Jason Rahm

Come Join DevCentral for the Seattle DotNetNuke User Group Meeting

Jason Rahm — Thu, 02 Feb 2012 16:07:20 GMT

If you didn’t know, the DevCentral platform runs on DotNetNuke, the leading open source ASP.Net CMS. It’s a great development platform for turning out rich sites, and we’re excited to be hosting the next Seattle DNN User Group meeting next Wednesday, February 8th, beginning at 6pm at 401 Elliot Ave West, Seattle, WA.

Agenda

6:00 - Arrive Sign in
6:10 - Tour F5 facilities
6:30 – Presentation Begins

Steven – Introductions and DC/DNN Overview
April – Managing a Community
Jason – Overview of the infrastructure we run

7:20 – Q & A
7:30 – Social Hour – Buckley’s

We’re super excited to be involved in this next DNN user group, hope to see you there!

Technorati Tags: F5 DevCentral,DotNetNuke,DNN,Seattle DNN User Group,Buckley's

Juice-Jacking Revisited

Jason Rahm — Tue, 31 Jan 2012 16:22:09 GMT

It’s a crazy world out there. I ran (well, by “ran” I mean jogged slowly enough to pass the old ladies on the track) this morning at the YMCA, lifted weights for a little while, and then hit the elliptical for 20 minutes before heading home. My gym’s ellipticals have the Nike+ package where you can store your workouts on your iPhone/iPod, and without thinking I jacked in. Approximately 38 ms later (my internal meter is not calibrated) I facepalmed and disconnected my iPhone in shame. Have I learned nothing?

Turns out, after closer inspection, the cable was a standard cable plugged into a standard elliptical trainer, but I didn’t inspect it initially. I just trusted that everything was as it should be. Josh wrote about this trust back in December. This offense, of course, would be fine if it was my iPod, which holds nothing of value on it. But my iPhone? Well, it has quite a bit more I’d rather not share with Mr. or Mrs. Hacker. So what am I worried about?

Juice-Jacking is another physical security attack vector. With smartphones battery charging capabilites tied also to the data access port, any maliciously minded individual could stand up a charging booth, offer it up for free, and the lambs would willingly head to the slaughter. As power surges into their batteries, their data surges into the hands of the enemy. Such was the case at DefCon this year, where at least 360 attendees, made acutely aware of connecting in any way to anything within a 2 mile radius of the conference, still powered up. Brian Krebs had a good post-DefCon write-up on Juice-Jacking you should check out. Be careful out there.

Technorati Tags: F5 DevCentral,Security,Juice-Jacking,Jason Rahm,Josh Michaels

BIG-IP Configuration Object Naming Conventions

Jason Rahm — Mon, 28 Nov 2011 23:19:02 GMT

George posted an excellent blog on hostname nomenclature a while back, but something we haven’t discussed much in this space is a naming convention for the BIG-IP configuration objects. Last week, DevCentral community user Deon posted a question on exactly that. Sometimes there are standards just for the sake of having one, but in most cases, and particularly in this case, having standards is a very good thing. Señor Forum, hoolio, and MVP hamish weighed in with some good advice.

[app name]_[protocol]_[object type]

Examples:

www.example.com_http_vs
www.example.com_http_pool
www.example.com_http_monitor

As hoolio pointed out in the forum, each object now has a description field, so the metadata capability is there to establish identifying information (knowledge base IDs, troubleshooting info, application owners), but having an object name that is quickly searchable and identifiable to operational staff is key. Hamish had a slight alternative format for virtuals:

[fqdn]_[port]

For network virtuals, I’ve always made the network part of the name, as hamish also recommends in his guidance:

network VS's tend to be named net-net.num.dot.ed-masklen. e.g. net-0.0.0.0-0 is the default address. Where they conflict (e.g. two defaults depending on src clan, it gets an extra descriptor between net- and the ip address. e.g. net-wireless-0.0.0.0-0 (Default network VS for a wireless VLAN). I don't currently have any network VS's for specific ports. But they'd be something like net-0.0.0.0-0-port

Your Turn

What standards do you use? Share in the comments section below, or post to the forum thread.

