Originally aired on July 30, 2020 @ 12:00 AM - 12:30 AM EDT
A weekly review of stories affecting the Internet, brought to you by Cloudflare's CTO. We'll look at outages, trends, and new technologies — with special guests to help us explore these topics in greater depth.
Original Airdate: July 17, 2020
Okay, well, it is 2:30 here in Lisbon. Welcome to This Week in NET, which is my little show about things that have happened in NET. So NET being both Cloudflare, because that's of course our ticker symbol on the New York Stock Exchange, but also in the Internet at large. And in this week's edition, I'm going to talk a little bit about some Internet stuff and some Cloudflare news as well. If there are things you'd like me to cover on This Week in NET, I'd love to hear from you. And you can write in to livestudio at Cloudflare.tv, livestudio at Cloudflare.tv, and those questions will get sent to me, and I can include them in the show. I do this typically on a weekly basis, and it's good to hear about the kind of subjects people would want me to discuss over time. I tried to look back over the previous week in terms of stories that have affected you, or the Internet, or Cloudflare in some interesting way, and I tend to focus on the technical or trends. But nevertheless, send something in, livestudio at Cloudflare.tv, and I will be more than happy to try and answer that. All right. If you've been watching this show and my Monday show, which is Threat Watch, you will know that there has been a very large Internet outage in Ethiopia, which has been lasting for some time. So after the killing of a very popular singer and activist in Ethiopia, there was civil unrest, and the government shut off the Internet. Their reasoning was that there were stories circulating on sort of fake news on social media, and it was important to control the situation. That was their stated reason, and the Internet was shut off. And this was pretty much a blanket shutdown. Internet usage dropped to about 1% from our perspective of what it had been before. And initially, there were only a small number of government users who seemed to have access to the Internet. 
Not long after that, some more perhaps central parts of the economy got access to the Internet, so we heard anecdotally that some banks in Addis Ababa and other parts of Ethiopia had access to the Internet, and that actually people were begging friends who worked in those banks to give them access to the Internet. So this is what it kind of looked like when I looked at it the other week. The Internet was, this is traffic from Cloudflare's perspective that we see reaching us from Ethiopia, starting on the 1st of May on the left, going up until the end of June when the murder happened. And you can see that there was fairly consistent, it goes up and down depending on weekends and things that are going on, but there was a fairly consistent use of the Internet happening. And then this dramatic shutdown. And if you look at this graph, there's a couple of things you can see. First of all, this is very dramatic, it went down to about 1% of where it had been before. And you can see for the first couple of days, it was relatively flat. And then there was this little uptick, you kind of see the uptick. And that's what we think is when some of those institutions like banks seem to have got access back to the Internet. And this continued for a long time, this outage. So we've seen outages in many countries around the world, of two, three days, maybe a week, something like that. We also see partial outages. So for example, it's not uncommon to shut off just mobile telephone networks, or just specific applications, like, you know, please shut down all social media, but let everything else work. Or do it regionally. So in a particular area in a country, right now, it's quite widespread in India, in Kashmir, that there are bits that are shut down, or have limited access, rate limiting, or shutdowns. So in Ethiopia, it was really the entire country. Now, the Internet has now actually come back on to a certain extent. 
So the Internet was essentially off for about two weeks, down there at that 1-2% kind of level. And now mobile, so now fixed line, broadband and dial-up kind of connectivity has been reestablished. So you can see that Internet users come back up again, but it's still nothing like the levels it was before. And that's because mobile Internet access and 4G, 3G type access is still not available in Ethiopia. So that was the picture this morning. I took a look at the data from our perspective. So I think we're back at around 50% of the level that Ethiopia had prior to the shutdown. So a pretty prolonged shutdown. And what we heard from people in Ethiopia who are running businesses that it became necessary, perhaps to either, you know, get a friend who might have access to the Internet to continue doing your work, or maybe even fly to another country to carry on working. So a really prolonged shutdown in Ethiopia, slightly unusual situation. All right. Now I want to talk a little bit about expansion of the Cloudflare network. As you probably know, Cloudflare has a point of presence in 200 cities worldwide. And that covers a very large number of countries. And the idea is, we want to have our service, our hardware close to where the end user is. So if you think about our network, it's really about bringing the Internet to users. And of course, people are all over the world, spread out in different countries, spread out in different regions, in large cities and small locations. And what we try to do is get as close to end users as possible. And that's why we have those 200 cities. And the reason we do that is twofold. One is, it gives us high performance for those end users. You can't beat the speed of light. The speed of light is a problem for anyone doing anything interactive on the Internet. You know, one of the reasons why, if you're walking down the street, you can stream music onto your phone across a mobile phone connection or even a video. 
