This Week in Net: From DDoS attacks in Australia to helping protect personal information in the cloud
Presented by: João Tomé, John Graham-Cumming
Originally aired on August 28, 2023 @ 10:00 PM - 10:30 PM EDT
Welcome to our weekly review of stories from our blog and other sources, covering a range of topics from product announcements, tools and features to disruptions on the Internet. João Tomé is joined by our CTO, John Graham-Cumming.
In this week's program, we “travel” to Australia to talk about recent DDoS attacks on Australian university websites and threats of more attacks (that includes some suggestions). We also talk about Cloudflare’s commitment to the 2023 Summit for Democracy that is happening in Washington D.C. Europe’s GDPR regulation is also present when we go over how we are helping protect personal information in the cloud, all across the world. We also go technical, explaining the many faces of our Oxy framework and its importance in powering Cloudflare services and products. We also do a “show and tell” with our R2 Pricing Calculator, which compares our object storage prices with AWS S3.
In the Around NET end-of-show segment, we have Sofia Cardita, based in Lisbon and a clinical psychologist turned engineer from our Radar team. She will talk about our new URL scan tool.
Hello everyone and welcome to This Week in Net. It's the March 31st, 2023 edition. Yes, we're already in April almost.
And I'm João Tomé, based in Lisbon, Portugal. And with me, I have, as usual, our CTO, John Graham-Cumming.
Hello, John, how are you?
Hello, good afternoon. How are you? I'm good. Or morning, or whatever. Yes, depending on where you are, it might not be afternoon.
Yes, it might be the middle of the night.
This week, we have a few blog posts ranging over a few different topics, from GDPR in Europe, personal data concerns, to even, for example, DDoS attacks in Australia in this case, but also IP packets, something more technical.
Let's talk about Oxy.
Yeah, where should we start? Should we start down under? Where should we start?
Go down under. I think so. That's a good approach. All right, you want to bring up that blog post and show everybody what we've got.
We're talking about why you're doing that.
This particular blog post is about a spate of attacks in Australia, particularly against university websites, from a loosely formed group that calls itself Killnet and another one called Anonymous Sudan, who are, I think, broadly supporting the Russian war effort in Ukraine by attacking things.
In particular, during this week, we've seen a bunch of attacks against education, particularly in Australia, or pretty much DDoS attacks, typical kind of stuff that Cloudflare protects against.
Just interesting that these pro-Russian sympathizers have decided to go after Australian educational websites and actually, the day before, against aviation websites in Australia.
Perhaps not super unusual kind of stuff.
We see DDoS stuff happen all the time. Obviously, if you're a Cloudflare customer, you're protected.
We have some advice in here about if you're a Cloudflare paid customer, there are additional bits of functionality you can turn on to help protect against these types of attacks.
The attack sizes themselves are not huge, but of course, they are damaging, even though they're not things that make newspaper headlines.
We've offered unlimited, unmetered DDoS protection for a long time, many years, and it applies in this case too.
If you're in an attacked industry in Australia and you're a paying customer of Cloudflare, there are many other things you can do that are very specific to your website: fight against bots, specific firewall rules, specific DDoS rules.
There's a bunch of stuff you can do.
Also, I think perhaps the most interesting thing is you can get DDoS alerts.
If you are being attacked, you will know about it. That may be worthwhile for your organization.
True. One of the things that I'm always interested about this area, which is an area I often go to in terms of trends, what we're showing usually in this chart in particular is blocked attacks.
Usually, these are mitigations, that's what we call them, that were not successful.
In some situations, it shows a trend that sometimes is on the news, other times it's not, because it was stopped in time.
We've had a different set of examples, even from customers that weren't aware that they had a major attack to their websites.
Those alerts also help them understand what happened, even in terms of perception.
I think they're great.
One of the things that's interesting, and you make a good point, that there are many DDoS attacks that don't make the news.
These things happen 24 hours a day, seven days a week around the world.
Sometimes, if you go to a website and it's not working, it may not be that they have a problem, it may be that they've been knocked off by a DDoS attack, because these things are so common.
