Archive for the 'Networking' Category

Anycast

I’d never heard of anycast until I read Mark Jeftovic’s post today. Seems that my DNS host uses anycast to improve their resiliency to DDoS attacks.

Essentially you have multiple hosts on the public internet advertising the same routable IP address, and you let the ordinary routing protocols steer each client to the nearest one. Because a route change mid-session can silently send later packets to a different host, this is really only suitable for stateless, connectionless protocols like DNS. Neat stuff.

More details can of course be found at the usual repository of all human knowledge.

HTTP Speculative Response?

Seems like a cursory analysis of the newyorktimes.com web server would show a high correlation between GET requests for index.html and a whole bunch of images, etc.

If every request for index.html strongly predicts a request for foo.jpg, why not just send them both together?

Or do they already do this?

WiFi “Standards”

I just downgraded my access point from WPA2-PSK/CCMP+TKIP to WPA1-PSK/TKIP. This was the only way I could satisfy my MacBooks, PCI WiFi cards, and Airport Expresses. Grrr. I want my Saturday morning back.

If the best thing about standards is that there are so many to choose from, the next best thing is that there are so many (incompatible) ways to implement whichever one you pick.

BitTorrent Horks My DSL

Whenever my wife uses BitTorrent, I immediately notice increased network latency. Web browsing and other interactive sessions begin to suck. I’ve tried some simple traffic shaping, but it did not really help.

I know that most BT clients have built-in limit settings, but these don’t seem to help much either. They attempt to limit the amount of bandwidth used by the client, but my problem is clearly one of latency. Additionally, this does not scale. I want to solve this problem once, in one place.

I’m considering some layer-7 stuff to identify BT traffic and give it a low priority. Encrypted BT would be a problem here. The deep packet inspection would also require a lot of horsepower — perhaps more than I have.

But the bigger problem is that I feel scummy about it. How will I ever argue Net Neutrality again? Anyway, I don’t really want to look in the damn packets — I just want the network to remain usable.

So, with apologies to jwz:

Dear Lazyweb,

How the hell do you use BitTorrent without killing your network?

Netfilter’s SAME Target

My awesome ISP has given me a /29 block of IP addresses. Yesterday, I decided to try SNAT’ing out all of them. My first attempt:

iptables -t nat -A POSTROUTING -o $EXT_PPPOE -j SNAT --to-source 1.2.3.17-1.2.3.22

According to the docs, netfilter should round-robin through the 6 addresses. I visited a few of those “What’s my IP address?” web sites and got a few different answers. So far, so good.

After a few hours, however, it became obvious that something was wrong. Apparently the round-robin is done per-connection, and thus it can break any protocol which expects multiple connections from a single host to have a single IP.

(For instance, I couldn’t connect to AIM reliably. Turns out that, in order to connect to AIM you must make two connections. First to an authorization server where you then receive a token for use on the 2nd connection. The token seems only to be good for a certain IP address. So 1/6th of the time I would get lucky, draw the same IP twice, and AIM would connect. Otherwise, no dice.)

Thanks to the helpful fellas on irc.freenode.net #netfilter, I learned about the SAME target:

…the SAME target will try to always use the same outgoing IP address for all connections initiated by a single host on your network.

Now that sounds perfect. So I made the following change:

iptables -t nat -A POSTROUTING -o $EXT_PPPOE -j SAME --to 1.2.3.17-1.2.3.22 --nodst

Now everything works great. Visiting one of the “What’s my IP” sites gives different answers from different hosts, but always the same answer for a specific host. Sweet!

Update 4/17/2008:
Looks like the SAME target is obsolete and removed from kernel 2.6.25. I guess the SNAT target does what I want now. I’ll find out for sure when the gaping security hole is discovered and I’m forced to upgrade my kernel, heh.
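To make the per-connection versus per-host difference concrete, here is an added model (mine, not the post’s or the kernel’s code) of the two NAT behaviours and of a two-step login like the one described above. The round-robin class stands in for SNAT over a range; the SAME class uses a SHA-256 slice as a stand-in for the kernel’s own selection arithmetic, and shows why --nodst matters: without it the destination is mixed into the choice, so one client can still be handed different addresses towards the auth server and the session server. Server names and the 192.168.0.x background hosts are constructed. For what it is worth, current iptables exposes the same per-source behaviour through the SNAT target’s --persistent flag, which replaced SAME.

```python
"""Why per-connection SNAT over an address range breaks a two-connection login,
and why the SAME target's per-source choice (with --nodst) fixes it.  Added
model, not kernel code: a SHA-256 slice stands in for the kernel's own
address-selection arithmetic."""
import hashlib
import random

# The post's six-address range 1.2.3.17-1.2.3.22.
POOL = [f"1.2.3.{last}" for last in range(17, 23)]


class RoundRobinSnat:
    """Models `-j SNAT --to-source 1.2.3.17-1.2.3.22`: each new connection,
    from any internal host, takes the next address in the range."""

    def __init__(self, pool):
        self.pool = pool
        self.next_index = 0

    def pick(self, src, dst):
        addr = self.pool[self.next_index % len(self.pool)]
        self.next_index += 1
        return addr


class SameSnat:
    """Models `-j SAME --to 1.2.3.17-1.2.3.22`: the address is a deterministic
    function of the internal source.  Without `--nodst` the destination is
    mixed in too, so one client can still be given different addresses
    towards different servers."""

    def __init__(self, pool, nodst=True):
        self.pool = pool
        self.nodst = nodst

    def pick(self, src, dst):
        key = src if self.nodst else f"{src}|{dst}"
        digest = hashlib.sha256(key.encode()).digest()
        return self.pool[int.from_bytes(digest[:4], "big") % len(self.pool)]


# Constructed stand-ins for the two servers in the post's two-step login.
AUTH_SERVER = "auth.example.net"
SESSION_SERVER = "session.example.net"


def two_step_login(nat, client, background):
    """One login attempt.  The token from the auth server is only valid from
    the public address that server saw; `background` connections from other
    LAN hosts (constructed 192.168.0.100+) pass through the NAT in between."""
    token_ip = nat.pick(client, AUTH_SERVER)
    for i in range(background):
        nat.pick(f"192.168.0.{100 + i % 50}", "www.example.com")
    return nat.pick(client, SESSION_SERVER) == token_ip


def login_success_rate(nat, client, trials, seed=1):
    """Fraction of logins that succeed when 0-11 background connections
    interleave at random.  Round-robin lands on the same address only when
    (background + 1) is a multiple of 6, i.e. about 1/6 of the time, which
    is the "1/6th of the time" the post observed."""
    rng = random.Random(seed)
    ok = sum(two_step_login(nat, client, rng.randrange(12)) for _ in range(trials))
    return ok / trials


if __name__ == "__main__":
    client = "192.168.0.10"
    print("SNAT range   :", login_success_rate(RoundRobinSnat(POOL), client, 6000))
    print("SAME --nodst :", login_success_rate(SameSnat(POOL), client, 6000))
    print("SAME         :", login_success_rate(SameSnat(POOL, nodst=False), client, 6000))
```

The last line of the script is the interesting one: without --nodst a given client either always succeeds or always fails, depending on whether its two destinations happen to hash to the same address, which is exactly the kind of "works for my neighbour, not for me" bug that is hard to reason about from a packet capture.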

Are You Being DoS’d?

My network connection was “teh suck” all weekend until I did this:

iptables -A INPUT -s 212.17.87.173 -j DROP

Who, you might ask, is 212.17.87.173? I have no freaking clue, except that he’s Austrian and really loves photos of my wedding. It was harder to diagnose this problem than you might expect. Apache apparently writes its access.log after a request has completed. Thank god for netstat, or I might never have figured this one out.

Thanks to the oh-so-typically-condescending folks on freenode #apache, I’ve enabled mod_status with ExtendedStatus On, so that I can view HTTP requests in-flight.
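Since netstat was what cracked this, here is an added script (mine, not from the post) that does the netstat part of the diagnosis automatically: it counts in-flight TCP connections to port 80 per remote address and flags any peer holding an unusual number of them. The sample output is constructed; it uses the post’s own addresses (66.114.146.48 as the local host, 212.17.87.173 as the busy visitor) and made-up peers from the documentation ranges.

```python
"""Count in-flight TCP connections per remote address from `netstat -tn`
output and flag the outliers.  Added illustration, not from the post."""
from collections import Counter

# Constructed `netstat -tn` sample: local address is the post's 66.114.146.48,
# the busy peer is the post's 212.17.87.173; the other peers are made up.
NETSTAT_SAMPLE = "\n".join(
    ["Proto Recv-Q Send-Q Local Address           Foreign Address         State"]
    + [f"tcp        0      0 66.114.146.48:80        212.17.87.173:{53400 + i}     ESTABLISHED"
       for i in range(8)]
    + [
        "tcp        0      0 66.114.146.48:80        198.51.100.7:61010      ESTABLISHED",
        "tcp        0      0 66.114.146.48:80        198.51.100.7:61011      TIME_WAIT",
        "tcp        0      0 66.114.146.48:22        192.168.0.5:40211       ESTABLISHED",
    ]
)

# States that tie up an Apache worker; TIME_WAIT sockets cost nothing upstairs.
ACTIVE_STATES = ("ESTABLISHED", "SYN_RECV")


def connections_per_peer(netstat_text, local_port=80, states=ACTIVE_STATES):
    """Map remote IP -> number of active connections to `local_port`."""
    counts = Counter()
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) != 6 or fields[0] not in ("tcp", "tcp6"):
            continue  # header line, or something we don't understand
        local, foreign, state = fields[3], fields[4], fields[5]
        if local.rsplit(":", 1)[1] != str(local_port) or state not in states:
            continue
        counts[foreign.rsplit(":", 1)[0]] += 1
    return counts


def suspicious_peers(counts, threshold=5):
    """Peers holding at least `threshold` simultaneous connections, busiest first."""
    return sorted(((ip, n) for ip, n in counts.items() if n >= threshold),
                  key=lambda item: -item[1])


def block_rule(ip):
    """The INPUT rule the post used, for a given address."""
    return f"iptables -A INPUT -s {ip} -j DROP"


if __name__ == "__main__":
    for ip, n in suspicious_peers(connections_per_peer(NETSTAT_SAMPLE)):
        print(f"{ip}: {n} active connections  ->  {block_rule(ip)}")
```

On a real box you would pipe `netstat -tn` (or `ss -tn`) into connections_per_peer instead of the sample; the threshold is a judgement call, since a browser behind a busy NAT can legitimately open a handful of connections at once.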

Next I’ll try to install mod_evasive.

Network Addressable DVI Switch?

I hate KVM switches. They are expensive and under-featured. Occasionally, they lose their minds and my mouse goes all wonky. The tangled web of cables beneath my desk would make a tuna net jealous.

I like Synergy. It makes sense to use the LAN for low bandwidth stuff. The flexibility of a software solution enables neat tricks like clipboard synchronization, simultaneous desktop locking, etc.

This begs the question: is it possible to do 100% of this stuff over the LAN? Alas, I fear the answer is no.

Gigabit Ethernet = 1 Gb/s = 125 MB/s
1600x1200x24bpp = 5.5 MB * 30 fps = 164 MB/s (conservative)

Yes, 10Gb Ethernet exists, but what will you buy first: new network hardware, or a 30-inch Apple Cinema HD Display?
Yes, one could employ VNC, or some fancy X forwarding, or RDP. Fun experiment: try playing WoW like this.

If I was a hardware hacker, I would design a box with a bunch of DVI ports. I’d skip PS2 or USB entirely, and instead ship with a copy of Synergy. My gizmo would also sport one Ethernet port, and a simple open protocol with messages like connect port X to port Y.

Come to think of it, this gizmo could actually be built into the monitors themselves. Talk about value-add. Please Apple, hear my cry. Put 4 DVI inputs on your monitor and make it software switchable over Ethernet. (Oh, and advertise the protocol over Bonjour, thanx.)

New Printer

Our old Lexmark ran out of ink, so we decided to buy some more — inside a new printer. Printers are the packaging that ink comes in.

I picked up a Brother HL-5250DN from NewEgg for $205 shipped. Two hundred bucks. For a monochrome laser that does 30ppm, 1200×1200 dpi, ethernet, duplexing, PCL6, and Postscript 3. What a bargain.

It also supports Bonjour, so I was expecting some plug and play action. I was wrong.

Everything looked good at first. The printer got an IP and I could ping it by name. However, a few minutes later dhcpd3 would come along and delete the A record from bind. The lease was still present, and valid, but I could no longer resolve “printer”.

I eventually gave up and just assigned it a static IP. After four hours. Zeroconf my ass.

DSL Modem Web Interface in Bridged Mode

Since I run my own netfilter-based router, my Zoom ADSL modem operates in bridged mode and I have almost no need for the web-config interface thingy. I say almost because the web interface is apparently the only way to see the actual ADSL sync speed.

Here’s the stanza from my /etc/interfaces which configures the external interface:

auto eth0
iface eth0 inet static
        address 66.114.146.48
        netmask 255.255.255.0
        broadcast 66.114.146.255
        gateway 66.114.146.1

As you can see, I have a static IP of 66.114.146.48. To access the web interface on 10.0.0.2, I’m supposed to configure my PC with a specific IP (10.0.0.4). If I did that, however, it would override my static IP and I’d lose net connectivity.

Last night I discovered a way to have my cake and eat it too:

auto eth0:1
iface eth0:1 inet static
        address 10.0.0.4
        netmask 255.255.255.0
        gateway 10.0.0.2 # Bad idea, see below!

This creates an alias for eth0 with the modem’s preferred IP settings. This virtual interface runs concurrently with the real one, so net connectivity is unaffected. After adding this stanza and performing a quick ifup eth0:1, I could ping 10.0.0.2 from my router.

Browsing to http://10.0.0.2/ from any of the internal machines immediately brought up the modem’s web interface. This surprised me a little at first. I expected to need some extra iptables rules, but it turns out to just work with my existing IP masquerading setup. I think this is because of two facts:

  • eth0:1 automatically becomes the route for packets targeting the 10.0.0.0/24 network.
  • IP masq SNATs the outgoing packets to its interface’s IP (in this case, 10.0.0.4).

Now that I know my actual ADSL speeds, I’m going to give wondershaper a try.

Update:
My original article had a major bug (see the strikethrough text above). If I include that line, I’m essentially telling Linux that I have multiple default routes to the internet, and so my routing tables look like this:

10.0.0.0/24 dev eth0  proto kernel  scope link  src 10.0.0.4
192.168.1.0/24 dev ath1  proto kernel  scope link  src 192.168.1.1
192.168.0.0/24 dev br0  proto kernel  scope link  src 192.168.0.1
66.114.146.0/24 dev eth0  proto kernel  scope link  src 66.114.146.48
default via 10.0.0.2 dev eth0  src 10.0.0.4
default via 66.114.146.1 dev eth0

That penultimate line is the problem. If I omit the gateway declaration, however, I get only one (sensible) default route and everything seems to work.
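Both of the facts above and the duplicate-default-route bug fall out of one thing: longest-prefix match with "first listed wins" on ties. Here is an added script (mine, not from the post) that parses the routing table shown above, answers "which route, and therefore which source address, does a packet to X take?", and flags a table with more than one default route. The 203.0.113.9 test destination is a constructed address from the documentation range.

```python
"""Parse `ip route` output, do longest-prefix lookups, and flag the
duplicate-default-route bug from the update.  Added illustration, not part
of the original post."""
import ipaddress

# The post's routing table with the bad gateway line still present.
ROUTE_TABLE = """\
10.0.0.0/24 dev eth0  proto kernel  scope link  src 10.0.0.4
192.168.1.0/24 dev ath1  proto kernel  scope link  src 192.168.1.1
192.168.0.0/24 dev br0  proto kernel  scope link  src 192.168.0.1
66.114.146.0/24 dev eth0  proto kernel  scope link  src 66.114.146.48
default via 10.0.0.2 dev eth0  src 10.0.0.4
default via 66.114.146.1 dev eth0
"""


def parse_routes(text):
    """One dict per route: network, next hop (via), device and preferred src."""
    routes = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens:
            continue
        dest = "0.0.0.0/0" if tokens[0] == "default" else tokens[0]
        # The remaining tokens come in "key value" pairs: via X, dev X, src X ...
        attrs = dict(zip(tokens[1::2], tokens[2::2]))
        routes.append({
            "net": ipaddress.ip_network(dest, strict=False),
            "via": attrs.get("via"),
            "dev": attrs.get("dev"),
            "src": attrs.get("src"),
        })
    return routes


def lookup(routes, dst):
    """Longest-prefix match; on a tie the first listed route wins, which is
    why the order of two default routes matters."""
    addr = ipaddress.ip_address(dst)
    candidates = [r for r in routes if addr in r["net"]]
    if not candidates:
        return None
    return max(candidates, key=lambda r: r["net"].prefixlen)


def default_routes(routes):
    return [r for r in routes if r["net"].prefixlen == 0]


def audit(text):
    """Warnings worth seeing before trusting this table."""
    defaults = default_routes(parse_routes(text))
    warnings = []
    if len(defaults) > 1:
        warnings.append(
            f"{len(defaults)} default routes; the first (via {defaults[0]['via']}) "
            "will carry all traffic to the internet")
    return warnings


def without_modem_gateway(text):
    """The same table once the `gateway 10.0.0.2` line is dropped from eth0:1."""
    return "\n".join(l for l in text.splitlines() if "via 10.0.0.2" not in l) + "\n"


if __name__ == "__main__":
    routes = parse_routes(ROUTE_TABLE)
    # Fact 1: the modem is reached through the 10.0.0.0/24 route on eth0.
    # Fact 2: that route's src (10.0.0.4) is what masquerading rewrites to.
    print("to 10.0.0.2    :", lookup(routes, "10.0.0.2"))
    print("to the internet:", lookup(routes, "203.0.113.9"))
    print("audit          :", audit(ROUTE_TABLE))
    print("after the fix  :", lookup(parse_routes(without_modem_gateway(ROUTE_TABLE)), "203.0.113.9"))
```

With the buggy table, the lookup for an internet address returns the "via 10.0.0.2" route, so every outbound packet would be handed to the modem with source 10.0.0.4; remove that line and the same lookup returns the real gateway.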

Privileged and Unprivileged WiFi Segments

Here’s a recipe for disaster:

  • Least common denominator encryption.
  • Access points which bridge WiFi and wired Ethernet.
  • The fact that WEP can be pwn3d in 60 seconds.

So let’s imagine you just bought a Nintendo DS, and you have a Linksys WRT54G at home. The WRT54G bridges your wired and wireless networks — which means that anyone who gets on your wireless network is behind your firewall. The DS only supports WEP, which leads to the least common denominator problem. Forced to choose between multiplayer Mario Kart and a secure network, we all know what choice will be made. As Mario himself says, “Here we go!”

I’ve discovered a great solution to this problem.

My homebrew Linux access point is based around the MADWiFi driver, which allows me to create virtual access points out of a single card. I created two virtual access points with two SSIDs:

  • Santaniello-WPA2, my privileged WiFi segment. I bridge it with the wired LAN and use WPA2-PSK to keep the neighbors out. Heavyweight WiFi clients, like our laptops, use this segment. Because it’s bridged with the LAN, things like Samba and mt-daapd just work.
  • Santaniello-WEP, my unprivileged WiFi segment. Here I use weak WEP that my Nintendo DS supports. WEP is insecure, but that’s OK because this segment isn’t bridged with anything. Instead I assign it a whole separate subnet and apply the same strict netfilter firewall policy that I use on my incoming DSL.

Pretty cool, eh? Do that with your WRT54G. 🙂

Update:
It turns out to be important to expressly disallow routing between the unprivileged wifi and the rest of the world. My box was routing between them by default, and I didn’t realize this. I’ve added the following lines to my iptables setup script:

# default DROP
iptables -P FORWARD DROP
# don't allow unpriv wifi to access adsl modem
iptables -A FORWARD -i $WEPWIFI_IFACE -d 10.0.0.0/8 -j DROP
# don't route unpriv wifi except to the external world
iptables -A FORWARD -i $WEPWIFI_IFACE -o $EXTERNAL_IFACE -j ACCEPT
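To check what those three lines actually let the unprivileged segment reach, here is an added first-match model of the FORWARD chain (mine, not from the post). The interface names ath1, ppp0 and br0 are assumed stand-ins for $WEPWIFI_IFACE, $EXTERNAL_IFACE and the bridged LAN, and the packet addresses are constructed. Two things it makes visible: rule order matters (the 10/8 DROP has to sit before the catch-all ACCEPT), and the listed rules alone do not admit replies from the internet back to the WEP segment, so the rest of the setup script must carry a conntrack ESTABLISHED rule or the DS will never get an answer.

```python
"""First-match model of the FORWARD rules from the update, to see what the
unprivileged WEP segment can reach.  Added illustration; interface names are
assumed stand-ins for the post's $WEPWIFI_IFACE / $EXTERNAL_IFACE."""
import ipaddress

WEPWIFI_IFACE = "ath1"   # assumed name for the unprivileged WEP segment
EXTERNAL_IFACE = "ppp0"  # assumed name for the DSL/PPPoE uplink
LAN_IFACE = "br0"        # assumed name for the bridged wired + WPA2 LAN


class Rule:
    """One `iptables -A FORWARD` line: optional -i, -o and -d matches."""

    def __init__(self, target, in_iface=None, out_iface=None, dst=None):
        self.target = target
        self.in_iface = in_iface
        self.out_iface = out_iface
        self.dst = ipaddress.ip_network(dst) if dst else None

    def matches(self, pkt):
        if self.in_iface and pkt["in"] != self.in_iface:
            return False
        if self.out_iface and pkt["out"] != self.out_iface:
            return False
        if self.dst and ipaddress.ip_address(pkt["dst"]) not in self.dst:
            return False
        return True


# The three lines from the post, in order: policy DROP, then the two rules.
FORWARD_POLICY = "DROP"
FORWARD_RULES = [
    Rule("DROP", in_iface=WEPWIFI_IFACE, dst="10.0.0.0/8"),
    Rule("ACCEPT", in_iface=WEPWIFI_IFACE, out_iface=EXTERNAL_IFACE),
]


def verdict(pkt, rules=FORWARD_RULES, policy=FORWARD_POLICY):
    """iptables semantics: the first matching rule decides, else the policy."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.target
    return policy


def packet(in_iface, out_iface, dst):
    return {"in": in_iface, "out": out_iface, "dst": dst}


def segment_report():
    """What the unprivileged segment can and cannot reach under these rules."""
    return {
        "unpriv -> modem": verdict(packet(WEPWIFI_IFACE, "eth0", "10.0.0.2")),
        "unpriv -> internet": verdict(packet(WEPWIFI_IFACE, EXTERNAL_IFACE, "203.0.113.5")),
        "unpriv -> wired LAN": verdict(packet(WEPWIFI_IFACE, LAN_IFACE, "192.168.0.10")),
        # A reply from the internet to a WEP client matches neither rule, so the
        # policy drops it; a conntrack ESTABLISHED rule elsewhere in the script
        # is what has to let these through.
        "internet -> unpriv (reply)": verdict(packet(EXTERNAL_IFACE, WEPWIFI_IFACE, "192.168.1.20")),
    }


if __name__ == "__main__":
    for path, result in segment_report().items():
        print(f"{path:28s} {result}")
    # Rule order: with the ACCEPT first, a 10/8 destination leaving via the
    # uplink would slip past the DROP.
    probe = packet(WEPWIFI_IFACE, EXTERNAL_IFACE, "10.9.9.9")
    print("10/8 via uplink, rules as listed :", verdict(probe))
    print("10/8 via uplink, rules reversed  :", verdict(probe, rules=list(reversed(FORWARD_RULES))))
```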