Worth Reading: The venerable, vulnerable firewall

There is no network security technology more ubiquitous than the firewall. With nearly three decades of deployment history and a growing myriad of corporate and industrial compliance policies mandating its use, no matter how irrelevant you may think a firewall is in preventing today’s spectrum of cyber threats, any breached corporation found without the technology can expect to be hung, drawn, and quartered by both shareholders and industry experts alike. … From a hacker’s perspective, with most targeted systems providing HTTP or HTTPS services, firewalls have rarely been a hindrance to breaching a network and siphoning data. What many people fail to realize is that the firewall is itself a target of particular interest — especially to sophisticated adversaries. Sitting at the very edge of the network and rarely configured or monitored for active compromise, the firewall represents a safe and valuable beachhead for persistent and targeted attacks. —CircleID

The post Worth Reading: The venerable, vulnerable firewall appeared first on 'net work.

Elephant Flows, Fabrics, and I2RS

The last post in this series on I2RS argues that this interface is designed to augment, rather than replace, the normal, distributed routing protocol. What sort of use case could we construct that would use I2RS in this way? What about elephant flows in data center fabrics? An earlier post considers how to solve the elephant flow using segment routing (SR); can elephant flows also be guided using I2RS? The network below will be used to consider this question.

Assume that A hashes a long lived elephant flow representing some 50% of the total bandwidth available on any single link in the fabric towards F. At the same time, A will hash other flows, represented by the red flow lines, onto each of the three links towards the core of the fabric in pretty much equal proportion. Smaller flows that are hashed onto the A->F link will likely suffer, while flows hashed onto the other two links will not.

This is a particularly bad problem in applications that have been decomposed into microservices, as the various components of the application tend to rely on fairly fixed delay and jitter budgets over the network to keep everything synchronized and running quickly. Continue reading

Worth Reading: Digital Racket

Has our enslavement to dopamine — to the instant hits of validation that come with a well-crafted tweet or Snapchat streak — made us happier? I suspect it has simply made us less unhappy, or rather less aware of our unhappiness, and that our phones are merely new and powerful antidepressants of a non-pharmaceutical variety. —NY Mag, via Ethan Banks

The post Worth Reading: Digital Racket appeared first on 'net work.

Worth Reading: What is segment routing?

Do you remember source routing, used in token ring bridging networks? If you’re relatively new to networking, you may not know about it. In source routing, the hosts determine the path to take through the network and build a frame header that specifies the forwarding nodes that the frame should pass through as it goes from source to destination. The token ring implementation typically used special frames called explorer packets to discover the set of paths from source to destination. Too many explorer packets could cause overloading problems with the network nodes (source route bridges) and with the hosts that had to process them, much like a broadcast storm in Ethernet networks. —Netcraftsmen

The post Worth Reading: What is segment routing? appeared first on 'net work.

Grand Staircase

The post Grand Staircase appeared first on 'net work.

Worth Reading: The biggest attack in internet history

For a long time, Akamai offered their DOS protection service to Krebs pro bono, both as a public service and because it’s fantastic advertising. Brian is perhaps the most high-profile target for cyber-criminals: if Akamai can defend his site, they can defend anybody’s. But it would appear Brian’s latest round of reporting—including both the Israeli arrests and outing the fact that an anti-DOS service’s former owner appeared to control a huge DOS botnet—has managed to annoy someone enough to launch a DOS attack that not only disrupted Kreb’s site but actually caused disruption to Akamai’s other services! This attack was so disruptive that Akamai had to prioritize their paying customers and stop supporting Kreb’s site. —LawFare

The post Worth Reading: The biggest attack in internet history appeared first on 'net work.

Worth Reading: A digital rumor should never lead to a police raid

If police raided a home based only on an anonymous phone call claiming residents broke the law, it would be clearly unconstitutional. Yet EFF has found that police and courts are regularly conducting and approving raids based on the similar type of unreliable digital evidence: Internet Protocol (IP) address information. In a whitepaper released today, EFF challenges law enforcement and courts’ reliance on IP addresses, without more, to identify the location of crimes and the individuals responsible. —EFF

The post Worth Reading: A digital rumor should never lead to a police raid appeared first on 'net work.

Worth Reading: the growing problem of bots that fight on line

“An increasing number of decisions, options, choices, and services depend now on bots working properly, efficaciously, and successfully,” say Taha Yasseri and pals at the University of Oxford in the U.K. “Yet, we know very little about the life and evolution of our digital minions.” This raises an interesting question. How do bots interact with each other? And how do these interactions differ from the way humans interact? —MIT Technology Review

The post Worth Reading: the growing problem of bots that fight on line appeared first on 'net work.

Worth Reading: Upstream surveillence

First disclosed as part of the Snowden revelations, Upstream surveillance involves the NSA’s bulk interception and searching of Americans’ international Internet communications — including emails, chats, and web-browsing traffic — as their communications travel the spine of the Internet between sender and receiver. If you send emails to friends abroad, message family members overseas, or browse websites hosted outside of the United States, the NSA has almost certainly searched through the contents of your communications — and it has done so without a warrant. —Just Security

The post Worth Reading: Upstream surveillence appeared first on 'net work.

But it’s a Virtual Ocean

The post But it’s a Virtual Ocean appeared first on 'net work.

Worth Reading: Hollywood and ‘net neutrality

70% of all U.S. bandwidth – is consumed by video streaming. Netflix all by itself – uses 37%. Netflix and YouTube-owning-Google all by themselves – use 50%. And Amazon – in addition to their inordinately busy online shopping mega-mall – offers video-content-streaming Amazon Prime. And thanks to uber-stupid Net Neutrality – these bandwidth hogs don’t have to pay for their unlimited time at the trough. Even though they’re consuming more than half the bill of fare. —Heartland

The post Worth Reading: Hollywood and ‘net neutrality appeared first on 'net work.

