Spoofing brings great risk to the internet, and very few networks are capable of mitigating attacks, which could result in the internet being centered on a handful of networks.
CloudFlare operates a global anycast content delivery network (CDN) to improve website performance and security. Their network routes web traffic through data centers located around the world, where services like caching, security filtering, and optimizations are applied. Anycast routing allows a client to connect to the closest data center, and if that location fails traffic will automatically reroute to the next closest one. Operating an anycast CDN presents challenges around efficient routing, new market deployments, and troubleshooting unusual routing behaviors between networks. Peering is important for reachability but must be considered economically in each region.
This document discusses New Zealand's position as a content delivery network (CDN) and how it compares globally. Some key points made include:
- Latency matters, with studies showing 25ms reductions leading to 30% more traffic and interactions
- Carrier-neutral data centers that allow interconnection with all providers are important for CDNs but availability varies by country
- New Zealand compares favorably to some countries in terms of peering ratios and prices, but lags behind leading hubs like South Korea and Singapore
- The document advocates for continued IPv6 adoption and expansion of caching through partnerships with Internet service providers
This document discusses open recursive DNS resolvers and the security issues they pose. It notes that while recursive resolvers are meant to cache and deliver DNS queries, many are not properly secured, allowing them to be abused for large reflection attacks. These attacks work by spoofing the source IP address of the victim in queries to open resolvers, which then send much larger responses to the victim, amplifying the attack traffic. The document shows that open resolvers come from networks all over the world and urges securing resolvers by filtering source addresses and disabling insecure recursive features.
- Interconnection between internet networks in regional and secondary markets is often suboptimal, resulting in inefficient routing of traffic that can trombone through primary markets.
- In cities like Tokyo, Dublin, and Singapore, large percentages of traffic from Tier 1 internet providers' peered routes are learned in other countries rather than being exchanged locally.
- The lack of robust local peering harms user experience, network resilience, and regional economic development. While some improvements have been made, more progress is still needed to drive better interconnection in secondary markets.
The document discusses connectivity in the Asian internet market. It notes that connectivity has traditionally been led by local incumbents like NTT in Japan and China Telecom in China. Traffic routing between Asian networks has often been inefficient, requiring detours through other countries or even the US. However, connectivity is improving as networks like NTTcom establish more connections to other Asian carriers. The future of Asian internet connectivity will involve greater regional exchange points, lower IP transit pricing, and better performance to support growing regional content delivery and users.
PLNOG16: Public IX is the tip of the Internet Iceberg. The 9:1 PNI rule, Mart... (PROIDEA)
The document discusses key considerations for peering planning and implementation. It recommends having a blend of transit, public peering, and private peering according to traffic volumes. Specifically, it suggests planning for 20%+ annual traffic growth, including peering as part of the IP traffic growth strategy, understanding the benefits of campus peering over distributed peering models, and expecting private peering traffic to outgrow public peering traffic over the long run. The document uses Equinix as an example, highlighting their large ecosystem of networks that can help lower IP transit costs and support robust public and private peering options.
Internet Noise (A Story About Two Little Subnets) - Tom Paseka (MyNOG)
Tom Paseka from Cloudflare presented on internet noise received on the IP blocks 1.1.1.0/24 and 1.0.0.0/24. He discussed that these blocks receive unwanted traffic such as from misconfigurations and misuse. Traffic levels have increased to 8-13Gbps from previous studies. Legitimate traffic makes up an estimated 7-13% and includes DNS queries. Availability testing found issues with over 30 ISPs null routing or using the blocks internally. Documentation recommends blocks like 192.0.2.0/24 for examples but sometimes they are still misused.
Netflix uses its Open Connect content delivery network to stream video content directly to internet service providers. The Open Connect network consists of appliances located within ISP networks that cache Netflix's content. This allows 95% of Netflix's streaming traffic to be served directly from the Open Connect caches, reducing load on upstream networks. The control plane determines the optimal stream for a user, while the data plane serves the cached content through Open Connect during playback. Netflix fills the caches overnight using predictive algorithms to pre-position popular content at locations close to users.
APNIC deployed IPv6 across its network and services over several years using the following approach:
1) APNIC initially used its IPv6 allocation of 2001:DC0:2000::/35 and split it into /48 and /64 subnets for its network. It configured IPv6 routing and DNS services for these subnets.
