Security

Short Take: Disaggregating Firewalls

By Russ|April 18th, 2018|Categories: LEFT, SECURITY, SHORT VIDEO|Tags: disaggregation, firewalls|0 Comments

Side Channel Attacks in the Wild: The Smart Home

Side channel attacks are not something most network engineers are familiar with; I provided a brief introduction to the concept over at The Network Collective in this Short Take. If you aren't familiar with the

By Russ|March 19th, 2018|Categories: LEFT, RESEARCH, SECURITY|Tags: security, side channel attacks|Comments Off

Short Take: Side Channel Attacks

In this short take, recently posted over at the Network Collective, I discuss what a side channel attack is, and why they are important.

By Russ|March 13th, 2018|Categories: LEFT, SECURITY, SHORT VIDEO, TECHNOLOGY|Tags: network security, security, side channel attacks|Comments Off

Network Collective: Securing BGP

Yet another protocol episode over at the Network Collective. This time, Nick, Jordan, Eyvonne and I talk about BGP security.

By Russ|February 27th, 2018|Categories: BGP, LEFT, LONG VIDEO, SECURING BGP, SECURITY|Tags: bgp, bgp security, bgpsec, security|Comments Off

On the ‘net: Spectre, Meltdown, and Flexible Scaleout

The recent Meltdown and Spectre attacks illustrate the problematic nature of modern computing systems. While the earlier Rowhammer attack could read or attack one process running in a virtual environment from another process running on

By Russ|February 20th, 2018|Categories: LEFT, NORESHARE, ON THE NET, SECURITY|Tags: hyperconverged systems, meltdown, spectre|Comments Off

Giving the Monkey a Smaller Club

Over at the ACM blog, there is a terrific article about software design that has direct application to network design and architecture. The problem is that once you give a monkey a club, he is

By Russ|January 30th, 2018|Categories: DESIGN, DESIGN MINDSET, LEFT, SECURITY, WRITTEN|Tags: attack surface, mtbm, network design, network security|1 Comment

The Overoptimization Meltdown

In simple terms Meltdown and Spectre are simple vulnerabilities to understand. Imagine a gang of thieves waiting for a stage coach carrying a month's worth of payroll. There are two roads the coach

By Russ|January 15th, 2018|Categories: LEFT, SECURITY, TECHNOLOGY, WRITTEN|Tags: meltdown, spectre, tradeoffs, unintended consequences|1 Comment

Flowspec and RFC1998?

In a recent comment, Dave Raney asked: Russ, I read your latest blog post on BGP. I have been curious about another development. Specifically is there still any work related to using BGP Flowspec in

By Russ|January 4th, 2018|Categories: BGP, DDOS, LEFT, NORESHARE, RESPONSE, WRITTEN|Tags: DDoS, DDoS Open Threat Signaling, dots, flowspec|Comments Off

Meltdown and Spectre (Updated)

Replaced by this page.

By Russ|January 4th, 2018|Categories: LEFT, NORESHARE, SECURITY|Tags: metldown|Comments Off

Several on KRACK

Three articles of interest on the new WiFi KRACK— This is not a crypto bug but a protocol bug (a pretty obvious and trivial protocol bug). When a client connects to the network, the access-point

By Russ|October 26th, 2017|Categories: LEFT, NORESHARE, SECURITY|Comments Off

OneLogin and Password Managers

An interesting incident this last week brings password managers back to the front of the pile— OneLogin, an online service that lets users manage logins to sites and apps from a single platform, says it

By Russ|June 6th, 2017|Categories: LEFT, OTHER, REACTION, SECURITY, WRITTEN|Tags: password managers, password protection, security|1 Comment

Reading List: WannaCry and Ransomware

A good bit has been written about the recent WannaCry outbreak over the last few weeks; rather than stringing the best out through Worth Reading posts, I have collected the three best posts on the

By Russ|May 24th, 2017|Categories: LEFT, NORESHARE, SECURITY|Comments Off

Notes on the FCC and Privacy in the US

I've been reading a lot about the repeal of the rules putting the FCC in charge of privacy for access providers in the US recently—a lot of it rising to the level of hysteria and

