2010 Jun 12 - Sat
Real Time Black Holing (RTBH)
Here are some notes to self regarding real time blackholing configurations for dropping / analyzing
packets that 'do not belong'.
From the c-nsp list, RTBH commonly used next hops are RFC based Test Networks:
- IPv4 RFC3330 192.0.2.0/24
- IPv6 RFC5156 2001:db8::/32
[/Networks]
permanent link
2009 Dec 06 - Sun
ToS/DSCP Cheat Sheet
On the Flow-Tools email list, Craig Weinhold published a cheat sheet for how to treat IP Packet ToS (Type of Service) bits:
**** Pre-1998
The IPv4 ToS byte was part of the original 1981 definition of Internet Protocol
in RFC 791, which specified a 3-bit precedence value and 3-bits of ToS attributes.
In the tables below, "tos" values refer to the entire byte.
In 1992, RFC 1349 added a fourth ToS attribute.
0x80 0x40 0x20 0x10 0x08 0x04 0x02 0x01
+-----+-----+-----+-----+-----+-----+-----+-----+
| PRECEDENCE | TOS attributes | - |
+-----+-----+-----+-----+-----+-----+-----+-----+
PRECEDENCE TOS attributes
name dec tos bin name dec tos bin
network 7 224 111 min-delay 8 16 1000
internet 6 192 110 max-throughput 4 8 0100
critical 5 160 101 max-reliability 2 4 0010
flash-override 4 128 100 min-monetary-cost 1 2 0001
flash 3 96 011 normal 0 0 0000
immediate 2 64 010
priority 1 32 001
routine 0 0 000
**** Post-1998
RFC 2474 reworked the ToS as a 6-bit Differentiated Services Code Point (DSCP)
and, soon after, RFC 3168 allocated the lowest two bits for
Error Congestion Notification (ECN,
an IP analogy of frame-relay FECN and ATM EFCI).
0x80 0x40 0x20 0x10 0x08 0x04 0x02 0x01
+-----+-----+-----+-----+-----+-----+-----+-----+
| DSCP | ECN |
+-----+-----+-----+-----+-----+-----+-----+-----+
DSCP
name dec tos binary name dec tos binary
AF11 10 40 001010 CS1 8 32 001000
AF12 12 48 001100 CS2 16 64 010000
AF13 14 56 001110 CS3 24 96 011000
AF21 18 72 010010 CS4 32 128 100000
AF22 20 80 010100 CS5 40 160 101000
AF23 22 88 010110 CS6 48 192 110000
AF31 26 104 011010 CS7 56 224 111000
AF32 28 112 011100 EF 46 184 101110
AF33 30 120 011110 default 0 0 000000
AF41 34 136 100010
AF42 36 144 100100 AF = assured forwarding
AF43 38 152 100110 EF = expedited forwarding
CS = class selector
ECN (unrelated to QoS)
00 Not-ECT Not ECN-Capable Transport
01 ECT(0) ECN-Capable Transport
10 ECT(1) ECN-Capable Transport
11 CE Congestion Experienced
**** Notes on interpreting the ToS byte
The two definitions are complimentary for the upper 3-bits. This is good,
since those three bits are often copied to/from the 3-bit
class-of-service (CoS) field of layer-2 802.1p frames and
the 3-bit experimental (EXP) field of MPLS frames.
Bits 3-5, however, are fairly incompatible..
Thus, it's important not to oversimplify precedence/DSCP as a simple pecking order. In reality, each unique precedence/DSCP value conveys a packet's requirements for throughput, latency, and packet loss, three traits that are somewhat at odds with each other. And, any value can be assigned to any organizationally-unique purposes. For example,
- Packets with precedence 5 and/or DSCP EF are often serviced by priority queues, so they may delay packets with higher precedence/DSCP values.
- Within each AF level (e.g., AF2x includes AF21, AF22, and AF23), the higher values indicate a higher tolerance to packet loss. I.e., a congested interface should drop AF22 packets earlier than AF21 packets. In Cisco IOS, this behavior is implemented with DiffServ-complaint WRED ('random-detect dscp' on a class-map).
- Any DSCP value under CS6 can be assigned for any organizationally-unique use. For example, Precedence 1/DSCP CS1 is often assigned for use as a less-than-best-effort class called scavenger. To successfully implement the scavenger class, all network devices must agree to treat CS1 traffic worse than Precedence 0/DSCP default.
