8 Tips for a Successful Network Migration

I have done many network migrations over the years. Now a days it’s a more rare event but this weekend we migrated some Core switches with very little down time. What are some of the things that you should do to maximize the odds of a successful migration?

Plan

If your migration went successful without planning, that doesn’t mean you are smart, just lucky. Every migration requires planning. What steps are involved in the migration? How do you validate each step? Who needs to be involved in the migration? Who needs to validate services when the migration is done? What are the criteria for a successful migration? How much time do you need to perform the migration? At what point do roll back? What are the steps involved in rolling back?

A migration plan can have varying levels of detail. I’ve worked with some very critical networks where we have had to describe each and every step in detail including every command that is involved in the migration. This takes a lot of time but you can’t cut corners when you are working with networks that can affect people’s health and lives.

Prepare

Prepare as much as you can. This Continue reading

Cloudflare blocks an almost 2 Tbps multi-vector DDoS attack

Cloudflare blocks an almost 2 Tbps multi-vector DDoS attack
Cloudflare blocks an almost 2 Tbps multi-vector DDoS attack

Earlier this week, Cloudflare automatically detected and mitigated a DDoS attack that peaked just below 2 Tbps — the largest we’ve seen to date. This was a multi-vector attack combining DNS amplification attacks and UDP floods. The entire attack lasted just one minute. The attack was launched from approximately 15,000 bots running a variant of the original Mirai code on IoT devices and unpatched GitLab instances.

Cloudflare blocks an almost 2 Tbps multi-vector DDoS attack
DDoS attack peaking just below 2 Tbps‌‌

Network-layer DDoS attacks increased by 44%

Last quarter, we saw multiple terabit-strong DDoS attacks and this attack continues this trend of increased attack intensity. Another key finding from our Q3 DDoS Trends report was that network-layer DDoS attacks actually increased by 44% quarter-over-quarter. While the fourth quarter is not over yet, we have, again, seen multiple terabit-strong attacks that targeted Cloudflare customers.

Cloudflare blocks an almost 2 Tbps multi-vector DDoS attack
DDoS attacks peaking at 1-1.4 Tbps

How did Cloudflare mitigate this attack?

To begin with, our systems constantly analyze traffic samples “out-of-path” which allows us to asynchronously detect DDoS attacks without causing latency or impacting performance. Once the attack traffic was detected (within sub-seconds), our systems generated a real-time signature that surgically matched against the attack patterns to mitigate the attack without impacting Continue reading

Interesting: What’s Wrong with Bitcoin

I read tons of articles debunking the blockchain hype, and the stupidity of waisting CPU cycles and electricity on calculating meaningless hashes; here’s a totally different take on the subject by Avery Pennarun (an update written ten years later).

TL&DR: Bitcoin is a return to gold standard, and people who know more about economy than GPUs and hash functions have figured out that’s a bad idea long time ago.

Read more …

Arista Adds New Hyperscale, Enterprise Switches To Its 400G Portfolio

Arista Networks announced four new switches in its 400G portfolio. Two are aimed at the hyperscale/cloud crowd, and two are intended for enterprise data centers. The new switches promise greater port density than previous generations, and better power efficiency. The hyperscale switches are built around Broadcom’s Tomahawk-4 silicon, which delivers 25.6Tbps of throughput. They include […]

The post Arista Adds New Hyperscale, Enterprise Switches To Its 400G Portfolio appeared first on Packet Pushers.

Fixing Recent Validation Vulnerabilities in OctoRPKI

Fixing Recent Validation Vulnerabilities in OctoRPKI

A number of vulnerabilities in Resource Public Key Infrastructure (RPKI) validation software were disclosed in a recent NCSC advisory, discovered by researchers from the University of Twente. These attacks abuse a set of assumptions that are common across multiple RPKI implementations, and some of these issues were discovered within OctoRPKI. More details about the disclosed vulnerabilities can be found in this RIPE labs article written by one of the researchers. In response, we published a new release of OctoRPKI, v1.4.0, to address and remediate these vulnerabilities.