By Russ|April 11th, 2017|Categories: LEFT, NORESHARE, SECURITY, WRITTEN|Tags: FCC rule change, internet privacy|2 Comments

Distributed Denial of Service Open Threat Signaling (DOTS)

When the inevitable 2AM call happens—"our network is under attack"—what do you do? After running through the OODA loop (1, 2, 3, 4), used communities to distribute the attack as much as possible, mitigated the

By Russ|April 3rd, 2017|Categories: DDOS, LEFT, STANDARDS, TECHNOLOGY, WRITTEN|Tags: DDoS, ddos mitigation, distributed denial of service, dots, IETF, ietf dots, internet engineering task force|Comments Off

Don’t Leave Features Lying Around

Many years ago, when multicast was still a "thing" everyone expected to spread throughout the Internet itself, a lot of work went into specifying not only IP multicast control planes, but also IP multicast control

By Russ|March 27th, 2017|Categories: LEFT, RESEARCH, ROUTING, SECURITY, STANDARDS, WRITTEN|Tags: DDoS, IGMP DDOS, removing features|Comments Off

Into the Gray Zone: Considering Active Defense

Most engineers focus on purely technical mechanisms for defending against various kinds of cyber attacks, including "the old magic bullet," the firewall. The game of cannons and walls is over, however, and the

By Russ|February 28th, 2017|Categories: LEFT, RESEARCH, SECURITY, WRITTEN|Tags: network security|Comments Off

Reaction; Do we really need a new Internet?

The other day several of us were gathered in a conference room on the 17th floor of the LinkedIn building in San Francisco, looking out of the windows as we discussed some various technical matters.

By Russ|February 20th, 2017|Categories: CULTURE, LEFT, REACTION, SECURITY, WRITTEN|Tags: IETF, the broken internet|4 Comments

Blocking a DDoS Upstream

In the first post on DDoS, I considered some mechanisms to disperse an attack across multiple edges (I actually plan to return to this topic with further thoughts in a future post). The second post

By Russ|February 13th, 2017|Categories: BGP, DDOS, SECURITY, TECHNOLOGY|Tags: DDoS, distributed denial of service|1 Comment

Mitigating DDoS

Your first line of defense to any DDoS, at least on the network side, should be to disperse the traffic across as many resources as you can. Basic math implies that if you

By Russ|February 6th, 2017|Categories: BGP, DDOS, DESIGN, LEFT, SECURITY, WRITTEN|Tags: Countering DDoS attacks, DDoS, ddos mitigation, distribute denial of service|Comments Off

Dispersing a DDoS: Initial thoughts on DDoS protection

Distributed Denial of Service is a big deal—huge pools of Internet of Things (IoT) devices, such as security cameras, are compromised by botnets and being used for large scale DDoS attacks. What are

By Russ|January 23rd, 2017|Categories: BGP, DDOS, DESIGN, LEFT, SECURITY, WRITTEN|Tags: Absorbing DDoS attacks, DDoS, distribute denial of service|Comments Off

Traffic Pattern Attacks: A Real Threat

Assume, for a moment, that you have a configuration something like this— Some host, A, is sending queries to, and receiving responses from, a database at C. An observer, B, has access to the packets

By Russ|December 5th, 2016|Categories: LEFT, RESEARCH, SECURITY, WRITTEN|Tags: access pattern attack, security|Comments Off

On the ‘net: BGP Security, LACNOG 26

BGP security: where we are now, where we are going, as presented at LACNOG 26 in November of 2016.

By Russ|November 29th, 2016|Categories: BGP, LEFT, ON THE NET, SECURITY|Tags: bgp security, LACNOG|Comments Off

Reactive Malicious Domain Detection (ENTRADA)

One interesting trend of the last year or two is the rising use of data analytics and ANI (Artificial Narrow Intelligence) in solving network engineering problems. Several ideas (and/or solutions) were presented this year at

By Russ|November 15th, 2016|Categories: LEFT, RESEARCH, SECURITY, WRITTEN|Tags: DNS, security|Comments Off

Reaction: DevOps and Security

Over at TechBeacon, my friend Chris Romeo has an article up about DevOps and security. It's interesting to me because this is actually an area I'd never thought about before, even though it makes sense.

