This Week In Net
Presented by: John Graham-Cumming
Originally aired on June 1, 2022 @ 11:30 PM - 12:00 AM EDT
A weekly review of stories affecting the Internet, brought to you by Cloudflare's CTO. We'll look at outages, trends, and new technologies — with special guests to help us explore these topics in greater depth.
Week of June 26, 2020
Transcript (Beta)
and John Graham-Cumming. We're going to start out today with Starlink.
There is a launch of Starlink satellites for today.
It was meant to be yesterday, but the launch was put back. It will bring the total Starlink constellation up to about 600 satellites.
And that's putting Starlink in the position of starting to think about offering service, as there are now quite a lot of satellites actually in space.
You can watch that this evening at 8.18 UTC.
If you want to watch the satellites after they've taken off, it is actually quite possible.
There is a wonderful website, findstarlink.com.
You put in your location and it will give you an estimate of the best time to see the satellites.
I highly recommend doing this. The satellites are in an orbit that will take them over many locations in the world.
And when they're first launched, they're all launched together and they cross the sky like Father Christmas, maybe, or something from a Studio Ghibli movie.
And it's well worth looking out for.
They're very visible with the naked eye if the sky is clear. So put in your location, findstarlink.com and find it.
And Starlink itself is now actually asking people on their website to express interest in the service.
You can go to starlink.com, enter your email address, your country, your postal code and submit.
And you'll be put on a mailing list to figure out when service might start.
So if you're the kind of person who likes to adopt things early, starlink.com is the place to go.
If you like watching rocket launches, SpaceX will have it tonight. And if you like looking at the sky, findstarlink.com.
All right, this week is also WWDC 20, Apple's major developer event.
And of course, it's being held virtually this year.
But that hasn't stopped there being a lot of announcements. Obviously, the big announcement was probably that Apple is planning to switch from Intel to ARM-based processors, or at least Apple processors, which will have an ARM core.
But there are some tasty things for those of us who are interested in the Internet in terms of security, privacy, and performance.
And so first up is QUIC. Now QUIC, which is now known as HTTP 3, as it's becoming standardized, is something that Cloudflare has supported for a long time.
Back in 2018, we announced preliminary support with a website, Cloudflarequic.com, where people who were building browsers and other tools could test their protocol.
We've done this many times to help progress the Internet by putting online websites or other services that people can test against and implement protocols as they're being developed.
And then a year later, at birthday week of last year, we announced that we were making it widely available to all of our customers.
Now HTTP 3 is available to everybody. And initially, HTTP 3 was primarily available only in Chrome, because it had come from there, but it gradually spread out to all the other browsers.
And so one of the things that was announced at WWDC this week, is that HTTP 3 will be supported in Safari 14.
And that brings the last real major browser into the HTTP 3/QUIC world.
And we'll, I think, see a great increase in adoption by users. Now, if you are using Cloudflare, and you want to support HTTP 3, it's as simple as pressing the HTTP 3 button in the UI: you can go in and turn it on, and then it will be enabled.
And this was defaulted to off for a long time. Eventually, this will get defaulted to on for our customers, as HTTP 3 becomes much more widespread.
And with Safari supporting it, I think it's very, very likely to become very widespread now, as that was the last major browser that didn't, even the curl command line tool supports it.
Next up was WebP. Now WebP is a standard created by Google for images and for image compression.
Most of what goes across the Internet is video and images and compression is really vital to making the Internet work quickly.
And there are many different ways of compressing images.
So JPEGs have one compression technique, PNGs have another, GIFs have another.
And there are some other formats out there, JPEG 2000 from Microsoft, and AVIF, which is something which is coming down the pike and is getting more and more popular.
But WebP has been around for a while, specifically designed by Google for fast loading of images over the web.
And we've supported it for the last four years. Four years ago, David Rag on our team wrote a blog post about our support for WebP.
Cloudflare has a product called Polish, which automatically transforms images, it recompresses them to make them as small as possible, without losing quality, so that websites and apps load quickly.
And we supported WebP as an alternative to the other standard things like JPEGs, PNGs, and GIFs.
And there was a blog post that went out four years ago, which compared the performance in terms of compression, and it was pretty favourable for what we were doing.
So WebP, we've been supporting it since 2016, major browsers have been supporting it, and now Safari 14 will support it.
Again, if you want to use Polish, it's available in the Cloudflare dashboard, you turn it on, you can choose lossy or lossless compression.
And there's a WebP button if you want to support this alternative format.
And at the time when we launched this, it was kind of an alternative format.
But with Safari coming into the fold, it's going to become extremely mainstream across all the browser platforms.
The other announcement that was at WWDC was that Apple is going to support encrypted DNS this year, both within the operating system and within applications.
And this is a huge announcement. And if you've been following what's happened around DNS, you will know that the DNS protocol itself is entirely unencrypted.
And there have been various standards proposed to actually encrypt DNS.
So DNS over TLS, which is called DoT, or DNS over HTTPS, which is sometimes called DoH.
And these two protocols can be used to encrypt DNS from a client, from your phone, your laptop, all the way back to a DNS server of your choice.
Most people don't choose their DNS server, it's either assigned by their company, or it's assigned by their ISP.
But with encrypted DNS, it gives you a bit more choice. And one particular browser producer, Mozilla, has been particularly far reaching in this, in providing encrypted DNS within the browser.
But Apple is going much further, not only are they doing it within applications on their platform, but they're doing it within the platform itself.
And there's a video on the WWDC website that explains what they're doing.
But this is a big step up in terms of privacy, because it means that DNS queries, which, if you think about it, are kind of a record of every website and everything you do, because fundamentally, before you go anywhere on the web, or in an app, you have to do a DNS lookup to turn a name like apple.com into an IP address.
And so if you can snoop on DNS, you can learn a lot about someone.
Encrypting it makes that a lot, lot safer. It also prevents DNS queries from being modified.
And one of the strange things about DNS is that it's one of the last unencrypted protocols.
And it's actually very easy to send a response that somebody didn't ask for.
So you go and ask for apple.com, and you get back an IP address that wasn't apple.com.
And that's because it's unencrypted.
So encrypted DNS also provides that protection. And what Apple has done is they have listened to all of the people who were worried about implementation of encrypted DNS, and provided the things they need to be able to control it.
So corporations can control this configuration, using what's called an MDM, the device management for the device, and set the DNS server they want.
So they can send it to their corporate DNS, for example, but it could still be encrypted and still be protected.
And that can be very useful, where a company uses DNS internally with some private DNS names.
But they've also integrated it with things like the detection of captive portals, so that when you're trying to log in at a coffee shop with its own Wi-Fi, you don't have to worry about somehow encrypted DNS causing confusion.
And so they've built a complete platform for doing this. And it can be done within the operating system, or on a per-app basis.
And it's also part of the privacy framework for Apple as well, so that you will be able to understand when your requests are encrypted and when they're not.
And if an app wants to use it, you'll be asked if you want to use encrypted DNS.
So I think this is a big step forward.
And we should expect other operating system manufacturers to do the same thing.
But once again, Apple is way ahead here in terms of privacy.
Just talking specifically about browsers, Mozilla Firefox has for a long time been promoting encrypted DNS, so DNS over HTTPS and DoT, and actually partnered with Cloudflare to provide an encrypted DNS service from the Firefox browser into our 1.1.1.1 service.
And in doing so, Mozilla created something called the Trusted Resolver Program, which defines some rules that resolvers have to follow.
So one of the concerns about DNS being over HTTPS was that it might somehow become centralized, and that some centralized organization might be able to then look at the DNS queries you're making and perhaps show you ads, or figure out what you're doing on the Internet.
And so Mozilla wanted to attack this problem, and they set up these rules for resolvers.
And there are two companies that currently provide those resolvers; one is Cloudflare.
We had always had a very strong privacy component of our resolver.
In fact, if you go to 1.1.1.1, you can read all about our privacy commitment, so much so that we actually had an auditing company come in and audit that we were actually following what we said we were going to do in keeping people's information private.
So Mozilla worked with us early, and the other one is NextDNS, which also provides a trusted resolver in the Mozilla program.
What's interesting this week is that for the first time, an ISP has decided to sign up and be part of it.
And so Comcast in the US has become part of Mozilla's program.
They themselves will be offering an encrypted DNS server, and they will be complying with the data retention and transparency rules that Mozilla puts in place.
And this is very important because one of the concerns about DNS being unencrypted was the amount of information that an ISP might be able to gain just by snooping on what you were doing and what websites you were going to, what you did on the Internet, because of all those unencrypted DNS requests.
Now Comcast, by signing up for Mozilla's program, is making a very strong statement about the privacy of DNS itself.
Just to take a look at that, what happens with DNS over HTTPS is there's an encrypted connection between you, your laptop, your phone, for example, and the DNS resolver.
And that DNS resolver could be pretty much anywhere, particularly when it's a DNS over HTTPS, it's hard to distinguish DNS traffic from the rest of the web, which makes it hard to block, which means that you, the end user, can choose which server you want to use.
So for example, if you choose to use Cloudflare's DNS, all of your requests go over an encrypted connection using the same kind of encryption we use for the web. It's TLS, or sometimes people call that SSL, and that connection could come all the way to Cloudflare. We're part of their trusted program, and so we comply with the privacy rules of Mozilla, which wasn't hard because we already had those kind of rules. And an eavesdropper or a hacker cannot read what you're doing, cannot understand where you're going, or modify those responses.
Now what Comcast has done is they put an encrypted DNS resolver within their own network, and their own subscribers can connect to that as an alternative.
So this is great, it increases the amount of support there is for encrypted DNS, which is vital, as Apple has done with including it in the operating system, and it also shows the way for other ISPs.
If Comcast can do it, so can everybody else, and I truly hope they will.
If you look at the things that Mozilla asks people who are part of their program, one of them is that they limit the amount of data, and it is not retained for more than 24 hours, and it cannot be sold, shared, or licensed to other people.
So this means that even if you use Comcast's resolver, your data stays within Comcast, and does not get used for other purposes, and gets deleted.
So that's a big win. There's also a requirement around transparency, that means that anyone who uses the Mozilla program, in this case Cloudflare, NextDNS, and Comcast, they have to publicly talk about their policy, and make that commitment to users.
And finally, they're not allowed to block or modify DNS requests.
Some ISPs do this. Mine in the UK used to do this: if I typed in a DNS name wrong, instead of getting an error, I would actually get a friendly page from my ISP telling me, you made a mistake, by the way, here's a bunch of ads, and here's some things you might like to click on.
That's disallowed. The Mozilla policy allows changing DNS requests if it's required by law, but not just because there's some commercial interest in doing so.
So good on you Comcast for signing up for this program. Good on you Mozilla for creating this program.
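The segment above says DNS is unencrypted, that a reply nobody asked for is easy to inject, and that DoH wraps the same queries in HTTPS. The following is an added example, not code from the show or from Cloudflare: it builds a DNS query in wire format (the exact bytes a DoH client posts as application/dns-message under RFC 8484), forms the RFC 8484 GET URL, and parses a reply while checking the only two things a plain-UDP client has to tie a reply to its query, the 16-bit transaction ID and the question section. The resolver path https://1.1.1.1/dns-query and the reply bytes (with the documentation address 192.0.2.1) are constructed for illustration, so the script runs offline.

```python
"""Added example, not from the Cloudflare TV transcript: the DNS wire-format
message that DNS over HTTPS (RFC 8484) carries as application/dns-message,
built and parsed offline.  The resolver URL is an assumption for illustration;
the reply bytes are constructed here, not a real 1.1.1.1 answer."""
import base64
import struct

QTYPE_A = 1
QCLASS_IN = 1
MAX_POINTER_HOPS = 16


def encode_name(name: str) -> bytes:
    """Encode 'apple.com' as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label length in {name!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, txid: int, qtype: int = QTYPE_A) -> bytes:
    """Standard query: 12-byte header (flags 0x0100 = recursion desired) and
    one question.  A client sends exactly these bytes over plain UDP port 53,
    or posts them, unchanged, inside an HTTPS request for DoH."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN)


def doh_get_url(resolver_url: str, query: bytes) -> str:
    """RFC 8484 GET form: the query as unpadded base64url in the 'dns' parameter."""
    b64 = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{resolver_url}?dns={b64}"


def decode_name(msg: bytes, off: int):
    """Read a name at offset, following RFC 1035 compression pointers.
    Returns (name, offset just past the name at its original position)."""
    labels, end, jumped, hops = [], off, False, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # 2-byte pointer to an earlier name
            hops += 1
            if hops > MAX_POINTER_HOPS:
                raise ValueError("compression pointer loop")
            if not jumped:
                end = off + 2
            jumped = True
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            if not jumped:
                end = off
            return ".".join(labels), end
        labels.append(msg[off:off + length].decode("ascii"))
        off += length


def parse_response(msg: bytes, expected_txid: int, expected_name: str) -> dict:
    """Parse A answers and refuse replies that don't match our question.  Over
    plain UDP the ID and the question are all a client has to match a reply
    to its query; encryption (DoT/DoH) is what makes injection impractical."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if txid != expected_txid:
        raise ValueError("transaction ID mismatch: not a reply to our query")
    if not flags & 0x8000 or qd != 1:
        raise ValueError("not a single-question response")
    qname, off = decode_name(msg, 12)
    qtype, _qclass = struct.unpack("!HH", msg[off:off + 4])
    off += 4
    if qname.lower() != expected_name.lower().rstrip(".") or qtype != QTYPE_A:
        raise ValueError("question section does not match our query")
    answers = []
    for _ in range(an):
        rname, off = decode_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        if rtype == QTYPE_A and rdlen == 4:
            answers.append((rname, ttl, ".".join(str(b) for b in rdata)))
    return {"rcode": flags & 0xF, "answers": answers}


def constructed_response(txid: int) -> bytes:
    """Hand-built reply for offline use (constructed, not captured); 192.0.2.1
    is a documentation address, not apple.com's real one."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)  # QR, RD, RA set
    question = encode_name("apple.com") + struct.pack("!HH", QTYPE_A, QCLASS_IN)
    answer = (b"\xc0\x0c"  # pointer to the name at offset 12
              + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, 300, 4)
              + bytes([192, 0, 2, 1]))
    return header + question + answer


if __name__ == "__main__":
    q = build_query("apple.com", 0x1234)
    print(doh_get_url("https://1.1.1.1/dns-query", q))  # assumed endpoint path
    print(parse_response(constructed_response(0x1234), 0x1234, "apple.com"))
```

The point of the ID and question checks is that they are the whole of the matching a stub resolver can do on an unencrypted transport; the DoH URL shows that the message itself is unchanged, only the carrier is, which is why an on-path observer can neither read nor substitute it.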
Now I want to talk a little bit about some things that have gone wrong for some people who like to break into things that Cloudflare protects.
And this is a graveyard of little projects that were trying to beat Cloudflare's bot detection.
So bots, bad bots are a real scourge on the Internet.
They affect anyone who's doing retail, and particularly if they're retailing something which has scarcity.
So think sneakers, a new sneaker comes out, there'll be a bot war to try and buy them all before humans can because the bot users know they can resell those sneakers for much higher values on an auction site afterwards.
So that's bad if you're a person trying to buy some sneakers because they sell out extremely quickly.
If you're an airline, you might find your seats getting bought up by bots.
If you produce any sort of content that's of any value, it's probably getting scraped by bots.
So bot protection has been a big part of Cloudflare from the very beginning.
And there's been a little cottage industry of projects, mostly open source, trying to break that.
And you'll see people updating them as fast as they can, trying to figure out new ways to get through our bot detection.
To give you a sense of the scale of this, if you look at our systems internally, which is a mixture of machine learning, heuristics, and behavioral analysis, we can see the amount of bot traffic there is on the Internet.
And it's pretty stunning.
Something like 37% of the traffic we see is from bots that are up to no good.
A small sliver is from good bots. So things like the Google search bot, which is building the search index.
That's important. A bot from Facebook, which is checking a web page, and it'll be included in the news feed, for example.
But a large chunk of traffic is bad.
And for anyone actually who's doing retail, or who's doing something which has valuable content, that percentage will be even higher.
So we actually block these bots using a bunch of different techniques. We have quite a sophisticated amount of machine learning going on to understand the behavior of good and bad HTTP agents, i.e. your web browser, if you're using it, versus a bot on the Internet.
We have heuristics over time, which we've built up, and we have behavioral analysis.
So we're able to detect whether something is good or bad.
And there's been, over time, a little back and forth with this cottage industry of people who have been building these bot detectors.
Well, recently, because we've been making many, many changes, and because the machine learning algorithms are now able to use all of the traffic that Cloudflare sees.
So when you come to a Cloudflare website, a machine learning algorithm will check to see if you're a bot or not, and let you through.
You've never noticed this, because you're not a bot.
But we're able to learn from that, and protect all of our customers against the bot menace.
And so what's been happening, if you go on to GitHub, is you'll find various projects where, well, rest in peace.
So this particular project said, I'm giving up.
It no longer works, and it's no longer supported. Another one said, well played, Cloudflare.
It's not feasible for me to keep trying to do this. It's over, and I'm giving up.
This particular one, they just archived the project and stopped updating it.
Another one said, well, you know, it's getting much harder to get through this.
And then someone said, no, no, I know how to do it. And then, oh, edits.
No, actually, that doesn't work either. One thing that's quite common is you see people thinking that they've got through, and only to find five minutes later that they haven't.
The reason for that is the machine learning algorithms are learning against the attackers.
This one here, well, this one says, we're hoping for the future that if I try to use this stealth plugin, maybe I'll get somewhere.
I wouldn't bet on it, mate. The funnest one is a project run by a chap who goes by the name Venomous.
And things have got a little bit heated over there, because it's got very complicated to update it.
He was updating it as an open source project, and finally decided that it was much, too much work to keep doing it as open source, and it should become a paid project.
And what's bad for Venomous is that many of his open source customers are really up in arms about this, because they were, well, I guess they were expecting someone else to do the work for them.
But as you see, bots are a menace, and they've been causing trouble.
And Cloudflare's bot detection is, well, it's burying a lot of projects that hope to break into it.
Now, I'm going to jump over to Togo in West Africa, because there's a bit of news about Internet blocking in Togo that's come out this week.
So back in 2017, September the 5th, the Internet went offline in Togo.
The government blocked social media networks, and they heavily rate limited traffic.
And we saw that; that's what this graph was showing. It was showing Monday, Tuesday, which are the top two graphs, that was what the traffic looked like in Togo.
And on the Wednesday, on the 6th, you can see the traffic sort of goes down, and it shouldn't go like that.
And that was because the government had made this decision.
Well, three years later, there has been a court case brought about this.
So in West Africa, there's an organization called the Economic Community of West African States, ECOWAS.
And this brings together a bunch of countries within West Africa.
And as part of it, there is a court which covers this region. And a case was brought before this court, arguing that this Internet shutdown in Togo was a violation of human rights, and also arguing that it had a huge economic damage, because people couldn't work, because they couldn't get access to the Internet, to information.
And yesterday, this case came before the court, and this was the actual docket number.
And the court agreed that this should not have been done.
It imposed a fine, a relatively small fine, about US$4,000 to be given to the organizations that brought the court case.
But it also stated that countries should not do this.
So this is obviously written in French, the court decision was in French.
But it's saying that the court is asking that the authorities in Togo, do whatever is necessary to make sure this does not happen again, that the Internet does not get shut down.
And this is a very important move, because we see around the world, Internet shutdowns happening in countries for political reasons, sometimes because elections are happening, sometimes because there's unrest, sometimes because there are examinations happening, and there's an attempt to stop cheating.
But, you know, the Internet has become extremely important to all of us, particularly during the COVID-19 pandemic, and keeping it on is really important.
So pretty interesting that three years on, after a court case was brought, the local court in that region decided that no, this was wrong, and the Internet needs to stay on.
And finally, a bit of DDoS news. So earlier on this week, there was some news out of a couple of companies about DDoS activity that was particularly large.
In general, DDoS activity tends to be continuous and fairly small.
It's a bit like the spam problem.
There's a continuous barrage of spam, it gets filtered out by good spam filters.
And in the case of DDoS, there's a barrage of DDoS going on all the time.
And if you have a DDoS mitigation service, like say Cloudflare, then you don't see it because it gets dropped.
But occasionally, there are really big DDoS and these things make the news a little bit.
And so actually earlier on, Akamai, a legacy CDN vendor, said they had mitigated a 1.44 terabit per second attack.
And that was pretty big. In the past, the biggest known one publicly was 1.3 terabits per second against GitHub, and then 1.7 terabits per second against an unnamed company.
So 1.44 was a pretty good data rate. And that's enough to clog pretty much any pipes you might have out there.
Well, not to be outdone, Amazon said, oh, 1.44 terabits per second?
Fascinating, because we mitigated a 2.3 terabits per second attack.
So everyone was saying, hey, mine is bigger than yours. And this was back in February.
And Amazon put out some information about it. And it's worth reading the details.
It's interesting what happened. Well, not to be outdone, Akamai said, really?
2.3 terabits per second? Fascinating, because we just mitigated, earlier this week, 809 million packets per second.
Now, stop for a moment.
The two other numbers were in terabits per second, which is the bandwidth that was being used.
So enough to clog any size Internet pipe. But there's another important number when it comes to DDoS, and that's packets per second.
And the reason packets per second is significant is that when a packet hits equipment on the network, particularly Internet routers and switches, it has to be processed.
And if you can get the packet rate up, even if you don't get the gigabits per second up, then you can cause a problem.
So Cloudflare will be mitigating large attacks, hundreds of gigabits per second, sometimes terabits per second, but also attacks with very high rates of packets per second.
So in this Akamai attack, these were one byte packets plus the header, but 809 million packets per second, which is enough to hurt most networking equipment, even if the gigabits per second on it wasn't enough to clog the pipe.
So when you think about DDoS, there are really two ways to hurt network equipment.
One is just sheer volume, that's going to be in terabits per second.
And the other one is many, many, many packets per second, which overwhelm the processors within the routers and switches that are trying to deal with the traffic.
So hopefully this trend doesn't continue, but we have seen over this year, a few big attacks against providers.
One thing you can do is look for a provider that will handle these attacks for you for free.
The last thing you should be doing is paying for attack traffic like this.
And that is one of the reasons why Cloudflare created an unlimited mitigation service, which we launched a few years ago so that our customers are protected.
So even if they get terabits per second or millions of packets per second, they're not being charged for that attack traffic.
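The DDoS segment contrasts two measures, terabits per second and packets per second, and explains that a flood of tiny packets hurts routers even when it does not fill the pipe. The following is an added example, not code from the show or from Cloudflare: it uses standard Ethernet framing constants (64-byte minimum frame, 20 bytes of preamble and inter-frame gap per frame, IPv4 and UDP headers) to express each of the quoted attacks in the other unit. The 1400-byte payload assumed for the bandwidth flood and the 100 GbE link are illustrative assumptions, not figures from the page.

```python
"""Added example, not from the transcript: relate the two DDoS numbers the
segment contrasts, bits per second and packets per second, using standard
Ethernet framing constants and the attack sizes quoted in the segment."""
ETH_HEADER = 14      # destination MAC, source MAC, EtherType
ETH_FCS = 4          # frame check sequence
ETH_MIN_FRAME = 64   # header + payload + FCS is padded up to this
ETH_OVERHEAD = 20    # 8-byte preamble/SFD + 12-byte inter-frame gap
IP_HEADER = 20       # IPv4 without options
UDP_HEADER = 8


def wire_bytes_per_packet(udp_payload_bytes: int) -> int:
    """Bytes of link time one UDP/IPv4 packet occupies on Ethernet."""
    frame = ETH_HEADER + IP_HEADER + UDP_HEADER + udp_payload_bytes + ETH_FCS
    return max(frame, ETH_MIN_FRAME) + ETH_OVERHEAD


def pps_to_bps(pps: float, udp_payload_bytes: int) -> float:
    """Line-rate bandwidth a packet flood of this packet size consumes."""
    return pps * wire_bytes_per_packet(udp_payload_bytes) * 8


def bps_to_pps(bps: float, udp_payload_bytes: int) -> float:
    """Packet rate a bandwidth flood of this packet size implies."""
    return bps / (wire_bytes_per_packet(udp_payload_bytes) * 8)


def max_pps_on_link(link_bps: float) -> float:
    """Highest packet rate a link can carry: minimum-size frames back to back,
    which is the rate the forwarding hardware must be able to sustain."""
    return bps_to_pps(link_bps, 1)


def compare(packet_flood_pps: float = 809e6,
            bandwidth_flood_bps: float = 1.44e12,
            big_payload: int = 1400) -> dict:
    """The two attacks from the segment, each expressed in the other's unit.
    The 809 Mpps flood used one-byte payloads, as the segment describes; the
    1400-byte payload for the 1.44 Tbps flood is an assumption."""
    return {
        "small_packet_flood_bps": pps_to_bps(packet_flood_pps, 1),
        "bandwidth_flood_pps": bps_to_pps(bandwidth_flood_bps, big_payload),
        "100gbe_max_pps": max_pps_on_link(100e9),
    }


if __name__ == "__main__":
    for key, value in compare().items():
        print(f"{key:>24}: {value:,.0f}")
```

Run as written, the small-packet flood comes out at roughly 544 Gbps of line rate, well under the 1.44 Tbps attack, yet its packet rate is more than six times that of the bandwidth flood and over five times what a single 100 GbE link can deliver even with minimum-size frames; that gap is the reason packets per second is tracked as its own number.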
And that is it for This Week in Net.
Thank you very much for watching. I'll be back next week with more on what has happened in the network.
I hope you stay safe online, encrypt your DNS, stay safe from DDoS attacks, and I'll see you next week.
Bye.
Hi, we're Cloudflare.
We're building one of the world's largest global cloud networks to help make the Internet more secure, faster, and more reliable.
Meet our customer, Neto.
The thing that used to keep me up at night was security. Cloudflare helps to mitigate a lot of those fears.
It actually is the frontline for our platform and actually looks after pretty much all of the security as well as helping us on the cost side as well.
As one of Australia's leading e-commerce platforms, Neto powers the shopping experience for thousands of online retailers.
My name is Justin Hennessy. I'm the VP of Engineering at Neto. Neto is one of the biggest e-commerce platforms in Australia.
Our platform receives between 85 and 90 million requests per day.
We have about 2,800 merchants on our platform, single shop owners who are just trying to sell online, all the way up to quite large organizations who do multi-warehouse sales.
In the landscape that we are now in, with cyber crime being as high as it is, the threats that hit our platform on a daily basis, it's really important to have both internal expertise and really good relationships with technology partners.
Neto first came to Cloudflare to streamline the process of securing its merchant sites.
Using Cloudflare's SSL for SaaS, Neto automatically provisions and manages security certificates across thousands of its customers' vanity domains.
SSL for SaaS is essentially the primary driver why we moved to Cloudflare.
We have a very complex onboarding process and part of that is issuing certificates to customers.
Cloudflare allowed us to make that a completely automated one-click process.
Anybody in the business could onboard and go live with a customer.
Soon, Neto found additional opportunities to leverage Cloudflare's platform for enhanced security, performance and reliability.
The two major things that we've really embarked on this year around workers and AI bot management.
Cloudflare bot management is something that we've just recently turned on.
In its first day, we were able to block 2.4 million requests and obviously that has a pretty significant cost effect over time.
Cloudflare Workers is actually quite an exciting piece of technology.
It's really allowed us to be quite creative about how we solve different problems.
I would definitely recommend Cloudflare as a technology vendor because I believe they offer the full gamut of products.
You can start very small and then you can grow into their feature sets.
With customers like Neto and over 25 million other Internet properties that trust Cloudflare with their security and performance, we're making the Internet fast, secure and reliable for everyone.
Cloudflare, helping build a better Internet.
What is a bot?
A bot is a software application that operates on a network. Bots are programmed to automatically perform certain tasks.
Bots can be good or bad.
Good bots conduct useful tasks like indexing content for search engines, detecting copyright infringement and providing customer service.
Bad bots conduct malicious tasks like generating fraudulent clicks, scraping content, spreading spam and carrying out cyber attacks.
Whether they're helpful or harmful, most bots are automated to imitate and perform simple human behavior on the web at a much faster rate than an actual human user.
For example, search engines use bots to constantly crawl web pages and index content for search, a process that would take an astronomical amount of time for any human user to execute.
What is a WAF?
A WAF is a security system that uses a set of rules to filter and monitor HTTP traffic between web applications and the Internet.
Just as a toll booth allows paying customers to drive across a toll road and prevents non-paying customers from accessing the roadway, network traffic must pass through a firewall before it is allowed to reach the server.
WAFs use adaptable policies to defend vulnerabilities in a web application, allowing for easy policy modification and faster responses to new attack vectors.
By quickly adjusting their policies to address new threats, WAFs protect against cyber attacks like cross-site forgery, file inclusion, cross-site scripting and SQL injection.