1.1.1.1: Cloudflare's New DNS Attracting 'Gigabits Per Second' of Rubbish (zdnet.com) 68
An anonymous reader quotes a report from ZDNet: Cloudflare's new speed and privacy enhancing domain name system (DNS) servers, launched on Sunday, are also part of an experiment being conducted in partnership with the Asia Pacific Network Information Center (APNIC). The experiment aims to understand how DNS can be improved in terms of performance, security, and privacy. "We are now critically reliant on the integrity of the DNS, yet the details of the way it operates still remains largely opaque," wrote APNIC's chief scientist Geoff Huston in a blog post. "We are aware that the DNS has been used to generate malicious denial of service attacks, and we are keen to understand if there are simple and widely deployable measures that can be taken to mitigate such attacks. The DNS relies on caching to operate efficiently and quickly, but we are still unsure as to how well caching actually performs. We are also unclear how much of the DNS is related to end user or application requirements for name resolution, and how much is related to the DNS chattering to itself."
The Cloudflare-APNIC experiment uses two IPv4 address ranges, 1.1.1/24 and 1.0.0/24, which have been reserved for research use. Cloudflare's new DNS uses two addresses within those ranges, 1.1.1.1 and 1.0.0.1. These address ranges were originally configured as "dark traffic addresses", and some years ago APNIC partnered with Google to analyze the unsolicited traffic directed at them. There was a lot of it. "Our initial work with it certainly showed it to be an unusually strong attractor for bad traffic. At the time we stopped doing it with Google, it was over 50 gigabits per second. Quite frankly, few folk can handle that much noise," Huston told ZDNet on Wednesday. By putting Cloudflare's DNS on these research addresses, APNIC gets to see the noise as well as the DNS traffic -- or at least "a certain factored amount" of it -- for research purposes.
now also being slashdotted (Score:1)
Oh, this was their plan all along. Heh, well, I hope it doesn't turn out to be a mistake that to have hired people who don't understand DNS...
Re: (Score:2)
I think a web server running on a low end system is powerful enough to prevent from being Slashdotted today.
Slashdot hasn't grown at the same rate computing has grown.
Slashdot has been late posting news articles, compared to other sites who have larger volume, so by the time it gets on slashdot, the site has already adjusted for the volume.
Often most sites are on the cloud, so they just request extra bandwidth.
The slashdot effect hasn't been a thing for years (Score:2)
I think a web server running on a low end system is powerful enough to prevent from being Slashdotted today.
There haven't been enough people on slashdot for many years for the slashdot effect to be a thing. Plus as you point out the networks are a lot more robust these days.
Slashdot hasn't grown at the same rate computing has grown.
Indeed, slashdot has substantially shrunk to all appearances. This used to be a place where a lot of alpha geeks hung out but slashdot never evolved or got better. Just look at how the average number of comments per article has shrunk over the last decade.
Re: (Score:2)
Just look at how the average number of comments per article has shrunk over the last decade.
Can you prove that? I'm betting that just the average number of AC's we have per thread now greatly exceeds the number named postings per thread ten or twenty years ago.
Re: (Score:2)
Also, where did everyone go? Reddit? What subs? Has the very specific nature of subreddits fractured what used to be a large single audience?
Re: (Score:2)
... I hope it doesn't turn out to be a mistake that to have hired people who don't understand DNS...
Yeah, that stood out to me, too.
... How can you hire a "Chief Scientist" who doesn't understand the basic mechanisms of the environment you're operating within?
Re: (Score:3, Insightful)
If you are worried about this I would suggest you disconnect from the internet.
Re: (Score:1)
Nah, I just download the DNS (Well I get a daily differential) data daily. Using sed and a bash script I update my /etc/host file so I don't need to use any of that silly DNS stuff.
Re: (Score:2)
Oh yeah? Well, I'll build my own DNS! With blackjack, and hookers!
Re: (Score:2)
Out of honest curiosity, does CloudFlare have a reputation for this type of thing or are you exercising your paranoia about potentialities (which in matters like this is a GOOD thing.)
Research (Score:4, Interesting)
I would be very interested in following the research they are undertaking. Anyone know how/where this will be published?
Re: (Score:3)
Wherever it gets published, you can bet you'll have to solve an impossible captcha to get to it.
Re: (Score:3)
I would be very interested in following the research they are undertaking. Anyone know how/where this will be published?
And when the research will be completed, with the 1.1.1.1 and 1.0.0.1 addresses going back to IANA and no longer serving DNS? I bet that some people bought the hype and thought that these would be perpetual addresses, and not just a research run.
Re: Research (Score:1)
Why on earth would the whole /8 revert to IANA? As per the *summary*, even, that whole block is delegated to APNIC.
A world beyond North America, bizarre I know.
Experiment? (Score:3, Interesting)
Re: (Score:2)
you either need to re-evaluate your exposure or just cut your ethernet cable entirely....
My ethernet cable ? Jeez, this is the 21st century! I'll cut my WiFi cable, thank you very much!
Re:Solution to amplification DDoS exists for 18 ye (Score:4, Funny)
https://en.wikipedia.org/wiki/... [wikipedia.org]
Opaque? (Score:3)
"yet the details of the way it operates still remains largely opaque"
Opaque to whom? Not to net admins and other people who understand DNS. If they're hoping Joe Schmoe will understand or care then they've got a long wait.
867-5309 (Score:4, Funny)
Re: (Score:3)
Directing traffic at 1.1.1.1 is a little like calling 867-5309.
More like calling 555-1212 than Jenny, I'm afraid.
Gigabits per second of rubbish? No shit. (Score:5, Interesting)
There are plenty [symantec.com] of [schalley.eu] examples [experts-exchange.com] of people suggesting ping to 1.1.1.1 as a delay in batch scripting. The thought of batches all over the world now failing because people used a kludge method to pause was only slightly more amusing than the thought of all the junk traffic 1.1.1.1 would see as a result.
For our next amazing trick, we're going to make 555-xxxx a valid number range! Follow the action live at example.com!
Re: (Score:2)
I was wondering where this traffic was coming from - and why. Here's one place (who knew! yet another reason Windows has been 'bad for tech' ;-), and I'll bet there are others that do something similar.
I wonder if the 'script kiddies' scan 1.x.x.x looking for old wordpress, and default SSH accounts? I'll bet at least some of them do.
I'm left wondering what analysis of this 'spam traffic' is going to tell anyone though. Hopefully they'll publish some of their findings so we can take a peek.
Re: (Score:1)
Windoze (pun intended) doesn't have a built-in sleep command for batch files. What fun!
Re: (Score:1)
I keep seeing people complaining about this breaking batch scripts that ping 1.1.1.1, but Cloudflare isn't responding to ICMP requests as far as I can tell. Just because an IP address is active, doesn't mean that it will respond to a ping.
Re: (Score:2)
ping 1.1.1.1
Pinging 1.1.1.1 with 32 bytes of data:
Reply from 1.1.1.1: bytes=32 time=16ms TTL=53
Reply from 1.1.1.1: bytes=32 time=16ms TTL=53
Reply from 1.1.1.1: bytes=32 time=16ms TTL=53
Reply from 1.1.1.1: bytes=32 time=16ms TTL=53
Maybe your ISP just doesn't route the traffic. That's a fast link. Though Google DNS is 15ms from here.
Re: (Score:2)
I get that the traffic to these specific IP addresses (or ranges) is interesting - but which DNS names resolve to these addresses?
Your question is meaningless; it's like when politicians ask which web links point to https://www.piratebay.se/ [piratebay.se]
Any number of forward DNS entries can point to these two addresses. If you ran the DNS server for sillyexample.com, you could point dns.sillyexample.com or vengeful.foxbats.sillyexample.com to these addresses if you wanted.
But there is no way of knowing who points.
Or are reverse lookups involved?
Neither forward nor reverse DNS is needed for the name servers themselves.
That said, for reverse DNS, just ask the DNS server itself:
1.
Odd coincidence (Score:1)
I recently was setting up a VPN after having set up many VPNs. I've often joked about using non-publicly-used military/government ranges to avoid collisions. I recently set up for a client for one and saw they were using 1.1.1.1 for some things. It does seem to be a choice for routers and dns. I think you'll get it on any easily typed "valid" address because people will just think what's the chance of having to be able to access though IP addresses over WAN (IE if it's a few in a billion your break) and if
Re: (Score:2)
Which is weird, since 10.0.0.0/8 is absolutely huge and there are 256 different 192.168.x.0/24 networks to play with.
Re: (Score:2)
FWIW, I wish RFC1918 had included a couple of weird and unappealing "isolated" /24s which would have gotten less use than 192.168.0.0/16 and 10.0.0.0/8 or even 172.16.0.0 (which seems to be the least used in my experience).
These lone /24s would have been ideal to break up for interior interfaces or for use on isolated management networks that can't overlap with other interfaces.
the submitter should train their network-fu (Score:2)
The Cloudflare-APNIC experiment uses two IPv4 address ranges, 1.1.1/24 and 1.0.0/24, which have been reserved for research use.
I could be wrong, but I'm pretty sure that 1.1.1/24 is not a valid IPv4 address range. IPv4 addresses consist of quadruplets of values. The proper address ranges are 1.1.1.0/24 and 1.0.0.0/24.
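An added example (not from the article, the poster, or Cloudflare/APNIC) that backs up the notation point in this post and also answers the earlier "which names resolve to these addresses / are reverse lookups involved?" question. It uses only the Python standard library. The two prefixes are written out in full dotted-quad CIDR form, a strict parser shows that the shorthand "1.1.1/24" from the summary is rejected, and the two resolver addresses are checked for membership. The caveat a practitioner should know: the C library's inet_aton(), which Python's socket.inet_aton wraps, does accept the three-part shorthand, but reads "1.1.1" as 1.1.0.1 (the last number fills the last two octets), not 1.1.1.0. That ambiguity is exactly why address allow-lists should never accept short forms. The reverse_pointer property gives the in-addr.arpa name a PTR lookup would query; no network traffic is sent. Function names and the prefix/resolver constants are this example's own assumptions, chosen to match the summary.

```python
import ipaddress
import socket

# The two research prefixes from the summary, written in full four-octet
# CIDR notation, and the two resolver addresses Cloudflare placed in them.
# Constants are this example's own; they mirror the summary, nothing more.
RESEARCH_PREFIXES = ("1.1.1.0/24", "1.0.0.0/24")
RESOLVERS = ("1.1.1.1", "1.0.0.1")


def strict_network(text):
    """Parse a CIDR prefix, accepting only the full four-octet form.

    ipaddress.ip_network() raises ValueError on short forms such as
    "1.1.1/24", so the summary's shorthand never silently becomes a
    network object here; None is returned so the caller can report it.
    """
    try:
        return ipaddress.ip_network(text, strict=True)
    except ValueError:
        return None


def containing_prefix(address, prefixes=RESEARCH_PREFIXES):
    """Return the first prefix (as written) that contains address, else None."""
    addr = ipaddress.ip_address(address)
    for prefix in prefixes:
        net = strict_network(prefix)
        if net is not None and addr in net:
            return prefix
    return None


def legacy_inet_aton(text):
    """Show how the C library's inet_aton() reads a three-part address.

    Classic BSD/glibc inet_aton() accepts "a.b.c" and treats c as a 16-bit
    value filling the last two octets, so "1.1.1" becomes 1.1.0.1 rather
    than 1.1.1.0. Many URL and config parsers inherit this behaviour, which
    is why shorthand addresses are a classic allow-list bypass.
    """
    packed = socket.inet_aton(text)          # 4 raw bytes, network order
    return str(ipaddress.IPv4Address(packed))


def reverse_name(address):
    """The PTR owner name a reverse DNS lookup for address would query."""
    return ipaddress.ip_address(address).reverse_pointer


if __name__ == "__main__":
    for prefix in ("1.1.1/24", "1.1.1.0/24", "1.0.0.0/24"):
        print(f"{prefix:>12}: {strict_network(prefix)}")
    for r in RESOLVERS:
        print(f"{r} is inside {containing_prefix(r)}; PTR name {reverse_name(r)}")
    print("inet_aton('1.1.1') ->", legacy_inet_aton("1.1.1"))
```

Running it prints None for "1.1.1/24" and a network object for the two full prefixes, places 1.1.1.1 in 1.1.1.0/24 and 1.0.0.1 in 1.0.0.0/24, and shows inet_aton turning "1.1.1" into 1.1.0.1. Note that 1.0.0.1 reads the same backwards, so its PTR name is 1.0.0.1.in-addr.arpa; the forward names that point at either address cannot be enumerated from the address alone, as the earlier reply says.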
FFS (Score:2)