Category Archives for "Networking"

Iter8 Unifies Performance Validation for gRPC and HTTP

Srinivasan Parthasarathy

Sri is an applied machine learning researcher with a track record of creating scalable AI/ML/advanced optimization-based enterprise solutions for hybrid cloud, cybersecurity and data-exploration problem domains. A co-founder of Iter8, he has presented at Kubecon 2020 and 2021, and at community meetups like Knative and KFServing.

gRPC is an open source remote procedure call (RPC) system that is becoming increasingly popular for connecting microservices and connecting mobile/web clients to backend services. Benchmarking and performance validation is an essential building block in the continuous integration and delivery (CI/CD) of robust gRPC services. In this hands-on article, we show how Iter8 unifies performance validation for HTTP and gRPC services.

What Is Iter8?

CVE-2022-26143: A Zero-Day vulnerability for launching UDP amplification DDoS attacks

A zero-day vulnerability in the Mitel MiCollab business phone system has recently been discovered (CVE-2022-26143). This vulnerability, called TP240PhoneHome, which Cloudflare customers are already protected against, can be used to launch UDP amplification attacks. This type of attack reflects traffic off vulnerable servers to victims, amplifying the amount of traffic sent in the process by an amplification factor of 220 billion percent in this specific case.

Cloudflare has been actively involved in investigating the TP240PhoneHome exploit, along with other members of the InfoSec community. Read our joint disclosure here for more details. As far as we can tell, the vulnerability has been exploited as early as February 18, 2022. We have deployed emergency mitigation rules to protect Cloudflare customers against the amplification DDoS attacks.

Mitel has been informed of the vulnerability. As of February 22, they have issued a high severity security advisory advising their customers to block exploitation attempts using a firewall, until a software patch is made available. Cloudflare Magic Transit customers can use the Magic Firewall to block external traffic to the exposed Mitel UDP port 10074 by following the example in the screenshot below, or by pasting the following expression into their Magic Firewall

CVE-2022-26143: TP240PhoneHome reflection/amplification DDoS attack vector

Beginning in mid-February 2022, security researchers, network operators, and security vendors observed a spike in DDoS attacks sourced from UDP port 10074 targeting broadband access ISPs, financial institutions, logistics companies, and organizations in other vertical markets.

Upon further investigation, it was determined that the devices abused to launch these attacks are MiCollab and MiVoice Business Express collaboration systems produced by Mitel, which incorporate TP-240 VoIP-processing interface cards and supporting software; their primary function is to provide Internet-based site-to-site voice connectivity for PBX systems.

Approximately 2600 of these systems have been incorrectly provisioned so that an unauthenticated system test facility has been inadvertently exposed to the public Internet, allowing attackers to leverage these PBX VoIP gateways as DDoS reflectors/amplifiers.

Mitel is aware that these systems are being abused to facilitate high-pps (packets-per-second) DDoS attacks, and has been actively working with customers to remediate abusable devices with patched software that disables public access to the system test facility.

In this blog, we will further explore the observed activity, explain how the driver has been abused, and share recommended mitigation steps. This research was created cooperatively among a team of researchers from Akamai SIRT, Cloudflare, Lumen Black Lotus Labs, NETSCOUT ASERT,

Cloud Networking Needs a New Vision

While hyperscale public clouds grab attention, the majority of workloads and cloud infrastructure will continue to remain elsewhere for the foreseeable future. Enterprise private clouds are not only NOT disappearing but growing, spanning on-premises data centers, colocation sites and increasingly distributed edge sites. Tier 2 cloud service providers cater to local markets and provide services more closely tailored to their customers’ needs. Telecom service providers operate highly distributed clouds to support their network services.

These cloud operators all have two similar goals for their network infrastructure, goals that are so critical to remaining competitive that we can even call them mandates:

  1. Transform cloud networks to become as agile, highly available and simple to operate as the hyperscale public clouds.
  2. Move rapidly toward a new, more highly distributed networking and zero-trust security architecture to address increasing cybersecurity risks.

Unfortunately, achieving these goals is far from simple. Current networking solutions are not only insufficient, they are in many ways the biggest problem. The below datapoint, from The State of Data Center Networking: 2021 Annual Report, illustrates just that. The top two challenges in achieving a highly agile and available active-active or active-hot standby data center architectures are both related to network

International Women’s Day 2022

“I would venture to guess that Anon,
who wrote so many poems without signing them,
was often a woman.” - Virginia Woolf

Welcome to International Women’s Day 2022! Here at Cloudflare, we are happy to celebrate it with you! Our celebration is not only this blog post, but many events prepared for the month of March: our way of honoring Women’s History Month by showcasing women’s empowerment. We want to celebrate the achievements, ideas, passion and work that women bring to the world. We want to advocate for equality and to achieve gender parity. And we want to highlight the brilliant work that our women colleagues do every day. Welcome!