2) APNIC then deployed IPv6 for its critical services like DNS, web, FTP, mail, and load balancing. This included configuring IPv6 addresses and enabling IPv6 protocols for these services.
3) APNIC later added anycast instances of its DNS services and regional whois service using cloud providers to improve availability. Lessons learned included testing services thoroughly before deployment and monitoring
Netflix Open Connect: Delivering Internet TV to the world (Internet Society)
This document discusses Netflix's global streaming services and partnerships with internet service providers (ISPs). Some key points:
- Netflix now serves over 190 countries with over 1 billion hours streamed per month and 81.5 million members globally.
- Netflix partners with ISPs by allowing them to embed Netflix Open Connect appliances (OCAs) within their networks at no cost, in order to directly deliver Netflix content to users and reduce upstream internet traffic.
- There are over 50 global points of presence for OCAs. Requirements for ISPs to participate include having at least 5Gbps of peak traffic and hosting a 1U or 2U OCA appliance within their network.
PLNOG16: Netflix Open Connect is the Netflix proprietary CDN, Nina Bargisen (PROIDEA)
This document discusses Netflix's Open Connect content delivery network (CDN). It provides an overview of Netflix globally and its Open Connect program which allows ISPs to host Netflix content locally using Open Connect appliances provided by Netflix. The appliances store Netflix's content and use adaptive bitrate streaming to provide optimal video quality based on available bandwidth. The document outlines Netflix's peering and hardware requirements for ISPs to participate in Open Connect and benefit their users with faster access to Netflix content.
Peering Asia 2021v: Little-known IXPs in Asia Pacific (APNIC)
APNIC Infrastructure and Development Director Che-Hoo Cheng presents on less well known IXPs in the region and the important role they play in their economies.
Abitcool - A vast array of small-scale service providers with gigabit access,... (APNIC)
Abitcool - A vast array of small-scale service providers with gigabit access, by Tony Hain. A presentation given at APNIC 38 during the APOPS 3 session.
Akamai provides a global content delivery network (CDN) that serves over 2 trillion requests daily across 200,000 servers in over 130 countries. The presentation discusses peering with Akamai, traffic engineering techniques like route announcements and filtering, and issues to avoid like inconsistent or incomplete route announcements that could impact traffic delivery.
This document provides a summary of a final report analyzing Netflix's content distribution network architecture. It describes Netflix's growth from 1999 to becoming a leading video streaming service. The report analyzes Netflix's deployment of Amazon Web Services cloud computing and its own content delivery network called Open Connect. It also examines Netflix's traffic flow, use of content distribution networks, and strategies for efficiently streaming video at large scale. The document aims to understand Netflix's current architecture and discuss possibilities for further optimizing its CDN and video delivery.
- 22% of visible DNS resolvers are capable of making IPv6 queries, but 35% of DNS queries are actually passed to these resolvers, indicating more widespread IPv6 support.
- The top IPv6-capable resolvers are operated by companies like Google, AT&T, and Comcast, serving over 60% of queries.
- IPv6 DNS responses have a high success rate (96%) when response sizes are kept below the typical 1500 byte MTU to avoid fragmentation issues.
High Speed Fiber Services and Challenges to the Core Network by Seiichi Kawamura (MyNOG)
BIGLOBE faces challenges in scaling their network to support increasing demand for high-speed services from their 3 million broadband customers. Rapid traffic growth stresses their core network and metro connections. Efficiently handling streaming video, which comprises 30% of traffic, is difficult. Improving peering relationships and developing an open peering ecosystem in Japan helps alleviate these issues. BIGLOBE is working on automation, measurement tools, and network evolution to manage costs and provide high quality internet experiences as demands continue rising.
The document discusses traffic engineering for content delivery networks (CDNs). It describes how CDNs like Akamai use DNS-based mapping to direct users to the optimal edge server based on their location. This allows Akamai to serve over 30 terabits per second of traffic daily to over 2 trillion requests from its global network of over 189,000 servers. However, because CDNs operate as independent clusters without a private backbone, standard BGP techniques often do not work as expected to influence traffic patterns. The document provides examples of how traffic from ISPs may shift locations within 24 hours as the CDN mapping system reacts to routing changes. Effective traffic engineering requires coordination between the CDN and ISPs.