By Russ|October 25th, 2016|Categories: CULTURE, LEFT, REACTION, SECURITY, WRITTEN|Tags: devops, devops security, security|Comments Off

Split Tunnel Insecurities

I really dislike corporate VPNs that don't allow split tunneling—disconnecting from the VPN to print on a local printer, or access a local network attached drive, puts a real crimp in productivity. In the case

By Russ|June 29th, 2016|Categories: LEFT, NORESHARE, SECURITY, WRITTEN|Tags: IPv6, IPv6 security, security|2 Comments

On differential privacy

Over the past several weeks, there's been a lot of talk about something called "differential privacy." What does this mean, how does it work, and... Is it really going to be effective? The basic concept

By Russ|June 22nd, 2016|Categories: LEFT, SECURITY, WRITTEN|Tags: differential privacy, privacy|Comments Off

DNS Cookies and DDoS Attacks

DDoS attacks, particularly for ransom—essentially, "give me some bitcoin, or we'll attack your server(s) and bring you down," seem to be on the rise. While ransom attacks rarely actually materialize, the threat of DDoS overall

By Russ|June 16th, 2016|Categories: DDOS, LEFT, NORESHARE, SECURITY, TECHNOLOGY, WRITTEN|Tags: DDoS, ddos mitigation, DNS|2 Comments

BGP Security and SPAM

Spam might seem like an annoyance in the US and other areas where bandwidth is paid for by the access rate—and what does spam have to do with BGP security? In many areas of the

By Russ|May 24th, 2016|Categories: BGP, LEFT, RESEARCH, SECURITY, WRITTEN|Tags: bgp security, route hijacks|Comments Off

Thinking about side channel attacks

When Cyrus wanted to capture Babylon, he attacked the river that flows through the city, drying it out and then sending his army under the walls through the river entrance and exit points. In a

By Russ|May 17th, 2016|Categories: LEFT, SECURITY, WRITTEN|Tags: security, side channel attacks|Comments Off

Securing BGP: A Case Study

What would it take to secure BGP? Let’s begin where any engineering problem should begin: what problem are we trying to solve? This series of posts walks through a wide range of technical and business

By Russ|May 13th, 2016|Categories: BGP, LEFT, SECURING BGP, SECURITY, WRITTEN|Tags: bgp security|Comments Off

Securing BGP: A Case Study (10)

The next proposed (and actually already partially operational) system on our list is the Router Public Key Infrastructure (RPKI) system, which is described in RFC7115 (and a host of additional drafts and RFCs). The RPKI

By Russ|May 9th, 2016|Categories: BGP, LEFT, SECURING BGP, SECURITY, WRITTEN|Tags: bgp security, RPKI|1 Comment

Securing BGP: A Case Study (9)

There are a number of systems that have been proposed to validate (or secure) the path in BGP. To finish off this series on BGP as a case study, I only want to look at

By Russ|May 2nd, 2016|Categories: BGP, LEFT, SECURING BGP, SECURITY, WRITTEN|Tags: bgp security, bgpsec|Comments Off

Securing BGP: A Case Study (8)

Throughout the last several months, I've been building a set of posts examining securing BGP as a sort of case study around protocol and/or system design. The point of this series of posts isn't to

By Russ|April 25th, 2016|Categories: BGP, LEFT, NORESHARE, SECURING BGP, SECURITY, WRITTEN|Tags: bgp, bgp security, internet security, security|1 Comment

Securing BGP: A Case Study (7)

In the last post on this series on securing BGP, I considered a couple of extra questions around business problems that relate to BGP. This time, I want to consider the problem of convergence speed

By Russ|April 18th, 2016|Categories: BGP, LEFT, NORESHARE, SECURING BGP, SECURITY, WRITTEN|Tags: bgp, bgp security, security|Comments Off

Securing BGP: A Case Study (6)

In my last post on securing BGP, I said— Here I’m going to discuss the problem of a centralized versus distributed database to carry the information needed to secure BGP. There are actually, again, two

By Russ|April 4th, 2016|Categories: BGP, LEFT, NORESHARE, SECURING BGP, SECURITY, WRITTEN|Tags: bgp security|Comments Off

Rethinking BGP path validation (part 2)

This is the second post in the two part series on BGP path validation over on the LinkedIn Engineering blog. We left off last time after having described the eight operational requirements that must be

By Russ|March 24th, 2016|Categories: BGP, LEFT, NORESHARE, ON THE NET, SECURITY, WRITTEN|Comments Off

Should We Stop Encryption? Can We?

