BGP Hijacks: Two more papers consider the problem

The security of the global Default Free Zone DFZ) has been a topic of much debate and concern for the last twenty years (or more). Two recent papers have brought this issue to the surface once again—it is worth looking at what these two papers add to the mix of what is known, and what solutions might be available. The first of these—

Demchak, Chris, and Yuval Shavitt. 2018. “China’s Maxim – Leave No Access Point Unexploited: The Hidden Story of China Telecom’s BGP Hijacking.” Military Cyber Affairs 3 (1). https://doi.org/10.5038/2378-0789.3.1.1050.

—traces the impact of Chinese “state actor” effects on BGP routing in recent years. Whether these are actual attacks, or mistakes from human error for various reasons generally cannot be known, but the potential, at least, for serious damage to companies and institutions relying on the DFZ is hard to overestimate. This paper lays out the basic problem, and the works through a number of BGP hijacks in recent years, showing how they misdirected traffic in ways that could have facilitated attacks, whether by mistake or intentionally. For instance, quoting from the paper—

The Push to Modernize at William & Mary

 

At William & Mary, our IT infrastructure team needs to be nimble enough to support a leading-edge research university — and deliver the stability expected of a 325 year old institution. We’re not a large school, but we have a long history. We’re a public university located in Williamsburg, Virginia, and founded in 1693, making us the second-oldest institution of higher education in America. Our alumni range from three U.S. presidents to Jon Stewart.

The Linux team in the university’s central IT department is made up of 5 engineers. We run web servers, DNS, LDAP, the backend for our ERP system, components of the content management system, applications for administrative computing, some academic computing, plus a long list of niche applications and middleware. In a university environment with limited IT resources, legacy applications and infrastructure are expensive and time-consuming to keep going.

Some niche applications are tools built by developers in university departments outside of IT. Others are academic projects. We provide infrastructure for all of them, and sometimes demand can ramp up quickly. For instance, an experimental online course catalog was discovered by our students during a registration period. Many students decided they liked the experimental version Continue reading

The Week in Internet News: Companies Fear AI Will Destroy Business Models

AI against businesses: More than 40 percent of U.K. companies believe Artificial Intelligence will destroy their business models within five years, according to a Microsoft survey featured on CNBC.com. Still, more than half of businesses in the U.K. have no AI strategy. And while 45 percent workers are concerned their job could be replaced by AI, 51 percent are not learning skills to prepare for the changes.

Government AI board: Meanwhile, Public Knowledge, a digital rights advocacy group, has called on the U.S. government to create a new federal authority to develop AI expertise, as a way to effectively regulate and govern the technology, reports IP-watch.org. “The rapid and pervasive rise of artificial intelligence risks exploiting the most marginalized and vulnerable in our society,” the group argues.

Math against fake news: Professors from the U.K. and Switzerland have released a mathematical definition of fake news, in the hope that it will give lawmakers ideas on how to combat it, Phys.org says. The researchers have also introduced a model for fake news that can be used to study the phenomenon.

Vietnam against fake news: A new cybersecurity law in Vietnam is intended to combat Continue reading

Check Point CloudGuard now supports North-South service insertion for NSX-T Data Center

With VMworld Europe just around the corner, we are excited to announce that our valued partner Check Point’s product CloudGuard has met all the certification requirements for NSX-T Data Center North-South service insertion! This is the first such certification following the recent release of version 2.3. It is particularly exciting given that NSX-T is designed to connect and protect workloads running in multiple environments like public clouds and on-premises data centers, and CloudGuard for North-South traffic works at the point of connection between these networks. 

Enhancing security gateway capabilities with Check Point’s CloudGuard for traffic moving between virtual machines and external networks secures your assets and data in the cloud against even the most sophisticated threats, with multi-layered protections including: Firewall, IPS, Application Control, IPsec VPN, Antivirus, Anti-Bot, and award-winning SandBlast Threat Emulation and Threat Extraction technologies.  

NSX-T Data Center was designed with the concept of service insertion top of mind, enabling users with specific needs to seamlessly add third party applications at various points throughout the network. Having a robust ecosystem of partners is key to providing maximum flexibility for NSX-T Data Center, enabling you to add partner functionality that is tailored to your unique requirements without degrading performance elsewhere in the SDDC. Partner applications are Continue reading

Intel To Challenge AMD With 48 Core “Cascade Lake” Xeon AP

AMD is hosting its “Next Horizon” datacenter event in San Francisco this week, and archrival Intel, which is losing some market share to AMD but not feeling the pain on its books yet thanks to a massive buildout in server infrastructure at hyperscalers, cloud builders, and smaller service providers like telcos, is hitting back by divulging some of its plans for next year’s “Cascade Lake” Xeon lineup.

Intel To Challenge AMD With 48 Core “Cascade Lake” Xeon AP was written by Timothy Prickett Morgan at .

ELK series: Monitoring MySQL database with ELK stack

In an effort to diversify the blog content, I am introducing new series about other technologies than Cisco, that make the life of a network engineer easier. These technologies include but not limited to Juniper, logging analysis with ELK stack, Docker swarm, Kubernetes, Rancher, DevOps, Public Clouds (AWS, GCP…), Linux, Python programming, etc…   In […]

Sharding the shards: managing datastore locality at scale with Akkio

Sharding the shards: managing datastore locality at scale with Akkio Annamalai et al., OSDI’18

In Harry Potter, the Accio Summoning Charm summons an object to the caster of the spell, sometimes transporting it over a significant distance. In Facebook, Akkio summons data to a datacenter with the goal of improving data access locality for clients. Central to Akkio is the notion of microshards (μ-shards), units of data much smaller than a typical shard. μ-shards are defined by the client application, and should exhibit strong access locality (i.e., the application tends to read/write the data in a μ-shard together in a small window of time). Sitting as a layer between client applications and underlying datastores, Akkio has been in production at Facebook since 2014, where it manages around 100PB of data.

