Category Archives for "Networking"

Too Big To Fail is More Likely to Fail?

People think that big companies are too big to fail and that's why you should buy from big companies. Except that this is no longer true. To wit: HPE just divested all of its software assets. While HPE maintains a substantial interest in the new owner, I’m confident that HPE will walk away from those […]

BrandPost: BUILDING A BEST-OF-BREED MULTICLOUD STRATEGY

Best-of-breed strategies have long since fallen out of favor in the enterprise, because the work required to stitch together the components proved to be too difficult. But best of breed is back with cloud. Companies today are hell-bent on buying the ideal SaaS, PaaS, and IaaS cloud services for the job, and while APIs make the integration work easier, the resultant cloud silos create a new challenge: how do you assure service performance in this multi-cloud world? The short answer: by maintaining global knowledge of what is happening (and where) across IT infrastructure, applications, and services. But we’ll get back to that. Companies use eight cloud providers on average, according to IHS Markit Ltd., a research firm in London. IHS’ survey of 155 companies in a range of industries shows that number swelling to 11 within two years. When you include any and all SaaS services, the average number of cloud applications that companies use explodes to almost 1,500, by some counts. […]

BrandPost: SERVICE INTELLIGENCE: CLOUD MIGRATION’S SECRET WEAPON

By now, it's pretty clear that cloud migration can yield big benefits. In fact, a recent survey from research firm ESG found that nearly 40% of respondents said migrating reduced data center build-out costs. It also increases resource elasticity and speeds up service provisioning. Reaping those benefits is by no means a sure thing, however. To attain cloud migration nirvana, companies must successfully navigate a host of challenges, including retaining visibility and control over service quality and performance. […]

Cloudflare launches 1.1.1.1 DNS service with privacy, TLS and more

There was an important development this month with the launch of Cloudflare’s new 1.1.1.1 DNS resolver service. This is a significant development for several reasons, but in particular it supports the new DNS-over-TLS and DNS-over-HTTPS protocols that allow for confidential DNS querying and response.

Why 1.1.1.1?

Before we get to that, though: Cloudflare joins Google Public DNS (8.8.8.8) and Quad9 (9.9.9.9) in using a memorable IP address, 1.1.1.1, for accessing its new DNS service. IP addresses are generally not as memorable as domain names, but you need access to a DNS server before you can resolve domain names to IP addresses, so configuring numbers is a necessity. And whilst a memorable IP address might be cool, it has also proved important recently when DNS resolvers have been blocked or taken down, requiring devices to be pointed elsewhere.

The 1.1.1.1 address is part of the 1.1.1.0 – 1.1.1.255 public IP address range actually allocated to APNIC, one of the five Regional Internet Registries, but it has been randomly used as an address for […]

One in five serverless apps has a critical security vulnerability

Serverless computing is an emerging trend that is likely to explode in popularity this year. It takes the idea of a smaller server footprint to the next level. First, there were virtual machines, which ran a whole instance of an operating system. Then they were shrunk to containers, which only loaded the bare minimum of the OS required to run the app. This led to a smaller footprint. Now we have “serverless” apps, which is a bit of a misnomer. They still run on a server; they just don’t have a dedicated server, virtual machine, or container running 24/7. They run in a server instance until they complete their task, then shut down. It’s the ultimate in small server footprint and reducing server load. […]

DNA data storage closer to becoming reality

Hundreds of megabytes of data have been encoded using DNA in the last few years by scientists. But more recently, not only has the media been stored perfectly in the synthetic variant of the genetic instructions that make up all organic life, but archived data files have been individually retrieved with zero errors, too. It appears that Microsoft Research’s target of a DNA storage system actually functioning within a data center by the turn of the decade, as reported by MIT’s Technology Review a year ago, might be becoming increasingly viable. […]

Introducing Spectrum: Extending Cloudflare To 65,533 More Ports

Today we are introducing Spectrum, which brings Cloudflare’s security and acceleration to the whole spectrum of TCP ports and protocols for our Enterprise customers. It’s DDoS protection for any box, container or VM that connects to the internet; whether it runs email, file transfer or a custom protocol, it can now get the full benefits of Cloudflare. If you want to skip ahead and see it in action, you can scroll to the video demo at the bottom.

