400Gbps: Winter of Whopping Weekend DDoS Attacks

Over the last month, we’ve been watching some of the largest distributed denial of service (DDoS) attacks ever seen unfold. As CloudFlare has grown we've brought on line systems capable of absorbing and accurately measuring attacks. Since we don't need to resort to crude techniques to block traffic we can measure and filter attacks with accuracy. Our systems sort bad packets from good, keep websites online and keep track of attack packet rates and bits per second.

The current spate of large attacks are all layer 3 (L3) DDoS. Layer 3 attacks consist of a large volume of packets hitting the target network, and the aim is usually to overwhelm the target network hardware or connectivity.

L3 attacks are dangerous because most of the time the only solution is to acquire large network capacity and buy beefy networking hardware, which is simply not an option for most independent website operators. Or, faced with huge packet rates, some providers simply turn off connections or entirely block IP addresses.

A Typical Day At CloudFlare

Historically, L3 attacks were the biggest headache for CloudFlare. Over the last two years, we’ve automated almost all of our L3 attack handling and these automatic systems protect Continue reading

An open letter to Sec. Ashton Carter

Hi.

For security research, I regularly "mass scan" the entire Internet. For example, my latest scan shows between 250,000 and 300,000 devices still vulnerable to Heartbleed. This is legal. This is necessary security research. Yet, I still happily remove those who complain and want me to stop scanning them.

The Department of Defense didn't merely complain, but made threats, forcing me to stop scanning them. You guys were quite nasty about it, forcing me to figure out for myself which address ranges belong to the DoD.

These threats are likely standard procedure at the DoD, investigating every major source of scans and shutting down those you might have power over. But the effect of this is typical government corruption, preventing me from reporting the embarrassing detail of how many DoD systems are still vulnerable to Heartbleed (but without stopping the Chinese or Russians from knowing this detail).

Please remove your threats, so that I can scan the DoD in the same way I scan the rest of the Internet. This weekend I'll be scanning the Internet for system susceptible to the DROWN attack. I would like to include DoD in those scans.

I write to you now because you are Continue reading

Cisco Enterprise NFV, DNA, IWAN and a bunch of other acronyms

So Cisco had some big announcements today. Cisco Digital Network Architecture (DNA).  Ohhh, sounds fancy. Let me put on something a little more formal before I get too involved in the post. So what are all these awesome acronyms, you may be wondering? Well basically we start with DNA, which is the overall ecosystem that […]

The post Cisco Enterprise NFV, DNA, IWAN and a bunch of other acronyms appeared first on Packet Pushers.

Cisco Enterprise NFV, DNA, IWAN and a bunch of other acronyms

So Cisco had some big announcements today. Cisco Digital Network Architecture (DNA).  Ohhh, sounds fancy. Let me put on something a little more formal before I get too involved in the post. So what are all these awesome acronyms, you may be wondering? Well basically we start with DNA, which is the overall ecosystem that […]

The post Cisco Enterprise NFV, DNA, IWAN and a bunch of other acronyms appeared first on Packet Pushers.

Latest attack against TLS shows the pitfalls of intentionally weakening encryption

For the third time in less than a year, security researchers have found a method to attack encrypted Web communications, a direct result of weaknesses that were mandated two decades ago by the U.S. government.These new attacks show the dangers of deliberately weakening security protocols by introducing backdoors or other access mechanisms like those that law enforcement agencies and the intelligence community are calling for today.The field of cryptography escaped the military domain in the 1970s and reached the general public through the works of pioneers like Whitfield Diffie and Martin Hellman, and ever since, the government has tried to keep it under control and limit its usefulness in one way or another.To read this article in full or to leave a comment, please click here

