Research: Practical Challenge-Response for DNS

Because the speed of DNS is so important to the performance of any connection on the ‘net, a lot of thought goes into making DNS servers fast, including optimized software that can respond to queries in milliseconds, and connecting DNS servers to the ‘net through high bandwidth links. To set the stage for massive DDoS attacks based in the DNS system, add a third point: DNS responses tend to be much larger than DNS queries. In fact, a carefully DNS response can be many times larger than the query.

To use a DNS server as an amplifier in a DDoS attack, then, the attacker sends a query to some number of publicly accessible DNS servers. The source of this query is the address of the system to be attacked. If the DNS query is carefully crafted, the attacker can send small packets that cause a number of DNS servers to send large responses to a single IP address, causing large amounts of traffic to the system under attack.

Rami Al-Dalky, Michael Rabinovich, and Mark Allman. 2018. Practical Challenge-Response for DNS. In Proceedings of the Applied Networking Research Workshop (ANRW ’18). ACM, New York, NY, USA, 74-74. DOI: https://doi.org/10.1145/3232755. Continue reading

Network Break 225: Juniper Buys WiFi Startup Mist Systems; Huawei Sues The U.S.

Today's Network Break analyzes Juniper's $405 billion purchase of WiFi vendor Mist Systems, discusses VMware's new service-defined firewall, digs into the launch of a new security analytics service, opines on Huawei's lawsuit against the U.S., plus more tech news.

The post Network Break 225: Juniper Buys WiFi Startup Mist Systems; Huawei Sues The U.S. appeared first on Packet Pushers.

NSX-T 2.4 – NSX Cloud eases your Adoption/Operations between on-premises Datacenter, AWS and Azure

2018 was a great year for NSX with Cloud seeing increased customer traction, strong partnerships established across the board, and a whole host of new features being released throughout the year! While most of our competitors are just starting on their public cloud solution, NSX Cloud is entering its second year of adoption, enabling consistent networking and security across on-premises Datacenter, AWS, and Azure. With NSX-T 2.4, we’re extending our industry-leading capabilities, which will further enable our customers to seamlessly, & consistently manage their public cloud and private cloud workloads.

If you would like to have a refresher on NSX Cloud before we get into the details of what’s new in NSX-T 2.4, here are some pointers to our previous blogs:

At a high level these are some of the key NSX Cloud features that were released in NSX-T 2.4:

  • Shared Gateway in Transit VPC/VNET for simplified, faster onboarding and consolidation
  • VPN support in Public Cloud
  • Selective North-South Service Insertion and Partner Integration
  • Micro-segmentation on Horizon Cloud for Azure.
  • Declarative Policy for Hybrid Workloads

Now, let’s Continue reading

The Week in Internet News: Companies Encouraged to Conduct Q & AI

Uncomfortable AI: Inc.com has a story asking 16 “uncomfortable” questions that companies should ask about Artificial Intelligence. Among them: Are your reasons for deploying AI in the best long-term interests of humanity? And, how can we ensure that our behavior is inclusive?

Russia attacks fake news: Russian lawmakers have passed two bills, one that outlaws the spreading of fake news, at least as determined by the government there. Another bill makes it illegal to “disrespect” authorities in Russia, the BBC reports. Both bills come with heavy fines, and critics said the laws will limit the ability of journalists to report critical information.

The way forward: Facebook believes encrypted communications and privacy are its future, Recode reports. CEO Mark Zuckerberg outlined the website’s commitments to private messaging in a lengthy blog post.

The way backward: A teen who decided to get himself vaccinated said his mother got misinformation about the dangers of vaccines on Facebook, USA Today says. Ethan Lindenberger, an 18-year-old from Ohio, asked Reddit users if he should get vaccinated as an adult. There’s never misinformation on Reddit, of course.

Break ‘em up: U.S. Senator Elizabeth Warren, who is running for president in 2020, wants to break Continue reading

Facebook gets into the fiber-optic connectivity business

When you think of Facebook services, high-speed connectivity is not the first thing that comes to mind. But the social media giant is doing just that, offering high-capacity fiber-optic routes to sell unused capacity between its data centers for third parties.Facebook has created a subsidiary called Middle Mile Infrastructure to sell excess capacity on its fiber, starting with new fiber routes between its data center campuses in Virginia, Ohio, and North Carolina. The company made the announcement in a blog post by Kevin Salvadori, director of network investments.To read this article in full, please click here

Facebook gets into the fiber-optic connectivity business

When you think of Facebook services, high-speed connectivity is not the first thing that comes to mind. But the social media giant is doing just that, offering high-capacity fiber-optic routes to sell unused capacity between its data centers for third parties.Facebook has created a subsidiary called Middle Mile Infrastructure to sell excess capacity on its fiber, starting with new fiber routes between its data center campuses in Virginia, Ohio, and North Carolina. The company made the announcement in a blog post by Kevin Salvadori, director of network investments.To read this article in full, please click here

