1.1.1.1: Cloudflare's New DNS Attracting 'Gigabits Per Second' of Rubbish (zdnet.com)

An anonymous reader quotes a report from ZDNet: Cloudflare's new speed and privacy enhancing domain name system (DNS) servers, launched on Sunday, are also part of an experiment being conducted in partnership with the Asia Pacific Network Information Center (APNIC). The experiment aims to understand how DNS can be improved in terms of performance, security, and privacy. "We are now critically reliant on the integrity of the DNS, yet the details of the way it operates still remains largely opaque," wrote APNIC's chief scientist Geoff Huston in a blog post. "We are aware that the DNS has been used to generate malicious denial of service attacks, and we are keen to understand if there are simple and widely deployable measures that can be taken to mitigate such attacks. The DNS relies on caching to operate efficiently and quickly, but we are still unsure as to how well caching actually performs. We are also unclear how much of the DNS is related to end user or application requirements for name resolution, and how much is related to the DNS chattering to itself."

The Cloudflare-APNIC experiment uses two IPv4 address ranges, 1.1.1/24 and 1.0.0/24, which have been reserved for research use. Cloudflare's new DNS uses two addresses within those ranges, 1.1.1.1 and 1.0.0.1. These address ranges were originally configured as "dark traffic addresses", and some years ago APNIC partnered with Google to analyze the unsolicited traffic directed at them. There was a lot of it. "Our initial work with it certainly showed it to be an unusually strong attractor for bad traffic. At the time we stopped doing it with Google, it was over 50 gigabits per second. Quite frankly, few folk can handle that much noise," Huston told ZDNet on Wednesday. By putting Cloudflare's DNS on these research addresses, APNIC gets to see the noise as well as the DNS traffic -- or at least "a certain factored amount" of it -- for research purposes.

  • Oh, this was their plan all along. Heh, well, I hope it doesn't turn out to be a mistake to have hired people who don't understand DNS...

    • I think a web server running on a low end system is powerful enough to prevent it from being Slashdotted today.
      Slashdot hasn't grown at the same rate computing has grown.
      Slashdot has been late posting news articles, compared to other sites who have larger volume, so by the time it gets on Slashdot, the site has already adjusted for the volume.
      Often most sites are on the cloud, so they just request extra bandwidth.

      • I think a web server running on a low end system is powerful enough to prevent it from being Slashdotted today.

        There haven't been enough people on slashdot for many years for the slashdot effect to be a thing. Plus as you point out the networks are a lot more robust these days.

        Slashdot hasn't grown at the same rate computing has grown.

        Indeed, slashdot has substantially shrunk to all appearances. This used to be a place where a lot of alpha geeks hung out but slashdot never evolved or got better. Just look at how the average number of comments per article has shrunk over the last decade.

        • by Anonymous Coward

          just look at how the average number of comments per article has shrunk over the last decade.

          Nothing worth commenting on.

          (1) Crap articles
          (2) Reposts of crap articles

        • Just look at how the average number of comments per article has shrunk over the last decade.

          Can you prove that? I'm betting that just the average number of ACs we have per thread now greatly exceeds the number of named postings per thread ten or twenty years ago.

          • by jon3k ( 691256 )
            I'm really curious as well. Does slashdot have a proper api that would allow someone to do some analysis on this?

            Also, where did everyone go? Reddit? What subs? Has the very specific nature of subreddits fractured what used to be a large single audience?
            • by Anonymous Coward

              Slashdot doesn't even support fucking unicode, why would you think it has any kind of api?

      • Comment removed based on user account deletion
    • Re: (Score:2, Insightful)

      ... I hope it doesn't turn out to be a mistake to have hired people who don't understand DNS...

      Yeah, that stood out to me, too. ... How can you hire a "Chief Scientist" who doesn't understand the basic mechanisms of the environment you're operating within?

      • ... I hope it doesn't turn out to be a mistake to have hired people who don't understand DNS...

        Yeah, that stood out to me, too. ... How can you hire a "Chief Scientist" who doesn't understand the basic mechanisms of the environment you're operating within?

        I dunno, that sounds about right for the current political environment in the US. Ideology and Wishy Thinking FTW!

        :-P

        Cheers,

  • Research (Score:4, Interesting)

    by symes ( 835608 ) on Thursday April 05, 2018 @05:30AM (#56385653) Journal

    I would be very interested in following the research they are undertaking. Anyone know how/where this will be published?

    • Wherever it gets published, you can bet you'll have to solve an impossible captcha to get to it.

    • by Anonymous Coward

      The NSA doesn't usually release the results of their studies.

    • Re: (Score:2, Insightful)

      by arth1 ( 260657 )

      I would be very interested in following the research they are undertaking. Anyone know how/where this will be published?

      And when the research is completed, with the 1.1.1.1 and 1.0.0.1 addresses going back to IANA and no longer serving DNS? I bet that some people bought the hype and thought that these would be perpetual addresses, and not just a research run.

      • Why on earth would the whole /8 revert to IANA? As per the *summary*, even, that whole block is delegated to APNIC.

        A world beyond North America, bizarre I know.

      • I bet that some people bought the hype and thought that these would be perpetual addresses

        What is this concept of a "permanent address" in relation to TCP/IP? It might seem permanent to you, but some of us are actually older than the Internet and view such things as just recent fads. I wouldn't be surprised if the people (*) who write the major networking protocols in use when I die haven't been conceived yet.

        (*) - includes programs, including ones with formal proofing built into the compiler.

    • Comment removed based on user account deletion
  • Experiment? (Score:4, Interesting)

    by RadioD00d ( 714469 ) on Thursday April 05, 2018 @05:36AM (#56385663)
    The summary repeatedly calls this an 'experiment' - does that also indicate that at some point, these nameservers will be disabled / changed / removed in the guise of 'science'? Since TANSTAAFL, I find it difficult to believe that even Cloudflare (who makes buckets of money in other ways) is just going to give away this service forever. I know, THEY'RE GATHERING DATA - if you're that concerned about the crap you post on the internet, you either need to re-evaluate your exposure or just cut your ethernet cable entirely....
  • Opaque? (Score:4, Insightful)

    by Viol8 ( 599362 ) on Thursday April 05, 2018 @05:56AM (#56385693) Homepage

    "yet the details of the way it operates still remains largely opaque"

    Opaque to whom? Not to net admins and other people who understand DNS. If they're hoping Joe Schmoe will understand or care then they've got a long wait.

  • by account_deleted ( 4530225 ) on Thursday April 05, 2018 @06:28AM (#56385753)
    Comment removed based on user account deletion
  • by BlacKSacrificE ( 1089327 ) on Thursday April 05, 2018 @06:35AM (#56385767)

    There are plenty [symantec.com] of [schalley.eu] examples [experts-exchange.com] of people suggesting ping to 1.1.1.1 as a delay in batch scripting. The thought of batches all over the world now failing because people used a kludge method to pause was only slightly more amusing than the thought of all the junk traffic 1.1.1.1 would see as a result.

    For our next amazing trick, we're going to make 555-xxxx a valid number range! Follow the action live at example.com!

    • I was wondering where this traffic was coming from - and why. Here's one place (who knew! yet another reason Windows has been 'bad for tech' ;-), and I'll bet there are others that do something similar.

      I wonder if the 'script kiddies' scan 1.x.x.x looking for old WordPress, and default SSH accounts? I'll bet at least some of them do.

      I'm left wondering what analysis of this 'spam traffic' is going to tell anyone though. Hopefully they'll publish some of their findings so we can take a peek.

      • by Zocalo ( 252965 )
        There's also a lot coming from captive portals that use 1.1.1.1 as a login/logout gateway IP, including some turnkey solutions provided by the likes of Cisco that are heavily deployed in providing free WiFi services to things like the hospitality trade. Yeah, they could (and should!) have used RFC1918 IPs as the default configuration for this, just like your home router tends to default to 192.168.1.1, but for whatever reason decided to default to 1.1.1.1 instead. Since that (fairly obviously) is highly u
        • I'm a network engineer, so I am not remotely justifying what I'm about to describe. I'm the chief engineer on several large residential fiber to the home deployments, and as such get to play around a lot in not-off-the-shelf CPE equipment. You'd be amazed how much I see 1.1.1.1 used. It confused me for a while, but now I get it. If you need an RFC1918 address that you're basically guaranteed no user or ISP back end configuration will overlap with- guess what.

          The current equipment I'm working on (and have
    • The sleep command was too hard? Sleep 10 gives you a 10 second delay and so on.
      • Re: (Score:2, Insightful)

        by Anonymous Coward

        Windoze (pun intended) doesn't have a built-in sleep command for batch files. What fun!

        • by Anonymous Coward

          Since Windows 7 / Server 2008+ it does, the TIMEOUT command; doesn't help if you have to use the script on older environments, but still...

          • by Anonymous Coward

            Use the CHOICE command with a timeout starting with DOS 6.0.

            https://en.wikipedia.org/wiki/Choice_(command)

            RRK

    • For the rare occasion where I write a batch file like that I use 127.255.255.255... it always fails by timing out (so you can specify a timeout to control batch delay) and it only uses the localhost virtual network adapter so you're not spamming over the LAN or internet.
    • Re: (Score:2, Insightful)

      by Anonymous Coward

      I keep seeing people complaining about this breaking batch scripts that ping 1.1.1.1, but Cloudflare isn't responding to ICMP requests as far as I can tell. Just because an IP address is active, doesn't mean that it will respond to a ping.

      • by omnichad ( 1198475 ) on Thursday April 05, 2018 @08:02AM (#56386057) Homepage

        ping 1.1.1.1

        Pinging 1.1.1.1 with 32 bytes of data:
        Reply from 1.1.1.1: bytes=32 time=16ms TTL=53
        Reply from 1.1.1.1: bytes=32 time=16ms TTL=53
        Reply from 1.1.1.1: bytes=32 time=16ms TTL=53
        Reply from 1.1.1.1: bytes=32 time=16ms TTL=53

        Maybe your ISP just doesn't route the traffic. That's a fast link. Though Google DNS is 15ms from here.

        • That's a fast link.

          Na. It's anycast. Your ping is dependent upon how close you are to the closest node. Being I peer with Cloudflare at the SIX, I'm very close to my closest node.

          [x@x ~]$ traceroute 1.1.1.1
          traceroute to 1.1.1.1 (1.1.1.1), 30 hops max, 60 byte packets
          1 x (x.x.x.x) 0.232 ms 0.313 ms 0.371 ms
          2 x (x.x.x.x) 0.295 ms 0.381 ms 0.466 ms
          3 x (x.x.x.x) 27.807 ms 27.894 ms 28.005 ms
          4 six.as13335.com (206.81.81.10) 0.293 ms 0.292 ms 0.292 ms
          5 1dot1dot1dot1.cloudflare-dns.com (1.1.1.1) 0.212

          • Well yeah, but that is what makes it a fast link. I haven't tested performance on Google's DNS lately, but Cloudflare might be worth trying out for DNS even if it's a potentially unroutable IP from some places.

            • Oh, you meant fast as in RTT fast... My bad. I thought you meant "throughput" fast. (wide pipe vs. short pipe)
              That's my bad.
              • Bandwidth isn't exactly important for DNS queries, but latency is.

                • It's not important at all for DNS queries. It's important for DNS servers. I run 8 authoritative nameservers. You know what's worse than 100ms of latency? 40% packet loss because you don't have the bandwidth to handle the queries.

                  Typically, when someone says "That's a fast link," they're referring to bandwidth. I see that you were not ;)
                  • If you're getting 40% packet loss, the ping times would be higher or intermittent. It's still a better metric for the end user for DNS than bandwidth.

                    Sure, typically fast link means something else - but we have context here.

                    • If you're getting 40% packet loss, the ping times would be higher

                      That's dependent on the amount of buffer bloat you have. Ideally, no, the ping times won't be different.

                      or intermittent

                      Absolutely- like missing 40% of the time....................

                      It's still a better metric for the end user for DNS than bandwidth.

                      End user? Yes. Though again, you're going to notice a saturated link long before you notice an extra 40ms of latency in DNS RTT.

                      Sure, typically fast link means something else - but we have context here.

                      I'd argue incorrect, or at best highly unorthodox usage, even given the context. Full disclosure, I am a network engineer. I do this for a living. My DNS infrastructure hosts 12285 domains, and I'm the head engineer for

                    • by Bengie ( 1121981 )
                      I second DamnOregonian. I was testing a 1Gb DoS against my 150Mb connection, and I was getting 85% loss with 20-40ms pings to my ISP. Bufferbloat, fix it.
            • Also- it works fine for DNS. We've been playing with it for a little bit.
              It's in the global BGP tables, so you're going to be able to access it basically anywhere, except possibly a few networks operated by morons, or behind equipment that made the unfortunate choice of using 1.1.1.0 as a management prefix internally.
              • by oddtodd ( 125924 )

                I've been using it for a couple days and it's orders of magnitude better than AT&T DNS servers.

        • Because I can:

          ping 1.1.1.1

          Pinging 1.1.1.1 with 32 bytes of data:
          Reply from 1.1.1.1: bytes=32 time=4ms TTL=61
          Reply from 1.1.1.1: bytes=32 time=3ms TTL=61
          Reply from 1.1.1.1: bytes=32 time=3ms TTL=61
          Reply from 1.1.1.1: bytes=32 time=4ms TTL=61

          Viva la fiber!

          ps, google is around 45ms for ping, but i've seen it as low as 20ms for stretches.

        • For the sake of being informative, google is also ever so slightly faster from here, as well.
          [x@x ~]$ traceroute 8.8.8.8
          traceroute to 8.8.8.8 (8.8.8.8), 30 hops max, 60 byte packets
          1 x (x.x.x.x) 0.290 ms 0.334 ms 0.405 ms
          2 x (x.x.x.x) 0.314 ms 0.385 ms 0.468 ms
          3 x (x.x.x.x) 0.419 ms 0.506 ms 0.584 ms
          4 six.sea01.google.com (206.81.80.17) 0.315 ms 0.339 ms 0.357 ms
          5 108.170.245.113 (108.170.245.113) 0.262 ms
          - 108.170.245.97 (108.170.245.97) 1.307 ms
          - 108.170.245.113 (10
    • Comment removed based on user account deletion
    • by Mozai ( 3547 )
      > for our next amazing trick
      in North America, {areacode}-555-1212 will connect you to directory assistance for that areacode's subset of phone numbers.
    • There are plenty [symantec.com] of [schalley.eu] examples [experts-exchange.com] of people suggesting ping to 1.1.1.1 as a delay in batch scripting.

      That is literally one of the dumbest fucking things I've ever heard. And from symantec, no less. Terrible.

  • by Anonymous Coward

    I recently was setting up a VPN after having set up many VPNs. I've often joked about using non-publicly-used military/government ranges to avoid collisions. I recently set up for a client for one and saw they were using 1.1.1.1 for some things. It does seem to be a choice for routers and DNS. I think you'll get it on any easily typed "valid" address because people will just think what's the chance of having to be able to access through IP addresses over WAN (IE if it's a few in a billion your break) and if

    • Which is weird, since 10.0.0.0/8 is absolutely huge and there are 256 different 192.168.x.0/24 networks to play with.

      • by swb ( 14022 )

        FWIW, I wish RFC1918 had included a couple of weird and unappealing "isolated" /24s which would have gotten less use than 192.168.0.0/16 and 10.0.0.0/8 or even 172.16.0.0 (which seems to be the least used in my experience).

        These lone /24s would have been ideal to break up for interior interfaces or for use on isolated management networks that can't overlap with other interfaces.

        • by Bert64 ( 520050 )

          The overlap (and exhaustion in very large businesses) of RFC1918 address space is yet another reason to use ipv6...
          You can use part of your own globally routable address space for internal use, and as it's your own allocated address space no one else should be using it for anything.

        • Link-local addresses exist for this reason. 169.254.0.0/16.
          It's used for IPv4 zeroconf communications, but that's just an application of it. Its purpose is for non-routed link-local communications.
  • The Cloudflare-APNIC experiment uses two IPv4 address ranges, 1.1.1/24 and 1.0.0/24, which have been reserved for research use.

    I could be wrong, but I'm pretty sure that 1.1.1/24 is not a valid IPv4 address range. IPv4 addresses consist of quadruplets of values. The proper address ranges are 1.1.1.0/24 and 1.0.0.0/24.

    • Re: (Score:3, Informative)

      by cciechad ( 602504 )
      That's been pretty standard in networking for years. Dropping any 0's. Like 10/8 or 8.8/16. It's just a shorthand.
    • Heh. In the network engineering industry, dropping the host address zeros is common practice when talking about prefixes.
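The shorthand the two replies above describe (dropping trailing zero octets: 1.1.1/24 for 1.1.1.0/24, 10/8, 8.8/16) is easy to read but should be normalised before it reaches an ACL or allow-list, because the C library's inet_aton() expands abbreviated addresses differently. The following is an added example, not code from the thread or from Cloudflare/APNIC; the function names are my own, and the test strings are constructed.

```python
import ipaddress
import socket


def expand_prefix(shorthand: str) -> ipaddress.IPv4Network:
    """Expand network-engineer shorthand such as '1.1.1/24', '1.0.0/24',
    '10/8' or '8.8/16' into a canonical IPv4 prefix by appending the
    dropped zero octets."""
    try:
        addr_part, plen_part = shorthand.strip().split("/")
        plen = int(plen_part)
    except ValueError:
        raise ValueError(f"{shorthand!r}: expected <octets>/<prefix-length>") from None
    octets = addr_part.split(".")
    if not 1 <= len(octets) <= 4:
        raise ValueError(f"{shorthand!r}: need between 1 and 4 octets")
    for octet in octets:
        if not (octet.isascii() and octet.isdigit() and int(octet) <= 255):
            raise ValueError(f"{shorthand!r}: bad octet {octet!r}")
    # Only trailing zero octets may be dropped, so pad with zeros up to four.
    padded = ".".join(octets + ["0"] * (4 - len(octets)))
    # strict=True refuses any address with host bits set: '1.1.1/16'
    # (1.1.1.0/16, third octet inside the host part) and '1.1.1.1/24' are
    # rejected instead of being silently widened to 1.1.0.0/16 or 1.1.1.0/24.
    try:
        return ipaddress.IPv4Network(f"{padded}/{plen}", strict=True)
    except ValueError as exc:
        raise ValueError(f"{shorthand!r}: {exc}") from None


def rejects(shorthand: str) -> bool:
    """True when expand_prefix() refuses the string (handy for checks)."""
    try:
        expand_prefix(shorthand)
    except ValueError:
        return True
    return False


def libc_interpretation(abbreviated: str) -> str:
    """What the C library's inet_aton() makes of the same abbreviated
    address. It fills the *remaining* bytes from the last part, so '1.1.1'
    parses as 1.1.0.1, not 1.1.1.0: the engineers' shorthand and the libc
    shorthand disagree, which matters once such strings reach code
    (ACL generators, allow-lists) rather than a conversation."""
    return socket.inet_ntoa(socket.inet_aton(abbreviated))


if __name__ == "__main__":
    for text in ("1.1.1/24", "1.0.0/24", "10/8", "8.8/16", "1.1.1/16"):
        print(f"{text:>10} -> {'rejected' if rejects(text) else expand_prefix(text)}")
    print("inet_aton('1.1.1') ->", libc_interpretation("1.1.1"))
```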
  • Cloudflare started its life with seeding from NSA and CIA as a honeypot used for nefarious purposes. Trusting this business to be the solution to private and secure DNS is complete madness. The solution must be within DNSSEC, out of the hands of American agencies and companies.

  • FFS (Score:5, Informative)

    by jbmartin6 ( 1232050 ) on Thursday April 05, 2018 @08:49AM (#56386361)
    The new DNS isn't "attracting" anything. All the traffic to 1.1.1.1 was already there; that's why they put the DNS host on that address. They wanted to experiment with exposing it to tons of crap traffic.
    • Technically if there was no route to 1.1.1.1 before since it wasn't in the BGP tables, they are now attracting it like a magnet.
      It will no longer follow default routes until it has nowhere to go... there is now a destination.

    • Oh it's absolutely attracting it.
      Prior to 1.1.1.0/24 becoming a global routed prefix again, that traffic was blackholed in every individual AS.
      Now that cloudflare is announcing that block to me, we are routing that traffic to them. There really isn't any more accurate way of putting it other than that they are attracting it.
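The disagreement in this thread comes down to longest-prefix matching: once a more specific prefix is announced, it out-ranks whatever catch-all or discard entry used to swallow that traffic. The following is an added example, not code from the thread or from any router vendor; the forwarding table, the "discard" action for 1.0.0.0/8 and the next-hop names are constructed to mirror the before/after situation the comments above describe.

```python
import ipaddress
from typing import List, Optional, Tuple

# A forwarding entry: (prefix, what the router does with matching packets).
Route = Tuple[ipaddress.IPv4Network, str]


def build_fib(entries: List[Tuple[str, str]]) -> List[Route]:
    return [(ipaddress.IPv4Network(prefix), action) for prefix, action in entries]


def lookup(fib: List[Route], dst: str) -> Optional[str]:
    """Longest-prefix match: of every entry containing dst, the one with
    the longest prefix length wins; None means no route at all."""
    addr = ipaddress.IPv4Address(dst)
    best: Optional[Route] = None
    for net, action in fib:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, action)
    return None if best is None else best[1]


# Constructed table for one AS before the announcement: a default route to
# its transit provider plus a discard entry for the then-unrouted 1.0.0.0/8,
# the per-AS blackhole the comment above refers to.
BEFORE = build_fib([
    ("0.0.0.0/0", "transit-upstream"),
    ("1.0.0.0/8", "discard"),
])

# Same table once the two research /24s are learned from the Cloudflare
# peering session. Nothing was removed: the /24s simply out-rank the /8.
AFTER = BEFORE + build_fib([
    ("1.1.1.0/24", "peer-cloudflare"),
    ("1.0.0.0/24", "peer-cloudflare"),
])


def newly_attracted(before: List[Route], after: List[Route], dsts: List[str]) -> List[str]:
    """Destinations that were discarded before and are forwarded after."""
    return [d for d in dsts if lookup(before, d) == "discard"
            and lookup(after, d) not in (None, "discard")]


if __name__ == "__main__":
    for dst in ("1.1.1.1", "1.0.0.1", "1.2.3.4", "8.8.8.8"):
        print(f"{dst:>8}: before={lookup(BEFORE, dst)!s:>16} after={lookup(AFTER, dst)}")
    print("now attracted:", newly_attracted(BEFORE, AFTER, ["1.1.1.1", "1.0.0.1", "1.2.3.4"]))
```

Note that 1.2.3.4 stays discarded in the "after" table: only the two announced /24s are pulled out of the blackhole, which is exactly the "gigabits of rubbish" those two prefixes now collect.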
  • There goes my Skynet's comms strategy :(