The IoT liability jumble

The Internet of Things (IoT) is disrupting just about every industry. But it may get disrupted itself as the nation’s legal and regulatory system slowly catches up with the massive security and privacy risks it creates. Not anytime soon, however. “Work in progress” was the operative phrase at a panel session at this week’s RSA conference titled, “Flaming toasters to crashing cars – the Internet of Things and mass liability.” Most of the problem with establishing legal liability surrounding the IoT is that while its growth is regularly called “explosive,” there is a lot more, and bigger, exploding yet to come. The number of connected things is expected to expand so exponentially that one of the panelists, Jay Brudz, an attorney at Drinker Biddle & Reath, declared that “Internet of Things” is already a “dumb phrase. In years to come, it’s going to be everything but computers with a human interface, so it’s just going to be the Internet,” he said.To read this article in full or to leave a comment, please click here

Energy Dept. sets 9 finalists for $2.25M wave energy prize

The US Department of Energy said it has whittled 92 teams down to 9 finalists for its competition that aims to double the current amount of energy captured from ocean waves.Each of the finalists in the Wave Energy Prize and two alternates will now receive seed DOE funding to develop a 1/20th-scale model of their deep water wave energy converter (WEC) devices. The final round of testing will take place this summer at the nation's most advanced wave-making facility—the Naval Surface Warfare Center's Maneuvering and Seakeeping Basin in Carderock, Maryland.To read this article in full or to leave a comment, please click here

Energy Dept. sets 9 finalists for $2.25M wave energy prize

The US Department of Energy said it has whittled 92 teams down to 9 finalists for its competition that aims to double the current amount of energy captured from ocean waves.Each of the finalists in the Wave Energy Prize and two alternates will now receive seed DOE funding to develop a 1/20th-scale model of their deep water wave energy converter (WEC) devices. The final round of testing will take place this summer at the nation's most advanced wave-making facility—the Naval Surface Warfare Center's Maneuvering and Seakeeping Basin in Carderock, Maryland.To read this article in full or to leave a comment, please click here

Arrest of Facebook exec, now freed, stirs debate in Brazil

The arrest of Diego Dzodan, the vice president of Facebook for Latin America, by Brazilian federal police in Sao Paulo has stirred up controversy in the country.The executive was arrested on Tuesday morning after Facebook, the parent company of WhatsApp, declined to follow the orders of a court in the state of Sergipe to turn over information on application usage by people accused of drug trafficking.After the arrest, the company filed a habeas corpus petition that was reviewed and granted by a judge in the highest state court in Sergipe early Wednesday, leading to Dzodan’s release, according to local media.The police, however, acted appropriately in the case, according to Frederico Meinberg Ceroy, the president of the Brazilian Digital Law Institute. Facebook and WhatsApp, which has no official representation in the country, are the only two large technology companies that do not cooperate with law enforcement in Brazil in such cases, he pointed out.To read this article in full or to leave a comment, please click here

Key database considerations for hybrid cloud

This vendor-written tech primer has been edited by Network World to eliminate product promotion, but readers should note it will likely favor the submitter’s approach.

Hybrid cloud implementations are becoming standard for companies building next-generation cloud applications, but their adoption raises questions about how to run and manage database operations that support both environments.

While hybrid cloud allows IT to expand infrastructure resources only when required (i.e. ‘bursting’), improves disaster prevention, and makes it possible to offload some hardware and operational responsibility and associated costs to others, database issues to consider include:

To read this article in full or to leave a comment, please click here

RSA: Geolocation shows just how dead privacy is

A regular refrain within the online security community is that privacy is dead. David Adler’s talk at RSA Tuesday, titled “Where you are is who you are: Legal trends in geolocation privacy and security,” was about one of the major reasons it is so, so dead. To paraphrase Adler, founder of the Adler Law Group, it is not so much that in today’s connected world there is a single, malevolent Big Brother watching you. It’s that there are dozens, perhaps hundreds, of “little brothers” eagerly watching you so they can sell you stuff more effectively. Collectively, they add up to an increasingly omniscient big brother. “Everything is gathering location data – apps, mobile devices and platforms that you use,” he said. “Often it is being done without your knowledge or consent.To read this article in full or to leave a comment, please click here

