{"id":1475,"date":"2014-12-28T14:36:19","date_gmt":"2014-12-28T20:36:19","guid":{"rendered":"https:\/\/justinparrtech.com\/JustinParr-Tech\/?p=1475"},"modified":"2015-01-03T12:39:30","modified_gmt":"2015-01-03T18:39:30","slug":"how-to-prevent-dos-ddos-attacks-sony-and-microsoft-please-pay-attention","status":"publish","type":"post","link":"https:\/\/justinparrtech.com\/JustinParr-Tech\/how-to-prevent-dos-ddos-attacks-sony-and-microsoft-please-pay-attention\/","title":{"rendered":"How to Prevent DoS \/ DDoS Attacks (Sony and Microsoft: Please Pay Attention)"},"content":{"rendered":"<p><em>Denial of Service (DoS) attacks took down both Sony&#8217;s Playstation Network (PSN) and Microsoft&#8217;s XBox Live (XBL) on Christmas day &#8211; turning the joy of Christmas in to frustration and disappointment for anyone who received a new game for Christmas.\u00a0 As of 12\/26, XBox was largely restored, while Playstation was still at least partially offline, with PS3 access intermittent at best, the Playstation Network website &#8220;unavailable due to scheduled maintenance&#8221;, and PS4 access completely unavailable.<\/em><\/p>\n<p><em>Knowing in advance that threats had been made of a DoS attack on Christmas day, both companies had plenty of time to prepare, yet they either chose to ignore the threats or take insufficient precautions, leaving their staff scrambling, and their customers frustrated.<\/em><\/p>\n<p><em>Here is a simple method that could have been used to prevent the whole fiasco.<\/em><\/p>\n<p>&nbsp;<\/p>\n<p><!--more--><\/p>\n<p>&nbsp;<\/p>\n<div id=\"ez-toc-container\" class=\"ez-toc-v2_0_81 counter-hierarchy ez-toc-counter ez-toc-custom ez-toc-container-direction\">\n<div class=\"ez-toc-title-container\"><p class=\"ez-toc-title\" style=\"cursor:inherit\">Table of Contents<\/p>\n<\/div><nav><ul class='ez-toc-list ez-toc-list-level-1 ' ><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-1\" 
href=\"https:\/\/justinparrtech.com\/JustinParr-Tech\/how-to-prevent-dos-ddos-attacks-sony-and-microsoft-please-pay-attention\/#how-global-distributed-services-are-designed\" >How Global, Distributed Services\u00a0are Designed<\/a><ul class='ez-toc-list-level-3' ><li class='ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-2\" href=\"https:\/\/justinparrtech.com\/JustinParr-Tech\/how-to-prevent-dos-ddos-attacks-sony-and-microsoft-please-pay-attention\/#data-centers\" >Data Centers<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-3\" href=\"https:\/\/justinparrtech.com\/JustinParr-Tech\/how-to-prevent-dos-ddos-attacks-sony-and-microsoft-please-pay-attention\/#domain-name-system-dns\" >Domain Name System (DNS)<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-4\" href=\"https:\/\/justinparrtech.com\/JustinParr-Tech\/how-to-prevent-dos-ddos-attacks-sony-and-microsoft-please-pay-attention\/#internet-assigned-numbers-and-worldwide-regional-registries\" >Internet Assigned Numbers and Worldwide Regional Registries<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-5\" href=\"https:\/\/justinparrtech.com\/JustinParr-Tech\/how-to-prevent-dos-ddos-attacks-sony-and-microsoft-please-pay-attention\/#routers\" >Routers<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-6\" href=\"https:\/\/justinparrtech.com\/JustinParr-Tech\/how-to-prevent-dos-ddos-attacks-sony-and-microsoft-please-pay-attention\/#firewalls\" >Firewalls<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-7\" href=\"https:\/\/justinparrtech.com\/JustinParr-Tech\/how-to-prevent-dos-ddos-attacks-sony-and-microsoft-please-pay-attention\/#a-home-network-%e2%80%9crouter%e2%80%9d-is-a-firewall\" >A Home Network &#8220;Router&#8221; is a Firewall<\/a><\/li><li 
class='ez-toc-page-1 ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-8\" href=\"https:\/\/justinparrtech.com\/JustinParr-Tech\/how-to-prevent-dos-ddos-attacks-sony-and-microsoft-please-pay-attention\/#intrusion-detection-and-prevention-idsips\" >Intrusion Detection and Prevention (IDS\/IPS)<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-9\" href=\"https:\/\/justinparrtech.com\/JustinParr-Tech\/how-to-prevent-dos-ddos-attacks-sony-and-microsoft-please-pay-attention\/#network-connections\" >Network Connections<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-10\" href=\"https:\/\/justinparrtech.com\/JustinParr-Tech\/how-to-prevent-dos-ddos-attacks-sony-and-microsoft-please-pay-attention\/#connections-vs-sessions\" >Connections vs.\u00a0Sessions<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-11\" href=\"https:\/\/justinparrtech.com\/JustinParr-Tech\/how-to-prevent-dos-ddos-attacks-sony-and-microsoft-please-pay-attention\/#load-balancing-app-delivery\" >Load Balancing \/ App Delivery<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-12\" href=\"https:\/\/justinparrtech.com\/JustinParr-Tech\/how-to-prevent-dos-ddos-attacks-sony-and-microsoft-please-pay-attention\/#high-availability-and-redundancy\" >High Availability and Redundancy<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-13\" href=\"https:\/\/justinparrtech.com\/JustinParr-Tech\/how-to-prevent-dos-ddos-attacks-sony-and-microsoft-please-pay-attention\/#summary-%e2%80%93-global-distributed-services\" >Summary &#8211; Global, Distributed Services<\/a><\/li><\/ul><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-14\" 
