APNIC Chief Scientist Geoff Huston presents 'Measuring ATR' at IETF 101, on what happens when DNS servers sending large responses use a new trick to try to get around roadblocks for large responses.
3. The Internet has a problem …
• Instead of evolving to be more flexible and more capable, it appears that the Internet’s transport is becoming more ossified and more inflexible in certain aspects
• One of the major issues here is the handling of large IP packets and IP-level packet fragmentation
• We are seeing a number of end-to-end paths on the network that no longer support the carriage of fragmented IP datagrams
• We are concerned that this number might be getting larger, not smaller
4. The Internet has a problem …
• What about the DNS?
• One application that is making increasing use of large UDP packets is the DNS
• This is generally associated with DNSSEC-signed responses (such as “dig +dnssec DNSKEY org”) but large DNS responses can be generated in other ways as well (such as “dig . ANY”)
• In the DNS we appear to be relying on the successful transmission of fragmented UDP packets, but at the same time we see an increasing problem with the coherence in network and host handling of fragmented IP packets, particularly in IPv6
5. Changing the DNS?
• But don’t large DNS transactions use TCP anyway?
• In the original DNS specification only small (smaller than 512 octets) responses are passed across UDP.
• Larger DNS responses are truncated and the truncation is intended to trigger the client to re-query using TCP
• EDNS(0) allowed a client to signal a larger truncation size threshold, and assumes that fragmented DNS is mostly reliable
• But what if it’s not that reliable?
6. What is “ATR”?
• It stands for “Additional Truncated Response”
  Internet draft: draft-song-atr-large-resp-00, September 2017
  Linjian (Davey) Song, Beijing Internet Institute
• It’s a hybrid response to noted problems in IPv4 and IPv6 over handling of large UDP packets and IP fragmentation
• ATR adds an additional response packet to ‘trail’ a fragmented UDP response
• The additional response is just the original query with the Truncated bit set, and the sender delays this additional response packet by 10ms
7. The Intention of ATR
Today:
• If the client cannot receive large truncated responses then it will need to timeout from the original query,
• Then re-query using more resolvers,
• Timeout on these queries
• Then re-query using a 512 octet EDNS(0) UDP buffersize
• Then get a truncated response
• Then re-query using TCP
8. The Intention of ATR
Today:
• If the client cannot receive large truncated responses then it will need to timeout from the original query,
• Then re-query using more resolvers,
• Timeout on these queries
• Then re-query using a 512 octet EDNS(0) UDP buffersize
• Then get a truncated response
• Then re-query using TCP
[Annotation on the slide: ATR – within a few ms]
9. The Intention of ATR
• When a UDP DNS response is fragmented by the server, then the server will also send a delayed truncated UDP DNS response
  The delay is proposed to be 10ms
• If the DNS client receives and reassembles the fragmented UDP response the ensuing truncated response will be ignored
• If the fragmented response is lost due to fragmentation loss, then the client will receive the short truncated response
• The truncation setting is intended to trigger the client to re-query using TCP
12. ATR Operation
[Diagram: Client – Server exchange]
Client → Server: UDP DNS Query
Server → Client: UDP DNS Response (Fragmented)
Server → Client, 10ms later: UDP DNS Response (Truncated)
13. ATR Operation
[Diagram: as slide 12, followed by a TCP Query and Response between Client and Server]
14. What could possibly go wrong?
• Network level packet re-ordering may cause the shorter truncated response packet to overtake the fragmented response, causing an inflated TCP load, and the potential for TCP loss to be triggered
• Not every client DNS system supports using TCP to emit queries
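As an added illustration of the exchange on slides 9 to 14 (example code written for this page, not part of the presentation or of the ATR draft), the following Python model builds a DNS query on the wire, derives the ATR trailer from it the way the slides describe (the original query with the Truncated bit set, sent 10ms after the fragmented response), and then plays the cases the slides care about through a client-side model: fragments arrive intact, fragments are lost on the path with and without ATR, the client cannot use TCP, and the trailer overtaking the fragments through re-ordering. The 1800-byte response body, the query name "org", the delivery and capability parameters are constructed assumptions for the example.

```python
"""Wire-level model of the ATR exchange (added example, constructed inputs)."""
import struct

QR = 0x8000          # DNS header flag: message is a response
TC = 0x0200          # DNS header flag: response was truncated
ATR_DELAY_MS = 10    # delay of the trailing truncated response (draft-song-atr-large-resp)


def build_query(qname, qtype=48, txid=0x1234):
    """Minimal DNS query on the wire: 12-byte header plus one question.
    qtype 48 is DNSKEY, the record type the slides use as an example of a
    large DNSSEC-signed answer."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    name = qname.strip(".")
    labels = b"" if name == "" else b"".join(
        bytes([len(l)]) + l.encode("ascii") for l in name.split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)


def flags(msg):
    """Header flags word of a DNS message."""
    return struct.unpack("!H", msg[2:4])[0]


def make_atr_trailer(query):
    """The ATR trailer is just the original query with QR and TC set; the
    question section (and any OPT record) is carried through unchanged."""
    return query[:2] + struct.pack("!H", flags(query) | QR | TC) + query[4:]


def server_send(query, atr):
    """What the server puts on the wire for a large answer: (kind, bytes, delay_ms).
    The big fragmented response is stood in for by a constructed 1800-byte blob;
    only its fate on the path is modelled, not its contents."""
    big = query[:2] + struct.pack("!H", flags(query) | QR) + b"X" * 1800  # > 1500 bytes, so fragmented
    sent = [("fragmented", big, 0)]
    if atr:
        sent.append(("truncated", make_atr_trailer(query), ATR_DELAY_MS))
    return sent


def deliver(sent, path_drops_fragments, reordered=False):
    """Arrival order at the client. Fragments lost on the path never arrive;
    re-ordering (slide 14) lets the short trailer overtake the fragmented response."""
    arrivals = [p for p in sent if not (p[0] == "fragmented" and path_drops_fragments)]
    arrivals.sort(key=lambda p: p[2], reverse=reordered)
    return [(kind, msg) for kind, msg, _ in arrivals]


def client_outcome(arrivals, can_use_tcp):
    """'udp'  : full answer reassembled from the fragmented UDP response
       'tcp'  : TC bit seen first, client re-queries over TCP
       'fail' : nothing usable arrived, or TC seen but the client cannot use TCP"""
    for kind, msg in arrivals:
        if kind == "fragmented" and flags(msg) & QR:
            return "udp"
        if kind == "truncated" and flags(msg) & TC:
            return "tcp" if can_use_tcp else "fail"
    return "fail"  # the client is left to time out (slides 7-8)


def run(atr, path_drops_fragments, can_use_tcp, reordered=False):
    q = build_query("org", 48)
    arrivals = deliver(server_send(q, atr), path_drops_fragments, reordered)
    return client_outcome(arrivals, can_use_tcp)


if __name__ == "__main__":
    print("no ATR, fragments dropped     :", run(False, True, True))        # fail
    print("ATR, fragments dropped, TCP ok:", run(True, True, True))         # tcp
    print("ATR, fragments dropped, no TCP:", run(True, True, False))        # fail
    print("ATR, fragments arrive         :", run(True, False, True))        # udp
    print("ATR, trailer re-ordered first :", run(True, False, True, True))  # tcp
```

The last case is the slide 14 concern in miniature: when the trailer overtakes the fragments, a client that could have used the UDP answer goes to TCP anyway, which is the inflated TCP load the slide warns about.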
15. ATR and Resolver Behaviour
[Venn diagram of two resolver pools: “Can’t Receive Fragmented UDP” and “Can’t Use TCP”]
Can’t Receive Fragmented UDP only: ATR will help
Can’t Use TCP only: ATR won’t be of use, but it shouldn’t matter
Both: ATR won’t help
How big are each of these pools?
What proportion of users are impacted?
16. Measuring within the DNS
Query 1: a.b.example.com? to ns.example.com
Answer 1: NS nsb.z.example.com
<discover name servers for z.example.com>
Query 2: nsb.z.example.com to z.example.com
Answer 2: 192.0.2.1
Query 3: a.b.example.com to 192.0.2.1
Answer 3: 10.0.0.1
Query 3 depends on the resolver successfully receiving Answer 2
17. Experiment Details
• Use 6 tests:
• 2 tests use ATR responses – one is DNS over IPv4, the other is DNS over IPv6
• 2 tests use only truncated responses – IPv4 and IPv6
• 2 tests use large fragmented UDP responses - IPv4 and IPv6
• Use a technique of delegation without glue records (glueless) to perform the measurement entirely within the DNS
• Performed 55M experiments
18. Looking at Resolvers
We are looking at resolvers who were passed “Answer 2” to see if they queried “Query 3”
Protocol   Resolvers   ATR     Large UDP   TCP
IPv4       113,087     71.2%   60.1%       79.4%
IPv6       20,878      55.4%   50.0%       55.1%
19. Looking at Resolvers
We are looking at resolvers who were passed “Answer 2” to see if they queried “Query 3”
Inversely, let’s report on the FAILURE rate of resolvers
Protocol   Resolvers   Fail ATR   Fail Large UDP   Fail TCP
IPv4       113,087     28.8%      39.9%            20.6%
IPv6       20,878      44.6%      50.0%            44.9%
20. Seriously?
• More than one third of the “visible” IPv4 resolvers are incapable of receiving a large fragmented packet
• And one half of the “visible” IPv6 resolvers are incapable of receiving a large fragmented packet
21. ASNs of IPv4 Resolvers that do not follow up when given a large UDP Response – Top 10
ASN Use Exp AS Name CC
AS9644 0.78% 447,019 SK Telecom KR
AS701 0.70% 400,798 UUNET - MCI Communications Services US
AS17853 0.62% 357,335 LGTELECOM KR
AS4766 0.59% 340,334 Korea Telecom KR
AS4134 0.47% 267,995 CHINANET-BACKBONE CN
AS31034 0.47% 267,478 ARUBA-ASN IT
AS3786 0.39% 225,296 DACOM Corporation KR
AS36692 0.38% 217,306 OPENDNS - OpenDNS US
AS3215 0.33% 189,810 Orange FR
AS812 0.30% 169,699 ROGERS COMMUNICATIONS CA
22. ASNs of IPv6 Resolvers that do not follow up when given a large UDP Response – Top 10
ASN Use Exp AS Name CC
AS15169 40.60% 10,006,596 Google US
AS5650 0.90% 221,493 Frontier Communications US
AS36692 0.84% 206,143 OpenDNS US
AS812 0.78% 193,073 Rogers Communications Canada CA
AS20057 0.46% 114,440 AT&T Mobility LLC US
AS3352 0.38% 92,925 TELEFONICA_DE_ESPANA ES
AS852 0.35% 85,043 TELUS Communications Inc. CA
AS55644 0.32% 80,032 Idea Cellular Limited IN
AS3320 0.25% 61,938 DTAG Internet service provider operations DE
AS4761 0.24% 60,019 INDOSAT-INP-AP INDOSAT Internet Network Provider ID
23. ASNs of IPv4 Resolvers that do not follow up in TCP when given a truncated UDP Response – Top 10
ASN Use Exp AS Name CC
AS9299 0.55% 252,653 Philippine Long Distance Telephone PH
AS24560 0.34% 155,908 Bharti Airtel IN
AS3352 0.29% 132,924 TELEFONICA_DE_ESPANA ES
AS9498 0.19% 84,754 BHARTI Airtel IN
AS9121 0.14% 61,879 TTNET TR
AS23944 0.13% 58,102 SKYBroadband PH
AS9644 0.11% 51,750 SK Telecom KR
AS24499 0.11% 51,108 Telenor Pakistan PK
AS3215 0.10% 43,614 Orange FR
AS23700 0.09% 39,697 Fastnet ID
24. ASNs of IPv6 Resolvers that do not follow up in TCP when given a truncated UDP Response – Top 10
ASN Use Exp AS Name CC
AS15169 4.15% 961,287 Google US
AS21928 1.72% 399,129 T-Mobile USA US
AS7922 1.57% 364,596 Comcast Cable US
AS3352 0.54% 126,146 TELEFONICA_DE_ESPANA ES
AS22773 0.38% 87,723 Cox Communications Inc. US
AS55644 0.35% 80,844 Idea Cellular Limited IN
AS20115 0.31% 71,831 Charter Communications US
AS20057 0.30% 70,518 AT&T Mobility US
AS6713 0.20% 46,196 IAM-AS MA
AS8151 0.20% 45,754 Uninet S.A. de C.V. MX
25. What’s the impact?
• Failure in the DNS is often masked by having multiple resolvers in the client’s local configuration
• And the distribution of users to visible recursive resolvers is heavily skewed (10,000 resolvers by IP address handle the DNS queries of more than 90% of end users)
• So to assess the impact let’s look at the results by counting user-level success / failure to resolve these glueless names
26. Looking at Users
• Rather than looking at individual resolvers being able to pose Question 3, let’s count:
• A “success” if any resolver can query Question 3 on behalf of the user
• A “failure” is recorded when no resolver generates a query to Question 3
27. Looking at Users - Failure Rates
IPv4:  UDP Frag: 12.5%   TCP: 4.0%   ATR: 3.9%
IPv6:  UDP Frag: 20.8%   TCP: 8.4%   ATR: 6.5%
These loss rates are expressed as an estimated percentage of users,
28. ATR and Resolver Behaviour – IPv4
[Venn diagram of users: “Can’t Receive Fragmented UDP” 12.5%, “Can’t Use TCP” 4.0%]
Can’t Receive Fragmented UDP only (ATR will help): 8.6%
Both (ATR won’t help): 3.9%
Can’t Use TCP only (ATR won’t be of use, but it shouldn’t matter): 0.1%
29. ATR and Resolver Behaviour – IPv4 / IPv6
[Same Venn diagram with the IPv6 figures overlaid on the IPv4 ones]
IPv4: Can’t Receive Fragmented UDP 12.5%, Can’t Use TCP 4.0%; ATR will help 8.6%, ATR won’t help 3.9%, ATR won’t be of use but it shouldn’t matter 0.1%
IPv6: Can’t Receive Fragmented UDP 20.8%, Can’t Use TCP 8.4%; ATR will help 14.3%, ATR won’t help 6.5%, ATR won’t be of use but it shouldn’t matter 1.9%
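The user-level counting rule of slide 26 and the three-way split of slides 28 and 29 can be reproduced from per-resolver records. The Python below is an added example, not the presentation's own analysis code or data: it parses a small constructed log of (user, test, resolver, followed up with Query 3) records, scores each user as the slides do (success if any of the user's resolvers asked Query 3, failure only when none did), and splits the users who fail the large-UDP test and the TCP test into the "ATR will help" (fragments only), "ATR won't help" (both) and "ATR won't be of use" (TCP only) regions, alongside the failure rate measured directly with ATR responses. The log format and the user and resolver names are invented for the example.

```python
"""User-level scoring of glueless-delegation experiments (added example)."""
from collections import defaultdict

TESTS = ("large_udp", "tcp", "atr")   # the three response styles of slide 17

# Constructed records (not the measurement's real data): one line per
# (user, test, resolver) stating whether that resolver went on to ask Query 3.
LOG = """\
user=u1 test=large_udp resolver=r1 q3=yes
user=u1 test=tcp resolver=r1 q3=yes
user=u1 test=atr resolver=r1 q3=yes
user=u2 test=large_udp resolver=r2 q3=no
user=u2 test=large_udp resolver=r3 q3=no
user=u2 test=tcp resolver=r2 q3=yes
user=u2 test=atr resolver=r2 q3=yes
user=u3 test=large_udp resolver=r4 q3=no
user=u3 test=tcp resolver=r4 q3=no
user=u3 test=atr resolver=r4 q3=no
user=u4 test=large_udp resolver=r5 q3=no
user=u4 test=large_udp resolver=r6 q3=yes
user=u4 test=tcp resolver=r5 q3=no
user=u4 test=tcp resolver=r6 q3=no
user=u4 test=atr resolver=r6 q3=yes
""" + "".join(f"user=u{i} test={t} resolver=r9 q3=yes\n"   # four users with no trouble at all
              for i in range(5, 9) for t in TESTS)


def parse(log):
    """-> {(user, test): [True/False per resolver that was handed Answer 2]}"""
    per = defaultdict(list)
    for line in log.splitlines():
        if not line.strip():
            continue
        kv = dict(tok.split("=", 1) for tok in line.split())
        per[(kv["user"], kv["test"])].append(kv["q3"] == "yes")
    return per


def failing_users(per, test):
    """Slide 26 rule: a user fails a test only when none of its resolvers
    generated Query 3; one successful resolver masks the others' failures."""
    return {u for (u, t), seen in per.items() if t == test and not any(seen)}


def failure_rates(per):
    """Per-test user failure rate, the figures of slide 27."""
    users = {u for u, _ in per}
    return {t: len(failing_users(per, t)) / len(users) for t in TESTS}


def atr_breakdown(per):
    """Split users into the regions of the slide 28/29 diagram and put the
    directly measured ATR failure rate beside the 'both' region for comparison."""
    users = {u for u, _ in per}
    frag = failing_users(per, "large_udp")   # can't receive fragmented UDP
    tcp = failing_users(per, "tcp")          # can't use TCP
    n = len(users)
    return {
        "atr_will_help": len(frag - tcp) / n,            # fragments fail, TCP works
        "atr_wont_help": len(frag & tcp) / n,            # both fail
        "atr_not_needed": len(tcp - frag) / n,           # TCP fails, fragments arrive
        "measured_atr_failure": len(failing_users(per, "atr")) / n,
    }


if __name__ == "__main__":
    records = parse(LOG)
    print(failure_rates(records))   # {'large_udp': 0.25, 'tcp': 0.25, 'atr': 0.125}
    print(atr_breakdown(records))   # each region 0.125 on this constructed log
```

On the constructed log the measured ATR failure rate equals the "both" region, which is the consistency check the real slides pass as well: the 3.9% IPv4 and 6.5% IPv6 ATR loss rates of slide 27 are the intersections on slides 28 and 29.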
30. Net Change in User Failure Rates
IPv4
Fragged UDP Loss: 12.5%
ATR Loss Rate: 3.9%
IPv6
Fragged UDP Loss: 20.5%
ATR Loss Rate: 6.5%
31. ATR Assessment
• Is this level of benefit worth the additional server and traffic load when sending large responses?
• Is this load smaller than resolver hunting in response to packet drop?
• Is the faster fallback to TCP for large responses a significant benefit?
• Is 10ms ATR delay too short? Would a longer gap reduce response reordering? Do we care?
• Do we have any better ideas about how to cope with large responses in the DNS?