DNS Evolution

The choice of UDP as the default transport for the DNS was not a completely unqualified success. On the positive side, the stateless query/response model of UDP has been a good fit to the stateless query/response model of DNS transactions between a client and a server. On the other hand, these same minimal overheads imply that DNS over UDP cannot perform prompt detection of packet loss and cannot efficiently defend itself against various approaches to tampering with the DNS, such as source address spoofing, payload alteration and third-party packet injection. Perhaps most importantly, the way UDP handles large payloads is a problem.

Weekend Reads 071224


The gang’s time from initial access to draining data out of a Veeam server is shockingly fast; after which the attackers went on to deploy actual ransomware in less than a day.


A critical security issue has been disclosed in the Exim mail transfer agent that could enable threat actors to deliver malicious attachments to target users’ inboxes.


The new fireball is the arrival of AI, its widespread acceptance and adoption, and the view that it is now a competitive imperative.


As a follow-up to the post yesterday on native VLANs, there was a question on what would happen to 802.1Q-tagged frames traversing an unmanaged switch.


State-controlled media on Tuesday covered the proceedings of the third China IPv6 Innovation and Development Conference, at which officials revealed that as of May 2024 the Middle Kingdom was home to 794 million users of the protocol, and that 64.56 percent of mobile traffic – plus 21.21 percent of fixed network traffic – is carried on networks that employ it.


In fact, since 2017, Google’s environmental reports show that the company’s electricity use, CO2 emissions, and carbon intensity have soared.


Using DevSecOps helps ensure the right level of security throughout both Continue reading

Terraform for Network Engineers: Part Three

Terraform for Network Engineers: Part Three

If you have not read the previous parts of this series, I recommend you start there.

Terraform for Network Engineers: Part One
Terraform for Network Engineers: Part Two

Welcome back to our journey of exploring Terraform for Network Engineers. In the previous part, we left ourself with a few challenges network engineers face when diving into the world of Terraform. Let's quickly recap those challenges:

  1. Setup Complexity: Are we really expecting network engineers to set up a Terraform project and write HCL code for creating resources on Panorama?
  2. Documentation Dive: Are network engineers supposed to dig into Terraform provider documentation to configure their desired resources?
  3. State File Management: What do we do with the state file? How do we manage it and share it with the team? What if it gets corrupted?

In this part, we'll tackle the first two challenges. We will explore how we can simplify the configuration file and abstract the complexity of the Terraform provider documentation.

Before we dive in, lets decompose the components of a simple Palo Alto Networks security policy configuration. A simple policy is composed of the following components:

  1. Device Group
  2. Source and Destination Zones
  3. Source and Destination Addresses
  4. Services Continue reading

IPB155: Operational Considerations: DHCP vs DHCPv6

What are the operational considerations and differences between DHCP and DHCPv6?  In today’s episode we explore the implications for network management, security, and operational models. We also discuss the challenges of DHCPv6 failover, high availability, complex device tracking and identity management in various environments. Episode Links:  Scott’s Infoblox IPv6 CoE blog post  Introducing DHCPv6 Prefix... Read more »

Application Security report: 2024 update

Over the last twelve months, the Internet security landscape has changed dramatically. Geopolitical uncertainty, coupled with an active 2024 voting season in many countries across the world, has led to a substantial increase in malicious traffic activity across the Internet. In this report, we take a look at Cloudflare’s perspective on Internet application security.

This report is the fourth edition of our Application Security Report and is an official update to our Q2 2023 report. New in this report is a section focused on client-side security within the context of web applications.

Throughout the report we discuss various insights. From a global standpoint, mitigated traffic across the whole network now averages 7%, and WAF and Bot mitigations are the source of over half of that. While DDoS attacks remain the number one attack vector used against web applications, targeted CVE attacks are also worth keeping an eye on, as we have seen exploits as fast as 22 minutes after a proof of concept was released.

Focusing on bots, about a third of all traffic we observe is automated, and of that, the vast majority (93%) is not generated by bots in Cloudflare’s verified list and is potentially malicious.

API traffic Continue reading

Euro 2024’s impact on Internet traffic: a closer look at finalists Spain and England

National team sports unite countries, and football (known as “soccer” in the US) is the world’s most popular sport, boasting approximately 3.5 billion fans globally. The UEFA Euro 2024, running from June 14 to July 14, 2024, significantly impacts Internet traffic across participating European nations. This blog post focuses on the two finalists, Spain and England, and comes after an initial post we published during the first week of the tournament.

