DDoS detection and remediation with Akvorado and Flowspec

Akvorado collects sFlow and IPFIX flows, stores them in a ClickHouse database, and presents them in a web console. Although it lacks built-in DDoS detection, it’s possible to create one by crafting custom ClickHouse queries.

DDoS detection

Let’s assume we want to detect DDoS targeting our customers. As an example, we consider a DDoS attack as a collection of flows over one minute targeting a single customer IP address, from a single source port and matching one of these conditions:

  • an average bandwidth of 1 Gbps,
  • an average bandwidth of 200 Mbps when the protocol is UDP,
  • more than 20 source IP addresses and an average bandwidth of 100 Mbps, or
  • more than 10 source countries and an average bandwidth of 100 Mbps.

Here is the SQL query to detect such attacks over the last 5 minutes:

SELECT *
FROM (
  SELECT
    toStartOfMinute(TimeReceived) AS TimeReceived,
    DstAddr,
    SrcPort,
    dictGetOrDefault('protocols', 'name', Proto, '???') AS Proto,
    SUM(((((Bytes * SamplingRate) * 8) / 1000) / 1000) / 1000) / 60 AS Gbps,
    uniq(SrcAddr) AS sources,
    uniq Continue reading

netlab: Change Stub Networks into Loopbacks

One of the least-documented limitations of virtual networking labs is the number of network interfaces a virtual machine could have. vSphere supports up to 10 interfaces per VM, the default setting for vagrant-libvirt is eight, and I couldn’t find the exact numbers for KVM. Many vendors claim their KVM limit is around 25; I was able to bring up a Nexus 9300v device with 40 adapters.

Anyway, a dozen interfaces should be good enough if you’re building a proof-of-concept fabric, but it might get a bit tight if you want to emulate plenty of edge subnets.

Read more …

netlab: Change Stub Networks into Loopbacks

One of the least-documented limitations of virtual networking labs is the number of network interfaces a virtual machine could have. vSphere supports up to 10 interfaces per VM, the default setting for vagrant-libvirt is eight, and I couldn’t find the exact numbers for KVM. Many vendors claim their KVM limit is around 25; I was able to bring up a Nexus 9300v device with 40 adapters.

Anyway, a dozen interfaces should be good enough if you’re building a proof-of-concept fabric, but it might get a bit tight if you want to emulate plenty of edge subnets.

Read more …

Controversial Reads 030423


Privacy campaigners say such systems could be used as tools of oppression. In Moscow, Vyborov and countless others now face that oppression on a daily basis.


The general problem statement for technological standards is how to avoid the power imbalance of a single source for essential goods and services; in other words, standards are a line of defense against concentration risk. Interoperability is the goal, and multiple suppliers is the proof.


In this episode, they focus particularly on how social media has become a place where predators will search and highlight children’s vulnerabilities — which so many young people share online.


Tech policy, however, has its own set of “culture war issues” including net neutrality and encryption that largely serve as a distraction from the real issues at stake. Victims of child porn are now caught in the fray.


A major escalation in official online censorship regimes is progressing rapidly in Brazil, with implications for everyone in the democratic world. Under Brazil’s new government headed by President Lula da Silva, the country is poised to become the first in the democratic world to implement a law censoring and banning “fake news and disinformation” online, and then punishing those deemed Continue reading

Gravity Model

Motivation I recently read Google’s latest sigcomm paper: Jupiter Evolving on their Datacenter fabric evolution. It is an excellent paper with tons of good information, and the depth and width show what an engineering thought process should look like. The central theme talks about the challenges faced with deploying and scaling Clos fabrics and how they have evolved by replacing the spine layer with OCS that allows the blocks to be directly connected, calling it Direct connect topology.

Gravity Model

Motivation

I recently read Google’s latest sigcomm paper: Jupiter Evolving on their Datacenter fabric evolution. It is an excellent paper with tons of good information, and the depth and width show what an engineering thought process should look like. The central theme talks about the challenges faced with deploying and scaling Clos fabrics and how they have evolved by replacing the spine layer with OCS that allows the blocks to be directly connected, calling it Direct connect topology.