But when you go on the web, it seems slow. It's because those two things use the Internet in a different way. That streaming is essentially a one way transaction. The music or the video is coming to your device. And so as bandwidth has gone up, the number of bits you can do per second, then so has the ability to do things like music and video on your mobile phone. And equally at home, you can do things with faster connections. But the speed of light has not changed. And so the issue is that if you do something interactive, like you use an app to call an Uber or you go on a website, there's a back and forth with the website giving this information. Is there a car available? If it's an app, where is the car right now? And those back and forth incur the cost of the speed of light. And even though the speed of light seems absolutely enormous, it really is not that large for the purposes of anything interactive. And the size of the planet we're on means that some locations, particularly here we have Australia and New Zealand, have slow Internet for anything that's outside the country because they are distant. Now, luckily, Australia has a plan to deal with this. Australia is actually drifting northward. And at some point, we'll get faster Internet speeds because we'll get closer to the rest of the world. But speed of light, fundamentally, how do you how do you deal with it? You bring service to everywhere. So we had 200 cities worldwide. And we continue to build out this network because there are populations that are underserved by a network. And we want to be as close as we can to those users. The other thing is about being close to users, we can stop attacks where they start, particularly DDoS attacks, the first D in DDoS is distributed, that means it comes from many places around the world. 
And if you think about a DDoS attack, coming from all over the world from the botnet, and attacking a particular server or website or API or mail server or whatever, you want to stop that traffic early. If you can stop it early, then it won't get to the target and the target won't be overwhelmed. It's much easier to stop many, many small attacks than one large one when it reaches its final destination. So by having servers all over the world, when a distributed denial of service attack starts, our servers around the world can block it. And essentially, the size of the attack is spread out across the network, and the network itself is stronger than a single location would be. So we didn't have scrubbing centers, we have 200 locations worldwide, where we have servers, and that's what we do. So those two things are really, really fantastic. And the other thing that happens when you bring faster Internet to people, especially more interactive Internet, is they use the Internet more. And if you just think about this from your own perspective, if you go to a website, for example, that is very slow to respond, then you don't do as much on that website. For example, if it's an e-commerce website, you don't look at as many pages, you don't make a decision, perhaps about what you want to buy. And so typically, when we drop servers into a country, we actually see utilization from that country go up, because people can now do more on the Internet. So having given that introduction, let's talk about the network as it currently stands. Sorry, I think I've got a... Oh, sorry, I've missed a slide. One of the things you might want to know is how you know which one of our points of presence you are connecting to. And actually, there's three really interesting ways to do that I'm going to show you depending on the way in which you'd like to operate. So one way is to go to our speed test website. So Cloudflare has a speed test website, speed.Cloudflare.com. 
And it will test the performance of your network. And I ran it slightly earlier on today sitting at home here in Lisbon. And I got, you know, under 100 megabits per second, because I was sitting outside on Wi-Fi a little bit far away from my router. So pretty good, though, and pretty good latency of seven milliseconds. And if you look at the map down on the bottom left, you can see that I was connected to servers in Lisbon. So this will show you the nearest servers you're connecting to, and you will know then what you're connecting to. And it can give you a lot more detail. If you want to go to speed.Cloudflare.com, you can find out a lot more about the speed of your connection, the latency, how it works on the load, jitter, all those kind of things. So speed.Cloudflare.com is one way to figure out what server you're nearest to. Another way if you're into that is to go and use curl. So every website that uses Cloudflare has a special URL attached to it, which is /cdn-cgi/trace. And this is a piece of debugging functionality, which can give you information. We often ask our customers, give us a trace, and we can figure out where you are. And so you can do this. I did it with my website, jdc.org, which is on Cloudflare. And I just curled it. Obviously, you can do this in a browser, too. And it prints out a bunch of information. So you can actually see in there, the colo is LIS. LIS is Lisbon. We use the three-letter airport codes for those locations. The servers aren't actually in the airport, but it gives you a sense of where they are. So that's in Lisbon. You can also see some other stuff. It geo-located me to Portugal, the PT there. You can see what I was doing, which is I was using TLS 1.2. That's what curl had built into it. It was using HTTP/2 for the connections. And warp, so Cloudflare's un-VPN product, the VPN, for people who don't know what a VPN is, was switched off. 
