manager didn’t think that was a concern. “Sounds good,” he answered. “I’ll try again in a few hours.”

After thanking the manager for his help, Darnell made plans to follow up the next day. The manager promised to send Darnell over a list of good hotels in the area.

Then “Gary Darnell” hung up and stepped out of the soundproof booth he had been in for the last 20 minutes.

“All flags! All flags!” he announced, throwing his arms up in a V-for-Victory symbol.

His audience of some 100 spectators at the Defcon conference in Las Vegas burst into applause. They had been listening to both sides of the call through a loudspeaker broadcast.

“That was insane,” the person next to me murmured, shaking her head in appreciation.

Darnell is actually Shane MacDougall, the champion of this year’s social engineering “capture the flag” contest. He had pinched the identity of a real Wal-Mart executive, who had no idea his name was being used in MacDougall’s con.

MacDougall managed to capture every single data point, or “flag,” on the competition checklist — a first for the three-year-old event.

The hackers’ playground: Held every July, Defcon is where hackers come to swap tips and show off cutting-edge technical exploits.

The social engineering hackathon is an old-fashioned display of con artistry. With nothing more than a phone line and a really good story, a hacker can pry secrets loose from America’s biggest and most guarded corporations.

“Social engineering is the biggest threat to the enterprise, without a doubt,” MacDougall said after his call. “I see all these [chief security officers] that spend all this money on firewalls and stuff, and they spend zero dollars on awareness.”

MacDougall would know: The security firm he runs, Tactical Intelligence in Nova Scotia, specializes in a broad range of corporate espionage defense services. He regularly conducts social-engineering audits for clients, calling their employees to see what sensitive data he can extract.

In his view, it’s a battle everyone is losing. MacDougall picks his victims carefully. Sales employees are a favorite target: “As soon as they think there’s money, common sense goes out the window.”

When asked about the “hack,” Wal-Mart (WMT, Fortune 500) said it views MacDougall’s exploit as a cautionary tale.

“We take the safeguarding of our business information very seriously and we’re disappointed some basic information was shared,” Wal-Mart spokesman Dan Fogleman told CNNMoney.

“When you’re in the customer service business, sometimes our people can be a bit too helpful, as was the case here,” he said. “We emphasize techniques to avoid social engineering attacks in our training programs. We will be looking carefully at what took place and learn all we can from it in order to better protect our business.”

But Wal-Mart is not alone. Defcon’s game takes aim at a different set of major corporations each year. This year’s target list had nine other companies: UPS (NYSE), Verizon (VZ, Fortune 500), FedEx (FDX, Fortune 500), Shell, Exxon Mobil (XOM, Fortune 500), Target (TGT, Fortune 500), Cisco (CSCO, Fortune 500), Hewlett-Packard (HPQ, Fortune 500) and AT&T (T, Fortune 500).

Every single one gave up at least a few of the data points competitors sought.

“A lot of the attacks we saw this weekend could have been thwarted just by critical thinking,” contest organizer Chris Hadnagy said toward the end of the showdown. “We need to train people that it’s ok to say ‘no.'”

Defcon’s contestants are given two weeks to “passively” research their targets and gather any information they can get online. The best competitors come prepared with thick dossiers of background gathered from corporate sites and social networks like LinkedIn.

Then they have 20 minutes at the show to make phone calls. Live … while an audience watches.

The information they’re seeking from their targets includes sensitive corporate details like what e-mail software they use and the name of the outside contractor that cleans their office. Contestants don’t ask for dangerously personal information like passwords, Social Security numbers or customer data.

Another critical safeguard: The calls aren’t recorded. Nevada requires all parties to consent to phone taping, but there’s no law against broadcasting them live to an audience. That’s why the Defcon audience was legally allowed to listen in as MacDougall shook down Wal-Mart.

‘I just couldn’t do it’: Some contestants got nowhere with their calls, especially when they posed as outside marketers or researchers. Others froze up when they got a live human being on the line.

One first-time contestant landed a receptive HR representative, only to visibly collapse with guilt. She signaled the tech crew to cut the line.

“I just couldn’t do it,” she said afterward. “I’m an honest person. I didn’t realize it would feel so wrong to sit there lying.”

Then there were the competitors like John Carruthers, who dove in with glee. Carruthers, posing as a systems administrator for a Target data center in Minnesota, got a Target store manager on the line with his first phone call and proceeded to rattle off details about the company’s supplier software.

Trying to figure out why a software patch hadn’t been deployed, Carruthers deftly blended small talk — “I’ve got my son’s birthday that I’m trying to make it to” — with a ruthlessly efficient, technical interrogation.

In less than 10 minutes, he extracted all of the high-value flags he wanted. Then, with time left on the clock, he called a second store and repeated the entire stunt.

He had Target’s lingo nailed and had a surprising level of technical knowledge about the company. Carruthers reassured one mildly suspicious manager by citing her store number.

I asked Carruthers how he prepared for his calls. Are store numbers something Target releases publicly? “I used the store locator on Target’s website,” he answered. Pull up the details about a store and you’ll find the number included in the URL.

Target spokesman Antoine LaFromboise told CNNMoney that the company doesn’t consider store numbers confidential information. He added that Target “takes information protection very seriously.”

The contest has ruffled some feathers, but Hadnagy said that some companies actually appreciate having security flaws exposed.

“I’ve had a few call afterward and ask, ‘Hey, can you tell us more about how you did it?'” he said.

America’s top spymaster, National Security Agency director Gen. Keith Alexander, is one of the game’s fans.

Attending Defcon this year for the first time, Alexander dropped by to praise the competition for raising awareness about social engineering attackers and their methods. He even pulled Hadnagy aside for a private chat.

“He shook my hand and thanked me for teaching people to socially engineer,” Hadnagy said, sounding mildly stunned. “That’s the first time I’ve ever had that happen.”

Expert: This Is the Largest “Cyber” Attack in History

A distributed denial of service (DDoS) cyber attack against the network security company Spamhaus has had a very large impact. As a result of the attack, internet speeds around the world, especially in Europe, are reported to have kept slowing down.

Not only that, the attack is suspected of being able to cause worse effects than merely slower internet speeds.

According to several computer security experts, given the growing scale of the attack, users might be unable to access basic internet services such as e-mail and online banking.

How large is the scale of this cyber attack, really? According to Matthew Prince, Chief Executive of CloudFlare, this DDoS attack can be called the largest in history.

For the record, CloudFlare is the company Spamhaus appointed to protect it from this DDoS attack.

“This attack is like a nuclear bomb. It is easy for it to produce such enormous damage,” Prince said, as quoted by the NY Times on Thursday (28/3/2013).

The DDoS attack also reached an extraordinarily large volume, namely 300 billion bits per second. It is said that this attack was tens of times larger than a typical DDoS attack.

“These are real numbers. This is the largest DDoS attack in the history of the internet,” said Patrick Gilmore, Chief Architect of Akamai Technologies, a digital content delivery company.

The attack is believed to have begun when Spamhaus added a Dutch company, Cyberbunker, to its blacklist. Spamhaus is a company that produces blacklists used by internet service providers as a reference for blocking malicious websites.

Cyberbunker, meanwhile, is a data hosting service that allows its users to store any data except child pornography and material related to terrorism.

Cyberbunker has not actually been directly accused of being responsible for the attack. However, a person claiming to be Cyberbunker’s spokesman, Sven Olaf Kamphuis, gave a statement that put the company under suspicion. Kamphuis told the BBC that Spamhaus should not be able to decide “what is and is not allowed on the internet”.