It's a, it's a, it's a SYN flood: Quick, ditch that packet
Networking nuggets from the week that was
Networks roundup: What if all you had to do to block SYN-based denial-of-service attacks was drop the first incoming SYN packet?
That intriguing idea was put forward this week, in this Internet-Draft.
SYN floods are a basic “cheap and cheerful” DDoS – an attacker with a botnet handy gets the machines to send TCP SYN messages (the first request in the three-way handshake that establishes a new TCP connection) to the victim. The target host replies with a SYN-ACK and waits for the client's final ACK – which the attacker never sends, leaving a "half-open" connection. Eventually, the incoming SYN flood ties up all the server's connection resources.
A pair from South Korea's Soongsil University suggested a server config that ignores the first SYN it gets from a client. If the request is genuine, it'll be retransmitted after a short timeout, but if it's from a bot, it probably won't, argued Sungwon Ahn and Minho Park.
Their "Intentional SYN Drop (ISD)" means the server doesn't allocate resources to the attacker's attempt to maintain half-open connections. It would be implemented with two new entities in TCP: a Dropped SYN List (which watches for retransmissions and okays the connection), and a SYN-RCVD Timer.
If the server sees that an incoming SYN is a retransmission (that is, it matches an entry in the Dropped SYN List), it moves the connection to the SYN received state (SYN_RCVD – at which point the connection is half-open), sends the SYN-ACK to the client, and starts the SYN_RCVD timer. If the timer expires, the half-open session is dropped.
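To make the mechanism concrete, here is a small added simulation of the ISD behaviour described above (our own illustration, not the authors' code or the draft's reference implementation); the timer values, the Dropped SYN List lifetime, and the traffic mix are assumptions. It runs the same constructed flood with ISD on and off, showing that a single genuine client still connects, at the cost of one retransmission timeout, while one-shot bot SYNs never earn a SYN_RCVD slot.

```python
SYN_RCVD_TIMEOUT = 3.0   # SYN_RCVD timer, seconds (assumed value, not from the draft)
DROPPED_LIST_TTL = 6.0   # how long a dropped SYN is remembered (assumed value)


class IsdServer:
    """Listener state: the Dropped SYN List plus the SYN_RCVD (half-open) table."""

    def __init__(self, isd_enabled=True):
        self.isd_enabled = isd_enabled
        self.dropped = {}    # Dropped SYN List: (src, sport) -> time the SYN was dropped
        self.half_open = {}  # SYN_RCVD sessions: (src, sport) -> time the timer started
        self.log = []

    def _expire(self, now):
        # SYN_RCVD timer expiry tears down half-open sessions; list entries age out.
        for key, t in list(self.half_open.items()):
            if now - t >= SYN_RCVD_TIMEOUT:
                del self.half_open[key]
                self.log.append((now, key, "syn_rcvd_timer_expired"))
        for key, t in list(self.dropped.items()):
            if now - t >= DROPPED_LIST_TTL:
                del self.dropped[key]

    def on_syn(self, now, src, sport):
        self._expire(now)
        key = (src, sport)
        if key in self.half_open:
            return "duplicate"          # already waiting for this client's ACK
        if self.isd_enabled and key not in self.dropped:
            # First SYN from this flow: remember it, allocate nothing, reply nothing.
            self.dropped[key] = now
            self.log.append((now, key, "syn_dropped"))
            return "dropped"
        # Retransmitted SYN (or ISD off): enter SYN_RCVD, send SYN-ACK, start timer.
        self.dropped.pop(key, None)
        self.half_open[key] = now
        self.log.append((now, key, "syn_rcvd"))
        return "syn_ack"


def simulate(isd_enabled):
    # Constructed traffic: one genuine client retransmits its SYN after 1 s (the
    # RFC 6298 initial RTO); 50 bots each send a single SYN from a spoofed source.
    events = [(0.0, "10.0.0.5", 40000), (1.0, "10.0.0.5", 40000)]
    events += [(0.1 + i * 0.01, f"198.51.100.{i}", 1000 + i) for i in range(50)]
    srv = IsdServer(isd_enabled)
    for now, src, sport in sorted(events):
        srv.on_syn(now, src, sport)
    return len(srv.half_open)  # half-open slots actually consumed once the flood ends
```

With ISD on, `simulate(True)` leaves one half-open slot (the genuine client); with it off, all 51 SYNs occupy state.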
Juniper expands threat protection
Juniper Networks this week squeezed out two enhancements to its Juniper Networks Advanced Threat Protection appliances (JATP).
The company has added custom data collectors to the appliances, to improve their ability to pull security data from other sources in the network. This, Juniper said, eliminates the need for time-consuming custom configurations.
Log formats supported by the data collectors include XML, JSON and CSV.
The Gin Palace also tossed a new appliance over the fence: the JATP400, which it said targeted distributed enterprises.
The on-premises JATP400 Appliance is designed to work with existing firewalls to provide security teams with a timeline view for quick attack mitigation.
Barefoot puts on the 400Gbps dancing shoes
Barefoot Networks has joined the 400 Gbps Ethernet race, and has names like Cisco and Tencent on board for its latest ASIC.
The company claimed its Tofino 2 doubled the performance of its predecessor with a total switching throughput of 12.8 Tbps.
As with the Tofino, the chip is programmable using the P4 (Programming Protocol-Independent Packet Processors) language, and Barefoot said there are 100 features and applications written for the chip.
The 7nm process used in the Tofino 2 allowed it to deliver 32 ports of 400 Gbps Ethernet on the chip, and 256 ports at 10/25/50 Gbps, and it can be programmed for top-of-rack switching, appliance switching, or service provider router applications.
In-band Network Telemetry (INT) in the P4 spec is supported by Barefoot's enhanced SPRINT, which gathers real-time, per-packet intelligence.
Open Source MANO gets FIVE, which is its sixth release, obviously
The European Telecommunications Standards Institute (ETSI) has emitted Open Source Management and Orchestration (MANO) Release FIVE (yes, rather than 5 or Five, they've decided this is THAT important).
OSM has a new architecture in this release: it's taken a micro-services approach, with an eye to "5G scenarios, distributed and edge deployments", as well as network-as-a-service.
It also adds support for 5G network slicing, dynamic inter-data-centre connection configuration across the WAN, extensions to its service function chaining capabilities, VNF metrics in its monitoring capabilities, and physical and hybrid network functions.
ETSI also said there is a new GUI-based network function and service composer, a better dashboard for logs, metrics and alarms, and faster startup.
And yes, we were serious: OS MANO FIVE is the sixth release. The ETSI announcement quoted Telefonica SVP technology and architecture Carlos Garcia to that effect: "With six releases in its two years and a half, OSM has proven to be an extremely agile vehicle for evolving an Information Model and the associated stack to provide Network-as-a-Service in a completely automated fashion."
Linux Foundation emits ONAP, OPNFV releases
The Linux Foundation project's Open Network Automation Platform (ONAP) and Open Platform for Network Function Virtualisation (OPNFV) both got new releases earlier this week.
ONAP Casablanca received a 5G blueprint, offering “the first set of capabilities around PNF integration, edge automation, real-time analytics, network slicing, data modelling, homing, scaling, and network optimisation”, the organisation said.
There are also two new, and simpler, design dashboards, lifecycle controllers added to the service orchestrator and its three controllers, and expanded service assurance capabilities.
OPNFV Gambia takes the platform's “first step towards continuous delivery”, a process that “allows OPNFV to continuously publish scenario and feature project artifacts that contain the latest upstream code”.
ADTRAN slurps SmartRG
Vancouver-based SmartRG, a developer of connected home software, has been acquired by ADTRAN for an undisclosed sum.
The deal expands ADTRAN's service portfolio, the company said.
SmartRG's portfolio includes cloud management, analytics, home Wi-Fi broadband gateways, and its SmartOS software platform. ADTRAN said SmartOS integration with its own Mosaic will provide "full end-to-end management and orchestration solutions from cloud edge to subscriber edge".
SmartOS also supports the emerging Virtual CPE market, where a "bare bones" unit is deployed at the customer premises with advanced functions like firewalls running in the service provider cloud.
SmartRG founder and CEO Jeff McInnis, the rest of the company's management team, and all staff are to be retained after the acquisition completes.
Arm, Telco Systems extend partnership
SDN/NFV and networking provider Telco Systems has announced it will work with Arm to jointly develop a Neoverse-based universal CPE (uCPE) offering.
The device will be based on Telco Systems' Arm-optimised NFVTime operating system, providing a uCPE MANO engine for zero-touch provisioning, deployment, and services lifecycle management. ®