APNIC Senior R&D Scientist George Michaelson and Yoshinobu Matzusaki present on the operational trends accompanying worldwide deployment of public DNS service 1.1.1.1 at Internet Week 2018 in Tokyo, Japan from 27 to 30 November 2018.
Internet Week 2018: APNIC Reverse DNS service outage report: May 2018APNIC
APNIC Senior R&D Scientist George Michaelson presents on a rDNS outage APNIC experienced in May 2018 at the DNS Day session at Internet Week 2018 in Tokyo, Japan from 27 to 30 November 2018.
Rolling the Root Zone DNSSEC Key Signing Key, by Edward Lewis.
A presentation given at APNIC 42's DNS and INR Security session on Monday, 3 October 2016.
DNS-OARC-36: Measurement of DNSSEC Validation with RSA-4096APNIC
APNIC Chief Scientist Geoff Huston presents on why using larger keys for RSA in the context of DNSSEC impairs the robustness of DNSSEC validation for the signed name at DNS-OARC 36, held online from 29 to 30 November 2021.
APNIC Chief Scientist Geoff Huston briefly explains DNSSEC and the role of the KSK, and the way in which we can measure the possible impact of this planned roll.
Internet Week 2018: APNIC Reverse DNS service outage report: May 2018APNIC
APNIC Senior R&D Scientist George Michaelson presents on a rDNS outage APNIC experienced in May 2018 at the DNS Day session at Internet Week 2018 in Tokyo, Japan from 27 to 30 November 2018.
Rolling the Root Zone DNSSEC Key Signing Key, by Edward Lewis.
A presentation given at APNIC 42's DNS and INR Security session on Monday, 3 October 2016.
DNS-OARC-36: Measurement of DNSSEC Validation with RSA-4096APNIC
APNIC Chief Scientist Geoff Huston presents on why using larger keys for RSA in the context of DNSSEC impairs the robustness of DNSSEC validation for the signed name at DNS-OARC 36, held online from 29 to 30 November 2021.
APNIC Chief Scientist Geoff Huston briefly explains DNSSEC and the role of the KSK, and the way in which we can measure the possible impact of this planned roll.
bdNOG 7 - Re-engineering the DNS - one resolver at a timeAPNIC
APNIC Director General, Paul Wilson, talks about APNIC's support of updates to BIND to implement caching of NSEC responses to reduce root server query load.
Rate Limiting with NGINX and NGINX PlusNGINX, Inc.
On-demand recording: https://www.nginx.com/resources/webinars/rate-limiting-nginx/
Learn how to mitigate DDoS and password-guessing attacks by limiting the number of HTTP requests a user can make in a given period of time.
This webinar will teach you how to:
* How to protect application servers from being overwhelmed with request limits
* About the burst and no‑delay features for minimizing delay while handling large bursts of user requests
* How to use the map and geo blocks to impose different rate limits on different HTTP user requests
* About using the limit_req_log_level directive to set logging levels for rate‑limiting events
About the webinar
A delay of even a few seconds for a screen to render is interpreted by many users as a breakdown in the experience. There are many reasons for these breakdowns in the user experience, one of which is DDoS attacks which tie up your system’s resources.
Rate limiting is a powerful feature of NGINX that can mitigate DDoS attacks, which would otherwise overload your servers and hinder application performance. In this webinar, we’ll cover basic concepts as well as advanced configuration. We will finish with a live demo that shows NGINX rate limiting in action.
Nagios Conference 2014 - Janice Singh - Real World Uses for Nagios APIsNagios
Janice Singh's presentation on Real World Uses for Nagios APIs.
The presentation was given during the Nagios World Conference North America held Oct 13th - Oct 16th, 2014 in Saint Paul, MN. For more information on the conference (including photos and videos), visit: http://go.nagios.com/conference
APNIC Chief Scientist Geoff Huston presents on work Labs is doing to whetehr results from experiments performed at lower levels of the DNS hierarchy would also apply to the root zone.
Delivering High Performance Websites with NGINXNGINX, Inc.
NGINX Plus is an easy-to-install, proven software solution to deliver your sites and applications through state-of-the-art intelligent load balancing and high performance acceleration. Improve your servers’ performance, scalability, and reliability with application delivery from NGINX Plus.
NGINX Plus significantly increases application performance during periods of high load with its caching, HTTP connection processing, and efficient offloading of traffic from slow networks. NGINX Plus offers enterprise application load balancing, sophisticated health checks, and more, to balance workloads and avoid user-visible errors.
Check out this webinar to:
* Learn why web performance matters more than ever, in the face of growing application complexity and traffic volumes
* Get the lowdown on the performance challenges of HTTP, and why the real world is so different to a development environment
* Understand why NGINX and NGINX Plus are such popular solutions for mitigating these problems and restoring peak performance
* Look at some real-world deployment examples of accelerating traffic in complex scenarios
GoSF: Decoupling Services from IP networks with NATSwallyqs
In this talk, we’ll demonstrate how to radically simplify your deployment with NATS, through location transparency, using multiple communication patterns, isolated communication contexts, distributed security, and zero configuration application failover. You’ll learn core NATS features like publish/subscribe, load-balanced queue subscribers, request/response, as well as some of its more recent security features such as securing streams and services with permissions, account isolation and NATS keys (NKEYS, ed25519 based), and decentralized auth via JSON Web Tokens (JWTs) by showing the internals of a decentralized Slack-like demo application.
