<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Sector 930 &#187; networking</title>
	<atom:link href="http://www.sector930.com/blog/tag/networking/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.sector930.com/blog</link>
	<description>EVERYBODY WRITES, NOBODY QUITS.</description>
	<lastBuildDate>Fri, 10 Sep 2010 03:45:27 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.0.1</generator>
		<item>
		<title>Bad Xbox Customer Support, Bad!</title>
		<link>http://www.sector930.com/blog/2009/08/24/bad-xbox-customer-support-bad/</link>
		<comments>http://www.sector930.com/blog/2009/08/24/bad-xbox-customer-support-bad/#comments</comments>
		<pubDate>Mon, 24 Aug 2009 19:40:17 +0000</pubDate>
		<dc:creator>Joseph</dc:creator>
				<category><![CDATA[930posts]]></category>
		<category><![CDATA[customer support]]></category>
		<category><![CDATA[fail]]></category>
		<category><![CDATA[Microsoft]]></category>
		<category><![CDATA[networking]]></category>
		<category><![CDATA[xbox]]></category>

		<guid isPermaLink="false">http://www.sector930.com/blog/?p=975</guid>
		<description><![CDATA[Microsoft, you have ONCE AGAIN proven that your ability to grind my gears is truly infinite. Submitted for your approval&#8230;one Xbox 360 with a defective wired NIC.  I knew this fact as soon as I began troubleshooting his console, because, &#8230; <a href="http://www.sector930.com/blog/2009/08/24/bad-xbox-customer-support-bad/">Continue reading <span class="meta-nav">&#8594;</span></a>]]></description>
			<content:encoded><![CDATA[<p>Microsoft, you have ONCE AGAIN proven that your ability to grind my gears is truly infinite.</p>
<p><img class="aligncenter size-full wp-image-976" title="grinds-my-gears1" src="http://www.sector930.com/blog/wp-content/uploads/2009/08/grinds-my-gears1.jpg" alt="grinds-my-gears1" width="500" height="379" /></p>
<p>Submitted for your approval&#8230;one Xbox 360 with a defective wired NIC.  I knew this fact as soon as I began troubleshooting his console, because, great gaming consoles though they may be, the quality with which they are assembled (as well as the parts used therein) is <a href="http://blog.seattlepi.com/microsoft/archives/176741.asp">abysmal</a>.</p>
<p>That&#8217;s okay.  We already know that your console&#8217;s hardware blows.  I have an Xbox 360, and I love it.  I&#8217;d buy another one.  Of course, it&#8217;s been collecting dust in my sock drawer for 3 months, because all my recent gaming has been on my MacBook Pro, but regardless, my Xbox 360 retains a special place in my heart.  Probably because I waited in line all fucking night for it.  In November 2005.  In the freezing rain.  HAPPY TIME!</p>
<p>But I digress.  The reason for my (current) displeasure with Microsoft lies in the solution provided by an Xbox 360 phone rep (CSR) when asked about the aforementioned wired NIC.</p>
<p>I am a university residential network technician.  Basically, I fix shit when it breaks.  When I was called out the other day to investigate an Xbox 360 that wasn&#8217;t connecting to the network, I knew, immediately, that the problem was not with the network, but with the NIC on the Xbox.  When an Xbox gets a network connection, much like in Windows, the Xbox OS will tell you that the physical connection is active.  The connection was working on this gentleman&#8217;s laptop, on the same port, with multiple cables.  Xbox?  Multiple cables?  Nada.  No link light, no connection, nothing on the switch.  Bad wired Ethernet.</p>
<p>I am okay with CSRs assuming complete customer ignorance.  I sat and listened while my customer worked with the CSR, and went through all of the same troubleshooting steps I went through, also to no avail.  I began to assume that the CSR was going to go ahead and authorize the repair on the Xbox, when he made one last suggestion.</p>
<p>&#8220;Sir, do you have a PC nearby?&#8221;<br />
&#8220;Yes, we tried connecting it to the same port, and it was working fine.&#8221;<br />
&#8220;Can you go to your PC please and tell me the operating system?&#8221;</p>
<p>At this point, I did the raise-one-eyebrow thing.  I&#8217;m pretty good at it.</p>
<p>&#8220;Sir,&#8221; the CSR said, &#8220;can you please open your command prompt?&#8221;</p>
<p>At this point, I knew exactly what the &#8220;solution&#8221; was going to be, and sat and watched, in horror, as the CSR explained to my customer how to spoof his PC&#8217;s MAC address onto his Xbox, on my network.  I have multiple problems with this solution.</p>