Tutorial: Using GoBGP as an IXP connecting router (Shu Sugimoto)
- Show you how GoBGP can be used as a software router in conjunction with quagga
- (Tutorial) Walk through the setup of IXP connecting router using GoBGP
CommunicAsia 2017: IPv6 deployment architecture for IoT (APNIC)
APNIC Training and Technical Assistance Manager Nurul Islam discusses the design options for IPv6 in a broadband access network and the impact that IoT will have on this in order to support future growth at CommunicAsia 2017.
How Data Center Traffic is Changing Your Network by KC Lim (MyNOG)
This document discusses how data center traffic is changing networks and outlines key trends driving growth in the data center interconnect market. It notes that global data center IP traffic and storage capacity are growing significantly each year. It also discusses the various participants in the data center ecosystem like cloud/internet providers, carriers, and data center operators. The document advocates for disaggregated, open line systems that use multi-vendor components to provide more flexibility and reduce costs compared to traditional integrated DWDM network solutions. It provides examples of how an open line system could be deployed over existing ROADM networks from vendors like Ciena, Cyan, Juniper and BTI.
TWNOG 3.0: Stories of IXP development and the way forward (APNIC)
APNIC Infrastructure & Development Director Che-Hoo Cheng gives some examples of regional IXP development and what the future holds at TWNOG 3.0 in Taipei from 20 to 21 June 2019.
This document discusses ElasticISP, a concept for running an ISP on virtualized network functions in the cloud. The key points are:
1. ElasticISP aims to make it cheaper and faster to start an ISP by eliminating the need for physical networking hardware and deploying all functions like routing, firewalls, and LNS virtually in the cloud.
2. This allows an ISP to start for around $15k with minimal capital expenditure, and to easily scale network capacity and functions by adding more virtual instances as needed.
3. The document reviews ElasticISP concepts and architectures, including examples of logical and physical network designs using virtual routers, firewalls, and other functions deployed in public
This document discusses how content delivery networks (CDNs) like Akamai use DNS to route users to optimal servers based on their location. It explains that while this works well when users use their ISP's DNS, third-party DNS resolvers like Google DNS make accurate mapping difficult since the CDN only sees the resolver IP, not the user's. The document then introduces EDNS0 client-subnet, an extension that allows resolvers to include the user's IP prefix in queries, enabling more precise mapping by CDNs. It addresses privacy, security and implementation considerations, and shows how the technique improves performance for OpenDNS users in India.
Secure & authentication By Lai HIEU - eXo SEA (Thuy_Dang)
- The document discusses secure communication and authentication, covering topics like digital certificates, public key infrastructure (PKI), TLS/SSL, Java security architecture, and eXo platform implementation.
- It provides an overview of TLS/SSL and how it is based on public key cryptography. Digital certificates are used to bind a public key with an identity to authenticate parties.
- PKI utilizes public/private key pairs to facilitate secure exchange of information between two parties like in the example conversation between Nobita and Doraemon.
KINX Peering Forum - A Brief Overview of Regulation of Interconnection (Tom Paseka)
A brief overview of the regulation of interconnection, with a focus on changes to regulations in Korea, their "IX Policy", and what could happen after implementation of this law.
1) The document discusses DNS spoofing techniques including DNS cache poisoning, DNS ID spoofing, and exploiting the birthday paradox.
2) It describes two versions of a DNS ID spoofing tool called dnsspoof.py that either targets a specific victim or all victims on the network.
3) Examples are given using the Scapy Python library to build and sniff packets to demonstrate how the DNS spoofing tools could be implemented.
Spoofing involves falsifying data to masquerade as another user or system. There are several types of spoofing attacks:
IP spoofing involves altering packet source IP addresses to hide the identity of the actual source. URL and referrer spoofing tricks users into thinking they are visiting legitimate sites when they are actually being directed to fake sites controlled by attackers. Caller ID spoofing allows callers to hide their real numbers. Email address spoofing modifies email headers to make emails appear to be from someone other than the actual sender. Spoofing techniques are commonly used by hackers and spammers to conceal their identities and gain illegitimate access.
