Unfortunately it’s insanely hard to prove conclusively where the TCP resets are coming from, again the only evidence I’ve got that it has to be Cell C is the fact that it works flawlessly from everywhere else (SAIX ADSL, Mweb ADSL and Vodacom 3G). So the first things I started noticing yesterday was ssh connections going something down these lines (serenity is my local machine, linux.delter.co.za a relatively big mail server from one of my clients):

jkroon@serenity ~ $ ssh root@linux.delter.co.za 
ssh_exchange_identification: read: Connection reset by peer

Now my employees knows, if I can’t ssh and it’s your fault, you’re going to get it. Firstly I will hunt you down, then I will do things which cannot be considered polite, and if you’re name is bigger than mine and my client believes that because your name is bigger than mine that implies you’re right and I’m wrong I will ensure that I prove them wrong and make very sure that they understand that I don’t take these things lightly. Well, not when it affects my work anyway, but I do understand if things breaks periodically, but at the moment I can’t even browse and in excess of 95 % of the connections I’m pushing out over my Cell C SIM is outright being reset.

So after seeing the above for for approximately 3 out of 5 connections this morning whilst sitting in a data center in johannesburg I just ran a tcpdump in a different shell on serenity to see what happens:

08:53:56.835503 IP 196.35.70.139.ssh > 10.213.51.133.47019:
    Flags [R.], seq 2902460094, ack 3806794395, win 199,
    options [nop,nop,TS val 26312228 ecr 4876698], length 0

Now I KNOW the way I set up my servers. And if my server is in fact generating that RST then there is something severely broken. But I’m getting this from different servers. So, having had one of the craziest weekends for a while going on I decided to push this to the back of my mind and concentrate on more urgent matters. It’s only about 30 minutes back that I wanted to quickly check mail, browse a bit and just unwind a little that I couldn’t actually browse, ssh to my servers for a quick checkup after the weekend’s events and write an official complaint to a certain hosting company that I decided enough is enough. Got a jump box and ssh’ed via another route to linux.delter.co.za (and no surprises) it worked flawlessly. Fire up pppd and add a route for linux.delter.co.za over that, fire up tcpdump on both ends and I get this, first on serenity (sorry for the horizontal scrolling, and also note that the time on my laptop is out by ~30 minutes due to ntp failing and the CMOS on this Lenovo being of the ultra crappy kind):

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21

18:46:14.706636 IP 10.212.100.200.46247 > 196.35.70.139.ssh: Flags [S], seq 8197450, win 5840, options [mss 1460,sackOK,TS val 187563 ecr 0,nop,wscale 7], length 0
18:46:15.326350 IP 196.35.70.139.ssh > 10.212.100.200.46247: Flags [S.], seq 1497501202, ack 8197451, win 5792, options [mss 1460,sackOK,TS val 2837150 ecr 187563,nop,wscale 6], length 0
18:46:15.326445 IP 10.212.100.200.46247 > 196.35.70.139.ssh: Flags [.], ack 1, win 46, options [nop,nop,TS val 187626 ecr 2837150], length 0
18:46:15.659155 IP 196.35.70.139.ssh > 10.212.100.200.46247: Flags [P.], seq 1:21, ack 1, win 91, options [nop,nop,TS val 2837190 ecr 187626], length 20
18:46:15.659267 IP 10.212.100.200.46247 > 196.35.70.139.ssh: Flags [.], ack 21, win 46, options [nop,nop,TS val 187659 ecr 2837190], length 0
18:46:15.659458 IP 10.212.100.200.46247 > 196.35.70.139.ssh: Flags [P.], seq 1:22, ack 21, win 46, options [nop,nop,TS val 187659 ecr 2837190], length 21
18:46:15.969153 IP 196.35.70.139.ssh > 10.212.100.200.46247: Flags [.], ack 22, win 91, options [nop,nop,TS val 2837221 ecr 187659], length 0
18:46:15.969221 IP 10.212.100.200.46247 > 196.35.70.139.ssh: Flags [P.], seq 22:814, ack 21, win 46, options [nop,nop,TS val 187690 ecr 2837221], length 792
18:46:16.349157 IP 196.35.70.139.ssh > 10.212.100.200.46247: Flags [P.], seq 21:805, ack 22, win 91, options [nop,nop,TS val 2837221 ecr 187659], length 784
18:46:16.386434 IP 10.212.100.200.46247 > 196.35.70.139.ssh: Flags [.], ack 805, win 58, options [nop,nop,TS val 187732 ecr 2837221], length 0
18:46:16.599149 IP 196.35.70.139.ssh > 10.212.100.200.46247: Flags [.], ack 814, win 116, options [nop,nop,TS val 2837284 ecr 187690], length 0
18:46:16.599227 IP 10.212.100.200.46247 > 196.35.70.139.ssh: Flags [P.], seq 814:838, ack 805, win 58, options [nop,nop,TS val 187753 ecr 2837284], length 24
18:46:16.926374 IP 196.35.70.139.ssh > 10.212.100.200.46247: Flags [.], ack 838, win 116, options [nop,nop,TS val 2837315 ecr 187753], length 0
18:46:16.986396 IP 196.35.70.139.ssh > 10.212.100.200.46247: Flags [P.], seq 805:957, ack 838, win 116, options [nop,nop,TS val 2837315 ecr 187753], length 152
18:46:16.986458 IP 10.212.100.200.46247 > 196.35.70.139.ssh: Flags [.], ack 957, win 71, options [nop,nop,TS val 187792 ecr 2837315], length 0
18:46:16.988362 IP 10.212.100.200.46247 > 196.35.70.139.ssh: Flags [P.], seq 838:982, ack 957, win 71, options [nop,nop,TS val 187792 ecr 2837315], length 144
18:46:17.477898 IP 196.35.70.139.ssh > 10.212.100.200.46247: Flags [.], ack 982, win 140, options [nop,nop,TS val 2837372 ecr 187792], length 0
18:46:17.798919 IP 196.35.70.139.ssh > 10.212.100.200.46247: Flags [P.], seq 957:1677, ack 982, win 140, options [nop,nop,TS val 2837372 ecr 187792], length 720
18:46:17.801802 IP 10.212.100.200.46247 > 196.35.70.139.ssh: Flags [P.], seq 982:998, ack 1677, win 83, options [nop,nop,TS val 187873 ecr 2837372], length 16
18:46:18.048892 IP 196.35.70.139.ssh > 10.212.100.200.46247: Flags [R.], seq 1677, ack 982, win 0, length 0
18:46:18.088924 IP 196.35.70.139.ssh > 10.212.100.200.46247: Flags [R.], seq 1677, ack 998, win 0, length 0