And that's because I was doing this on my laptop, and I wasn't using a warp client on my laptop. Warp is another way you can figure out what Cloudflare data center you're connected to. So you can go into warp. So if you have warp on your phone, you can go to warp, and you can click on the hamburger menu at the top, and it will take you to settings. And under settings, there's advanced. And under advanced, there's diagnostics. And within diagnostics, it tells you a bunch of information, what protocols you're using, how much data you've used. And again, you can see the colo. So you can do all of those things to figure out how you're connected. One of the fun things to do with warp is to connect using your mobile phone carrier versus Wi-Fi and discover where you end up. Now, with most of us not roaming because we can't travel because of COVID-19, we won't see some of the interesting things. But for example, here in Portugal, if I use my phone with a UK SIM card, then it turns out that my colo will either be in London or Manchester. So my Internet is actually going all the way back to the UK before connecting to the Internet, which is a surprising thing about how mobile telephones work. And if I use Wi-Fi, then I get connected to Lisbon. So you can actually have some fun with warp to see where your mobile phone carrier actually connects to the Internet. And it probably isn't very close to where you are physically. All right, let's go back to the Cloudflare network. So this is a map as it stands today of all of the cities in which we have servers. And as you can see, they are all over the world. If you overlaid on top of this where the population in the world is, you would see that we are very close to where the population is. There are some areas where we need to build out. So a little bit more in South America, some more in West Africa and Asian Africa in general. 
And you may know that we announced a partnership with JD.com some time ago to build out a very large number of data centers inside China, because about a third of the Internet's users are in China. But we are where the people are. And we announced this week that we have added six new locations, bringing five new countries onto the map, which actually pushes Cloudflare over into the 100 countries where we have servers. And given that there are only a couple of hundred recognized countries in the world, we're really covering where everybody is. The other thing not to forget is that Cloudflare also provides an edge computing or serverless platform called Workers. And because of the architecture of our network, where everything is uniform, every one of these locations runs that Workers code. And that means if somebody deploys an application on Workers, it will run in all 200 plus cities around the world in 100 countries around the world, making it really, really fast to execute. And there's a great blog post on the Cloudflare blog today about doing server-side rendering for web applications using the edge using Cloudflare Workers around the world. I commend you to that article. It's really interesting about how you can do that. And this is really the new architectural things. Okay, so six cities around the world. Let's take a look at where they are. So this is a new country for us, Suriname is a new country for us. And we're in the capital, Paramaribo. And this graph shows you something interesting. This is comparing us against three of our large CDN competitors. And it's comparing the 50th percentile response time in milliseconds. So how long it takes to get to an asset on those different devices. And you can pretty clearly see we're the line at the bottom. When we turned up that data center in Paramaribo, you can see the latency dropped from well, what everybody was getting, which is sort of 100 to 130 milliseconds, right down to about 20 milliseconds. 
And that means that users in Suriname have got a much, much faster Internet for anything that's on Cloudflare, which as you know, is a huge percentage of the web and Internet applications in general. But what were the five more? Okay, so there's one here, which we really already had a data center. So in Malaysia, in Johor Bahru, we've added a second data center. This is the second largest city in Malaysia. We see Malaysia has a very large population. And we're now covering that population by being in other cities as we do around the world. We don't just have one location in the country, which makes sense. But you can have a look. So in Vientiane in Laos, Laos has a very big 4G mobile infrastructure. People are accessing the Internet mostly via mobile. Now they're getting it through Cloudflare data center there. In Tegucigalpa in Honduras in the capital. Honduras is actually one of the countries with the lowest use of the Internet, something like about 41% of people have Internet access in Honduras in Central America. But we're bringing access to them. And hopefully that will increase utilization. As I said before, once you use something, once you put a service in a country, Internet gets faster, people tend to use it more. In Africa, jumping over the African continent in Liberia, in the capital Monrovia, we now have a data center handling the population there. And finally in Brunei in Bandar Seri Begawan, we also have a location. So in Brunei being, I think it's the second country by size, the smallest country by size in Southeast Asia after Singapore. So covering the world now with more than 100 countries, more than 200 cities around the world. And we continue to grow. This isn't by no means done in bringing the Internet, the fast and local Internet to everybody we can around the world. Okay. Let's just change tacks and go down under. And by down under, I don't mean to Australia and New Zealand, I mean to Antarctica. 
