tzlee.com/blog

Category: Technology

  • Aspiration 5: My Friends All Hate Me

    Just for laughs 😀

    http://apps.facebook.com/ajsdfasfj/aspiration5.php

    BTW, fb:wallpost tag is broken (it does not show up as it’s supposed to)

  • Teaming and Waving

    Looks like I’ve gotten my first team for the Facebook assignment and am still trying to figure out a team for the second Seminar assignment. Hopefully I can get that settled as well so I can get this off my back and concentrate on the actual work rather than kay-pohing about people’s lives.

    Meanwhile I’m poking around Google Wave. Actually not really very excited yet. I’m more confused than excited – I can’t seem to find a practical use for it at the moment. I will try to explore it more. It looks useful as an internal Wiki kind of thing. I won’t use it to replace my regular IM though. Problem here is, Wave is invite-only and I have limited invites so I cannot realize the full collaborative power of this tool yet. :S

    Short and sweet post. I need to get back to work. Sigh.

  • First Peek at Amazon EC2

    I just got my Amazon EC2 account today and poked around a bit. Technically, it’s just a super cluster of virtualized servers running a (very likely) hacked copy of the open source Xen with a AJAX-enabled web management interface. The servers are undoubtedly Intel Xeons.

    [root@domU-12-31-39-09-2E-31 ~]# uname -a
    Linux domU-12-31-39-09-2E-31 2.6.18-xenU-ec2-v1.2 #2 SMP Wed Aug 19 09:04:38 EDT 2009 i686 i686 i386 GNU/Linux
    [root@domU-12-31-39-09-2E-31 ~]# cat /proc/cpuinfo
    processor    : 0
    vendor_id    : GenuineIntel
    cpu family    : 6
    model        : 23
    model name    : Intel(R) Xeon(R) CPU           E5430  @ 2.66GHz
    stepping    : 10
    cpu MHz        : 2666.760
    cache size    : 6144 KB
    fdiv_bug    : no
    hlt_bug        : no
    f00f_bug    : no
    coma_bug    : no
    fpu        : yes
    fpu_exception    : yes
    cpuid level    : 13
    wp        : yes
    flags        : fpu tsc msr pae mce cx8 apic mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe nx lm constant_tsc up pni monitor ds_cpl vmx est tm2 cx16 xtpr lahf_lm
    bogomips    : 5335.77

    There’s nothing technically amazing here but it’s interesting how Amazon put it together into a pay-per-use revenue model. It seems like they got the billing portion right.

    Personally, I don’t quite like the management of it though. If you’ve used VMware ESX or Citrix XenServer you might agree with me.

    For example, I couldn’t alter my firewall configuration once my instance was deployed. I created my first instance with a default firewall rule that drops everything, so in desperation I created another one.

    Then I realized I couldn’t delete an instance either. It took me a while to figure out that there is actually a command line client tool written in Java that allows me to delete an instance. In fact, the client tool has way more capabilities than the funky AJAX web interface.

    Here’s the Getting Started Guide. You need to read this to learn how to set up the authentication mechanisms. I presume most of us here can set up the Java environment variables no problem.

    Here’s the EC2 Command Line Tools Reference.

    It took me quite a while to find these links so do bookmark them.

    ***

    Just a quick start for everyone here since the authentication part is a hassle. The documentation had a bunch of talk cock before they got to the point.

    1. You’ll need to login to AWS, then go under the Your Account > Security Credentials menu on the top right hand corner.
    2. Scroll down and look under the Access Credentials heading.
    3. Click the X.509 Certificates tab.
    4. Click Create a new Ceritificate.
    5. Download both the Private Key File and Certificate File.
    6. Get down to your command prompt.
    7. Change to the directory where you unzipped the EC2 API tools.
    8. Make sure JAVA_HOME and PATH are both set.
    9. Set EC2_HOME to the directory in step 7 above.
    10. Change to the bin directory within the EC2 API tools directory.

    You’re all ready to go run the .cmd files (for Windows) or the non .cmd files (for MacOS/Linux guys).

    ***

    Update: Here’s a freebie for the MacOS X users – paste these into ~/.bash_profile so you don’t have to specify your key and cert all the time. (Edit where necessary.)

    export JAVA_HOME=/Library/Java/Home
    export EC2_HOME=~/Downloads/ec2-api-tools-1.3-46266
    export EC2_PRIVATE_KEY=~/Downloads/pk-XXXX.pem
    export EC2_CERT=~/Downloads/cert-XXXX.pem
    export PATH=$PATH:$EC2_HOME/bin

  • Hardening Linux and Apache Servers for DDoS

    In my earlier entry I discussed an interesting topic on firewalls and why we don’t need them. I put a small LAMP server to the test and got my results.