Technorati Tags: F5 DevCentral,Standards,Nomenclature,BIG-IP,George Watkins,Jason Rahm,hoolio,hamish

Stop that F5 Key From Refreshing the Page

Jason Rahm — Wed, 16 Nov 2011 22:08:23 GMT

No, not “us” F5, the F5 key on the keyboard. You know, the one you hit relentlessly to refresh the page (well, the one I hit relentlessly during NFL games to update my fantasy football stats). Anyway, I was perusing the forums today, trying to catch up from a week attending our very excellent annual sales conference, and I noticed a thread that had to be shared.

The Question

Is there a way of preventing users from using the F5 button to refresh a web page? – DevCentral user ringoseagull (nice handle, btw!)

The Solution

F5er and very active forum patrolman nitass posted back within 30 minutes with a solution, featuring iRules of course! We’ve seen javascript insert iRules before, but this is a pretty handy use case, so I thought I’d share.

when HTTP_REQUEST {
STREAM::disable
if {[HTTP::version] eq "1.1"} {
    if { [HTTP::header is_keepalive] } {
      HTTP::header replace "Connection" "Keep-Alive"
    }
    HTTP::version 1.0
}
}
when HTTP_RESPONSE {
if {[HTTP::header Content-Type] starts_with "text/"} {
    STREAM::expression "@</\[Hh]\[Ee]\[Aa]\[Dd]>@<script language=javascript>function document.onkeydown() { if (event.keyCode==116) { event.keyCode=0; event.cancelBubble=true; return false; } }</script></head>@"
    STREAM::enable
}
}
when STREAM_MATCHED {
STREAM::disable
}

This iRule uses the stream profile to find the head tag and insert the javascript necessary to control the F5 keycode behavior. Curl testing shows the javascript successfully delivered:

[root@ve1023:Active] config # curl -i http://172.28.65.152
HTTP/1.1 200 OK
Dat e: Fri, 11 Nov 2011 15:24:33 GMT
Server: Apache/2.2.3 (CentOS)
Last-Modified: Fri, 11 Nov 2011 14:48:14 GMT
ETag: "4183e4-3e-9c564780"
Accept-Ranges: bytes
Connection: close
Content-Type: text/html; charset=UTF-8

<html>
<head><script language=javascript>function document.onkeydown() { if (event.keyCode==116) { event.keyCode=0; event.cancelBubble=true; return false; } }</script></head>
<body>
This is 101 host.
</body>
</html>

Nice work, nitass!

Related Articles

Technorati Tags: F5 DevCentral,iRules,Jason Rahm

BSidesMO Wrap-up

Jason Rahm — Tue, 25 Oct 2011 14:41:46 GMT

Last Friday I attended my first BSides event in Missouri’s capitol (literally in the capitol building!) Jefferson City. The BSides community exists to bring fellow security practitioners together to present and participate in a small-scale environment that encourages collaboration. I’m not the outgoing sort and I generally like to fade into the background and just learn, but this environment really lends itself well to establishing relationships with others. There were quite a few St Louis based individuals and the chatter is already taking off for setting up a BSides event closer to home in the Spring. Two tracks were offered at BSidesMO; I chose track 2. A brief review of a few of my favorite talks follows below. Many thanks to Jerry Gamblin (@jgamblin), Randy Raw (@randyraw), & Beth Young (@bethayoung) for putting on a great show.

