Re: OpenBSD and SYNFlood / DDoS protection

2008-07-19 Thread Ryan McBride
synproxy in pf already makes sure the 3-way handshake completes before
the connection is completed on the other side; rate limiting can also be
done on the OpenBSD firewall, so it's not clear why you would need an
extra box there.

The bigger problem with DDoS attacks is that the upstream pipe is filled
up with traffic, and no matter how much technology you deploy at your
end of the pipe, it's still going to be full. Rate limiting and such
needs to be deployed further out, at your ISP, and possibly further
upstream.

Also, it would help if all ISP's implemented proper egress filtering to
prevent spoofing.

On Fri, Jul 18, 2008 at 10:27:36PM -0700, Parvinder Bhasin wrote:
 This maybe dumb but won't hurt to throw this out there, maybe this has  
 to be built with combination of tools, technologies etc but i would  
 definitely like to first collect as much info and then maybe work on  
 this (or maybe the solution - open source is already out there , in that 
 case I would like to know what :), I know of many 100K devices that will 
 do this.

 Is there a way that I can setup a machine (another openbsd machine) in  
 front of an OpenBSD firewall to help against DDoS attacks?
 If so what would be proper approach in doing so (if someone has already 
 approached this subject).

 Machine would have 2 or 3 nics (3rd nic for management maybe?).
   You take the internet drop on the first port, say for example:  fxp0 
 (external_if) .  Maybe implement SYNCOOKIE (technology).   The traffic 
 only gets passed on to the firewall port through fxp1 (internal_if) , 
 once the server gets the ACK back. Would SYNPROXY do this too??
 This machine could also be doing some form of RATE LIMITING?? maybe??

 Anyone ?? Anytakes??

 /Parvinder Bhasin


-- 

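What Ryan describes can be done on the firewall itself with a few pf rules. The fragment below is an added example, not Ryan's configuration or anything posted in the thread; the interface names, the server address and the numeric limits are assumed values for illustration.

```pf
# Added example (not from the thread). Interface names, the server address
# and the numeric limits are assumptions; adjust them to the site.
ext_if  = "fxp0"
int_if  = "fxp1"
web_srv = "192.0.2.10"

# Sources that exceed the limits below land here and are blocked outright.
table <bruteforce> persist

# Drop packets whose source address cannot legitimately arrive on that
# interface: the spoofing filter Ryan asks ISPs to do, applied to this
# box's own networks.
antispoof quick for { $ext_if $int_if }
block in quick on $ext_if from <bruteforce>

block all
pass out on $ext_if keep state

# synproxy: pf answers the client's SYN itself and only opens the state
# towards $web_srv once the client's final ACK has arrived, so spoofed or
# abandoned handshakes never consume a server socket.  max-src-conn caps
# open connections per source, max-src-conn-rate caps new connections per
# source (15 in 5 seconds here); offenders go into <bruteforce> and their
# existing states are flushed.
pass in on $ext_if proto tcp from any to $web_srv port { 80 443 } \
    synproxy state \
    (max-src-conn 100, max-src-conn-rate 15/5, \
     overload <bruteforce> flush global)
```

Check the file with pfctl -nf /etc/pf.conf before loading it, look at who got caught with pfctl -t bruteforce -T show, and expire stale entries (for example pfctl -t bruteforce -T expire 3600 from cron) so a source that was merely busy is not blocked forever. Two caveats: synproxy needs pf to see both directions of the connection, since the state is only completed on the client's ACK, and neither synproxy nor per-source limits help once the attack fills the upstream link, which is Ryan's second point.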


Re: OpenBSD and SYNFlood / DDoS protection

2008-07-19 Thread ropers
2008/7/19 Parvinder Bhasin [EMAIL PROTECTED]:
 This maybe dumb but won't hurt to throw this out there, maybe this has to
be
 built with combination of tools, technologies etc but i would definitely
 like to first collect as much info and then maybe work on this (or maybe
the
 solution - open source is already out there , in that case I would like to
 know what :), I know of many 100K devices that will do this.

 Is there a way that I can setup a machine (another openbsd machine) in
front
 of an OpenBSD firewall to help against DDoS attacks?
 If so what would be proper approach in doing so (if someone has already
 approached this subject).

 Machine would have 2 or 3 nics (3rd nic for management maybe?).
  You take the internet drop on the first port, say for example:  fxp0
 (external_if) .  Maybe implement SYNCOOKIE (technology).   The traffic only
 gets passed on to the firewall port through fxp1 (internal_if) , once the
 server gets the ACK back. Would SYNPROXY do this too??
 This machine could also be doing some form of RATE LIMITING?? maybe??

 Anyone ?? Anytakes??

 /Parvinder Bhasin

I don't mean to be impolite, but considering that these guys
http://www.rayservers.com/ddos-protection are the first Google hit
for "firewall ddos protection openbsd" (w/o quotation marks), it would
seem to me that you maybe didn't "Use Teh Google".

Also from http://www.rayservers.com/ddos-protection :

 The bottom line is that whatever the appliance you use, you need upstream
bandwidth to be able to discard the attack traffic while allowing legitimate
traffic to your existing servers. You also need competent persons who
understand the technical issues, hardware and network bottlenecks and can put
a solution in place that is resistant to abuse that works with your budget.

--ropers



Re: CARP not leaving backup state

2008-07-19 Thread Stuart Henderson
On 2008-07-19, William Stuart [EMAIL PROTECTED] wrote:
 Thanks everyone I figured it out!

 19:13:46.334037 CARPv2-advertise 36: vhid=50 advbase=1 advskew=0 
 demote=0 (DF) [tos 0x10]
 19:13:46.334299 CARPv2-advertise 36: vhid=50 advbase=1 advskew=0 
 demote=0 (DF) [tos 0x10]

 Something is mirroring and replaying all the packets back.

 Grrr.  Must be a vmWare config issue.

Anyone asking about any weird problems, _please_ mention any VMs that
may be involved early on in the thread... as always, a dmesg would be
a good starting point.



Re: how to undelete?

2008-07-19 Thread Die Gestalt
On Mon, Jul 7, 2008 at 9:30 PM, macintoshzoom [EMAIL PROTECTED] wrote:
 Which hex editor do you advise?
 Should I have to umount the partition before?
 the partition is 40 GB size on a secondary disk, OpenBSD old slice,
 should I need at least such space (/tmp ?) to open it on the hex editor
 from my OpenBSD 4.3?

There is a very nice hex editor specialized in forensics called
WinHex, but it runs on Windows. I don't know if there is an equivalent
tool in the *nix world.



Re: clock on alic3 board

2008-07-19 Thread Alexander Hall

Marc Balmer wrote:

* riwanlky wrote:

Hai all,

I have a problem with the clock on an Alic3 board from PC Engines on OpenBSD 4.3

dmesg-
OpenBSD 4.3 (GENERIC) #698: Wed Mar 12 11:07:05 MDT 2008



and the ntpd message on tail /var/log/daemon
Jul 17 16:14:44 pceng4 ntpd[5847]: adjusting local clock by 86915.408347s
Jul 17 16:18:00 pceng4 ntpd[5847]: adjusting local clock by 86914.457013s
Jul 17 16:20:37 pceng4 ntpd[5847]: adjusting local clock by 86913.683080s
Jul 17 16:21:46 pceng4 ntpd[5847]: adjusting local clock by 86913.389878s
Jul 17 16:26:04 pceng4 ntpd[5847]: adjusting local clock by 86912.104979s
Jul 17 16:26:33 pceng4 ntpd[5847]: adjusting local clock by 86911.965071s
Jul 17 16:27:03 pceng4 ntpd[5847]: adjusting local clock by 86911.859542s
Jul 17 16:31:19 pceng4 ntpd[5847]: adjusting local clock by 86910.603973s
Jul 17 16:33:26 pceng4 ntpd[5847]: adjusting local clock by 86910.009693s
Jul 17 16:37:10 pceng4 ntpd[5847]: adjusting local clock by 86908.914398s


and possible configuration error?


not an error, but you might want to start ntpd with the -s option.
put 'ntpd_flags=-s' into your /etc/rc.conf.local file.


True. A little addition for the archives (since it's been a while now):

$ date -r 86908
Fri Jan  2 01:08:28 CET 1970

This would mean your clock is about 1 hour and 8 minutes off, but is 
slowly (as expected) working to reduce the clock skew (while noting the 
difference in your log every time). Marc's suggestion would make the 
clock take a big leap on next reboot and voila - problem solved (unless 
your system is very sensitive about timing, in which case you'd just have 
to wait a few months for the clock to adjust).


If you find the log entries confusing, go read the archives (might be a 
few years back from now), but PLEASE do NOT make any suggestion about 
changing the wording in the logs. It was beaten to death (or at least I 
really REALLY hope it's dead). So please. Don't.


Cheers
/Alexander



Re: clock on alic3 board

2008-07-19 Thread Alexander Hall

Alexander Hall wrote:

Marc Balmer wrote:

* riwanlky wrote:

Hai all,

I have a problem with the clock on an Alic3 board from PC Engines on OpenBSD 4.3

dmesg-
OpenBSD 4.3 (GENERIC) #698: Wed Mar 12 11:07:05 MDT 2008



and the ntpd message on tail /var/log/daemon
Jul 17 16:14:44 pceng4 ntpd[5847]: adjusting local clock by 
86915.408347s
Jul 17 16:18:00 pceng4 ntpd[5847]: adjusting local clock by 
86914.457013s
Jul 17 16:20:37 pceng4 ntpd[5847]: adjusting local clock by 
86913.683080s
Jul 17 16:21:46 pceng4 ntpd[5847]: adjusting local clock by 
86913.389878s
Jul 17 16:26:04 pceng4 ntpd[5847]: adjusting local clock by 
86912.104979s
Jul 17 16:26:33 pceng4 ntpd[5847]: adjusting local clock by 
86911.965071s
Jul 17 16:27:03 pceng4 ntpd[5847]: adjusting local clock by 
86911.859542s
Jul 17 16:31:19 pceng4 ntpd[5847]: adjusting local clock by 
86910.603973s
Jul 17 16:33:26 pceng4 ntpd[5847]: adjusting local clock by 
86910.009693s
Jul 17 16:37:10 pceng4 ntpd[5847]: adjusting local clock by 
86908.914398s



and possible configuration error?


not an error, but you might want to start ntpd with the -s option.
put 'ntpd_flags=-s' into your /etc/rc.conf.local file.


True. A little addition for the archives (since it's been a while now):

$ date -r 86908
Fri Jan  2 01:08:28 CET 1970


Oops. My bad. A better approach (combined with correct reading):

$ date -ur 0
Thu Jan  1 00:00:00 UTC 1970
$ date -ur 86908
Fri Jan  2 00:08:28 UTC 1970

So that would mean a little more than _one_day_ and eight minutes... No 
wonder it would take a few months (I was surprised and not at all 
convinced by my calculations). :-)


/Alexander



Re: clock on alic3 board

2008-07-19 Thread Marc Balmer
* Alexander Hall wrote:

[...]

 True. A little addition for the archives (since it's been a while now):

 $ date -r 86908
 Fri Jan  2 01:08:28 CET 1970

 Oops. My bad. A better approach (combined with correct reading):

 $ date -ur 0
 Thu Jan  1 00:00:00 UTC 1970
 $ date -ur 86908
 Fri Jan  2 00:08:28 UTC 1970

 So that would mean a little more than _one_day_ and eight minutes... No 
 wonder it would take a few months (I was surprised and not at all convinced 
 by my calculations). :-)

Remember that the ALIX.2/3 boards usually do not have a battery
to backup a realtime clock.  Their clocks always start at 0 when
powered up, and 0 is the epoch, Jan. 1 1970.  A mechanism like
ntpd -s is needed for those boards.

The ALIX.1B/C do have a battery, btw.

- Marc Balmer
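
A small script, added here and not from the thread, that does Alexander's arithmetic and answers Marc's "how long" question on the log lines quoted above: it parses the ntpd "adjusting local clock" lines (copied in as sample input; the year is assumed, since syslog lines carry none), reads the offset against the epoch the way date -ur does, and estimates from the slew rate how long ntpd will take to finish without -s.

```python
# Added example; not from the thread.  Parses ntpd "adjusting local clock"
# lines, reads the offset against the epoch like `date -ur`, and estimates
# from the slew rate how long ntpd needs to finish.  LOG holds the lines
# posted in the thread as sample input; YEAR is assumed (syslog has none).
import re
from datetime import datetime, timezone

LOG = """\
Jul 17 16:14:44 pceng4 ntpd[5847]: adjusting local clock by 86915.408347s
Jul 17 16:18:00 pceng4 ntpd[5847]: adjusting local clock by 86914.457013s
Jul 17 16:20:37 pceng4 ntpd[5847]: adjusting local clock by 86913.683080s
Jul 17 16:21:46 pceng4 ntpd[5847]: adjusting local clock by 86913.389878s
Jul 17 16:26:04 pceng4 ntpd[5847]: adjusting local clock by 86912.104979s
Jul 17 16:26:33 pceng4 ntpd[5847]: adjusting local clock by 86911.965071s
Jul 17 16:27:03 pceng4 ntpd[5847]: adjusting local clock by 86911.859542s
Jul 17 16:31:19 pceng4 ntpd[5847]: adjusting local clock by 86910.603973s
Jul 17 16:33:26 pceng4 ntpd[5847]: adjusting local clock by 86910.009693s
Jul 17 16:37:10 pceng4 ntpd[5847]: adjusting local clock by 86908.914398s
"""
YEAR = 2008

LINE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ ntpd\[\d+\]: "
                  r"adjusting local clock by (-?[\d.]+)s$")


def parse(log):
    """Return [(timestamp, offset_in_seconds)] for every adjusting line."""
    samples = []
    for line in log.splitlines():
        m = LINE.match(line)
        if m:
            ts = datetime.strptime("%d %s" % (YEAR, m.group(1)),
                                   "%Y %b %d %H:%M:%S")
            samples.append((ts, float(m.group(2))))
    return samples


def as_dhms(seconds):
    """Split an offset into (days, hours, minutes, seconds)."""
    s = int(round(abs(seconds)))
    d, s = divmod(s, 86400)
    h, s = divmod(s, 3600)
    m, s = divmod(s, 60)
    return d, h, m, s


def epoch_view(seconds):
    """The offset read as a UTC date, which is what `date -ur N` prints."""
    return datetime.fromtimestamp(seconds, timezone.utc).isoformat()


def slew_estimate(samples):
    """Correction rate (seconds gained per second of wall time) between the
    first and last sample, and the days left until the offset is gone.
    ntpd slews slowly on purpose; a large offset is what -s is for."""
    (t0, o0), (t1, o1) = samples[0], samples[-1]
    elapsed = (t1 - t0).total_seconds()
    rate = (abs(o0) - abs(o1)) / elapsed
    days_left = abs(o1) / rate / 86400 if rate > 0 else float("inf")
    return rate, days_left


if __name__ == "__main__":
    samples = parse(LOG)
    last = samples[-1][1]
    print("last offset %.0f s = %d day(s) %dh %dm %ds"
          % ((last,) + as_dhms(last)))
    print("same offset as a date:", epoch_view(int(last)))
    rate, days = slew_estimate(samples)
    print("slewing %.5f s/s, about %.0f days to go" % (rate, days))
```

On the posted lines the offset is one day, eight minutes and change, and the slew works it off at roughly five milliseconds per second, which puts convergence about seven months out; that is the number to compare against "a few months" before deciding whether ntpd -s is needed.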



Re: how to undelete?

2008-07-19 Thread Nick Guenther
On Sat, Jul 19, 2008 at 5:23 AM, Die Gestalt [EMAIL PROTECTED] wrote:
 On Mon, Jul 7, 2008 at 9:30 PM, macintoshzoom [EMAIL PROTECTED] wrote:
 Which hex editor do you advise?
 Should I have to umount the partition before?
 the partition is 40 GB size on a secondary disk, OpenBSD old slice,
 should I need at least such space (/tmp ?) to open it on the hex editor
 from my OpenBSD 4.3?

 There is a very nice hex editor specialized in forensics called
 WinHex, but it runs on Windows. I don't know if there is an equivalent
 tool in the *nix world.


hexdump -C?



Re: OpenBSD and SYNFlood / DDoS protection

2008-07-19 Thread Henning Brauer
* Ryan McBride [EMAIL PROTECTED] [2008-07-19 10:16]:
 The bigger problem with DDoS attacks is that the upstream pipe is filled
 up with traffic

that was true in the 90s, and maybe the first half of this decade, but
really isn't any more. Most server installs I have worked with have
the pipe limit at 100 MBit/s at their lan port. A DoS with 5 MBit/s
can be very effective.

 Also, it would help if all ISP's implemented proper egress filtering to
 prevent spoofing.

!!!

-- 
Henning Brauer, [EMAIL PROTECTED], [EMAIL PROTECTED]
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting - Hamburg & Amsterdam



Setting priority on interface fails in latest snapshot

2008-07-19 Thread Rolf Sommerhalder
After updating my i386 firewall cluster to the latest snapshot (16 Jul, 22:15)

# ifconfig vr0 priority 2
ifconfig: priority: bad value

Is this a regression, or did the syntax change since my last update
about one week ago? I did re-read the man page and also looked through
the CVS commits, but did not find any obvious hints.

Thanks,
Rolf



svnd questions (encrypting all of a partition or disk)

2008-07-19 Thread Jonathan Thornburg
My laptop (Thinkpad T41p) and I are going to be doing a lot of
travelling in the next year, so I'm investigating how to
(cryptographically) improve my security in case of loss/theft/seizure.
Right now I use cfs (ports) for a few sensitive subdirectories, but
95+% of my /home is still cleartext to anyone with physical access to
the laptop.  The same applies for my external backup disks.

I'm considering putting all of /home under svnd encryption
(still keeping cfs on top for sensitive subdirectories), and I have
some questions (see below).  I have RTFMs svnd(4), vnconfig(8), and
mount_vnd(8), and googled my way to some useful web pages, notably
  http://www.xs4all.nl/~hanb/documents/OpenBSDEncryptedFilesystemHOWTO.html
  http://mareichelt.de/pub/notmine/linuxbsd-comparison.html
  http://geektechnique.org/projectlab/797/openbsd-encrypted-nas-howto
(Some of these web pages seem to be a bit old, (eg) complaining about
the now-fixed dictionary-attack vulnerability).

As I understand it, the basic procedure for using svnd is this (starting
with a brand-new-from-the-computer-store disk sd0, and with steps numbered
for later reference):
[1] # fdisk sd0 ... create single msdos-partition
[2] # disklabel sd0 ... create single openbsd-partition a
[3] # newfs /dev/sd0a
[4] # mount -o softdep /dev/sd0a /mnt
[5] # dd if=/dev/arandom bs=1m of=/mnt/imagefile count=...
[6] # vnconfig -vck -K 10 -S /var/saltfile svnd0 /mnt/imagefile
[7] # disklabel svnd0   ... create encrypted openbsd-partition a
[8] # newfs /dev/svnd0a
[9] # mount -o rw,nodev,nosuid,softdep -t vnd /dev/svnd0a /home

Now my questions:
1. Are there other Fine Manuals (relevant to svnd) I should Read
   besides the ones I listed above?
2. Where (besides the source code) can I find the svnd encryption
   algorithm documented?  This would help me research the answer to
   the next question...
3. What are the error propagation properties of the svnd encryption?
   That is, for example, if a disk/USB/memory error corrupts a single
   512-byte block in the middle of /dev/sd0a, will that show up as
   512 bytes of corruption in /dev/svnd0c, or will the entire
   /dev/svnd0c be corrupted from that point onwards?
4. Is there any upper size limit to the size of an encrypted image
   apart from the kernel 8TB limit and fsck time and memory usage?
   For example, is there any problem with using the above on (say) a
   250GB disk?
5. Is there any problem with using softdep in steps [4] and [9]?
6. Are there any special newfs parameters needed for either the underlying
   filesystem (step [3]) or the encrypted one (step [8])?  The underlying
   filesystem will only hold a single huge 'imagefile', whose size won't
   change after initial creation (step [5]), so I could imagine saving
   a bit of disk space by configuring very few inodes.  What about the
   FFS/FFS2 minimum free space threshold (newfs -m) -- with the imagefile
   preallocated (step [5]), is there any benefit to a nonzero minimum
   free space threshold?
7. How worried should I be about bug kernel/5709 "rapidly creating many
   small files on crypted svnd locks box", which as of a few minutes
   ago was/is shown as in state "open"?

ciao,

-- 
-- Jonathan Thornburg [remove -animal to reply] [EMAIL PROTECTED]
   t <= 31.Aug.2008: School of Mathematics, U of Southampton, England
   t > 1.Sep.2008: Dept of Astronomy, Indiana University, Bloomington, USA
   Washing one's hands of the conflict between the powerful and the
powerless means to side with the powerful, not to be neutral.
  -- quote by Freire / poster by Oxfam



OpenCON 2008

2008-07-19 Thread Edd Barrett
Hi,

I was just wondering if a date for OpenCON 2008 is known.

I would like to try to book earlier to save pennies :)

Thanks

-- 

Best Regards
Edd

http://students.dec.bmth.ac.uk/ebarrett



Re: Weird RAIDFrame behaviour in 4.3 [Solved]

2008-07-19 Thread Simon Vallet
On Mon, 14 Jul 2008 16:26:45 +0200
Simon Vallet [EMAIL PROTECTED] wrote:
 
 [...]
 I suspect this is due to a problem with the raidframe label on wd0d, but
 I have no clue on how to fix this :

It turns out the component label simply hadn't been written on wd0,
since my raid0.conf at -I time contained the wrong device.

Rebooting on a minimal install, recreating the RAID device with a
correct config and re-issuing a 'raidctl -I raid0' solved the problem.

Simon



Re: how to undelete?

2008-07-19 Thread Sviatoslav Chagaev
On Sat, 19 Jul 2008 10:18:19 -0400
Nick Guenther [EMAIL PROTECTED] wrote:
 On Sat, Jul 19, 2008 at 5:23 AM, Die Gestalt [EMAIL PROTECTED] wrote:
  On Mon, Jul 7, 2008 at 9:30 PM, macintoshzoom [EMAIL PROTECTED] wrote:
  Which hex editor do you advise?
  Should I have to umount the partition before?
  the partition is 40 GB size on a secondary disk, OpenBSD old slice,
  should I need at least such space (/tmp ?) to open it on the hex editor
  from my OpenBSD 4.3?
 
  There is a very nice hex editor specialized in forensics called
  WinHex, but it runs on Windows. I don't know if there is an equivalent
  tool in the *nix world.
 
 
 hexdump -C?
 

bvi ( http://bvi.sourceforge.net/ )



Re: Setting priority on interface fails in latest snapshot

2008-07-19 Thread Claudio Jeker
On Sat, Jul 19, 2008 at 05:34:10PM +0200, Rolf Sommerhalder wrote:
 After updating my i386 firewall cluster to the latest snapshot (16 Jul, 22:15)
 
 # ifconfig vr0 priority 2
 ifconfig: priority: bad value
 
 Is this a regression, or did the syntax change since my last update
 about one week ago? I did re-read the man page and also looked through
 the CVS commits, but did not find any obvious hints.
 

This diff got removed from the latest snaps.

-- 
:wq Claudio



Re: svnd questions (encrypting all of a partition or disk)

2008-07-19 Thread Marco Peereboom
This might be a good time to try my giant softraid diff that makes
crypto useful.

On Sat, Jul 19, 2008 at 05:04:44PM +0100, Jonathan Thornburg wrote:
 My laptop (Thinkpad T41p) and I are going to be doing a lot of
 travelling in the next year, so I'm investigating how to
 (cryptographically) improve my security in case of loss/theft/seizure.
 Right now I use cfs (ports) for a few sensitive subdirectories, but
 95+% of my /home is still cleartext to anyone with physical access to
 the laptop.  The same applies for my external backup disks.
 
 I'm considering putting all of /home under svnd encryption
 (still keeping cfs on top for sensitive subdirectories), and I have
 some questions (see below).  I have RTFMs svnd(4), vnconfig(8), and
 mount_vnd(8), and googled my way to some useful web pages, notably
   http://www.xs4all.nl/~hanb/documents/OpenBSDEncryptedFilesystemHOWTO.html
   http://mareichelt.de/pub/notmine/linuxbsd-comparison.html
   http://geektechnique.org/projectlab/797/openbsd-encrypted-nas-howto
 (Some of these web pages seem to be a bit old, (eg) complaining about
 the now-fixed dictionary-attack vulnerability).
 
 As I understand it, the basic procedure for using svnd is this (starting
 with a brand-new-from-the-computer-store disk sd0, and with steps numbered
 for later reference):
 [1] # fdisk sd0   ... create single msdos-partition
 [2] # disklabel sd0   ... create single openbsd-partition a
 [3] # newfs /dev/sd0a
 [4] # mount -o softdep /dev/sd0a /mnt
 [5] # dd if=/dev/arandom bs=1m of=/mnt/imagefile count=...
 [6] # vnconfig -vck -K 10 -S /var/saltfile svnd0 /mnt/imagefile
 [7] # disklabel svnd0 ... create encrypted openbsd-partition a
 [8] # newfs /dev/svnd0a
 [9] # mount -o rw,nodev,nosuid,softdep -t vnd /dev/svnd0a /home
 
 Now my questions:
 1. Are there other Fine Manuals (relevant to svnd) I should Read
besides the ones I listed above?
 2. Where (besides the source code) can I find the svnd encryption
algorithm documented?  This would help me research the answer to
the next question...
 3. What are the error propagation properties of the svnd encryption?
That is, for example, if a disk/USB/memory error corrupts a single
512-byte block in the middle of /dev/sd0a, will that show up as
512 bytes of corruption in /dev/svnd0c, or will the entire
/dev/svnd0c be corrupted from that point onwards?
 4. Is there any upper size limit to the size of an encrypted image
apart from the kernel 8TB limit and fsck time and memory usage?
For example, is there any problem with using the above on (say) a
250GB disk?
 5. Is there any problem with using softdep in steps [4] and [9]?
 6. Are there any special newfs parameters needed for either the underlying
filesystem (step [3]) or the encrypted one (step [8])?  The underlying
filesystem will only hold a single huge 'imagefile', whose size won't
change after initial creation (step [5]), so I could imagine saving
a bit of disk space by configuring very few inodes.  What about the
FFS/FFS2 minimum free space threshold (newfs -m) -- with the imagefile
preallocated (step [5]), is there any benefit to a nonzero minimum
free space threshold?
 7. How worried should I be about bug kernel/5709 "rapidly creating many
small files on crypted svnd locks box", which as of a few minutes
ago was/is shown as in state "open"?
 
 ciao,
 
 -- 
 -- Jonathan Thornburg [remove -animal to reply] [EMAIL PROTECTED]
    t <= 31.Aug.2008: School of Mathematics, U of Southampton, England
    t > 1.Sep.2008: Dept of Astronomy, Indiana University, Bloomington, USA
    Washing one's hands of the conflict between the powerful and the
 powerless means to side with the powerful, not to be neutral.
   -- quote by Freire / poster by Oxfam



Re: svnd questions (encrypting all of a partition or disk)

2008-07-19 Thread Chris Kuethe
If you have some time and a spare disk, why not experiment with the 3
or 4 options available to you before settling on one.
- cfs
- svnd backed by a file in a filesystem
- svnd backed by a whole slice on disk
- softraid w/ crypto

softraid w/ crypto is still kind of a work in progress, but it's very
functional already. i'm running it on my laptop for all of /home. just
make sure you use the latest diff (posted to tech@)

On Sat, Jul 19, 2008 at 9:04 AM, Jonathan Thornburg
[EMAIL PROTECTED] wrote:
 My laptop (Thinkpad T41p) and I are going to be doing a lot of
 travelling in the next year, so I'm investigating how to
 (cryptographically) improve my security in case of loss/theft/seizure.
 Right now I use cfs (ports) for a few sensitive subdirectories, but
 95+% of my /home is still cleartext to anyone with physical access to
 the laptop.  The same applies for my external backup disks.

I'm not super keen on cfs - managed to crash it horribly under load a
while back and wasn't terribly impressed with it.

 As I understand it, the basic procedure for using svnd is this (starting
 with a brand-new-from-the-computer-store disk sd0, and with steps numbered
 for later reference):
 [1] # fdisk sd0 ... create single msdos-partition
 [2] # disklabel sd0 ... create single openbsd-partition a
 [3] # newfs /dev/sd0a
 [4] # mount -o softdep /dev/sd0a /mnt
 [5] # dd if=/dev/arandom bs=1m of=/mnt/imagefile count=...

I guess I can understand use of arandom so as not to leak where data
has and hasn't been written... if you're just evaluating crypto
solutions for performance and ease of use, you could create a sparse
file by DD'ing a block way out at the end... bs=1k count=1
seek=1024000 would give you a 1G file that uses 1-8K on disk
(initially) depending on how you set up the filesystem.

 [6] # vnconfig -vck -K 10 -S /var/saltfile svnd0 /mnt/imagefile
 [7] # disklabel svnd0   ... create encrypted openbsd-partition a
 [8] # newfs /dev/svnd0a
 [9] # mount -o rw,nodev,nosuid,softdep -t vnd /dev/svnd0a /home

 Now my questions:
 1. Are there other Fine Manuals (relevant to svnd) I should Read
   besides the ones I listed above?

Those are them. You might want to read up on bioctl, though.

 2. Where (besides the source code) can I find the svnd encryption
   algorithm documented?  This would help me research the answer to
   the next question...
 3. What are the error propagation properties of the svnd encryption?
   That is, for example, if a disk/USB/memory error corrupts a single
   512-byte block in the middle of /dev/sd0a, will that show up as
   512 bytes of corruption in /dev/svnd0c, or will the entire
   /dev/svnd0c be corrupted from that point onwards?

man vnconfig says the cipher is blowfish. the source says:

        blf_ecb_encrypt(&vnd->sc_keyctx, iv, sizeof(iv));
        if (encrypt)
                blf_cbc_encrypt(&vnd->sc_keyctx, iv, addr, bsize);
        else
                blf_cbc_decrypt(&vnd->sc_keyctx, iv, addr, bsize);

 4. Is there any upper size limit to the size of an encrypted image
   apart from the kernel 8TB limit and fsck time and memory usage?
   For example, is there any problem with using the above on (say) a
   250GB disk?

Largest crypto disk I've built is 500G. Takes a while to fsck but it works.

 5. Is there any problem with using softdep in steps [4] and [9]?

not that i've noticed

 6. Are there any special newfs parameters needed for either the underlying
   filesystem (step [3]) or the encrypted one (step [8])?  The underlying
   filesystem will only hold a single huge 'imagefile', whose size won't
   change after initial creation (step [5]), so I could imagine saving
   a bit of disk space by configuring very few inodes.  What about the
   FFS/FFS2 minimum free space threshold (newfs -m) -- with the imagefile
   preallocated (step [5]), is there any benefit to a nonzero minimum
   free space threshold?

I'd go with "try it and see". I never bothered messing about with
those settings... the defaults were good enough.

 7. How worried should I be about bug kernel/5709 "rapidly creating many
   small files on crypted svnd locks box", which as of a few minutes
   ago was/is shown as in state "open"?

Again, "try it and see". I never hit this untarring ports or src...
maybe I was lucky.


-- 
GDB has a 'break' feature; why doesn't it have 'fix' too?



Re: how to undelete?

2008-07-19 Thread dermiste
You might want to try Photorec :
http://www.cgsecurity.org/wiki/PhotoRec

good luck

On Mon, Jul 7, 2008 at 1:48 PM, macintoshzoom [EMAIL PROTECTED] wrote:
 I deleted a directory from an OpenBSD slice from my 2nd HD, and I need
 to recover a single file.

 I tried : http://myutil.com/2008/1/15/undelete-unrm-for-openbsd-4-2-with-dls
 but  failed :

 # dls /dev/wd1x > /xxx/xx/undelete.bin
 Sector offset supplied is larger than disk image (maximum: 0)

 Help & thanks.



Re: Setting priority on interface fails in latest snapshot

2008-07-19 Thread Rolf Sommerhalder
cjeker wrote:
 This diff got removed from the latest snaps.

Thanks for prompt reply. That's bad news, as I am using it on the
firewall cluster to resolve a problem in connection with default
routes and dhclient, as per your previous recommendation.

Is this removal just a temporary measure until some isse is solved, or
will interface priorities not return at all, e.g. do I need to go back
to ifstated for some crutches?

Rolf



Re: svnd questions (encrypting all of a partition or disk)

2008-07-19 Thread Tobias Ulmer
On Sat, Jul 19, 2008 at 05:04:44PM +0100, Jonathan Thornburg wrote:
 My laptop (Thinkpad T41p) and I are going to be doing a lot of
 travelling in the next year, so I'm investigating how to
 (cryptographically) improve my security in case of loss/theft/seizure.
 Right now I use cfs (ports) for a few sensitive subdirectories, but
 95+% of my /home is still cleartext to anyone with physical access to
 the laptop.  The same applies for my external backup disks.
 
 I'm considering putting all of /home under svnd encryption
 (still keeping cfs on top for sensitive subdirectories), and I have
 some questions (see below).  I have RTFMs svnd(4), vnconfig(8), and
 mount_vnd(8), and googled my way to some useful web pages, notably
   http://www.xs4all.nl/~hanb/documents/OpenBSDEncryptedFilesystemHOWTO.html
   http://mareichelt.de/pub/notmine/linuxbsd-comparison.html
   http://geektechnique.org/projectlab/797/openbsd-encrypted-nas-howto
 (Some of these web pages seem to be a bit old, (eg) complaining about
 the now-fixed dictionary-attack vulnerability).
 
 As I understand it, the basic procedure for using svnd is this (starting
 with a brand-new-from-the-computer-store disk sd0, and with steps numbered
 for later reference):
 [1] # fdisk sd0   ... create single msdos-partition
 [2] # disklabel sd0   ... create single openbsd-partition a
 [3] # newfs /dev/sd0a

use ffs2 and 64k blocks

 [4] # mount -o softdep /dev/sd0a /mnt
 [5] # dd if=/dev/arandom bs=1m of=/mnt/imagefile count=...

prepare to wait a few days... there is known plaintext at specific
locations anyway, disklabel, filesystem metadata,...

It's not really worth it imho

 [6] # vnconfig -vck -K 10 -S /var/saltfile svnd0 /mnt/imagefile
 [7] # disklabel svnd0 ... create encrypted openbsd-partition a
 [8] # newfs /dev/svnd0a

make this ffs2 as well, it will speed up fsck a lot, also bump blocksize
if you have lots of large files or couldn't care less if you're going to
waste a few megabytes...

 [9] # mount -o rw,nodev,nosuid,softdep -t vnd /dev/svnd0a /home
 
 Now my questions:
 1. Are there other Fine Manuals (relevant to svnd) I should Read
besides the ones I listed above?
 2. Where (besides the source code) can I find the svnd encryption
algorithm documented?  This would help me research the answer to
the next question...
 3. What are the error propagation properties of the svnd encryption?
That is, for example, if a disk/USB/memory error corrupts a single
512-byte block in the middle of /dev/sd0a, will that show up as
512 bytes of corruption in /dev/svnd0c, or will the entire
/dev/svnd0c be corrupted from that point onwards?

Afaik it uses blowfish in CBC mode, so you're fscked... Otoh modern
disks make quite some noise before they start running out of spare blocks.
Backups are a must, crypto or not.

(That said, i've never managed to really fry a svnd disk)

 4. Is there any upper size limit to the size of an encrypted image
apart from the kernel 8TB limit and fsck time and memory usage?
For example, is there any problem with using the above on (say) a
250GB disk?

No problem, for the paranoid however you might want to read up on the
birthday paradox ;)

 5. Is there any problem with using softdep in steps [4] and [9]?
 6. Are there any special newfs parameters needed for either the underlying
filesystem (step [3]) or the encrypted one (step [8])?  The underlying
filesystem will only hold a single huge 'imagefile', whose size won't
change after initial creation (step [5]), so I could imagine saving
a bit of disk space by configuring very few inodes.  What about the
FFS/FFS2 minimum free space threshold (newfs -m) -- with the imagefile
preallocated (step [5]), is there any benefit to a nonzero minimum
free space threshold?

-m 0 -o time or whatever it is doesn't hurt.

 7. How worried should I be about bug kernel/5709 "rapidly creating many
small files on crypted svnd locks box", which as of a few minutes
ago was/is shown as in state "open"?

If you check the bugreport, it's a P3 450 with 256mb ram. It usually takes
24h+ using 20+ processes that write 5kb files (bit larger than the fragment
size) to reproduce it on my T42.

Like on a powerfailure, it's going to throw away a few recent changes
to the filesystem and is fine afterwards.


 
 ciao,
 
 -- 
 -- Jonathan Thornburg [remove -animal to reply] [EMAIL PROTECTED]
    t <= 31.Aug.2008: School of Mathematics, U of Southampton, England
    t > 1.Sep.2008: Dept of Astronomy, Indiana University, Bloomington, USA
    Washing one's hands of the conflict between the powerful and the
 powerless means to side with the powerful, not to be neutral.
   -- quote by Freire / poster by Oxfam
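
The code Chris quoted encrypts each sector with CBC after deriving the IV by encrypting the sector number, and Tobias's answer to question 3 turns on what CBC does with a corrupted block. The script below, an added example that is not code from the thread or from OpenBSD, models that scheme and measures the damage from one flipped ciphertext bit. Blowfish is not in the Python standard library, so a toy 8-byte SHA-256 Feistel network stands in for it (same block size, not secure, used only so the example runs offline); the key, the sample sector and the corrupted offset are constructed values.

```python
# Added example; not code from the thread or from OpenBSD.  It models the
# svnd sector scheme shown in the thread (iv = E_k(sector number), then CBC
# over the sector) to show how far one corrupted ciphertext byte propagates.
# The 8-byte block cipher is a toy SHA-256 Feistel network standing in for
# Blowfish: same block size, NOT secure, used only so this runs with the
# standard library.  KEY, SAMPLE and the damaged offset are constructed.
import hashlib
import struct

BLOCK = 8                          # Blowfish block size, bytes
SECTOR = 512                       # one disk sector
KEY = b"example-key-not-a-real-one"
SAMPLE = bytes(range(256)) * 2     # one sector of known plaintext


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _f(key, rnd, half):
    # Feistel round function: 4 bytes of SHA-256 over key, round, half-block.
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:4]


def block_encrypt(key, blk):
    l, r = blk[:4], blk[4:]
    for i in range(8):
        l, r = r, _xor(l, _f(key, i, r))
    return r + l


def block_decrypt(key, blk):
    r, l = blk[:4], blk[4:]
    for i in reversed(range(8)):
        l, r = _xor(r, _f(key, i, l)), l
    return l + r


def sector_iv(key, sector_no):
    # Mirrors blf_ecb_encrypt(&sc_keyctx, iv, sizeof(iv)) with iv = sector no.
    return block_encrypt(key, struct.pack("<Q", sector_no))


def cbc_encrypt(key, iv, data):
    out, prev = bytearray(), iv
    for i in range(0, len(data), BLOCK):
        prev = block_encrypt(key, _xor(data[i:i + BLOCK], prev))
        out += prev
    return bytes(out)


def cbc_decrypt(key, iv, data):
    out, prev = bytearray(), iv
    for i in range(0, len(data), BLOCK):
        c = data[i:i + BLOCK]
        out += _xor(block_decrypt(key, c), prev)
        prev = c
    return bytes(out)


def encrypt_sector(key, sector_no, plain):
    return cbc_encrypt(key, sector_iv(key, sector_no), plain)


def decrypt_sector(key, sector_no, cipher):
    return cbc_decrypt(key, sector_iv(key, sector_no), cipher)


def damage_report(key, sector_no, plain, bad_offset):
    """Flip one bit of ciphertext byte bad_offset, decrypt, and return
    (indices of 8-byte blocks that came back wrong, byte positions that
    differ inside the block following the damaged one)."""
    cipher = bytearray(encrypt_sector(key, sector_no, plain))
    cipher[bad_offset] ^= 0x01
    got = decrypt_sector(key, sector_no, bytes(cipher))
    bad_blocks = [i // BLOCK for i in range(0, len(plain), BLOCK)
                  if got[i:i + BLOCK] != plain[i:i + BLOCK]]
    nxt = (bad_offset // BLOCK + 1) * BLOCK
    next_diffs = [j for j in range(BLOCK)
                  if nxt + j < len(plain) and got[nxt + j] != plain[nxt + j]]
    return bad_blocks, next_diffs


if __name__ == "__main__":
    bad, pos = damage_report(KEY, 7, SAMPLE, 203)
    print("damaged 8-byte blocks in sector 7:", bad)      # [25, 26]
    print("bytes differing in block 26:", pos)            # [3]
    # a neighbouring sector has its own IV, so it is untouched
    print("sector 8 intact:",
          decrypt_sector(KEY, 8, encrypt_sector(KEY, 8, SAMPLE)) == SAMPLE)
```

The result is the textbook CBC property: the 8-byte block holding the bad byte decrypts to garbage, the following block gets the same single bit flipped and nothing else, and because the IV is per sector the damage stops at the 512-byte boundary, so a bad sector on sd0a is a bad sector on svnd0c and not everything after it. The failure that really is total is losing the key material: with vnconfig -S /var/saltfile the key is derived from the passphrase and that salt file, so the salt file belongs in the backups as much as the image does.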



uvideo trouble with snapshot of 20080717

2008-07-19 Thread Maxim Belooussov
Hi all,

Lenovo X300, snapshot for i386, from 20080717 (also 20080716) dumps
into ddb on boot in uvideo:

uvm_fault(0xd0814b20, 0x0, 0, 1) - e
kernel: page fault trap, code=0
Stopped at   uvideo_vs_negotiation+0x81:   movl 0x15(%eax),%eax
ddb{0}

//no console to capture output, made some photos//
last line of output from trace:
Bad frame pointer: 0xd09555e78

Previous snapshot of a week ago was booting just fine, I sent in the
dmesg to [EMAIL PROTECTED] few days back.

snippet from previous dmesg:

uvideo0 at uhub6 port 1 configuration 1 interface 0 Chicony
Electronics Co., Ltd. product 0x4807 rev 2.00/31.25 addr 2
video0 at uvideo0

Disabling uvideo* on ukc allows kernel to boot.

(the machine has 4G of ram, sounds like a problem already reported)

Should I file a bug for this one?
Any cluesticks/patches to try are appreciated. I can send the pictures
of trace/ps if contacted off-list.

Maxim



Re: OpenCON 2008

2008-07-19 Thread fabioFVZ
On Saturday 19 July 2008 18:33:33 you wrote:
 Hi,
 
 I was just wondering if a date for OpenCON 2008 is known.
 
 I would like to try to book earlier to save pennies :)
 
 Thanks
 

Hi, 
28-30 November 2008
Venice, Italy 
Bye
-- 
fabioFVZ



Re: OpenBSD and SYNFlood / DDoS protection

2008-07-19 Thread Parvinder Bhasin

On Jul 19, 2008, at 1:26 AM, ropers wrote:


2008/7/19 Parvinder Bhasin [EMAIL PROTECTED]:

This maybe dumb but won't hurt to throw this out there, maybe this
has to be
built with combination of tools, technologies etc but i would
definitely
like to first collect as much info and then maybe work on this (or
maybe the
solution - open source is already out there , in that case I would
like to
know what :), I know of many 100K devices that will do this.

Is there a way that I can setup a machine (another openbsd machine)
in front
of an OpenBSD firewall to help against DDoS attacks?
If so what would be proper approach in doing so (if someone has
already
approached this subject).

Machine would have 2 or 3 nics (3rd nic for management maybe?).
You take the internet drop on the first port, say for example:  fxp0
(external_if) .  Maybe implement SYNCOOKIE (technology).   The
traffic only
gets passed on to the firewall port through fxp1 (internal_if) ,
once the
server gets the ACK back.Would SYNPROXY do this too??
This machine could also be doing some form of RATE LIMITING?? maybe??

Anyone ?? Anytakes??

/Parvinder Bhasin


I don't mean to be impolite, but considering that these guys
http://www.rayservers.com/ddos-protection are the first Google hit
for firewall ddos protection openbsd (w/o quotation marks), it would
seem to me that you maybe didn't Use Teh Google.



Perhaps I didn't make it clear..maybe but yeah..I totally know that
there are PAY solutions, like I mentioned that I know of many devices
that can achieve this.  I have done research on these devices and was
thinking maybe something ( open source - openbsd based device?? maybe)
can be made to prevent this attack upstream.

So I have experienced (my network) attack that choked our GigE link to
where DDoS attack was consuming almost 500mbps (50% of total
bandwidth) available.  We still had 500mbps more that we would've
liked to have used for our business purposes but the problem with
these attacks is that they are NOT just meant to choke the BANDWIDTH,
they are actually meant to choke the CPU and other resources on your
firewalls or any devices you have in front.

It's just that if some device was there upstream to take 50% or more
load from the firewalls (cpu resources etc) in these attacks, maybe
the firewalls won't be that busy as to stop responding to legitimate
requests.  Of course BANDWIDTH consumption becomes a problem where if
you had a smaller pipe then basically you are screwed.   I know that the
ISPs can provide protection and some of them have already started
doing so but at a HUGE COST per month and frankly they have their
reasons for not protecting against such attacks as why would ISPs do
the filtering for free as they are making money because of the
attack.  That is charging the customer for bandwidth usage.  Let's get
realistic, they would never do that unless it becomes so much of a
problem that all their customers start seeing the ill effects of that
attack.

Bandwidth issue can be sort of tackled separately where as you are
finding command and control servers and eliminating them that way but
that's another topic.  Also when the device is sending ACKs back, you
are sort of also in another way or form ATTACKING BACK but that's just
a zombie system out there where the person is just wondering why he
cannot even google, not knowing that his bandwidth is choked because
of the attack.

I just thought to throw this out to the group and see if there was a
person/group of people who have implemented such a solution using
combination of technologies (both open source and/or monetary).  I
already see OpenBSD/PF a very good combination in defending companies
from such attacks.

Any comments are welcome :)

/Parvinder Bhasin
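To make the SYNPROXY question concrete, here is an added model of what a SYN proxy (pf's synproxy state keyword, or a SYN-cookie TCP stack) does with a flood of spoofed SYNs. It is illustration code written for this digest, not pf's implementation and not anything posted by the people on this thread. The cookie construction (an HMAC over the 4-tuple and a minute counter, truncated to a 32-bit initial sequence number), the secret and the addresses are assumptions for the demo.

```python
"""Model of a SYN proxy: no per-connection state until the handshake completes.

Added example, not pf code. The proxy answers every SYN with a SYN/ACK whose
sequence number is a keyed cookie, remembers nothing, and only hands a
connection to the protected server when an ACK carrying a valid cookie comes
back. Spoofed SYNs from hosts that never answer cost one reply packet each and
never reach the server.
"""
import hashlib
import hmac
import random
import time
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str          # "SYN", "SYN/ACK" or "ACK"
    seq: int = 0
    ack: int = 0


class SynProxy:
    def __init__(self, secret: bytes, now=None):
        self.secret = secret                      # constructed demo secret
        self.now = now or (lambda: int(time.time()))
        self.accepted = []                        # 4-tuples passed to the server

    def _cookie(self, p: Packet, slot: int) -> int:
        # Cookie is bound to the client/server 4-tuple and a coarse time slot,
        # so it cannot be reused for another connection or replayed later.
        msg = f"{p.src}:{p.sport}>{p.dst}:{p.dport}:{slot}".encode()
        digest = hmac.new(self.secret, msg, hashlib.sha256).digest()
        return int.from_bytes(digest[:4], "big")  # 32-bit ISN

    def on_syn(self, p: Packet) -> Packet:
        """Reply with SYN/ACK; note that nothing is stored."""
        slot = self.now() // 60                   # cookie valid about a minute
        isn = self._cookie(p, slot)
        return Packet(p.dst, p.dport, p.src, p.sport, "SYN/ACK",
                      seq=isn, ack=(p.seq + 1) & 0xFFFFFFFF)

    def on_ack(self, p: Packet) -> bool:
        """Open the server-side connection only if the ACK proves the handshake."""
        slot = self.now() // 60
        got = ((p.ack - 1) & 0xFFFFFFFF).to_bytes(4, "big")
        for s in (slot, slot - 1):                # tolerate a slot rollover
            want = self._cookie(p, s).to_bytes(4, "big")
            if hmac.compare_digest(want, got):
                self.accepted.append((p.src, p.sport, p.dst, p.dport))
                return True
        return False


def simulate(n_spoofed: int, seed: int = 1) -> dict:
    """Flood the proxy with spoofed SYNs, then complete one real handshake."""
    rng = random.Random(seed)
    proxy = SynProxy(b"constructed-demo-secret", now=lambda: 1_216_500_000)
    server = "192.0.2.10"                         # documentation address
    # Spoofed flood: random sources that will never answer the SYN/ACK.
    for _ in range(n_spoofed):
        syn = Packet(f"203.0.113.{rng.randrange(256)}", rng.randrange(1024, 65536),
                     server, 80, "SYN", seq=rng.randrange(1 << 32))
        proxy.on_syn(syn)
    # One legitimate client completes the three-way handshake.
    syn = Packet("198.51.100.7", 40000, server, 80, "SYN", seq=1000)
    synack = proxy.on_syn(syn)
    ack = Packet(syn.src, syn.sport, server, 80, "ACK",
                 seq=1001, ack=(synack.seq + 1) & 0xFFFFFFFF)
    legit_ok = proxy.on_ack(ack)
    # An ACK with a guessed sequence number carries no valid cookie.
    forged = Packet("203.0.113.1", 5555, server, 80, "ACK", seq=1, ack=0x12345678)
    forged_ok = proxy.on_ack(forged)
    return {"server_connections": len(proxy.accepted),
            "legit_ok": legit_ok, "forged_ok": forged_ok}


if __name__ == "__main__":
    print(simulate(10000))   # 10000 spoofed SYNs, exactly one server connection
```

The point of the model is the state table: after ten thousand spoofed SYNs the proxy holds nothing and the server has seen exactly one connection, which is the CPU and memory relief the post is after. It does nothing about the bandwidth half of the problem the post itself raises; a full pipe is full regardless of how the SYNs are answered.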



Kaminsky's DNS bug: PF workaround

2008-07-19 Thread Mark Shroyer
Suppose:

 1. Dan Kaminsky's recently announced DNS cache poisoning vulnerability
is anywhere near as serious as he and others have made it out to be,
and

 2. Simple UDP source port randomization of DNS requests is indeed
sufficient to mitigate the vulnerability.

I think we have little reason to doubt the first point, given the
response to this bug of those credible individuals and companies already
privy to its details.  If we assume the second point as well, then users
of OpenBSD's named may be interested in a simple workaround that uses PF to
implement source port randomization on behalf of named, until OpenBSD
has the chance to release a patch of the usual quality & reliability.
Such a workaround can be implemented with a single NAT rule in pf.conf,
as Jon Hart has described:

http://blog.spoofed.org/2008/07/mitigating-dns-cache-poisoning-with-pf.html

The configuration line in question:

nat on $WAN_IF inet proto { tcp, udp } from a.b.c.d to any \
port 53 -> a.b.c.d

Or, if you have a dynamic IP address on a cable modem, etc.:

nat on $WAN_IF inet proto { tcp, udp } from ($WAN_IF) to any \
port 53 -> ($WAN_IF)

Of course, this won't help at all if your resolver is behind a NAT on
another box that performs source port rewriting; in that case, you'll
need to take a look at your outermost NAT instead and make sure its port
rewriting is random enough to keep you safe.  PF is fine, for
instance, but many consumer-oriented NAT routers -- e.g., the D-Link
WBR-1310 -- rewrite port numbers sequentially, which is Bad.  Linux
iptables NAT is a special case: it does not rewrite source port numbers
by default, unless a collision occurs.

-- 
Mark Shroyer
http://markshroyer.com/contact/
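A rough way to verify the "random enough" point from outside the NAT, as an added example (not from Jon Hart's post, from pf, or from this list): capture a run of outgoing queries to port 53 with tcpdump -n on the outside interface and feed the source ports to a script that reports whether they look fixed, sequential or random. The tcpdump lines below are constructed, and the thresholds are a judgement call for a quick check, not any standard.

```python
"""Check whether observed DNS query source ports look random.

Added example. Input is tcpdump -n output captured on the outside of the NAT;
the sample lines here are constructed. Only queries to port 53 are considered.
"""
import math
import re
from collections import Counter

# Matches the source port in lines like
# "12:00:00.101 IP 198.51.100.5.42211 > 192.0.2.53.53: 4123+ A? example.com. (29)"
_QUERY = re.compile(r"IP \S+\.(\d+) > \S+\.53:")

# Constructed capture: twelve queries with non-sequential ports, one reply and
# one unrelated HTTP packet that must be ignored.
SAMPLE_LINES = [
    "12:00:00.101 IP 198.51.100.5.42211 > 192.0.2.53.53: 4123+ A? example.com. (29)",
    "12:00:00.102 IP 192.0.2.53.53 > 198.51.100.5.42211: 4123 1/0/0 A 93.184.216.34 (45)",
    "12:00:00.233 IP 198.51.100.5.17305 > 192.0.2.53.53: 9870+ AAAA? example.com. (29)",
    "12:00:00.300 IP 198.51.100.5.50123 > 192.0.2.80.80: Flags [S], seq 1, length 0",
    "12:00:00.410 IP 198.51.100.5.60918 > 192.0.2.53.53: 1001+ A? example.net. (29)",
    "12:00:00.522 IP 198.51.100.5.3350 > 192.0.2.53.53: 1002+ A? example.org. (29)",
    "12:00:00.640 IP 198.51.100.5.51479 > 192.0.2.53.53: 1003+ MX? example.com. (29)",
    "12:00:00.751 IP 198.51.100.5.28864 > 192.0.2.53.53: 1004+ A? www.example.com. (33)",
    "12:00:00.862 IP 198.51.100.5.9021 > 192.0.2.53.53: 1005+ A? mail.example.com. (34)",
    "12:00:00.973 IP 198.51.100.5.64410 > 192.0.2.53.53: 1006+ NS? example.com. (29)",
    "12:00:01.084 IP 198.51.100.5.33927 > 192.0.2.53.53: 1007+ A? example.edu. (29)",
    "12:00:01.195 IP 198.51.100.5.12602 > 192.0.2.53.53: 1008+ A? ftp.example.com. (33)",
    "12:00:01.306 IP 198.51.100.5.47158 > 192.0.2.53.53: 1009+ TXT? example.com. (29)",
    "12:00:01.417 IP 198.51.100.5.21773 > 192.0.2.53.53: 1010+ A? example.com. (29)",
]


def ports_from_tcpdump(lines):
    """Extract the source port of every query sent to port 53."""
    return [int(m.group(1)) for m in map(_QUERY.search, lines) if m]


def assess_ports(ports):
    """Return (verdict, stats) for a list of observed source ports in capture order."""
    if len(ports) < 2:
        raise ValueError("need at least two ports")
    n = len(ports)
    deltas = [b - a for a, b in zip(ports, ports[1:])]
    sequential = sum(1 for d in deltas if d == 1) / len(deltas)
    counts = Counter(ports)
    # Shannon entropy of the sample; a sample of n distinct values maxes out at log2(n).
    entropy = -sum(c / n * math.log2(c / n) for c in counts.values())
    max_entropy = math.log2(n)
    stats = {"samples": n, "distinct": len(counts),
             "sequential_fraction": sequential,
             "entropy_bits": entropy, "max_entropy_bits": max_entropy}
    if len(counts) == 1:
        verdict = "fixed"             # e.g. iptables NAT leaving named's port alone
    elif sequential > 0.5:
        verdict = "sequential"        # the D-Link style rewriting described above
    elif entropy < 0.9 * max_entropy:
        verdict = "low-entropy"       # ports repeat far more than chance predicts
    else:
        verdict = "random"
    return verdict, stats


if __name__ == "__main__":
    verdict, stats = assess_ports(ports_from_tcpdump(SAMPLE_LINES))
    print(verdict, stats)
```

The pf rule above relies on pf's default behaviour of choosing a random source port for translated connections; a nat rule carrying the static-port option keeps the resolver's original port and would defeat the purpose. A few hundred captured queries are enough to tell a sequential or fixed rewriter apart from a random one; a low-entropy verdict on a large sample is worth a closer look at the port range the device actually uses.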



Re: OpenBSD and SYNFlood / DDoS protection

2008-07-19 Thread ropers
 On Jul 19, 2008, at 1:26 AM, ropers wrote:

 I don't mean to be impolite, but considering that these guys
 http://www.rayservers.com/ddos-protection are the first Google hit
 for firewall ddos protection openbsd (w/o quotation marks), it would
 seem to me that you maybe didn't Use Teh Google.

2008/7/19 Parvinder Bhasin [EMAIL PROTECTED]:

 Perhaps I didn't make it clear..maybe but yeah..I totally know that there
 are PAY solutions, like I mentioned that I know of many devices that can
 achieve this.  I have done research on these devices and was thinking maybe
 something ( open source - openbsd based device?? maybe) can be made to
 prevent this attack upstream.

I personally believe that some people are unable to do so because, uh,
some people out there on our list don't have man pages and, uh, I
believe that our, uh, Internets like such as in, uh,
www.rayservers.com/ddos-protection and, uh, the Iraq and everywhere
like such as, and I believe that they should, uh, see how OpenBSD is
mentioned over there on the rayservers page should help the people,
uh, should help find man pages and should help Iraq and the Asian
countries, so we will be able to build up our dDoS protection for our
children.

--ropers



Re: OpenBSD and SYNFlood / DDoS protection

2008-07-19 Thread Henning Brauer
* Parvinder Bhasin [EMAIL PROTECTED] [2008-07-19 23:12]:
 Perhaps I didn't make it clear..maybe but yeah..I totally know that
 there are PAY solutions, like I mentioned that I know of many devices
 that can achieve this.  I have done research on these devices and was
 thinking maybe something ( open source - openbsd based device?? maybe)
 can be made to prevent this attack

yes, sure. I have used OpenBSD to fight various forms of (D)DoS
multiple times.
How?
Different each and every time.
It depends on the form of the attack.

These "plug that in and you don't have DDoS" devices cannot work.
There are some that do clever things to detect anomalies and help you
fighting back. Some are even OpenBSD based. Just fighting back
doesn't require these usually, but an experienced and clueful person.
That you still need even with these kind of devices.

But there is no plug and play solution, in any way.

-- 
Henning Brauer, [EMAIL PROTECTED], [EMAIL PROTECTED]
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting - Hamburg & Amsterdam



Re: OpenBSD and SYNFlood / DDoS protection

2008-07-19 Thread Parvinder Bhasin

On Jul 19, 2008, at 2:31 PM, ropers wrote:


On Jul 19, 2008, at 1:26 AM, ropers wrote:


I don't mean to be impolite, but considering that these guys
http://www.rayservers.com/ddos-protection are the first Google hit
for firewall ddos protection openbsd (w/o quotation marks), it
would
seem to me that you maybe didn't Use Teh Google.


2008/7/19 Parvinder Bhasin [EMAIL PROTECTED]:


Perhaps I didn't make it clear..maybe but yeah..I totally know that
there
are PAY solutions, like I mentioned that I know of many devices
that can
achieve this.  I have done research on these devices and was
thinking maybe
something ( open source - openbsd based device?? maybe) can be made to
prevent this attack upstream.


I personally believe that some people are unable to do so because, uh,
some people out there on our list don't have man pages and, uh, I
believe that our, uh, Internets like such as in, uh,
www.rayservers.com/ddos-protection and, uh, the Iraq and everywhere
like such as, and I believe that they should, uh, see how OpenBSD is
mentioned over there on the rayservers page should help the people,
uh, should help find man pages and should help Iraq and the Asian
countries, so we will be able to build up our dDoS protection for our
children.

--ropers


LoL:) didn't get a word out of it but yeah I think you took my
suggestion of "all comments are welcome" to the next level

Cheers!



Re: OpenBSD and SYNFlood / DDoS protection

2008-07-19 Thread Parvinder Bhasin

btw:  Ropers Thanks for the link.

On Jul 19, 2008, at 2:31 PM, ropers wrote:


On Jul 19, 2008, at 1:26 AM, ropers wrote:


I don't mean to be impolite, but considering that these guys
http://www.rayservers.com/ddos-protection are the first Google hit
for firewall ddos protection openbsd (w/o quotation marks), it
would
seem to me that you maybe didn't Use Teh Google.


2008/7/19 Parvinder Bhasin [EMAIL PROTECTED]:


Perhaps I didn't make it clear..maybe but yeah..I totally know that
there
are PAY solutions, like I mentioned that I know of many devices
that can
achieve this.  I have done research on these devices and was
thinking maybe
something ( open source - openbsd based device?? maybe) can be made to
prevent this attack upstream.


I personally believe that some people are unable to do so because, uh,
some people out there on our list don't have man pages and, uh, I
believe that our, uh, Internets like such as in, uh,
www.rayservers.com/ddos-protection and, uh, the Iraq and everywhere
like such as, and I believe that they should, uh, see how OpenBSD is
mentioned over there on the rayservers page should help the people,
uh, should help find man pages and should help Iraq and the Asian
countries, so we will be able to build up our dDoS protection for our
children.

--ropers




Re: svnd questions (encrypting all of a partition or disk)

2008-07-19 Thread Ted Unangst
On 7/19/08, Chris Kuethe [EMAIL PROTECTED] wrote:
  - svnd backed by a whole slice on disk

I know some people have done this, but the code doesn't like it.  I'd
stick with normal files.



Re: svnd questions (encrypting all of a partition or disk)

2008-07-19 Thread Ted Unangst
On 7/19/08, Tobias Ulmer [EMAIL PROTECTED] wrote:
   [4] # mount -o softdep /dev/sd0a /mnt
   [5] # dd if=/dev/arandom bs=1m of=/mnt/imagefile count=...


 prepare to wait a few days... there is known plaintext at specific
  locations anyway, disklabel, filesystem metadata,...

very little really.  especially if you create the inner
filesystem/disklabel with anything other than the default of all space
in one partition.  it's easy to verify a correctly guessed key, but
probably not enough to perform any interesting attacks.

   3. What are the error propagation properties of the svnd encryption?
  That is, for example, if a disk/USB/memory error corrupts a single
  512-byte block in the middle of /dev/sd0a, will that show up as
  512 bytes of corruption in /dev/svnd0c, or will the entire
  /dev/svnd0c be corrupted from that point onwards?


 Afaik it uses blowfish in CBC mode, so you're fscked... Otoh modern
  disks make quite some noise before they start running out of spare blocks.

CBC only for disk blocks.  Each disk block is independent, otherwise
you get the seek performance of a tape drive.

   4. Is there any upper size limit to the size of an encrypted image
  apart from the kernel 8TB limit and fsck time and memory usage?
  For example, is there any problem with using the above on (say) a
  250GB disk?


 No problem, for the paranoid however you might want to read up on the
  birthday paradox ;)

Not sure what you mean here.  There's only 23 hard drives? :)
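The error-propagation question in this thread can be checked directly, so here is an added illustration of CBC applied independently per 512-byte disk block. This is not vnconfig/svnd code: the cipher is a toy 64-bit Feistel network built on SHA-256 that stands in for Blowfish only so the chaining behaviour can be shown, and deriving each block's IV from the block number is an assumption made for the demo, not a statement about how svnd does it.

```python
"""Error propagation of per-sector CBC, demonstrated on a toy image.

Added example, not svnd code. Toy 64-bit Feistel cipher (demo only, never use
it for real data); each 512-byte sector is encrypted as its own CBC chain with
an IV derived from the sector number (assumption for the demo).
"""
import hashlib

SECTOR = 512     # bytes per disk block
BLOCK = 8        # cipher block size, same as Blowfish
ROUNDS = 4


def _f(key: bytes, rnd: int, half: bytes) -> bytes:
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:4]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt_block(key: bytes, block: bytes) -> bytes:
    l, r = block[:4], block[4:]
    for i in range(ROUNDS):
        l, r = r, _xor(l, _f(key, i, r))
    return l + r


def decrypt_block(key: bytes, block: bytes) -> bytes:
    l, r = block[:4], block[4:]
    for i in reversed(range(ROUNDS)):
        l, r = _xor(r, _f(key, i, l)), l
    return l + r


def _iv(key: bytes, sector_no: int) -> bytes:
    # Per-sector IV (assumption): encrypt the sector number under the key.
    return encrypt_block(key, sector_no.to_bytes(8, "big"))


def encrypt_sector(key: bytes, sector_no: int, plain: bytes) -> bytes:
    prev, out = _iv(key, sector_no), bytearray()
    for off in range(0, SECTOR, BLOCK):
        prev = encrypt_block(key, _xor(plain[off:off + BLOCK], prev))
        out += prev
    return bytes(out)


def decrypt_sector(key: bytes, sector_no: int, cipher: bytes) -> bytes:
    prev, out = _iv(key, sector_no), bytearray()
    for off in range(0, SECTOR, BLOCK):
        c = cipher[off:off + BLOCK]
        out += _xor(decrypt_block(key, c), prev)
        prev = c
    return bytes(out)


def damage_map(key: bytes, n_sectors: int, corrupt_sector: int, corrupt_offset: int) -> dict:
    """Flip one bit of the ciphertext and report which 8-byte blocks decrypt wrongly.

    Returns {sector_no: [damaged cipher-block indices]} for affected sectors only.
    """
    plain = [bytes((s * 7 + i) & 0xFF for i in range(SECTOR)) for s in range(n_sectors)]
    image = bytearray(b"".join(encrypt_sector(key, s, p) for s, p in enumerate(plain)))
    image[corrupt_sector * SECTOR + corrupt_offset] ^= 0x01   # single-bit media error
    damaged = {}
    for s in range(n_sectors):
        rec = decrypt_sector(key, s, bytes(image[s * SECTOR:(s + 1) * SECTOR]))
        bad = [i for i in range(SECTOR // BLOCK)
               if rec[i * BLOCK:(i + 1) * BLOCK] != plain[s][i * BLOCK:(i + 1) * BLOCK]]
        if bad:
            damaged[s] = bad
    return damaged


if __name__ == "__main__":
    # Corrupt byte 100 of sector 3 in an 8-sector image: only blocks 12 and 13
    # of sector 3 come back wrong, every other sector decrypts cleanly.
    print(damage_map(b"constructed-demo-key", 8, 3, 100))
```

A flipped bit in the ciphertext of sector 3 garbles the 8-byte block it lands in and flips the same bit in the next block of that sector; nothing outside the sector is touched. The per-sector independence is also what lets a write to one sector proceed without re-encrypting anything after it, which is the seek-performance point made above.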



Unable to connect to Xvfb using sshd

2008-07-19 Thread Anathae Townsend
I am running an HP Vectra VL400 system under OpenBSD 4.4 beta 2007-07-11.

When I attempt to connect using ssvnc from my windows box using the ssh
option I am getting "connection refused by server: Administratively
prohibited".

When I check authlog, the error message is

July 19 23:19:22 kendra sshd[4501]: error: connect to 127.0.0.1 port 5900
failed: Undefined error: 0

/etc/ssh/sshd_config is set to defaults which appears to allow for port
forwarding.

Any additional information or suggestions on how to resolve this issue?

Anathae