And on linux.delter.co.za:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19

20:17:52.448213 IP 41.157.80.24.57790 > linux.delter.co.za.ssh: S 8197450:8197450(0) win 5840 <mss 1460,sackOK,timestamp 187563[|tcp]>
20:17:52.448247 IP linux.delter.co.za.ssh > 41.157.80.24.57790: S 1497501202:1497501202(0) ack 8197451 win 5792 <mss 1460,sackOK,timestamp 2837150[|tcp]>
20:17:52.840000 IP 41.157.80.24.57790 > linux.delter.co.za.ssh: . ack 1 win 46 <nop,nop,timestamp 187626 2837150>
20:17:52.846789 IP linux.delter.co.za.ssh > 41.157.80.24.57790: P 1:21(20) ack 1 win 91 <nop,nop,timestamp 2837190 187626>
20:17:53.079622 IP 41.157.80.24.57790 > linux.delter.co.za.ssh: . ack 21 win 46 <nop,nop,timestamp 187659 2837190>
20:17:53.161323 IP 41.157.80.24.57790 > linux.delter.co.za.ssh: P 1:22(21) ack 21 win 46 <nop,nop,timestamp 187659 2837190>
20:17:53.161345 IP linux.delter.co.za.ssh > 41.157.80.24.57790: . ack 22 win 91 <nop,nop,timestamp 2837221 187659>
20:17:53.162056 IP linux.delter.co.za.ssh > 41.157.80.24.57790: P 21:805(784) ack 22 win 91 <nop,nop,timestamp 2837221 187659>
20:17:53.750503 IP 41.157.80.24.57790 > linux.delter.co.za.ssh: P 22:814(792) ack 21 win 46 <nop,nop,timestamp 187690 2837221>
20:17:53.784763 IP linux.delter.co.za.ssh > 41.157.80.24.57790: . ack 814 win 116 <nop,nop,timestamp 2837284 187690>
20:17:53.839959 IP 41.157.80.24.57790 > linux.delter.co.za.ssh: . ack 805 win 58 <nop,nop,timestamp 187732 2837221>
20:17:54.100058 IP 41.157.80.24.57790 > linux.delter.co.za.ssh: P 814:838(24) ack 805 win 58 <nop,nop,timestamp 187753 2837284>
20:17:54.100072 IP linux.delter.co.za.ssh > 41.157.80.24.57790: . ack 838 win 116 <nop,nop,timestamp 2837315 187753>
20:17:54.102989 IP linux.delter.co.za.ssh > 41.157.80.24.57790: P 805:957(152) ack 838 win 116 <nop,nop,timestamp 2837315 187753>
20:17:54.479858 IP 41.157.80.24.57790 > linux.delter.co.za.ssh: . ack 957 win 71 <nop,nop,timestamp 187792 2837315>
20:17:54.630280 IP 41.157.80.24.57790 > linux.delter.co.za.ssh: P 838:982(144) ack 957 win 71 <nop,nop,timestamp 187792 2837315>
20:17:54.664784 IP linux.delter.co.za.ssh > 41.157.80.24.57790: . ack 982 win 140 <nop,nop,timestamp 2837372 187792>
20:17:54.673005 IP linux.delter.co.za.ssh > 41.157.80.24.57790: P 957:1677(720) ack 982 win 140 <nop,nop,timestamp 2837372 187792>
20:17:55.236939 IP 41.157.80.24.57790 > linux.delter.co.za.ssh: R 982:982(0) ack 1677 win 0

Upon initial inspection I have to say, I don’t see the tell-tale signs of tcp splicing as I did with Vodacom. There doesn’t appear to be any sequence number adjustments. There is some NAT going on which isn’t desirable (and Vodacom moved away from using NAT once they’re user base started getting beyond a certain point because “it didn’t scale” according to one of their lead technicians).

When I say I can’t find signs of tampering I really mean it. Looking at the above you’ll see there is 19 packets on linux.delter.co.za and 21 on serenity. The first 18 of both these traces ARE IDENTICAL (other than the NAT’ed IP). After this 18th packet the server side receives an RST packet directly after it sent the data for 957:1677, along with a correct ACK for 1677. The client side receives this data, and no surprisingly doesn’t actually respond with an RST but instead with an ACK. Directly after sending this ACK it receives two identical RST packets, which again, has not been sent by the server.

So I ask this – who is generating these RST packets? Who can I have beaten with a blunt object? I want to unwind – it’s been a bad weekend with this little cherry on top.

Share on Facebook

Now, the price tag on the IS uncapped account mentioned above is slightly in excess of R2000 ex VAT. For my office I’ll need two of those accounts (we run through approximately 100GB worth of traffic each month and I’m NOT willing to sacrifice on quality of the service). For those doing the math already, R4400 vs R5000 … yea. If those were the complete facts I might consider switching and doing some careful load balancing over the two accounts to try and stay out of the top 20 % as well as to remain under the floating cap. However, the price difference isn’t severe enough for me to honestly consider it, and I’ve got another trick up my sleave: split routing.

