Pull to refresh
283.86

Network technologies *

From Ethernet to IPv6

Show first
Rating limit
Level of difficulty

Q1 2021 DDoS attacks and BGP incidents

Reading time 6 min
Views 1.6K

The year 2021 started on such a high note for Qrator Labs: on January 19, our company celebrated its 10th anniversary. Shortly after, in February, our network mitigated quite an impressive 750 Gbps DDoS attack based on old and well known DNS amplification. Furthermore, there is a constant flow of BGP incidents; some are becoming global routing anomalies. We started reporting in our newly made Twitter account for Qrator.Radar.

Nevertheless, with the first quarter of the year being over, we can take a closer look at DDoS attacks statistics and BGP incidents for January - March 2021.

Read more
Total votes 15: ↑15 and ↓0 +15
Comments 0

2020 Network Security and Availability Report

Reading time 9 min
Views 962

By the beginning of 2021, Qrator Labs filtering network expands to 14 scrubbing centers and a total of 3 Tbps filtering bandwidth capacity, with the San Paolo scrubbing facility fully operational in early 2021;

New partner services fully integrated into Qrator Labs infrastructure and customer dashboard throughout 2020: SolidWall WAF and RuGeeks CDN;

Upgraded filtering logic allows Qrator Labs to serve even bigger infrastructures with full-scale cybersecurity protection and DDoS attacks mitigation;

The newest AMD processors are now widely used by Qrator Labs in packet processing.

DDoS attacks were on the rise during 2020, with the most relentless attacks described as short and overwhelmingly intensive.

However, BGP incidents were an area where it was evident that some change was and still is needed, as there was a significant amount of devastating hijacks and route leaks.

In 2020, we began providing our services in Singapore under a new partnership and opened a new scrubbing center in Dubai, where our fully functioning branch is staffed by the best professionals to serve local customers.

Read more
Total votes 17: ↑17 and ↓0 +17
Comments 0

Top 7 Technology Trends to Look out for in 2021

Reading time 4 min
Views 3.4K

Technology is as adaptable and compatible as mankind; it finds its way through problems and situations. 2020 was one such package of uncertain events that forced businesses to adapt to digital transformation, even to an extent where many companies started to consider the remote work culture to be a beneficiary long-term model. Technological advancements like Hyper automation, AI Security, and Distributed cloud showed how any people-centric idea could rule the digital era. The past year clearly showed the boundless possibilities through which technology can survive or reinvent itself. With all those learnings let's deep-dive and focus on some of the top technology trends to watch out for in 2021.

Read more
Rating 0
Comments 2

Implementing Offline traceroute Tool Using Python

Reading time 30 min
Views 3.9K

Hey everyone! This post was born from a question asked by an IT forum member. The summary of the question looked as follows:


  • There is a set of text files containing routing tables collected from various network devices.
  • Each file represents one device.
  • Device platforms and routing table formats may vary.
  • It is required to analyze a routing path from any device to an arbitrary subnet or host on-demand.
  • Resulting output should contain a list of routing table entries that are used for the routing to the given destination on each hop.

The one who asked a question worked as a TAC engineer. It is often that they collect or receive from the customers some text 'snapshots' of the network state for further offline analysis while troubleshooting the issues. Some automation could really save a lot of time.


I found this task interesting and also applicable to my own needs, so I decided to write a Proof-of-Concept implementation in Python 3 for Cisco IOS, IOS-XE, and ASA routing table format.


In this article, I’ll try to reconstruct the resulting script development process and my considerations behind each step.


Let’s get started.

Read more →
Rating 0
Comments 0

Visualizing Network Topologies: Zero to Hero in Two Days

Reading time 49 min
Views 29K

Hey everyone! This is a follow-up article on a local Cisco Russia DevNet Marathon online event I attended in May 2020. It was a series of educational webinars on network automation followed by daily challenges based on the discussed topics.
On a final day, the participants were challenged to automate a topology analysis and visualization of an arbitrary network segment and, optionally, track and visualize the changes.


The task was definitely not trivial and not widely covered in public blog posts. In this article, I would like to break down my own solution that finally took first place and describe the selected toolset and considerations.

Let's get started.


