Attacks via HTTP and How to Protect Yourself against Them

What is HTTP?

HTTP, the Hypertext Transfer Protocol, is the ‘language’ that your web browser and websites speak to each other when you use the internet. It is mainly used to load web pages from the internet into a web browser. 

The server receives the corresponding request and then sends the web page back to your browser. This is done via an HTTP response. It’s like writing a letter to someone and then receiving a reply with the information you requested.

Attacks via HTTP

With the increasing popularity of HTTP, the security risks have increased and, like any protocol, HTTP is also vulnerable to attacks. For example, attackers use Denial of Service (DoS) attack techniques to limit the accessibility of a website. A DoS attack can be compared to flooding a mailbox with irrelevant letters so that real, relevant letters can no longer be delivered. In the world of the internet, this means that a website or online service is bombarded with so many requests that it is no longer able to process legitimate requests. As a result, the website or service is no longer available to normal users. Such an interrupted service can have serious consequences, as it denies users access to important resources or services. This can lead to a loss of revenue, especially for companies that rely on their online presence to sell products or to offer services. Furthermore, an interrupted service can affect user confidence and lead to a loss of reputation.

Connection between HTTP and TCP

HTTP runs via the Transmission Control Protocol (TCP). As a result, a web server can also be exposed to many TCP-related attacks. When planning protection for HTTP services, it is therefore important to note that the attack surface is much broader than just the HTTP protocol. Every distributed denial of service (DDoS) attack today uses multiple vectors to create a denial of service. To prevent this, the server should be able to protect itself from all these vectors. DDoS attacks are similar to DoS attacks, except that the requests are sent from different sources (vectors). A DDoS attack works similarly to mailboxes being flooded with letters. Instead of being sent by a single person, they are flooded by many different senders at the same time. These ‘letters’ are actually data packets sent to computers or websites. The large number of packets overloads the internet connection or website, making it inaccessible to normal users.

These attacks can target different services and protocols, not just HTTP. However, due to its importance to the economy and the prevalence of HTTP, the protocol is often used for DoS attacks.

What types of attacks are there?

  • Injection attacks: In injection attacks, attackers insert malicious scripts or commands into HTTP requests to trigger unwanted actions on the server. For example, SQL injection attacks can be used to manipulate database queries and access confidential information.
  • Cross-site scripting (XSS): XSS attacks involve injecting malicious JavaScript code into websites or web applications that are viewed by other users. This allows attackers to redirect users to fraudulent websites, steal cookies or hijack user sessions.
  • Cross-site request forgery (CSRF): In CSRF attacks, a user is tricked into performing unwanted actions on a website where they are already logged in. This is often done by embedding malicious requests in legitimate HTTP requests, which are then executed without the user’s knowledge.
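To make the three attack classes above concrete from the defender's side, here is an added Python example (not part of the original article) that places each vulnerable pattern next to its hardened form: string-built SQL versus parameter binding, raw HTML interpolation versus output encoding, and a per-session CSRF token checked with a constant-time comparison. The user table, the `make_db` helper and the session dictionary are constructed for the example.

```python
import hmac
import html
import secrets
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory table for the demonstration; not real data."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.test"), ("bob", "bob@example.test")],
    )
    return conn


# --- Injection ---------------------------------------------------------
def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """Request parameter concatenated into SQL: the value can change the query's meaning."""
    rows = conn.execute(f"SELECT name FROM users WHERE name = '{name}'").fetchall()
    return [r[0] for r in rows]


def lookup_hardened(conn: sqlite3.Connection, name: str) -> list:
    """Parameter binding: the driver passes the value separately from the SQL text."""
    rows = conn.execute("SELECT name FROM users WHERE name = ?", (name,)).fetchall()
    return [r[0] for r in rows]


# --- Cross-site scripting ------------------------------------------------
def render_vulnerable(comment: str) -> str:
    """User text placed into HTML verbatim: markup in the comment becomes part of the page."""
    return f"<p>{comment}</p>"


def render_hardened(comment: str) -> str:
    """Output encoding: <, >, &, and quotes become entities and are shown as text."""
    return f"<p>{html.escape(comment, quote=True)}</p>"


# --- Cross-site request forgery -------------------------------------------
def issue_csrf_token(session: dict) -> str:
    """Bind a random, unguessable token to the server-side session; embed it in the form."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def csrf_token_valid(session: dict, submitted) -> bool:
    """A request forged from another site cannot know the session's token, so it fails here."""
    expected = session.get("csrf_token")
    if expected is None or submitted is None:
        return False
    return hmac.compare_digest(expected, submitted)


if __name__ == "__main__":
    db = make_db()
    tampered = "x' OR '1'='1"  # constructed input that is only meaningful to the vulnerable query
    print("vulnerable:", lookup_vulnerable(db, tampered))
    print("hardened:  ", lookup_hardened(db, tampered))
    print(render_hardened("<b>hi</b>"))
    sess = {}
    print(csrf_token_valid(sess, issue_csrf_token(sess)))
```

The hardened lookup returns nothing for the tampered input because the quote and the `OR` are treated as data, not SQL; the escaped comment is rendered as literal text; and the CSRF check rejects any request whose token does not match the session, including one with no token at all.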

Methods for containing such attacks

Distinguishing HTTP flood attacks from normal traffic is very difficult because they use standard URL requests. This makes them one of the most challenging non-vulnerability-based security challenges servers and applications are facing today. Traditional rate-based detection is ineffective for HTTP flood attacks because the volume of traffic for HTTP floods is often below detection thresholds.

The most effective mitigation mechanisms rely on a combination of traffic profiling methods, including IP reputation identification, abnormal behaviour monitoring, and the use of advanced security challenges (for example, JavaScript parsing prompts).
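As an added example (not from the original article), the following Python script illustrates the profiling idea: rather than relying on a single per-client rate threshold, it derives behavioural features from access-log lines (requests to dynamic endpoints, whether the client ever fetched page assets, how many distinct paths it touched) and combines them with an IP-reputation list. The log lines, the reputation set and the thresholds are all constructed for the demonstration; a production system would tune them against real traffic.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Combined log format (the common nginx/Apache default).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Page assets a real browser fetches after loading an HTML page.
STATIC_SUFFIXES = (".js", ".css", ".png", ".jpg", ".svg", ".woff2", ".ico")


def parse_line(line):
    """Return the fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["path"] = urlsplit(rec["target"]).path  # drop the query string
    return rec


def profile(lines):
    """Aggregate per-client behaviour: request mix, distinct paths, user agents."""
    profiles = defaultdict(lambda: {"requests": 0, "static": 0, "dynamic": 0,
                                    "paths": set(), "agents": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        p = profiles[rec["ip"]]
        p["requests"] += 1
        if rec["path"].endswith(STATIC_SUFFIXES):
            p["static"] += 1
        else:
            p["dynamic"] += 1
        p["paths"].add(rec["path"])
        p["agents"].add(rec["ua"])
    return dict(profiles)


def flag_suspicious(profiles, bad_reputation=frozenset(), rate_threshold=100, min_dynamic=6):
    """Combine reputation, a plain rate check and two behavioural checks.

    Returns {ip: [reasons]}. The rate check alone would miss a low-volume
    flood, which is what the behavioural checks are for.
    """
    flagged = {}
    for ip, p in profiles.items():
        reasons = []
        if ip in bad_reputation:
            reasons.append("ip-reputation")
        if p["requests"] > rate_threshold:
            reasons.append("rate")
        # Browsers fetch assets alongside pages; a client that only ever hits
        # dynamic endpoints behaves like a script.
        if p["dynamic"] >= min_dynamic and p["static"] == 0:
            reasons.append("no-static-assets")
        # Repeatedly hitting one expensive URL is the typical HTTP-flood shape.
        if p["dynamic"] >= min_dynamic and len(p["paths"]) == 1:
            reasons.append("single-url-hammering")
        if reasons:
            flagged[ip] = reasons
    return flagged


def _line(ip, target, ua, ts="10/Oct/2023:12:00:00 +0000"):
    """Build one constructed combined-format log line."""
    return f'{ip} - - [{ts}] "GET {target} HTTP/1.1" 200 512 "-" "{ua}"'


BROWSER = "Mozilla/5.0 (Windows NT 10.0) Gecko/20100101 Firefox/118.0"
SCRIPT = "python-requests/2.31"

# Constructed sample traffic: two browsing sessions, one low-rate flood
# client, and one client that appears on a (constructed) reputation list.
SAMPLE_LOG = (
    [_line("203.0.113.10", t, BROWSER) for t in
     ("/", "/static/app.js", "/static/style.css", "/product/42", "/static/logo.png")]
    + [_line("203.0.113.11", t, BROWSER) for t in ("/product/7", "/static/app.js", "/cart")]
    + [_line("198.51.100.5", "/search?q=a", SCRIPT) for _ in range(8)]
    + [_line("192.0.2.77", t, BROWSER) for t in ("/", "/static/app.js")]
)
BAD_REPUTATION = frozenset({"192.0.2.77"})

if __name__ == "__main__":
    for ip, reasons in flag_suspicious(profile(SAMPLE_LOG), BAD_REPUTATION).items():
        print(ip, reasons)
```

In the constructed sample the flood client sends only eight requests, far below the rate threshold, yet it is flagged on behaviour alone; the two browsing clients are not flagged, and the reputation-listed client is flagged even though its traffic looks ordinary. That is the complementary coverage the text describes.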

Web Application Firewall (WAF) – a Solution for This Type of Attack

How a WAF blocks an attack from a compromised host. Image source: https://www.cloudflare.com/de-de/learning/ddos/glossary/web-application-firewall-waf/

A WAF, or ‘Web Application Firewall’, is like a security service for a website or online application. Imagine your website is a house, and the WAF is a bouncer who stands at the door and checks everyone entering to make sure they are not a threat.

If someone tries to visit your website, they have to get past the WAF. Similar to how security personnel check the identity and intentions of people, the WAF inspects the incoming traffic on your website. It checks whether the requests come from real users or whether they are malicious attacks, such as attempts to paralyse the website or access confidential data.

How Does a WAF Work?

A WAF protects your web applications by filtering, monitoring and blocking any malicious HTTP/S traffic passing through the web application and preventing unauthorised data from leaving the application. It does so by checking against a set of policies that help determine whether traffic is deemed malicious or safe. Just as a proxy server acts as an intermediary to protect a client’s identity, a WAF works similarly, but in reverse – as a reverse proxy – and acts as an intermediary that protects the web application server from a potentially malicious client.

WAF Security Models

Three security approaches are typically applied by WAFs:

  • Allowlisting: A ‘permission list’ that uses machine learning and behaviour modelling algorithms to define what traffic is allowed through by the WAF. Everything else is blocked.
  • Blocklisting: A ‘blocklist’ based on current signatures against known vulnerabilities that define which traffic is rejected by the WAF. Anything else is accepted.
  • Hybrid approach: The WAF relies on a combination of positive and negative security models: a combination of allowlists and blocklists that determine what is allowed through.
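The three models can be expressed as a small request filter. The Python below is an added illustration, not code from the article or from any WAF product: `allowlist_verdict` is the positive model (only known routes, methods and parameter shapes pass), `blocklist_verdict` the negative model (requests matching known signatures are rejected), and `hybrid_verdict` chains both. The routes, parameter rules and signatures are constructed for the example; a real allowlist would be derived from the application, by learning or otherwise, as the text describes.

```python
import re
from dataclasses import dataclass, field


@dataclass
class Request:
    """Minimal view of an HTTP request as a WAF sees it (constructed for the example)."""
    method: str
    path: str
    params: dict = field(default_factory=dict)


# Positive model (constructed): the only things the application legitimately serves.
ALLOWED_METHODS = {"GET", "POST"}
ALLOWED_ROUTES = [
    (re.compile(r"^/$"), {}),
    (re.compile(r"^/product/\d+$"), {}),
    (re.compile(r"^/search$"), {"q": re.compile(r"^[\w .-]{1,64}$")}),
    (re.compile(r"^/static/[\w./-]+$"), {}),
]

# Negative model (constructed): signatures for well-known attack patterns.
BLOCK_SIGNATURES = {
    "sqli": re.compile(r"(?i)(union\s+select|'\s*or\s+'?\d+'?\s*=\s*'?\d+)"),
    "xss": re.compile(r"(?i)<\s*script|javascript:|on\w+\s*="),
    "traversal": re.compile(r"\.\./"),
}


def allowlist_verdict(req):
    """Positive model: pass only a known method, route and parameter shape."""
    if req.method not in ALLOWED_METHODS:
        return False, "method not allowed"
    for route, param_rules in ALLOWED_ROUTES:
        if route.match(req.path):
            for name, value in req.params.items():
                rule = param_rules.get(name)
                if rule is None or not rule.match(value):
                    return False, f"parameter {name!r} not allowed"
            return True, "matches allowed route"
    return False, "no matching route"


def blocklist_verdict(req):
    """Negative model: reject when any signature matches the path or a parameter."""
    surface = [req.path] + list(req.params.values())
    for name, sig in BLOCK_SIGNATURES.items():
        if any(sig.search(s) for s in surface):
            return False, f"signature {name}"
    return True, "no signature matched"


def hybrid_verdict(req):
    """Hybrid: the request must be on the allowlist and not on the blocklist."""
    ok, why = allowlist_verdict(req)
    if not ok:
        return False, "allowlist: " + why
    ok, why = blocklist_verdict(req)
    if not ok:
        return False, "blocklist: " + why
    return True, "allowed"


if __name__ == "__main__":
    for r in (Request("GET", "/product/42"),
              Request("GET", "/search", {"q": "laptop"}),
              Request("GET", "/admin/config"),
              Request("GET", "/static/../config.yml"),
              Request("DELETE", "/product/1")):
        print(r.method, r.path, r.params, "->", hybrid_verdict(r))
```

The two single-model failure modes show up in the sample requests: `/admin/config` passes the blocklist (no signature matches an unknown path) but fails the allowlist, while `/static/../config.yml` fits the allowlisted static route but is caught by the traversal signature. The hybrid model rejects both.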

What Are Network-Based, Host-Based and Cloud-Based WAFs?

A WAF can be implemented in one of three different ways, each of which has its own advantages and disadvantages:

  • A network-based WAF is generally hardware-based. Since it is installed locally, it minimises latency, but network-based WAFs are the most expensive option and require the storage and maintenance of physical hardware.
  • A host-based WAF can be fully integrated into an application’s software. This solution is less expensive than a network-based WAF and offers more customisation options. However, the drawbacks of a host-based WAF are the use of local server resources, implementation complexity and maintenance costs. These components usually require engineering time and can be costly.
  • Cloud-based WAFs offer an affordable option that is very easy to implement; they typically offer a ready-made installation that is as simple as changing the DNS to redirect traffic. Cloud-based WAFs also have no or minimal initial costs, as users pay monthly or annually for security as a service. Cloud-based WAFs can also provide a solution that is continuously updated to protect against the latest threats without any additional work or costs to the user. The disadvantage of a cloud-based WAF is that users hand over responsibility to a third-party provider, so some WAF functions may lack transparency for them.

How We Protect Our Customers from HTTP and DDoS Attacks

  • We offer Cloudflare as a CDN/WAF solution.
  • We help compile protective measures in the event of an attack.
  • If an attack is underway, we only have limited options to support the victim. We have to primarily focus on protecting other customers from the effects of the attack.
  • This means that we assign data traffic to a null route so that the victim becomes unreachable. This reduces the network load, while other customers can still be reached.

Conclusion

HTTP can be subject to various attacks, such as DoS, injection, XSS, CSRF, SYN flood and GET flood. A WAF is a comprehensive solution to protect web applications from such attacks. It can be network-, host- or cloud-based. It is most important to choose the option which prepares you best for an attack, and at Nine, we are happy to help you find and implement the protective measures that are right for you.

Featured image: How the botnet controller controls compromised hosts when a server is attacked. Image source: https://www.wallarm.com/what/website-security-and-prevention-of-a-http-flood-attack

New Data Protection Act in Switzerland: An overview of important changes at Nine

The new federal Act on Data Protection (nFADP) will take effect in Switzerland from 1 September 2023. This update involves changes affecting both companies and individuals. In view of these innovations, we have adapted our legal documents to meet the new provisions.

1. Automatic inclusion of the Data Processing Agreement (DPA) in our General Terms and Conditions (GTC)

One change concerns our Data Processing Agreement (DPA), which is now automatically included in our General Terms and Conditions (GTC). Previously, customers had to sign separate DPA agreements to ensure their data was processed in accordance with legal requirements. With the update of our General Terms and Conditions (GTC), this need no longer applies. This means that the Data Processing Agreement (DPA) now applies to all customers by default. You don’t need to do anything. Individual, already existing DPAs, ADVs or AVVs remain valid.

2. Transparency through complete publication of technical and organizational measures (TOM)

Previously, technical and organizational measures (TOMs) taken to ensure data protection were only available upon request. As part of the revDSG, we have decided to take a step towards greater transparency. These measures have now been published in full and can be viewed by everyone. This enables customers, partners and interested parties to have a comprehensive insight into the security measures we have taken to adequately protect personal data.

3. Central availability of legal documents

To make it easier to access important information, we have placed all legal documents in one central place on our website. Under https://docs.nine.ch/docs/category/legal-documents you will find a comprehensive collection of documents to help you better understand our privacy practices and policies.

4. New obligations and cooperation in the event of breaches of data protection

The nFADP also introduces new provisions that oblige companies and data processors to strengthen cooperation and transparency in the event of breaches of data protection. In the case of a personal data breach pertaining to data which is processed by the Data Processor, the Data Processor notifies the Data Controller without delay, and no later than 48 hours after becoming aware of the breach. In the event of a breach of data protection, data processors must assist the controller in carrying out a data protection impact assessment. This cooperation serves to take appropriate measures to reduce damage.

The introduction and publication of the contractual documents marks a significant step towards increased transparency, accountability and cooperation in the field of data protection.

We cordially invite you to review our updated Terms and Conditions and Privacy Policy available at https://docs.nine.ch/docs/category/legal-documents to learn more about the steps we take to protect your data and meet the new legal requirements.

Unlocking New Possibilities with the Nine Internet Solutions API

Modernise your web services with our new API and CLI tools.

At Nine, we’re always looking for innovative ways to improve and expand our services to better serve our customer base. As part of our ongoing mission to modernise our offerings and make our services applicable to the widest range of workflows, we’re excited to announce the launch of our new API and accompanying CLI tool, nctl.

Our API allows you to manage your Nine services with ease, while the nctl CLI tool provides a seamless way to interact with the API, streamlining tasks such as logging in or creating service accounts. This allows you a greater level of autonomy over your Nine solutions, and although we’re still working to include all of our services in the API, we believe that this is a significant step forward in making our platform more accessible and efficient.

Here’s a brief overview of what you can expect from these new features:

  • Flexibility and Integration

At Nine, we know that every customer’s requirements are unique. By offering an API in addition to our existing web-based interface, we’re opening the door for our customers to build custom integrations with their existing systems and tools. With the ability to connect to our services programmatically, businesses can streamline their operations and tailor their workflows to meet their unique requirements. Our API has a full OpenAPI specification, so you can easily integrate it into your own tooling and client if using nctl does not suit your workflow.

  • Automation and Efficiency

As we strive to modernise our offerings and empower our customers, one of the key benefits of our new API is the ability to adopt DevOps workflows that were previously not possible with Nine’s services. Embracing DevOps practices can help your organisation streamline processes, improve collaboration, and reduce time-to-market. With our API, you can now fully integrate DevOps principles into your projects.

Leveraging our API will enable you to create, update and destroy services in an automated manner as part of your testing or deployment pipelines. This means you can rapidly spin up and tear down environments as needed, without manual intervention. By integrating our API into your continuous integration and continuous deployment (CI/CD) pipelines, you can accelerate your software development lifecycle and ensure that your applications are always up-to-date and reliable. With the API and nctl, it’s easier than ever to automate repetitive tasks and processes. Combined with existing Nine features such as autoscaling, KEDA, ArgoCD and Grafana, Nine now offers more tools than ever before to automate every aspect of your application lifecycle.

  • Onboarding Made Easy

At Nine, we understand that our customers have diverse needs and preferences when it comes to managing their web services. We believe in providing a range of tools that cater to different workflows, whether you’re a developer who prefers a command-line interface and yaml file, or a manager looking for a user-friendly graphical interface. That’s why we’ve developed our new CLI tool, nctl, in conjunction with our existing web interface, Cockpit.

Our nctl CLI tool is designed to make it simple for both new and existing customers to start using our API. With an intuitive command-line interface, you can quickly log in and access the API, making it easier to manage your services and explore the capabilities of our platform. This tool is particularly suited to developers who are comfortable with command-line utilities and prefer to automate tasks through scripts, or integrate with their existing toolchains.

In contrast, Cockpit is our web-based interface that provides a more accessible and visual way to manage your Nine products. It is designed for those who prefer a graphical interface, especially those in management roles or with less technical backgrounds. With Cockpit, you can easily monitor and control your resources, track usage, and configure settings through an intuitive dashboard. If you’re just starting out with using the API directly, it’s also a good way to double-check that any actions performed there had the desired effects on your configuration.

  • Service Accounts

As we continue to expand our offerings with the launch of our new API, we recognise the importance of providing our customers with robust security features and granular control over their resources. Following on from our recent introduction of personalised logins, we’re excited to introduce service accounts—a powerful tool that enhances the management and security of your Nine services.

Service accounts are designed to help you manage access to your resources and services within our platform more effectively. Here’s a brief overview of the benefits service accounts bring to our customers:

  1. Fine-Grained Access Control
    Service accounts allow you to define specific permissions and roles, ensuring that accounts have access only to the resources and actions necessary for their tasks. This approach provides you with granular control over your infrastructure, enabling you to implement the principle of least privilege and to minimise the risk of unauthorised access.
  2. Improved Security
    By using service accounts, you can further reduce the need for sharing personal user credentials, such as usernames and passwords, among your team members. As well as each team member having an individual login with Nine, they can generate service accounts which provide unique credentials that can be used to authenticate and interact with our API. This approach helps protect your sensitive information and makes it easier to track and manage access to your resources.
  3. Simplified Auditing and Monitoring
    Service accounts make it easier to monitor and audit the actions performed within your infrastructure. Currently, our service accounts only offer the ability to have “admin” or “viewer” roles applied, but we plan to expand this in future with the introduction of “Projects”, which will allow you to scope a service account to a defined subset of your organisation’s resources.

  • Ongoing Enhancements and Expansion

As we continue to develop and improve our API, we’ll be adding more features and services to enhance your experience. We’re committed to delivering a powerful, easy-to-use toolset that will help you modernise your infrastructure and stay competitive in the digital landscape. So expect more of our services to be available via this interface in the coming months.

To help you get started, we’ve prepared comprehensive documentation that outlines how to use the API and nctl CLI tool. You can find step-by-step guides, detailed explanations of available features, and example code to assist you in integrating our API into your workflow.

If you’re an existing Nine customer, you can already use the API and nctl today by visiting https://github.com/ninech/nctl and following the install instructions for your system. Our full API docs and OpenAPI spec are available at https://docs.nineapis.ch.

Next from Nine

But that’s not all—we have more exciting news on the horizon. We’re always working on new services to make our customers’ lives easier, and we’re thrilled to give you a sneak peek at what’s coming up next. Soon, we will be launching deplo.io, a cutting-edge, no-ops hosting service. This platform will enable you to deploy applications quickly and effortlessly, without the need to manage underlying infrastructure.

Deplo.io is designed to cater to the needs of modern developers, offering a seamless, configuration-based approach to deploying your applications. Deplo.io is committed to being a developer-first experience, meaning you can focus on your applications while we take care of the rest. We can’t wait to share more about this game-changing service in the coming weeks. To be one of the first to try it, please visit the website and sign up for more information.

At Nine Internet Solutions, we’re committed to providing our customers with the tools they need to succeed in an ever-evolving digital landscape. Our API, nctl, and upcoming services like deplo.io are just the beginning. Stay tuned for more updates as we continue to enhance our offerings and empower your business to thrive.

Introducing the Nine Self-Service API

As we launch our API we want to give some technical insights on how we got here and what can be achieved with it.

Over the last two years we have been reworking how we provision new infrastructure at Nine. The main goals for this were:

  • fully automated provisioning, so that customers can self-service Nine’s products and services
  • a standard approach that can be used by all internal teams

It all started when we got more familiar with writing Kubernetes controllers in Go during our development of Nine Managed GKE. It was around the same time that we discovered Crossplane. It was still early days and it would take quite a bit of time for v1 to be released, so we were being a bit cautious. After some first experiments with trying to manage our Terraform modules with it, we decided to make use of it for our new Object Storage service and built our first controllers using crossplane-runtime.

We have been using this new approach for quite some time now and our frontend Cockpit has also been using the new API since we launched the updated Object Storage in 2021. As we added more services which make use of this new system like our Managed Kubernetes NKE we gained confidence in the system, the APIs and controllers that power it. Having confidence in the system allowed us to take the next step and open it to customers, so they could also consume the API directly.

The main landing page for the new API can be found within our docs on docs.nineapis.ch. In addition to that, the API definitions (Go types and OpenAPI v2 Spec) can be found on GitHub.

CLI

With the launch we also introduced a new CLI tool that helps with authenticating against the API. It’s called nctl and the full source and installation instructions can be found on GitHub.

We implemented a login flow similar to gcloud, simply running nctl auth login <cockpit account name> will redirect you to your browser to enter your Cockpit login credentials. After logging in you can then create a service account to access the API in your own automation workflows.

The CLI implements just a few of our services right now but it also allows you to CRUD any API object from a yaml or json file similar to kubectl with nctl create/apply/delete -f <file>.

Integrations

Besides interacting with the API using nctl there are already other existing integrations that work out of the box. As our API is built on top of Kubernetes anything that can interact with a Kubernetes Custom Resources will be able to speak to our API. We can, for example, leverage Terraform to provision any service on our API or use kubectl to interact with any object on the API once authenticated with nctl.

Terraform

The Kubernetes Terraform provider supports applying any Kubernetes object using the kubernetes_manifest resource. Here’s a minimal example that creates a Kubernetes cluster on our API using Terraform. It also waits until the resource is reported to be ready, which is especially helpful if you later want to retrieve the connection secret (here, the kubeconfig) that the cluster writes.

resource "kubernetes_manifest" "sample_cluster" {
  manifest = {
    apiVersion = "infrastructure.nine.ch/v1alpha1"
    kind       = "KubernetesCluster"
    metadata = {
      name      = "sample-cluster"
      namespace = "<cockpit account name>"
    }
    spec = {
      forProvider = {
        vcluster = {
          version = "1.24"
        }
        nodePools = []
        location  = "nine-es34"
      }
      writeConnectionSecretToRef = {
        name      = "sample-cluster"
        namespace = "<cockpit account name>"
      }
    }
  }

  # block until the cluster reports Ready; the connection secret only exists after that
  wait {
    condition {
      type   = "Ready"
      status = "True"
    }
  }
}

# read the secret that the KubernetesCluster creates (named "sample_cluster" so that
# the output below and the apply log refer to the same data source)
data "kubernetes_secret_v1" "sample_cluster" {
  metadata {
    name      = kubernetes_manifest.sample_cluster.manifest.spec.writeConnectionSecretToRef.name
    namespace = kubernetes_manifest.sample_cluster.manifest.spec.writeConnectionSecretToRef.namespace
  }
}

# expose the kubeconfig as a sensitive output. This could then be used by another module, for example.
output "kubeconfig" {
  sensitive = true
  value     = data.kubernetes_secret_v1.sample_cluster.data.kubeconfig
}


We can apply this as usual with Terraform and we can see that after the cluster creation is completed, we can read out the secret containing the kubeconfig to access our new cluster.

$ terraform apply
[...]
kubernetes_manifest.sample_cluster: Creating...
kubernetes_manifest.sample_cluster: Still creating... [10s elapsed]
kubernetes_manifest.sample_cluster: Still creating... [20s elapsed]
kubernetes_manifest.sample_cluster: Still creating... [30s elapsed]
kubernetes_manifest.sample_cluster: Still creating... [40s elapsed]
kubernetes_manifest.sample_cluster: Still creating... [50s elapsed]
kubernetes_manifest.sample_cluster: Still creating... [1m0s elapsed]
kubernetes_manifest.sample_cluster: Still creating... [1m10s elapsed]
kubernetes_manifest.sample_cluster: Creation complete after 1m12s
data.kubernetes_secret_v1.sample_cluster: Reading...
data.kubernetes_secret_v1.sample_cluster: Read complete after 0s [id=nine/sample-cluster]

Apply complete! Resources: 1 added, 0 changed, 0 destroyed.

Outputs:

kubeconfig = <sensitive>


For more examples and instructions on how to authenticate against the API with Terraform, head over to GitHub.

Going forward

Our eventual goal is to provide all our services via this API. It will take some time to get there but now that the groundwork has been set, developing new services will be faster than ever and will bring down our need to do manual tasks considerably which in turn allows us to further improve our services.

Cloudflare: Protecting Apfelkiste.ch from DDoS Attacks

apfelkiste.ch is one of Switzerland’s biggest online shops. In 2020, it saw a turnover of 60 m Swiss Francs.

From the start, the company’s enormous growth made it clear that apfelkiste.ch would become the target of DDoS attacks. Thus, the company worked with Nine and Cloudflare to establish a solution early on. This solution is not only resistant to DDoS attacks, but also offers many other advantages by providing less complexity and stronger performance.



Interview with Sven Härtwig (CEO and Proprietor of narf-studios GmbH, commissioned by apfelkiste.ch to maintain their webshop). Blogpost created by Tom Hug (Nine).


Why did you purchase Cloudflare from Nine?

Cloudflare offers a Content Delivery Network (CDN) as well as Distributed Denial of Services (DDoS) Protection and a Web Application Firewall (WAF) from a single provider. With 200 locations around the world (Zurich and Geneva in Switzerland) and excellent peering with a variety of internet providers, Cloudflare is well-equipped to improve the performance of devices used in Switzerland and thus enables an unhindered shopping experience for our customers.

In connection with their CDN, apfelkiste.ch also uses so-called Edge Computing, which eases the pressure on servers hosted by Nine. Edge Computing means, for example, that images are only stored in their original size on Nine’s servers, while any custom sizes are created by Cloudflare on the fly. This can lower CPU usage and save a lot of storage space. Cloudflare Workers uses a JavaScript Runtime on Edge which is very accommodating when it comes to individual client requirements. Thanks to the use of JavaScript, the application makes any front-end developer feel right at home. For example, a self-developed Worker can directly recognise devices (e.g. smartphones or 3G-enabled devices), meaning that images can be adapted to each device as well as the necessary bandwidth without any contribution from the application itself. In addition, we can edit entire websites and add dynamic content, such as impromptu promotional pop-up messages, from the cache – before they even hit the device – without completely rebuilding caching. In this way, we attain maximum performance while keeping usage on our application servers as low as possible. 

Furthermore, we appreciate the flexibility of caching, which allows, among other things, for purging of individual pages via tags and API. If a change to a product is detected, Cloudflare receives a command directly from the backend and all cached objects which are connected to this particular product are first invalidated, and then rebuilt through a cache-warming process. As a result, we attain a high cache rate, while maintaining strong flexibility, and can thus consistently provide optimal performance and quick delivery times while keeping server usage low.

Nine is a Cloudflare Enterprise Partner, and Nine’s engineers possess the necessary know-how to support us. They know which Cloudflare services would best complement our setup and are aware of their advantages and drawbacks.

Why did you choose Nine at the time?

Nine was able to quickly provide a solution tailored to our needs and to ensure a swift and straightforward migration. Thanks to Nine’s long-standing experience, our issues were well-known to their engineers, and they knew how to tackle our challenges perfectly and reliably.

How would you describe Nine in one sentence?

Through a combination of strong expertise and technical solutions, Nine provides us with the security needed to no longer face days such as Black Friday trembling in fear, and the possibility to offer an extremely high-performance web shop.

What are the emerging trends and developments in the market (from your point of view)?

In ecommerce, there is a clear trend towards more mobile devices. In 2019, their share already made up more than 60%! In addition, fast loading times are becoming much more important. In this context, approaches such as headless PWA concepts are gaining in importance as well.

Which topics have you and your team focussed on in the past months?

At the moment, our redundant cluster is only running in one of Nine’s locations. We are aiming to expand our setup further, while adding more reliability as well. Performance optimisation is and will always remain a topic we are constantly working on.


If you would like further information regarding Cloudflare or DDoS protection, contact Nine.

Looking Back on our TechTalkThursday #13

Our TechTalkThursday took place on the 1st of October at 18:00. With only 15 participants on site, attendance was around a third of a pre-Corona meetup, and it was the first time we streamed live on YouTube (original link, uncut). At the peak, 18 people were watching our stream simultaneously. Room to improve! Subscribe to our YouTube Channel to get notifications for new videos and live streams of our events!

Thomas Hug, the founder of Nine, introduced the two speakers: Eric Funk of Nine Internet Solutions AG and Tobias Brunner of VSHN AG.

Develop like a Linux pro on Windows

Microsoft has always been attractive to a massive community of software developers. While it focused on the Windows platform in the beginning, with very little engagement in open source and Linux, things have changed quite significantly in recent years. In our Nine TechTalk, Eric explains the reasons behind the move towards great Linux support and Microsoft’s engagement in building great development tools, and shows how to run and use Docker, Kubernetes, databases and Visual Studio Code so that you can be a productive software developer on Windows 10.

Resources: 

Install WSL 2
https://docs.microsoft.com/en-us/windows/wsl/install-win10
Use Docker with WSL
https://docs.docker.com/docker-for-windows/wsl/
Use WSL 2 With VS Code
https://code.visualstudio.com/blogs/2019/09/03/wsl2

How Project Syn helps to manage a fleet of Kubernetes Clusters

Have you ever had to manage more than a handful of Kubernetes clusters? We at VSHN do this all day and we learned the hard way what this actually means. With our Open Source toolkit called Project Syn we want to help others facing the same challenges. 

Project Syn brings a hierarchical configuration management system based on GitOps principles, reusable components, and an inventory with all information about the managed Kubernetes clusters. It does not aim to reinvent the wheel and reuses already existing tooling as much as possible, like Argo CD or Kapitan, and glues them together. 

Project Syn was born out of our daily work, and as such it is built to solve real-world needs. It's still a young project and we're working hard to make it production ready. Interested? Just head over to https://syn.tools and get all the information you need.


Looking Back on our TechTalkThursdays #11 and #12

Besides our normal TechTalkThursdays in the evening, we tried new times during lunch and at 08:00 in the morning. Neither of them proved to be better than the evening, as we didn't get the same number of participants.

We use this article to summarize the topics of Demian Thoma and Daniel Lorch.

How a Titan empowers our Cloud Monitoring Infrastructure

Nine is hosting and managing thousands of servers for its customers. They recently moved to a new monitoring solution based on the open-source tools around Prometheus. Nine’s Demian Thoma talks about how nine implemented its new monitoring solution and how it gave them more insight into their infrastructure.

Nine was using Nagios before switching to Prometheus. Changing the monitoring stack allowed them to simplify the setup, gain more insight into their services and remove a separate analytics infrastructure stack.

Site Reliability Engineering: What you need to know about Service Level Indicators, Service Level Objectives and Error Budgets

What does reliability mean to you? In his talk, Daniel Lorch reiterates the claim that reliability is the most important feature of any system. But services only need to be reliable enough to make their users happy: investing too much in reliability results in higher cost (engineering time and infrastructure) without added benefit, while investing too little results in unhappy users.

How do you determine and agree upon what “reliable enough” is to your services and your organization? Site Reliability Engineering provides tools and concepts to formalize this discussion, notably:

  • Service Level Indicators (SLIs): a monitoring metric that is indicative of a user’s goal
  • Service Level Objectives (SLOs): a target on an SLI that if barely met, keeps the users happy
  • Error Budgets: the maximum amount of time the system can fail without contractual consequences. It is the remainder / inverse of the SLO
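As an added worked example (not code from the talk, and all request counts are constructed), here is the arithmetic behind the three terms: an availability SLI from good/total requests, the error budget as the inverse of the SLO, and a check of how much of the budget is left, including the edge cases of no traffic and an overspent budget.

```python
# Added worked example (not code from the talk); all request counts are constructed.
from dataclasses import dataclass

WINDOW_DAYS = 30  # a 30-day rolling window is a common SLO evaluation period


def availability_sli(good_requests: int, total_requests: int) -> float:
    """SLI: share of requests that met the user's goal (were served successfully)."""
    if total_requests == 0:
        # No traffic means no failed user interactions; treat as fully available.
        return 1.0
    return good_requests / total_requests


def error_budget_fraction(slo_target: float) -> float:
    """Error budget is the inverse of the SLO: the share of requests allowed to fail."""
    if not 0.0 < slo_target < 1.0:
        raise ValueError("SLO target must be a fraction strictly between 0 and 1")
    return 1.0 - slo_target


def error_budget_minutes(slo_target: float, window_days: int = WINDOW_DAYS) -> float:
    """The same budget expressed as allowed downtime over the window."""
    return error_budget_fraction(slo_target) * window_days * 24 * 60


@dataclass
class BudgetStatus:
    sli: float
    budget_allowed: int         # requests that may fail within the window
    budget_consumed: int        # requests that actually failed
    remaining_fraction: float   # 1.0 untouched, 0.0 exhausted, negative overspent

    @property
    def exhausted(self) -> bool:
        return self.remaining_fraction <= 0.0


def evaluate(good_requests: int, total_requests: int, slo_target: float) -> BudgetStatus:
    """Compare the measured SLI with the SLO and report how much budget is left."""
    sli = availability_sli(good_requests, total_requests)
    allowed = round(error_budget_fraction(slo_target) * total_requests)
    failed = total_requests - good_requests
    if allowed == 0:
        # Zero-sized budget (no traffic): any failure overspends it.
        remaining = 1.0 if failed == 0 else -1.0
    else:
        remaining = 1.0 - failed / allowed
    return BudgetStatus(sli, allowed, failed, remaining)
```

A 99.9% availability SLO over 30 days leaves 43.2 minutes of allowed downtime; with 100,000 requests in the window, 100 of them may fail before the budget is exhausted.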

Watch the 30’ talk below to learn about these concepts and see how an example SLI/SLO is being defined for a fictitious game platform. Links to further information are provided at the end of the talk.

On this occasion, we would like to once again thank our speakers for presenting!

Processing authoritative requests

As we receive requests from authorities every now and then to provide information for their investigations, I want to shed some light on how we process such requests, what that means for us and especially what it means for our customers, and why they can rest assured that we still take their privacy seriously. These requests come mostly from the police, through different channels: either directly or via the "EJPD".

We basically have three different scenarios:

1. Authority is not an authority (or request lacks legitimation)

This could be a foreign authority approaching us directly, or a local authority placing a request which is not (yet) officially authorized. The latter case occurs very rarely, the first one a bit more often. Depending on what information is requested, we most often have to reject such requests. However, sometimes the requested information is actually publicly available but was overlooked for some reason. If this is the case, we may point the requester in the right direction so that we do not have to deal with further requests from their side. If the requested information is not publicly available, we have to reject the request and redirect it to the proper legal channel.

2. Authority “just” requesting contact information

This is the most common case, since for almost all systems and setups it is our customers, not us, who have data sovereignty. We only have data sovereignty over the data of our own systems used for internal purposes. In this case, if the request is legitimate, we provide the requested contact information and the authority then approaches our customer directly.

3. Authority requesting additional information

These are very rare cases, and proper legitimation of such a request is essential. In that case, unless subpoenaed, we contact the customer about the request and attempt to preserve the requested information in order to provide it to the authorities. It is especially important to provide only the information that was requested and to protect other customers' data.

Why do we have to deal with such requests?

As a service provider, we are of course bound by the law. We can only provide our customers with a safe service when we have a safe setup ourselves, and a safe setup also means one that is compliant with all applicable laws.

What is the reason behind such requests / How can you avoid getting the target of such a request?

First of all: there is no definitive universal advice, as there is always a slight chance of being targeted accidentally. Generally speaking, we can say that there were good reasons for all requests we have received so far. Those concerned customers that either were abusing their setups for illegal activities themselves or, more often, customers that neglected their setup and thus got compromised.

So why can’t nine protect customers from getting compromised when they neglect their setup?

For one thing, responsibilities are clear: Nine provides a service the customer can use. It is the customer's obligation to use it in a responsible manner. This also means that any applications run on top of our service are within the customer's responsibility to maintain.
For another: Nine cannot monitor each and every application a customer sets up, as this would make it a managed application. Also, we do not know the customer's requirements for this application. Maybe the customer is aware of some risks and has to accept them due to dependencies or for other reasons.

Lastly: if Nine becomes aware of an insecure or even compromised setup, we immediately contact that customer so they can take corrective measures, which we also support on a best-effort basis.

To sum it all up:

Nine takes your privacy very seriously. Nine will not process requests for which there is no legal basis. However, when we are legally obliged to comply with an authoritative request, we will process that request. It is important to say that while doing so, we make absolutely sure that no other customer's privacy is at stake. This means, for example, that we insist on an electronic version of such requests so that we can copy&paste the addressing elements of the requested information, avoiding typos and accidentally targeting the wrong customers. We also insist on a secure (encrypted) way of transmitting the requested information to the recipient. Nine will also inform its customers about such requests (unless subpoenaed on a legal basis).

As a customer, you can avoid being targeted by complying with the law and with the terms and conditions of your contract, and by keeping your setup maintained and applying updates and patches in a timely manner so that it cannot be exploited by criminals.

If you have any questions or need assistance, please do not hesitate to contact us.
