Failure Analysis: An Interesting way to Break CAPWAP

I recently stumbled into what I think is a very interesting failure scenario with a Cisco Wireless solution. This was a traditional controller based solution that leveraged a CAPWAP data and control plane. The symptoms were fairly consistent and strange.

Symptoms:

  • When the issue is occurring, all uploads drop to about 1.5 Mb/s
  • Installing a new AP seems to solve the issue
  • The issue recurs within a few minutes
  • Issues only occur for one specific site
  • Wireless is configured consistently across 5 sites
  • RF is not an issue

Topology:

When I got involved with this, a few people had reviewed the configuration and TAC had been involved for some time. While on-site, I took a look at RF and channel utilization (expecting to find it ugly, since I knew the site was heavily dependent on 2.4 GHz). My first order of business was to spin up a test AP in its own group and advertise a test SSID on a 5 GHz channel. Upon doing so, both iPerf and Speedtest showed >50 Mb/s. My initial thought was that the density needed to be increased and the radios tweaked to get more clients onto 5 GHz. However, a few minutes into my testing, my upload also Continue reading

Intent-Based Networking Resources

Every now and then I get a question along the lines of “I’m your subscriber and would like to know more about X,” so I decided to start creating technology-specific pages on www.ipSpace.net that would include links to the most relevant ipSpace.net blog posts, webinars, sections in our online courses, and interesting third-party resources.

The subscriber triggering this process asked me about Intent-Based Networking, so here’s the relevant resources page.

Master of web puppets: abusing web browsers for persistent and stealthy computation

Master of web puppets: abusing web browsers for persistent and stealthy computation, Papadopoulos et al., NDSS’19

You’ve probably heard about crypto-currency mining and the like in hijacked browsers.

From a security perspective, a fundamental problem of web applications is that by default their publisher is considered as trusted, and thus allowed to run JavaScript code (even from third parties) on the user side without any restrictions… On the positive side JavaScript execution so far has been constrained chronologically to the lifetime of the browser window or tab that rendered the compromised or malicious website.

Not any more! This paper shows how modern browsers with support for Service Workers can be stealthily connected into a botnet, with a connection that persists until the user closes the browser completely: “in contrast to previous approaches for browser hijacking, a key feature of MarioNet is that it remains operational even after the user browses away from the malicious webpage.”

MarioNet building blocks: Service Workers and WebRTC

Service Workers are non-blocking modules that reside in the user’s browser. Once registered they can run in the background without requiring the user to continue browsing on the originating site. In addition, service workers have Continue reading

Assange indicted for breaking a password

In today's news, after 9 years holed up in the Ecuadorian embassy, Julian Assange has finally been arrested. The US DoJ accuses Assange of trying to break a password. I thought I'd write up a technical explainer of what this means.

According to the US DoJ's press release:

    Julian P. Assange, 47, the founder of WikiLeaks, was arrested today in the United Kingdom pursuant to the U.S./UK Extradition Treaty, in connection with a federal charge of conspiracy to commit computer intrusion for agreeing to break a password to a classified U.S. government computer.

The full indictment is here.

It seems the indictment is based on already public information that came out during Manning's trial, namely this log of chats between Assange and Manning, specifically this section where Assange appears to agree to break a password:

What this says is that Manning hacked a DoD computer and found the hash "80c11049faebf441d524fb3c4cd5351c" and asked Assange to crack it. Assange appears to agree.

So what is a "hash", what can Assange do with it, and how did Manning grab it?

Computers store passwords in an encrypted (sic) form called a "one way hash". Since it's "one way", it can Continue reading

Kernel of Truth season 2 episode 5: The power of community

Subscribe to Kernel of Truth on iTunes, Google Play, Spotify, Cast Box and Stitcher!

Click here for our previous episode.

From developer days to hackathons, and from events to forums, Slack and social media included, there’s a community out there waiting for you! In this episode, host Brian talks to Nutanix community evangelist Angelo Luciani and our own Pete Lumbis about the power of community and self-service. What are the perks, both personally and professionally, that you get when you’re actively participating in a community? What are some communities and resources we’ve found useful? Grab a taco, listen and find out. We promise you’ll get the taco reference after listening.