Read more →
Total votes 2: ↑2 and ↓0 +2
Comments 0

Linux Switchdev the Mellanox way

Reading time 7 min
Views 2.7K
This is a transcription of a talk that was presented at CSNOG 2020 — video is at the end of the page



Greetings! My name is Alexander Zubkov. I work at Qrator Labs, where we protect our customers against DDoS attacks and provide BGP analytics.

We started using Mellanox switches around 2 or 3 years ago. At the time we got acquainted with Switchdev in Linux and today I want to share with you our experience.
Total votes 18: ↑18 and ↓0 +18
Comments 0

The 2020 National Internet Segment Reliability Research

Reading time 9 min
Views 9.4K

The National Internet Segment Reliability Research explains how the outage of a single Autonomous System might affect the connectivity of the impacted region with the rest of the world. Most of the time, the most critical AS in the region is the dominant ISP on the market, but not always.

As the number of alternate routes between AS’s increases (and do not forget that the Internet stands for “interconnected network” — and each network is an AS), so does the fault-tolerance and stability of the Internet across the globe. Although some paths are from the beginning more important than others, establishing as many alternate routes as possible is the only viable way to ensure an adequately robust network.

The global connectivity of any given AS, regardless of whether it is an international giant or regional player, depends on the quantity and quality of its path to Tier-1 ISPs.

Usually, Tier-1 implies an international company offering global IP transit service over connections with other Tier-1 providers. Nevertheless, there is no guarantee that such connectivity will be maintained all the time. For many ISPs at all “tiers”, losing connection to just one Tier-1 peer would likely render them unreachable from some parts of the world.
Read more →
Total votes 26: ↑26 and ↓0 +26
Comments 0

How Can AI & Data Science Help to Fight the Coronavirus?

Reading time 4 min
Views 1.4K
image

Do you know AI can save us from a worldwide pandemic?

Yeah, it's true. Our global researchers have touted these two buzzing technologies can provide a substantial social benefit to this worldwide health crisis.

Before I begin, I would like to take this moment to say THANK YOU to all our COVID-19 Warriors standing on the frontline and working day and night for us. We can’t thank them enough. Our healthcare staff, police, scientist, security guards, and sweepers. Their contribution is overwhelming and commendable ?

Discovering a drug for any medicine demands the joint efforts of the world's brightest minds. The process is notoriously long, complicated, and expensive. And that's how health experts are involved in searching COVID-19 medicine. In the midst of such a crisis, artificial intelligence solutions are offering a new hope that a cure might appear faster with it.
Read more →
Total votes 3: ↑3 and ↓0 +3
Comments 0

Looking back at 3 months of the global traffic shapeshifting

Reading time 9 min
Views 3.2K
image
There would be no TL;DR in this article, sorry.

Those have been three months that genuinely changed the world. An entire lifeline passed from February, 1, when the coronavirus pandemics just started to spread outside of China and European countries were about to react, to April, 30, when nations were locked down in quarantine measures almost all over the entire world. We want to take a look at the repercussions, cyclic nature of the reaction and, of course, provide DDoS attacks and BGP incidents overview on a timeframe of three months.

In general, there seems to be an objective pattern in almost every country’s shift into the quarantine lockdown.
Read more →
Total votes 27: ↑27 and ↓0 +27
Comments 0

This is how you deal with route leaks

Reading time 2 min
Views 2.7K
That, we must say, is the unique story so far.

Here’s the beginning: for approximately an hour, starting at 19:28 UTC on April 1, 2020, the largest Russian ISP — Rostelecom (AS12389) — was announcing prefixes belonging to prominent internet players: Akamai, Cloudflare, Hetzner, Digital Ocean, Amazon AWS, and other famous names.

Before the issue was resolved, paths between the largest cloud networks were somewhat disrupted — the Internet blinked. The route leak was distributed quite well through Rascom (AS20764), then Cogent (AS174) and in a couple of minutes through Level3 (AS3356) to the world. The issue suddenly became bad enough that it saturated the route decision-making process for a few Tier-1 ISPs.

It looked like this:

image

With that:

image
Read more →
Total votes 22: ↑22 and ↓0 +22
Comments 0

Datacenter TCP explained

Reading time 2 min
Views 3.8K
Modern networking contains a number of improvements over the basic TCP/IP stack. One of this, particularly useful inside datacenter was developed by Microsoft Research in 2010 and called, surprisingly, DataCenter TCP (DCTCP).

