Dec 12, 2014

BGP Related Internet Drafts and RFCs

Internet Drafts

Basic BGP Convergence Benchmarking Methodology for Data Plane Convergence

BGP is widely deployed and used by several service providers as the
default Inter AS routing protocol. It is of utmost importance to
ensure that when a BGP peer or a downstream link of a BGP peer fails,
the alternate paths are rapidly used and routes via these alternate
paths are installed. This document provides the basic BGP
Benchmarking Methodology using existing BGP Convergence Terminology,
RFC 4098.

Internet Exchange Route Server
This document outlines a specification for multilateral
interconnections at Internet exchange points (IXPs). Multilateral
interconnection is a method of exchanging routing information between
three or more exterior BGP speakers using a single intermediate
broker system, referred to as a route server. Route servers are
typically used on shared access media networks, such as Internet
exchange points (IXPs), to facilitate simplified interconnection
between multiple Internet routers.

Internet Exchange Route Server Operations
The popularity of Internet exchange points (IXPs) brings new
challenges to interconnecting networks. While bilateral eBGP
sessions between exchange participants were historically the most
common means of exchanging reachability information over an IXP, the
overhead associated with this interconnection method causes serious
operational and administrative scaling problems for IXP participants.

Multilateral interconnection using Internet route servers can
dramatically reduce the administrative and operational overhead
associated with connecting to IXPs; in some cases, route servers are
used by IXP participants as their preferred means of exchanging
routing information.

This document describes operational considerations for multilateral
interconnections at IXPs.

An Overview of BGPSEC
This document provides an overview of a security extension to the
Border Gateway Protocol (BGP) referred to as BGPSEC. BGPSEC improves
security for BGP routing.

BGP Extensions for Inter-AS Traffic Engineering (TE) Link Distribution
Protocol extensions to Interial Gataway Protocols (IGPs) have been
specified for the flooding of Traffice Engineering (TE) information
of the Inter-Autonomous System (AS) links into the local AS (RFC 5392
and RFC 5316), in which some information of the inter-AS links needs
to be manually configured. This document proposes BGP extensions for
dynamic advertisement of TE information of Inter-AS links between
adjacent ASes. Such mechanism may also be used for the distribution
of Inter-AS TE link information to some external entities, such as
Path Computation Element (PCE).


Making BGP filtering a habit: Impact on policies
This document describes how unexpected traffic flows can emerge
across an autonomous system, as the result of other autonomous
systems filtering, or restricting the propagation of overlapping
prefixes. We provide a review of the techniques to detect the
occurrence of this issue and defend against it.

BGP vector routing
Network architectures have begun to shift from pure destination based
routing to service aware routing. Operator requirements in this
space include forcing traffic through particular service nodes (e.g.
firewall, NAT) or segments. This document proposes an enhancement to
BGP to accommodate these new requirements.

This document proposes a pure control plane solution which allows
traffic to be routed via an ordered set of transit points (links,
nodes, or services) on the way to traffic's destination, with no
change in the forwarding plane. This approach is in contrast to
other proposal in this space which provide similar capabilities via
modifications to the forwarding plane.

BGP Auto Discovery
This document describes a method for automating portions of a
router's BGP configuration via discovery of BGP peers with which to
establish further sessions from an initial "bootstrap" router. This
method can apply for establishment of either Internal or External BGP
peering sessions.

Methods for Detection and Mitigation of BGP Route Leaks
In [I-D.ietf-sriram-route-leak-problem-definition], the authors have
provided a definition of the route leak problem, and also enumerated
several types of route leaks. In this document, we first examine
which of those route-leak types are detected and mitigated by the
existing BGPSEC protocol [I-D.ietf-sidr-bgpsec-protocol-09]. Where
the current BGPSEC protocol doesn't offer a solution, this document
suggests an enhancement that would extend the route-leak detection
and mitigation capability of BGPSEC. The solution can be implemented
in BGP without necessarily tying it to BGPSEC. Incorporating the
solution in BGPSEC is one way of implementing it in a secure way. We
do not claim to have provided a solution for all possible types of
route leaks, but the solution covers several, especially considering
some significant route-leak attacks or occurrences that have been
observed in recent years. The document also includes a stopgap
method for detection and mitigation of route leaks for the phase when
BGPSEC (path validation) is not yet deployed but only origin
validation is deployed.