Presentation at Networkshop46.
Putting the "network" in Networkshop46, this session contains the lessons we've learned over the past year in operating campus networks. What has gone wrong, what has gone right, and wondering how it ever worked in the first place.
Construction, disruption and fibre moves, by Mark Franklin, University of Sheffield.
IPv6 @ the STFC, by Philip Garrad, Science and Technology Facilities Council (STFC).
Reprocuring a large campus network, part one, by Sam Wilson, University of Edinburgh.
ModSecurity and NGINX: Tuning the OWASP Core Rule Set - EMEA (Updated)NGINX, Inc.
On demand recording: https://www.nginx.com/resources/webinars/modsecurity-and-nginx-tuning-the-owasp-core-rule-set-emea/
In this webinar we discuss how to install the OWASP Core Rule Set (CRS) with NGINX and ModSecurity, as well as how to tune it. The CRS protects against many types of attack, including SQL Injection (SQLi), Local File Inclusion (LFI), and Remote Code Execution (RCE). Watch this webinar to learn:
- How to install the OWASP Core Rule Set (CRS) with ModSecurity
- About the types of attacks the CRS blocks, such SQLi, RFI, and LFI
- How to tune the CRS to minimize false positives
- What it looks like when ModSecurity blocks an attack (in a live demo), and how to interpret the audit log
2nd ICANN APAC-TWNIC Engagement Forum: DNS OblivionAPNIC
APNIC Chief Scientist Geoff Huston gives an overview of the complex many-layered model of DNS security, and a new emerging world of choices for protecting traffic, hiding queries, and the future trends in ISP provided, and independent third-party DNS services at the 2nd ICANN APAC-TWNIC Engagement Forum, held from 15 to 16 April 2021.
Part 3 - Local Name Resolution in Linux, FreeBSD and macOS/iOSMen and Mice
The focus of this webinar will be to take a deeper look into this local name-resolution system and the implementations for other Unix systems like Linux and FreeBSD. Linux’s new über-Daemon “systemd” supports both mDNS and the Windows LLMNR (Link-Local-Multicast-Name-Resolution). We will also show how well a Systemd-Linux behaves in heterogenous networks running both Windows and macOS.
bdNOG 7 - Re-engineering the DNS - one resolver at a timeAPNIC
APNIC Director General, Paul Wilson, talks about APNIC's support of updates to BIND to implement caching of NSEC responses to reduce root server query load.
Rate Limiting with NGINX and NGINX PlusNGINX, Inc.
On-demand recording: https://www.nginx.com/resources/webinars/rate-limiting-nginx/
Learn how to mitigate DDoS and password-guessing attacks by limiting the number of HTTP requests a user can make in a given period of time.
This webinar will teach you how to:
* How to protect application servers from being overwhelmed with request limits
* About the burst and no‑delay features for minimizing delay while handling large bursts of user requests
* How to use the map and geo blocks to impose different rate limits on different HTTP user requests
* About using the limit_req_log_level directive to set logging levels for rate‑limiting events
About the webinar
A delay of even a few seconds for a screen to render is interpreted by many users as a breakdown in the experience. There are many reasons for these breakdowns in the user experience, one of which is DDoS attacks which tie up your system’s resources.
Rate limiting is a powerful feature of NGINX that can mitigate DDoS attacks, which would otherwise overload your servers and hinder application performance. In this webinar, we’ll cover basic concepts as well as advanced configuration. We will finish with a live demo that shows NGINX rate limiting in action.
Nagios Conference 2014 - Janice Singh - Real World Uses for Nagios APIsNagios
Janice Singh's presentation on Real World Uses for Nagios APIs.
The presentation was given during the Nagios World Conference North America held Oct 13th - Oct 16th, 2014 in Saint Paul, MN. For more information on the conference (including photos and videos), visit: http://go.nagios.com/conference
APNIC Chief Scientist Geoff Huston presents on work Labs is doing to whetehr results from experiments performed at lower levels of the DNS hierarchy would also apply to the root zone.
Delivering High Performance Websites with NGINXNGINX, Inc.
NGINX Plus is an easy-to-install, proven software solution to deliver your sites and applications through state-of-the-art intelligent load balancing and high performance acceleration. Improve your servers’ performance, scalability, and reliability with application delivery from NGINX Plus.
NGINX Plus significantly increases application performance during periods of high load with its caching, HTTP connection processing, and efficient offloading of traffic from slow networks. NGINX Plus offers enterprise application load balancing, sophisticated health checks, and more, to balance workloads and avoid user-visible errors.
