It's a, it's a, it's a SYN flood: Quick, ditch that packet

Networking nuggets from the week that was


Networks roundup What if all you had to do to block SYN-based denial-of-service attacks was drop the first incoming SYN packet?

That intriguing idea was put forward this week, in this Internet-Draft.

SYN floods are a basic "cheap and cheerful" DDoS: an attacker with a botnet handy gets the machines to send TCP SYN segments (the first message of the three-way handshake that establishes a new TCP connection) to the victim. For each one, the target host allocates connection state, replies with a SYN-ACK, and waits for the client's ACK, which the attacker never sends, leaving a "half-open" connection. Each half-open connection occupies an entry in the server's connection backlog until it times out, so a sustained flood of SYNs exhausts that backlog and genuine clients can no longer connect.

A pair from South Korea's Soongsil University suggested a server configuration that ignores the first SYN it gets from a client. A genuine client will retransmit the SYN after its retransmission timeout, but a bot that fires off a single spoofed SYN per connection probably won't, argued Sungwon Ahn and Minho Park.

Their "Intentional SYN Drop" (ISD) means the server doesn't allocate connection state to an attacker's attempt to create half-open connections. It would be implemented with two new entities in TCP: a Dropped SYN List (which records the SYNs that were dropped, so that a retransmission can be recognised and accepted) and a SYN-RCVD Timer.

If an incoming SYN matches an entry in the Dropped SYN List, it is treated as a retransmission: the connection's state is set to SYN received (SYN_RCVD, at which point the connection is half-open), the server sends the SYN-ACK to the client, and the SYN-RCVD timer is started. If the timer expires before the client's ACK arrives, the half-open session is dropped.
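To make the mechanism concrete, here is a small simulation of the ISD state machine described above. It is an added example written for this roundup, not code from the Internet-Draft or its authors: the data structures, the match key (source address, source port and initial sequence number, which a retransmitted SYN repeats), the timeouts and the sample traffic are all assumptions made for the demonstration. It runs three constructed scenarios against the server: a botnet that sends each SYN once, a genuine client that retransmits and completes the handshake, and a client that retransmits but never ACKs and is reaped by the SYN-RCVD timer.

```python
"""Toy simulation of Intentional SYN Drop (ISD).

Added example, not the draft's reference code.  The server ignores the
first SYN from a given (src_ip, src_port, seq) tuple, records it in a
Dropped SYN List, and only allocates a half-open connection (SYN_RCVD)
and sends a SYN-ACK when that SYN is retransmitted.  Time is an explicit
clock so the run is deterministic and offline.  Timeouts are assumptions.
"""
from dataclasses import dataclass, field

DROP_LIST_TTL = 5.0      # seconds a dropped SYN is remembered (assumed value)
SYN_RCVD_TIMEOUT = 3.0   # seconds a half-open connection may linger (assumed value)


@dataclass(frozen=True)
class Syn:
    """The fields a retransmitted SYN repeats, used as the Dropped SYN List key."""
    src_ip: str
    src_port: int
    seq: int


@dataclass
class IsdServer:
    now: float = 0.0
    dropped: dict = field(default_factory=dict)     # Syn -> expiry of list entry
    half_open: dict = field(default_factory=dict)   # Syn -> SYN-RCVD timer expiry
    established: set = field(default_factory=set)
    sent: list = field(default_factory=list)        # outbound segments, for inspection

    def tick(self, seconds):
        """Advance the clock; expire Dropped SYN List entries and SYN-RCVD timers."""
        self.now += seconds
        self.dropped = {s: t for s, t in self.dropped.items() if t > self.now}
        self.half_open = {s: t for s, t in self.half_open.items() if t > self.now}

    def on_syn(self, syn):
        if syn in self.half_open or syn in self.established:
            return "duplicate"
        if syn not in self.dropped:
            # First sight: drop it on purpose.  The only state kept is the
            # small list entry, not a full half-open connection.
            self.dropped[syn] = self.now + DROP_LIST_TTL
            return "dropped"
        # Seen before, so this is a retransmission: go to SYN_RCVD, answer
        # with SYN-ACK and start the SYN-RCVD timer.
        del self.dropped[syn]
        self.half_open[syn] = self.now + SYN_RCVD_TIMEOUT
        self.sent.append(("SYN-ACK", syn))
        return "syn_rcvd"

    def on_ack(self, syn):
        if syn not in self.half_open:
            return "ignored"
        del self.half_open[syn]
        self.established.add(syn)
        return "established"


def simulate():
    """Run the three constructed scenarios and return what happened."""
    srv = IsdServer()

    # Botnet: 1000 spoofed SYNs, each sent exactly once (constructed sample).
    for i in range(1000):
        srv.on_syn(Syn(f"10.0.{i // 256}.{i % 256}", 40000 + i, seq=i))
    bot_half_open = len(srv.half_open)   # nothing allocated beyond list entries

    # Genuine client: first SYN dropped, retransmits after ~1s RTO, then ACKs.
    client = Syn("192.0.2.7", 51515, seq=12345)
    first = srv.on_syn(client)
    srv.tick(1.0)
    second = srv.on_syn(client)
    third = srv.on_ack(client)

    # Client that retransmits but never ACKs: reaped by the SYN-RCVD timer.
    laggard = Syn("198.51.100.9", 6000, seq=777)
    srv.on_syn(laggard)
    srv.tick(1.0)
    srv.on_syn(laggard)
    srv.tick(SYN_RCVD_TIMEOUT + 0.1)

    return {
        "bot_half_open": bot_half_open,
        "client": (first, second, third),
        "laggard_reaped": laggard not in srv.half_open and laggard not in srv.established,
        "dropped_list_after_ttl": len(srv.dropped),
        "syn_acks_sent": len(srv.sent),
    }


if __name__ == "__main__":
    print(simulate())
```

Two caveats a practitioner will spot from the simulation itself, and which are this editor's observations rather than claims from the draft: the Dropped SYN List is still per-SYN state, so its entries must be small and short-lived or the attacker simply fills that instead; and an attacker who knows the server runs ISD can send every spoofed SYN twice, at which point the half-open connections are allocated as before and only the SYN-RCVD timer limits the damage. The widely deployed mitigation today remains SYN cookies (net.ipv4.tcp_syncookies on Linux), which avoid allocating state for half-open connections altogether; on Linux the current population of half-open connections can be inspected with ss -tan state syn-recv.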

Juniper expands threat protection

Juniper Networks this week squeezed out two enhancements to its Juniper Advanced Threat Prevention (JATP) appliances.

The company has added custom data collectors to the appliances, to improve their ability to pull security data from other sources in the network. This, Juniper said, eliminates the need for time-consuming custom configurations.

Log formats supported by the data collectors include XML, JSON and CSV.

The Gin Palace also tossed a new appliance over the fence: the JATP400, which it said targeted distributed enterprises.

The on-premises JATP400 Appliance is designed to work with existing firewalls to provide security teams a timeline view for quick attack mitigation.

Barefoot puts on the 400Gbps dancing shoes

Barefoot Networks has joined the 400 Gbps Ethernet race, and has names like Cisco and Tencent on board for its latest ASIC.

The company claimed its Tofino 2 doubled the performance of its predecessor with a total switching throughput of 12.8 Tbps.

As with the Tofino, the chip is programmable using the P4 (Programming Protocol-Independent Packet Processors) language, and Barefoot said there are 100 features and applications written for the chip.

The 7nm process used in the Tofino 2 allowed it to deliver 32 ports of 400 Gbps Ethernet on the chip, and 256 ports at 10/25/50 Gbps, and it can be programmed for top-of-rack switching, appliance switching, or service provider router applications.

In-band Network Telemetry (INT) in the P4 spec is supported by Barefoot's enhanced SPRINT, which gathers real-time, per-packet intelligence.

Open Source MANO gets FIVE, which is its sixth release, obviously

The European Telecommunications Standards Institute (ETSI) has emitted Open Source Management and Orchestration (MANO) Release FIVE (yes, rather than 5 or Five, they've decided this is THAT important).

OSM has a new architecture in this release: it has taken a micro-services approach, with an eye to "5G scenarios, distributed and edge deployments", as well as network-as-a-service offerings.

It also adds support for 5G network slicing, dynamic inter-data-centre connection configuration across the WAN, extensions to its service function chaining capabilities, VNF metrics in its monitoring capabilities, and physical and hybrid network functions.

ETSI also said there is a new GUI-based network function and service composer, a better dashboard for logs, metrics and alarms, and faster startup.

And yes, we were serious: OS MANO FIVE is the sixth release. The ETSI announcement quoted Telefonica SVP technology and architecture Carlos Garcia to that effect: "With six releases in its two years and a half, OSM has proven to be an extremely agile vehicle for evolving an Information Model and the associated stack to provide Network-as-a-Service in a completely automated fashion."

Linux Foundation emits ONAP, OPNFV releases

The Linux Foundation's Open Network Automation Platform (ONAP) and Open Platform for Network Function Virtualisation (OPNFV) projects both got new releases earlier this week.

ONAP Casablanca received a 5G blueprint, offering “the first set of capabilities around PNF integration, edge automation, real-time analytics, network slicing, data modelling, homing, scaling, and network optimisation”, the organisation said.

There are also two new, simpler design dashboards, lifecycle controllers added to the service orchestrator and its three controllers, and expanded service assurance capabilities.

OPNFV Gambia takes the platform's “first step towards continuous delivery”, a process that “allows OPNFV to continuously publish scenario and feature project artifacts that contain the latest upstream code”.

ADTRAN slurps SmartRG

Vancouver-based SmartRG, a developer of connected home software, has been acquired by ADTRAN for an undisclosed sum.

The deal expands ADTRAN's service portfolio, the company said.

SmartRG's portfolio includes cloud management, analytics, home Wi-Fi broadband gateways, and its SmartOS software platform. ADTRAN said SmartOS integration with its own Mosaic will provide "full end-to-end management and orchestration solutions from cloud edge to subscriber edge".

SmartOS also supports the emerging virtual CPE market, where a "bare bones" unit is deployed at the customer premises and advanced functions such as firewalls run in the service provider's cloud.

SmartRG founder and CEO Jeff McInnis, the rest of the company's management team, and all staff are to be retained after the acquisition completes.

Arm, Telco Systems extend partnership

SDN/NFV and networking provider Telco Systems has announced it will work with Arm to jointly develop a Neoverse-based universal CPE (uCPE) offering.

The device will be based on Telco Systems' Arm-optimised NFVTime operating system, providing a uCPE MANO engine for zero-touch provisioning, deployment, and service lifecycle management. ®

Biting the hand that feeds IT © 1998–2022