GNS3 Labs: BGP triggered rate limiting and less-than-best-effort (LBE) with QPPB

Posted on by Pier Carlo Chiodi
8 Comments

This post is part of a series about “ISP Security Tools and Techniques“; in this series I talk about some (I think) useful practices:

1. Remote Triggered Black Holing

2. BGP Customer triggered black holing

3. BGP triggered rate limiting and less-than-best-effort (LBE) with QPPB

4. Source-based RTBH with Unicast Reverse Path Forwarding (uRPF)

Stay tuned! 😉

As I already wrote in my previous posts, an ISP can provide their customers some useful tools to mitigate (D)DoS attacks: Remote Triggered Black Holing and its NOC-independent version, Customer triggered black holing are tools that, once identified attacked hosts or networks, let us to stop malicious traffic at the provider’s edge.

Anyway, when we drop traffic toward attacked hosts, we can’t investigate the attack anymore; we would need a tool which allowed us to analyze traffic and, in the meantime, that would avoid wasting network resources. Our (dear) provider could provide it by implementing rate limiting and less-than-best-effort services using QoS Policy Propagation via BGP (QPPB).

Read more …

Categories: Networking, Networking Labs, Security | Tags: , , , , , , , , , , , ,

GNS3 Labs: BGP Customer triggered black holing

Posted on by Pier Carlo Chiodi
12 Comments

This post is part of a series about “ISP Security Tools and Techniques“; in this series I talk about some (I think) useful practices:

1. Remote Triggered Black Holing

2. BGP Customer triggered black holing

3. BGP triggered rate limiting and less-than-best-effort (LBE) with QPPB

4. Source-based RTBH with Unicast Reverse Path Forwarding (uRPF)

Stay tuned! 😉

Remote Triggered Black Holing In this post I’ll show you how to let your customers to trigger black holing for their prefixes. What I will write is based on my previous post GNS3 Lab: Remote Triggered Black Holing: same scenario, same startup config (the final one of that post).

Read more …

Categories: Networking, Networking Labs, Security | Tags: , , , , , , ,

Zabbix: how to monitor Radius (and other services) with external check items and netcat (nc)

Posted on by Pier Carlo Chiodi
12 Comments

You can monitor Radius (and other services too, such as DNS and other) with Zabbix external check feature and netcat (nc).

How do external check items work?

“External check” items are monitored by Zabbix using external scripts, running on the server; you can create your own scripts and put them in the ExternalScripts directory, as defined by the zabbix_server.conf file:

# Location of external scripts
ExternalScripts=/etc/zabbix/externalscripts

You can setup an external check item using the following syntax for the key parameter:

Type: External check
Key: script[parameters]

For example, you can configure Zabbix to run the script checkradius.sh and to pass it the host IP address:

Description: Radius – Authentication
Type: External check
Key: checkradius.sh[{IPADDRESS}]
Type of information: Numeric (unsigned)

Zabbix will execute checkradius.sh HOSTNAME|HOSTIPADDRESS IPADDRESS, where HOSTNAME|HOSTIPADDRESS is the host name or IP address (it depends on the “Connect to” host parameter), and IPADDRESS is the value of the macro {IPADDRESS} used as parameter.

How to use netcat with external check items

With netcat (nc) you can send a host UDP or TCP data and get a response from it. For example, you can send a Radius authentication packet and wait for a response from the server.

Of course Netcat knows nothing about Radius or other protocols, it simply sends and receives data, so you have to forge an Access-Request packet and to parse an Access-Accept response.

Radius - Access-Request packetTo build the Radius Access-Request packet I simply sniffed a real packet using Wireshark and then I exported it to my Zabbix server (you can see it in the picture).

Once you have sent the Access-Request packet, you should receive an Access-Accept response from your server, so you can parse the response to see if it is the one you expected. You can do this using od to convert netcat output in hex and then grep the Radius Access-Accept code (0x02).

External check item and script configuration

My script uses only one argument, the one Zabbix always passes to external scripts, so I did’nt configure it to pass other parameters:

Description: Radius – Authentication
Type: External check
Key: checkradius.sh[]
Type of information: Numeric (unsigned)

The script gets the Radius packet to send to the server from the $1.rad file, where $1 is the host name or IP address; for example, for the Radius server at 10.0.0.1 I will put the Access-Request packet in the 10.0.0.1.rad file.

EDIT 2011-10-13: I think I forgot the “#! /bin/bash” line!

UPDATE 2011-12-01: I added the timelimit command to the script (you can install it with apt-get install timelimit). This command runs another command (nc in my script) and kills it after a specified time lapse. This is useful to handle endless netcat timeout. Remember to raise the default Timeout in the Zabbix configuration file in order to match your command timeout (file /etc/zabbix/zabbix_server.conf, parameter Timeout=10).