href=\"https:\/\/justinparrtech.com\/JustinParr-Tech\/how-to-prevent-dos-ddos-attacks-sony-and-microsoft-please-pay-attention\/#dos-and-ddos-attacks\" >DoS and DDoS Attacks<\/a><ul class='ez-toc-list-level-3' ><li class='ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-15\" href=\"https:\/\/justinparrtech.com\/JustinParr-Tech\/how-to-prevent-dos-ddos-attacks-sony-and-microsoft-please-pay-attention\/#what-is-a-denial-of-service-dos-attack\" >What is a Denial of Service (DoS) attack?<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-16\" href=\"https:\/\/justinparrtech.com\/JustinParr-Tech\/how-to-prevent-dos-ddos-attacks-sony-and-microsoft-please-pay-attention\/#anatomy-of-a-dos-attack\" >Anatomy of a DoS Attack<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-17\" href=\"https:\/\/justinparrtech.com\/JustinParr-Tech\/how-to-prevent-dos-ddos-attacks-sony-and-microsoft-please-pay-attention\/#the-big-picture\" >The Big Picture<\/a><\/li><\/ul><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-18\" href=\"https:\/\/justinparrtech.com\/JustinParr-Tech\/how-to-prevent-dos-ddos-attacks-sony-and-microsoft-please-pay-attention\/#architecture-for-preventing-ddos-attacks\" >Architecture for Preventing DDoS Attacks<\/a><ul class='ez-toc-list-level-3' ><li class='ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-19\" href=\"https:\/\/justinparrtech.com\/JustinParr-Tech\/how-to-prevent-dos-ddos-attacks-sony-and-microsoft-please-pay-attention\/#step-1-use-source-based-access-policies-to-region-lock-connections\" >Step 1:\u00a0 Use Source-Based Access Policies to Region-Lock Connections<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-20\" 
href=\"https:\/\/justinparrtech.com\/JustinParr-Tech\/how-to-prevent-dos-ddos-attacks-sony-and-microsoft-please-pay-attention\/#step-2-maintain-multiple-network-connections\" >Step 2: Maintain Multiple Network Connections<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-21\" href=\"https:\/\/justinparrtech.com\/JustinParr-Tech\/how-to-prevent-dos-ddos-attacks-sony-and-microsoft-please-pay-attention\/#step-3-use-multiple-firewall-interfaces-with-source-based-routing\" >Step 3:\u00a0 Use Multiple Firewall Interfaces with Source-Based Routing<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-22\" href=\"https:\/\/justinparrtech.com\/JustinParr-Tech\/how-to-prevent-dos-ddos-attacks-sony-and-microsoft-please-pay-attention\/#step-4-use-multiple-server-pools\" >Step 4:\u00a0 Use Multiple Server Pools<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-23\" href=\"https:\/\/justinparrtech.com\/JustinParr-Tech\/how-to-prevent-dos-ddos-attacks-sony-and-microsoft-please-pay-attention\/#step-5-design-application-architecture-to-use-session-quarantining\" >Step 5:\u00a0 Design Application Architecture to Use Session Quarantining<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-24\" href=\"https:\/\/justinparrtech.com\/JustinParr-Tech\/how-to-prevent-dos-ddos-attacks-sony-and-microsoft-please-pay-attention\/#conclusion\" >Conclusion<\/a><\/li><\/ul><\/li><\/ul><\/nav><\/div>\n\n<p>&nbsp;<\/p>\n<h2><span class=\"ez-toc-section\" id=\"how-global-distributed-services-are-designed\"><\/span>How Global, Distributed Services\u00a0are Designed<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Let&#8217;s start with some relevant background information.<\/p>\n<ul>\n<li><span style=\"text-decoration: underline;\"><strong>Service<\/strong><\/span>: \u00a0Something you use, such as e-mail or shopping. 
\u00a0Applications are often called services.<\/li>\n<li><span style=\"text-decoration: underline;\"><strong>Server<\/strong><\/span>: \u00a0A high-capacity PC, with lots of memory and many CPUs, that runs an application to provide a service. \u00a0An application is the code running on the server.<\/li>\n<li><span style=\"text-decoration: underline;\"><strong>Network<\/strong><\/span>: \u00a0A network connects consumers to businesses (B2C), businesses to other businesses (B2B), or peers (P2P). \u00a0The internet is one big network.<\/li>\n<\/ul>\n<p>&nbsp;<\/p>\n<h3><span class=\"ez-toc-section\" id=\"data-centers\"><\/span>Data Centers<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>Global services such as PSN and XBL run on hundreds (or thousands) of servers that are grouped in large, secure, centralized facilities called data centers.<\/p>\n<p>Data centers are located logically and geographically to provide the best performance to specific regions of the world, while providing some redundancy in the event of a facility-wide failure.<\/p>\n<p>For regions where there are millions of customers, there might be multiple data centers within a single region, that provide redundancy and performance based on geographic diversity.<\/p>\n<p>&nbsp;<\/p>\n<h3><span class=\"ez-toc-section\" id=\"domain-name-system-dns\"><\/span>Domain Name System (DNS)<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>When you, as a PSN or XBL customer, connect to these services, you connect using a specific name, such as &#8220;playstation.com&#8221;.\u00a0 You don&#8217;t see this name, because it&#8217;s embedded within the configuration of your game console, unless you access their website using a browser.\u00a0 When you fire up your game console, it automatically connects to these services, and communicates with the underlying servers, to log you in, obtain updates, and allow your gamer friends to connect to and communicate with you online.<\/p>\n<p>Domain Name System (DNS) 