It's not like they're asking for a back door for every device. If the world goes dark through encryption, we'll be back to the wild west! After all, if it were your daughter who had

By Russ|March 22nd, 2016|Categories: GOVERNANCE, LEFT, SECURITY, WRITTEN|Tags: encryption, privacy, security|Comments Off

Reaction: More Encryption is Bad?

This week I was peacefully reading the March 9th issue of ACM Queue when I received a bit of a surprise. It seems someone actually buys the "blame the victim" game, arguing that governments are

By Russ|March 15th, 2016|Categories: LEFT, REACTION, SECURITY, TECHNOLOGY, WRITTEN|4 Comments

Securing BGP: A Case Study (4)

In part 1 of this series, I looked at the general problem of securing BGP, and ended by asking three questions. In part 2 and part 3, I considered the third question: what can we

By Russ|February 22nd, 2016|Categories: BGP, LEFT, ROUTING, SECURING BGP, SECURITY, WRITTEN|Tags: bgp security, bgp security case study|Comments Off

Rethinking Path Validation

https://www.youtube.com/watch?v=x9akH7TpZ5c&feature=youtu.be This is my talk on BGP security from the latest NANOG. Some of the questions I discuss in this talk, and some of the solutions, interact with the series I currently have running on

By Russ|February 17th, 2016|Categories: BGP, LEFT, NORESHARE, ON THE NET, ROUTING, SECURING BGP, SECURITY, TECHNOLOGY, WRITTEN|2 Comments

Securing BGP: A Case Study (3)

To recap (or rather, as they used to say in old television shows, "last time on 'net Work..."), this series is looking at BGP security as an exercise (or case study) in understanding how to

By Russ|February 15th, 2016|Categories: BGP, LEFT, ROUTING, SECURING BGP, SECURITY, WRITTEN|Tags: bgp security, engineering case study|Comments Off

Securing BGP: A Case Study (2)

In part 1 of this series, I pointed out that there are three interesting questions we can ask about BGP security. The third question I outlined there was this: What is it we can actually

By Russ|February 1st, 2016|Categories: BGP, LEFT, ROUTING, SECURING BGP, SECURITY, WRITTEN|Tags: bgp security, case studies, engineering case study|2 Comments

Securing BGP: A Case Study (1)

What would it take to secure BGP? Let's begin where any engineering problem should begin: what problem are we trying to solve? In this network—in any collection of BGP autonomous systems—there are three sorts of

By Russ|January 25th, 2016|Categories: BGP, LEFT, ROUTING, SECURING BGP, SECURITY, WRITTEN|Tags: bgp security|2 Comments

Anonymity isn’t a bug

Despite the bad rap it sometimes gets, anonymity – and anonymity technology – is used all the time by everyday people. Think about it: just walking in a park without being recorded or observed or

By Russ|November 17th, 2015|Categories: CULTURE, LEFT, SECURITY, WRITTEN|Tags: anonymity, privacy|Comments Off

Castle versus Cannon: It’s time to rethink security

In case you're confused about the modern state of security, let me give you a short lesson. Your network is pictured to the left. When I first started working on networks in the USAF we

By Russ|November 16th, 2015|Categories: LEFT, SECURITY, WRITTEN|Comments Off

Information wants to be protected: Security as a mindset

I was teaching a class last week and mentioned something about privacy to the students. One of them shot back, "you're paranoid." And again, at a meeting with some folks about missionaries, and how best

By Russ|September 14th, 2015|Categories: CULTURE, LEFT, SECURITY, WRITTEN|Tags: information security, privacy, security|1 Comment

Understanding Rowhammer

As I learned in my early days in electronics, every wire is an antenna. This means that a signal in any wire, given enough power, can be transmitted, and that same signal, in an adjacent

By Russ|July 31st, 2015|Categories: LEFT, SECURITY, TECHNOLOGY, WRITTEN|Tags: rowhammer, security|Comments Off