DDoS Protection

The core functionality of Spectrum is its ability to block large DDoS attacks. Spectrum benefits from Cloudflare’s existing DDoS mitigation (which this week blocked a 900 Gbps flood). Spectrum’s DDoS protection has already been battle tested: as soon as we opened up Spectrum for beta, Spectrum received its first SYN flood.

One of Spectrum's earliest deployments was in front of Hypixel’s infrastructure. Hypixel runs the largest Minecraft server, and because gamers can be - uh, passionate - they were one of the earliest targets of the terabit-per-second Mirai botnet. “Hypixel was one of the first subjects of the Mirai botnet DDoS attacks and frequently receives large attacks. Before Spectrum, we had to rely on unstable services & techniques […]

Abusing Linux’s firewall: the hack that allowed us to build Spectrum

Today we are introducing Spectrum: a new Cloudflare feature that brings DDoS protection, load balancing, and content acceleration to any TCP-based protocol.

(Image: CC BY-SA 2.0 image by Staffan Vilcans)

Soon after we started building Spectrum, we hit a major technical obstacle: Spectrum requires us to accept connections on any valid TCP port, from 1 to 65535. On our Linux edge servers it's impossible to "accept inbound connections on any port number". This is not a Linux-specific limitation: it's a characteristic of the BSD sockets API, the basis for network applications on most operating systems. Under the hood there are two overlapping problems that we needed to solve in order to deliver Spectrum:

  • how to accept TCP connections on all port numbers from 1 to 65535
  • how to configure a single Linux server to accept connections on a very large number of IP addresses (we have many thousands of IP addresses in our anycast ranges)

Assigning millions of IPs to a server

Cloudflare’s edge servers have an almost identical configuration. In our early days, we used to assign specific /32 (and /128) IP addresses to the loopback network interface[1]. This worked well when we had dozens of IP […]

Abusing Linux's firewall: the hack that allowed us to build Spectrum (Korean)

This is a Korean translation of a prior post by Marek Majkowski.

Recently we announced Spectrum: a new Cloudflare feature that brings DDoS protection, load balancing and content acceleration to any TCP-based protocol.

(Image: CC BY-SA 2.0 image by Staffan Vilcans)

Soon after we started building Spectrum, we ran into a major technical obstacle: Spectrum must accept connections on any valid TCP port from 1 to 65535. On our Linux edge servers, "accepting inbound connections on an arbitrary port number" is impossible. This is not a Linux-only limitation: it is a characteristic of the BSD sockets API, the foundation of network applications on most operating systems. Internally there were two overlapping problems we had to solve in order to complete Spectrum:

  • how to accept TCP connections on every port number from 1 to 65535
  • how to configure a single Linux server to accept connections arriving at a very large number of IP addresses (we have a huge number of IP addresses in our anycast ranges)

Assigning millions of IPs to a server

Cloudflare's edge servers have an almost identical configuration. In the early days we assigned specific /32 (and /128) IP addresses to the loopback network interface[1]. This worked well when we only had dozens of IP addresses, but as we grew it failed to scale.

That is when the "AnyIP" trick came in. AnyIP lets us assign an entire IP prefix (subnet) to the loopback interface rather than a single address. In fact, AnyIP is already widely used: your computer has, on its loopback interface, […]

IDG Contributor Network: To 400G and beyond: the arrival of adaptive networks and the next technology boom

We live in a world in which we’re regularly streaming Netflix in 4K, using the power of the phones in our pockets to augment our realities with virtual gaming, and even watching basketball from a virtual courtside seat. Our networks have evolved to cater for these technologies, and each evolutionary step has brought with it a technological boom enabled by greater capacity, speed, automation, intelligence and programmability. The next step has arrived and it’s just in time, because just when you thought we were finally content with, well, content, new technologies have emerged that push beyond what we ever thought possible. At the 2018 Consumer Electronics Show (CES), Intel Studios unveiled what it’s calling Volumetric Video, and it’s nothing short of stunning. Volumetric Video uses multiple cameras to shoot a 360-degree field of view, but it differs from standard 360-degree or VR video in that it captures footage “from the outside in”. To picture how it works, visualize the action scenes from The Matrix, in which the cameras pan around a frozen-in-mid-air Keanu Reeves. But now imagine being a viewer with the ability to zoom in on any part of that scene or look at any part of the […]