Archive for March, 2009

How Traceroute Works Its Magic

Friday, March 6th, 2009

Do you wonder how traceroute works? Here is how the traditional traceroute works…

TTL
Time To Live (TTL) is a field in the IP header, designed to prevent packets from looping forever.
When you send a packet, each router (hop) on the way decrements the TTL value by one.
When the TTL value reaches zero (0), the packet is said to be ‘expired’ and is discarded.
The router that discards the packet sends an ICMP ‘Time Exceeded’ message back to the sender.

By launching ‘traceroute’ in Linux you send a series of UDP packets towards your target with a TTL starting at 1, increased by 1 until the target is reached.

Fully explained: let us say you have this path to 10.0.1.2

  1. 10.0.5.1
  2. 172.16.1.1
  3. 10.0.0.3
  4. 192.168.100.1
  5. 172.16.18.9
  6. 10.0.1.2

By sending a packet with TTL one, 10.0.5.1 will send you an ICMP Time Exceeded – and you have the first line in the traceroute.
TTL is set to 2 on the next packet, 172.16.1.1 replies with ICMP Time Exceeded, and you can see hop number two.

This method of tracerouting depends on the practice of sending an ICMP packet back when the TTL has expired and the packet is discarded. When the packet is only discarded, with no ICMP sent, you will often see just * * * in the traceroute; this also happens if the path is down. That’s usually when you do not reach your target.
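The mechanism above, as an added example that is not part of the original post: a small model of the TTL walk, using the constructed path from the post, that also covers the two cases just mentioned, a router that discards silently (a * * * line) and a path that is down past some router.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class Hop:
    ip: str
    sends_icmp: bool = True   # False: drops expired packets silently -> "* * *"

Reply = Optional[Tuple[str, str]]   # (source ip, icmp message) or None

def send_probe(routers: List[Hop], target: Optional[str], ttl: int) -> Reply:
    """Model one UDP probe. Every router decrements the TTL; the one that takes it
    to zero discards the packet and answers ICMP Time Exceeded. A probe that gets
    past all routers reaches the target, which answers ICMP Port Unreachable
    because the UDP port traceroute picks is unused. None means nothing came back."""
    for router in routers:
        ttl -= 1
        if ttl == 0:
            return (router.ip, "time-exceeded") if router.sends_icmp else None
    if target is None:            # path is down past the last router
        return None
    return (target, "port-unreachable")

def traceroute(routers: List[Hop], target: Optional[str], max_ttl: int = 30):
    """Probe with TTL 1, 2, 3 ... and record who answered at each TTL.
    Stops when the target itself answers, otherwise runs on to max_ttl."""
    rows = []
    for ttl in range(1, max_ttl + 1):
        reply = send_probe(routers, target, ttl)
        rows.append((ttl, reply[0] if reply else None))
        if reply and reply[1] == "port-unreachable":
            break
    return rows

def render(rows) -> str:
    """One line per TTL; '* * *' where no ICMP message came back (real traceroute
    sends three probes per TTL, this model sends one)."""
    return "\n".join(f"{ttl:2d}  {ip or '* * *'}" for ttl, ip in rows)

# Constructed model of the path in the post: five routers, then 10.0.1.2.
ROUTERS = [Hop("10.0.5.1"), Hop("172.16.1.1"), Hop("10.0.0.3"),
           Hop("192.168.100.1"), Hop("172.16.18.9")]
TARGET = "10.0.1.2"

if __name__ == "__main__":
    print(render(traceroute(ROUTERS, TARGET)))
    # Same path, but the fourth router never sends ICMP: line 4 shows * * *
    quiet = [Hop(h.ip, sends_icmp=(i != 3)) for i, h in enumerate(ROUTERS)]
    print(render(traceroute(quiet, TARGET)))
```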

Secure your Network: How ARP Spoofing Works

Friday, March 6th, 2009

You wonder how hackers got to your packets? Might it have been ARP spoofing?

ARP Basics
ARP is a layer 2 protocol; its full name is actually “Address Resolution Protocol”.
As the name indicates, ARP is used to resolve layer 3 IP addresses to layer 2 MAC addresses.

It works quite simply: if a host on the segment wants to talk to another host but does not know its MAC address, it sends a frame to the broadcast address (FF:FF:FF:FF:FF:FF) saying “who has 10.0.0.1”. The host at 10.0.0.1 sees this request and replies with “10.0.0.1 is at ab:cd:ef:ab:cd:ef”. The ARP table is then updated with the corresponding information, and the two hosts talk directly from now on.

Security problems in ARP
Usually most hosts will update their ARP table when they see a ‘10.0.0.1 is at’ ARP reply, even if they never requested it.
This keeps network traffic low: the MAC address may already be in the ARP table because some other host spoke to the server your computer wanted to talk to, your computer saw the ‘is at’ reply, and so there was no need for an ARP request.

What if someone flooded your network with fake ARP replies ‘10.0.0.1 is at fa:ke:ad:dr:es’?
Exactly, the hosts will update their ARP tables and start sending packets to the wrong host.
The machine at ‘fa:ke:ad:dr:es’ can then accept all packets and forward the correct ones to the actual 10.0.0.1 gateway (the attacker does not poison its own ARP table, so the attacker’s own packets still go to the real 10.0.0.1).

Imagine how easy it is to become ‘attached’ to a wireless network; anyone attached can also send spoofed ARP replies.

Tools
dsniff includes tools to ARP spoof.
ettercap is capable of doing ARP poisoning too.
The package ‘arpalert’ on Ubuntu can notify you of changes in the ARP table.

To enable forwarding of packets in Linux:

linux:~# echo 1 > /proc/sys/net/ipv4/conf/all/forwarding
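A small passive detector along the lines of arpalert, as an added example that is not the post’s code nor part of any tool named above: it decodes ARP frames and raises an alert for an ‘is at’ reply that nobody asked for and for a change in the MAC claimed for an IP, the two symptoms of the poisoning described above. All frames and addresses are constructed in memory for the demo; nothing is sent or captured on a real interface.

```python
import struct
from typing import Dict, List, Optional

ETH_P_ARP, ARP_REQUEST, ARP_REPLY = 0x0806, 1, 2
BROADCAST = "ff:ff:ff:ff:ff:ff"
def mac_bytes(mac: str) -> bytes: return bytes.fromhex(mac.replace(":", ""))
def ip_bytes(ip: str) -> bytes: return bytes(int(o) for o in ip.split("."))

def build_arp(op: int, sha: str, spa: str, tha: str, tpa: str) -> bytes:
    """Constructed 42-byte Ethernet II + ARP frame, built in memory only to feed
    the monitor below; nothing here touches a network interface."""
    dst = BROADCAST if op == ARP_REQUEST else tha
    eth = mac_bytes(dst) + mac_bytes(sha) + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)  # Ethernet, IPv4, 6, 4, opcode
    return eth + arp + mac_bytes(sha) + ip_bytes(spa) + mac_bytes(tha) + ip_bytes(tpa)

def parse_arp(frame: bytes) -> Optional[dict]:
    """Decode an ARP frame; None for non-ARP, truncated or non-Ethernet/IPv4 ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    sha, spa, tha, tpa = struct.unpack("!6s4s6s4s", frame[22:42])
    mac = lambda b: ":".join(f"{x:02x}" for x in b)
    return {"op": op, "sha": mac(sha), "spa": ".".join(map(str, spa)),
            "tha": mac(tha), "tpa": ".".join(map(str, tpa))}

class ArpMonitor:
    """Passive watcher in the spirit of arpalert: flags 'is at' replies that no
    'who has' asked for, and IP-to-MAC changes, the two symptoms of poisoning."""
    def __init__(self) -> None:
        self.table: Dict[str, str] = {}   # ip -> mac as last claimed on the segment
        self.asked: set = set()           # IPs with an outstanding 'who has'
        self.alerts: List[str] = []

    def observe(self, frame: bytes) -> None:
        pkt = parse_arp(frame)
        if pkt is None:
            return
        if pkt["op"] == ARP_REQUEST:
            self.asked.add(pkt["tpa"])
            return
        ip, mac = pkt["spa"], pkt["sha"]
        if ip not in self.asked:
            self.alerts.append(f"unsolicited reply: {ip} is at {mac}")
        self.asked.discard(ip)
        if ip in self.table and self.table[ip] != mac:
            self.alerts.append(f"MAC change for {ip}: {self.table[ip]} -> {mac}")
        self.table[ip] = mac
```

Feed `ArpMonitor.observe()` each frame seen on the segment (a request from anyone marks the IP as asked for); after a legitimate request/reply pair, a second reply claiming a different MAC for the same IP produces both alerts.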

Munin Website Traffic Graph Plugin for Awstats

Thursday, March 5th, 2009

I wanted a better view of my web traffic, so I decided to make a plugin for munin that gives a more visual picture of my visitors.

I know it’s not directly related to Cisco, but sharing is caring – and it may feed your craving for stats!
I have only run it for a day or two, and I am not sure whether the values will always be rather low and a little hard to read this way. In that case you might want to remove the lines with “.type COUNTER” in the script and graph the real values; this will make wavy graphs that fold every day at midnight.

The most important thing here is the concept of getting the numbers out of awstats from perl.

I have put it under download, the url is http://www.gho.no/download/awstats_

8 Great Resources that Every Computer Technician Should Know About

Tuesday, March 3rd, 2009

This post is a must-read for computer technicians, and the resources can be used by both amateurs and professionals. I hereby share some of my sources of knowledge!

  1. The MAC address vendor search lets you identify the vendor for a MAC address; it is very helpful when troubleshooting ARP tables. Just insert a MAC address prefix such as 00-00-01 and you will see that it is identified as XEROX.
  2. Ever been on the lookout for a BGP looking glass? Wonder what your network looks like on the Internet? Need to traceroute yourself? Thomas Kernen maintains traceroute.org, which is a public looking glass listing service. Alternatively you can use routeviews.org, which also provides an excellent service!
  3. Need Cisco documentation? Cisco’s own site can be a very good source of information, at least once you learn to find your way around. You can find an article about almost every technology in a Cisco box on their website!
  4. Need something that can calculate your subnets on the fly? I have an Online IPv4 and IPv6 IP Calculator, and I also made an AJAX version of it which is available on ipv6calculator.net; it can be faster to use in some situations.
  5. The RIRs (Regional Internet Registries) can give you information about IP addresses; you can find out almost anything you would like to know about the EU IP address space by querying, for example, RIPE’s Whois Database.
    Here is a list of the RIRs and their respective Whois Databases:

    • RIPE Serves the EU Region
    • ARIN Serves the US Region
    • LACNIC Serves Latin America and the Caribbean
    • AfriNIC serves the African Region
    • APNIC serves the Asian Region
    • If you just want to query one time, here is a free whois proxy
  6. To monitor your BGP-announced prefix from the outside you can use the service BGPmon, which will monitor your prefixes and alert you in case of path changes.
  7. Dynamips is a Cisco emulator; it successfully emulates the Cisco 7200, 3600 (3620, 3640 and 3660), 2691, 3725, 3745 and 2600 platforms. You can, for example, use it for testing network scenarios before deploying them!
  8. New software! Fresh meat! Check out freshmeat.net, which has been around forever now. New versions of open software projects are announced there, and it is also a browsable site for Open Software.

Now it is time for you to do your homework: let me know which sites you find useful or funny in your work, or sites that you use on a daily basis. GO COMMENT!