IP spoofing is a technique used to disguise the originating IP address of a packet. It works by forging the source IP address field in the IP header of a packet. Attackers use IP spoofing to conduct denial-of-service attacks, bypass firewall rules, and mask their identity. The document discusses how IP spoofing works, the different types of attackers that use it, and some preventative measures like packet filtering and firewalls that can help mitigate the risks.
The document discusses the emerging threat of cyber terrorism and how terrorists can use internet-based attacks to cause widespread disruption and damage. It notes that cyber terrorism allows attackers to remain anonymous, has no boundaries, and costs little to perpetrate. Common cyber attack methods include hacking, introducing viruses, website defacing, and denial-of-service attacks. Examples of past cyber terrorist incidents like the 9/11 attacks, 2008 Ahmedabad bombings, and 2008 Mumbai attacks are described. The document emphasizes the importance of prevention through maintaining security software and being cautious online to avoid becoming victims of cyber terrorism.
DDoS Mitigation Experience from IP ServerOne by CL Lee (MyNOG)
IP ServerOne is a Malaysian data center provider that manages over 4500 physical servers across 5 data centers. They experience 2-5 DDoS attacks per day, mostly ranging from 4.5-8.9 Gbps. To detect attacks, they use netflow to monitor traffic patterns and flag abnormal packet rates to single IPs. When an attack is detected, traffic is rerouted to on-premise filtering devices in less than 90 seconds to scrub attacks while allowing legitimate traffic. IP ServerOne advocates a hybrid mitigation approach using their own infrastructure alongside cloud-based protection.
This document discusses using BGP Flowspec for DDoS mitigation. It provides an overview of legacy DDoS mitigation methods, describes how BGP Flowspec works by distributing flow specifications using BGP, and gives examples of how it can be used for inter-domain and intra-domain DDoS mitigation as well as with a scrubbing center. It also discusses vendor support, advantages over previous methods, potential issues, real world deployments, and the current state and future of BGP Flowspec.
Infoblox - turning DNS from security target to security tool (Jisc)
This document discusses how DNS has historically been exploited by malicious actors but can now be used as a security tool through techniques like Response Policy Zones (RPZs) and passive DNS. It explains how RPZs allow DNS servers to redirect or refuse queries based on policies. Passive DNS involves collecting DNS response data that can reveal suspicious activity patterns. Together, RPZs and passive DNS let network administrators use DNS to mitigate threats rather than merely being complicit in attacks.
This document discusses the evolution of data center networking from 2007 to present day. It describes how earlier networks were static with clear divisions between teams, while modern networks are more dynamic with blurred lines between developers and operations. It outlines projects within DC/OS like Mesos-DNS, Minuteman, and Lashup that provide service discovery, load balancing, and a distributed control plane to manage today's complex networks and microservices applications. Future plans include improved security, quality of service, and potential rewriting of operating systems to enable zero-overhead network functions virtualization.
DDoS Attacks in 2017: Beyond Packet Filtering (Qrator Labs)
This document discusses the evolution of DDoS attacks beyond simple packet filtering. It notes that modern attacks use TCP connections and HTTPS to exhaust server resources, and that effective defenses require deep packet inspection, behavioral analysis, and correlation across networks. However, implementing these defenses is very expensive. As a result, best effort mitigation services cannot guarantee service level agreements, forcing networks to protect themselves individually in an every-man-for-himself environment. The future of DDoS defense remains unclear.
HKNOG 1.0 - DDoS attacks in an IPv6 World (Tom Paseka)
The document discusses DDoS attacks in an IPv6 world and how CloudFlare provides an automatic IPv6 gateway. It notes that many security tools still lack IPv6 support, which could impede the ability to identify and filter attacks over IPv6. The document outlines some IPv6 attacks CloudFlare has seen, such as DNS cache-busted query attacks, and how botnets can unintentionally send attack traffic over IPv6 if the target has an AAAA record. It emphasizes that security practices need to be equal for both IPv4 and IPv6 to prevent future IPv6-based attacks.
