Welcome to the Energy Charts

Welcome to the Energy Charts

ENERGY CHARTS
Home
Power
Energy
Emissions
Climate
Prices
Map of power plants
Information
Publishing Notes
Data Protection

Welcome to the Energy Charts
The website for interactive graphs displaying electricity production and spot market prices in Germany

Electricity production in Germany
Electricity production

Installed power in Germany
Installed power

Electricity generation in Germany
Electricity generation

Import and export in Germany/Europe
Import and export

Electricity production and spot market prices in Germany
Spot market prices

Explanations
Explanations

The site allows you to interactively customize the graphs to your own needs: You can select one or more energy sources or switch between graphs with absolute or percent values. The numerical values displayed in the graphs can be viewed in a pop-up window. Furthermore you can choose the time period to be viewed.

A legend on top of each graph shows the available parameters, which are activated by clicking. Open circles in the legend indicate that a parameter (e.g. export) is not shown currently but can be inserted by clicking on it.

Other useful hints for operation can be found next to each chart under »usage tips«.

By making the data available on this website, it is our intent to promote transparent and objective discussions relating to all factors regarding the energy transformation in Germany.

The data is collected from various neutral sources by scientists at the Fraunhofer Institute for Solar Energy Systems ISE and cover the period from 2011 to present.

Follow us on Twitter: Follow @energy_charts

Twitter News-Feed

Terms and conditions of Twitter Inc.

News 2018
Friday, 4. January 2019

Net Public Electricity Generation in Germany in 2018
update: second version
This report presents the data on German net electricity generation for public electricity supply. The figures thus represent the electricity mix that actually comes out of the socket at home and that is consumed in the household or is used to charge electric vehicles publicly. On the German electricity exchange EEX, only net electricity generation is traded and only net figures are measured for cross-border electricity flows.

The Difference between Gross and Net Production
Renewable Energy Sources: Solar and Wind
Renewable Energy Sources: Hydropower and Biomass
Non-renewable Electricity Generation
Export Surplus
Load, Exchange Electricity Prices and Market Value
Version History
For additional slides of our assessment of 2018 visit the Renewable Energy Data page of the Fraunhofer Institute for Solar Energy Systems ISE.

1 TWh = 1 terawatt-hour = 1000 gigawatts-hours (GWh) = 1 million megawatt-hours (MWh) = 1 billion kilowatt-hours (kWh)

Thursday, 03. January 2019

New charts
In addition to the warming strips, there are also the temperatures from 1881 to 2018 as line diagrams for Germany and all federal states available. The fit curves show the long-term trends. Mouse-over shows the tooltips with the values.

The annual sunshine duration and precipitation in Germany is also available in our climate area for annual averages.
Saturday, 22. December 2018

New chart
The Energy Charts now include the warming stripes for Germany and all federal states since 1881. The graphics are interactive and also show the annual temperatures when moving the mouse over the stripes.
Many thanks to Ed Hawkins for this good idea!

Tuesday, 9. October 2018

New chart
The Energy Charts now also offer graphs for Day Ahead and Intraday electricity spot prices in connection with the trading volume in MWh. Weekly, monthly and yearly charts are available.

Friday, 3. August 2018

New chart
The Energy Charts now show the hourly values of the following climate data of DWD for Germany:

wind speed and wind direction of 300 stations
global and diffuse radiation of 26 stations
air temperature and humidity of 500 stations
at climate.

Thursday, 24. May 2018

New features and changes regarding GDPR
The welcome page and the map of power plants have been reworked.
Now you will find all news and and the twitter feed on the startpage giving you a fast overview to all news and interesting topics or events that have been tweeted.

In addition, we have updated our privacy policy in accordance with the requirements of the GDPR.

Saturday, 19. May 2018

New chart
The Energy Charts now include graphs showing the filling levels of pumped storage and seasonal storage power stations in Germany, Austria and Switzerland at Storage filling levels.

Wednesday, 9. May 2018

New charts
At the scatter charts on spot market prices we have added additional charts with

he Day Ahead price of electricity above the sum of wind and solar power.
If wind plus solar power increases by one GW, the price drops by 0.75 Euro/MWh.
with the Day Ahead price of electricity above the residual load (load minus solar minus wind).
If the residual load increases by one GW, the price increases by 1.10 Euro/MWh.

