Network Break 420: Cisco, HPE Buy Security Startups; Can We Finally Hold Vendors Responsible For Software Defects?
Take a Network Break! We begin with some FU on what constitutes on-prem and off-prem, and then dive into news. Cisco and T-Mobile are partnering on 5G gateways, Cisco Webex is getting installed as a feature(?) in Mercedes E-Class cars, and Cisco is buying multi-cloud security startup Valtix. Valtix offers firewalling, IPS, a cloud Web... Read more »Five Things You Need for Today’s Network Monitoring
By extending into environments such as the cloud, SD-WAN, and applications, today's network monitoring platforms are turning into powerful solution that can improve the overall operations IT environment. Let's drill down into the top five needs for networking monitoring.
The post Five Things You Need for Today’s Network Monitoring appeared first on Packet Pushers.
DDoS detection and remediation with Akvorado and Flowspec
Akvorado collects sFlow and IPFIX flows, stores them in a ClickHouse database, and presents them in a web console. Although it lacks built-in DDoS detection, it’s possible to create one by crafting custom ClickHouse queries.
DDoS detection
Let’s assume we want to detect DDoS targeting our customers. As an example, we consider a DDoS attack as a collection of flows over one minute targeting a single customer IP address, from a single source port and matching one of these conditions:
- an average bandwidth of 1 Gbps,
- an average bandwidth of 200 Mbps when the protocol is UDP,
- more than 20 source IP addresses and an average bandwidth of 100 Mbps, or
- more than 10 source countries and an average bandwidth of 100 Mbps.
Here is the SQL query to detect such attacks over the last 5 minutes:
SELECT * FROM ( SELECT toStartOfMinute(TimeReceived) AS TimeReceived, DstAddr, SrcPort, dictGetOrDefault('protocols', 'name', Proto, '???') AS Proto, SUM(((((Bytes * SamplingRate) * 8) / 1000) / 1000) / 1000) / 60 AS Gbps, uniq(SrcAddr) AS sources, uniq Continue reading
netlab: Change Stub Networks into Loopbacks
One of the least-documented limitations of virtual networking labs is the number of network interfaces a virtual machine could have. vSphere supports up to 10 interfaces per VM, the default setting for vagrant-libvirt is eight, and I couldn’t find the exact numbers for KVM. Many vendors claim their KVM limit is around 25; I was able to bring up a Nexus 9300v device with 40 adapters.
Anyway, a dozen interfaces should be good enough if you’re building a proof-of-concept fabric, but it might get a bit tight if you want to emulate plenty of edge subnets.
Why Application Security is Critical to Network Security
Application security is inseparable from network security. As such, enterprises must now take a holistic approach to securing networks and the applications within them.Controversial Reads 030423
s vulnerabilities — which so many young people share online.
A major escalation in official online censorship regimes is progressing rapidly in Brazil, with implications for everyone in the democratic world. Under Brazil’s new government headed by President Lula da Silva, the country is poised to become the first in the democratic world to implement a law censoring and banning “fake news and disinformation” online, and then punishing those deemed Continue reading
Gravity Model
Motivation
I recently read Google’s latest sigcomm paper: Jupiter Evolving on their Datacenter fabric evolution. It is an excellent paper with tons of good information, and the depth and width show what an engineering thought process should look like. The central theme talks about the challenges faced with deploying and scaling Clos fabrics and how they have evolved by replacing the spine layer with OCS that allows the blocks to be directly connected, calling it Direct connect topology.
If you look closely, the Direct Connect topology resembles Dragonfly+, where you have directly connected blocks.
The paper has many interesting topics, including Traffic and Topology Engineering and Traffic aware routing. One of the most exciting parts to me, which will be understandably missing, is the formulation of Traffic engineering problems as Optimization problems. I would love to see some pseudo-real-world code examples made publicly available.
However, one thing that surprised me the most was from a Traffic characteristics perspective, a Gravity model best described Google’s Inter-Block traffic. When I studied Gravity Model, I thought this was such a simplistic model that I would never see that in real life, but it turns out I was wrong, and it still has practical Continue reading
Datacenter System Makers Leary But Not Weary
The central banks of the world, led by the European Central Bank and the US Federal Reserve, want to curb inflation and they are willing to cause a small recession or at least get very close to one to shock us all into controlling the acquisitive habits we developed during the lockdowns of the early years of the coronavirus pandemic. …
Datacenter System Makers Leary But Not Weary was written by Timothy Prickett Morgan at The Next Platform.
Heavy Networking 668: Inside A Virtualization Consultant’s Home Lab
On Heavy Networking today we look at a home lab running VMware products including NSX, as well as infrastructure-as-code products Terraform, Packer, and Ansible. These use cases create a different hardware demand than virtualized network operating system images. Guest Maarten Van Driessen explains it all, including how he saves money on lab gear.
