Tags: udp

03/31/17

  02:37:00 pm, by The Dreamer   , 1149 words  
Categories: Software, Networking

TP-Link TR-WR1043ND DoS Protection Feature and QUIC

So, I discovered a problem with QUIC and my TP-Link TR-WR1043ND router the other day.

I have DoS security enabled on my router, which blocks hosts for ICMP flooding, UDP flooding or TCP-SYN flooding. The default is a 10 second sampling period, and it triggers on 50 ICMPs, 500 UDPs or 50 TCP-SYNs within that window.

Well, I fired up Chrome on my Mac (my default browser is Safari, but it wouldn't open my HSA's website), and suddenly my Mac lost all Internet connectivity. I could still access all my local network devices, and then found that other devices (iPad) on my home network could still reach the outside world. Rebooting the Mac didn't help, nor did rebooting the cable modem or router.

So, I connected to my router from the Mac to see if there was any mysterious setting change (access controls?) getting in the way. When I happened to look at statistics, it showed that I had hit a max of 563 UDP packets during a 10 second window (to have DoS protection, statistics need to be enabled). Which led me to the DoS protection feature.

For some reason I had assumed it meant WAN side DoS, though it just says "protect the Router from being attacked by TCP-SYN Flood, UDP Flood and ICMP-Flood". It's from here that I can also control whether it should respond to pings on the WAN side and/or LAN side. I have it allowed for both, since ping is part of my internal Nagios check of it, and I used to have DSLreports pinging it to generate latency graphs...

But, I guess it makes sense that it does internal hosts (as well?), to protect against a computer on my home network getting compromised and becoming a bot. Though that hasn't happened yet, as I have generally kept up with things at home.... (such as the need to have antivirus software on my Macs... I tried a number of free ones, but eventually purchased ClamXav, which I had used when it was free to protect my work Macs).

So, what would be a reasonable setting for UDP-Flood protection that won't trigger due to Chrome's / Google's use of QUIC for https? The burst was likely due to my not having used Chrome in a while, so it needed to update many of my extensions/apps as well as itself and other things. Though I still need to work out sync of bookmarks between my different browsers....

When looking at blocked hosts, I found that my MacBookPro was also in the list. I wonder when that had happened, as it's been sleeping for some time now....plus I can't recall if I've gotten around to installing Chrome on it. Need to find a way to synchronize some/all of my apps between Macs.... The MacBookPro had reached a peak of 654 UDPs.... I wonder if there's some way to monitor when it has blocked a host, etc. It didn't report anything in its internal logging, or in the daily email of logs.
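To make the router's behaviour concrete, here is an added example (my own code, not anything from TP-Link or the original post) that applies the same per-host threshold logic to a constructed packet log: a 10 second window with triggers of 50 ICMP, 500 UDP and 50 TCP-SYN packets. The sample traffic is constructed to reproduce the 563-UDP QUIC burst from the post next to a host that pings quietly. It uses a sliding window, which counts at least as many packets as the router's fixed sampling period would, so it is the conservative side to check a candidate threshold against; the second run shows the same burst passing under a raised UDP threshold (1000 here is just an illustrative value, not a recommendation).

```python
from collections import defaultdict, deque

# Defaults as the post describes them: a 10 second sampling window and a
# trigger of 50 ICMP, 500 UDP or 50 TCP-SYN packets from a single host.
WINDOW_SECONDS = 10
THRESHOLDS = {"icmp": 50, "udp": 500, "tcp-syn": 50}


def parse_record(line):
    """Parse one constructed record of the form '<epoch_seconds> <src_ip> <proto>'."""
    ts, src, proto = line.split()
    return float(ts), src, proto


def scan(records, window=WINDOW_SECONDS, thresholds=THRESHOLDS):
    """Sliding-window per-source packet counter (records must be time-ordered).

    Returns (blocked, peaks): blocked maps (src, proto) to the timestamp at
    which the count first reached the threshold, peaks maps (src, proto) to
    the highest count seen inside any one window.
    """
    windows = defaultdict(deque)
    blocked = {}
    peaks = defaultdict(int)
    for ts, src, proto in records:
        if proto not in thresholds:
            continue  # only flood-relevant protocols are counted
        key = (src, proto)
        q = windows[key]
        q.append(ts)
        # Drop timestamps that have fallen out of the window.
        while q and ts - q[0] >= window:
            q.popleft()
        peaks[key] = max(peaks[key], len(q))
        if len(q) >= thresholds[proto] and key not in blocked:
            blocked[key] = ts
    return blocked, dict(peaks)


def build_sample():
    """Constructed traffic: a Chrome/QUIC-style burst of 563 UDP packets from
    one LAN host spread over 9 seconds (the figure from the post), plus a
    second host sending 40 pings in 10 seconds, below the ICMP trigger."""
    lines = []
    for i in range(563):
        lines.append(f"{1000 + i * 9 / 563:.3f} 192.168.0.10 udp")
    for i in range(40):
        lines.append(f"{1000 + i * 0.25:.3f} 192.168.0.20 icmp")
    # scan() expects records in time order
    return sorted(lines, key=lambda line: float(line.split()[0]))


def run(lines=None, thresholds=THRESHOLDS):
    """Scan a log (default: the constructed sample) with the given thresholds."""
    lines = build_sample() if lines is None else lines
    return scan((parse_record(line) for line in lines), thresholds=thresholds)


if __name__ == "__main__":
    blocked, peaks = run()
    for key, count in sorted(peaks.items()):
        state = "BLOCKED" if key in blocked else "ok"
        print(f"{key[0]:<14} {key[1]:<8} peak={count:<4} {state}")
    # Same burst against a raised (illustrative) UDP threshold.
    raised = dict(THRESHOLDS, udp=1000)
    blocked2, _ = run(thresholds=raised)
    print("blocked with udp=1000:", sorted(blocked2))
```

Running it prints the per-host peak counts, with the QUIC host marked blocked at the default threshold and nothing blocked at the raised one. The peak figures are the numbers worth logging per host, since, as the post notes, the router's own logs and daily email do not report a block.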


04/21/13

  10:52:00 pm, by The Dreamer   , 2431 words  
Categories: Software, Computer, Ubuntu, FreeBSD, CFEngine

Home server migration ran into some cacti

The home server migration that I wrote about on April 7th hit a delay .... I started working on migrating cacti and nagios.

I probably should've started with nagios, since I don't think that would've taken as long as cacti has.

I had already been monitoring the new servers using my old cacti installation. I had pretty much decided that moving the old installation to the new servers wasn't going to be straightforward.... partly because of versions, and no easy intermediary. But, I wasn't too worried about the historical data in my old cacti....

I figured that once I got things up and running, I'd just export the templates and import them into my new system and I'd be done.

But, then I hit a hitch....the squid templates I had weren't working on the new system....all I could find were old results about issues with doing SNMP to ports other than 161, possibly due to newer versions of net-snmp....though that later turned out to be a wild goose chase.

Anyways...the workaround was to use the proxy option in net-snmp. I recall having tried net-snmp before discovering bsnmpd on FreeBSD, but I gave it a shot.

Before I got to testing the proxy...I soon saw that it wasn't giving the same information as bsnmpd...specifically, for the HOST-RESOURCES-MIB and parts of UCD-SNMP-MIB. So, I decided that I could proxy net-snmp to bsnmpd and get those. But, that didn't work.....after some reading the answer was I needed to either map bsnmpd in somewhere else or exclude those areas from net-snmp.

Well, during the build of net-snmp, it did make reference to being able to set some variables in make.conf -- such as NET_SNMP_WITH_MIB_MODULE_LIST and NET_SNMP_WITHOUT_MIB_MODULE_LIST. And, by default NET_SNMP_WITH_MIB_MODULE_LIST contained "host disman/event-mib smux mibII/mta_sendmail mibII/tcpTable ucd-snmp/diskio sctp-mib if-mib".

So, I tried setting NET_SNMP_WITH_MIB_MODULE_LIST without host and ucd-snmp/diskio, and tried to exclude the rest of ucd-snmp in NET_SNMP_WITHOUT_MIB_MODULE_LIST. Which got me a strange error about host being in both lists.

I delved into the Makefile, and found that while the other settable NET_SNMP parameters were done as '?=' in the Makefile, NET_SNMP_WITH_MIB_MODULE_LIST was done as '+='...with conditionals that '+=' the last two modules.

OSVERSION >= 700028 adds 'sctp-mib' and the port option MFD_REWRITES adds 'if-mib'....I had started looking at what the fix might be, but decided that all I needed to do was remove all these lines...since I'm going to have my own definition in my /etc/make.conf file.

Trying to exclude all of ucd-snmp wouldn't make things work....but I did an snmpwalk comparing bsnmpd and net-snmp, and decided that the two areas that were lacking were ucd-snmp/diskio and ucd-snmp/disk_hw. So, I recreated the 'original' NET_SNMP_WITH_MIB_MODULE_LIST in /etc/make.conf, without 'host' and 'ucd-snmp/diskio', and put 'ucd-snmp/disk_hw' in NET_SNMP_WITHOUT_MIB_MODULE_LIST. The build grumbled, but finished.

And that worked.....all my ucd-snmp host graphs were working on my new cacti server in the same detail that I was getting before (i.e. the CPU Utilization gave traces for each of the 8 vCPUs...instead of just one.... I could see all the ZFS filesystems, not just the single zroot).

So, I went back to looking at getting squid graphs to work....that didn't work.