resolves the name &#8220;playstation.com&#8221; to a network Internet Protocol (IP) address, and your Playstation or XBox then uses the IP address to make a connection to the appropriate servers.<\/p>\n<p>Each world-wide region has its own domain name, such as &#8220;playstation.com&#8221; for North America, versus &#8220;playstation.co.uk&#8221; for the United Kingdom.\u00a0 Each name has its own IP address, that then routes your console to the respective data center for that region.<\/p>\n<p>&nbsp;<\/p>\n<h3><span class=\"ez-toc-section\" id=\"internet-assigned-numbers-and-worldwide-regional-registries\"><\/span>Internet Assigned Numbers and Worldwide Regional Registries<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>Internet Protocol (IP) addresses are assigned by the Internet Assigned Numbers Authority (IANA), who delegates ranges of addresses to each of the worldwide regional number registries, who then make specific IP address assignments, usually in large blocks, to the tier 1 providers (such as AT&amp;T, Time Warner, Verizon, and Cogent in the US).<\/p>\n<p style=\"padding-left: 30px;\"><a title=\"IANA Number Resources\" href=\"http:\/\/www.internetassignednumbersauthority.org\/numbers\" target=\"_blank\">http:\/\/www.internetassignednumbersauthority.org\/numbers<\/a><\/p>\n<p style=\"padding-left: 30px;\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-1482\" src=\"https:\/\/justinparrtech.com\/JustinParr-Tech\/wp-content\/uploads\/rir-map.png\" alt=\"rir-map\" width=\"450\" height=\"240\" srcset=\"https:\/\/justinparrtech.com\/JustinParr-Tech\/wp-content\/uploads\/rir-map.png 450w, https:\/\/justinparrtech.com\/JustinParr-Tech\/wp-content\/uploads\/rir-map-300x160.png 300w\" sizes=\"auto, (max-width: 450px) 100vw, 450px\" \/><\/p>\n<p style=\"padding-left: 30px; text-align: center;\"><em>(Graphic courtesy of IANA)<\/em><\/p>\n<p>Tier 1 providers then make smaller allocations to tier 2 providers, as well as companies 
such as Microsoft and Sony, for their data centers and associated networks.<\/p>\n<p>If the source and destination are within the same region, for example, if you live in North America, fire up your Playstation, and it connects to a North American data center, it&#8217;s reasonable to assume that both your home network&#8217;s IP address as well as the data center IP address were both assigned by ARIN. \u00a0There are a few exceptions to this, but in general, this rule works as described.<\/p>\n<p>In general, the first number of your IP address is tied to the regional registry, and therefore the region.<\/p>\n<p>My IP address is\u00a0<span style=\"text-decoration: underline;\"><strong>76.186.x.x<\/strong><\/span> (the last two numbers are hidden for security reasons). \u00a0Searching for my IP address on the ARIN website yields the following information:<\/p>\n<blockquote>\n<table>\n<tbody>\n<tr>\n<th colspan=\"2\">Network<\/th>\n<\/tr>\n<tr>\n<td>Net Range<\/td>\n<td>76.184.0.0 &#8211; 76.187.255.255<\/td>\n<\/tr>\n<tr>\n<td>CIDR<\/td>\n<td>76.184.0.0\/14<\/td>\n<\/tr>\n<tr>\n<td>Name<\/td>\n<td>RRACI<\/td>\n<\/tr>\n<tr>\n<td>Handle<\/td>\n<td>NET-76-184-0-0-1<\/td>\n<\/tr>\n<tr>\n<td>Parent<\/td>\n<td>NET76 (<a href=\"http:\/\/whois.arin.net\/rest\/net\/NET-76-0-0-0-0.html\">NET-76-0-0-0-0<\/a>)<\/td>\n<\/tr>\n<tr>\n<td>Net Type<\/td>\n<td>Direct Allocation<\/td>\n<\/tr>\n<tr>\n<td>Origin AS<\/td>\n<td><\/td>\n<\/tr>\n<tr>\n<td>Organization<\/td>\n<td>Time Warner Cable Internet LLC (RRSW)<\/td>\n<\/tr>\n<tr>\n<td>Registration Date<\/td>\n<td>2006-07-26<\/td>\n<\/tr>\n<tr>\n<td>Last Updated<\/td>\n<td>2007-03-12<\/td>\n<\/tr>\n<tr>\n<td>Comments<\/td>\n<td><\/td>\n<\/tr>\n<tr>\n<td>RESTful Link<\/td>\n<td><a href=\"http:\/\/whois.arin.net\/rest\/net\/NET-76-184-0-0-1\">http:\/\/whois.arin.net\/rest\/net\/NET-76-184-0-0-1<\/a><\/td>\n<\/tr>\n<tr>\n<td>See Also<\/td>\n<td>Related organization&#8217;s POC records.<\/td>\n<\/tr>\n<tr>\n<td>See Also<\/td>\n<td>Related 
delegations.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/blockquote>\n<p>The information provided is regarding Time Warner Cable, my internet provider. \u00a0Time Warner also does business as &#8220;Road Runner Cable&#8221;, thus the reference to &#8220;RR&#8221; in the organization&#8217;s handle.<\/p>\n<p>You can see that my IP address, starting with 76.186, is part of a rather large range starting with 76.184.0.0, ending with 76.187.255.255, identified by its CIDR (Classless Inter-Domain Routing) notation of 76.184\/14.<\/p>\n<p>The &#8220;\/14&#8221; indicates that the first 14 bits of the address are fixed. \u00a0The simple explanation is that \/14 allows for a range of 76.184 through 76.187 to be included in the assignment.<\/p>\n<p>The more complex answer is that each &#8220;octet&#8221; has 8 bits, so the \/14 (meaning 14-bit) subnet mask would be 255.252.0.0, keeping the first octet number 76 fixed (a 255 subnet mask covers the first 8 bits, keeping them fixed), while allowing the two least significant bits of the second octet (184) to vary. \u00a0184 in binary is 1011 1000. 