Tuesday, 8. May 2018

Power generation in Germany – assessment of 2017
update: fourth version
This report presents data on German net electricity generation for public power supply. The numbers thus represent the electricity mix that actually is consumed in the households or with which even electric vehicles are charged. Only the net electricity generation is traded on the German electricity exchange EEX and only net figures are measured for cross-border electricity flows.

Difference between gross and net production
Renewable energy: solar and wind
Renewable energy: hydropower and biomass
Non-renewable generation
Export surplus
Version History
For additional slides of our assessment of 2017 visit the Renewable Energy Data page of the Fraunhofer Institute for Solar Energy Systems ISE.

1 TWh = 1 terawatt-hour = 1000 gigawatts-hours (GWh) = 1 million megawatt-hours (MWh) = 1 billion kilowatt-hours (kWh)

Friday, 4. May 2018

New charts
The Energy Charts now offer scatter charts on spot market prices with

the price of electricity above the wind power.
Without wind power, the average price is 47.74 Euro/MWh.
If the wind power increases by one GW, the price drops by 0.91 Euro/MWh.
the price of electricity above the solar power.
Without solar power, the average price is 41.71 Euro/MWh.
If the solar power increases by one GW, the price drops by 0.58 Euro/MWh.
the price of electricity above the load.
If the load increases by one GW, the price increases by 0.82 Euro/MWh.

Friday, 13. April 2018

New chart features
The Energy Charts now also show the planned power production of conventional power plants and the forecast for wind and solar under “all sources” at electricity production in Germany.
This feature was requested in the user survey.

Wednesday, 21. March 2018

Thank-you very much! We are overwhelmed by your support!
Over the past four weeks, more than 1600 users of the Energy Charts responded to our questionnaire. Many thanks for your feedback and the many comments and ideas. In the following weeks, we will evaluate the responses and work on new functionalities and improvements in order to make the Energy Charts more understandable and informative and more fitting to your needs. Stay in touch!

Wednesday, 21. February 2018

For a Better Understanding of the Energy Transition: Fraunhofer ISE Interviews Users of the Energy Charts
The Energy Charts, compiled by the Fraunhofer Institute for Solar Energy Systems ISE, are the most detailed database for energy and market data on power generation in Germany and thus an important source for journalists and decision-makers. The interpretation of the data and graphics, however, is to some extent complex. A current project of Fraunhofer ISE is to improve the display of data and graphics in order to make them easier to use for journalists. Other users of the site will also profit from these improvements.

Monday, 5. February 2018

New chart features
The energy charts now also show hourly values over one whole year at electricity production in Germany. Just select the empty field in “month” and “week”.
Attention! Depending on the source you select, the browser must display more than 100.000 values. This can take up to a minute.

News archive

DNS Servers You Should Have Memorized

DNS Servers You Should Have Memorized

danielmiessler

DNS Servers You Should Have Memorized
The latest DNS server IPs are easier to remember and offer privacy and filtering functionality
By DANIEL MIESSLER in TECHNOLOGY

PUBLISHED: JANUARY 27, 2019

, DNS Servers You Should Have Memorized

If you’re a programmer, a systems administrator, or really any type of IT worker, you probably have your favorite go-to IP addresses for troubleshooting. And if you’re like me, you’ve probably been using the same ones for years.

Such IPs can be used for:

Testing ping connectivity
Checking DNS resolution using dig or nslookup
Updating a system’s permanent DNS settings
Most DNS servers allow you to ping them.

I like using DNS servers for this because you can use them for both connectivity and name resolution testing, and for the longest time I used the Google DNS servers:

8.8.8.8
8.8.4.4

…but they don’t have any filtering enabled, and in recent years I’ve become less thrilled about sending Google all my DNS queries.

Cisco bought OpenDNS, which is where Umbrella came from.

Alternatives to Google DNS
At some point I switched to using Cisco’s Umbrella servers because they do URL filtering for you. They maintain a list of dangerous URLs and block them automatically for you, which can help protect from malware.

208.67.222.222
208.67.220.220

The OpenDNS servers are great, but I always have to look them up. Then, a few years ago, a new set of DNS servers came out that focused not only on speed and functionality, but also memorability.

One of the first easy-to-remember options with filtering that came out was IBM’s Quad 9—which as you might expect has an IP address of four nines:

9.9.9.9

I figured they were being overwhelmed at launch time, or their filtering wasn’t tweaked yet.

