DDoS Packet Forensics: Take me to the hex!

A few days ago, my colleague Marek sent an email about a DDoS attack against one of our DNS servers that we'd been blocking with our BPF rules. He noticed that there seemed to be a strange correlation between the TTL field in the IP header and the IPv4 source address.

CC BY 2.0 image by Jeremy Keith

The source address was being spoofed, as usual, and apparently chosen randomly, but something else was going on. He offered a bottle of Scotch to the first person to come up with a satisfactory solution.

Here's what some of the packets looked like: 

$ tcpdump -ni eth0 -c 10 "ip[8]=40 and udp and port 53"
1.181.207.7.46337 > x.x.x.x.53: 65098+  
1.178.97.141.45569 > x.x.x.x.53: 65101+  
1.248.136.142.63489 > x.x.x.x.53: 65031+  
1.207.241.195.52993 > x.x.x.x.53: 65072+

$ tcpdump -ni eth0 -c 10 "ip[8]=41 and udp and port 53"
2.10.30.2.2562 > x.x.x.x.53: 65013+  
2.4.9.36.1026 > x.x.x.x.53: 65019+  
2.98. Continue reading

Open vSwitch performance monitoring

Credit: Accelerating Open vSwitch to “Ludicrous Speed”
Accelerating Open vSwitch to "Ludicrous Speed" describes the architecture of Open vSwitch. When a packet arrives, the OVS Kernel Module checks its cache to see if there is an entry that matches the packet. If there is a match then the packet is forwarded within the kernel. Otherwise, the packet is sent to the user space ovs-vswitchd process to determine the forwarding decision based on the set of OpenFlow rules that have been installed or, if no rules are found, by passing the packet to an OpenFlow controller. Once a forwarding decision has been made, the packet and the forwarding actions are passed back to the OVS Kernel Module which caches the decision and forwards the packet. Subsequent packets in the flow will then be matched by the cache and forwarded within the kernel.

The recent Open vSwitch 2014 Fall Conference included the talk, Managing Open vSwitch across a large heterogeneous fleet by Chad Norgan, describing Rackspace's experience with running a large scale OpenStack deployment using Open vSwitch for network virtualization. The talk describes the key metrics that Rackspace collects to monitor the performance of the large pools of Open vSwitch instances.

Continue reading

Time For A Data Diet?

I’m running out of drive space. Not just on my laptop SSD or my desktop HDD. But everywhere. The amount of data that I’m storing now is climbing at an alarming rate. What’s worse is that I often forget I have some of it until I go spelunking back through my drive to figure out what’s taking up all that room. And it’s a problem that the industry is facing too.

The Data Junkyard

Data is accumulating. You can’t deny that. Two factors have lead to this. The first is that we now log more data from things than ever before. In this recent post from Chris Evans (@ChrisMEvans), he mentions that Virgin Atlantic 787s are generating 500GB of data per flight. I’m sure that includes telemetry, aircraft performance, and other debugging information that someone at some point deemed crucial. In another recent article from Jacques Mattheij (@JMattheij), he mentions that app developers left the debug logging turned on, generating enormous data files as the system was in operation.

Years ago we didn’t have the space to store that much data. We had to be very specific about what needed to be Continue reading

Python and MySQL

Let me preface this post by stating I am not a database expert. I use them occasionally now and then. The below post probably doesn’t show best practices. If you have any suggestions feel free to comment. Over the weekend I’ve been testing various ways for me to store, update, and retrieve data from a […]

Infographic: SDN’s Pulse Among Service Providers

Infographic: SDN's Pulse Among Service Providers

by Steve Harriman, VP of Marketing - January 6, 2015

As Howard Baldwin recently wrote in InfoWorld, the lure of new enterprise technology is great, but then comes the inevitable uncertainty about how in the world to manage it. The backdrop for his comment is the service provider survey we conducted last month at the SDN/MPLS International Conference in Washington, D.C.  As the infographic below shows, production deployment of SDN is way up among service providers, but nearly all are concerned about management.

Baldwin concludes his article by pointing out that although SDN holds great promise for automating and managing WAN operations, traditional management tools, processes, and standards will not work. The good news, he says, is that “…IT is not only being liberated from hardware-specific configuration, it’s also being liberated from hardware-specific management. In other words, you’ll be able to manage devices the way you want to, not the way the application dictates.”