So right now in Antarctica, it is the winter time. And during the winter, the population of Antarctica drops quite a lot because many of the research stations there have some of their staff leave, but not all of them. There are people who overwinter in various bases for various countries in Antarctica. And nobody lives full time in Antarctica. It's in fact not permitted to have your actual home address be Antarctica, but there are many scientists working there from different countries around the world. And how they get Internet is really quite complicated. One of the things that you might think is, well, surely satellites are the answer if it's difficult to get there. Unfortunately, if you imagine the globe spinning and the equator, most of the satellites that would handle Internet access for a place like Antarctica are geostationary. That means they're above the equator and they only have a certain angle they can see around the world. And Antarctica being on the bottom is really pretty much out of view of those satellites. So you do have some satellites in special locations, but satellite coverage in Antarctica is really difficult. Nevertheless, it is used. There are of course ships that have mobile access on them that also get access. But to give you an idea, McMurdo station, which is the US polar Antarctic survey, they have a station with essentially what's the size of a little town, a few thousand people in the summer, and they have a single Internet connection, which runs something like 20 megabits per second. So here I am in the luxury of Lisbon with a gigabit connection, and there's essentially the entire population of a small town relying on this one connection in the US one, and other countries have similar issues with access. So obviously access to the Internet is very controlled and throttled, and so people can't just download lots of Netflix streams because that would stop the work that's going on there. 
But as I said, the population of Antarctica actually reduces during the winter, and the winter is now, and actually towards the end of March, a lot of people leave, and there's the crews that prepare to overwinter on the continent. And you can actually see that in our data now. I have a graph here which shows what happens with Internet access. So this is requests hitting Cloudflare sites since the beginning of the year that are geolocated to Antarctica. Now this is a bit of a complicated topic because not everything in the geolocation database that is in Antarctica is marked as Antarctica, because some of the locations that get Internet access via satellite will look like they're coming from where their satellite provider is. So this data has to be taken with a little bit of a pinch of salt, but it gives you a sense that towards the end of March, when a lot of people leave Antarctica, the Internet use drops quite dramatically. Having said that, the Internet use is not large, you know, with only sort of tens of megabits of connectivity and Internet uses, but it's not very large. But nevertheless, you can kind of see the human impact on things. And I'll update this when summer returns in Antarctica, and we should see this go up again. If anyone on Antarctica is streaming this or watching it or knows someone there, I would love to talk to somebody about Internet access in Antarctica and perhaps get them on one of my shows or do a text interview if that's more appropriate, given the Internet access that you have. And that's it for this week in NET. So as I said at the beginning of the show, if you have ideas about what you'd like me to talk about, livestudio.Cloudflare.tv is the right place to go, and I'll happily answer your questions or include things in the show. If there's a story that I missed this week, please write in because there's a lot happening. There are many things I didn't cover. 
So for example, we had the quite dramatic hack of Twitter, which is still really something that's playing out. I thought about talking about it on the show, but until I think we have a conclusion for exactly how it happened, it's not something we're going to talk about. But it's an interesting thing. There's also been a number of CVEs, new attack types against different types of hardware that the WAF and Cloudflare is protecting. And I'm going to talk about some of those on Monday in Threat Watch. But this is John Graham-Cumming. Thank you very much for watching. This is This Week in NET. I hope you have a good weekend.
Transcribed by https://otter.ai
Cloudflare Gateway protects offices, homes, and corporate networks from malware and other security threats without sacrificing performance. Gateway provides a secure DNS resolver and filtering service that inspects and logs all DNS queries to apply policies that either block or allow the request. This video will show you how to get started with Cloudflare Gateway by configuring a location, creating a policy, and using that policy to block security threats. To get started, navigate to the Cloudflare Gateway dashboard at dash.teams.Cloudflare.com. If you don't have a Cloudflare account, you can sign up and the browser will redirect you back to the Gateway Overview page. Now, let's configure a location. A location is typically a physical location, like your home, office, store, or a data center that you'd like to protect. For this demo, let's call our location aus-1. Gateway should automatically detect your IP address, which allows Gateway to know which requests are coming from your location or network. Now, let's configure the DNS resolvers. To take full advantage of Cloudflare Gateway, you should change your router settings to the Gateway IP addresses. For this demo, I'm only going to use the IP addresses that Gateway assigns. Now, let's configure the DNS resolvers. 
