Slashdot Mirror


1.1.1.1: Cloudflare's New DNS Attracting 'Gigabits Per Second' of Rubbish (zdnet.com)

An anonymous reader quotes a report from ZDNet: Cloudflare's new speed and privacy enhancing domain name system (DNS) servers, launched on Sunday, are also part of an experiment being conducted in partnership with the Asia Pacific Network Information Center (APNIC). The experiment aims to understand how DNS can be improved in terms of performance, security, and privacy. "We are now critically reliant on the integrity of the DNS, yet the details of the way it operates still remains largely opaque," wrote APNIC's chief scientist Geoff Huston in a blog post. "We are aware that the DNS has been used to generate malicious denial of service attacks, and we are keen to understand if there are simple and widely deployable measures that can be taken to mitigate such attacks. The DNS relies on caching to operate efficiently and quickly, but we are still unsure as to how well caching actually performs. We are also unclear how much of the DNS is related to end user or application requirements for name resolution, and how much is related to the DNS chattering to itself."

The Cloudflare-APNIC experiment uses two IPv4 address ranges, 1.1.1/24 and 1.0.0/24, which have been reserved for research use. Cloudflare's new DNS uses two addresses within those ranges, 1.1.1.1 and 1.0.0.1. These address ranges were originally configured as "dark traffic addresses", and some years ago APNIC partnered with Google to analyze the unsolicited traffic directed at them. There was a lot of it. "Our initial work with it certainly showed it to be an unusually strong attractor for bad traffic. At the time we stopped doing it with Google, it was over 50 gigabits per second. Quite frankly, few folk can handle that much noise," Huston told ZDNet on Wednesday. By putting Cloudflare's DNS on these research addresses, APNIC gets to see the noise as well as the DNS traffic -- or at least "a certain factored amount" of it -- for research purposes.

136 comments

  1. now also being slashdotted by Narcocide · · Score: 1

    Oh, this was their plan all along. Heh, well, I hope it doesn't turn out to be a mistake to have hired people who don't understand DNS...

    1. Re:now also being slashdotted by jellomizer · · Score: 1

      I think a web server running on a low-end system is powerful enough to prevent it from being Slashdotted today.
      Slashdot hasn't grown at the same rate computing has grown.
      Slashdot has been late posting news articles compared to other sites that have larger volume, so by the time it gets on Slashdot, the site has already adjusted for the volume.
      Most sites are on the cloud now, so they just request extra bandwidth.

      --
      If something is so important that you feel the need to post it on the internet... It probably isn't that important.
    2. Re:now also being slashdotted by RobertNotBob · · Score: 1, Insightful

      ... I hope it doesn't turn out to be a mistake to have hired people who don't understand DNS...

      Yeah, that stood out to me, too. ... How can you hire a "Chief Scientist" who doesn't understand the basic mechanisms of the environment you're operating within?

      --
      ___ I don't respond to Anonymous Cowards, and I Never Mod them UP.
    3. Re:now also being slashdotted by Anonymous Coward · · Score: 0

      Slashdot hasn't grown at the same rate computing has grown

      MOAR's Law!!!

    4. Re:now also being slashdotted by datavirtue · · Score: 1

      "Slashdot has been late posting news articles, compared to other sites who have larger volume, so by the time it gets on slashot, the site has already adjusted for the volume." ...and that is fine unless you hang out on the site all day drooling for news.

      --
      I object to power without constructive purpose. --Spock
    5. Re:now also being slashdotted by datavirtue · · Score: 1

      I don't know what to say other than CREIMER is real. I saw him on YouTube.

      --
      I object to power without constructive purpose. --Spock
  2. Research by symes · · Score: 3, Interesting

    I would be very interested in following the research they are undertaking. Anyone know how/where this will be published?

    1. Re:Research by Rosco+P.+Coltrane · · Score: 2

      Wherever it gets published, you can bet you'll have to solve an impossible captcha to get to it.

      --
      "A door is what a dog is perpetually on the wrong side of" - Ogden Nash
    2. Re: Research by Anonymous Coward · · Score: 1

      The NSA doesn't usually release the results of their studies.

    3. Re:Research by arth1 · · Score: 1, Insightful

      I would be very interested in following the research they are undertaking. Anyone know how/where this will be published?

      And when the research is completed, with the 1.1.1.1 and 1.0.0.1 addresses going back to IANA and no longer serving DNS? I bet that some people bought the hype and thought that these would be perpetual addresses, and not just a research run.

    4. Re: Research by aleph · · Score: 2

      Why on earth would the whole /8 revert to IANA? As per the *summary*, even, that whole block is delegated to APNIC.

      A world beyond North America, bizarre I know.

    5. Re:Research by Anonymous Coward · · Score: 0

      Sounds like they aren't Cloudflare's to use or to be assigned... as well they shouldn't be, and won't be 'permanent'.

      The DNS service itself from them probably won't be either, unless they have a way to monetize the additional snooping and data gathering of combining DNS queries with all that cross-domain tracking they already do via every site that uses Cloudflare's services or JS/CSS library CDN. Who am I kidding. Of course they have. They wouldn't be doing this otherwise... it's all about the user data, not learning about the "mysterious traffic" that this block of addresses gets.

    6. Re:Research by Zocalo · · Score: 2

      The IPs are assigned to APNIC, a RIR, and they are free to assign them to whoever they want that meets their assignment policies, including entities that are not headquartered in the APNIC region. There is some debate in high-level networking groups like NANOG about whether those procedures were correctly followed, but that ultimately hinges on whether this is a joint APNIC-Cloudflare research project or a permanent assignment. The former is arguably within APNIC's currently agreed scope for the IPs in question; the latter may have circumvented a few procedures or opportunities for debate.

      Ultimately though, the last time these IPs were routed - a partnership between APNIC and Google, they got 50Gb/s of garbage, mostly from things that were designed to use unassigned IPs rather than suitable RFC1918 IPs. There are not exactly very many companies that have the necessary infrastructure to filter out 50Gb/s of crap and still provide a useable service with what remains so, research or not, I can't see many people wanting these IPs anyway and if Cloudflare can make some use of them, good on them. Besides all that, there is also the question of why are people still doing "research" on IPv4 space; wouldn't it be better to be focussing on the brave new world of IPv6 - where's my 2001:2001:: resolver, or some such equivalent?

      --
      UNIX? They're not even circumcised! Savages!
    7. Re:Research by Anonymous Coward · · Score: 0

      Probably by linking to the Cisco manuals on the Wayback Machine where they used to use 1.1.1.1 as an endpoint in every routing command example.

    8. Re:Research by onepoint · · Score: 3, Interesting

      Hi Zocalo,

      I come from a time when we looked at the cycles of a process to see what we could do to reduce the CPU's usage (and all the other steps). I believe the reason for working in the IPv4 space is similar to that: they are first trying to find out what is going on with the least amount of junk in the system from their end.

      DNS resolving is such a critical issue that the lessons learned in one space Might (not will or work) be transferable to the IPv6 space. So I would think that the processing cycle savings by working in the IPv4 space might be huge (well, my math is rusty, so 255 x 254 x 253 = 16386810 in savings per processing cycle), not a lot but still a small saving.

      Another perspective also brings out the point that if the junk traffic can be cleaned out (nulled), the new savings can be used for a better end-user experience. We have a correlated example of this from back when Hurricane Sandy hit: spam numbers decreased by a noticeable percentage, which would lead to the following assumption (but not fact): less energy use overall. So testing on the starting platform, finding results, and seeing if it can be brought out to the next level is a good thing for the growth of the 'net'.

      of course I could be totally wrong and it was some upper management choice because they did not know better.

      --
      if you see me, smile and say hello.
    9. Re: Research by houghi · · Score: 1

      It will be published by their marketing team when the outcome is in their favour. Just as almost all research.

      --
      Don't fight for your country, if your country does not fight for you.
    10. Re:Research by Killall+-9+Bash · · Score: 2
      Or for Windows bat files....

      REM wait 10 seconds
      ping 1.1.1.1 -n 10 > nul

      I often use 1.1.1.1 as a "garbage" IP address. Anyone using that address should expect to get flooded with pings.

      --
      "Prediction: within 10 years, Windows will be a Linux distribution." Me, 7-6-2016
    11. Re: Research by Brockmire · · Score: 1

      Fucking fail. Use 127.0.0.1. You deserve it if you did this for sleeping.

    12. Re:Research by F.Ultra · · Score: 1

      So "timeout /t 10 /nobreak > NUL" was not cool enough I guess.

    13. Re:Research by Zocalo · · Score: 1

      Similar era here; cycles counted, and the innermost of a deep nest of loops was usually a good place to start, as if even one processor cycle could be removed you could often improve things considerably when you multiplied it all out. I don't think that's it, though, since there are a few competing DNS engines, which are all hopefully pretty well optimised in their core code already at this point (feature bloat aside), and presumably Cloudflare is only going to be running one of them. Realistically, I'm only seeing two options here. One: Cloudflare coming to some kind of "arrangement" with APNIC for some memorable IP addresses for DNS (one of the few times you do need to memorise them, so that counts) to compete with Google, Quad9, etc. in the alternative DNS service provider space as a new revenue stream, hence people getting upset about the sudden repurposing of what they saw as IPs reserved for research use. The second, and I suspect more likely scenario given Cloudflare's DDoS protection services, is that they were fully aware they were going to be getting tens of Gb/s of junk traffic and wanted to do what could be some genuinely useful work on protecting DNS services from DDoS attacks in a live environment, since the traffic patterns are likely "good enough". That does still make sense to be done in the IPv4 space since that's where the IRL garbage traffic is and, as you say, any lessons learnt should hopefully translate over to the IPv6 stack easily enough.

      --
      UNIX? They're not even circumcised! Savages!
    14. Re:Research by Anonymous Coward · · Score: 1

      So I would think that the processing cycle savings by working in the IPv4 space might be huge (well, my math is rusty, so 255 x 254 x 253 = 16386810 in savings per processing cycle), not a lot but still a small saving.

      I have no idea what is meant by your numbers. "Processing cycles saved"??? Doing what? And where do 255, 254, and 253 come from? Since the smallest unit of work in a CPU is a cycle, 16,386,810 cycles is A LOT of processing. Even on a 3 GHz CPU, that represents 5.5 ms of work. Taking 5 ms to respond to a DNS request is forever. The full round trip, from the time Wireshark on my desktop sees the packet leave to the time it sees the response packet, is ~270 us. That includes all fixed delays like Ethernet frame serialization, switch forwarding, and context switching on both client and server.

      My firewall can process about 8,000 packets in 5.5ms. That includes checking rules, routing tables, forwarding, NAT, and traffic shaping.

    15. Re:Research by onepoint · · Score: 1

      I suspect you are correct in thinking of protection of the DNS or a website when under attack. You might appreciate this: https://twitter.com/olesovhcom... Two years ago someone got hit with an attack of 1.1 T, not G but T. Being able to shield oneself from these types of attacks might be OK.

      Now, a funny thing about junk traffic: it's a good place to learn what to filter out. I look forward to a cleaner system over the next 10 years (when I owned an ISP back in 2000 we were fighting the same battle and no one cared; it takes $$$ for people to react to these things).

      Have a good day

      --
      if you see me, smile and say hello.
    16. Re:Research by RockDoctor · · Score: 1

      I bet that some people bought the hype and thought that these would be perpetual addresses

      What is this concept of a "permanent address" in relation to TCP/IP? It might seem permanent to you, but some of us are actually older than the Internet and view such things as just recent fads. I wouldn't be surprised if the people (*) who write the major networking protocols in use when I die haven't been conceived yet.

      (*) - includes programs, including ones with formal proofing built into the compiler.

      --
      Birds are not dinosaur descendants;birds are dinosaurs, for all useful meanings of "birds", "are" and "dinosaurs"
    17. Re: Research by Killall+-9+Bash · · Score: 1

      No. you want an address that doesn't respond, and you set the timeout to 1 second. You fucking fail. And what exactly am I getting that I deserve? I'm not the idiot using 1.1.1.1

      --
      "Prediction: within 10 years, Windows will be a Linux distribution." Me, 7-6-2016
  3. Experiment? by RadioD00d · · Score: 4, Interesting

    The summary repeatedly calls this an 'experiment' - does that also indicate that at some point, these nameservers will be disabled / changed / removed in the guise of 'science'? Since TANSTAAFL, I find it difficult to believe that even Cloudflare (who makes buckets of money in other ways) is just going to give away this service forever. I know, THEY'RE GATHERING DATA - if you're that concerned about the crap you post on the internet, you either need to re-evaluate your exposure or just cut your ethernet cable entirely....

    1. Re:Experiment? by godrik · · Score: 4, Funny

      you either need to re-evaluate your exposure or just cut your ethernet cable entirely....

      My ethernet cable ? Jeez, this is the 21st century! I'll cut my WiFi cable, thank you very much!

    2. Re:Experiment? by lfourrier · · Score: 2

      Don't forget that all Google "products" are just experiments, valid only as long as they find benefit in them.

    3. Re:Experiment? by apoc.famine · · Score: 4, Funny

      With a Faraday knife!

      --
      Velociraptor = Distiraptor / Timeraptor
    4. Re:Experiment? by Tulsa_Time · · Score: 2

      "The research relationship is set to run for at least five years, after which it may be renewed and APNIC will consider permanently allocating the 1.1.1.1 IP address – along with 1.0.0.1 – to Cloudflare."

      --
      5 out of 6 people enjoy Russian Roulette & 6 out of 7 Dwarfs are not Happy
    5. Re:Experiment? by freeze128 · · Score: 1

      Don't bother cutting your WiFi cable... I'll do it for you... with a JAMMER! I bet you wish you had an ethernet cable *NOW*.

    6. Re:Experiment? by gbjbaanb · · Score: 1

      Or, to give the jammer its proper name: next door's stupidly configured TV streaming box.

  4. Solution to amplification DDoS exists for 18 years by Anonymous Coward · · Score: 0

    Implement RFC 2827 and disconnect all peers who refuse to implement it - or refuse to disconnect peers who refuse to implement it.

    Yes, might be messy for a little while.

  5. These addresses should probably be blackholed by Anonymous Coward · · Score: 0

    Traffic to these addresses should be dropped at the earliest router possible. The 1.1.1.1 in particular is going to attract all sorts of traffic generated by systems configured with dummy IP addresses. Those tens of gigabits are going to increase the load on internet backbones, only to be dropped in the end. Cloudflare just needs to use some better IP addresses for the DNS service.

    1. Re:These addresses should probably be blackholed by Anonymous Coward · · Score: 0

      I think you've got that ass-backwards. 1.0.0/24 and 1.1.1/24 are not internal IP subnets like 10/8 and 192.168/16, they're public subnets. Nobody else should be using addresses in the 1.0.0/24 and 1.1.1/24 subnets and those that are using them are violating routing guidelines.

    2. Re:These addresses should probably be blackholed by Anonymous Coward · · Score: 0

      They are being used as dummy addresses. Dogma doesn't override reality.

  6. Opaque? by Viol8 · · Score: 3, Insightful

    "yet the details of the way it operates still remains largely opaque"

    Opaque to whom? Not to net admins and other people who understand DNS. If they're hoping Joe Schmoe will understand or care then they've got a long wait.

    1. Re:Opaque? by Anonymous Coward · · Score: 0

      Virologists and Biologists to Epidemiologists.

    2. Re:Opaque? by Anonymous Coward · · Score: 0

      Agreed - as soon as I try to explain it to someone their eyes glaze over; they don't care (or I suck at explaining it, or both).

  7. Re:Everybody gets what they want by Anonymous Coward · · Score: 4, Insightful

    If you are worried about this I would suggest you disconnect from the internet.

  8. Re: Solution to amplification DDoS exists for 18 y by Anonymous Coward · · Score: 0

    BCP 38.

    It needs to be mandated globally.
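
The ingress filter these two comments ask for (RFC 2827, republished as BCP 38) is a small amount of logic at the customer-facing edge: forward a packet only if its source address lies inside the prefixes the provider actually assigned to that port, and drop martian sources outright. The spoofed sources used to aim amplification replies at a victim then die at the first hop instead of at the victim. The following is an added example written for this page in Python, not code from the thread or from any router vendor; the interface names, the customer prefixes, the IPv6 resolver address 2001:db8::53 and the sample packets are all constructed for illustration.

```python
"""Added example: RFC 2827 / BCP 38 source-address validation at a customer edge.
Interfaces, prefixes and packets below are constructed, not taken from any network."""
import ipaddress
from typing import Iterable, List, Tuple

# Hypothetical per-interface assignments: the prefixes the provider routes
# to each customer port.  Anything else arriving on that port is spoofed.
CUSTOMER_PREFIXES = {
    "cust-a": ["203.0.113.0/24", "2001:db8:a::/48"],
    "cust-b": ["198.51.100.0/25"],
}

# Martian sources that no legitimate packet from a customer port carries.
BOGONS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
    "::/128", "::1/128", "fc00::/7", "fe80::/10",
)]


def _networks(prefixes: Iterable[str]):
    return [ipaddress.ip_network(p) for p in prefixes]


def ingress_verdict(iface: str, src: str) -> str:
    """'forward' or 'drop:<reason>' for a packet with source `src` arriving on
    customer interface `iface`.  Address-family mismatches never match, so an
    IPv4 source is only checked against the IPv4 prefixes and vice versa."""
    addr = ipaddress.ip_address(src)
    if any(addr in bogon for bogon in BOGONS):
        return "drop:bogon-source"
    if not any(addr in net for net in _networks(CUSTOMER_PREFIXES.get(iface, []))):
        return "drop:source-not-assigned-to-interface"
    return "forward"


Packet = Tuple[str, str, str]  # (ingress interface, source, destination)


def filter_packets(packets: Iterable[Packet]) -> List[Tuple[Packet, str]]:
    """Apply the verdict to each packet; returns (packet, verdict) pairs."""
    return [(pkt, ingress_verdict(pkt[0], pkt[1])) for pkt in packets]


# Constructed sample traffic.  The third packet is the amplification case:
# a DNS query whose source is the victim's address, not the customer's.
SAMPLE_PACKETS: List[Packet] = [
    ("cust-a", "203.0.113.7", "1.1.1.1"),
    ("cust-a", "2001:db8:a::10", "2001:db8::53"),   # hypothetical v6 resolver
    ("cust-a", "192.0.2.99", "1.1.1.1"),            # spoofed: not cust-a space
    ("cust-b", "10.1.2.3", "1.0.0.1"),              # RFC 1918 leaking out
    ("cust-b", "198.51.100.200", "1.0.0.1"),        # outside cust-b's /25
]

if __name__ == "__main__":
    for pkt, verdict in filter_packets(SAMPLE_PACKETS):
        print(f"{pkt[0]:7} {pkt[1]:>18} -> {pkt[2]:<14} {verdict}")
```

On real hardware this is `ip verify unicast source reachable-via rx` (strict uRPF) or an explicit ACL on the customer port; the logic is the same, and it is the per-interface assignment list, not a global bogon list, that catches the spoofed-but-routable source in the third packet.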

  9. Re:Solution to amplification DDoS exists for 18 ye by arglebargle_xiv · · Score: 3, Funny

    Meh. Implementing RFC 3514 is far more useful, you could automatically disconnect all evildoers, not just threaten to disconnect people who may be evil.

  10. How about by Anonymous Coward · · Score: 0

    generating automatic blacklist from the trash traffic and publishing it online for public consumption?

  12. Gigabits per second of rubbish? No shit. by BlacKSacrificE · · Score: 5, Interesting

    There are plenty of examples of people suggesting ping to 1.1.1.1 as a delay in batch scripting. The thought of batches all over the world now failing because people used a kludge method to pause was only slightly more amusing than the thought of all the junk traffic 1.1.1.1 would see as a result.

    For our next amazing trick, we're going to make 555-xxxx a valid number range! Follow the action live at example.com!

    --
    [Sorry, this signature is unavailable in your country/region]
    1. Re:Gigabits per second of rubbish? No shit. by coofercat · · Score: 1

      I was wondering where this traffic was coming from - and why. Here's one place (who knew! yet another reason Windows has been 'bad for tech' ;-), and I'll bet there are others that do something similar.

      I wonder if the 'script kiddies' scan 1.x.x.x looking for old wordpress, and default SSH accounts? I'll bet at least some of them do.

      I'm left wondering what analysis of this 'spam traffic' is going to tell anyone though. Hopefully they'll publish some of their findings so we can take a peek.

    2. Re:Gigabits per second of rubbish? No shit. by deadweight · · Score: 1

      The sleep command was too hard? Sleep 10 gives you a 10 second delay and so on.

    3. Re:Gigabits per second of rubbish? No shit. by Anonymous Coward · · Score: 0

      Additionally, 1.1.1.1 is the default virtual address for the Cisco wireless portal on their wireless controllers.

    4. Re:Gigabits per second of rubbish? No shit. by Anonymous Coward · · Score: 2, Insightful

      Windoze (pun intended) doesn't have a built-in sleep command for batch files. What fun!

    5. Re:Gigabits per second of rubbish? No shit. by Anonymous Coward · · Score: 0

      The sleep command didn't exist last time I needed it.

      - Though neither did ping, as we were running NetBEUI at the time.

    6. Re:Gigabits per second of rubbish? No shit. by The+MAZZTer · · Score: 1

      For the rare occasion where I write a batch file like that I use 127.255.255.255... it always fails by timing out (so you can specify a timeout to control batch delay) and it only uses the localhost virtual network adapter so you're not spamming over the LAN or internet.

    7. Re: Gigabits per second of rubbish? No shit. by Anonymous Coward · · Score: 1

      Ya, you post that one every story about this, and we still don't care.
      The two IP scopes used by Cloudflare are research scopes and are not guaranteed to be routed, and are treated similar to RFC1918 by many companies.

    8. Re:Gigabits per second of rubbish? No shit. by Anonymous Coward · · Score: 2, Insightful

      I keep seeing people complaining about this breaking batch scripts that ping 1.1.1.1, but Cloudflare isn't responding to ICMP requests as far as I can tell. Just because an IP address is active, doesn't mean that it will respond to a ping.

    9. Re:Gigabits per second of rubbish? No shit. by Anonymous Coward · · Score: 1

      Since Windows 7 / Server 2008+ it does: the TIMEOUT command. Doesn't help if you have to use the script on older environments, but still...

    10. Re:Gigabits per second of rubbish? No shit. by omnichad · · Score: 3, Informative

      ping 1.1.1.1

      Pinging 1.1.1.1 with 32 bytes of data:
      Reply from 1.1.1.1: bytes=32 time=16ms TTL=53
      Reply from 1.1.1.1: bytes=32 time=16ms TTL=53
      Reply from 1.1.1.1: bytes=32 time=16ms TTL=53
      Reply from 1.1.1.1: bytes=32 time=16ms TTL=53

      Maybe your ISP just doesn't route the traffic. That's a fast link. Though Google DNS is 15ms from here.

    11. Re:Gigabits per second of rubbish? No shit. by Zocalo · · Score: 1

      There's also a lot coming from captive portals that use 1.1.1.1 as a login/logout gateway IP, including some turnkey solutions provided by the likes of Cisco that are heavily deployed in providing free WiFi services to things like the hospitality trade. Yeah, they could (and should!) have used RFC1918 IPs as the default configuration for this, just like your home router tends to default to 192.168.1.1, but for whatever reason decided to default to 1.1.1.1 instead. Since that (fairly obviously) is highly unlikely to conflict with anything already on the network, guess what got deployed in the live environment?

      --
      UNIX? They're not even circumcised! Savages!
    12. Re:Gigabits per second of rubbish? No shit. by Anonymous Coward · · Score: 0

      The 555-xxxx phone number range has been valid in a lot of area codes for some time now. There are a number of services and people with numbers in that prefix.

    13. Re:Gigabits per second of rubbish? No shit. by Anonymous Coward · · Score: 1

      Use the CHOICE command with a timeout starting with DOS 6.0.

      https://en.wikipedia.org/wiki/Choice_(command)

      RRK

    14. Re:Gigabits per second of rubbish? No shit. by DamnOregonian · · Score: 1

      I'm a network engineer, so I am not remotely justifying what I'm about to describe. I'm the chief engineer on several large residential fiber to the home deployments, and as such get to play around a lot in not-off-the-shelf CPE equipment. You'd be amazed how much I see 1.1.1.1 used. It confused me for a while, but now I get it. If you need an RFC1918 address that you're basically guaranteed no user or ISP back end configuration will overlap with- guess what.

      The current equipment I'm working on (and have just discovered a *massive* vulnerability in) uses 1.1.1.0/30 for communications between the main Broadcom SoC and a Quantenna 5 GHz WLAN SoC.

    15. Re:Gigabits per second of rubbish? No shit. by DamnOregonian · · Score: 2

      That's a fast link.

      Na. It's anycast. Your ping is dependent upon how close you are to the closest node. Since I peer with Cloudflare at the SIX, I'm very close to my closest node.

      [x@x ~]$ traceroute 1.1.1.1
      traceroute to 1.1.1.1 (1.1.1.1), 30 hops max, 60 byte packets
      1 x (x.x.x.x) 0.232 ms 0.313 ms 0.371 ms
      2 x (x.x.x.x) 0.295 ms 0.381 ms 0.466 ms
      3 x (x.x.x.x) 27.807 ms 27.894 ms 28.005 ms
      4 six.as13335.com (206.81.81.10) 0.293 ms 0.292 ms 0.292 ms
      5 1dot1dot1dot1.cloudflare-dns.com (1.1.1.1) 0.212 ms 0.213 ms 0.246 ms

    16. Re:Gigabits per second of rubbish? No shit. by Anonymous Coward · · Score: 0

      I think you meant foo.com

    17. Re:Gigabits per second of rubbish? No shit. by omnichad · · Score: 1

      Well yeah, but that is what makes it a fast link. I haven't tested performance on Google's DNS lately, but Cloudflare might be worth trying out for DNS even if it's a potentially unroutable IP from some places.

    18. Re:Gigabits per second of rubbish? No shit. by DamnOregonian · · Score: 1

      Oh, you meant fast as in RTT fast... My bad. I thought you meant "throughput" fast. (wide pipe vs. short pipe)
      That's my bad.

    19. Re:Gigabits per second of rubbish? No shit. by DamnOregonian · · Score: 2

      Also- it works fine for DNS. We've been playing with it for a little bit.
      It's in the global BGP tables, so you're going to be able to access it basically anywhere, except possibly a few networks operated by morons, or behind equipment that made the unfortunate choice of using 1.1.1.0 as a management prefix internally.

    20. Re:Gigabits per second of rubbish? No shit. by fizzer06 · · Score: 1

      People have written sleep utilities in compiled languages for use in batch files.

    21. Re:Gigabits per second of rubbish? No shit. by Mozai · · Score: 1

      > for our next amazing trick
      in North America, {areacode}-555-1212 will connect you to directory assistance for that areacode's subset of phone numbers.

    22. Re:Gigabits per second of rubbish? No shit. by omnichad · · Score: 1

      Bandwidth isn't exactly important for DNS queries, but latency is.

    23. Re:Gigabits per second of rubbish? No shit. by DamnOregonian · · Score: 1

      It's not important at all for DNS queries. It's important for DNS servers. I run 8 authoritative nameservers. You know what's worse than 100ms of latency? 40% packet loss because you don't have the bandwidth to handle the queries.

      Typically, when someone says "That's a fast link." they're referring to bandwidth. I see that you were not ;)

    24. Re:Gigabits per second of rubbish? No shit. by omnichad · · Score: 1

      If you're getting 40% packet loss, the ping times would be higher or intermittent. It's still a better metric for the end user for DNS than bandwidth.

      Sure, typically fast link means something else - but we have context here.

    25. Re:Gigabits per second of rubbish? No shit. by DamnOregonian · · Score: 1

      If you're getting 40% packet loss, the ping times would be higher

      That's dependent on the amount of buffer bloat you have. Ideally, no, the ping times won't be different.

      or intermittent

      Absolutely- like missing 40% of the time....................

      It's still a better metric for the end user for DNS than bandwidth.

      End user? Yes. Though again, you're going to notice a saturated link long before you notice an extra 40ms of latency in DNS RTT.

      Sure, typically fast link means something else - but we have context here.

      I'd argue incorrect, or at best highly unorthodox usage, even given the context. Full disclosure, I am a network engineer. I do this for a living. My DNS infrastructure hosts 12285 domains, and I'm the head engineer for an AS with approximately 8000 customers. I'm not talking out of my ass.

    26. Re:Gigabits per second of rubbish? No shit. by Szeraax · · Score: 1

      Because I can:

      ping 1.1.1.1

      Pinging 1.1.1.1 with 32 bytes of data:
      Reply from 1.1.1.1: bytes=32 time=4ms TTL=61
      Reply from 1.1.1.1: bytes=32 time=3ms TTL=61
      Reply from 1.1.1.1: bytes=32 time=3ms TTL=61
      Reply from 1.1.1.1: bytes=32 time=4ms TTL=61

      Viva la fiber!

      ps, google is around 45ms for ping, but i've seen it as low as 20ms for stretches.

    27. Re: Gigabits per second of rubbish? No shit. by Brockmire · · Score: 1

      My VPS's get sub 1ms ping times. It gets lonely and loud living in a datacenter, though.

    28. Re:Gigabits per second of rubbish? No shit. by DamnOregonian · · Score: 1

      For the sake of being informative, google is also ever so slightly faster from here, as well.
      [x@x ~]$ traceroute 8.8.8.8
      traceroute to 8.8.8.8 (8.8.8.8), 30 hops max, 60 byte packets
      1 x (x.x.x.x) 0.290 ms 0.334 ms 0.405 ms
      2 x (x.x.x.x) 0.314 ms 0.385 ms 0.468 ms
      3 x (x.x.x.x) 0.419 ms 0.506 ms 0.584 ms
      4 six.sea01.google.com (206.81.80.17) 0.315 ms 0.339 ms 0.357 ms
      5 108.170.245.113 (108.170.245.113) 0.262 ms
      - 108.170.245.97 (108.170.245.97) 1.307 ms
      - 108.170.245.113 (108.170.245.113) 0.275 ms
      6 108.170.237.189 (108.170.237.189) 0.230 ms
      - 209.85.250.19 (209.85.250.19) 0.667 ms
      - 209.85.246.219 (209.85.246.219) 0.668 ms
      7 google-public-dns-a.google.com (8.8.8.8) 0.172 ms 0.188 ms 0.192 ms

      Realistically, I think their anycast node just responds quicker. I doubt there's any difference in latency across the pipe.

    29. Re:Gigabits per second of rubbish? No shit. by DamnOregonian · · Score: 1

      There are plenty [symantec.com] of [schalley.eu] examples [experts-exchange.com] of people suggesting ping to 1.1.1.1 as a delay in batch scripting.

      That is literally one of the dumbest fucking things I've ever heard. And from symantec, no less. Terrible.

    30. Re: Gigabits per second of rubbish? No shit. by Szeraax · · Score: 1

      #I'mInTheBasementDungeonOfMyHouse #StillLonely #TheTwinsAreCryingUpstairs

      There, I made some comments to keep you company.

    31. Re:Gigabits per second of rubbish? No shit. by oddtodd · · Score: 1

      I've been using it for a couple days and it's orders of magnitude better than AT&T DNS servers.

      --
      I have plenty of common sense, I just choose to ignore it. -- Calvin
    32. Re: Gigabits per second of rubbish? No shit. by Anonymous Coward · · Score: 0

      Uhmm. So the timeout wouldn't matter because the localhost would respond to any IP address in the 127.0.0.0 network. Unless your computer is really slow at responding I call BS.

    33. Re: Gigabits per second of rubbish? No shit. by Anonymous Coward · · Score: 0

      That's supposed to be close? I'm six hops away from Comcast residential.

    34. Re: Gigabits per second of rubbish? No shit. by DamnOregonian · · Score: 1

      That's obscenely close. Comcast likely has much of its internal networking from the customer to the edge obscured via MPLS or other transport mechanisms. Your 6 hops don't complete in *zero*.246ms.

    35. Re:Gigabits per second of rubbish? No shit. by Bengie · · Score: 1

      I second DamnOregonian. I was testing a 1 Gb DoS against my 150 Mb connection, and I was getting 85% loss with 20-40 ms pings to my ISP. Bufferbloat, fix it.

    36. Re:Gigabits per second of rubbish? No shit. by Anonymous Coward · · Score: 0

      You still have a tiny penis.

      $ ping 1.1.1.1
      PING 1.1.1.1 (1.1.1.1) 56(84) bytes of data.
      64 bytes from 1.1.1.1: icmp_seq=1 ttl=59 time=0.322 ms
      64 bytes from 1.1.1.1: icmp_seq=2 ttl=59 time=0.352 ms
      64 bytes from 1.1.1.1: icmp_seq=3 ttl=59 time=0.334 ms
      64 bytes from 1.1.1.1: icmp_seq=4 ttl=59 time=0.309 ms

  13. Re:Solution to amplification DDoS exists for 18 ye by SpzToid · · Score: 4, Funny
    --
    You can't be ahead of the curve, if you're stuck in a loop.
  14. What is the DNS part of this? by Anonymous Coward · · Score: 0

    I get that the traffic to these specific IP addresses (or ranges) are interesting - but which DNS names resolve to these addresses? Or are reverse lookups involved?

    1. Re:What is the DNS part of this? by arth1 · · Score: 1

      I get that the traffic to these specific IP addresses (or ranges) are interesting - but which DNS names resolve to these addresses?

      Your question is meaningless; it's like when politicians ask which web links point to https://www.piratebay.se/

      Any number of forward DNS entries can point to these two addresses. If you ran the DNS server for sillyexample.com, you could point dns.sillyexample.com or vengeful.foxbats.sillyexample.com to these addresses if you wanted.
      But there is no way of knowing who points.

      Or are reverse lookups involved?

      Neither forward nor reverse DNS is needed for the name servers themselves.
      That said, for reverse DNS, just ask the DNS server itself:

      1.0.0.1.in-addr.arpa name = 1dot1dot1dot1.cloudflare-dns.com.
      1.1.1.1.in-addr.arpa name = 1dot1dot1dot1.cloudflare-dns.com.

      I.e. both point to the same name. They would work just fine without a reverse pointer to a name too.

    2. Re: What is the DNS part of this? by Anonymous Coward · · Score: 0

      I would like to know more about those fox bats, please.

    3. Re:What is the DNS part of this? by Anonymous Coward · · Score: 0

      Fox bats eat fruit and feed on nectar. I expect they are quite pacifistic. Your example is not valid because it contains an oxymoron.

    4. Re:What is the DNS part of this? by cascadingstylesheet · · Score: 1

      Your question is meaningless;

      You mean he's not even wrong??

      Ah, I've been waiting so long to use that awesome geeky putdown! It works; I feel all superior and everything!!

    5. Re:What is the DNS part of this? by DamnOregonian · · Score: 1

      Does their frugivorism preclude their having a desire for vengeance?

  15. Re:Everybody gets what they want by jellomizer · · Score: 0

    Nah, I just download the DNS data daily (well, I get a daily differential). Using sed and a bash script I update my /etc/hosts file, so I don't need to use any of that silly DNS stuff.

    --
    If something is so important that you feel the need to post it on the internet... It probably isn't that important.
  16. The slashdot effect hasn't been a thing for years by sjbe · · Score: 1

    I think a web server running on a low end system is powerful enough to prevent from being Slashdotted today.

    There haven't been enough people on slashdot for many years for the slashdot effect to be a thing. Plus as you point out the networks are a lot more robust these days.

    Slashdot hasn't grown at the same rate computing has grown.

    Indeed, slashdot has substantially shrunk to all appearances. This used to be a place where a lot of alpha geeks hung out but slashdot never evolved or got better. Just look at how the average number of comments per article has shrunk over the last decade.

  17. Re:867-5309 by arth1 · · Score: 2

    Directing traffic at 1.1.1.1 is a little like calling 867-5309.

    More like calling 555-1212 than Jenny, I'm afraid.

  18. Odd coincidency by Anonymous Coward · · Score: 1

    I recently was setting up a VPN after having set up many VPNs. I've often joked about using non-publicly-used military/government ranges to avoid collisions. I recently set up one for a client and saw they were using 1.1.1.1 for some things. It does seem to be a choice for routers and DNS. I think you'll get it on any easily typed "valid" address because people will just think what's the chance of having to be able to access through IP addresses over WAN (i.e. if it's a few in a billion your break) and if it happens they can shift it to 1.1.1.2. Unfortunately a lot of people operate like that rather than according to the spec.

    1. Re:Odd coincidency by omnichad · · Score: 1

      Which is weird, since 10.0.0.0/8 is absolutely huge and there are 256 different 192.168.x.0/24 networks to play with.

    2. Re: Odd coincidency by Anonymous Coward · · Score: 0

      What's wrong with 203.0.113/24?

    3. Re:Odd coincidency by swb · · Score: 1

      FWIW, I wish RFC1918 had included a couple of weird and unappealing "isolated" /24s which would have gotten less use than 192.168.0.0/16 and 10.0.0.0/8 or even 172.16.0.0 (which seems to be the least used in my experience).

      These lone /24s would have been ideal to break up for interior interfaces or for use on isolated management networks that can't overlap with other interfaces.

    4. Re:Odd coincidency by Bert64 · · Score: 2

      The overlap (and exhaustion in very large businesses) of RFC1918 address space is yet another reason to use ipv6...
      You can use part of your own globally routable address space for internal use, and as it's your own allocated address space no one else should be using it for anything.

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
    5. Re:Odd coincidency by DamnOregonian · · Score: 1

      Link-local addresses exist for this reason. 169.254.0.0/16.
      It's used for IPv4 zeroconf communications, but that's just an application of it. Its purpose is for non-routed link-local communications.

  19. Re:Everybody gets what they want by Assmasher · · Score: 2

    Out of honest curiosity, does CloudFlare have a reputation for this type of thing or are you exercising your paranoia about potentialities (which in matters like this is a GOOD thing.)

    --
    Loading...
  20. Re:The slashdot effect hasn't been a thing for yea by Anonymous Coward · · Score: 1

    just look at how the average number of comments per article has shrunk over the last decade.

    Nothing worth commenting on.

    (1) Crap articles
    (2) Reposts of crap articles

  21. the submitter should train their network-fu by moronoxyd · · Score: 1

    The Cloudflare-APNIC experiment uses two IPv4 address ranges, 1.1.1/24 and 1.0.0/24, which have been reserved for research use.

    I could be wrong, but I'm pretty sure that 1.1.1/24 is not a valid IPv4 address range. IPv4 addresses consist of quadruplets of values. The proper address ranges are 1.1.1.0/24 and 1.0.0.0/24.

    1. Re:the submitter should train their network-fu by cciechad · · Score: 3, Informative

      That's been pretty standard in networking for years. Dropping any 0's. Like 10/8 or 8.8/16. It's just a shorthand.

      --
      https://www.fsf.org/associate/support_freedom
    2. Re:the submitter should train their network-fu by Anonymous Coward · · Score: 0

      It's true the correct syntax includes the network address, but there's no ambiguity in this case.

    3. Re:the submitter should train their network-fu by Anonymous Coward · · Score: 0

      You won't pass a Network+ exam with that attitude.

    4. Re:the submitter should train their network-fu by DamnOregonian · · Score: 1

      Heh. In the network engineering industry, dropping the host address zeros is common practice when talking about prefixes.
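
      As an added example (not from the thread, and not any poster's code), the Python helper below turns the shorthand the two posters describe into full CIDR notation and checks it against the long form; the function names are my own, and the `ipaddress` module does the validation.

```python
"""Expand the abbreviated prefix notation used as network-engineering shorthand.

Added example, not from the Slashdot thread: engineers write "10/8", "8.8/16"
or "1.1.1/24", dropping the all-zero trailing octets of the network address.
This helper restores the omitted octets and validates the result with the
standard `ipaddress` module, so shorthand can be compared with full notation.
"""
import ipaddress


def expand_prefix(shorthand: str) -> ipaddress.IPv4Network:
    """Turn shorthand like "1.1.1/24" into the canonical network 1.1.1.0/24.

    Rules: the prefix length is mandatory; one to four octets may be given;
    missing octets are zero; the result must be a proper network (no host
    bits set), otherwise ValueError is raised.
    """
    addr_part, sep, plen_part = shorthand.partition("/")
    if not sep:
        raise ValueError(f"missing prefix length in {shorthand!r}")
    octets = addr_part.split(".")
    if not 1 <= len(octets) <= 4:
        raise ValueError(f"bad octet count in {shorthand!r}")
    for o in octets:
        if not o.isdigit() or not 0 <= int(o) <= 255:
            raise ValueError(f"bad octet {o!r} in {shorthand!r}")
    octets += ["0"] * (4 - len(octets))
    # strict=True rejects e.g. "1.1.1.1/24", where host bits are set;
    # an invalid prefix length also raises ValueError here
    return ipaddress.IPv4Network(f"{'.'.join(octets)}/{plen_part}", strict=True)


def same_network(shorthand: str, full: str) -> bool:
    """True when the shorthand denotes exactly the fully written network."""
    return expand_prefix(shorthand) == ipaddress.IPv4Network(full, strict=True)


if __name__ == "__main__":
    # the two research ranges from the article, plus the thread's other examples
    for s in ("1.1.1/24", "1.0.0/24", "10/8", "8.8/16"):
        print(f"{s:>10} -> {expand_prefix(s)}")
```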

  22. Re:Everybody gets what they want by DontBeAMoran · · Score: 3, Funny

    Oh yeah? Well, I'll build my own DNS! With blackjack, and hookers!

    --
    #DeleteFacebook
  23. Cloudflare is not the solution to secure DNS by Anonymous Coward · · Score: 1

    Cloudflare started its life with seeding from NSA and CIA as a honeypot used for nefarious purposes. Trusting this business to be the solution to private and secure DNS is complete madness. The solution must be within DNSSEC, out of the hands of American agencies and companies.

  24. Re:The slashdot effect hasn't been a thing for yea by Rob+Lister · · Score: 1

    Just look at how the average number of comments per article has shrunk over the last decade.

    Can you prove that? I'm betting that just the average number of ACs we have per thread now greatly exceeds the number of named postings per thread ten or twenty years ago.

  25. FFS by jbmartin6 · · Score: 4, Informative

    The new DNS isn't "attracting" anything. All the traffic to 1.1.1.1 was already there, that's why they put the DNS host on that address. They wanted to experiment with exposing it to tons of crap traffic.

    --
    This posting is provided 'AS IS' without warranty of any kind, implied or otherwise.
    1. Re:FFS by jaymemaurice · · Score: 1

      Technically, if there was no route to 1.1.1.1 before since it wasn't in the BGP tables, they are now attracting it like a magnet.
      It will no longer follow default routes until it has nowhere to go... there is now a destination.

      --
      120 characters ought to be enough for anyone
    2. Re:FFS by jbmartin6 · · Score: 1

      Touché, although at best that's a strange attractor.

      --
      This posting is provided 'AS IS' without warranty of any kind, implied or otherwise.
    3. Re:FFS by DamnOregonian · · Score: 1

      Oh it's absolutely attracting it.
      Prior to 1.1.1.0/24 becoming a global routed prefix again, that traffic was blackholed in every individual AS.
      Now that cloudflare is announcing that block to me, we are routing that traffic to them. There really isn't any more accurate way of putting it other than that they are attracting it.

    4. Re:FFS by Anonymous Coward · · Score: 0

      yeah, it seems like this was traffic that would be dead-ended asap, but now will traverse to their servers, which is maybe a little annoying for those providing those links. It's not really clear from the article whether this was expected by those doing the DNS experiment or not. I don't think the DNS experiment really needs this special IP, so the question is whether this downside is big enough that they should just use a normal IP.

  26. Re:Everybody gets what they want by Anonymous Coward · · Score: 0

    shh, you'll summon it!

  27. Re:The slashdot effect hasn't been a thing for yea by jon3k · · Score: 2

    I'm really curious as well. Does slashdot have a proper api that would allow someone to do some analysis on this?

    Also, where did everyone go? Reddit? What subs? Has the very specific nature of subreddits fractured what used to be a large single audience?

  28. Re: The slashdot effect hasn't been a thing for ye by Anonymous Coward · · Score: 0

    #1 crap articles
    #2 dupes of crap articles

  29. Re:The slashdot effect hasn't been a thing for yea by Anonymous Coward · · Score: 1

    Slashdot doesn't even support fucking unicode, why would you think it has any kind of api?

  30. Comment removed by account_deleted · · Score: 1

    Comment removed based on user account deletion

  31. Comment removed by account_deleted · · Score: 1

    Comment removed based on user account deletion

  32. Re:Everybody gets what they want by Anonymous Coward · · Score: 0

    Doubtful. He seems to be staying away lately. Probably because he finally realized that every time he chimed in he would get schooled and end up looking like an ass. Either that or whipslash finally put in place some blocking of him and he is now frantically trying to find a way to post.

  33. Re:867-5309 by PPH · · Score: 3, Funny

    invoke a better humor response.

    Humor timed out. No route to host.

    --
    Have gnu, will travel.
  34. Opaque?-Patterns in the noise. by Anonymous Coward · · Score: 0

    I think he's talking about macroscopic behavior.* Better if they could extend this geographically to other roots to see what DNS does worldwide.

    *DNS traditionally hasn't been instrumented. Just tailored as a service.

  35. Re:Everybody gets what they want by ckaminski · · Score: 1

    If it's Free, it's going to be used to gather data from you and then resell for value.

    Period.

    Even if it's not free, odds are your data is going to be aggregated and sold.

    It may be anonymized to some extent, but get a large enough sample of data from enough sources and you can be deanonymized.

  36. Re: "Chief Scientist" who doesn't understand... by zooblethorpe · · Score: 1

    ... I hope it doesn't turn out to be a mistake to have hired people who don't understand DNS...

    Yeah, that stood out to me, too. ... How can you hire a "Chief Scientist" who doesn't understand the basic mechanisms of the environment you're operating within?

    I dunno, that sounds about right for the current political environment in the US. Ideology and Wishy Thinking FTW!

    :-P

    Cheers,

    --
    "What in the name of Fats Waller is that?"
    "A four-foot prune."
  37. Nooo my SkyNet!!! by Julz · · Score: 1

    There goes my Skynet's comms strategy :(

    --
    When shit hits the fan get some of these https://youtu.be/pY-GncsZ-UE
  38. Re:Everybody gets what they want by Assmasher · · Score: 1

    I thought they were a 'freemium' model; ergo, they don't need to make money off their free customers...

    --
    Loading...
  39. Re:Everybody gets what they want by Anonymous Coward · · Score: 0

    It looks like you're explaining why you think the users will be surveilled. I think he was asking more about whether or not Cloudflare has a reputation for doing things like that. Are you saying that this is the first move in beginning such a reputation?

  40. Re:Solution to amplification DDoS exists for 18 ye by Anonymous Coward · · Score: 0

    As you're no doubt aware, RFC 2827 Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing, is primarily designed to prevent TCP SYN flood attacks. It is less beneficial for ICMP and UDP flood attacks.

    Ignoring zone transfers, the majority of DNS traffic, especially the problematic DNS amplification attacks, uses the UDP protocol, not the TCP protocol.

  41. Re: Everybody gets what they want by Anonymous Coward · · Score: 0

    What if we want our daily reminder about how good the hosts file is?

  42. Re:Everybody gets what they want by Anonymous Coward · · Score: 0

    If anything, CloudFlare are a bit too uptight about privacy and security. They refused to cooperate with law enforcement over sites hiding behind their services on many, many occasions. They've had 1 or 2 minor data leaks due to improper caching and have been really good about explaining the causes, breadth and impacts.

    Their T&Cs and services agreements prevent them from legally monetising the activity of sites they serve. Apparently they can support all the free services off the back of their paying customers without much effort.