It's just notable that Killnet and Anonymous Sudan decided to target specifically Australia this time around.
Anyway, that's the news of DDoS this week. Exactly.
Like you were saying, it's one of those situations that it's an old type of attack, but it's very easy to do.
It's still pretty much current, even if there's other attacks happening at the same time.
It's always one of the things that hackers use, because it's easy, right?
It seems relatively easy. It's kind of vandalism, basically.
Yes, but it does have real world effects when you can't get to a website or a service you need to use isn't accessible.
Exactly. We also had more policy types of blog posts this week.
Should we go to one of those? Why don't we go to the Summit for Democracy?
That sounds like something we should talk about.
This is in DC. This was in DC this week, and a bunch of countries supported this.
The mission here is to strengthen democratic governance and human rights around the world.
The reason we are involved in this is that the Internet is fundamentally part of our lives and part of the democratic process with information, with some places voting, and how you figure out where you might vote.
There are some specific areas I think that Cloudflare wants to play a role.
If you scroll down here, we actually talk about these, and I think they're worth talking about.
First of all, to step back, one of the things Cloudflare has done, in a way, is democratize access to good security, and actually good performance, but good security for things put on the Internet.
If you go back 12 years ago, when Cloudflare was getting going, being secure on the Internet was expensive and complicated.
There was a real difference between the big companies like Amazon or Google, who had great security, and everybody else who was playing catch up.
Part of the idea of Cloudflare is that we would make security available either for free or for a very, very reasonable price.
We have a $20 a month time plan and things like that.
We've done that. We made SSL free. We made DDoS mitigation free. That was one of the things we've just been talking about.
What's next? One of the what's next is post-quantum cryptography.
There is a world coming in which we will have workable quantum computers.
If you don't know what that is, a quantum computer operates in a fundamentally different way than a classical computer, which is highly deterministic in a way.
A quantum computer, rather than having simple states of zero and one and things like that inside, allows us to have a fuzzy state where some things are indeterminate.
The real benefit of these computers is they allow us to solve some of what are called hard computer science problems in a reasonable amount of time.
Typically, hard problems are hard to do in any reasonable amount of time.
The one that people are perhaps familiar with sometimes is the traveling salesman problem, which is if a salesman has to visit a number of cities around the world, what is the optimal order in which to visit them?
Actually, as you add the number of cities, that problem gets harder and harder to solve.
Quantum computers allow us to solve some of these problems. One of the problems they allow us to solve is cryptography.
Cryptography fundamentally relies on us, in some sense, believing that there are some algorithms which are hard to solve on computers.
We typically don't have proof that they are hard.
We just know that they appear to be hard. I know that sounds really weird, but for some of these algorithms, some things we know are hard, some things we believe are hard.
In particular, in cryptography, factorizations of numbers and discrete logarithm problems are believed to be hard.
Well, unfortunately, quantum computers make that no longer hard.
That means that cryptography we use today that you and I rely on, we all rely on for banking on the Internet, private communications, is vulnerable.
We discussed this actually last week a little bit.
We did. The double whammy of this is that what we're speaking about here is if there's a quantum computer that our communications are vulnerable, the double whammy is that if somebody is recording Internet traffic right now, a large adversary, a big government somewhere, once a computer comes along with this quantum, they might be able to go back and decrypt things that were said in the past.
We want to roll out what's called post-quantum cryptography.
These are new algorithms that are safe against any post-quantum computer.
We have decided to include this for free in every plan.
One of the things that we've seen happen in the industry is people are starting to charge.
If you want to have the latest, you have to pay a lot for post-quantum.
We fundamentally believe this is a mistake. Everybody needs this right of their communications being private.
We are this year rolling out post-quantum cryptography.
For all plans, all communications between Cloudflare and websites, between Cloudflare and companies, and between Cloudflare and users internally at Cloudflare will be post-quantum.
That's the first commitment in the democracy summit. As for the standards, NIST has produced those standards.
We are now implementing those things. We were very involved in the standardization process.
There's a bunch of commitments here that in a sense are related to that, but are a little bit more general, right?
