CloudFlare DNS Anycast Services lafur Gu mundsson | - PowerPoint PPT Presentation

Dec 25, 2023 •453 likes •545 views

CloudFlare DNS Anycast Services lafur Gu mundsson | olafur@cloudflare.com Network Over 80 locations soon All services over Anycast 2 CloudFlare DNS expertise Deliver DNS answers in fast and reliable manner worldwide

CloudFlare DNS Anycast Services Ólafur Gu ð mundsson | olafur@cloudflare.com
Network Over 80 locations soon • All services over Anycast • 2
CloudFlare DNS expertise Deliver DNS answers in fast and reliable manner • worldwide Extensive experience in absorbing large DDoS attacks • • Multilayer defense architecture • We answer less than 1% of DNS packets, and no-one complains • As most are attack packets Hard to use us as amplifiers • • We block most attack traffic, and DNS packet size is kept under 512 bytes 3
DNS services: RRDNS Highly distributed authoritative server • DNSSEC signing on the fly • Data entered via API/UI replicated to edges in seconds • FAST and reliable • “ANY” suppressed • dig cloudflare.com ANY cloudflare.com. 3788 IN HINFO "Please stop asking for ANY"   "See draft-ietf—dnsop-refuse-any” 4
DNS products: Virtual DNS A proxy authoritative • server We will cache data • requested and answer from edge Intelligent fetching of • answers from origins. No need to update us if • zones added/deleted 5
The cost of staying online? Providers need to capacity plan for attacks • • We have mitigated 5xx Mp/s attacks Attacks evolve all the time • • we see them all 6
The new norm of DNS • Anycast delivery • Defense in depth • DNSSEC on the fly • Smaller answers • No need for 5-13 NS records • RSA needs to be retired (Key sizes 5x bigger than ECDSA) • Suppress ANY dnsperf.com 7

Recommend

Introduction to Cloudflare Jrme Fleury BNIX meeting, Thursday 29th 2016, Brussels. What is

Introduction to Cloudflare Jrme Fleury BNIX meeting, Thursday 29th 2016, Brussels. What is Cloudflare? Cloudflare makes websites faster and safer using our globally distributed network to deliver essential services to any website

525 views • 19 slides

DNSSEC and DNS Proxying DNS is hard at scale when you are a huge target 2 CloudFlare

DNSSEC and DNS Proxying DNS is hard at scale when you are a huge target 2 CloudFlare DNS is big 3 CloudFlare DNS is fast 4 CloudFlare DNS is always under attack 5 CloudFlare A secure reverse proxy for http(s)

538 views • 25 slides

Tier-1s break Anycast DNS Zhihao Li, Neil Spring D-Root: 199.7.91.13 111 Anycast

Tier-1s break Anycast DNS Zhihao Li, Neil Spring D-Root: 199.7.91.13 111 Anycast replicas: 19 global (red): advertised without restriction 92 local (black): advertised one hop in BGP Anycast Mental model: Packets sent to

646 views • 29 slides

Four years of Go at CloudFlare John Graham-Cumming CloudFlare You

Four years of Go at CloudFlare John Graham-Cumming CloudFlare You likely use us without knowing it Server Languages 2011 www data request PHP backend pipeline logic Server Languages 2011

972 views • 38 slides

Anycast Routing in OLSR MANETs (A sample deployment) Justin Dean 4 th OLSR Interop Ottawa, CA

Anycast Routing in OLSR MANETs (A sample deployment) Justin Dean 4 th OLSR Interop Ottawa, CA 10/14/08 Anycast definitions Anycast addressing assigning a common IP address to multiple instance of the same service.. 1 Anycast

794 views • 19 slides

.CL anycast switching experiment Sebastian Castro secastro@caida.org secastro@nic.cl CAIDA

.CL anycast switching experiment Sebastian Castro secastro@caida.org secastro@nic.cl CAIDA NIC Chile 8 th CAIDA/WIDE workshop July, 2007 Introduction The anycast technology has been widely deployed in various DNS services around the

291 views • 17 slides

Hidden Linux Metrics with ebpf_exporter Ivan Babrou @ibobrik Performance team @Cloudflare What

Hidden Linux Metrics with ebpf_exporter Ivan Babrou @ibobrik Performance team @Cloudflare What does Cloudflare do CDN Website Optimization DNS Moving content physically Making web fast and up to Cloudflare is the fastest closer to

715 views • 44 slides

DNSSEC at Scale Dani Grant | DNS @ CloudFlare CloudFlare - Authoritative DNS provider (includes

DNSSEC at Scale Dani Grant | DNS @ CloudFlare CloudFlare - Authoritative DNS provider (includes DNSSEC for free) - 4M+ domains - 40+ billion queries per day - 76 edge locations in 40 countries (growing) DNSSEC at Scale 1. Elliptic

597 views • 34 slides

XDP in Practice DDoS Mitigation @Cloudflare Gilberto Bertin About me Systems Engineer at

XDP in Practice DDoS Mitigation @Cloudflare Gilberto Bertin About me Systems Engineer at Cloudflare London DDoS Mitigation Team Enjoy messing with networking and Linux kernel Agenda Cloudflare DDoS mitigation pipeline Iptables and

802 views • 65 slides

Luke Valenta Gabbi Fisher @lukevalenta @gabbifish Systems Engineer, Cloudflare Systems

Luke Valenta Gabbi Fisher @lukevalenta @gabbifish Systems Engineer, Cloudflare Systems Engineer, Cloudflare Outline 1. HTTPS Interceptors and How to Find Them: Common sources of MITM (Monsters in the Middle). 2. A technique for