Problem Definition and Classification of BGP Route Leaks
A systemic vulnerability of the Border Gateway Protocol routing
system, known as 'route leaks', has received significant attention in
recent years. Frequent incidents that result in significant
disruptions to Internet routing are labeled "route leaks", but to
date we have lacked a common definition of the term. In this
document, we provide a working definition of route leaks, keeping in
mind the real occurrences that have received significant attention.
Further, we attempt to enumerate (though not exhaustively) different
types of route leaks based on observed events on the Internet. We
aim to provide a taxonomy that covers several forms of route leaks
that have been observed and are of concern to Internet user community
as well as the network operator community.

Enhancement to BGPSEC for Protection against Route Leaks
This document enumerates different types of route leaks based on
observed events on the Internet. It illustrates how BGPSEC in its
current form (as described in draft-ietf-sidr-bgpsec-protocol-09)
already provides protection against all but one of these route-leaks
scenarios. The document further discusses a design enhancement to
the BGPSEC protocol that will extend protection against this one
remaining type of route-leak attack as well. With the inclusion of
this enhancement, BGPSEC is expected to provide protection against
all types of route-leaks. The document also includes a stopgap
method for detection and mitigation of route leaks for the phase when
BGPSEC (path validation) is not yet deployed but only origin
validation is deployed.




RFCs
Threat Model for BGP Path Security
This document describes a threat model for the context in which
External Border Gateway Protocol (EBGP) path security mechanisms will
be developed. The threat model includes an analysis of the Resource
Public Key Infrastructure (RPKI) and focuses on the ability of an
Autonomous System (AS) to verify the authenticity of the AS path info
received in a BGP update. We use the term "PATHSEC" to refer to any
BGP path security technology that makes use of the RPKI. PATHSEC
will secure BGP, consistent with the inter-AS security focus of the
RPKI.

The document characterizes classes of potential adversaries that are
considered to be threats and examines classes of attacks that might
be launched against PATHSEC. It does not revisit attacks against
unprotected BGP, as that topic has already been addressed in the
BGP-4 standard. It concludes with a brief discussion of residual
vulnerabilities.

Security Requirements for BGP Path Validation
This document describes requirements for a BGP security protocol
design to provide cryptographic assurance that the origin Autonomous
System (AS) has the right to announce the prefix and to provide
assurance of the AS Path of the announcement.

BGP Prefix Origin Validation
To help reduce well-known threats against BGP including prefix mis-
announcing and monkey-in-the-middle attacks, one of the security
requirements is the ability to validate the origination Autonomous
System (AS) of BGP routes. More specifically, one needs to validate
that the AS number claiming to originate an address prefix (as
derived from the AS_PATH attribute of the BGP route) is in fact
authorized by the prefix holder to do so. This document describes a
simple validation mechanism to partially satisfy this requirement.

Distribution of Diverse BGP Paths
The BGP4 protocol specifies the selection and propagation of a single
best path for each prefix. As defined and widely deployed today, BGP
has no mechanisms to distribute alternate paths that are not
considered best path between its speakers. This behavior results in
a number of disadvantages for new applications and services.

The main objective of this document is to observe that by simply
adding a new session between a route reflector and its client, the
Nth best path can be distributed. This document also compares
existing solutions and proposed ideas that enable distribution of
more paths than just the best path.

This proposal does not specify any changes to the BGP protocol
definition. It does not require a software upgrade of provider edge
(PE) routers acting as route reflector clients.

Recommendation for Not Using AS_SET and AS_CONFED_SET in BGP
This document recommends against the use of the AS_SET and
AS_CONFED_SET types of the AS_PATH in BGPv4. This is done to
simplify the design and implementation of BGP and to make the
semantics of the originator of a route more clear. This will also
simplify the design, implementation, and deployment of ongoing work
in the Secure Inter-Domain Routing Working Group.

