Slashdot Mirror

← Back to Stories (view on slashdot.org)

1.1.1.1: Cloudflare's New DNS Attracting 'Gigabits Per Second' of Rubbish (zdnet.com)

Posted by BeauHD on from the dirty-hacks dept.

An anonymous reader quotes a report from ZDNet: Cloudflare's new speed and privacy enhancing domain name system (DNS) servers, launched on Sunday, are also part of an experiment being conducted in partnership with the Asia Pacific Network Information Center (APNIC). The experiment aims to understand how DNS can be improved in terms of performance, security, and privacy. "We are now critically reliant on the integrity of the DNS, yet the details of the way it operates still remains largely opaque," wrote APNIC's chief scientist Geoff Huston in a blog post. "We are aware that the DNS has been used to generate malicious denial of service attacks, and we are keen to understand if there are simple and widely deployable measures that can be taken to mitigate such attacks. The DNS relies on caching to operate efficiently and quickly, but we are still unsure as to how well caching actually performs. We are also unclear how much of the DNS is related to end user or application requirements for name resolution, and how much is related to the DNS chattering to itself."

The Cloudflare-APNIC experiment uses two IPv4 address ranges, 1.1.1/24 and 1.0.0/24, which have been reserved for research use. Cloudflare's new DNS uses two addresses within those ranges, 1.1.1.1 and 1.0.0.1. These address ranges were originally configured as "dark traffic addresses", and some years ago APNIC partnered with Google to analyze the unsolicited traffic directed at them. There was a lot of it. "Our initial work with it certainly showed it to be an unusually strong attractor for bad traffic. At the time we stopped doing it with Google, it was over 50 gigabits per second. Quite frankly, few folk can handle that much noise," Huston told ZDNet on Wednesday. By putting Cloudflare's DNS on these research addresses, APNIC gets to see the noise as well as the DNS traffic -- or at least "a certain factored amount" of it -- for research purposes.

30 of 136 comments (clear)

  1. Research by symes · · Score: 3, Interesting

    I would be very interested in following the research they are undertaking. Anyone know how/where this will be published?

    1. Re:Research by Rosco+P.+Coltrane · · Score: 2

      Wherever it gets published, you can bet you'll have to solve an impossible captcha to get to it.

      --
      "A door is what a dog is perpetually on the wrong side of" - Ogden Nash
    2. Re: Research by aleph · · Score: 2

      Why on earth would the whole /8 revert to IANA? As per the *summary*, even, that whole block is delegated to APNIC.

      A world beyond North America, bizarre I know.

    3. Re:Research by Zocalo · · Score: 2

      The IPs are assigned to APNIC, a RIR, and they are free to assign them to whoever they want that meets their assignment policies, including entitities that are not Headquartered in the APNIC region. There is some debate in high-level networking groups like NANOG about whether those procedures were correctly followed, but that ultimately hinges on whether this is a joint APNIC-Cloudflare research project or a permanent assignment. The former is arguably within APNIC's currently agreed scope for the IPs in question, the latter may have circumvented a few procedures or opportunities for debate.

      Ultimately though, the last time these IPs were routed - a partnership between APNIC and Google, they got 50Gb/s of garbage, mostly from things that were designed to use unassigned IPs rather than suitable RFC1918 IPs. There are not exactly very many companies that have the necessary infrastructure to filter out 50Gb/s of crap and still provide a useable service with what remains so, research or not, I can't see many people wanting these IPs anyway and if Cloudflare can make some use of them, good on them. Besides all that, there is also the question of why are people still doing "research" on IPv4 space; wouldn't it be better to be focussing on the brave new world of IPv6 - where's my 2001:2001:: resolver, or some such equivalent?

      --
      UNIX? They're not even circumcised! Savages!
    4. Re:Research by onepoint · · Score: 3, Interesting

      Hi Zocalo,

      I come from a time when we looked at cycles of a process to see what we could do to reduce the cpu's usage ( and all the other steps ), I believe the reason for working in the IPv4 space is similar to that, they are first trying to find out what is going on with the least amount of junk in the system from their end.

      DNS resolving is such a critical issue that the lessons learned in one space, Might ( not will or work ) be transferable to the IPv6 space. So I would think that the processing cycle savings by working in IPv4 space might be a huge ( well my math is rusty so 255 x 254 x 253 = 16386810 in savings per processing cycle ) not a lot but still a small saving.