This document discusses the history and development of container networking and service discovery solutions. It describes how Mesosphere developed DC/OS to provide networking features like load balancing and service discovery using Erlang microservices including Spartan, Minuteman, and Lashup. Spartan provides high availability DNS, Minuteman provides distributed load balancing, and Lashup uses HyParView to maintain global network state across the cluster. The document outlines how these services were developed to enable dynamic container networking and service discovery.
DDosMon: A Global DDoS Monitoring Project by Yiming Gong.
A presentation given at APNIC 42's FIRST TC Security Session (2) session on Wednesday, 5 October 2016.
The document discusses threats to DNS security and solutions to mitigate those threats. It describes how distributed denial of service (DDoS) attacks target name servers and use name servers to amplify attacks. It then discusses solutions such as monitoring DNS traffic levels and top queriers, using anycast to distribute queries to the closest name server, and response rate limiting to reduce amplification effects. It also covers threats like cache poisoning and malware propagation and solutions like DNSSEC and response policy zones.
The document discusses how Cloudflare mitigated a 300Gbps DDoS attack targeting Spamhaus. Initially, a 75Gbps attack was filtered using DNS amplification techniques. Later, attackers directly targeted Cloudflare's infrastructure, reaching over 300Gbps. Cloudflare disabled ports and worked with exchange points and peers to filter routes and IP spaces. Proper infrastructure numbering, ACLs, upstream filtering, and not announcing exchange IP spaces are recommended to mitigate large DDoS attacks.
Building the Glue for Service Discovery & Load Balancing Microservices (Sargun Dhillon)
One of the challenges that comes from deploying multi-tiered distributed systems, or microservices, atop a dynamic scheduler is the introduction of new problems surrounding load balancing. There are some inherent challenges in building a load balancer that's meant to operate in a highly available way, without any single points of failure. In this talk, Sargun Dhillon will walk through the distributed load balancing mechanism that he built for Mesos. This service discovery mechanism is meant to have the same kinds of features, API, and availability that existed in legacy, statically partitioned environments. The purpose of this is to ease the transition, and remove some of the largest roadblocks in moving applications over to modern datacenters. In addition, he will speak to why he built it as opposed to other alternatives for service discovery and load balancing such as using Zookeeper, and the challenges that came from it. We built a library called Lashup that has a membership protocol, a multicast layer, a failure detector, and a CRDT key/value store. This has allowed us to build applications that orchestrate Mesos clusters with great ease.
Discover the Power of ThousandEyes on Your Meraki MX (ThousandEyes)
ThousandEyes provides network and application monitoring capabilities that can be deployed on Meraki MX devices. The ThousandEyes Enterprise Agent runs on Meraki MX routers and generates synthetic test traffic to monitor business critical SaaS applications and services. It analyzes thousands of data points to provide detailed path visualization and correlated insights. Deploying ThousandEyes on Meraki MX allows monitoring of applications accessible over direct internet access or through Meraki AutoVPN, complementing metrics from Meraki Insights with more comprehensive monitoring, troubleshooting and visibility capabilities.
Null 11 June - Malware CNC: Advanced Evasion Techniques by Avkash K and Dhawal Shah (nullowaspmumbai)
Malware Command and Control: Evasion Tactics and Techniques
Malware is designed to perform malicious actions without catching the attention of the user. Malware authors keep developing new ideas to stay undetected by security technologies. In order to remain undetected, the communication channels between the attacker and the malware need to be stealthy and evolving. Establishing command and control with the attacker to receive on-demand commands is an essential phase of the Cyber Kill Chain.
As a result, we are observing continuous advancement in the communication channels used for malware command and control.
In this session, we will try to cover some of the advanced techniques used by malware nowadays to communicate with its command and control.
This document discusses the growing threat of DDoS attacks fueled by insecure IoT devices. It provides statistics showing a rise in the size and frequency of DDoS attacks in 2016. Specifically, it notes a peak attack of 579Gbps in 2016 compared to 335Gbps in 2015. It also details characteristics of the powerful Mirai botnet, which has been used to launch major attacks exceeding 600Gbps. Finally, it offers best practices for organizations to help mitigate risks from DDoS attacks, such as deploying multi-layered protection and implementing anti-spoofing mechanisms.
DNS Protection safeguards Incapsula clients' DNS servers, while also accelerating DNS responses.