Check out this webinar to:
* Learn why web performance matters more than ever, in the face of growing application complexity and traffic volumes
* Get the lowdown on the performance challenges of HTTP, and why the real world is so different to a development environment
* Understand why NGINX and NGINX Plus are such popular solutions for mitigating these problems and restoring peak performance
* Look at some real-world deployment examples of accelerating traffic in complex scenarios
GoSF: Decoupling Services from IP networks with NATSwallyqs
In this talk, we’ll demonstrate how to radically simplify your deployment with NATS, through location transparency, using multiple communication patterns, isolated communication contexts, distributed security, and zero configuration application failover. You’ll learn core NATS features like publish/subscribe, load-balanced queue subscribers, request/response, as well as some of its more recent security features such as securing streams and services with permissions, account isolation and NATS keys (NKEYS, ed25519 based), and decentralized auth via JSON Web Tokens (JWTs) by showing the internals of a decentralized Slack-like demo application.
Presentation at Networkshop46.
Putting the "network" in Networkshop46, this session contains the lessons we've learned over the past year in operating campus networks. What has gone wrong, what has gone right, and wondering how it ever worked in the first place.
Construction, disruption and fibre moves, by Mark Franklin, University of Sheffield.
IPv6 @ the STFC, by Philip Garrad, Science and Technology Facilities Council (STFC).
Reprocuring a large campus network, part one, by Sam Wilson, University of Edinburgh.
ModSecurity and NGINX: Tuning the OWASP Core Rule Set - EMEA (Updated)NGINX, Inc.
On demand recording: https://www.nginx.com/resources/webinars/modsecurity-and-nginx-tuning-the-owasp-core-rule-set-emea/
In this webinar we discuss how to install the OWASP Core Rule Set (CRS) with NGINX and ModSecurity, as well as how to tune it. The CRS protects against many types of attack, including SQL Injection (SQLi), Local File Inclusion (LFI), and Remote Code Execution (RCE). Watch this webinar to learn:
- How to install the OWASP Core Rule Set (CRS) with ModSecurity
- About the types of attacks the CRS blocks, such SQLi, RFI, and LFI
- How to tune the CRS to minimize false positives
- What it looks like when ModSecurity blocks an attack (in a live demo), and how to interpret the audit log
2nd ICANN APAC-TWNIC Engagement Forum: DNS OblivionAPNIC
APNIC Chief Scientist Geoff Huston gives an overview of the complex many-layered model of DNS security, and a new emerging world of choices for protecting traffic, hiding queries, and the future trends in ISP provided, and independent third-party DNS services at the 2nd ICANN APAC-TWNIC Engagement Forum, held from 15 to 16 April 2021.
Part 3 - Local Name Resolution in Linux, FreeBSD and macOS/iOSMen and Mice
The focus of this webinar will be to take a deeper look into this local name-resolution system and the implementations for other Unix systems like Linux and FreeBSD. Linux’s new über-Daemon “systemd” supports both mDNS and the Windows LLMNR (Link-Local-Multicast-Name-Resolution). We will also show how well a Systemd-Linux behaves in heterogenous networks running both Windows and macOS.
How to send DNS over anything encryptedMen and Mice
Today, nearly all DNS queries are send unencrypted. This makes DNS vulnerable to eavesdropping by someone with access to the network. The DNS-Privacy group (DPRIVE) inside the Internet Engineering Task Force (IETF), as well as people outside the IETF, are working on new transport protocols to encrypt DNS traffic between DNS clients and resolver.
* DNS over TLS (RFC 7858)
* DNS over DTLS (RFC 8094)
* DNS over HTTP(S) (ID-draft)
* DNS over QUIC (ID-draft)
* DNS over DNSCrypt (outside IETF)
* DNS over TOR (outside IETF)
In this webinar, we will explain the protocols available or discussed inside and outside the IETF, and give some example configurations on how to use this new privacy protocols today.
Hadoop Meetup Jan 2019 - Overview of OzoneErik Krogen
A presentation by Anu Engineer of Cloudera regarding the state of the Ozone subproject. He covers a brief introduction of what Ozone is, and where it's headed.
This is taken from the Apache Hadoop Contributors Meetup on January 30, hosted by LinkedIn in Mountain View.
Encrypted DNS - DNS over TLS / DNS over HTTPSAlex Mayrhofer
Encryption is coming to mainstream DNS. This briefing discusses the history, protocols and architecture of encrypted DNS, specifically DNS over TLS and DNS over HTTPS. It also describes the impact of DoT and DoH on various operational models.
This briefing was given during DNSheads Vienna #5 at the nic.at office in Vienna on Jan 30 2018.
Ведущий: Пол Викси
Система доменных имен (DNS) предлагает отличный вид на локальную и глобальную сети, что дает возможность исследовать действия киберпреступников и методы атак. В докладе будет показано, как обезопасить DNS и использовать ее для защиты других подключенных объектов. Докладчик подробно расскажет о подмене кэша DNS, расширениях защиты для протокола DNS (DNSSEC), DDoS-атаках, ограничении скорости передачи, межсетевом экране DNS и пассивном DNS-мониторинге.
