Introducing Spectrum: Extending Cloudflare To 65,533 More Ports

Introducing Spectrum: Extending Cloudflare To 65,533 More Ports

Today we are introducing Spectrum, which brings Cloudflare’s security and acceleration to the whole spectrum of TCP ports and protocols for our Enterprise customers. It’s DDoS protection for any box, container or VM that connects to the internet; whether it runs email, file transfer or a custom protocol, it can now get the full benefits of Cloudflare. If you want to skip ahead and see it in action, you can scroll to the video demo at the bottom.

Introducing Spectrum: Extending Cloudflare To 65,533 More Ports

DDoS Protection

The core functionality of Spectrum is its ability to block large DDoS attacks. Spectrum benefits from Cloudflare’s existing DDoS mitigation (which this week blocked a 900 Gbps flood). Spectrum’s DDoS protection has already been battle tested. Just soon as we opened up Spectrum for beta, Spectrum received its first SYN flood.

One of Spectrum's earliest deployments was in front of Hypixel’s infrastructure. Hypixel runs the largest minecraft server, and because gamers can be - uh, passionate - they were one of the earliest targets of the terabit-per-second Mirai botnet. “Hypixel was one of the first subjects of the Mirai botnet DDoS attacks and frequently receives large attacks. Before Spectrum, we had to rely on unstable services & techniques Continue reading

Abusing Linux’s firewall: the hack that allowed us to build Spectrum

Abusing Linux's firewall: the hack that allowed us to build Spectrum

Today we are introducing Spectrum: a new Cloudflare feature that brings DDoS protection, load balancing, and content acceleration to any TCP-based protocol.

Abusing Linux's firewall: the hack that allowed us to build Spectrum
CC BY-SA 2.0 image by Staffan Vilcans

Soon after we started building Spectrum, we hit a major technical obstacle: Spectrum requires us to accept connections on any valid TCP port, from 1 to 65535. On our Linux edge servers it's impossible to "accept inbound connections on any port number". This is not a Linux-specific limitation: it's a characteristic of the BSD sockets API, the basis for network applications on most operating systems. Under the hood there are two overlapping problems that we needed to solve in order to deliver Spectrum:

  • how to accept TCP connections on all port numbers from 1 to 65535
  • how to configure a single Linux server to accept connections on a very large number of IP addresses (we have many thousands of IP addresses in our anycast ranges)

Assigning millions of IPs to a server

Cloudflare’s edge servers have an almost identical configuration. In our early days, we used to assign specific /32 (and /128) IP addresses to the loopback network interface[1]. This worked well when we had dozens of IP Continue reading

리눅스 방화벽을 남용하기: Spectrum 을 만들 수 있었던 ​해킹​

리눅스 방화벽을 남용하기: Spectrum 을 만들 수 있었던 ​해킹​

This is a Korean translation of a prior post by Marek Majkowski.

얼마전 우리는 Spectrum을 발표하였습니다: 어떤 TCP 기반의 프로토콜이라도 DDoS 방어, 로드밸런싱 그리고 컨텐츠 가속을 할 수 있는 새로운 Cloudflare의 기능입니다.

리눅스 방화벽을 남용하기: Spectrum 을 만들 수 있었던 ​해킹​
CC BY-SA 2.0 image by Staffan Vilcans

Spectrum을 만들기 시작하고 얼마 되지 않아서 중요한 기술적 난관에 부딛히게 되었습니다: Spectrum은 1부터 65535 사이의 어떤 유효한 TCP 포트라도 접속을 허용해야 합니다. 우리의 리눅스 엣지 서버에서는 "임의의 포트 번호에 인바운드 연결을 허용"은 불가능합니다. 이것은 리눅스만의 제한은 아닙니다: 이것은 대부분 운영 체제의 네트워크 어플리케이션의 기반인 BSD 소켓 API의 특성입니다. 내부적으로 Spectrum을 완성하기 위해서 풀어야 하는 서로 겹치는 문제가 둘 있었습니다:

  • 1에서 65535 사이의 모든 포트 번호에 TCP 연결을 어떻게 받아들일 것인가
  • 매우 많은 수의 IP 주소로 오는 연결을 받아들이도록 단일 리눅스 서버를 어떻게 설정할 것인가 (우리는 애니캐스트 대역에 수많은 IP주소를 갖고 있습니다)

서버에 수백만의 IP를 할당

Cloudflare의 엣지 서버는 거의 동일한 구성을 갖고 있습니다. 초창기에는 루프백 네트워크 인터페이스에 특정한 /32 (그리고 /128) IP 주소를 할당하였습니다[1]. 이것은 수십개의 IP주소만 갖고 있었을 때에는 잘 동작 하였지만 더 성장함에 따라 확대 적용하는 것에는 실패하였습니다.

그때 "AnyIP" 트릭이 등장하였습니다. AnyIP는 단일 주소가 아니라 전체 IP 프리픽스 (서브넷)을 루프백 인터페이스에 할당하도록 해 줍니다. 사실 AnyIP를 많이 사용하고 있습니다: 여러분 컴퓨터에는 루브백 인터페이스에 Continue reading

IDG Contributor Network: To 400G and beyond: the arrival of adaptive networks and the next technology boom

We live in a world in which we’re regularly streaming Netflix in 4K, using the power of the phones in our pockets to augment our realities with virtual gaming, and even watching basketball from a virtual courtside seat. Our networks have evolved to cater for these technologies, and each evolutionary step has brought with it a technological boom enabled by greater capacity, speed, automation, intelligence and programmability.The next step has arrived and it’s just in time, because when you thought we were finally content with, well, content, new technologies have emerged that push beyond what we ever thought possible.At the 2018 Consumer Electronics Show (CES), Intel Studios unveiled what it’s calling Volumetric Video – and it’s nothing short of stunning. Volumetric Video uses multiple cameras to shoot a 360-degree field of view, but it differs from standard 360-degree or VR video in that it captures footage “from the outside in”. To picture how it works, visualize the action scenes from The Matrix, in which the cameras pan around a frozen-in-mid-air Keanu Reeves. But now imagine being a viewer with the ability to zoom in on any part of that scene or look at any part of the Continue reading