Infrastructure Protection, enabled by the addition of a GRE tunneling onboarding option, widens Incapsula's security perimeter, allowing it to protect entire subnets, secure all network elements, and inspect all TCP/UDP communication.
Internet Week 2018: 1.1.1.0/24 - A report from the (anycast) trenches (APNIC)
APNIC Senior R&D Scientist George Michaelson and Yoshinobu Matsuzaki present on the operational trends accompanying the worldwide deployment of the public DNS service 1.1.1.1 at Internet Week 2018 in Tokyo, Japan, from 27 to 30 November 2018.
Артем Гавриченков (Artem Gavrichenkov) "The Dark Side of Things: Distributed Denial of Service Att... (Tanya Denisyuk)
By the standards of the IT industry, an eternity (a month) has passed since the attacks on Brian Krebs's blog, and it is high time to study the situation and draw useful conclusions from it. On 22 October at HighLoad Dev Conf we will analyse and discuss:
- What changed in the DDoS attack market in 2016;
- The circumstances of the attack that brought down Akamai and Google, what led to it and how to defend against it;
- How the situation will develop from here.
The document discusses threats to DNS security and solutions. It describes how distributed denial of service (DDoS) attacks target name servers and use them to amplify attacks. Monitoring DNS traffic volumes and top clients can help detect attacks. Deploying anycast routing and response rate limiting makes attacks less effective by load balancing queries across multiple servers.
Similar to DDoS And Spoofing, a risk to the decentralized internet (20)
The document discusses Cloudflare's globally distributed network and how the concept of "the edge" is evolving. Some key points:
- Cloudflare operates over 155 network points of presence in more than 72 countries, handling over 600 billion web requests and 100 billion DNS requests daily.
- The edge used to refer to client-server relationships but now refers to distributed, peer-to-peer, and serverless architectures enabled by technologies like edge computing and 5G.
- This shifting edge has implications for network design and security, requiring approaches like mesh networks, automation, and lightweight compute at the network boundaries.
- Cloudflare aims to deploy its edge infrastructure within 10 milliseconds of all internet users.
Spoofing is a growing problem on the Internet. More spoofed attacks keep occurring over new mediums: DNS, NTP, SNMP, etc. Identifying the source of these attacks is challenging, and they are often hard or impossible to trace back. This talk covers some of the challenges and reviews the detection of some spoofed packets.
Interconnection landscape in Asia - TPIX Peering Forum 2017 (Tom Paseka)
The document summarizes interconnection landscapes in Asia. It finds that open markets like Hong Kong, Singapore, and Japan have strong interconnection ecosystems due to less regulation and open policies, leading to better user experience, more competition, corporate competitiveness, and innovation. By contrast, South Korea and Taiwan are lagging behind with more restrictive policies, high barriers to entry, and dominance by major players that limit competition and growth. The document calls for regulators in Taiwan specifically to address the overly dominant position of one major player and ensure no anti-competitive behavior.
APRICOT 2015 - NetConf for Peering Automation (Tom Paseka)
Netconf can be used for automating peering configuration by programmatically generating and pushing XML configuration templates. This avoids manual configuration which is prone to human error. Basic scripts can pull peer details from sources like PeeringDB and generate configuration for groups like BGP neighbors, then use Netconf handlers to validate and push the changes. More advanced automation could integrate peering workflow and status monitoring. Netconf provides an API to generate validated configuration at scale for peering automation compared to traditional manual methods.
CloudFlare / ISOC - Are You Ready for IPv6 - Bridging the IPv6 gap (Tom Paseka)
The document discusses bridging the gap between IPv4 and IPv6. It notes that while some networks still need to upgrade to support IPv6, the main issue is lack of IPv6-enabled content. Content delivery networks (CDNs) that can translate between IPv4 and IPv6 are presented as an "easy way out" that allows websites and applications to reach more users before fully upgrading their platforms. However, full native IPv6 support is still encouraged. The document concludes by urging all network participants to do their part in transitioning to IPv6 now rather than waiting for the future.
This document discusses Flowspec, a mechanism for filtering traffic flows using BGP. It can be used to easily rate limit or discard traffic based on attributes like source/destination addresses and ports. The document provides sample configuration examples and notes some limitations like lack of SNMP support for counters. It also shows graphs of attacks detected and mitigated using Flowspec rules.