DANE: The Future of Transport Layer Security (TLS)
Dan York (Internet Society)
If you connect to a “secure” server using TLS/SSL (such as a web server, email server or xmpp server), how do you know you are using the correct certificate? With DNSSEC now being deployed, a new protocol has emerged called “DANE” (“DNS-Based Authentication of Named Entities“), which allows you to securely specify exactly which TLS/SSL certificate an application should use to connect to your site. DANE has great potential to make the Internet much more secure by marrying the strong integrity protection of DNSSEC with the confidentiality of SSL/TLS certificates. In this session, we will explain how DANE works and how you can use it to secure your websites, email, XMPP, VoIP, and other web services.
1) To show you how to spot an Aspera opportunity ! 2) To outline the Aspera portfolio (Sales overview not technical) 3) To look at the Aspera opportunity from Sharepoint 4) Summary / Q and A / Close – But interaction is welcomed throughout.. 5) But before all of that…. This… 2 AGENDA AND OBJECTIVES
APNIC Chief Scientist, Geoff Huston, gives a presentation on DOH and the changing nature of the DNS as infrastructure at NZNOG 2020 in Christchurch, New Zealand, from 28 to 31 January 2020.
A contemporary network service heavily depends on domain name system operating normally. Yet, often issues and caveats of typical DNS setup are being overlooked. DNS (like BGP before) is expected to "just work" everywhere, however, just as BGP, this is a complex protocol and a complex solution where a lot of things could go wrong in multiple ways under different circumstances. This talk is supposed to provide some assistance both in maintaining your own DNS infrastructure and in relying on service providers doing this.
APNIC Foundation, presented by Ellisha Heppner at the PNG DNS Forum 2024APNIC
Ellisha Heppner, Grant Management Lead, presented an update on APNIC Foundation to the PNG DNS Forum held from 6 to 10 May, 2024 in Port Moresby, Papua New Guinea.
Registry Data Accuracy Improvements, presented by Chimi Dorji at SANOG 41 / I...APNIC
Chimi Dorji, Internet Resource Analyst at APNIC, presented on Registry Data Accuracy Improvements at SANOG 41 jointly held with INNOG 7 in Mumbai, India from 25 to 30 April 2024.
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...APNIC
Sunny Chendi, Senior Advisor, Membership and Policy at APNIC, presents 'APNIC Policy Roundup' at the 5th ICANN APAC-TWNIC Engagement Forum and 41st TWNIC OPM in Taipei, Taiwan from 23 to 24 April.
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024APNIC
Dave Phelan, Senior Network Analyst/Technical Trainer at APNIC, presents 'DDoS In Oceania and the Pacific' at NZNOG 2024 held in Nelson, New Zealand from 8 to 12 April 2024.
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...APNIC
Geoff Huston, Chief Scientist at APNIC deliver keynote presentation on the 'Future Evolution of the Internet' at the Everything Open 2024 conference in Gladstone, Australia from 16 to 18 April 2024.
IP addressing and IPv6, presented by Paul Wilson at IETF 119APNIC
Paul Wilson, Director General of APNIC delivers a presentation on IP addressing and IPv6 to the Policymakers Program during IETF 119 in Brisbane Australia from 16 to 22 March 2024.
draft-harrison-sidrops-manifest-number-01, presented at IETF 119APNIC
Tom Harrison, Product and Delivery Manager at APNIC presents at the Registration Protocols Extensions working group during IETF 119 in Brisbane, Australia from 16-22 March 2024
Benefits of doing Internet peering and running an Internet Exchange (IX) pres...APNIC
Che-Hoo Cheng, Senior Director, Development at APNIC presents on the "Benefits of doing Internet peering and running an Internet Exchange (IX)" at the Communications Regulatory Commission of Mongolia's IPv6, IXP, Datacenter - Policy and Regulation International Trends Forum in Ulaanbaatar, Mongolia on 7 March 2024
APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85APNIC
APNIC Senior Advisor, Membership and Policy, Sunny Chendi presented on APNIC updates and RIR Policies for ccTLDs at APTLD 85 in Goa, India from 19-22 February 2024.
1.Wireless Communication System_Wireless communication is a broad term that i...JeyaPerumal1
Wireless communication involves the transmission of information over a distance without the help of wires, cables or any other forms of electrical conductors.
Wireless communication is a broad term that incorporates all procedures and forms of connecting and communicating between two or more devices using a wireless signal through wireless communication technologies and devices.
Features of Wireless Communication
The evolution of wireless technology has brought many advancements with its effective features.
The transmitted distance can be anywhere between a few meters (for example, a television's remote control) and thousands of kilometers (for example, radio communication).
Wireless communication can be used for cellular telephony, wireless access to the internet, wireless home networking, and so on.
