
Systems Administration

Regular visitors to this site would be forgiven for thinking they have clicked their way into a time warp, with all posts and comments after April 1st missing!

The posts will be back soon.

My hosting service suffered a disk crash last night. Well, these things happen. However, in proof of Murphy’s Law (if anything can go wrong, it will go wrong), it seems that their 24-hour backup overwrote the previous 24-hour backup with corrupt data, so the only copy they held was useless.

So thus far, they have restored this site from backup to 1st April. It is up to me to do the rest (but never fear - Google has cached the posts, so I can get them all back, including - I hope - the comments. It may just take me a while to do it all).

Oh well! Perhaps a timely reminder that if you want a secure backup of your blog - you are better off doing it yourself.

(Actually, I backed this blog up just last week when I upgraded the version of Wordpress… something I will no doubt have to do again now! The only problem is, I left the backup on the server! Doh!!!)
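The two things that went wrong above are a backup that overwrote the only previous copy, and a backup left on the same disk as the site. As an added example (not code from this post), here is a small Python backup routine that writes a new dated archive every run, refuses to clobber an older one, stores a SHA-256 digest beside each archive and re-verifies the archive before trusting it. The site directory and SQL dump it works on are constructed in a temporary directory so the script runs offline; on a real host you would point `site_dir` at the Wordpress tree, `sql_dump` at a `mysqldump` output, and `dest_dir` at somewhere that is not the web server.

```python
"""Dated, verified backups that never overwrite the previous copy.

Added example, not code from the original post.  It assumes a site
directory and a SQL dump already exist; here both are constructed in a
temporary directory so the demo runs offline.
"""
import hashlib
import tarfile
import tempfile
import time
from pathlib import Path


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(site_dir: Path, sql_dump: Path, dest_dir: Path, stamp: str = "") -> Path:
    """Write <dest_dir>/site-<stamp>.tar.gz plus a .sha256 sidecar, never overwriting."""
    stamp = stamp or time.strftime("%Y%m%dT%H%M%S")
    archive = dest_dir / f"site-{stamp}.tar.gz"
    if archive.exists():
        raise FileExistsError(archive)          # a new run must never clobber an older copy
    with tarfile.open(archive, "x:gz") as tar:  # "x" = create, fail if it already exists
        tar.add(site_dir, arcname="htdocs")
        tar.add(sql_dump, arcname="db.sql")
    (dest_dir / (archive.name + ".sha256")).write_text(sha256_of(archive) + "\n")
    return archive


def verify_backup(archive: Path) -> bool:
    """Re-read the archive: digest must match the sidecar and every member must extract."""
    sidecar = archive.parent / (archive.name + ".sha256")
    if not sidecar.exists() or sidecar.read_text().split()[0] != sha256_of(archive):
        return False
    names = set()
    try:
        with tarfile.open(archive, "r:gz") as tar:
            for member in tar:
                if member.isfile():
                    tar.extractfile(member).read()  # forces the gzip CRC check
                names.add(member.name)
    except (tarfile.TarError, OSError, EOFError):
        return False
    return "db.sql" in names


def demo() -> dict:
    """Build a throwaway site and dump, back it up twice, and corrupt one copy."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        site = root / "htdocs"
        (site / "wp-content").mkdir(parents=True)
        (site / "wp-config.php").write_text("<?php define('DB_NAME', 'blog'); ?>\n")
        (site / "wp-content" / "post.txt").write_text("constructed sample post\n")
        dump = root / "blog.sql"
        dump.write_text("INSERT INTO wp_posts VALUES (1, 'hello');\n")   # constructed
        dest = root / "backups"
        dest.mkdir()

        good = make_backup(site, dump, dest, stamp="20060401T010000")
        try:
            make_backup(site, dump, dest, stamp="20060401T010000")
            clobbered = True
        except FileExistsError:
            clobbered = False

        bad = make_backup(site, dump, dest, stamp="20060402T010000")
        data = bytearray(bad.read_bytes())
        data[len(data) // 2] ^= 0xFF          # one flipped byte, like a bad disk block
        bad.write_bytes(data)
        return {
            "good_ok": verify_backup(good),
            "bad_ok": verify_backup(bad),
            "clobbered": clobbered,
            "copies": sorted(p.name for p in dest.glob("*.tar.gz")),
        }


if __name__ == "__main__":
    print(demo())
```

The verification step is the part the hosting company evidently skipped: a digest mismatch or an unreadable member marks the copy bad before it is allowed to replace anything older. Copying the verified archive off the host (scp, rsync, or a remote object store) is the remaining step, and it is the one that would have saved this blog.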

In Series

Code. Photo: David de la Calle Cerezo

There is a post on MinTheGap about Posts in a series. This post will point you to the In Series plugin for Wordpress, which I have now added to this site. Shortly I will be categorising some of my previous series using this plugin.

However, there was a minor hitch. The plugin complained that the attribute_escape() function did not exist (on line 33), and it would not work properly. This function is a recent addition to Wordpress that escapes a string for safe use inside an HTML attribute value, so that plugin writers can avoid one class of cross site scripting attack: user-supplied text breaking out of a quoted attribute and injecting its own. Older versions of Wordpress had other functions doing much the same, but the new function just makes it a little easier.

So the problem could be fixed in two ways. I could have patched the plugin to fall back on the older escaping functions when attribute_escape() is missing, but the missing function was symptomatic of a more general problem with my site… it was time to upgrade my software.

Now it is actually very good practice to keep your software updated. Wordpress has suffered from cross site scripting vulnerabilities in the past, and as a general rule you should keep software up to date to stay ahead of attackers who may want to use your site for something nefarious! On the other hand, downloading and installing new versions of software is something of a chore.

So I should probably be reprimanded for not updating my software sooner. Procrastination is just so much easier :)

But nevertheless, today I backed up my software and database, reinstalled the newer version and everything worked just fine. In fact a few other plugins I was looking at seem now to be behaving better than they were. Thank goodness I didn’t break anything. (At least - nothing I have noticed!) :)
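To show concretely what attribute_escape() is protecting against, here is an added example in Python (not the plugin's PHP and not code from this post). The series title is a constructed attacker-controlled value; the unsafe renderer drops it straight into a quoted attribute, the safe one escapes it the way attribute_escape() does, and a parser shows which attributes a browser would actually end up with in each case.

```python
"""Why attribute_escape() matters: user data inside a quoted HTML attribute.

Added example in Python, not the plugin's PHP and not code from the post.
The series title and the markup template are constructed for the demo.
"""
import html
from html.parser import HTMLParser

# Constructed attacker-controlled input, e.g. a series title typed into the
# plugin's settings form.  The leading quote closes the title="..." attribute.
PAYLOAD = '" onmouseover="alert(1)'


def render_unsafe(title: str) -> str:
    """The bug class attribute_escape() prevents: raw text dropped into an attribute."""
    return f'<a href="/series" title="{title}">series</a>'


def render_safe(title: str) -> str:
    """html.escape(quote=True) is the Python counterpart of attribute_escape():
    &, <, >, " and ' become entities, so the value can never end the attribute
    it sits in."""
    return f'<a href="/series" title="{html.escape(title, quote=True)}">series</a>'


class AnchorAttrs(HTMLParser):
    """Collect the attributes the browser would actually see on the <a> tag."""

    def __init__(self) -> None:
        super().__init__()
        self.attrs = {}

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.attrs = dict(attrs)   # entity references are already decoded here


def parsed_attributes(markup: str) -> dict:
    parser = AnchorAttrs()
    parser.feed(markup)
    parser.close()
    return parser.attrs


if __name__ == "__main__":
    print(render_unsafe(PAYLOAD))
    print(parsed_attributes(render_unsafe(PAYLOAD)))   # gains an onmouseover handler
    print(render_safe(PAYLOAD))
    print(parsed_attributes(render_safe(PAYLOAD)))     # title round-trips, no handler
```

The point to take from the parsed result is that escaping does not mangle the title: the browser decodes the entities and the attribute value is exactly what the user typed, it just can no longer become a second attribute.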

IPv4 may be nearing the end of its life, but there are still many times when network administrators need to sit down with pen and paper and calculate a subnetting scheme for a range of IP addresses.

Well the net is littered with subnet calculators that will work out subnets and supernets for you. I have added one to my site (an open source subnet calculator), which has the advantage of showing the binary masks. Nothing particularly original, but feel free to have a play.

Note that it makes an error on /31s. These are a special case (RFC 3021) used for point to point links: a /31 has no network address and no broadcast address, so both of its two IP addresses are usable for hosts. Very useful for point to point links (and making /30s unnecessary for that purpose).

As the code is open source, I will probably fix it at some point… but not just yet :)

Enjoy.
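As an added example (not the open source calculator linked above), here is a subnet and supernet calculator in Python that works the way the pen-and-paper method does, with integer masks so the binary form can be printed, and that handles the /31 and /32 cases the site's calculator gets wrong. The addresses in the demo are constructed.

```python
"""IPv4 subnet and supernet calculator that gets /31 and /32 right.

Added example, not the open-source calculator the post links to.  Mask,
network, broadcast and host range are computed with plain integer arithmetic
so the binary masks can be shown; /31 follows RFC 3021 (no network or
broadcast address, both addresses usable on a point-to-point link).
"""


def ip_to_int(dotted: str) -> int:
    parts = dotted.split(".")
    if len(parts) != 4 or not all(p.isdigit() and 0 <= int(p) <= 255 for p in parts):
        raise ValueError(f"bad IPv4 address: {dotted}")
    return int.from_bytes(bytes(int(p) for p in parts), "big")


def int_to_ip(n: int) -> str:
    return ".".join(str(b) for b in n.to_bytes(4, "big"))


def int_to_binary(n: int) -> str:
    """Dotted binary, e.g. 11111111.11111111.11111111.11000000"""
    return ".".join(f"{b:08b}" for b in n.to_bytes(4, "big"))


def block_bounds(cidr: str):
    """(prefix length, mask, lowest address, highest address) of a CIDR block."""
    addr, plen = cidr.split("/")
    plen = int(plen)
    if not 0 <= plen <= 32:
        raise ValueError(f"bad prefix length: {plen}")
    mask = (0xFFFFFFFF << (32 - plen)) & 0xFFFFFFFF
    first = ip_to_int(addr) & mask
    last = first | (~mask & 0xFFFFFFFF)
    return plen, mask, first, last


def subnet(cidr: str) -> dict:
    plen, mask, first, last = block_bounds(cidr)
    info = {"prefix": plen, "mask": int_to_ip(mask), "mask_binary": int_to_binary(mask)}
    if plen == 32:
        # A single host route: the one address is the host.
        info.update(network=None, broadcast=None, usable_hosts=1,
                    first_host=int_to_ip(first), last_host=int_to_ip(last))
    elif plen == 31:
        # RFC 3021: both addresses are hosts; neither is a network or broadcast address.
        info.update(network=None, broadcast=None, usable_hosts=2,
                    first_host=int_to_ip(first), last_host=int_to_ip(last))
    else:
        # The ordinary case: lowest address is the network, highest the broadcast.
        info.update(network=int_to_ip(first), broadcast=int_to_ip(last),
                    usable_hosts=2 ** (32 - plen) - 2,
                    first_host=int_to_ip(first + 1), last_host=int_to_ip(last - 1))
    return info


def supernet(cidrs) -> str:
    """Smallest single prefix covering all the given blocks (route aggregation)."""
    bounds = [block_bounds(c) for c in cidrs]
    lo = min(b[2] for b in bounds)
    hi = max(b[3] for b in bounds)
    for plen in range(32, -1, -1):             # longest prefix on which lo and hi agree
        mask = (0xFFFFFFFF << (32 - plen)) & 0xFFFFFFFF
        if lo & mask == hi & mask:
            return f"{int_to_ip(lo & mask)}/{plen}"
    raise AssertionError("unreachable: /0 covers everything")


if __name__ == "__main__":
    for c in ("192.168.1.77/26", "10.0.0.1/31", "10.0.0.5/32"):   # constructed
        print(c, subnet(c))
    print(supernet(["192.168.0.0/24", "192.168.1.0/24"]))
    print(supernet(["192.168.1.0/24", "192.168.2.0/24"]))
```

The supernet routine is worth a second look: it returns the smallest aggregate that covers the inputs, which is not always their combined size. Two adjacent /24s at an odd boundary (192.168.1.0/24 and 192.168.2.0/24) need a /22, because no /23 is aligned to cover both.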

Steve Gibson is several years out of date in his Security Now podcast, episode 47. He says:

[The October 2002 DDoS against the DNS]  was directed at all 13 of the main DNS servers, the so-called “root servers,” which maintain the master directories of domain names. Nine of the 13 DNS servers were brought down. Only four of the servers managed to stay on the ‘Net. [...] There really is no defense. The only thing that can be done is that – and this is what some of the commercial anti-denial-of-service service providers have done, is they could have servers connected to very large pipes

Mr Gibson’s analysis is wrong. There is no need for very large pipes to the DNS servers, because since 2002 a programme of anycasting has been rolled out for the root servers: a number of the servers are essentially cloned around the net, every clone announces the same address block over BGP from its own location, and traffic from a client is routed to the nearest (in networking terms) instance. This works because packets follow the lowest cost route. It also provides failover: if one instance dies its route is withdrawn, and the next least costly route is used (which may be another anycast clone).

October 2002 was not the only DDoS attack against the DNS, but of late no attacks have succeeded, because instead of just 13 root servers we now have many times that number of instances, and the root servers are very successfully over-provisioned.

Last year I wrote this post: http://safle.org/wordpress/?p=4. In particular I looked up the current locations of the root name servers and used the Google Maps API to create this map of where the root name servers are located. The smaller pins show the anycast duplicate servers. (Note that these are not accurate all the way down to street level.)

The effect of this is that any DDoS against the DNS is diluted across all the instances, and is unlikely to succeed. With every additional anycast clone, the chances of a successful attack on the DNS are further reduced (and DNS resolution for the new geographic area covered is improved).
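The two claims above (nearest instance wins, and a flood is diluted across the clones) can be checked on a toy topology. The following is an added example, not code from this post: the sites, link costs and the set of anycast instances are constructed, and "nearest in networking terms" is modelled as lowest total path cost. Real BGP route selection is policy driven rather than a pure metric, but the failover and dilution behaviour is the same.

```python
"""Anycast root-server selection and failover on a toy topology.

Added example, not code from the original post.  The topology, link costs
and the set of anycast instances are constructed; "nearest" is modelled as
lowest total path cost.
"""
import heapq
from collections import Counter

# Constructed topology: (site, site, cost).  Think of the sites as exchange points.
LINKS = [
    ("LON", "AMS", 1), ("AMS", "FRA", 1), ("LON", "NYC", 5), ("NYC", "FRA", 6),
    ("NYC", "SJC", 3), ("SJC", "TYO", 6), ("FRA", "TYO", 9),
]
# Sites that each announce the same root-server prefix (anycast clones).
INSTANCES = {"LON", "NYC", "TYO"}


def build_graph(links):
    graph = {}
    for a, b, cost in links:
        graph.setdefault(a, []).append((b, cost))
        graph.setdefault(b, []).append((a, cost))
    return graph


def nearest_instance(graph, instances):
    """Multi-source Dijkstra: every announcing site starts at cost 0, so each
    site ends up mapped to (instance it reaches, path cost).  That is the
    'lowest cost route wins' rule that makes anycast work; withdrawing an
    instance from the set models its route disappearing."""
    dist, origin = {}, {}
    heap = [(0, site, site) for site in sorted(instances) if site in graph]
    heapq.heapify(heap)
    while heap:
        cost, site, inst = heapq.heappop(heap)
        if site in dist:
            continue                       # already settled by a cheaper path
        dist[site], origin[site] = cost, inst
        for nb, link_cost in graph[site]:
            if nb not in dist:
                heapq.heappush(heap, (cost + link_cost, nb, inst))
    return {s: (origin[s], dist[s]) for s in graph if s in dist}


def attack_load(graph, instances, sources):
    """How many attacking sources land on each instance.  A flood is diluted
    across the clones because each source only ever reaches its nearest one."""
    nearest = nearest_instance(graph, instances)
    return Counter(nearest[s][0] for s in sources if s in nearest)


if __name__ == "__main__":
    g = build_graph(LINKS)
    print(nearest_instance(g, INSTANCES))
    print("load, 3 instances:      ", attack_load(g, INSTANCES, list(g)))
    print("load, TYO withdrawn:    ", attack_load(g, INSTANCES - {"TYO"}, list(g)))
    print("load, one unicast server:", attack_load(g, {"LON"}, list(g)))
```

With every site attacking at once, three instances each see a third or less of the flood, whereas a single unicast server would see all of it; and when TYO is withdrawn, Tokyo's traffic simply follows the next cheapest route to NYC rather than being lost.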

Mr Gibson’s explanation of what the root servers do is also sloppy. These servers do not hold master copies of the domain names. They merely hold the delegations (name server records) for the TLDs (top level domains) such as uk., us., to., tv., es., ru., … as well as the gTLDs such as com., org.

They used to hold the next level of edu. I believe, although a quick dig for the edu. name servers reveals this is no longer the case.

Whilst we are talking about this podcast, Steve Gibson gets onto his pet subject - raw sockets in Windows XP. His argument was that raw sockets were a bad idea because they allow someone with admin privileges (the default user in XP Home Edition) to run programs that can become worms and the like.

To an extent he was right - but the problem is not raw sockets. The problem is the brain dead decision by Microsoft to continue allowing technically illiterate users to run with full admin privileges on their network connected boxes by default. In Mr Gibson’s dialogue with Microsoft he claims that raw sockets were his one problem with Windows XP. But they were not the problem.

Yes, it’s hard to have backward compatibility without admin privileges - especially if you are using NT as your operating system. But look at what Apple did with OS X, and you can see how it is quite possible (for a little pain) to make an astoundingly good OS, with backward compatibility and security designed in (thanks to the use of UNIX).

So enough self congratulation in spotting a problem with raw sockets. The question Mr Gibson should be asking is when will Microsoft release an OS with security designed in? When will users no longer be logged in with admin privileges by default?

 

IPv6 is an important topic, and Steve Gibson pretty much botches it in his Security Now! episode 25.

Now I should add a couple of quick disclaimers: for all the controversy around Steve Gibson (and this is not the Steve Gibson of Truth Driven Thinking, incidentally), we should really cut him some slack on this podcast. What he is trying to do on this show is huge, and the breadth of reading he must undertake to understand the issues must not be underestimated. He is bound to make mistakes.

But maybe the problem is that he is trying to do too much himself. He is setting himself up as an expert in all things, but we know the Jack of all trades is the master of none. Certainly there are often large gaps in his knowledge that would be better filled by bringing in another expert to discuss the issues of, say, NAT or CSMA/CD.

But on IPv6 Gibson’s gap in knowledge is so large that he fails to direct listeners adequately at all. He writes:

If it weren’t for NAT router technology that basically allows many machines to share a single public IP, we really would be in trouble already with IP space depletion. But NAT routers happened, and they’re just a good thing for everybody. Corporations are using them. There are even some ISPs that are using NAT routers and putting all their customers behind a big NAT router because it really works very well, not perfectly, but very well, as most home users know. And so the prevalence and birth of NAT routing technology has hugely reduced the pressure on the move to IPv6.

Steve Gibson is wrong as follows:

  • NAT is not a security solution. The part of a NAT router that adds security is the stateful filtering that only admits inbound packets belonging to a connection started from inside, and a non NAT perimeter firewall does exactly the same thing without rewriting addresses.
  • The gains from NAT with respect to address depletion have largely been achieved. NAT extended IPv4 to give us time to migrate to IPv6, but the gains are not limitless. See the Internet Protocol Journal Volume 8, number 3 for more on this.
  • NAT actually doesn’t work that well. We are just getting good at working around its limitations. This is why Gibson endlessly pushes the proprietary non-standard Hamachi solution for encrypted tunnels, and other mechanisms to make some kind of peer to peer work.
  • IP address depletion is more imminent than the Steve Gibsons of this world think. We are certainly in the last decade of IPv4, and we may see address depletion in as little as four or five years. Again see the Internet Protocol Journal at http://www.exio.com/web/about/ac123/ac147/archived_issues/ipj_8-3/from_the_editor.html

IPv6 has so much more to offer than Steve Gibson realises. Zero configuration (stateless address autoconfiguration), IP mobility, multiple addresses per interface, router discovery, IPsec encryption and authentication built into the protocol (he mentioned the encryption in passing)… the list goes on.

He also says:

The problem is that it’s not easily compatible with IPv4. The problem that IPv6 is having is, you know, the manufacturers who are making the routers, I mean even, for example, the PC manufacturers are supporting Version 6, though no one’s using it yet. You know, Windows Server 2003 and XP can do IPv6. But you can’t get it anywhere. I mean, there’s nowhere to plug it in to get Version 6

Actually IPv6 does play very nicely with IPv4, and you can get it now. See for instance the BT Exact tunnel broker service.

The real worry here is that Gibson clearly does not understand the mechanism by which we must transition from IPv4 to IPv6. There is not going to be a single big switch over. We must create islands of IPv6 (falling back on IPv4 automatically when we must). We connect these islands with one of the many tunnelling protocols, and as the islands grow the sea of IPv4 is slowly pushed back. Before you know it we are all using IPv6 - just in time to stave off address depletion.
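Two of the mechanisms mentioned above, zero configuration and the tunnelled islands, are just arithmetic on addresses, which is the easiest way to see that IPv6 "plays nicely" with IPv4. The following is an added example, not code from this post: it builds the address a host gives itself from a router's /64 prefix and its own MAC (stateless autoconfiguration), derives the 6to4 prefix an IPv4-connected island gets for free, and pulls the IPv4 endpoint back out of a 6to4 or IPv4-mapped address, which is what the fallback between the two protocols rests on. The MAC address, prefixes and sample addresses are constructed.

```python
"""IPv6 addressing mechanics: stateless autoconfiguration and the 6to4 and
IPv4-mapped forms that connect IPv6 islands to the IPv4 sea.

Added example, not code from the original post; the MAC address, prefixes
and sample addresses are constructed.
"""
import ipaddress


def eui64_interface_id(mac: str) -> int:
    """Modified EUI-64 from a 48-bit MAC: insert ff:fe in the middle and flip
    the universal/local bit of the first byte (RFC 4291, appendix A)."""
    octets = bytes(int(x, 16) for x in mac.split(":"))
    if len(octets) != 6:
        raise ValueError(f"bad MAC address: {mac}")
    eui = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    eui[0] ^= 0x02
    return int.from_bytes(eui, "big")


def slaac_address(prefix: str, mac: str) -> str:
    """Address a host forms by itself from a /64 router advertisement
    (or fe80::/64 for link-local) plus its MAC, with no DHCP involved."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("SLAAC needs a /64 prefix")
    return ipaddress.IPv6Address(int(net.network_address) | eui64_interface_id(mac)).compressed


def six_to_four_prefix(ipv4: str) -> str:
    """6to4 (RFC 3056): the /48 an island with one public IPv4 address gets
    for free, 2002:<ipv4 in hex>::/48, carried over IPv4 protocol 41."""
    v4 = int(ipaddress.IPv4Address(ipv4))
    return ipaddress.IPv6Network(((0x2002 << 112) | (v4 << 80), 48)).compressed


def embedded_ipv4(ipv6: str):
    """The IPv4 endpoint hiding inside an IPv6 address, if there is one:
    6to4 relays and dual-stack sockets both depend on this."""
    addr = ipaddress.IPv6Address(ipv6)
    if addr.ipv4_mapped is not None:        # ::ffff:a.b.c.d, the dual-stack socket form
        return str(addr.ipv4_mapped)
    if addr.sixtofour is not None:          # 2002:xxxx:xxxx::/48
        return str(addr.sixtofour)
    return None


if __name__ == "__main__":
    mac = "00:11:22:33:44:55"                 # constructed
    print(slaac_address("fe80::/64", mac))    # link-local: works with no router at all
    print(slaac_address("2001:db8:1:2::/64", mac))
    print(six_to_four_prefix("192.0.2.1"))
    for a in ("2002:c000:201::1", "::ffff:198.51.100.7", "2001:db8::1"):
        print(a, "->", embedded_ipv4(a))
```

One caveat for the "zero configuration" part: an EUI-64 interface identifier carries the MAC address, so the same host is recognisable on every network it visits; the temporary addresses of RFC 4941 exist for exactly that reason, and most client stacks now use them for outbound connections.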

But whilst the Gibsons of this world stick their head in the sand and pretend this is just not an issue, because we have NAT, we continue to drown in the IPv4 sea.

You want security now? Implement IPv6. Learn how to rewrite your firewalls for IPv6 (yes, you need to do that: your IPv4 rules say nothing about IPv6 traffic, and an IPv6 firewall must let through the ICMPv6 neighbour discovery and packet-too-big messages the protocol depends on). Learn about its encryption and authentication mechanisms. That is the way to secure networking (well, more secure at least).

So in closing - Steve Gibson should keep up his podcast, but until he starts consulting IT security and networking experts, the podcast will always disappoint. A pity, as the idea is good.

But I wouldn’t want to do it on my own!