January 2013 – The ongoing struggle

Recently, someone fairly well known in certain circles committed suicide. People commit suicide all the time of course, but this person could fairly be described as a form of genius, a polymath, hero to many. Since their sphere of influence was (is!) strongly Internet-based, the net has been alive for weeks with people feeling the need to comment upon it.

I haven’t made a comment upon it because I didn’t know this person. I knew of them, of many of their great works and deeds and philosophies. Didn’t agree with some of them, but there you go. Anyone who knew anything about this person knows that the world is much worse off to not have them in it, so no one needs to hear that from me. Speaking about their circumstances specifically though is something I still don’t feel comfortable about. It feels to me a bit too much like some sort of leveraging of grief in order to just make statements about oneself.

Yes, I do realise that by just saying that stuff I have passed comment and now you all know something of my politics and beliefs so I’m really cool for how much I care right? Well, I couldn’t avoid it as otherwise it ends up coming across like, “I don’t care that they died; I didn’t know them.”

This particular incident though, being fodder for Internet discussion by persons not closely emotionally tied to the deceased, has lead to me now seeing quite a few people expressing views like, “don’t hero-worship someone who killed themselves, they’re weak and selfish.” Or, “I’m so disappointed in them that they felt this was necessary.” Like, publicly expressing them, for the world to see. Some influential people.

I still, weeks later, can’t quite put into words how much I am disgusted with these sorts of comments, or even exactly why I am. This is my best attempt so far and it’s not really going very well is it?

This is not about the individual concerned; these are views that some people express whenever there is a suicide that is notable enough to be a topic of discussion, but emotionally remote enough from them that they feel able to “speak their minds.”

There is just some shocking level of arrogance involved when you say that someone was weak, selfish, acted shamefully, disappointed you (YOU, for fuck’s sake!) by ending their own life.

I don’t entirely (thankfully) know what goes through someone’s mind when they decide to end it all but I am pretty sure that they are in such a bad place that any thought of what other people will think has long ago ceased to have any positive effect and probably has the opposite instead.

I don’t know how to stop people killing themselves through despair. I don’t know what the best strategies are. But please just stop acting like suicidal people feel they have some sort of choice, that if they would just not let everyone down so much it would go better for them. I can’t begin to imagine that helps.

Their action must have come from a place where they truly believe no choice exists, and if you can’t sympathise with that then please at least maintain a respectful silence.

A few days ago we unfortunately had some abuse reports regarding customers with DNS resolvers being abused in order to participate in a distributed denial of service attack.

Amongst other issues, DNS servers which are misconfigured to allow arbitrary hosts to do recursive queries through them can be used by attackers to launch an amplified attack on a forged source address.

I try to scan our address space reasonably often but I must admit I hadn’t done so for some time. I kicked off another scan and found one more customer with a misconfigured resolver, which has since been fixed.

After mentioning that I would do a scan I was asked how I do that.

I use a Perl script I’ve hacked together over the last couple of years. I took a few minutes to tidy it up and add a small amount of documentation (run it with --man to read that), so here it is in case anyone finds it useful:

Update: This code has now been moved to GitHub. If you have any comments, problems or improvements please do submit them as an issue and I will get to it much quicker. The gist below is now out of date so please don’t use it.

