Jason Rahm - Jason's Blog

Thursday, February 02, 2012


If you didn’t know, the DevCentral platform runs on DotNetNuke, the leading open source ASP.Net CMS. It’s a great development platform for turning out rich sites, and we’re excited to be hosting the next Seattle DNN User Group meeting next Wednesday, February 8th, beginning at 6pm at 401 Elliot Ave West, Seattle, WA.

Agenda

  • 6:00 – Arrive, sign in
  • 6:10 – Tour F5 facilities
  • 6:30 – Presentation begins
    • Steven – Introductions and DC/DNN overview
    • April – Managing a community
    • Jason – Overview of the infrastructure we run
  • 7:20 – Q & A
  • 7:30 – Social hour – Buckley's

We’re super excited to be involved in this next DNN user group, hope to see you there!

Tuesday, January 31, 2012


It’s a crazy world out there. I ran (well, by “ran” I mean jogged slowly enough to pass the old ladies on the track) this morning at the YMCA, lifted weights for a little while, and then hit the elliptical for 20 minutes before heading home. My gym’s ellipticals have the Nike+ package where you can store your workouts on your iPhone/iPod, and without thinking I jacked in. Approximately 38 ms later (my internal meter is not calibrated) I facepalmed and disconnected my iPhone in shame. Have I learned nothing?

Turns out, after closer inspection, the cable was a standard cable plugged into a standard elliptical trainer, but I didn’t inspect it initially. I just trusted that everything was as it should be. Josh wrote about this trust back in December. This offense, of course, would be fine if it was my iPod, which holds nothing of value on it. But my iPhone? Well, it has quite a bit more I’d rather not share with Mr. or Mrs. Hacker. So what am I worried about?

Juice-jacking is another physical-security attack vector. Because a smartphone charges through the same port it uses for data, anyone with bad intentions can stand up a free charging booth and the lambs will willingly head to the slaughter: as power surges into their batteries, their data surges into the hands of the enemy. Such was the case at DefCon this year, where at least 360 attendees, acutely aware that connecting anything to anything within a two-mile radius of the conference was a bad idea, still plugged in. Brian Krebs had a good post-DefCon write-up on juice-jacking you should check out. The defence is mundane: carry your own wall adapter, or use a cable or adapter that carries power and not data, and treat any cable you didn’t bring yourself as untrusted. Be careful out there.

Monday, November 28, 2011


George posted an excellent blog on hostname nomenclature a while back, but something we haven’t discussed much in this space is a naming convention for the BIG-IP configuration objects. Last week, DevCentral community user Deon posted a question on exactly that. Sometimes there are standards just for the sake of having one, but in most cases, and particularly in this case, having standards is a very good thing. Señor Forum, hoolio, and MVP hamish weighed in with some good advice.

[app name]_[protocol]_[object type]

Examples:

www.example.com_http_vs
www.example.com_http_pool
www.example.com_http_monitor

As hoolio pointed out in the forum, each object now has a description field, so the metadata capability is there to hold identifying information (knowledge base IDs, troubleshooting info, application owners), but an object name that operational staff can search for and recognize at a glance is key. Hamish had a slightly different format for virtuals:

[fqdn]_[port]

For network virtuals, I’ve always made the network part of the name, as hamish also recommends in his guidance:

Network VSs tend to be named net-net.num.dot.ed-masklen, e.g. net-0.0.0.0-0 is the default address. Where they conflict (e.g. two defaults depending on src VLAN), it gets an extra descriptor between net- and the IP address, e.g. net-wireless-0.0.0.0-0 (default network VS for a wireless VLAN). I don't currently have any network VSs for specific ports, but they'd be something like net-0.0.0.0-0-port.
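A small linter for these forms, added here as an example (my code, not anything from the thread or from BIG-IP): it checks names against the three patterns above and reports the ones that fit none. The allowed object-type suffixes, the lowercase-only rule and the exact regexes are my assumptions about the convention, so adjust them to your own.

```python
import re

# Added example: a linter for the naming forms discussed in the thread.
# The suffix list, lowercase rule and exact patterns are assumptions.
APP_OBJECT = re.compile(
    r"^(?P<app>[a-z0-9][a-z0-9.-]*)_(?P<protocol>[a-z0-9]+)"
    r"_(?P<type>vs|pool|monitor|profile|irule|snatpool)$"
)
FQDN_PORT_VS = re.compile(r"^(?P<fqdn>[a-z0-9][a-z0-9.-]*)_(?P<port>\d{1,5})$")
# hamish's network-virtual form: net-[descriptor-]a.b.c.d-masklen[-port]
NETWORK_VS = re.compile(
    r"^net-(?:(?P<descriptor>[a-z0-9]+)-)?"
    r"(?P<network>\d{1,3}(?:\.\d{1,3}){3})-(?P<masklen>\d{1,2})"
    r"(?:-(?P<port>\d{1,5}))?$"
)
FORMS = (("app", APP_OBJECT), ("fqdn_port", FQDN_PORT_VS), ("network", NETWORK_VS))


def classify(name):
    """Return (form, fields) for a conforming name, or (None, {}) otherwise."""
    for form, pattern in FORMS:
        m = pattern.match(name)
        if not m:
            continue
        f = m.groupdict()
        # The patterns only check shape; enforce the numeric ranges here.
        if f.get("port") is not None and not 0 < int(f["port"]) <= 65535:
            return None, {}
        if f.get("masklen") is not None and int(f["masklen"]) > 32:
            return None, {}
        if f.get("network") and any(int(o) > 255 for o in f["network"].split(".")):
            return None, {}
        return form, f
    return None, {}


def lint(names):
    """Names that match none of the conventions, in input order."""
    return [n for n in names if classify(n)[0] is None]


if __name__ == "__main__":
    sample = ["www.example.com_http_vs", "www.example.com_http_pool",
              "www.example.com_443", "net-wireless-0.0.0.0-0",
              "net-0.0.0.0-0-80", "MyPool", "net-10.0.0.0-40"]
    for n in sample:
        print(n, "->", classify(n))
    print("non-conforming:", lint(sample))
```

Feed it the output of a listing of your virtuals, pools and monitors and the non-conforming names fall out; the range checks matter because a name like net-10.0.0.0-40 looks right to the eye but encodes an impossible mask.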

Your Turn

What standards do you use? Share in the comments section below, or post to the forum thread.

 

Wednesday, November 16, 2011


No, not “us” F5, the F5 key on the keyboard. You know, the one you hit relentlessly to refresh the page (well, the one I hit relentlessly during NFL games to update my fantasy football stats). Anyway, I was perusing the forums today, trying to catch up from a week attending our very excellent annual sales conference, and I noticed a thread that had to be shared.

The Question

Is there a way of preventing users from using the F5 button to refresh a web page? – DevCentral user ringoseagull (nice handle, btw!)

The Solution

F5er and very active forum patrolman nitass posted back within 30 minutes with a solution, featuring iRules of course! We’ve seen javascript insert iRules before, but this is a pretty handy use case, so I thought I’d share.

when HTTP_REQUEST {
  # Start each request with the stream filter off; it is switched on per response below.
  STREAM::disable
  # Downgrade to HTTP/1.0 so the server sends an unchunked body the stream profile can rewrite,
  # but keep the connection alive if the client asked for it.
  if {[HTTP::version] eq "1.1"} {
    if { [HTTP::header is_keepalive] } {
      HTTP::header replace "Connection" "Keep-Alive"
    }
    HTTP::version 1.0
  }
}
when HTTP_RESPONSE {
  # Only touch text bodies: replace the first </head> (any case) with the script followed by </head>.
  if {[HTTP::header Content-Type] starts_with "text/"} {
    STREAM::expression "@</\[Hh]\[Ee]\[Aa]\[Dd]>@<script language=javascript>function document.onkeydown() { if (event.keyCode==116) { event.keyCode=0; event.cancelBubble=true; return false; } }</script></head>@"
    STREAM::enable
  }
}
when STREAM_MATCHED {
  # One insertion per response is enough; stop scanning after the first match.
  STREAM::disable
}

This iRule uses the stream profile (which must be attached to the virtual server for the STREAM:: commands to work) to find the closing head tag and insert the JavaScript that swallows the F5 key (keycode 116). Two caveats before you lean on it. First, it is a convenience, not a control: the handler runs in the browser, so a user can still refresh with Ctrl+R, the toolbar button, or by turning JavaScript off, and the back end has to stay safe to replay regardless. Second, the handler is written in Internet Explorer’s JScript dialect (the “function document.onkeydown()” declaration form and the global “event”), so other browsers simply ignore it; and because the request side leaves Accept-Encoding in place, a server that gzips its responses will hand back a body in which the stream expression never matches. Curl testing shows the JavaScript successfully delivered:

[root@ve1023:Active] config # curl -i http://172.28.65.152
HTTP/1.1 200 OK
Date: Fri, 11 Nov 2011 15:24:33 GMT
Server: Apache/2.2.3 (CentOS)
Last-Modified: Fri, 11 Nov 2011 14:48:14 GMT
ETag: "4183e4-3e-9c564780"
Accept-Ranges: bytes
Connection: close
Content-Type: text/html; charset=UTF-8

<html>
<head><script language=javascript>function document.onkeydown() { if (event.keyCode==116) { event.keyCode=0; event.cancelBubble=true; return false; } }</script></head>
<body>
This is 101 host.
</body>
</html>
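To make the wire-level behaviour concrete, here is a small Python model of the response-side rewrite, added as an example (it is not the iRule and not code from nitass or the page). It inserts a stand-in script before the first </head> of a text body, and shows that the same body, gzip-compressed the way a server honouring Accept-Encoding would send it, never matches. The sample page and the prepare_request helper are my own constructions.

```python
import gzip
import re

# Added example, not code from the page: a Python model of what the
# response-side half of the iRule does, used to show what the stream
# profile can and cannot see on the wire.
HEAD_CLOSE = re.compile(rb"</head>", re.IGNORECASE)   # same match as the iRule's expression
SNIPPET = b"<script>/* F5 key handler would go here */</script>"  # stand-in for the real script

# Constructed sample page, modelled on the test host's response.
PAGE = (b"<html>\n<head><title>101</title></HEAD>\n"
        b"<body>\nThis is 101 host.\n</body>\n</html>\n")
PAGE_GZ = gzip.compress(PAGE, mtime=0)  # what a server that honours Accept-Encoding: gzip sends


def inject(body, content_type):
    """Insert SNIPPET before the first </head> of a text/* body.
    Returns (new_body, matched).  Like the iRule, it rewrites only the
    first occurrence and leaves non-text responses alone."""
    if not content_type.lower().startswith("text/"):
        return body, False
    m = HEAD_CLOSE.search(body)   # operates on the raw bytes, compressed or not
    if m is None:
        return body, False
    return body[:m.start()] + SNIPPET + body[m.start():], True


def prepare_request(headers):
    """Request-side fix the posted iRule lacks: drop Accept-Encoding so the
    server cannot compress the body the stream expression has to match."""
    return {k: v for k, v in headers.items() if k.lower() != "accept-encoding"}


if __name__ == "__main__":
    print("plain page rewritten:", inject(PAGE, "text/html; charset=UTF-8")[1])
    print("gzip page rewritten: ", inject(PAGE_GZ, "text/html; charset=UTF-8")[1])
    print(prepare_request({"Host": "101", "Accept-Encoding": "gzip, deflate"}))
```

The second print is the case to remember: the compressed body is still text/html as far as the Content-Type check is concerned, but the bytes on the wire contain no </head> to match, so the script is silently never inserted unless the request side strips Accept-Encoding first.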

 

Nice work, nitass!


Tuesday, October 25, 2011


Last Friday I attended my first BSides event, in Jefferson City, Missouri’s capital (literally in the capitol building!). The BSides community exists to bring fellow security practitioners together to present and participate in a small-scale environment that encourages collaboration. I’m not the outgoing sort and I generally like to fade into the background and just learn, but this environment really lends itself to establishing relationships with others. There were quite a few St. Louis-based individuals, and the chatter is already taking off about setting up a BSides event closer to home in the spring. Two tracks were offered at BSidesMO; I chose track 2. A brief review of a few of my favorite talks follows below. Many thanks to Jerry Gamblin (@jgamblin), Randy Raw (@randyraw), & Beth Young (@bethayoung) for putting on a great show.

The Evolution of Malware – Chris Quinn

I don’t spend any time studying malware, but I spend quite a bit of time cleaning it up. This talk was pretty eye-opening on several levels. The increase in viruses (250k in 2007 to 286M in 2010) is a shocking display of slope. The growth is attributed primarily to the mutating nature of most new viruses, each variant targeting only a few dozen victims before mutating again. That narrowing of focus in targeting victims reminds me of the scene in Jurassic Park where one raptor lies in wait as bait while the other hides in the bushes ready to pounce: clever girl! The real payoff of the talk, however, was the discussion of Stuxnet. Some high-level details on its design, as presented:

  • Used seven distinct mechanisms to spread, six of which leveraged 0-day vulnerabilities
  • Comprised of 15 modules
  • Five mechanisms to conceal itself
  • Reprograms industrial PLCs with 10k lines of code (10k!)
  • Rootkits for both the Windows PC and the PLC
  • Used two stolen certificates to sign its files, making them look legitimate

On infected systems that lacked the targeted configuration, the virus did nothing. Otherwise it collected telemetry data for days and then replayed it to the monitoring systems while controlling the PLCs at will. Amazing stuff. Bruce Schneier has a nice summary of the knowns and unknowns (at time of writing), and you can read Symantec’s comprehensive dossier on the subject as well.

Make the World Go Away – Beth Young

Beth’s talk focused on reducing your threat landscape. She discussed inbound reduction techniques such as blocking IP ranges from parts of the world that have no business reaching a particular resource. This was interesting, as the legwork required to build the lists yourself and implement them on the firewalls is fairly cumbersome, but worthwhile. F5 customers can tap the Quova geolocation data built into BIG-IP LTM to stop such requests at the door with the iRules whereis command, doing in minutes what probably took Beth and her team considerably longer to achieve (with the usual caveat that geolocation data is approximate and an attacker can proxy through an allowed region, so this trims noise rather than replacing authentication). The most interesting part of the talk concerned protecting internal users, and in turn the organization, by poisoning DNS for known-bad domains: either routing those requests to a bit bucket (IP based) or redirecting them to an alternative web server for statistics collection and remediation (name based). Both are intriguing, and I expect I’ll write this solution up using F5 gear in the next few weeks.

Web Exploitation Trends – Larry Battle

Larry had a lot of great information, much of it similar to Chris Quinn’s, so I won’t rehash that. The social engineering discussion was engaging, however. I don’t recall the place (Surprise Valley? Sunrise Valley?), but Larry described a town in Idaho with an entire real-estate website for people wanting to relocate there, only the place didn’t exist. The whole site was a scam: when you clicked on the videos, a Flash “upgrade” was presented, and while it appeared that Flash was updating (complete with real-looking Flash screens), malware was being downloaded instead. The craftiness of these criminals is amazing. The other uncool but fascinating part was the “you have a virus, pay $25 and we’ll clean it” scam. I always go straight to Task Manager and kill the processes as soon as these pop up, but I wasn’t aware that they aren’t malware in the sense of doing damage to your system. It’s really just a scare tactic to get you to spend $25; the whole thing is a ruse that neither infects nor cleans anything. Fascinating stuff.


Monday, August 01, 2011


July was a busy month. I took the first three weeks off and drove much of what’s left of the “mother road”, Historic Route 66, with the family, our Ford Expedition, and way too many nights in our 31’ travel trailer. Great memories and stories for a lifetime out of that trip. I was home long enough to unpack, do laundry, and repack for a great week in Chicago with the DevCentral team. On Monday, we had a great time diving into F5 technology goodness with the MVPs (and hoolio and Chris Miller!) at the Thinkubator. It was a great meeting place with a rooftop deck accessible only by a spiral staircase. The view of downtown was amazing:

mvpsummit_pic1

It’s a good thing we all like each other ‘cause we spent the whole day together: three meals and some great content along the way. I particularly enjoyed the lightning talks from the MVPs, but the content from our product development and product management teams was great as well. Tuesday, THE Colin Walker and I taught a “Short Course” (7 hours!) on iRules and had a great session. The F5 Agility conference took place Wednesday and Thursday, and the DevCentral booth was hopping with video interviews throughout. Check out DCTV for a great variety of partner/MVP interviews.

Anyway, circling back to my title for this post: I’m back in the saddle, baby. It’s a new week, a new month, and a new era for F5 with the announcement of BIG-IP v11. We here at DevCentral are getting the gears turning on all the content coming your way. There will be plenty, as there is an astounding amount of innovation in this release. I’m super excited, as are all the folks I’ve talked to who evaluated v11 during the beta windows. Much to learn, much to do, so I’m signing off for now…

Wednesday, June 22, 2011


Don’t get me wrong, regex is awesome and entirely useful; sometimes it’s the only option. It’s just not the best tool of choice for wire-speed applications. Often the sys-admin and network types who convert to BIG-IP will find the regexp Tcl command and go that route because it’s familiar. If that describes you, please let me introduce you to a couple of more appropriate commands:

These two commands will cover a great percentage of regexp’s use cases and save significant resources on the system. Don’t buy it? Here’s an example using scan:

% set ip "10.10.20.200"
10.10.20.200
% time { scan $ip {%d.%d.%d.%d} a b c d} 10000
2.1713 microseconds per iteration
% time {regexp {([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})} $ip matched a b c d} 10000
34.2604 microseconds per iteration

Two approaches, same result for this input. The time to achieve that result? The scan command bests regexp by far. I’ll save you the calculation: that’s a 93.7% reduction in processing time. 93.7 percent! Now, mind you, the difference between 2 and 34 microseconds will be negligible to an individual request’s response time, but in the context of a single system handling hundreds of thousands or even millions of requests per second, the difference matters. A lot. One caveat: neither form validates the address. scan’s %d happily accepts 999 or a signed number as an octet, and the regexp’s [0-9]{1,3} accepts 999 as well, so if the goal is to check that a string really is an IPv4 address, use the IP::addr command (wrapped in catch) rather than either of these.

Thanks to (who else?) hoolio for the example.  For other optimization considerations, check out the iRules Optimization 101 series.


Monday, June 20, 2011


DevCentral community member geffr had a problem. The BIG-IP Application Security Manager module logs to the local3 facility, but he needed to send its messages to the local7 facility on a remote server. Before giving up entirely, he posted to this thread in the Monitoring & Management group forum, where user nitass helped him jump through the syslog-ng hoops (see the syslog-ng tips and tricks) to the working solution posted below. It’s pretty straightforward: define a filter that selects the local3 messages, a template that rewrites the priority, and a destination that sends them using that template, then put the pieces together in a log statement.

b syslog include '"

filter f_local3a {
facility(local3);
};

template t_asm {
template(\"<190> $MSGHDR$MSG\n\");
template_escape(no);
};

destination d_loghost5a {
udp(\"2.2.2.2\" port (514) template(t_asm));
};

log {
source(local);
filter(f_local3a);
destination(d_loghost5a);
};

"'

Note: The b syslog include '" … "' wrapper around the custom configuration is just the bigpipe command that imports it (which is also why the inner double quotes are backslash-escaped); it’s not part of the syslog-ng configuration itself. On v11 and later the equivalent is tmsh modify sys syslog include. One thing the template hides: <190> is the syslog PRI value, facility times 8 plus severity, so 190 is local7 (23 * 8 = 184) plus info (6). Every message forwarded through this destination therefore arrives as local7.info, whatever severity ASM originally logged it with, which matters if the remote collector filters or alerts on severity.
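The PRI arithmetic, done in Python as an added example (not code from the forum thread): it decodes 190 to local7.info, decodes a constructed local3.err line, and shows how to move a line to local7 while keeping its original severity instead of overwriting it. The facility names follow the RFC 5424 table (abbreviated), the sample line is constructed with a simplified message format, and the function names are mine.

```python
import re

# Added example, not part of the forum solution: syslog PRI arithmetic,
# which is what the hard-coded <190> in the template encodes.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "cron2",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

PRI_LINE = re.compile(r"^<(?P<pri>\d{1,3})>(?P<rest>.*)$", re.S)


def encode_pri(facility, severity):
    """PRI = facility * 8 + severity, per RFC 3164/5424."""
    return FACILITIES.index(facility) * 8 + SEVERITIES.index(severity)


def decode_pri(pri):
    """Inverse of encode_pri; 191 is the largest valid value (local7.debug)."""
    if not 0 <= pri <= 191:
        raise ValueError("PRI out of range: %d" % pri)
    return FACILITIES[pri // 8], SEVERITIES[pri % 8]


def refacility(line, new_facility):
    """Move a syslog line to another facility while keeping its severity,
    which a fixed '<190>' template cannot do."""
    m = PRI_LINE.match(line)
    if m is None:
        raise ValueError("line has no PRI: %r" % line[:40])
    _, severity = decode_pri(int(m.group("pri")))
    return "<%d>%s" % (encode_pri(new_facility, severity), m.group("rest"))


# Constructed sample: a local3.err line in the shape of a BIG-IP syslog
# message (the message text is made up, not real ASM output).
SAMPLE = "<155>Jun 20 10:00:00 bigip1 ASM: policy /Common/app blocked request from 203.0.113.7"

if __name__ == "__main__":
    print(decode_pri(190))               # ('local7', 'info'): what the template forces
    print(decode_pri(155))               # ('local3', 'err'): what the sample line carries
    print(refacility(SAMPLE, "local7"))  # <187>...: local7, still err
```

If severity has to survive the hop, the cleaner syslog-ng route is to keep the original PRI and change only the facility on the sending side (or classify on the receiving side); the fixed-PRI template is the quick fix, and this is what it costs.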


Tuesday, June 14, 2011


I’ve posted on this before (Host that Sorry Page on your BIG-IP!), but it’s been a while and there have been a few updates. Besides, narrowing the application to only sorry pages is a bit myopic; I’m sure my BIG-IP is offended that I treated it so callously. Anyway, I got an inquiry a week or so ago about images in tables not being picked up by the script. The images in the table were referenced like this:

<table background="genericofflinebackground.gif" align="center" width="1024" height="768" >

I reached out to the author, Kirk Bauer, and he gave me some pointers as to where to look. There’s a function in the Perl script that parses the HTML to look for items of interest:
 
# HTML::Parser-style start-tag callback: each referenced object the script
# knows about is handed to handle_object; originally only <img src> qualified.
sub start {
   my ($self, $tag, $attr, $attrseq, $origtext) = @_;
   # print out original text
   if ($tag eq 'img') {
      if ($attr->{'src'}) {
         $attr->{'src'} = &handle_object($tag, 'src', $attr->{'src'});
      }
   }

Modifying the if ($tag..) conditional to match the table wasn’t that hard at all:

sub start {
   my ($self, $tag, $attr, $attrseq, $origtext) = @_;
   # print out original text
   if ($tag eq 'img') {
      if ($attr->{'src'}) {
         $attr->{'src'} = &handle_object($tag, 'src', $attr->{'src'});
      }
   }
   # new: also pick up background images referenced from <table background="...">
   if ($tag eq 'table') {
      if ($attr->{'background'}) {
         $attr->{'background'} = &handle_object($tag, 'background', $attr->{'background'});
      }
   }

That solved problem number one. The second problem was that the script wasn’t asking for a partition preference; it just dumped the iRule and data groups into the last partition defined in bigip.conf. This was strange, as the code to handle partitions was in place:

my @partitions;
# collect the partition names declared in the main config file
open (CONF, "/config/bigip.conf") or die "Could not read /config/bigip.conf: $!\n";
while (my $line = <CONF>) {
   if ($line =~ /^partition (.+) {/) {
      push @partitions, $1;
   }
}
close (CONF);

The problem is that the regex is looking for “partition <my partition> {”, and that block (at least as of 10.2.1 HF3) is no longer in bigip.conf: it has moved to bigip_sys.conf. Updating the code as shown below solved the issue; the user is now asked for the appropriate partition, and the iRule and data group get deployed as expected.

my @partitions;
# partitions are now declared in bigip_sys.conf, so read them from there
open (CONF, "/config/bigip_sys.conf") or die "Could not read /config/bigip_sys.conf: $!\n";
while (my $line = <CONF>) {
   if ($line =~ /^partition (.+) {/) {
      push @partitions, $1;
   }
}
close (CONF);

For the full script, head to the iRules wiki entry LTM Maintenance Page Generator and grab version 2.2.

 


Tuesday, May 31, 2011


User Ralph Hoflich dropped an interesting problem off in the forums for his first post evah: he had a Wireshark capture with a highly unusual header name:

Yes, the header name was “:”. This is interesting as “:” is also the separator between the field name and value as described in RFC 2616 section 4.2 (and, being a separator, it can’t legally appear in a field name at all, since a field name must be a token). Thankfully, iRules treat it as just another character in the name, so the simple task of removing a header like this is completed painlessly (as Ralph suspected in his own question). I added a couple of logging statements to check the request headers before and after:

when HTTP_REQUEST {
 # header names as received from the client, before any change
 log local0. "[HTTP::header names]"
 # drop the oddly named header; no conditional needed, remove is a no-op when it's absent
 HTTP::header remove :
}
when HTTP_REQUEST_SEND {
    # HTTP_REQUEST_SEND fires server-side, so read the outgoing headers from the clientside context
    clientside {
      log local0. "[HTTP::header names]"
    }
}

The HTTP::header remove command will not error out if the header isn’t present, so there’s no need for a conditional check. 

Testing

From the browser, I couldn’t generate the load as desired with the Firefox modify headers plugin, but I was able to insert the header with cURL:

root@jrahm-dev:~# curl -v -H ':: /r/n' http://10.10.20.50/
* About to connect() to 10.10.20.50 port 80 (#0)
*   Trying 10.10.20.50... connected
* Connected to 10.10.20.50 (10.10.20.50) port 80 (#0)
> GET / HTTP/1.1
> User-Agent: curl/7.19.7 (x86_64-pc-linux-gnu) libcurl/7.19.7 OpenSSL/0.9.8k zlib/1.2.3.3 libidn/1.15
> Host: 10.10.20.50
> Accept: */*
> :: /r/n
>
< HTTP/1.1 200 OK
< Date: Tue, 31 May 2011 20:02:57 GMT
< Server: Apache/2.2.14 (Ubuntu)
< Last-Modified: Thu, 24 Jun 2010 14:26:22 GMT
< ETag: "381fef-b1-489c77054eef8"
< Accept-Ranges: bytes
< Content-Length: 177
< Vary: Accept-Encoding
< Content-Type: text/html
< X-Pad: avoid browser bug
<
<html><body><h1>It works!</h1>
<p>This is the default web page for this server.</p>
<p>The web server software is running but no content has been added, yet.</p>
</body></html>
* Connection #0 to host 10.10.20.50 left intact
* Closing connection #0

And the resulting log statements:

May 31 15:27:45 local/tmm info tmm[4972]: Rule header_remove <HTTP_REQUEST>: User-Agent Host Accept :
May 31 15:27:45 local/tmm info tmm[4972]: Rule header_remove <HTTP_REQUEST_SEND>: User-Agent Host Accept

Update: hoolio pointed out my error above (the slashes face the wrong way, and the CRLF wouldn’t technically be part of the field value anyway). He recommended an alternative approach, with the same results:

[root@golgotha:Active] config # echo -e "GET / HTTP/1.0\r\nHost: test\r\n: \r\nConnection: close\r\n\r\n" | nc 10.10.20.50 80
HTTP/1.1 200 OK
Date: Tue, 31 May 2011 23:15:00 GMT
Server: Apache/2.2.14 (Ubuntu)
Last-Modified: Thu, 24 Jun 2010 14:26:22 GMT
ETag: "381fef-b1-489c77054eef8"
Accept-Ranges: bytes
Content-Length: 177
Vary: Accept-Encoding
Connection: close
Content-Type: text/html

<html><body><h1>It works!</h1>
<p>This is the default web page for this server.</p>
<p>The web server software is running but no content has been added, yet.</p>
</body></html>

And the updated results:

May 31 18:39:50 local/tmm info tmm[4972]: Rule header_remove <HTTP_REQUEST>: Host : Connection
May 31 18:39:50 local/tmm info tmm[4972]: Rule header_remove <HTTP_REQUEST_SEND>: Host Connection
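A parser-level view of the same edge case, added here as an example and not part of the thread: a lenient header parser that splits on the first colon (which is how the “: ” and “:: /r/n” lines become a header with an empty name), a strict mode that rejects any field name that is not an RFC 2616 token, and a remover that behaves like HTTP::header remove. The request block is constructed, and the names parse_headers, strict_ok and remove_header are mine. Note the lenient parser reports the name as the empty string, whereas the iRule log above shows BIG-IP rendering it as “:”; two devices in the same request path disagreeing about what a malformed header is named is exactly why a front end should reject such lines rather than forward them.

```python
import re

# Added example, not from the thread: two ways of parsing a header block,
# run over a constructed request carrying the same odd lines as the tests
# above.  The token grammar is RFC 2616 section 2.2 (no CTLs, no
# separators), which is the RFC 7230 tchar set.
TOKEN = re.compile(r"^[!#$%&'*+\-.0-9A-Z^_`a-z|~]+$")

# Constructed sample: the header block of a request, after the request line.
SAMPLE = (b"Host: test\r\n"
          b": \r\n"             # hoolio's version: empty name, empty value
          b":: /r/n\r\n"        # my first attempt: empty name, value ': /r/n'
          b"Connection: close\r\n")


def parse_headers(raw, strict=False):
    """Return [(name, value), ...].  Lenient mode splits on the first ':'
    the way many servers do; strict mode raises on a field-name that is
    not a token, which is what a front end should do with a line like ': '."""
    headers = []
    for line in raw.split(b"\r\n"):
        if not line:
            continue
        if b":" not in line:
            raise ValueError("no colon in header line: %r" % line)
        name, value = line.split(b":", 1)
        name = name.decode("latin-1")
        value = value.decode("latin-1").strip(" \t")
        if strict and not TOKEN.match(name):
            raise ValueError("invalid field-name: %r" % name)
        headers.append((name, value))
    return headers


def strict_ok(raw):
    """True if every field-name in the block is a valid token."""
    try:
        parse_headers(raw, strict=True)
        return True
    except ValueError:
        return False


def remove_header(headers, name):
    """Case-insensitive removal by name; a no-op when absent, like HTTP::header remove."""
    return [(n, v) for n, v in headers if n.lower() != name.lower()]


if __name__ == "__main__":
    parsed = parse_headers(SAMPLE)
    print([n for n, _ in parsed])                      # ['Host', '', '', 'Connection']
    print([n for n, _ in remove_header(parsed, "")])   # ['Host', 'Connection']
    print(strict_ok(SAMPLE), strict_ok(b"Host: test\r\n"))  # False True
```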

