Containerlab DDoS testbed

Real-time telemetry from a 5 stage Clos fabric describes lightweight emulation of realistic data center switch topologies using Containerlab. This article extends the testbed to experiment with distributed denial of service (DDoS) detection and mitigation techniques described in Real-time DDoS mitigation using BGP RTBH and FlowSpec.
docker run --rm -it --privileged --network host --pid="host" \
-v /var/run/docker.sock:/var/run/docker.sock -v /run/netns:/run/netns \
-v ~/clab:/home/clab -w /home/clab \
ghcr.io/srl-labs/clab bash
Start Containerlab.
curl -O https://raw.githubusercontent.com/sflow-rt/containerlab/master/ddos.yml
Download the Containerlab topology file.
containerlab deploy -t ddos.yml
Finally, deploy the topology.
Connect to the web interface, http://localhost:8008. The sFlow-RT dashboard verifies that telemetry is being received from 1 agent (the Customer Network, ce-router, in the diagram above). See the sFlow-RT Quickstart guide for more information.
Now access the DDoS Protect application at http://localhost:8008/app/ddos-protect/html/. The BGP chart at the bottom right verifies that BGP connection has been established so that controls can be sent to the Customer Router, ce-router.
docker exec -it clab-ddos-attacker hping3 --flood --udp -k -s 53 192.0.2.129
Start a simulated DNS amplification attack using hping3.
The udp_amplification chart shows that traffic matching the attack signature has crossed the threshold. The Controls chart shows Continue reading

Simple Load Testing with GitHub Actions

Michael Kalantar

Michael is a senior software engineer who has contributed to the design and development of a number of scalable distributed and cloud-based enterprise systems. He is a co-founder of the Iter8 project.

In this article, we show how to use GitHub Actions to load-test, benchmark and validate HTTP and gRPC services with service-level objectives (SLOs). When developing a new version of an HTTP or gRPC service, it is desirable to benchmark its performance and to validate that it satisfies desired service-level objectives (SLOs) before upgrading the current version. We describe a no-code approach based on GitHub Actions that can be used to automate such testing at any point in a continuous integration/continuous delivery (CI/CD) pipeline. For example, at build time it can be used to validate the new version as soon as possible. Alternatively, at deployment time it can be used to validate SLOs in the production environment.

HTTP Load Testing with the Iter8 GitHub Action

The Iter8 GitHub Action, iter8-tools/iter8-action@v1, enables automated Iter8 experiments in a GitHub workflow. To use the action, specify an experiment chart and its configuration via a Helm valuesFile. No programming is necessary — all configuration is declarative. Typical use is to Continue reading

Day Two Cloud 138: Rethinking Logs And Analysis With vRealize Log Insight Cloud (Sponsored)

VMware is our sponsor today for a Day Two Cloud episode about logging. Specifically, we're talking about vRealize Log Insight Cloud. It’s not just about collecting logs and events, and it's not just for VMware products. What do you get out of the data being logged? That’s what’s interesting. This is much more than a pile of syslogs with a search engine dropped on top.

Announcing the Cloudflare API Gateway

Over the past decade, the Internet has experienced a tectonic shift. It used to be composed of static websites: with text, images, and the occasional embedded movie. But the Internet has grown enormously. We now rely on API-driven applications to help with almost every aspect of life. Rather than just download files, we are able to engage with apps by exchanging rich data. We track workouts and send the results to the cloud. We use smart locks and all kinds of IoT devices. And we interact with our friends online.

This is all wonderful, but it comes with an explosion of complexity on the back end. Why? Developers need to manage APIs in order to support this functionality. They need to monitor and authenticate every single request. And because these tasks are so difficult, they’re usually outsourced to an API gateway provider.

Unfortunately, today’s gateways leave a lot to be desired. First: they’re not cheap. Then there’s the performance impact. And finally, there’s a data and privacy risk, since more than 50% of traffic reaches APIs (and is presumably sent through a third party gateway). What a mess.

Today we’re announcing the Cloudflare API Gateway. We’re going to completely replace Continue reading

Envoy Media: using Cloudflare’s Bot Management & ML

This is a guest post by Ryan Marlow, CTO, and Michael Taggart, Co-founder of Envoy Media Group.

My name is Ryan Marlow, and I’m the CTO of Envoy Media Group. I’m excited to share a story with you about Envoy, Cloudflare, and how we use Bot Management to monitor automated traffic.

Background

Envoy Media Group is a digital marketing and lead generation company. The aim of our work is simple: we use marketing to connect customers with financial services. For people who are experiencing a particular financial challenge, Envoy provides informative videos, money management tools, and other resources. Along the way, we bring customers through an online experience, so we can better understand their needs and educate them on their options. With that information, we check our database of highly vetted partners to see which programs may be useful, and then match them up with the best company to serve them.

As you can imagine, it’s important for us to responsibly match engaged customers to the right financial services. Envoy develops its own brands that guide customers throughout the process. We spend our own advertising dollars, work purely on a performance basis, and choose partners we know will do right Continue reading

Announcing Friendly Bots

When someone mentions bots on the Internet, what’s your first reaction?

It’s probably negative. Most of us conjure up memories of CAPTCHAs, stolen passwords, or some other pain caused by bad bots.

But the truth is, there are plenty of well-behaved bots on the Internet. These include Google’s search crawler and Stripe’s payment bot. At Cloudflare, we manually “verify” good bots, so they don’t get blocked. Our customers can choose to allowlist any bot that is verified. Unfortunately, new bots are popping up faster than we can verify them. So today we’re announcing a solution: Friendly Bots.

Let’s begin with some background.

How does a bot get verified?

We often find good bots via our public form. Anyone can submit a bot, but we prefer that bot operators complete the form to provide us with the information we need. We ask for some standard bits of information: your bot’s name, its public documentation, and its user agent (or regex). Then, we ask for information that will help us validate your bot. There are four common methods:

IP list
Send us a list of IP addresses used by your bot. This doesn’t have to be a static list — you can Continue reading

Introducing Advanced Rate Limiting

Still relying solely on IP firewalling? It’s time to change that.

While the IP address might still be one of the core technologies allowing networks to function, its value for security is long gone. IPs are rarely static; nowadays, mobile operators use carrier-grade network address translation (CGNAT) to share the same IP amongst thousands of individual devices or users. Bots then carry out distributed attacks with low request volume from different IPs to elude throttling. Furthermore, many countries consider IP addresses to be personal data, and it would be a great advancement for privacy if a replacement could be found for elements of security that currently rely on IP addresses to function. A product that is affected by this trend is rate limiting.

Rate limiting is designed to stop requests from overloading a server. It relies on rules. A rate limiting rule is defined by a filter (which typically is a path, like /login) and the maximum number of requests allowed from each user over a period of time. When this threshold is exceeded, an action is triggered (usually a block) for subsequent requests from the same user for a period of time (known as a timeout). Traditional throttling Continue reading
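The rule structure described above (a path filter, a per-user request threshold over a period, and a block action that lasts for a timeout), as an added example that is not Cloudflare's code: a sliding-window limiter keyed by an arbitrary client identifier (a session cookie or API key, with the IP only as a fallback), since the post argues that IP alone is no longer a good key. The rule values and request timestamps are constructed for illustration.

```python
from collections import deque
from dataclasses import dataclass, field


@dataclass
class RateLimitRule:
    """One rate limiting rule: a path filter, the maximum number of
    requests allowed per client key within `period` seconds, and the
    `timeout` in seconds during which further requests are blocked."""
    path: str
    max_requests: int
    period: float
    timeout: float


@dataclass
class RateLimiter:
    rule: RateLimitRule
    # per-key timestamps of counted requests inside the sliding window
    _hits: dict = field(default_factory=dict)
    # per-key time until which the client stays blocked after a trigger
    _blocked_until: dict = field(default_factory=dict)

    def check(self, key: str, path: str, now: float) -> str:
        """Decide one request: 'ignore' (filter not matched), 'allow' or
        'block'. `key` identifies the user (session, API key, or IP as a
        fallback); `now` is passed in so the logic is deterministic."""
        if path != self.rule.path:
            return "ignore"  # the rule's filter does not apply
        if self._blocked_until.get(key, 0.0) > now:
            return "block"  # still inside the timeout from an earlier trigger
        window = self._hits.setdefault(key, deque())
        # discard timestamps that have aged out of the period
        while window and now - window[0] >= self.rule.period:
            window.popleft()
        window.append(now)
        if len(window) > self.rule.max_requests:
            # threshold exceeded: trigger the action for `timeout` seconds
            self._blocked_until[key] = now + self.rule.timeout
            window.clear()
            return "block"
        return "allow"


def simulate(limiter: RateLimiter, key: str, path: str, times) -> list:
    """Run a sequence of request timestamps through the limiter."""
    return [limiter.check(key, path, t) for t in times]
```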

What is hyperconvergence?

Hyperconvergence is an IT framework that combines storage, computing and networking into a single system in an effort to reduce data center complexity and increase scalability. Hyperconverged platforms include a hypervisor for virtualized computing, software-defined storage, and virtualized networking. They typically run on standard, off-the-shelf servers, and multiple nodes can be clustered to create pools of shared compute and storage resources, designed for convenient consumption. The use of commodity hardware, supported by a single vendor, yields an infrastructure that's designed to be more flexible and simpler to manage than traditional enterprise storage infrastructure. For IT leaders who are embarking on data center modernization projects, hyperconvergence can provide the agility of public cloud infrastructure without relinquishing control of hardware on their own premises.

Hub-and-Spoke VPLS: Revenge of LDP

In the Segment Routing vs LDP in Hub-and-Spoke Networks blog post I explained why you could get into interesting scaling issues when running MPLS with LDP in a large hub-and-spoke network, and how you can use Segment Routing (MPLS edition) to simplify your design.

Sample hub-and-spoke network

Now imagine you’d like to offer VPLS services between hubs and spokes, and happen to be using equipment that uses targeted LDP sessions to signal pseudowires. Guess what happens next…

On finding balloons in data center networks: micro-detection using adaptive ➰ feedback loops ♻

Using #SRLinux for flexible decentralized DDoS attack detection #SecDevOps

A distributed problem (“attack”) may require a distributed solution (source)

Distributed Denial of Service (DDoS) attacks continue to be a major problem for many network operators and their customers. As in most networking problems, the key issue is scale: attackers are able to mount an amplified attack using many (N) sources to send large (M) payloads to a single (1) target server, causing link and CPU saturation and system overload.

N*M >> 1 ~> overloaded system(s) and unhappy customers

Much like security in general, solving DDoS attacks is a continuous process, not a one-time product or solution deployment. While most operators have deployed DDoS mitigation solutions, there will — unfortunately — always come a time where the current solution falls short, and something else or more is needed.

#DevSecOps: Shortening feedback loops

Feedback loops (credit: Peter Phaal / Tim Cochran)

Back in 2011 Peter Phaal wrote a blog about “Delay and stability”. Even though more than a decade has passed since, one can easily see how triggers like AWS outages haven’t changed — these points remain relevant and valid today:
✅ Measurement (observability) plays a critical role in data centers; it is the foundation for automation (more on this Continue reading

IDC MarketScape positions Cloudflare as a Leader among worldwide Commercial CDN providers

We are thrilled to announce that Cloudflare has been positioned in the Leaders category in the IDC MarketScape: Worldwide Commercial CDN 2022 Vendor Assessment (doc #US47652821, March 2022).

You can download a complimentary copy here.

The IDC MarketScape evaluated 10 CDN vendors based on their current capabilities and future strategies for delivering Commercial CDN services. Cloudflare is recognized as a Leader.

At Cloudflare, we release products at a dizzying pace. When we talk to our customers, we hear again and again that they appreciate Cloudflare for our relentless innovation. In 2021 alone, over the course of seven Innovation Weeks, we launched a diverse set of products and services that made our customers’ experiences on the Internet even faster, more secure, more reliable, and more private.

We leverage economies of scale and network effects to innovate at a fast pace. Of course, there’s more to our secret sauce than our pace of innovation. In the report, IDC notes that Cloudflare is “a highly innovative vendor and continues to invest in its competencies to support advanced technologies such as virtualization, serverless, AI/ML, IoT, HTTP3, 5G and (mobile) edge computing.” In addition, IDC also recognizes Cloudflare for its “integrated SASE offering (that) Continue reading

Full Stack Journey 064: Should You Embrace Chaos Engineering?

Maybe you've heard of chaos engineering, and you're curious about what it is. This episode will help you understand! Joining Scott for the Full Stack Journey is Cwen (Chengwen) Yin, a co-founder of the Chaos Mesh project. We define chaos engineering, discuss what it's supposed to accomplish, cover the major components of Chaos Mesh, and more.

The post Full Stack Journey 064: Should You Embrace Chaos Engineering? appeared first on Packet Pushers.

Juniper upgrades its intent-based software to embrace edge deployments

Juniper Networks has added features to its Apstra intent-based networking software that it says will help customers secure and support smaller data centers at distributed edge networks. The Apstra software keeps a real-time repository of configuration, telemetry, and validation information to ensure the network is doing what IT teams want it to do. The software includes automation to provide consistent network and security policies for workloads across physical and virtual infrastructures. In addition, its baked-in analytics performs regular network checks to safeguard configurations.

Unified Cloud Networking Changes the Game

Today we announced our Unified Cloud Networking vision, the industry’s first Unified Cloud Fabric solution and our partnership with NVIDIA. This truly changes the game for cloud network operators.

Last week I made the case that cloud networking needs a new vision in order to meet two strategic goals shared by cloud operators:

  1. Transform cloud networks to become as agile, highly available and simple to operate as the hyperscale public clouds.
  2. Move rapidly toward a new, more highly distributed networking and zero-trust security architecture to address increasing cybersecurity risks.

Just as importantly, we need new solutions to overcome the obstacles that prevent operators from achieving those goals, i.e. fragmented networks and incomplete solutions for security, automation and visibility.

Today, I outline how we have created the vision and solutions to overcome those obstacles and meet those goals. In a companion blog, Alessandro Barbieri dives deeper into the challenges we are addressing and how we are turning the vision into reality.

Introducing the Unified Cloud Networking Vision

Unified Cloud Networking solutions build on the Unified Cloud Fabric (the next generation of our proven Adaptive Cloud Fabric) to unify networks across multiple dimensions – switches and servers, overlay and underlay Continue reading

Pluribus Unified Cloud Networking: What, Why, How

Today, in partnership with NVIDIA, Pluribus launched the Unified Cloud Networking architecture aiming to transform the way CSPs, telcos and enterprises build and operate cloud networks with radical operational simplification, distributed security services integrated into the network, and significantly lower total cost of ownership (TCO) compared to existing solutions.

In this blog I discuss the networking and security challenges cloud operators are facing, and then describe how the Pluribus Unified Cloud Fabric™ addresses these challenges with a holistic approach to cloud networking including both the switching fabric and the compute virtualization fabric. I then explain how the Pluribus Netvisor® ONE network operating system (OS) integrates with the NVIDIA® Bluefield® data processing unit (DPU) hardware architecture to deliver a Unified Cloud Fabric across any workload environment (including ESXi, Hyper-V, Xen, KVM, bare metal, and Kubernetes), provide a zero-trust administration model between compute and network, and radically simplify the networking stack running on the server OS with better overall performance and lower TCO. Finally, I review the initial set of use cases Pluribus is delivering with the Early Field Trial (EFT) program starting next month.

The State of Cloud Networking: A Tale of Many Fabrics

Outside the largest public cloud providers, with Continue reading