DCTCP is a set of modification to TCP, targeting to fulfill two properties:
1. Improve latency for latency-sensitive small messages
2. Not to decrease the throughput for throughput-sensitive big flows
Read more →
Total votes 6: ↑6 and ↓0 +6
Comments 0

PKI Decentralization: Proposed Approaches to Security Improvement

Reading time 7 min
Views 2.5K
The practical means of applying public key cryptography to secure network communications were introduced by Loren Kohnfelder in his MIT S.B. (BSCSE) thesis written in May 1978. After that, the public key infrastructure (PKI) has gone through several iterations of changes and updates, but it still preserves its traditional methodology. PKI requires implicit trust from a single entity or entities chain called a certificate authority (CA). This approach has led to a breakdown in confidence. However, through the years, having one root entity to control the way public key certificates are issued has shown that it can cause major complications with transparency and security.

In this article, we will once again dive deeper into the problems of PKI and consider the solutions being developed that can overcome existing shortcomings.
Read more →
Total votes 3: ↑3 and ↓0 +3
Comments 0

DPKI: Addressing the Disadvantages of Centralized PKI by Means of Blockchain

Reading time 15 min
Views 2.9K


Digital certificates are one of the most commonly known auxiliary tools that help protect data across public networks. However, the key disadvantage of this technology is also commonly known: users are forced to implicitly trust certification authorities which issue digital certificates. Andrey Chmora, Technology and Innovations Director at ENCRY, suggested a new approach for building a Public Key Infrastructure (PKI) to eliminate the existing disadvantages using the distributed ledger (blockchain) technology.
Let's begin with the basics.
Read more →
Total votes 4: ↑3 and ↓1 +2
Comments 0

2019 National Internet Segments Reliability Research & Report

Reading time 9 min
Views 3.5K


This report explains how the outage of a single AS can affect the connectivity of the impacted region with the rest of the world, especially when it is the dominant ISP on the market. Internet connectivity at the network level is driven by interaction between autonomous systems (AS’s). As the number of alternate routes between AS’s increases, so goes the fault-resistance and stability of the internet across the network. Although some paths inevitably become more important than others, establishing as many alternate routes as possible is the only viable way to ensure an adequately robust system.

The global connectivity of any AS, regardless of whether it is a minor provider or an international giant, depends on the quantity and quality of its paths to Tier-1 ISPs. Usually, Tier-1 implies an international company offering global IP transit service over connections to other Tier-1 providers. But there is no guarantee that such connectivity will be maintained. Only the market can motivate them to peer with other Tier-1’s to deliver the highest quality service. Is that enough? We explore this question in the IPv6 section below. For many ISPs at all levels, losing connection to just one Tier-1 peer would likely render them unreachable in some parts of the world.

Measuring Internet Reliability


Let’s examine a case where an AS experiences significant network degradation. We want to answer the following question: “How many AS’s in the region would lose connectivity with Tier-1 operators and their global availability along with it?”
Read more →
Total votes 37: ↑36 and ↓1 +35
Comments 2

Qrator filtering network configuration delivery system

Reading time 6 min
Views 1.3K


TL;DR: Client-server architecture of our internal configuration management tool, QControl.
At its basement, there’s a two-layered transport protocol working with gzip-compressed messages without decompression between endpoints. Distributed routers and endpoints receive the configuration updates, and the protocol itself makes it possible to install intermediary localized relays. It is based on a differential backup (“recent-stable,” explained further) design and employs JMESpath query language and Jinja templating for configuration rendering.

Qrator Labs operates on and maintains a globally distributed mitigation network. Our network is anycast, based on announcing our subnets via BGP. Being a BGP anycast network physically located in several regions across the Earth makes it possible for us to process and filter illegitimate traffic closer to the Internet backbone — Tier-1 operators.

On the other hand, being a geographically distributed network bears its difficulties. Communication between the network points-of-presence (PoP) is essential for a security provider to have a coherent configuration for all network nodes and update it in a timely and cohesive manner. So to provide the best possible service for customers, we had to find a way to synchronize the configuration data between different continents reliably.
In the beginning, there was the Word… which quickly became communication protocol in need of an upgrade.
Read more →
Total votes 24: ↑23 and ↓1 +22
Comments 0

Legacy Outage

Reading time 3 min
Views 2.5K
Two days ago, May 5 of the year 2019 we saw a peculiar BGP outage, affecting autonomous systems in the customer cone of one very specific AS with the number 721.