IDG Contributor Network: To 400G and beyond: the arrival of adaptive networks and the next technology boom

We live in a world in which we’re regularly streaming Netflix in 4K, using the power of the phones in our pockets to augment our realities with virtual gaming, and even watching basketball from a virtual courtside seat. Our networks have evolved to cater for these technologies, and each evolutionary step has brought with it a technological boom enabled by greater capacity, speed, automation, intelligence and programmability.The next step has arrived and it’s just in time, because when you thought we were finally content with, well, content, new technologies have emerged that push beyond what we ever thought possible.At the 2018 Consumer Electronics Show (CES), Intel Studios unveiled what it’s calling Volumetric Video – and it’s nothing short of stunning. Volumetric Video uses multiple cameras to shoot a 360-degree field of view, but it differs from standard 360-degree or VR video in that it captures footage “from the outside in”. To picture how it works, visualize the action scenes from The Matrix, in which the cameras pan around a frozen-in-mid-air Keanu Reeves. But now imagine being a viewer with the ability to zoom in on any part of that scene or look at any part of the Continue reading

Encoding data in dubstep drops

Encoding data in dubstep drops

[Warning: Those who can’t stand EDM/dubstep, oh boy do I have bad news for you in regards to this blog post]

Dubstep songs are often criticized as sounding extremely computer generated and often just too aggressi

BrandPost: Managed SD-WAN: New offerings must meet customer demand

In 2017, many service providers introduced their initial managed SD-WAN services to meet early market demand. Throughout the year, they thoroughly tested multiple SD-WAN technologies with the intention of selecting a lead platform for the initial service launch. There were many proofs of concept and beta tests prior to building the services wrap around those initial platforms. Providers developed their own trial programs and started to introduce services to their customers while completing all the necessary support to develop the platform as a fully managed service. Early offers generally included a handful of customers and, at times, restricted the service provider’s own network services.To read this article in full, please click here

Piloting “White Space” to connect the underserved of rural Tanzania

Beyond the Net Journal

As economies develop in Tanzania, rural residents have growing needs for communication and broadband access. However, mobile operators are reluctant to invest in remote areas due to the elevated infrastructure cost and the high percentage of people that can’t afford the payment of the services.

The Internet Society Tanzania Chapter, supported by Beyond the Net Funding Programme in partnership with The University of Dodoma will target the remote areas of Dodoma Region, where conventional deployments are not available. Together, they will build a pilot project using TV White Space equipment as a community network solution.

White Space Internet is not widely adopted so far, but has the potential to transform the way we use wireless Internet. Being a free form of broadband, it is as a good alternative to provide underserved communities with Internet access that is similar to that of 4G mobile. White Space power stations can be charged with solar panels and broadband can travel up to 10 kilometers through vegetation, buildings and other obstacles.

“It’s amazing how life has changed in Tanzania thanks to the Internet”, explains Jabhera Matogoro, project manager and coordinator of Microsoft Innovation Center at the University of Continue reading

It’s Back… The Contribute and Collaborate track returns to DockerCon 2018

A significant number of Docker early adopters, advanced container users and Open Source lovers come to DockerCon to contribute to open source projects and collaborate on technical system implementations. Last year, these activities were taking place at the Moby Summit scheduled on the last day of the conference. Listening to feedback from attendees who expressed interest in participating in such activities earlier in the week, we’ve decided to bring back the Contribute & Collaborate track to the main conference days!

DockerCon Contribute & Collaborate

The goal of this track is to raise awareness and educate users around the upstream components of the Docker Platform, provide a path for new contributors and unleash new opportunities for innovation and collaboration within the broader Cloud Native and Open Source communities.

This track is organized in 4 half days (one for each of the categories below). Each will start by a series of lightning talks during which maintainers will be introducing their projects and doing a brief demo. We’ll then break into smaller groups for roundtables and informal, interactive Birds-of-a-Feather discussions with maintainers. This time will be a great opportunity to collaborate with peers who share the same interest, ask questions to maintainers, get insights into project roadmaps Continue reading

Mellanox, Ixia and Cumulus: Part 2

This post is part two of three in a series looking at the joint presentations made by Mellanox, Ixia and Cumulus at Networking Field Day 17, in February 2018. More specifically, this post looks at what part Ixia has to play in the deployment of an Ethernet switch fabric built using Mellanox switches and running Cumulus Linux as the Network Operating System (NOS).

Cumulus/Mellanox/Ixia Logos

Ixia

What confused me most about a presentation from Mellanox, Ixia and Cumulus about Ethernet fabrics was to figure out what role Ixia would be playing in the disaggregated model. Mellanox makes the switch hardware and Cumulus makes the switch software, so Ixia fits, well, where exactly?

IxNetwork

IxNetwork is billed as an end-to-end validation solution which in many ways undersells what it’s all about. Rather than being just more traffic-generating test equipment, IxNetwork can emulate multiple switch and server devices so that a single piece of test hardware can be connected to what it believes is a large existing infrastructure, and that hardware’s behavior and resiliency can be validated. In the demo topology, IxNetwork connects to a physical Mellanox Spectrum switch running Cumulus Linux, emulating connected servers as well as an entire leaf/switch EVPN/VXLAN fabric, attached Continue reading

1 1,668 1,669 1,670 1,671 1,672 3,860