Disable ISATAP / 6to4 / teredo Adapters

Did you ever wonder about those tunnel adapters appearing in ipconfig? You need them as soon as you’re working with a dual IP stack, i.e. using IPv4 and IPv6 addresses at the same time. OK, that’s a very basic version of what they do; if you’re interested in the details, read the following articles:

If you don’t need them, use the following commands to disable those adapters and remove them from ipconfig.

  • netsh interface isatap set state disabled
  • netsh interface 6to4 set state disabled
  • netsh interface teredo set state disabled

Example: [screenshot omitted: isatap]
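The same change as a script, added here as an example (it is not from the original post): it records the state of the three transition technologies, disables them, and prints the state again. It assumes Windows 8 / Server 2012 or later for the NetTCPIP cmdlets and an elevated PowerShell session; on Windows 7 / Server 2008 R2 it falls back to the netsh commands above.

```powershell
# Added example, not part of the original post. Audits the ISATAP, 6to4 and
# Teredo transition technologies, disables them and shows the result.
# Assumes Windows 8 / Server 2012 or later (NetTCPIP cmdlets) and an elevated
# session; the netsh branch covers Windows 7 / Server 2008 R2.

function Get-TransitionState {
    # Teredo exposes its enable/disable setting as "Type", the others as "State"
    [PSCustomObject]@{
        Isatap    = (Get-NetIsatapConfiguration).State
        SixToFour = (Get-Net6to4Configuration).State
        Teredo    = (Get-NetTeredoConfiguration).Type
    }
}

function Disable-TransitionTechnologies {
    if (Get-Command Set-NetIsatapConfiguration -ErrorAction SilentlyContinue) {
        Set-NetIsatapConfiguration -State Disabled
        Set-Net6to4Configuration   -State Disabled
        Set-NetTeredoConfiguration -Type  Disabled
    } else {
        # Older Windows: same effect through netsh
        netsh interface isatap set state disabled | Out-Null
        netsh interface 6to4   set state disabled | Out-Null
        netsh interface teredo set state disabled | Out-Null
    }
}

Write-Host 'Before:'
Get-TransitionState | Format-List

Disable-TransitionTechnologies

Write-Host 'After:'
Get-TransitionState | Format-List

# The tunnel adapters are hidden interfaces; list any that are still present
Get-NetAdapter -IncludeHidden |
    Where-Object { $_.InterfaceDescription -match 'ISATAP|6to4|Teredo' } |
    Select-Object Name, InterfaceDescription, Status
```

Disabling the technologies is what removes the adapters from ipconfig; simply disabling the hidden adapters in Device Manager leaves the technologies configured and they come back.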


The “isc.org” DNS attack

An attack on DNS UDP port 53 has been spreading these days. The attacker uses botnets to send out UDP DNS requests with a spoofed source IP address. When the DNS server replies to such a query, it sends the answer to that false address.

Packets look like this:

SRC: 178.33.2.*:any
DST: yourdnsserver:53
QUERY: ANY? isc.org

The source IP is spoofed, but every DNS server configured with root hints will answer this packet. The problem here:

Request size: 78 bytes
Answer size: 3656 bytes

So this is a 46x multiplier for DDoS attacks. Nice idea, bad for DNS server owners. There are a lot of websites discussing this issue:

Protection against isc.org any attack
http://www.minihowto.eu/…

How to block DNS Amplification Attack isc.org any attack
http://www.junkemailfilter.com/…

How to Launch a 65Gbps DDoS, and How to Stop One
http://blog.cloudflare.com/…

Is Your Open DNS Resolver Part of a Criminal Conspiracy?
https://www.isc.org/…
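To see what this looks like in your own data, here is an added example (not from the original post) that computes the amplification ratio per source and query over a handful of constructed DNS transactions. The CSV layout is an assumption; a Windows DNS debug log or a packet capture would be reduced to the same five fields before running this.

```powershell
# Added example, not from the original post. The transactions below are
# constructed sample data in a made-up CSV layout (source, query type, name,
# request and response size in bytes).
$sample = @'
Src,QType,QName,ReqBytes,RespBytes
178.33.2.10,ANY,isc.org,78,3656
178.33.2.11,ANY,isc.org,78,3656
178.33.2.12,ANY,isc.org,78,3656
178.33.2.12,ANY,isc.org,78,3656
192.168.1.20,A,www.example.com,60,76
192.168.1.21,MX,example.com,58,120
10.0.0.5,ANY,isc.org,78,3656
'@ | ConvertFrom-Csv

function Get-AmplificationReport {
    param([Parameter(Mandatory)] $Transactions, [double] $Threshold = 10)
    # One row per (source, query). A large response/request ratio repeated
    # from a source that never asked for it is the reflection signature.
    $Transactions |
        Group-Object Src, QType, QName |
        ForEach-Object {
            $first = $_.Group[0]
            $ratio = [double]$first.RespBytes / [double]$first.ReqBytes
            [PSCustomObject]@{
                Src            = $first.Src
                Query          = "$($first.QType) $($first.QName)"
                Count          = $_.Count
                Amplification  = [math]::Round($ratio, 1)
                ReflectedBytes = $_.Count * [int]$first.RespBytes
                Suspicious     = ($ratio -ge $Threshold -and $first.QType -eq 'ANY')
            }
        } | Sort-Object ReflectedBytes -Descending
}

$report = Get-AmplificationReport -Transactions $sample
$report | Format-Table -AutoSize

# Bytes your server would send towards each spoofed /24 (the 178.33.2.* victim range)
$report | Where-Object Suspicious |
    Group-Object { ($_.Src -split '\.')[0..2] -join '.' } |
    ForEach-Object { '{0}.0/24: {1} bytes reflected' -f $_.Name, ($_.Group | Measure-Object ReflectedBytes -Sum).Sum }
```

With the sizes from the post (78 bytes in, 3656 bytes out) the ratio comes out at 46.9, which is the 46x multiplier mentioned above; ordinary A and MX lookups stay close to 1x.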

[issue-1] Routers don’t follow BCP38

So the problem has two sources. First, the internet routers that allow packets to be transported with source addresses that aren’t from the ranges behind those routers. In other words: why should a router forward a packet from a source it already knows to be behind a different gateway in its routing table? There’s a routing “Best Current Practice” no. 38 that describes this as follows:

IF packet's source address from within [its assigned space]
THEN forward as appropriate

IF packet's source address is anything else
THEN deny packet

Thanks to Chip Marshall from dyndns.org for publishing this information. His post is here.

More information about BCP38 can be found here:
http://www.bcp38.info/index.php/Main_Page
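The two IF/THEN rules above as a function, added here as an example (not from the original post or from the BCP38 site): an ingress interface carries a list of assigned prefixes, and a packet whose source lies in none of them is denied. The prefixes and sample packets are constructed; the prefix match is written out by hand because .NET has no CIDR helper.

```powershell
# Added example, not from the original post: BCP38 ingress filtering as code.
# Prefixes and packets are constructed sample data.

function Test-InPrefix {
    param([string] $Address, [string] $Cidr)
    $net, $bits = $Cidr.Split('/')
    $bits = [int]$bits
    $a = [System.Net.IPAddress]::Parse($Address).GetAddressBytes()
    $n = [System.Net.IPAddress]::Parse($net).GetAddressBytes()
    if ($a.Length -ne $n.Length) { return $false }    # IPv4 address vs IPv6 prefix or vice versa
    for ($i = 0; $i -lt $a.Length; $i++) {
        $remaining = $bits - 8 * $i
        if ($remaining -le 0) { return $true }          # all prefix bits matched
        $mask = if ($remaining -ge 8) { 0xFF } else { (0xFF -shl (8 - $remaining)) -band 0xFF }
        if (($a[$i] -band $mask) -ne ($n[$i] -band $mask)) { return $false }
    }
    return $true
}

function Test-Bcp38Ingress {
    param([string] $Source, [string[]] $AssignedPrefixes)
    # IF source within assigned space THEN forward, ELSE deny
    foreach ($p in $AssignedPrefixes) {
        if (Test-InPrefix -Address $Source -Cidr $p) { return 'forward' }
    }
    return 'deny'
}

# Customer-facing interface: only these source ranges may legitimately appear on it
$assigned = @('203.0.113.0/24', '2001:db8:1::/48')

$packets = @(
    @{ Src = '203.0.113.7';   Note = 'customer host' }
    @{ Src = '178.33.2.9';    Note = 'spoofed, like the isc.org attack' }
    @{ Src = '2001:db8:1::a'; Note = 'customer host, IPv6' }
    @{ Src = '2001:db8:9::a'; Note = 'spoofed IPv6' }
)
foreach ($pkt in $packets) {
    '{0,-16} {1,-8} ({2})' -f $pkt.Src, (Test-Bcp38Ingress -Source $pkt.Src -AssignedPrefixes $assigned), $pkt.Note
}
```

The two spoofed packets come back as deny and the two customer packets as forward; on a real router this is what an ingress ACL or unicast RPF check does on the customer-facing interface.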

[issue-2] DNS recursion

The other reason is that a DNS server published on the internet should only answer queries for its own zones. But most DNS servers are configured to perform recursive DNS queries on behalf of their clients. This is why the attack has spread so widely.

To disable recursion on Windows DNS Servers:

  • Right-click the DNS server and click Properties
  • Select the Advanced tab
  • Under Server options, select the “Disable recursion” check box
  • Save using the OK button

More Information in TechNet: http://technet.microsoft.com/en-us/library/cc771738.aspx

Another option would be removing all root hints and forwarders from the configuration. But disabling recursion is the easiest and most common.
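The same check and change through the DnsServer PowerShell module, added here as an example (not from the original post or from TechNet). It assumes Windows Server 2012 or later on the DNS server and an elevated session; the probe name and the remote test are assumptions too.

```powershell
# Added example, not from the original post. Requires the DnsServer module
# (Windows Server 2012 and later) in an elevated session on the DNS server.
Import-Module DnsServer

function Get-OpenResolverRisk {
    # Three things together make a public server usable as a reflector:
    # recursion enabled, plus somewhere to recurse to (root hints or forwarders).
    $recursion  = Get-DnsServerRecursion
    $rootHints  = @(Get-DnsServerRootHint)
    $forwarders = @((Get-DnsServerForwarder).IPAddress)
    [PSCustomObject]@{
        RecursionEnabled = $recursion.Enable
        RootHintCount    = $rootHints.Count
        ForwarderCount   = $forwarders.Count
        OpenResolverRisk = [bool]($recursion.Enable -and ($rootHints.Count -gt 0 -or $forwarders.Count -gt 0))
    }
}

function Test-RemoteRecursion {
    param([string] $Server, [string] $Name = 'www.example.com')
    # Ask for a name the server is not authoritative for; any answer means
    # recursion is open to whoever can reach port 53.
    $r = Resolve-DnsName -Name $Name -Server $Server -DnsOnly -ErrorAction SilentlyContinue
    return [bool]$r
}

Get-OpenResolverRisk

# Equivalent of the "Disable recursion" check box in the GUI
Set-DnsServerRecursion -Enable $false

Get-OpenResolverRisk

# From a machine outside the server's zones, replace the placeholder with the server address
# Test-RemoteRecursion -Server '<dns-server-ip>'
```

Run Test-RemoteRecursion from another host before and after the change: it should go from $true to $false once recursion is off, while lookups for the server’s own zones keep working.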

Other Links:

Alert from US-CERT: http://www.us-cert.gov/ncas/alerts/TA13-088A

VMs over WLAN without NAT

In a Hyper-V for Windows 8 blog post, someone from Microsoft wrote about “Supporting VM communication through wireless NICs”. In his blog post, he describes a solution where Hyper-V uses a MAC address proxy to enable VM communication over wireless LANs.

I recommend you read this article yourself; the original post is here:
http://blogs.msdn.com/b/b8/archive/2011/09/07/bringing-hyper-v-to-windows-8.aspx

TCP/UDP Checksum Offload on RealTek NIC

I just wanted to do my cousin a favor and take a look at his new computer, which he bought at a local IT store. He told me it’s kinda slow. Unfortunately, it wasn’t just taking a look…

Characteristics of the problem

Newly installed, and also after reinstalling from a recovery DVD, the computer hung while surfing the internet. Slow speed, some websites did not load, mostly HTTPS SSL sites. In his case it was the eBanking software that didn’t work.

Troubleshooting

My first thought was anti-virus software and firewalls: no success. The anti-virus is not scanning traffic, and the Windows Firewall has rules that allow all outgoing and the right incoming traffic.

Second thought: the computer is slow because it’s downloading over 100 Windows updates in the background. I took the time, downloaded all updates and installed them. Maybe one of the updates solves the problem. No success.

Third thought: there must be some tool blocking the traffic. I uninstalled mostly everything I didn’t know, disabled every senseless service. No success.

Fourth thought: network issues. BANG! Success. Here’s how I analyzed it.

Analyze the unsuccessful network connections

Because TeamViewer didn’t work either, I decided to use that tool to produce the example traffic to be analyzed. But this will work with an HTTPS site as well, I’m sure.

Network Traffic logging:

  • Download Wireshark, install it directly on the computer
  • Start Wireshark with no filters, without promiscuous mode
  • Start TeamViewer and wait until the connection is established
  • Stop Wireshark logging
  • Set and apply the filter “ip.addr == my.computers.ip.address”

TeamViewer normally connects quickly to its servers and gives you a green light in the bottom left pane to tell you it’s ready to get help. On the computer with the issue, TeamViewer started with a red light, went to orange and tried to connect. Some seconds later it went back to red, then orange and finally green.

The analyzed traffic in Wireshark had a lot of black lines from the local IP to an Internet IP of TeamViewer. If I selected such a packet and opened the TCP part in the middle pane, it looked like this:

Nice of Wireshark, it tells me directly what’s wrong here. But what’s checksum offload?! After a search on Wikipedia:

TCP offload engine or TOE is a technology used in network interface cards (NIC) to offload processing of the entire TCP/IP stack to the network controller. It is primarily used with high-speed network interfaces, such as gigabit Ethernet and 10 Gigabit Ethernet, where processing overhead of the network stack becomes significant.

Source: http://en.wikipedia.org/wiki/TCP_offload_engine

Nice, but my NIC is a standard 1 GBit/s one connected to my DSL (5 MBit/s). Don’t need that stuff here. How come a manufacturer thinks it’s necessary to implement such server / datacenter features on a normal workstation? Yes, for IT guys it’s nice to have, but should that be enabled by default?

Disable TCP Checksum Offload

To disable offloading, I opened the network card’s advanced settings.

Step 1, open Network Properties:

and then press “configure” (“Konfigurieren” in the German Snapshot).

Step 2, in the next dialog go to Advanced (“Erweitert”) and search for TCP offloading. There’s a lot about offloading, but what we need is TCP and UDP checksum offloading on IPv4.

Left side “Eigenschaft” means “Property” and right side “Wert” means “Value”. The value of “TCP Prüfsummenabladung” (means TCP checksum offloading) is set to “Rx & Tx aktiviert” (Rx & Tx activated).

After setting this to disabled for both TCP and UDP, everything went back to normal. TeamViewer works, eBanking works, everything. Wireshark also only logs valid successful connections from now on.
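The same change from PowerShell instead of the German driver dialog, added here as an example (not from the original post). It assumes Windows 8 / Server 2012 or later for the NetAdapter module and an elevated session; the adapter name “Ethernet” is an assumption.

```powershell
# Added example, not from the original post. NetAdapter module, Windows 8 /
# Server 2012 and later, elevated session. Adapter name is an assumption.

function Get-ChecksumOffloadSummary {
    # One row per physical adapter: what the driver currently offloads
    Get-NetAdapter -Physical | ForEach-Object {
        $o = Get-NetAdapterChecksumOffload -Name $_.Name
        [PSCustomObject]@{
            Adapter = $_.Name
            Driver  = $_.InterfaceDescription
            IpIPv4  = $o.IpIPv4Enabled
            TcpIPv4 = $o.TcpIPv4Enabled
            UdpIPv4 = $o.UdpIPv4Enabled
            TcpIPv6 = $o.TcpIPv6Enabled
            UdpIPv6 = $o.UdpIPv6Enabled
        }
    }
}

$adapter = 'Ethernet'

Get-ChecksumOffloadSummary | Format-Table -AutoSize

# Switch off exactly what the post changed: TCP and UDP checksum offload on IPv4.
# The adapter resets while the driver applies this, so open connections drop.
Disable-NetAdapterChecksumOffload -Name $adapter -TcpIPv4 -UdpIPv4

Get-ChecksumOffloadSummary | Where-Object Adapter -eq $adapter | Format-Table -AutoSize
```

If the behaviour does not change, Enable-NetAdapterChecksumOffload with the same switches puts the setting back; the Wireshark symptom to watch for is the “incorrect checksum” note on outgoing packets, which is expected on a capturing host with offload enabled but not on packets the peer actually rejects.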

Weird experience.

Configuring VTP on a Cisco Switch

The VLAN Trunking Protocol is a very helpful tool if you’re too lazy to create and maintain the name of every VLAN on every switch manually.

Wikipedia:

VLAN Trunking Protocol (VTP) is a Cisco proprietary protocol that propagates the definition of Virtual Local Area Networks (VLAN) on the whole local area network. To do this, VTP carries VLAN information to all the switches in a VTP domain. VTP advertisements can be sent over ISL, 802.1q, IEEE 802.10 and LANE trunks. VTP is available on most of the Cisco Catalyst Family products.

The comparable IEEE standard in use by other manufacturers is GVRP or the more recent MVRP.

Source: http://en.wikipedia.org/wiki/VTP

HowTo Configure VTP

Enter the configuration terminal; this enables more options to configure.

conf t
vtp mode client
vtp domain mydomain
vtp password mypassword

If you’re not sure what password is defined on the master, just go to another switch or the master itself and use this command to get it:

show vtp password

To check whether VTP is running and receives the VLAN information, simply enter the following command to show the configured VLANs and their names.

show vlan

To add another VLAN with a name, you must first enter the “vlan database” mode (not in conf t) to configure it:

vlan database
vlan 123 name MyNewVLAN


HowTo Setup a Brocade Switch (DS-300B)

Introduction
As a first step, a Brocade Fibre Channel switch has to be configured using a serial cable to set its IP address. After this step, all further configuration can be done using a Java applet over any existing network connection.

Setup Assistant: http://ipaddress/ezsetup.html
Switch Manager (basic view): http://ipaddress/
Web Tools (advanced view): http://ipaddress/switchExplorer.html

Network Setup
As of August 2011, Brocade has no Windows 7 compatible setup software available.

  • Connect the switch to power
  • Connect a WinXP notebook with a serial cable to the serial port
  • Connect the notebook’s LAN and the Brocade management LAN to the management switch
  • Use the CD from the Brocade package box to install the setup software
  • The setup software starts automatically after installation
  • Choose serial connection to set up the switch; this takes about 3 minutes to find the switch
  • Set IP address, subnet and gateway
  • The software sends the configuration to the switch and finishes

At the end it is not necessary to use the wizard to proceed, so select custom and exit.

Switch Setup

  • Browse to the Web Tools URL for advanced view (see Introduction of this document)
  • Login using USER “admin” and PASS “password”
  • Select “Switch Admin” to open the switch configuration menu

Enter the following information:

  • Tab “Switch”, field “Name” -> switch name like “HOUSW9x”, click “Apply”
  • Tab “Network” -> check that the IP configuration is correct
  • Tab “User”, user name “admin” -> “Change Password”, after the change click “Apply”
  • Click on “Close”

Fabric Zoning

  • Browse to the Web Tools URL for advanced view (see Introduction of this document)
  • Login using USER “admin” and PASS “password”
  • Select “Zone Admin” to open the switch configuration menu
  • Expand “Ports & Attached Devices”
  • Click on “New Alias” and create an alias for each port using this naming scheme:
  • A_HOUESX001_PCI1 -> means “Alias for HOUESX001 HBA in PCI Slot 1”
  • Select the WWN for each port by expanding the port multiple times, add the last member with a WWN to the alias
  • Select the “Zone” tab
  • Click on “New Zone” and create each zone using this naming scheme:
  • Z_HOUESX001_PCI3_CX_SPA1 -> means “Zone for HOUESX001 PCI1 to CX SPA Port 1”; you have to create two zones per server to connect each SP.
  • BZ_NS_Blade2_ML6000_TapeDRV0 -> means “BackupZone for NS Blade 2 to Tape Library Drive 0”; you have to create a zone for each blade to each drive.
  • Select the “Zone Config” tab
  • Click on “New Zone Config” and create a config with the following naming convention:
  • C_SAN_Houston_20110809_comment
  • Click on “Save Config” and, once committed, “Enable Config” and select the newly created configuration from the dropdown list

Zoning done.

Network Location Awareness NLA

Many times I have tried to find a way to change the network location in Server 2008. On Windows 7 computers, you get asked for the network type the first time you connect. Server 2008 decides this by an automatic calculation.

If you connect a crossover cable from one server to another – for example when configuring a cluster – the network is automatically classified as public. And this means the firewall blocks almost all incoming traffic by default.

I found further information in the TechNet basics about NLA and in the following TechNet forum post about this issue:

By default, Windows Server 2008 and Windows Server 2008 R2 use the Network Location Awareness service (nlasvc) to identify networks and find the associated saved settings for the network; the NLA service will use a default gateway or SSID to identify a network. This identification is conducted by the system automatically due to security considerations. We cannot change the network profile manually. Otherwise, the server will be unsafe if a local administrator right is leaked, even though we have domain group policy to define firewall settings in the public profile. A hacker could change a public profile to the domain profile to allow unwanted traffic.

In Windows 7 and Windows Server 2008 R2, more than one profile can be active at the same time according to which networks the computer is connected. As a result, if the server cannot contact the domain via the public NIC, it will not be identified to connect to domain network.

Also good to know: there’s a Group Policy about NLA, but it is only valid for clients (if I understood correctly).

…group policy to allow the editing of locations (Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Network List Manager Policies, All networks, network location -> User can change location)

I found further tricks in Kurt Roggen’s blog:

Because you will be connecting to many different networks, Windows stores network profiles of each network using the network’s DNS suffix and gateway MAC address. These are stored in HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles and HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Signatures as Managed (domain) and Unmanaged (non-domain) networks.
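A read-only look at those stored profiles, added here as an example (not from the original post or from Kurt Roggen’s blog): it enumerates the Profiles key quoted above and decodes the Category value into the location type. The mapping 0 = Public, 1 = Private, 2 = Domain is what Windows stores there; run it elevated so every subkey is readable.

```powershell
# Added example, not from the original post. Lists the saved network profiles
# from the NetworkList\Profiles key and decodes their Category value.
$profilesKey   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles'
$categoryNames = @{ 0 = 'Public'; 1 = 'Private'; 2 = 'Domain' }

function Get-StoredNetworkProfile {
    Get-ChildItem $profilesKey | ForEach-Object {
        $p = Get-ItemProperty $_.PSPath
        [PSCustomObject]@{
            Guid        = $_.PSChildName
            ProfileName = $p.ProfileName
            Description = $p.Description
            Category    = $categoryNames[[int]$p.Category]
            Managed     = [bool]$p.Managed     # 1 = domain (managed) network
        }
    }
}

# Profiles that ended up Public are the ones whose firewall profile blocks inbound traffic
Get-StoredNetworkProfile | Sort-Object Category, ProfileName | Format-Table -AutoSize

# Which of them is active right now (Windows 8 / Server 2012 and later; NetConnection module)
Get-NetConnectionProfile | Select-Object Name, InterfaceAlias, NetworkCategory
```

Comparing the stored Category against Get-NetConnectionProfile shows whether a crossover link like the cluster heartbeat above was classified Public, which is the case the forum post explains cannot simply be overridden by hand on Server 2008.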