#!/usr/bin/perl use warnings; use strict; use Net::IP; use Net::DNS; use IO::Select; use Getopt::Long; use Pod::Usage; my $verbose = 0; my $help = 0; my $man = 0; my $at_once = 100; my $retries = 2; my $timeout = 1; my $fqdn = 'www.xyzzy.net'; GetOptions( 'verbose|v' => \$verbose, 'help|h|?' => \$help, 'man' => \$man, 'queries|q=i' => \$at_once, 'retries|r=i' => \$retries, 'timeout|t=i' => \$timeout, 'fqdn|f=s' => \$fqdn, ) or pod2usage(2); pod2usage(1) if ($help); pod2usage(-exitstatus => 0, -verbose => 2) if ($man); my %state; my $range = $ARGV[0]; if (not defined $range) { print STDERR "Expected IP range as first argument\n"; pod2usage(2); } if (! sanity_check($fqdn)) { print STDERR "Can't seem to resolve '$fqdn' from here." . " Does it still exist and is the local nameserver working? Pick" . " another FQDN with --fqdn if you need to.\n"; exit 1; } my $ip = new Net::IP($range); if (not defined $ip) { print STDERR "That ($range) doesn't look like a valid IP range\n"; pod2usage(2); } my $sel = IO::Select->new; my $queried = 0; my $start = time(); logger("Launching queries against " . $ip->print . ", $at_once at a time..."); $ip = launch_queries($ip, $sel, $at_once); if ($verbose) { logger("Got " . $sel->count . " queries in flight..."); } my @ready; # All the sockets we're waiting on are kept in %state. while (keys %state) { @ready = $sel->can_read(2); if (@ready) { # There's some sockets ready to read. foreach my $sock (@ready) { handle_result($sock); $queried++; # Now it's been read, get rid of it. $sel->remove($sock); $sock = undef; if ($verbose) { logger((scalar keys %state) . " queries remain"); } } } else { # There's nothing ready to read, so do a check to see if any of them # have been waiting around for too long, in which case get rid of them. my $now = time(); foreach my $sock ($sel->handles) { if ($now - $state{$sock}{when} > ($timeout * 2)) { my $their_ip = $state{$sock}{ip}; if ($verbose) { logger("Query for $their_ip timed out"); } $queried++; $state{$sock}{dns} = undef; $sel->remove($sock); delete $state{$sock}; } } if ($verbose) { logger("Timed out waiting for DNS results - " . (scalar keys %state) . " queries remain"); } } # Launch some more queries if necessary. $ip = launch_queries($ip, $sel, $at_once); } logger("$queried IPs queried in " . (time() - $start) . "s"); exit 0; # Launch DNS queries. # # ip - Net::IP object to work on # sel - IO::Select set to add sockets to when the query is launched # at_once - How many queries to have in flight at once sub launch_queries { my ($ip, $sel, $at_once) = @_; while ($ip and ($sel->count < $at_once)) { check_resolver($ip, $sel); $ip++; } return $ip; } # Launch a query against a single IP address. # # ip - the Net::IP object to test against # sel - the IO::Select set to add the socket to sub check_resolver { my ($ip, $sel) = @_; logger("Checking " . $ip->ip . "...") if ($verbose); my $dns = new Net::DNS::Resolver; # Use only this nameserver. $dns->nameservers($ip->ip); # Do recurse. $dns->recurse(1); # Ignore any search list. $dns->dnsrch(0); # Don't append anything to the end. $dns->defnames(0); # Allow 1 second retransmit. $dns->retrans($timeout); # Allow 2 retries. $dns->retry($retries); # Go. my $sock = $dns->bgsend($fqdn, 'A'); # Record the IP address, Net::DNS::Resolver object and starting time # against this socket. $state{$sock}{ip} = $ip->ip; $state{$sock}{dns} = $dns; $state{$sock}{when} = time(); $sel->add($sock); } # Read a DNS response from a socket that is ready. # # sock - the socket to read. sub handle_result { my ($sock) = @_; if (not exists $state{$sock}) { die "Socket $sock somehow is not present in our state hash"; } # Look up the IP address and Net::DNS::Resolver object corresponding to # this socket. my $ip = $state{$sock}{ip}; my $dns = $state{$sock}{dns}; my $packet = $dns->bgread($sock); # If there's an immediate failure then the packet will be undef. The packet # might also be empty. Both of those are okay, but if there i any sort of # response other than that then it's probably an open resolver. if (defined $packet and $packet->answer) { print "!!! Got answer from $ip - possible open resolver!