<p>1: The solution didn&#8217;t work.  In fact, the computer working on the same Ethernet port that the Xbox was not getting a connection on should&#8217;ve been a red flag to the CSR, indicating that the problem was with the Xbox.  They call it the &#8220;physical&#8221; layer because you know there is something &#8220;physically&#8221; wrong with the device when it doesn&#8217;t show a &#8220;physical&#8221; connection, capice?</p>
<p>2: Our network, like many university networks, uses MAC authentication and bypassing, and trying to &#8220;fool&#8221; it causes problems.  Our equipment does not take kindly to multiple devices acting like one device, and our CSRs are not trained, nor should they be, to look for this issue if someone is being continually kicked off the network because our management server doesn&#8217;t know what the fuck, which brings me to my next and most important point.</p>
<p>3: The user doesn&#8217;t know what they&#8217;re doing.  There was no explanation on the part of Microsoft on what the user was actually doing with their actions.  If the user doesn&#8217;t understand what they&#8217;re doing in the first place, there&#8217;s no way they&#8217;re going to know how to undo it, which creates more problems than it solves.  This &#8220;solution&#8221; is actually a terrible, terrible customer service philosophy.</p>
<p>Let&#8217;s say, for example, one of my customers called Microsoft support, not knowing for some reason that they can register their device online, or call our call center, and the CSR led him through the spoofing process.  Great!  It works!  For&#8230;a few minutes.  Then he calls us because he keeps getting kicked off, and we look like crap because our CSRs can&#8217;t figure out the problem, because they&#8217;re not trained to, and the customer doesn&#8217;t know or understand what he did, and ends up even more frustrated.</p>
<p>So now both companies look bad, and he has a broken Xbox, which, I think, is the price of putting a band-aid on a bullet hole.</p>
<p>4: Maybe it&#8217;s the &#8220;networking guy&#8221; part of me, but telling students to spoof their MAC addresses generally doesn&#8217;t sit right with me.  If this is really what Microsoft thinks about network security, why should I buy their products?</p>
<p>Or, maybe I&#8217;m just becoming paranoid.  Fuck it, I&#8217;m moving to Wyoming.  NOBODY CAN GET ME THERE.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.sector930.com/blog/2009/08/24/bad-xbox-customer-support-bad/feed/</wfw:commentRss>
		<slash:comments>3</slash:comments>
		</item>
		<item>
		<title>That Apache-HTTP-DoS Thing.</title>
		<link>http://www.sector930.com/blog/2009/06/24/that-apache-http-dos-thing/</link>
		<comments>http://www.sector930.com/blog/2009/06/24/that-apache-http-dos-thing/#comments</comments>
		<pubDate>Wed, 24 Jun 2009 21:50:58 +0000</pubDate>
		<dc:creator>Edwin</dc:creator>
				<category><![CDATA[930posts]]></category>
		<category><![CDATA[The more you know...]]></category>
		<category><![CDATA[Tips and Tutorials]]></category>
		<category><![CDATA[apache]]></category>
		<category><![CDATA[dos]]></category>
		<category><![CDATA[http]]></category>
		<category><![CDATA[iptables]]></category>
		<category><![CDATA[networking]]></category>

		<guid isPermaLink="false">http://www.sector930.com/blog/?p=787</guid>
		<description><![CDATA[This month marks the beginning of weeks of boredom for millions of pasty teenagers everywhere. To mark this event, some a-hole released an easy-to-use script that makes it trivially easy to bring down an Apache-based website. This script, called &#8220;Slowloris,&#8221; &#8230; <a href="http://www.sector930.com/blog/2009/06/24/that-apache-http-dos-thing/">Continue reading <span class="meta-nav">&#8594;</span></a>]]></description>
			<content:encoded><![CDATA[<div class="mceTemp mceIEcenter" style="text-align: left;">This month marks the beginning of weeks of boredom for millions of pasty teenagers everywhere. To mark this event, some a-hole released an easy-to-use script that makes it trivially easy to bring down an Apache-based website. This script, called &#8220;<a href="http://ha.ckers.org/blog/20090617/slowloris-http-dos/">Slowloris</a>,&#8221; takes advantage of a fundamental mechanic of Apache. This is not a hack. When run, it opens as many HTTP connections as possible.  Apache servers limit the number of possible connections to prevent runaway usage of system resources. This tool opens as many connections as possible, preventing legitimate users from connecting.</div>