I’ve approximately three years ago figured out how to separate local and international bandwidth at the client premises into two separate accounts. This allows me to utilize cheap local-only ADSL accounts for local bandwidth, and normal blended ADSL accounts for my international traffic. Seeing that our split is about 60 % local 40 % international this means that my cost ends up being around R2500 to R3000 per month, ex VAT for my bandwidth every month. And I get this at the same quality that you’ve come to expect from SAIX’s ADSL accounts. No frills, no fuss, good international latencies (usually at around 250 to 300 ms) and excellent local latencies of as low as 10ms (compared to around 25 to 30 on IS accounts).

Even three years ago this was beneficial, and I thought that this concept was going to be killed when the uncapped accounts started entering the market … yet the opposite has become true – I’ve now got even more inquiries asking WHY uncapped is so bad, and what alternatives are there. And this is only from a “consumer dsl” perspective (ie, sme and home market).
When one starts looking at data centres the costs associated with bandwidth starts looking even worse. No more el-cheapo ADSL (yes, trust me when I tell you ADSL bandwidth is EXTREMELY cheap). Now you have to start getting things like metro-ethernet. You need to start buying transit. If you’re hosting you’re most likely paying per GB over a certain thresshold (eg, first 3GB for your server is included with monthly and after that you’re paying per GB). If you’re the hosting environment you’re most likely buying bandwidth in per mega-bit chunks.
No matter in which of these arenas you’re playing there is NO SUCH THING as uncapped bandwidth. Either you’re being limited by an artificial cap such as you can use 3GB at any rate you please (which is also a lie as the upstream BW has a limit in terms of bits per second) or you’re being limited by the bits per second.

What uncapped really means is unmetered. In other words: We will allow you to consume bandwidth at an average of X bits per second, and we won’t actually (for billing purposes) measure how many bytes you push over the link. This means immediately that you pay for capacity instead of per byte. It’s also possibly to buy such unmetered solutions in an oversubscribed manner, for example, you can buy “gold” or “silver” transit from SAIX, “gold” means that you will have a contention ratio of 1:1 (meaning you will always be able to use your full capacity), or with silver you can get a contention ratio of 3:1 – which means that permitting that the other people aren’t consuming bandwidth you can burst up to your pipe size, but you’re only guaranteed of a third of it. Either way – 4Mbps of this is likely to make you understand why uncapped ADSL is a bad idea.

Share on Facebook

I’m not sure whether this is a result of too little testing, total ignorance or just incompetence. Either way, it would seem it’s a bit of a race condition, and hits something similar to what we in the office refer to as the “connection tracking bit bucket”. Basically it seem most connection tracking implementations (when combined with a state full firewall such as that used by Vodacom – as per their own admission in their last letter to me) results in certain flows being prematurely marked as “invalid”. In particular in the example that Kevin has captured for me the server ends up being the first entity to send a GRE packet, this then gets (or got, seeing that it’s fixed again) intercepted by the firewall, perceived as an inbound connection to the client and the uni-directional flow gets marked as invalid. When the client now sends GRE traffic to the server this gets allowed, but the return traffic still bites the “invalid” mark. I can only speculate as to the exact state (seeing that Vodacom doesn’t reveal exactly what software they are using – probably proprietary anyway) of things, making it difficult. This I will attempt to speculate as objectively as possible (not always easy).

Seeing that there are two entities involved in this dump, and I want to do a side-by side comparison, some ASCII art is in order. Essentially three columns being used, the sending agent will indicate what is being sent, and if it was received by the destination I’ll mark that column with an ACK. I’ll also add (R) to retransmits on the sending side. The ISN mods still applies to the TCP connections, however, the data itself isn’t being tampered with in this case. Note that in the GRE traffic case there are still ACK packets being sent by the server, these ACK packets however goes lost (as indicated in the packet sequence).

Client                Direction  Server
SYN                        ->    ACK
ACK                        <-    SYN
PPTP (Start Req)           ->    ACK
ACK                        <-    PPTP (Start Resp)
                           <-    GRE (PPP-LCP Conf Req)
GRE (PPP-LCP Conf Req) (R) ->    ACK (goes lost)
GRE (PPP-LCP Conf Req) (R) ->    ACK (goes lost)
... a few more of these ...
GRE (PPP-LCP Conf Req) (R) ->    ACK (goes lost)
PPTP (Call Clear Req)      ->    ACK

Once the Call Clear Req is received TCP/IP teardowns happens, surprisingly without the flurry of injected RST packets I’ve growned accustomed to, just a single out-of-order delivery between one ACK and FIN/ACK packet.

What I would want (not sure what resolution they picked) is for them to either perform a routine inspection of the PPTP control traffic (specifically the Start Request and Start Reply packets) to determine the GRE traffic parameters (based on what I can see, just mark the fact that GRE is to be expected between the two given end points) and allow that traffic, or, stop this firewalling nonsense. It’s only the Cellular “ISPs” performing actions such as these. The arguments for providing this protection is sound. But then it needs to be done sanely. For the most part I’ll have to admit that the firewall works and doesn’t cause too many problems.

Seeing that the problem has been resolved by Vodacom, I’ll let it rest, for now.

Share on Facebook

So how does Linux determine this? Dead simple actually.

1. It does a forward lookup of it’s hostname (r2d2 in this case), including any domain and search domains configured in /etc/resolv.conf, if nsswitch actually reaches DNS lookups.
2. It does a reverse lookup of the obtained IP and this result is used as the FQDN.

Complex? Not really, until you start looking at what all needs to work in order for this to be correct. A common thing done by many a sysadmin is to in /etc/hosts modify this line:

127.0.0.1   localhost

To:

127.0.0.1   localhost hostname

Well, this will result in hostname -f giving you “localhost” as the FQDN. That’s broken. The correct line above (for r2d2) would be:

127.0.0.1 r2d2.uls.co.za r2d2 localhost localhost.localdomain

That is overly complete and localhost.localdomain can probably be left out. There is another way though, because let’s face it, 127.0.0.1 isn’t our public IP. So here we go, with the “correct” way:

• Set the domain/search lines in /etc/resolv.conf correctly. Basically I’d recommend leaving “search” alone unless you want to search multiple domains for a “short” name, and only set up “domain”.
• Make sure that there is a properly configured PTR record for you public IP.
• Make sure that hostname.${domain} resolves to your, and only your, public IP.

