0

Introducing Cloudflare Domain Protection — Making Domain Compromise a Thing of the Past

Everything on the web starts with a domain name. It is the foundation on which a company’s online presence is built. If that foundation is compromised, the damage can be immense.

As part of CIO Week, we looked at all the biggest risks that companies continue to face online, and how we could address them. The compromise of a domain name remains one of the greatest. There are many ways in which a domain may be hijacked or otherwise compromised, all the way up to the most serious: losing control of your domain name altogether.

You don’t want it to happen to you. Imagine not just losing your website, but all your company’s email, a myriad of systems tied to your corporate domain, and who knows what else. Having an attacker compromise your corporate domain is the stuff of nightmares for every CIO. And, if you’re a CIO and it’s not something you’re worrying about, know that we literally surveyed every other domain registrar and were so unsatisfied with their security practices we needed to launch our own.

But, now that we have, we want to make domain compromise something that should never, ever happen again. For that reason, we’re Continue reading

0

Cumulus Part X – VXLAN EVPN and MLAG

In this post, we take a look at the interaction of MLAG with an EVPN based VXLAN fabric on Cumulus Linux.

0

Cumulus Part IX – Understanding VXLAN EVPN Route-Target control

In this post, we look at how route-targets extended communities can be used to control VXLAN BGP EVPN routes in Cumulus Linux.

0

Cumulus Basics Part VIII – VXLAN symmetric routing and multi-tenancy

In this post, we look at VXLAN routing with symmetric IRB and multi-tenancy on Cumulus Linux.

0

Cumulus Basics Part VII – VXLAN routing – asymmetric IRB

In this post, we look at VXLAN routing with asymmetric IRB on Cumulus Linux.

0

Cumulus Basics Part VI – VXLAN L2VNIs with BGP EVPN

In this post, we introduce BGP EVPN and a VXLAN fabric in Cumulus Linux, with L2VNIs.

0

Cumulus Basics Part V – BGP unnumbered

In this post, we’ll look at BGP unnumbered on Cumulus Linux.

0

Cumulus Basics Part IV – BGP introduction

In this post, we introduce BGP on Cumulus Linux.

0

CVE-2021-44228 – Log4j RCE 0-day mitigation

A zero-day exploit affecting the popular Apache Log4j utility (CVE-2021-44228) was made public on December 9, 2021 that results in remote code execution (RCE).

This vulnerability is actively being exploited and anyone using Log4j should update to version 2.15.0 as soon as possible. The latest version can already be found on the Log4j download page.

If updating to the latest version is not possible, customers can also mitigate exploit attempts by setting the system property "log4j2.formatMsgNoLookups" to “true”; or by removing the JndiLookup class from the classpath. Java release 8u121 also protects against this remote code execution vector.

Customers using the Cloudflare WAF can also leverage three newly deployed rules to help mitigate any exploit attempts:

Rule ID	Description	Default Action
100514 (legacy WAF) 6b1cc72dff9746469d4695a474430f12 (new WAF)	Log4j Headers	BLOCK
100515 (legacy WAF) 0c054d4e4dd5455c9ff8f01efe5abb10 (new WAF)	Log4j Body	LOG
100516 (legacy WAF) 5f6744fa026a4638bda5b3d7d5e015dd (new WAF)	Log4j URL	LOG

The mitigation has been split across three rules inspecting HTTP headers, body and URL respectively.

Due to the risk of false positives, customers should immediately review Firewall Event logs and switch the Log4j Body and URL rules to BLOCK if none are found. Continue reading

0

Podcast: Ironing Out the BGP Ruffles

After the (in)famous October 2021 Facebook outage, Corey Quinn invited me for another Screaming in the Cloud chat, this time focusing on what went wrong (hint: it wasn’t DNS or BGP).

We also touched on VAX/VMS history, how early CCIE lab exams worked, how BGP started, why there are only 13 root name servers (not really), and the transition from networking being pure magic to becoming a commodity. Hope you’ll enjoy our chat as much as I did.

0

Podcast: Ironing Out the BGP Ruffles

After the (in)famous October 2021 Facebook outage, Corey Quinn invited me for another Screaming in the Cloud chat, this time focusing on what went wrong (hint: it wasn’t DNS or BGP).

We also touched on VAX/VMS history, how early CCIE lab exams worked, how BGP started, why there are only 13 root name servers (not really), and the transition from networking being pure magic to becoming a commodity. Hope you’ll enjoy our chat as much as I did.

0

Cumulus Basics Part III – static routing and OSPF

In this post, we will look at an introduction to routing on Cumulus Linux, with static routing and OSPF.

0

Why We Need Infrastructure-led Innovation to Transform Network Security

Despite how convenient it may seem, we cannot prioritize digital advancement first and leave security as an afterthought. The goal now is to build environments and infrastructure that are secure from the foundation up.

0

How to use the dmesg command: 2-Minute Linux Tips

In this Linux tip, learn how to use the dmesg command. It's a command that displays the content of the kernel message buffer – messages that were sent by various system services such as device drivers. You can view a lot of information that you would normally not see and get insights into how your system is working.