Multi-Threaded Routing Toolkit (MRT) Border Gateway Protocol (BGP) Routing Information Export Format with Geo-Location Extensions
This document updates the Multi-threaded Routing Toolkit (MRT) export
format for Border Gateway Protocol (BGP) routing information by
extending it to include optional terrestrial coordinates of a BGP
collector and its BGP peers.

BGP Traffic Engineering Attribute
This document defines a new BGP attribute, the Traffic Engineering
attribute, that enables BGP to carry Traffic Engineering information.

The scope and applicability of this attribute currently excludes its
use for non-VPN reachability information.

Capabilities Advertisement with BGP-4
This document defines an Optional Parameter, called Capabilities,
that is expected to facilitate the introduction of new capabilities
in the Border Gateway Protocol (BGP) by providing graceful capability
advertisement without requiring that BGP peering be terminated.

Outbound Route Filtering Capability for BGP-4
This document defines a BGP-based mechanism that allows a BGP speaker
to send to its BGP peer a set of Outbound Route Filters (ORFs) that
the peer would use to constrain/filter its outbound routing updates
to the speaker.

Address-Prefix-Based Outbound Route Filter for BGP-4
This document defines a new Outbound Router Filter (ORF) type for
BGP, termed "Address Prefix Outbound Route Filter", that can be used
to perform address-prefix-based route filtering. This ORF-type
supports prefix-length- or range-based matching, wild-card-based
address prefix matching, as well as the exact address prefix matching
for address families.

Address-Prefix-Based Outbound Route Filter for BGP-4
This document defines a new Outbound Router Filter (ORF) type for
BGP, termed "Address Prefix Outbound Route Filter", that can be used
to perform address-prefix-based route filtering. This ORF-type
supports prefix-length- or range-based matching, wild-card-based
address prefix matching, as well as the exact address prefix matching
for address families.

Avoid BGP Best Path Transitions from One External to Another
In this document, we propose an extension to the BGP route selection
rules that would avoid unnecessary best path transitions between
external paths under certain conditions. The proposed extension
would help the overall network stability, and more importantly, would
eliminate certain BGP route oscillations in which more than one
external path from one BGP speaker contributes to the churn.

Multiprotocol Extensions for BGP-4
This document defines extensions to BGP-4 to enable it to carry
routing information for multiple Network Layer protocols (e.g., IPv6,
IPX, L3VPN, etc.). The extensions are backward compatible - a router
that supports the extensions can interoperate with a router that
doesn't support the extensions.


BGP Route Reflection: An Alternative to Full Mesh Internal BGP (IBGP)
The Border Gateway Protocol (BGP) is an inter-autonomous system
routing protocol designed for TCP/IP internets. Typically, all BGP
speakers within a single AS must be fully meshed so that any external
routing information must be re-distributed to all other routers
within that Autonomous System (AS). This represents a serious
scaling problem that has been well documented with several
alternatives proposed.

This document describes the use and design of a method known as
"route reflection" to alleviate the need for "full mesh" Internal BGP
(IBGP).

BGP MULTI_EXIT_DISC (MED) Considerations
The BGP MULTI_EXIT_DISC (MED) attribute provides a mechanism for BGP
speakers to convey to an adjacent AS the optimal entry point into the
local AS. While BGP MEDs function correctly in many scenarios, a
number of issues may arise when utilizing MEDs in dynamic or complex
topologies.

This document discusses implementation and deployment considerations
regarding BGP MEDs and provides information with which implementers
and network operators should be familiar.

BGP Communities for Data Collection
BGP communities (RFC 1997) are used by service providers for many
purposes, including tagging of customer, peer, and geographically
originated routes. Such tagging is typically used to control the
scope of redistribution of routes within a provider's network and to
its peers and customers. With the advent of large-scale BGP data
collection (and associated research), it has become clear that the
information carried in such communities is essential for a deeper
understanding of the global routing system. This memo defines
standard (outbound) communities and their encodings for export to BGP
route collectors.