Eg, in my /etc/resolv.conf I’ve got “domain uls.co.za” along with my nameservers (ok, 127.0.0.1 which points to a djb dnscache). Then my hostname is set to “r2d2″. With this configuration when I resolve r2d2 I get an IP of 196.35.70.140, then when I reverse-lookup that IP then I get r2d2.uls.co.za which is my FQDN. Forward looking up r2d2.uls.co.za again resolves to that IP which is exactly what I want.

Share on Facebook

Finding the Bluetooth drivers for your chip is not something I’m going to discuss, lspci and lshw is your friends in this respect, and most distro’s will auto-load kernel modules based on available hardware. If you can type “ip ad sh” and see a pan0 device you’re probably good to go.

At this point I suggest looking at /etc/bluetooth and editing as you see fit (starting with main.conf, probably only want to edit Name = … and even that’s a maybe).

To find out whether all actually works as expected, you should be able to run “hcitool scan”, this should output something like:

# hcitool scan
Scanning ...
        34:7E:39:62:7B:65       Reboot
#

Reboot is my new Nokia phone. The MAC-addr like number on the left is called a bdaddr. Get that string in your cut buffer – you’re going to need it a lot.

Now you need to “pair” your phone with your laptop. This is the hardest part of the whole exercise and depends on which of the tools you’re using. I had quite a lot of trouble doing this from command-line only and eventually just installed gnome-bluetooth and used the wizard to pair, then on my phone set my laptop to authorized to allow it to connect without having to go through the whole pairing process every time. On the laptop side I didn’t actually change anything or had to set things explicitly.

The next step is to locate the bluetooth “endpoint” on the phone to use for dial-up networking. This is done using sdptool:

# sdptool search --bdaddr 34:7E:39:62:7B:65 DUN
Searching for DUN on 34:7E:39:62:7B:65 ...
Service Name: Dial-Up Networking
Service RecHandle: 0x10047
Service Class ID List:
  "Dialup Networking" (0x1103)
Protocol Descriptor List:
  "L2CAP" (0x0100)
  "RFCOMM" (0x0003)
    Channel: 5
Language Base Attr List:
  code_ISO639: 0x454e
  encoding:    0x6a
  base_offset: 0x100
Profile Descriptor List:
  "Dialup Networking" (0x1103)
    Version: 0x0100
 
#

The important bit there is Channel: 5. Now edit /etc/bluetooth/rfcomm.conf, in particular we want to create a serial device called rfcomm0, that always binds to our phone, on the correct channel. The config file ends up looking like this:

rfcomm0 {
    bind yes;
    device 34:7E:39:62:7B:65;
    channel 5;
    comment "DUN on Reboot";
}

Now restart bluetooth again and you should now have a rfcomm0 device node in /dev/. If you do, try opening two terminals, in the one, issue cat /dev/rfcomm0, and in the other issue “echo ATZ > /dev/rfcomm0″, the cat side should echo back your ATZ and hopefully not spit too much gunk at you. From here on it’s pretty simple. I use my chat perl script from my 3G, PINs, prompts and pppd entry, along with this file in /etc/ppp/peers/:

/dev/rfcomm0
linkname 3g-rfcomm0
defaultmetric 5000
 
# Don't require the peer to authenticate (this _seems_ to get the connection going in a shorter time)
noauth
 
# If you want more detailed logs, enable this (it doesn't generate that much
# noise, but assists a lot in finding problems):
#debug
 
# Make this one second since the modem probably has to be re-initialized at least
# once.
holdoff 1
 
# modem initialization
connect /usr/local/sbin/uls_3g_connect.pl
 
# We probably want to use the DNS as advertized by the peer
usepeerdns
 
# Use this link as the default gateway
defaultroute
 
# Inform out ip-up script about what this is:
ipparam "type=intl dnsroutes=yes routemetric=10"
 
# 3G doesn't like all kinds of compression ... which they did - it's slow
# enough.
noccp
nobsdcomp
novj
 
# Make the connection persistent, and not terminate if/when errors occur.
persist
maxfail 0

There is no real difference between this peers file and the one in 3g from the blog mentioned above. This one just adds a linkname and explicit reference to the rfcomm0 device. I saved this file as bluetooth. Now you should be able to run “pon bluetooth”, or more directly “pppd call bluetooth” or even “pppd call bluetooth debug nodetach” if you prefer.

Share on Facebook

1. The ibdriver package – used for the iBurst usb and pcmcia devices.
2. The dahdi 2.0.x drivers used for telephony in Asterisk.

The latter isn’t that serious a problem as I really need to move to dahdi-2.2.x anyway, the ibdriver however caused me some embarrasment as I plugged in the usb device, downloaded the drivers and … it didn’t compile. Oops. So I decided it’s time to return to some of my older roots and just make the driver work – and that’s exactly what I did.

This morning, after reading a blog post yesterday about it taking a guy two hours (without posting patches) I set aside three, and figured, at a minimum I’ll remember why I don’t do kernel hacking for a living.  That happened, but it also only took me about 30 minutes to build a patch for running the iburst drivers against the 2.6.31 kernel.  The main changes are that you’re now to use netdev_priv(dev) for accessing private data instead of dev->priv and a bunch of the device operations which has previously been part of the net_device struct is now in net_device_ops, with a few slight name changes.  The only other thing really is that one struct changed name in the pcmcia subsystem (config_info_t -> socket_state_t).

With no further ado, you can find the patch here.

Please note that whilst I’m busy running the code with this patch I can’t guarantee that there are no mistakes in it.  I just took the kernel headers, and updated the ibdriver code according to what I could tell from these headers, use at your own risk.