Right now that’s more of a hope than a concrete solution. At Packet Design, we have made some headway on our concept of a Network Access Broker. See our conceptual demo here: http://www.packetdesign.com/blog/network-access-broker-conceptual-demo

Continue reading

Hello 2015!

Hard to be believe 2014 is gone and and 2015 is here! Yea I know we are already a few days into 2015 but hey for some reason I still hear people saying “Happy New Year”, much like I still Christmas decorations out. So what’s in store in for 2015!? Well we are going to […]

PQ Show 40 – HP Networking – Multi Service Routers (HP MSR)

This is a continuation of the sponsored series of shows we recorded at the HP Discover Barcelona conference in December 2014. An interesting facet of HP Discover to me was meeting smart HP folks at random. Sue Darte is such a person I was lucky enough to bump into. Here’s the story. While waiting to record a […]

Author information

Ethan Banks

Co-host at Packet Pushers

Ethan Banks, CCIE #20655, has been managing networks for higher ed, government, financials and high tech since 1995. Ethan co-hosts the Packet Pushers Podcast, which has seen over 3M downloads and reaches over 10K listeners. With whatever time is left, Ethan writes for fun & profit, studies for certifications, and enjoys science fiction. @ecbanks
TwitterGoogle+LinkedIn

The post PQ Show 40 – HP Networking – Multi Service Routers (HP MSR) appeared first on Packet Pushers Podcast and was written by Ethan Banks.

OpenFlow integration

Northbound APIs for traffic engineering describes how sFlow and OpenFlow provide complementary monitoring and control capabilities that can be combined to create software defined networking (SDN) solutions that automatically adapt the network to changing traffic and address high value use cases such as: DDoS mitigation, enforcing black lists, ECMP load balancing, and packet brokers.

The article describes the challenge of mapping between the different methods used by sFlow and OpenFlow to identify switch ports:
  • Agent IP address ⟷ OpenFlow switch ID
  • SNMP ifIndex ⟷ OpenFlow port ID
The recently published sFlow OpenFlow Structures extension addresses the challenge by providing a way for switches to export the mapping as an sFlow structure.

The Open vSwitch recently implemented the extension, unifying visibility and control of the virtual network edge. In addition, most physical that support OpenFlow also support sFlow. Ask vendors about their plans to implement the sFlow OpenFlow Structures extension since it is a key enabler for SDN control applications.

The Story Behind the Migration

A number of people have asked me why I migrated from WordPress—which powered my blog for 9 years—to Jekyll and GitHub Pages. Now that the migration is finally complete, I can share with you the story behind the migration: why I migrated, the process I followed, and some of the tools I used.

Why I Migrated

“Why?” is a question I heard quite a bit as I was sharing updates on the progress of the blog migration over the Christmas/New Year holiday. It’s quite simple, really: I needed to walk the walk.

Allow me to explain. For the last couple of years, I’ve occasionally been giving presentations at VMUG meetings and other events on how to stay relevant in the fast-changing world of IT. The most recent instance was a whirlwind tour of Dallas, Chicago, and Phoenix in September of this last year, where I presented this deck, titled “Closing the Cloud Skills Gap.”

In that presentation, one of the recommendations I made to the audience was to become more familiar with the software development process. That includes tools like Git (and, by extension, GitHub), Vagrant (a quick introduction is available here), and others. I Continue reading

A Look Ahead to Packet Pushers Content in 2015

Here’s an update on some Packet Pushers news, and a look ahead to the content we’re planning for 2015. No scary announcements, just some thoughts to share. Circling Back Around On Show 200 I think we’ve mentioned it before, but the response we received to show 200 was very encouraging to us. That’s understated. You really blew […]

Author information

Ethan Banks

Co-host at Packet Pushers

Ethan Banks, CCIE #20655, has been managing networks for higher ed, government, financials and high tech since 1995. Ethan co-hosts the Packet Pushers Podcast, which has seen over 3M downloads and reaches over 10K listeners. With whatever time is left, Ethan writes for fun & profit, studies for certifications, and enjoys science fiction. @ecbanks
TwitterGoogle+LinkedIn

The post A Look Ahead to Packet Pushers Content in 2015 appeared first on Packet Pushers Podcast and was written by Ethan Banks.

