My spare time has been somewhat busy these past weeks

Because of:

  • Aggressive inline skating - My Salomon STI pro with Featherlite2 frames rolls again as the sunny days are back
  • A coding project in Python about network security. Currently 3476 lines and growing every day

Focus focus focus on the objectives

Happy Easter 2010! Roller Bunny

EDNS0 DNS PMTU

EDNS0 PMTU walk with dnsfunnel. Each output line is the server IP, the EDNS0 UDP buffer size advertised in the query, and the response time in seconds:

$ dnsfunnel -t A @c.dns.gandi.net packetfault.org

217.70.182.20   4096B   0.001536
217.70.182.20   2304B   0.001531
217.70.182.20   1408B   0.001587
217.70.182.20   960B    0.001484
217.70.182.20   736B    0.001468
217.70.182.20   624B    0.001484
217.70.182.20   568B    0.001468
217.70.182.20   540B    0.001444
217.70.182.20   526B    0.001635
217.70.182.20   519B    0.001489
217.70.182.20   515B    0.001459
217.70.182.20   513B    0.001616
217.70.182.20   512B    0.003511
217.70.182.20   4096B   0.001517
------------------------------------------------------------------------------------------
PMTU walking summary:
==========================================================================================
Name server        IP              Keys fit?  Small buffer  Largest buffer  Optimal buffer
------------------------------------------------------------------------------------------
c.dns.gandi.net.   217.70.182.20   yes        512           4096            121
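What the walk above is doing, as an added example (this is not dnsfunnel's code and not part of the original post): build DNS queries whose EDNS0 OPT pseudo-RR advertises a given UDP payload size, generate the descending size schedule, and run it against a constructed server-plus-path model in which the server truncates (TC=1) any answer larger than the advertised buffer and the path silently drops datagrams above a size limit, which is how a fragment-blocking middlebox looks from the client. The halving schedule is an assumption chosen because it reproduces the sizes in the dnsfunnel output; the 1300-byte answer and the 1232-byte path limit in the demo are made up.

```python
import struct

DNS_TYPE_A = 1
DNS_TYPE_OPT = 41


def encode_name(name):
    """Wire-encode a DNS name as length-prefixed labels terminated by the root label."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_edns_query(qname, bufsize, qtype=DNS_TYPE_A, txid=0x1234):
    """Build a UDP DNS query carrying an EDNS0 OPT pseudo-RR (RFC 6891).

    The requestor's UDP payload size is carried in the OPT record's CLASS field;
    the TTL field packs extended RCODE, EDNS version and the DO bit (all zero here).
    """
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)  # RD, 1 question, 1 additional
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)  # QCLASS IN
    opt = b"\x00" + struct.pack("!HHIH", DNS_TYPE_OPT, bufsize, 0, 0)  # root name, empty RDATA
    return header + question + opt


def advertised_bufsize(query):
    """Return the EDNS0 UDP payload size a query advertises (512 if it carries no OPT RR)."""
    _, _, qdcount, _, _, arcount = struct.unpack("!HHHHHH", query[:12])
    pos = 12
    for _ in range(qdcount):
        while query[pos] != 0:  # skip each label (no compression in a question name)
            pos += 1 + query[pos]
        pos += 1 + 4  # root label, QTYPE, QCLASS
    if arcount == 0:
        return 512
    rtype, rclass = struct.unpack("!HH", query[pos + 1:pos + 5])  # skip the root-name byte
    return rclass if rtype == DNS_TYPE_OPT else 512


def walk_schedule(start=4096, floor=512):
    """Descending probe sizes: each round halves (rounding up) the step toward the floor.

    Assumption: this reproduces the size sequence in the dnsfunnel output above;
    it is a reconstruction, not dnsfunnel's own algorithm.
    """
    sizes = [start]
    step = (start - floor) // 2
    cur = start
    while cur > floor:
        cur = max(floor, cur - step)
        sizes.append(cur)
        step = max(1, (step + 1) // 2)
    return sizes


def simulate_path(query, answer_len, path_limit):
    """Constructed stand-in for server + path (no network involved).

    The server truncates an answer larger than the advertised buffer; the path
    drops any datagram larger than path_limit, so the client sees a timeout.
    """
    bufsize = advertised_bufsize(query)
    sent = min(answer_len, bufsize)
    if sent > path_limit:
        return "timeout"
    return "tc" if answer_len > bufsize else "ok"


def pmtu_walk(qname, answer_len, path_limit):
    """Probe every size in the schedule; report what got through and what fit."""
    outcomes = {}
    for size in walk_schedule():
        outcomes[size] = simulate_path(build_edns_query(qname, size), answer_len, path_limit)
    reachable = [s for s, r in outcomes.items() if r != "timeout"]
    fitting = [s for s, r in outcomes.items() if r == "ok"]
    return {
        "outcomes": outcomes,
        "largest_reachable": max(reachable) if reachable else None,
        "smallest_fitting": min(fitting) if fitting else None,
    }


if __name__ == "__main__":
    # Constructed scenario: a 1300-byte answer behind a path that only passes 1232-byte datagrams.
    for size, outcome in pmtu_walk("packetfault.org", 1300, 1232)["outcomes"].items():
        print(f"{size:5d}B  {outcome}")
```

The demo scenario is the case the walk exists to expose: every probe above 960 bytes gets no answer at all, every probe of 960 bytes or less comes back truncated, so the resolver can only get that answer by falling back to TCP. Against a clean path the same walk reports the largest buffer that is reachable and the smallest one the answer still fits in.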

BGP ASN collision

Gem from the past:
% whois -h whois.ripe.net AS1712

aut-num:        AS1712
as-name:        FR-RENATER-ENST
descr:          Ecole Nationale Superieure des Telecommunications,
descr:          Paris, France.
descr:          FR

% whois -h whois.arin.net AS1712     

OrgName:    Twilight Communications 
City:       Wallis
StateProv:  TX
Country:    US

Oops!

The Great Firewall blocks the G DNS root server

The Great Firewall of China blocks the G root server

http://www.cymru.com/monitoring/dnssumm/index.html

Behavior caused by bad programming (or not)

Sometimes I play with Cisco IOS and stuff occurs despite my will…

A14-7206#dir nvram:
Directory of nvram:/

%Error calling getdents for nvram:/ (Device or resource busy)

129016 bytes total (111124 bytes free)

Astalavista… IOS!

6 stages of debugging: 1) can’t happen 2) doesn’t repro 3) shouldn’t happen 4) why is that happening? 5) I see! 6) How did that ever work?

FX

whois AS number

$ whois AS23724

Don't play with this AS! It's EVIL!

python debuggers

A list of Python debuggers I found with my google-fu:

pdb (pdb.set_trace), pydb, winpdb, gdb (pystack, for debugging the Python interpreter itself), ddd

python pdb is your friend

Yo! Python debugger pdb in da place for handling the npeid issue.

Little debugger but helpful :)

imhidden@Networker:/home/hidden# ./npeid.py
> /home/hidden/npeid.py(18)handleTcpStream()
-> toserver = tcp.server.data[:tcp.server.count]
(Pdb) n
> /home/hidden/npeid.py(19)handleTcpStream()
-> toclient = tcp.client.data[:tcp.client.count]
(Pdb) n
> /home/hidden/npeid.py(20)handleTcpStream()
-> ((src, sport), (dst, dport)) = tcp.addr
(Pdb) n
> /home/hidden/npeid.py(21)handleTcpStream()
-> scan_tcp_body = None
(Pdb) n
> /home/hidden/npeid.py(22)handleTcpStream()
-> proto = None
(Pdb) n
> /home/hidden/npeid.py(23)handleTcpStream()
-> if dport in (80, 8000, 8080):
(Pdb) n
> /home/hidden/npeid.py(24)handleTcpStream()
-> proto = "HTTP"
(Pdb) n
> /home/hidden/npeid.py(25)handleTcpStream()
-> header_len = toclient.find('\r\n\r\n')
(Pdb) n
> /home/hidden/npeid.py(26)handleTcpStream()
-> get_request = toserver.split('\n')[0][:-1]
(Pdb) n
> /home/hidden/npeid.py(27)handleTcpStream()
-> host = toserver.split('\n')[1][:-1]
(Pdb) n
IndexError: 'list index out of range'
> /home/hidden/npeid.py(27)handleTcpStream()
-> host = toserver.split('\n')[1][:-1]
(Pdb) n
--Return--
> /home/hidden/npeid.py(27)handleTcpStream()->None
-> host = toserver.split('\n')[1][:-1]
(Pdb) n
IndexError: 'list index out of range'
> /home/hidden/npeid.py(70)main()
-> nids.run()
(Pdb) n
> /home/hidden/npeid.py(71)main()
-> except nids.error, e:
(Pdb) n
> /home/hidden/npeid.py(73)main()
-> except KeyboardInterrupt:
(Pdb) n
> /home/hidden/npeid.py(76)main()
-> except Exception, e:
(Pdb) n
> /home/hidden/npeid.py(77)main()
-> print sys.exc_info()
(Pdb) n
(<type 'exceptions.IndexError'>, IndexError('list index out of range',), <traceback object at 0x873b7d4>)
--Return--
> /home/hidden/npeid.py(77)main()->None
-> print sys.exc_info()
(Pdb) n
--Return--
> /home/hidden/npeid.py(80)<module>()->None
-> main()
(Pdb) n

Oh yeaaah! Damn line number 27! After fixing:

1mh1dd3n@Networker:/home/h1dd3n# ./npeid.py
> /home/h1dd3n/npeid.py(18)handleTcpStream()
-> toserver = tcp.server.data[:tcp.server.count]
(Pdb) n
> /home/h1dd3n/npeid.py(19)handleTcpStream()
-> toclient = tcp.client.data[:tcp.client.count]
(Pdb) c
> /home/h1dd3n/npeid.py(18)handleTcpStream()
-> toserver = tcp.server.data[:tcp.server.count]
(Pdb) c
> /home/h1dd3n/npeid.py(18)handleTcpStream()
-> toserver = tcp.server.data[:tcp.server.count]
(Pdb) n
> /home/h1dd3n/npeid.py(19)handleTcpStream()
-> toclient = tcp.client.data[:tcp.client.count]
(Pdb) n
> /home/h1dd3n/npeid.py(20)handleTcpStream()
-> ((src, sport), (dst, dport)) = tcp.addr
(Pdb) n
> /home/h1dd3n/npeid.py(21)handleTcpStream()
-> scan_tcp_body = None
(Pdb) n
> /home/h1dd3n/npeid.py(22)handleTcpStream()
-> proto = None
(Pdb) n
> /home/h1dd3n/npeid.py(23)handleTcpStream()
-> if dport in (80, 8000, 8080):
(Pdb) n
> /home/h1dd3n/npeid.py(24)handleTcpStream()
-> proto = "HTTP"
(Pdb) n
> /home/h1dd3n/npeid.py(25)handleTcpStream()
-> header_len = toclient.find('\r\n\r\n')
(Pdb) n
> /home/h1dd3n/npeid.py(26)handleTcpStream()
-> get_request = toserver.split('\n')[0][:-1]
(Pdb) n
> /home/h1dd3n/npeid.py(27)handleTcpStream()
-> host = toserver.split('\n')[0][:-1]
(Pdb) n
> /home/h1dd3n/npeid.py(28)handleTcpStream()
-> print "%s" % str(get_request)
(Pdb) n
> /home/h1dd3n/npeid.py(29)handleTcpStream()
-> print "%s" % str(host)
(Pdb) n
> /home/h1dd3n/npeid.py(30)handleTcpStream()
-> try:
(Pdb) n
> /home/h1dd3n/npeid.py(31)handleTcpStream()
-> gzip_data = toclient[header_len+4:]
(Pdb) n
> /home/h1dd3n/npeid.py(32)handleTcpStream()
-> gzip_data = StringIO.StringIO(gzip_data)
(Pdb) n
> /home/h1dd3n/npeid.py(33)handleTcpStream()
-> gzipper = gzip.GzipFile(fileobj=gzip_data)
(Pdb) n
> /home/h1dd3n/npeid.py(34)handleTcpStream()
-> scan_tcp_body = gzipper.read()
(Pdb) n
> /home/h1dd3n/npeid.py(40)handleTcpStream()
-> if scan_tcp_body.startswith('MZ'):
(Pdb) n
--Return--
> /home/h1dd3n/npeid.py(40)handleTcpStream()->None
-> if scan_tcp_body.startswith('MZ'):
(Pdb) n
--Call--
> /home/h1dd3n/npeid.py(7)handleTcpStream()
-> def handleTcpStream(tcp):
(Pdb) n
> /home/h1dd3n/npeid.py(9)handleTcpStream()
-> if tcp.nids_state == nids.NIDS_JUST_EST:
(Pdb) n
> /home/h1dd3n/npeid.py(10)handleTcpStream()
-> ((src, sport), (dst, dport)) = tcp.addr
(Pdb) n
> /home/h1dd3n/npeid.py(11)handleTcpStream()
-> if dport in (80, 8000, 8080) or sport == 20:
(Pdb) n
> /home/h1dd3n/npeid.py(12)handleTcpStream()
-> tcp.client.collect = 1
(Pdb) n
> /home/h1dd3n/npeid.py(13)handleTcpStream()
-> tcp.server.collect = 1
(Pdb) n
--Return--
> /home/h1dd3n/npeid.py(13)handleTcpStream()->None
-> tcp.server.collect = 1
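The IndexError in the first session comes from `toserver.split('\n')[1]` on collected data that contained no newline at all, and the trace shows the exception leaving the libnids callback and ending the run in main(): a sniffer written that way stops on the first one-line request it sees. The session's fix reads index 0 for host, the same line get_request already holds. Below is an added example, not code from npeid.py or from pynids, of the same inspection logic written so that short, partial or malformed data yields "unknown" instead of an exception: the Host header is found by name, the response is only decoded once its header block is complete, and a corrupt or truncated gzip body is reported as undecodable. It is Python 3 over plain byte strings (toserver standing in for tcp.server.data, toclient for tcp.client.data), so it runs without libnids; all sample streams are constructed.

```python
import gzip
import io


def split_http_message(data):
    """Split raw HTTP bytes into (start_line, headers, body, complete).

    complete is False while the blank line ending the header block has not
    arrived; callers must then wait for more data instead of indexing lines
    that are not there yet. Header names are lower-cased for lookup.
    """
    head, sep, body = data.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        if colon:
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body, bool(sep)


def inspect_http_stream(toserver, toclient):
    """Defensive version of the page's handleTcpStream body, on plain byte strings.

    toserver is the client->server stream, toclient the server->client stream.
    Every finding is None when the data it needs is missing or malformed, so no
    input can raise out of this function and kill the capture loop.
    """
    finding = {"request": None, "host": None, "pe_in_body": None}
    if not toserver:
        return finding
    request_line, req_headers, _, _ = split_http_message(toserver)
    finding["request"] = request_line or None
    finding["host"] = req_headers.get(b"host")  # None when the client sent no Host header

    if not toclient:
        return finding
    _, resp_headers, body, complete = split_http_message(toclient)
    if not complete:
        return finding  # response headers still in flight
    if resp_headers.get(b"content-encoding", b"").lower() == b"gzip":
        try:
            body = gzip.GzipFile(fileobj=io.BytesIO(body)).read()
        except (OSError, EOFError):  # corrupt, or still truncated, gzip stream
            return finding
    finding["pe_in_body"] = body.startswith(b"MZ")  # DOS/PE header magic
    return finding


# Constructed sample streams (not captured traffic).
REQUEST_OK = b"GET /index.html HTTP/1.1\r\nHost: packetfault.org\r\n\r\n"
REQUEST_ONE_LINE = b"GET / HTTP/1.0"  # no newline at all: the input that crashed npeid.py
PE_BODY_GZ = gzip.compress(b"MZ\x90\x00" + b"\x00" * 60)
RESPONSE_PE = b"HTTP/1.1 200 OK\r\nContent-Encoding: gzip\r\n\r\n" + PE_BODY_GZ
RESPONSE_CUT = RESPONSE_PE[:-8]  # gzip CRC32/ISIZE trailer missing, as in a cut-off capture

if __name__ == "__main__":
    for req, resp in ((REQUEST_OK, RESPONSE_PE), (REQUEST_ONE_LINE, b""), (REQUEST_OK, RESPONSE_CUT)):
        print(inspect_http_stream(req, resp))
```

Inside a real pynids callback the same function would be called on `tcp.server.data[:tcp.server.count]` and `tcp.client.data[:tcp.client.count]`, and any exception it still managed to raise should be caught around the call rather than left to unwind through nids.run().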

How to reset Internet Protocol (TCP/IP)

VMWARE virtual networking concepts

tcp timestamps

TCP timestamps notes:

  • RFC 1323 (TCP Extensions for High Performance)
  • Timestamps: TSval 4125101209, TSecr 0 (SYN)
  • Timestamps: TSval 15477599, TSecr 4125101209 (SYN/ACK)
  • No timestamps on RST packets (Linux 2.6.31 stack)
  • No timestamps on SYN and SYN/ACK (Windows … needs to be tested with Win7)
  • Bad: taking a single RTT measurement per window is only acceptable when the window is small; with large windows it introduces "aliasing" artifacts into the estimated RTT. Timestamps must be used on all segments
  • Carried as a TCP option (kind 8, length 10: 4-byte TSval, 4-byte TSecr)
  • The Linux 2.6.31 stack appears not to start the timestamp counter when the PC boots (3 hours of delay during my testing)
  • TCP timestamps can be the cause of slow network application issues
  • About TCP timestamp generation (not covered by RFC 1323): http://tools.ietf.org/html/draft-gont-tcpm-tcp-timestamps-03
  • disect (TCP timestamp covert channel): http://www.mit.edu/~gif/covert-channel/src/
  • Arbitrary TCP ISN timestamps: http://lkml.org/lkml/2008/2/15/244
  • TCP timestamps can give false results under Linux when SYN cookies are enabled (the kernel encodes option data in the TSval of the SYN/ACK)
  • If more than one TSval is received before one is echoed back:
    • delayed ACK (which must be less than 0.5 s): echo the first TSval received, i.e. that of the earliest unacknowledged segment
    • ACK for an out-of-order segment (hole after loss or reordering): echo the TSval of the last in-sequence segment, not that of the segment beyond the hole

to be completed
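Two things from the notes above, as an added example (not from the page and not from any of the linked tools): decoding the timestamp option out of a TCP options block, and estimating the sender's timestamp clock rate from a few (capture time, TSval) samples, which is what remote-uptime and NAT-host-counting tricks rest on. The option bytes are constructed to carry the SYN values quoted in the notes (TSval 4125101209, TSecr 0) next to MSS, SACK-permitted and window scale; the timing samples are made up and wrap the 32-bit counter on purpose. The observation in the notes that the counter did not start at boot is why the last function is called "apparent" uptime.

```python
import struct

TCPOPT_EOL, TCPOPT_NOP, TCPOPT_MSS, TCPOPT_WSCALE, TCPOPT_SACK_OK, TCPOPT_TIMESTAMP = 0, 1, 2, 3, 4, 8


def parse_tcp_options(opts):
    """Decode a TCP options block (the bytes after the 20-byte fixed header).

    Timestamps (RFC 1323, kind 8, length 10) come back as (TSval, TSecr).
    A bad length stops parsing instead of raising, so a crafted segment cannot
    crash the caller.
    """
    out = {}
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == TCPOPT_EOL:
            break
        if kind == TCPOPT_NOP:
            i += 1
            continue
        if i + 1 >= len(opts):
            break
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            break  # truncated or bogus option length
        body = opts[i + 2:i + length]
        if kind == TCPOPT_MSS and length == 4:
            out["mss"] = struct.unpack("!H", body)[0]
        elif kind == TCPOPT_WSCALE and length == 3:
            out["wscale"] = body[0]
        elif kind == TCPOPT_SACK_OK and length == 2:
            out["sack_ok"] = True
        elif kind == TCPOPT_TIMESTAMP and length == 10:
            out["timestamps"] = struct.unpack("!II", body)
        i += length
    return out


def estimate_ts_clock_hz(samples):
    """Least-squares slope of TSval over capture time: the sender's timestamp clock in Hz.

    samples: [(capture_time_seconds, tsval), ...] from one host, at least two, in order.
    TSval is a 32-bit counter, so deltas are taken modulo 2**32 from the first sample.
    """
    t0, v0 = samples[0]
    xs = [t - t0 for t, _ in samples]
    ys = [(v - v0) % 2**32 for _, v in samples]
    n = len(samples)
    mx, my = sum(xs) / n, sum(ys) / n
    sxx = sum((x - mx) ** 2 for x in xs)
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    return sxy / sxx


def apparent_uptime_seconds(tsval, hz):
    """TSval / Hz is a real uptime only if the counter started at zero at boot, which is not guaranteed."""
    return tsval / hz


# Constructed option block for a SYN: MSS 1460, SACK permitted, timestamps
# (TSval 4125101209, TSecr 0, the values from the notes above), NOP, window scale 7.
SYN_OPTIONS = (b"\x02\x04\x05\xb4" + b"\x04\x02"
               + b"\x08\x0a" + struct.pack("!II", 4125101209, 0)
               + b"\x01" + b"\x03\x03\x07")

# Constructed capture: TSval advancing 1000 ticks per second, wrapping past 2**32.
SAMPLES = [(0.0, 2**32 - 1500), (1.0, 2**32 - 500), (2.0, 500), (3.0, 1500)]

if __name__ == "__main__":
    print(parse_tcp_options(SYN_OPTIONS))
    hz = estimate_ts_clock_hz(SAMPLES)
    print(hz, "Hz;", apparent_uptime_seconds(4125101209, hz) / 86400, "apparent days up")
```

The fit needs samples from the same host over a few seconds at least; one packet tells you nothing about the rate, and two hosts behind the same NAT show up as two TSval lines with different offsets, which is the host-counting use.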

traceroute nanog version

Determine route of packets in TCP/IP networks (NANOG variant)
This is the traceroute program maintained by Ehud Gavron. It is based on
the Van Jacobson/BSD traceroute and has additional features like AS lookup,
TOS support, microsecond timestamps, path MTU discovery, parallel probing
and others. The NANOG traceroute upstream FTP archive can be found at
ftp://ftp.login.com/pub/software/traceroute/

pello@Networker:~$ sudo traceroute-nanog -uAOP www.dailymotion.com
traceroute to www.dailymotion.com (195.8.215.139), 64 hops max, 40 byte packets
1  192.168.0.254 (192.168.0.254) [AS7531] nobody@invalid  28.513 ms  28.509 ms  28.514 ms
2  78.238.158.254 (78.238.158.254) [AS12322] hostmaster@proxad.net  71.040 ms  71.050 ms  71.054 ms
3  * * *
4  th2-crs16-1-be1104.intf.routers.proxad.net (212.27.56.153) [AS12322] hostmaster@proxad.net  71.328 ms  71.577 ms  71.854 ms
5  free-pni2.xe3-0-0.th2.par.as8218.eu (212.27.40.82) [AS12322] hostmaster@proxad.net  71.862 ms  72.079 ms  72.506 ms
6  xe2-2-0.tcr1.gs.par.as8218.eu (83.167.56.176) [AS8218] support@neotelecoms.com  72.755 ms  73.051 ms  73.477 ms
7  * * *
8  v204.dist-02.std.dailymotion.com (195.8.214.165) [AS41690] hostmaster@dailymotion.com  73.742 ms  73.986 ms  73.990 ms
www.dailymotion.com (195.8.215.139) [AS41690] hostmaster@dailymotion.com  74.464 ms  74.254 ms  74.650 ms
pello@Networker:~$
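Added example, not part of the NANOG traceroute package or of this post: a parser for the `-A` output above that turns the hop list into the sequence of ASes the path crosses and lists the hops that stayed silent. It handles the extra responder line traceroute prints without a hop number when probes for one TTL are answered by two addresses (hop 8 above). The sample input is the run above, embedded verbatim.

```python
import re

# One responder line: optional hop number, host, (ip), [ASn], contact, then the RTTs.
HOP_RE = re.compile(
    r"^(?:\s*(?P<hop>\d+)\s+)?(?P<host>\S+)\s+\((?P<ip>[\d.]+)\)\s+"
    r"\[AS(?P<asn>\d+)\]\s+(?P<contact>\S+)\s+(?P<rtts>.*)$"
)
SILENT_RE = re.compile(r"^\s*(?P<hop>\d+)\s+\*")
RTT_RE = re.compile(r"([\d.]+)\s+ms")


def parse_nanog_traceroute(text):
    """Parse traceroute-nanog -A output into [{"hop": n, "responses": [...]}, ...].

    A hop carries several responders when probes for the same TTL were answered
    by different addresses; traceroute prints the extra responder on its own line
    without a hop number. Silent hops ("* * *") get an empty response list.
    """
    hops, current = [], None
    for line in text.splitlines():
        m = SILENT_RE.match(line)
        if m:
            current = {"hop": int(m.group("hop")), "responses": []}
            hops.append(current)
            continue
        m = HOP_RE.match(line)
        if not m:
            continue  # banner, shell prompt, or a line format we do not handle
        if m.group("hop") is not None:
            current = {"hop": int(m.group("hop")), "responses": []}
            hops.append(current)
        elif current is None:
            continue  # continuation line before any hop: ignore
        current["responses"].append({
            "host": m.group("host"),
            "ip": m.group("ip"),
            "asn": int(m.group("asn")),
            "contact": m.group("contact"),
            "rtt_ms": [float(x) for x in RTT_RE.findall(m.group("rtts"))],
        })
    return hops


def as_path(hops):
    """Sequence of ASNs traversed, consecutive duplicates collapsed, silent hops skipped."""
    path = []
    for hop in hops:
        for r in hop["responses"]:
            if not path or path[-1] != r["asn"]:
                path.append(r["asn"])
    return path


def silent_hops(hops):
    """Hop numbers that answered none of the probes."""
    return [h["hop"] for h in hops if not h["responses"]]


# The run shown above, copied verbatim as sample input.
SAMPLE = """traceroute to www.dailymotion.com (195.8.215.139), 64 hops max, 40 byte packets
1  192.168.0.254 (192.168.0.254) [AS7531] nobody@invalid  28.513 ms  28.509 ms  28.514 ms
2  78.238.158.254 (78.238.158.254) [AS12322] hostmaster@proxad.net  71.040 ms  71.050 ms  71.054 ms
3  * * *
4  th2-crs16-1-be1104.intf.routers.proxad.net (212.27.56.153) [AS12322] hostmaster@proxad.net  71.328 ms  71.577 ms  71.854 ms
5  free-pni2.xe3-0-0.th2.par.as8218.eu (212.27.40.82) [AS12322] hostmaster@proxad.net  71.862 ms  72.079 ms  72.506 ms
6  xe2-2-0.tcr1.gs.par.as8218.eu (83.167.56.176) [AS8218] support@neotelecoms.com  72.755 ms  73.051 ms  73.477 ms
7  * * *
8  v204.dist-02.std.dailymotion.com (195.8.214.165) [AS41690] hostmaster@dailymotion.com  73.742 ms  73.986 ms  73.990 ms
www.dailymotion.com (195.8.215.139) [AS41690] hostmaster@dailymotion.com  74.464 ms  74.254 ms  74.650 ms
"""

if __name__ == "__main__":
    hops = parse_nanog_traceroute(SAMPLE)
    print("AS path:", as_path(hops), "silent hops:", silent_hops(hops))
```

A silent hop between two responders in the same AS (hop 3 here) does not change the AS path, but a silent hop between two different ASes hides where the hand-off happens, so the parser keeps the hop numbers rather than dropping them.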