Share on Facebook

At the time we figured this was a misconfigured or faulty gateway (Seeing as Internet Solutions is using HSVRP we figured these outages were just the “fail over” time).  Quintin however was told that our gateways are misconfigured and they told him he should be using x.y.z.253 and NOT x.y.z.1 as we were told during the installation of these servers.  Since then the Windows server which he was working on was not affected again and seeing as most of my Linux servers just keep running I didn’t think too much about this again until last weekend when I was actively working on one of them.  I re-reported the issue, making it clear that the explanations I were given previously was inaddequate and not acceptable (I were given answers such as someone accidentally bumped a cable etc …).

After running mtr traces from my dsl into the DC to three of the servers (web/mail, voip and windows) since reporting it at 15:54 (first response at 16:48 – reasonable response time for ONCE, thanks IS) I realized two things:

1. ~ 30% round-trip packet loss on the final hop, and around 0.4 – 0.7 % loss on the hops before that (meaning, probably the DSL side of things).
2. The Windows server was not affected at all!  This made no sense whatsoever to me until I realized it was using a different gateway.

Either way, after sending these traces off to IS @ 17:25 – showing even higher loss on the last hop than the above 30 % (67 % and 57 % respectively), and later (18:40) passing on an update showing that I could still get responses from my servers internally inbetween each other in spite of not being able to get access to the outside world.  At 7:38 the Sunday I looked at the traces again and since the loss decreased to 5 % and 6 % I figured they must’ve restored sanity and fixed the problem.   I was wrong, very very wrong.

One of my clients phoned me around 8:45ish and said I should look at my email – they think I might want to look at it, it looks like my admin site has been compromised.  Of course I immediately loaded the site, just to see a funny bar at the top-left and all my fonts looking rather funky.  A few page source showed a <script> tag embedded right at the beginning of my html document, even before the <!DOCTYPE declaration!  If you’ve ever seen me fire up a shell and ssh into a server you know it can be done quickly – I believe I broke all known records that morning … the grep was fired off so quickly on the php scripts I barely had time to think about it … nothing.  mysqldump with the grep … nothing, on /etc … nothing, /home … nothing (this took a while), / … nothing (this one took a LONG time).

So off I went to GLUG … ah, gotta love GLUG … and this thread ensued:  http://www.linux.org.za/Lists-Archives/glug-tech-0905/msg00009.html

As per the thread my initial thought was compromised proxy … however, seeing as I described the gateway problem first you can hopefully already guess that this was NOT the case. The post that can be located on http://www.linux.org.za/Lists-Archives/glug-tech-0905/msg00013.html was the breakthrough.  Specifically Quintin mentioned that he has issues loading certain pages and then I tried to load pages from other servers in the DC, and this in particular should explain:

Come to think of it - there is some correlation between the servers
that's available via our gateway and those that aren't.  I can reproduce
this "page hack" on the web pages that sporadically goes awol, but not
on those that doesn't (In our particular little subnet).  I wonder
whether those two are not perhaps related.  ARP spoofing anyone?  I
suspect this issue is going to be handed off to IS... sorry for the IS
guys on the list, but there is some work coming your way.

After this realization it became much easier to look for what I feared:  A router compromise.  So I started sniffing for arp traffic (inside of screen writing to a file), and it wasn’t long before I found sequences like this:

12:57:07.871279 ARP, Reply x.y.z.1 is-at 00:11:43:dc:15:24 (oui Unknown), length 46
12:57:07.884269 ARP, Reply x.y.z.1 is-at 00:11:43:dc:15:24 (oui Unknown), length 46
12:57:07.889516 ARP, Reply x.y.z.1 is-at 00:11:43:dc:15:24 (oui Unknown), length 46
12:57:08.433296 ARP, Reply x.y.z.1 is-at 00:00:0c:07:ac:0a (oui Cisco), length 46
12:57:08.433350 ARP, Reply x.y.z.1 is-at 00:00:0c:07:ac:0a (oui Cisco), length 46

That actually tells us three things, not just one:

1. There is definitely somebody spoofing the router address, specifically, some device which thinks it’s a Dell router.
2. There is likely a loop on the physical network seeing as we’re receiving the same packet multiple times (It’s actually an IS engineer that pointed this one out for me).
3. IS is using HSRVP for their routers (which I already knew, but the MAC address from Cisco confirms this.

At 19:50 I once more sent an email to IS, asking them once more to get serious with this since this was a security issue, I also had to spell out what exactly was going on (not something that comes overly easy to me).  So for those that have been raising their eyebrows at the above – the best analogy that I could come up with is something down this lines:

A LAN is essentially like a room full of people, where each person represents a computer.  Just about none of these people generally know each other, they cannot communicate with anybody outside of the room.  In order to communicate to the outside you’ve got to speak with a special person that stands in a door – you only have his name and you’ve got no way to confirm who’s standing in doors and who not – not even by asking them.  So if I want to send a message to sombody not in the room I basically call out:  Hey Mr Router – who are you? and then Mr Router is supposed to call back, hey you, here I am!  What’s happening above is that two people is calling back, so which one is the real Mr Router and which one is the impersonator?  You’ve got to make a choice and follow through.  If you pick the right one, your message goes where it’s supposed to, if you don’t, well, nasty things can happen, as in this story:

The computer that pretended to be the router took the message, looking for certain things in the message, modified the message and then passed in on to the real Mr Router – pretending to be us.  Very, very naughty.

Even after all of this non-circumstantial evidence and definite proof (well beyond speculation) I received this shortly before 21:00 the sunday evening:

Network engineer found that there is a problem with the available uplink bandwidth from the switch and that this is entering planning for rectification. We will get our Netops engineers to assist, but will not be able to resolve it tonight.

I thought I was going to kill someone. My reply to this was simple, yet effective:

What does available uplink bandwidth have to do with a machine that’s spoofing ARP responses?

Yes, the uplink bandwidth is a problem, I’ve been saying that for a while now … but this issue is happening over a WEEKEND (A LONG WEEKEND I MAY ADD) when it’s dead quiet, so there is a better chance of hell freezing over than that it’s an uplink bandwidth issue.