<div id="attachment_794" class="wp-caption aligncenter" style="width: 310px"><img class="size-medium wp-image-794" title="apache" src="http://www.sector930.com/blog/wp-content/uploads/2009/06/apache-300x225.jpg" alt="apache" width="300" height="225" /><p class="wp-caption-text">Note: Not IIS <img src='http://www.sector930.com/blog/wp-includes/images/smilies/icon_sad.gif' alt=':-(' class='wp-smiley' /> </p></div>
<p>In most large-scale production environments, there is some sort of load balancing or proxying going on, which will prevent the site from becoming completely unreachable. Small- and medium-scale environments will probably not have this. While there are some options for lessening the impact of this attack, none are entirely effective at preventing it due to its nature. (You can read about those options <a href="http://isc.sans.org/diary.html?storyid=6613">here</a>.) While this idea is not original, the way it was packaged is bad news. This script is kind of a big deal for the following reasons:</p>
<ul>
<li>Pretty much all standard Apache installations are vulnerable</li>
<li>There is no patch, as it takes advantage of how Apache is supposed to work</li>
<li>It&#8217;s hella easy to use (enough so that &#8220;script kiddies&#8221; can use it.)</li>
<li>One person on one laptop can bring down a website. No botnet required!</li>
</ul>
<p>The original script is written in Perl. There is also a Python implementation called &#8220;PyLoris&#8221; available <a href="http://motomastyle.com/pyloris-a-python-implementation-of-slowloris/">here</a>. This is a classic denial-of-service attack running over HTTP against Apache. This means it will not affect SSH or FTP or whatever else you are running on that server. For the most part, it won&#8217;t even eat up system resources too much. For reasons beyond my knowledge, this does not affect Microsoft&#8217;s web server, IIS.</p>
<p>HOWEVER:</p>
<p>Any server running iptables (linux) can add the following lines:</p>
<pre>iptables -I INPUT -p tcp --dport 80 -m state --state NEW -m recent --set</pre>
<pre>iptables -I INPUT -p tcp --dport 80 -m state --state NEW -m recent --update --seconds 60 --hitcount 20 -j DROP</pre>
<p>These two lines drop any new connections after more than 20 connections have been made by the same source to port 80 within the last 60 seconds. These are pretty arbitrary numbers, and could take some tuning, but they prevent this attack from bringing down a website. (At least it prevents one person from doing it.)</p>
<p>There is also a way to limit the number of sockets per IP in Apache, but I do not know how. That would probably be a better solution than the one proposed above. If someone knows how to do it, please add to the comments.</p>
<p>A NOTE: It rankles me when people use the term &#8220;<a href="http://en.wikipedia.org/wiki/Script_kiddie">script kiddie</a>.&#8221; This term is extremely dismissive, and is used mostly by crotchety IT professionals who forgot what it&#8217;s like to have three months off. I understand that there is a difference between &#8220;script kiddies&#8221; and &#8220;teenager hackers&#8221; but for the most part, the two are lumped together. People learn by looking at the examples of others. These kids will use these scripts this summer, but next summer, or the year after, they will be writing them, and making even more work for these same &#8220;hardened&#8221; IT &#8220;professionals.&#8221; So, bored teenager: go nuts. Have fun. Learn as much as you can. Just don&#8217;t be a douche about it.</p>
<p>ANOTHER NOTE: Yes, in case you are wondering, I do make the &#8220;quotations gesture&#8221; while I talk &#8220;IRL.&#8221;</p>
<p>ONE FINAL NOTE: I fully support people writing tools like this. There is nothing wrong with a little more awareness. I do find the timing amusing though.</p>
<p>If you have anything to add, or you find something wrong with my solution, please feel free to leave a comment so that I can take your ideas as my own.</p>
<p>P.S. I tried hard, but I couldn&#8217;t find any other suitable images to put here. Sorry.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.sector930.com/blog/2009/06/24/that-apache-http-dos-thing/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>3rd Party Router Firmware: A Brief Guide</title>
