Ron Winward @RonWinward

This is how I feel after an overnight routing cutover that went south but finally worked with 7.2 seconds left in the change window (sound on)

[NEW EPISODE] In the latest Telemetry Now, @JustinRyburn joins me to talk about BGP Flowspec and how it's used to mitigate the effect of a DDoS attack Check it out! kentik.com/telemetrynow/s…

The @FCC is seeking comment on a proposal to require 9 major US service providers to deploy RPKI ROV. (comments are due on July 17) In my post for @kentikinc, I look at the proposal and where the service providers stand with respect to ROV. kentik.com/blog/dissectin…

We are observing a sharp increase of #DDoS in 2024 at @OVHcloud with a new record of 840Mpps received in April. We decided to share few insights in a blog post: blog.ovhcloud.com/the-rise-of-pa…

Last week's (PA)NUG near Philly was great and a wonderful time to see some friends! Thanks Dwight Mohry for hosting and great to see @scottrobohn @andylapteff @Drew_CM & @RonWinward @us_nua @kentikinc Check here for an event near you ---> lnkd.in/gmngfZYe

keyboard_arrow_left Previous keyboard_arrow_right Next

Little known fact - I had been thinking about Slowloris for about 10 years before I finally actually sat down to write it. In the early 90's I had encountered a situation where Apache would die when people would do what I used to call "half-open" attacks where they'd see if they got the first packet (200 or 401) and then close the socket without seeing the rest of the result or sending RST or FIN packets causing Apache to be confused and hang, patiently waiting to finish it's response. Our interprocess communication would lock - something related to dead semaphores, and the whole system would halt and no longer deliver HTTP responses. Every day at around 5PM Japan time, some kid would come home from school and attack us trying to break in. It was annoying, and it never really had a chance of working but it did break our website and cause my phone to start alerting due to the outage... every... single... night... at... 1am. Grr. The solution at the time was simply to block the attackers and build a self-healing solution that would reboot Apache when we detected those hung IPC semaphores. Fairly ugly solution but it worked and was pretty cutting edge for it being the 90's. I also got my first Blackhat talk out of it with subsequent solutions we came up with to hide the responses requiring full HTTP responses to be analyzed before they could close the socket. The talk was "Military Hardening of .htaccess" and was exclusively attended by Chinese speakers and like 3 of my friends - I was speaking opposite Mitnick, I think, so the room was virtually empty. I was also extremely, mind-bendingly, hung-over. I ended up throwing up right before going on stage, like under a minute before, and my head was spinning through the whole talk. The Chinese audience members had a translator and it was making me sick to hear my own translation and I was already having a hard time keeping it together. I cannot believe Blackhat ever gave me a second chance after that mess. Friendly note kids - don't go full Vegas the night before your preso. As you might imagine, after that I was pretty much totally done with the whole idea so I sat on the idea of Slowloris for a decade. Yes, a really really bad hang-over made me uninterested in developing a denial of service tool. It literally made me a little nauseous to think about it. I digress... But it got me thinking that there would be a way to do something similar as an intentionally malicious attack rather than just efficient brute forcing. The way to do that would be to send the packet with the first half of the HTTP headers and then just keep the socket open, never finishing the request. I do wonder how many other exploits are out there where people are sitting on it forever just because they haven't gotten around to writing it yet.

Today In Infosec @todayininfosec

2 years ago

2009: Robert "RSnake" Hansen released the denial of service attack tool, Slowloris. Unlike most DoS tools which flood targets with traffic, it worked by holding connections open by sending partial HTTP requests - a technique described by others as far back as 2005.

2 15 67 100K 18

In RPKI, determining when a #ROA expires is complex. 🤔 In our latest article, #BGP experts @DougMadory and @fastly's @JobSnijders dive deep into the expiration dates embedded inside ROAs and the shorter effective expiration dates used by validators. kentik.com/blog/times-up-…

A major #RPKI ROV deployment milestone has been reached. @DougMadory and @JobSnijders detail: blog.apnic.net/2024/05/08/rpk… @kentikinc

Here's my analysis for @kentikinc cited in today's @WIRED feature story about the Red Sea submarine cable cuts. I looked into the timing and impacts of the loss of SEACOM and AAE-1 (EIG was already down due to a pre-existing cable fault). kentik.com/blog/what-caus…

Kentik provides invaluable insights to businesses for their network traffic, enabling analysis and proactive measures to defend against evolving DDoS threats. 🛡️ #Cybersecurity #NetworkObservability #DDoS kentik.com/blog/understan…

It would appear that AS174 (Cogent) and AS2914 (NTT) have depeered in Europe. Causing a decent latency spike between single homed customers on both sides in Europe. This is not Cogent's first de-peering, their wikipedia page has a mostly complete list en.wikipedia.org/wiki/Cogent_Co…

keyboard_arrow_left Previous keyboard_arrow_right Next

It would appear that Cogent AS174 and NTT AS2914 have de-peered in europe. benjojo.co.uk/u/benjojo/h/vN…

Internet service was cut for multiple Pakistani mobile providers in the hours prior to today's #PakistanElection. According to @kentikinc aggregate NetFlow, Zong (China Mobile Pakistan) and Jazz (Mobilink) stopped carrying traffic between 02:00-04:00 UTC today. We also observed a reduction in traffic for Telenor Pakistan.

Kentik AI was recently featured in Forbes for innovation in network observability. With Kentik AI, you can use Natural Language Query (NLQ) to ask the platform specific questions about your network.💡@kentikinc @Forbes forbes.com/sites/rscottra…

@ECDmike @EtownBlueJays @BlueJaysMLAX @EtownCollege Go Jays!

@EastCoastDyes @BlueJaysMLAX Go Jays!

Another way to look at this incident is that RPKI ROV deployment (specifically the rejection of RPKI-invalid routes) has arrived at a point where a service provider can be knocked offline due to its routes being suddenly rendered RPKI-invalid. #BGP

NANOG @nanog

2 years ago

Guest Blog: Digging into the #OrangeEspaña #Hack w/ @kentikinc @DougMadory This month, #Spain’s second-largest mobile operator, Orange España, experienced a national #outage, spanning multiple hours. nanog.org/stories/indust…

0 4 11 6K 3

Major outages for Azure and Optus, subsea cable cuts and an activation, and BGP/RPKI analysis made 2023 another eventful year on the Internet! Here's my end-of-year post reviewing the analysis @kentikinc published in the past 12 months. Enjoy! kentik.com/blog/a-year-in…

Perfection doesn't exi... Wait—have you seen the cables in our data center? 🤌

Wow! 5 Years in Federal Prison for Defrauding @TeamARIN. The world of ipv4 address space.. 🤯 “through this scheme, Golestan and Micfo obtained the rights to approximately 757,760 IP addresses, with a market value between $9,850,880 and $14,397,440.” arin.net/blog/2023/10/1…