\n"; $packet->print if ($verbose); } else { logger("No answer from $ip") if ($verbose); } # Delete from state now we're finished with this socket. $state{$sock}{dns} = undef; delete $state{$sock}; return $packet; } sub logger { my ($msg) = @_; print STDERR "# ", scalar gmtime(), "| $msg\n"; } # Check that the FQDN that we're going to query is actually visible on the # Internet, otherwise this will be a waste of time. sub sanity_check { my ($fqdn) = @_; my $dns = Net::DNS::Resolver->new; my $query = $dns->search($fqdn, 'A'); return $query; } __END__ =pod =head1 NAME find_open_resolvers.pl -- Finds open DNS resolvers inside a given IP range =head1 SYNOPSIS find_open_resolvers.pl [options] [IP range] Options: --queries simultaneous queries to perform (100) --retries number of retries of DNS query (2) --timeout timeout for DNS query in seconds (1) --fqdn Fully Qualified Domain Name to query for (www.xyzzy.net) --verbose be verbose --help display brief help --man display full man page IP range Range of IPv4 or v6 addresses =head1 OPTIONS =over 4 =item B<IP range> B<Required>. Range of IPv4 or IPv6 addresses to check for open resolvers. Will iterate through them one by one. Accepts: =over 4 =item * A single address (192.168.0.1) =item * A CIDR range (192.68.0.0/24) =item * A range, enclosed in quotes, specifying start to finish ('192.168.0.4 - 192.168.1.2') =back =item B<-q>, B<--queries> How many simultaneous DNS queries to be working on at any one time. Defaults to 100. =item B<-r>, B<--retries> Number of retries to perform for each DNS query in the event of no response. Defaults to 2. =item B<-t>, B<--timeout> How long in seconds to wait for a response from each DNS query. Defaults to 1. =item B<-f>, B<--fqdn> Fully Qualified Domain Name (i.e., a host name) to query for. Should be something that no IP address is likely to be an authoritative DNS server for. Defaults to 'www.xyzzy.net'. =item B<-v>, B<--verbose> Operate verbosely. =item B<-h>, B<-?>, B<--help> Display a brief help message. =item B<--man> Display documentation in manual page format. =back =head1 DESCRIPTION Pings off a bunch of DNS queries against every IP address in the specified range in order to see if any of them are likely to be open DNS resolvers. Every IP address in the range is tested in batches of (by default) 100 in a select loop. Testing large ranges may take a very long time. By default this queries for the FQDN 'www.xyzzy.net' which is an arbitrary choice that is unlikely to be authoritatively served by any target IP. Should a target IP return actual results for this FQDN then it is likely to be an open recursive resolver. If 'www.xyzzy.net' no longer exists in the global DNS then you may wish to specify another FQDN. =head1 AUTHOR Andy Smith <andy@bitfolk.com> =head1 COPYRIGHT AND LICENSE Copyright © 2012-2013 Andy Smith <andy@bitfolk.com>. This program is free software; you can redistribute it and/or modify it under the terms of the Perl Artistic License. =cut

Using the default 100 concurrent queries it scans a /21 in about 80 seconds (YMMV depending upon how many hosts you have that firewall 53/UDP). That scales sort of linearly with how many you do, so using -q 200 for example will cut that down to about 40 seconds. It’s only a select loop though so it’ll use more CPU if you do that.

Two things I’ve noticed since:

It doesn’t handle failing to create a socket with bgsend so for example if you run up against your limit of file descriptors (commonly ~1024 on Linux) the whole thing will get stuck at 100% CPU.
One person reporting a similar situation (bgsend fails, stuck at 100% CPU) when they allowed it to try to send to a broadcast address. I haven’t been ale to replicate that one yet.

M	T	W	T	F	S	S
« Nov				Jul »
	1	2	3	4	5	6
7	8	9	10	11	12	13
14	15	16	17	18	19	20
21	22	23	24	25	26	27
28	29	30	31

The ongoing struggle

I'll get there one day.

Month: January 2013

If you think suicide is weak or shameful, you just don’t understand

Scanning for open recursive DNS resolvers