BGP Extended Communities Attribute
This document describes the "extended community" BGP-4 attribute.
This attribute provides a mechanism for labeling information carried
in BGP-4. These labels can be used to control the distribution of
this information, or for other applications.

BGP-4 Protocol Analysis
The purpose of this report is to document how the requirements for
publication of a routing protocol as an Internet Draft Standard have
been satisfied by Border Gateway Protocol version 4 (BGP-4).

This report satisfies the requirement for "the second report", as
described in Section 6.0 of RFC 1264. In order to fulfill the
requirement, this report augments RFC 1774 and summarizes the key
features of BGP-4, as well as analyzes the protocol with respect to
scaling and performance.

BGP Security Vulnerabilities Analysis
Border Gateway Protocol 4 (BGP-4), along with a host of other
infrastructure protocols designed before the Internet environment
became perilous, was originally designed with little consideration
for protection of the information it carries. There are no
mechanisms internal to BGP that protect against attacks that modify,
delete, forge, or replay data, any of which has the potential to
disrupt overall network routing behavior.

This document discusses some of the security issues with BGP routing
data dissemination. This document does not discuss security issues
with forwarding of packets.

A Border Gateway Protocol 4 (BGP-4)
This document discusses the Border Gateway Protocol (BGP), which is
an inter-Autonomous System routing protocol.

The primary function of a BGP speaking system is to exchange network
reachability information with other BGP systems. This network
reachability information includes information on the list of
Autonomous Systems (ASes) that reachability information traverses.
This information is sufficient for constructing a graph of AS
connectivity for this reachability from which routing loops may be
pruned, and, at the AS level, some policy decisions may be enforced.

BGP-4 provides a set of mechanisms for supporting Classless Inter-
Domain Routing (CIDR). These mechanisms include support for
advertising a set of destinations as an IP prefix, and eliminating
the concept of network "class" within BGP. BGP-4 also introduces
mechanisms that allow aggregation of routes, including aggregation of
AS paths.

BGP Wedgies
It has commonly been assumed that the Border Gateway Protocol (BGP)
is a tool for distributing reachability information in a manner that
creates forwarding paths in a deterministic manner. In this memo we
will describe a class of BGP configurations for which there is more
than one potential outcome, and where forwarding states other than
the intended state are equally stable. Also, the stable state where
BGP converges may be selected by BGP in a non-deterministic manner.
These stable, but unintended, BGP states are termed here "BGP
Wedgies".

Configuring BGP to Block Denial-of-Service Attacks
This document describes an operational technique that uses BGP
communities to remotely trigger black-holing of a particular
destination network to block denial-of-service attacks. Black-holing
can be applied on a selection of routers rather than all BGP-speaking
routers in the network. The document also describes a sinkhole
tunnel technique using BGP communities and tunnels to pull traffic
into a sinkhole router for analysis.

Border Gateway Protocol (BGP) Persistent Route Oscillation Condition
In particular configurations, the BGP scaling mechanisms defined in
"BGP Route Reflection - An Alternative to Full Mesh IBGP" and
"Autonomous System Confederations for BGP" will introduce persistent
BGP route oscillation. This document discusses the two types of
persistent route oscillation that have been identified, describes
when these conditions will occur, and provides some network design
guidelines to avoid introducing such occurrences.

BGP Route Flap Damping
A usage of the BGP routing protocol is described which is capable of
reducing the routing traffic passed on to routing peers and therefore
the load on these peers without adversely affecting route convergence
time for relatively stable routes. This technique has been
implemented in commercial products supporting BGP. The technique is
also applicable to IDRP.

The overall goals are:
o to provide a mechanism capable of reducing router processing load
caused by instability
o in doing so prevent sustained routing oscillations
o to do so without sacrificing route convergence time for generally
well behaved routes.