701 views • 37 slides

Event-driven network automation and orchestration Tom Strickx UKNOF 40 Cloudflare, London

Event-driven network automation and orchestration Tom Strickx UKNOF 40 Cloudflare, London Manchester, April 2018 1 Tom Strickx Chaos Monkey at Cloudflare (Network software engineer) Contributor at NAPALM Automation

953 views • 51 slides

Anycast census and geolocation AIMS: Workshop on Active Internet Measurements 31 March - 2 April

Anycast census and geolocation AIMS: Workshop on Active Internet Measurements 31 March - 2 April 2015 Cicalese Danilo Jordan Auge Diana Joumblatt Dario Rossi Timur Friedman Here is where the anycast instances are Demo: goo.gl/Ff8gdQ 12

338 views • 19 slides

Characterizing IPv4 Anycast Adoptjon and Deployment Dario Rossi Professor

Characterizing IPv4 Anycast Adoptjon and Deployment Dario Rossi Professor dario.rossi@telecom-paristech.fr htup://www.enst.fr/~drossi/anycast Joint work with D.Cicalese, J. Auge, D. Joumblatu and T. Friedman Talk Teaser A seminal work [4] at

748 views • 50 slides

F root anycast: What, why and how Joo Damas ISC Overview What is a root server? What is

F root anycast: What, why and how Joo Damas ISC Overview What is a root server? What is F? What is anycast? F root anycast. Why? How does ISC do it? What is f.root-servers.net? One the Internets official DNS root servers

456 views • 24 slides

Anycast in The Cloud 22.10.18 Brett Carr Agenda Introduction Short history of our

Anycast in The Cloud 22.10.18 Brett Carr Agenda Introduction Short history of our DNS Infrastructure Expansion and Cloud choices Anycast in the cloud, simple/cost effective Problems dont give me no problems

251 views • 14 slides

Two days in The Life of The DNS Anycast Root Servers Ziqian Liu Beijing Jiaotong Univeristy

Two days in The Life of The DNS Anycast Root Servers Ziqian Liu Beijing Jiaotong Univeristy Bradley Huffaker, Marina Fomenkov Nevil Brownlee, and kc claffy CAIDA PAM2007 Outline DNS root servers DNS anycast in root servers Data

289 views • 26 slides

SAND Project Self-managing Anycast Networks for the DNS ICANN 55 TechDay 7 March, 2016 Ricardo

SAND Project Self-managing Anycast Networks for the DNS ICANN 55 TechDay 7 March, 2016 Ricardo de O. Schmidt SAND Project Bring autonomous management to anycast DNS M onitoring: system health, reachability, performance, resilience... A

308 views • 14 slides

Towards a global IP Anycast service Hitesh Ballani, Paul Francis Cornell University ACM SIGCOMM

Towards a global IP Anycast service Hitesh Ballani, Paul Francis Cornell University ACM SIGCOMM 2005 What is IP Anycast? One-to-Any communication with no changes to Internet routing IP Address IP Address 2.1.1.1 2.1.1.1 Robust and

1.25k views • 65 slides

How Cloudflare analyzes >1m DNS queries per second Tom Arnfeld (and Marek Vavrusa ) 3M

How Cloudflare analyzes >1m DNS queries per second Tom Arnfeld (and Marek Vavrusa ) 3M DNS queries/second >10% 100+ Internet requests everyday Data centers globally 2.5B 6M+ Monthly unique visitors 5M+ websites, apps &

619 views • 39 slides

Internet Anycast: Performance, Problems and Potential Zhihao Li , Dave Levin, Neil Spring, Bobby

Internet Anycast: Performance, Problems and Potential Zhihao Li , Dave Levin, Neil Spring, Bobby Bhattacharjee University of Maryland 1 Anycast is increasingly used DNS root servers: All 13 DNS root servers Open DNS resolvers:

672 views • 33 slides

choose your region: Earth; Cloudflare Workers hi, im @ag_dubs performance accessibility

QConSF 2019 choose your region: Earth; Cloudflare Workers hi, im @ag_dubs performance accessibility infrastructure how the internet works? how the internet could work? javascripts journey JavaScript (1995) Wasm (2017) HTML

1.97k views • 155 slides

On the Use of Anycast in DNS Sa nde e p Sa ra t Jo hns Ho pkins Unive rsity Va sile io s Pa ppa

On the Use of Anycast in DNS Sa nde e p Sa ra t Jo hns Ho pkins Unive rsity Va sile io s Pa ppa s UCL A Andre a s T e rzis Jo hns Ho pkins Unive rsity http:/ / hinrg .c s.jhu.e du/ Background Wha t is Anyc a st? Clie nt tra nspa

770 views • 12 slides

Adding new DNSSEC algorithms: reality check lafur Gu mundsson olafur at CloudFlare dot com

Adding new DNSSEC algorithms: reality check lafur Gu mundsson olafur at CloudFlare dot com Disclaimer: we have done this First major DNSSEC user of ECDSA P256 Working on getting others to support it ICANN Registration model is

981 views • 9 slides

Tunnel Broker Using IPv4 Anycast Xin LIU lx@ns.6test.edu.cn August 2003 Outline Transition

Tunnel Broker Using IPv4 Anycast Xin LIU lx@ns.6test.edu.cn August 2003 Outline Transition from IPv4 to IPv6 Typical Tunnel Broker Tunnel Broker Utilizing IPv4 Anycast From IPv4 to IPv6 IPv6 = Internet Protocol Version 6

722 views • 14 slides