    Attack Information:

    • Type: TCP SYN flood
    • Max performance: 26Kpps (8Mbps)
    • Source IP Spoofing: Yes

    Victim A Specifications:

    • VMware Guest on a Single Core Opteron 1.8GHz Sun X2100
    • CentOS 4.x + Apache 2.x
    • 768MB RAM
    • Tuned (see below)

    Here’s what I’ve added to tune the Linux TCP stack in /etc/sysctl.conf:


    net.ipv4.tcp_abort_on_overflow = 1
    net.ipv4.tcp_fin_timeout = 15
    net.ipv4.tcp_low_latency = 1
    net.ipv4.tcp_syncookies = 1
    net.ipv4.tcp_max_syn_backlog = 2048
    net.ipv4.tcp_synack_retries = 3
    net.ipv4.tcp_sack = 0
    net.ipv4.ip_conntrack_max = 65535
    net.core.rmem_max = 16777216
    net.core.wmem_max = 16777216
    net.ipv4.tcp_rmem = 4096 87380 16777216
    net.ipv4.tcp_wmem = 4096 65536 16777216
    net.ipv4.ip_local_port_range = 1024 65000
    net.ipv4.tcp_keepalive_intvl = 15
    net.ipv4.tcp_keepalive_probes = 4
    net.ipv4.tcp_keepalive_time = 1800

    Here’s what I’ve added to the top of my iptables configuration in /etc/sysconfig/iptables as well:


    -N SYN
    -A SYN -m limit --limit 20/s --limit-burst 50 -j RETURN
    -A SYN -j DROP
    -A INPUT -p tcp --syn -j SYN

    * Note: During my testing, I added a log entry before dropping the packet as this floods the logs and kills the CPU and I/O so I highly discourage doing so.

    I repeated the same test on another VM running in a much more powerful Dell 2850 and with no modifications to the kernel or iptables.

    Victim B Specifications:

    • VMware Guest on a 2 x Dual Core Xeon 3.2GHz Dell 2850
    • CentOS 5.x + Apache 2.x
    • 256MB RAM
    • No Tuning

    Results:

    • Victim A held up to 16Kpps SYN flood (approx 5Mbps) but slowed down a little
    • Victim A held up to respond at 26Kpps SYN flood (approx 8Mbps) but was extremely slow
    • Victim B held up to 26Kpps SYN flood (approx 8Mbps) and did not slow down at all

    At this point in time, I couldn’t generate any more SYN packets as I lacked the hardware to do so, but it has given some conclusive results that a reasonably powerful LAMP hardware could take on modest DDoS attacks if configured correctly. I would expect a bare metal hardware with decent CPU performance to hold up much much more than what I’ve tested.

    Time to ditch that firewall!

  • Being Ignorant About DDoS and Why Firewalls Suck

    I’ve just attended a one day “seminar” with folks at Arbor Networks and it has been insightful.

    It seems people are still pretty ignorant about DDoS attacks. Unlike the 1999 CIH virus that was programmed to take out a computer by corrupting it’s BIOS EEPROM, most of the viruses, worms, malwares and whatnots on the Internet today are around for one simple reason – money. Obviously if you’re good enough to write worms, you’d think “why write a worm for fun, when I can make money?” These worms infect computers to build Botnets, and Botnets are sold for real money on the black market to take down sites (via a DDoS), send spam, and all sorts of other things.

    There was one point in particular though that caught my attention, and it was that firewalls (or in fact any type of inline device such as load balancers) are potentially targets for DDoS attacks. To make matters worse, the higher the OSI layer the firewall capability goes, the worse it gets in terms of performance and reliability.

    Believe it or not, firewalls are vulnerable to serious security issues like buffer overflows just like any other server or appliance with an IP address. So it turns out that firewalls are the biggest marketing scam in the history of IT security because companies have spent millions and millions of dollars on these stuff that don’t offer much protection than say, iptables.

    Just about a month ago, I spoke to one of our customers who experienced a DDoS attack launched towards their co-location in the USA. The DDoS traffic was approximately 500Mbps and it completely took out the firewall. This site provided online payment services to customers and was up and down for days. Their firewall was tiny in comparison to the DDoS they got – on paper specs states performance capabilities of 90Mbps or 30Kpps at 2.8K sessions/sec with a max of 8K sessions at any time. Of course, these are lab specifications and real world traffic wouldn’t be as forgiving.

    A simple DDoS attack that’s merely 10Mbps in traffic volume would have generated millions of packets per second with a 1-byte  UDP or ICMP packet. Taking down such a firewall would be a breeze. In fact, a single modern day computer on a broadband connection could probably do the job.

    If it was a TCP SYN flood, it would have been way easier. Sending 2K TCP SYN packets per second is child’s play, so filling the firewall’s state table really takes no more than 10 seconds.