I tried to use Quad9 one for a bit when it first came out, but found it a bit slow. I imagine they have probably fixed that by now, but more on performance below.

Enter CloudFlare
, DNS Servers You Should Have Memorized

So with Google, Cisco, and IBM providing interesting options with various functionality, we then saw CloudFlare enter the arena.

But rather than provide filtering, they instead focused on privacy.

Some other recursive DNS services may claim that their services are secure because they support DNSSEC. While this is a good security practice, users of these services are ironically not protected from the DNS companies themselves. Many of these companies collect data from their DNS customers to use for commercial purposes. Alternatively, 1.1.1.1 does not mine any user data. Logs are kept for 24 hours for debugging purposes, then they are purged.

CloudFlare Website

And perhaps coolest of all for me was their memorability rating, which is basically flawless:

1.0.0.1 abbreviates to 1.1, so you can literally test by typing ping 1.1.

1.1.1.1
1.0.0.1

How cool is that?

So with them they’re not filtering your URLs, but they are consciously avoiding logging or tracking you in any way, which is excellent.

Norton ConnectSafe DNS
Norton also has a public DNS service, which has an interesting feature of multiple levels of URL content filtering.

Block malicious and fraudulent sites
199.85.126.10
199.85.127.10

Block sexual content
199.85.126.20
199.85.127.20

Block mature content of many types
199.85.126.30
199.85.127.30

My recommendation
Performance also matters here, and that will vary based on where you are, but in recent testing I found all of these options to be fairly responsive.

To me it comes down to this:

If you care about privacy and speed and maximum memorability, I recommend CloudFlare:
1.1.1.1
1.0.0.1

I find the filtering claims by both companies to be too opaque for my tastes, with both of them feeling like borderline marketing to be honest.

If you want URL filtering I recommend Quad9 over Umbrella simply because it’s easier to remember and seems to focus on having multiple threat intelligence sources.
9.9.9.9

And if you want multiple levels of URL filtering, you can go with the Norton offering, but I think I personally prefer to just use Quad9 for that and be done with it. But I think Norton is still a cool option for like protecting an entire school or something by forcing their DNS through the strictest option.
Summary
Final answer—if pressed—here are the two I recommend you remember.

For speed and privacy: 1.1.1.1
For filtering: 9.9.9.9
TWITTER
FACEBOOK
LINKEDIN
REDDIT
MAIL
Daniel Miessler
About The Author
Daniel Miessler is a cybersecurity expert and author of The Real Internet of Things, based in San Francisco, California. Specializing in IoT and Application Security, he has 20 years of experience helping companies from early-stage startups to the Global 100. Daniel currently works at a leading tech company in the Bay Area, leads the OWASP Internet of Things Security Project, and can be found writing about the intersection of security, technology, and humanity.
LEARN MORE ► CONTACT THE AUTHOR 📧

Every Sunday I put out a list of the most interesting stories in infosec, technology, and humans. Over 20K subscribers.

EMAIL ADDRESS

Related Content
a dns primer
my response to sam harris on the apple encryption debate
10 ways to test your website performance
60 information security interview questions [2019 update]
unsupervised learning: no. 67
google
a summary of new nmap features from blackhat/defcon 2008
Most Popular Content
content overview
most popular
recommended
my tutorial series
the unsupervised learning podcast
the concepts page
my idea collection
my book summaries

COLOPHON PRIVACY SHARE
© Daniel Miessler 1999-2019

Load XDP programs using the ip (iproute2) command

Load XDP programs using the ip (iproute2) command

To make Medium work, we log user data and share it with processors. To use Medium, you must agree to our Privacy Policy, including cookie policy.
Homepage
Load XDP programs using the ip (iproute2) command
Go to the profile of Lorenzo Fontana
Lorenzo Fontana
Oct 8, 2018
Nota bene: If you don’t even know what XDP is, continue reading I will explain it later.

My journey
Past week I was working on a piece of software that needed the ability to define some custom network paths to route HTTP traffic to multiple destinations based on rules defined on a data store.

During the first phase, I had the opportunity to go through different ideas, and since my end result needed to be very fast and able to handle high throughput, in my mind there was only one thing “XDP”.
I already used XDP in the past working at a similar project and my knowledge about eBPF was already good enough that my team agreed this was crazy and thus we decided we should try.

