Archive for the 'Networking' Category

Anycast

I’d never heard of anycast until I read Mark Jeftovic’s post today. Seems that my DNS host uses anycast to improve their resiliency to DDoS attacks.

Essentially you have multiple hosts on the public internet with identical routable IP addresses, and use traditional routing protocols to guide traffic to the closest one. This is really only suitable for connectionless protocols, like DNS. Neat stuff.

More details can of course be found at the usual repository of all human knowledge.

HTTP Speculative Response?

Seems like a cursory analysis of the newyorktimes.com web server would show a high correlation between GET requests for index.html and a whole bunch of images, etc.

If every request for index.html strongly predicts a request for foo.jpg, why not just send them both together?

Or do they already do this?

WiFi “Standards”

I just downgraded my access point from WPA2-PSK/CCMP+TKIP to WPA1-PSK/TKIP. This was the only way I could satisfy my MacBooks, PCI WiFi cards, and Airport Expresses. Grrr. I want my Saturday morning back.

If the best thing about standards is that there are so many to choose from, the next best thing is that there are so many (incompatible) ways to implement whichever one you pick.

BitTorrent Horks My DSL

Whenever my wife uses BitTorrent, I immediately notice increased network latency. Web browsing and other interactive sessions begin to suck. I’ve tried some simple traffic shaping, but it did not really help.

I know that most BT clients have built-in limit settings, but these don’t seem to help much either. They attempt to limit the amount of bandwidth used by the client, but my problem is clearly one of latency. Additionally, this does not scale. I want to solve this problem once, in one place.

I’m considering some layer-7 stuff to identify BT traffic and give it a low priority. Encrypted BT would be a problem here. The deep packet inspection would also require a lot of horsepower — perhaps more than I have.

But the bigger problem is that I feel scummy about it. How will I ever argue Net Neutrality again? Anyway, I don’t really want to look in the damn packets — I just want the network to remain usable.

So, with apologies to jwz:

Dear Lazyweb,

How the hell do you use BitTorrent without killing your network?

Netfilter’s SAME Target

My awesome ISP has given me a /29 block of IP addresses. Yesterday, I decided to try SNAT’ing out all of them. My first attempt:

iptables -t nat -A POSTROUTING -o $EXT_PPPOE -j SNAT --to-source 1.2.3.17-1.2.3.22

According to the docs, netfilter should round-robin through the 6 addresses. I visited a few of those “What’s my IP address?” web sites and got a few different answers. So far, so good.

After a few hours, however, it became obvious that something was wrong. Apparently the round-robin is done per-connection, and thus it can break any protocol which expects multiple connections from a single host to have a single IP.

(For instance, I couldn’t connect to AIM reliably. Turns out that, in order to connect to AIM, you must make two connections: first to an authorization server, which hands you a token for use on the second connection. The token seems only to be good for a certain IP address. So 1/6th of the time I would get lucky, draw the same IP twice, and AIM would connect. Otherwise, no dice.)

Thanks to the helpful fellas on irc.freenode.net #netfilter, I learned about the SAME target:

…the SAME target will try to always use the same outgoing IP address for all connections initiated by a single host on your network.

Now that sounds perfect. So I made the following change:

iptables -t nat -A POSTROUTING -o $EXT_PPPOE -j SAME --to 1.2.3.17-1.2.3.22 --nodst

Now everything works great. Visiting one of the “What’s my IP” sites gives different answers from different hosts, but always the same answer for a specific host. Sweet!

Update 4/17/2008:
Looks like the SAME target is obsolete and removed from kernel 2.6.25. I guess the SNAT target does what I want now. I’ll find out for sure when the gaping security hole is discovered and I’m forced to upgrade my kernel, heh.
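To make the per-connection versus per-host difference concrete, here is an added model of the two NAT behaviours and the two-connection login that tripped over the first one. This is illustration code written for this page, not netfilter’s code: the address pool (a six-address range in the 192.0.2.0/24 documentation block), the inside hosts and the AIM-style login are all constructed. The persistent mapping is keyed on the inside source address only, which is what `--nodst` asked for; on kernels after SAME was removed, `SNAT --persistent` provides the same stickiness.

```python
"""Model of per-connection round-robin SNAT versus a per-source-host mapping
(what netfilter's SAME target did, and what SNAT --persistent does now).

Added illustration, not the kernel's code: the pool, the hosts and the
AIM-style two-connection login are all constructed here.
"""
import ipaddress
import zlib
from itertools import count

# Constructed pool matching the post's /29: six usable addresses.
POOL = [str(ipaddress.IPv4Address("192.0.2.17") + i) for i in range(6)]


class RoundRobinSNAT:
    """Hands out the next pool address for every new connection, regardless
    of which inside host opened it (the behaviour the post ran into)."""

    def __init__(self, pool):
        self.pool = pool
        self._next = count()

    def translate(self, src_host):
        return self.pool[next(self._next) % len(self.pool)]


class PersistentSNAT:
    """Picks the pool address from a hash of the inside source address only,
    so a given host always leaves with the same public IP. This mirrors
    SAME --nodst: the destination is deliberately not part of the key."""

    def __init__(self, pool):
        self.pool = pool

    def translate(self, src_host):
        key = zlib.crc32(ipaddress.IPv4Address(src_host).packed)
        return self.pool[key % len(self.pool)]


def aim_style_login(nat, src_host, other_hosts=()):
    """Two connections from src_host: the first obtains a token tied to the
    public IP the auth server saw, the second presents it. Connections from
    other inside hosts may happen in between, as on a real LAN.
    Returns True when the second connection arrives from the same public IP."""
    auth_ip = nat.translate(src_host)
    token_bound_to = auth_ip  # the service binds the token to the client IP
    for h in other_hosts:
        nat.translate(h)  # unrelated traffic advances a round-robin counter
    chat_ip = nat.translate(src_host)
    return chat_ip == token_bound_to


LAN = [f"10.0.0.{i}" for i in range(2, 8)]  # constructed inside hosts


def login_success_rate(nat_cls, trials=600):
    """Fraction of logins that succeed when other hosts open 0..5 connections
    between the two AIM connections."""
    nat = nat_cls(POOL)
    ok = 0
    for t in range(trials):
        interleaved = LAN[1:1 + (t % 6)]  # 0..5 other hosts in between
        ok += aim_style_login(nat, LAN[0], interleaved)
    return ok / trials


if __name__ == "__main__":
    print("round-robin:", login_success_rate(RoundRobinSNAT))
    print("persistent: ", login_success_rate(PersistentSNAT))
```

With a six-address pool the round-robin login only succeeds when exactly a multiple of six other connections slipped in between, which is the 1/6 the post observed; the per-host mapping succeeds every time because the second connection cannot land on a different address.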

Are You Being DoS’d?

My network connection was “teh suck” all weekend until I did this:

iptables -A INPUT -s 212.17.87.173 -j DROP

Who, you might ask, is 212.17.87.173? I have no freaking clue, except that he’s Austrian and really loves photos of my wedding. It was harder to diagnose this problem than you might expect. Apache apparently writes its access.log after a request has completed. Thank god for netstat, or I might never have figured this one out.

Thanks to the oh-so-typically-condescending folks on freenode #apache, I’ve enabled mod_status with ExtendedStatus On, so that I can view HTTP requests in-flight.

Next I’ll try to install mod_evasive.
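Since access.log only shows requests that have finished, the socket table is where a slow-request flood is visible. As an added example (not from the post), here is a small parser that counts still-open connections to the web port per remote address from netstat-style output. The sample lines are constructed and use documentation-range addresses; the threshold is a hypothetical starting value, not something the post specifies.

```python
"""Count in-flight connections per remote address from netstat-style output.

Added illustration, not from the post: the sample lines are constructed and
use documentation addresses; the threshold is a hypothetical tuning knob.
"""
from collections import Counter

# Constructed `netstat -tn`-style lines (Linux column layout):
# Proto Recv-Q Send-Q Local Address Foreign Address State
SAMPLE_NETSTAT = """\
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 198.51.100.10:80        203.0.113.7:51001       ESTABLISHED
tcp        0      0 198.51.100.10:80        203.0.113.7:51002       ESTABLISHED
tcp        0      0 198.51.100.10:80        203.0.113.7:51003       ESTABLISHED
tcp        0      0 198.51.100.10:80        203.0.113.7:51004       ESTABLISHED
tcp        0      0 198.51.100.10:80        203.0.113.7:51005       SYN_RECV
tcp        0      0 198.51.100.10:80        198.51.100.77:40022     ESTABLISHED
tcp        0      0 198.51.100.10:22        198.51.100.77:40023     ESTABLISHED
tcp        0      0 198.51.100.10:80        192.0.2.200:33010       TIME_WAIT
"""


def parse_netstat(text, local_port=80):
    """Yield (remote_ip, state) for every TCP socket on local_port.
    Handles the header lines and IPv4 host:port fields; IPv6 is out of scope."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6 or not parts[0].startswith("tcp"):
            continue
        local, foreign, state = parts[3], parts[4], parts[5]
        if local.rsplit(":", 1)[1] != str(local_port):
            continue
        yield foreign.rsplit(":", 1)[0], state


def connections_per_remote(text, local_port=80, states=("ESTABLISHED", "SYN_RECV")):
    """Return a Counter of live (not yet closed) connections per remote IP.
    TIME_WAIT is excluded: those requests are done and would already be
    in access.log; the interesting ones are the still-open sockets."""
    c = Counter()
    for ip, state in parse_netstat(text, local_port):
        if state in states:
            c[ip] += 1
    return c


def suspects(text, threshold=4, local_port=80):
    """Remote IPs holding at least `threshold` open connections to the web
    port, most active first. The threshold is a hypothetical starting value;
    tune it against normal traffic before acting on it."""
    counts = connections_per_remote(text, local_port)
    return [(ip, n) for ip, n in counts.most_common() if n >= threshold]


if __name__ == "__main__":
    for ip, n in suspects(SAMPLE_NETSTAT):
        print(f"{ip}: {n} open connections to :80")
```

Run against live output (`netstat -tn | python3 thisfile.py` after swapping the constant for `sys.stdin.read()`), this gives the same view that mod_status with ExtendedStatus On provides, without needing Apache to be responsive enough to serve the status page.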

Network Addressable DVI Switch?

I hate KVM switches. They are expensive and under-featured. Occasionally, they lose their minds and my mouse goes all wonky. The tangled web of cables beneath my desk would make a tuna net jealous.

I like Synergy. It makes sense to use the LAN for low bandwidth stuff. The flexibility of a software solution enables neat tricks like clipboard synchronization, simultaneous desktop locking, etc.

This begs the question: is it possible to do 100% of this stuff over the LAN? Alas, I fear the answer is no.

Gigabit Ethernet = 1 Gb/s = 125 MB/s
1600 × 1200 × 24 bpp = 5.5 MB per frame × 30 fps = 164 MB/s (conservative)

Yes, 10Gb Ethernet exists, but what will you buy first: new network hardware, or a 30-inch Apple Cinema HD Display?
Yes, one could employ VNC, or some fancy X forwarding, or RDP. Fun experiment: try playing WoW like this.

If I were a hardware hacker, I would design a box with a bunch of DVI ports. I’d skip PS2 or USB entirely, and instead ship with a copy of Synergy. My gizmo would also sport one Ethernet port, and a simple open protocol with messages like “connect port X to port Y”.

Come to think of it, this gizmo could actually be built into the monitors themselves. Talk about value-add. Please Apple, hear my cry. Put 4 DVI inputs on your monitor and make it software switchable over Ethernet. (Oh, and advertise the protocol over Bonjour, thanx.)