\u00a0252, or 1111 1100 also allows 1011 1001 (185), 1011 1010 (186) and 1011 1011 (187) to fall within the same subnet.<\/p>\n<p>Clicking on the parent link for NET-76-0-0-0 yields information about the parent network block, and the provider who allocated 76.186 to Time Warner:<\/p>\n<blockquote>\n<table>\n<tbody>\n<tr>\n<th colspan=\"2\">Network<\/th>\n<\/tr>\n<tr>\n<td>Net Range<\/td>\n<td>76.0.0.0 &#8211; 76.255.255.255<\/td>\n<\/tr>\n<tr>\n<td>CIDR<\/td>\n<td>76.0.0.0\/8<\/td>\n<\/tr>\n<tr>\n<td>Name<\/td>\n<td>NET76<\/td>\n<\/tr>\n<tr>\n<td>Handle<\/td>\n<td>NET-76-0-0-0-0<\/td>\n<\/tr>\n<tr>\n<td>Parent<\/td>\n<td><\/td>\n<\/tr>\n<tr>\n<td>Net Type<\/td>\n<td>Allocated to ARIN<\/td>\n<\/tr>\n<tr>\n<td>Origin AS<\/td>\n<td><\/td>\n<\/tr>\n<tr>\n<td>Organization<\/td>\n<td>American Registry for Internet Numbers (<a href=\"http:\/\/whois.arin.net\/rest\/org\/ARIN.html\">ARIN<\/a>)<\/td>\n<\/tr>\n<tr>\n<td>Registration Date<\/td>\n<td>2005-06-17<\/td>\n<\/tr>\n<tr>\n<td>Last Updated<\/td>\n<td>2010-06-30<\/td>\n<\/tr>\n<tr>\n<td>Comments<\/td>\n<td><\/td>\n<\/tr>\n<tr>\n<td>RESTful Link<\/td>\n<td><a href=\"http:\/\/whois.arin.net\/rest\/net\/NET-76-0-0-0-0\">http:\/\/whois.arin.net\/rest\/net\/NET-76-0-0-0-0<\/a><\/td>\n<\/tr>\n<tr>\n<td>See Also<\/td>\n<td>Related POC records.<\/td>\n<\/tr>\n<tr>\n<td>See Also<\/td>\n<td>Related organization&#8217;s POC records.<\/td>\n<\/tr>\n<tr>\n<td>See Also<\/td>\n<td>Related delegations.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/blockquote>\n<p>Notice that there is no parent listed, and the Net Type is &#8220;Allocated to ARIN&#8221;, so this is a top-level assignment made by IANA to ARIN. 
\u00a0The CIDR notation is 76\/8, meaning that this range covers 76.0.0.0 through 76.255.255.255, which includes the Time Warner allocation, 76.184\/14, which includes my IP address, 76.186.x.x\/32.<\/p>\n<p>Any IP address starting with &#8220;76&#8221; belongs to ARIN, servicing North America, so any 76.x.x.x IP address probably falls within North America.<\/p>\n<p>&nbsp;<\/p>\n<h3><span class=\"ez-toc-section\" id=\"routers\"><\/span>Routers<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>Routers &#8220;route&#8221; traffic on the internet by forwarding chunks of data, called packets, between network segments. \u00a0Routers look at the source and destination IP address of each packet, to determine where to send it next. \u00a0Often, packets are forwarded by several routers, to get from the source to the destination.<\/p>\n<p>IANA provides high-level network routing information based on allocation to the regional registries, who then provide specific routing information for each allocated netblock.<\/p>\n<p>Within a provider\u00a0or company&#8217;s network, an allocated netblock can be broken into multiple subnets, so it&#8217;s up to the provider or company holding the allocation to provide specific routing information for each IP address within the netblock.<\/p>\n<p>At a high level, every IP address on the internet needs to be able to communicate with every other IP address.<\/p>\n<p>The internet is composed of several large &#8220;backbone&#8221; internet providers that are connected to each other at multiple peering junctions. 
\u00a0Companies such as AT&amp;T, Verizon, and Cogent own these large backbone networks in North America and Europe, while in some countries, the internet &#8220;backbone&#8221; is owned by the government.<\/p>\n<p>Each router that services a peering junction between these backbones includes the high-level routes provided by ARIN and other registries, as well as more specific routing information about how to forward the packet within its own network.<\/p>\n<p>When sending data from your Playstation to one of Sony&#8217;s servers in a Sony data center, the traffic is routed from your house, to your neighborhood distribution point (Cable, DSL, and Fiber all use different technologies and topologies), to your regional distribution point, then on to your provider&#8217;s backbone, through a peering junction to Sony&#8217;s provider&#8217;s backbone, and then finally on to the Sony network, where it&#8217;s routed to the data center where Sony&#8217;s server is located. \u00a0The response packets follow the opposite path.<\/p>\n<p>&nbsp;<\/p>\n<h3><span class=\"ez-toc-section\" id=\"firewalls\"><\/span>Firewalls<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>Firewalls enforce &#8220;the rules of the road&#8221;, so to speak, to ensure that only public-facing services are accessible on the internet, and that they are accessed using the appropriate method.<\/p>\n<p>Firewalls block inappropriate or improper connections, based on a set of rules configured to allow traffic based on source IP address, destination IP address, connection endpoint (also called a TCP\/IP &#8220;port&#8221;), or other criteria.<\/p>\n<p>Specific services use specific well-known TCP\/IP ports (endpoints) based on a set of rules called RFCs (Requests for Comment), that allow multiple vendors and service providers to agree on a single standard, rather than have different standards for each vendor, provider, or region.<\/p>\n<p>Most data on the internet is transmitted using HyperText Transfer 
Protocol (HTTP), which encompasses HTML (formatted web pages) as well as raw XML data used to display web pages or transfer information between servers. \u00a0HTTP servers, when NOT using encryption, always listen on port 80, while encrypted HTTP servers always listen on port 443.<\/p>\n<p>A firewall sitting between the routers and the servers might have a rule to allow any source IP address, connecting on port 80 or 443, to the specific destination IP addresses (servers) that host public-facing services and content.<\/p>\n<p>&nbsp;<\/p>\n<h3><span class=\"ez-toc-section\" id=\"a-home-network-%e2%80%9crouter%e2%80%9d-is-a-firewall\"><\/span>A Home Network &#8220;Router&#8221; is a Firewall<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>Most people have what they call a &#8220;router&#8221; at their house, that allows multiple devices inside the home to share a single connection to their provider&#8217;s network, and ultimately access various services on the internet.<\/p>\n<p>These devices are actually firewalls!<\/p>\n<p>They perform Network Address Translation (NAT), allowing each device on the home network to &#8220;share&#8221; the public-facing, provider-assigned address to talk to various servers on the internet. \u00a0NAT maintains a list of who is talking to what, and ensures that return traffic sent FROM the internet servers is sent to the correct internal device on the home network.<\/p>\n<p>Home &#8220;routers&#8221; (firewalls) also maintain a list of rules about traffic flowing between the home network and the internet. \u00a0Usually by default, there is a single rule allowing outbound access for common services such as HTTP, and secure HTTP (HTTPS). \u00a0Some PC games and Voice over IP (VoIP) services require incoming connections, so most routers also allow advanced users to create additional rules for these types of services. 