Yes, those are sort of more general, from the overall kind of summit objective.
If you look at ours, one is post-quantum cryptography.
I think it's important that this be just included by default so that people have the best communication.
The other one is one you know very well about, which is we publish a lot of data about the Internet's performance.
In particular, when it doesn't work at all through Cloudflare radar.
We actually provide alerts and data to organizations like Access Now, Internet Society, Uni, et cetera, so that people can understand this.
We have, in a sense, an observatory of the Internet through our network, which is truly global.
We're going to continue providing that information to those organizations so they can understand when those things happen and also better document when the Internet is being disabled or is unavailable in a country or a region, because sometimes it's within an area of a country.
You see that perhaps in the north of India, where there'll be shutdowns in Kashmir.
In some regions, especially in India, those shutdowns are really frequent.
That's right. In other countries, you see, for example, in Iran, you might not see the whole Internet being shut off, but you might see blocking of particular services or during particular times of day.
In Iran, we saw there was an Internet curfew happening. Exactly, back in September and October.
The third commitment is around working with society on Internet protocols, and in particular ones that are privacy enhancing.
We've done a lot around this, encrypted DNS, encrypted client hello to make HTTP better.
We really believe this goes hand in hand with the post-quantum side of things, which is that Internet protocols should be essentially private by default.
We're going to work to make sure that that happens.
One of the ways we do that is by us implementing them.
We are so large that if we make them widely available, that makes a real difference.
Makes sense. Also, there's the parting to make the summit a success, given that it involves a lot of different countries and organizations in a sense.
Yes. We're part of that. That happened this past week. Look for those commitments to turn into actions by us: alerts to Access Now, post-quantum cryptography, better privacy enhancing protocols.
The four objectives, I think, why not just state them for the audio audience: countering the misuse of technology, fighting corruption, protecting civic space, and advancing labor rights.
It's a very large scale of objectives of the summit in a sense. Absolutely.
We have a few more things from this week from the blog. Where to go next? Let's talk about GDPR and the EU cloud code.
Obviously, we've talked a little bit about privacy enhancing protocols and keeping DNS private and things like that.
There's also this EU cloud code of conduct, which validates that we're complying with GDPR.
Also, the idea of this is to really strengthen trust in cloud services.
We all use cloud services all the time. Look at you and me, we're using Zoom to talk to each other, which is in many ways a cloud service.
We use Google Docs all the time to exchange things. I think part of what Cloudflare really believes in is protecting the privacy of personal information across the world.
We have all sorts of tools that allow people to do that, to decide where cryptographic keys go, decide where the data goes.
The EU cloud code of conduct is really like a compliance mark that says we have demonstrated our compliance with GDPR, which means we are protecting personal data across our cloud and, in fact, in our case, all across the world.
I think it's great that we have these things that people can have confidence in using services.
I would urge others to look for that compliance mark if they're choosing a service where they might be putting private data.
And those are really important things as legislation, regulation in this case, but also as a use case for other parts of the world, because regulation is becoming a very important part of how companies have to deal in the cloud area.
Other places in the world use these types of examples in terms of protecting the cloud situation, right?
Well, that's right.
This particular one is very much an EU-focused code related to GDPR, which is EU-focused.
But I think we're seeing that across the world, countries and governments are putting in place different sorts of legislation to protect or regulate the use of their citizens' private information.
So I'm really happy that we're part of the EU Cloud Code of Conduct.
And I think we're going to see over the next five years, privacy on the Internet is a huge thing for companies in terms of how they protect data, how they use cloud services, how they implement things.
And I think Cloudflare has been at the forefront of making encryption available, keeping things private, state-of-the-art.
We just talked about post-quantum crypto.
I mean, we're absolutely on top of this stuff. So it's great that we have this compliance mark to go along with that so people can be confident in how we operate.
And as you can see, there's a huge list of our products that are covered by this.
And so great to see. And I think we will continue to look for these kinds of compliance marks around the world so that we can demonstrate to people how seriously we take privacy.
And so look for more of it. Exactly. And this blog post has a bunch of things that people can explore in that way, also to actually download information.