    I had a chat with my wife who audits financial institutions (FIs) based on the PCI-DSS standard. Most FIs providing payment card services will have to conform to this standard. This standard, however, mandates that a firewall is required to comply. Unfortunately, most FIs have a pretty average Internet connectivity pipe – somewhat in the range of 20Mbps to 100Mbps. They scale their firewalls to their connectivity, so what they have, well, closely resembles the one I described earlier.

    So why were firewalls invented?

    Early operating systems didn’t provide packet filtering capabilities, so the early firewalls were really just stateless packet filters that basically routed (not NAT’ed) traffic and dropped unwanted requests based on simple IP, protocol and port numbers to services that weren’t supposed to be public. Then the idea of NAT came about (remember the days of WinRoute) to allow multiple computers on a LAN to share a single IP address on a WAN link. Some smart guy then figured, “oh well, let’s put servers on a private subnet and use the NAT technology to map public and private address spaces. This way, we’re safer!” Agreeably, that was the dumbest idea ever and is a PITA to manage, but millions of servers are configured this way today. Over time, these features were slowly incorporated into the all-in-one junkbox we now call the Firewall. Sweet.

    Personally, I don’t have a firewall sitting in front of my servers. All my servers are individually configured to run iptables (or ipfilter on Solaris, etc.). I am going to test the Linux TCP stack with Apache from a default CentOS install to see how much SYN flood it can hold up before giving up and maybe post some results here, including what I tweaked in the kernel.

  • Flash Sites are Passé; The DOs and DON’Ts of Web Design

    I’m surprised to find Renoma Paris’s site (in English) made entirely out of Flash. While it took ages to load, it also played an annoying music that I couldn’t turn off unless I turned down my speakers.

    Once the page loaded, I was presented with a scrolling marquee of images. They were so small that I couldn’t figure out what they were, so I clicked on any random image that passes and it brought me to yet another page that required loading. I sat waiting and stared at the red squares in the middle of the screen as more of them appeared after several seconds.

    Frustrated, I closed my browser tab. I was on the site for barely two minutes.

    This is a classic example of how your site can literally drive people away. Try it yourself – go visit that site.

    Many business owners don’t understand that what they like to have on their own site isn’t necessarily what people want to see.

    Here’s some of my personal DOs and DON’Ts of web design.

    • DON’T use flash for your entire site. It’s not only slow and heavy on a computer’s CPU, it doesn’t scroll well within a browser, it renders fonts differently from browsers making them difficult to read at times, the back and forward buttons don’t work, etc. The list of problems are endless. Oh, and did I mention that those Flash guys charge an arm and two legs? Don’t use flash. Period.
    • DON’T embed audio into your pages. It might give an old lady a heart attack, or simply just piss young people off by distorting whatever Wonder Girls track they’re listening to at the moment.
    • DON’T use a splash page. They only serve to delay a user’s entrance into your site. 9 in 10 splash pages I’ve seen have no real purpose other than the intent to create a “grand entrance” to a site. People visit web sites in search for content and will gladly click on the first sight of an “ENTER” button.
    • DON’T upload full resolution photos and simply use the HTML width and height attributes to resize your images. Resize  images using an image editing program like Adobe Photoshop or GIMP to achieve optimal image quality and file size.
    • DON’T underestimate the power of image compression. Choose wisely between GIF, JPEG and PNG compression and experiment which works best for you. GIF generally works well with text, JPEG works well with photos and PNG works well if transparency is involved. When used incorrectly, your images will not only look bad, it will consume unnecessary storage and bandwidth.
    • DON’T pop shit windows up. It’s not only annoying but confusing. Open the next page in the same window – people know how to use the back button on the browser.
    • DON’T use FORM POSTs excessively. This is what most Java and ASP.NET developers don’t quite understand. FORM POSTs (or POSTBACKs) not only prevent the back button on the browser from working, they also prevent caches from doing their jobs.
    • DO engage a third party to check for grammar, spelling and content accuracy. Badly written content translates to a bad user experience.
    • DO test your web site over a real Internet connection at home to check its loading time. Most sites load in a split second over a LAN but not over the Internet.
    • DO read up on how to make your site cache friendly, especially if your site handles lots of traffic. ISPs spend tonnes of money on web caches to conserve their bandwidth and yet web caching is one of the most misunderstood technology on the Internet. When your site is made cache friendly, ISP caches will greatly improve your users’ experience especially if they are far away.
    • DO add more line spacing. It’s easier on the eyes.

    There’s much more to web design than this short list though. Here’s my golden rule – humans like control. Give it to them.

    On a side note, I provide consultation for web marketing. Feel free to drop me a (private) message.