0

Real-Time Observability with InfluxDB for BAI Communications

Jason Myers Jason is a technical marketing writer at InfluxData. In public transportation, there’s little room for error when it comes to passenger safety. At the same time, rail operators don’t have bottomless financial resources to oversee their rail system. The team at BAI Communications in Toronto faced these two, diametrically opposed realities. Fortunately, by using their existing network infrastructure, a time-series platform and a sizable helping of ingenuity, the BAI team was able to close that gap between their technical needs and cost. Here’s how they did it. Background BAI Communications is a global company and a leader in providing communications infrastructure, pioneering the future of advanced connectivity and delivering the ubiquitous coverage that can transform lives, power business ambitions and shape the future of our cities. The company focuses on three key verticals: broadcast, neutral host and 5G, and transit. It seeks to enrich lives by connecting communities and advancing economies. BAI manages and operates the networking infrastructure for T-Connect, the wireless network used by the Toronto Transit Commission (TTC). T-Connect averages over 200,000 daily sessions, and over 5 million every month from approximately 100,000 unique devices every weekday. The T-Connect network consists of more than 1,000 access Continue reading

0

Optimizing Your Cybersecurity Budget

Strong cybersecurity comes at a price. The exact amount depends on your risk tolerance.

0

Cloudflare announces partnerships with leading cyber insurers and incident response providers

We are excited to announce our cyber risk partnership program with leading cyber insurance carriers and incident response providers to help our customers reduce their cyber risk. Cloudflare customers can qualify for discounts on premiums or enhanced coverage with our partners. Additionally, our incident response partners are partnering with us for mitigating under attack scenarios in an accelerated manner.  

What is a business’ cyber risk?

Let's start with security and insurance —  e.g., being a homeowner is an adventure and a responsibility. You personalize your home, maintain it, and make it secure against the slightest possibility of intrusion — fence it up, lock the doors, install a state of the art security system, and so on. These measures definitely reduce the probability of an intrusion, but you still buy insurance. Why? To cover for the rare possibility that something might go wrong — human errors, like leaving the garage door open, or unlikely events, like a fire, hurricane etc. And when something does go wrong, you call the experts (aka police) to investigate and respond to the situation.

Running a business that has any sort of online presence is evolving along the same lines. Getting the right Continue reading

0

Introducing Cloudflare Security Center

Today we are launching Cloudflare Security Center, which brings together our suite of security products, our security expertise, and unique Internet intelligence as a unified security intelligence solution.

Cloudflare was launched in 2009 to help build a better Internet and make Internet performance and security accessible to everyone. Over the last twelve years, we’ve disrupted the security industry and launched a broad range of products to address our customer’s pain points across Application Security, Network Security, and Enterprise Security.

While there are a plethora of solutions on the market to solve specific pain points, we’ve architected Cloudflare One as a unified platform to holistically address our customers’ most pressing security challenges.  As part of this vision, we are extremely excited to launch the public beta of Security Center. Our goal is to help customers understand their attack surface and quickly take action to reduce their risk of an incident.

Starting today, all Cloudflare users can use Security Center (available in your Cloudflare dashboard) to map their attack surface, review potential security risks and threats to their organizations, and mitigate these risks with a few clicks.

The changing corporate attack surface

A year ago, we announced Cloudflare One to address Continue reading

0

Shadow IT: make it easy for users to follow the rules

SaaS application usage has exploded over the last decade. According to Gartner, global spending on SaaS in 2021 was $145bn and is forecasted to reach $171bn in 2022. A key benefit of SaaS applications is that they are easy to get started with and either free or low cost. This is great for both users and leaders — it’s easy to try out new tools with no commitment or procurement process. But this convenience also presents a challenge to CIOs and security teams. Many SaaS applications are great for a specific task, but lack required security controls or visibility. It can be easy for employees to start using SaaS applications for their everyday job without IT teams noticing — these “unapproved” applications are popularly referred to as Shadow IT.

CIOs often have no visibility over what applications their SaaS employees are using. Even when they do, they may not have an easy way to block users from using unapproved applications, or on the contrary, to provide easy access to approved ones.

Visibility into application usage

In an office, it was easier for CIOs and their teams to monitor application usage in their organization. Mechanisms existed to inspect outbound DNS Continue reading

0

How to customize your layer 3/4 DDoS protection settings

After initially providing our customers control over the HTTP-layer DDoS protection settings earlier this year, we’re now excited to extend the control our customers have to the packet layer. Using these new controls, Cloudflare Enterprise customers using the Magic Transit and Spectrum services can now tune and tweak their L3/4 DDoS protection settings directly from the Cloudflare dashboard or via the Cloudflare API.

The new functionality provides customers control over two main DDoS rulesets:

1. Network-layer DDoS Protection ruleset — This ruleset includes rules to detect and mitigate DDoS attacks on layer 3/4 of the OSI model such as UDP floods, SYN-ACK reflection attacks, SYN Floods, and DNS floods. This ruleset is available for Spectrum and Magic Transit customers on the Enterprise plan.
2. Advanced TCP Protection ruleset — This ruleset includes rules to detect and mitigate sophisticated out-of-state TCP attacks such as spoofed ACK Floods, Randomized SYN Floods, and distributed SYN-ACK Reflection attacks. This ruleset is available for Magic Transit customers only.

To learn more, review our DDoS Managed Ruleset developer documentation. We’ve put together a few guides that we hope will be helpful for you:

1. Onboarding & getting started with Cloudflare DDoS protection
2. Handling false negatives
3. Handling false positives
4. Continue reading