      Another perspective also brings out the point, that if the junk traffic can be cleaned out ( nulled ), the new savings can be used for better end-user experience. We have a correlated example of this back when hurricane sandy hit. Spam numbers decreased by a noticeable percentage, this would lead to the following assumptions ( but not fact ), Less energy use overall. So testing on the starting platform, finding results, and seeing if it can be brought out to the next level is a good thing for the growth of the 'net'

      of course I could be totally wrong and it was some upper management choice because they did not know better.

      --
      if you see me, smile and say hello.
    5. Re:Research by Killall+-9+Bash · · Score: 2
      Or for windows bat files....

      REM wait 10 seconds
      ping 1.1.1.1 -n 10 > nul

      I often use 1.1.1.1 as a "garbage" IP address. Anyone using that address should expect to get flooded with pings.

      --
      "Prediction: within 10 years, Windows will be a Linux distribution." Me, 7-6-2016
  2. Experiment? by RadioD00d · · Score: 4, Interesting

    The summary repeatedly calls this an 'experiment' - does that also indicate that at some point, these nameservers will be disabled / changed / removed in the guise of 'science'? Since TANSTAAFL, I find it difficult to believe that even Cloudflare (who makes buckets of money in other ways) is just going to give away this service forever. I know, THEY'RE GATHERING DATA - if you're that concerned about the crap you post on the internet, you either need to re-evaluate your exposure or just cut your ethernet cable entirely....

    1. Re:Experiment? by godrik · · Score: 4, Funny

      you either need to re-evaluate your exposure or just cut your ethernet cable entirely....

      My ethernet cable ? Jeez, this is the 21st century! I'll cut my WiFi cable, thank you very much!

    2. Re:Experiment? by lfourrier · · Score: 2

      Don't forget that all Google "products" are just experiments, valid only as long as they find benefit in them.

    3. Re:Experiment? by apoc.famine · · Score: 4, Funny

      With a Faraday knife!

      --
      Velociraptor = Distiraptor / Timeraptor
    4. Re:Experiment? by Tulsa_Time · · Score: 2

      "The research relationship is set to run for at least five years, after which it may be renewed and APNIC will consider permanently allocating the 1.1.1.1 IP address – along with 1.0.0.1 – to Cloudflare."

      --
      5 out of 6 people enjoy Russian Roulette & 6 out of 7 Dwarfs are not Happy
  3. Opaque? by Viol8 · · Score: 3, Insightful

    "yet the details of the way it operates still remains largely opaque"

    Opaque to whom? Not to net admins and other people who understand DNS. If they're hoping Joe Schmoe will understand or care then they've got a long wait.

  4. Re:Everybody gets what they want by Anonymous Coward · · Score: 4, Insightful

    If you are worried about this I would suggest you disconnect from the internet.

  5. Re:Solution to amplification DDoS exists for 18 ye by arglebargle_xiv · · Score: 3, Funny

    Meh. Implementing RFC 3514 is far more useful, you could automatically disconnect all evildoers, not just threaten to disconnect people who may be evil.

  6. Comment removed by account_deleted · · Score: 3, Funny

    Comment removed based on user account deletion

  7. Gigabits per second of rubbish? No shit. by BlacKSacrificE · · Score: 5, Interesting

    There are plenty of examples of people suggesting ping to 1.1.1.1 as a delay in batch scripting. The thought of batches all over the world now failing because people used a kludge method to pause was only slightly more amusing than the thought of all the junk traffic 1.1.1.1 would see as a result.

    For our next amazing trick, we're going to make 555-xxxx a valid number range! Follow the action live at example.com!

    --
    [Sorry, this signature is unavailable in your country/region]
    1. Re:Gigabits per second of rubbish? No shit. by Anonymous Coward · · Score: 2, Insightful

      Windoze (pun intended) doesn't have a built-in sleep command for batch files. What fun!

    2. Re:Gigabits per second of rubbish? No shit. by Anonymous Coward · · Score: 2, Insightful

      I keep seeing people complaining about this breaking batch scripts that ping 1.1.1.1, but Cloudflare isn't responding to ICMP requests as far as I can tell. Just because an IP address is active, doesn't mean that it will respond to a ping.