Scientists working to create book-sized living, breathing supercomputers

If you want to change the world, it might not occur to you to start by getting drunk. At least that’s how it happened for an idea that led to a tiny biological computer which will reportedly be morphed into a “living, breathing supercomputer” about the size of a book.“We’ve managed to create a very complex network in a very small area,” said McGill University’s Dan Nicolau, Chair of the Department of Bioengineering. “This started as a back of an envelope idea, after too much rum I think, with drawings of what looked like small worms exploring mazes.”To read this article in full or to leave a comment, please click here

Slicing and Dicing Flooding Domains (1)

This week two different folks have asked me about when and where I would split up a flooding domain (IS-IS) or area (OSPF); I figured a question asked twice in one week is worth a blog post, so here we are…

Before I start on the technical reasons, I’m going to say something that might surprise long time readers: there is rarely any technical reason to split a single flooding domain into multiple flooding domains. That said, I’ll go through the technical reasons anyway.

There are really three things to think about when considering how a flooding domain is performing:

  • SPF run time
  • flooding frequency
  • LSDB size

design-files
Let’s look at the third issue first, the database size. This is theoretically an issue, but it’s really only an issue if you have a lot of nodes and routes. I can’t ever recall bumping up against this problem, but what if I did? I’d start by taking the transit links out of the database entirely—for instance, by configuring all the interfaces that face actual host devices as passive interfaces (which you should be doing anyway!), and configuring IS-IS to advertise just the passive interfaces. You can pull similar tricks in OSPF. Continue reading

IDG Contributor Network: Microsoft defends PCs, post network penetration

This week at the RSA security conference, Microsoft announced the succinctly named Windows Defender Advanced Threat Detection product. The solutions (which really needs a better or at least shorter name) is focused on helping an organization's IT department detect threats to Windows 10 machines after the perimeter network has been penetrated. This is an important and pragmatic recognition of the fact that despite most solutions focusing on perimeter security, sometimes the outside line gets broken and hackers find a way in.To read this article in full or to leave a comment, please click here

Cisco Engineers Enterprise Genome for Software

 SAN DIEGO – Cisco this week introduced a software-driven architecture designed to extend policy throughout an enterprise wired and wireless network, from branch to edge to core.Cisco’s Digital Network Architecture (DNA) is a blueprint for building an enterprise network with virtualization, automation, analytics, cloud service management and programmability for ease of operation and management. It is delivered through Cisco ONE software licensing on a variety of Cisco platforms, and is anchored by the company’s APIC-Enterprise Module SDN controller, which has been slow to emerge from development and trials.To read this article in full or to leave a comment, please click here

Malice or Stupidity or Inattention? Using Code Reviews to Find Backdoors

The temptation to put a backdoor into a product is almost overwhelming. It’s just so dang convenient. You can go into any office, any lab, any customer site and get your work done. No hassles with getting passwords or clearances. You can just solve problems. You can log into any machine and look at logs, probe the box, issue commands, and debug any problem. This is very attractive to programmers.

I’ve been involved in several command line interfaces to embedded products and though the temptation to put in a backdoor has been great, I never did it, but I understand those who have.

There’s another source of backdoors: infiltration by an attacker.

We’ve seen a number of backdoors hidden in code bases you would not expect. Juniper Networks found two backdoors in its firewalls. Here’s Some Analysis of the Backdoored Backdoor. Here’s more information to reaffirm your lack of faith in humanity: NSA Helped British Spies Find Security Holes In Juniper Firewalls. And here are a A Few Thoughts on Cryptographic Engineering.

Juniper is not alone. Here’s a backdoor in AMX AV equipment. A Secret SSH backdoor in Fortinet hardware found in more products. There were Backdoors Found in Barracuda Continue reading

1 3,108 3,109 3,110 3,111 3,112 3,837