Introducing Cloudflare Warp: Hide Behind The Edge

Introducing Cloudflare Warp: Hide Behind The Edge

I work at a company whose job it is to be attacked. As I’m writing this, an automatic mitigation is fighting two ongoing DDoS attacks. Any machine that’s publicly routable on the internet today can be a vector for attack, and that’s a problem.

Today we want to turn the tables and give you a new way of exposing services to the internet without having them be directly, publicly routable. Meet Cloudflare Warp.

Introducing Cloudflare Warp: Hide Behind The EdgeCC BY-SA 2.0 image by Christian Ortiz

Playing Hide and Seek with Bots and Hackers

Cloudflare internally runs about 4,000 containers that make up about 1.5K services and applications. Some of these containers need to network with other local containers, and others need to accept connections over the wire.

Every devops engineer knows that bad things happen to good machines, and so our platform operations team tries to hide servers altogether from the internet. There are several ways to do this:

  • Rotate IP addresses
  • Deploy proxies
  • Create firewall rules
  • Configure IP tables
  • Limit connections by client certificate
  • Cross connect with an upstream provider
  • Configure a GRE tunnel
  • Authentication mechanisms like OAuth or OIDC

These can be complicated or time consuming, yet none of them are Continue reading

What is PI and PA ? Provider Independent and Provider Assigned ?

What is PI and PA ? Provider Independent and Provider Assigned ? In this post, I will explain the important considerations on PI (Provider Independent) and PA (Provider Assigned).     In this post, I will explain below points :   What is PI and PA ?  Why PI and PA addresses are used ? […]

The post What is PI and PA ? Provider Independent and Provider Assigned ? appeared first on Cisco Network Design and Architecture | CCDE Bootcamp | orhanergun.net.

Down the Rabbit Hole: The Making of Cloudflare Warp

Down the Rabbit Hole: The Making of Cloudflare Warp

In the real world, tunnels are often carved out from the mass of something bigger - a hill, the ground, but also man-made structures.

Down the Rabbit Hole: The Making of Cloudflare WarpCC BY-SA 2.0 image by Matt Brown

In an abstract sense Cloudflare Warp is similar; its connection strategy punches a hole through firewalls and NAT, and provides easy and secure passage for HTTP traffic to your origin. But the technical reality is a bit more interesting than this strained metaphor invoked by the name of similar predecessor technologies like GRE tunnels.

Relics

Generic Routing Encapsulation or GRE is a well-supported standard, commonly used to join two networks together over the public Internet, and by some CDNs to shield an origin from DDoS attacks. It forms the basis of the legacy VPN protocol PPTP.

Establishing a GRE tunnel requires configuring both ends of the tunnel to accept the other end’s packets and deciding which IP ranges should be routed through the tunnel. With this in place, an IP packet destined for any address in the configured range will be encapsulated within a GRE packet. The GRE packet is delivered directly to the other end of the tunnel, which removes the encapsulation and forwards the original Continue reading

IDG Contributor Network: How the hybrid cloud has made the digital transformation possible

Competition in the 21st Century economy is fierce. Consumers are more tech-savvy than ever, as we all carry around more computing power in our pockets than Neil Armstrong took to the moon—and potential customers pay attention to differentiated experiences. Increasingly for all businesses, investing in agile software development is a way to achieve that differentiation.In other words, in the 21st Century, every business is a software business.All that software that’s enabling this transformation toward digital experiences has to run somewhere, and it turns out a hybrid cloud strategy gives businesses maximum choice when it comes to what runs where.To read this article in full or to leave a comment, please click here

Upcoming Spousetivities Events

Long-time readers/followers know that my wife, Crystal, runs a program called Spousetivities. This program organizes events for spouses/partners/significant others at IT industry conferences. This fall is a particularly busy season for Crystal and Spousetivities, as she’ll be organizing events at DockerCon EU, the fall OpenStack Summit, and AWS re:Invent! Here are some details on these upcoming events.

DockerCon EU 2017

For the first time, Spousetivities will be present at DockerCon EU, taking place this year in Copenhagen, Denmark. There’s a great set of activities planned:

  • City tour of Copenhagen
  • Castle tour, including Kronborg and Frederiksborg
  • Food tour and Tivoli Gardens

More information is available on the Spousetivities web site; if you’d like to register for any of the events, tickets are available right now.

OpenStack Summit Sydney

Spousetivities returns to the fall OpenStack Summit, held this year in beautiful Sydney, Australia. Spousetivities is no stranger to the OpenStack Summits, having supported the OpenStack community for several years now.

Once again, Crystal has arranged a great set of activities in and around Sydney:

  • Picturesque tour up to the Blue Mountains
  • City tour of Sydney, including some beautiful hidden beaches
  • Hunter Valley wine tour

This blog post on the Spousetivities Continue reading

What is happening to the World !! Shall we expect World War ?

Lots of stupid things I am hearing everyday anymore, which affect my business and affects so many people I think. Will World War III start or what ?   Couple months before I think at least it was , six countries announced that they closed their borders and airspace for Qatar, a country where I live. […]

The post What is happening to the World !! Shall we expect World War ? appeared first on Cisco Network Design and Architecture | CCDE Bootcamp | orhanergun.net.