Bridging the Digital Gap Brad Spiegel Macon, GA Initiative.pptxBrad Spiegel Macon GA
Brad Spiegel Macon GA’s journey exemplifies the profound impact that one individual can have on their community. Through his unwavering dedication to digital inclusion, he’s not only bridging the gap in Macon but also setting an example for others to follow.
# Internet Security: Safeguarding Your Digital World
In the contemporary digital age, the internet is a cornerstone of our daily lives. It connects us to vast amounts of information, provides platforms for communication, enables commerce, and offers endless entertainment. However, with these conveniences come significant security challenges. Internet security is essential to protect our digital identities, sensitive data, and overall online experience. This comprehensive guide explores the multifaceted world of internet security, providing insights into its importance, common threats, and effective strategies to safeguard your digital world.
## Understanding Internet Security
Internet security encompasses the measures and protocols used to protect information, devices, and networks from unauthorized access, attacks, and damage. It involves a wide range of practices designed to safeguard data confidentiality, integrity, and availability. Effective internet security is crucial for individuals, businesses, and governments alike, as cyber threats continue to evolve in complexity and scale.
### Key Components of Internet Security
1. **Confidentiality**: Ensuring that information is accessible only to those authorized to access it.
2. **Integrity**: Protecting information from being altered or tampered with by unauthorized parties.
3. **Availability**: Ensuring that authorized users have reliable access to information and resources when needed.
## Common Internet Security Threats
Cyber threats are numerous and constantly evolving. Understanding these threats is the first step in protecting against them. Some of the most common internet security threats include:
### Malware
Malware, or malicious software, is designed to harm, exploit, or otherwise compromise a device, network, or service. Common types of malware include:
- **Viruses**: Programs that attach themselves to legitimate software and replicate, spreading to other programs and files.
- **Worms**: Standalone malware that replicates itself to spread to other computers.
- **Trojan Horses**: Malicious software disguised as legitimate software.
- **Ransomware**: Malware that encrypts a user's files and demands a ransom for the decryption key.
- **Spyware**: Software that secretly monitors and collects user information.
### Phishing
Phishing is a social engineering attack that aims to steal sensitive information such as usernames, passwords, and credit card details. Attackers often masquerade as trusted entities in email or other communication channels, tricking victims into providing their information.
### Man-in-the-Middle (MitM) Attacks
MitM attacks occur when an attacker intercepts and potentially alters communication between two parties without their knowledge. This can lead to the unauthorized acquisition of sensitive information.
### Denial-of-Service (DoS) and Distributed Denial-of-Service (DDoS) Attacks
This 7-second Brain Wave Ritual Attracts Money To You.!nirahealhty
Discover the power of a simple 7-second brain wave ritual that can attract wealth and abundance into your life. By tapping into specific brain frequencies, this technique helps you manifest financial success effortlessly. Ready to transform your financial future? Try this powerful ritual and start attracting money today!
Multi-cluster Kubernetes Networking- Patterns, Projects and GuidelinesSanjeev Rampal
Talk presented at Kubernetes Community Day, New York, May 2024.
Technical summary of Multi-Cluster Kubernetes Networking architectures with focus on 4 key topics.
1) Key patterns for Multi-cluster architectures
2) Architectural comparison of several OSS/ CNCF projects to address these patterns
3) Evolution trends for the APIs of these projects
4) Some design recommendations & guidelines for adopting/ deploying these solutions.
Internet Week 2018: 1.1.1.0/24 A report from the (anycast) trenches
1. 1.1.1.0/24
A report from the (anycast)
trenches
ggm@apnic.net
With thanks to {martin,olafur}@cloudflare.com
2. Overview
• Background “we knew this was coming”
• Final /8 process
• Tainted blocks testing: AARNet and Google
• Failed APNIC policy attempt: reserved to labs
• The cloudflare proposal
• How is it going (cloudflare material)
• Where to from here?
3. We were going
to run out in 2006
We definitely
changed pace
People got
a bit keen
PANIC ?
The dregs ….
Address policy
Probably bought
10 years.
We didn’t succeed
In using the 10 years
To deploy IPv6.
Address policy in five lines (and one curve)
4. We knew this was coming..
• BGP the movie
• Rundown prediction models from APNIC & others
• 2008-2010 emerging final /8 policy proposals in all RIR.
• Forseeable sometime between 2010 and 2012, we’d need to plan for end of
supply in IPv4 from IANA
• “Awkward” /8 assignments: Leo Vegoda (IANA) September 2007
• Mentions 1.0.0.0/8 5.0.0.0/8 and 42.0.0.0/8 (APNIC got 1 and 42. Ripe got 5)
• https://www.cisco.com/c/en/us/about/press/internet-protocol-journal/back-issues/table-
contents-37/103-awkward.html
• https://www.icann.org/news/blog/selecting-which-8-to-allocate-to-an-rir
• Avoid pain for AfriNIC and LacNIC: give them preferential access to untainted blocks
• Random assignment of tainted blocks to APNIC, ARIN & RIPE NCC (otherwise in line with
address policy, rundown planning)
5. Lets talk about 1.0.0.0/8 specifically
• 1.0.0.0/8 (1/8) reserved by IANA, since 1981.