I also immediately called in to the GSC in order to try and speak with whatever engineer made the assessment and to try and hammer it into his head what was going on, as they tried to connect me he fortunately called me.  This helped somewhat with my mood.

This is fortunately where things turned, within a few minutes of him calling me I managed to explain to him what was actually happening and he took action and disabled the compromised host’s port and all went back to normal by 21:30.  Confirmed by 21:34 with ARP traces that finally looked normal:

21:22:16.089287 arp reply x.y.z.1 is-at 00:00:0c:07:ac:0a (oui Cisco)
21:22:51.888723 arp reply x.y.z.1 is-at 00:00:0c:07:ac:0a (oui Cisco)
21:23:27.688410 arp reply x.y.z.1 is-at 00:00:0c:07:ac:0a (oui Cisco)
21:24:14.599464 arp reply x.y.z.1 is-at 00:00:0c:07:ac:0a (oui Cisco)

Much better, no duplicates, no more issues with ssh just going awol.  No more ping timeouts, no more infected HTTP responses.

The HTTP infections themselves were also pretty ingenious.  In particular, a typical HTTP response looks something like this:

HTTP/1.1 200 OK
Date: Sun, 03 May 2009 08:49:07 GMT
Server: Aapche
Content-Length: 2698
Keep-Alive: timeout=15, max=98
Connection: Keep-Alive
Content-Type text/html

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd";>
<html>

As you can see, there is a number of unneeded headers.  Now what would happen if we were to strip some of these out?  Eg, the Server, Keep-Alive, and Connection: headers?  Firstly, the lack of Keep-Alive would cause the connection to be closed, a new one will be re-opened for subsequent requests (slight slowdown … whoopdy do), The lack of the Server: header makes no difference at all, but now we do need (due to technical requirements of not disturbing the packet length) to adjust the Content-Length: header, and the opened up space gets padded with spaces.  So basically if we rip out X bytes from the headers we pre-pad the content (from <!DOCTYPE onwards) with spaces which doesn’t change the meaning of the content, we increase the Content-Length by X (being careful around magnitude boundaries, eg, going from 3 digit values to 4 digit values in which case we need to consume one of our added spaces again).  Since we now have a bunch of spaces at the beginning of the content we’ve got space to add some stuff in there (this broke the HTML standard in my page’s case but generally html devs don’t have those <!DOCTYPE headers and by the time anybody notices this it’s already too late anyway).  In this case the “payload” was a <script> tag using a src attribute pointing to a .gif file which actually contains some javascript.  This then proceeded to exploit some Windows bug and actually compromise the machine for whatever nefarious purpose the hacker had in mind.

There is more detailed explanations in the GLUG thread for some of these things, in particular you may also want to read these posts:

• http://www.linux.org.za/Lists-Archives/glug-tech-0905/msg00018.html
• http://www.linux.org.za/Lists-Archives/glug-tech-0905/msg00022.html
• http://www.linux.org.za/Lists-Archives/glug-tech-0905/msg00026.html

I really need to learn how to write this kind of garbage in english and not my variant of techbabble.

Some further discussion regarding possible fixes ensued, and I made this post after discussion with various people, including the orignal person asking the question, I quote from http://www.linux.org.za/Lists-Archives/glug-tech-0905/msg00028.html:

> So we have a neat and devilishly cunning way of getting content onto a browser
> machine virtually anonymously. Ouch.
>
> What's the defense?

You don't want the answer to this.  In a word:  NONE.

I've been thinking really hard, and I can come up with only a handful of
"solutions":

1.  Hardcode the router's MAC in /etc/ethers.  This still doesn't
prevent the injection from happening with MAC spoofing (some host can
confuse the switch into overflowing it's MAC tables and thus effectively
sending all traffic everywhere, but getting the switch to only send it
to that host would be significantly harder, but not impossible, and
HSRVP could in this case actually provide a stepping stone for actually
making the exploit possible again.

2.  In this particular setup there are a few routers high in the range,
I could hard code my router to one of them seeing as only .1 was
targeted in this case.

3.  There is apparently some options on the CISCO switches which can
guess as to whom the attacker is and shut down that port, or at a
minimum detect and report it.  This will probably be quite effective in
the subnet.

4.  It's possible to configure CISCO switches to only allow
communication with the router port, but then you need to also configure
exceptions between servers that are allowed to communicate.

And all of those, without exception, only protects the local subnet.  It
DOES NOT prevent this attack from happening between other hops further
down the route.

As a friend of mine (IPv6 fanatic) would say:  This is a fundamental
flaw in IPv4.  We need IPv6 with build in security mechanisms and HMACs
which guarantees authenticity (Ok, we have it in IPv4 in IPSec, which is
basically the "security" features from IPv6 back-ported).  Not that I
understand how you can authenticate a packet unless you have a shared
key to run the HMAC with, which also implies that we're going to need
X509 certificates on a per-IP basis to be issued to each and every
machine on the Internet.  Which brings me to my next question:  How much
will Thawte and/or Verisign ask for such a certificate?  And how much
are they going to put into MS's pockets to prevent other parties from
entering the arena?

Also, considering that you now need to run two cryptographic hashes per
packet coming in off the wire, or going out on the wire, what
implications will this have on already loaded servers?

Just some things to ponder.

Jaco

The option referenced in 4 is called PVLAN (An extension of the VLAN aka virtual LAN concept).  Re option three, Simeon Miteff mentioned there is a tool called arpwatch which does this same thing on your Linux servers.  At a minimum this will allow one to detect this crap much quicker, and take appropriate action in a shorter time without having to go through the trouble of running sniffers and the like.

Share on Facebook

VoIP Traffic Graph

One can clearly see the 10:00 tea time, then lunch at 13:00 and tea again at 15:00 before things start quieting down for the weekend at around 16:30.  Surprisingly there is still a decent amount of activity for a saturday .

Share on Facebook

What kinds of speeds is “fast enough”?  What is the trade-off between throughput and latency?