Measurements from our production environment show that Akkio reduces latencies by up to 50%, cross-datacenter traffic by up to 50%, and storage footprint by up to 40% compared to reasonable alternatives.

Akkio can support trillions of μ-shards and many 10s of millions of data access requests per second.

Motivation

Our work in this area was initially motivated by our aim to reduce service response times and resource Continue reading

Working with distance sensor – solving overhead water tank problem

This is not a networking post.

Schematic , sensor code and spec  – https://www.linuxnorth.org/raspi-sump

My code – https://github.com/yukthr/auts/blob/master/random_programs/water_sensor.py

1x Breadboard

1x Raspberry pi zero w

1xhcsr04 ultrasonic sensor

2x1kohm resistors

 

Just as a side note i do not have any intro into resistors nor electronics, but what all i did was to follow some posts written by people who already did it, its not hard believe me, if i could do it any one should easily be able to do it as am very far away from electronics and programming, so let these things not overwhelm you.

 

Problem – Am not sure in other parts of the world, but place I live has an over head water Tank which stores water. So every day you technically turn on a water motor which sucks water from a reserve under the ground and pumps it to all the the way to a three store high building

So what’s the issue – The issue is that we have no clue what’s the current water level in the tank nor how long would it take to fill the water tank. There are two tribal ways by which we Continue reading

Brian Kemp is bad on cybersecurity

I'd prefer a Republican governor, but as a cybersecurity expert, I have to point out how bad Brian Kemp (candidate for Georgia governor) is on cybersecurity. When notified about vulnerabilities in election systems, his response has been to shoot the messenger rather than fix the vulnerabilities. This was the premise behind the cybercrime bill earlier this year that was ultimately vetoed by the current governor after vocal opposition from cybersecurity companies. More recently, he just announced that he's investigating the Georgia State Democratic Party for a "failed hacking attempt".


According to news stories, state elections websites are full of common vulnerabilities, those documented by the OWASP Top 10, such as "direct object references" that would allow any election registration information to be read or changed, as allowing a hacker to cancel registrations of those of the other party.

Testing for such weaknesses is not a crime. Indeed, it's desirable that people can test for security weaknesses. Systems that aren't open to test are insecure. This concept is the basis for many policy initiatives at the federal level, to not only protect researchers probing for weaknesses from prosecution, but to even provide bounties encouraging them to do so. Continue reading

IETF 103, Day 1: IPv6, TLS, DNS Privacy & Other Crypto

The Working Group sessions start tomorrow at IETF 103 in Bangkok, Thailand, and we’re bringing you daily blog posts highlighting the topics of interest to us in the ISOC Internet Technology Team. Only four days have been scheduled for the working groups this time around, which means there’s a lot of pack into each day; with Monday being no exception.

V6OPS is a key group and will be meeting on Monday morning starting at 09.00 UTC+7. It’s published four RFCs since its last meeting, including Happy Eyeballs v2, and this time will kick-off with a presentation on the CERNET2 network which is an IPv6-only research and education in China.

There’s also four drafts to be discussed, including three new ones. IPv6-Ready DNS/DNSSSEC Infrastructure recommends how DNS64 should be deployed as it modifies DNS records which in some circumstances can break DNSSEC. IPv6 Address Assignment to End-Sites obsoletes RFC 6177 with best current operational practice from RIPE-690 that makes recommendations on IPv6 prefix assignments, and reiterates that assignment policy and guidelines belong to the RIR community. Pros and Cons of IPv6 Transition Technologies for IPv4aaS discusses different use case scenarios for the five most prominent IPv4-as-a-service (IPv4aaS) transitional technologies, Continue reading

Ansible and Infoblox: Roles Deep Dive

Ansible_and_Infoblox

As Sean Cavanaugh mentioned in his earlier Infoblox blog post, the release of Ansible 2.5 introduced a lookup plugin, a dynamic inventory script, and five modules that allow for Infoblox automation. A combination of these modules and lookups in a role provides a powerful DNS automation framework.

Summary

Today we are going to demonstrate how automating Infoblox Core Network Services using Ansible can help make managing IP addresses and routing traffic across your network easy, quick, and reliable. Your network systems for virtualization and cloud require rapid provisioning life cycles; Infoblox helps you manage those lifecycles. When paired with Infoblox, Ansible lets you automate that work. Ansible’s integration with Infoblox is flexible and powerful: you can automate Infoblox tasks with modules or with direct calls to the Infoblox WAPI REST API.

This post will walk you through six real-world scenarios where Ansible and Infoblox can streamline your network tasks:

  1. Creating a provider in one place that is reusable across a collection of roles.
  2. Expanding your network by creating a new subnet with a forward DNS zone. Ansible modules for Infoblox make this common two-part task simple.
  3. Creating a reverse DNS zone, for example, to flag email from any Continue reading
1 1,410 1,411 1,412 1,413 1,414 3,841