An abbreviated version of this post originally appeared on TechCrunch
Looking back over 2016, we saw the good and bad that comes with widespread use and abuse of the Internet.
In both Gabon and Gambia, Internet connectivity was disrupted during elections. The contested election in Gambia started with an Internet blackout that lasted a short time. In Gabon, the Internet shutdown lasted for days. Even as we write this countries like DR Congo are discussing blocking specific Internet services, clearly forgetting the lessons learned in these other countries.
CC BY 2.0 image by Aniket Thakur
DDoS attacks continued throughout the year, hitting websites big and small. Back in March, we wrote about 400 Gbps attacks that were happening over the weekend, and then in December, it looked like attackers were treating attacks as a job to be performed from 9 to 5.
In addition to real DDoS, there were also empty threats from a group calling itself Armada Collective and demanding Bitcoin for sites and APIs to stay online. Another group popped up to copycat the same modus-operandi.
The Internet of Things became what many had warned it would become: an army of devices used for attacks. A botnet army of IoT cameras and a major attack took out DNS service provider Dyn.
Non-DDoS attacks continued apace with hacks that need WAF protection like httpoxy and ImageTragick causing disruption for unprotected sites. And TLS experienced yet another attack called DROWN.
But it wasn’t all doom and gloom. IPv6 went on a rampage and suddenly felt absolutely real. Apple announced that iOS apps must support IPv6 only networks and major ISPs started prioritizing use of IPv6. TLS 1.3 went live to dramatically simplify and improve the security of the Internet.
And the Internet got a lot faster with widespread support for HTTP/2 including Server Push. As the web has gone encrypted, the need to optimize TLS and TCP together has become more important and Cloudflare helped contribute to increased security with Origin CA, HTTPS Everywhere and giving protected WebSockets to everyone.
Open Source Commitment
During 2016, Cloudflare has continued to support open source software with releases of code throughout the year. These include a SQLAlchemy dialect for ClickHouse, a Go implementation of the FourQ elliptic curve, a large number of contributions to OpenResty, work on OpenWhiteBox whitebox cryptography research, a vaultless password manager written in Go, a tool for managing SSL certificates using CFSSL, upstreaming our changed to LMDB, a Mesos notification tool, code to add OAuth to NGINX, our whole UI Framework, nodejs code for HTTP/2 Server Push, and much, much more.
The Year Ahead
The team at Cloudflare decided to stare into a virtual crystal ball and come up with predictions for 2017. Here’s what we think the year ahead will have to offer.
1Tbps DDoS attacks will become the baseline for ‘massive attacks’
Four years ago, we illustrated a blog post about a 65Gbps DDoS with a picture of the band Massive Attack. The following year, Massive Attack were back illustrating a 300Gbps attack and as Internet speeds have gone up worldwide, so have DDoS sizes. Sporadically in 2016, we’ve seen 1Tbps DDoS attacks reported from various service providers. We believe that in 2017, the baseline for a massive attack will be 1Tbps (and we hope that Massive Attack’s 2016 song releases presage a 2017 album).
The Internet will get faster yet again as protocols like QUIC become more prevalent
Although HTTP/2 has a large effect on web performance, it also depends on the the TCP protocol for connections, which can cause performance problems on lossy network. Google has been experimenting with a protocol called QUIC which uses UDP instead of TCP. We expect such UDP-based web protocol experiments to continue and become mainstream.
IPv6 will become the defacto for mobile networks and IPv4-only fixed networks will be looked upon as off
Our data says IPv6 is 27% faster, Facebook says 10-15% faster, LinkedIn says between 10-40% faster for mobile. Regardless of which numbers you believe, it’s clear that IPv6 provides a speed advantage. At the same time, ISPs and mobile networks are pushing for greater deployment of IPv6, and we’ll expect IPv6 to be the norm in 2017 for all networks. Specifically for mobile networks, we believe IPv4 will be deprecated.
This chart shows the percentage of top 25,000 websites (according to Alexa) that are available over IPv6. The steep rise in the last few months is caused by Cloudflare’s enablement of IPv6 for all our customers.
A SHA-1 collision will be announced
Back in 1996 potential collisions in MD5 were identified, but it wasn’t until 2005 that actual collisions were demonstrated. At the time the death of both MD5 and SHA-1 were predicted. MD5 is now seen is cryptographically useless and has even been used in malware to forge a certificate.
Since 2005 bad news about collision resistance in SHA-1 has been gathering and we predict that an actual collision will be computed in 2017.
Layer 7 attacks will rise but Layer 6 won’t be far behind
When people think of DDoS attacks they are typically thinking of volumetric attacks against layers 3 and 4 (such as SYN floods). We believe that Layer 7 attacks (particularly against the HTTP and DNS protocols) will continue to rise in 2017 as attackers look for smart ways to knock web applications offline beyond simply volumetric attacks.
At the same time, Layer 6 attacks against the TLS protocol will make an appearance. We have already seen such attacks in the past (attacks that were designed to consume server CPU by asking for slow or complex cryptographic operations) and smart attackers will continue their search for any weakness in a web application or protocol implementation.
Mobile traffic will account for 60% of all Internet traffic by the end of the year
The number of mobile Internet users surpassed fixed Internet users back in 2014 and today over 80% of Internet users own a smartphone and 89% of their mobile time is spent using apps.
This means that acceleration and protection of APIs (that are used by apps for their Internet connectivity) is essential and trends indicate that mobile traffic will be 60% of all Internet traffic this year. This switch to mobile puts more emphasis on optimized web experiences and robust APIs than before.
The security of DNS will be taken seriously
The attack on Dyn’s DNS service showed how an often overlooked piece of the Internet, the Domain Name System, is critical to its functioning. Much of the news around DDoS attacks until the Dyn attack was focussed on attacks on websites and networks. With the realization that DNS is critical its security will be taken seriously in 2017 and the protection of DNS infrastructure and servers will become a business necessity.
At the same time, the open nature of DNS will come into focus and DNSSEC will take on a greater role in securing DNS responses from attack.
Conclusion
Cloudflare looks forward to serving our ever growing customer base in 2017. We'll also be hiring people to help build a better, faster and more secure Internet over the coming year.