Centroid.EU Blog


I shaved my beard off

August 29th, 2019

Today I got shaving foam and razor at the supermarket. Then in the late morning I shaved it all off. There is a red area on my chin, I may have to seek a skin doctor if this doesn't naturally go away. It was probably the area that I had dandruff on. It won't be snowing on my shirts anymore.


Server replaced after a 48 hour downtime

August 29th, 2019

My provider has replaced the server (except harddrives). I am so sorry for the downtime, but we have more RAM now and overall a speedier server. Hopefully the problem was not software related, but we couldn't even get on console of the old one it was frozen up every time. Time will tell.


Longer outage on centroid.eu

August 28th, 2019

I just restored the computer, the provider put new RAM in it. Let's hope it stays up now. Sorry for the inconvenience; according to my records the box was down since 9:01PM yesterday.


Downtime on centroid.eu

August 27th, 2019

Sorry for any inconvenience this has caused. The server went down at 9:47AM and was restored at 12:49PM in the afternoon, a three-hour outage.


Safari is scary

August 24th, 2019

I was browsing Wetter.com for the weather stats and it automatically downloaded something (a supposed anti-virus) into my Downloads directory. I'm reinstalling my Mac OS come Monday. What a PITA (pain in the ass). Oh yes, I immediately turned off JavaScript.


A week of synfloods

August 24th, 2019

Since about the 16th I've noticed a subtle synflood emanating from up to 160 /24's on mostly cloud providers. For the last day or so this has gone down to a trickle and I assume it's only testing the water or so.

I learned a lot about netfilter and pf this week. For one, in pf when you use OS fingerprinting there are no statistics in pfctl -srules -vv for fingerprinted packets. Finally I applied the synproxy rules on my OpenBSD servers with:

pass in quick on em0 proto tcp from any to $kite_ip port { 53 }  synproxy state

On Linux the story is a bit different. At first I applied the hosts that were synflooding me with a small script, such as this:

#!/bin/sh
# For every peer currently in SYN_RECV, take its /24 and, unless that prefix is
# already listed in the SYNNERS chain, drop its TCP traffic to ports 53, 80 and 443.
# Assumes the SYNNERS chain exists and is jumped to from INPUT.

netstat -na | awk '/SYN_REC/ {print $5}' |
    awk -F: '{ split($1, b, "."); printf("%s.%s.%s.0/24\n", b[1], b[2], b[3]); }' |
    sort -u |
        while read i; do
                # -F matches the prefix literally, so the dots are not regex wildcards
                if ! iptables -L -v -n | awk '{ print $8 }' | grep -qF -- "$i"; then
                        iptables -A SYNNERS --proto tcp -s "$i" --dport 53 -j DROP
                        iptables -A SYNNERS --proto tcp -s "$i" --dport 80 -j DROP
                        iptables -A SYNNERS --proto tcp -s "$i" --dport 443 -j DROP
                fi
        done

exit 0

But that can only go so far. I then analysed the SYN flood packets more closely and immediately noticed that the window size was 29200 bytes. This is the window size of some Linuxes. But they differ in that this synflood did not set any TCP options (making it a 1st generation exploit), which makes it easy to filter. I have made another script to install the filters:

# Rebuild the INPUT and NORMALIP rules; the NORMALIP and SYNNERS chains must already exist
iptables -F INPUT
iptables -F NORMALIP
# IHL == 5 (a 20-byte IPv4 header with no options): hand the packet to NORMALIP
iptables -A INPUT --proto tcp --dport 53 -m u32 --u32 "0&0x0f000000>>24=5" -j NORMALIP
# IP total length 0x28 (40 bytes: bare IP + TCP headers) and TCP window 0x7210 (29200): drop
iptables -A NORMALIP --proto tcp --dport 53 -m u32 --u32 "0&0x000000ff=0x28 && 32&0x0000ffff=0x7210" -j DROP
# Everything else on port 53 still passes through the per-/24 SYNNERS chain
iptables -A INPUT --proto tcp --dport 53 -j SYNNERS

What the first u32 rule does is find "normal" IPv4 headers that carry no options and are thus 20 bytes long. Those packets traverse into the NORMALIP chain, where an IP total length of 40 bytes and a window size of 29200 bytes are checked. For most Linuxes that use a window size of 29200 bytes this is fine, because they add the TCP MSS option on the SYN when connecting, which pushes their IP length beyond 40 bytes.
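To make the two u32 checks concrete, here is an added Python example (not code from the post) that reproduces them on constructed raw IPv4/TCP packets: a bare flood SYN, a normal Linux SYN carrying the MSS option, and a SYN with IP options that never reaches NORMALIP. It also counts SYN_RECV peers per /24 the way the first shell script's awk pipeline does. The addresses, packet bytes and netstat lines are all constructed (TEST-NET ranges), and checksums are left at zero because the filter never inspects them.

```python
import struct
from collections import Counter

# Values mirrored from the iptables u32 rules above
IHL_NO_OPTIONS = 5            # 5 x 32-bit words: a 20-byte IPv4 header without options
BARE_SYN_LEN_LOW_BYTE = 0x28  # low byte of IP total length 40 (20 IP + 20 TCP, no options)
FLOOD_WINDOW = 0x7210         # 29200, the TCP window size the flood used


def ipv4_ihl(pkt):
    """Header length field: low nibble of byte 0, i.e. u32 '0&0x0f000000>>24'."""
    return pkt[0] & 0x0F


def ipv4_total_length(pkt):
    """16-bit total length at IP offset 2."""
    return struct.unpack("!H", pkt[2:4])[0]


def tcp_window(pkt):
    """TCP window: 14 bytes into the TCP header, i.e. IP offset 34 when IHL is 5,
    which is what the u32 rule's '32&0x0000ffff' reads."""
    off = ipv4_ihl(pkt) * 4 + 14
    return struct.unpack("!H", pkt[off:off + 2])[0]


def matches_flood_signature(pkt):
    """True when both u32 rules match, i.e. the packet would be dropped.
    The second rule compares only the low byte of the total length, and that
    quirk is reproduced here rather than checking the full 16-bit value."""
    if ipv4_ihl(pkt) != IHL_NO_OPTIONS:          # INPUT rule: no IP options
        return False
    return ((ipv4_total_length(pkt) & 0xFF) == BARE_SYN_LEN_LOW_BYTE   # NORMALIP rule
            and tcp_window(pkt) == FLOOD_WINDOW)


def build_syn(src, dst, sport, dport, window, tcp_options=b"", ip_options=b""):
    """Construct a raw IPv4/TCP SYN for testing (constructed data, checksums 0).
    Option blobs must be multiples of 4 bytes."""
    ihl = 5 + len(ip_options) // 4
    data_offset = 5 + len(tcp_options) // 4
    total_len = ihl * 4 + data_offset * 4
    ip_hdr = struct.pack("!BBHHHBBH4s4s",
                         (4 << 4) | ihl, 0, total_len, 0, 0x4000, 64, 6, 0,
                         bytes(int(o) for o in src.split(".")),
                         bytes(int(o) for o in dst.split("."))) + ip_options
    tcp_hdr = struct.pack("!HHIIBBHHH",
                          sport, dport, 0, 0, data_offset << 4, 0x02, window, 0, 0)
    return ip_hdr + tcp_hdr + tcp_options


def synrecv_prefixes(netstat_lines):
    """Count peers in SYN_RECV per /24, like the first shell script's awk pipeline."""
    counts = Counter()
    for line in netstat_lines:
        f = line.split()
        if len(f) < 6 or f[5] != "SYN_RECV":
            continue
        ip = f[4].rsplit(":", 1)[0]          # foreign address, port stripped
        a, b, c, _ = ip.split(".")
        counts["%s.%s.%s.0/24" % (a, b, c)] += 1
    return counts


# Constructed sample traffic (TEST-NET addresses)
FLOOD_SYN = build_syn("203.0.113.7", "192.0.2.1", 4444, 53, 29200)      # bare SYN: dropped
LINUX_SYN = build_syn("198.51.100.9", "192.0.2.1", 40000, 53, 29200,
                      tcp_options=b"\x02\x04\x05\xb4")                  # MSS 1460: length 44, passes
IPOPTS_SYN = build_syn("198.51.100.9", "192.0.2.1", 40001, 53, 29200,
                       ip_options=b"\x01\x01\x01\x01")                  # IHL 6: never reaches NORMALIP

NETSTAT_SAMPLE = [
    "tcp        0      0 192.0.2.1:53      203.0.113.7:4444    SYN_RECV",
    "tcp        0      0 192.0.2.1:53      203.0.113.8:4445    SYN_RECV",
    "tcp        0      0 192.0.2.1:53      198.51.100.9:40000  SYN_RECV",
    "tcp        0      0 192.0.2.1:22      198.51.100.9:40001  ESTABLISHED",
]

if __name__ == "__main__":
    for name, pkt in (("flood", FLOOD_SYN), ("linux+mss", LINUX_SYN), ("ip-options", IPOPTS_SYN)):
        verdict = "drop" if matches_flood_signature(pkt) else "pass"
        print(name, "len", ipv4_total_length(pkt), "window", tcp_window(pkt), verdict)
    print(dict(synrecv_prefixes(NETSTAT_SAMPLE)))
```

The low-byte comparison in matches_flood_signature is deliberate: the u32 expression 0&0x000000ff=0x28 only looks at the least significant byte of the total length, so a 296-byte packet (0x0128) would satisfy it too. That is harmless for SYNs to port 53 but worth knowing when reusing the rule elsewhere.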

While this was a great way to spend time with colleagues and friends on IRC (because they had synfloods as well), I got little delphinusdnsd programming done this week (which I had originally planned). Oh well.. maybe next week!

As far as the synflooder goes, it's hard to know what it is. I suspect it's a worm that uses Spectre to break into other cloud hosts and then installs a synflooder. But it's only a guess.


EuroBSDCon 2019 in Lillehammer, Norway

August 18th, 2019

EuroBSDCon is in almost exactly one month, in beautiful Norway. Unfortunately I won't be going. But I recommend anyone who thinks they are somewhat good with the BSDs to go meet the people that frequent BSDCons. A lot can still be learned, and getting together in Norway makes a nice setting.


Ice Polar caps an endangered thing

August 18th, 2019

Slashdot turned off its anonymous coward posting, so I'm posting this here. Elon wake up! Polar caps endangered.


RIP MrBill

August 16th, 2019

The news has reached me that mrbill died. Sad. 1990's Efnet IRC is where we all sat and chatted. Best of times! You can compare now with then and back then everyone was just ok. I'm sure someone has logs of those days, but it was one thing to read logs and another to have a socket connected and view things in real time.


Laniakea and the great attractor

August 13th, 2019

In conversation on IRC today I likened the universe to prairie grass. Going back to YouTube I then re-found this good clip (youtube.com), 4 min. Enjoy.

