Rolling With The Punches: Shifting Attack Tactics & Dropping Packets Faster & Cheaper At The Edge

Rolling With The Punches: Shifting Attack Tactics & Dropping Packets Faster & Cheaper At The Edge
Rolling With The Punches: Shifting Attack Tactics & Dropping Packets Faster & Cheaper At The Edge

On Cloudflare’s 8th birthday in 2017, we announced free unmetered DDoS Protection as part of all of our plans, regardless if you’re an independent blogger using WordPress on Cloudflare's Free plan or part of a large enterprise operating global network infrastructures. Our DDoS protection covers attack vectors on Layers 3-7; whether highly distributed and volumetric (rate-intensive) or small and sneaky. We protect over 26 million Internet properties, and at this scale, identifying small and sneaky DDoS attacks can be challenging, especially at L7. In this post, we discuss this challenge along with trends that we’ve seen, interesting DDoS attacks, and how we’ve responded to them so that you don’t have to worry.

When analyzing attacks on the Cloudflare network, we’ve seen a steady decline in the proportion of L3/L4 DDoS attacks that exceed a rate of 30 Gbps in recent months. From September 2019 to March 2020, attacks peaking over 30 Gbps decreased by 82%, and in March 2020, more than 95% of all network-layer DDoS attacks peaked below 30 Gbps. Over the same time period, the average size of a DDoS attack has also steadily decreased by 53%, to just 11.88 Gbps. Yet, very large Continue reading

Video: Networks Are (Not) Secure

It’s amazing how many people still believe in Security Fairy (the mythical entity that makes your application magically secure), fueling the whole industry of security researchers who happily create excruciatingly detailed talks of how you can use whatever security oversight to wreak havoc (even when the limitations of a technology are clearly spelled out in an RFC).

In the Networks Are Not Secure (part of How Networks Really Work webinar) I described why we should never rely on network infrastructure to provide security, but have to implement it higher up in the application stack.

Watch the video
You need Free ipSpace.net Subscription to watch the video, and the Standard ipSpace.net Subscription to register for upcoming live sessions.

Topology Dependent LFA

Fast convergence after failures has always been an important part of ISP network design.

 

When a failure is detected, it takes a while until the routing protocol propagates new information throughout the network and all routers update their FIB. …

SAP Girds for COVID-19 Related Uncertainty

The vendor said the update assumes the demand environment continues to deteriorate through Q2...

Read More »

© SDxCentral, LLC. Use of this feed is limited to personal, non-commercial use and is governed by SDxCentral's Terms of Use (https://www.sdxcentral.com/legal/terms-of-service/). Publishing this feed for public or commercial use and/or misrepresentation by a third party is prohibited.

Dragonfly Brings Peer-to-Peer Image Sharing to Kubernetes

Dragonfly, a peer-to-peer image and file-sharing technology developed by Cloud Native Computing Foundation. The software provides a way to quickly distribute images across large cloud native deployments, eliminating the dependency on a single registry to distribute all the copies of an image. “Dragonfly is one of the backbone technologies for container platforms within Alibaba’s ecosystem, supporting billions of application deliveries each year, and in use by many enterprise customers around the world,” said Dragonfly in 2015, originally to ease file distribution. By 2017, when it was adopted to share containers within Kubernetes environments, it was being used by the Chinese cloud service to share 3.4PB each month. It was originally accepted into the OCI (Open Container Initiative). It can work with CNCF’s Prometheus and display them on a Helm can be used to install Dragonfly within a Kubernetes cluster. Project maintainers come from Alibaba, ByteDance, eBay, and Meitu. Overall it has 67 contributors from 21 organizations. It has been downloaded over 100,000 times from Docker Hub and has massed 6,000 GitHub stars. Learn more about Dragonfly, visit liggraphy from 

Daily Roundup: Cisco Swipes Back at VMware SD-WAN Claim

Cisco swiped back at VMware's SD-WAN claim; McAfee beefed up its SASE with browser isolation; and...

Read More »

© SDxCentral, LLC. Use of this feed is limited to personal, non-commercial use and is governed by SDxCentral's Terms of Use (https://www.sdxcentral.com/legal/terms-of-service/). Publishing this feed for public or commercial use and/or misrepresentation by a third party is prohibited.

The Greatest Asset to Open Source is Community

"Closed limited resources and ideas can never compete with something that is open to the world –...

Read More »

© SDxCentral, LLC. Use of this feed is limited to personal, non-commercial use and is governed by SDxCentral's Terms of Use (https://www.sdxcentral.com/legal/terms-of-service/). Publishing this feed for public or commercial use and/or misrepresentation by a third party is prohibited.

Load balancer with BGP and UCMP

Uniform load distribution to anycast servers using BGP bandwidth community and unequal cost multipath forwarding

Scalable modern applications are deployed as clusters of server instances and load balancers are needed to distribute client requests across server instances. In order to ensure positive user experience an application needs to be always responsive and no instance should get bogged down with overload.

Sophisticated load balancing solutions help but often involve expensive and proprietary components. These also are additional point of failure requiring maintenance and are often overkill for most use cases.

Here is one solution to this complex problem that can achieve spreading client requests evenly across application servers with network switches running Cumulus Linux. All this is achieved without adding any additional device or component.

The case in point is that the user has a large number of anycast services running in a multipod Clos network. The number of service endpoints can dynamically change and user expectation is that service endpoints get uniformly loaded.

This solution works well for both cases, one where Clos fabric is Layer-3 only network and another where we have Evpn vxlan overlay network. Care must be taken though to select switch hardware that can support overlay Continue reading

Why Is So Much Internet Traffic Leaving Pakistan?

