Today we are introducing Spectrum, which brings Cloudflare’s security and acceleration to the whole spectrum of TCP ports and protocols for our Enterprise customers. It’s DDoS protection for any box, container or VM that connects to the internet; whether it runs email, file transfer or a custom protocol, it can now get the full benefits of Cloudflare. If you want to skip ahead and see it in action, you can scroll to the video demo at the bottom.
The core functionality of Spectrum is its ability to block large DDoS attacks. Spectrum benefits from Cloudflare’s existing DDoS mitigation (which this week blocked a 900 Gbps flood). Spectrum’s DDoS protection has already been battle tested. Just as soon as we opened up Spectrum for beta, Spectrum received its first SYN flood.
One of Spectrum's earliest deployments was in front of Hypixel’s infrastructure. Hypixel runs the largest Minecraft server, and because gamers can be - uh, passionate - they were one of the earliest targets of the terabit-per-second Mirai botnet. “Hypixel was one of the first subjects of the Mirai botnet DDoS attacks and frequently receives large attacks. Before Spectrum, we had to rely on unstable services & techniques Continue reading
We are just around 60 days or so away from Geek Summer Camp 2018, or more commonly known as Cisco …
The post Cisco Live 2018 – Big Ideas Theater appeared first on Fryguy's Blog.

Today we are introducing Spectrum: a new Cloudflare feature that brings DDoS protection, load balancing, and content acceleration to any TCP-based protocol.

CC BY-SA 2.0 image by Staffan Vilcans
Soon after we started building Spectrum, we hit a major technical obstacle: Spectrum requires us to accept connections on any valid TCP port, from 1 to 65535. On our Linux edge servers it's impossible to "accept inbound connections on any port number". This is not a Linux-specific limitation: it's a characteristic of the BSD sockets API, the basis for network applications on most operating systems. Under the hood there are two overlapping problems that we needed to solve in order to deliver Spectrum:
Cloudflare’s edge servers have an almost identical configuration. In our early days, we used to assign specific /32 (and /128) IP addresses to the loopback network interface[1]. This worked well when we had dozens of IP Continue reading

This is a Korean translation of a prior post by Marek Majkowski.
Not long ago we announced Spectrum: a new Cloudflare feature that provides DDoS protection, load balancing, and content acceleration for any TCP-based protocol.

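Soon after we started building Spectrum, we ran into a major technical obstacle: Spectrum has to accept connections on any valid TCP port, from 1 to 65535. On our Linux edge servers it is impossible to "accept inbound connections on any port number". This is not a limitation unique to Linux: it is a characteristic of the BSD sockets API, the basis for network applications on most operating systems. Under the hood there were two overlapping problems we had to solve in order to complete Spectrum:
Cloudflare's edge servers have an almost identical configuration. In the early days, we assigned specific /32 (and /128) IP addresses to the loopback network interface[1]. This worked well when we had only dozens of IP addresses, but it failed to scale as we grew.
That is when the "AnyIP" trick came in. AnyIP allows an entire IP prefix (subnet), rather than a single address, to be assigned to the loopback interface. In fact, AnyIP is already in wide use: on your computer, the loopback interface Continue reading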
[Warning: Those who can’t stand EDM/dubstep, oh boy do I have bad news for you in regards to this blog post]
Dubstep songs are often criticized as sounding extremely computer generated and often just too aggressi
Spiceworks research reveals IT pros' data security concerns about users connecting to public WiFi networks.
As economies develop in Tanzania, rural residents have growing needs for communication and broadband access. However, mobile operators are reluctant to invest in remote areas due to the elevated infrastructure cost and the high percentage of people that can’t afford the payment of the services.
The Internet Society Tanzania Chapter, supported by Beyond the Net Funding Programme in partnership with The University of Dodoma will target the remote areas of Dodoma Region, where conventional deployments are not available. Together, they will build a pilot project using TV White Space equipment as a community network solution.
White Space Internet is not widely adopted so far, but has the potential to transform the way we use wireless Internet. Being a free form of broadband, it is a good alternative to provide underserved communities with Internet access that is similar to that of 4G mobile. White Space power stations can be charged with solar panels and broadband can travel up to 10 kilometers through vegetation, buildings and other obstacles.
“It’s amazing how life has changed in Tanzania thanks to the Internet”, explains Jabhera Matogoro, project manager and coordinator of Microsoft Innovation Center at the University of Continue reading
The proponents of the “let’s run EVPN over EBGP underlay” idea often ignore an interesting challenge: EVPN advocates use of automatically-generated Route Targets, which might not work when every leaf switch uses a different AS number.
I explored this particular can of worms in the EVPN Route Target Considerations section of the Using BGP in a Data Center Leaf-and-Spine Fabric saga.
Ethan Banks does a five minute review of the enterprise-oriented D-Link DGS-1510-52 Ethernet switch.
The post BiB 039: Reviewing The D-Link DGS-1510-52 appeared first on Packet Pushers.
This is the third Israeli security startup that Palo Alto Networks has purchased.
Jeff Gray, CEO at Gluware, chatted to the Packet Pushers about how they can automate any network, including the one you've already got.
The post BiB 038: Gluware Automates The Brownfield appeared first on Packet Pushers.
This post is part two of three in a series looking at the joint presentations made by Mellanox, Ixia and Cumulus at Networking Field Day 17, in February 2018. More specifically, this post looks at what part Ixia has to play in the deployment of an Ethernet switch fabric built using Mellanox switches and running Cumulus Linux as the Network Operating System (NOS).

What confused me most about a presentation from Mellanox, Ixia and Cumulus about Ethernet fabrics was figuring out what role Ixia would be playing in the disaggregated model. Mellanox makes the switch hardware and Cumulus makes the switch software, so Ixia fits, well, where exactly?
IxNetwork is billed as an end-to-end validation solution which in many ways undersells what it’s all about. Rather than being just more traffic-generating test equipment, IxNetwork can emulate multiple switch and server devices so that a single piece of test hardware can be connected to what it believes is a large existing infrastructure, and that hardware’s behavior and resiliency can be validated. In the demo topology, IxNetwork connects to a physical Mellanox Spectrum switch running Cumulus Linux, emulating connected servers as well as an entire leaf/switch EVPN/VXLAN fabric, attached Continue reading
RAD's vAccess allows operators to use white boxes with VNFs over whatever access infrastructure they have installed.
New entrants, updates, and money continue to flow into the space, but organizations sometimes ignore the basics.