\u00a0If you run a game server at your house, or you use an internet-based VoIP service, you may already have some of these additional rules configured on your router.<\/p>\n<p>For all practical purposes, you can think of a home network &#8220;router&#8221; as a one-way trapdoor, allowing PCs, game systems, and other devices on the home network to originate a connection to services on the internet, while preventing inbound connections originating from the internet from connecting to the home devices. \u00a0So you can connect to Google any time you want, but Google can never connect to you, because there is no rule on your router to allow it.<\/p>\n<p>&nbsp;<\/p>\n<h3><span class=\"ez-toc-section\" id=\"intrusion-detection-and-prevention-idsips\"><\/span>Intrusion Detection and Prevention (IDS\/IPS)<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>Most data centers, in addition to firewalls whose job is to regulate traffic, also employ Intrusion Detection Systems (IDS) and \/ or Intrusion Prevention Systems (IPS).<\/p>\n<p>The job of IDS\/IPS is to detect suspicious traffic and either alert (IDS) or stop it (IPS). \u00a0In the case of IPS, the traffic is simply dropped without a response to the sender.<\/p>\n<p>IDS\/IPS, in addition to signatures for specific types of malicious traffic, employ behavioral analysis to try to detect and stop malicious traffic. \u00a0For example, scanning (attempting to connect) for services on a server or across servers on the same subnet might trigger IPS to drop the traffic.<\/p>\n<p>In some cases, IPS can be configured to update a blacklist, which is a list of known, malicious IP addresses. 
\u00a0Network equipment that supports blacklisting can either read the blacklist directly, or, in some cases, the IPS can trigger a script that updates routers and firewalls to explicitly deny traffic from these sources.<\/p>\n<p>IDS\/IPS is like airport security, which scans all of the traffic, and only allows traffic to pass if it doesn&#8217;t contain any obviously malicious content, and conforms to appropriate access rules.<\/p>\n<p>&nbsp;<\/p>\n<h3><span class=\"ez-toc-section\" id=\"network-connections\"><\/span>Network Connections<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>A network connection usually uses Transmission Control Protocol (TCP).<\/p>\n<p>A TCP connection is established via the following sequence:<\/p>\n<ol>\n<li>Client sends <span style=\"text-decoration: underline;\"><strong>SYN<\/strong><\/span> (&#8220;synchronize&#8221;) packet, initiating the connection, and requesting that the server &#8220;synchronize&#8221; by sending an ACK (&#8220;acknowledgement&#8221;) packet.<\/li>\n<li>Server sends <span style=\"text-decoration: underline;\"><strong>SYN-ACK<\/strong><\/span> (&#8220;synchronize&#8221; plus &#8220;acknowledgement&#8221;) packet, acknowledging the client SYN, and requesting an ACK.<\/li>\n<li>Client sends an <span style=\"text-decoration: underline;\"><strong>ACK<\/strong><\/span> packet, responding to the server&#8217;s SYN.<\/li>\n<\/ol>\n<p>This is known as the &#8220;three-way handshake&#8221;, establishing the TCP connection.<\/p>\n<p>Once the connection is established, the server expects the client to send a request, and the server will respond, sending some data back to the client.<\/p>\n<p>In reality, as long as the server and client agree on the data format, data and \/ or instructions can be sent in either direction!<\/p>\n<p>Let&#8217;s consider the following scenario:<\/p>\n<ul>\n<li>Client initiates a connection<\/li>\n<li>Client reads a command (message) queue from the server<\/li>\n<li>Client executes 
instructions<\/li>\n<\/ul>\n<p>This is functionally equivalent to the server initiating a connection, but respects home network firewall rules.<\/p>\n<p>&nbsp;<\/p>\n<h3><span class=\"ez-toc-section\" id=\"connections-vs-sessions\"><\/span>Connections vs.\u00a0Sessions<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>A &#8220;connection&#8221; is the function of a network. \u00a0Two systems connect to each other on a network, to pass some data back and forth.<\/p>\n<p>A &#8220;session&#8221; is the specific environment created for you, when you connect to a server. \u00a0Keep in mind that when you connect to a server, you connect to a well-known endpoint, such as HTTP (port 80) or HTTPS (port 443). \u00a0When a server receives a new connection, it creates a session for that connection, and maps the client IP address to that session. \u00a0There are some additional mechanics that allow multiple PCs or game consoles to connect to the same server at the same time from ONE shared IP address, but let&#8217;s keep things simple.<\/p>\n<p>Sessions usually start by asking you to log in &#8211; if you have Yahoo or Google mail, you usually have to log in at the start of the\u00a0<em>session<\/em> before you read your e-mail. \u00a0After you log in, the session maintains your status, such as whether you&#8217;re online, busy, or idle, as well as what game you&#8217;re playing.<\/p>\n<p>When your friends get an alert, invite you to a lobby, or send you a message, this is all handled through your server session.<\/p>\n<p>Remembering that home networks deny incoming connections, when you invite your friend to a lobby or send him a message, this is all handled on the server side! \u00a0Your friend&#8217;s game console can&#8217;t connect directly to your game console. \u00a0Each server session maintains a message queue, and the game console polls its message queue. 
