Happy 5th Birthday, CloudFlare!

CloudFlare customers recorded videos to celebrate our first five years

Today is September 27, 2015. It's a rare Super Blood Moon. And it's also CloudFlare's birthday. CloudFlare launched 5 years ago today. It was a Monday. While Michelle, Lee, and I had high expectations, we would never have imagined what's happened since then.

In the last five years we've stopped 7 trillion cyber attacks, saved more than 94,116 years worth of time, and served 99.4 trillion requests — nearly half of those in the last 6 months. You can learn more from this timeline of the last five years.

Celebrating by doing the impossible

CloudFlare's Network in China

Every year we like to celebrate our birthday by giving something seemingly impossible back to our users. Two years ago we enabled our Automatic IPv6 Gateway, allowing our users to support IPv6 without having to update their own servers. Last year we made Universal SSL available to all our customers, even those on our free plan. And this year we announced our expansion across Mainland China, building the first truly global performance and security platform.

Internet Summit & Party

We celebrated in San Francisco last week with CloudFlare's first Internet Summit

Could VW scandal lead to open-source software for better automobile cybersecurity?

Volkswagen's use of software that manipulated exhaust values to defeat emissions tests affects 11 million VW diesel cars built since 2008. A 2007 letter from VW parts supplier Bosch warned Volkswagen not to use the software in regular operation; in 2011, a Volkswagen technician raised concerns about the illegal practice in connection with emissions levels.

“We should be allowed to know how the things we buy work,” Eben Moglen, a Columbia University law professor and technologist, told the New York Times. “Let’s say everybody who bought a Volkswagen were guaranteed the right to read the source code of everything in the car. 99% of the buyers would never read anything, but out of the 11 million people whose car was cheating, one of them would have found it. And Volkswagen would have been caught in 2009, not 2015.”

Closing out Projects

We put a lot of energy into new projects. We argue about the design, we plan the cutover, we execute it…and then we move on. But decommissioning the old system is a critical part of any project. It’s not over until you’ve switched off the old system.

Years ago I was involved in the buildout of a new network. The new network was a thing of beauty. A clear design, the best equipment, redundant everything. It was replacing a legacy network, one that had grown organically.

The new network was built out. Late one night the key services were cut over, and things were looking good. Everyone was happy, and we had a big party to celebrate. The project group disbanded, and everyone moved on to other things. Since the project was closed out, funding & resources stopped. Success, right?

Except…the old equipment was still running. A handful of applications were left on the old network. Some annoying services used undocumented links between the networks. Even worse, disused WAN links were still in place, and still being billed for.

The problem was that the project was officially ‘over.’ Who’s responsible for finishing off that last bit of cleanup?

I’ve seen similar things in

Geek Joke of the Week

When encryption is outlawed, bayl bhgynjf jvyy unir rapelcgvba. If you don't get it or you have a better joke, drop me a note.

U.S.-China agreement on cyber espionage is a first step at best

Presidents Obama and Xi agree that the U.S. and China won’t steal corporate secrets from each other, but the wording is so full of loopholes that CISOs shouldn’t take much comfort in the pact for quite a while.

The agreement sets up high-level talks twice a year to deal with complaints each country has about whether the other is responding quickly and thoroughly to its claims of malicious cyber activity.

It also takes a run at corporate spying in particular: “[N]either country’s government will conduct or knowingly support cyber-enabled theft of intellectual property, including trade secrets or other confidential business information, with the intent of providing competitive advantages to companies or commercial sectors.”

Cisco DHCP client bummer

It looks to me like the Cisco IOS DHCP client mis-handles the DNS server option when it's working in a VRF.

I'm working on an IOS 15.4 router with an empty startup-config and only the following configuration applied:
interface FastEthernet4
 ip address dhcp
 no shutdown

debug dhcp detail produces the following when the DHCP lease is claimed:
Sep 25 19:48:23.316: DHCP: Received a BOOTREP pkt
Sep 25 19:48:23.316: DHCP: Scan: Message type: DHCP Offer
...
Sep 25 19:48:23.316: DHCP: Scan: DNS Name Server Option: 192.168.100.4

Indeed, we can resolve DNS. We can also see that the DNS server learned from DHCP has been configured (is there a better way to see this?):
lab-C881#ping google.com
Translating "google.com"...domain server (192.168.100.4) [OK]
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 205.158.11.53, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/8 ms
lab-C881#show hosts summary
Default domain is fragmentationneeded.net
Name/address lookup uses domain service
Name servers are 192.168.100.4
Cache entries: 5
Cache prune timeout: 50
lab-C881#

If I put the interface into a VRF,
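An added example, not from the post and not Cisco code: a Python decoder for the options area of a DHCP reply, which is where the "DNS Name Server Option" line in the debug output comes from. The offer packet is constructed inline (the addresses are placeholders chosen to match the post; the transaction ID and MAC are made up). On a router the useful comparison is between what the server actually offered, which a captured reply fed through decode_reply() shows, and what the client installed, which is what show hosts reports; when the interface sits in a VRF, the servers extracted here are the ones that should be used for that VRF's lookups.

```python
import struct
import ipaddress

# Option codes from RFC 2132 relevant to what the IOS client installs.
OPT_PAD, OPT_END = 0, 255
OPT_SUBNET, OPT_ROUTER, OPT_DNS, OPT_LEASE, OPT_MSGTYPE, OPT_SERVER_ID = 1, 3, 6, 51, 53, 54
MAGIC_COOKIE = b"\x63\x82\x53\x63"
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 4: "DECLINE",
             5: "ACK", 6: "NAK", 7: "RELEASE", 8: "INFORM"}


def parse_options(blob):
    """Walk the TLV options that follow the magic cookie. Returns {code: bytes}.
    Pad (0) has no length byte, End (255) stops the walk, and a length that
    runs past the buffer is rejected rather than silently truncated."""
    if not blob.startswith(MAGIC_COOKIE):
        raise ValueError("options area does not start with the DHCP magic cookie")
    opts = {}
    i = len(MAGIC_COOKIE)
    while i < len(blob):
        code = blob[i]
        if code == OPT_PAD:
            i += 1
            continue
        if code == OPT_END:
            break
        if i + 1 >= len(blob):
            raise ValueError("option %d has no length byte" % code)
        length = blob[i + 1]
        value = blob[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("option %d claims %d bytes, only %d present" % (code, length, len(value)))
        opts[code] = opts.get(code, b"") + value  # repeated codes concatenate (RFC 3396)
        i += 2 + length
    return opts


def options_well_formed(blob):
    """True if parse_options() accepts the buffer; use it to drop damaged replies."""
    try:
        parse_options(blob)
        return True
    except ValueError:
        return False


def ip_list(value):
    """Decode an option value holding N IPv4 addresses (4 bytes each)."""
    if len(value) % 4:
        raise ValueError("address list is not a multiple of 4 bytes")
    return [str(ipaddress.IPv4Address(value[j:j + 4])) for j in range(0, len(value), 4)]


def decode_reply(packet):
    """Decode a BOOTREPLY into the fields 'debug dhcp detail' prints for an offer."""
    if len(packet) < 240:
        raise ValueError("packet shorter than the 236-byte BOOTP header plus cookie")
    op, _htype, _hlen, _hops, xid, _secs, _flags = struct.unpack("!BBBBIHH", packet[:12])
    yiaddr = str(ipaddress.IPv4Address(packet[16:20]))
    opts = parse_options(packet[236:])
    msgtype = opts.get(OPT_MSGTYPE, b"\x00")[0]
    return {
        "bootp_op": "BOOTREPLY" if op == 2 else "BOOTREQUEST",
        "message_type": MSG_TYPES.get(msgtype, "unknown(%d)" % msgtype),
        "xid": xid,
        "your_ip": yiaddr,
        "server_id": ip_list(opts[OPT_SERVER_ID])[0] if OPT_SERVER_ID in opts else None,
        "subnet_mask": ip_list(opts[OPT_SUBNET])[0] if OPT_SUBNET in opts else None,
        "routers": ip_list(opts.get(OPT_ROUTER, b"")),
        "dns_servers": ip_list(opts.get(OPT_DNS, b"")),
        "lease_seconds": struct.unpack("!I", opts[OPT_LEASE])[0] if OPT_LEASE in opts else None,
    }


def build_offer(xid, your_ip, server_ip, dns_ips, lease=86400):
    """Constructed DHCPOFFER for the demo (not a capture from the post)."""
    def opt(code, value):
        return bytes([code, len(value)]) + value
    hdr = struct.pack("!BBBBIHH", 2, 1, 6, 0, xid, 0, 0)      # op=BOOTREPLY, htype=Ethernet
    hdr += b"\x00" * 4                                         # ciaddr
    hdr += ipaddress.IPv4Address(your_ip).packed               # yiaddr
    hdr += ipaddress.IPv4Address(server_ip).packed             # siaddr
    hdr += b"\x00" * 4                                         # giaddr
    hdr += bytes.fromhex("0011223344aa") + b"\x00" * 10        # chaddr, padded to 16 bytes
    hdr += b"\x00" * 192                                       # sname (64) + file (128)
    opts = MAGIC_COOKIE
    opts += opt(OPT_MSGTYPE, b"\x02")
    opts += opt(OPT_SERVER_ID, ipaddress.IPv4Address(server_ip).packed)
    opts += opt(OPT_LEASE, struct.pack("!I", lease))
    opts += opt(OPT_SUBNET, ipaddress.IPv4Address("255.255.255.0").packed)
    opts += opt(OPT_ROUTER, ipaddress.IPv4Address(server_ip).packed)
    opts += opt(OPT_DNS, b"".join(ipaddress.IPv4Address(d).packed for d in dns_ips))
    return hdr + opts + bytes([OPT_PAD, OPT_END])


if __name__ == "__main__":
    offer = build_offer(0x3903F326, "192.168.100.77", "192.168.100.1", ["192.168.100.4"])
    for key, val in decode_reply(offer).items():
        print("%-14s %s" % (key, val))
```

To use it against a real lease, dump the UDP payload of the server's reply (port 67 to 68) from a capture and pass the bytes to decode_reply(); the dns_servers list is what the client was told, whichever VRF it ends up installing them in.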

Nasty Multicast VSS bug on Catalyst 4500-X

I ran into an “exciting” bug yesterday. It was seen in a 4500-X VSS pair running 3.7.0 code. When there has been a switchover, meaning that the secondary switch became active, there is a risk that state is not properly synced between the two switches. What we saw was that the VSS pair was “eating” multicast packets, essentially black-holing them: any multicast that came into the pair was not forwarded even though the Outgoing Interface List (OIL) had been built correctly. Everything else looked normal: PIM neighbors were up, OILs were good (except no S,G), routes were present, the RPF check was passing and so on.

It turns out this is a known bug, CSCus13479, which requires a CCO login to view. It is triggered when PIM runs over port-channels. To check whether a VLAN has been misprogrammed, run the following command (on a VSS pair it executes on both members):

hrn3-4500x-vss-01#sh platfo hardware rxvlan-map-table vl 200 <<< Ingress port

Executing the command on VSS member switch role = VSS Active, id = 1

Vlan 200:
l2LookupId: 200
srcMissIgnored: 0
ipv4UnicastEn: 1
ipv4MulticastEn: 1 <<<<<
ipv6UnicastEn: 0
ipv6MulticastEn: 0
mplsUnicastEn: 0
mplsMulticastEn: 0
privateVlanMode: Normal
ipv4UcastRpfMode: None
ipv6UcastRpfMode: None
routingTableId: 1
rpSet: 0
flcIpLookupKeyType: IpForUcastAndMcast
flcOtherL3LookupKeyTypeIndex: 0
vlanFlcKeyCtrlTableIndex: 0
vlanFlcCtrl: 0


Executing the command on VSS member switch role = VSS Standby, id = 2

Vlan 200:
l2LookupId: 200
srcMissIgnored: 0
ipv4UnicastEn: 1
ipv4MulticastEn: 0 <<<<<
ipv6UnicastEn: 0
ipv6MulticastEn: 0
mplsUnicastEn: 0
mplsMulticastEn: 0
privateVlanMode: Normal
ipv4UcastRpfMode: None
ipv6UcastRpfMode: None
routingTableId: 1
rpSet: 0
flcIpLookupKeyType: IpForUcastAndMcast
flcOtherL3LookupKeyTypeIndex: 0
vlanFlcKeyCtrlTableIndex: 0
vlanFlcCtrl: 0

From the output you can see that ipv4MulticastEn is set to 1 on one switch and 0 on the other. The state was not properly synced, or was somehow misprogrammed, which is what black-holes the multicast traffic. It was not an easy one to catch, so I hope this post helps someone.
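As an added example (not part of the post and not Cisco tooling), here is a Python script that parses the per-member output above and reports every field that differs between the VSS Active and VSS Standby members. The sample input is a trimmed copy of the post's output; the field names and the "role = ..., id = ..." banner are taken from it as-is, and the format is assumed to be the same for other VLANs. Feeding it the command output for each VLAN that carries multicast turns the eyeballing above into a check you can run after every switchover.

```python
import re

ROLE_RE = re.compile(r"role = (VSS \w+), id = (\d+)")
VLAN_RE = re.compile(r"^Vlan (\d+):\s*$")
FIELD_RE = re.compile(r"^\s*([A-Za-z0-9]+):\s*(\S+)")

# Trimmed copy of the output in the post, used here as sample input.
SAMPLE = """\
hrn3-4500x-vss-01#sh platfo hardware rxvlan-map-table vl 200

Executing the command on VSS member switch role = VSS Active, id = 1

Vlan 200:
l2LookupId: 200
ipv4UnicastEn: 1
ipv4MulticastEn: 1
ipv6UnicastEn: 0
routingTableId: 1
flcIpLookupKeyType: IpForUcastAndMcast

Executing the command on VSS member switch role = VSS Standby, id = 2

Vlan 200:
l2LookupId: 200
ipv4UnicastEn: 1
ipv4MulticastEn: 0
ipv6UnicastEn: 0
routingTableId: 1
flcIpLookupKeyType: IpForUcastAndMcast
"""


def parse_rxvlan_map(output):
    """Parse the per-member sections into {member: {vlan: {field: value}}}.
    The member key is built from the banner, e.g. 'VSS Active(1)'."""
    tables, member, vlan = {}, None, None
    for line in output.splitlines():
        m = ROLE_RE.search(line)
        if m:
            member = "%s(%s)" % (m.group(1), m.group(2))
            tables.setdefault(member, {})
            vlan = None
            continue
        m = VLAN_RE.match(line.strip())
        if m and member is not None:
            vlan = int(m.group(1))
            tables[member][vlan] = {}
            continue
        m = FIELD_RE.match(line)
        if m and member is not None and vlan is not None:
            tables[member][vlan][m.group(1)] = m.group(2)
    return tables


def find_mismatches(tables, fields=None):
    """Return [(vlan, field, {member: value})] for every field whose value is
    not identical across all members. A field present on one member and
    missing on another counts as a mismatch (value None). 'fields' narrows
    the comparison to the names given."""
    members = sorted(tables)
    if len(members) < 2:
        raise ValueError("need output from at least two VSS members, got %d" % len(members))
    vlans = set()
    for mb in members:
        vlans.update(tables[mb])
    out = []
    for vlan in sorted(vlans):
        names = set()
        for mb in members:
            names.update(tables[mb].get(vlan, {}))
        for name in sorted(names):
            if fields and name not in fields:
                continue
            values = {mb: tables[mb].get(vlan, {}).get(name) for mb in members}
            if len(set(values.values())) > 1:
                out.append((vlan, name, values))
    return out


def multicast_programming_ok(output):
    """The check for this particular bug: ipv4MulticastEn agrees on both members."""
    return not find_mismatches(parse_rxvlan_map(output), fields={"ipv4MulticastEn"})


if __name__ == "__main__":
    for vlan, field, values in find_mismatches(parse_rxvlan_map(SAMPLE)):
        print("vlan %d: %s differs: %s" % (vlan, field, values))
```

Comparing every field rather than only ipv4MulticastEn is deliberate: the post shows one symptom of a sync failure, and a parser that already has both members' tables can report any other field that drifted at the same time.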

This also shows that clustering always has drawbacks: weigh the risk of running systems as a cluster, where one bug can affect both devices, against running them stand-alone. There is always a tradeoff between complexity, topology and how the network can be designed, depending on your choice.

5 takeaways from Adobe Flash’s death march

Rumors of the demise of Flash have been greatly exaggerated, to paraphrase Mark Twain. The multimedia and software platform's days may well be numbered, but today it’s still alive, even if its kicks are not exactly vigorous.

It’s now five years since the late Steve Jobs published his famous Thoughts on Flash memo, in which he put the knife into Flash on the grounds that it was proprietary, unreliable and insecure, that it drains mobile device batteries, and that as a cross-platform development tool it leads developers to use only a lowest-common-denominator set of features.

It's certainly true that Flash has been plagued by security issues, prompting Mozilla to block Flash plugins in Firefox and Google to block most Flash content in its Chrome browser. Google also converts many Flash ads on its AdWords system into HTML5, and Amazon has stopped accepting Flash ads entirely.

British spies cast net to monitor every web surfer, leaked documents show

When British spies gave their Internet surveillance program the codename Karma Police they may have given away a little too much about its epic purpose: "To build a web-browsing profile for every visible user on the Internet."

The system ultimately gathered trillions of metadata records about Internet users' browsing habits.

In official documents obtained by The Intercept, the intent of Karma Police stands out alongside more cryptically named projects such as Moose Milk (using data mining to detect suspicious use of telephone kiosks) or Salty Otter (a technique for detecting when use of one medium, such as a telephone call, is used to trigger another, such as a chat service).

Mobile Ad Networks as DDoS Vectors: A Case Study

CloudFlare servers are constantly targeted by DDoS attacks. We see everything from attempted DNS reflection attacks to L7 HTTP floods involving large botnets.

Recently an unusual flood caught our attention. A site reliability engineer on call noticed a large number of HTTP requests being issued against one of our customers.

The request

Here is one of the requests:

POST /js/404.js HTTP/1.1  
Host: www.victim.com  
Connection: keep-alive  
Content-Length: 426  
Origin: http://attacksite.com  
User-Agent: Mozilla/5.0 (Linux; U; Android 4.4.4; zh-cn; MI 4LTE Build/KTU84P) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/42.0.0.0 Mobile Safari/537.36 XiaoMi/MiuiBrowser/2.1.1  
Content-Type: application/x-www-form-urlencoded  
Accept: */*  
Referer: http://attacksite.com/html/part/86.html  
Accept-Encoding: gzip, deflate  
Accept-Language: zh-CN,en-US;q=0.8

id=datadatadasssssssssssssssssssssssssssssssssssssssssssassssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssadatadata  

We received millions of similar requests, clearly suggesting a flood. Let's take a deeper look at this request.

First, let's note that the headers look legitimate. We often see floods issued by Python or Ruby scripts, with weird Accept-Language or User-Agent headers. But this one doesn't look like it. This request is a proper request issued by a real browser.

Next, notice the request is a POST and contains an Origin header — it was issued by an Ajax (XHR) cross
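As an added example (not CloudFlare's detection code), here is a Python triage for requests of the shape shown above. The attack sample is reconstructed from the request in the post with the body shortened, and a same-origin login POST is constructed for contrast; both are labelled as such in the code. Every signal it combines is visible in the request itself: a POST whose Origin differs from Host, a Referer on that same third-party origin (the page that embedded the script), a form-encoded POST aimed at a static asset, and a body that is hundreds of bytes of one repeated character. One caveat worth stating: a form-encoded POST is a CORS "simple request", so the browser sends it without a preflight; CORS only withholds the response from the calling script, and by then the origin server has already done the work.

```python
import math
from collections import Counter
from urllib.parse import urlsplit

STATIC_SUFFIXES = (".js", ".css", ".png", ".jpg", ".gif", ".ico")


def parse_request(raw):
    """Split one raw HTTP/1.x request into (method, path, headers, body).
    Header names are lower-cased; the body is whatever follows the blank line."""
    raw = raw.replace("\r\n", "\n")
    head, _, body = raw.partition("\n\n")
    lines = head.strip("\n").split("\n")
    method, path, _version = lines[0].split()
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body.strip()


def shannon_entropy(text):
    """Bits per character; a run of the same character scores near zero."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def score_request(raw):
    """Return (score, reasons). Each heuristic is one point; none is conclusive
    on its own, which is why they are combined before acting."""
    method, path, h, body = parse_request(raw)
    reasons = []
    host = h.get("host", "").split(":")[0].lower()
    origin_host = urlsplit(h.get("origin", "")).hostname
    referer_host = urlsplit(h.get("referer", "")).hostname
    cross_origin = bool(origin_host) and origin_host != host
    if method == "POST" and cross_origin:
        reasons.append("cross-origin POST from %s" % origin_host)
    if cross_origin and referer_host == origin_host:
        reasons.append("Referer is a page on that third-party origin (embedded content)")
    if (method == "POST" and path.lower().endswith(STATIC_SUFFIXES)
            and h.get("content-type", "").startswith("application/x-www-form-urlencoded")):
        reasons.append("form POST to a static asset %s" % path)
    ent = shannon_entropy(body)
    if len(body) >= 200 and ent < 1.5:
        reasons.append("padded low-entropy body (%.2f bits/char)" % ent)
    return len(reasons), reasons


def triage(raws, threshold=3):
    """Count requests at or above the threshold by Referer host, i.e. by the
    page carrying the ad or script that fired them."""
    by_page = Counter()
    for raw in raws:
        score, _ = score_request(raw)
        if score >= threshold:
            _, _, h, _ = parse_request(raw)
            by_page[urlsplit(h.get("referer", "")).hostname or "(none)"] += 1
    return by_page


# Constructed samples: ATTACK is modelled on the request in the post (body
# shortened); LEGIT is a made-up same-origin login for comparison.
ATTACK = (
    "POST /js/404.js HTTP/1.1\r\n"
    "Host: www.victim.com\r\n"
    "Origin: http://attacksite.com\r\n"
    "User-Agent: Mozilla/5.0 (Linux; U; Android 4.4.4; zh-cn; MI 4LTE Build/KTU84P) "
    "AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/42.0.0.0 Mobile Safari/537.36\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Referer: http://attacksite.com/html/part/86.html\r\n"
    "\r\n"
    "id=data" + "s" * 300 + "data"
)
LEGIT = (
    "POST /login HTTP/1.1\r\n"
    "Host: www.victim.com\r\n"
    "Origin: http://www.victim.com\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Referer: http://www.victim.com/login\r\n"
    "\r\n"
    "user=alice&password=correct-horse-battery-staple"
)

if __name__ == "__main__":
    for raw in (ATTACK, LEGIT):
        print(score_request(raw))
    print(triage([ATTACK] * 5 + [LEGIT]))
```

Grouping by Referer rather than by client IP or User-Agent is the point of triage(): the clients in a flood like this are real browsers on real phones with nothing in common except the page that served them the script, so that page is the key you rate-limit or challenge on.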

PlexxiPulse—The Key to Hyperconverged Success

Earlier this week, my colleague Bob Noel wrote a blog post on converged networking. As industry buzz surrounding hyperconvergence gets louder and louder, it is important to take into account the network that underpins the hyperconverged systems of tomorrow. Here at Plexxi we know that the network has to be more dynamic, innovative and agile to deliver on the promise of hyperconverged infrastructure, and we’re thrilled to be a part of the conversation and the solution. Take a look at Bob’s blog post to learn more about converged networks and why the network is so important for successful converged deployments.

Below please find a few of our top picks for our favorite news articles of the week. Enjoy!

CBR: What does hyper-converged infrastructure mean for the future of enterprise application delivery?
By Gary Newe
Hyper-convergence is an extension of a converged infrastructure, where compute, server, storage, networking resources and software are pooled together on commodity hardware. They are usually systems from separate companies but designed to work very well together. The benefits of this include massively simplified management, which makes things faster, more agile and more efficient. It’s one of the foundations of virtualisation, but hyper-convergence allows for even

Researchers tout technology to make electronics out of old tires

Researchers are working with a process that turns old tires – and there are some 300,000 tossed yearly – into electrodes for supercapacitors that would be used on the grid or in cars and other electronics applications.

The technology, developed at the Department of Energy’s Oak Ridge National Laboratory and Drexel University, produces carbon composite papers through a process described like this: “the researchers soaked crumbs of irregularly shaped tire rubber in concentrated sulfuric acid. They then washed the rubber and put it into a tubular furnace under a flowing nitrogen gas atmosphere. They gradually increased the temperature from 400 degrees Celsius to 1,100 degrees. After several additional steps, including mixing the material with potassium hydroxide and additional baking and washing with deionized water and oven drying, researchers have a material they could mix with polyaniline, an electrically conductive polymer, until they have a finished product.”