• used unofficially as example addresses, default configuration parameters or
pseudo-private address space.
• 1.1.1.0/24 is used by Intel bladecenters internally for communication with its
blades.
• Used by MacDonalds for free WiFi, Swisshotels and others, in documentation
for configuration examples of products
• And see later for what CloudFlare have uncovered for continuing uses
• Status changed in IANA from ”reserved” to “unallocated” in 2008
• Predictions about runout were within foreseeable timeframe
6. 1.0.0.0/8 Assigned to APNIC January 2010
• Tested by APNIC across 2010 with a range of partners
• RIPE NCC announcing more specifics
• see 50 mbit/second, floods IX links
• https://labs.ripe.net/Members/franz/content-pollution-18
• MERIT peak burst 860 Mbps
• Audio data, traffic levels unlike other tested netblocks in the ‘awkward’ set
• https://www.merit.edu/wp-content/uploads/2018/01/1.0.0.08.pdf
• Google/YouTube
• traffic levels of around 150 Mbps mainly comprising UDP (cannot easily be constrained) 80Mbps in 1.1.0.0/16
• Peaks over 800Mbps
• AARNet
• Five sub-ranges identified for hold-back:
• 1.0.0.0/24 10+ Mbps
• 1.1.1.0/24 80+ Mbps
• 1.2.3.0/24 10+ Mbps
• 1.4.0.0/24 10+ Mbps
• 1.10.10.0/24 3+ Mbps
• http://www.potaroo.net/studies/1slash8/1slash8.pdf
7. Final /8 policy implications
• IANA exhausted its IPv4 free pool (3 February 2011)
• From apnic’s web pages:
• https://www.apnic.net/community/ipv4-exhaustion/graphical-information/
On 15 April 2011, the APNIC pool reached the last /8 of
available IPv4 addresses, triggering the Final /8 policy.
:
:
Quarantined blocks will be released to the Available pool
when their routability and usability problems are minimized.
• Pre-exhaustion testing implemented by labs, 2009-2011
• Tainted ranges identified and held back
• Too much traffic inbound, to make acceptable for routine distribution
8. What to do with 1.1.1.0/24 and 1.0.0.0/24
• Many competing requests: CNNIC, Microsoft
• Rejected at OPM on the floor (or failed to reach consensus on the ML)
• 26 January 2014 Labs (GIH) proposes retain for research
• 30 April 2014 endorsed by APNIC EC.
• 7 May 2014 implemented as policy. Blocks marked in WHOIS to Labs.
• Labs holds the block, continues assessments with Google, AARNet.
• Provide strong signal of “background traffic” levels. Remain infeasibly tainted
for routine use
• Enter Cloudflare..
9. August 2017 request from Cloudflare
• Cloudflare contacted us asking to enter a research relationship with these
ranges
• Can they explore sinking this load in their global anycast, and offering public DNS?
• No implied right to assignment
• Blocks remain in the control of Labs, under address policy
• Future/continuing use has to be understood to be bound by address policy
• Strong privacy drivers for service (from Cloudflare)
• No sharing of endpoint IP, queried domains, No data taken from core DNS system
• Simple APIs for bulk data information: volumes, origin-AS type information
• March 2018, Registry records updated, LOA published
• April 1 2018 Cloudflare announce services in BGP
11. DNS resolver, 1.1.1.1, is served by
Cloudflare’s Global Anycast
Network.
Announced April 1st 2018
Our mission: to help build a better Internet.
We use 1.1.1.1 and 1.0.0.1 (easy to remember) for our resolver.
Addresses provided to Cloudflare by APNIC for both joint research and this service.
We focused on privacy!
We knew we would spend a lot of time cleaning up the global Internet to make 1.1.1.1
work!
https://blog.cloudflare.com/announcing-1111/
https://blog.cloudflare.com/dns-resolver-1-1-1-1/
12. APNIC Labs and Cloudflare
APNIC is allocated 1.0.0.0/8 by
IANA in January 2010
https://blog.apnic.net/2018/04/02/apnic-labs-enters-into-a-research-agreement-with-cloudflare/
13. 151+
Data centers globally
The Cloudflare network (DNS, DDoS, CDN, WAF, more)
151+
DNS resolver locations
151+
DNS authoritative locations
15. DNS and privacy!
DNS itself is a 35-year-old protocol (and it's showing its age). It was never designed with
privacy or security in mind.
DNS inherently is unencrypted so it leaks data to anyone who's monitoring your network
connection.
We focused on privacy:
● Query Minimization RFC7816
● Aggressive negative answers RFC8198
● No Client Subnet on queries
● DNS-over-TLS (Transport Layer Security) RFC7858
● DNS-over-HTTPS protocol DoH (draft-ietf-doh-dns-over-https)
In 2014, we decided to enable
https encryption for free for all
our customers (we doubled the
size of the encrypted web).