I’m aware of, and I usually use iovisor/bcc or libbpf directly, but this time, I wanted something I can use to validate some ideas first, debug some of that code and only later include my program in a more complete project.

Even if usually pay a lot of attention to LKML, lwn.net and in general, to relevant projects in this area like Cilium I didn’t know that the ip command was able to load XDP programs since last week when I was lucky enough to be in man 8 ip-link looking for something else and I found it! However, using it in that way wasn’t really straightforward (for me) and I had to spend quite some time to put all the pieces together so I decided to write this walkthrough.

Wait wait wait.. What is XDP?
From the iovisor.org website:

XDP or eXpress Data Path provides a high performance, programmable network data path in the Linux kernel as part of the IO Visor Project. XDP provides bare metal packet processing at the lowest point in the software stack which makes it ideal for speed without compromising programmability. Furthermore, new functions can be implemented dynamically with the integrated fast path without kernel modification.
Cool, so XDP is a way to hook our eBPF programs very close to the network stack in order to do packets processing, encapsulation, de-encapsulation, get metrics etc..

The important thing you need to know is that you can write a program, that gets loaded into the kernel as if it was a module but that can be loaded without modifying it.

This kind program is called an eBPF program and is compiled to run against a special VM residing in the kernel that verifies and then executes those programs in a way that they cannot harm the running system.

Note that eBPF programs are not Turing complete, you can’t write loops for example.

You can look at the diagram below to visualize how the loading of eBPF programs works.

eBPF load diagram
Said all of that, XDP programs are a specialized kind of eBPF programs with the additional capability to go lower level than kernel space by accessing driver space to act directly on packets.

So if we wanted to visualize the same diagram from an XDP point of view it will look like this.

In most cases, however your hardware may not support XDP so you will still be able to load XDP programs using the xdpgeneric driver so you will still get the improvements of doing this lower level but not as with a network card that supports offloading network processing to it instead of doing that stuff on your CPU(s).

If this is still very unclear you can read more about XDP here.

What can I do with XDP?
This depends on how much imagination you have, some examples can be:

Monitoring of the network packet flow by populating a map back to the userspace, look at this example if you need inspiration;
Writing your own custom ingress/egress firewall like in the examples here;
Rewrite packet destinations, packets re-routing;
Packet inspection, security tools based on packets flowing;
Let’s try to load a program.
Requirements:
You will need a Linux machine with Kernel > 4.8 with clang (llvm ≥ 3.7) , iproute2 and docker installed.
Docker is not needed to run XDP programs but it is used here because of three reasons:

Docker by default creates bridged network interfaces on the host and on the container when you create a new container. Sick! I can point my XDP program to one of the bridged interfaces on the host.
Since it creates network namespaces, I can access them again using the ip command, since we are talking about that command here, this is a bonus for this post for me.
I can run a web server featuring cats, the real force that powers the internet, and then I can then block traffic using XDP without asking you to compile, install or run anything else.
Step 0: Create a docker container that can accept some HTTP traffic
So, let’s run caturday, we are not exposing the 8080 port for a reason!

# docker run –name httptest -d fntlnz/caturday
Step 1: Discover the ip address and network interface for httptest
Obtain the network namespace file descriptor from docker

# sandkey=$(docker inspect httptest -f “{{.NetworkSettings.SandboxKey}}”)
Prepare the network namespace to be inspected with the ip command so that we can look at its network interfaces without using docker exec .This also allows us to use any program we have in our root mount namespace against the container’s network. This is needed because the image we used fntlnz/caturday does not contain iproute2.

# mkdir -p /var/run/netns
# ln -s $sandkey /var/run/netns/httpserver
Don’t worry too much about that symlink, it will go away at next reboot. Now, let’s show the interfaces inside the container:

# ip netns exec httpserver ip a
Output

1: lo: mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
71: eth0@if72: mtu 1500 qdisc noqueue state UP group default
link/ether 02:42:ac:11:00:02 brd ff:ff:ff:ff:ff:ff link-netnsid 0
inet 172.17.0.2/16 brd 172.17.255.255 scope global eth0
valid_lft forever preferred_lft forever
The IP address is 172.17.0.2.

Our interface eth0 in the container has id 71 and is in pair with if72 so the ID in the host machine is just 72, let’s get the interface name in the host machine.