#! /bin/bash

cat /etc/zabbix/externalscripts/$1.rad | 
        timelimit -q -t 5 -T 5 nc -u -w 1 $1 1812 | od -t x1 | 
        grep "0000000 02" > /dev/null
if [ $? == 0 ]; then
        echo 1
        exit 1
else
        echo 0
        exit 0
fi

References

Radius RFC: http://www.ietf.org/rfc/rfc2865.txt

Zabbix: http://www.zabbix.com/

Netcat: http://netcat.sourceforge.net/

Wireshark: http://www.wireshark.org/

Categories: Systems Administration | Tags: , , , , , , ,

Cisco “clear ip nat translation” helper tool

Posted on by Pier Carlo Chiodi
8 Comments

Have you ever had to clear some specific NAT translations while avoiding to drop them all? You have to enter a long and annoying command such this a lot of times:

clear ip nat translation udp inside 1.2.3.4 7021 192.168.0.112 7021 outside 5.6.7.8 5060 5.6.7.8 5060

And you know, you have to do it many times, for every NAT entry you have to clear… and those entries are all there, within a single command output:

#show ip nat translations | inc 192.168.0.112
udp 1.2.3.4:7021     192.168.0.112:7021    5.6.7.8:5060    5.6.7.8:5060
udp 1.2.3.4:7022     192.168.0.112:7022    5.6.7.8:5060    5.6.7.8:5060

Well, I was bored once too often, so I’ve built a little tool: you have just to copy show ip nat translations entries you have to clear, paste them into this tool, and it builds the clear ip nat translation statements for you! ready to be pasted into your telnet/ssh client.

It’s an HTML page with a simple javascript; you can find it online, or here is the source code:

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
	"http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<title>Cisco "clear ip nat translation" helper</title>
<style type="text/css">
	body,td,th { color:black;font-family:Verdana; font-size: 8pt }
	input, textarea { color:black;font-family:Verdana; font-size: 8pt }
</style>

<script type="text/javascript">
	function Do()
	{
		var sEntries = new String();
		sEntries = document.forms['frmMain'].entries.value;

		var sVRF = new String();
		sVRF = document.forms['frmMain'].vrf.value;

		var sReplace;
		if ( sVRF == '' )
			sReplace = "clear ip nat translation $1 inside $2 $3 $4 $5 outside $6 $7 $8 $9"
		else
			sReplace = "clear ip nat translation vrf " + sVRF + " $1 inside $2 $3 $4 $5 outside $6 $7 $8 $9";

		sEntries = sEntries.replace(/^(tcp|udp)s+(d{1,3}.d{1,3}.d{1,3}.d{1,3}):(d+)s+(d{1,3}.d{1,3}.d{1,3}.d{1,3}):(d+)s+(d{1,3}.d{1,3}.d{1,3}.d{1,3}):(d+)s+(d{1,3}.d{1,3}.d{1,3}.d{1,3}):(d+)/gm, sReplace)

		document.forms['frmMain'].result.value = sEntries;
	}
</script>

</head>

<body>

<form id=frmMain name=frmMain style="MARGIN:0px" action="#">
<table>
 <tr>
  <td colspan=2><b>Entries to clear</b></td>
 </tr>
 <tr>
  <td colspan=2>

Paste here the <b>show ip nat translations</b> entries you want to clear:

  </td>
 </tr>
 <tr>
  <td colspan=2><textarea wrap=off style="white-space:pre; overflow-x: scroll; overflow-y: scroll" name=entries id=entries cols=100 rows=10></textarea></td>
 </tr>

 <tr>
  <td colspan=2><br></td>
 </tr>

 <tr>
  <td colspan=2><b>VRF aware?</b></td>
 </tr>
 <tr>
  <td colspan=2>

If these entries are part of a vrf, write here the vrf name, otherwise leave this box empty:

  </td>
 </tr>
 <tr>
  <td><b>VRF name:</b></td>
  <td><input type=text name=vrf id=vrf size=15 value=""></td>
 </tr>

 <tr>
  <td colspan=2><br></td>
 </tr>

 <tr>
  <td colspan=2><b>Results</b></td>
 </tr>
 <tr>
  <td colspan=2><textarea wrap=off style="white-space:pre; overflow-x: scroll; overflow-y: scroll; WIDTH:99%" readonly name=result id=result cols=100 rows=10></textarea></td>
 </tr>

 <tr>
  <td colspan=2><br></td>
 </tr>

 <tr>
  <td colspan=2 align=center><input type=button onclick="Do()" value="  Build clear ip nat translation statements  "></td>
 </tr>

</table>
</form>

<br>

by Pier Carlo Chiodi - AKA Pierky<br>
<br>
Blog: <a href="http://blog.pierky.com" target="_blank">http://blog.pierky.com</a><br>
Contact me: <a href="http://piercarlochiodi.tel" target="_blank">http://piercarlochiodi.tel</a><br>

</body>
</html>
Categories: Networking | Tags: , ,

GNS3 Lab: Remote Triggered Black Holing

Posted on by Pier Carlo Chiodi
6 Comments

This post is part of a series about “ISP Security Tools and Techniques“; in this series I talk about some (I think) useful practices:

1. Remote Triggered Black Holing

2. BGP Customer triggered black holing

3. BGP triggered rate limiting and less-than-best-effort (LBE) with QPPB

4. Source-based RTBH with Unicast Reverse Path Forwarding (uRPF)

Stay tuned! 😉

Remote Triggered Black HolingIn this post I would like to talk about Remote Triggered Black Holing, a mechanism to protect a network by filtering malicious traffic at the edge. It’s a powerful tool ISPs can (and should) adopt to stop DDOS attacks on their networks.

UPDATE 2009-06-21: You can find a related solution to use customer triggered blackholing in this new post!

Read more …

Categories: Networking, Networking Labs, Security | Tags: , , , , , , , ,