The post Heavy Networking 668: Inside A Virtualization Consultant’s Home Lab appeared first on Packet Pushers.
Heavy Networking 668: Inside A Virtualization Consultant’s Home Lab
On Heavy Networking today we look at a home lab running VMware products including NSX, as well as infrastructure-as-code products Terraform, Packer, and Ansible. These use cases create a different hardware demand than virtualized network operating system images. Guest Maarten Van Driessen explains it all, including how he saves money on lab gear.Weekend Reads 030323
https://cacm.acm.org/magazines/2023/3/270206-a-turning-point-for-cyber-insurance/fulltext
Insuring against the consequences of cybersecurity seems too good to be true given the underlying problem has perplexed researchers and practitioners for going on 50 years.
https://cacm.acm.org/magazines/2023/3/270207-mapping-the-privacy-landscape-for-central-bank-digital-currencies/fulltext
Payment records paint a detailed picture of an individual’s behavior. They reveal wealth, health, and interests, but individuals do not want the burden of deciding which are sensitive or private.
https://cacm.acm.org/magazines/2023/3/270211-the-ai-tech-stack-model/fulltext
Presently, enterprises have implemented advanced artificial intelligence (AI) technologies to support business process automation (BPA), provide valuable data insights, and facilitate employee and customer engagement.
https://www.theregister.com/2023/02/22/google_milestone_quantum/
Google is claiming a new milestone on the road to fault-tolerant quantum computers with a demonstration that a key error correction method that groups multiple qubits into logical qubits can deliver lower error rates, paving the way for quantum systems that can scale reliably.
https://telecoms.com/520115/mwc-2023-whats-the-point-of-5g/
Four years into the 5G era, the technology is still struggling to find an identity. 3G was about the introduction of mobile data, which matured in the form of 4G, but what is 5G all about?
https://www.theregister.com/2023/02/24/europe_gigabit_transformation_consultation/
The European Union yesterday decided it’s time to start “laying the ground for the transformation of the connectivity sector” in the region Continue reading
Ansible Limit When Using Netbox as Inventory
I’m currently using Ansible to template a large and growing number of devices for an ISP that I’m working for. The last part of the process is to use Netbox as a source of truth to write the configs using Jinja2 templates. The work is done as part of a CI/CD pipeline, and runs on a specific Gitlab Runner instance – finally the config is pre-staged onto the device’s filesystem to be checked by a engineer before deployment.
I’ve been finding the growing list of hosts a bit hard work, and, seemingly undocumented in the Netbox docs is how to put a site-specific limit on the playbook run. This is easily done in regular Ansible by using .ini-style host file groups like this:
[siteA]
sitea-router001
sitea-router002
[siteB]
siteb-router001
siteb-router002You can then do ‘ansible-playbook -l siteB’ to restrict what gets generated. How you do this when Netbox is the source of inventory is less clear.
It turns out that sites are pre-pended in Netbox with the string ‘sites_’. So, in your dynamic inventory file (in my case, called nb-inventory.yml) you need to tell it to group hosts by site by including the sites keyword under the group_by section:
plugin: Continue readingHow Cloudflare runs Prometheus at scale
We use Prometheus to gain insight into all the different pieces of hardware and software that make up our global network. Prometheus allows us to measure health & performance over time and, if there’s anything wrong with any service, let our team know before it becomes a problem.
At the moment of writing this post we run 916 Prometheus instances with a total of around 4.9 billion time series. Here’s a screenshot that shows exact numbers:
That’s an average of around 5 million time series per instance, but in reality we have a mixture of very tiny and very large instances, with the biggest instances storing around 30 million time series each.
Operating such a large Prometheus deployment doesn’t come without challenges. In this blog post we’ll cover some of the issues one might encounter when trying to collect many millions of time series per Prometheus instance.
Metrics cardinality
One of the first problems you’re likely to hear about when you start running your own Prometheus instances is cardinality, with the most dramatic cases of this problem being referred to as “cardinality explosion”.
So let’s start by looking at what cardinality means from Prometheus' perspective, when it can Continue reading
Video: Getting Started with netlab
After explaining how netlab fits into the virtual lab orchestration picture and what exactly it can do, let’s focus on what’s the easiest way to get started.
The next video in the Using netlab to Build Networking Labs series describes:
- Typical deployment scenarios: VirtualBox on Windows or MacOS, or libvirt/KVM on a Linux server or a virtual machine (running on Windows or MacOS).
- Hardware and software requirements
- Behind-the-scene operations performed by netlab create, netlab initial and netlab up commands.
You need Free ipSpace.net Subscription to watch the video and Standard ipSpace.net Subscription to watch the rest of the webinar.