So those who are interested in this area, and I think most companies today are, even for regulation purposes, they can browse through our blog.
Even we have the certification and compliance resources here available. Yeah. Actually, there's an interesting thing here.
Now you bring up the Trust Hub, which shows the certifications we have.
If you scroll down, I mean, we have a large number of other certifications.
So obviously, there are things that are related to the security of data.
So like PCI DSS, which is credit card information. There is some of the ISO standards.
There is SOC, which is around security of our systems.
But then there is also now some privacy-related things. So the new EU cloud code of conduct, but also parts of ISO 2701 are involved around the handling of private data.
In the US, we have FedRAMP Moderate. So if you're a government organization, you can use Cloudflare.
In Germany, we have the standardization from the BSI, et cetera.
So if you have to comply with particular standards or are interested in how Cloudflare complies with different standards, here's the information.
I particularly like the W3C one on the left there, which is about accessibility.
We made an enormous effort to make sure that our website, our dashboard is up to the standards of accessibility so that people who are not as able-bodied as you and I can use our products.
There's a very nice blog post actually in the past about how we did this and the work it involved.
So hopefully, that makes our products accessible to anybody.
Given our scale, I think that's extremely important because we have such a large number of users around the world.
Exactly.
In this way, we don't leave anyone behind in the sense of accessibility to users.
Where should we go next? Should we go to IP packets? Yeah, let's go nerdy.
Let's go nerdy. We've done a lot of compliance, people being attacked.
All right. So Oxy is a proxy framework. That's where the name comes from.
And so Cloudflare has... Well, you can read there's an introductory blog post about Oxy, but it is a framework for creating proxies written in Rust, which is used by a lot of Cloudflare services.
So we obviously proxy a lot of data through us, both what's called forward and reverse.
Reverse is where we sit in front of, say, an API or a website, and we become the website in the sense we pass the data through.
You, as the end user, go to the website and you get proxied to the real website or from cache.
A forward proxy is the opposite way around, which is that you go to a proxy in order to access the Internet.
So you might do this in a company.
A company might have a gateway, which is a proxy, or you might use a product yourself in the home, for example.
We need to do this sort of stuff because we have a bunch of services that are taking data in and have to forward it to other places.
And we need an enormous amount of flexibility. The reason we need an enormous amount of flexibility is unlike, say, an HTTP gateway in a business, we are handling all sorts of different traffic.
So Cloudflare Warp, which is our sort of un-VPN, is handling any type of traffic, right?
So that needs to be able to pass traffic through.
And so Oxy allows us to build arbitrary proxy services for our different services.
And what's interesting about it is it handles all sorts of protocols in a very neat way.
So it handles things at the IP level, UDP, TCP, and then HTTP and above, right?
So you can look at the protocols. And this particular blog post is describing how we deal with this rather complicated scenario, which is because most proxies are aimed at a particular layer.
You might have a TCP proxy that's going to take a TCP connection and then turn it into another TCP connection on the other side.
Or you might have an HTTP proxy, like NGINX being used as a reverse proxy, for example.
And here, we actually are able to walk up and down the stack and say, oh, well, this is an IP connection.
Well, it's actually TCP.
Well, actually, it's HTTP. So we're going to deal with it in a different way.
And so this particular blog post talks about how this works and also how we do that by going from IP packets themselves and then figuring out what's inside those IP packets that allow people to themselves write configuration, which allows them to build the proxy they need.
So this is a whole sequence of blog posts. There are tons of them.
If you're interested in this particular piece of software that we use, that has really changed a lot of how we do stuff at Cloudflare.
Well worth reading. True. And there's this diagram that shows the overall picture.
And this reminds me, just yesterday, we had in our Lisbon office, Portugal office, let's say.
We can say Lisbon office because we were in the Lisbon office, but it's the Portugal team.
For those that don't know, Cloudflare has 250 people in Portugal.
220 or so of them are in Lisbon and the rest are spread around the country because we are hiring all over Portugal.
87 openings right now. So yes, you were saying in the Lisbon office of the Portugal team.