This must be accomplished keeping other goals of BGP in mind:
o pack changes into a small number of updates
o preserve consistent routing
o minimal addition space and computational overhead

An excessive rate of update to the advertised reachability of a
subset of Internet prefixes has been widespread in the Internet.
This observation was made in the early 1990s by many people involved
in Internet operations and remains the case. These excessive updates
are not necessarily periodic so route oscillation would be a
misleading term. The informal term used to describe this effect is
"route flap". The techniques described here are now widely deployed
and are commonly referred to as "route flap damping".

Protection of BGP Sessions via the TCP MD5 Signature Option
This memo describes a TCP extension to enhance security for BGP. It
defines a new TCP option for carrying an MD5 [RFC1321] digest in a
TCP segment. This digest acts like a signature for that segment,
incorporating information known only to the connection end points.
Since BGP uses TCP as its transport, using this option in the way
described in this paper significantly reduces the danger from certain
security attacks on BGP.

A Unified Approach to Inter-Domain Routing
This memo is an informational RFC which outlines one potential
approach for inter-domain routing in future global internets. The
focus is on scalability to very large networks and functionality, as
well as scalability, to support routing in an environment of
heterogeneous services, requirements, and route selection criteria.

Note: The work of D. Estrin and S. Hotz was supported by the National
Science Foundation under contract number NCR-9011279, with matching
funds from GTE Laboratories. The work of Y. Rekhter was supported by
the Defense Advanced Research Projects Agency, under contract
DABT63-91-C-0019. Views and conclusions expressed in this paper are
not necessarily those of the Defense Advanced Research Projects
Agency and National Science Foundation.

Border Gateway Protocol 3 (BGP-3)
This memo, together with its companion document, "Application of the
Border Gateway Protocol in the Internet", define an inter-autonomous
system routing protocol for the Internet. This RFC specifies an IAB
standards track protocol for the Internet community, and requests
discussion and suggestions for improvements. Please refer to the
current edition of the "IAB Official Protocol Standards" for the
standardization state and status of this protocol. Distribution of
this memo is unlimited.

Border Gateway Protocol (BGP)
This RFC, together with its companion RFC-1164, "Application of the
Border Gateway Protocol in the Internet", define a Proposed Standard
for an inter-autonomous system routing protocol for the Internet.

This protocol, like any other at this initial stage, may undergo
modifications before reaching full Internet Standard status as a
result of deployment experience. Implementers are encouraged to
track the progress of this or any protocol as it moves through the
standardization process, and to report their own experience with the
protocol.

This protocol is being considered by the Interconnectivity Working
Group (IWG) of the Internet Engineering Task Force (IETF).
Information about the progress of BGP can be monitored and/or
reported on the IWG mailing list (IWG@nri.reston.va.us).

Please refer to the latest edition of the "IAB Official Protocol
Standards" RFC for current information on the state and status of
standard Internet protocols.

Oct 16, 2014

List of must-have softwares for Yosemite

Because recently, I've been working on some side projects that involve constantly reinstall my OSX, and I hate to remember all the softwares I need to install for every single time. So here we are, my list of all the must-have softwares for a fresh Yosemite.

EDIT: add some more on Oct. 17, 2014.
EDIT: add MacVim, Spotify, VLC, Plex, XMind on Oct. 27, 2014.

Apps:

  • Chrome (Safari is the fastest browser to download Chrome, IE is the second)
  • iWork set
    • Keynote
    • Numbers
    • Pages (barely use)
    • iPhoto
    • iMovie (just in case I have nothing to do)
  • iTerm 2 - the best terminal emulator on Mac and I don't know why. It is just good.
  • 163 Music (you need to at least know some Chinese to appreciate it)
  • Dropbox
  • Wunderlist
  • Evernote
  • Alfred (I like to set the key to be double tap "command")
  • Feedly
  • Mint
  • Skitch
  • Caffine
  • Intellij (for Java development, note it requires Java SE 6 runtime to run and will install on start)
  • cdto (a nice plugin for finder to open iterm at current folder)
  • Baidu Input Method (for Chinese input, download is always painfully slow)
  • OmniGraffle
  • QQ
  • Cinch (search "irradiated")
  • Mendeley (best tool for paper reading)
  • Skype
  • LyX (quick write up for school homework)
  • SourceTree (to quick manipulate git repo)
  • MacVim (Open text file with Vim!) (use the RCDefaultApp to change the default app setting)
  • RCDefaulApp (change default application for extensions)
  • Spotify (nice radios)
  • VLC (yet another video player)
  • PlexHomeTheater (watching videos could be fun)
  • XMind (Mind mapping)

