BGP strikes again? No… it’s just a change in the SNMP community name
Scapy and checksum calculation
Sometimes you have to (re)calculate a checksum when you modify packets, or when you try to solve a friend's networking challenge like the following:
I'm 45000064000f0000fe013726c0a80108c0a8030b, a 20-byte IP header.
What will my checksum be after the next hop? :-)
It's easy with scapy: first import the hex, decrement the TTL, delete the checksum, then call show2(). It automatically recalculates the new checksum for you.
>>> pownage=IP(import_hexcap())
0000 4500 0064 000f 0000 fe01 3726 c0a8 0108
0010 c0a8 030b
>>> pownage.ttl = pownage.ttl - 1
>>> del pownage.chksum
>>> pownage.show2()
###[ IP ]###
  version= 4L
  ihl= 5L
  tos= 0x0
  len= 100
  id= 15
  flags=
  frag= 0L
  ttl= 253
  proto= icmp
  chksum= 0x3826
  src= 192.168.1.8
  dst= 192.168.3.11
  options= ''
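Here is the same TTL decrement and checksum refresh done by hand, as an added example that is not part of the original post, so the scapy answer can be verified without scapy. It shows both the full recompute (RFC 791) and the incremental update a router actually applies (RFC 1624); the two must agree.

```python
# Added example, not from the original post: IPv4 header checksum
# recomputed for the challenge header, first from scratch (RFC 791),
# then with the incremental update used on TTL decrement (RFC 1624).
import struct

# The 20-byte header from the challenge above.
CHALLENGE_HEADER = bytes.fromhex("45000064000f0000fe013726c0a80108c0a8030b")


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum of the 16-bit words, checksum field zeroed."""
    hdr = bytearray(header)
    hdr[10:12] = b"\x00\x00"          # checksum field is bytes 10-11
    if len(hdr) % 2:                  # odd length: pad the last word
        hdr.append(0)
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), bytes(hdr)))
    while total >> 16:                # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def checksum_ok(header: bytes) -> bool:
    """A header verifies when its stored checksum equals the recomputed one."""
    return struct.unpack_from("!H", header, 10)[0] == ipv4_checksum(header)


def decrement_ttl_full(header: bytes) -> bytes:
    """What the next hop does: TTL-1, then checksum recomputed from scratch."""
    hdr = bytearray(header)
    if hdr[8] == 0:
        raise ValueError("TTL already 0: packet is dropped, not forwarded")
    hdr[8] -= 1                       # TTL is byte 8
    struct.pack_into("!H", hdr, 10, ipv4_checksum(bytes(hdr)))
    return bytes(hdr)


def decrement_ttl_incremental(header: bytes) -> bytes:
    """RFC 1624 update: HC' = ~(~HC + ~m + m'), m = old TTL/proto word."""
    hdr = bytearray(header)
    if hdr[8] == 0:
        raise ValueError("TTL already 0: packet is dropped, not forwarded")
    hc = struct.unpack_from("!H", hdr, 10)[0]
    m = struct.unpack_from("!H", hdr, 8)[0]
    hdr[8] -= 1
    m_new = struct.unpack_from("!H", hdr, 8)[0]
    total = (~hc & 0xFFFF) + (~m & 0xFFFF) + m_new
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    struct.pack_into("!H", hdr, 10, (~total) & 0xFFFF)
    return bytes(hdr)
```

Decrementing the TTL only lowers the TTL/protocol word by 0x100, which is why the checksum moves from 0x3726 to 0x3826 and nothing else in the header changes.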
OpenBSD 4.7 goodies and Cisco
Meat and goodies:
OpenBSD and Cizcoeee:

OpenBSD 4.7's official release date is 19 May 2010, but it is already available for pre-order.
Big LAN and ARP broadcast
Sometimes a network suffers from a very BAD design (such as a large L2 domain).
In this situation, some (normal) network behaviour is more visible than it would be if the network had had a better designer.
The reason for the bad design is often historical, OR the hired consultant dislikes the company he works for and ships them a bad design :D
One visible phenomenon occurs when many hosts populate the ARP caches and the local table overflows. The default ARP cache sizing on Linux (and every other OS) is not suited to badly designed networks.
It results in broadcast storms that kill network performance. Another side effect that doubles the damage is when you have configured a broadcast rate-limiter. This feature can kill ARP broadcasts and make the packets dance ... dance again and again through your L2 network.
To fix the network, you must go in two directions:
- re-think your broadcast rate-limiter (in some network devices it's done automatically without configuration! don't trust the vendor pre-sales in his well-fitted suit, trust the packets!)
- adjust the ARP cache and garbage-collector settings on your end hosts, and adjust the CAM ageing time on your transit L2 devices. For Linux, you can go with these parameters (gc_thresh1 <= gc_thresh2 <= gc_thresh3 must hold):
# plain "sudo echo ... >> /etc/sysctl.conf" fails: the redirection runs in your
# unprivileged shell, so append through tee instead
$ echo 'net.ipv4.neigh.default.gc_thresh3 = 4096' | sudo tee -a /etc/sysctl.conf
$ echo 'net.ipv4.neigh.default.gc_thresh2 = 2048' | sudo tee -a /etc/sysctl.conf
$ echo 'net.ipv4.neigh.default.gc_thresh1 = 1024' | sudo tee -a /etc/sysctl.conf
$ sudo sysctl -p
Et voilà!
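To see whether the tuning above is enough, here is an added check (not from the original post) that compares the neighbour table occupancy of a Linux host with its gc_thresh* limits. It parses plain `sysctl` and `ip -4 neigh show` output; the samples embedded below are constructed, not captured from a real host.

```python
# Added example, not from the original post: compare Linux IPv4 neighbour
# table occupancy with the gc_thresh* limits it was tuned with.
# Both inputs are parsed from plain command output; the samples are
# constructed, not captured from a real host.
import re
from collections import Counter

# Constructed output of: sysctl net.ipv4.neigh.default
SYSCTL_SAMPLE = """\
net.ipv4.neigh.default.gc_thresh1 = 1024
net.ipv4.neigh.default.gc_thresh2 = 2048
net.ipv4.neigh.default.gc_thresh3 = 4096
"""

# Constructed output of: ip -4 neigh show   (NUD state is the last token)
NEIGH_SAMPLE = """\
192.168.1.1 dev eth0 lladdr 00:11:22:33:44:01 REACHABLE
192.168.1.2 dev eth0 lladdr 00:11:22:33:44:02 STALE
192.168.1.3 dev eth0 lladdr 00:11:22:33:44:03 DELAY
192.168.1.4 dev eth0  FAILED
192.168.1.5 dev eth0  INCOMPLETE
"""

def parse_thresholds(sysctl_text: str) -> dict:
    """Return {'thresh1': n, 'thresh2': n, 'thresh3': n}; reject bad ordering."""
    th = {m.group(1): int(m.group(2))
          for m in re.finditer(r"gc_(thresh[123])\s*=\s*(\d+)", sysctl_text)}
    if not (th["thresh1"] <= th["thresh2"] <= th["thresh3"]):
        raise ValueError("gc_thresh1 <= gc_thresh2 <= gc_thresh3 required")
    return th

def neigh_states(neigh_text: str) -> Counter:
    """Count neighbour entries by state (REACHABLE, STALE, FAILED, ...)."""
    return Counter(line.split()[-1]
                   for line in neigh_text.splitlines() if line.strip())

def table_pressure(th: dict, states: Counter) -> str:
    """Below thresh1 nothing is purged; above thresh2 entries older than 5 s
    are purged; at thresh3 new entries are refused, and every unresolved
    neighbour then turns into repeated ARP broadcasts."""
    total = sum(states.values())
    if total >= th["thresh3"]:
        return "full"
    if total >= th["thresh2"]:
        return "aggressive-gc"
    if total >= th["thresh1"]:
        return "gc"
    return "ok"
```

A high FAILED or INCOMPLETE count together with "full" is the signature of the overflow described above; "ok" with lots of STALE entries is normal.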
Wireshark configuration for Check Point fw monitor
Here is how to set up Wireshark correctly so that fw monitor output reads nicely:
- Ctrl+Shift+P (opens Preferences)
- Protocols / Ethernet / Attempt to interpret as Firewall-1 monitor file
- Protocols / FW-1 / Monitor file includes UUID and Interface list includes chain position
- User Interface / Columns / Add : fw-1 chain|FW-1 monitor if/direction
- Apply preferences
- View / Coloring rules / New
- preIn / fw1.direction==i
- postIn / fw1.direction==I
- preOut / fw1.direction==o
- postOut / fw1.direction==O
Good luck!
802.3x prezo
Breaking the myth about 802.3x usage. Here is a public prezo I did for a customer.
Click here to download the prezo.
Table of contents:
- Do you really know Flow Control?
- 802.3x standard
- Places where you will find 802.3x
- Pause frames were created to defeat non-wire-rate switches
- Symmetric vs asymmetric 802.3x
- Asymmetric speeds connected to the same L2 device
- Flow control on trunk/etherchannel impact
- Where to use flow control
- (some) Cisco switches behavior
- Pause frames in wireshark
- 802.3x Black Hat
- 802.3x versus QoS
- Datacenter
- Ethernet over MPLS
- Operational tips
- Best practices summary
Enjoy …
Wireshark: extract HTTP objects from captured traffic
Looking for an elegant way to extract HTTP objects (images, JavaScript, ...) from a pcap file?
Open the pcap file in Wireshark, then click File => Export => Objects => HTTP.

802.3x blackhat pownage
Little leak from a future prezo for a customer:
802.3x flow control is a quick&dirty protocol. If you have physical access to install a hub anywhere on the network, or already have a victim host under control, it can lead to a massive Ethernet denial of service.
It's very easy to kill a network at layer 2 if a MITM position is possible and flow-control receive is on, by replaying pause frames with quanta 65535.
Impact:
No new flows can be created.
Existing connections break if the DoS lasts longer than the upper-layer timeouts.
Reply from 10.162.112.45: bytes=32 time<1ms TTL=255
Reply from 10.162.112.45: bytes=32 time<1ms TTL=255
Reply from 10.162.112.45: bytes=32 time<1ms TTL=255
Request timed out.
Request timed out.
Request timed out.
…
Request timed out.
Reply from 10.162.112.45: bytes=32 time=1729ms TTL=255 <-- Attack stopped
Reply from 10.162.112.45: bytes=32 time<1ms TTL=255
2960_lab_test#sh int flow | inc (Fa0/48|Port)
Port       Send FlowControl  Receive FlowControl  RxPause  TxPause
Fa0/48     Unsupp.  Unsupp.  on       on          385552   0
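The RxPause counter on that port is the defender's clue. As an added example (not from the original post), here is a check over `show interfaces flowcontrol` output: two constructed snapshots in the column layout shown above, and a function that flags ports where receive flow control is operational and the RxPause counter is climbing fast between snapshots.

```python
# Added example, not from the original post: detect ports absorbing a
# pause-frame flood from two `show interfaces flowcontrol` snapshots.
# The switch output below is constructed in the same column layout the
# post shows (Port, Send admin/oper, Receive admin/oper, RxPause, TxPause).
from typing import Dict, List, Tuple

SNAPSHOT_T0 = """\
Port       Send FlowControl  Receive FlowControl  RxPause TxPause
           admin    oper     admin    oper
---------  -------- -------- -------- --------    ------- -------
Fa0/1      Unsupp.  Unsupp.  off      off         0       0
Fa0/2      Unsupp.  Unsupp.  on       on          120     0
Fa0/48     Unsupp.  Unsupp.  on       on          12      0
"""

SNAPSHOT_T1 = """\
Port       Send FlowControl  Receive FlowControl  RxPause TxPause
           admin    oper     admin    oper
---------  -------- -------- -------- --------    ------- -------
Fa0/1      Unsupp.  Unsupp.  off      off         0       0
Fa0/2      Unsupp.  Unsupp.  on       on          121     0
Fa0/48     Unsupp.  Unsupp.  on       on          385552  0
"""

def parse_flowcontrol(text: str) -> Dict[str, Tuple[bool, int]]:
    """Map port -> (receive flow control operational?, RxPause counter)."""
    ports = {}
    for line in text.splitlines():
        f = line.split()
        # Data rows have 7 fields and a numeric RxPause column; the header,
        # the admin/oper line and the dashed rule do not.
        if len(f) == 7 and f[5].isdigit():
            ports[f[0]] = (f[4].lower() == "on", int(f[5]))
    return ports

def pause_storm_ports(before: Dict[str, Tuple[bool, int]],
                      after: Dict[str, Tuple[bool, int]],
                      min_delta: int = 1000) -> List[str]:
    """Ports with receive flow control on whose RxPause counter grew by at
    least min_delta between snapshots. The counter is cumulative, so the
    rate of growth, not the absolute value, is what indicates a flood."""
    flagged = []
    for port, (rx_on, n1) in after.items():
        n0 = before.get(port, (False, 0))[1]
        if rx_on and n1 - n0 >= min_delta:
            flagged.append(port)
    return flagged
```

Ports where receive flow control is not operational cannot be paused, so they are never flagged whatever the counter says; on the affected port, turning receive flow control off is the mitigation the counter points to.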
bought 3 pieces of spitfire wax
Clap! Clap! Clap! This morning I got this pop-up in Firefox to prevent the latest Java epic flaw: http://seclists.org/fulldisclosure/2010/Apr/119
ldpscapy
My last intern developed an MPLS LDP scapy layer.
You can find it here: http://savannah.nongnu.org/p/ldpscapy
Usage example:
LDP(id="10.2.1.2")/LDPHello(params=[180,1,1])/LDPInit(id=0x18,rid=rid)/LDPKeepAlive(id=0x19)
Yahoo! uses DNS wildcards
Impressive skating from Julien Cudot!
Google Chrome denies access but Firefox does not. The certificate should expire in 2012, or not.
Ntop listens on tcp6 (:::3000) and not on tcp under my Debian Linux setup