Exactly. We had the Women in Tech event that I attended yesterday.
And one of the things that was mentioned there by one of our product managers, Rita Kozlov, was that she learned more about the Internet looking at our blog and in examples like this, like seeing deep dives and interesting stuff, how the Internet works.
Some of these blog posts like this one show you, in a sense, how all of these networks and codes and complexity work.
One of the things I really hope is that people, even if you're not a Cloudflare customer or work at Cloudflare or anything like that, I hope that our blog is super educational.
And for something like Oxy, one of the great values in this is you can read it and say, okay, that's how Cloudflare solved this problem.
That's interesting. And you may decide not to do it that way, or maybe this is an inspirational thing.
But yes, a big part of what we do, I mean, you'll know that I'm always telling people when we write the blog, our goal is educate, educate, educate, like tell people something, tell people something, make them come away smarter.
And so hopefully we do that. And in this case, yes, this is part of a big set of blog posts about Oxy.
Exactly. This week, we also published a tweet about the Ramadan that started last week, March 22nd.
And in this case, it's mostly related to a human thing that is human patterns change the Internet.
And Ramadan is a very specific celebration. And because of that, it has very specific moments, like after the sunset is when people can eat.
And there's the Iftar, the first meal after sunset. And one of the interesting things that we noticed actually, and we did the blog post, this blog post I'm tagging here is from last year, how the Ramadan shows up in Internet trends, is how the Internet traffic drops when there's those moments.
And we show a few charts here.
That's right, you can, what's interesting about these, these charts is that in contrast to, say, a normal day, when there is a there is a kind of a pattern of up and down is, you know, it's not quite a sine wave, but it's quite a smooth kind of thing.
And one of the one of the ways in which human activity shows up on the Internet is the sort of discontinuities where something very, very dramatic happens.
And, you know, we saw that during lockdown within in the UK, if you remember with the clapping for tapping for the helpers kind of thing where people stopped to clap and all that kind of stuff.
And the interesting thing on this chart is you can, these dips in Turkey are not there at the beginning of the chart, because Ramadan hasn't started.
And then when Ramadan starts, you have these dips.
And this is, you know, you have, as you say, the Iftar where people are, you know, breaking the fast and the sun has gone down and they are, they are, you know, eating at that point.
And so you really, you really see that over time.
And we will, we will even see, because this is sunset related over the, over the entirety of Ramadan, that shifts slightly as the sunset, you know, shifts itself.
And actually, I remember if you zoom in on some of our charts, I think we did this in the blog post last year, you can also see the morning prayer and meal as well, where people are, people are stopping as well.
Actually, in this chart, you can see a bump, a bump.
There it is. It's, it's around 4-5am.
And for example, in that bump means that traffic was 74% higher at that time, like before sunrise, because people were waking up earlier to eat.
Yeah, there you go.
So you see this changing, changing pattern in the Internet and the time to stop and pray and to eat.
And yeah, again, similarly around the world in countries with very large Muslim populations.
So yes, Ramadan definitely shows up on the Internet.
And we will, you know, we'll continue looking at these trends, different, different human celebrations, different activities over the year on radar.cloudflare.com.
Exactly, they're around. Before we go, we launched I think a few weeks ago, a calculator that it's all about object storage.
So those who have websites and have, have need to put data, for example, videos and all that, we have a calculator, a calculator that gives you like a pricing aspect of it, right?
Well, yeah, so Cloudflare R2 is an object storage system compatible with AWS S3.
And the big difference is that unlike S3, you do not pay for egress, you do not pay to get your data out.
So one of the things that happens with S3 is you store lots of data in it, and then you actually want to read something out of it, you actually pay to read it.
And we think this is egregious. And so we, you know, we decided to, you know, make this, make this available, this calculator, so that you can see the how much you're saving.
Because the thing about S3 is, you know, it's relatively cheap to store stuff as is R2.
If you're, you know, locked in forever, it's sort of the Hotel California storage systems, right?
You know, you can check out, but you can never leave.
And so, yeah, we fundamentally changed this. And it's quite stunning.
