The bottleneck with SFTP / SCP / SSH is usually the server software - SSH can multiplex streams, so it implements its own TCP-style sliding windows for channel data. Unfortunately OpenSSH and similar server implementations suffer from the exact same problems that TCP did, where the windows don't scale up to modern connection speeds, so the maximum data in-flight quickly gets limited at higher BDPs.
HPN-SSH[1] resolves this but isn't widely deployed.
OP mentions using "Cat 7" cables - please don't buy these. Cat 7 isn't something that exists in TIA/EIA standards, only in ISO/IEC and it requires GG45 or TERA connectors. Cat 7 with RJ45 connectors isn't standardized, so you have no idea what you're actually getting. Stick with pure copper Cat 6A.
Absolutely agreeing with you but replying to you instead of multiple others below with my views on this.
Cat6A can do 10Gbps at 100m. Cat7 and Cat8 can do higher speeds in short runs but those technologies are DEAD in DC tech now. 40G is legacy tech using four lanes of 10G, replaced by 100G which is four lanes of 25G. Copper patch cables are not used with these, everything is fiber or DAC.
If you use a Cat7 or Cat8 cable the higher MHz support listed on the spec will never be used. When using a real cable of these qualities all you are really getting is better protection from outside interference.
When buying premade patch cables only buy Cat6A. Anything you see online saying Cat7 or Cat8 has probably never been properly tested by the manufacturer.
When buying a spool of wire do your research on the manufacturer. There's plenty with false labels out there. I once saw a spool of 'Cat6e' which is not a real standard.
When paying others to run cables find out what brand and what warranty the installer is providing. If they only use Cat7 and cannot provide a good explanation on why, they might not actually know as much as you should be expecting them to.
Cat 7 with RJ45 sockets is standardized, which is ideal for running it in walls. Sure, you don't want to use it for patch cables, but over long runs in walls it's a great solution, especially due to the better shielding of Cat 7.
> so you have no idea what you're actually getting
As Cat 7 is only sold by the meter on a roll, you know just as much what you're getting as with Cat 6A, spec-compliant network cables.
OP here, I looked into it. For legal reasons I will neither confirm nor deny any marketing claims here and let the experts decide. I will merely list the equipment I bought. [0] [1] [2] [3]
One copy of each would run you around 75-85 euros in total by my napkin math. Sticking with standard CAT 6A would have probably been 10-15 euros cheaper, and since I'm only aiming for 1 Gbps, not 10, I might have been able to get away with CAT 5e, even.
I suspect that the additional hours of time I would have had to spend actually doing my research here to make a fully informed purchase would have made this a slightly net negative decision financially. But that's mostly because of the small size and modest needs of the network I was wiring up. If I were wiring up anything that scaled beyond my own apartment it would have been valuable to know this, so thank you, my career will go better as a result of this correction.
So everything I say in this comment is unlikely to have any real impact if you were to replace the cables and retest, but I'm saying it for educational purposes. The reason the specs are strict is not because it cannot be done on less but because the acceptable margins for error and risk are lower in non consumer settings.
That switch does have metal around the ports but I could not find any indication in a datasheet that it is designed to accept shielded cables. I also don't know what other devices you are connecting to the switch. Proper usage of shielded twisted pair needs the shielding to make contact to ground on both sides of the cable. I was taught years ago that using a shielded cable with neither side grounded or just one side grounded had the potential to turn the shielding into an antenna and make interference worse than with an unshielded twisted pair cable.
The flat cable is concerning. Flat cables are not part of any twisted pair spec. There tend to be two kinds of flat ethernet cables. The first being completely flat with no twisted pairs at all and the second kind having each pair twisted around each other but then the four pairs are parallel in the flatter sheathing. The second kind is better and from the pictures that cable might be the second kind. However 33 meters is very long for a flat cable. Ideally you shouldn't use them but if you have to, keeping them very short like under 2 meters is ok.
The pages for the other two cables never even show the cables but what looks like 3d renderings. I personally do not like that and it makes me think less of the vendors. I doubt any of the three cables would pass a full qualification test for Cat7 but they are probably completely indistinguishable from qualified Cat5e (since you are only using 1g) unless you are using them next to high voltage power conduits or next to a high power broadcast antenna. This just comes down to "Cat7 consumer products are a marketing scam."
Yes, that's standardized but is only rated for up to 30 meters at the higher speeds you get from it, so it's not very useful outside of server room / data center applications and you probably want to be using fiber at that point.
For what it's worth, I recently bought a spool of CAT7 cable and a bunch of RJ45 connectors and made my own cables that perform well and reliably. I don't know if this was wise in the end but I was able to get what I needed out of it.
Cloudflare will actually slow down TTFB for small, less popular sites since they don't maintain a keepalive connection to the origin. This means you pay an additional TCP/TLS setup cost from the Cloudflare POP to the origin which is worse than a direct connection. I also tried testing a smart-placed worker and cloudflared, neither of which seemed to help.
Ironically the AI crawlers I do want to block - the million-IP-strong residential botnets that fake their user agents - Cloudflare doesn't detect at all.
As an operator, I have questions about this; I also have very good metrics. I see a lot of what looks like what has traditionally been SYN reflection attacks. I have solid metrics and TTPs, which I'm willing to share TLP:RED and possibly discuss TLP:YELLOW.
I'd like to see some metrics which compare proven bot activity vs SYN reflection against the same infrastructure.
You’re saying that Cloudflare’s capabilities are wildly overstated? Apostasy. In this forum, nothing ill must be said about their lame technology. You are only allowed to make vague complaints about their role in society.
Residential proxy botnets have exploded since LLMs became a thing. The amount of DDoS-level scraping we receive from residential IPs has exploded over the last year; one of our sites that typically sees around 10k unique IPs per day jumped to over 2M before we were able to deploy appropriate mitigations. We originally started blocking the IPs, but then we ended up blocking legitimate users as they seem to specifically use ISPs that have very dynamic IPs (i.e. the customer's IP will change even if their router stays on 24/7).
At first they were easily detectable using HTTP header analysis - e.g. pretending to be Chrome but not sending the headers that Chrome always sends. Now it's a combination of TLS / HTTP protocol level analysis and application layer - e.g. we send a cookie on the user's "normal" page view and check it exists on the higher-resource usage pages they might later visit - the bots don't care about normal viewing patterns and try to hit the higher-resource pages on their first visit, so they get blocked.
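As an added illustration (not code from the commenter or their site), a minimal request classifier that applies the two heuristics described above: a User-Agent claiming Chrome without the headers Chrome always sends, and an expensive page requested before any "normal" page view set the cookie. The expected-header list, the expensive path prefixes and the cookie name are assumptions for illustration.

```python
from typing import Mapping

# Headers current Chrome sends on navigations (assumed list for illustration);
# a User-Agent claiming Chrome without them is inconsistent with that claim.
CHROME_EXPECTED_HEADERS = ("sec-ch-ua", "sec-fetch-site", "sec-fetch-mode", "accept-language")

# Expensive-to-render paths (assumed); a genuine visitor reaches these only after
# a "normal" page view, which is where SEEN_COOKIE gets set.
EXPENSIVE_PREFIXES = ("/search", "/export")
SEEN_COOKIE = "seen"  # assumed cookie name


def parse_cookies(header_value: str) -> dict:
    """Parse a Cookie header into a dict; malformed fragments are ignored."""
    out = {}
    for part in header_value.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep and name:
            out[name] = value
    return out


def classify_request(path: str, headers: Mapping[str, str]) -> str:
    """Return "allow" or a short block reason for one request."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    ua = h.get("user-agent", "")
    # Heuristic 1: claims Chrome but lacks headers Chrome always sends.
    if "Chrome/" in ua:
        missing = [n for n in CHROME_EXPECTED_HEADERS if n not in h]
        if missing:
            return "block: claims Chrome but lacks " + ",".join(missing)
    # Heuristic 2: expensive page requested before any normal page view.
    if path.startswith(EXPENSIVE_PREFIXES):
        if SEEN_COOKIE not in parse_cookies(h.get("cookie", "")):
            return "block: expensive page on first visit"
    return "allow"


# Constructed sample traffic: one browser-like request and two scraper patterns.
CHROME_UA = "Mozilla/5.0 (X11; Linux x86_64) Chrome/120.0.0.0 Safari/537.36"
FULL_CHROME = {"User-Agent": CHROME_UA, "Sec-CH-UA": '"Chromium";v="120"',
               "Sec-Fetch-Site": "none", "Sec-Fetch-Mode": "navigate",
               "Accept-Language": "en-US,en;q=0.9"}

if __name__ == "__main__":
    print(classify_request("/article/42", FULL_CHROME))                          # allow
    print(classify_request("/article/42", {"User-Agent": CHROME_UA}))            # block
    print(classify_request("/search?q=x", {**FULL_CHROME, "Cookie": "seen=1"}))  # allow
    print(classify_request("/search?q=x", FULL_CHROME))                          # block
```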
This is the same direction that Microsoft is taking Windows. Smart App Control is already rolling out to some regions - no .exe will run without a code signing certificate.
It requires a code signing certificate from one of the trusted central authorities, and generally as an individual you must have your legal name on the code signing certificate. It's not pseudonymous.
I really wish Microsoft made it cheaper to get a certificate. With Apple you pay $100 a year for any number of certs. Last I looked into it a cert for a single Windows app costs $400+ per year and requires a hardware token.
The setup is the most insane stupid stuff I've dealt with in a while. I am currently waiting for them to agree that my DUNS number is real, and they made me remove the WHOIS privacy from my domain name to verify that my address is associated with it. The billing receipts from my host were insufficient for reasons they couldn't explain. Had to upgrade to the $30/mo and then the $100/mo support plan just to speak to someone and it's been 4 weeks without movement. But hopefully it will be worth it in the end, the EV certs are crazy expensive and don't even remove smartscreen warnings anymore.
Ugh, sorry to hear that, yeah the whole setup process is just so insanely frustrating. I'm really dreading having to re-validate my identity documents once they expire.
For what it's worth, in my experience it was even worse with EV certs though - all the same steps including removing WHOIS privacy, plus some extra ones like voice phone number validation that had to be repeated every single year.
And then there were extra WTFs with the EV cert expiration being 365 days after an issue date which is several days before you actually receive the hardware token. Or one year they sent the hardware token fairly promptly, but forgot to send the password needed to use it, and it took a week to get a response from support etc. Then again, Azure Trusted Signing has similar ridiculousness with billing being based on calendar months, with no proration for your first month even if you started at the end of the month... I mean it's just $10 but it really adds insult to injury after that signup gauntlet.
Anyway, I've heard that if your Azure Trusted Signing process gets stuck in limbo, it can be best to submit a different document, but I'm not sure if there's any alternative permitted for the DUNS step. That's especially annoying because trying to update outdated info with Dun & Bradstreet is problematic in my experience, i.e. their web forms just plain did not function properly.
Yeah I was with Comodo before and it's like you said. I thought Azure signing was going to be a breeze because I've had my Azure account for years. I submitted with both EIN and DUNS and then they said I can't submit any more validation requests for this "property", so that's why I went the $100/mo support plan to get a human somewhere to click a button and approve this thing.
Loss-based TCP congestion control and especially slow start are a relic from the 80s when the internet was a few dialup links and collapsed due to retransmissions. If an ISP's links can't handle a 50 KB burst of traffic then they need to upgrade them. Expecting congestion should be an exception, not the default.
Disabling slow start and using BBR congestion control (which doesn't rely on packet loss as a congestion signal) makes a world of difference for TCP throughput.
Slow start could be a great motivator for battling website obesity though. If we could give people an easy win here (get your page size down to 300 kb and it will load in one roundtrip), I think more frontend devs would be thinking about it. (Not much more, though – most still won’t care, probably.)
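As an added model (not from either commenter), how classic slow start gates the bytes a sender can push per round trip, so the page-size-versus-RTT trade-off discussed in the two comments above can be checked for any initial window. It assumes an initial congestion window of 10 segments of 1460 bytes, doubling each round trip, and ignores the handshake, headers and ACK timing.

```python
def bytes_per_rtt(initcwnd_segments: int = 10, mss: int = 1460, rtts: int = 6) -> list:
    """Cumulative payload bytes delivered after each round trip under classic
    slow start: cwnd starts at initcwnd and doubles every RTT (assumed model)."""
    cwnd, delivered, out = initcwnd_segments, 0, []
    for _ in range(rtts):
        delivered += cwnd * mss
        out.append(delivered)
        cwnd *= 2
    return out


def rtts_to_deliver(size_bytes: int, initcwnd_segments: int = 10, mss: int = 1460) -> int:
    """Round trips slow start needs to deliver size_bytes (1 = fits in the
    initial window, so a larger initcwnd is what makes 'one round trip' possible)."""
    cwnd, delivered, rtts = initcwnd_segments, 0, 0
    while delivered < size_bytes:
        delivered += cwnd * mss
        cwnd *= 2
        rtts += 1
    return rtts


if __name__ == "__main__":
    # Constructed cases: the 50 KB burst and the 300 kB page from the thread.
    print(bytes_per_rtt(rtts=5))          # [14600, 43800, 102200, 219000, 452600]
    print(rtts_to_deliver(50_000))        # 3
    print(rtts_to_deliver(300_000))       # 5
    print(rtts_to_deliver(300_000, initcwnd_segments=206))  # 1
```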
How did you deal with the length of the USB and display cables? I thought after 5m or so things would start falling apart. Are there active extenders and can they handle 240+ Hz?
Yes, Monoprice sells a brand called "SlimRun" which actually converts the signal to fiber optic and can handle 100ft runs for USB, DisplayPort, and HDMI. They are pricey but they work.
I haven't tried 240Hz, but I have successfully run 7680x2160 wide screen at 120Hz (using HDMI), and 4k144Hz (using DisplayPort).
This can also happen with IP addresses. We recently moved one of our sites to a new IP and got a trickle of complaints about it being inaccessible from various authoritarian countries. After some digging, the new IP was used as a Tor bridge (not even an exit node) over _ten years ago_. I gave up any hope of fixing that and just ordered a different IP address.
[1] https://www.psc.edu/hpn-ssh-home/