Blog

  • Being Ignorant About DDoS and Why Firewalls Suck

    I’ve just attended a one day “seminar” with folks at Arbor Networks and it has been insightful.

    It seems people are still pretty ignorant about DDoS attacks. Unlike the 1999 CIH virus that was programmed to take out a computer by corrupting its BIOS EEPROM, most of the viruses, worms, malware and whatnot on the Internet today are around for one simple reason – money. Obviously if you’re good enough to write worms, you’d think “why write a worm for fun, when I can make money?” These worms infect computers to build botnets, and botnets are sold for real money on the black market to take down sites (via a DDoS), send spam, and all sorts of other things.

    There was one point in particular though that caught my attention, and it was that firewalls (or in fact any type of inline device such as load balancers) are potentially targets for DDoS attacks. To make matters worse, the higher the OSI layer the firewall capability goes, the worse it gets in terms of performance and reliability.

    Believe it or not, firewalls are vulnerable to serious security issues like buffer overflows just like any other server or appliance with an IP address. So it turns out that firewalls are the biggest marketing scam in the history of IT security, because companies have spent millions and millions of dollars on this stuff that doesn’t offer much more protection than, say, iptables.

    Just about a month ago, I spoke to one of our customers who experienced a DDoS attack launched towards their co-location in the USA. The DDoS traffic was approximately 500Mbps and it completely took out the firewall. This site provided online payment services to customers and was up and down for days. Their firewall was tiny in comparison to the DDoS they got – on paper, the specs state performance capabilities of 90Mbps or 30Kpps at 2.8K sessions/sec with a max of 8K sessions at any time. Of course, these are lab specifications and real world traffic wouldn’t be as forgiving.

    A simple DDoS attack that’s merely 10Mbps in traffic volume would have generated millions of packets per second with a 1-byte UDP or ICMP packet. Taking down such a firewall would be a breeze. In fact, a single modern day computer on a broadband connection could probably do the job.

    If it was a TCP SYN flood, it would have been way easier. Sending 2K TCP SYN packets per second is child’s play, so filling the firewall’s state table really takes no more than 10 seconds.
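    To put the state-table arithmetic above into a form you can plug your own firewall’s datasheet into, here is an added capacity model (my example, not code from the original post or from Arbor). It uses the datasheet figures quoted above and assumes a 30-second half-open timeout, which the post does not give.

```python
"""Capacity model for a stateful firewall under a SYN flood (added example)."""
from dataclasses import dataclass

# Ethernet framing on the wire: 64-byte minimum frame plus 8-byte preamble
# and 12-byte inter-frame gap, so the smallest packet still costs 84 bytes.
MIN_FRAME_BYTES = 64
PREAMBLE_AND_IFG_BYTES = 20


@dataclass
class FirewallSpec:
    max_sessions: int      # state-table capacity
    sessions_per_sec: int  # new-session setup rate
    max_pps: int           # packet forwarding rate
    max_bps: int           # throughput in bits per second


# Datasheet figures quoted in the post for the customer's firewall.
SMALL_FIREWALL = FirewallSpec(max_sessions=8_000, sessions_per_sec=2_800,
                              max_pps=30_000, max_bps=90_000_000)


def pps_at_line_rate(link_bps: float, frame_bytes: int = MIN_FRAME_BYTES) -> float:
    """Packets per second a link carries when every frame is `frame_bytes` long."""
    wire_bits = (max(frame_bytes, MIN_FRAME_BYTES) + PREAMBLE_AND_IFG_BYTES) * 8
    return link_bps / wire_bits


def sustainable_syn_rate(spec: FirewallSpec, half_open_timeout_s: float) -> float:
    """Highest SYN/s the state table absorbs indefinitely. Little's law:
    steady-state entries = arrival rate * time each half-open entry is held."""
    return spec.max_sessions / half_open_timeout_s


def seconds_until_state_table_full(spec: FirewallSpec, syn_rate: float,
                                   half_open_timeout_s: float):
    """Time for a SYN flood to exhaust the state table, or None when the
    flood is below the sustainable rate and the table never fills."""
    if syn_rate <= sustainable_syn_rate(spec, half_open_timeout_s):
        return None
    # Entries can only be created as fast as the box sets up sessions; SYNs
    # above that rate are dropped outright. Because syn_rate exceeds
    # max_sessions / timeout, the table fills before any entry expires.
    fill_rate = min(syn_rate, spec.sessions_per_sec)
    return spec.max_sessions / fill_rate


if __name__ == "__main__":
    # The post's scenario: 2K SYN/s against an 8K-session table (assumed 30 s timeout).
    print("sustainable SYN/s:", sustainable_syn_rate(SMALL_FIREWALL, 30.0))
    print("seconds until full:", seconds_until_state_table_full(SMALL_FIREWALL, 2_000, 30.0))
    print("min-size pps on a 10 Mbps link:", pps_at_line_rate(10_000_000))
```

    The takeaway for sizing: with an 8K table and a 30 s half-open timeout the device can only ever sustain about 267 new half-open connections per second, far below its 2.8K sessions/sec setup figure.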

    I had a chat with my wife who audits financial institutions (FIs) based on the PCI-DSS standard. Most FIs providing payment card services will have to conform to this standard. This standard, however, mandates a firewall for compliance. Unfortunately, most FIs have a pretty average Internet connectivity pipe – somewhere in the range of 20Mbps to 100Mbps. They scale their firewalls to their connectivity, so what they have, well, closely resembles the one I described earlier.

    So why were firewalls invented?

    Early operating systems didn’t provide packet filtering capabilities, so the early firewalls were really just stateless packet filters that basically routed (not NAT’ed) traffic and dropped unwanted requests based on simple IP, protocol and port numbers to services that weren’t supposed to be public. Then the idea of NAT came about (remember the days of WinRoute) to allow multiple computers on a LAN to share a single IP address on a WAN link. Some smart guy then figured, “oh well, let’s put servers on a private subnet and use the NAT technology to map public and private address spaces. This way, we’re safer!” Arguably, that was the dumbest idea ever and is a PITA to manage, but millions of servers are configured this way today. Over time, these features were slowly incorporated into the all-in-one junkbox we now call the Firewall. Sweet.

    Personally, I don’t have a firewall sitting in front of my servers. All my servers are individually configured to run iptables (or ipfilter on Solaris, etc.). I am going to test the Linux TCP stack with Apache from a default CentOS install to see how much SYN flood it can hold up before giving up and maybe post some results here, including what I tweaked in the kernel.

  • Three Week Summary

    Renovation has officially completed; we made our final payment last Thursday and the final touches were done yesterday. All the furniture is in as well. Mode Studio didn’t screw up and delivered the remaining furniture as scheduled.

    I pay a lot of attention to detail and there were some minor issues with the renovation (as usual). Carpentry, plumbing and electrical works needed personal supervision but overall we rate our interior designer highly for their design creativity and project management. We are especially pleased with their flooring, painting and solid surface works.

    I’ve been very busy but I will post some photos of the completed work soon.

    Work as usual, hamsters are still alive and kicking. I’m trying to find some time to pick up my R/C hobby again as the sloping season’s back but my time has been all tied up by the house renovation. Cleaning a new house has proved to be quite a chore as the dust settles each day.

    I have also attempted cooking. BTW, it’s not exactly cheap for two persons to cook at home. Breakfast is easy but I haven’t been very successful with my first dinner dish. However, the wife makes nice Chinese soup dishes!

    It’s just one more month before the year comes to an end. Time to close yet another chapter and kick start 2010. It will be a very exciting new year!

  • Mode Studio and Red Apple Furniture Woes

    We bought furniture from Mode Studio, a subsidiary of Red Apple Furniture, on Aug 24, 2009. It has been exactly two months and we have yet to receive full shipment of our order.

    The initial delivery was expected before the end of September (one month from the date of order). When we called to confirm our delivery, the sales person denied having agreed to such a date and told us we would only receive our order by mid October. Our sales person then went MIA after the first week of October and we had to follow up with another guy.

    Our sofa and dining table arrived two weeks ago. We’re still waiting for our dining chair and coffee table. Oh, it’s the China holidays, it’s the bad weather, order’s not submitted, order went missing, communication problem, shipping delay, wrong container. It’s just excuses and delays after delays.

    Their logistics company called to schedule the remainder of our order to be delivered yesterday but I won’t be home, so I asked to have them shipped tomorrow morning.

    Anyway, there’s a thread in HardwareZone Forums discussing some other customers’ experience with Red Apple Furniture and I would recommend that you read it.

    This is what I wrote about my sales experience:

    I didn’t ask for a ridiculous discount. In fact, I was “offered” a package when I stepped in. A dining table, 4 chairs, L sofa and coffee table. All for approx $3.2k. Then the sales person added a GST after we agreed to the price. BTW, this is a sales gimmick. If you have ever visited my retail store www.whymobile.com, you will know that I am very familiar with these sales tricks especially in my trade. If you want more info, read the Mission Statement under “About Us”.

    Anyway, after giving them a weird face (I almost wanted to walk out), they said they will waive the delivery charge. IMHO, $3.2k is not a ridiculous price. You get about that kind of price for China made furniture everywhere. ($1.4k sofa, $800 dining table, $400 for 4 chairs, $400 for coffee table, with some spare change for delivery.) I credit them for better design but certainly if you were to compare Ikea’s prices, product quality and after-sales service, they’re nowhere near.

    Here’s another thread at RenoTalk.

    I never had a hiccup with Ikea’s logistics. Their products are of great quality considering the prices. I never really had an Ikea thing fail on me like many others said they would. I have a 10+ year old Ikea study table that is still straight and solid. Like Ikea furniture today, it was made of the same MBF 10 years ago. There’s also an Ikea bookshelf at the back of WhyMobile. It’s battered day in and day out in a busy retail store and it still stands straight.

    I’m happy to have spent over $2k on Ikea furniture for my new home with no hiccups at all. After all this fiasco, I declare myself a supporter of Ikea furniture and food.

    If you’re buying Ikea, don’t expect your $39 table to last a lifetime, duh. Buy something of higher quality at Ikea.

  • Flash Sites are Passé; The DOs and DON’Ts of Web Design

    I’m surprised to find Renoma Paris’s site (in English) made entirely out of Flash. While it took ages to load, it also played an annoying music that I couldn’t turn off unless I turned down my speakers.

    Once the page loaded, I was presented with a scrolling marquee of images. They were so small that I couldn’t figure out what they were, so I clicked on any random image that passes and it brought me to yet another page that required loading. I sat waiting and stared at the red squares in the middle of the screen as more of them appeared after several seconds.

    Frustrated, I closed my browser tab. I was on the site for barely two minutes.

    This is a classic example of how your site can literally drive people away. Try it yourself – go visit that site.

    Many business owners don’t understand that what they like to have on their own site isn’t necessarily what people want to see.

    Here’s some of my personal DOs and DON’Ts of web design.

    • DON’T use Flash for your entire site. It’s not only slow and heavy on a computer’s CPU, it doesn’t scroll well within a browser, it renders fonts differently from browsers making them difficult to read at times, the back and forward buttons don’t work, etc. The list of problems is endless. Oh, and did I mention that those Flash guys charge an arm and two legs? Don’t use Flash. Period.
    • DON’T embed audio into your pages. It might give an old lady a heart attack, or simply just piss young people off by distorting whatever Wonder Girls track they’re listening to at the moment.
    • DON’T use a splash page. They only serve to delay a user’s entrance into your site. 9 in 10 splash pages I’ve seen have no real purpose other than the intent to create a “grand entrance” to a site. People visit web sites in search for content and will gladly click on the first sight of an “ENTER” button.
    • DON’T upload full resolution photos and simply use the HTML width and height attributes to resize your images. Resize images using an image editing program like Adobe Photoshop or GIMP to achieve optimal image quality and file size.
    • DON’T underestimate the power of image compression. Choose wisely between GIF, JPEG and PNG compression and experiment to see which works best for you. GIF generally works well with text, JPEG works well with photos and PNG works well if transparency is involved. When used incorrectly, your images will not only look bad, they will also consume unnecessary storage and bandwidth.
    • DON’T pop shit windows up. It’s not only annoying but confusing. Open the next page in the same window – people know how to use the back button on the browser.
    • DON’T use FORM POSTs excessively. This is what most Java and ASP.NET developers don’t quite understand. FORM POSTs (or POSTBACKs) not only prevent the back button on the browser from working, they also prevent caches from doing their jobs.
    • DO engage a third party to check for grammar, spelling and content accuracy. Badly written content translates to a bad user experience.
    • DO test your web site over a real Internet connection at home to check its loading time. Most sites load in a split second over a LAN but not over the Internet.
    • DO read up on how to make your site cache friendly, especially if your site handles lots of traffic. ISPs spend tonnes of money on web caches to conserve their bandwidth and yet web caching is one of the most misunderstood technologies on the Internet. When your site is made cache friendly, ISP caches will greatly improve your users’ experience, especially if they are far away.
    • DO add more line spacing. It’s easier on the eyes.

    There’s much more to web design than this short list though. Here’s my golden rule – humans like control. Give it to them.

    On a side note, I provide consultation for web marketing. Feel free to drop me a (private) message.

  • Second Trip to Ikea

    Believe it or not, we spent $1,090.55 at Ikea last Saturday. This is our second trip to Ikea, so it’s almost $2,000 worth of Ikea stuff if we added up the first trip!

    I’ve decided to bring my Olympus DSLR along, so enjoy the photos that follow.

    Every Ikea trip starts with food…

    Meatball Spaghetti

    That’s Yanpo’s dish.

    Stuffed Salmon

    Dear’s dish.

    Swedish Meatballs

    I’m having the most popular dish at Ikea.

    Herring Plate

    Fish, to share. Unfortunately, I’m the only one who likes it.

    Fried Chicken Wings

    Who can resist these crispy, oily, golden brown wings.

    Feasting in Ikea

    Look at these guys. They’re certainly enjoying the good food.

    Last Three Balls

    The last of the balls before Yanpo had them all.

    HZ after a satisfying meal
    Dear's new hair!

    Yes! Dear got a new haircut on Friday. Looks so cute!

    After a very satisfying meal, we went on to shop till we almost dropped. Here’s what we got this round…

    • Another small table as an extension to the current one for the study room.
    • Another table lamp to go with the new table above.
    • A 1 x 4 bookshelf to go into the window recess in the study room.
    • Another 4 x 4 bookshelf for the study room.
    • A floor protector for the study room. Expensive but hopefully useful.
    • A wine rack! YES! More reasons to stockpile Shiraz at home.
    • An armchair. It should stay in the master bedroom for now.
    • A small TV console for the master bedroom.
    • A sturdy step-stool to reach higher places. This is VERY useful for $29.
    • A mirror for the common bathroom. Expensive.
    • A water jug for cold water.
    • A temporary coffee table, which will become my tool table next time. Pretty cool table for $17.
    • Dustbins for the rooms, kitchen and toilets.
    • Some toilet accessories.

    Three Trolleys of Goodies

    That’s a lot of stuff! The shelves and armchair are the most expensive stuff of them all. The others are less than $50 items.

    Finally, I’m getting a Wii to keep us entertained on weekends!

  • SingTel Misleads Customers with iPhone Tethering

    I’ve been having problems trying to establish PPTP VPNs using my iPhone over my SingTel 3G connection. After quite a bit of troubleshooting, I found out that using the e-ideas APN assigns the iPhone a private IP address. I switched to the internet APN and the VPN worked right away.

    However, when I switched to the internet APN, the tethering option disappeared. So either way, I can’t establish a VPN using my laptop. Effectively, this means I’m having a 3G service that doesn’t work.

    So, I called SingTel’s helpdesk at 1626.

    I asked if I could use the internet APN for tethering. They said I can’t, and gave me some bullshit about the internet APN being billed differently from e-ideas.

    I asked if they could file a complaint for VPN issues over the e-ideas APN and they were so quick to disclaim their responsibility the moment I mentioned VPN; quicker than you can finish saying “boomz!” In fact, the customer service dude told me to call Apple when it’s obvious this wasn’t Apple’s problem.

    VPNs are common in enterprises and I believe a lot of people out there need it to work. I cannot believe that SingTel would just disclaim responsibility to support VPN over the iPhone.

    Even worse, some users in the HardwareZone Forum found out that using the e-ideas APN caps your transfer rates. This is something that’s not made known publicly, so if you are going to buy an iPhone with the SingTel iFlexi plans, please be aware.

    This is not the first time SingTel has played punk with its customers. Last year, SingTel added Value Added Services (VAS) to customers’ accounts. The unaware customer gets the service free for a short period of time, and is then charged for it later.

    No, this is not the typical free service you get when you sign up for a new contract. SingTel actually added the services to existing customers!

    Such a business practice known as negative option billing is not only unethical, but also against IDA’s policies.

    When my wife called to cancel the service and asked for a refund, they rebutted and asked rudely if she had read her contract!

    I have already written a formal complaint to IDA, but have yet to receive a response from them.

    Think I whine a lot? Why not type SingTel Sucks into Google and read for yourself.