This article appeared first on the APNIC website.

At the recent SANOG meeting held in my homeland, Pakistan, I wanted to provide the local community with some insights into the importance of Internet exchanges (IXs), specifically the need to host content locally.

Knowing that data is king among network operators, I set up a virtual machine as soon as I arrived to collect information on several key metrics, including latency and the hosting location of .pk domains. Needless to say, the results were surprising.

How long does it take to connect to public Domain Name System (DNS) services?

First, I tested for latency, specifically the time it takes to PING three of the most popular public DNS services: Cloudflare DNS (1.1.1.1), Google Public DNS (8.8.8.8), and Quad9 (9.9.9.9). PING is not the best way to test DNS but this is for reachability purpose only.

Before leaving my home in Sydney, Australia, I did the same to offer a comparison. As you can see from the results in Figure 1, all were below 1ms.

Figure 1: Latency measurements to connect to public DNS services in Sydney, Australia

The results for Pakistan were Continue reading

Nokia Expands RAN Portfolio, Releases DSS

All of the new RAN gear is running on chipsets from Nokia’s ReefShark portfolio, including new...

Read More »

© SDxCentral, LLC. Use of this feed is limited to personal, non-commercial use and is governed by SDxCentral's Terms of Use (https://www.sdxcentral.com/legal/terms-of-service/). Publishing this feed for public or commercial use and/or misrepresentation by a third party is prohibited.

IBM Touts AI Cure to Secure Supply Woes

“No company can afford not to have a multi-dimensional, dynamic supply strategy that is capable...

Read More »

© SDxCentral, LLC. Use of this feed is limited to personal, non-commercial use and is governed by SDxCentral's Terms of Use (https://www.sdxcentral.com/legal/terms-of-service/). Publishing this feed for public or commercial use and/or misrepresentation by a third party is prohibited.

SaltStack’s CTO on Pandemics, the End of Empires and Software’s Future

It is too early to determine to what extent our lives will change in the future once the Coronavirus pandemic has run its full course. However, in the software industry, some possible outcomes are beginning to emerge, including consolidation and the potential for great changes to take place — both good and bad. As a harbinger of what may come, SaltStack, a leading automation network infrastructure provider, evoked historical examples of pandemics and plagues in the past. He discussed what changes they wrought on ancient Egypt, the Roman Empire and the Renaissance era, while drawing parallels with the software industry. Patch also shared with The New Stack in this Q&A how software engineers’ lives have hardly changed, the folly of forcing workers to come to the office when they really do not need to and his observations of network infrastructure saturation in the wake of the

Free Google Book: Building Secure and Reliable Systems

 

Google added another book into their excellent SRE series: Building Secure and Reliable Systems. It's free to download, so don't be shy. 

It's not short: 557 pages and 21 chapters! So what's it about? In short it's about "reliability through the lens of security."

In long, Ana Oprea, one of the authors, gave a good overview. anaoprea:

There are multiple questions about what this book is about, who it's for and what might be relevant for me. We recommend going through the Preface to get answers to these questions. Copy/pasting a few paragraphs: "In this book we talk generally about systems, which is a conceptual way of thinking about the groups of components that cooperate to perform some function.

We wanted to write a book that focuses on integrating security and reliability directly into the software and system lifecycle, both to highlight technologies and practices that protect systems and keep them reliable, and to illustrate how those practices interact with each other.

We’d like to explicitly acknowledge that some of the strategies this book recommends require infrastructure support that simply may not exist where you’re currently working.

Because security and reliability are everyone’s responsibility, we’re Continue reading

Cloning Remote Linux Machines

I would like to share the second version (1.1) of the Bash script backup_images-1.1.sh which you can use for cloning disks of remote Linux machines. The script reads IP addresses of the hosts from a file and copy the disks with dd command over SSH connection. The disks are stored on a local machine, compressed […]
Continue reading...

Internship Experience: Cryptography Engineer

Internship Experience: Cryptography Engineer
Internship Experience: Cryptography Engineer

Back in the summer of 2017 I was an intern at Cloudflare. During the scholastic year I was a graduate student working on automorphic forms and computational Langlands at Berkeley: a part of number theory with deep connections to representation theory, aimed at uncovering some of the deepest facts about number fields. I had also gotten involved in Internet standardization and security research, but much more on the applied side.

While I had published papers in computer security and had coded for my dissertation, building and deploying new protocols to production systems was going to be new. Going from the academic environment of little day to day supervision to the industrial one of more direction; from greenfield code that would only ever be run by one person to large projects that had to be understandable by a team; from goals measured in years or even decades, to goals measured in days, weeks, or quarters; these transitions would present some challenges.

Cloudflare at that stage was a very different company from what it is now. Entire products and offices simply did not exist. Argo, now a mainstay of our offering for sophisticated companies, was slowly emerging. Access, which Continue reading

Schneider Electric launches cooling for edge devices

Schneider Electric has introduced a system for cooling individual server racks in remote and edge locations that aren’t well suited for traditional data-center cooling schemes.Uniflair Rack Mounted Cooling is a split system consisting of the air conditioning unit that goes in the cabinet and a fan that vents hot air from the cabinet to the outside. The external unit can be up to 20 meters away and up to five meters above or below the cooling unit.[Get regularly scheduled insights by signing up for Network World newsletters.] The 5U, Freon-based air-conditioner unit blows cool air up the front of the cabinet where it is sucked into the servers by their front fans and absorbs heat generated by the servers. The hot air is expelled out the back and drawn down, cooled, and recirculated upwards.To read this article in full, please click here

1 983 984 985 986 987 3,841