The document discusses two different network architectures and how they handle large data attacks. A unicast architecture sees each 10G attack saturate the uplinks and overload the server, while an anycast architecture spreads a larger 20G attack across multiple clusters, keeping any one location from being overloaded.
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ... (James Anderson)
Effective Application Security in Software Delivery lifecycle using Deployment Firewall and DBOM
The modern software delivery process (or the CI/CD process) includes many tools, distributed teams, open-source code, and cloud platforms. A constant focus on speed in releasing software to market, along with traditionally slow and manual security checks, has caused gaps in continuous security as an important piece of the software supply chain. Today organizations feel more susceptible to external and internal cyber threats due to the vast attack surface in their application supply chain and the lack of end-to-end governance and risk management.
The software team must secure its software delivery process to avoid vulnerability and security breaches. This needs to be achieved with existing tool chains and without extensive rework of the delivery processes. This talk will present strategies and techniques for providing visibility into the true risk of the existing vulnerabilities, preventing the introduction of security issues in the software, resolving vulnerabilities in production environments quickly, and capturing the deployment bill of materials (DBOM).
Speakers:
Bob Boule
Robert Boule is a technology enthusiast with a PASSION for technology and making things work, along with a knack for helping others understand how things work. He comes with around 20 years of solution engineering experience in application security, software continuous delivery, and SaaS platforms. He is known for his dynamic presentations on CI/CD and application security integrated into the software delivery lifecycle.
Gopinath Rebala
Gopinath Rebala is the CTO of OpsMx, where he has overall responsibility for the machine learning and data processing architectures for Secure Software Delivery. Gopi also has a strong connection with our customers, leading design and architecture for strategic implementations. Gopi is a frequent speaker and well-known leader in continuous delivery and integrating security into software delivery.
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor... (Neo4j)
Leonard Jayamohan, Partner & Generative AI Lead, Deloitte
This keynote will reveal how Deloitte leverages Neo4j’s graph power for groundbreaking digital twin solutions, achieving a staggering 100x performance boost. Discover the essential role knowledge graphs play in successful generative AI implementations. Plus, get an exclusive look at an innovative Neo4j + Generative AI solution Deloitte is developing in-house.
20 Comprehensive Checklist of Designing and Developing a Website (Pixlogix Infotech)
Dive into the world of Website Designing and Developing with Pixlogix! Looking to create a stunning online presence? Look no further! Our comprehensive checklist covers everything you need to know to craft a website that stands out. From user-friendly design to seamless functionality, we've got you covered. Don't miss out on this invaluable resource! Check out our checklist now at Pixlogix and start your journey towards a captivating online presence today.
Pushing the limits of ePRTC: 100ns holdover for 100 days (Adtran)
At WSTS 2024, Alon Stern explored the topic of parametric holdover and explained how recent research findings can be implemented in real-world PNT networks to achieve 100 nanoseconds of accuracy for up to 100 days.
How to Get CNIC Information System with Paksim Ga.pptx (danishmna97)
Pakdata Cf is a groundbreaking system designed to streamline and facilitate access to CNIC information. This innovative platform leverages advanced technology to provide users with efficient and secure access to their CNIC details.
“An Outlook of the Ongoing and Future Relationship between Blockchain Technologies and Process-aware Information Systems.” Invited talk at the joint workshop on Blockchain for Information Systems (BC4IS) and Blockchain for Trusted Data Sharing (B4TDS), co-located with with the 36th International Conference on Advanced Information Systems Engineering (CAiSE), 3 June 2024, Limassol, Cyprus.
Communications Mining Series - Zero to Hero - Session 1 (DianaGray10)
This session provides an introduction to UiPath Communication Mining, its importance, and a platform overview. You will acquire a good understanding of the phases in Communication Mining as we go over the platform with you. Topics covered:
• Communication Mining Overview
• Why is it important?
• How can it help today’s business and the benefits
• Phases in Communication Mining
• Demo on Platform overview
• Q/A
GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024 (Neo4j)
Neha Bajwa, Vice President of Product Marketing, Neo4j
Join us as we explore breakthrough innovations enabled by interconnected data and AI. Discover firsthand how organizations use relationships in data to uncover contextual insights and solve our most pressing challenges – from optimizing supply chains, detecting fraud, and improving customer experiences to accelerating drug discoveries.
