Slashdot Mirror

← Back to Stories (view on slashdot.org)

1.1.1.1: Cloudflare's New DNS Attracting 'Gigabits Per Second' of Rubbish (zdnet.com)

Posted by BeauHD on from the dirty-hacks dept.

An anonymous reader quotes a report from ZDNet: Cloudflare's new speed and privacy enhancing domain name system (DNS) servers, launched on Sunday, are also part of an experiment being conducted in partnership with the Asia Pacific Network Information Center (APNIC). The experiment aims to understand how DNS can be improved in terms of performance, security, and privacy. "We are now critically reliant on the integrity of the DNS, yet the details of the way it operates still remains largely opaque," wrote APNIC's chief scientist Geoff Huston in a blog post. "We are aware that the DNS has been used to generate malicious denial of service attacks, and we are keen to understand if there are simple and widely deployable measures that can be taken to mitigate such attacks. The DNS relies on caching to operate efficiently and quickly, but we are still unsure as to how well caching actually performs. We are also unclear how much of the DNS is related to end user or application requirements for name resolution, and how much is related to the DNS chattering to itself."

The Cloudflare-APNIC experiment uses two IPv4 address ranges, 1.1.1/24 and 1.0.0/24, which have been reserved for research use. Cloudflare's new DNS uses two addresses within those ranges, 1.1.1.1 and 1.0.0.1. These address ranges were originally configured as "dark traffic addresses", and some years ago APNIC partnered with Google to analyze the unsolicited traffic directed at them. There was a lot of it. "Our initial work with it certainly showed it to be an unusually strong attractor for bad traffic. At the time we stopped doing it with Google, it was over 50 gigabits per second. Quite frankly, few folk can handle that much noise," Huston told ZDNet on Wednesday. By putting Cloudflare's DNS on these research addresses, APNIC gets to see the noise as well as the DNS traffic -- or at least "a certain factored amount" of it -- for research purposes.

16 of 136 comments (clear)

  1. Research by symes · · Score: 3, Interesting

    I would be very interested in following the research they are undertaking. Anyone know how/where this will be published?

    1. Re:Research by onepoint · · Score: 3, Interesting

      Hi Zocalo,

      I come from a time when we looked at cycles of a process to see what we could do to reduce the cpu's usage ( and all the other steps ), I believe the reason for working in the IPv4 space is similar to that, they are first trying to find out what is going on with the least amount of junk in the system from their end.

      DNS resolving is such a critical issue that the lessons learned in one space, Might ( not will or work ) be transferable to the IPv6 space. So I would think that the processing cycle savings by working in IPv4 space might be a huge ( well my math is rusty so 255 x 254 x 253 = 16386810 in savings per processing cycle ) not a lot but still a small saving.

      Another perspective also brings out the point, that if the junk traffic can be cleaned out ( nulled ), the new savings can be used for better end-user experience. We have a correlated example of this back when hurricane sandy hit. Spam numbers decreased by a noticeable percentage, this would lead to the following assumptions ( but not fact ), Less energy use overall. So testing on the starting platform, finding results, and seeing if it can be brought out to the next level is a good thing for the growth of the 'net'

      of course I could be totally wrong and it was some upper management choice because they did not know better.

      --
      if you see me, smile and say hello.
  2. Experiment? by RadioD00d · · Score: 4, Interesting

    The summary repeatedly calls this an 'experiment' - does that also indicate that at some point, these nameservers will be disabled / changed / removed in the guise of 'science'? Since TANSTAAFL, I find it difficult to believe that even Cloudflare (who makes buckets of money in other ways) is just going to give away this service forever. I know, THEY'RE GATHERING DATA - if you're that concerned about the crap you post on the internet, you either need to re-evaluate your exposure or just cut your ethernet cable entirely....

    1. Re:Experiment? by godrik · · Score: 4, Funny

      you either need to re-evaluate your exposure or just cut your ethernet cable entirely....

      My ethernet cable ? Jeez, this is the 21st century! I'll cut my WiFi cable, thank you very much!

    2. Re:Experiment? by apoc.famine · · Score: 4, Funny

      With a Faraday knife!

      --
      Velociraptor = Distiraptor / Timeraptor
  3. Opaque? by Viol8 · · Score: 3, Insightful

    "yet the details of the way it operates still remains largely opaque"

    Opaque to whom? Not to net admins and other people who understand DNS. If they're hoping Joe Schmoe will understand or care then they've got a long wait.

  4. Re:Everybody gets what they want by Anonymous Coward · · Score: 4, Insightful

    If you are worried about this I would suggest you disconnect from the internet.

  5. Re:Solution to amplification DDoS exists for 18 ye by arglebargle_xiv · · Score: 3, Funny

    Meh. Implementing RFC 3514 is far more useful, you could automatically disconnect all evildoers, not just threaten to disconnect people who may be evil.

  6. Comment removed by account_deleted · · Score: 3, Funny

    Comment removed based on user account deletion

  7. Gigabits per second of rubbish? No shit. by BlacKSacrificE · · Score: 5, Interesting

    There are plenty of examples of people suggesting ping to 1.1.1.1 as a delay in batch scripting. The thought of batches all over the world now failing because people used a kludge method to pause was only slightly more amusing than the thought of all the junk traffic 1.1.1.1 would see as a result.

    For our next amazing trick, we're going to make 555-xxxx a valid number range! Follow the action live at example.com!

    --
    [Sorry, this signature is unavailable in your country/region]
    1. Re:Gigabits per second of rubbish? No shit. by omnichad · · Score: 3, Informative

      ping 1.1.1.1

      Pinging 1.1.1.1 with 32 bytes of data:
      Reply from 1.1.1.1: bytes=32 time=16ms TTL=53
      Reply from 1.1.1.1: bytes=32 time=16ms TTL=53
      Reply from 1.1.1.1: bytes=32 time=16ms TTL=53
      Reply from 1.1.1.1: bytes=32 time=16ms TTL=53

      Maybe your ISP just doesn't route the traffic. That's a fast link. Though Google DNS is 15ms from here.

  8. Re:Solution to amplification DDoS exists for 18 ye by SpzToid · · Score: 4, Funny

    https://en.wikipedia.org/wiki/...

    --
    You can't be ahead of the curve, if you're stuck in a loop.
  9. Re:Everybody gets what they want by DontBeAMoran · · Score: 3, Funny

    Oh yeah? Well, I'll build my own DNS! With blackjack, and hookers!

    --
    #DeleteFacebook
  10. Re:the submitter should train their network-fu by cciechad · · Score: 3, Informative

    Thats been pretty standard in networking for years. Dropping any 0's. Like 10/8 or 8.8/16. Its just a shorthand.

    --
    https://www.fsf.org/associate/support_freedom
  11. FFS by jbmartin6 · · Score: 4, Informative

    The new DNS isn't "attracting" anything. All the traffic to 1.1.1.1 was already there, that's why they put the DNS host on that address. They wanted to experiment with exposing it to tons of crap traffic.

    --
    This posting is provided 'AS IS' without warranty of any kind, implied or otherwise.
  12. Re:867-5309 by PPH · · Score: 3, Funny

    invoke a better humor response.

    Humor timed out. No route to host.

    --
    Have gnu, will travel.