Weekend Reads 011918: IoT, Cyberthreat Thinking, and Techlash
Deputy Attorney General Rosenstein has given talks where he proposes that tech companies decrease their communications and device security for the benefit of the FBI. In a recent talk, his idea is that tech companies just save a copy of the Continue reading
Nokia Scores 5G Equipment Deal with NTT DoCoMo
It’s the first 3GPP-standards compliant 5G NR equipment deal that’s been announced.
Project Falco joins SONiC Community (Software for Open Networking in the Cloud) | LinkedIn Engineering
Linked chooses SONIC for hardware abstraction
IBM Finally Grows Revenue, Celebrates by ‘Marrying’ Salesforce
IBM’s cloud business brought in $17 billion in annual revenue in 2017.
Iguazio Boldly Taunts AWS’ Lambda with Nuclio Serverless Platform
An analyst firm sees some enterprises bypassing containers in favor of serverless.
Web Cache Deception Attack revisited
In April, we wrote about Web Cache Deception attacks, and how our customers can avoid them using origin configuration.
Read that blog post to learn about how to configure your website, and for those who are not able to do that, how to disable caching for certain URIs to prevent this type of attacks. Since our previous blog post, we have looked for but have not seen any large scale attacks like this in the wild.
Today, we have released a tool to help our customers make sure only assets that should be cached are being cached.
A brief re-introduction to Web Cache Deception attack
Recall that the Web Cache Deception attack happens when an attacker tricks a user into clicking a link in the format of http://www.example.com/newsfeed/foo.jpg, when http://www.example.com/newsfeed is the location of a dynamic script that returns different content for different users. For some website configurations (default in Apache but not in nginx), this would invoke /newsfeed with PATH_INFO set to /foo.jpg. If http://www.example.com/newsfeed/foo.jpg does not return the proper Cache-Control headers to tell a web cache not to cache the content, web caches may decide to cache Continue reading
SDxCentral’s Weekly Roundup — January 19, 2018
Comcast chooses AWS; Qualcomm puts up a fight against Broadcom; Maersk and IBM work with blockchain.
Can Routing Be Oversimplified?
I don’t know if you’ve had a chance to see this Reddit thread yet, but it’s a funny one:
We eliminated routing protocols from our network!
Short non-clickbait summary: We deployed SD-WAN and turned off OSPF. We now have a /16 route for the internal network and a default route to the Internet where a lot of our workloads were moved into the cloud.
Bravo for this networking team for simplifying their network to this point. All other considerations aside, does this kind of future really bode well for SD-WAN?
Now You See Me
As pointed out in the thread above, the network team didn’t really get rid of their dynamic routing protocols. The SD-WAN boxes that they put in place are still running BGP or some other kind of setup under the hood. It’s just invisible to the user. That’s nothing new. Six years ago, Ivan Pepelnjak found out Juniper QFabric was running BGP behind the scenes too.
Hiding the networking infrastructure from the end user is nothing new. It’s a trick that has been used for years to allow infrastructures to be tuned and configured in such a way as to deliver maximum performance without letting anyone tinker Continue reading
The Role of Security in Edge Computing
A look at what's needed to mitigate IoT security threats.
SYN 패킷 처리 실제
역자주: 이 글은 Marek Majkowski의 https://blog.cloudflare.com/syn-packet-handling-in-the-wild/ 를 번역한 것입니다.
우리 Cloudflare 에서는 실제 인터넷상의 서버 운영 경험이 많습니다. 하지만 이런 흑마술 마스터하기를 게을리하지도 않습니다. 이 블로그에서는 인터넷 프로토콜의 여러 어두운 부분을 다룬 적이 있습니다: understanding FIN-WAIT-2 나 receive buffer tuning과 같은 것들입니다.
CC BY 2.0 image by Isaí Moreno
사람들이 충분히 신경쓰지 않는 주제가 하나 있는데, 바로 SYN 홍수(SYN floods) 입니다. 우리는 리눅스를 사용하고 있는데 리눅스에서 SYN 패킷 처리는 매우 복잡하다는 것을 알게 되었습니다. 이 글에서는 이에 대해 좀 더 알아 보도록 하겠습니다.
두개의 큐의 이야기
일단 만들어진 소켓에 대해 "LISTENING" TCP 상태에는 두개의 분리된 큐가 존재 합니다:
- SYN 큐
- Accept 큐
일반적으로 이 큐에는 여러가지 다른 이름이 붙어 있는데, "reqsk_queue", "ACK backlog", "listen backlog", "TCP backlog" 등이 있습니다만 혼란을 피하기 위해 위의 이름을 사용하도록 하겠습니다.
SYN 큐
SYN 큐는 수신 SYN 패킷[1] (구체적으로는 struct inet_request_sock)을 저장합니다. 이는 SYN+ACK 패킷을 보내고 타임아웃시에 재시도하는 역할을 합니다. 리눅스에서 재시도 값은 다음과 같이 설정됩니다:
$ sysctl net.ipv4.tcp_synack_retries
net.ipv4.tcp_synack_retries = 5
문서를 보면 다음과 같습니다:
tcp_synack_retries - 정수
수동 TCP 연결 시도에 대해서 SYNACK를 몇번 다시 보낼지를 지정한다.
이 값은 255 이하이어야 한다. 기본값은 5이며, 1초의 초기 RTO값을 감안하면
마지막 재전송은 31초 Continue readingPacket Forwarding on Linux on Software Gone Wild
Linux operating system is used as the foundation for numerous network operating systems including Arista EOS and Cumulus Linux. It provides most networking constructs we grew familiar with including interfaces, VLANs, routing tables, VRFs and contexts, but they behave slightly differently from what we’re used to.
In Software Gone Wild Episode 86 Roopa Prabhu and David Ahern explained the fundamentals of packet forwarding on Linux, and the differences between Linux and more traditional network operating systems.
Read more ...I Became Cisco Champion for 2018
How Does Internet Work - We know what is networking
I just received an e-mail from Cisco with the notice that I was elected Cisco Champion for 2018. As Cisco says: “Cisco Champions are a group of highly influential technical experts who generously enjoy sharing their knowledge, expertise, and thoughts on the social web and with Cisco. The Cisco Champion program encompasses a diverse set of areas such as Data Center, Internet of Things, Enterprise Networks, Collaboration, and Security. Cisco Champions are located all over the world.” I must say that last 7 years of writing this blog was the primary reason why one should pick me for this flattering
The ARC of Satori
Authors: Pete Arzamendi, Matt Bing, and Kirk Soluk Satori, the heir-apparent to the infamous IOT malware Mirai, was discovered by researchers in December 2017. The word “satori” means “enlightenment” or “understanding” in Japanese, but the evolution of the Satori malware has brought anything but clarity. […]The ARC of Satori
Authors: Pete Arzamendi, Matt Bing, and Kirk Soluk. Satori, the heir-apparent to the infamous IOT malware Mirai, was discovered by researchers in December 2017. The word “satori” means “enlightenment” or “understanding” in Japanese, but the evolution of the Satori malware has brought anything but clarity. […]BiB 023: netYCE Is Orchestrated Control Of Your Network
NetYCE gives Ethan Banks an overview of their platform and shares some of the latest capabilities they’ve baked in.
The post BiB 023: netYCE Is Orchestrated Control Of Your Network appeared first on Packet Pushers.