Analyzing traffic patterns reveals distinct high-level trends. Spain saw the most significant drops in Internet traffic during games against major teams and former champions such as Italy (the defending champion), Germany, and France. In contrast, England’s games had crucial moments towards the end, leading to the largest traffic reductions in the UK, especially during the knockout stages.

For context, as previously mentioned, football games like the Super Bowl, differ from other events such as elections. When major teams or national squads play, especially in matches that captivate many viewers, Internet traffic often drops. This is particularly true if the game is broadcast on a national TV channel. During such broadcasts, people tend to focus more on their TV sets, relying on the traditional broadcast signal Continue reading

Detecting Mismatched Native VLANs

Many people have seen the message logged to their switch about a mismatched native VLAN on a trunk, but how is it detected? There are two methods of detecting mismatched native VLAN on a trunk link:

  • CDP.
  • STP when using a Per-VLAN flavor such as PVST+ or RPVST+.

To demonstrate how this happens, I will setup a very simple topology in CML with two switches connected by a trunk link as seen below:

At this point only the following has been configured on the trunk link:

interface GigabitEthernet0/0
 switchport trunk encapsulation dot1q
 switchport mode trunk
 negotiation auto

Now, let’s take a look at the PDUs being generated, CDP and STP. For CDP we can see the following in Wireshark:

Frame 31: 354 bytes on wire (2832 bits), 354 bytes captured (2832 bits)
IEEE 802.3 Ethernet 
Logical-Link Control
Cisco Discovery Protocol
    Version: 2
    TTL: 180 seconds
    Checksum: 0x474d [correct]
    [Checksum Status: Good]
    Device ID: SW2
    Software Version
    Platform: Cisco 
    Addresses
    Port ID: GigabitEthernet0/0
    Capabilities
    VTP Management Domain: 
    Native VLAN: 1
        Type: Native VLAN (0x000a)
        Length: 6
        Native VLAN: 1
    Duplex: Full
    Trust Bitmap: 0x00
    Untrusted port CoS: 0x00
    Management Addresses

Notice that the native VLAN is signaled and that it Continue reading

Again: What Exactly Is MPLS?

Brad Casemore published an interesting analysis explaining why Cisco should accept being a mature company with mature products (yeah, you have to subscribe to view it). I always loved reading his articles, but unfortunately, this time, he briefly ventured into the “I don’t think this word means what you think it means” territory:

MPLS worked – and it still works – but it provided optimal value in an earlier time when the center of gravity was not the cloud. The cloud challenged the efficacy of MPLS, and it wasn’t long before SD-WAN, cloud connects, and interconnects […] represented an implacable threat to a status quo that had once seemed unassailable.

The second part of the paragraph is (almost) true, but it had nothing to do with MPLS.

Read more …

Using ngrok in Production: Not Just for Testing Anymore

The biggest challenge in serving digital services across vast, global networks is enabling those services to communicate with each other securely. Securing the endpoints is often not nearly as daunting as securing the routes between them. If you’ve ever used ngrok to generate an ad hoc secure tunnel so that services and browsers can contact your application even when hosted on localhost, you’ve probably asked yourself whether it would be possible to deliver your production apps and APIs in the same frictionless manner. If you’re staging an API for testing on your dev team’s network or even your personal laptop, ngrok gives you a way to

Cloudflare Zaraz adds support for server-side rendering of X and Instagram embeds

We are thrilled to announce Cloudflare Zaraz support of server-side rendering of embeds, featuring two Managed Components: X and Instagram. You can now use Cloudflare Zaraz to effortlessly embed posts from X or Instagram on your website in a performant, privacy-preserving, and secure way. Many traditional tag managers or customer data platforms rely heavily on third-party JavaScript and cookies to embed content, leading to concerns about privacy and performance. In contrast, we designed our solution to work without loading any third-party JavaScript or cookies, and furthermore to completely eliminate communication between the browser and third-party servers.

Starting today, you can use Cloudflare Zaraz not only for server-side data reporting to conventional marketing and analytics tools but also for server-side content rendering on your website. We are excited to pave the way with tools that enhance security, protect user privacy, and improve performance. Take a look at it:

Embed social media content without sacrificing security and speed

Since social media platforms emerged, we have become more and more familiar with seeing posts being embedded on websites, from showcasing user testimonials on product pages to featuring posts from reporters and politicians in news articles or blogs. Traditionally, this process has involved integrating Continue reading

1 84 85 86 87 88 3,800