In 2017, we made DDoS mitigation
free & unmetered across all our
plans.
16. ● DNS is chatty, very chatty!
● Resolver can reduce the information leaked to intermediary DNS servers
○ The root, TLDs, and secondary zones
● Resolver only sends just enough of the name for the authority to tell the resolver
where to ask the next question.
DNS Query Minimization
QNAME contains too much
information.
.
COM
CLOUDFLARE.COM
RESOLVER
www.cloudflare.co
mwww.cloudflare.co
mwww.cloudflare.co
m .
COM
CLOUDFLARE.COM
RESOLVER
com
cloudflare
www
With Query
Minimization:
17. DNS Aggressive Negative Answer
● Fewer lookups to authorities (in particular the root zone)
● Use the existing resolvers negative cache
○ Negative (or non-existent) information kept around for a period of time
● For zones signed with DNSSEC with the NSEC records in cache:
○ Resolver can figure out if the requested name does NOT exist without doing
any further queries
○ If you type wwwwwww dot something and then wwww dot something, the
second query could well be answered with a very quick “no” (NXDOMAIN in
the DNS world)
● Aggressive negative caching works only with DNSSEC signed zones, which includes
both the root and ~1,400 out of 1,544 TLDs
QNAME contains too much
information.
18. Client Subnet == Bad privacy
Client Subnet: RFC7871/Experimental
● Used for traffic engineering when queries come from open resolvers or large
resolver clusters
○ addr/netmask ⇒ fine grain “location” /24 commonly used
○ Bad for resolvers as it kills cache hit ratio
○ Resolver cache implementations got more complex
● Suggestions to use it to track devices behind a NAT
Not using ECS degrades performance in some cases
Fine grain steering vs course steering
Where should traffic steering actually happen?
● DNS
● Applications via referrals ?
What is acceptable scope for NetMask ?
CS option frequently included on
all queries ⇒
Massive data leak
How to find the right balance?
19. TLS (Transport Layer Security) is the basis of https encryption.
● DNS-over-TLS (RFC7858) is simply a DNS request(s) wrapped by TLS.
● DNS-over-HTTPS (draft-ietf-doh-dns-over-http) is DNS queries via an HTTPS request.
**
Resolver, 1.1.1.1 now provides both - at scale!
● Mozilla Trusted Recursive Resolver
○ Cloudflare listed
DNS-over-TLS / DNS-over-HTTPS
DNSSEC ensures integrity of data
between resolver and
authoritative server, it doesn’t
protect privacy of that data!
Specifically, DNSSEC doesn’t
protect the privacy of the “last
mile”.
** https://hacks.mozilla.org/2018/05/a-cartoon-intro-to-dns-over-https/
https://daniel.haxx.se/blog/2018/06/03/inside-firefoxs-doh-engine/
20. ● We don’t store client IP addresses never, ever!
● We only use query names for things that improve DNS resolver performance.
● After obfuscation, APNIC research gets access to data (under our joint agreement).
● Cloudflare never stores any information in logs that identifies end user.
○ All log records are deleted within 24 hours.
● We will continue to abide by our privacy policy and ensure that no user data is sold
to advertisers or used to target consumers.
Data Policy
All log records deleted within 24
hours
24. Sadly, user “Samsonite801” will never be able to use 1.1.1.1 DNS resolver!
1.1.1.1 polluted space
Hard to explain “assigned” vs
“private”
https://www.linuxquestions.org/questions/linux-networking-3/why-doesn%27t-everyone-use-1-1-1-x-or-1-1-x-x-or-
1-x-x-x-addresses-in-their-lans-4175563056/
25. 1.1.1.1 polluted space (the edge)
Many CPE routers use 1.1.1.1 for captive portals or configuration screens
● Pace (Arris) 5268
● D-Link DMG-6661
● Technicolor C2100T
● Calix GigaCenter ---- fixed 2018/Jun/12 thanks to a USER
● Nomadix (model(s) unknown)
● Xerox Phaser MFP
Deployed in the millions globally
Millions of CPE boxes globally
26. 1.1.1.1 polluted space (backbones)
Many backbones seem to have 1.1.1.1 backholed or used - for no real reason
We committed to fixing this by using our measurements to track down, contact and correct
these inconsistencies. Here’s a partial list of successfully cleaned backbones!
● Airtel, BHTelecom, Beirut-IX, Comcast, Fastweb, ITC, Kazakhtelecom, LG Telecom,
Level(3), Liquid Telecom, MTN, Omantel, Rostelecom, SFR, SKBB, Sonatel, STC, Tata,
Telecom Italia, Telenor, Telus, Turk Telekom, Turkcell, Voo, XS4ALL, Ziggo
● Many more ...
Thank you backbones. You have helped the Internet improve.
Why do backbones use this route?
Good question!
