Archive

Category Archives for "Security"

Mitigating DDoS

Your first line of defense against any DDoS, at least on the network side, should be to disperse the traffic across as many resources as you can. Basic math says that if you have fifteen entry points, and each entry point is capable of supporting 10G of traffic, then you should be able to simply absorb a 100G DDoS attack while still leaving 50G of headroom for real traffic (assuming perfect distribution, of course; YMMV). Dispersing a DDoS in this way may impact performance, but taking bandwidth and resources down is almost always the wrong way to react to a DDoS attack.

But what if you cannot, for some reason, disperse the attack? Maybe you only have two edge connections, or the DDoS is larger than all of your edge bandwidth combined? It is typically difficult to mitigate a DDoS attack, but there is an escalating chain of actions you can take that often proves useful. Let’s deal with local mitigation techniques first, and then consider some fancier methods.

  • TCP SYN filtering: A lot of DDoS attacks rely on exhausting TCP open resources. If all inbound TCP sessions can be terminated in a proxy (such as a load balancer), Continue reading
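The SYN-filtering point above is about a proxy terminating inbound TCP so that half-open connections never reach the servers behind it. The following is an added example (not code from the original post, whose text is cut off above) of the stateless technique such a proxy uses: a SYN cookie. The handshake state is encoded into the initial sequence number sent in the SYN/ACK and recovered from the client's final ACK, so a flood of spoofed SYNs costs one keyed hash each and leaves no table entries behind. The bit layout (5-bit time counter, 3-bit MSS index, 24-bit keyed hash) follows the classic SYN-cookie construction; the secret key, addresses and timestamps are constructed for the demo.

```python
"""Stateless SYN handling (SYN cookies) for a terminating proxy.

Added example, not the original post's code. Demonstrates encoding the
TCP handshake state into the ISN so no half-open state is held.
"""
import hashlib
import hmac
import time

SECRET = b"constructed-demo-key; rotate periodically in production"
MSS_TABLE = (536, 1300, 1440, 1460)   # values representable in the 3-bit MSS field
SLOT_SECONDS = 64                      # granularity of the time counter
ACCEPT_SLOTS = 2                       # current slot plus one earlier: cookies live ~1-2 min
MASK32 = 0xFFFFFFFF


def _cookie_hash(src, sport, dst, dport, slot, mss_idx):
    """24-bit keyed hash over the 4-tuple, the time slot and the MSS index."""
    msg = f"{src}:{sport}>{dst}:{dport}|{slot}|{mss_idx}".encode()
    digest = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:3], "big")


def _mss_index(client_mss):
    """Largest table entry not exceeding the client's advertised MSS (index 0 if smaller)."""
    idx = 0
    for i, mss in enumerate(MSS_TABLE):
        if mss <= client_mss:
            idx = i
    return idx


def make_cookie(src, sport, dst, dport, client_mss, now=None):
    """ISN to place in the SYN/ACK. After this the SYN is forgotten; nothing is stored."""
    now = time.time() if now is None else now
    slot = int(now // SLOT_SECONDS) & 0x1F
    mss_idx = _mss_index(client_mss)
    h = _cookie_hash(src, sport, dst, dport, slot, mss_idx)
    return ((slot << 27) | (mss_idx << 24) | h) & MASK32


def check_cookie(src, sport, dst, dport, ack_number, now=None):
    """Validate the client's final ACK.

    Returns the MSS to use for the connection, or None if the cookie does not
    verify or has expired. Only now is a connection actually allocated.
    """
    now = time.time() if now is None else now
    cookie = (ack_number - 1) & MASK32          # the ACK acknowledges ISN + 1
    slot = cookie >> 27
    mss_idx = (cookie >> 24) & 0x7
    h = cookie & 0xFFFFFF
    if mss_idx >= len(MSS_TABLE):
        return None
    current = int(now // SLOT_SECONDS) & 0x1F
    for delta in range(ACCEPT_SLOTS):
        if slot != (current - delta) & 0x1F:
            continue
        expected = _cookie_hash(src, sport, dst, dport, slot, mss_idx)
        if hmac.compare_digest(expected.to_bytes(3, "big"), h.to_bytes(3, "big")):
            return MSS_TABLE[mss_idx]
    return None


if __name__ == "__main__":
    # Constructed demo: 10,000 spoofed SYNs, each answered from the cookie alone.
    t0 = 1_000_000
    for i in range(10_000):
        make_cookie(f"10.0.{(i >> 8) & 0xFF}.{i & 0xFF}", 1024 + i, "198.51.100.1", 443, 1460, t0)
    # Only the honest client, which returns the right ACK, gets a connection.
    isn = make_cookie("203.0.113.5", 40000, "198.51.100.1", 443, 1460, t0)
    print("honest client MSS:", check_cookie("203.0.113.5", 40000, "198.51.100.1", 443, (isn + 1) & MASK32, t0))
    print("spoofed ACK:", check_cookie("203.0.113.9", 40000, "198.51.100.1", 443, (isn + 1) & MASK32, t0))
```

Two caveats a practitioner should keep in mind: the hash is truncated to 24 bits, so a blind ACK guess succeeds with probability 2^-24 per attempt (the same trade-off real SYN cookies make), and because the SYN is not stored, any TCP options it carried (window scale, SACK) are lost unless they are encoded somewhere else, such as the TCP timestamp.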

Technology Short Take #77

Welcome to Technology Short Take #77. I’ve got a new collection of links and articles from around the Web on various data center-focused technologies.

Networking

ENISA online training material updated and extended — ENISA

Free Training materials on IT Security incident and breach response. Looks quite good.

The new training material provides a step-by-step guide on how to address and respond to incidents, as an incident handler and investigator, teaching best practices and covering both sides of the breach. The material is technical and aims to provide a guided training both to incident handlers and investigators, while providing lifelike conditions. The training material mainly uses open source and free tools.

ENISA online training material updated and extended — ENISA : https://www.enisa.europa.eu/news/enisa-news/enisa-online-training-material-updated-and-extended

The post ENISA online training material updated and extended — ENISA appeared first on EtherealMind.

Introducing VMware NSX for vSphere 6.3 & VMware NSX-T 1.1 

This past week at VMware has been quite exciting! Pat Gelsinger, VMware CEO, reported on the Q4 2016 earnings call that VMware NSX has more than 2,400 customers exiting 2016. Today, we continue that momentum by announcing new releases of our two different VMware NSX platforms – VMware NSX™ for vSphere® 6.3 and VMware NSX-T 1.1.

These releases continue to accelerate digital transformation for organizations through the most critical IT use cases – Security, Automation, and Application Continuity – while expanding support for new application frameworks and architectures.

NSX use case projects

As more and more customers adopt NSX for vSphere, we continue to add features to make it easier for you to deploy, operate and scale-out your environment. NSX empowers customers on their cloud journey. It is driving value inside the data center today and expanding across datacenters and to the cloud via our Cloud Air Network partnerships, and soon to VMware Cloud on AWS and native public cloud workloads via VMware Cross-Cloud Services.

Let’s take a look at some of the new features in NSX for vSphere 6.3:

Security

Some of the new capabilities delivered in NSX for vSphere 6.3 are the Application Rule Manager (available in NSX Advanced Continue reading

Home products that fix/mitigate bufferbloat…

My New Year’s resolution is to restart blogging.

Trying to steer anything the size of the Internet in a better direction is very slow and difficult at best. The lag from when changes in the upstream operating systems are complete to when consumers can buy a new product is typically four years, caused by the broken and insecure ecosystem in the embedded device market. Chip vendors, box vendors, I’m looking at you. So much of what is now finally appearing in the market is based on work that is often four years old. Market pull may do what push has not.

The fq_codel & cake work going on in the bufferbloat project is called SQM – “smart queue management.”

See What to do About Bufferbloat for general information. The DSLReports Speedtest makes it easy to test for bufferbloat. New commercial products that fix it are becoming increasingly available. Here are some of them.

Evenroute IQrouter

First up, I’d like to call out the Evenroute IQrouter. DSL users have often suffered more than other broadband users, due to bad bloat in the modems compounded by minimal bandwidth, so the DSL version of the IQrouter is particularly welcome. Often DSL ISPs seem to have the tendency (more Continue reading

1984 is the new Bible in the age of Trump

In the age of Trump, Orwell's book 1984 is becoming the new Bible: a religious text which few read, but which many claim supports their beliefs. A good demonstration is this CNN op-ed, in which the author describes Trump as being Orwellian, but mostly just because Trump is a Republican.

Trump's populist attacks against our (classically) liberal world order are indeed cause for concern. His assault on the truth is indeed a bit Orwellian. But it's op-eds like this one at CNN that are part of the problem.

While the author of the op-ed spends much time talking about his dogs ("Winston", "Julia"), and how much he hates Trump, he spends little time on the core thesis "Orwellianism". When he does, it's mostly about old political disagreements. For example, the op-ed calls Trump's cabinet appointees Orwellian simply because they are Republicans:
He has provided us with Betsy DeVos, a secretary of education nominee who is widely believed to oppose public education, and who promotes the truly Orwellian-sounding concept of "school choice," a plan that seems well-intentioned but which critics complain actually siphons much-needed funds from public to private education institutions.
Calling school-choice "Orwellian" is absurd. Republicans want to Continue reading

NSX Growth and Success in 2016

Last week VMware hosted its Q4 2016 earnings call and shared financial results. VMware CEO Pat Gelsinger and the executive team have frequently highlighted VMware NSX growth and success on these calls. For Q4, NSX license bookings grew over 50 percent year-over-year. Annualizing our Q4 total bookings for NSX, it is now at a $1B run rate. With one month into 2017, we’d like to share more on NSX customer success in 2016.

Customer Success

2,400+

Exiting 2016, we shared our latest customer count at more than 2,400, which is almost double the customer count from last year. In Q4 we also had the largest NSX-only deal, more than $10M. For every customer I meet with or hear about from my team, I continue to be impressed by how they choose to use NSX. We love to share these success stories, whether we’re talking about all the customers we had speaking at VMworld last year, or the many videos and case studies the team publishes regularly. These stories go into detail on the significant NSX wins across multiple verticals and every major geography.

Customer Deployments & Expansion

Success for our team is when customers expand their use of Continue reading

Uber was right to disable surge pricing at JFK

Yesterday, the NYC taxi union had a one-hour strike protesting Trump's "Muslim Ban", refusing to pick up passengers at the JFK airport. Uber responded by disabling surge pricing at the airport. This has widely been interpreted as a bad thing, so the hashtag "#DeleteUber" has been trending, encouraging people to delete their Uber accounts/app.

These people are wrong, obviously so.

Surge Pricing

Uber's "Surge Pricing" isn't price gouging, as many assume. Instead, the additional money goes directly to the drivers, to encourage them come to the area surging and pick up riders. Uber isn't a taxi company. It can't direct drivers to go anywhere. All it can do is provide incentives. "Surge Pricing" for customers means "Surge Income" for the drivers, giving them an incentive. Drivers have a map showing which areas of the city are surging, so they can drive there.

Another way of thinking about it is "Demand Pricing". It's simply the economic Law of Supply and Demand. If demand increases, then prices increase, and then supply increases chasing the higher profits. It's why famously you can't get a taxi cab on New Years Eve, but you can get an Uber driver. Taxi drivers can't charge more Continue reading

Is ‘aqenbpuu’ a bad password?

Press secretary Sean Spicer has twice tweeted a random string, leading people to suspect he's accidentally tweeted his Twitter password. One of these was 'aqenbpuu', which some have described as a "shitty password". Is it actually bad?

No. It's adequate. Not the best, perhaps, but not "shitty".


It depends upon your threat model. The common threats are password reuse and phishing, where the strength of the password doesn't matter. Strength does matter when Twitter gets hacked and the password hashes are stolen, because then the attacker can guess offline against the hash.

Twitter uses the bcrypt password hashing technique, which is designed to be slow. A typical desktop with a GPU can only crack bcrypt passwords at a rate of around 321 hashes per second. Doing the math (26 to the power of 8 candidate passwords, divided by 321 per second, divided by 86,400 seconds per day) gives roughly 7,500 days, so it would take about 20 years for this desktop to exhaust the keyspace.

That's not a good password. A botnet with thousands of desktops, or somebody willing to invest thousands of dollars in a supercomputer or a cloud cluster like Amazon's, can crack that password in a few days.
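The two paragraphs above are one calculation with different attacker budgets plugged in. The following is an added example (not from the original post) that reproduces the post's arithmetic and generalizes it: the keyspace for a password's shape, how the time scales with the attacker's fleet, and how the bcrypt cost factor moves the per-hash rate. The 321 hashes per second per desktop is the post's figure; the fleet sizes, alternative passwords and cost factors below are assumptions for illustration.

```python
"""Offline cracking-time estimates for a stolen password hash.

Added example, not the original post's code. Only the 321 bcrypt hashes
per second per desktop comes from the post; other rates, fleet sizes and
cost factors are assumed for illustration.
"""
import string

SECONDS_PER_DAY = 86_400
SECONDS_PER_YEAR = 365.25 * SECONDS_PER_DAY
DESKTOP_BCRYPT_RATE = 321.0   # hashes per second on one GPU desktop, per the post


def charset_size(password: str) -> int:
    """Size of the union of standard character classes the password draws from.

    This is the alphabet a brute-forcer must assume once it knows the shape of
    the password (lowercase only, mixed case, with digits, with symbols).
    """
    classes = (
        (string.ascii_lowercase, 26),
        (string.ascii_uppercase, 26),
        (string.digits, 10),
        (string.punctuation, len(string.punctuation)),   # 32 printable symbols
    )
    size = sum(count for members, count in classes if any(ch in members for ch in password))
    if size == 0:
        raise ValueError("password uses no recognised character class")
    return size


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of candidate passwords of exactly this length over this alphabet."""
    return alphabet_size ** length


def crack_time_seconds(alphabet_size, length, hashes_per_second=DESKTOP_BCRYPT_RATE,
                       machines=1, average=False):
    """Seconds to try the whole keyspace (worst case) or half of it (expected).

    Throughput scales linearly with the number of machines: a botnet of 1,000
    desktops is 1,000 times the single-desktop rate.
    """
    candidates = keyspace(alphabet_size, length)
    if average:
        candidates /= 2
    return candidates / (hashes_per_second * machines)


def rate_at_cost(rate, known_cost, new_cost):
    """bcrypt's cost parameter is log2 of the iteration count, so each +1 halves throughput."""
    return rate / (2 ** (new_cost - known_cost))


def estimate(password, hashes_per_second=DESKTOP_BCRYPT_RATE, machines=1):
    """Worst-case crack time in seconds for a password of this length and shape."""
    return crack_time_seconds(charset_size(password), len(password), hashes_per_second, machines)


def human(seconds):
    if seconds < SECONDS_PER_DAY:
        return f"{seconds / 3600:.1f} hours"
    if seconds < SECONDS_PER_YEAR:
        return f"{seconds / SECONDS_PER_DAY:.1f} days"
    return f"{seconds / SECONDS_PER_YEAR:,.1f} years"


if __name__ == "__main__":
    pw = "aqenbpuu"
    print(f"{pw!r} on one desktop:      {human(estimate(pw))}")                 # ~20.6 years
    print(f"{pw!r} on 1,000 desktops:   {human(estimate(pw, machines=1000))}")  # ~7.5 days
    # Assumed alternatives: same length with mixed case and a digit, and three more lowercase letters.
    print(f"'Aqenbpu9' on one desktop:    {human(estimate('Aqenbpu9'))}")
    print(f"'aqenbpuuxyz' on one desktop: {human(estimate('aqenbpuuxyz'))}")
    # Assumed: if the post's rate was measured at cost 10, raising the cost to 12 quarters it.
    slower = rate_at_cost(DESKTOP_BCRYPT_RATE, 10, 12)
    print(f"{pw!r} at cost +2:           {human(estimate(pw, hashes_per_second=slower))}")
```

The point the numbers make is that length and alphabet dominate: three more lowercase letters buy more than four orders of magnitude, far more than the thousand-fold botnet takes away, while the defender's cost factor is the one knob that slows every attacker uniformly.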

But, it's not a bad password, either. A hack of a Twitter account like this would be a minor event. It's not Continue reading