ECN (RFC 3168) is an emerging issue for traditional netflow collection
and processing. The jist of ECN is that an intermediary router can,
after sensing congestion, change the lower two bits of ToS to indicate
congestion so that the hosts can slow themselves down. It's a L3
implementation of frame-relay FECN, essentially. Unfortunately, since
the ToS field changes packet-to-packet and hop-to-hop, it also disrupts
the traditional netflow 7-tuplet key (protocol, src/dst IP, src/dst port,
ToS, input interface).
If you can, exclude ToS as a flow key on your netflow sources. Recent
cisco IOS versions let you do this with flexible netflow while still
exporting netflow v5.
[/Networks]
permanent link
2009 Oct 11 - Sun
Traceroute Methods
Traceroute, in a nutshell, is about iteratively sending packets to the network
with specific TTL (Time To Live) settings. The first round of packets uses a TTL of 1. The second
uses a value of 2. The values are adjusted upwards each iteration until the destination responds,
or the maximum number of hops has been evaluated.
The traditional form of pinging is to send out an ICMP type 8 packet. There are other forms:
- Windows 'tracert' uses ICMP type 8 with incrementing TTL
- Unix 'traceroute' uses UDP packets starting port 33434 through
(33434 + - 1)
- TcpTraceRoute which
uses TCP syn packets to penetrate firewalls and NAT systems
[/Networks]
permanent link
2009 Sep 07 - Mon
Converting MIBS to OIDS
From a Cisco perspective, on the Cisco-NSP mailing list, Lee provided a simple method
to convert between a MIB and an OID.
First obtain the oid files from Cisco's web site:
ftp://ftp.cisco.com/pub/mibs/oid/oid.tar.gz. Expand the file and extract the
included files. Then:
cat * | sort -k 2,2 -k 1 | uniq | nawk '{printf("%-50s %s\n", $1,$2) }' > ../oids_all.txt
If you want to use it on Windows, use
unix2dos ../oids_all.txt
snmptranslate from net-snmp.sourceforge.net/ does a similar job.
One can also browse them at
Cisco's OID Browser.
[/Networks]
permanent link
2009 Aug 29 - Sat
Tools for Testing Your Internet Connection
Measurement Lab has a series of tools for
Testing Your Internet Connection:
- Network Diagnostic Tool: Test your connection speed and receive sophisticated diagnosis of problems limiting speed
- Glasnost: Test whether BitTorrent is being blocked or throttled
- Network Path and Application Diagnosis: Diagnose common problems that impact last-mile broadband networks
- Pathload2: Test your available bandwidth
- Diffprobe: Determine whether an ISP is giving some traffic a lower priority than other traffic
- NANO: Determine whether an ISP is degrading the performance of a certain subset of users, applications, or destinations
[/Networks]
permanent link
VOIP Security Tools
The Voice over IP Security Alliance has an interesting collection of
VoIP Security Tool List which includes things like:
- VoIP Sniffing Tools
- VoIP Scanning and Enumeration Tools
- VoIP Packet Creation and Flooding Tools
- VoIP Fuzzing Tools
- VoIP Signaling Manipulation Tools
- VoIP Media Manipulation Tools
- Miscellaneous Tools
- Tool Tutorials and Presentations
Use at your own risk.
[/Networks]
permanent link
2009 Aug 19 - Wed
Simple Desktop Network Monitoring Tools
Here are a few simple tools useful on a Windows' desktop for monitoring basic network stuff:
- TCPTraceRoute: mBy sending out TCP SYN packets instead of UDP or ICMP ECHO packets, tcptraceroute is able to bypass the most common firewall filters.
- LFT: Layer Four Traceroute which is mostly non Windows based tool, but partially works in Cygwin.
- Ping Plotter: helps you pinpoint where the problems are in an intuitive graphical way, and to continue monitoring your connection long-term to further identify issues.
- SNMP Traffic Grapher: monitor a couple of SNMP values in near real time.
- WinMTR: WinMTR is a windows clone of popular Matt's
traceroute/ping program called MTR.
[/Networks]
permanent link
2009 Jun 27 - Sat
Network Broadcast Addresses
A customer was performing penetration testing on their network. Once the test results
were in, among other things, they had a couple questions about responses to certain addresses
on their external subnet range.