Right at the beginning, we need to outline a couple of details for our readers:

  1. All Autonomous System Numbers under 1000 are called “lower ASNs,” as they are the first autonomous systems on the Internet, registered by IANA in the early days (the late 80’s) of the global network. Today they mostly represent government departments and organizations, that were somehow involved in Internet research and creation in 70-90s.
  2. Our readers should remember, that the Internet became public only after the United States’ Department of Defense, which funded the initial ARPANET, handed it over to the Defense Communication Agency and, later in 1981, connected it to the CSNET with the TCP (RFC675)/IP (RFC791) over X.25. A couple of years later, in 1986, NSF swapped the CSNET in favor of NSFNET, which grew so fast it made possible ARPANET decommission by 1990.
  3. IANA was established in 1988, and supposedly at that time, existing ASNs were registered by the RIRs. It is no surprise that the organization that funded the initial research and creation of the ARPANET, further transferring it to another department because of its operational size and growth, only after diversifying it into 4 different networks (Wiki mentions MILNET, NIPRNET, SIPRNET and JWICS, above which the military-only NIPRNET did not have controlled security gateways to the public Internet).
Read more →
Total votes 18: ↑17 and ↓1 +16
Comments 0

TLS 1.3 enabled, and why you should do the same

Reading time 4 min
Views 1.6K


As we wrote in the 2018-2019 Interconnected Networks Issues and Availability Report at the beginning of this year, TLS 1.3 arrival is inevitable. Some time ago we successfully deployed the 1.3 version of the Transport Layer Security protocol. After gathering and analyzing the data, we are now ready to highlight the most exciting parts of this transition.

As IETF TLS Working Group Chairs wrote in the article:
“In short, TLS 1.3 is poised to provide a foundation for a more secure and efficient Internet over the next 20 years and beyond.”

TLS 1.3 has arrived after 10 years of development. Qrator Labs, as well as the IT industry overall, watched the development process closely from the initial draft through each of the 28 versions while a balanced and manageable protocol was maturing that we are ready to support in 2019. The support is already evident among the market, and we want to keep pace in implementing this robust, proven security protocol.

Eric Rescorla, the lone author of TLS 1.3 and the Firefox CTO, told The Register that:
“It's a drop-in replacement for TLS 1.2, uses the same keys and certificates, and clients and servers can automatically negotiate TLS 1.3 when they both support it,” he said. “There's pretty good library support already, and Chrome and Firefox both have TLS 1.3 on by default.”
Read more →
Total votes 23: ↑22 and ↓1 +21
Comments 0

Free Wireguard VPN service on AWS

Reading time 9 min
Views 63K

Free Wireguard VPN service on AWS


The reasoning


The increase of Internet censorship by authoritarian regimes expands the blockage of useful internet resources making impossible the use of the WEB and in essence violates the fundamental right to freedom of opinion and expression enshrined in the Universal Declaration of Human Rights.


Article 19
Everyone has the right to freedom of opinion and expression; this right includes freedom to hold opinions without interference and to seek, receive and impart information and ideas through any media and regardless of frontiers.

The following is the detailed 6 steps instruction for non-IT people to deploy free* VPN service upon Wireguard technology in Amazon Web Services (AWS) cloud infrastructure, using a 12 months free account, on an Instance (virtual machine) run by Ubuntu Server 18.04 LTS.


I tried to make this walkthrough as friendly as possible to people far from IT. The only thing required is assiduity in repeating the steps described below.

Read more →
Total votes 3: ↑3 and ↓0 +3
Comments 0

Bad news, everyone! New hijack attack in the wild

Reading time 9 min
Views 5.4K
On March 13, a proposal for the RIPE anti-abuse working group was submitted, stating that a BGP hijacking event should be treated as a policy violation. In case of acceptance, if you are an ISP attacked with the hijack, you could submit a special request where you might expose such an autonomous system. If there is enough confirming evidence for an expert group, then such a LIR would be considered an adverse party and further punished. There were some arguments against this proposal.

With this article, we want to show an example of the attack where not only the true attacker was under the question, but the whole list of affected prefixes. Moreover, it again raises concerns about the possible motives for the future attack of this type.
Read more →
Total votes 21: ↑20 and ↓1 +19
Comments 0

Authors' contribution