# ip a | grep 72:
Cool, the name is right there:

72: vethcaf7146@if71: mtu 1500 qdisc noqueue master docker0 state UP group default
So I have,

IP: 172.17.0.2
Interface name on the host: vethcaf7146
Step 2: Generate some traffic to go to the interface we just created with the container httptest
For this purpose, we can use hping3 or the browser or even curl. In this case I will be using hping3 because it continuously sends traffic to the interface and I can see how this changes after loading my XDP program.

# hping3 172.17.0.2 –fast
In another terminal open tcpdump to see the packet flow.

# tcpdump -i vethcaf7146
vethcaf7146 is the name of the interface we found at step 2.

Step 3: Compile an XDP program using clang
Let’s take this XDP program as an example (there’s a more complete example later!)

#include
int main() {
return XDP_DROP;
}
Compile it with:

$ clang -O2 -target bpf -c dropper.c -o dropper.o
Once loaded, this program drops every packet sent to the interface. If you change XDP_DROP with XDP_TX the packets will be sent back to the direction where they came from and you then change it to XDP_PASS, the packets will just continue flowing.

XDP_TX can also be used to transmit the packet to another destination if used after modifying the packet’s destination address, mac address and TCP checksum for example.

Step 4: Load the dropper.o program
At the previous step, we compiled dropper.o from dropper.c. We can now use the ip command to load the program into the kernel.

# ip link set dev vethcaf7146 xdp obj dropper.o sec .text
The careful reader may have noticed that we are using the xdp flag in the previous command. That flag means that the kernel will do its best to load the XDP program on the network card as native. However not all the network cards support native XDP programs with hardware offloads, in that case, the kernel disables that.

Hardware offloads happen when the network driver is attached to a network card that can process the networking work defined in the XDP program so that the server’s CPU doesn’t have to do that.

In case you already know your card supports XDP you can use xdpdrv, if you know that It doesn’t you can use xdpgeneric .

Step 5: Test with traffic and unload
At this point, after loading the program you will notice that your tcpdump started at Step 3 will stop receiving traffic because of the drop.

You can now stop the XDP program by unloading it

# ip link set dev vethcaf7146 xdp off
Step 6: Drop only UDP packets
For the very simple use case we had (drop everything) we didn’t need to access the xdp_md struct to get the context of the current packet flow, but now, since we want to selectively drop specific packets we need to do that.

In order to do that, however, we need to declare a function that has xdp_md *ctx as the first argument, to do that we need to use a different section than .text when loading our program, let’s see the program below:

Wow, a lot changed here!
First, we have a macro that allows us to map a section name to specific symbols, then we use that macro in SEC(“dropper_main”) to point the section name dropper_main to the dropper function where we accept the xdp_md struct pointer. After that, there’s some boilerplate to extract the Ethernet frame from which we can then extract the information related to the packet like the protocol in this case that we use to check the protocol and drop all the UDP packets (line 26).

Let’s compile it!

$ clang -O2 -target bpf -c udp.c -o udp.o
And now we can verify the symbol table with objdump to see if our section is there.

objdump -t udp.o
udp.o: file format elf64-little
SYMBOL TABLE:
0000000000000050 l dropper_main 0000000000000000 LBB0_3
0000000000000000 g license 0000000000000000 _license
0000000000000000 g dropper_main 0000000000000000 dropper
Cool, let’s load the function using the section dropper_main always on the same interface we used before vethcaf7146.

# ip link set dev vethcaf7146 xdp obj udp.o sec dropper_main
Nice! So let’s now try to do a DNS query from the container to verify if UDP packets are being dropped:

# ip netns exec httpserver dig github.com
This should give nothing right now and dig will be stuck for a while before exiting because there’s our XDP program that is dropping packets.

Now we can unload that program and our DNS queries will be there again

sh-4.4# dig github.com
; <> DiG 9.13.3 <> github.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 49708
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;github.com. IN A
;; ANSWER SECTION:
github.com. 59 IN A 192.30.253.112
github.com. 59 IN A 192.30.253.113
;; Query time: 42 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Sun Oct 07 23:10:53 CEST 2018
;; MSG SIZE rcvd: 71
Conclusions
When I first approached eBPF and XDP one year ago I was very scared and my brain was telling sentences like

I’m not going to learn this you fool!! ~ My brain, circa June 2017
However, after some initial pain and some months thinking about it I really enjoyed working on this stuff.