As a background, every subnet with a network mask of /30 or shorter has three address groups:
- first address: the zeros address aka network address
- middle addresses: usuable addresses
- last address: the ones address aka broadcast address
For explanation purposes, imagine a router with two interfaces:
- interface 1, the ingress interface, with address range of 10.0.0.0/30 and interface address of 10.0.0.1.
- interface 2, the egress interface, with address range of 10.0.0.4/30 and interface address of 10.0.0.5.
For some network devices, for a packet arriving on the ingress interface destined for the broadcast address
of the egress interface (10.0.0.7), the network device will forward the packet, effectively broadcasting to
all devices located in the subnet of the egress interfaces. When many packets arrive in this manner,
this is known as a
Smurf Attack.
Current Cisco devices, by default, no longer forward packets to broadcast addresses, but may respond to these
packets. The following command is applied by default to prevent forwarding of packets to broadcast addresses:
no ip directed-broadcast
At the other end of the subnet, for the network address, I originally thought this was a quiescent address. However,
I did find that the an ICMP echo request arriving on the ingress interface destined to the network address (10.0.0.4) of the
egress interface will generate an echo-reply with the ingress ip address (10.0.0.1) as the source address.
It appears that in days gone past, that for BSD Unix boxes and various other equipment, the network address was *the*
broadcast address. This is why some configurations allow one to configure the address of the broadcast address setting,
whether it be the high end or low end of a subnet. (thanx to Steinar Haug for this info).
rfc 1122 formalizes this broadcast address
configuration (thanx to an inciteful responder named Lee):
3.3.6 Broadcasts
There is a class of hosts* that use non-standard broadcast
address forms, substituting 0 for -1. All hosts SHOULD
recognize and accept any of these non-standard broadcast
addresses as the destination address of an incoming datagram.
A host MAY optionally have a configuration option to choose the
0 or the -1 form of broadcast address, for each physical
interface, but this option SHOULD default to the standard (-1)
form.
The host will respond with the echo-reply because of
rfc 791:
3.2.1.3 Addressing: RFC-791 Section 3.2
... An incoming datagram is destined
for the host if the datagram's destination address field is:
(1) (one of) the host's IP address(es); or
(2) an IP broadcast address valid for the connected
network; or
From a Cisco router perspective, the default use of the command 'no ip directed-broadcast', allows one
to use a /31 subnet (two ip addresses) for point to point links instead of the usual /30 subnet (four ip addresses).
One can effectively address twice as many links with the same number of addresses. This feature is mentioned in
Cisco's Feature Guide:
Using 31-Bit Prefixes on IPv4 Point-to-Point Links.
Coincidently, while I was writing this article, I received a note that there are a couple of TCP Security Assessment
documents available:
These documents go into the details of the bits and bytes making up the TCP protocol, analyzing the reasons for the bits,
how they can be misused, and suggesting counter-measures when used illegally. Theres is a detailed bibilography with
active links to related papers and documents.
An idea of the scope of the document can be seen through its first level table of content:
- The Transmission Control Protocol
- TCP Header Fields
- Common TCP Options
- Connection-Establishment Mechanism
- Connection-Termination Mechanism
- Buffer Management
- TCP Segment Reassembly Algorithm
- TCP Congestion Control
- TCP API
- Blind In-Window Attacks
- Information Leaking
- Covert Channels
- TCP Port Scanning
- Processing of ICMP Error Messages by TCP
- TCP Interaction with the Internet Protocol (IP>
- References
[/Networks]
permanent link
2009 May 26 - Tue
VMWare Datastore Browser
I'm sure the VMWare people have hidden this on purpose... just so you think you are forced into
installing command line utilities or buying licensing for their management products.
Anyway, I have a couple of ESXi 3.5 U4 servers installed. I created a Virtual Machine on one server, then
used the SSH scp command to copy the Virtual Machine from one host to the other. That is all well and good, but
how do you get it to show in inventory?
The answer to that is to run the VMWare Infrastructure Client. That is no problem. The trick is to click on
the Summary tab while in Inventory mode, and right click on the datastore. One can then browse the datastore.
And one can right click on a .vmx file to register the Virtual Machine in Inventory. That same menu allows one
to upload and download images from a local computer.
I think it would have been more intuitively obvious to have the datastore(s) listed in the left hand tree,
but I guess that would make too much sense.