\u00a0When you send your friend a message, the servers within the network communicate with each other, and your message gets delivered almost instantly to your friend&#8217;s message queue. \u00a0Your friend&#8217;s console, which is maintaining a connection from his house, reads the message queue maintained by its server session and pops up a message for him.<\/p>\n<p>&nbsp;<\/p>\n<h3><span class=\"ez-toc-section\" id=\"load-balancing-app-delivery\"><\/span>Load Balancing \/ App Delivery<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>Each server session requires a little bit of memory and other server resources, meaning there is a limit to the number of sessions per server.<\/p>\n<p>Global services such as PSN and XBL require many, many servers, because they support millions of concurrent connections.<\/p>\n<p>Mapping every new user to a specific server would quickly become unmanageable! \u00a0How do they do it?<\/p>\n<p>Load balancing, also known as Application Delivery, accepts the incoming network connection, and then routes a second, internal connection to one of several servers that are configured in a &#8220;pool&#8221;. \u00a0The load balancer uses one of several algorithms to determine the least-busy server, the server with the fewest connections, or perhaps &#8220;round-robin&#8221;, where each new connection goes to the next server in sequence.<\/p>\n<p>Once the connection is established, the server creates a session, and the load balancer maintains &#8220;session persistence&#8221;, sending all subsequent requests from your console to the exact same server, so that your session can be maintained on one server. \u00a0If you got routed to a different server each time, you&#8217;d have several sessions across several servers! 
\u00a0Message queuing definitely would NOT work correctly!<\/p>\n<p>Load balancing allows a large number of network connections to be serviced by multiple servers that each host a group of sessions &#8211; a portion of the total number of sessions.<\/p>\n<p>&nbsp;<\/p>\n<h3><span class=\"ez-toc-section\" id=\"high-availability-and-redundancy\"><\/span>High Availability and Redundancy<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>In addition to allowing multiple servers to act as &#8220;one big&#8221; server, load balancing also provides high availability and redundancy.<\/p>\n<p>High availability means that if one server fails, the load balancer automatically routes your connection to another server. \u00a0If the application has been designed correctly, the new server reads your session information into memory, and maintains your session from that point until you log out, ending the session.<\/p>\n<p>Load balancers also allow for redundancy, which is the flip side of high availability. \u00a0Redundancy means excess capacity that is configured and ready, in the event of a failure. \u00a0Most load balancers are explicitly redundant! \u00a0A pair of load balancer devices act as a single device, providing 100% redundancy if one of the two load balancers fails. \u00a0Some redundancy schemes include having excess capacity incorporated into the main server &#8220;pool&#8221;, or having a separate &#8220;overflow&#8221; pool available if something fails.<\/p>\n<p>Load balancing comes in two flavors: \u00a0Global Server Load Balancing (GSLB), and Local Traffic Management (LTM). \u00a0Various load balancer vendors may refer to these using slightly different terms, but the concepts are consistent. \u00a0GSLB allows traffic to be routed to multiple data centers (active-active) or to provide data center failover (active-passive). 
\u00a0LTM allows traffic to be routed to multiple servers within a data center (active-active), or to provide server failover (active-passive).<\/p>\n<p>Designed correctly, YOU CAN HAVE AN ENTIRE DATA CENTER FAIL, plus some of your servers in the OTHER data center, and STILL not have any down time.<\/p>\n<p>&nbsp;<\/p>\n<h3><span class=\"ez-toc-section\" id=\"summary-%e2%80%93-global-distributed-services\"><\/span>Summary &#8211; Global, Distributed Services<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>When you fire up your game console, it originates a connection via your home &#8220;router&#8221; (firewall) that allows the traffic to be sent to the internet. \u00a0Internet routers forward your traffic to your appropriate regional PSN or XBL data center based on domain name, and its associated regional IP addresses. \u00a0Services such as PSN and XBL then use firewalls, IDS \/ IPS, and load balancing to ensure that your connection is legitimate, remove malicious connections, and route your connection to a specific server. 
\u00a0When you log in, messages and invites from your friends get routed to your server, and your console reads them from the server using its connection.<\/p>\n<p>Load balancing provides high availability in the event of failures, upgrades, or other environmental or technical problems.<\/p>\n<p>&nbsp;<\/p>\n<p>&nbsp;<\/p>\n<h2><span class=\"ez-toc-section\" id=\"dos-and-ddos-attacks\"><\/span>DoS and DDoS Attacks<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks are designed to overload a network with multiple bogus connections, or server farms with multiple bogus sessions, in order to prevent or &#8220;deny&#8221; legitimate consumer traffic, or choke out legitimate user sessions due to lack of resources.<\/p>\n<p>Let&#8217;s look at how this is done.<\/p>\n<p>&nbsp;<\/p>\n<h3><span class=\"ez-toc-section\" id=\"what-is-a-denial-of-service-dos-attack\"><\/span>What is a Denial of Service (DoS) attack?<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>Denial of Service (DoS) means that a legitimate consumer can&#8217;t access the services in question. \u00a0A DoS attack is designed to prevent legitimate access by overloading the network or server resources used to host the service in question.<\/p>\n<p>&nbsp;<\/p>\n<h3><span class=\"ez-toc-section\" id=\"anatomy-of-a-dos-attack\"><\/span>Anatomy of a DoS Attack<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>Denial of Service is achieved by overloading network and server resources.<\/p>\n<p>Network components, such as firewalls and routers, require a tiny amount of information for each unique connection. 
