
Cloudflare's new DNS attracting 'gigabits per second' of rubbish - sohkamyung
https://www.zdnet.com/article/1-1-1-1-cloudflares-new-dns-attracting-gigabits-per-second-of-rubbish/
======
ChuckMcM
I've seen some of the papers where people look at big chunks of unused address
space and watch the probes etc. It is really quite amazing. Once I screwed
myself royally by accidentally turning RIP on for the upstream side of my
router (connected to the cable modem) and it advertised 192.168/16 which
Comcast accepted and started routing random stuff from the local exchange to
my router. It was pretty funny talking to their NOC staff who was mad at me
for advertising the route but I pointed out it was pretty stupid of them to
accept routes like that from their edge nodes. What if I had sent them a BGP
route for China, then what would they have done? (Don't try that at home kids
unless you don't want to use your network for a while)

~~~
dannyw
Wow I’m surprised. That is such a low barrier to doing your own BGP hijacking.

~~~
godzillabrennus
It's even easier to steal a phone number.

Lots of phone companies still just approve a port if you send them the
required paperwork to initiate a port. That means with zero verification from
the account holder a number can vanish from your account.

~~~
aviv
Worse. Some very large carriers don't even look at the supporting
documentation (bill, LOA) submitted with port orders unless there's a
rejection from the losing carrier and they want to double check the address
entered or something. Hijacking numbers is crazy simple. Same for hijacking
the SMS functionality of any number in the US (voice traffic remains
untouched). In about 10 minutes you can start receiving SMS directed towards
any number you want, and also be able to send out texts originating from that
number. Anyone who relies on SMS for any type of authentication should stop.

~~~
threeseed
> Anyone who relies on SMS for any type of authentication should stop

Err. That's pretty much every implementation of 2FA around the world.

Why isn't this more well known ?

~~~
notzorbo3
The beauty of it is cases like Google's. They have this bizarre 2FA
security-theater Google Authenticator thing, but then nearly force everyone to
have their phone number as a "backup device".

Guess what they send you when you forget your 2FA or password? Yep, an SMS. So
out the door goes the _whole_ point of 2FA. Your three factors (account name /
email address + password + Google Authenticator) have now been reduced to one
factor: your email address.

I can rent a mobile tower in Malaysia or some other Asian country, advertise
your phone number as roaming there for about €10/h and start intercepting all
your shit. Or just get your telco's inept service dept to forward your number
somewhere else.

Lessons here:

1. Even the giants get it wrong.
2. There _is_ _no_ _security_ anywhere in the tech world. Literally
_everything_ is broken. Your electronic car locks / starter system, your phone,
your internet, everything is horribly horribly horribly broken beyond any
imagining, even for hyper-tech savvy people.
3. Remove your phone number as a backup device from your google account and
_never_ use it as a backup device ever again.

~~~
karlshea
Once you add another factor you can remove SMS from your Google account. I’ve
done it with all of mine.

Edit: Oh, you said that.

------
skrause
A German podcaster who has been working on networks for decades once said that
he owns a large chunk of public IP addresses in the 192.68.0.0/16 subnet and
it's impossible for him to use it because once he activates it he basically
gets a DDOS of misdirected traffic. So many misconfigured networks out
there...

~~~
jsjohnst
I solidly feel it’s a cop out for an ISP to not filter their traffic to block
spoofed IPs. In my eyes, there’s zero legitimate reason that this guy should
get flooded, but alas, our industry gets lazier and more careless each year.

~~~
walrus01
There is no spoofing involved there. We're talking about typos of 192.168
(private space) typed as 192.68 which is "real" space. It is not like ISPs are
leaking rfc1918 IP space.

~~~
jsjohnst
Very true that it is a typo, which I had noticed, and thanks for calling out.
Still doesn’t invalidate my point though. My theory is that a lot of that
traffic is likely coming from spoofed IPs as I doubt there would be
substantial _sustained_ legitimate, but improperly directed, traffic. My guess
is a lot of it is shoddily written malicious traffic.

~~~
bradknowles
Google for “BCP 38”.

This pain has been known for many, many years.

~~~
jsjohnst
I don’t need to Google it, I’m well aware. Part of why I said what I did.

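The ingress filtering that the "BCP 38" replies above refer to, together with the customer route acceptance ChuckMcM describes at the top of the thread, as an added Python example that is not part of this thread and is not anyone's production filter: it models what an ISP edge should do on a customer-facing port. The customer allocations are constructed from the RFC 5737 documentation ranges and the bogon list is an assumed subset. The sample traffic also shows why this does not help with the 192.68 typo traffic walrus01 mentions: that traffic carries a genuine source address and is merely misdirected, so source-address validation correctly lets it through.

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed customer assignments: customer-facing interface -> prefixes
# the ISP has allocated to that customer (documentation ranges, RFC 5737).
CUSTOMER_PREFIXES: Dict[str, List[ipaddress.IPv4Network]] = {
    "cust-A": [ipaddress.ip_network("203.0.113.0/24")],
    "cust-B": [ipaddress.ip_network("198.51.100.0/25"),
               ipaddress.ip_network("198.51.100.128/26")],
}

# Blocks that must never be accepted as a route from a customer session
# (RFC 1918 space plus a few other non-routable ranges; assumed list).
NEVER_ROUTE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
)]


def ingress_verdict(interface: str, src: str) -> str:
    """BCP 38 / RFC 2827: a packet entering on a customer port is accepted
    only if its source address lies inside that customer's allocation."""
    addr = ipaddress.ip_address(src)
    if any(addr in net for net in CUSTOMER_PREFIXES.get(interface, [])):
        return "accept"
    return "drop-spoofed"


def route_verdict(interface: str, prefix: str) -> str:
    """Accept a customer-announced prefix only if it is inside the customer's
    allocation; reject RFC 1918 and other bogons outright."""
    net = ipaddress.ip_network(prefix, strict=False)
    if any(net.subnet_of(bogon) for bogon in NEVER_ROUTE):
        return "reject-bogon"
    if any(net.subnet_of(a) for a in CUSTOMER_PREFIXES.get(interface, [])):
        return "accept"
    return "reject-not-allocated"


def filter_packets(packets: List[Tuple[str, str, str]]) -> Dict[str, int]:
    """Tally ingress verdicts for (interface, src, dst) tuples."""
    tally: Dict[str, int] = {}
    for iface, src, _dst in packets:
        verdict = ingress_verdict(iface, src)
        tally[verdict] = tally.get(verdict, 0) + 1
    return tally


# Constructed sample traffic. Note the third packet: its destination is the
# 192.68 typo of 192.168 discussed in the thread, but its source is genuine,
# so BCP 38 correctly lets it through; ingress filtering stops spoofing, not
# misdirected traffic.
SAMPLE_PACKETS = [
    ("cust-A", "203.0.113.7", "1.1.1.1"),          # legitimate
    ("cust-A", "8.8.8.8", "1.1.1.1"),              # spoofed source
    ("cust-B", "198.51.100.150", "192.68.0.1"),    # typo'd destination
    ("cust-B", "192.168.1.10", "1.1.1.1"),         # leaked RFC 1918 source
]

if __name__ == "__main__":
    print(filter_packets(SAMPLE_PACKETS))
    for pfx in ("192.168.0.0/16", "203.0.113.0/25", "198.51.100.0/25"):
        print(pfx, route_verdict("cust-A", pfx))
```

Running it tallies two accepted and two dropped packets, and rejects the RFC 1918 announcement as a bogon while accepting only the more-specific inside cust-A's own /24.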
------
LogicX
I worked with my ISP, htcinc.net to fix routing to 1.1.1.1 this week -- Not
sure how they had their core router mis-configured, but it was dropping the
traffic.

~~~
walrus01
Most likely had an old copy-pasted bogon filter in place for a huge chunk of
previously unannounced APNIC IP space.

------
jedberg
> AT&T Gigapower using 1.1.1.1 on an internal interface on at least one model
> of router-gateway, the Pace 5268AC

Yup. I can't use 1.1.1.1 because my AT&T router is responding to it.

~~~
constantlm
"Whatever just use 1.1.1.1! Nobody will ever use that address!"

~~~
lucb1e
Because 10.1.1.1 is so hard to type or remember and is totally not a private
range which is perfect for the purpose.

~~~
DonHopkins
My router goes to 11.1.1.1.

~~~
ams6110
Spinal tap?

~~~
samstave
This is networking, so it's 'Spinal Vampire Tap'

~~~
logfromblammo
Backbone Tap. The cover band by NSA employees. They play in venues, inside
other venues, that don't officially exist.

------
ccakes
Houston has run a study on the traffic being directed towards 1/8 before.

[http://www.potaroo.net/studies/1slash8/1slash8.html](http://www.potaroo.net/studies/1slash8/1slash8.html)

~~~
walrus01
Very interesting how the volume of shit traffic to /24s which were not in the
"typical" example/documentation ranges like 1.1.1.0/24 was much lower. When
they announced the whole /8 and plotted the traffic only a few /24 receive
huge volumes of shit, while others receive (relatively) little, like 8Mbps.

------
z3t4
I used to play a game where each kingdom had an address (kingdom:island) if
you were on kingdom one on island one (1:1) you would get attacked all the
time no matter how much defense you had. If you landed on 1:1 you were
basically doomed.

~~~
AdamTReineke
Utopia, right?

~~~
dkersten
Oh man, I remember this too. A friend of mine ended up leader of a huuuuuge
alliance for a number of years back in 2004 or so and a few years ago I had a
few sit down meetings with the current owners of the game when I was doing an
analytics startup. (AFAIK the game is still running)

------
Reason077
I noticed an issue with several public WiFi hotspots after setting 1.1.1.1 as
my primary DNS:

The login/"landing" page when connecting to these hotspots would not load.
Changing back to 8.8.8.8 fixed the problem.

~~~
icebraining
That means they're intercepting requests to 8.8.8.8 (even if only before
login), probably because of its popularity. It's a shame we still have to use
these hacks to login; there's a solution for that in RFC7710 (which sends the
captive portal information in DHCP), but who knows if and when it'll be
adopted by most hotspots.

[https://tools.ietf.org/html/rfc7710](https://tools.ietf.org/html/rfc7710)

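The RFC 7710 mechanism icebraining points to, as an added Python example that is not from this thread: a parser for the DHCPv4 options area that pulls out the captive-portal URI option, so a client learns the login page from the lease instead of relying on intercepted DNS. RFC 7710 assigned DHCPv4 option code 160; RFC 8910, which later obsoleted it, moved the code to 114, and the parser accepts both. The sample DHCPOFFER bytes are constructed, the `portal.example.net` URI is a placeholder, and restricting the result to http/https URIs is this example's own choice.

```python
from typing import Dict, List, Optional, Tuple

# DHCPv4 option codes for the captive-portal URI. RFC 7710 assigned 160;
# RFC 8910 (which obsoletes 7710) reassigned it to 114. Both are handled.
CAPTIVE_PORTAL_CODES = {160: "rfc7710", 114: "rfc8910"}
OPT_PAD, OPT_END = 0, 255


def parse_options(blob: bytes) -> Dict[int, bytes]:
    """Walk the DHCPv4 options area (code, length, value); pad is a single
    byte and end terminates. Repeated codes are concatenated (RFC 3396)."""
    opts: Dict[int, bytes] = {}
    i = 0
    while i < len(blob):
        code = blob[i]
        if code == OPT_PAD:
            i += 1
            continue
        if code == OPT_END:
            break
        if i + 1 >= len(blob):
            raise ValueError("truncated option header")
        length = blob[i + 1]
        value = blob[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        opts[code] = opts.get(code, b"") + value
        i += 2 + length
    return opts


def is_well_formed(blob: bytes) -> bool:
    """True if the options area parses without running off the end."""
    try:
        parse_options(blob)
        return True
    except ValueError:
        return False


def captive_portal_uri(blob: bytes) -> Optional[Tuple[str, str]]:
    """Return (which RFC's code was used, URI) or None. Only http/https URIs
    are honoured; that restriction is this example's choice."""
    opts = parse_options(blob)
    for code, name in CAPTIVE_PORTAL_CODES.items():
        if code in opts:
            uri = opts[code].decode("utf-8")
            if uri.startswith(("http://", "https://")):
                return (name, uri)
    return None


def dns_servers(blob: bytes) -> List[str]:
    """Option 6 carries a list of 4-byte addresses."""
    raw = parse_options(blob).get(6, b"")
    return [".".join(str(b) for b in raw[k:k + 4])
            for k in range(0, len(raw) - 3, 4)]


def option(code: int, value: bytes) -> bytes:
    """Encode one option as code, length, value."""
    return bytes([code, len(value)]) + value


# Constructed DHCPOFFER options blob: message type, subnet mask, a DNS server
# in documentation space, a pad byte, the RFC 7710 captive-portal URI, end.
SAMPLE_OFFER = (
    option(53, b"\x02")
    + option(1, bytes([255, 255, 255, 0]))
    + option(6, bytes([192, 0, 2, 53]))
    + bytes([OPT_PAD])
    + option(160, b"https://portal.example.net/login")
    + bytes([OPT_END])
)

if __name__ == "__main__":
    print(captive_portal_uri(SAMPLE_OFFER))
    print(dns_servers(SAMPLE_OFFER))
```

A hotspot that sends this option needs no DNS interception and no squatting on 1.1.1.1 or 8.8.8.8 to get a client to its login page; the client reads the URI straight out of the lease.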
~~~
lucb1e
> That means they're intercepting requests to 8.8.8.8

No, it means their hotspot uses 1.1.1.1 as internal IP. I've seen this in a
bunch of places.

~~~
brazzledazzle
Cisco gear is probably the biggest culprit in my experience.

------
wielebny
So, the traffic is being sniffed and analyzed, and that service was advertised
as privacy-oriented?

~~~
eastdakota
DNS traffic, no. Random garbage traffic misdirected to 1.1.1.1, APNIC is
studying.

~~~
cpeterso
Does all this garbage traffic affect the performance of Cloudflare's servers?
There must be some cost (performance and $$$) to filter this traffic. Was that
a consideration when deciding whether to use 1.1.1.1 instead of some other IP
address? :)

~~~
eastdakota
No. We have a lot of capacity. A lot.

~~~
walrus01
For ordinary singlehomed users who don't get the "a lot". As an example
cloudflare has 40Gbps of capacity to the SIX in Seattle. I would guess that
they also have direct, at minimum, 10Gbps PNI peering sessions with other huge
ISPs in the Pacific Northwest which never see the SIX fabric. So probably add
another 20 individual 10GbE circuits at bare minimum to that 40 figure. All of
which helps spread the traffic load out rather than shoving it all down a few
pipes.

~~~
pyvpx
[https://peeringdb.com/net/4224](https://peeringdb.com/net/4224)

that's just the public stuff!

~~~
walrus01
For huge entities like this and other top 5 CDNs it makes me wonder how many
full time staff positions are dedicated to buying rack space, power and
crossconnect in major colo facilities worldwide. How many contract law
experts, telecom real estate analysts, etc. That's before you even get into
things like experts in Japanese contract law. Just for rack, power and
facilities at layer one of the OSI model before any networking happens.

------
milkmiruku
Previously (February 2010);

"As part of an effort to de-bogonise this newly allocated address space, RIPE,
in cooperation with APNIC, made some test advertisements to the global BGP
table for several prefixes with 1.0.0.0/8. Specifically, these networks
included 1.1.1.0/24 and 1.2.3.0/24. Why these networks? Because they contain
the novel (and illegal) IPv4 addresses 1.1.1.1 and 1.2.3.4, of course.

"Shortly after announcing the routes to the world, RIPE's RIS was flooded with
over 50 Mbps of traffic destined for what is still an unallocated network; it
should not appear on the global Internet."

* [http://packetlife.net/blog/2010/feb/5/ripe-plays-with-1-0-0-...](http://packetlife.net/blog/2010/feb/5/ripe-plays-with-1-0-0-0-network-apnic-allocation)

------
Sami_Lehtinen
If your ISP doesn't support IPv6, just try sending RA packets upstream and see
what happens. If they're doing it wrong using blacklist instead of whitelist,
then it might well leak. It's good to notice, that this doesn't affect IPv4
networking in any way.

~~~
executesorder66
I'm not a networking guy, but I'd like to try this. Can you explain how you
would do it? (which tools, or a link to some docs would be nice)

~~~
Sami_Lehtinen
Using radvd [1] is the easiest way with Linux. Or you can get it done using
ICS on Windows. Personally I used a burner laptop, with a live distribution and
ran radvd. Or if you like details, you can use Python Scapy on Linux to
send RA packets.

[1] [http://www.litech.org/radvd/](http://www.litech.org/radvd/)

~~~
executesorder66
Thanks. I'm on Linux, so I'll check out radvd.

------
0xfeba
> "Some folk, without any material to justify it, started configuring 1.1.1.1.
> Now, I can start using your IP address, I suppose, but we're both going to
> have a problem," Huston told ZDNet, laughing.

Ha, I was using 1.1.1.0/24 as my local intranet as an experiment with dnsmasq
a few years back. I got scolded for it, rightly so, but I figured as no-one
was using 1.1.1.0/24 at the time it was OK.

I see I am not the only one who did so.

~~~
ericfrederich
Who scolded you for it? Wouldn't that just mis-route legitimate traffic to
1.1.1.0/24 locally instead of to the internet?... but you probably had no
legitimate traffic there anyway, right?

~~~
0xfeba
Who? I don't remember. Someone on HN/reddit. It was a mild scolding in the
same vein as in the article.

And yes, that's what it would do. And no, I didn't. Made it easier to type in
IPs, that's for sure.

~~~
ericfrederich
Oh, okay... I thought it was your ISP or something. That is why I was
wondering how anyone would even notice.

------
knodi
Get a better ISP.

------
icedchai
Using 1.1.1.0/24 for a DNS service was a bad idea. Now all this garbage
traffic is being routed. (Before, it would just be dropped closer to the
edge.)

~~~
joshstrange
That was part of the reason they used it. They partnered with the company that
owned it and wanted to study the junk but couldn't handle the traffic.
Cloudflare got 1.1.1.1 for DNS use and helped handle the junk traffic so they
could study it.

------
RobertRoberts
Awesome, the world's biggest honeypot? There is literally a finite amount of
bandwidth in existence, let Cloudflare have as much cruft as it wants.

~~~
walrus01
I have no idea where you get the idea there is a finite amount of bandwidth
available. It is not coal or molybdenum. ISPs are continually being expanded.

~~~
cjg
Just because it is expanding, doesn't mean it isn't finite.

The current bandwidth is finite. The future bandwidth is finite. Even if we
use all the resources available to us, expanding at the speed of light to
capture those resources, it's still finite.

~~~
walrus01
From a pure physics perspective, yes. But do take the time to familiarize
yourself with the many THz of bandwidth that is available in one singlemode
strand, and how many coherent modulated, 400GbE links can fit in a typical
dwdm bandplan.

The internet is continually expanding at OSI layer 1. It is a construction
project. The bandwidth is growing faster than our ability to fill it.

------
jakobegger
From a marketing point of view, I think it was a brilliant move from
Cloudflare to get the 1.1.1.1 address. Clearly better than 8.8.8.8!

But from a user perspective, why couldn't they have just let that address
be... So many things are going to break just because Cloudflare wants a pretty
IP. Sure, the things that break were using a hack, but in my opinion that
doesn't automatically make it okay to break it.

Now I'm just waiting for a startup to launch a Stack Overflow competitor on
example.com...

~~~
klez
example.com (and other example.*) is reserved for documentation purposes, i.e.
you can't buy it.

~~~
jakobegger
Just like 1.1.1.1 used to be null routed?

~~~
duggan
Not exactly; example.com and .org are reserved in RFC 2606[1]. 1.1.1.1 is not
listed in the special use RFC[2], it's just an address previously unused by
APNIC.

[1]:
[https://tools.ietf.org/html/rfc2606](https://tools.ietf.org/html/rfc2606)

[2]:
[https://tools.ietf.org/html/rfc5735](https://tools.ietf.org/html/rfc5735)
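The distinction duggan draws above (reserved special-use space versus merely unallocated addresses like 1.1.1.1), together with the 192.68 typo skrause and walrus01 discuss, lucb1e's point about 10.1.1.1, and 0xfeba's 1.1.1.0/24 intranet, as one added Python example that is not from this thread: an audit of addresses found in internal configs that flags RFC 1918 space as fine, documentation and special-use ranges as reserved, likely one-digit typos of 192.168 and 172.16-31, and public addresses squatted on internally (which will break, as 1.1.1.1 did, once someone announces them). The special-use list is an assumed subset of RFC 5735/RFC 6890, the typo heuristic is this example's own, and the address list is constructed.

```python
import ipaddress
from typing import Dict, Iterable

RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
DOCUMENTATION = [ipaddress.ip_network(n) for n in            # RFC 5737
                 ("192.0.2.0/24", "198.51.100.0/24", "203.0.113.0/24")]
SPECIAL_USE = [ipaddress.ip_network(n) for n in              # assumed subset of RFC 5735/6890
               ("127.0.0.0/8", "169.254.0.0/16", "100.64.0.0/10")]


def _typo_variants() -> Dict[str, str]:
    """Map 'leading octets with one digit dropped' -> the RFC 1918 prefix it
    was probably meant to be, e.g. '192.68' -> '192.168'. Heuristic only."""
    variants: Dict[str, str] = {}
    for prefix in ["192.168"] + [f"172.{n}" for n in range(16, 32)]:
        for i, ch in enumerate(prefix):
            if ch != ".":
                variants.setdefault(prefix[:i] + prefix[i + 1:], prefix)
    return variants


TYPO_VARIANTS = _typo_variants()


def classify(address: str) -> str:
    """Label one address found in an internal config."""
    addr = ipaddress.ip_address(address)
    if not isinstance(addr, ipaddress.IPv4Address):
        return "ipv6-not-checked"
    if any(addr in n for n in RFC1918):
        return "rfc1918"
    if any(addr in n for n in DOCUMENTATION):
        return "documentation-only"
    if any(addr in n for n in SPECIAL_USE):
        return "special-use"
    lead = ".".join(address.split(".")[:2])
    if lead in TYPO_VARIANTS:
        return "likely-typo:" + TYPO_VARIANTS[lead]
    if addr.is_multicast or addr.is_reserved or not addr.is_global:
        return "reserved"
    # Routable space that somebody else owns or may be allocated later:
    # the 1.1.1.1 situation.
    return "public-used-internally"


def audit(addresses: Iterable[str]) -> Dict[str, str]:
    return {a: classify(a) for a in addresses}


# Constructed list of addresses "found" in internal configs.
SAMPLE = ["10.1.1.1", "192.168.0.1", "192.68.0.10", "172.1.5.5",
          "1.1.1.1", "11.1.1.1", "192.0.2.1", "169.254.10.1", "240.0.0.1"]

if __name__ == "__main__":
    for a, verdict in audit(SAMPLE).items():
        print(f"{a:16} {verdict}")
```

Anything reported as `likely-typo` or `public-used-internally` is the class of config that produced the misdirected "gigabits per second of rubbish" the article describes, and is what an ISP or enterprise would want to catch before it leaves the building.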