The Evolution of Malware – Chris Quinn

I don’t spend any time studying malware, but I spend quite a bit of time cleaning it up. This talk was pretty eye opening on several levels. The increase of viruses (250k in 2007 –> 286M in 2010) is a shocking display of slope. The growth is primarily attributed to the mutating nature of most of the new viruses, targeting only a few dozen before mutating again. That narrowing of focus in targeting victims kind of reminds me of the scene in Jurassic Park where one of the raptors lays as bait while the other hides in the bushes ready to pounce: Clever Girl! The real payoff of the talk, however, was the discussion on Stuxnet. Some high level details on design:

Used seven distinct mechanisms to spread, six of which leveraged 0-day vulnerabilities)
Comprised of 15 modules
Five mechanisms to conceal itself
reprograms industrial PLCs w/ 10k lines of code (10k!)
rootkits for windows PC and the PLC
used two stolen certificates to sign its files making them look legitimate

For systems infected without the appropriate configuration, the virus did nothing. Otherwise, it would collect telemetry data for days and then replay to monitoring systems while then controlling the PLCs at will. Amazing stuff. Bruce Schneier has a nice summary of the knowns/unknowns (at time of writing), and you can read Symantec’s comprehensive dossier on the subject as well.

Make the World Go Away – Beth Young

Beth’s talk focuses on reducing your threat landscape. She discussed inbound reduction techniques like blocking ip ranges from areas of the world that would have no business accessing a particular resource. This was interesting as the legwork required to build this yourself and implement on the firewalls is fairly cumbersome, but worthwhile. F5 customers can tap the built-in Quova geo-location services in BIG-IP LTM to stop requests at the door using the iRules whereis command, performing the same function in minutes what probably took Beth and her team a considerably longer time to achieve. The most interesting part of the talk concerned protecting internal users and in turn the organization by poisoning the DNS for known bad domains. This is done either by routing said requests to a bit bucket (IP based) or redirecting the requests to an alternative web-server for stats collection and remediation (name based). Both are intriguing, and I expect I’ll write this solution up utilizing F5 gear in the next few weeks.

Web Exploitation Trends – Larry Battle

Larry had some great information, a lot of which was similar to Chris Quinn’s, so I won’t rehash that. The social engineering discussion was engaging, however. I don’t recall the place (Surprise Valley, Sunrise Valley?) but Larry described a place in Idaho that had an entire real-estate website for people wanting to relocate there, only the place didn’t even exist. The entire site was a scam, and when you clicked on the videos, a flash “upgrade” would be presented, at which time it appeared flash was updating (with real-looking flash screens) but actually malware was being downloaded instead. The craftiness of these criminals is amazing. The other uncool but fascinating part was the “You have a virus, pay $25 and we’ll clean it” scam. I always go straight to task manager and kill the processes as soon as these pop-up, but I wasn’t aware that they aren’t malware in the sense that they do damage to your system. It’s really just a scare tactic to get you to spend $25. The whole thing is a ruse, and does nothing to infect or clean your system. Fascinating stuff.

Related Articles

Technorati Tags: F5 Devcentral,BSides,BSidesMO,Chris Quinn,Beth Young,Larry Battle,Jerry Gamblin,Randy Raw,Jason Rahm,malware,security

Back in the Saddle

Jason Rahm — Mon, 01 Aug 2011 14:34:48 GMT

July was a busy month. I took the first three weeks off and drove much of what’s left of the “mother road” on Historic Route 66.with the family, our Ford Expedition, and way too many nights in our 31’ travel trailer. Great memories and stories for a lifetime out of that trip. I was home long enough to unpack, do laundry, and repack for a great week in Chicago with the DevCentral team. On Monday, we had a great time diving in to F5 technology goodness with the MVPs (and hoolio and Chris Miller!) at the Thinkubator. It was a great meeting place with a rooftop deck accessible only by a spiral staircase. The view of downtown was amazing:

It’s a good thing we all like each other ‘cause we spent the whole day together—three meals and some great content along the way. I particularly enjoyed the lightning talks from the MVPs, but the content from our product development/product management teams was great as well. Tuesday, THE Colin Walker and I taught a “Short Course” (7 hours!) on iRules and had a great session. The F5 Agility conference took place Wednesday and Thursday and the DevCentral booth was hopping with video interviews throughout. Check out DCTV for a great variety of partner/MVP interviews.