Clos and Direct Connect

If you look closely, the Direct Connect topology resembles Dragonfly+, where you have directly connected blocks.

Dragonfly+

The paper has many interesting topics, including Traffic and Topology Engineering and Traffic aware routing. One of the most exciting parts to me, which will be understandably missing, is the formulation of Traffic engineering problems as Optimization problems. I would love to see some pseudo-real-world code examples made publicly available.

However, one thing that surprised me the most was from a Traffic characteristics perspective, a Gravity model best described Google’s Inter-Block traffic. When I studied Gravity Model, I thought this was such a simplistic model that I would never see that in real life, but it turns out I was wrong, and it still has practical Continue reading

Datacenter System Makers Leary But Not Weary

The central banks of the world, led by the European Central Bank and the US Federal Reserve, want to curb inflation and they are willing to cause a small recession or at least get very close to one to shock us all into controlling the acquisitive habits we developed during the lockdowns of the early years of the coronavirus pandemic.

Datacenter System Makers Leary But Not Weary was written by Timothy Prickett Morgan at The Next Platform.

Heavy Networking 668: Inside A Virtualization Consultant’s Home Lab

On Heavy Networking today we look at a home lab running VMware products including NSX, as well as infrastructure-as-code products Terraform, Packer, and Ansible. These use cases create a different hardware demand than virtualized network operating system images. Guest Maarten Van Driessen explains it all, including how he saves money on lab gear.

The post Heavy Networking 668: Inside A Virtualization Consultant’s Home Lab appeared first on Packet Pushers.

Weekend Reads 030323

https://cacm.acm.org/magazines/2023/3/270206-a-turning-point-for-cyber-insurance/fulltext
Insuring against the consequences of cybersecurity seems too good to be true given the underlying problem has perplexed researchers and practitioners for going on 50 years.

https://cacm.acm.org/magazines/2023/3/270207-mapping-the-privacy-landscape-for-central-bank-digital-currencies/fulltext
Payment records paint a detailed picture of an individual’s behavior. They reveal wealth, health, and interests, but individuals do not want the burden of deciding which are sensitive or private.

https://cacm.acm.org/magazines/2023/3/270211-the-ai-tech-stack-model/fulltext
Presently, enterprises have implemented advanced artificial intelligence (AI) technologies to support business process automation (BPA), provide valuable data insights, and facilitate employee and customer engagement.

https://www.theregister.com/2023/02/22/google_milestone_quantum/
Google is claiming a new milestone on the road to fault-tolerant quantum computers with a demonstration that a key error correction method that groups multiple qubits into logical qubits can deliver lower error rates, paving the way for quantum systems that can scale reliably.

https://telecoms.com/520115/mwc-2023-whats-the-point-of-5g/
Four years into the 5G era, the technology is still struggling to find an identity. 3G was about the introduction of mobile data, which matured in the form of 4G, but what is 5G all about?

https://www.theregister.com/2023/02/24/europe_gigabit_transformation_consultation/
The European Union yesterday decided it’s time to start “laying the ground for the transformation of the connectivity sector” in the region Continue reading

Ansible Limit When Using Netbox as Inventory

I’m currently using Ansible to template a large and growing number of devices for an ISP that I’m working for. The last part of the process is to use Netbox as a source of truth to write the configs using Jinja2 templates. The work is done as part of a CI/CD pipeline, and runs on a specific Gitlab Runner instance – finally the config is pre-staged onto the device’s filesystem to be checked by a engineer before deployment.

I’ve been finding the growing list of hosts a bit hard work, and, seemingly undocumented in the Netbox docs is how to put a site-specific limit on the playbook run. This is easily done in regular Ansible by using .ini-style host file groups like this:

[siteA]
sitea-router001
sitea-router002

[siteB]
siteb-router001
siteb-router002

You can then do ‘ansible-playbook -l siteB’ to restrict what gets generated. How you do this when Netbox is the source of inventory is less clear.