Command line tools:

Games:

Other settings:

  • VPN Gate
    • I use Tsubuka's
    • vg2947755109.opengw.net
    • vpn:vpn

Oct 12, 2014

Hackintosh experience on Dell Alienware X51

Failed steps:

Follow the steps described here:
http://www.hackintoshosx.com/topic/21475-guide-aio-guides-for-hackintosh/?p=106895

Use boot flag "-v dart=0" and do not inject NVidia card driver.

After the first time of struggling, this time I am much faster on figuring out what to do when got stuck as the white screen. I think it was due to the conflict on the NVidia driver.

Installation is swift. However, I encountered the same problem as before,
Missing Bluetooth Controller Transport!
I tried :

  1. "-v dart=0" and not inject NVidia card, failed
  2.  "-v" and not inject NVidia card, failed
  3. InjectEDID+LoadVideoBios, failed
  4. "-v -f" failed


Switched to Unibeast.
Create bootable drive, use "-x" option for usage.

Switched back to clover:

  • -xcpm "Force XCPM to use mach_kernel for CPU Power Management on IvyBridge system."
  • UseKernelCache=Yes. Otherwise, the bootup could be really slow. 
  • "dart=0, injectNVidia"

Successful Steps:

Forgive me about these mess. I was just trying to keep a log of what I have done. And finnaly, I found my answer here
Type: mount -uw /
Type: cd /System/Library/Extensions
Type: mkdir intel_back
Type: mv AppleIntelHD* AppleIntelF* intel_back/
Type: touch ../Extensions

Turns out the problem is indeed the Intel video card driver problem.

Here is the config file I used:
https://gist.github.com/digizeph/a030a7b9d5bee21c33ee

Post installation

Audio driver:

Oct 5, 2014

Struggling youth

I've just discovered a great answer on Quora on the question of "What does it feel like to be really old knowing that death is imminent?"

I am too young to think about this question, however that does not prevent from rethinking what my life has become comparing what I expect it to be. Good things happened, bad things happened, and mostly nothing happened. The last thing scares me.

I can't remember how many times I tried to start a blog and told myself that I was going to keep writing no matter what. After a while, everything back to usual.

My life was like a pond of water peaceful like an mirror, while I expect it to be a place filled with storms and hurricanes. There are always two voices in my mind. One tells me to keep calm and carry on whatever I was doing, don't change. While the other one cuts me with its little knife of vision and ambition, pointing the places where others have been or are trying to go. Often the case, I compromise to the reality because I am afraid of changing my habit or my slow pace of life and work.

Will the imminent death change everything?

Read Quote of Stan Hayward's answer to What does it feel like to be really old knowing that death is imminent? on Quora

Oct 2, 2014

How to up subdomain on your Ubuntu server, and why you CAN'T do it.

What you have in hand:

You have a computer with a domain name pointing your machine's public IP.

What you want to do:

Create a subdomain for your server. For example, you have example.com and you want to have www.example.com.

What you essentially needs to do:

Create a virtualhost on your Apache server. In other words, although both www.example.com and example.com all pointing to the same IP address, you can process them differently.

How you can do it, ideally:


1. Go to /etc/apache2/sites-available/
2. Copy 000-default.conf to 001-example.conf. Name does not matter.
3. Add basic template to the new .conf file.

<VirtualHost *:80>
           ServerName www.example.com
           DocumentRoot /var/www/www.example.com
 </VirtualHost>
4. Create a corresponding folder in /var/www, which is "www.example.com". Again the name does not matter.