Some random notes on ESXi 3.5 U4:
- One needs to purchase at least the foundation license in order to get the remote command line tools to
work
- When in the ESXi console, one can use vmkfstools to create and resize virtual drives. The GUI does not
allow the 'thin' command, but the vmkfstools command does. 'thin' is the ability to indicate what the overall
size is, but not to preallocate all the space necessary all at once.
- When using an Asterisk based server in VMWare, allocate at least 500MHz to the server in order to maintain
non slipping time. More
VMWare Timekeeping Best Practices
- Veeam FastSCP: Veeam FastSCP-
VMware ESX/ESXi managment tool
FastSCP provides a fast, secure and easy way to manage files and bulk copy VMs across your VMware ESX
environment.
[/Networks/VMWare]
permanent link
2009 May 24 - Sun
VMWare on HP DL360 G6
I recently acquired a couple of decently configured HP DL360 G6 servers. Each boots VMWare directly from an
embedded USB Token. Now that is a server that works right out of the box. And it did.
It is an excellent ability to be able to use HP's management tools to view the console remotely. I've not
laid hands on the server, but I have almost complete visibility into the unit. There are about 20 different
temperature sensors, I can monitor and cap power usage, evaluate processor utilization, and much more. Remote
access to CDRoms is also available through a virtual media Java mechanism. I'm using that now to upgrade to U4
of ESXi.
HP has their own special image and after a bunch of searching, I found it at
Software Depot Home.
I had tried the U4 version from VMWare's site, but it wouldn't install itself in the correct spot. That is
when I figured that HP must have a special version. Don't try to install HP's v8.20 of management tools either.
They are frought with installation problems.
[/Networks/VMWare]
permanent link
Enable SSH on VMWare ESXi
VMMWare ESXi is installed and started with SSH disabled. To enable it is an unsupported
option, as it allows a user access to the console, operating system and associated file
system.
My primary reason for accessing the VMWare ESXi file system (vmfs), is the ease in which
one can get ISO images on to the system. When running the VMWare Infrastructure Client,
during the creation of a virtual machine, the virtual CD Drive can be attached to an ISO
image resident in the DataStore, with the DataStore basially being the vmfs file system.
So to get read/write access to vmfs, one needs to activate SSH on VMWare:
- At the console of ESXi host, press Alt-F1 to access bypass the simple management
window and gain access to the console window.
- There is no prompt and no text echo, but type unsupported and hit
the enter key.
- Enter the password you've assigned for root.
- A prompt of ~ # will become visible.
- Use vi to edit /etc/inetd.conf.
- Find the line that begins with #ssh and remove the #, and save the file.
- Use ps | grep inetd to find the existing inetd process id.
- Restart the process with kill -HUP id.
- You will now have access via SSH.
After logging in, the default datastore can be found at /vmfs/volumes/DataStore1. I
created a sub-directory there named ISO to hold my ISO images. The directory and files are
accessible from the VMWare Infrastructure Client when creating a new Virtual Machine. ISO
files can be retrieved with the wget command.
I havn't done it yet, but one could add a .ssh directory on /root, do the appropriate
magic (covered in another article), and login with an ssh key rather than root password.
Much of the information here was extracted from a couple of web sites, with
VM-Help
being the primary one. It's forum entries have additional useful information.
[/Networks/VMWare]
permanent link
2009 May 16 - Sat
Martians
In terms of managing addresses on for the public internet, there are a set of address
ranges which one should never see... publically. Privately, that is, within someone's local
network, they can be seen, are seen, and should be seen.
- 0.0.0.0/8: not seen as an address but as a default route.
- 10.0.0.0/8: a common internal rfc 1918 range.
- 127.0.0.0/8: localhost addresses, ie, loopbacks on individual machines, with 127.0.0.1 the most common. I've used addional
addresses for setting proxy forwarding with ssh port forwarding configurations
- 169.254.0.0/16: rfc 3927 for internal networks without dhcp and no addressing
structure
- 172.16.0.0/12: a common internal rfc1918 range.
- 192.0.2.0/24: rfc 3330 for documentation and example code
- 192.168.0.0/16: a common internal rfc1918 range.
- 198.18.0.0/15: rfc 2544 network benchmark tests
- 223.0.0.0/8: reserved
- 224.0.0.0/3: multicasting
More information on IPv4 addressing can be found at Wikipedia.
[/Networks]
permanent link
|