But! As always I’m still in the process of learning stuff and this topic is very exciting and still very very obscure for me that I will surely try to do more stuff with this low-level unicorn.

I hope you will enjoy working with XDP as much as I did and I hope my post here helped you going forward with your journey, as writing it did with mine.

I love this! ~ My brain, circa October 2018
Following, some references for you.

References
https://github.com/iovisor/bpf-docs

https://www.kernel.org/doc/html/latest/networking/af_xdp.html
https://cilium.readthedocs.io/en/latest/bpf/
https://suricata.readthedocs.io/en/latest/capture-hardware/ebpf-xdp.html?highlight=XDP
https://www.netdevconf.org/2.1/slides/apr6/bertin_Netdev-XDP.pdf
Thanks for reading! You can find me on Twitter and on GitHub.

Ocean Beach some weeks ago, that week we had an hackathon at InfluxData HQ where I had some interesting conversations with my colleagues about this topic. Thanks Leonardo Di Donato, Chris Goller, Greg Linton and Jeff Welding.
NetworkingLinuxProgramming
Go to the profile of Lorenzo Fontana
Lorenzo Fontana
Interested in: distributed systems, software defined networking, performances, scalability and system programming. SRE at @InfluxDB — Leenux on the Desktop

Also tagged Programming
Goodbye, Object Oriented Programming
Go to the profile of Charles Scalfani
Charles Scalfani
Related reads
Kubernetes logs analysis with Elassandra, Fluent-Bit and Kibana
Go to the profile of Vincent Royer
Vincent Royer
Also tagged Programming
The React Handbook
Go to the profile of Flavio Copes
Flavio Copes
Responses
Applause from Lorenzo Fontana (author)
Go to the profile of Bhaskar Chowdhury
Bhaskar Chowdhury
Oct 9, 2018
Good one …very well written and explained Lorenzo!! thanks, man.

How to drop 10 million packets per second

How to drop 10 million packets per second

How to drop 10 million packets per second
Marek Majkowski 2018-07-06
Internally our DDoS mitigation team is sometimes called “the packet droppers”. When other teams build exciting products to do smart things with the traffic that passes through our network, we take joy in discovering novel ways of discarding it.

38464589350_d00908ee98_b

CC BY-SA 2.0 image by Brian Evans

Being able to quickly discard packets is very important to withstand DDoS attacks.

Dropping packets hitting our servers, as simple as it sounds, can be done on multiple layers. Each technique has its advantages and limitations. In this blog post we’ll review all the techniques we tried thus far.

Test bench
To illustrate the relative performance of the methods we’ll show some numbers. The benchmarks are synthetic, so take the numbers with a grain of salt. We’ll use one of our Intel servers, with a 10Gbps network card. The hardware details aren’t too important, since the tests are prepared to show the operating system, not hardware, limitations.

Our testing setup is prepared as follows:

We transmit a large number of tiny UDP packets, reaching 14Mpps (millions packets per second).

This traffic is directed towards a single CPU on a target server.

We measure the number of packets handled by the kernel on that one CPU.

We’re not trying to maximize userspace application speed, nor packet throughput – instead, we’re trying to specifically show kernel bottlenecks.

The synthetic traffic is prepared to put maximum stress on conntrack – it uses random source IP and port fields. Tcpdump will show it like this:

$ tcpdump -ni vlan100 -c 10 -t udp and dst port 1234
IP 198.18.40.55.32059 > 198.18.0.12.1234: UDP, length 16
IP 198.18.51.16.30852 > 198.18.0.12.1234: UDP, length 16
IP 198.18.35.51.61823 > 198.18.0.12.1234: UDP, length 16
IP 198.18.44.42.30344 > 198.18.0.12.1234: UDP, length 16
IP 198.18.106.227.38592 > 198.18.0.12.1234: UDP, length 16
IP 198.18.48.67.19533 > 198.18.0.12.1234: UDP, length 16
IP 198.18.49.38.40566 > 198.18.0.12.1234: UDP, length 16
IP 198.18.50.73.22989 > 198.18.0.12.1234: UDP, length 16
IP 198.18.43.204.37895 > 198.18.0.12.1234: UDP, length 16
IP 198.18.104.128.1543 > 198.18.0.12.1234: UDP, length 16
On the target side all of the packets are going to be forwarded to exactly one RX queue, therefore one CPU. We do this with hardware flow steering:

ethtool -N ext0 flow-type udp4 dst-ip 198.18.0.12 dst-port 1234 action 2
Benchmarking is always hard. When preparing the tests we learned that having any active raw sockets destroys performance. It’s obvious in hindsight, but easy to miss. Before running any tests remember to make sure you don’t have any stale tcpdump process running. This is how to check it, showing a bad process active:

$ ss -A raw,packet_raw -l -p|cat
Netid State Recv-Q Send-Q Local Address:Port
p_raw UNCONN 525157 0 *:vlan100 users:((“tcpdump”,pid=23683,fd=3))
Finally, we are going to disable the Intel Turbo Boost feature on the machine:

echo 1 | sudo tee /sys/devices/system/cpu/intel_pstate/no_turbo
While Turbo Boost is nice and increases throughput by at least 20%, it also drastically worsens the standard deviation in our tests. With turbo enabled we had ±1.5% deviation in our numbers. With Turbo off this falls down to manageable 0.25%.

layers

Step 1. Dropping packets in application
Let’s start with the idea of delivering packets to an application and ignoring them in userspace code. For the test setup, let’s make sure our iptables don’t affect the performance:

iptables -I PREROUTING -t mangle -d 198.18.0.12 -p udp –dport 1234 -j ACCEPT
iptables -I PREROUTING -t raw -d 198.18.0.12 -p udp –dport 1234 -j ACCEPT
iptables -I INPUT -t filter -d 198.18.0.12 -p udp –dport 1234 -j ACCEPT
The application code is a simple loop, receiving data and immediately discarding it in the userspace:

s = socket.socket(AF_INET, SOCK_DGRAM)
s.bind((“0.0.0.0”, 1234))
while True:
s.recvmmsg([…])
We prepared the code, to run it:

$ ./dropping-packets/recvmmsg-loop
packets=171261 bytes=1940176
This setup allows the kernel to receive a meagre 175kpps from the hardware receive queue, as measured by ethtool and using our simple mmwatch tool:

$ mmwatch ‘ethtool -S ext0|grep rx_2’
rx2_packets: 174.0k/s
The hardware technically gets 14Mpps off the wire, but it’s impossible to pass it all to a single RX queue handled by only one CPU core doing kernel work. mpstat confirms this:

$ watch ‘mpstat -u -I SUM -P ALL 1 1|egrep -v Aver’
01:32:05 PM CPU %usr %nice %sys %iowait %irq %soft %steal %guest %gnice %idle
01:32:06 PM 0 0.00 0.00 0.00 2.94 0.00 3.92 0.00 0.00 0.00 93.14
01:32:06 PM 1 2.17 0.00 27.17 0.00 0.00 0.00 0.00 0.00 0.00 70.65
01:32:06 PM 2 0.00 0.00 0.00 0.00 0.00 100.00 0.00 0.00 0.00 0.00
01:32:06 PM 3 0.95 0.00 1.90 0.95 0.00 3.81 0.00 0.00 0.00 92.38
As you can see application code is not a bottleneck, using 27% sys + 2% userspace on CPU #1, while network SOFTIRQ on CPU #2 uses 100% resources.

By the way, using recvmmsg(2) is important. In these post-Spectre days, syscalls got more expensive and indeed, we run kernel 4.14 with KPTI and retpolines:

$ tail -n +1 /sys/devices/system/cpu/vulnerabilities/*
==> /sys/devices/system/cpu/vulnerabilities/meltdown /sys/devices/system/cpu/vulnerabilities/spectre_v1 /sys/devices/system/cpu/vulnerabilities/spectre_v2 protocol == IPPROTO_UDP
&& (htonl(iph->daddr) & 0xFFFFFF00) == 0xC6120000 // 198.18.0.0/24
&& udph->dest == htons(1234)) {
return XDP_DROP;
}
}
XDP program needs to be compiled with modern clang that can emit BPF bytecode. After this we can load and verify the running XDP program:

$ ip link show dev ext0
4: ext0: mtu 1500 xdp qdisc fq state UP mode DEFAULT group default qlen 1000
link/ether 24:8a:07:8a:59:8e brd ff:ff:ff:ff:ff:ff
prog/xdp id 5 tag aedc195cc0471f51 jited
And see the numbers in ethtool -S network card statistics:

$ mmwatch ‘ethtool -S ext0|egrep “rx”|egrep -v “: 0″|egrep -v “cache|csum”‘
rx_out_of_buffer: 4.4m/s
rx_xdp_drop: 10.1m/s
rx2_xdp_drop: 10.1m/s
Whooa! With XDP we can drop 10 million packets per second on a single CPU.