To do this on a Mac, go to your laptop's system preferences, click Network, then Advanced, and navigate to the DNS tab. You'll see your existing Internet provider's DNS server IP address here. Add in the IP addresses from the Gateway dashboard by clicking the plus sign. If your network supports IPv6, make sure to add the IPv6 address here as well. Click OK, then Apply. Now, my laptop is sending all of its DNS queries to Gateway's DNS resolvers. To complete the location setup, navigate back to the Cloudflare Gateway dashboard and click Complete Setup. After configuring your first location, you'll see the Gateway Overview page. Here, you can view your location's requests and if they were allowed or blocked. After the initial setup, the graph may take a few minutes to show data. While we're waiting on the data to populate, let's confirm that our location was properly configured. It looks like our location is properly configured, but as you can see, there's no policy assigned. Let's create one. Create a policy and apply it to your location to protect your network from Internet security threats like malware and phishing. The policy will control what the user can or cannot access while connected to your location. To create a policy, click Policies, then Create a Policy. For the purposes of this demo, I'm going to create a policy that blocks malware and social media. Let's call this No Malware or Social Media. We'll assign it to our location by clicking here. Here, you can enable a blocked page, which will show if a user attempts to access a page that's been blocked. Let's enable it, then click Preview to see what a blocked page would look like. Let's disable it for now. You can also enable Safe Search, which allows Cloudflare to automatically filter content based on the same restrictions that large search engines use to protect users from explicit content. Now, let's identify what security threats we want Cloudflare Gateway to protect against. 
Gateway allows you to block all security threats listed here with one click, which include malware, phishing, and spam. Let's just block malware for now, then move on to the content categories. Gateway allows you to block certain content categories. Since we want to block social media with this policy, click Society and Lifestyle, then Social Networks. If you'd like to allow or block a specific domain, you can do that in the Allow Block tab. Let's enter chatgoogle.com to ensure that it's blocked and click Add Domain. Now that the policy has been configured, let's click Add Policy. The policy will propagate throughout the Cloudflare network in a few seconds. So in the meantime, let's check out the Gateway Activity Log. The Activity Log is where you can see all the requests to your configured location. You can also see what content categories the requests were associated with. This request was associated with content servers and information technology content categories. It was an HTTPS request created from the AUS-1 location and was allowed as it didn't trigger the policy. Now, let's test our policy to make sure that it works properly. Let's test the social media portion of our policy by attempting to navigate to Twitter. Shortly after hitting Enter, you'll see an error page indicating that Twitter cannot be reached. Cloudflare Gateway has successfully intercepted the request and blocked the page accordingly. During this Cloudflare Gateway walkthrough, you saw how to configure a location, create a policy, and use that policy to block Internet security threats. To learn more about Cloudflare Gateway, navigate to teams.Cloudflare.com backslash gateway. Hi, we're Cloudflare. We're building one of the world's largest global cloud networks to help make the Internet faster, more secure, and more reliable. Meet our customer, HubSpot. They're building software products that transform the way businesses market and sell online. 
My name is Keri Muntz, and I'm the Director of Engineering for the Platform Infrastructure Teams here at HubSpot. Our customers are sales and marketing professionals. They just need to know that we've got this. We knew that the way that HubSpot was growing and scaling, we needed to be able to do this without having to hire an army of people to manage this. That's why HubSpot turned to Cloudflare. Our job was to make sure that HubSpot, and all of HubSpot's customers, could get the latest encryption quickly and easily. We were trying to optimize SSL issuance and onboarding for tens of thousands of customer domains. Previously, because of the difficulties we were having with our old process, we had about 5% of customers SSL-enabled. And with the release of version 68 of Chrome, it became quickly apparent that we needed to get more customers onto HTTPS very quickly to avoid insecure browsing warnings. With Cloudflare, we just did it, and it was easier than we expected. Performance is also crucial to HubSpot, which leverages the deep customization and technical capabilities enabled by Cloudflare. What Cloudflare gives us is a lot of knobs and dials to configure exactly how we want to cache content at the edge, and that results in a better experience, a faster experience for customers. Cloudflare actually understands the Internet. We were able to turn on TLS 1.3 with zero round-trip time with the click of a button. There's a lot of technology behind that. Another pillar of HubSpot's experience with Cloudflare has been customer support. The support with Cloudflare is great. It feels like we're working with another HubSpot team. They really seem to care. They take things seriously. I've filed cases and gotten responses back in under a minute. The quality of the responses is just night and day difference. Cloudflare has been fantastic. 
It was really an exciting, amazing time to see when you have teams working very closely together, HubSpot on one side and Cloudflare on the other side, on this mission to solve for your customers' problems, which is their businesses. It really was magic. With customers like HubSpot and over 10 million other domains that trust Cloudflare with their security and performance, we're making the Internet fast, secure, and reliable for everyone. Cloudflare. Helping build a better Internet.