Why you won't succeed:

The Internet do NOT have the DNS record for the www.example.com. In other words, when you type in www.example.com in your browser, you browser cannot find the corresponding IP address for this URL, which means the traffic will never arrive to your machine.


How you deal with it:

Go ask your DNS provider (or parent domain) admin to delegate DNS records to your machine, meaning that your machine will need to act as both the web-server and DNS server. Whenever a strange URL comes, such as wtf.example.com, your parent DNS server knows that you might know the IP and you're the delegated server for your zone, so it will forward the request to you now. Now it's up to your server to decide which IP the wtf.example.com belongs to.

Then, how do you setup DNS Server then?
1.  a "zone" at /etc/bind/named.conf.local. Something like this:
zone "example.com" {
        type master;
        file "zones/unsigned/example";
};
2. create a folder /var/cache/bind/zones/unsigned/. Create a file named "exmaple.com". Name MATTERS now.
3. Edit the file and add the following content :
$TTL 60
$ORIGIN exmaple.com.
@ 1D IN SOA ns1example.com. root.example.com. (
        2014100200 ; serial
        360 ; refresh (6 minutes)
        360 ; retry (6 minutes)
        1800 ; expire (30 minutes)
        60 ; minimum (1 minute)
)
        IN NS ns1.example.com.
ns1     IN A YOURIP
www     IN A YOURIP
Note, remember to replace YOURIP with your actual IP address.
4. sudo service bind9 restart
5. sudo service apache2 restart





Sep 30, 2014

Setting up Snort IDS on Ubuntu 14.04 [2]


In the previous post, I've talked about how to install and set up a running intrusion detection system using the tool called "Snort". As I mentioned, the interpretation of the alert log is critical to understanding the situation of your system. Therefore we need a better idea of how the Snort logging system works and how can we read them. I've only worked on this tool for several hours so far, so my understanding may be highly naive. 

OK, let's start.

Snort output configuration


First thing of all, we need to know where are all the configuration files located in our system. For all Snort related config files, they are in /etc/snort folder. Apparently the most important (or useful) file for us is the snort.conf. It contains all the major configurations for Snort. For now, we only need to worry about the output part.

We are going to work on the config file comes with the Ubuntu's Snort package. If you don't see such a file, then it is probably a good time for you to go and [download one](http://books.gigatux.nl/mirror/snortids/0596006616/snortids-APP-B.html) now. Let's now go to the "Step #6: Configure output plugins" of /etc/snort/snort.conf. You will see a recommended method has been enabled, and all others were disabled. We will need to use unified2 binary format for our logging plugin. There is only one thing that I recommend to change. Go use alert and log (two files) for logging, instead of put everything into one gigantic file. Just comment out the 
output unified2: filename snort.log, limit 128, nostamp, mpls_event_types, vlan_event_types

and remove the comment mark for the following two lines:
output alert_unified2: filename snort.alert, limit 128, nostampoutput log_unified2: filename snort.log, limit 128, nostamp

After the modification, you should go restart your snort daemon:
sudo service snort restart

As a result, you should be able to see two files in /var/log/snort/ folder, one is snort.alert, and one is snort.log. The snort.alert file will give you a summarized information for what the alerting packet that your machine has received. The snort.log file will give you the actual packet dump for it. 

As I just mentioned, the unified2 file is a binary file, invented for high-performance logging. You need to use a special to in order to read the content. Remember in the last post, we mentioned the tool U2SpewFoo. We went through a lot of hassle just to install it. Here we're going to use it. Run the following command to dump the binary unified2 file into human readable output.
u2spewfoo snort.alert

You should be able to see organized table output as you hit the enter key. See the two figures below:

[snort.alert]


[snort.log]

You can also see why I recommend you to separate the output into two files. In case of some large packet, the output for snort.log for a single packet could be really long. Therefore, if you're only interested in what kind of stuff your machine is going through and not care the exact packet load, our way is best for you.