\u00a0This information is maintained in a connection table, and the size of the connection table is limited by the memory available to the device.<\/p>\n<p>Every bogus connection consumes valuable router, firewall, and server resources, leaving fewer resources available for legitimate connections.<\/p>\n<p>Each connection uses memory, and moving memory blocks requires CPU resources. \u00a0Thus, spamming a router or firewall with thousands or millions of bogus connections chews up resources, preventing legitimate connections from being established.<\/p>\n<p>The earliest attacks were &#8220;SYN&#8221; attacks, consisting of sending multiple, random SYN packets that appear to originate from random source IP addresses. \u00a0On older firewalls, this results in a connection being allocated in memory, and a SYN-ACK packet is sent to the fake source IP address, which has no idea what is going on!\u00a0 Meanwhile, the firewall waits for a response &#8220;ACK&#8221; packet, allocating extra resources for the fake connection until it times out.<\/p>\n<p>Firewall vendors responded with a configurable SYN timeout that flushes half-open connections more rapidly.<\/p>\n<p>Later, &#8220;Distributed&#8221; Denial of Service (DDoS) attacks consisted of an attacker controlling multiple intermediary &#8220;zombies&#8221; (PCs that had been previously compromised), each of which spams the firewall with thousands of fake SYN packets that all appear to originate from random parts of the internet.\u00a0 No matter how fast the older firewalls could flush half-open connections, the aggregate effect was the same &#8211; legitimate connections would be choked out, and the distributed nature of the attack meant that an attacker could actually use up the victim&#8217;s internet bandwidth.<\/p>\n<p>Modern firewalls block SYN attacks by using a &#8220;quarantine&#8221; memory area that limits the number of incomplete connections. 
\u00a0As new &#8220;SYN&#8221; packets are received, memory within the SYN quarantine area is reallocated, dropping the oldest requests. \u00a0Once a valid ACK packet is received from the client, the connection is moved from the SYN quarantine area to the main connection table. \u00a0This prevents thousands or millions of &#8220;spam&#8221; SYN packets from disrupting valid, established connections by chewing up resources. \u00a0Only &#8220;complete&#8221; connections get moved to the &#8220;valid&#8221; (&#8220;established&#8221;) connection table.<\/p>\n<p>From a bandwidth standpoint, having multiple internet circuits prevents a single circuit from becoming saturated.<\/p>\n<p>Modern, sophisticated denial attacks use zombie networks to make &#8220;real&#8221;, established connections, and then spam the server with bogus, but legitimate-looking, requests.<\/p>\n<p>Routing rules in the application delivery tier (load balancing tier) route certain types of requests to specific server pools based on content or formatting.\u00a0 For example, a game console might send an XML-formatted request, while a PC or mobile handset might send an HTML-formatted request.\u00a0 Further, the mobile request is probably looking for mobile-formatted content.\u00a0 App delivery might route each of these three types of requests to a separate server pool.<\/p>\n<p>Because of the app delivery tier, an effective DDoS attack has to have some valid data and formatting.<\/p>\n<p>The downside for the attacker is that each attacking node (&#8220;zombie&#8221;) also has to maintain a legitimate network connection, unlike SYN attacks, which appear to originate from random addresses. \u00a0This allows the victim to manually identify and block the attack one node at a time &#8211; a time-consuming and effort-intensive process.<\/p>\n<p>&nbsp;<\/p>\n<h3><span class=\"ez-toc-section\" id=\"the-big-picture\"><\/span>The Big Picture<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>DoS and DDoS attacks use large networks of 
zombie PCs to generate millions of fake requests, to completely consume firewall connections and server resources, thus &#8220;denying&#8221; legitimate traffic.<\/p>\n<p>&nbsp;<\/p>\n<p>&nbsp;<\/p>\n<h2><span class=\"ez-toc-section\" id=\"architecture-for-preventing-ddos-attacks\"><\/span>Architecture for Preventing DDoS Attacks<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>At a high level, differentiating traffic by geographic and logical source based on IP address, across multiple pipes, allows the app delivery tier to effectively route legitimate traffic, while defining rules preventing traffic from crossing to other pipes or server pools.<\/p>\n<p>&nbsp;<\/p>\n<h3><span class=\"ez-toc-section\" id=\"step-1-use-source-based-access-policies-to-region-lock-connections\"><\/span>Step 1:\u00a0 Use Source-Based Access Policies to Region-Lock Connections<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>Zombie farms (large networks of compromised PCs) often exist across regional boundaries.\u00a0 Often PCs from Eastern Europe and Asia are compromised, because they have fewer protections than PCs in North America.<\/p>\n<p>By creating regional source-based access policies, traffic originating from RIPE or APNIC regions is prevented from reaching the ARIN region.\u00a0 Further, traffic from RIPE or APNIC can&#8217;t be used to DDoS each other.<\/p>\n<p>&nbsp;<\/p>\n<h3><span class=\"ez-toc-section\" id=\"step-2-maintain-multiple-network-connections\"><\/span>Step 2: Maintain Multiple Network Connections<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>From a logical standpoint, direct access to your data center is facilitated by direct connections from the major providers:<\/p>\n<ul>\n<li>AT&amp;T<\/li>\n<li>Verizon<\/li>\n<li>Time Warner<\/li>\n<\/ul>\n<p>For a service provided almost exclusively to home networks, these three companies service over 90% of your connections in the US.<\/p>\n<p>Starting with multiple independent connections gives you the 