This is a time of celebration but also one to reflect on the current state. The global gender gap is not expected to close for another 136 years. This gap has also worsened due to the COVID-19 pandemic, which has negatively impacted the lives of women and girls by deepening pre-existing inequalities. Improving this state is a collective effort—we all need to get involved!

Who are we? Womenflare!

First, let’s introduce ourselves. We are Womenflare—Cloudflare’s Employee Resource Group (ERG) for all who identify as and advocate for

Wi-Fi 6E scarcity has enterprises delaying upgrades until Wi-Fi 7 gear ships

Supply chain problems for Wi-Fi 6E access points are so bad that enterprises are skipping that version of wireless technology and waiting until Wi-Fi 7 equipment starts to ship late next year, says market researcher Dell'Oro Group. Wi-Fi 6E builds on Wi-Fi 6 by adding the 6GHz band (5.925 GHz to 7.125 GHz), where, currently, there is a lot less traffic and much lower latency than in the 2.4GHz and 5GHz bands that Wi-Fi 6 uses. That extra bandwidth makes 6E a logical choice for latency-sensitive applications. But you can’t use something if you can’t buy it, and Dell'Oro says that based on its discussions with enterprises, 6E products are in very limited supply or unavailable.

Flow-Based Packet Forwarding

In the Cache-Based Packet Forwarding blog post I described what happens when someone tries to bypass the complexities of IP routing table lookup with a forwarding cache.

Now imagine you want to implement full-featured fast packet forwarding including ingress- and egress ACL, NAT, QoS… but find the required hardware (TCAM) too expensive. Wouldn’t it be nice if we could send the first packet of every flow to a CPU to figure out what to do with it, and download the results into a high-speed flow cache where they could be used to switch the subsequent packets of the same flow. Welcome to flow-based packet forwarding.

How To Create A Python Function You Can Call From Other Scripts

Python gives you the ability to write a bit of code and then call that code as a function. You can call the function from within the same script where the function is defined, or you can save the function in a separate script and then import the function inside of other scripts.

Writing and calling functions is a key component of the Don’t Repeat Yourself (DRY) principle of software development. Creating a function in a single script and calling that function from other scripts is preferable to performing copypasta of the same bit of code throughout several scripts. When a function lives in a single script, it only needs to be updated in that one place when it inevitably needs updating.

While Python functions can perform isolated tasks, my typical use cases send values into the function and receive a value returned from the function. In this example, I’ll import a Python function used to refresh an access token required to authenticate to a remote API endpoint. I’ll pass other tokens required to refresh the access token into the function, and the function will return the refreshed access token back to the calling script.

The Function

The names of

Wireless growth, IoT and cars will drive semiconductor demand

The ongoing deployment of 5G networks, IoT and the automotive sector are the three biggest drivers of semiconductor revenue in the coming fiscal year, according to a new survey and analysis issued by KPMG. The accounting firm noted that semiconductor makers had shifted their organizational structures in response to those trends, with 53% of respondents reporting that they had increased their focus on specific operational requirements for hot applications — and away from general-use chipsets that can be used in multiple products.

Tech Bytes: Credit Union Taps Aruba ESP For SD-WAN, Branch Networking (Sponsored)

Today on the Tech Bytes podcast we dive into a real-world SD-WAN deployment. Our sponsor is Aruba and we’re talking with Aruba ESP customer Alabama ONE, a credit union. Our guest is Bobby Umfress II, Director of IT and Operations at Alabama ONE.

The post Tech Bytes: Credit Union Taps Aruba ESP For SD-WAN, Branch Networking (Sponsored) appeared first on Packet Pushers.

BGP Policies (part 1)

At the most basic level, there are only three BGP policies: pushing traffic through a specific exit point; pulling traffic through a specific entry point; preventing a remote AS (more than one AS hop away) from transiting your AS to reach a specific destination. In this series I’m going to discuss different reasons for these kinds of policies, and different ways to implement them in interdomain BGP.

In the following network—

There are many reasons an operator might want to select which neighboring AS through which to send traffic towards a given reachable destination (for instance, 100::/64). Each of these examples assumes the AS in question has learned multiple paths towards 100::/64, one from each peer, and must choose one of the two available paths to forward along.

Examining this from AS65006’s Perspective …

Assuming AS65006 is an edge operator (commonly called enterprise, but generally just originating and terminating traffic, and never transiting traffic), there are several reasons the operator may prefer one exit point (through an upstream provider), including:

  • An automated system may determine AS65004 has some sort of brownout; in this case, the operator at 65006 has configured the system to prefer the exit through AS65005
  • The traffic