Archive

Category Archives for "Networking"

Cloudflare’s handling of a bug in interpreting IPv4-mapped IPv6 addresses

Cloudflare's handling of a bug in interpreting IPv4-mapped IPv6 addresses
Cloudflare's handling of a bug in interpreting IPv4-mapped IPv6 addresses

In November 2022, our bug bounty program received a critical and very interesting report. The report stated that certain types of DNS records could be used to bypass some of our network policies and connect to ports on the loopback address (e.g. 127.0.0.1) of our servers. This post will explain how we dealt with the report, how we fixed the bug, and the outcome of our internal investigation to see if the vulnerability had been previously exploited.

RFC 4291 defines ways to embed an IPv4 address into IPv6 addresses. One of the methods defined in the RFC is to use IPv4-mapped IPv6 addresses, that have the following format:

   |                80 bits               | 16 |      32 bits        |
   +--------------------------------------+--------------------------+
   |0000..............................0000|FFFF|    IPv4 address     |
   +--------------------------------------+----+---------------------+

In IPv6 notation, the corresponding mapping for 127.0.0.1 is ::ffff:127.0.0.1 (RFC 4038)

The researcher was able to use DNS entries based on mapped addresses to bypass some of our controls and access ports on the loopback address or non-routable IPs.

This vulnerability was reported on November 27 to our bug bounty program. Our Security Incident Response Team (SIRT) was contacted, and incident response activities Continue reading

NTT, Palo Alto partner for managed SASE with AIOps

A new offering from IT services provider NTT combines Palo Alto Networks' Prisma SASE offering with NTT's managed network services and AIOps infrastructure.SASE – secure access service edge – has been gaining interest for its potential to reduce networking complexity while improving security. It combines SD-WAN with security services, including secure web access gateway (SWG), cloud access security broker (CASB), zero-trust network access (ZTNA), and firewall-as-a-service (FWaaS), in a single, cloud-delivered service model.To read this article in full, please click here

NTT, Palo Alto partner for managed SASE with AIOps

A new offering from IT services provider NTT combines Palo Alto Networks' Prisma SASE offering with NTT's managed network services and AIOps infrastructure.SASE – secure access service edge – has been gaining interest for its potential to reduce networking complexity while improving security. It combines SD-WAN with security services, including secure web access gateway (SWG), cloud access security broker (CASB), zero-trust network access (ZTNA), and firewall-as-a-service (FWaaS), in a single, cloud-delivered service model.To read this article in full, please click here

EU Analyst: The End of the Internet Is Near

The internet as we know it may no longer be a thing, warns a European Union-funded researcher. If it continues to fray, our favorite “network of networks” will just go back to being a bunch of networks again. And it will be the fault of us all. “The idea of an open and global internet is progressively deteriorating and the internet itself is changing,” writes Internet Fragmentation: Why It Matters for Europe” posted Tuesday by the

Enterprises turn to single-vendor SASE for ease of manageability

Before the start of the Covid epidemic, a traditional WAN architecture with centralized security worked well for Village Roadshow. "Advanced security inspection services can be applied, firewalls can provide separation, and a demilitarized zone can be implemented," said Michael Fagan, chief transformation officer at Village Roadshow, the largest theme park owner in Australia.But it required backhauling traffic from remote sites to a data center or hub for security inspection, which can hurt application performance, create a poor user experience, and cost the company in productivity, he said.When the pandemic led the company to transition to a hybrid workforce, with most people working from home or from a remote site, it prompted Village Roadshow to rethink its network and security approach.To read this article in full, please click here

Enterprises turn to single-vendor SASE for ease of manageability

Before the start of the Covid epidemic, a traditional WAN architecture with centralized security worked well for Village Roadshow. "Advanced security inspection services can be applied, firewalls can provide separation, and a demilitarized zone can be implemented," said Michael Fagan, chief transformation officer at Village Roadshow, the largest theme park owner in Australia.But it required backhauling traffic from remote sites to a data center or hub for security inspection, which can hurt application performance, create a poor user experience, and cost the company in productivity, he said.When the pandemic led the company to transition to a hybrid workforce, with most people working from home or from a remote site, it prompted Village Roadshow to rethink its network and security approach.To read this article in full, please click here

What is a virtual network

A computer network as we usually visualize it involves various cables (Ethernet, fiber optic, coaxial) connecting to appliances like routers and switches, which direct data packets where they need to go.The rise of Wi-Fi and cellular data networks have replaced some of those wires with wireless signals, but even radio waves are in the realm of the physical, and they connect back to cell towers or Wi-Fi access points.In the seven-layer OSI network reference model, all of that network equipment, processing, and communication occupies the lowest three layers: Level 3 (the network), Level 2 (the data link), and Level 1 (the physical layer).To read this article in full, please click here

What is a virtual network

A computer network as we usually visualize it involves various cables (Ethernet, fiber optic, coaxial) connecting to appliances like routers and switches, which direct data packets where they need to go.The rise of Wi-Fi and cellular data networks have replaced some of those wires with wireless signals, but even radio waves are in the realm of the physical, and they connect back to cell towers or Wi-Fi access points.In the seven-layer OSI network reference model, all of that network equipment, processing, and communication occupies the lowest three layers: Level 3 (the network), Level 2 (the data link), and Level 1 (the physical layer).To read this article in full, please click here

Uptick in healthcare organizations experiencing targeted DDoS attacks

Uptick in healthcare organizations experiencing targeted DDoS attacks

Healthcare in the crosshairs

Uptick in healthcare organizations experiencing targeted DDoS attacks

Over the past few days, Cloudflare, as well as other sources, have observed healthcare organizations targeted by a pro-Russian hacktivist group claiming to be Killnet. There has been an increase in the amount of healthcare organizations coming to us to help get out from under these types of attacks. Multiple healthcare organizations behind Cloudflare have also been targeted by HTTP DDoS attacks and Cloudflare has helped them successfully mitigate these attacks. The United States Department of Health and Human Services issued an Analyst Note detailing the threat of Killnet-related cyberattacks to the healthcare industry.

A rise in political tensions and escalation of the conflict in Ukraine are all factors that play into the current cybersecurity threat landscape. Unlike traditional warfare, the Internet has enabled and empowered groups of individuals to carry out targeted attacks regardless of their location or involvement. Distributed-denial-of-Service (DDoS) attacks have the unfortunate advantage of not requiring an intrusion or a foothold to be launched and have, unfortunately, become more accessible than ever before.

The attacks observed by the Cloudflare global network do not show a clear indication that they are originating from a single botnet and the attack methods and sources Continue reading

1 319 320 321 322 323 3,492