Nvidia gets broad support for cutting-edge Volta GPUs in the data center

Data center workloads for AI, graphics rendering, high-performance computing and business intelligence are getting a boost as a Who's Who of the world's biggest server makers and cloud providers snap up Nvidia's Volta-based Tesla V100 GPU accelerators.Nvidia is rallying its entire ecosystem, including software makers, around the new Tesla V100s, effectively consolidating its dominance in GPUs for data centers.IBM, HPE, Dell EMC and Supermicro announced at the Strata Data Conference in New York Wednesday that they are or will be using the GPUs, which are now shipping. Earlier this week at Nvidia's GPU Technology Conference in Beijing, Lenovo, Huawei and Inspur said they would be using Nvidia's HGX reference architecture to offer Volta architecture-based systems for hyperscale data centers.To read this article in full or to leave a comment, please click here

Nvidia gets broad support for cutting-edge Volta GPUs in the data center

Data center workloads for AI, graphics rendering, high-performance computing and business intelligence are getting a boost as a Who's Who of the world's biggest server makers and cloud providers snap up Nvidia's Volta-based Tesla V100 GPU accelerators.Nvidia is rallying its entire ecosystem, including software makers, around the new Tesla V100s, effectively consolidating its dominance in GPUs for data centers.IBM, HPE, Dell EMC and Supermicro announced at the Strata Data Conference in New York Wednesday that they are or will be using the GPUs, which are now shipping. Earlier this week at Nvidia's GPU Technology Conference in Beijing, Lenovo, Huawei and Inspur said they would be using Nvidia's HGX reference architecture to offer Volta architecture-based systems for hyperscale data centers.To read this article in full or to leave a comment, please click here

Volta GPU Accelerators Hit The Streets

Announcements of new iron are exciting, but it doesn’t get real until customers beyond the handful of elite early adopters can get their hands on the gear.

Nvidia launched its “Volta” Tesla V100 GPU accelerators back in May, meeting and in some important ways exceeding most of its performance goals, and has been shipping devices, both in PCI-Express and SXM2 form factors, for a few months. Now, the ramp of this complex processor and its packaging of stacked High Bandwidth Memory – HMB2 from Samsung, to be specific – is progressing and the server OEMs and ODMs of the

Volta GPU Accelerators Hit The Streets was written by Timothy Prickett Morgan at The Next Platform.

BrandPost: Four Ways To Bridge The Digital Talent Gap

Rapid technological development not only fuels business innovation, but also disrupts traditional business models. In order to keep pace with the latest technology trends, businesses must employ the right professionals who combine technology expertise with business acumen. Unfortunately, corporations often lack this kind of talent to help make the right technology decisions and avoid costly and potentially disastrous mistakes. According to the Global Knowledge 2017 IT Skills and Salary Report, there are significant skills shortages in key ICT sectors, such as, security and cloud computing. These findings highlight the difficulties that recruiters face in times where the demand for ICT talent far exceeds the supply. Scouting, recruiting and retaining talent in such a competitive environment is a challenge; however, the criticality of it calls for a contingency plan to build a pipeline of professionals that can boost the future of businesses and the economy in the digital age.To read this article in full or to leave a comment, please click here

Can IoT platforms from Apple, Google and Samsung make home automation systems more secure?

In August 2017, a new botnet called WireX appeared and began causing damage by launching significant DDoS attacks. The botnet counted tens of thousands of nodes, most of which appeared to be hacked Android mobile devices.

There are a few important aspects of this story.

First, tracking the botnet down and mitigating its activities was part of a wide collaborative effort by several tech companies. Researchers from Akamai, Cloudflare, Flashpoint, Google, Oracle Dyn, RiskIQ, Team Cymru, and other organizations cooperated to combat this botnet. This is a great example of Collaborative Security in practice.

Second, while researchers shared the data, analysed the signatures, and were able to track a set of malware apps, Google played an important role in cleaning them up from the Play Store and infected devices.

Its Verify Apps is a cloud-based service that proactively checks every application prior to install to determine if the application is potentially harmful, and subsequently rechecks devices regularly to help ensure they’re safe. Verify Apps checks more than 6 billion instances of installed applications and scans around 400 million devices per day.

In the case of WireX, the apps had previously passed the checks. But thanks to the researcher’s findings, Google Continue reading

Out of the Section 230 Weeds: Internet Publisher-Providers

On Tuesday, the U.S. Congress continued to grapple with the potential implications of the Stop Enabling Sex Traffickers Act (SESTA). SESTA would carve out an exception to Section 230 of the 1996 Communications Decency Act, which is considered a bedrock upon which the modern Internet has flourished. If SESTA became law, websites that host ads for sex with children would be not be immune from state prosecutions and private lawsuits [although under 320(c)(1), websites are already subject to federal criminal law statutes].

Section 230 of the Communications Decency Act (c)(1) states, “No provider or user of an interactive computer service shall be treated as the publisher or speaker of any information provided by another information content provider.” 230(c)(2) protects actors who proactively block and screen for offensive material. These provisions have allowed the Internet to grow and develop without the threat of lawsuits smothering its potential. If the websites of 1990 had been liable for everything their users posted, the Internet would look very different today.

Since 1996, the Internet has dramatically changed in ways unanticipated by the Communications Decency Act. The Internet provides the platform to publish material that can reach enormous numbers of people around Continue reading

Browser hacking for 280 character tweets

Twitter has raised the limit to 280 characters for a select number of people. However, they left open a hole, allowing anybody to make large tweets with a little bit of hacking. The hacking skills needed are basic hacking skills, which I thought I'd write up in a blog post.


Specifically, the skills you will exercise are:

  • basic command-line shell
  • basic HTTP requests
  • basic browser DOM editing

The short instructions

The basic instructions were found in tweets like the following:

These instructions are clear to the average hacker, but of course, a bit difficult for those learning hacking, hence this post.

The command-line

The basics of most hacking start with knowledge of the command-line. This is the "Terminal" app under macOS or cmd.exe under Windows. Almost always when you see hacking dramatized in the movies, they are using the command-line.

1 1,881 1,882 1,883 1,884 1,885 3,836