October 2016 Summaries
7 posts from Cloudflare
Filter
Month:
Year:
Post Summaries
Back to Blog
On October 27, 2016, popular DNS service Dyn suffered three waves of DDoS attacks that affected users worldwide, including some Cloudflare customers. The Domain Name System (DNS) is responsible for converting human-readable domain names to IP addresses for websites. During the Dyn outage, Cloudflare's internal DNS query error rate spiked in two periods. China was largely unaffected due to different caching configurations within its data centers. In response to the incident, Cloudflare is making changes to its internal DNS infrastructure to improve performance during major provider issues or outages. The company is also testing and rolling out a 'serve stale while revalidating' feature to mitigate the impact of similar events for customers using CNAME records from third-party providers.
Oct 27, 2016
1,607 words in the original blog post.
Cloudflare's architecture is designed to withstand large-scale DDoS attacks, unlike legacy DNS and DDoS mitigation services that rely on expensive boxes and bandwidth. Instead of using dedicated mitigation hardware, Cloudflare uses software that distributes load geographically across its network of servers. This approach allows the company to cost-effectively continue investing in its network and efficiently handle large attacks by spreading the load across thousands of servers. Additionally, since every core in every server can help mitigate attacks, each new data center improves the ability to stop attacks near their source.
Oct 26, 2016
1,596 words in the original blog post.
On October 21, 2016, a large-scale Denial-of-Service (DoS) attack targeted Dyn DNS, potentially affecting websites using both Cloudflare and Dyn services. The issue arises when CNAME records pointing to a zone hosted on Dyn fail, causing website unavailability and presenting a "1001" error message. Some popular platforms that rely on Dyn include GitHub Pages, Heroku, Shopify, and AWS. A possible workaround is updating Cloudflare DNS records from CNAMEs to A/AAAA records specifying the origin IP of the website. However, this may cause loss of functionality if different origin IP addresses are used based on geographical location. Customers with a CNAME setup where the main zone is hosted on Dyn might also be affected and can consider making Cloudflare their authoritative DNS provider by contacting support. The Cloudflare status page and support system may be impacted due to being hosted on third parties.
Oct 21, 2016
287 words in the original blog post.
The text discusses the importance of Initialization Vectors (IVs) or nonces in encryption schemes. IVs provide non-determinism to make duplicate encrypted messages indistinguishable from each other. They are usually not secret and are distributed prepended to the ciphertext since they are necessary for decryption. The text also covers how different versions of TLS handle nonces, including RC4, CBC in TLS 1.0, TLS 1.1, TLS 1.2 GCM, and TLS 1.3. It concludes by discussing the importance of Nonce Reuse Resistance to mitigate adverse consequences when the same nonce is reused or is predictable.
Oct 12, 2016
1,051 words in the original blog post.
Recent DDoS attacks against web applications are showing new trends in their methods, with attackers switching to large L7 (HTTP) attacks instead of traditional volumetric L3/4 attacks like SYN floods and NTP/DNS reflection. These L7 attacks aim to knock web applications offline by consuming server resources through actual HTTP requests. Two recent examples of such attacks were analyzed, one peaking at 1.75 million HTTP requests per second (1 Mrps) and the other generating significant inbound bandwidth of up to 360 Gbps. The source of these attacks appears to be Internet-of-Things devices like connected cameras and Network Attached Storage systems. As more IoT devices are added to the internet, it is likely that they will become unwilling participants in future DDoS attacks.
Oct 11, 2016
1,255 words in the original blog post.
On October 6th, 2016, Cloudflare announced the expansion of its Virtual DNS offering with two new features for enhanced reliability: Serve Stale and DNS Rate Limiting. The company has developed the necessary tooling, infrastructure, and expertise to handle large-scale DNS networks over the past six years. Virtual DNS serves as a protective layer in front of an organization's DNS infrastructure, mitigating DDoS attacks and providing a strong caching system across 100 global data centers. Serve Stale allows Virtual DNS to answer queries on behalf of an organization when their nameservers are down by serving stale answers from cache. DNS Rate Limiting helps control the traffic hitting an organization's network, allowing them to configure a threshold for the number of queries per second that Virtual DNS should send through to their DNS servers. These features aim to provide additional layers of reliability and protection for organizations running DNS infrastructure.
Oct 06, 2016
357 words in the original blog post.
Cloudflare has certified with the U.S. Department of Commerce for the new EU-U.S. Privacy Shield framework, a mechanism by which European companies can transfer personal data to their counterparts in the United States. The certification demonstrates Cloudflare's commitment to further protecting the security and privacy of its customers. The Privacy Shield expands upon the former U.S.-EU Safe Harbor, improving and bolstering privacy protections for Europeans with respect to the handling of their personal data. As a security company, Cloudflare takes customer trust and safety seriously and has strengthened internal processes and controls to meet the new heightened requirements mandated by the European Commission.
Oct 01, 2016
444 words in the original blog post.