

On Cloudflare’s 8th birthday in 2017, we announced free unmetered DDoS Protection as part of all of our plans, regardless of whether you’re an independent blogger using WordPress on Cloudflare's Free plan or part of a large enterprise operating global network infrastructure. Our DDoS protection covers attack vectors on Layers 3-7, whether highly distributed and volumetric (rate-intensive) or small and sneaky. We protect over 26 million Internet properties, and at this scale, identifying small and sneaky DDoS attacks can be challenging, especially at L7. In this post, we discuss this challenge along with the trends we’ve seen, interesting DDoS attacks, and how we’ve responded to them so that you don’t have to worry.
When analyzing attacks on the Cloudflare network, we’ve seen a steady decline in the proportion of L3/L4 DDoS attacks that exceed a rate of 30 Gbps in recent months. From September 2019 to March 2020, attacks peaking over 30 Gbps decreased by 82%, and in March 2020, more than 95% of all network-layer DDoS attacks peaked below 30 Gbps. Over the same time period, the average size of a DDoS attack has also steadily decreased by 53%, to just 11.88 Gbps. Yet, very large Continue reading
It’s amazing how many people still believe in the Security Fairy (the mythical entity that makes your application magically secure), fueling a whole industry of security researchers who happily create excruciatingly detailed talks on how you can use whatever security oversight to wreak havoc (even when the limitations of a technology are clearly spelled out in an RFC).
In the Networks Are Not Secure presentation (part of the How Networks Really Work webinar) I described why we should never rely on network infrastructure to provide security, but have to implement it higher up in the application stack.
Fast convergence after failures has always been an important part of ISP network design.

When a failure is detected, it takes a while until the routing protocol propagates new information throughout the network and all routers update their FIB. …
The vendor said the update assumes the demand environment continues to deteriorate through Q2...
Spectro Cloud is Kubernetes management. But...that's really oversimplifying it, especially with the hundreds of offerings that have something to do with Kubernetes management or KaaS. If I'm being more precise, Spectro Cloud is about managing an entire infrastructure stack that's built around Kubernetes.
The post BiB093: Declare A K8s Stack With Spectro Cloud appeared first on Packet Pushers.
Cisco swiped back at VMware's SD-WAN claim; McAfee beefed up its SASE with browser isolation; and...
"Closed limited resources and ideas can never compete with something that is open to the world –...
Scalable modern applications are deployed as clusters of server instances, and load balancers are needed to distribute client requests across those instances. To ensure a positive user experience, an application needs to stay responsive, and no instance should be bogged down by overload.
Sophisticated load balancing solutions help but often involve expensive and proprietary components. These are also additional points of failure that require maintenance, and they are often overkill for most use cases.
Here is one solution to this problem that spreads client requests evenly across application servers using network switches running Cumulus Linux, without adding any additional device or component.
The case in point: the user has a large number of anycast services running in a multi-pod Clos network. The number of service endpoints can change dynamically, and the user expects the endpoints to be uniformly loaded.

This solution works well for both cases: one where the Clos fabric is a Layer-3-only network, and another where we have an EVPN VXLAN overlay network. Care must be taken, though, to select switch hardware that can support overlay Continue reading
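The mechanism behind this approach is the switch's equal-cost multipath decision: an anycast prefix is reachable via N next hops, the switch hashes each flow's 5-tuple, and the hash selects one next hop. The following is an added simulation of that decision, not code from the Cumulus Linux post above. It checks the two properties the post cares about: that hashing spreads flows uniformly across endpoints, and what happens to existing flows when the endpoint set changes. The anycast VIP (10.0.0.1), the endpoint addresses (10.1.0.x), the SHA-256-based hash and the constructed flows are all assumptions made for the simulation; real ASICs use their own hash function. The comparison with a consistent-hashing ring goes beyond the teaser, which does not say which hashing mode the user's hardware runs.

```python
"""Simulate ECMP next-hop selection for an anycast service (added example)."""
import bisect
import hashlib
import random
from collections import Counter


def flow_hash(key: tuple) -> int:
    """Deterministic 64-bit hash of a tuple (e.g. a 5-tuple). Assumed hash;
    a switch ASIC uses its own, but the statistical behaviour is the same."""
    raw = "|".join(str(f) for f in key).encode()
    return int.from_bytes(hashlib.sha256(raw).digest()[:8], "big")


def make_flows(n: int, seed: int = 7) -> list:
    """Constructed sample flows: random clients hitting one anycast VIP."""
    rng = random.Random(seed)
    vip = "10.0.0.1"  # assumed anycast service address
    return [
        (f"192.168.{rng.randrange(256)}.{rng.randrange(1, 255)}",
         vip, rng.randrange(1024, 65536), 443, 6)
        for _ in range(n)
    ]


def pick_modulo(flow: tuple, endpoints: list) -> str:
    """Plain ECMP: hash modulo the number of equal-cost next hops."""
    return endpoints[flow_hash(flow) % len(endpoints)]


class HashRing:
    """Consistent hashing with virtual nodes: the behaviour a 'resilient'
    or consistent hashing mode aims for when next hops come and go."""

    def __init__(self, endpoints: list, vnodes: int = 200):
        self._ring = sorted(
            (flow_hash((ep, i)), ep) for ep in endpoints for i in range(vnodes)
        )
        self._keys = [k for k, _ in self._ring]

    def pick(self, flow: tuple) -> str:
        idx = bisect.bisect(self._keys, flow_hash(flow)) % len(self._keys)
        return self._ring[idx][1]


def load_per_endpoint(flows: list, chooser) -> Counter:
    """How many flows each endpoint receives under a given selection rule."""
    return Counter(chooser(f) for f in flows)


def imbalance(loads: Counter) -> float:
    """max/min flow count across endpoints; 1.0 means perfectly uniform."""
    return max(loads.values()) / min(loads.values())


def remapped_fraction(flows: list, before, after) -> float:
    """Share of existing flows whose next hop changes after an endpoint
    is added: each such flow lands on a server without its state."""
    moved = sum(1 for f in flows if before(f) != after(f))
    return moved / len(flows)


def simulate(n_flows: int = 10000, n_endpoints: int = 8) -> dict:
    """Compare uniformity and churn for modulo ECMP vs. a consistent ring
    when a ninth endpoint is added to an eight-endpoint anycast service."""
    eps = [f"10.1.0.{i}" for i in range(1, n_endpoints + 1)]
    eps_plus = eps + [f"10.1.0.{n_endpoints + 1}"]
    flows = make_flows(n_flows)
    ring, ring_plus = HashRing(eps), HashRing(eps_plus)
    mod_before = lambda f: pick_modulo(f, eps)
    mod_after = lambda f: pick_modulo(f, eps_plus)
    return {
        "modulo_imbalance": imbalance(load_per_endpoint(flows, mod_before)),
        "ring_imbalance": imbalance(load_per_endpoint(flows, ring.pick)),
        "modulo_remapped": remapped_fraction(flows, mod_before, mod_after),
        "ring_remapped": remapped_fraction(flows, ring.pick, ring_plus.pick),
    }


if __name__ == "__main__":
    for name, value in simulate().items():
        print(f"{name}: {value:.3f}")
```

Both rules spread flows evenly across the eight endpoints, which is the "uniformly loaded" property. The difference shows up on change: with hash-modulo-N, growing from 8 to 9 next hops reassigns roughly 8 out of 9 existing flows, while the ring moves only about 1 in 9, which is why the choice of switch hardware and hashing mode matters for stateful anycast services.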
This article appeared first on the APNIC website.
At the recent SANOG meeting held in my homeland, Pakistan, I wanted to provide the local community with some insights into the importance of Internet exchanges (IXs), specifically the need to host content locally.
Knowing that data is king among network operators, I set up a virtual machine as soon as I arrived to collect information on several key metrics, including latency and the hosting location of .pk domains. Needless to say, the results were surprising.
First, I tested for latency, specifically the time it takes to ping three of the most popular public DNS services: Cloudflare DNS (1.1.1.1), Google Public DNS (8.8.8.8), and Quad9 (9.9.9.9). Ping is not the best way to test DNS, but this was for reachability purposes only.
Before leaving my home in Sydney, Australia, I did the same to offer a comparison. As you can see from the results in Figure 1, all were below 1ms.

The results for Pakistan were Continue reading
All of the new RAN gear is running on chipsets from Nokia’s ReefShark portfolio, including new...
“No company can afford not to have a multi-dimensional, dynamic supply strategy that is capable...
The hyperscalers and the largest public clouds have been on the front end of each successive network bandwidth wave for more than a decade, and it only stands to reason that they, rather than the IEEE, would want to drive the standards for faster Ethernet networks. …
Hyperscalers Set The Pace For 800G Ethernet was written by Timothy Prickett Morgan at The Next Platform.

Google added another book into their excellent SRE series: Building Secure and Reliable Systems. It's free to download, so don't be shy.
It's not short: 557 pages and 21 chapters! So what's it about? In short it's about "reliability through the lens of security."
In long, Ana Oprea, one of the authors, gave a good overview. anaoprea:
There are multiple questions about what this book is about, who it's for and what might be relevant for me. We recommend going through the Preface to get answers to these questions. Copy/pasting a few paragraphs: "In this book we talk generally about systems, which is a conceptual way of thinking about the groups of components that cooperate to perform some function.
We wanted to write a book that focuses on integrating security and reliability directly into the software and system lifecycle, both to highlight technologies and practices that protect systems and keep them reliable, and to illustrate how those practices interact with each other.
We’d like to explicitly acknowledge that some of the strategies this book recommends require infrastructure support that simply may not exist where you’re currently working.
Because security and reliability are everyone’s responsibility, we’re Continue reading


Back in the summer of 2017 I was an intern at Cloudflare. During the scholastic year I was a graduate student working on automorphic forms and computational Langlands at Berkeley: a part of number theory with deep connections to representation theory, aimed at uncovering some of the deepest facts about number fields. I had also gotten involved in Internet standardization and security research, but much more on the applied side.
While I had published papers in computer security and had coded for my dissertation, building and deploying new protocols to production systems was going to be new. Going from the academic environment of little day to day supervision to the industrial one of more direction; from greenfield code that would only ever be run by one person to large projects that had to be understandable by a team; from goals measured in years or even decades, to goals measured in days, weeks, or quarters; these transitions would present some challenges.
Cloudflare at that stage was a very different company from what it is now. Entire products and offices simply did not exist. Argo, now a mainstay of our offering for sophisticated companies, was slowly emerging. Access, which Continue reading
Andrea Dainese added REST (Web) API to his Automation for Cisco NetDevOps article. You might love his explanation of the screen scraping methods used by legacy implementations. He was too polite to throw around any names, but I could immediately think of NETCONF or RESTCONF implementation on Cisco IOS.