		<link>http://www.sector930.com/blog/2009/06/17/3rd-party-router-firmware-a-brief-guide/</link>
		<comments>http://www.sector930.com/blog/2009/06/17/3rd-party-router-firmware-a-brief-guide/#comments</comments>
		<pubDate>Thu, 18 Jun 2009 01:13:09 +0000</pubDate>
		<dc:creator>Edwin</dc:creator>
				<category><![CDATA[930posts]]></category>
		<category><![CDATA[Projects]]></category>
		<category><![CDATA[Tips and Tutorials]]></category>
		<category><![CDATA[firmware]]></category>
		<category><![CDATA[networking]]></category>
		<category><![CDATA[router]]></category>
		<category><![CDATA[The K'nexus]]></category>

		<guid isPermaLink="false">http://www.sector930.com/blog/?p=727</guid>
		<description><![CDATA[There is a point in many a nerds&#8217; life where he or she finds themselves constrained by their home router. For the confused, it probably looks like this: This little devices sits between your cable modem and your computer. It &#8230; <a href="http://www.sector930.com/blog/2009/06/17/3rd-party-router-firmware-a-brief-guide/">Continue reading <span class="meta-nav">&#8594;</span></a>]]></description>
			<content:encoded><![CDATA[<div class="mceTemp mceIEcenter" style="text-align: left;">There is a point in many a nerds&#8217; life where he or she finds themselves constrained by their home router. For the confused, it probably looks like this:</div>
<div id="attachment_728" class="wp-caption aligncenter" style="width: 310px"><img class="size-medium wp-image-728" title="wireless-router" src="http://www.sector930.com/blog/wp-content/uploads/2009/06/wireless-router-300x272.jpg" alt="Look familiar?" width="300" height="272" /><p class="wp-caption-text">Look familiar?</p></div>
<p>This little device sits between your cable modem and your computer. It basically is your &#8220;network.&#8221; Most people just plug them in, and configure only as much as it takes for it to work. These devices are, at a basic level, computers themselves, and as such have an &#8220;operating system&#8221; that provides interfaces for you to tell the hardware what to do (like all operating systems.) Usually, you are stuck with the OS that shipped with the device.</p>
<p>Cut to June, 2003, when some neckbeards on the Linux Kernel Mailing List discovered that Linksys had included components of the Linux operating system in the firmware of their router. Due to the way those borrowed components were licensed, Linksys was legally obligated to release the entire source code for that OS. By studying this code, developers were able to create new operating systems that ran on the same hardware. Several projects aiming to replace the often-buggy stock operating system firmware sprang into existence, all adding new features. The dust has settled since then, and there are many mature firmware flavors to choose from.  I will focus on three, because I&#8217;ve used two, and Sam is currently using the third.</p>
<p><a href="http://www.dd-wrt.com/dd-wrtv3/index.php"><strong>DD-WRT</strong></a><strong>:</strong> I had pretty good luck with this one, and have used it on my primary router. I was able to play Diablo 2 with some VPN&#8217;ed in while talking to them on Skype with no problems, although I wasn&#8217;t able to do anything else while bittorrent was running (this was probably due to limitations of the hardware, i.e. it ran at 200 MHz). The DD-WRT project itself has weird issues with trying to make money, and their last stable release was almost a year ago. That being said, it runs on a lot of different consumer-grade routers, and it runs pretty well.</p>
<p><a href="http://openwrt.org/"><strong>OpenWRT</strong></a><strong>:</strong> &#8220;Linux is free if your time is worth nothing.&#8221; That saying sums up my experience with OpenWRT pretty well. Getting this installed and running was a pain in the ass. That&#8217;s not saying it isn&#8217;t a good product, but the project itself was in the process of un-forking when I looked at it, and I found the whole thing generally confusing. I was new to the Linux scene when I tried it, and was barely able to get it working. I have not looked at it in a couple years, so maybe it has improved. The OpenWRT project also supports a side project called <a href="http://www.x-wrt.org/">X-Wrt</a> which aims to improve the usability of OpenWRT.</p>