advantage over an attacker, who then has to launch multiple attacks using sources on multiple networks, rather than overrunning a single connection with a single attack that draws sources from multiple networks.\u00a0 At best, an attacker with a mass of zombies on one provider&#8217;s network can ONLY clog that one pipe.<\/p>\n<p>Again, source-based access control policies, either at the router or the firewall, prevent an attacker from crossing network boundaries to execute an attack.<\/p>\n<p>&nbsp;<\/p>\n<h3><span class=\"ez-toc-section\" id=\"step-3-use-multiple-firewall-interfaces-with-source-based-routing\"><\/span>Step 3:\u00a0 Use Multiple Firewall Interfaces with Source-Based Routing<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>Source-based routing policies look at the source IP address, and use a specific interface to transmit the traffic to the next device.<\/p>\n<p>With modern, high-speed networks, information is transmitted at 1 gigabit per second (1 Gbps) or even 10 gigabits per second (10 Gbps), which is significantly faster than most internet links.\u00a0 In theory, the aggregate bandwidth between two devices can be increased by grouping multiple interfaces together; in practice, because each interface can carry all of the traffic on its own if needed, the otherwise unneeded interfaces can instead be used to split traffic by source address range.\u00a0 If an attack comes in from a certain range of addresses, it shows up as increased traffic on one particular interface, making it less likely that an attacker can overrun the whole device, and allowing administrators to quickly detect and stop the attack.<\/p>\n<p>Source-based routing can be further used to split traffic into multiple connections between the firewall and the app delivery tier.<\/p>\n<p>&nbsp;<\/p>\n<h3><span class=\"ez-toc-section\" id=\"step-4-use-multiple-server-pools\"><\/span>Step 4:\u00a0 Use Multiple Server Pools<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>Using advanced 
virtualization techniques, capacity can be dynamically allocated between pools.<\/p>\n<p>Rather than having two or three large pools, use the app delivery tier to further dissect the traffic into, perhaps, twenty smaller pools, each of which has resources added dynamically based on load.\u00a0 If one pool becomes overloaded, the other pools are not affected.<\/p>\n<p>&nbsp;<\/p>\n<h3><span class=\"ez-toc-section\" id=\"step-5-design-application-architecture-to-use-session-quarantining\"><\/span>Step 5:\u00a0 Design Application Architecture to Use Session Quarantining<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>Just as firewalls use connection quarantines to prevent SYN attacks, applications should shunt &#8220;young&#8221; sessions to a quarantine session pool until they are proven.<\/p>\n<p>DDoS attacks are not structured to perform complex transactions.\u00a0 Therefore, applications should be structured to quarantine sessions that have not been fully vetted.\u00a0 Once some &#8220;complexity&#8221; metric has been satisfied, the connection can be moved from the smaller quarantine session pool to a trusted session pool.\u00a0 If the quarantine pool gets overrun, the server can start recycling connections without affecting the larger, trusted pool.<\/p>\n<p>&nbsp;<\/p>\n<h3><span class=\"ez-toc-section\" id=\"conclusion\"><\/span>Conclusion<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>By splitting traffic into as many paths as possible, and maintaining source-based access policies, an attacker is prevented from using globally distributed resources to overrun a single connection.<\/p>\n<p>Application connection pools should be configured to marginally trust &#8220;young&#8221; connections, and once vetted, transfer the connection to a trusted connection pool.<\/p>\n<p>If an attacker overruns a single connection, or a quarantine connection or session pool, the rest of the network continues to function, 
unaffected.<\/p>\n<p>&nbsp;<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Denial of Service (DoS) attacks took down both Sony&#8217;s Playstation Network (PSN) and Microsoft&#8217;s XBox Live (XBL) on Christmas day &#8211; turning the joy of Christmas in to frustration and disappointment for anyone who received a new game for Christmas.\u00a0 As of 12\/26, XBox was largely restored, while Playstation was still at least partially offline, [&hellip;]<\/p>\n","protected":false},"author":16,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[7],"tags":[],"class_list":["post-1475","post","type-post","status-publish","format-standard","hentry","category-analyses-and-responses"],"_links":{"self":[{"href":"https:\/\/justinparrtech.com\/JustinParr-Tech\/wp-json\/wp\/v2\/posts\/1475","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/justinparrtech.com\/JustinParr-Tech\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/justinparrtech.com\/JustinParr-Tech\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/justinparrtech.com\/JustinParr-Tech\/wp-json\/wp\/v2\/users\/16"}],"replies":[{"embeddable":true,"href":"https:\/\/justinparrtech.com\/JustinParr-Tech\/wp-json\/wp\/v2\/comments?post=1475"}],"version-history":[{"count":10,"href":"https:\/\/justinparrtech.com\/JustinParr-Tech\/wp-json\/wp\/v2\/posts\/1475\/revisions"}],"predecessor-version":[{"id":1544,"href":"https:\/\/justinparrtech.com\/JustinParr-Tech\/wp-json\/wp\/v2\/posts\/1475\/revisions\/1544"}],"wp:attachment":[{"href":"https:\/\/justinparrtech.com\/JustinParr-Tech\/wp-json\/wp\/v2\/media?parent=1475"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/justinparrtech.com\/JustinParr-Tech\/wp-json\/wp\/v2\/categories?post=1475"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/justinparrtech.com\/JustinParr-Tech\/wp-json\/wp\/v2\/tags?p
ost=1475"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}