Is not possible to disable sndiod process??
Hi all,

How can I disable sndiod process?? I have configured under rc.conf:

sndiod_flags=NO

but every time host is rebooted, sndiod starts ... Why??

Thanks.

-- 
CL Martinez
carlopmart {at} gmail {d0t} com
Re: Is not possible to disable sndiod process??
carlopmart <carlopm...@gmail.com> writes:

> Hi all,
>
> How can I disable sndiod process?? I have configured under rc.conf:
>
> sndiod_flags=NO

rc.conf isn't meant to be edited. use rc.conf.local

> but every time host is rebooted, sndiod starts ... Why??
>
> Thanks.

Without more details and given the non-standard setup... Here's a guess: you may have aucat_flags in rc.conf.local that override your non-standard changes.

-- 
Jérémie Courrèges-Anglas
GPG fingerprint: 61DB D9A0 00A4 67CF 2A90 8961 6191 8FBF 06A1 1494
Re: Is not possible to disable sndiod process??
On Sat, Jun 09, 2012 at 11:48:29AM +0200, carlopmart wrote:
> Hi all,
>
> How can I disable sndiod process?? I have configured under rc.conf:

the recommended way to disable it by adding:

sndiod_flags=NO

in /etc/rc.conf.local

> sndiod_flags=NO
>
> but every time host is rebooted, sndiod starts ... Why??

indeed, it shouldn't start. May be you've multiple sndiod_flags definitions, or your setting is overridden in rc.conf.local or whatever else.

-- 
Alexandre
Re: Is not possible to disable sndiod process??
On 06/09/2012 12:19 PM, Jérémie Courrèges-Anglas wrote:
> carlopmart <carlopm...@gmail.com> writes:
>> Hi all,
>>
>> How can I disable sndiod process?? I have configured under rc.conf:
>>
>> sndiod_flags=NO
>
> rc.conf isn't meant to be edited. use rc.conf.local

Uhmm why?? I use rc.conf.local for daemons or options outside of openbsd soft base ...

>> but every time host is rebooted, sndiod starts ... Why??
>>
>> Thanks.
>
> Without more details and given the non-standard setup...

What details do you need?? I use this openbsd box as a fw and I want to disable sndiod process ...

> Here's a guess: you may have aucat_flags in rc.conf.local that override your non-standard changes.

But there are no options for aucat_flags under rc.conf ... or maybe I only need to put under rc.conf.local aucat_flags=NO??

-- 
CL Martinez
carlopmart {at} gmail {d0t} com
Re: Is not possible to disable sndiod process??
On 06/09/2012 12:21 PM, Alexandre Ratchov wrote:
> On Sat, Jun 09, 2012 at 11:48:29AM +0200, carlopmart wrote:
>> Hi all,
>>
>> How can I disable sndiod process?? I have configured under rc.conf:
>
> the recommended way to disable it by adding:
>
> sndiod_flags=NO
>
> in /etc/rc.conf.local
>
>> sndiod_flags=NO
>>
>> but every time host is rebooted, sndiod starts ... Why??
>
> indeed, it shouldn't start. May be you've multiple sndiod_flags definitions, or your setting is overridden in rc.conf.local or whatever else.
>
> -- Alexandre

Nop, I don't have a rc.conf.local file ..

-- 
CL Martinez
carlopmart {at} gmail {d0t} com
Re: Is not possible to disable sndiod process??
On Sat, Jun 09, 2012 at 11:48:29AM +0200, carlopmart wrote:
> Hi all,
>
> How can I disable sndiod process?? I have configured under rc.conf:
>
> sndiod_flags=NO
>
> but every time host is rebooted, sndiod starts ... Why??

Because you should not touch rc.conf; sndiod_flags _must_ be added to rc.conf.local. If you don't understand why, then have a look at the backward compat code in /etc/rc.conf.

Also, from rc.conf(8):

    It is advisable to leave rc.conf untouched, and instead create and edit a new rc.conf.local file.

-- 
Antoine
Re: Is not possible to disable sndiod process??
On Sat, Jun 09, 2012 at 12:35:07PM +0200, carlopmart wrote:
> On 06/09/2012 12:19 PM, Jérémie Courrèges-Anglas wrote:
>> carlopmart <carlopm...@gmail.com> writes:
>>> Hi all,
>>>
>>> How can I disable sndiod process?? I have configured under rc.conf:
>>>
>>> sndiod_flags=NO
>>
>> rc.conf isn't meant to be edited. use rc.conf.local
>
> Uhmm why??

For instance to avoid merges during upgrade; rc.conf contains the default configuration, and rc.conf.local contains local changes to the default configuration.

> I use rc.conf.local for daemons or options outside of openbsd soft base ...

it can be used for the base system as well.

>>> but every time host is rebooted, sndiod starts ... Why??
>>>
>>> Thanks.
>>
>> Without more details and given the non-standard setup...
>
> What details do you need?? I use this openbsd box as a fw and I want to disable sndiod process ...

Generally you don't need to disable sndiod. As long as it's not used it consumes less resources than getty, which we don't disable either.

-- 
Alexandre
Re: Is not possible to disable sndiod process??
On Sat, Jun 09, 2012 at 12:36:19PM +0200, carlopmart wrote:
> On 06/09/2012 12:21 PM, Alexandre Ratchov wrote:
>> On Sat, Jun 09, 2012 at 11:48:29AM +0200, carlopmart wrote:
>>> Hi all,
>>>
>>> How can I disable sndiod process?? I have configured under rc.conf:
>>
>> the recommended way to disable it by adding:
>>
>> sndiod_flags=NO
>>
>> in /etc/rc.conf.local
>>
>>> sndiod_flags=NO
>>>
>>> but every time host is rebooted, sndiod starts ... Why??
>>
>> indeed, it shouldn't start. May be you've multiple sndiod_flags definitions, or your setting is overridden in rc.conf.local or whatever else.
>>
>> -- Alexandre
>
> Nop, I don't have a rc.conf.local file ..

so, just do:

    echo 'sndiod_flags=NO' >> /etc/rc.conf.local

see rc.conf(5) man page as well.

-- 
Alexandre
Re: Is not possible to disable sndiod process??
carlopmart wrote:
> On 06/09/2012 12:19 PM, Jérémie Courrèges-Anglas wrote:
>> carlopmart <carlopm...@gmail.com> writes:
>>> Hi all,
>>>
>>> How can I disable sndiod process?? I have configured under rc.conf:
>>>
>>> sndiod_flags=NO
>>
>> rc.conf isn't meant to be edited. use rc.conf.local
>
> Uhmm why?? I use rc.conf.local for daemons or options outside of openbsd soft base ...

it's simple:

- read rc.conf(8) for a better understanding (or study the /etc/rc.conf script and try to figure out what could cause your sndiod_flags to get lost, after all, if you edit this script you should also be able to figure out the consequences of your actions, since it's advised to NOT edit this file)
- (older) aucat_flags could interfere with sndiod_flags but if you haven't got a rc.conf.local this is probably not your problem
- follow Alexandre's advice
Re: Is not possible to disable sndiod process??
On Sat, Jun 09, 2012 at 12:35:07PM +0200, carlopmart wrote:
> On 06/09/2012 12:19 PM, Jérémie Courrèges-Anglas wrote:
>> rc.conf isn't meant to be edited. use rc.conf.local
>
> Uhmm why??

Because rc.conf(8) states that

    It is advisable to leave rc.conf untouched, and instead create and edit a new rc.conf.local file. Variables set in this file will override variables previously set in rc.conf.

and you should always follow official recommendations before personal preferences, even if it seems ambiguous?

-- 
Cheers, Erling
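As an added example (not code from the thread or from OpenBSD), the following Python script emulates the ordering the replies above describe: /etc/rc.conf is read first and /etc/rc.conf.local afterwards, so the last assignment of a variable wins, exactly as when sh(1) sources both files. Given file contents (the two files below are constructed samples, not real ones), it reports the effective value of a variable and every place it is defined, which makes a forgotten override in rc.conf.local or a duplicate definition visible. The `check` helper and the sample values are this example's own.

```python
import re

# A plain shell assignment: NAME=value, value either quoted or a bare word.
# Comments after the value are ignored; a '#' inside quotes is not handled.
ASSIGN = re.compile(r'^\s*([A-Za-z_][A-Za-z0-9_]*)=("[^"]*"|\'[^\']*\'|[^#\s]*)')


def assignments(text):
    """Yield (lineno, name, value) for every VAR=value line in a shell-style file."""
    for n, line in enumerate(text.splitlines(), 1):
        m = ASSIGN.match(line)
        if m:
            yield n, m.group(1), m.group(2).strip('"\'')


def effective(files, name):
    """files: [(path, contents), ...] in sourcing order (rc.conf first, then
    rc.conf.local). Returns (winning value, [(path, lineno, value), ...])."""
    found = [(path, n, val)
             for path, text in files
             for n, var, val in assignments(text) if var == name]
    return (found[-1][2] if found else None), found


def check(files, name):
    """Explain which definition of `name` takes effect and why (hypothetical helper)."""
    value, found = effective(files, name)
    notes, per_file = [], {}
    for path, _, _ in found:
        per_file[path] = per_file.get(path, 0) + 1
    for path, count in per_file.items():
        if count > 1:
            notes.append(f"{name} is defined {count} times in {path}; the last one wins")
    if len(per_file) > 1:
        notes.append(f"{found[-1][0]} overrides the definition in {found[0][0]}")
    return {"value": value, "definitions": found, "notes": notes}


# Constructed samples, not real files from any system.
RC_CONF = (
    "# /etc/rc.conf: defaults shipped with the release, sourced first\n"
    "sndiod_flags=            # empty: start sndiod with default flags; NO disables it\n"
    "ntpd_flags=NO\n"
)
RC_CONF_LOCAL = (
    "# /etc/rc.conf.local: local changes, sourced after rc.conf\n"
    "sndiod_flags=NO\n"
    "ntpd_flags=\"\"\n"
)
# What the original poster did: edit rc.conf itself ...
EDITED_RC_CONF = RC_CONF + "sndiod_flags=NO          # edit made directly in rc.conf\n"
# ... while an older entry in rc.conf.local silently wins.
STALE_RC_CONF_LOCAL = "sndiod_flags=\"-f rsnd/0\"\n"

RECOMMENDED = [("/etc/rc.conf", RC_CONF), ("/etc/rc.conf.local", RC_CONF_LOCAL)]
MISTAKEN = [("/etc/rc.conf", EDITED_RC_CONF), ("/etc/rc.conf.local", STALE_RC_CONF_LOCAL)]

if __name__ == "__main__":
    for label, files in (("recommended", RECOMMENDED), ("mistaken", MISTAKEN)):
        print(label, check(files, "sndiod_flags"))
```

Run against real files by reading /etc/rc.conf and /etc/rc.conf.local into the same list; a `sndiod_flags` that is not `NO` in the winning entry is the reason the daemon keeps starting.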
Ways to handle DNS amplification attacks with OpenBSD
Hello all,

there is a need to restrict a specific type of DNS queries (ANY queries) in our nameservers. We faced a DDoS attack in our resolvers and the thing is that we could not simply cut access to DNS resolution to specific client IPs, the queries came from our own unsuspecting customers. The situation is similar but not the same as the one described here:

https://isc.sans.edu/diary.html?storyid=13261

We used IPtables and the string module to match a specific signature of the problematic queries and it worked quite well (in our attack case the problematic queries had a very specific and simple pattern).

The question is, if we had OpenBSD and PF as a firewall what could we do to address this? From searching the archives I saw this quite old post

http://www.monkey.org/openbsd/archive/misc/0207/msg00743.html

I haven't seen any string matching capability in PF for the packet payload. Unless I am missing something, what would your suggestions be in such a scenario? I am interested to hear possible solutions in other layers as well.

Regards,
Kostas
Re: Ways to handle DNS amplification attacks with OpenBSD
* Kostas Zorbadelos <kzo...@otenet.gr> [2012-06-09 13:12]:
> We used IPtables and the string module to match a specific signature of the problematic queries and it worked quite well (in our attack case the problematic queries had a very specific and simple pattern).
>
> The question is, if we had OpenBSD and PF as a firewall what could we do to address this? From searching the archives I saw this quite old post
>
> http://www.monkey.org/openbsd/archive/misc/0207/msg00743.html
>
> I haven't seen any string matching capability in PF for the packet payload. Unless I am missing something, what would your suggestions be in such a scenario? I am interested to hear possible solutions in other layers as well.

string matching to more or less random packets' payload in the kernel? that is beyond insane.

the proper solution is a small userland helper process, using divert-to and maybe socket splicing.

-- 
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services, http://bsws.de, Full-Service ISP
Secure Hosting, Mail and DNS Services. Dedicated Servers, Root to Fully Managed
Henning Brauer Consulting, http://henningbrauer.com/
Re: Ways to handle DNS amplification attacks with OpenBSD
Kostas Zorbadelos <kzo...@otenet.gr> writes:

> Hello all,

Hi

> there is a need to restrict a specific type of DNS queries (ANY queries) in our nameservers. We faced a DDoS attack in our resolvers and the thing is that we could not simply cut access to DNS resolution to specific client IPs, the queries came from our own unsuspecting customers.

So you run resolvers for your clients. I will assume you're an ISP. In that case, you should be checking that the DNS queries that seem to come from your clients *actually* come from your clients, not out of nowhere, from spoofed IPs. This could be done very easily with PF, *if* your current architecture allows it (if you have a way to distinguish network flow coming from your clients from spoofed requests coming from the Internet).

Of course, if you're not an ISP, then forget what I said.

> The situation is similar but not the same as the one described here:
> https://isc.sans.edu/diary.html?storyid=13261

Indeed, that involves authoritative nameservers flooded with requests that can come from anywhere.

[...]

-- 
Jérémie Courrèges-Anglas
GPG fingerprint: 61DB D9A0 00A4 67CF 2A90 8961 6191 8FBF 06A1 1494
Re: Ways to handle DNS amplification attacks with OpenBSD
Kostas Zorbadelos <kzo...@otenet.gr> writes:

> there is a need to restrict a specific type of DNS queries (ANY queries) in our nameservers. We faced a DDoS attack in our resolvers and the thing is that we could not simply cut access to DNS resolution to specific client IPs, the queries came from our own unsuspecting customers.

My first impulse when reading the sans diary item was to rate-limit, possibly via the overload table mechanism, and if not blocking them outright perhaps put the DNS requests from the overloads in a minimal-bandwidth queue. That may or may not be appropriate to your context, and I suspect detection may be the main priority.

While string matching in PF is not an option, I vaguely remember snort users coming up with patterns to match earlier DNS tomfoolery, so there's a chance you may be able to get useful info and possibly even a working snort setup to deal with this one.

-- 
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
Re: Ways to handle DNS amplification attacks with OpenBSD
On Sat, 09 Jun 2012 13:51:00 +0200, jca+o...@wxcvbn.org (Jérémie Courrèges-Anglas) wrote:
> Kostas Zorbadelos <kzo...@otenet.gr> writes:
>
>> Hello all,
>
> Hi
>
>> there is a need to restrict a specific type of DNS queries (ANY queries) in our nameservers. We faced a DDoS attack in our resolvers and the thing is that we could not simply cut access to DNS resolution to specific client IPs, the queries came from our own unsuspecting customers.
>
> So you run resolvers for your clients. I will assume you're an ISP. In that case, you should be checking that the DNS queries that seem to come from your clients *actually* come from your clients, not out of nowhere, from spoofed IPs. This could be done very easily with PF, *if* your current architecture allows it (if you have a way to distinguish network flow coming from your clients from spoofed requests coming from the Internet).

Does it affect caching name servers only, or also the one with zones? I know it's a stupid question, because the authoritative server has to be open for all to redistribute the domain (or not, for example if we do not want some regions to access our domain?)

> Of course, if you're not an ISP, then forget what I said.
>
>> The situation is similar but not the same as the one described here:
>> https://isc.sans.edu/diary.html?storyid=13261
>
> Indeed, that involves authoritative nameservers flooded with requests that can come from anywhere.
>
> [...]
>
> -- 
> Jérémie Courrèges-Anglas
> GPG fingerprint: 61DB D9A0 00A4 67CF 2A90 8961 6191 8FBF 06A1 1494
Re: em0: Invalid mac address and the device is not configured.
I have an Intel PRO/1000MT (82540EP) in my laptop which takes the same codepath (hw->mac_type of em_82540) and don't see any problems so I wonder what is different (corrupt eeprom?).

If you can try defining DBG in sys/dev/pci/if_em_osdep.h this will produce a lot of debug output you can mail me off list. Failing that I'm happy to have a look with your extra card.

On Thu, Jun 07, 2012 at 04:17:03PM -0500, Justin Haynes wrote:
> Misc -
>
> I have an Intel PRO/1000MT (82540EM) 32-bit PCI card which I've just added to an i386 architecture machine running OpenBSD 5.1. I have an extra card I can donate to a developer who may need it.
>
> The following line appears in my dmesg, and my Intel PRO/1000MT (82540EM) ethernet device fails to be configured:
>
> em0 at pci6 dev 1 function 0 "Intel PRO/1000MT (82540EM)" rev 0x02: apic 0 int 19
> em0: Invalid mac address
>
> (Full dmesg at end of email)
>
> After searching I found the closest situation to this one occurred in 2005 in a thread on misc@openbsd with the title "em (Intel 1000GT) on 3.6". A link to a search on marc.info for messages containing this text appears here:
>
> http://marc.info/?l=openbsd-misc&w=2&r=1&s=em+%28Intel+1000GT%29+on+3.6&q=b
>
> A similar problem appeared in a FreeBSD 8.0 Current bug with an arrival date of Wed Apr 29 05:50:01 UTC 2009:
>
> http://www.freebsd.org/cgi/query-pr.cgi?pr=134079
>
> One listed resolution in that FreeBSD bug was:
>
>     I changed the e1000_read_mac_addr_generic() function in /usr/src/sys/dev/e1000/e1000_nvm.c to the 7.2 version. It works for me.
>
> In OpenBSD 5.1 RELEASE GENERIC sys/dev/pci/if_em_hw.c I find a similar function beginning:
>
> --snip--
> int32_t
> em_read_mac_addr(struct em_hw *hw)
> --snip--
>
> I thought it more efficient for the team if I post the error now rather than for me to try to make sense of differences going back through CVS.
>
> # dmesg
> OpenBSD 5.1 (GENERIC.MP) #188: Sun Feb 12 09:55:11 MST 2012
>     dera...@i386.openbsd.org:/usr/src/sys/arch/i386/compile/GENERIC.MP
> cpu0: AMD E-350 Processor ("AuthenticAMD" 686-class, 512KB L2 cache) 1.61 GHz
> cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,HTT,NXE,MMXX,FFXSR,LONG,SSE3,MWAIT,SSSE3,CX16,POPCNT,LAHF,SVM,ABM,SSE4A,WDT
> real mem = 2814578688 (2684MB)
> avail mem = 2758422528 (2630MB)
> mainbus0 at root
> bios0 at mainbus0: AT/286+ BIOS, date 06/16/10, SMBIOS rev. 2.6 @ 0xe9070 (60 entries)
> bios0:
> bios0: ASUSTeK Computer INC. E35M1-M PRO
> acpi0 at bios0: rev 2
> acpi0: sleep states S0 S3 S4 S5
> acpi0: tables DSDT FACP APIC MCFG HPET SSDT SSDT
> acpi0: wakeup devices SBAZ(S4) PS2K(S4) PS2M(S4) UAR1(S4) P0PC(S4) UHC1(S4) UHC2(S4) USB3(S4) UHC4(S4) USB5(S4) UHC6(S4) UHC7(S4) BR14(S4) PE20(S4) PE21(S4) RLAN(S4) PE22(S4) BR23(S4) PE23(S4) PWRB(S4)
> acpitimer0 at acpi0: 3579545 Hz, 32 bits
> acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
> cpu0 at mainbus0: apid 0 (boot processor)
> cpu0: apic clock running at 199MHz
> cpu1 at mainbus0: apid 1 (application processor)
> cpu1: AMD E-350 Processor ("AuthenticAMD" 686-class, 512KB L2 cache) 1.60 GHz
> cpu1: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,HTT,NXE,MMXX,FFXSR,LONG,SSE3,MWAIT,SSSE3,CX16,POPCNT,LAHF,SVM,ABM,SSE4A,WDT
> ioapic0 at mainbus0: apid 0 pa 0xfec0, version 21, 24 pins
> ioapic0: misconfigured as apic 3, remapped to apid 0
> acpimcfg0 at acpi0 addr 0xe000, bus 0-255
> acpihpet0 at acpi0: 14318180 Hz
> acpiprt0 at acpi0: bus 0 (PCI0)
> acpiprt1 at acpi0: bus -1 (BR15)
> acpiprt2 at acpi0: bus -1 (PCE6)
> acpiprt3 at acpi0: bus -1 (PCE7)
> acpiprt4 at acpi0: bus -1 (PCE8)
> acpiprt5 at acpi0: bus 1 (BR14)
> acpiprt6 at acpi0: bus 3 (PE20)
> acpiprt7 at acpi0: bus 4 (PE21)
> acpiprt8 at acpi0: bus 5 (PE22)
> acpiprt9 at acpi0: bus 6 (BR23)
> acpiprt10 at acpi0: bus 7 (PE23)
> acpicpu0 at acpi0: C2, PSS
> acpicpu1 at acpi0: C2, PSS
> acpibtn0 at acpi0: PWRB
> bios0: ROM list: 0xc/0xe200 0xce800/0x1000
> cpu0: 1600 MHz: speeds: 1600 1280 800 MHz
> pci0 at mainbus0 bus 0: configuration mode 1 (bios)
> pchb0 at pci0 dev 0 function 0 "AMD AMD64 14h Host" rev 0x00
> vga1 at pci0 dev 1 function 0 "ATI Radeon HD 6310" rev 0x00
> wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
> wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
> azalia0 at pci0 dev 1 function 1 "ATI Radeon HD 6310 HD Audio" rev 0x00: msi
> azalia0: no supported codecs
> ppb0 at pci0 dev 4 function 0 "AMD AMD64 14h PCIE" rev 0x00: apic 0 int 16
> pci1 at ppb0 bus 1
> ahci0 at pci0 dev 17 function 0 "ATI SBx00 SATA" rev 0x40: apic 0 int 19, AHCI 1.2
> scsibus0 at ahci0: 32 targets
> sd0 at scsibus0 targ 0 lun 0: <ATA, SAMSUNG HN-M101M, 2AR1> SCSI3 0/direct fixed naa.50024e920664f093
> sd0: 953869MB, 512 bytes/sector, 1953525168 sectors
> sd1 at scsibus0 targ 1 lun 0: <ATA, SAMSUNG HN-M101M, 2AR1> SCSI3 0/direct fixed naa.50024e920664f095
> sd1: 953869MB, 512 bytes/sector, 1953525168 sectors
> ohci0 at pci0 dev 18 function 0 "ATI
Re: Is not possible to disable sndiod process??
On Sat, 09 Jun 2012 12:35:07 +0200 carlopmart wrote:
> Uhmm why?? I use rc.conf.local for daemons or options outside of openbsd soft base ...

In addition to what others have said it keeps your changes easily identified. If you put

    . /etc/rc.conf.localbase

in rc.conf.local you could separate out what you currently have in rc.local with rc.conf.localbase having the override ability in this case. Personally I don't see why except maybe delegating editing to certain users. You could just have a section marked by comments in rc.conf.local
Re: Ways to handle DNS amplification attacks with OpenBSD
On Sat, 09 Jun 2012 14:08:58 +0200 Peter N. M. Hansteen wrote:
> While string matching in PF is not an option, I vaguely remember snort users coming up with patterns to match earlier DNS tomfoolery, so there's a chance you may be able to get useful info and possibly even a working snort setup to deal with this one.

I've made custom rules scanning for user names with Snort and it was pretty easy. I had little performance concerns though so if possible, minimising the packet percentage handed to Snort or analysed would obviously be important.
drm
Hi,

Has any of you managed to run the drm driver for OpenBSD? There are some for intel and radeon; I wonder will they work with the radeon built in to the zacate platform.

Is it possible to run gnome 3.4.1 from jhbuild on OpenBSD 5.1? I already ran the sh script and configure but when I compile I get errors; I wonder is it the fault of the drm lack?

Best Regards
Tomasz Marszal
Re: Ways to handle DNS amplification attacks with OpenBSD
On Saturday, 09.06.2012 at 14:11 +0300, Kostas Zorbadelos wrote:
> The situation is similar but not the same as the one described here:
> https://isc.sans.edu/diary.html?storyid=13261
>
> We used IPtables and the string module to match a specific signature of the problematic queries and it worked quite well (in our attack case the problematic queries had a very specific and simple pattern).

Mitigating this with snort looks much uglier than the beautiful and elegant iptables counter measure posted in this list. Not sure how it holds up under load, though.

Since the attacker uses fixed patterns, he/she seems to be a script kiddy, and there is a good chance that the TTL can be used to identify his/her packets. My approach would be to check what TTLs the packets have vs. those from your clients and see whether you can filter based on that.

Rudi
Re: basic smtpd question
On Mon, Jun 4, 2012 at 4:36 AM, Gilles Chehade <gil...@poolp.org> wrote:
> On Sun, Jun 03, 2012 at 03:02:46PM +0200, Christopher Zimmermann wrote:
>> [...]
>> Relay how? Using smarthost? Possibly password protected? Then you need something like this:
>>
>> map secrets { source db /etc/mail/secrets.db }
>> accept from ... for all relay via smarthost tls auth secrets
>
> You should drop the '{' as they will be gone in the future, I made them optional so that it doesn't break setups but it should read:
>
> map secrets source db /etc/mail/secrets.db

That doesn't work in 5.1, unfortunately. I get a syntax error when I remove the { and }.

Also, mind slapping me with a cluestick? The below is my config, but I can't even send myself an email?

wan_if = em0
lan_if = fxp0

listen on lo0
listen on $lan_if

map aliases { source db /etc/mail/aliases.db }

accept for local alias aliases deliver to mbox
accept for domain *.spidernet.to deliver to mbox
accept for domain *.bofh.to deliver to mbox

# echo test|mail root
send-mail: command failed: 530 5.0.0 Recipient rejected: r...@urd.spidernet.to
# echo test|mail test
send-mail: command failed: 530 5.0.0 Recipient rejected: t...@urd.spidernet.to
# cat /var/log/maillog
Jun 9 11:14:35 urd smtpd[3173]: lka_session_done: expansion led to empty delivery list
Jun 9 11:14:35 urd smtpd[13437]: 50f71e78: from=r...@urd.spidernet.to, relay=0@localhost [IPv6:::1], stat=LocalError (530 5.0.0 Recipient rejected: r...@urd.spidernet.to)
Jun 9 11:16:22 urd smtpd[3173]: lka_session_done: expansion led to empty delivery list
Jun 9 11:16:22 urd smtpd[13437]: 218b8c90: from=r...@urd.spidernet.to, relay=0@localhost [IPv6:::1], stat=LocalError (530 5.0.0 Recipient rejected: t...@urd.spidernet.to)

I swear users root and test exist...

-- 
http://www.glumbert.com/media/shift
http://www.youtube.com/watch?v=tGvHNNOLnCk
"This officer's men seem to follow him merely out of idle curiosity." -- Sandhurst officer cadet evaluation.
"Securing an environment of Windows platforms from abuse - external or internal - is akin to trying to install sprinklers in a fireworks factory where smoking on the job is permitted." -- Gene Spafford
learn french: http://www.youtube.com/watch?v=30v_g83VHK4
I need your comeback with reverse-proxy
Hi

To protect my web server, I use a reverse proxy. Two good choices:

choice 1: Varnish
choice 2: Nginx

My webserver is Yaws. Depending on your returns, the best couple is Yaws-Varnish or Yaws-Nginx.

Tips and thank you for your feedback.

Cordially
Re: Ways to handle DNS amplification attacks with OpenBSD
Hi, will try to comment to many posts at once :)

Kostas Zorbadelos <kzo...@otenet.gr> writes:

> there is a need to restrict a specific type of DNS queries (ANY queries) in our nameservers. We faced a DDoS attack in our resolvers and the thing is that we could not simply cut access to DNS resolution to specific client IPs, the queries came from our own unsuspecting customers.

pe...@bsdly.net (Peter N. M. Hansteen) writes:

> My first impulse when reading the sans diary item was to rate-limit, possibly via the overload table mechanism, and if not blocking them outright perhaps put the DNS requests from the overloads in a minimal-bandwidth queue. That may or may not be appropriate to your context, and I suspect detection may be the main priority.

I also thought about this one, but unfortunately it would affect service for the customers and it would be unacceptable in this case. We would also need to automate detection as you mentioned.

> While string matching in PF is not an option, I vaguely remember snort users coming up with patterns to match earlier DNS tomfoolery, so there's a chance you may be able to get useful info and possibly even a working snort setup to deal with this one.

From the little I know about snort, I am not sure what the action would be in case of detection. The desired outcome is to filter the problem traffic not allowing it to reach the nameservers. Perhaps a working setup could be achieved, rearranging however the network setup.

jca+o...@wxcvbn.org (Jérémie Courrèges-Anglas) writes:

> So you run resolvers for your clients. I will assume you're an ISP.

Yes.

> In that case, you should be checking that the DNS queries that seem to come from your clients *actually* come from your clients, not out of nowhere, from spoofed IPs. This could be done very easily with PF, *if* your current architecture allows it (if you have a way to distinguish network flow coming from your clients from spoofed requests coming from the Internet).

Ohh, they do and that is the problem. We can't just cut the offending clients because they will have no Internet service :) Also we do not accept packets with sources in our network ranges from the outside in our border ACLs (I guess this is common antispoof practice).

> Of course, if you're not an ISP, then forget what I said.
>
>> The situation is similar but not the same as the one described here:
>> https://isc.sans.edu/diary.html?storyid=13261
>
> Indeed, that involves authoritative nameservers flooded with requests that can come from anywhere.

Exactly.

Henning Brauer <lists-open...@bsws.de> writes:

> string matching to more or less random packets' payload in the kernel? that is beyond insane.

I am interested to know if this has caused problems in IPtables' setups. It sounds dangerous, however Linux systems provide the capability. I guess they have thought about consequences and hopefully somehow addressed them.

> the proper solution is a small userland helper process, using divert-to and maybe socket splicing.

I am not sure we are talking about the same thing (you must have an implementation clearly in your mind ;-) ), but my feeling for a proper way to address this problem is via a userland application in a proxy or intercepting mode. This could filter the offending traffic and give to the nameserver the rest to service. I think you also talk about this (correct me if I am wrong). The main problem with it is that it needs to be developed :) Perhaps relayd is a good match for this one. IPtables' string module however is here now and it provided a crude but working solution.

Thanks for all the comments.

Kostas
Re: Ways to handle DNS amplification attacks with OpenBSD
* Kostas Zorbadelos <kzo...@otenet.gr> [2012-06-09 18:02]:
> Henning Brauer <lists-open...@bsws.de> writes:
>> string matching to more or less random packets' payload in the kernel? that is beyond insane.
>
> I am interested to know if this has caused problems in IPtables' setups. It sounds dangerous, however Linux systems provide the capability. I guess they have thought about consequences and hopefully somehow addressed them.

your guess is wrong... they might have been lucky so far, or not, I don't follow all the iptables bugs.

>> the proper solution is a small userland helper process, using divert-to and maybe socket splicing.
>
> I am not sure we are talking about the same thing (you must have an implementation clearly in your mind ;-) ), but my feeling for a proper way to address this problem is via a userland application in a proxy or intercepting mode. This could filter the offending traffic and give to the nameserver the rest to service.

that is pretty much what it comes down to, tho writing these proxies is very easy these days, using the techniques i mentioned above.

> I think you also talk about this (correct me if I am wrong). The main problem with it is that it needs to be developed :)

right.

-- 
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services, http://bsws.de, Full-Service ISP
Secure Hosting, Mail and DNS Services. Dedicated Servers, Root to Fully Managed
Henning Brauer Consulting, http://henningbrauer.com/
Re: Ways to handle DNS amplification attacks with OpenBSD
Rudolf Leitgeb <rudolf.leit...@gmx.at> writes:

> On Saturday, 09.06.2012 at 14:11 +0300, Kostas Zorbadelos wrote:
>> The situation is similar but not the same as the one described here:
>> https://isc.sans.edu/diary.html?storyid=13261
>>
>> We used IPtables and the string module to match a specific signature of the problematic queries and it worked quite well (in our attack case the problematic queries had a very specific and simple pattern).
>
> Mitigating this with snort looks much uglier than the beautiful and elegant iptables counter measure posted in this list. Not sure how it holds up under load, though.

In our case (nameservers handling thousands of queries per second, and during the time of the attack multiple times that) it worked with negligible performance impact. The actual network traffic however was in the order of 40-50 Mbps per server.

> Since the attacker uses fixed patterns, he/she seems to be a script kiddy, and there is a good chance that the TTL can be used to identify his/her packets. My approach would be to check what TTLs the packets have vs. those from your clients and see whether you can filter based on that.

What do you mean identify and filter based on TTL? In our case the attacker used a specific query for a single domain.

> Rudi

Kostas
Re: drm
On Sat, Jun 9, 2012 at 4:49 PM, Tomasz Marszal <kap...@toya.net.pl> wrote:
> Hi,
>
> Has any of you managed to run the drm driver for OpenBSD? There are some for intel and radeon; I wonder will they work with the radeon built in to the zacate platform.

If there's vga supported by X then why not. Just check man pages

> Is it possible to run gnome 3.4.1 from jhbuild on OpenBSD 5.1? I already ran the sh script and configure but when I compile I get errors; I wonder is it the fault of the drm lack?

There's 3.4.2 in current http://openports.se/meta/gnome

> Best Regards
> Tomasz Marszal
Re: Ways to handle DNS amplification attacks with OpenBSD
On Saturday, 09.06.2012 at 19:17 +0300, Kostas Zorbadelos wrote:
> What do you mean identify and filter based on TTL? In our case the attacker used a specific query for a single domain.

I mean the TTL field from the IP header of these packets. While the attacker's packets spoof the sender address, they might not spoof the TTL, and probably being away more hops from your servers than your clients, their packets should have lower TTL values. A network traffic dump could show quickly whether this approach could possibly work.

Cheers,

Rudi

PS: Obviously a skilled attacker can also crank up TTL values to compensate for their longer route, but fixed pattern indicates to me that you deal with a script kiddie here.
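To make the userland helper Henning describes and the TTL comparison Rudi suggests concrete, here is an added example in Python; it is not code from the thread, from OpenBSD or from relayd. It parses a raw IPv4/UDP/DNS query the way such a helper would see it, extracts the query name, the query type and the IP TTL, applies the filter Kostas asked for (drop ANY queries for the abused zone, pass everything else), and groups the TTLs by verdict so the two populations can be compared. All packets are constructed inside the script (no captures); the function names, the zone example.com and the addresses are this example's own, and wiring it to divert(4) or a socket is left out.

```python
import struct

DNS_PORT = 53
QTYPE_ANY = 255
QTYPE_NAMES = {1: "A", 2: "NS", 15: "MX", 16: "TXT", 28: "AAAA", 255: "ANY"}


def parse_name(msg, off):
    """Decode a DNS name at msg[off], following compression pointers.
    Returns (dotted lowercase name, offset just past the name in the original stream)."""
    labels, end, jumped, hops = [], off, False, 0
    while True:
        if off >= len(msg):
            raise ValueError("truncated name")
        ln = msg[off]
        if ln & 0xC0 == 0xC0:                      # compression pointer
            if off + 1 >= len(msg):
                raise ValueError("truncated pointer")
            if not jumped:
                end = off + 2
            off = ((ln & 0x3F) << 8) | msg[off + 1]
            jumped, hops = True, hops + 1
            if hops > 16:
                raise ValueError("pointer loop")
            continue
        off += 1
        if ln == 0:
            return ".".join(labels), (end if jumped else off)
        if ln > 63 or off + ln > len(msg):
            raise ValueError("bad label")
        labels.append(msg[off:off + ln].decode("ascii", "replace").lower())
        off += ln


def parse_query(pkt):
    """Parse IPv4 + UDP + DNS bytes; ValueError for anything that is not a
    well-formed single-question query (QR bit clear, QDCOUNT == 1)."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (pkt[0] & 0x0F) * 4
    ttl, proto = pkt[8], pkt[9]
    if proto != 17 or len(pkt) < ihl + 8:
        raise ValueError("not UDP")
    src = ".".join(str(b) for b in pkt[12:16])
    sport, dport, ulen = struct.unpack("!HHH", pkt[ihl:ihl + 6])
    dns = pkt[ihl + 8:ihl + ulen]
    if dport != DNS_PORT or len(dns) < 12:
        raise ValueError("not a DNS query")
    txid, flags, qdcount = struct.unpack("!HHH", dns[:6])
    if flags & 0x8000 or qdcount != 1:
        raise ValueError("not a single-question query")
    qname, off = parse_name(dns, 12)
    if len(dns) < off + 4:
        raise ValueError("truncated question")
    qtype, qclass = struct.unpack("!HH", dns[off:off + 4])
    return {"src": src, "ttl": ttl, "qname": qname, "qtype": qtype,
            "qtype_name": QTYPE_NAMES.get(qtype, str(qtype))}


def decide(pkt, abused_zone):
    """Drop ANY queries at or below abused_zone, pass the rest. Malformed
    packets are dropped too: a resolver could not answer them anyway."""
    try:
        q = parse_query(pkt)
    except ValueError:
        return "drop"
    zone = abused_zone.lower().rstrip(".")
    in_zone = q["qname"] == zone or q["qname"].endswith("." + zone)
    return "drop" if q["qtype"] == QTYPE_ANY and in_zone else "pass"


def ttl_by_verdict(pkts, abused_zone):
    """Collect IP TTLs per verdict (None for unparseable packets)."""
    out = {"pass": [], "drop": []}
    for p in pkts:
        v = decide(p, abused_zone)
        try:
            out[v].append(parse_query(p)["ttl"])
        except ValueError:
            out[v].append(None)
    return out


def build_query(src, ttl, qname, qtype):
    """Build a test packet (constructed data, not a capture); checksums left zero."""
    q = b"".join(bytes([len(l)]) + l.encode() for l in qname.split(".")) + b"\x00"
    dns = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0) + q + struct.pack("!HH", qtype, 1)
    udp = struct.pack("!HHHH", 40000, DNS_PORT, 8 + len(dns), 0) + dns
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, ttl, 17, 0,
                     bytes(int(o) for o in src.split(".")), bytes([192, 0, 2, 53]))
    return ip + udp


# Constructed sample traffic: the pattern from the thread (ANY for one domain,
# source addresses that look like customers) mixed with ordinary lookups.
SAMPLE = [
    build_query("203.0.113.10", 52, "example.com", QTYPE_ANY),
    build_query("203.0.113.11", 63, "www.example.com", 1),
    build_query("203.0.113.12", 52, "EXAMPLE.com", QTYPE_ANY),
    build_query("203.0.113.13", 64, "example.com", 15),
    b"\x45\x00\x00\x14" + bytes(16),                  # junk: IPv4 header only
]

if __name__ == "__main__":
    print(ttl_by_verdict(SAMPLE, "example.com"))
```

In a real helper the verdict decides whether the packet is written back toward the nameserver; the TTL lists are the data a traffic dump would give you for Rudi's check, and they only become useful once the "pass" and "drop" populations are visibly different.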
noisy sound output from SPARCstation 5
Hi, out of curiosity I connected some active PC speakers to my SS5, but so far I have not been successful in playing something good. I made some minimal tests using an au file downloaded from here: http://www-mmsp.ece.mcgill.ca/documents/AudioFormats/AU/Samples/AFsp/M1F1-int8-AFsp.au

Playing this on i386 sounds good:

(audioctl -f /dev/audioctl play.channels=2; audioctl play.precision=8; audioctl play.rate=8000; audioctl play.sample_rate=8000; cat M1F1-int8-AFsp.au) > /dev/audio0

but doing the same on the SS5, I get some very noisy output. Don't know when those timeouts entered dmesg. Before I made the tests with the .au file, I tried playing an mp3 using mpg123. Is there anything I can do to improve the audio on the sparc?

Sebastian

$ mixerctl -v
inputs.dac=0,0 volume
inputs.dac.mute=on [ on off ]
inputs.line=0,0 volume
inputs.line.mute=on [ on off ]
inputs.mic=0 volume
inputs.mic.mute=on [ on off ]
inputs.cd=0,0 volume
inputs.cd.mute=on [ on off ]
monitor.monitor=32 volume
outputs.monitor.mute=off [ on off ]
outputs.output=192,192 volume
outputs.output.mute=off [ on off ]
record.record=0,0 volume
record.record.source=mic [ mic line cd dac ]
monitor.output=spkr [ spkr line hp ]

$ audioctl
name=SUNW,CS4231
version=a
config=onboard1
encodings=mulaw:8:1:1,alaw:8:1:1,slinear_le:16:2:1,ulinear:8:1:1,slinear_be:16:2:1,slinear:8:1:1*,ulinear_le:16:2:1*,ulinear_be:16:2:1*,adpcm:8:1:1
properties=full_duplex
full_duplex=0
fullduplex=0
blocksize=400
hiwat=163
lowat=1
output_muted=0
monitor_gain=32
mode=
play.rate=8000
play.sample_rate=8000
play.channels=2
play.precision=8
play.bps=1
play.msb=1
play.encoding=mulaw
play.gain=0
play.balance=32
play.port=0x0
play.avail_ports=0x0
play.seek=400
play.samples=46686
play.eof=0
play.pause=0
play.error=1
play.waiting=0
play.open=0
play.active=0
play.buffer_size=65536
play.block_size=400
play.errors=57
record.rate=8000
record.sample_rate=8000
record.channels=2
record.precision=8
record.bps=1
record.msb=1
record.encoding=mulaw
record.gain=0
record.balance=32
record.port=0x1
record.avail_ports=0x7
record.seek=0
record.samples=0
record.eof=0
record.pause=0
record.error=0
record.waiting=0
record.open=0
record.active=0
record.buffer_size=65536
record.block_size=400
record.errors=0

$ dmesg
OpenBSD 5.1-current (GENERIC) #62: Sun May 27 12:05:06 MDT 2012
    dera...@sparc.openbsd.org:/usr/src/sys/arch/sparc/compile/GENERIC
real mem = 200933376 (191MB)
avail mem = 192966656 (184MB)
mainbus0 at root: SUNW,SPARCstation-5
cpu0 at mainbus0: MB86907 @ 170 MHz, on-chip FPU
cpu0: 16K instruction (32 b/l), 16K data (32 b/l), 512K external (32 b/l) DVMA coherent cache enabled
obio0 at mainbus0
clock0 at obio0 addr 0x7120: mk48t08 (eeprom)
timer0 at obio0 addr 0x71d0 delay constant 82
zs0 at obio0 addr 0x7110 pri 12, softpri 6
zstty0 at zs0 channel 0: console
zstty1 at zs0 channel 1
zs1 at obio0 addr 0x7100 pri 12, softpri 6
zskbd0 at zs1 channel 0: no keyboard
zsms0 at zs1 channel 1
wsmouse0 at zsms0 mux 0
slavioconfig at obio0 addr 0x7180 not configured
auxreg0 at obio0 addr 0x7190
power0 at obio0 addr 0x7191
fdc0 at obio0 addr 0x7140 pri 11, softpri 4: chip 82077
iommu0 at mainbus0 addr 0x1000: version 0x5/0x0, page-size 4096, range 64MB
sbus0 at iommu0: 21.250 MHz
dma0 at sbus0 slot 5 offset 0x840: rev 2
esp0 at dma0 offset 0x880 pri 4: ESP200, 40MHz
scsibus0 at esp0: 8 targets, initiator 7
cd0 at scsibus0 targ 2 lun 0: MATSHITA, CD-ROM CR-504, ST23 SCSI2 5/cdrom removable
sd0 at scsibus0 targ 3 lun 0: IBM, DCAS32160SUN2.1G, S60B SCSI2 0/direct fixed serial.IBM_DCAS32160SUN2.1GF2583160_
sd0: 2063MB, 512 bytes/sector, 4226725 sectors
bpp0 at sbus0 slot 5 offset 0xc80: DMA2
ledma0 at sbus0 slot 5 offset 0x8400010: rev 2
le0 at ledma0 offset 0x8c0 pri 6: address 08:00:20:89:d9:b5
le0: 16 receive buffers, 4 transmit buffers
audiocs0 at sbus0 slot 4 offset 0xc00 pri 9
audio0 at audiocs0
power-management at sbus0 slot 4 offset 0xa00 not configured
cgsix0 at sbus0 slot 3 offset 0x0 pri 9: SUNW,501-2325, 1152x900, rev 11
wsdisplay0 at cgsix0 mux 1
wsdisplay0: screen 0 added (std, sun emulation)
vscsi0 at root
scsibus1 at vscsi0: 256 targets
softraid0 at root
scsibus2 at softraid0: 256 targets
bootpath: /iommu@0,1000/sbus@0,10001000/espdma@5,840/esp@5,880/sd@3,0
root on sd0a (767d44393957fabc.a) swap on sd0b dump on sd0b
audiocs0: timeout committing fspb
audiocs0: timeout committing cdf
audiocs0: timeout waiting for !mce
audiocs0: timeout committing fspb
audiocs0: timeout committing cdf
audiocs0: timeout waiting for !mce
audiocs0: timeout committing fspb
audiocs0: timeout committing cdf
audiocs0:
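One check worth running before blaming the hardware is whether the .au header actually agrees with the play.* values audioctl reported in the post. The script below is an added example, not part of Sebastian's mail or of the OpenBSD tools; the header bytes are constructed (the real file's header is not on the page, and the 8-bit linear encoding is an assumption taken from the "int8" in the file name).

```python
import struct

# Sun/NeXT .au header: the magic ".snd" followed by five big-endian
# 32-bit fields: data offset, data size, encoding code, sample rate, channels.
AU_MAGIC = b".snd"
# AU encoding codes -> (audio(4)-style encoding name, precision in bits).
AU_ENCODINGS = {
    1: ("mulaw", 8),
    2: ("slinear", 8),
    3: ("slinear_be", 16),
    27: ("alaw", 8),
}
# Constructed sample header (NOT the real M1F1-int8-AFsp.au): 8-bit linear PCM,
# 8000 Hz, 2 channels, data at byte 24, followed by 8 bytes of silence.
SAMPLE_AU = AU_MAGIC + struct.pack(">IIIII", 24, 8, 2, 8000, 2) + bytes(8)
# play.* values exactly as audioctl printed them in the post above.
POST_SETTINGS = {"play.encoding": "mulaw", "play.precision": "8",
                 "play.rate": "8000", "play.channels": "2"}


def parse_au_header(data):
    """Decode the AU header; raise ValueError on bad magic or unknown encoding."""
    if len(data) < 24 or data[:4] != AU_MAGIC:
        raise ValueError("not a .au file")
    offset, _size, enc, rate, channels = struct.unpack(">IIIII", data[4:24])
    if enc not in AU_ENCODINGS:
        raise ValueError("unsupported AU encoding code %d" % enc)
    name, precision = AU_ENCODINGS[enc]
    return {"encoding": name, "precision": precision, "rate": rate,
            "channels": channels, "data_offset": offset}


def required_settings(hdr):
    """The audioctl play.* assignments that match the file header."""
    return {"play.encoding": hdr["encoding"],
            "play.precision": str(hdr["precision"]),
            "play.rate": str(hdr["rate"]),
            "play.channels": str(hdr["channels"])}


def mismatches(hdr, current):
    """Return {key: (current, required)} for every setting that disagrees."""
    wanted = required_settings(hdr)
    return {k: (current.get(k), v) for k, v in wanted.items()
            if current.get(k) != v}


if __name__ == "__main__":
    for k, (cur, need) in mismatches(parse_au_header(SAMPLE_AU), POST_SETTINGS).items():
        print("%s is %s but the file needs %s" % (k, cur, need))
```

Feeding 8-bit linear samples to a device set to mulaw, or vice versa, is one way to get exactly the kind of loud noise the post describes, so the report of mismatches is the first thing to compare between the i386 box and the SS5.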
OT: bitrig relation to OpenBSD
Hi, is the bitrig fork just because of a license or goals issue, or is it also because of some disagreements between developers? I personally would love to see completely different things get improved in OpenBSD than the stuff in their 'roadman' https://www.bitrig.org/index.php?title=Roadmap Anyway, people can do whatever they want, it's free code, and let's hope both sides would benefit from this. jirib
Re: I need your comeback with reverse-proxy
On 06/09/2012 10:52 AM, hvom .org wrote:
Hi. To protect my web server, I use a reverse-proxy. Two good choices: choice 1: Varnish; choice 2: Nginx. My webserver is Yaws. Depending on your returns, the best couple is Yaws-Varnish or Yaws-Nginx. Actuces and thank you for your feedback. Cordially

Nginx, especially since it's in base and works fine for that.
-- James Shupe
Possible hacking project-- axe driver
I purchased one of these USB ethernet adaptors to add an extra interface to one of my OpenBSD devices: http://www.amazon.com/Plugable-Gigabit-Ethernet-Network-Adapter/dp/B003VSTDFG

It's an AX88178 chipset device, and so should be supported by the axe driver. Indeed, when plugged into my OpenBSD 5.1 system it is recognized:

axe0 at uhub0 port 2 configuration 1 interface 0 ASIX Electronics AX88178 rev 2.00/0.01 addr 2
axe0: AX88178, address 00:0e:c6:88:e0:ec
rgephy0 at axe0 phy 2: RTL8169S/8110S PHY, rev. 2

The interface is configured during the normal boot process and I can even view packets via the network interface with tcpdump. However, the device never successfully transmits packets. tcpdump on the OpenBSD machine shows the device attempting to send packets, but tcpdump on other network hosts shows no packets actually being emitted onto the wire. dmesg shows the following errors:

axe0: watchdog timeout
axe0: usb error on tx: TIMEOUT

So the packets are getting queued up on the outgoing interface but never actually getting transmitted? Odd problem. I'm happy to donate the device I purchased to whoever would like to take a shot at fixing the problem. Could be a fun hacking project, but I personally just don't have time to work on it. Contact me off-list and I'll arrange to have the dongle shipped to you.

Cheers!
Hal Pomeranz
Re: Ways to handle DNS amplification attacks with OpenBSD
On 2012-06-09, Kostas Zorbadelos kzo...@otenet.gr wrote: I am interested to hear possible solutions in other layers as well. http://fanf.livejournal.com/122111.html seems a nice approach...
Re: Possible hacking project-- axe driver
watchdog timeouts are more often than not problems with interrupt routing. Can you include the rest of your dmesg?

On Sat, Jun 09, 2012 at 03:57:40PM -0700, Hal Pomeranz wrote:
I purchased one of these USB ethernet adaptors to add an extra interface to one of my OpenBSD devices: http://www.amazon.com/Plugable-Gigabit-Ethernet-Network-Adapter/dp/B003VSTDFG

It's an AX88178 chipset device, and so should be supported by the axe driver. Indeed, when plugged into my OpenBSD 5.1 system it is recognized:

axe0 at uhub0 port 2 configuration 1 interface 0 ASIX Electronics AX88178 rev 2.00/0.01 addr 2
axe0: AX88178, address 00:0e:c6:88:e0:ec
rgephy0 at axe0 phy 2: RTL8169S/8110S PHY, rev. 2

The interface is configured during the normal boot process and I can even view packets via the network interface with tcpdump. However, the device never successfully transmits packets. tcpdump on the OpenBSD machine shows the device attempting to send packets, but tcpdump on other network hosts shows no packets actually being emitted onto the wire. dmesg shows the following errors:

axe0: watchdog timeout
axe0: usb error on tx: TIMEOUT

So the packets are getting queued up on the outgoing interface but never actually getting transmitted? Odd problem. I'm happy to donate the device I purchased to whoever would like to take a shot at fixing the problem. Could be a fun hacking project, but I personally just don't have time to work on it. Contact me off-list and I'll arrange to have the dongle shipped to you.

Cheers!
Hal Pomeranz
Re: OT: bitrig relation to OpenBSD
On 06/09/12 14:01, Jiri B wrote:
Hi, is bitrig fork just because of license, goals issue or is this also because some disagreements between developers?

I think you ask the wrong people. Not sure why you would ask here, rather than the people who actually DID the fork.

...
Anyway, people can do whatever they want, it's free code and let's hope both sides would benefit from this.

'zactly.
Nick.
Re: OpenBSD is just an OS, not a firewall...
Hmm.. I get "This post could not be found."

Cheers,
Lars

On Sat, Jun 9, 2012 at 1:55 AM, Chris Smith obsd_m...@chrissmith.org wrote:
... if you really want a firewall you need pfSense. Also if you walk into any security experts convention and claim that raw OpenBSD is a firewall, you will get laughed out of the room for lack of clue.

Guess I've been wrong all these years: see the comments to https://plus.google.com/u/0/104027218792812194992/posts/K3NsGE2UrCe
Re: OpenBSD is just an OS, not a firewall...
On 06/09/2012 10:52 PM, Lars Hansson wrote:
Hmm.. I get "This post could not be found."

Cheers,
Lars

On Sat, Jun 9, 2012 at 1:55 AM, Chris Smith obsd_m...@chrissmith.org wrote:
... if you really want a firewall you need pfSense. Also if you walk into any security experts convention and claim that raw OpenBSD is a firewall, you will get laughed out of the room for lack of clue.

Guess I've been wrong all these years: see the comments to https://plus.google.com/u/0/104027218792812194992/posts/K3NsGE2UrCe

Troll posts are often lost...
-- James Shupe