HTTP/2 is here! Goodbye SPDY? Not quite yet

Why choose, if you can have both? Today CloudFlare is introducing HTTP/2 support for all customers using SSL/TLS connections, while still supporting SPDY. There is no need to make a decision between SPDY or HTTP/2. Both are automatically there for you and your customers.

Enabling HTTP/2

If you are a customer on the Free or Pro plan, there is no need to do anything at all. Both SPDY and HTTP/2 are already enabled for you. With this improvement, your website’s audience will always use the fastest protocol version when accessing your site over TLS/SSL.

Customers on Business and Enterprise plans may enable HTTP/2 within the "Network" application of the CloudFlare Dashboard.

Enabling HTTP/2 in the CloudFlare dashboard

HTTP/2 is here!

In February of 2015, the IETF’s steering group for publication as standards-track RFCs approved the HTTP/2 and associated HPACK specifications.

After more than 15 years, the Hypertext Transfer Protocol (HTTP) received a long-overdue upgrade. HTTP/2 is largely based on Google's experimental SPDY protocol, which was first announced in November 2009 as an internal project to increase the speed of the web.

Benefits of HTTP/2 and SPDY

The main focus of both SPDY and HTTP/2 is on performance, especially latency as perceived by the end-user while using Continue reading

New legislation aims at stalling NSA reform

A new bill introduced in the Senate aims to let the U.S. National Security Agency hold on for five years to phone records collected by the agency, while also making permanent some anti-terrorist provisions that have been criticized by civil rights groups.Senator Tom Cotton, a Republican from Arkansas, said Wednesday he would introduce the "Liberty Through Strength Act II" to require the federal government to hold on to the legacy phone metadata of Americans for five years and authorize its use for queries.INSIDER: Traditional anti-virus is dead: Long live the new and improved AV The Senator introduced last month legislation, also called the Liberty Through Strength Act, that would delay the end of the bulk collection of phone metadata of Americans by the NSA to Jan. 31, 2017, in the wake of security concerns after the terror attacks in Paris. The bill was introduced a little before the Thanksgiving break.To read this article in full or to leave a comment, please click here

DDoS attacks are more than disruptions to service

Distributed denial-of-service attacks have increased in complexity so that they are no longer just an annoyance causing a disruption in service. Criminals are using these attacks as a distraction while targeting sensitive data, leaving enterprises to pay for lost business and breach recovery.Any conversation that involved breaches this year included the statement, “It’s not if but when.” The expectation has become, as IDC’s Christina Richmond, program director, security services, said, “Breach is a foregone conclusion.”For many companies, the attacks are frequent and more advanced. Richmond said, "Distributed-denial-of-service attacks are no longer an isolated event. Sophisticated attacks hit companies of all sizes, in all industries.”To read this article in full or to leave a comment, please click here

Why Electronic Health Records aren’t more usable

Federal government incentives worth about $30 billion have persuaded the majority of physicians and hospitals to adopt electronic health record (EHR) systems over the past few years. However, most physicians do not find EHRs easy to use. Physicians often have difficulty entering structured data in EHRs, especially during patient encounters. The records are hard to read because they're full of irrelevant boilerplates generated by the software and lack individualized information about the patient. Alerts frequently fire for inconsequential reasons, leading to alert fatigue. EHRs from different vendors are not interoperable with each other, making it impossible to exchange information without expensive interfaces or the use of secure messaging systems. To read this article in full or to leave a comment, please click here

Searching for routes with non-IP address next-hops

I am searching in a series of large Redback config files for certain things, and I’m beginning to find Regex and Atom really powerful for this.  The files are sometimes 20,000 lines long, and there are over 100 of them.

Of course I should script this, and someone more script savvy than me would do that in a trice, but I’ve come up with a part manual solution.  Perhaps I will build it into a script later.

What I need to do is search each file for any ‘ip route’ commands that have a named interface as a next-hop rather than an IP address.   So to do this, I am doing inverse-matching on four sets of numbers separated by dots.

I also need to exclude the keyword ‘context’ and the interface ‘null0’. This took me a while to figure out.

Here’s my pattern match:

ip route [0-9]+.[0-9]+.[0-9]+.[0-9]+/[0-9]+ (?![0-9]+.[0-9]+.[0-9]+.[0-9]+|context|null0)

This matches the string:

 ip route 172.21.0.0/16 MADEUPINTERFACE

But not:

 ip route 172.16.4.0/24 10.0.0.1

The expression is not very accurate, since it could match IP addresses like 999.999.999.999, but that does not matter in Continue reading

Hosted bare metal emerges as alternative to IaaS cloud

AppLovin is a 4-year old marketing platform that places advertisements in mobile apps. And it’s a data-intensive business to say the least.When AppLovin learns of an advertising opportunity in an app, the company has 100 milliseconds to decide if it will bid on the spot in a real-time auction. If it wins the bid, it consults a database storing billions of user preferences to serve an ad personalized to that user. AppLovin processes about 30 billion to 50 billion actions per day, all of which need to happen in millisecond timeframes and on a global basis.The company started as a customer of Amazon Web Services' IaaS public cloud. But in the past few years CTO John Krystynak – an early VMware employee - has moved AppLovin’s operations to another platform: Hosted bare metal infrastructure.To read this article in full or to leave a comment, please click here

Sometimes It’s Not the Network

Marek Majkowski published an awesome real-life story on CloudFlare blog: users experienced occasional short-term sluggish performance and while everything pointed to a network problem, it turned out to be a garbage collection problem in Linux kernel.

