I will share a study based on incoming traffic to our darknet, which is just monitoring and discarding packets. So basically there is no user traffic, but we are still observing a lot of incoming traffic. Mostly it is scanning, but we also found many interesting activities.
The same might be happening to every Internet-facing host, and it's important to understand the current situation of the Internet.
1. Background noise of the Internet
Matsuzaki ‘maz’ Yoshinobu
<maz@iij.ad.jp>
bdNOG10 maz@iij.ad.jp 1
2. I receive a packet because it’s:
• A part of my communication (^_^)
• Something else (T_T)
• Those ‘something else’ are considered background noise of the Internet, mostly unwanted traffic.
• Every Internet facing host is receiving such packets
Today’s topic
3. PPP-EXP
• This study is conducted by the Pool Protection Project (PPP-EXP)
• PPP-EXP was started by IIJ and JPNIC to protect the JPNIC free IPv4 pool from abuse
• https://www.attn.jp/ppp/
• The setup
  • Announcing prefixes by AS2522
  • Monitoring and discarding packets to the prefixes
  • Simple zone file for the reverse zones
  • only SOA and NS (no PTR records)
4. Classifications of noises
• The sender is an initiator
  • Scanning
  • Virus spreading
  • Attacking
  • Some mistake
• The sender is a reflector
  • Victim of an IP spoofing attack
  • SYN flooding, etc.
  • Some mistake
5. The sender is an initiator
• Intentionally sending traffic to ‘us’
[Figure: sender = initiator]
6. The sender is a reflector
• The original sender sends an IP-spoofed packet to a host, and the host then sends a reply *back* to ‘us’
[Figure: sender = reflector; the source address of the packet is spoofed as ‘us’]
7. Disclaimer
• I don’t know the actual intent of the packets, so most of the reasons mentioned in these slides are my ‘guess’
• The fact
  • We receive some amount of packets on Internet facing hosts
• Guesses
  • Scanning
  • Reflections
  • Weird implementations
  • Mistake
8. The data
• Duration: 2019/01/10 00:00~24:00 (JST)
• Fully captured incoming packets toward the prefixes
  • many pcap files
  • about six hundred million packets
  • 2758 packets/host/day
14. A few hosts sending a lot of packets
• Ukrainian IP (31609992 packets)
  • TCP-SYN to TCP/1025-10000
• USA IP (10793632 packets)
  • TCP-SYN to TCP/52869
• Dutch IP (10572421 packets)
  • TCP-SYN to TCP/52869
• Hong Kong IP (7330971 packets)
  • TCP-SYN to TCP/3031 and 546 other ports
• Ireland, 8 IPs (total 51607564 packets)
  • TCP-SYN to TCP/53601-60800
16. Security services based on scanning results
• Many others, and each of them is scanning you
• More new services means more scanning packets to your network
17. Many hosts sending a few
[packet capture listing not recoverable from the slide]
They send UDP packets, and then send TCP-SYN to the same destination port
Probably... BitTorrent!
19. Many hosts sending a few
• There might be wrong node information in the P2P network.
  • Based on that, many hosts are trying to connect to the *nodes*
  • I guess the users of the senders are not aware of this
• Why such wrong node information?
  • Someone made a mistake in his/her configuration?
  • Someone is attacking the P2P network by injecting wrong nodes?
• The number of unique senders might indicate the number of P2P users
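The UDP-then-TCP-SYN pattern from slide 17 and the per-destination sender count from slide 19, as an added example that is not part of the talk: it correlates per-sender packet records, reports (src, dst, dport) triples where a TCP SYN followed a UDP packet to the same port, and then counts how many distinct senders show that pattern toward each destination port. The Packet record, the 30-second window, and the sample traffic (192.0.2.0/24 standing in for the darknet prefix, 198.51.100.0/24 for senders) are my assumptions and constructions.

```python
from collections import defaultdict
from typing import Dict, List, NamedTuple, Tuple

class Packet(NamedTuple):
    ts: float          # capture time in seconds
    src: str
    dst: str
    proto: str         # "udp" or "tcp"
    dport: int
    syn: bool = False  # TCP SYN flag

def udp_then_syn(packets: List[Packet], window: float = 30.0) -> Dict[Tuple[str, str, int], List[Tuple[float, float]]]:
    """Per (src, dst, dport): (udp_ts, syn_ts) pairs where the same sender sent a TCP SYN to the
    same destination port within `window` seconds after a UDP packet (the slide 17 pattern)."""
    udp_seen = defaultdict(list)
    hits = defaultdict(list)
    for p in sorted(packets, key=lambda q: q.ts):
        key = (p.src, p.dst, p.dport)
        if p.proto == "udp":
            udp_seen[key].append(p.ts)
        elif p.proto == "tcp" and p.syn:
            recent = [t for t in udp_seen[key] if 0 <= p.ts - t <= window]
            if recent:
                hits[key].append((recent[-1], p.ts))
    return dict(hits)

def wrong_node_candidates(packets: List[Packet], window: float = 30.0, min_senders: int = 3) -> Dict[Tuple[str, int], int]:
    """(dst, dport) pairs approached with the UDP-then-SYN pattern by at least `min_senders`
    distinct senders, with the sender count: a stale or injected node entry looks like this."""
    senders = defaultdict(set)
    for src, dst, dport in udp_then_syn(packets, window):
        senders[(dst, dport)].add(src)
    return {k: len(v) for k, v in senders.items() if len(v) >= min_senders}

# Constructed sample (not a capture from the talk): four senders show the pattern toward
# 192.0.2.77:6881; then a UDP-only probe, a SYN-only probe, and a SYN far outside the window.
SAMPLE = [
    Packet(100.0, "198.51.100.1", "192.0.2.77", "udp", 6881),
    Packet(103.0, "198.51.100.1", "192.0.2.77", "tcp", 6881, True),
    Packet(100.5, "198.51.100.2", "192.0.2.77", "udp", 6881),
    Packet(104.0, "198.51.100.2", "192.0.2.77", "tcp", 6881, True),
    Packet(101.0, "198.51.100.3", "192.0.2.77", "udp", 6881),
    Packet(105.0, "198.51.100.3", "192.0.2.77", "tcp", 6881, True),
    Packet(102.0, "198.51.100.4", "192.0.2.77", "udp", 6881),
    Packet(106.0, "198.51.100.4", "192.0.2.77", "tcp", 6881, True),
    Packet(110.0, "198.51.100.5", "192.0.2.77", "udp", 6881),
    Packet(111.0, "198.51.100.6", "192.0.2.77", "tcp", 6881, True),
    Packet(120.0, "198.51.100.7", "192.0.2.78", "udp", 51413),
    Packet(500.0, "198.51.100.7", "192.0.2.78", "tcp", 51413, True),
]
```

On a real capture, feed it the tuples extracted from the pcap (for example with tcpdump's text output parsed into Packet records) and raise min_senders to whatever makes sense for your sensor size.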
20. Packets distribution: Receiver
[Histogram: x-axis "The number of packets received by a host", y-axis "The number of occurrences". Average 2758 packets/host; a few hosts are receiving a lot]
21. A few hosts receiving most of the many packets from the many hosts
Probably by a P2P application based on wrong node information
[Two histograms: y-axis "The number of occurrences"; x-axes "The number of packets received by a host" and "The number of packets sent by a sender"]
22. Oh, yes. I see an IP6 (41) packet
[packet dump not recoverable from the slide]
The PTR record of the sender looks like an HTTP server -> www134.cs.uic.edu
Seems like it’s searching for a router
24. IP6 (41) 6to4 packet
[packet dump not recoverable from the slide]
25. 6to4 reflections
• Someone is using 6to4 with an IPv4 address from our prefix, and we got a reply
[Figure: a host using 6to4 with a wrong IPv4 address configuration, a 6to4 relay, and the reply arriving at us]
26. 6to4 reflections
• Guesses
  • A configuration error and a weird implementation made 6to4 enabled, and the host tried to access the Internet through it?
  • Someone using 6to4 space for IPv6 SYN-flooding?
• We also observe ‘ICMP6 TTL expired’ packets related to 6to4
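The 6to4 reflection from slides 22 to 26, as an added example that is not part of the talk: it decodes an IPv4 packet carrying protocol 41 (IPv6 in IPv4), reads the inner IPv6 header, extracts the IPv4 address embedded in a 6to4 destination (2002:AABB:CCDD::/48 encodes AA.BB.CC.DD), and flags the packet as a reply to someone who configured 6to4 with one of our addresses when that embedded address equals the outer destination and falls in our prefix. The sample packet, the darknet prefix 192.0.2.0/24, and the relay 192.88.99.1 (the 6to4 anycast relay address) are my constructions and assumptions.

```python
import ipaddress
import struct

IPPROTO_IPV6 = 41   # IPv4 protocol number for IPv6-in-IPv4; 6to4 packets arrive this way
ICMPV6 = 58         # inner next-header value for ICMPv6 (type 3 would be Time Exceeded, type 129 Echo Reply)

def embedded_ipv4(v6: str):
    """For a 6to4 address 2002:AABB:CCDD::/48 return 'AA.BB.CC.DD' (dotted decimal), else None."""
    addr = ipaddress.IPv6Address(v6)
    if addr not in ipaddress.IPv6Network("2002::/16"):
        return None
    return str(ipaddress.IPv4Address(addr.packed[2:6]))

def classify_proto41(pkt: bytes, our_prefix: str) -> dict:
    """Decode an IPv4 packet; if it carries IPv6, report the inner addresses and whether the
    inner 6to4 destination embeds the outer destination, i.e. a 6to4 reply aimed at one of us."""
    vihl, _, total_len, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    inner = pkt[(vihl & 0x0F) * 4:total_len]
    if proto != IPPROTO_IPV6 or len(inner) < 40 or inner[0] >> 4 != 6:
        return {"kind": "not-6in4"}
    outer_dst = str(ipaddress.IPv4Address(dst))
    next_hdr = inner[6]                     # IPv6 next header sits at offset 6
    result = {"kind": "other-6in4", "relay": str(ipaddress.IPv4Address(src)),
              "v6_src": str(ipaddress.IPv6Address(inner[8:24])),
              "v6_dst": str(ipaddress.IPv6Address(inner[24:40])), "next_header": next_hdr,
              "icmp6_type": inner[40] if next_hdr == ICMPV6 and len(inner) > 40 else None}
    emb = embedded_ipv4(result["v6_dst"])
    if emb == outer_dst and ipaddress.IPv4Address(outer_dst) in ipaddress.IPv4Network(our_prefix):
        result["kind"] = "6to4-reply-to-our-prefix"
    return result

def build_sample() -> bytes:
    """Constructed packet (not from the talk): the 6to4 relay 192.88.99.1 delivers an ICMPv6
    echo reply from 2001:db8::1 to 2002:c000:20a::1, whose embedded IPv4 is 192.0.2.10."""
    icmp6 = bytes([129, 0, 0, 0, 0, 1, 0, 1])        # echo reply; checksum left zero
    inner = (struct.pack("!IHBB", 0x60000000, len(icmp6), ICMPV6, 64)
             + ipaddress.IPv6Address("2001:db8::1").packed
             + ipaddress.IPv6Address("2002:c000:20a::1").packed + icmp6)
    outer = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(inner), 0, 0x4000, 64,
                        IPPROTO_IPV6, 0, ipaddress.IPv4Address("192.88.99.1").packed,
                        ipaddress.IPv4Address("192.0.2.10").packed)
    return outer + inner

if __name__ == "__main__":
    print(classify_proto41(build_sample(), "192.0.2.0/24"))
```

On a darknet every such match is a reflection by definition, since nobody at the embedded address ever sent the original IPv6 packet; the inner source tells you which IPv6 host was contacted with our address.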
27. Sudden traffic
• 300Mbps toward a single destination
• Many sources from different countries and economies
• UDP, random source and destination port
• Don’t fragment, 1052 bytes
28. The sudden traffic
• Firstly I assumed a P2P, but it looked strange
  • I couldn’t feel the intent of ‘communication’ from the payloads
  • That’s just my feeling
• So I counted
  • The byte distribution of the payload
31. Analysis of the sudden traffic
• The payload is totally random
  • No intention for communication
• OK, I suppose this is a DDoS attack
  • But to a destination that is not serving anything?
  • Just a mistake?
• Lesson learned
  • Without any particular reason, sometimes you suddenly become a target of DDoS
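The byte-distribution check from slides 28 and 31, as an added example that is not part of the talk: it counts the byte values of a payload, computes Shannon entropy and a chi-square statistic against a uniform distribution, and labels the payload 'random' (no structure that could carry a message) or 'structured'. The thresholds, the seeded pseudo-random 1052-byte payload, and the BitTorrent DHT ping sample are my assumptions and constructions.

```python
import math
import random
from collections import Counter

def shannon_entropy(payload: bytes) -> float:
    """Bits per byte: 8.0 for perfectly uniform bytes, much lower for text or protocol headers."""
    n = len(payload)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(payload).values())

def chi_square_uniform(payload: bytes) -> float:
    """Chi-square of the byte histogram against a uniform distribution (255 degrees of freedom)."""
    n = len(payload)
    expected = n / 256
    counts = Counter(payload)
    return sum((counts.get(b, 0) - expected) ** 2 / expected for b in range(256))

def classify_payload(payload: bytes, entropy_min: float = 7.5, chi_max: float = 400.0) -> str:
    """'random' when the bytes look uniformly distributed, 'structured' otherwise.
    Thresholds are assumptions for ~1 KB payloads: uniform data scores chi-square about
    255 +/- 23, so 400 lies far outside its tail; tune them on your own traffic."""
    if not payload:
        return "empty"
    if shannon_entropy(payload) >= entropy_min and chi_square_uniform(payload) <= chi_max:
        return "random"
    return "structured"

def top_bytes(payload: bytes, k: int = 3):
    """The k most frequent byte values with their counts: a quick look at what structure exists."""
    return Counter(payload).most_common(k)

# Constructed samples (not captures from the talk).
# RANDOM_PAYLOAD mimics the sudden traffic: 1052 bytes from a seeded PRNG, reproducible but
# byte-wise uniform like the observed payloads.
_rng = random.Random(20190110)
RANDOM_PAYLOAD = bytes(_rng.getrandbits(8) for _ in range(1052))
# DHT_PING follows the BitTorrent DHT "ping" query format (BEP 5 bencoding) with a made-up
# 20-byte node id: real peer-to-peer chatter has visible structure.
DHT_PING = b"d1:ad2:id20:" + b"A" * 20 + b"e1:q4:ping1:t2:aa1:y1:qe"

if __name__ == "__main__":
    for name, data in (("sudden traffic", RANDOM_PAYLOAD), ("DHT ping", DHT_PING)):
        print(name, classify_payload(data), round(shannon_entropy(data), 2), top_bytes(data))
```

Run it over the UDP payloads of a suspect flow and a payload set that classifies as random across many sources is the signature the slide describes; encrypted or compressed application data also scores high, so treat the label as a prompt for a closer look rather than proof.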
32. There was this kind of packet as well..
[packet dump not recoverable from the slide]
33. Summary
• We have background noise on the Internet (IPv4)
• Malicious activities are observed
  • Yes, of course
• Security service providers are also scanning you
• Some other non-intentional or after-effect-ish activities are also happening on the Internet
• If you are unlucky, you might receive many packets without any particular reason