Climate Impact of Software Testing at Nordic Testing Days (Kari Kakkonen)
My slides at Nordic Testing Days 6.6.2024
Climate impact / sustainability of software testing is discussed in the talk. ICT and testing must carry their part of the global responsibility to help with climate warming. We can minimize the carbon footprint, but we can also have a carbon handprint, a positive impact on the climate. Quality characteristics can be extended with sustainability, and then measured continuously. Test environments can be used less, at a smaller scale, and on demand. Test techniques can be used to optimize or minimize the number of tests. Test automation can be used to speed up testing.
Securing your Kubernetes cluster: a step-by-step guide to success! (KatiaHIMEUR1)
Today, after several years of existence, an extremely active community and an ultra-dynamic ecosystem, Kubernetes has established itself as the de facto standard in container orchestration. Thanks to a wide range of managed services, it has never been so easy to set up a ready-to-use Kubernetes cluster.
However, this ease of use means that the subject of security in Kubernetes is often left for later, or even neglected. This exposes companies to significant risks.
In this talk, I'll show you step-by-step how to secure your Kubernetes cluster for greater peace of mind and reliability.
Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0! (SOFTTECHHUB)
As the digital landscape continually evolves, operating systems play a critical role in shaping user experiences and productivity. The launch of Nitrux Linux 3.5.0 marks a significant milestone, offering a robust alternative to traditional systems such as Windows 11. This article delves into the essence of Nitrux Linux 3.5.0, exploring its unique features, advantages, and how it stands as a compelling choice for both casual users and tech enthusiasts.
Threats to mobile devices are more prevalent and increasing in scope and complexity. Users of mobile devices desire to take full advantage of the features available on those devices, but many of the features provide convenience and capability while sacrificing security. This best practices guide outlines steps users can take to better protect personal devices and information.
Full-RAG: A modern architecture for hyper-personalization (Zilliz)
Mike Del Balso, CEO & Co-Founder at Tecton, presents "Full RAG," a novel approach to AI recommendation systems, aiming to push beyond the limitations of traditional models through a deep integration of contextual insights and real-time data, leveraging the Retrieval-Augmented Generation architecture. This talk will outline Full RAG's potential to significantly enhance personalization, address engineering challenges such as data management and model training, and introduce data enrichment with reranking as a key solution. Attendees will gain crucial insights into the importance of hyperpersonalization in AI, the capabilities of Full RAG for advanced personalization, and strategies for managing complex data integrations for deploying cutting-edge AI solutions.
Building RAG with self-deployed Milvus vector database and Snowpark Container... (Zilliz)
This talk will give hands-on advice on building RAG applications with an open-source Milvus database deployed as a docker container. We will also introduce the integration of Milvus with Snowpark Container Services.
Removing Uninteresting Bytes in Software Fuzzing (Aftab Hussain)
Imagine a world where software fuzzing, the process of mutating bytes in test seeds to uncover hidden and erroneous program behaviors, becomes faster and more effective. A lot depends on the initial seeds, which can significantly dictate the trajectory of a fuzzing campaign, particularly in terms of how long it takes to uncover interesting behaviour in your code. We introduce DIAR, a technique designed to speed up fuzzing campaigns by pinpointing and eliminating those uninteresting bytes in the seeds. Picture this: instead of wasting valuable resources on meaningless mutations in large, bloated seeds, DIAR removes the unnecessary bytes, streamlining the entire process.
In this work, we equipped AFL, a popular fuzzer, with DIAR and examined two critical Linux libraries -- Libxml's xmllint, a tool for parsing XML documents, and Binutils' readelf, an essential debugging and security analysis command-line tool used to display detailed information about ELF (Executable and Linkable Format) files. Our preliminary results show that AFL+DIAR not only discovers new paths more quickly but also achieves higher coverage overall. This work thus showcases how starting with lean and optimized seeds can lead to faster, more comprehensive fuzzing campaigns -- and DIAR helps you find such seeds.
- These are slides of the talk given at IEEE International Conference on Software Testing Verification and Validation Workshop, ICSTW 2022.