Archive for August, 2003
SCO vs. IBM
You probably know the long story about SCO and IBM on Linux. So I am not going to tell you the whole story.
Everyone has an opinion. I am a Unix fan and I am on SCO's side (cat flames > /dev/null). But Eric S. Raymond seems to be far too angry about this subject. And not everyone agrees with him.
Neither am I.
(I don't know why "SCO vs. IBM" reminds me of "Freddy vs. Jason".)
Update: Do you remember the old story about IP theft in the Linux kernel?
Say goodbye to Nachi
Worms are the hot topic of the day. Blaster and Nachi are making trouble for ISPs as well as end users worldwide.
There are different ways to combat these worms. If you are a network administrator running Cisco gear in your network, you can reduce the effect of these worms with some simple tricks. I have already posted an article on blocking the Blaster worm on a Cisco router.
But blocking Nachi is a little trickier, since it uses ICMP echo/echo-reply to map your network before propagating its code. This causes a heavy ICMP storm in your network (which you may have already noticed). The simplest approach is to block all ICMP traffic, but that is not a good solution and harms your customers (they won't be able to do PING measurements).
Here is what I did to protect against Nachi (on a Cisco router):
Set up your Null0 interface like this:
!
interface Null0
 no ip unreachables
!
Then create an access-list that matches ICMP echo and echo-reply packets:
!
ip access-list extended nachi-list
 permit icmp any any echo
 permit icmp any any echo-reply
!
Now the trick:
!
route-map nachi permit 10
 match ip address nachi-list
 match length 92 92
 set interface Null0
!
Fortunately, Nachi uses fixed-size ICMP packets (92 bytes, including the IP header) as its reachability probe. The route-map above forwards every ICMP echo/echo-reply packet that is exactly 92 bytes long to the Null0 interface. Null0 does not return any unreachable message and simply drops the packet.
You should apply this route-map to your network interface, like this (only the necessary parts are listed):
!
interface FastEthernet0/0
 description Connected to Local Network
 ip route-cache policy
 ip policy route-map nachi
!
That "ip route-cache policy" is very important because it tells the router to cache policy-routing decisions in order to reduce processor load (CEF won't help here).
This is the result after 5 minutes:
router#sh route-map nachi
route-map nachi, permit, sequence 10
  Match clauses:
    ip address (access-lists): nachi-list
    length 92 92
  Set clauses:
    interface Null0
  Policy routing matches: 190909 packets, 20236354 bytes
Congratulations! Your network is saved.
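To make the router's decision concrete, here is an added Python example (not from the original post) that applies the same two match clauses, "ICMP echo or echo-reply" and "layer-3 length exactly 92", to raw IPv4 packets and tallies them the way the route-map counter does. The packets are constructed in the script; the 0xAA payload bytes and the 192.0.2.x addresses are assumptions used only to build test data. Note what the filter implies: a legitimate ping whose total length happens to be 92 bytes is dropped too, while the default-sized Linux (84-byte) and Windows (60-byte) pings pass.

```python
import struct

ICMP_ECHO_REPLY, ICMP_ECHO_REQUEST, IPPROTO_ICMP = 0, 8, 1
NACHI_PROBE_LEN = 92  # IP total length of the Nachi probe, as stated in the post


def build_ipv4_icmp(icmp_type: int, payload: bytes, proto: int = IPPROTO_ICMP) -> bytes:
    """Build a minimal IPv4 packet carrying one ICMP message (constructed test data)."""
    icmp_hdr = struct.pack("!BBHHH", icmp_type, 0, 0, 0x1234, 1)  # type, code, csum, id, seq
    total_len = 20 + len(icmp_hdr) + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s",
                         (4 << 4) | 5,                 # version 4, IHL 5 (20-byte header)
                         0, total_len, 0, 0, 64, proto, 0,
                         bytes([192, 0, 2, 10]), bytes([192, 0, 2, 20]))
    return ip_hdr + icmp_hdr + payload


def route_map_nachi_matches(pkt: bytes) -> bool:
    """True when pkt satisfies both clauses of route-map nachi: access-list nachi-list
    (ICMP echo or echo-reply) and 'match length 92 92' (the IP total length)."""
    if len(pkt) < 20:
        return False
    ver_ihl, _tos, total_len, _id, _frag, _ttl, proto, _csum, _src, _dst = \
        struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    if ver_ihl >> 4 != 4 or proto != IPPROTO_ICMP:
        return False
    ihl = (ver_ihl & 0x0F) * 4
    if ihl < 20 or len(pkt) < ihl + 1:
        return False  # truncated or malformed: no ICMP type to match on
    icmp_type = pkt[ihl]
    return icmp_type in (ICMP_ECHO_REPLY, ICMP_ECHO_REQUEST) and total_len == NACHI_PROBE_LEN


def policy_routing_matches(pkts):
    """Tally like the 'Policy routing matches: N packets, M bytes' counter."""
    matched = [p for p in pkts if route_map_nachi_matches(p)]
    return len(matched), sum(len(p) for p in matched)


# Constructed traffic mix: 64-byte payload -> 92 bytes total (Nachi-sized) is dropped;
# default Linux (56-byte payload) and Windows (32-byte payload) pings are not.
SAMPLE = [
    build_ipv4_icmp(ICMP_ECHO_REQUEST, b"\xaa" * 64),  # Nachi-sized probe -> Null0
    build_ipv4_icmp(ICMP_ECHO_REPLY, b"\xaa" * 64),    # its reply -> Null0
    build_ipv4_icmp(ICMP_ECHO_REQUEST, b"\x00" * 56),  # 84-byte ping passes
    build_ipv4_icmp(ICMP_ECHO_REQUEST, b"\x00" * 32),  # 60-byte ping passes
    build_ipv4_icmp(3, b"\x00" * 64),                  # 92-byte dest-unreachable passes
]

if __name__ == "__main__":
    n, nbytes = policy_routing_matches(SAMPLE)
    print(f"Policy routing matches: {n} packets, {nbytes} bytes")
```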
Flight Linux
I discovered the reason for the Columbia space shuttle's crash: NASA controls space shuttles using Microsoft Windows, not the Flight Linux they claim.
They are even running their Flight Linux website on a Windows 2000 box, according to Netcraft.
SOBIG worm attack analysis
I blocked the SOBIG.F worm on our mail server (Postfix on FreeBSD) using the header_checks feature in Postfix. This way we discard emails with specific subjects to reduce the worm's effect.
mail:~# zcat /var/log/maillog.* | grep -i sobig | wc -l
1022
1022 infected emails in a couple of days, for a not-so-busy mail server (say 1000 mails per day), is too much.
I wonder if anyone else has done such a measurement on their mail traffic to see if they are receiving this high a volume of infected emails.
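As an added example (not from the original post), the following Python script does the measurement described above with a little more detail than grep | wc: it reads header_checks hits in the shape Postfix's cleanup daemon logs them and breaks them down per day and per Subject. The log lines, hosts and addresses below are constructed sample data, and the reply text "SOBIG.F worm" is assumed to be whatever the administrator configured in header_checks.

```python
import re
from collections import Counter

# One header_checks hit as Postfix's cleanup daemon logs it (REJECT shown; the DISCARD
# action logs "discard:" instead). The reply text configured in header_checks follows
# the last colon, which is what "grep -i sobig" keyed on.
HIT_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) \d\d:\d\d:\d\d \S+ postfix/cleanup\[\d+\]: "
    r"(?P<qid>[0-9A-F]+): (?P<action>reject|discard): header Subject: (?P<subject>.*?) "
    r"from \S+; from=<[^>]*> to=<[^>]*> proto=\S+ helo=<[^>]*>(?:: (?P<text>.*))?$"
)


def count_header_check_hits(lines, marker="sobig"):
    """Return (hits per day, hits per Subject) for header_checks actions whose reply
    text contains `marker` (case-insensitive). Unrelated log lines are skipped."""
    per_day, per_subject = Counter(), Counter()
    for line in lines:
        m = HIT_RE.match(line.rstrip("\n"))
        if not m or marker.lower() not in (m.group("text") or "").lower():
            continue
        per_day["%s %2s" % (m.group("mon"), m.group("day"))] += 1
        per_subject[m.group("subject")] += 1
    return per_day, per_subject


# Constructed sample lines (not from the author's server); addresses are documentation values.
SAMPLE_LOG = """\
Aug 20 09:12:41 mail postfix/cleanup[7213]: 1A2B3C4D5E: reject: header Subject: Re: Details from unknown[203.0.113.7]; from=<a@example.net> to=<b@example.org> proto=ESMTP helo=<pc1>: 5.7.1 SOBIG.F worm
Aug 20 09:13:02 mail postfix/smtpd[7210]: connect from unknown[203.0.113.8]
Aug 20 11:40:55 mail postfix/cleanup[7219]: 5F6A7B8C9D: reject: header Subject: Thank you! from unknown[203.0.113.9]; from=<c@example.net> to=<d@example.org> proto=ESMTP helo=<pc2>: 5.7.1 SOBIG.F worm
Aug 21 02:05:13 mail postfix/cleanup[7301]: 0E1F2A3B4C: reject: header Subject: Re: Details from unknown[203.0.113.10]; from=<e@example.net> to=<f@example.org> proto=ESMTP helo=<pc3>: 5.7.1 SOBIG.F worm
Aug 21 02:05:40 mail postfix/cleanup[7302]: 9D8C7B6A5F: reject: header Subject: Buy now from mx.example.com[198.51.100.3]; from=<g@example.com> to=<h@example.org> proto=ESMTP helo=<mx>: 5.7.1 spam subject
"""

if __name__ == "__main__":
    days, subjects = count_header_check_hits(SAMPLE_LOG.splitlines())
    for day, n in sorted(days.items()):
        print(day, n)
    print(subjects.most_common())
```

On a real server, feed it the rotated logs the same way the post does (zcat /var/log/maillog.*) instead of SAMPLE_LOG.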
Network Impact of the MS SQL worm
Iljitsch van Beijnum, author of my favorite book, BGP, explains his experience with the MS SQL worm and its effect on Cisco routers on O'Reilly Network's ONLamp.com.
Almost the same thing happened to me last week, and it caused a complete crash of our edge router. We were running CEF but it didn't help. After getting into the router through the serial console and shutting down all interfaces, I found that some sort of malformed traffic was passing through our edge router, headed to the internet from our local network. I didn't even have a chance to do traffic inspection on the router itself, since as soon as I tried to bring up the FastEthernet interface, the CPU usage on the router hit the max. So I got into the Catalyst switch and checked all connected interfaces for abnormal traffic patterns, and I found it! It was an infected MS SQL host inside our network.
Folks, please keep your Windows boxes up to date. This is serious.
Our Looking Glass
After moving our Looking Glass service from the Netherlands to Tehran, we are the first Iranian looking glass according to traceroute.org.
Isn’t it cool?
Networking Magazines
Cisco Packet Magazine and the Internet Protocol Journal are my favorite magazines. Excellent content, and best of all, they are free.
IPJ is a quarterly journal about IP technologies and has no more than 5-6 articles per issue. It's a valuable resource for IP engineers, even those not using Cisco products.
Packet is more product-oriented and promotes Cisco technologies and products. It has many Cisco-specific articles and tips that make it a good resource for Cisco geeks.
DNS Monitoring Tools
DNS administrators are already familiar with dnstop from The Measurement Factory. Using dnstop you can monitor your DNS traffic from different points of view.
Another interesting piece of software is a set of scripts from Nate Campi that generate neat graphs from your DNS traffic. He also has some tips for DNS administrators which are interesting.
Mail traffic monitoring
Your mail server logs its activity in /var/log/maillog (no, I am not talking about Windows). So with a simple shell script you can make statistical graphs of your email traffic.
mailgraph came into existence to do it for you. It analyzes your maillog periodically and exports statistical data to an RRD database. A nice CGI also produces dynamic graphs on request (output sample). It's fun.
Blocking viruses using Postfix
You won't need to install any third-party anti-virus to catch viruses if you are expert enough and know how to set up Postfix to do it for you, like Steve Friedl did.
He has a nice tip on blocking the SOBIG.F virus using Postfix.