Anyway, circling back to my title for this post: I’m back in the saddle, baby. It’s a new week, a new month, and a new era for F5 with the announcement of BIG-IP v11. We here at DevCentral are getting the gears turning on all the content coming your way. There will be plenty, as there is an astounding amount of innovation coming in this release. I’m super excited, as are all the folks I’ve talked to that evaluated v11 during the beta windows. Much to learn, much to do, so I’m signing off for now…

Technorati Tags: F5 DevCentral,MVP,Thinkubator,BIG-IP,iRules,BIG-IP v11,Jason Rahm

So Yeah, Regex is Bad

Jason Rahm — Wed, 22 Jun 2011 21:12:00 GMT

Don’t get me wrong, regex is awesome, and entirely useful—sometimes it’s the only option, it’s just not the best tool of choice for wire speed applications. Often the sys-admin and network type converts to BIG-IP will find the regexp tcl command and go that route because it’s familiar. If that describes you, please let me introduce you to a couple more appropriate commands:

scan
string

These two commands will cover a great percentage of regexp’s use cases, and will save significant resources on the system. Don’t buy it? Here’s an example:

% set ip "10.10.20.200"

10.10.20.200

% time { scan $ip {%d.%d.%d.%d} a b c d} 10000

2.1713 microseconds per iteration

% time {regexp {([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})} $ip matched a b c d} 10000

34.2604 microseconds per iteration

Two approaches, same result. The time to achieve that result? The scan command bests regexp by far. I’ll save you the calculation…that’s a 93.7% reduction in processing time. 93.7 percent! Now, mind you, the difference between 2 and 34 microseconds will be negligible to an individual request’s response time, but in the context of a single system handling hundreds of thousands or even millions of request per second, the difference matters. A lot.

Thanks to (who else?) hoolio for the example. For other optimization considerations, check out the iRules Optimization 101 series.

Related Articles

Technorati Tags: F5 DevCentral,regex,regexp,scan,string,tcl,iRules,performance,Jason Rahm

Changing the BIG-IP Default Syslog-NG Facilities

Jason Rahm — Mon, 20 Jun 2011 15:44:26 GMT

DevCentral community member geffr had a problem. The BIG-IP Application Security Manager module logs to the local3 facility but he needs to send them to the local7 facility on a remote server. Before giving up entirely, he posted to this thread in the Monitoring & Management group forum, where user nitass helped him jump through the syslog-ng hoops (click here for tips & tricks on syslog-ng) to the working solution posted below. It’s pretty straight forward. Define a template, a filter, and a destination, and then put the pieces together in a log statement.

b syslog include '"

filter f_local3a {
facility(local3);
};

template t_asm {
template(\"<190> $MSGHDR$MSG\n\");
template_escape(no);
};

destination d_loghost5a {
udp(\"2.2.2.2\" port (514) template(t_asm));
};

log {
source(local);
filter(f_local3a);
destination(d_loghost5a);
};

"'

Note: The b syslog include ‘ “ “ ‘ wrapper around the custom configuration is merely for importing the configuration, it’s note part of the configuration itself.

Related Articles

LTM 9.4.2+: Custom Syslog Configuration > DevCentral > F5 ...

setting up syslog? - DevCentral - F5 DevCentral > Community ...

DevCentral Wiki: Syslog NG Email Configuration

Configuring syslog-ng to email messages > DevCentral > F5 ...

Syslog Priority Translation > DevCentral > F5 DevCentral > Tech Tips

Deb Allen - syslog

Customizing syslog-ng f_local0 filter - DevCentral - F5 DevCentral ...

Syslog locally and remote with specific facility level ...

Duplicate syslog traffic to multiple destinations - DevCentral ...

Custom syslog-ng facility - DevCentral - F5 DevCentral > Community ...

