exfiltration via receive timing

Another similar way to create a backchannel but without transmitting anything is to introduce delays in the receiver and measure throughput as observed by the sender. All we need is a protocol with transmission control. Hmmm.


Posted 22 Dec 2016 15:20 by tedu Updated: 22 Dec 2016 15:20
Tagged: c network programming security

exfiltration via request timing

There are any number of ways to exfiltrate data via covert channels. For example, a popular technique is to make DNS lookups for a series of hostnames like “attack.example.com”, “atdawn.example.com”, etc. which will be passed through most firewalls. For a long time DNS requests weren’t monitored, but savvy network operators have grown wise. So if we wanted to beam some data off a device surreptitiously, what else can we do?


Posted 19 Dec 2016 17:30 by tedu Updated: 19 Dec 2016 17:30
Tagged: c network programming security

Lo and Behold

Werner Herzog reflects on the reveries of the connected world. There’s a lot of short sequences here, but not much tying it together.


Posted 25 Aug 2016 01:00 by tedu Updated: 25 Aug 2016 18:04
Tagged: moviereview network web

accidentally nonblocking

A continuation, perhaps culmination, of a series that includes rough idling, firefox vs rthreads, and browser ktrace browsing.


Posted 06 Jun 2016 05:41 by tedu Updated: 06 Jun 2016 12:57
Tagged: c network openbsd programming

the day some of the DNS stopped

For the past few months, my iPhone has had a peculiar bug. Apple services didn’t work in my house. I could listen to Amazon music, but not Apple music. I could update my Facebook status, but not the Facebook app itself. I could read Apple’s website and learn about security updates in the latest version of iOS, but not download them.


Posted 17 May 2016 23:45 by tedu Updated: 12 Jul 2016 04:33
Tagged: network openbsd

SIGPIPE can happen to you

Some recent flak outages were mysterious. One day things would be working, but the next they wouldn’t. All the flak.lua processes had disappeared. No error messages were reported in any observable location. No unusual looking requests were observed in any recorded location. Sometimes a process would survive days of heavy traffic. Other times it would die after only a few hours of light traffic. It was as if the process involved simply lost the will to live.


Posted 02 Dec 2015 16:06 by tedu Updated: 02 Dec 2015 16:06
Tagged: network programming

userland traffic shaping

A short program to demonstrate network filtering with Lua. Although the kernel provides pf filtering and some bandwidth shaping facilities, they don’t cover every scenario. For example, consider the case where our server is connected to a network port where we pay for some amount of bandwidth, but have burstable speeds much faster than that. This is commonly seen as 95th percentile billing. As long as we’re under our five minute quota, we want to pass traffic full speed, but as we approach that mark, we want to start clamping down. The pf.conf burst queueing rules can’t quite handle this situation.

For more flexibility, we can pass all our network traffic through userland using tun and have an arbitrary program analyze and shape it. This setup requires a whole mess of virtual interfaces to be configured with ifconfig, but it’s really not so bad. We want to pass ethernet frames, so we use the link0 flag.

ifconfig tun0 create link0
ifconfig bridge0 create add em0 add tun0
ifconfig tun1 create link0
ifconfig vether0 create
ifconfig bridge1 create add vether0 add tun1

Now we have a vether interface connected, via bridges and tuns, to the network. We configure this interface with our IP (run dhclient if you like), and it effectively replaces em0 as the primary interface. This is an endpoint configuration; vether can be replaced by a physical interface for a router. All that’s missing is a program to pass traffic between the two tun interfaces.

Here’s a short Lua (luajit) program. It reads from the two tun interfaces and passes packets between them as they arrive. As the amount of traffic passed approaches our five minute quota, it starts probabilistically dropping packets. As written it lets you use 75% of your quota at full speed before rather sharply curtailing it. (As a bonus, it will occasionally print a frequency count of each byte to demonstrate other uses.)


See also trickle.

Posted 15 Jun 2014 02:49 by tedu Updated: 15 Jun 2014 02:49
Tagged: lua network openbsd programming

comcast ping times

Despite their wonky customer service, I have generally been happy with Comcast’s technical service. Occasionally though, I have to question what in the world is going on with their network. Recently I noticed that my internet connection would alternate between working and not on roughly a two minute interval. One minute things work fine, the next minute nothing works at all, the next minute everything is fine. During the blackout minutes, making a new connection would time out; established ssh connections would remain up, but nothing would happen until the blackout was over. Here are a few pings I sent out (2014-02-13).


Posted 13 Feb 2014 21:49 by tedu Updated: 25 Jun 2015 17:56
Tagged: bugs network rants