Guest Bios

Brian O’Sullivan: Brian currently heads Product Management for Cumulus Linux. For 15 or so years he’s held software Product Management positions at Juniper Networks as well as other smaller companies. Once he saw the change that was happening in the networking space, he decided to join Cumulus Networks to be a part of the open networking innovation. When not working, Brian is a voracious reader and has held a variety of jobs, including bartending in three countries and working as an extra in a German Continue reading

Collaboration, Connectivity, and Self-Determination

Over 20 million people in North America lack access to fast, affordable, and reliable Internet. In October 2018, the Indigenous Connectivity Summit gathered over 150 Indigenous leaders, policymakers, network operators, and community members in the Canadian Arctic town of Inuvik to focus on a common goal: bringing fast, affordable, and reliable Internet to Indigenous communities. The event featured success stories of community networks across North America to demonstrate the power of communities to lead their own Internet solutions, and how anyone can support them.

Crystal Gail Fraser, a Gwichyà Gwich’in woman who calls Inuvik home, sees collaborative Internet solutions as a critical path to self-determination for her community.

As I stepped off the plane in Inuvik, I inhaled the arctic air. I observed the scenic landscape of Dinjii Zhuh (Gwich’in) and Inuvialuit territory, taking in the familiarity: the snow-covered rolling hills, stunted spruce trees, and ice crystals in the air.

A scenic landscape on the Inuvik-Tuktoyaktuk Highway, which is located on Inuvialuit land.
Photo credit: April Froncek

This land and all that it holds, means, and represents, has been critical to Dinjii Zhuh culture, economies, and lifestyles since Ts’ii Dęįį (Time Immemorial).

Crystal Gail Fraser and her daughter Quinn Addison Continue reading

Internet of Things Devices as a DDoS Vector

As adoption of Internet of Things devices increases, so does the number of insecure IoT devices on the network. These devices represent an ever-increasing pool of computing and communications capacity open to misuse. They can be hijacked to spread malware, recruited to form botnets to attack other Internet users, and even used to attack critical national infrastructure, or the structural functions of the Internet itself (we give several examples from recent headlines in the Reference Section, below).

The problem this poses is what to do about IoT as a source of risk. This blog post includes reflections on events that came to light in recent weeks, sets out some thoughts about technical mitigations, and sketches out the boundaries of what we think can be done technically. Beyond those boundaries lie the realms of policy measures, which – while relevant to the big picture – are not the topic of this post.

Why are we exploring this issue now? Partly because of our current campaign to improve trust in consumer IoT devices.

And partly, also, because of recent reports that, as a step towards mitigating this risk, connected devices will be subjected to active probing, to detect whether or not they Continue reading

Terraform your physical network with YANG

Every time I get bored with my day job I tend to find some small interesting project that I can do that gives me an instant sense of accomplishment and, as a result, lifts my spirits and improves my motivation. So this time I remembered when someone once asked me if they could use Terraform to control their physical network devices and I had to explain why this is the wrong tool for the job. Somehow the question got stuck in my head, and now it has come to fruition in the form of terraform-yang.

This is a small Terraform plugin (provider) that allows users to manipulate interface-level settings of a network device. And I’m not talking about a VM in the cloud that runs the network OS of your favourite vendor; that is trivial and doesn’t require anything special from Terraform. I’m talking about Terraform controlling your individual physical network devices over the OpenConfig gNMI interface, with standard Create/Read/Update/Delete operations exposed all the way to Terraform’s playbooks (or whatever they are called). Network Infrastructure as code nirvana…

Writing a custom Terraform provider for a network device

Although this may look scary at the beginning, the process of creating your Continue reading

Cisco taps into AWS for data center, cloud applications

Cisco has released a cloud-service program on its flagship software-defined networking (SDN) software that will let customers manage and secure applications running in the data center or in Amazon Web Services cloud environments.

The service, Cisco Cloud ACI (Application Centric Infrastructure) for AWS, lets users configure inter-site connectivity, define policies and monitor the health of network infrastructure across hybrid environments, Cisco said.

Specifically, this connectivity includes an “underlay network for IP reachability (IPsec VPN) over the Internet, or through AWS Direct Connect; an overlay network between the on-premises and cloud sites that runs BGP EVPN [Ethernet VPN] as its control plane and uses Virtual Extensible LAN (VXLAN) encapsulation and tunneling as its data plane,” Cisco says.