    3. Re:Gigabits per second of rubbish? No shit. by omnichad · · Score: 3, Informative

      ping 1.1.1.1

      Pinging 1.1.1.1 with 32 bytes of data:
      Reply from 1.1.1.1: bytes=32 time=16ms TTL=53
      Reply from 1.1.1.1: bytes=32 time=16ms TTL=53
      Reply from 1.1.1.1: bytes=32 time=16ms TTL=53
      Reply from 1.1.1.1: bytes=32 time=16ms TTL=53

      Maybe your ISP just doesn't route the traffic. That's a fast link. Though Google DNS is 15ms from here.

    4. Re:Gigabits per second of rubbish? No shit. by DamnOregonian · · Score: 2

      That's a fast link.

      Na. It's anycast. Your ping is dependent upon how close you are to the closest node. Being I peer with cloudflare at the SIX, i'm very close to my closest node.

      [x@x ~]$ traceroute 1.1.1.1
      traceroute to 1.1.1.1 (1.1.1.1), 30 hops max, 60 byte packets
      1 x (x.x.x.x) 0.232 ms 0.313 ms 0.371 ms
      2 x (x.x.x.x) 0.295 ms 0.381 ms 0.466 ms
      3 x (x.x.x.x) 27.807 ms 27.894 ms 28.005 ms
      4 six.as13335.com (206.81.81.10) 0.293 ms 0.292 ms 0.292 ms
      5 1dot1dot1dot1.cloudflare-dns.com (1.1.1.1) 0.212 ms 0.213 ms 0.246 ms

    5. Re:Gigabits per second of rubbish? No shit. by DamnOregonian · · Score: 2

      Also- it works fine for DNS. We've been playing with it for a little bit.
      It's in the global BGP tables, so you're going to be able to access it basically anywhere, except possibly a few networks operated by morons, or behind equipment that made the unfortunate choice of using 1.1.1.0 a management prefix internally.

  8. Re:Solution to amplification DDoS exists for 18 ye by SpzToid · · Score: 4, Funny

    https://en.wikipedia.org/wiki/...

    --
    You can't be ahead of the curve, if you're stuck in a loop.
  9. Re:867-5309 by arth1 · · Score: 2

    Directing traffic at 1.1.1.1 is a little like calling 867-5309.

    More like calling 555-1212 than Jenny, I'm afraid.

  10. Re:Everybody gets what they want by Assmasher · · Score: 2

    Out of honest curiosity, does CloudFlare have a reputation for this type of thing or are you exercising your paranoia about potentialities (which in matters like this is a GOOD thing.)

    --
    Loading...
  11. Re:Everybody gets what they want by DontBeAMoran · · Score: 3, Funny

    Oh yeah? Well, I'll build my own DNS! With blackjack, and hookers!

    --
    #DeleteFacebook
  12. Re:the submitter should train their network-fu by cciechad · · Score: 3, Informative

    Thats been pretty standard in networking for years. Dropping any 0's. Like 10/8 or 8.8/16. Its just a shorthand.

    --
    https://www.fsf.org/associate/support_freedom
  13. FFS by jbmartin6 · · Score: 4, Informative

    The new DNS isn't "attracting" anything. All the traffic to 1.1.1.1 was already there, that's why they put the DNS host on that address. They wanted to experiment with exposing it to tons of crap traffic.

    --
    This posting is provided 'AS IS' without warranty of any kind, implied or otherwise.
  14. Re:The slashdot effect hasn't been a thing for yea by jon3k · · Score: 2

    I'm really curious as well. Does slashdot have a proper api that would allow someone to do some analysis on this?

    Also, where did everyone go? Reddit? What subs? Has the very specific nature of subreddits fractured what used to be a large single audience?

  15. Re:867-5309 by PPH · · Score: 3, Funny

    invoke a better humor response.

    Humor timed out. No route to host.

    --
    Have gnu, will travel.
  16. Re:Odd coincidency by Bert64 · · Score: 2

    The overlap (and exhaustion in very large businesses) of RFC1918 address space is yet another reason to use ipv6...
    You can use part of your own globally routable address space for internal use, and as its your own allocated address space noone else should be using it for anything.

    --
    http://spamdecoy.net - free throwaway anonymous email - avoid spam!