CC BY-SA 2.0 image by Andrew Filer

Summary
We repeated the these for both IPv4 and IPv6 and prepared this chart:

Generally speaking in our setup IPv6 had slightly lower performance. Remember that IPv6 packets are slightly larger, so some performance difference is unavoidable.

Linux has numerous hooks that can be used to filter packets, each with different performance and ease of use characteristics.

For DDoS purporses, it may totally be reasonable to just receive the packets in the application and process them in userspace. Properly tuned applications can get pretty decent numbers.

For DDoS attacks with random/spoofed source IP’s, it might be worthwhile disabling conntrack to gain some speed. Be careful though – there are attacks for which conntrack is very helpful.

In other circumstances it may make sense to integrate the Linux firewall into the DDoS mitigation pipeline. In such cases, remember to put the mitigations in a “-t raw PREROUTING” layer, since it’s significantly faster than “filter” table.

For even more demanding workloads, we always have XDP. And boy, it is powerful. Here is the same chart as above, but including XDP:

If you want to reproduce these numbers, see the README where we documented everything.

Here at Cloudflare we are using… almost all of these techniques. Some of the userspace tricks are integrated with our applications. The iptables layer is managed by our Gatebot DDoS pipeline. Finally, we are working on replacing our proprietary kernel offload solution with XDP.

Want to help us drop more packets? We’re hiring for many roles, including packet droppers, systems engineers and more!

Special thanks to Jesper Dangaard Brouer for helping with this work.

All content © 2018 Cloudflare

hpi.de: Is someone spying on you?

hpi.de: Is someone spying on you?

Toggle navigation

Accounts
8,165,169,702
Leaks
810
Leaked accounts per day
883,687
Is someone spying on you?
Everyday personal data is stolen in criminal cyber attacks. A large part of the stolen information is subsequently made public on Internet databases, where it serves as the starting point for other illegal activities.

With the HPI Identity Leak Checker, it is possible to check whether your email address, along with other personal data (e.g. telephone number, date of birth or address), has been made public on the Internet where it can be misused for malicious purposes.

Please enter your email address here.
The email address you have entered will only be used for searching in our database and, when applicable, to subsequently send an email notification. It will be saved in an obfuscated way to protect you from potential email spam and is never given to a third party.
Our other services and research on IT security
HPI-VDB – Our database for IT attack analysis and self-diagnosis,
tele-TASK – Lectures, not only on IT security,
openHPI – Our interactive online educational program.
… and more about our research in the field of IT security.

Privacy Statement Contact – Disclaimer © Hasso Plattner Institute 2014-2019

oneplus.com: Downloads und Aktualisierungen

oneplus.com: Downloads und Aktualisierungen

OnePlus 6T New Zubehör
Gehäuse & Schutz

Netzanschluss & Kabel

Audio

Pakete

Accessoires
Marke Support Community

Downloads und Aktualisierungen
Laden Sie die aktuellste Oxygen OS Version für Ihr OnePlus Gerät herunter.

OnePlus 6T

OnePlus 6

OnePlus 5T

OnePlus 5

OnePlus 3T

OnePlus 3

OnePlus X

OnePlus 2

OnePlus 1
Telefon
OnePlus 6T
OnePlus 6
OnePlus 5T
OnePlus 5
OnePlus 3T
Zubehör
Gehäuse & Schutz
Netzanschluss & Kabel
Audio
Pakete
Accessoires
Programme
Studenten Programm
Trade-in Program
Empfehlungsprogramm
Aufgenommen auf dem OnePlus
Support
FAQs zum Thema Kauf
Benutzerhandbuch
Software-Upgrade
Reparaturservice
Kontaktiere uns
Unternehmen
Über OnePlus
Community
Karriere
Presse
Deutschland ( Deutsch / EUR ) +49 800 100 6293 (Toll Free) 8:00 am – 5:00 pm CET, Monday to Friday
© 2013 – 2018 OnePlus. All Rights Reserved.
Datenschutzbestimmungen. User Agreement Verkaufsbedingungen Security Feedback
TRUSTe