Platitudes are only skin deep

I overdosed on Disney Channel over the holidays, because of course children control the remote. It sounds like it's teaching kids wholesome lessons, but if you pay attention, you'll realize it's not. It just repeats meaningless platitudes with no depth, and sometimes gets the platitudes wrong.

For example, it had a segment on the importance of STEAM education. This sounds a lot like "STEM", which stands for "science, technology, engineering, and math". Many of us believe in interesting kids in STEM. It's good for them, because they'll earn twice that of other college graduates. It's good for society, because there aren't enough technical graduates coming out of college to maintain our technology-based society. It's also particularly important for girls, because we still have legacy sexism that discourages girls from pursuing technical careers.

But Disney adds an 'A' in the middle, making STEM into STEAM. The 'A' stands for "Arts", meaning the entire spectrum of Liberal Arts. This is nonsense, because at this point, you've now included pretty much all education. The phrase "STEAM education" is redundant, conveying nothing more than simply "education".

What's really going on is that they attack the very idea they pretend to promote. Proponents of STEM Continue reading

Upcoming Ansible Training Classes

ANSible_101

We are pleased to announce to training courses. These courses are taught by members of the Ansible Team and will give a great look at how to get started using Ansible.

In this course, students will explore the origins of Ansible, how Ansible approaches automation, and the common use cases for Ansible. Students will learn about key Ansible concepts, including playbooks, plays, tasks, and modules, and the course will go through step-by-step creation of a playbook to deploy a full application from beginning to end. 

The cost is $199.

Choose from one of the dates below. 
Online Training: Introduction to Ansible - February 4th
Online Training: Introduction to Ansible - March 17th

Get ready to replace datacenter appliances with telco services

This column is available in a weekly newsletter called IT Best Practices.  Click here to subscribe.  As 2014 drew to a close, Network World contributor Steve Alexander proclaimed 2015 to be the year that Software Defined Networking (SDN) and Network Functions Virtualization (NFV) go mainstream. Calling them "transformative technologies," Alexander expects enterprises to consume services from telcos and other service providers instead of buying traditional data center hardware appliances.To read this article in full or to leave a comment, please click here

Continuous Integration Pipeline for Networking

This entry is part 3 of 3 in the series DevOps for Networking

Popular development methodologies like Continuous Integration are usually accompanied by some kind of automated workflow, where a developer checks in some source code, which kicks off automated review, testing, and deployment jobs. I believe the same workflows can be adopted by network engineers.

Let’s say you are the Senior Network Engineer for your entire company, which boasts a huge network. You don’t have time to touch every device, so you have a team of junior-level network engineers that help you out. Let’s say you want to offload the creation/deletion of DHCP reservations to these junior engineers, but you still want to be able to approve all changes, just as a last line of defense, and a sanity check.

For this, I’m gong to show you how I’m managing my own home DHCP server (ISC) with Gerrit, Jenkins, and Ansible.

 

Config Review and Versioning with Git and Gerrit

I mentioned in a previous post that version control is an important component of efficiently managing network infrastructure. I’m going to take it a step further than what most are doing with RANCID, which is traditionally used at the end of a Continue reading

On Losing

When I got off the phone, I knew I’d blown it. I’d gotten so wrapped up in the discussion on eVPNs that I might have crossed over that magical line between, “this is a really neat technology,” to, “this technology will solve world hunger.” It brought back to mind my first “real fight” in the world of technology, a long ago argument between two network operating systems (Novell Netware and Banyan Vines).

At the time, I was a buck sergeant in the USAF assigned to the Small Computer Support Office. We were building a new base backbone, and trying to decide what network operating system to standardize on as an organization (as a base). The decision had come down to two options — Novell Netware and Banyan Vines. I was in the camp that wanted Vines. In fact, I’d written two papers (long’ish, on the order of 80 pages each), going through the positives and negatives in each direction. I’d been to a number of meetings, and we had small networks set up running both in our lab. In the end, though, I lost. The technology I was advocating for wasn’t chosen by “the powers that be,” and so Continue reading

1 3,574 3,575 3,576 3,577 3,578 3,760