Technorati Tags: F5 DevCentral,BIG-IP,ASM,Application Security Manager,syslog,syslog-ng,Jason Rahm

Hosting Sorry, Error, or Maintenance Pages on BIG-IP LTM with iRules

Jason Rahm — Wed, 15 Jun 2011 01:04:50 GMT

I’ve posted on this before (Host that Sorry Page on your BIG-IP!) but it’s been a while and there have been a few updates. Besides, narrowing the application to only sorry pages is a bit myopic—I’m sure my BIG-IP is offended that I treated it so callously. Anyway, I got an inquiry a week or so ago about the images in tables not being picked up by the script. The images in the table were referenced as such:

#<table background="genericofflinebackground.gif" align="center" width="1024" height="768" >

I reached out to the author, Kirk Bauer, and he gave me some pointers as where to look. There’s a function in the perl script that parses the html to look for items of interest:

sub start {
my ($self, $tag, $attr, $attrseq, $origtext) = @_;
# print out original text
if ($tag eq 'img') {
if ($attr->{'src'}) {
$attr->{'src'} = &handle_object($tag, 'src', $attr->{'src'});
}
}

Modifying the if ($tag..) conditional to match the table wasn’t that hard at all:

sub start {
my ($self, $tag, $attr, $attrseq, $origtext) = @_;
# print out original text
if ($tag eq 'img') {
if ($attr->{'src'}) {
$attr->{'src'} = &handle_object($tag, 'src', $attr->{'src'});
}
}
if ($tag eq 'table') {
if ($attr->{'background'}) {
$attr->{'background'} = &handle_object($tag, 'background', $attr->{'background'});
}
}

That solved problem number one. The second problem with the script was that it wasn’t asking about partition preference, rather it just dumped the iRule and datagroups into the last partition defined in bigip.conf. This was strange, as the code to handle partitions was in place:

my @partitions;
open (CONF, "/config/bigip.conf") or die "Could not read /config/bigip.conf: $!\n";
while (my $line = <CONF>) {
if ($line =~ /^partition (.+) {/) {
push @partitions, $1;
}
}

The problem is that the regex is trying to match “partition <my partition> {“ and that is (at least in 10.2.1 HF3) no longer in the bigip.conf file. It has been moved to bigip_sys.conf. Updating the code as shown below solved the issue and now the user is asked for the appropriate partition and the iRule and datagroup gets deployed as expected.

my @partitions;
open (CONF, "/config/bigip_sys.conf") or die "Could not read /config/bigip_sys.conf: $!\n";
while (my $line = <CONF>) {
if ($line =~ /^partition (.+) {/) {
push @partitions, $1;
}
}

For the full script, head to the iRules wiki entry LTM Maintenance Page Generator and grab version 2.2.

Related Articles

Host that Sorry Page on your BIG-IP!

about i-rule sorry page configuration - DevCentral - F5 DevCentral ...

DevCentral Wiki: Automatic_maintenance_page___ Sorry_page_with_images

DevCentral Wiki: Sorry Page I Rule Generator_ Perl

DevCentral Wiki: LTM Maintenance Page Generator

DevCentral Wiki: CodeShare

Sorry Page when Severs are down - DevCentral - F5 DevCentral ...

Site Dwon Page form https virtual server - DevCentral - F5 ...

Technorati Tags: F5 DevCentral,sorry page,error page,maintenance page,perl,iRules,Jason Rahm,Kirk Bauer

Removing A Strange HTTP Header with iRules

Jason Rahm — Tue, 31 May 2011 20:24:33 GMT

User Ralph Hoflich dropped an interesting problem off in the forums for his first post evah…he had a wireshark capture with a highly unusual header name:

Yes, the header name was “:”. This is interesting as it is also the separator in headers between the field name/value pair as described in rfc 2616 section 4.2. Thankfully, it’s just another character and is parsed out as such with iRules. So the simple task of removing a header like this is completed painlessly (as Ralph suspected in his own question). I added a couple logging statements to check before/after request headers:

when HTTP_REQUEST {

log local0. "[HTTP::header names]"

HTTP::header remove :

}

when HTTP_REQUEST_SEND {

clientside {

log local0. "[HTTP::header names]"

}

}

The HTTP::header remove command will not error out if the header isn’t present, so there’s no need for a conditional check.