Survey: Cloud monitoring, management tools come up short

(Editor’s note: Recent research by Enterprise Management Associates takes a look at how enterprises regard cloud management tools. This article by Shamus McGillicuddy, EMA’s research director for network management, details highlights of “Network Engineering and Operations in the Multi-Cloud Era,” a report based on EMA’s survey of 250 IT professionals and telephone interviews with a half dozen IT leaders.) Three-out-of-four network managers say that at least one of their network monitoring tools has failed to address their requirements for monitoring the public cloud environments – perilous, given the extent of public-cloud adoption today.To read this article in full, please click here

BrandPost: How IPsec UDP Helps Scale and Secure SD-WAN Fabrics

IPsec is a critical element in building a scalable and secure SD-WAN fabric. The right IPsec is key to making it happen.Robert Sturt published an article title “SD-WAN vs. VPN: How do they compare?” While Robert tried to illustrate when and how to use SD-WAN vs. VPN, the objective of this blog is to look deeper into existing IPsec approaches and challenges in building and securing an SD-WAN fabric, and how IPsec UDP can help address these challenges. At the end of this blog, I have included a link to a Silver Peak white paper that provides a detailed explanation of IPsec options.To read this article in full, please click here

Last Week on ipSpace.net (2019W10)

The Spring 2019 Building Network Automation Solutions course continued with an awesome presentation by David Gee. He started with what you should do before writing a single line of code (identify processes and document them in workflows and sequence diagrams) and covered tons of boring stuff nobody ever wants to talk about.

On Thursday Rachel Traylor continued exploring graphs and their relevance in networking, this time focusing on trees and spanning trees.

The Network Connectivity, Graph Theory, and Reliable Network Design webinar is part of standard ipSpace.net subscription You can access David’s presentation and all other materials of the Building Network Automation Solutions online course with Expert Subscription (assuming you choose this course as part of your subscription).

Efficient synchronisation of state-based CRDTs

Efficient synchronisation of state-based CRDTs Enes et al., arXiv’18

CRDTs are a great example of consistency as logical monotonicity. They come in two main variations:

  • operation-based CRDTs send operations to remote replicas using a reliable dissemination layer with exactly-once causal delivery. (If operations are idempotent then at-least-once is ok too).
  • state-based CRDTs exchange information about the resulting state of the data structure (not the operations that led to the state being what it is). In the original form the full-state is sent each time. State-based CRDTs can tolerate dropped, duplicated, and re-ordered messages.

State-based CRDTs look attractive therefore, but over time as the state grows sending the full state every time quickly becomes expensive. That’s where Delta-based CRDTs come in. These send only the delta to the state needed to reconstruct the full state.

Delta-based CRDTs… define delta-mutators that return a delta ( \delta ), typically much smaller than the full state of the replica, to be merged with the local state. The same \delta is also added to an outbound \delta-buffer, to be periodically propagated to remote replicas. Delta-based CRDTs have been adopted in industry as part of the Akka Distributed Data framework and IPFS.

So far so good, but Continue reading

How IPv6 SLAAC responds to Renumbering Events

If you follow the IPv6 Maintenance (6man) Working Group of the Internet Engineering Task Force (IETF), you may have noticed the 300+ message email thread on an Internet Draft that was recently published on the “Reaction of Stateless Address Autoconfiguration (SLAAC) to Renumbering Events”. This was prompted by the experiences of developing Best Current Operational Practice on IPv6 prefix assignment for end-users, an activity led by ISOC’s Jan Žorž and published as ripe-690.

SLAAC is used to automatically assign an IPv6 address to a host, but there are a number of scenario where hosts may end up using stale configuration information and thereby leading to interoperability problems.

For example, a typical IPv6 deployment scenario is when a CPE (Customer Premises Equipment) router requests an IPv6 prefix to an ISP via DHCPv6-PD, and advertises a sub-prefix of the leased prefix on the LAN-side via SLAAC.

In such scenarios, if the CPE router crashes and reboots, it may lose all information about the previously leased prefix. Upon reboot, the CPE router may be leased a new prefix that will result in a new sub-prefix being advertised on the LAN-side of the CPE router. As a result, hosts will normally configure addresses for the newly-advertised prefix, Continue reading

A quick lesson in confirmation bias

In my experience, hacking investigations are driven by ignorance and confirmation bias. We regularly see things we cannot explain. We respond by coming up with a story where our pet theory explains it. Since there is no alternative explanation, this then becomes evidence of our theory, where this otherwise inexplicable thing becomes proof.


For example, take that "Trump-AlfaBank" theory. One of the oddities noted by researchers is lookups for "trump-email.com.moscow.alfaintra.net". One of the conspiracy theorists explains has proof of human error, somebody "fat fingered" the wrong name when typing it in, thus proving humans were involved in trying to communicate between the two entities, as opposed to simple automated systems.

But that's because this "expert" doesn't know how DNS works. Your computer is configured to automatically put local suffices on the end of names, so that you only have to lookup "2ndfloorprinter" instead of a full name like "2ndfloorprinter.engineering.example.com".

When looking up a DNS name, your computer may try to lookup the name both with and without the suffix. Thus, sometimes your computer looks up "www.google.com.engineering.exmaple.com" when it wants simply "www.google.com".

Apparently, Alfabank configures Continue reading
1 1,241 1,242 1,243 1,244 1,245 3,792