Worth Reading: Project autobuild

LinkedIn’s data center infrastructure has grown at a massive scale. Starting with one server setup, one cabinet at a time, we’re now powering on hundreds of servers at a time and seeing them come online automatically. You could call it “Zero Touch Provisioning” for systems. This evolution presented us with many challenges, however. This post will describe how our Systems Platform team solved several of the problems they faced during this transformation by using a combination of innovations from the open source community and the team’s own technical talent. —LinkedIn Engineering Blog

The post Worth Reading: Project autobuild appeared first on 'net work.

Being an Effective Interviewer

One challenging aspect of being an engineer is interviewing other engineers. The interview process is rife with various problems, including the discomfort of interviewing someone who you perceive as being a better engineer than you are, or figuring out how to draw out actual engineering skill versus simply finding out how much someone has memorized. Does that CCIE or degree on their resume really mean anything? What does an effective network engineering interview look like?

There are, of course, several different theories “out there.” For instance, some companies focus on giving candidates “real world” problems to solve, and checking with them several days later to see how they’ve done. This is potentially useful, but quite often I find my best work is done with a team, rather than by myself. Such systems seem to tend towards pitting the candidate against well known or well established problem sets, which can easily revert back to memorization skills, or towards difficult/obtuse problems. Either way, this doesn’t test the candidate’s ability to work in a team, or interact with others in solving difficult problems.

What about tossing other sorts of puzzles towards the candidate to see how they do? This also seems problematic Continue reading

Worth Reading: Pre-Internet digital communications

The Internet is a platform for universal communication. You can plug a device into any Internet connection, and provided it speaks TCP/IP, you can communicate with any other point on earth. But before the Internet, even before ARPANET, people and devices needed to talk. I thought I would take a look at some of the technologies which enabled people to communicate in a pre-Internet world. —eager

The post Worth Reading: Pre-Internet digital communications appeared first on 'net work.

Worth Reading: The Internet revolution is nothing to email home about

Economist Robert Gordon argues that the Second Industrial Revolution, entailing developments in electricity, internal combustion engines, modern communications, entertainment, petroleum/hydrocarbons, and chemicals, has had the most impact on productivity and living standards. By comparison, the Third Industrial Revolution, based around computing and the internet, appears to be less important. —Market Watch

The post Worth Reading: The Internet revolution is nothing to email home about appeared first on 'net work.

snaproute Go BGP Code Dive (11): Moving to Open Confirm

In the last post in this series, we began considering the bgp code that handles the open message that begins moving a new peer to open confirmed state. This is the particular bit of code of interest—

case BGPEventBGPOpen:
  st.fsm.StopConnectRetryTimer()
  bgpMsg := data.(*packet.BGPMessage)
  if st.fsm.ProcessOpenMessage(bgpMsg) {
    st.fsm.sendKeepAliveMessage()
    st.fsm.StartHoldTimer()
    st.fsm.ChangeState(NewOpenConfirmState(st.fsm))
  }

We looked at how this code assigns the contents of the received packet to bgpMsg; now we need to look at how this information is actually processed. bgpMsg is passed to st.fsm.ProcessOpenMessage() in the next line. This call is preceded by the st.fsm, which means this function is going to be found in the FSM, which means fsm.go. Indeed, func (fsm *FSM) ProcessOpenMessage... is around line 1172 in fsm.go—

func (fsm *FSM) ProcessOpenMessage(pkt *packet.BGPMessage) bool {
 body := pkt.Body.(*packet.BGPOpen)

 if uint32(body.HoldTime) < fsm.holdTime {
  fsm.SetHoldTime(uint32(body.HoldTime), uint32(body.HoldTime/3))
 }

 if body.MyAS == fsm.Manager.gConf.AS {
  fsm.peerType = config.PeerTypeInternal—
 } else {
  fsm.peerType = config.PeerTypeExternal
 }

 afiSafiMap := packet.GetProtocolFromOpenMsg(body)
 for protoFamily, _ := range afiSafiMap {
  if fsm. Continue reading

Worth Reading: Source code is not standards

One of the oft-repeated messages of the Software-Defined Pundits is “Standard bodies are broken, (open) source code is king”… and I’d guess that anyone who was too idealistic before being exposed to how the sausage is being made within IETF has no problems agreeing with them. However… —ipspace

The post Worth Reading: Source code is not standards appeared first on 'net work.

Worth Reading: Organizational Doxing and Disinformation

In the past few years, the devastating effects of hackers breaking into an organization’s network, stealing confidential data, and publishing everything have been made clear. It happened to the Democratic National Committee, to Sony, to the National Security Agency, to the cyber-arms weapons manufacturer Hacking Team, to the online adultery site Ashley Madison, and to the Panamanian tax-evasion law firm Mossack Fonseca. —Schneier on Security

The post Worth Reading: Organizational Doxing and Disinformation appeared first on 'net work.

Plastic Frog on a Plastic Log

The post Plastic Frog on a Plastic Log appeared first on 'net work.

Worth Reading: Google as an advertising gatekeeper

When Google decided in May to stop accepting online ads for short-term, ultra-high-cost personal loans known as payday loans, some people wondered whether the company was acting more like a publisher exercising editorial control than a supposedly neutral search engine. Now that Google’s policy has gone into effect, it’s worth asking: To what extent should the company be a gatekeeper, judging which online ads are okay and which are not? And if the world’s largest Internet search engine is going to be selective about accepting ads, where does it draw the line? —MIT Technology Review

The post Worth Reading: Google as an advertising gatekeeper appeared first on 'net work.