<p><a href="http://www.polarcloud.com/tomato"><strong>Tomato</strong></a><strong>:</strong> I had moved beyond consumer devices by the time I discovered Tomato. But from what I read and heard from Sam, this would probably be my first choice in upgrading my router to new firmware. The most recent update was less than a month ago. As I have never used it, I asked Sam for his thoughts:</p>
<blockquote><p><strong>Sam here.</strong> I&#8217;ve been using Tomato for quite a while now, on a WRT54GL (which Edwin gave to me, no less). It has served me well. I don&#8217;t think I&#8217;ve ever had to power cycle the router. The programmers did a great job, especially with the web interface (think AJAX gizmos).</p>
<p>Some of my favorite features are the usual port forwarding, static DNS, spiffy real-time bandwidth graphs, and tables of daily/weekly/monthly bandwidth usages. You also get SSH and telnet access. You can even write custom scripts that execute when you press the Cisco button on the front of the router.</p>
<p>There&#8217;s a lot of other stuff that I have no clue about. My only complaint is that the firmware is updated pretty frequently, yet there is no auto notification of any updates.</p>
<p>There&#8217;s definitely enough features here to satisfy even the most hardcore network nerds. But it also works for someone like me, who just wants more than the commercial firmware.</p></blockquote>
<p>There are a couple other distributions of home router software that deserve mention. The aforementioned firmwares run on hardware people are already using as routers. But if you need something with a little more horsepower, you could recycle an old PC and run m0n0wall (or its derivative, pfSense) on it.</p>
<p><strong><a href="http://m0n0.ch/wall/">m0n0wall</a>:</strong> A modified barebones version of FreeBSD with a slick web interface. It provides an amazing amount of features, including VPN and QoS. And as it&#8217;s FreeBSD, it can run on probably any older computer you have just lying around, or a specially designed system such as the <a href="http://www.pcengines.ch/alix.htm">PCengines ALIX</a>. The m0n0wall platform has also been used as a base for other projects, such as <a href="http://www.freenas.org/">FreeNAS</a>, <a href="http://www.askozia.com/pbx/">AskoziaPBX</a>, and&#8230;.</p>
<p><strong><a href="http://www.pfsense.com/">pfSense</a>:</strong> A modified version of m0n0wall, and my current favorite. Not intended as a competitor to m0n0wall, it boasts more features, as well as a much larger footprint. I would suggest that you start with m0n0wall and upgrade to pfSense if you feel the need.</p>
<p>NOTE: The first three flavors mentioned are intended to run on your standard home router, and include immediate support of the wireless functionality you expect out of your home router. m0n0wall and pfSense are intended to run on actual computers, so other arrangements will have to be made to add wireless, such as adding a separate wireless access point behind the router.</p>
<p>I&#8217;m not going to give instructions here on upgrading your home router. Each project mentioned has extensive documentation on their website, along with a hardware compatibility list and installation instructions.</p>
<p>Some warnings: Installing new firmware on a home router can be a marginally harrowing process, involving TFTP, blinking lights, and properly timed hard resets. Also, there is potential to completely brick the device (render the device as useful to you as a brick.) So if you are curious about any of these, spend some time on their wikis and forums. Make sure your home router is supported, or, better yet, get a new home router based on the project community&#8217;s recommendations. This way, if you mess up, you will still have internet access with your old router.</p>
<h2 style="text-align: center;"><strong>My Setup: &#8220;The K&#8217;nexus&#8221;</strong></h2>
<div id="attachment_739" class="wp-caption aligncenter" style="width: 490px"><img class="size-full wp-image-739" title="knexsus" src="http://www.sector930.com/blog/wp-content/uploads/2009/06/knesus.jpg" alt="This took me 25 minutes in Gimp." width="480" height="640" /><p class="wp-caption-text">This took me 25 minutes in Gimp.</p></div>
<p>On a completely unrelated note, if anyone with computer graphics skillz would like to join our team, please do so. There is no application process. You are now a member. Get to work.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.sector930.com/blog/2009/06/17/3rd-party-router-firmware-a-brief-guide/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
	</channel>
</rss>