It turns out that sites are pre-pended in Netbox with the string ‘sites_’. So, in your dynamic inventory file (in my case, called nb-inventory.yml) you need to tell it to group hosts by site by including the sites keyword under the group_by section:

plugin:  Continue reading

How Cloudflare runs Prometheus at scale

How Cloudflare runs Prometheus at scale
How Cloudflare runs Prometheus at scale

We use Prometheus to gain insight into all the different pieces of hardware and software that make up our global network. Prometheus allows us to measure health & performance over time and, if there’s anything wrong with any service, let our team know before it becomes a problem.

At the moment of writing this post we run 916 Prometheus instances with a total of around 4.9 billion time series. Here’s a screenshot that shows exact numbers:

How Cloudflare runs Prometheus at scale

That’s an average of around 5 million time series per instance, but in reality we have a mixture of very tiny and very large instances, with the biggest instances storing around 30 million time series each.

Operating such a large Prometheus deployment doesn’t come without challenges. In this blog post we’ll cover some of the issues one might encounter when trying to collect many millions of time series per Prometheus instance.

Metrics cardinality

One of the first problems you’re likely to hear about when you start running your own Prometheus instances is cardinality, with the most dramatic cases of this problem being referred to as “cardinality explosion”.

So let’s start by looking at what cardinality means from Prometheus' perspective, when it can Continue reading

Video: Getting Started with netlab

After explaining how netlab fits into the virtual lab orchestration picture and what exactly it can do, let’s focus on what’s the easiest way to get started.

The next video in the Using netlab to Build Networking Labs series describes:

Watch the video
You need Free ipSpace.net Subscription to watch the video and Standard ipSpace.net Subscription to watch the rest of the webinar.

Video: Getting Started with netlab

After explaining how netlab fits into the virtual lab orchestration picture and what exactly it can do, let’s focus on what’s the easiest way to get started.

The next video in the Using netlab to Build Networking Labs series describes:

Watch the video
You need Free ipSpace.net Subscription to watch the video and Standard ipSpace.net Subscription to watch the rest of the webinar.

MWC analysis: Conditions are ripe for cloud providers to drive faster network services.

Big challenges don’t usually suddenly explode on the scene. There are little symptoms, warning signs that signal developing issues. One place to look for them is a trade show, because there are a lot of buyers and sellers collected in one place. The Mobile World Congress (MWC) that just ended is a good example, because it validated some little signals that networking might be facing a big challenge. Back in 2007, Australia created a National Broadband Network (NBN) as a national infrastructure project because access infrastructure was too expensive to support competition and reasonable consumer prices. At MWC, Telecom Italia said that retail pricing pressure and exploding data consumption meant it was “facing a perfect storm.”  Ericsson said that the 200 operators in Europe need to consolidate significantly in order to be financially efficient and stable. Last year, because consumer willingness to pay for broadband hasn’t grown and their appetite for bandwidth has exploded, European Union operators have asked the union to approve subsidies to them from big tech. Stories spread through MWC that the EU favored the subsidies, called the fair share. An EU regulator suggested that fair-share policies were essential to assure gigabit connectivity by 2030.  Continue reading

Looking up words and terms with the Linux dict command

If you’re sitting at your Linux computer and feeling curious about some word or term, you don’t have to jump up and grab a dictionary. Instead, you can install the dict command and you’ll probably be amazed by the wealth of information that will be available to you on the command line.You will be able to find multiple definitions for nearly any term you ask about, often with considerable depth. Just looking up the word “seven”, I was provided with four definitions. They included references to the Pleiades (a star cluster that is also known as the "Seven Sisters"), a mention of the seven wonders of the world, scriptural references to the number seven, a note about how many days are in a week, and an explanation that seven is one greater than six.To read this article in full, please click here

1 330 331 332 333 334 3,832