Wednesday, December 16, 2009

IP Based search engine

Search on Gigablast provides a unique facility to search by IP address or IP range.
eg: ip:69.63.181 (
This lists all the websites hosted on the Facebook IP range. Quite interesting to know. :)

Friday, October 30, 2009

Conditional BGP Advertisement

This can be used to advertise prefixes automatically when one peer goes down, rather than advertising them manually.
Design Notes:
In this example I'm advertising through AS 65001, but if that peer ( goes down, it is automatically advertised through AS 65002(
To make the configuration work we need to match against a prefix that is advertised from that( peer. To make sure it was learned through that peer we can use an AS-path match or a community-based match. In this example I'm matching against the prefix advertised through 65001 and against the AS path ^65001.
Configuration Notes:
This is the only configuration that differs from the normal one:
neighbor advertise-map otherblock non-exist-map[exist-map] inblock
Better notes on this:

Normal Status:

R2#show ip bgp neighbors | inc Cond
Condition-map inblock, Advertise-map otherblock, status: Withdraw
R0#show ip route
Gateway of last resort is not set
B [20/0] via, 00:08:41
 is subnetted, 1 subnets
C is directly connected, FastEthernet0/0
B [20/0] via, 00:08:11

R2#show ip bgp neighbors advertised-routes
BGP table version is 5, local router ID is
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? – incomplete
Network Next Hop Metric LocPrf Weight Path
*> 0 0 65001 i
*> 0 32768 i
Total number of prefixes 2

When the BGP peer is down:

R2#show ip bgp summary
Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
 4 65002 113 141 7 0 0 00:13:20 0
 4 65001 117 121 0 0 0 00:00:52 Active
R2#show ip bgp neighbors advertised-routes
BGP table version is 7, local router ID is
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? – incomplete
Network Next Hop Metric LocPrf Weight Path
*> 0 32768 i
*> 0 32768 i
Total number of prefixes 2
R2#show ip bgp neighbors | inc Cond
Condition-map inblock, Advertise-map otherblock, status: Advertise


hostname R2
interface FastEthernet0/0
ip address
duplex auto
speed auto

interface FastEthernet0/1
ip address
duplex auto
speed auto
router bgp 65003
no synchronization
bgp log-neighbor-changes
network mask
network mask
neighbor remote-as 65002
neighbor soft-reconfiguration inbound
neighbor advertise-map otherblock non-exist-map inblock
neighbor remote-as 65001
neighbor soft-reconfiguration inbound
neighbor prefix-list allow_65001 out
neighbor route-map inbound_65001 in
no auto-summary
ip route Null0
ip route Null0
ip as-path access-list 1 permit ^65001
ip prefix-list allow_65001 seq 5 permit
ip prefix-list allow_65002 seq 5 permit
access-list 1 permit
access-list 2 permit
route-map otherblock permit 10
match ip address 1
route-map allow_65001 permit 10

route-map inbound_65001 permit 10
set community 4259905537
route-map inblock permit 10
match ip address 2
match as-path 1 ! to match the as-path

R1#show run
interface FastEthernet0/0
ip address
duplex auto
speed auto
router bgp 65001
no synchronization
bgp log-neighbor-changes
neighbor remote-as 65003
no auto-summary
ip forward-protocol nd
ip route Null0
R0#show run
ip cef
interface FastEthernet0/0
ip address
duplex auto
speed auto

router bgp 65002
no synchronization
bgp log-neighbor-changes
neighbor remote-as 65003
neighbor soft-reconfiguration inbound
no auto-summary
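As an added example (not the post's own code), here is a small model of how IOS evaluates R2's advertise-map with a non-exist-map, so the Withdraw/Advertise status and the two advertised-routes listings above can be reproduced offline. The prefixes are RFC 5737 placeholders, since the post's access-list entries are not shown; the exist-map variant is included for comparison.

```python
import re

# Added example, not from the post: a model of how IOS evaluates R2's
# "neighbor <peer> advertise-map otherblock non-exist-map inblock". Prefixes
# are RFC 5737 placeholders because the post's access-list entries are not shown.
AS_PATH_ACL_1 = re.compile(r"^65001")   # ip as-path access-list 1 permit ^65001
TRACKED_PREFIX = "198.51.100.0/24"      # access-list 2, used by route-map inblock
BACKUP_PREFIX = "203.0.113.0/24"        # access-list 1, used by route-map otherblock

# Constructed BGP tables as (prefix, as_path); "" = locally originated (weight 32768).
NORMAL_RIB = [(TRACKED_PREFIX, "65001"), ("192.0.2.0/24", ""), (BACKUP_PREFIX, "")]
PEER_DOWN_RIB = [("192.0.2.0/24", ""), (BACKUP_PREFIX, "")]


def inblock_matches(rib):
    """route-map inblock: match ip address 2 AND match as-path 1, so the tracked
    prefix only counts when it is heard directly from AS 65001."""
    return any(p == TRACKED_PREFIX and AS_PATH_ACL_1.search(path) for p, path in rib)


def conditional_status(rib, mode="non-exist-map"):
    """Status shown by 'show ip bgp neighbors <peer> | inc Cond'."""
    present = inblock_matches(rib)
    if mode == "non-exist-map":   # advertise only while the tracked route is absent
        return "Withdraw" if present else "Advertise"
    if mode == "exist-map":       # advertise only while the tracked route is present
        return "Advertise" if present else "Withdraw"
    raise ValueError(f"unknown mode {mode!r}")


def advertised_to_peer(rib, mode="non-exist-map"):
    """Prefixes sent to the AS 65002 peer: every best path, except that the
    backup prefix is held back while the advertise-map status is Withdraw."""
    status = conditional_status(rib, mode)
    sent = [p for p, _ in rib if p != BACKUP_PREFIX or status == "Advertise"]
    return status, sent


if __name__ == "__main__":
    for name, rib in (("peer up", NORMAL_RIB), ("peer down", PEER_DOWN_RIB)):
        status, sent = advertised_to_peer(rib)
        print(f"{name}: status {status}, advertised {sent}")
```

The anchored ^65001 match matters: the same prefix heard with a path such as "65002 65001" does not satisfy inblock, so the backup would be advertised even though the prefix is still reachable.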

Saturday, October 10, 2009

Network Switch ip to port mapping using neo

Open Source Network Administration gives an introduction to the network tool neo. The latest version can be found

There is one catch while you compile and install on Ubuntu: object_statstransfer.c and object_sleeper.c use CLK_TCK, which I think is obsolete; CLOCKS_PER_SEC should be used instead. But I just defined it as follows in both files.

/* Define my constant */
#define CLK_TCK 100

Installation process :
1 ) gunzip -c neo-1.3.1.tar.gz | tar xvf -
2 ) cd neo-1.3.1
3 ) ./configure
4 ) Make the relevant changes as explained earlier in both source files.
5 ) make
6 ) make install

neo has its own command line, but the basic things you need to get the IP-to-port map are two commands: arpfind and locate.

Before doing that you can define the switches and the core router in one file (the router is needed to resolve the IP to a MAC address).
example /var/neo/switches

If you want to find the relevant IP-to-MAC mapping you can issue the command as
neo -c "community string" arpfind @f:/var/neo/switches
This will give you the MAC address;
then you can issue the locate command to find the port number.

neo -c "community string" locate @f:/var/neo/switches

I've combined both into one Perl script. I haven't used the community string here since I compiled the default community as the relevant string. You can change the community string while compiling (

neo_global_set_burst(g, 1);

#!/usr/bin/perl
use strict;
use warnings;

# ARP-to-IP mapper: the host (IP address) to look up is the first argument
my $arg = $ARGV[0] or die "usage: $0 <host-ip>\n";
my $switches = '/root/gobi/neo-1.3.1/switches';   # switch/router list file

# Step 1: ask the core router for the MAC ("arp") address of the host
my $real_arp = "";
my @arp = `neo arpfind $arg \@f:$switches`;
foreach (@arp) {
    if ($_ =~ /says/) {
        $real_arp = substr($_, -18);   # MAC address at the end of the line
        chomp $real_arp;
        last;
    }
}
die "no ARP entry found for $arg\n" unless $real_arp;

# Step 2: locate the switch port where that MAC was learned
my @port = `neo locate -u $real_arp \@f:$switches`;
print $_ foreach @port;

root@--:~/gobi# ./
Found on 6@
Found on 10@

I'm also doing some reverse mapping using simple SNMP queries like
@ip2arp_tbl = `snmpwalk -c "public" -v 2c "ip.ipNetToMediaTable.ipNetToMediaEntry.ipNetToMediaPhysAddress"`; I'll cover that in a different post if successful.

Tuesday, September 22, 2009

Mysql Ipaddress subnet wise search

I needed to search a MySQL table by IP address using subnet mask information. This was part of the NetFlow tools for our internal use. I exported the flow data from flow-export to a MySQL database, with the "ip address" column stored as TEXT. The built-in MySQL function INET_ATON makes it easy to search the table.

According to the MySQL reference, if an IP is
The generated number is always in network byte order. For the example just shown, the number is calculated as 209×(256^3) + 207×(256^2) + 224×256 + 40.

To search a subnet we need to add the number of host addresses to the network number.
For example, to search
I need to convert the network address to a number: 3639557120.
Since it is a /23 I need to add 512 to the network figure, giving 3639557632.
Then I can write the query like this, which works fine:

mysql> select dstaddr ,dpkts,srcaddr,srcport,dstport from Raw1253672304 where INET_ATON(dstaddr) > 3639557120 and INET_ATON(dstaddr) <>

Maybe there is an easier way.
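The arithmetic behind that search, as an added example that is not the post's code: INET_ATON reproduced in Python, the block bounds for a given prefix length (512 addresses for a /23, as in the post), and the two equivalent WHERE fragments it yields. Note that a strict "> network" test skips the network address itself, so the range form uses an inclusive BETWEEN; the mask form needs no host-count arithmetic at all. The column and table names are placeholders.

```python
import ipaddress

# Added example, not the post's code: the arithmetic behind the post's subnet
# search and the WHERE fragments it leads to. Column/table names are placeholders.


def inet_aton(dotted):
    """MySQL INET_ATON(): a.b.c.d -> a*256^3 + b*256^2 + c*256 + d, i.e. the
    address as a big-endian (network byte order) integer."""
    octets = [int(x) for x in dotted.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"bad IPv4 address {dotted!r}")
    a, b, c, d = octets
    return a * 256**3 + b * 256**2 + c * 256 + d


def subnet_bounds(network_int, prefix_len):
    """First and last integer covered by network/prefix_len (inclusive).
    The block holds 2**(32 - prefix_len) addresses: 512 for the post's /23."""
    size = 1 << (32 - prefix_len)
    if network_int % size:
        raise ValueError("not a network address for this prefix length")
    return network_int, network_int + size - 1


def subnet_where_clause(column, cidr):
    """Two equivalent predicates for 'column lies inside cidr'. BETWEEN is
    inclusive at both ends, so unlike a '>' test it keeps the network address;
    the mask form (address AND netmask = network) avoids the manual arithmetic."""
    net = ipaddress.ip_network(cidr, strict=True)
    first, last = subnet_bounds(int(net.network_address), net.prefixlen)
    range_sql = f"INET_ATON({column}) BETWEEN {first} AND {last}"
    mask_sql = f"INET_ATON({column}) & {int(net.netmask)} = {first}"
    return range_sql, mask_sql


if __name__ == "__main__":
    # The post's figures: a /23 starting at 3639557120 spans 512 addresses
    print(subnet_bounds(3639557120, 23))
    for clause in subnet_where_clause("dstaddr", "10.20.0.0/23"):  # constructed subnet
        print(f"SELECT dstaddr, dpkts, srcaddr, srcport, dstport "
              f"FROM Raw1253672304 WHERE {clause};")
```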

Sunday, August 2, 2009

DDOS protection using iptables (recent module)

This article is about the iptables recent module, which can be used to defend against DDoS attacks. This setup was tested in bridged mode.
Recent work on DDoS mitigation for one customer showed some interesting capabilities of the iptables "recent module".
One website came under attack with extensive SYN and "GET" requests from distributed zombies; we could identify around 4000 - 5000 unique hosts.
To define the attack pattern we captured some traffic; it contained only SYN and GET requests, nothing else to define the pattern. Therefore I decided: if one host creates more than 20 sessions during 100 seconds, drop the packets.
iptables -I FORWARD -p tcp --dport 80 -i bridge0 -m state --state NEW -m recent --set
iptables -I FORWARD -p tcp --dport 80 -i bridge0 -m state --state NEW -m recent --update --seconds 100 --hitcount 20 -j DROP

Initially I applied these rules but there was no traffic reduction. When I checked the source code:
static unsigned int ip_list_tot = 100;
static unsigned int ip_pkt_list_tot = 20;

Therefore only 100 unique source IPs can be in the list, which is not capable of handling more than 4000 hosts.
So I removed the module and changed the default values.
iptables -F
rmmod xt_recent
modprobe ipt_recent ip_list_tot=5000 ip_pkt_list_tot=100 

I reapplied the rules and they filtered the massive traffic. As I'm writing this post the attack is still going on :( but the web server is still able to handle the load :)

-- notes --
The following script, run from cron in combination with xt_recent, can help a bit. But be aware this may block normal users.

mv /home/gobi/new_ips.txt /home/gobi/old_ips.txt
awk '{ if ($7 > 100) print $1 }' /proc/net/xt_recent/DEFAULT | sort > /home/gobi/new_ips.txt
sort /home/gobi/new_ips.txt /home/gobi/old_ips.txt | uniq -u | awk -F '=' '{print $2}' > /home/gobi/ips
sh /home/gobi/
for WORD in `cat /home/gobi/ips`
do
iptables -I FORWARD -p tcp --dport 80 -s $WORD -i bridge1 -j DROP
done
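The parse-and-diff step of that cron script, as an added example (not the post's code) in Python, so the candidate block list can be inspected before any iptables rule is inserted. The input lines are constructed in the layout of /proc/net/xt_recent/DEFAULT with fake jiffies values; the hit count is taken as the number of recorded timestamps, where the post's awk reads column 7 (oldest_pkt). The rules are only rendered as strings here, never executed.

```python
import re

# Added example, not the post's code: the parse/diff logic of its cron script.
# Constructed sample in the /proc/net/xt_recent/DEFAULT layout (fake jiffies).
SAMPLE_XT_RECENT = """\
src=192.0.2.10 ttl: 64 last_seen: 4294962432 oldest_pkt: 2 4294962429, 4294962432
src=198.51.100.7 ttl: 57 last_seen: 4294962450 oldest_pkt: 5 4294962300, 4294962310, 4294962320, 4294962330, 4294962450
src=203.0.113.99 ttl: 51 last_seen: 4294962455 oldest_pkt: 1 4294962455
"""

ENTRY_RE = re.compile(r"^src=(\S+) ttl: \d+ last_seen: \d+ oldest_pkt: (\d+)(.*)$")


def parse_xt_recent(text):
    """Map source IP -> number of timestamps recorded for it (hits in the window)."""
    hits = {}
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            continue   # skip anything that is not an entry line
        stamps = m.group(3).replace(",", " ").split()
        hits[m.group(1)] = len(stamps)
    return hits


def offenders(hits, threshold):
    """Addresses above the threshold (the post's awk uses '$7 > 100')."""
    return {ip for ip, n in hits.items() if n > threshold}


def new_offenders(current, previous):
    """Only addresses not already blocked in the previous run. The post's
    'sort | uniq -u' keeps lines unique to EITHER file, so it also re-emits
    addresses that dropped out of the old list; a set difference does not."""
    return current - previous


def drop_rules(ips, iface="bridge1"):
    """Render the FORWARD DROP rules the post's loop inserts, one per address."""
    return [f"iptables -I FORWARD -p tcp --dport 80 -s {ip} -i {iface} -j DROP"
            for ip in sorted(ips)]


if __name__ == "__main__":
    current = offenders(parse_xt_recent(SAMPLE_XT_RECENT), threshold=3)
    previous = {"192.0.2.10"}   # constructed contents of old_ips from the last run
    print("\n".join(drop_rules(new_offenders(current, previous))))
```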

Saturday, May 23, 2009

GNS3 Lab for Framerelay over ISIS

Here I've shared the GNS3 files for the CCNP BSCI lab.


Experience vs Knowledge Troubleshooting ~

You may have to face situations where something physically goes wrong or somebody else screws up your network. In this kind of scenario your knowledge gives you confidence, but knowledge sometimes cannot provide the answer. Here is something I've learned from faults and mistakes.

1) Don't panic. When you feel the pressure you are unable to concentrate.
2) Use the tools you have in your hand (traceroute, looking glasses, ping, etc.).
3) Isolate the problem. In this step people try to correlate with existing experience; sometimes the prediction is correct, sometimes utterly wrong.
4) Try to contact the right person and provide the correct details. Persuading people to work for you is really hard; sometimes they are also bound to a contract that limits the help you can get from them. Keep good relationships, and thank them when the problem is resolved. Until they understand, they won't put their heart into it!

5) Hope for the best! :)

Tuesday, April 21, 2009

Mikrotik Hierachical Queue

This particular setup provides guaranteed bandwidth for mail traffic. I achieved it through a queue tree, because the most complicated queuing structures can be built with queue trees and PCQ.

This is a simple setup:
1) Mark the relevant connections and packets.
This can be done with an ip firewall address list, a source address or a port number, depending on your requirements.
2) Define the parent queue and child queues.

1) Mark the connection for mail traffic:
chain=prerouting action=mark-connection new-connection-mark=mail passthrough=yes src-address=

chain=prerouting action=mark-packet new-packet-mark=mail-packet passthrough=no connection-mark=mail

chain=prerouting action=mark-packet new-packet-mark=others passthrough=yes packet-mark=!mail
(please note the ! sign)

Create the relevant queues and apply them:

3 name="Parent" parent=ether3 packet-mark="" limit-at=0 queue=default priority=8 max-limit=1024000 burst-limit=0
burst-threshold=0 burst-time=0s

4 name="Mail" parent=Parent packet-mark=mail limit-at=256000 queue=default priority=8 max-limit=1024000 burst-limit=0
burst-threshold=0 burst-time=0s

5 name="queue1" parent=Parent packet-mark=others limit-at=768000 queue=default priority=8 max-limit=1024000

This particular queuing strategy satisfies the above requirements. You can identify the particular traffic using different parameters :)

Wednesday, April 8, 2009

hierarchical queuing on Cisco

Recently I tested assigning different bandwidth requirements to a number of users. The example setup is shown in the following diagram. 512kbps is divided between the users, and one user can use the whole bandwidth when the others are not using it. I've done some testing on this and achieved the requirement through a hierarchical queuing strategy.

1) I set up NAT and the other basic configuration:

ip route
ip nat inside source list 2 interface FastEthernet0/0 overload
access-list 2 permit
ip nat outside
ip nat inside

2) Define the class-maps.

2.1 - Access-lists to match the IPs.

access-list 101 permit ip host any
access-list 101 permit ip any host
access-list 102 permit ip host any
access-list 102 permit ip any host
access-list 103 permit ip host any
access-list 103 permit ip any host

2.2 - Class-maps matching the ACLs.

class-map match-all shape256_pir256_HostA
match access-group 101
class-map match-all shape64_pir64_HostB
match access-group 102
class-map match-all shape128_pir512_HostC
match access-group 103

3) Queues.
3.1 - Define the parent shaper.

policy-map shape_512
class class-default
shape average 512000
service-policy shapeinside

3.2 - Child queues.

policy-map shapeinside
class shape256_pir256_HostA
bandwidth 256
police rate 256000 bps burst 32000 bytes
class shape64_pir64_HostB
bandwidth 64
police rate 64000 bps burst 32000 bytes

4) Apply it to the interface.

interface FastEthernet0/1
ip address
ip nat inside
duplex auto
speed auto
service-policy output shape_512

My test results showed the bandwidth is guaranteed for hosts A and B; when they are not using it, host C can utilize it. That's the reason I did not put any shaping in the child classes.