27. ● 1.1.1.1 (1.1.1.0/30) was in use internally within Sonatel
○ This isn’t unusual - (see previous slides)
○ Prevents end-users from accessing resolver at 1.1.1.1
○ However, 1.0.0.1 is available - hence resolver always worked
● This is repeated in many countries and telcos
1.1.1.1 fixed in Senegal
Fixed!
Fixing 1.1.1.1, one network at a
time!
28. ● Thanks to the RIPE Atlas probes and thousands of tests
○ Tested ISPs globally for access to 1.1.1.1 (and 1.0.0.1)
○ Sent many emails to many NOCs **
Measuring availability
RIPE Atlas to the rescue!
Null-routes
CPE installed in ISP
…
Suddenly an open FTP server
** https://blog.cloudflare.com/fixing-reachability-to-1-1-1-1-globally/
34. 1.1.1.0/24 bursts and patterns
10+ Gbps of noise!
● Two increases:
○ 5 Gbps → 8 Gbps between 16:00 → 17:15 UTC
○ 8 Gbps → 12.5 Gbps between 17:15 → 23:00 UTC
○ Mostly on 1.1.1.7, 1.1.1.8, 1.1.1.9, and 1.1.1.10
■ Destination port 80
■ Increase from China
■ No particular difference on source IP/net
● Short bursts:
○ Only on 1.1.1.1 between 01:00 → 02:00 UTC for a few minutes
○ 1 Gbps → 10 Gbps
○ UDP traffic source port 123 (NTP) and port 11211 (memcached)
■ Misconfigured network devices?
35. 1.1.1.0/24 bursts and patterns
10+ Gbps of noise!
● Also DHCP spikes from Macau
○ Bursts to 40 Mbps
● How many packets per second on UDP 53 (before launching)
36. 1.1.1.0/24 what changed?
10+ Gbps of noise!
● Presentation from 10 years ago at NANOG49 **
○ “iperf traffic to 1.2.3.4 is roughly 10 Mbps of traffic from less than a 100
unique sources”
● 2018: we still see iperf traffic (port 5000/5001)
○ Around 10-20 times the traffic
** https://www.nanog.org/meetings/nanog49/presentations/Monday/karir-1slash8.pdf
Merit, APNIC, University of Michigan
We estimate legitimate traffic to be around 7-13%
40. Traffic goes where ?
Measured from Ripe Atlas
probes
Old Tunnels never die
Date 1.0.0.1 1.1.1.1 Test #
Mar/28 8.3% 14.7% 4.8% 16.7%
May/16 0.4% 3.0% 0.2% 3.4%
Jun/21 1.2% 4.2% 1.5% 5.0%
Not all go to same location Reachability issues persist
41. Measuring availability (via pings)
Resolver reachability
Green - All working
Red = 1.1.1.1 fails
Pink = 1.0.0.1 fails
Purple = both fail
Early August/2018
Hilbert curves are cool!
46. 1.1.1.0/24 leaks happen
● The heavy use of 1.1.1.1 in networks (running BGP) trigger route leaks
● Cloudflare has a signed RPKI ROA for both 1.0.0.0/24 & 1.1.1.0/24
○ RPKI signed - but doesn’t (yet) stop route leaks
● The 29 May 2018 leak was ~60 seconds in length
○ It lasted longer on twitter
● This must stop; not just for this route, but on all routes!
Prefix: 1.1.1.0/24
Country code: AU
Origin AS: 13335
Origin AS Name: Cloudflare Inc
RPKI status: ROA validation successful
Route leaks need to stop!
48. Speed (prefill)
We prefill all caches based on popular domains in a region
● Why: To improve perceived speed and availability
● Popular domains should always be cached
● What is popular?
rsdns-
writer
QS
rsdns-
poller
Alexa 1M
Umbrella 1M
Majestic 1M
Resolve
r
Resolve
r
49. Speed (backend multicast)
Multicasted cache data across machines within the same data center
● Why: Cache hit ratio goes down with the network size
● Cache hit ratio is everything
● Basically a pub-sub
● Consistent latency
Resolve
r
Resolve
r
Resolve
r
Resolve
r
Resolve
r
Resolve
r
53. Summary
● Easy to remember IP addresses
● Support for DOH (DNS over HTTPS) and DNS over TLS
● Cleaning up routing and CPE devices
● Did I mention it’s fast?
Setting up the resolver:
https://1.1.1.1/
54. Where to from here?
• The blocks are clearly still very tainted
• Cloudflare continue to sink huge amounts of unrequested, unquenchable traffic
• Remediation is more than theoretically possible, but its not free
• Labour costs to help ISPs
• Those code dependencies embedded in systems in the CPE..
• We’re talking two /24. Impact on overall IPv4 availability is low
• Public DNS services are now quite popular
• Google pDNS
• IBM/PCH 9.9.9.9 “cleanfeed”
• CloudFlare 1.1.1.1 has high adoption rate
• Continuance with renewal unless clear policy drivers dictate otherwise
• APNIC Labs does not propose a change at this time