Setting up Snort IDS on Ubuntu 14.04 [1]

Here is my log on how to install and set up the Snort IDS (Intrusion Detection System) on a single server (meaning not for a network) that runs Ubuntu 14.04 on it.

Motivation

I am a PhD student in a small research laboratory, with several server machines for experiments purposes. I am also kind of the admin for these machines, and I have the access to read some log files in /var/log. I noticed several times before that our machines were under constant SSH login attempts. That bothers me and I don't have time to do something until now. So, this time I would like to set up a IDS that helps me detect such attempts and then further devise the reactions. So here I am, installing Snort.

Steps

First, I've tried to use the Ubuntu's repository directly,
"sudo apt-get install snort"
Though everything looks good after installation, I found that the package does not provide a very essential tool: U2SpewFoo, a tool that reads Unified2 files (the default log file for Snort) and dump it to STDOUT. Basically, without it you can't know anything about the IDS results.

To work it around, I need to install it from source. Following the link here https://www.snort.org/#get-started, I encountered some minor problems.
  1. When installing daq, there are two missing packages: bison and flex. Simply install these two can fix the problem.
  2. When installing snort, there is one missing package: dnet header. The ./configure tells me to go to this website for the dnet header https://code.google.com/p/libdnet/.  After download and untar the package, simply make and install will do the trick. (Download link: https://libdnet.googlecode.com/files/libdnet-1.12.tgz)

After that, the Snort should be manually installed on your computer. By the way, "sudo ./configure" is a stupid idea. There is no reason to use sudo for any situation unless it is necessary to do so. For example, when you need to copy the binaries to system path folders.

Though installed, all the configuration files are still missing. Recall that, the only reason I started installing Snort manually is because the u2spewfoo is not there in the package. For now, that software is already there, and I do not want to manually create all the configuration files by myself (at least for now). As a result, I apt-get the snort again. Ignore this step if you're confident or patient enough to set up everything by your own hands.

Understand the log


Now the Snort IDS should be running on your machine as a daemon process. You can check the running status by:
sudo service snort status
Then, you should be able to see something like this:





Now let's look at the events log. For the only several minutes I've been running snort, I've got a pretty impressive amount of events that have been logged into /var/log/snort/snort.log. In order to take a peek at the log, you need this u2spewfoo tool:
sudo u2spewfoo snort.log
The output should look like this:





Future work

In the following blog posts, I will further dig into how to read snort log file, and make sense of it. Most important of all, how can we react to different events. Recall that I took the easy way here by installing all the default rules. From what I can see now, it might be too sensitive, and generating too much "not-important" alerts. As I dig into this tool, we will learn how to tailor the Snort to best fit your needs.

Thanks for reading this post. If you have any comments, please don't hesitate to contact me.

Smarter core for the Internet

Since "the Internet is far too large to sustain the concept of a flag day for deployment of any technology", according to Geoff Huston, we need to be really smart at designing new technologies if the deployment is part of the goal (of course it is :D).

Therefore, instead of frying your brain and looking for a ``best'' solution for gradual deployment, I'd like to see a smarter Internet that can incorporate both new and old technologies. One way to achieve this goal is to design or improve a smarter core of the Internet.

You may wonder, the Internet is supposed to be a flat design from the ISP level (or other coarser granularities), but that does not stop us from designing something like a next-gen Internet Exchange Point that applies the most tolerant and intelligent algorithms on it. The of the this kind of IXP is:
  • allow different versions of the routing protocol to run in the same environment without requiring ubiquitous deployment.
  • enable monitoring systems to play and get the most of it to protect the current Internet. For example, a Buddyguard system that is deployed in an IXP can absorb the most accurate and up-to-date information to learn the best ``normalities'' from the BGP updates. So does I-seismograph. In other words, a playground for different monitoring systems could be a big beneficial point for both the maintenance of the Internet, and the progression of the future protocols.
  • a smarter IXP could also be used as an super learning source for the future of the artificial intelligence. However, this is only my own ambitious vision, which may not have any academical goods.