Personally, I could do with >4Mbps links, but this isn’t essential for me.  Heck, I still use a 384 DSL line at home.  However, I obviously won’t be running a company off of it.  Nor am I a big leecher that tries to download a gazillion gigabytes every month.

Half the time, I find that people that complain about “slow” internet isn’t even saturating their link at all.  So why do they consider their links to be slow?  Simple, latency.  Let’s say you’re browsing to google.co.za, (hope page, excluding images is 2909 bytes, that’s _two_ TCP segments).  At 4Mbps that’s a fraction of a second, then why does it feel like google.co.za takes a second to load?  Because it actually does:

1. SYN packet gets sent.
2. ~300ms later the SYN/ACK arrives.
3. ACK gets sent + request gets sent off.
4. ~300ms later the response starts coming in.

So yes, that’s around 600ms (on a low-latency round trip) before we even START receiving the data from google back.  Please note that local caches and other factors obviously influences this.

Then, there is probably the single factor that I consider to be the most crucial piece of the puzzle at the moment:  packet loss!  I’ve recently started seeing round-trip packet loss of around 5 %!  Sounds low?  Well, it’s actually less than 5 % as the 5 % is round-trip, so it’s probably like 2.6 % per direction.  Either way, for VoIP we are trying to send 50 packets per direction per second, at 2 % that means we’re losing a fragment per second (0.02ms worth of audio).

As previously stated we can get away with relatively little bandwidth for VoIP, but there are a few things we do want:

1. Lowish (<100ms) latency.
2. Low jitter (The lower ping’s mdev value, the better, <5ms works well).
3. NO PACKET LOSS.  We do NOT want to lose packets at all.

It is mostly for the latter two reasons that we HIGHLY recommend dedicated internet links for VoIP purposes in SA (No QoS on the network).  However, it seems recently the major providers started competing to see who can provide the highest latency (iBurst is mostly winning here at around 150ms+ latency for local traffic) and packet loss (it’s hard to say who’s leading here … I saw iBurst at 40% the other weekend, I’m getting more DSL lines at 5%+), and let’s not even go into jitter …

No, internet in South Africa at this point in time is a mixture of disappointment and utter frustration.  I’ve been with my hands in my hair the last while, and I’ve no idea where to turn next.  Diginet?  If only it was as good as they claim, and if only it was affordable.

Share on Facebook

The Naïve approach

Yesterday I still thought this would work quite well.  I was wrong.  Essentially, on the server just add three additional IPs for a total of four IPs, so we now have $ip1, $ip2, $ip3 and $ip4, all in the same /24 subnet, and all assigned to the same physical NIC.  The routing table ends up looking (ignoring other the rest of the NICs on the setup):

${subnet}/24 dev eth0 scope link src ${ip1}
default via ${subnet_gw}

Now anybody familiar with how udp and the sendto() function works will immediately spot the problem, whatever we send back to the client, no matter on which IP we recieved the request, the response will always have ${ip1} as it’s source.  So whilst it’s perfectly legal to set up four iax accounts on the client pointing to the four different IPs on the server this just ends you in a spot of trouble (Set up the four peers with qualify=yes and routing to each of the four server IPs over separate PPPoE connections and you’ll notice that three of them end up being unreachable).

To clarify, let’s say on the client machine we have four pppoe connections, with four IPs of $dsl1, $dsl2, $dsl3 and $dsl4, so we don’t do a default route on any of them (that goes via our normal gateway anyway), so our routing ends up something like (please note there are some additional prohibit routes in order to prevent stuff going over our data link but in an ideal case the below is sufficient):

${ip1} scope link dev ppp0
${ip2} scope link dev ppp1
${ip3} scope link dev ppp2
${ip4} scope link dev ppp3
192.168.0.0/24 scope link dev eth0
default via 192.168.0.1

Now, when we try to POKE on $ip2 we’d want to receive an ACK response from $ip2, instead we get an ACK from $ip1, which then evokes an INVAL response back to $ip1 (from $dsl1 no less).

In a similar fashion call setup also fails, never mind actual voice streams.

Making the naïve aproach work

The best way of making this work is probably to update asterisk to actually explicitly set the from address on outbound packets which are replies to requests (or related to already associated connections).  This doesn’t look too trivial and the asterisk devs are going to raise more than just a few eyebrows.  Probably not too hard either, we already need to store the peer’s IP somewhere … we could just add the local IP there as well.

You’d reckon I’d simply give up there.  But fortunately there is a relatively simple fix:  Add a specific route for $dsl[234] on the server side.  This works, but is a nasty, nasty hack imho.  Basically you need to perform some kind of DNS/registration tracking on the server side which knows how to keep track of the installed routes, when to remove them and when to add new ones.  It also needs to know which _source_ IP to use for each of these.  The simple, stupid way is a script like:

#! /bin/bash

ip1=??
ip2=??
ip3=??
ip4=??

function check()
{
local name=$1
local dst=$2
local src=$3
local olddst=”"

[ -r /var/lib/route-check-${name} ] && olddst=$(</var/lib/route-check-${name})

if [ "${dst}" != "${olddst}" ]; then
[ -n "${olddst}" ] && /sbin/ip ro del ${olddst}
[ -n "${dst}" ] && /sbin/ip ro ad ${dst} via 196.35.70.1 src ${src}

echo “${dst}” > /var/lib/route-check-${name}
fi
}

check ${ppp2_name} “$(/usr/bin/dnsip ${ppp2_dnsname} |sed -e ’s/ //’)” $ip2
check ${ppp3_name} “$(/usr/bin/dnsip ${ppp3_dnsname} |sed -e ’s/ //’)” $ip3
check ${ppp4_name} “$(/usr/bin/dnsip ${ppp4_dnsname} |sed -e ’s/ //’)” $ip4

There is no need to explicitly monitor ppp1 as this will just make use of the defaul IP anyway.  Surprisingly this does actually work.