Testing

From the browser, I couldn’t generate the load as desired with the Firefox modify headers plugin, but I was able to insert the header with cURL:

root@jrahm-dev:~# curl -v -H ':: /r/n' http://10.10.20.50/
* About to connect() to 10.10.20.50 port 80 (#0)
* Trying 10.10.20.50... connected
* Connected to 10.10.20.50 (10.10.20.50) port 80 (#0)
> GET / HTTP/1.1
> User-Agent: curl/7.19.7 (x86_64-pc-linux-gnu) libcurl/7.19.7 OpenSSL/0.9.8k zlib/1.2.3.3 libidn/1.15
> Host: 10.10.20.50
> Accept: */*
> :: /r/n
>
< HTTP/1.1 200 OK
< Date: Tue, 31 May 2011 20:02:57 GMT
< Server: Apache/2.2.14 (Ubuntu)
< Last-Modified: Thu, 24 Jun 2010 14:26:22 GMT
< ETag: "381fef-b1-489c77054eef8"
< Accept-Ranges: bytes
< Content-Length: 177
< Vary: Accept-Encoding
< Content-Type: text/html
< X-Pad: avoid browser bug
<
<html><body><h1>It works!</h1>
<p>This is the default web page for this server.</p>
<p>The web server software is running but no content has been added, yet.</p>
</body></html>
* Connection #0 to host 10.10.20.50 left intact
* Closing connection #0

And the resulting log statements:

May 31 15:27:45 local/tmm info tmm[4972]: Rule header_remove <HTTP_REQUEST>: User-Agent Host Accept :
May 31 15:27:45 local/tmm info tmm[4972]: Rule header_remove <HTTP_REQUEST_SEND>: User-Agent Host Accept

Update – hoolio pointed out my error above with the slashes facing the wrong way and that the CRLF wouldn’t technically be part of the field value. He recommended an alternative approach (to the same results)

[root@golgotha:Active] config # echo -e "GET / HTTP/1.0\r\nHost: test\r\n: \r\nConnection: close\r\n\r\n" | nc 10.10.20.50 80
HTTP/1.1 200 OK
Date: Tue, 31 May 2011 23:15:00 GMT
Server: Apache/2.2.14 (Ubuntu)
Last-Modified: Thu, 24 Jun 2010 14:26:22 GMT
ETag: "381fef-b1-489c77054eef8"
Accept-Ranges: bytes
Content-Length: 177
Vary: Accept-Encoding
Connection: close
Content-Type: text/html

<html><body><h1>It works!</h1>
<p>This is the default web page for this server.</p>
<p>The web server software is running but no content has been added, yet.</p>
</body></html>

And the updated results:

May 31 18:39:50 local/tmm info tmm[4972]: Rule header_remove <HTTP_REQUEST>: Host : Connection
May 31 18:39:50 local/tmm info tmm[4972]: Rule header_remove <HTTP_REQUEST_SEND>: Host Connection

Related Articles

I am in your HTTP headers, attacking your application

DevCentral Wiki: HTTP::header

Working around client-side limitations on custom HTTP headers

Add http header of Server IP address? - DevCentral - F5 DevCentral ...

Syntax for http header manipulation - DevCentral - F5 DevCentral ...

iRule persistance based on HTTP header - DevCentral - F5 ...

redirect base on HTTP header - DevCentral - F5 DevCentral ...

http header inserts - DevCentral - F5 DevCentral > Community ...

Error on HTTP::header insert - DevCentral - F5 DevCentral ...

Technorati Tags: F5 DevCentral,iRules,HTTP::header,Jason Rahm