Welcome:
Login
|
Sign Up
|
About CircleID
Follow:
|
|
|
The recent NANOG 61 meeting was a pretty typical NANOG meeting, with a plenary stream, some interest group sessions, and an ARIN Public Policy session. The meeting attracted some 898 registered attendees, which was the biggest NANOG to date. No doubt the 70 registrations from Microsoft helped in this number, as the location for NANOG 61 was in Bellevue, Washington State, but even so the interest in NANOG continues to grow... more
Keynote speaker, and noted security industry commentator, Bruce Schneier (Co3 Systems ) set the tone for the two days with a discussion on how humans name things and the shortcomings of computers in doing the same. Names require context, he observed, and "computers are really bad at this" because "everything defaults to global." Referring to the potential that new gTLDs could conflict with internal names in installed systems, he commented, "It would be great if we could go back 20 years and say 'Don't do that'," but concluded that policymakers have to work with DNS the way it is today. more
By design, the Internet core is stupid, and the edge is smart. This design decision has enabled the Internet's wildcat growth, since without complexity the core can grow at the speed of demand. On the downside, the decision to put all smartness at the edge means we're at the mercy of scale when it comes to the quality of the Internet's aggregate traffic load. Not all device and software builders have the skills - and the quality assurance budgets - that something the size of the Internet deserves. more
Most people, even seasoned IT professionals, don't give DNS (the Domain Name System) the attention it deserves. As TCP/IP has become the dominant networking protocol, so has the use of DNS... Due to the reliability built into the fundamental RFC-based design of DNS, most IT professionals don't spend much time worrying about it. This can be a huge mistake! more
Google has received a lot of press regarding their Project Shield announcement at the Google Ideas Summit. The effort is being applauded as a milestone in social consciousness. While on the surface the endeavor appears admirable, the long-term impact of the service may manifest more than Google had hoped for. Project Shield is an invite-only service that combines Google's DDoS mitigation technology and Page Speed service... more
This post follows an earlier post about DNS amplification attacks being observed around the world. DNS Amplification Attacks are occurring regularly and even though they aren't generating headlines targets have to deal with floods of traffic and ISP infrastructure is needlessly stressed -- load balancers fail, network links get saturated, and servers get overloaded. And far more intense attacks can be launched at any time. more
One of the most prominent denial of service attacks in recent months was one that occurred in March 2013 between Cloudflare and Spamhaus... How did the attackers generate such massive volumes of attack traffic? The answer lies in the Domain Name System (DNS). The attackers asked about domain names, and the DNS system answered. Something we all do all of the time of the Internet. So how can a conventional activity of translating a domain name into an IP address be turned into a massive attack? more
When the domain name system (DNS) was first designed, security was an afterthought. Threats simply weren't a consideration at a time when merely carrying out a function - routing Internet users to websites - was the core objective. As the weaknesses of the protocol became evident, engineers began to apply a patchwork of fixes. After several decades, it is now apparent that this reactive approach to DNS security has caused some unintended consequences and challenges. more
This week bank costumers of The Netherlands were shocked when they realised that online banking may not be as safe as they thought. Perhaps some were surprised to hear that what they think is money, is nothing but digits, something that does not exist. Their money only exist because we all act as if it exists and accept transactions between each other aided by software run by banks, if they haven't outsourced that function. more
Three vectors were exploited in the recent DDoS attack against Spamhaus: 1) Amplification of DNS queries through the use of DNSSEC signed data; 2) Spoofed source addresses due to lack of ingress filtering (BCP-38) on originating networks; 3) Utilisation of multiple open DNS resolvers While. 1) is unavoidable simply due to the additional data that DNSSEC produces, and 2) "should" be practised as part of any provider's network configuration, it is 3) that requires "you and I" ensure that systems are adequately configured. more
Last year there was a "threat" by anonymous group to black out Internet by using DNS Reflection/Amplification attack against the Internet DNS Root servers. I even wrote a little article about it: "End of the world/Internet". In the article I was questioning if this was even possible and what was needed as general interest and curiosity. Well, looking at the "stophaus" attack last week, we are getting some answers. more
If you haven't been reading the news of late, venerable anti-spam service Spamhaus has been the target of a sustained, record-setting Distributed Denial-of-Service (DDoS) attack over the past couple of weeks... Of course, bad guys are always mad at Spamhaus, and so they had a pretty robust set-up to begin with, but whoever was behind this attack was able to muster some huge resources, heretofore never seen in intensity, and it had some impact, on the Spamhaus website, and to a limited degree, on the behind-the-scenes services that Spamhaus uses to distribute their data to their customers. more
Well... Maybe not the world, but the Internet it seems. According to a Pastebin letter, Anonymous announced they will black-out Internet on 31st of March. They even explained how to do it by attacking the DNS Root Servers on Internet using a reflected amplification attack. If this is successful, the root DNS servers will become unresponsive and cannot handle any other requests... more
The Microsoft action against 3322.org, a Chinese company, started with the news that computers were infected during the production phase. Stepping away from the controversy surrounding the approach, there are important lessons that cyber security officials and upper management, deciding on the level of and budget for cyber security in organisations should learn and take into account. I'm writing this contribution from a premise: China uses the fact that most IT devices are built in China to its advantage. Allow me to start with an account from personal memory to set the stage. more
Today I released a report on 'National cyber crime and online threats reporting centres. A study into national and international cooperation'. Mitigating online threats and the subsequent enforcing of violations of laws often involves many different organisations and countries. Many countries are presently engaged in erecting national centres aimed at reporting cyber crime, spam or botnet mitigation. more
A World-Renowned Source for Internet Developments. Serving Since 2002.