Category Archives for "CloudFlare"

Why is there a “V” in SIGSEGV Segmentation Fault?

Another long night. I was working on my perfect, bug-free program in C, when the predictable thing happened:

$ clang skynet.c -o skynet
$ ./skynet
Segmentation fault (core dumped)

Oh, well... Maybe I'll be more lucky taking over the world another night. But then it struck me. My program received a SIGSEGV signal and crashed with a "Segmentation Fault" message. Where does the "V" come from?

Did I read it wrong? Was there a "Segmentation Vault"? Or did Linux authors make a mistake? Shouldn't the signal be named SIGSEGF?

I asked my colleagues and David Wragg quickly told me that the signal name stands for "Segmentation Violation". I guess that makes sense. A long, long time ago, computers used to have memory segmentation. Each memory segment had a defined length, called the Segment Limit. Accessing data over this limit caused a processor fault. This error code got re-used by newer systems that used paging. I think the Intel manuals call this error "Invalid Page Fault". When it's triggered it gets reported to userspace as a SIGSEGV signal. End of story.

Or is it?

Martin Levy pointed me to ancient Version 6 UNIX documentation on "signal". This is Continue reading

Virtual Interning Offers Unique Challenges and Opportunities

I am in my third year at Northeastern University, pursuing an undergraduate degree in Marketing and Psychology. Five months ago I joined Cloudflare as an intern on the APAC Marketing team in the beautiful Singapore office. When searching for internships, Cloudflare stood out as a place I could gain skills in marketing, learn from amazing mentors, and have space to take ownership in projects. As a young, but well-established company, Cloudflare provides the resources for their interns to work cross-functionally and creatively and truly be a part of the exponential growth of the company.

My experience at Cloudflare

Earlier this week, I hopped on a virtual meeting with a few coworkers, thinking everything was set to record a webinar. As I shared my screen to explain how to navigate the platform, I realised the setup was incorrect and we couldn’t start on time. Due to the virtual nature of the meeting, my coworkers didn’t see the panic on my face and had no idea what was going on. I corrected the issue and set up an additional trial run session, issuing apologies to both coworkers. They both took it in stride and expressed that it happens to the Continue reading

Introducing Cache Analytics

Today, I’m delighted to announce Cache Analytics: a new tool that gives deeper exploration capabilities into what Cloudflare’s caching and content delivery services are doing for your web presence.

Caching is the most effective way to improve the performance and economics of serving your website to the world. Unsurprisingly, customers consistently ask us how they can optimize their cache performance to get the most out of Cloudflare.

With Cache Analytics, it’s easier than ever to learn how to speed up your website, and reduce traffic sent to your origin. Some of my favorite capabilities include:

  • See what resources are missing from cache, expired, or never eligible for cache in the first place
  • Slice and dice your data as you see fit: filter by hostnames, or see a list of top URLs that miss cache
  • Switch between views of requests and data transfer to understand both performance and cost
An overview of Cache Analytics

Cache Analytics is available today for all customers on our Pro, Business, and Enterprise plans.

In this blog post, I’ll explain why we built Cache Analytics and how you can get the most out of it.

Why do we need analytics focused on caching?

If you want Continue reading

Using data science and machine learning for improved customer support

In this blog post we’ll explore three data science tricks that helped us solve real problems for our customer support group and our customers: two for natural language processing in a customer support context and one for identifying Internet attack traffic.

Through these examples, we hope to demonstrate how invaluable data processing tricks, visualisations and tools can be before putting data into a machine learning algorithm. By refining data prior to processing, we are able to achieve dramatically improved results without needing to change the underlying machine learning strategies which are used.

Know the Limits (Language Classification)

When browsing a social media site, you may find the site prompts you to translate a post even though it is in your language.

We recently came across a similar problem at Cloudflare when we were looking into language classification for chat support messages. Using an off-the-shelf classification algorithm, users with short messages often had their chats classified incorrectly and our analysis found there’s a correlation between the length of a message and the accuracy of the classification (based on the browser Accept-Language header and the languages of the country where the request was submitted):

On a Continue reading

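Network-Layer DDoS Attack Trends for Q1 2020

As we closed out the first quarter of 2020, we set out to understand whether, and if so how, DDoS attack trends had shifted during this unprecedented period of global stay-at-home orders. Since then, traffic levels have increased by more than 50% in many countries, but have DDoS attacks increased as well?

Traffic increases are seen during holiday seasons. During these periods, people shop and order food online, play online games, and enjoy a variety of other online activities. The increased usage translates into higher revenue per minute for companies that provide all kinds of online services.

Downtime or service degradation during these peak times can quickly lead to user churn and significant loss of revenue. ITIC estimates that the average cost of an outage is $5,600 per minute, which equates to over $300,000 per hour. It is therefore not surprising that attackers take advantage of this opportunity by launching more DDoS attacks during holiday seasons.

The current pandemic has a similar cause and effect. Many people are forced to stay at home. Their increased reliance on online services to get through their daily work is driving a surge in both Internet traffic and DDoS attacks.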

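The rise of small, short attacks

Most of the attacks we observed in Q1 2020 were relatively small as measured by bit rate. As shown in the following figure, 92% of attacks in Q1 2020 were under 10 Gbps, compared to 84% in Q4 2019.

Digging deeper, the distribution of attacks under 10 Gbps in Q1 shows an interesting shift compared to the previous quarter. In Q4 of last year, 47% of network-layer DDoS attacks peaked at 500 Mbps or below, whereas in Q1 of this year that figure increased to 64%.

From a packet-rate perspective, the majority of attacks peaked at 1 million pps or below. Together with the bit rate, this rate indicates that attackers are not concentrating their effort or resources on generating high-rate floods, whether measured in bits or packets per second.

However, it is not only packet and bit rates that are decreasing; attack durations are decreasing as well. The figure below shows that 79% of DDoS attacks in Q1 lasted 30 to 60 minutes, a 19% increase from 60% in Q4.

These three trends can be explained as follows:

  • Launching DDoS attacks is cheap and does not require much technical knowledge. DDoS-as-a-service tools have made it possible for bad actors with no expertise to launch DDoS attacks quickly, easily, cost-effectively, and without using much bandwidth. According to Kaspersky, DDoS attack services can cost as little as $5 for a 300-second (5-minute) attack. In addition, even amateur attackers can easily use free tools to generate floods of packets. As we describe in the next section, 13.5% of all DDoS attacks in Q1 were generated using variants of the publicly available Mirai code.
  • Attacks under 10 Gbps may seem small, but they are large enough to affect unprotected Internet properties. Smaller, quicker attacks may offer attackers a high ROI for extorting a ransom from companies in exchange for not disrupting the availability of the Internet property.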

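Large attacks still exist, albeit in small numbers

While the majority of attacks are under 10 Gbps, large attacks are still prevalent. The graph below shows the trend in the maximum bit rate of network-layer DDoS attacks that Cloudflare observed and mitigated in Q4 2019 and Q1 2020. The largest attack this quarter occurred in March and peaked just above 550 Gbps.

If at first you don't succeed, try, try again

Persistent attackers are the type that do not give up when an attack fails. They try again and again. They launch multiple attacks at their target, sometimes using multiple attack vectors. During the Q4 2019 holiday season, attackers persistently launched as many as 523 DDoS attacks in one day against a single Cloudflare IP. Each Cloudflare IP under attack was targeted by an average of 4.6 DDoS attacks every day.

During Q1, as countries began COVID-19 lockdowns, we saw a substantial increase in the number of attacks compared to the usual monthly average. We had not seen an increase like this since Q4 2019. However, there was an interesting difference: the current attacks appeared to be less persistent than those during the holiday season. In Q1 2020, the average persistence rate dropped to 2.2 attacks per Cloudflare IP address per day, and the maximum number of attacks on a single IP address was 311. This was a 40% reduction compared to the previous quarter's holiday season.

Over the past two quarters, the average number of attack vectors used in DDoS attacks per IP per day was largely constant at about 1.4, with a maximum of 10.

This quarter, we saw 34 types of attack vectors at layers 3/4. ACK attacks accounted for the largest share in Q1 (50.1%), followed by SYN attacks at 16.6%. Mirai came third and still accounts for a significant share of attacks (15.4%). Combined, SYN and ACK DDoS attacks (TCP) make up 66% of all layer 3/4 attack vectors in Q1.

Top attack vectors

All attack vectors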

Attack Vector Percent in Q1
ACK 50.121%
SYN 16.636%
Mirai 15.404%
UDP 5.714%
LDAP 2.898%
SSDP 2.833%
DNS 2.677%
Other 0.876%
QUIC 0.527%
NTP 0.373%
RST 0.353%
Memcached 0.296%
ChargeGen 0.236%
WS Discovery 0.221%
ACK-PSH 0.208%
SNMP 0.159%
VSE 0.081%
MSSQL 0.079%
ICMP 0.072%
Bittorrent 0.056%
OpenVPN 0.046%
Dahua 0.032%
GRE 0.022%
TFTP 0.014%
LOIC 0.014%
STUN 0.011%
Lantronix 0.009%
CoAP 0.008%
Jenkins 0.006%
VXWorks 0.005%
Ubiquity 0.005%
TeamSpeak 0.004%
XMAS 0.003%
SPSS 0.001%

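Unfortunately, a crisis is sometimes an opportunity for malice

The number of DDoS attacks in March 2020 increased compared to January and February. As shown below, attackers saw this time of crisis as a prime opportunity to increase DDoS attacks.

Furthermore, as government authorities in various countries began mandating lockdowns and shelter-in-place orders, attackers increased the number of large attacks in late March. In the second half of March (March 16-31), 55% more attacks were detected than in the first half (March 1-15). In addition, 94% of the attacks peaking at 300-400 Gbps occurred in March.

Stop DDoS attacks close to the source, regardless of size

The DDoS landscape is constantly changing, and it is important to have a comprehensive, adaptive DDoS protection solution. In light of the attack insights above, here is how Cloudflare stays ahead of these changes to protect our customers.

  • As attacks continue to shrink in rate and duration, SLAs with a time-to-mitigate of up to 15 minutes, as legacy vendors have offered, are not practical. Cloudflare mitigates network-layer DDoS attacks in under 10 seconds in most cases, which is critical for countering ever-shorter attacks. Read more here about our latest DDoS detection and mitigation system, which detects and mitigates DDoS attacks automatically, quickly, and at scale.
  • More DDoS attacks have become localized in recent years. This means that legacy DDoS solutions that take a scrubbing-center approach are impractical: their global coverage is limited, and they become a choke point because DDoS traffic has to be hauled through the centers. Cloudflare's unique distributed architecture spans 200 cities worldwide and equips every one of its data centers with full DDoS mitigation capabilities.
  • Large, distributed volumetric attacks still exist and are used by resourceful attackers when the opportunity arises. With attacks exceeding 1 Tbps expected in the future, the ability to mitigate large DDoS attacks is important for today's DDoS solutions. Cloudflare has one of the most interconnected networks in the world, with a capacity of over 35 Tbps, which allows it to mitigate even the largest DDoS attacks. This massive network capacity, together with the globally distributed architecture, allows Cloudflare to mitigate attacks of any size close to the source.

To learn more about Cloudflare's DDoS solution, contact us here or get started now.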

Health Check Analytics and how you can use it

At the end of last year, we introduced Standalone Health Checks - a service that lets you monitor the health of your origin servers and avoid the need to purchase additional third party services. The more you can control from Cloudflare, the more you reduce maintenance cost, vendor management, and infrastructure complexity. This is important as it ensures you are able to scale your infrastructure seamlessly as your company grows. Today, we are introducing Standalone Health Check Analytics to help decrease your time to resolution for any potential issues. You can find Health Check Analytics in the sub-menu under the Traffic tab in your Cloudflare Dashboard.

As a refresher, Standalone Health Checks is a service that monitors an IP address or hostname for your origin servers or application and notifies you in near real-time if there happens to be a problem. These Health Checks support fine-tuned configurations based on expected codes, interval, protocols, timeout and more. These configurations enable you to properly target your checks based on the unique setup of your infrastructure. An example of a Health Check can be seen below which is monitoring an origin server in a staging environment with a notification set via email.

Once you set Continue reading

Project Galileo’s 6th year Anniversary: The Impact of COVID-19 on the most vulnerable groups on the Internet

Consistent with our mission to “help build a better Internet,” Cloudflare believes that one of the most important roles for the Internet is to empower marginalized voices that may not be heard, or bring together oppressed groups of people that may otherwise find themselves isolated and alone. Six years ago, Cloudflare started Project Galileo to provide free services to vulnerable nonprofits, journalism and independent media voices online who might otherwise be in danger of being silenced by cyberattacks. Much has changed in the past couple of months as the COVID-19 pandemic has transformed the world while the United States faces a wave of protests addressing racial violence and inequality. These events have put further strain on vulnerable groups working in these spaces, and we have seen many organizations step up to ensure that those who are most affected by these circumstances are protected. At Cloudflare, we believe that protecting these groups from attack is essential to helping build a better Internet.

We are excited to mark the 6th anniversary of the project this month, and it is a good time for us to reflect, talk to participants, and see how the Project has grown and changed over the course of Continue reading

High Availability Load Balancers with Maglev

Background

We run many backend services that power our customer dashboard, APIs, and features available at our edge. We own and operate physical infrastructure for our backend services. We need an effective way to route arbitrary TCP and UDP traffic between services and also from outside these data centers.

Previously, all traffic for these backend services would pass through several layers of stateful TCP proxies and NATs before reaching an available instance. This solution worked for several years, but as we grew it caused our service and operations teams many issues. Our service teams needed to deal with drops of availability, and our operations teams had much toil when needing to do maintenance on load balancer servers.

Goals

With the experience with our stateful TCP proxy and NAT solutions in mind, we had several goals for a replacement load balancing service, while remaining on our own infrastructure:

  1. Preserve source IPs through routing decisions to destination servers. This allows us to support servers that require client IP addresses as part of their operation, without workarounds such as X-Forwarded-For headers or the PROXY TCP extension.
  2. Support an architecture where backends are located across many racks and subnets. This prevents solutions that cannot Continue reading

7 Layers: IoT Part 2 — IoT Devices are Dangerously Insecure

This week is the second in a two-part series on the Internet of Things. We cover IoT security...

UtahFS: Encrypted File Storage

Encryption is one of the most powerful technologies that everyone uses on a daily basis without realizing it. Transport-layer encryption, which protects data as it’s sent across the Internet to its intended destination, is now ubiquitous because it’s a fundamental tool for creating a trustworthy Internet. Disk encryption, which protects data while it’s sitting idly on your phone or laptop’s hard drive, is also becoming ubiquitous because it prevents anybody who steals your device from also being able to see what’s on your desktop or read your email.

The next improvement on this technology that’s starting to gain popularity is end-to-end encryption, which refers to a system where only the end-users are able to access their data -- not any intermediate service providers. Some of the most popular examples of this type of encryption are chat apps like WhatsApp and Signal. End-to-end encryption significantly reduces the likelihood of a user’s data being maliciously stolen from, or otherwise mishandled by a service provider. This is because even if the service provider loses the data, nobody will have the keys to decrypt it!

Several months ago, I realized that I had a lot of sensitive files on my computer (my diary, if Continue reading

Ladies and Gentlemen… Cloudflare TV!

I'm excited to announce the upcoming launch of Cloudflare TV, a 24x7 live television broadcast streamed globally via the Cloudflare network. You can tune in to the pre-broadcast station and check out the upcoming schedule at: cloudflare.tv

I'm kicking off the first live broadcast starting at 12:00pm Pacific (1900 UTC) on Monday, June 8 with a conversation with Chris Young. Chris was most recently the CEO of McAfee and has had a career defining the cyber security industry, from his own startup Cyveillance in the 1990s, to leadership positions at AOL, RSA, VMware, Cisco, and Intel. I hope you'll tune in and then stay tuned for all the content our team has in store.

Which leaves the question: why on earth is Cloudflare launching a 24x7 television station?

The Uniting Power of Television and Tech Conferences

I was born in the 70's, am a child of the 80's, and got started in my career in the 90's. In the background, throughout much of it, was linear television we watched together. Over the last few months I've learned that Michelle Zatlyn, my co-founder and Cloudflare's COO, and I shared a love of Children's Television Network's Continue reading

How we use HashiCorp Nomad

In this blog post, we will walk you through the reliability model of services running in our more than 200 edge cities worldwide. Then, we will go over how deploying a new dynamic task scheduling system, HashiCorp Nomad, helped us improve the availability of services in each of those data centers, covering how we deployed Nomad and the challenges we overcame along the way. Finally, we will show you both how we currently use Nomad and how we are planning on using it in the future.

Reliability model of services running in each data center

For this blog post, we will distinguish between two different categories of services running in each data center:

  • Customer-facing services: all of our stack of products that our customers use, such as caching, WAF, DDoS protection, rate-limiting, load-balancing, etc.
  • Management services: software required to operate the data center, that is not in the direct request path of customer traffic.

Customer-facing services

The reliability model of our customer-facing services is to run them on all machines in each data center. This works well as it allows each data center’s capacity to scale dynamically by adding more machines.

Scaling is especially made easy thanks to Continue reading

Cyberattacks since the murder of George Floyd

As we’ve often seen in the past, real world protest and violence is usually accompanied by attacks on the Internet. This past week has been no exception. The shocking murder of George Floyd on May 25 was followed, over the weekend of May 30/31, by widespread protests and violence in the US. At the same time, Cloudflare saw a large uptick in cyberattacks, particularly cyberattacks on advocacy organizations fighting racism.

This chart shows the number of cyberattack HTTP requests blocked by Cloudflare over the last week (blue line) compared to the corresponding week in April a month before (green line). Cloudflare’s scale means that we are blocking attacks in the many 10s of billions per day, but even with that scale it’s clear that during the last week there have been even more attacks than before. And those attacks grew over the weekend.

Digging in a little deeper we can compare the attacks over this past weekend with a corresponding weekend a month before. Over the weekend of April 25/26, Cloudflare blocked a total of 116,317,347,341 cyberattack HTTP requests performing DDoS or trying to break into websites, apps or APIs (a little over 116 billion).

Since 116,317,347,341 can Continue reading

Export logs from Cloudflare Gateway with Logpush

Like many people, I have spent a lot more time at home in the last several weeks. I use the free version of Cloudflare Gateway, part of Cloudflare for Teams, to secure the Internet-connected devices on my WiFi network. In the last week, Gateway has processed about 114,000 DNS queries from those devices and blocked nearly 100 as potential security risks.

I can search those requests in the Cloudflare for Teams UI. The logs capture the hostname requested, the time of the request, and Gateway’s decision to allow or block. This works fine for one-off investigations into a block, but does not help if I want to analyze the data more thoroughly. The last thing I want to do is click through hundreds or thousands of pages.

That problem is even more difficult for organizations attempting to keep hundreds or thousands of users and their devices secure. Whether they secure roaming devices with DoH or a static IP address, or keep users safe as they return to offices, deployments at that scale need a better option for auditing tens or hundreds of millions of queries each week.

Starting today, you can configure the automatic export of logs from Cloudflare Gateway Continue reading

Tanium’s endpoint security meets Cloudflare for Teams

When Cloudflare first launched in 2010, network security still relied heavily on physical security. To connect to a private network, most users simply needed to be inside the walls of the office. Once on that network, users could connect to corporate applications and infrastructure.

When users left the office, a Virtual Private Network (VPN) became a bandaid to let users connect back into that office network. Administrators poked holes in their firewall that allowed traffic to route back through headquarters. The backhaul degraded user experience and organizations had no visibility into patterns and events that occurred once users were on the network.

Cloudflare Access launched two years ago to replace that model with an identity-based solution built on Cloudflare’s global network. Instead of a private network, teams secure applications with Cloudflare’s network. Cloudflare checks every request to those applications for identity, rather than IP ranges, and accelerates those connections using the same network that powers some of the world’s largest web properties.

In this zero-trust model, Cloudflare Access checks identity on every request - not just the initial login to a VPN client. Administrators build rules that Cloudflare’s network continuously enforces. Each request is evaluated for permission and logged for Continue reading

Test your home network performance

With many people being forced to work from home, there’s increased load on consumer ISPs. You may be asking yourself: how well is my ISP performing with even more traffic? Today we’re announcing the general availability of speed.cloudflare.com, a way to gain meaningful insights into exactly how well your network is performing.

We’ve seen a massive shift from users accessing the Internet from busy office districts to spread out urban areas.

Although there are a slew of speed testing tools out there, none of them give you precise insights into how they came to those measurements and how they map to real-world performance. With speed.cloudflare.com, we give you insights into what we’re measuring and how exactly we calculate the scores for your network connection. Best of all, you can easily download the measurements from right inside the tool if you’d like to perform your own analysis.

We also know you care about privacy. We believe that you should know what happens with the results generated by this tool. Many other tools sell the data to third parties. Cloudflare does not sell your data. Performance data is collected and anonymized and is governed by the terms of Continue reading

Making DNS record changes more reliable

DNS is the very first step in accessing any website, API, or pretty much anything on the Internet, which makes it mission-critical to keeping your site up and running. This week, we are launching two significant changes that allow our customers to better maintain and update their DNS records. For customers who use Cloudflare as their authoritative DNS provider, we’ve added a much asked for feature: confirmation to DNS record edits. For our secondary DNS customers, we’re excited to provide a brand new onboarding experience.

Confirm and Commit

One of the benefits of using Cloudflare DNS is that changes quickly propagate to our 200+ data centers. And I mean very quickly: DNS propagation typically takes <5 seconds worldwide. Our UI was set up to allow customers to edit records, click out of the input box, and boom! The record has propagated!

There are a lot of advantages to fast DNS, but there's also one clear downside – it leaves room for fat fingering. What if you accidentally toggle the proxy icon, or mistype the content of your DNS record? This could result in users not being able to access your website or API and could cause a significant outage. To Continue reading

Secondary DNS — A faster, more resilient way to serve your DNS records

What is secondary DNS, and why is it important?

In DNS, nameservers are responsible for serving DNS records for a zone. How the DNS records populate into the nameservers differs based on the type of nameserver.

A primary master is a nameserver that manages a zone’s DNS records. This is where the zone file is maintained and where DNS records are added, removed, and modified. However, relying on one DNS server can be risky. What if that server goes down, or your DNS provider has an outage? If you run a storefront, then your customers would have to wait until your DNS server is back up to access your site. If your website were a brick and mortar store, this would be effectively like boarding up the door while customers are trying to get in. This type of outage can be very costly.

Now imagine you have another DNS server that has a replica of your DNS records. Wouldn’t it be great to have it as a back-up if your primary nameserver went down? Or better yet, what if both served your DNS records at all times— this could help decrease the latency of DNS requests, distribute the load between Continue reading

Releasing Cloudflare Access’ most requested feature

Cloudflare Access, part of Cloudflare for Teams, replaces legacy corporate VPNs with Cloudflare’s global network. Instead of starting a VPN client to backhaul traffic through an office, users visit the hostname of an internal application and log in with your team’s SSO provider. While the applications feel like SaaS apps for end users, your security and IT departments can configure granular controls and audit logging in a single place.

Since Access launched two years ago, customers have been able to integrate multiple SSO providers at the same time. This MultiSSO option makes it seamless for teams to have employees log in with Okta or Azure AD while partners and contractors use LinkedIn or GitHub.

The integrations always applied globally. Users would see all SSO options when connecting to any application protected by Cloudflare Access. As more organizations use Cloudflare Access to connect distributed and mixed workforces to resources, listing every provider on every app no longer scales.

For example, your team might have an internal GitLab instance that only employees need to access using your corporate G Suite login. Meanwhile, the marketing department needs to share QA versions of new sites with an external agency who authenticates with LinkedIn. Asking both Continue reading

Resolve internal hostnames with Cloudflare for Teams

Phishing attacks begin like any other visit to a site on the Internet. A user opens a suspicious link from an email, and their DNS resolver looks up the hostname, then connects the user to the origin.

Cloudflare Gateway’s secure DNS blocks threats like this by checking every hostname query against a constantly-evolving list of known threats on the Internet. Instead of sending the user to the malicious host, Gateway stops the site from resolving. The user sees a “blocked domain” page instead of the malicious site itself.

As teams migrate to SaaS applications and zero-trust solutions, they rely more on the public Internet to do their jobs. Gateway's security works like a bouncer, keeping users safe as they navigate the Internet. However, some organizations still need to send traffic to internal destinations for testing or as a way to make the migration more seamless.

Starting today, you can use Cloudflare Gateway to direct end user traffic to a different IP than the one they originally requested. Administrators can build rules to override the address that would be returned by a resolver and send traffic to a specified alternative.

Like the security features of Cloudflare Gateway, the redirect function is Continue reading