Cloudflare customers do not have to take any action to protect themselves from these newly discovered vulnerabilities, and no Cloudflare customer data was ever at risk.

We have not seen any attempted exploitation of these vulnerabilities described in the advisory. We use OctoRPKI to perform Border Gateway Protocol (BGP) route validation so that our routers know where to direct IP packets at Layer 3 of the TCP/IP stack. TLS provides additional security at the TCP layer to ensure the integrity and confidentiality of customer data going over the Internet in the event of BGP hijacking.

RPKI and the discovered vulnerabilities

Resource Public Key Infrastructure (RPKI) is a cryptographic method of Continue reading

Nvidia jumps into Zero Trust

Nvidia has announced a Zero Trust platform built around its BlueField data-processing units and Nvidia software.Zero Trust is an architecture that verifies every user and device that tries to access the network and enforces strict access control and identity management that limits authorized users to accessing only those resources they need to do their jobs.[Get regularly scheduled insights by signing up for Network World newsletters.] “You cannot just rely on the firewall on the outside, you have to assume that any application or any user inside your data center is a bad actor,” said Manuvir Das, head of enterprise computing at Nvidia. “Zero Trust basically just refers to the fact that you can't trust any application or user because there are bad actors.”To read this article in full, please click here

Nvidia jumps into Zero Trust

Nvidia has announced a Zero Trust platform built around its BlueField data-processing units and Nvidia software.Zero Trust is an architecture that verifies every user and device that tries to access the network and enforces strict access control and identity management that limits authorized users to accessing only those resources they need to do their jobs.[Get regularly scheduled insights by signing up for Network World newsletters.] “You cannot just rely on the firewall on the outside, you have to assume that any application or any user inside your data center is a bad actor,” said Manuvir Das, head of enterprise computing at Nvidia. “Zero Trust basically just refers to the fact that you can't trust any application or user because there are bad actors.”To read this article in full, please click here

AMD Gets Inside Facebook’s Latest – And Most Powerful – Microserver

Sometimes, you do put new wine in old bottles. This is what it looks like Meta – well, really its Facebook social network group – is doing as it adds a microserver node based on a custom AMD “Milan” Epyc 7003 processor to its datacenter infrastructure.

AMD Gets Inside Facebook’s Latest – And Most Powerful – Microserver was written by Timothy Prickett Morgan at The Next Platform.

Heavy Networking 606: Dealing With DNS And Domain Name Abuse

The DNS Abuse Institute is a community effort to develop solutions to DNS-related problems including malware, botnets, phishing, pharming, and spam. On today's show we speak with its Director, Graeme Bunton, about the institute and its work, and the challenges of dealing with malicious actors that exploit DNS and domain names.

The post Heavy Networking 606: Dealing With DNS And Domain Name Abuse appeared first on Packet Pushers.

Weekend Reads 111221


We’ve had too many face-palm-worthy incidents of organizations hearing “hey, I found your data in a world readable S3 bucket” or finding a supposedly “test” server exposed that had production data in it.


Virtually all compilers — programs that transform human-readable source code into computer-executable machine code — are vulnerable to an insidious attack in which an adversary can introduce targeted vulnerabilities into any software without being detected, new research released today warns.


2021 has already been a banner year for cybercriminals — the record-largest ransomware payment of $40 million was made by an insurance company this year. And the attacks won’t stop.


In the 2021 Domain Security Report, we analyzed the trend of domain security adoption with respect to the type of domain registrar used, and found that 57% of Global 2000 organizations use consumer-grade registrars with limited protection against domain and DNS hijacking, distributed denial of service (DDoS), man-in-the-middle attacks (MitM), or DNS cache poisoning.


When it comes to cybersecurity, risks are omnipresent. Whether it is a bank dealing with financial transactions or medical providers handling the personal data of patients, cybersecurity threats are unavoidable. The only way to efficiently combat these threats is to understand them.


‘Functional, Continue reading

1 640 641 642 643 644 3,856