Blog

  • Singaporean Style, Western Flavour – Bruschetta with Tomato

    I’ve had some request to post up my cooking experiments on my blog and so here’s my first. I’ve decided to call my experimental cooking series Singaporean Style, Western Flavour since I tend towards ingredients that are easily found in neighbourhood supermarkets. Looking for western ingredients can be quite a chore as these small supermarkets don’t carry such a wide variety. If the ingredients aren’t found easily, then I’ll use ingredients that you’ll find at larger supermarkets but can be kept for a long time (such as herbs and oils).

    I ate Bruschetta in a restaurant at Tampines this afternoon and decided to go home and give it a try. Ideally, Bruschetta is served on baguette but I used a loaf of white bread instead.

    Ingredients

    • 6-8 slices of thick white bread or baguette
    • 2-3 cloves of garlic, finely chopped
    • 1-2 cloves of garlic, chopped in half (for rubbing on bread)
    • 1 teaspoon of balsamic vinegar
    • 2-3 ripe tomatoes
    • Extra virgin olive oil
    • Basil, salt and black pepper
    • Smoked salmon (optional)
    Ingredients for Bruschetta

    Where to Get Them

    • If you want to use baguette, Delifrance sells pretty decent ones.
    • White bread, garlic and tomatoes can be had at any neighbourhood supermarket.
    • Olive oil, balsamic vinegar and smoked salmon can be bought at Cold Storage or larger NTUC outlets such as those in Jurong Point. Buy a good bottle of olive oil and balsamic vinegar and keep them – they can be kept for a long time.
    • I use dried basil from MasterFoods. It comes in small bottles that cost around $5 and can be found similarly at Cold Storage or larger NTUC outlets. You may use fresh basil but it can’t be kept for more than a few days.
    • If you absolutely must, then buy pre-ground black pepper from MasterFoods. I use a cheap Ikea pepper grinder and grind the peppers when I need.

    Preparing the Tomato Topping

    • Optional – put the tomatoes in boiling water for about one minute and remove them. Remove the skin.
    • Cut the tomatoes in quarters and remove the stem, seeds and juice from the center.
    • Optional – lightly fry the chopped garlic in some olive oil, otherwise it may taste too raw.
    • Chop the tomatoes then put them in a bowl together with the chopped garlic, balsamic vinegar and 1 tablespoon of olive oil. If you have smoked salmon, add it as well. Sprinkle in some basil, then a little bit of salt and pepper to taste and mix. (I tend to use less salt and more pepper.)

    Mixing the Bruschetta’s Tomato Topping

    Preparing the Bread

    • If you’re using baguette, slice it diagonally as you normally would, about half an inch thick.
    • If you’re using a loaf of white bread, cut the slices in half to make them smaller.
    • If you’re using baguette, toast the bread, then rub the garlic on the slice and drizzle half a teaspoon of olive oil on each half-slice.
    • If you’re using white bread, it is easier to chop the garlic and fry it in some olive oil for about a minute on low heat, then place the bread on top.
    • Either serve the bread and tomatoes separately or combine them immediately before serving, otherwise the bread will turn soggy.
    Frying the Bread in Olive Oil

    Serving Size

    • Serves 2 to 3 not-very-hungry adults busy playing Wii.
    White Bread Bruschetta with Tomato
  • The Life of a Working House Husband

    Somehow I think I’m living life on the soft side, or as the Chinese saying goes, 吃软饭. I’m officially in a holiday mood as I write this blog entry while my wife (who’s right beside me) bashes away at a PCI DSS audit report… I think she doesn’t even notice me blogging.

    I’m finally taking a real break from work with a week’s leave between Christmas and New Year. Not that I’m the first around here, but hopefully not the last. I spent the last working hours of 2009 actually back in the office unpacking, installing and repacking servers, each fully jam-packed with twelve 3.5″ SAS disks. They’re really quite heavy – weighing up to 30 kilos each. SAS disks are considerably heavier than SATA ones. Somehow, weight does matter? Shrugs. So if you think I’m really having a good time at work every day, now you know it’s not always the case.

    But before I let myself run wild for the last few days of 2009, I’ll write a little about work… I’ve been at this job for a little over a year. It’s been pretty nice working around here and I’ve surely learnt a great deal. My colleagues are fantastic – I’ve got a great PM and one thing that touched me was that the sales folks gave us Christmas presents every year! Or at least for the two Christmases I’ve been through. I got cookies from Vivien last year and Winnie gave us Royce chocs this time round… I ate about half the box before I brought the remainder home. Oops, sorry dear.

    I’ve also gotten really lucky to have won lucky draw prizes at all the company dinners – I got a Dell Inspiron last year and a Sony PSP Go this year. The Dell has been put to good use, but the PSP is not really my kind of toy, so it’s going to my sister if she behaves, or maybe eBay.

    I’m packing my schedules up for the next week to catch up with some looooooooong lost friends, some of whom I’ve completely lost contact with since we left primary school. Thanks to the power of the Internet and social networking, I’m finally meeting them again after fifteen years! Unbelievable.

    And of course in my free time I shall religiously clean the house, which has been neglected for the past two months. I also need to learn how to cook a wider variety of dishes. I’ve been preparing fish dishes so far.

    Well, that’s the life of a working house husband. At least for now.

  • Happy Holidays, Welcome 2010

    Welcome back…

    I know you have been faithful readers.

    See? You’re smiling. Stop denying it. You love my blog, don’t you?

    It has been a crazy month. I’m part of a small team of three and two of my colleagues went away – one to Turkey and another to reservist so he could help weed out terrorists. I was, of course, left all alone to take on a good amount of work that, well, came all at the same time. Screw Murphy. Hate that guy.

    So it’s December and everybody’s in a holiday mood. I wish I was too, but it’s not quite easy with a fucking noisy neighbour living right upstairs. They make so much noise and vibration by dragging furniture, slamming their doors and letting their kids run about into the wee hours that even my window grilles rattle at times. After approaching them three times and calling the cops once, I decided to approach them one last time, which ended in a yelling session, with the typical remarks from these inconsiderate bastards like “this is my house, I’ll do whatever I want” or “go buy a condo”. Things improved a bit after the yelling, but it still happens. When the night’s all quiet, these sudden bumps and squeaks really make you jump.

    So it seems nothing really changed in 2009 other than my marital status and an empty bank from a property purchase and renovation. It’s time to work out something new in 2010. My public list of items goes like this:

    • Get back on track with some research/dev type projects. I’ll be meeting an NUS professor before 2009 ends, so I’ll post an update here.
    • Learn to cook now that I’ve got a kitchen to myself. I’ve also promised to post some of my successful attempts out of many other unsuccessful ones.
    • Get the wedding banquet done.
    • Build new sources of revenue. I’ll start small, but aim big.
    • Get back to flying R/C occasionally as a hobby. I stopped flying for the whole of 2009 without even realizing it.

    And of course, before 2009 ends, here’s a short to do list.

    • Pack up the study room. It’s in an absolute mess now.
    • Get another two sets of Wii Remote + Nunchuck since the two I ordered from HK over a month ago didn’t arrive at all.
    • Get my old Cello bows rehaired. Already sent and will only be done in January 2010.
  • Hardening Linux and Apache Servers for DDoS

    In my earlier entry I discussed an interesting topic on firewalls and why we don’t need them. I put a small LAMP server to the test and got my results.

    Attack Information:

    • Type: TCP SYN flood
    • Max performance: 26Kpps (8Mbps)
    • Source IP Spoofing: Yes

    Victim A Specifications:

    • VMware Guest on a Single Core Opteron 1.8GHz Sun X2100
    • CentOS 4.x + Apache 2.x
    • 768MB RAM
    • Tuned (see below)

    Here’s what I’ve added to tune the Linux TCP stack in /etc/sysctl.conf:

    net.ipv4.tcp_abort_on_overflow = 1
    net.ipv4.tcp_fin_timeout = 15
    net.ipv4.tcp_low_latency = 1
    net.ipv4.tcp_syncookies = 1
    net.ipv4.tcp_max_syn_backlog = 2048
    net.ipv4.tcp_synack_retries = 3
    net.ipv4.tcp_sack = 0
    net.ipv4.ip_conntrack_max = 65535
    net.core.rmem_max = 16777216
    net.core.wmem_max = 16777216
    net.ipv4.tcp_rmem = 4096 87380 16777216
    net.ipv4.tcp_wmem = 4096 65536 16777216
    net.ipv4.ip_local_port_range = 1024 65000
    net.ipv4.tcp_keepalive_intvl = 15
    net.ipv4.tcp_keepalive_probes = 4
    net.ipv4.tcp_keepalive_time = 1800

    Here’s what I’ve added to the top of my iptables configuration in /etc/sysconfig/iptables as well:

    -N SYN
    -A SYN -m limit --limit 20/s --limit-burst 50 -j RETURN
    -A SYN -j DROP
    -A INPUT -p tcp --syn -j SYN

    * Note: During my testing I added a log entry before dropping the packet. Under a flood this floods the logs and kills the CPU and I/O, so I highly discourage doing so.
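    As an added illustration (not code from this post), here is a model of what the SYN chain above does to traffic: the `limit` match is a token bucket with `--limit-burst` tokens of capacity, refilled at `--limit` per second, and it counts every SYN reaching INPUT together rather than per source. The traffic trace is constructed, and `build_trace` and `run_syn_chain` are names made up for this example.

```python
from dataclasses import dataclass, field


@dataclass
class LimitMatch:
    """Token bucket approximating `-m limit --limit 20/s --limit-burst 50`."""
    rate: float = 20.0            # --limit: tokens refilled per second
    burst: int = 50               # --limit-burst: bucket capacity (initial tokens)
    tokens: float = field(init=False, default=0.0)
    last_t: float = 0.0

    def __post_init__(self):
        self.tokens = float(self.burst)

    def match(self, t):
        """True if the SYN arriving at time t finds a token (rule matches -> RETURN)."""
        self.tokens = min(self.burst, self.tokens + (t - self.last_t) * self.rate)
        self.last_t = t
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def run_syn_chain(trace):
    """Walk the SYN chain for each (time, is_attack) packet in arrival order.
    Returns counts: legit_ok / legit_drop / attack_ok / attack_drop."""
    limit = LimitMatch()
    counts = {"legit_ok": 0, "legit_drop": 0, "attack_ok": 0, "attack_drop": 0}
    for t, is_attack in sorted(trace, key=lambda p: p[0]):
        who = "attack" if is_attack else "legit"
        verdict = "ok" if limit.match(t) else "drop"   # RETURN to INPUT vs -j DROP
        counts[f"{who}_{verdict}"] += 1
    return counts


def build_trace(attack_pps, legit_pps, seconds, legit_offset=0.02):
    """Constructed trace: evenly spaced SYNs from a spoofed flood plus a few real clients
    (the offset keeps the two arrival grids from coinciding)."""
    trace = [(i / attack_pps, True) for i in range(int(attack_pps * seconds))] if attack_pps else []
    trace += [(j / legit_pps + legit_offset, False) for j in range(int(legit_pps * seconds))]
    return trace


if __name__ == "__main__":
    quiet = run_syn_chain(build_trace(0, 10, 2))        # no flood: every client gets in
    flood = run_syn_chain(build_trace(26_000, 10, 2))   # the 26Kpps flood from this post
    print("quiet:", quiet)
    print("flood:", flood)
```

    Under the 26Kpps flood the chain passes only about 90 SYNs in two seconds, almost all of them the attacker’s, so a global limit like this protects the SYN backlog at the cost of real clients, and the syncookies setting cannot help a SYN that iptables has already dropped.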

    I repeated the same test on another VM running on a much more powerful Dell 2850, with no modifications to the kernel or iptables.

    Victim B Specifications:

    • VMware Guest on a 2 x Dual Core Xeon 3.2GHz Dell 2850
    • CentOS 5.x + Apache 2.x
    • 256MB RAM
    • No Tuning

    Results:

    • Victim A held up under a 16Kpps SYN flood (approx 5Mbps) but slowed down a little
    • Victim A still responded under a 26Kpps SYN flood (approx 8Mbps) but was extremely slow
    • Victim B held up under a 26Kpps SYN flood (approx 8Mbps) and did not slow down at all

    At this point I couldn’t generate any more SYN packets as I lacked the hardware to do so, but the results are fairly conclusive: reasonably powerful LAMP hardware can take on modest DDoS attacks if configured correctly. I would expect bare metal hardware with decent CPU performance to hold up much, much more than what I’ve tested.

    Time to ditch that firewall!

  • Being Ignorant About DDoS and Why Firewalls Suck

    I’ve just attended a one day “seminar” with folks at Arbor Networks and it has been insightful.

    It seems people are still pretty ignorant about DDoS attacks. Unlike the 1999 CIH virus that was programmed to take out a computer by corrupting its BIOS EEPROM, most of the viruses, worms, malware and whatnot on the Internet today are around for one simple reason – money. Obviously if you’re good enough to write worms, you’d think “why write a worm for fun, when I can make money?” These worms infect computers to build botnets, and botnets are sold for real money on the black market to take down sites (via a DDoS), send spam, and all sorts of other things.

    There was one point in particular though that caught my attention, and it was that firewalls (or in fact any type of inline device such as load balancers) are potential targets for DDoS attacks. To make matters worse, the higher up the OSI stack the firewall inspects, the worse it gets in terms of performance and reliability.

    Believe it or not, firewalls are vulnerable to serious security issues like buffer overflows, just like any other server or appliance with an IP address. So it turns out that firewalls are the biggest marketing scam in the history of IT security, because companies have spent millions and millions of dollars on this stuff that doesn’t offer much more protection than, say, iptables.

    Just about a month ago, I spoke to one of our customers who experienced a DDoS attack launched towards their co-location in the USA. The DDoS traffic was approximately 500Mbps and it completely took out the firewall. This site provided online payment services to customers and was up and down for days. Their firewall was tiny in comparison to the DDoS they got – on paper, its specs state performance capabilities of 90Mbps or 30Kpps at 2.8K sessions/sec with a max of 8K sessions at any time. Of course, these are lab specifications and real world traffic wouldn’t be as forgiving.

    A simple DDoS attack that’s merely 10Mbps in traffic volume would have generated millions of packets per second with 1-byte UDP or ICMP packets. Taking down such a firewall would be a breeze. In fact, a single modern day computer on a broadband connection could probably do the job.

    If it was a TCP SYN flood, it would have been way easier. Sending 2K TCP SYN packets per second is child’s play, so filling the firewall’s state table really takes no more than 10 seconds.

    I had a chat with my wife who audits financial institutions (FIs) based on the PCI-DSS standard. Most FIs providing payment card services have to conform to this standard, and the standard mandates a firewall for compliance. Unfortunately, most FIs have pretty average Internet connectivity – somewhere in the range of 20Mbps to 100Mbps. They scale their firewalls to their connectivity, so what they have closely resembles the one I described earlier.

    So why were firewalls invented?

    Early operating systems didn’t provide packet filtering capabilities, so the early firewalls were really just stateless packet filters that basically routed (not NAT’ed) traffic and dropped unwanted requests based on simple IP, protocol and port numbers to services that weren’t supposed to be public. Then the idea of NAT came about (remember the days of WinRoute) to allow multiple computers on a LAN to share a single IP address on a WAN link. Some smart guy then figured, “oh well, let’s put servers on a private subnet and use the NAT technology to map public and private address spaces. This way, we’re safer!” Admittedly, that was the dumbest idea ever and is a PITA to manage, but millions of servers are configured this way today. Over time, these features were slowly incorporated into the all-in-one junkbox we now call the Firewall. Sweet.

    Personally, I don’t have a firewall sitting in front of my servers. All my servers are individually configured to run iptables (or ipfilter on Solaris, etc.). I am going to test the Linux TCP stack with Apache from a default CentOS install to see how much SYN flood it can hold up before giving up and maybe post some results here, including what I tweaked in the kernel.

  • Three Week Summary

    Renovation has officially completed; we made our final payment last Thursday and the final touches were done yesterday. All the furniture is in as well. Mode Studio didn’t screw up and delivered the remaining furniture as scheduled.

    I pay a lot of attention to detail and there were some minor issues with the renovation (as usual). Carpentry, plumbing and electrical works needed personal supervision but overall we rate our interior designer highly for their design creativity and project management. We are especially pleased with their flooring, painting and solid surface works.

    I’ve been very busy but I will post some photos of the completed work soon.

    Work as usual, hamsters are still alive and kicking. I’m trying to find some time to pick up my R/C hobby again as the sloping season’s back but my time has been all tied up by the house renovation. Cleaning a new house has proved to be quite a chore as the dust settles each day.

    I have also attempted cooking. BTW, it’s not exactly cheap for two persons to cook at home. Breakfast is easy but I haven’t been very successful with my first dinner dish. However, the wife makes nice Chinese soup dishes!

    It’s just one more month before the year comes to an end. Time to close yet another chapter and kick start 2010. It will be a very exciting new year!