If you're storing a lot of data, and you need to get access to it, R2 is a lot, lot cheaper.
Does this impact also like videos, if you have like a video storage, and people are watching those videos, so you're having a lot of success, you're so happy, because the videos are having a lot of success.
But then you'll have to pay a bunch of money because you had success, right?
Yes, yes. And you know, this reminds me of the situation with mobile phones.
If you remember when mobile phones came along, you got the mobile phones, and you were almost penalized for using it, right?
Because as soon as you called someone, it cost a lot of money.
And then, you know, started moving to flat pricing, right? We would pay a certain amount, and lots of calls are included.
Well, you know, we don't think you should be penalized for using the service.
We will charge you to store the data, we'll keep the data for you, but you can egress for free.
So, this just gives you a sense of how much cheaper it is to use R2 than S3.
Exactly. You don't need to feel preoccupied, because you're having a lot of success in a video, in any of those aspects.
And we know from talking to customers that actually, they use a lot of AWS services, and it turns out when they look into their bill that the S3 egress charges are a huge part of, you know, what they're spending money on.
And if you think about it, I mean, Amazon has got very good connectivity to the Internet.
Why are you being charged for this thing as if you're consuming something which you're not really consuming?
Before we go, we still have a blog post that is coming out today.
Do you want to give some highlights there? So, there is a blog post coming out, which is around how we upgrade one of the oldest components of Cloudflare.
So, Cloudflare was originally built almost entirely around Nginx as a reverse proxy.
And over time, we have moved more and more away from Nginx.
In fact, one of my first jobs at Cloudflare was getting rid of at least two Nginx instances.
But there's still a little bit of it around. And actually, one of the sort of core services inside Cloudflare, inside all these proxies, Oxy and Pingora, and all this kind of stuff, there is a thing called Nginx FL for frontline, which contains business logic.
And it's a critical component. And there's a very interesting blog post about how we upgrade it.
Because upgrading that thing when you're running a system at our scale, and you don't want to lose any performance, or you don't want to lose any connections, is quite challenging.
So, at some point, Nginx FL itself will disappear.
And there's an internal project that will replace it with yet another thing whose name will no doubt be revealed at some point.
But in the meantime, we have to operate this old and critical component and keep it up to date.
So, yeah, great. Hopefully, that will come out later today, and you'll be able to read all about it.
More nerdy deep dives, in this case, into how you keep this critical and old Nginx infrastructure running.
That's a good one to be watching.
Thank you so much. That's our time. John, have a good week.
Great. Thank you very much. Yeah, have a good weekend. And if you're watching this some other time, have a good week, I guess.
So, see you all. Bye. That's a wrap.
Before we go, we have our new segment called Around NET.
And in this case, we won't go far.
We go to Lisbon, Portugal, to hear from Sofia Cardita. She's a systems engineer from our Cloudflare Radar team.
And she's based, of course, here in Lisbon.
She actually has a very interesting story. She started as a clinical psychologist and then became an engineer.
So, let's hear from Sofia. Hi, I'm Sofia.
I'm a backend engineer working at Cloudflare. I was born in Lisbon, and I'm working out of Lisbon.
Currently, I'm in the Radar team. We built a website which, using all of Cloudflare's traffic, showcases Internet trends, both worldwide and per country, like global Internet traffic, attack data, DNS data, and stuff like that, where we can see, for example, how different events affect Internet usage.
One, for example, one study we did was on how COVID affected Internet usage worldwide.
And currently, even more currently, I'm working in... That's a church.
I'm working in Cloudflare's URL scanner, which is a tool where we analyze a given website to see if it's safe to visit or not, and also what technologies it uses, which I think is really cool because sometimes you don't really know if a site is safe to visit or not, and you can use our tool to actually check it out first before actually visiting it, which I think is a really useful tool.
And yeah, so other stuff I like to do. I really like playing tennis. It's really de-stressing and it's fun.
And my current new favorite thing, not so new, but yeah, is my puppy, which is Amelia.
And yeah, here she is. She's super awesome, and she's super fun to be with.
And that's it.