Takeaway: It might not be the network's fault.

Also: How many people would be able to troubleshoot that problem and fix it? Technology is becoming way too complex, and I don’t think software-defined-whatever is the answer.

US, China take first steps toward cybersecurity cooperation

The U.S. and China have reached an agreement on how to begin cooperating on cybersecurity, an issue that has caused high tension between the two nations over the last few years.The agreement, reached in the first high-level meeting of its kind, calls for guidelines on sharing computer security information, a hotline to discuss issues, a so-called tabletop cybersecurity exercise and further dialog on concerns such as the theft of trade secrets. The U.S. and China have had a combative relationship on cybersecurity, which escalated in 2010 when Google directly accused China-based hackers of stealing its intellectual property.To read this article in full or to leave a comment, please click here

Encrypted messaging app Signal available for desktops

The much-lauded encryption app Signal has launched a beta program for a desktop version of the app, which will run through Google's Chrome browser.Signal Desktop is Chrome app that will sync messages transmitted between it and an Android device, wrote Moxie Marlinspike, a cryptography expert who had helped develop Signal, in a blog post on Wednesday.The app comes from Open Whisper Systems, which developed Signal's predecessors, Redphone and TextSecure, which were two Android applications that encrypt calls and messages. Both have been consolidated into Signal.Signal Desktop won't be able to sync messages with iPhone just yet, although there are plans for iOS compatibility, Marlinspike wrote. It also won't support voice initially.To read this article in full or to leave a comment, please click here

Interface naming in Linux – Choose the name you want for your interfaces using udev

Have you tried the recent CentOS7.X flavor or the latest of the Redhat versions? If you have then you would have noticed the change in nomenclature of network interfaces. While the traditional approach was to use "eth" shortened from "Ethernet" as a precursor word followed by a sequence of numbers starting at 0 to name network interfaces in a system and now from the v197 scheme we have the udev rules choose names automatically for interfaces using naming schemes dependent on either the firmware/BIOS indexes for on board NICs or slot numbers for add-on nics or the mac of the nic or the physical/geo location.
Although this intuitively sounds complicated it makes life much more easier and reliable. The older scheme worked in a way that could make naming unpredictable. When a nic interface driver gets initialized udev allocates the next available number to that nic and if a host has more than one nic card (either on board or external-extended) there is a possibility of the driver load order to change thus changing the name for the NICs. A power user could add rules to udev scripts to fix a name for a particular mac address in order Continue reading

Why “Force Awakens” will suck

JJ Abram’s movie “Super 8” is an underrated masterpiece. It leads me to believe that he actually “gets it”. But then, everything else JJ has done convinces me he really doesn’t. He destroyed Star Trek, and I’m convinced he’ll do the same to Star Wars. I thought I’d list the things he almost certainly gets wrong in the “Star Wars: Force Awakens” movie.

The movie hangs on spoilers

The original Star Wars was known for the way that people repeatedly saw it in theatres. There were no spoilers. Sure, they blow up the Death Star, but knowing this ahead of time detracts not a whit from the movie. In Episode I, most of us know that Palpatine is the Emperor. Knowing this spoiler doesn’t detract from the movie, but adds to it. Sure, the original series had the “Luke I am your father” spoiler, but knowing that ahead of time detracts nothing from the movies.

But JJ loves the big reveal. It’s like Lost, where season after season we didn’t know what was going on. Worse yet, it’s like his second Star Trek movie, where we weren’t supposed to know it was really Khan. It Continue reading

Dropbox to add European data storage next year

Dropbox on Wednesday became the latest major cloud provider to announce new storage options in the European Union.Not only will the San Francisco-based company add two new European offices next year to its current roster of three, but it will also build new infrastructure for storing data within the EU.Customer requirements in the region have evolved, explained Thomas Hansen, the company's global vice president of sales and channel, in a post on the Dropbox for Business blog."This will not only build on the technical lead we have over competitors," Hansen wrote, but "will also give our customers more options about where their data is stored."To read this article in full or to leave a comment, please click here

DDoS Blackhole

DDoS Blackhole has been released on GitHub, https://github.com/sflow-rt/ddos-blackhole. The application detects Distributed Denial of Service (DDoS) flood attacks in real-time and can automatically install a null / blackhole route to drop the attack traffic and maintain Internet connectivity. See DDoS for additional background.

The screen capture above shows a simulated DNS amplification attack. The Top Targets chart is a real-time view of external traffic to on-site IP addresses. The red line indicates the threshold that has been set at 10,000 packets per second and it is clear that traffic to address 192.168.151.4 exceeds the threshold. The Top Protocols chart below shows that the increase in traffic is predominantly DNS. The Controls chart shows that a control was added the instant the traffic crossed the threshold.
The Controls tab shows a table of the currently active controls. In this case, the controller is running in Manual mode and is listed with a pending status as it awaits manual confirmation (which is why the attack traffic persists in the Charts page). Clicking on the entry brings up a form that can be used to apply the control.
The chart above from the DDoS article shows an actual attack Continue reading
1 3,172 3,173 3,174 3,175 3,176 3,785