Abusing policy based routing

This was quite annoying actually.  I set up policy-based routing on the ppp devices anyway such that any traffic that gets originated with that IP will actually be sent back using the appropriate device.  This then made me think about the server case … what if we only bound asterisk to ${ip1} and then had a small relay agent run on each of the other IPs that litterally consisted of about 50 lines of C code that opens port 4569 on the IP, and whatever it receives from ${ip1} it forwards to the appropriate dynamic IP (since we have three IPs we’re listening on we can accomodate up to three additional links.  The downside here is that asterisk loses some source information regarding the IPs, also, I don’t think we can use this for multiple clients unless the agent actually understand at least a small amount of the IAX protocol (or use a port other than the default 4569).  For a two-ip on the server case we’d thus have three channels, in ${ppp1} -> ${ip1}, ${ppp2} -> ${ip2}, and lastly ${ip2} -> ${ip1}.  This should work as far as I can tell.  Asterisk on the server will see the calls as coming from ${ppp1}, ${ip2}, ${ip3} and ${ip4} but I’m fine with that.  It does reduce our redirect options significantly though.

Each call is also limited to a dsl line, and if that line goes down mid-call the call is screwed.

Extreme routing

This idea steams from the first, basically we run a small packet capturing sniffing for packets coming into the system on port 4569 (and 5060 would actually work cleanly for this too as far as I can tell) for each packet we look at {source, dest} and see if we have a route to source via our normal gateway and with src set to dest.  If not, update our routing table. This will likely hammer the system quite badly though with continuous routing table updates, result in an insanely large routing table unless the program also flushes routes again from time to time that it hasn’t seen in a longer than maxexpiry period.

Thus, if a packet comes in from ${ppp2} to ${ip2}, ensure that we have the route ${ppp2} via ${gateway_ip} src ${ip2}.  This will effectively fix the redirect problem too, and at the same time keep latency down as there is not an additional process for packets to go through.  One could even possibly rather make use of ipsets in iptables (along with the SNAT target)… efficiency will need to be trialed though.

Scary enough, this actually seems quite feasible to me.  Except for the resources that will be spent keeping track of the IP pairings I actually quite like this solution.  It’s relatively simple, doesn’t require assistance from asterisk, can happen realtime and without the need for third-party intervention (the less the system needs to rely on other systems the better).

Truly load balancing the IAX data stream

Then I came to the realization that we’re splitting up the calls, and packing them into partitions in order to get load balancing done.  Now if I tell you that the dialplan to get this done is fugly, please understand that I’m not trying to brag about getting it right.  It truly is FUGLY, and I really fail to see a way of cleaning this up.  It’s a hack making use of the GROUP functions to count the number of calls over the individual lines and balancing them out.  Nor does it solve for the inbound case!  And it still drops calls on the lines that die (and with the iBurst connections I’ve seen the last 24 hours or so … damn).

Ok, so the idea becomes to have a really, really dumb relay agent.  Doing something like ip-in-ip, but since the end points don’t give a rats about the original IPs (IAX/2 is very friendly towards both SNAT and DNAT … thanks be to Mark Spencer) we can do some really cool forwarding.

So on both servers we bind the IAX in asterisk to 127.0.0.1, we assign a secondary IP of 127.0.0.2 to the local loopback, and we bind a “proxy” on that, which also binds the four actual IPs.  Now we just need to know what the “pairing” IP is for each of our public facing IPs, so we need to register a set somehow.  So a client will let us know “these are my IPs, I’m going to be sending from all of them to your IPs, please round-robin between them when sending back”, after which it should be able to immediately send a register and start getting going.  At this point I can address another issue, since we now round-robin the packets, and we know which set of peer IPs belong together we can actually get rid of our additional IPs on the server!  I’d still keep two public-facing ones, one for the raw IAX/2 asterisk port (for efficiencies sake for those clients that don’t need the load balancing), and the latter for balancing the IAX/2, which then dynamically creates an alias on local loopback and transmits to the other IP (last I checked the Linux kernel could get quite confucious about this …. but it should be possible to get something working).

The downside here is that we lose the ability to redirect our calls, but seeing as we’re load balancing we may not actually want those redirected streams as they mess with our ability to “trunk” calls.  Instead I’d say just charge the client a premium for the ability to load balance.

Even more scary with this is that if a link does go down we just gained the ability to (permitting we realize the dead link quick enough) not drop the call (we can now actually “jump” the voice data over to different links).  Let’s say we do have a 4-way setup, and we do lcp echo requests every 5 seconds, and 3 consecutive no-responses kills the link it’s going to imply a bi-directional packet loss of 25% for around 15 seconds.  This is NOT so hot, but in many cases better than dropping the call entirely.

Just flippen update the protocol!

Ok, by now I’m slightly fed up actually (tired).  Come to think of it though – what is there to prevent this being added directly into asterisk and the IAX/2 protocol?  Basically tel asterisk to perform the round-robin on a set of local interfaces (source IPs?) for a particular peer/user, and if the peer supplied us with multiple IPs in it’s registration, round robin it on that side too!  Really, consider something like this quickly:

[ulsvoip]
type=friend
host=voip.uls.co.za
local_ifaces=ppp0,ppp1,ppp2,ppp3
…

Also assume that voip.uls.co.za (for now, resolves to a single IP only), now, when we register we supply all active IPs for ppp0, ppp1, ppp2 and ppp3 (so if one of more of the devs is done they simply get ignored for that round but if a device does change state we need to refresh our registration).  Now we have a set of IPs for local, and we simply alternate with using those IPs as source.  Let the kernel handle the actual routing (just make sure your policy based routing is set up properly – not difficult to do).

On the server side it’s dead simple, when the registration comes in it’ll contain multiple IPs, so any packets coming from any of those IPs are treated as coming from a single source.  When sending packets back, we simply rotate the destinations so as to effectively round-robin between the different links on it’s side.

And lasty, there is no reason why this can’t be done on both ends simultaniously, even with different numbers of links on both sides!  In other words, the example above, but voip.uls.co.za resolves to 4 or even 5 different IPs (Rather moot at this point since all IPs are assigned to the same interface anyway).

Share on Facebook