Wednesday, December 16, 2009

IP Based search engine

Search on Gigablast provides an unusual facility: searching by IP address or IP range.
e.g. ip:69.63.181 (http://gigablast.com/search?k4a=576656&s=10&q=ip:69.63.181)
This lists all the websites hosted in the Facebook IP range. Quite interesting to know. :)

Friday, October 30, 2009

Conditional BGP Advertisement


Introduction:
This can be used to advertise prefixes automatically when one peer goes down, instead of advertising them manually.
Design Notes:
In this example I'm advertising 10.0.0.0/16 through AS 65001, but if that peer (203.143.0.5) goes down, 10.0.0.0/16 should automatically be advertised through AS 65002 (203.143.0.1).
To make the configuration work we need to match against a prefix advertised by that peer (203.143.0.5). To make sure the prefix was really learned through that peer we can match on the AS path or on a community. In this example I'm matching against 172.16.0.0/24 advertised through 65001 and against the AS path ^65001.
Configuration Notes:
The only line that differs from a normal configuration is:
neighbor 203.143.0.1 advertise-map otherblock non-exist-map inblock
(exist-map can be used in place of non-exist-map when the prefix should be advertised only while the condition prefix is present)
Better notes on this:

Normal Status:

R2#show ip bgp neighbors 203.143.0.1 | inc Cond
Condition-map inblock, Advertise-map otherblock, status: Withdraw
R0#show ip route
Gateway of last resort is not set
B 172.16.0.0/16 [20/0] via 203.143.0.2, 00:08:41
203.143.0.0/30 is subnetted, 1 subnets
C 203.143.0.0 is directly connected, FastEthernet0/0
B 192.168.0.0/16 [20/0] via 203.143.0.2, 00:08:11


R2#show ip bgp neighbors 203.143.0.1 advertised-routes
BGP table version is 5, local router ID is 203.143.0.6
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight Path
*> 172.16.0.0 203.143.0.5 0 0 65001 i
*> 192.168.0.0/16 0.0.0.0 0 32768 i
Total number of prefixes 2

When the BGP peer is down:

R2#show ip bgp summary
Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
203.143.0.1 4 65002 113 141 7 0 0 00:13:20 0
203.143.0.5 4 65001 117 121 0 0 0 00:00:52 Active
R2#show ip bgp neighbors 203.143.0.1 advertised-routes
BGP table version is 7, local router ID is 203.143.0.6
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight Path
*> 10.0.0.0/16 0.0.0.0 0 32768 i
*> 192.168.0.0/16 0.0.0.0 0 32768 i
Total number of prefixes 2
R2#show ip bgp neighbors 203.143.0.1 | inc Cond
Condition-map inblock, Advertise-map otherblock, status: Advertise


Configuration:

R2#
hostname R2
interface FastEthernet0/0
ip address 203.143.0.2 255.255.255.252
duplex auto
speed auto

interface FastEthernet0/1
ip address 203.143.0.6 255.255.255.252
duplex auto
speed auto
!
router bgp 65003
no synchronization
bgp log-neighbor-changes
network 10.0.0.0 mask 255.255.0.0
network 192.168.0.0 mask 255.255.0.0
neighbor 203.143.0.1 remote-as 65002
neighbor 203.143.0.1 soft-reconfiguration inbound
neighbor 203.143.0.1 advertise-map otherblock non-exist-map inblock
neighbor 203.143.0.5 remote-as 65001
neighbor 203.143.0.5 soft-reconfiguration inbound
neighbor 203.143.0.5 prefix-list allow_65001 out
neighbor 203.143.0.5 route-map inbound_65001 in
no auto-summary
!
ip route 10.0.0.0 255.255.0.0 Null0
ip route 192.168.0.0 255.255.0.0 Null0
!
ip as-path access-list 1 permit ^65001
ip prefix-list allow_65001 seq 5 permit 10.0.0.0/16
ip prefix-list allow_65002 seq 5 permit 192.168.0.0/16
access-list 1 permit 10.0.0.0 0.0.255.255
access-list 2 permit 172.16.0.0 0.0.255.255
route-map otherblock permit 10
match ip address 1
!
route-map allow_65001 permit 10

route-map inbound_65001 permit 10
set community 4259905537
route-map inblock permit 10
match ip address 2
match as-path 1 ! to match the as-path
end
R2 END#

R1#show run
!
interface FastEthernet0/0
ip address 203.143.0.5 255.255.255.252
duplex auto
speed auto
!
router bgp 65001
no synchronization
bgp log-neighbor-changes
network 172.16.0.0
neighbor 203.143.0.6 remote-as 65003
no auto-summary
!
ip forward-protocol nd
ip route 172.16.0.0 255.255.0.0 Null0
R1 END#
R0#show run
ip cef
interface FastEthernet0/0
ip address 203.143.0.1 255.255.255.252
duplex auto
speed auto

router bgp 65002
no synchronization
bgp log-neighbor-changes
neighbor 203.143.0.2 remote-as 65003
neighbor 203.143.0.2 soft-reconfiguration inbound
no auto-summary
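As an added illustration (not part of the original post or any router output), here is a small Python model of what the non-exist-map does on R2: it evaluates a constructed copy of R2's BGP table the way route-maps inblock and otherblock above do, and reports the condition status and the prefixes sent to AS 65002 with the 65001 peer up and down. The ACL wildcards are written as prefixes for simplicity.

```python
import re
from ipaddress import ip_network

# Constructed model of R2's BGP table, taken from the show output in the post:
# (prefix, next hop, AS path). 172.16.0.0/16 is only present while 65001 is up.
TABLE_PEER_UP = [
    ("172.16.0.0/16", "203.143.0.5", [65001]),
    ("10.0.0.0/16", "0.0.0.0", []),
    ("192.168.0.0/16", "0.0.0.0", []),
]
TABLE_PEER_DOWN = [r for r in TABLE_PEER_UP if r[1] != "203.143.0.5"]

def acl_match(prefix, acl_net):
    """'match ip address <acl>' with a standard ACL: the route's network
    address must fall inside the permitted network (wildcard written as a prefix)."""
    return ip_network(prefix).network_address in ip_network(acl_net)

def as_path_match(path, regex):
    """'match as-path' applies the regex to the path rendered as space-separated ASNs."""
    return re.search(regex, " ".join(str(asn) for asn in path)) is not None

def non_exist_map_hit(table):
    """route-map inblock: access-list 2 (172.16.0.0/16) AND as-path access-list 1 (^65001)."""
    return any(acl_match(p, "172.16.0.0/16") and as_path_match(path, r"^65001")
               for p, _, path in table)

def condition_status(table):
    """Mirrors the status shown by 'show ip bgp neighbors 203.143.0.1 | inc Cond'."""
    return "Withdraw" if non_exist_map_hit(table) else "Advertise"

def advertised_to_65002(table):
    """Prefixes sent to 203.143.0.1: routes matched by the advertise-map
    (access-list 1 = 10.0.0.0/16) go out only in the Advertise state;
    everything else is advertised as usual."""
    conditional = {p for p, _, _ in table if acl_match(p, "10.0.0.0/16")}
    unconditional = {p for p, _, _ in table} - conditional
    if condition_status(table) == "Advertise":
        return unconditional | conditional
    return unconditional

if __name__ == "__main__":
    for name, table in (("peer up", TABLE_PEER_UP), ("peer down", TABLE_PEER_DOWN)):
        print(name, condition_status(table), sorted(advertised_to_65002(table)))
```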

Saturday, October 10, 2009

Network Switch ip to port mapping using neo

The book Open Source Network Administration gives an introduction to a network tool called neo. The latest version can be found at ktools.org
(http://www.ktools.org/dist/neo/neo-1.3.1.tar.gz)

There is one catch when compiling and installing on Ubuntu: object_statstransfer.c and object_sleeper.c use CLK_TCK, which I think is obsolete, so CLOCKS_PER_SEC should be used instead. I simply defined it as follows in both files.

/* Define my constant */
#define CLK_TCK 100

Installation process:
1 ) gunzip -c neo-1.3.1.tar.gz | tar xvf -
2 ) cd neo-1.3.1
3 ) ./configure
4 ) Do the relevant changes as explained earlier in the both source files.
5 ) make
6 ) make install

neo has its own command line, but the two basic commands you need to map an IP to a port are arpfind and locate.

Before doing that, define the switches and the core router in one file (the router is needed for the IP to ARP resolution).
Example /var/neo/switches:

192.168.1.10
192.168.1.11

To find the IP to ARP (MAC) mapping, issue the command as
neo -c "community string" arpfind @f:/var/neo/switches
This gives you the ARP (MAC) address;
then issue the locate command to find the port number.


neo -c "community string" locate @f:/var/neo/switches

I've combined both into one perl script. I haven't used a community string here since I compiled the default community as the relevant string. You can change the default community string while compiling, in
object_global.c


g->argv0=NULL;
g->readcom=strdup("public");
g->writecom=strdup("public");
neo_global_set_burst(g, 1);



#!/usr/bin/perl
# ARP to IP mapper: takes the host IP as its only argument,
# asks neo for the host's MAC (arpfind) and then for the switch port (locate).
use strict;
use warnings;

my $arg = $ARGV[0];
die "usage: $0 <host-ip>\n" unless defined $arg;

# Switch/router list used by both neo commands
my $switches = '/root/gobi/neo-1.3.1/switches';

# To save the actual ARP (MAC) address
my $real_arp = "";

# Identify the ARP (MAC) address of the host; neo prints it on the line containing "says"
my @arp = `neo arpfind $arg \@f:$switches`;
foreach (@arp) {
    if ($_ =~ /says/) {
        # The MAC is the last 17 characters of the line, plus the trailing newline
        $real_arp = substr($_, -18);
        last;
    }
}
chomp($real_arp);
die "no ARP entry found for $arg\n" if $real_arp eq "";

# Locate the MAC on the switches; prints "Found on <port>@<switch>" lines
my @port = `neo locate -u $real_arp \@f:$switches`;

foreach (@port) {
    print $_;
}

root@--:~/gobi# ./run.pl 192.168.29.2
Found on 6@192.168.0.200
Found on 10@192.168.0.204

I'm also doing some reverse mapping using simple SNMP queries like
@ip2arp_tbl = `snmpwalk -c "public" -v 2c 192.168.0.99 "ip.ipNetToMediaTable.ipNetToMediaEntry.ipNetToMediaPhysAddress"`; I'll cover that in a different post if successful.
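As an added example (not from the post or the neo project), this Python snippet turns an snmpwalk of ipNetToMediaPhysAddress into an IP to MAC table and supports the reverse lookup too. The sample output is constructed, not captured from a device; it assumes the net-snmp line format "<MIB>::ipNetToMediaPhysAddress.<ifIndex>.<ip> = <type>: <value>", with MACs printed either as an unpadded colon string or as a Hex-STRING.

```python
import re

# Constructed snmpwalk output (assumed net-snmp format, see lead-in)
SAMPLE_WALK = """\
IP-MIB::ipNetToMediaPhysAddress.3.192.168.29.2 = STRING: 0:1a:2b:3c:4d:5e
IP-MIB::ipNetToMediaPhysAddress.3.192.168.29.7 = STRING: 8:0:27:ab:cd:ef
IP-MIB::ipNetToMediaPhysAddress.4.10.0.0.5 = Hex-STRING: 00 50 56 01 02 03
IP-MIB::ipNetToMediaPhysAddress.4.10.0.0.9 = STRING: 0:1a:2b:3c:4d:5e
"""

# The MIB prefix before "::" is ignored so RFC1213-MIB:: and IP-MIB:: both parse
LINE_RE = re.compile(
    r"ipNetToMediaPhysAddress\.(\d+)\.(\d+\.\d+\.\d+\.\d+)\s*=\s*(STRING|Hex-STRING):\s*(.+)$")

def normalise_mac(kind, raw):
    """Return a lowercase, zero-padded aa:bb:cc:dd:ee:ff form for either output style."""
    parts = raw.split(":") if kind == "STRING" else raw.split()
    if len(parts) != 6:
        raise ValueError(f"unexpected MAC {raw!r}")
    return ":".join(f"{int(p, 16):02x}" for p in parts)

def parse_arp_walk(text):
    """Map (ifIndex, ip) -> mac from an snmpwalk of ipNetToMediaPhysAddress."""
    table = {}
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            table[(int(m.group(1)), m.group(2))] = normalise_mac(m.group(3), m.group(4).strip())
    return table

def ip_to_mac(table, ip):
    """All MACs the router has seen for one IP (normally exactly one)."""
    return {mac for (_, addr), mac in table.items() if addr == ip}

def mac_to_ips(table, mac):
    """Reverse lookup. Several IPs on one MAC can be legitimate (a router's own
    interfaces) or something to look into (one host answering for many addresses)."""
    mac = mac.lower()
    return sorted(addr for (_, addr), m in table.items() if m == mac)

if __name__ == "__main__":
    arp = parse_arp_walk(SAMPLE_WALK)
    print(ip_to_mac(arp, "192.168.29.2"))
    print(mac_to_ips(arp, "00:1a:2b:3c:4d:5e"))
```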

Tuesday, September 22, 2009

Mysql Ipaddress subnet wise search

I needed to search a MySQL table of IP addresses by subnet mask. This was part of the NetFlow tools for our internal use. I exported the flow data from flow-export into a MySQL database, with the "ip address" columns created as Text. The built-in MySQL function INET_ATON() makes searching the table easy.

According to the MySQL reference: if an IP is 209.207.224.40,
the generated number is always in network byte order. For the example just shown, the number is calculated as 209×(256^3) + 207×(256^2) + 224×256 + 40.

To search a subnet we need to add the relevant number of host addresses to the search.
For example, to search 216.239.60.0/23:
I need to convert the network address to a number: 3639557120.
Since it is a /23, I add 512 to the network figure: 3639557632.
Then a query like this works fine:

mysql> select dstaddr, dpkts, srcaddr, srcport, dstport from Raw1253672304 where INET_ATON(dstaddr) >= 3639557120 and INET_ATON(dstaddr) < 3639557632;

Maybe there is an easier way.
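As an added example (mine, not from the post), the same arithmetic done in Python for any prefix length, producing both the range query used above and an alternative that lets MySQL do the masking. The table and column names are the ones from the post; the INET_ATON() reimplementation is only there to check results locally.

```python
from ipaddress import ip_network

def inet_aton(dotted):
    """Same value as MySQL's INET_ATON(): network byte order, so
    209.207.224.40 -> 209*256^3 + 207*256^2 + 224*256 + 40."""
    octets = [int(o) for o in dotted.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"not a dotted quad: {dotted!r}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]

def cidr_bounds(cidr):
    """Inclusive numeric range [first, last] covered by a CIDR block,
    e.g. 216.239.60.0/23 -> (3639557120, 3639557120 + 512 - 1)."""
    net = ip_network(cidr, strict=False)  # strict=False tolerates host bits, e.g. 216.239.60.5/23
    return int(net.network_address), int(net.broadcast_address)

def subnet_query(table, column, cidr):
    """Range query equivalent to the hand-built one in the post; the bounds are
    computed here so the prefix length can be anything, not just /23."""
    first, last = cidr_bounds(cidr)
    return (f"SELECT dstaddr, dpkts, srcaddr, srcport, dstport FROM {table} "
            f"WHERE INET_ATON({column}) BETWEEN {first} AND {last}")

def mask_query(table, column, cidr):
    """Alternative that keeps rows whose address ANDed with the netmask
    equals the network number."""
    net = ip_network(cidr, strict=False)
    return (f"SELECT dstaddr, dpkts, srcaddr, srcport, dstport FROM {table} "
            f"WHERE (INET_ATON({column}) & {int(net.netmask)}) = {int(net.network_address)}")

def in_subnet(dotted, cidr):
    """Python-side check with the same semantics, handy for verifying query results."""
    first, last = cidr_bounds(cidr)
    return first <= inet_aton(dotted) <= last

if __name__ == "__main__":
    print(subnet_query("Raw1253672304", "dstaddr", "216.239.60.0/23"))
    print(mask_query("Raw1253672304", "dstaddr", "216.239.60.0/23"))
```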

Sunday, August 2, 2009

DDOS protection using iptables (recent module)

This article is about the iptables recent module, which can be used to defend against DDoS attacks. This setup was tested in bridged mode.
Recent work on DDoS mitigation for one of our customers showed some interesting capabilities of the "recent module" of iptables.
One website came under attack with extensive SYN and "GET" requests from distributed zombies; we could identify around 4000 - 5000 unique hosts.
To define the attack pattern we captured some traffic, but it contained only SYNs and GET requests, nothing else to define a pattern with. Therefore I decided: if one host creates more than 20 sessions during 100 seconds, drop the packets.
iptables -I FORWARD -p tcp --dport 80 -i bridge0 -m state --state NEW -m recent --set
iptables -I FORWARD -p tcp --dport 80 -i bridge0 -m state --state NEW -m recent --update --seconds 100 --hitcount 20 -j DROP

Initially I applied these rules but saw no traffic reduction. When I checked the source code:
static unsigned int ip_list_tot = 100;
static unsigned int ip_pkt_list_tot = 20;

(http://www.il.is.s.u-tokyo.ac.jp/lxr-xp/source/net/netfilter/xt_recent.c)
So only 100 unique source IPs can be in the list; this was not capable of handling more than 4000 hosts.
Therefore I removed the module and changed the default values:
iptables -F
rmmod xt_recent
modprobe ipt_recent ip_list_tot=5000 ip_pkt_list_tot=100

Re-applying the rules filtered the massive traffic. While I'm writing this post the attack is still going on :( but the web server is still able to handle the load :)

-- notes --
The following script, run from cron in combination with xt_recent, can help a bit. But be aware this may block normal users.

#!/bin/bash
# Rotate the previous snapshot so only sources that changed since the last run are acted on
mv /home/gobi/new_ips.txt /home/gobi/old_ips.txt
# /proc/net/xt_recent/DEFAULT lines look like:
#   src=A.B.C.D ttl: T last_seen: J oldest_pkt: N ts1, ts2, ...
# so $1 is "src=A.B.C.D" and $7 is the number of packets stored for that source
awk '{ if ($7 > 100) print $1 }' /proc/net/xt_recent/DEFAULT | sort > /home/gobi/new_ips.txt
# uniq -u keeps entries present in only one of the two snapshots; awk strips the "src=" prefix
sort /home/gobi/new_ips.txt /home/gobi/old_ips.txt | uniq -u | awk -F '=' '{print $2}' > /home/gobi/ips
sh /home/gobi/add_iptables.sh

---add_iptables.sh
#!/bin/bash
# Insert a DROP rule for every source address listed in /home/gobi/ips
while read -r WORD; do
    [ -n "$WORD" ] || continue
    iptables -I FORWARD -p tcp --dport 80 -s "$WORD" -i bridge1 -j DROP
done < /home/gobi/ips
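As an added example (not part of the post), a Python script that parses /proc/net/xt_recent/DEFAULT in the format xt_recent.c prints and emulates the hit-count test of the "--update --seconds 100 --hitcount 20" rule above, so you can see which sources the DROP rule would catch before committing to a threshold. The table and the "current" jiffies value are constructed; HZ=100 is an assumption about the kernel tick rate.

```python
import re

HZ = 100  # assumed kernel tick rate; xt_recent stores timestamps in jiffies

def make_entry(ip, stamps):
    """Build one /proc/net/xt_recent/DEFAULT line in the format xt_recent.c prints:
    src=A.B.C.D ttl: T last_seen: J oldest_pkt: N ts1, ts2, ..."""
    return (f"src={ip} ttl: 64 last_seen: {stamps[-1]} oldest_pkt: {len(stamps)} "
            + ", ".join(str(s) for s in stamps))

NOW = 24000  # constructed "current" jiffies value for the sample below

# Constructed table (not captured from a real box): three sources with different histories
SAMPLE_TABLE = "\n".join([
    make_entry("198.51.100.7", [7000, 9000, 23000]),                  # 3 connections, 2 of them old
    make_entry("203.0.113.9", [14100 + 400 * i for i in range(25)]),  # 25 connections in the last 100 s
    make_entry("192.0.2.33", list(range(0, 25000, 1000))),            # 25 connections spread over 240 s
])

ENTRY_RE = re.compile(r"src=(\S+) ttl: (\d+) last_seen: (\d+) oldest_pkt: (\d+)\s*(.*)")

def parse_recent_table(text):
    """Parse the proc file into {ip: [timestamps]}."""
    entries = {}
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            continue
        entries[m.group(1)] = [int(s) for s in m.group(5).split(",") if s.strip()]
    return entries

def rule_matches(stamps, now, seconds=100, hitcount=20, hz=HZ):
    """Emulate the test done by '-m recent --update --seconds S --hitcount N':
    match when at least N stored timestamps fall inside the last S seconds.
    Only ip_pkt_list_tot stamps are kept per source, so N above that limit never matches."""
    window_start = now - seconds * hz
    return sum(1 for s in stamps if s >= window_start) >= hitcount

def sources_to_drop(text, now, **rule):
    """IPs whose packets the DROP rule in the post would match right now."""
    return sorted(ip for ip, stamps in parse_recent_table(text).items()
                  if rule_matches(stamps, now, **rule))

if __name__ == "__main__":
    print(sources_to_drop(SAMPLE_TABLE, NOW))               # default 20 hits / 100 s
    print(sources_to_drop(SAMPLE_TABLE, NOW, hitcount=10))  # a looser threshold
```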

Saturday, May 23, 2009

GNS3 Lab for Framerelay over ISIS


Here I've shared the GNS3 files for the CCNP BSCI lab.

LINK:
http://ifile.it/vz0h8gx

Experience vs Knowledge Troubleshooting ~

You may have to face situations where something physically goes wrong or somebody else screws up your network. In such a scenario your knowledge gives you confidence, but knowledge alone is sometimes unable to provide the answer. Here are some things I've learned from faults and mistakes.

1) Don't panic. When you feel the pressure you are unable to concentrate.
2) Use the tools you have at hand (traceroute, looking glasses, ping, etc.).
3) Isolate the problem. In this step people try to correlate with existing experience; sometimes the prediction is correct, sometimes utterly wrong.
4) Try to contact the right person and provide the correct details. Persuading people to work for you is really hard; sometimes they are also bound by contracts that limit the help you can get from them. Keep good relationships, and thank them when the problem is resolved. Until they understand, they won't put their heart into it!

5) Hope for the best! :)

Tuesday, April 21, 2009

Mikrotik Hierachical Queue



This particular setup provides guaranteed bandwidth for mail traffic. I achieved it through a queue tree, because the most complicated queuing structures can be built with queue trees and PCQ.

This is a simple setup:
1) Mark the relevant connections and packets.
This can be done by IP firewall address list, source address or port number, depending on your requirements.
2) Define the parent queue and child queues.

1) Mark the connection for mail traffic:
chain=prerouting action=mark-connection new-connection-mark=mail passthrough=yes src-address=10.10.10.3

chain=prerouting action=mark-packet new-packet-mark=mail-packet passthrough=no connection-mark=mail

chain=prerouting action=mark-packet new-packet-mark=others passthrough=yes packet-mark=!mail
(please note the ! sign: it negates the match, so this rule catches everything that is not mail)


2) Create the relevant queues and apply them.

3 name="Parent" parent=ether3 packet-mark="" limit-at=0 queue=default priority=8 max-limit=1024000 burst-limit=0
burst-threshold=0 burst-time=0s

4 name="Mail" parent=Parent packet-mark=mail limit-at=256000 queue=default priority=8 max-limit=1024000 burst-limit=0
burst-threshold=0 burst-time=0s

5 name="queue1" parent=Parent packet-mark=others limit-at=768000 queue=default priority=8 max-limit=1024000


This queuing strategy satisfies the above requirements. You can identify the particular traffic using different parameters :)



Wednesday, April 8, 2009

hierarchical queuing on Cisco


Recently I tested assigning different bandwidth requirements to a number of users. The example setup is shown in the diagram. 512 kbps is divided between the users, and one user can use the whole bandwidth when the others are not using it. I did some testing on this and achieved the requirement through a hierarchical queuing strategy.

1) I set up NAT and the other basic configuration:

ip route 0.0.0.0 0.0.0.0 10.0.0.2
ip nat inside source list 2 interface FastEthernet0/0 overload
access-list 2 permit 192.168.2.0 0.0.0.255
ip nat outside
ip nat inside


2) Define the class-maps.

2.1 - Access-lists to match the IPs.


access-list 101 permit ip host 192.168.2.1 any
access-list 101 permit ip any host 192.168.2.1
access-list 102 permit ip host 192.168.2.2 any
access-list 102 permit ip any host 192.168.2.2
access-list 103 permit ip host 192.168.2.3 any
access-list 103 permit ip any host 192.168.2.3


2.2 - Class-maps matching the ACLs.


class-map match-all shape256_pir256_HostA
match access-group 101
class-map match-all shape64_pir64_HostB
match access-group 102
class-map match-all shape128_pir512_HostC
match access-group 103


3) Queues.
3.1 - Define the parent shaper.

policy-map shape_512
class class-default
shape average 512000
service-policy shapeinside


3.2 - Child queues.

policy-map shapeinside
class shape256_pir256_HostA
bandwidth 256
police rate 256000 bps burst 32000 bytes
class shape64_pir64_HostB
bandwidth 64
police rate 64000 bps burst 32000 bytes


4) Apply it on the interface.

interface FastEthernet0/1
ip address 192.168.2.1 255.255.255.0
ip nat inside
duplex auto
speed auto
service-policy output shape_512

My test results showed that the bandwidth is guaranteed for hosts A and B; when they are not using it, host C can utilize it. That is the reason I did not put any shaping on the child classes.