I’ve overseen the installation of two Mitsubishi 9900-series UPS systems. In the US, Mitsubishi Electric Power Products, Inc (MEPPI) sells the systems. I believe that in other parts of the world, Toshiba sells the same UPS systems as the G9000-series through their TMEIC joint venture with Mitsubishi. We use the optional external “NetCom 2” SNMP modules to monitor the MEPPI UPS systems using our internal management systems. Finding the correct MIB to use proved to be a challenge!

Continue reading

Using (Abusing?) AWK For Rudimentary DoS Detection

sFlow(R)InMon’s sflowtool comes with an sample script, ipTopTalkers that uses awk to provide a list of toptalkers based on sflow sampled packets. All I’ve done here is build on their ipTopTalkers sample code to find which addresses are receiving >10,000 pps or >80 Mb/s, and send that information to a log file and reporting-script (not shown).

Converting the binary sflow feed to text, then piping it through awk to do basic math and sorting functions, is not exactly the most elegent solution. But hey, it works!

#!/usr/bin/mawk-cur -f

# ALK 2013-01-10
# for performance reasons, mawk is preferred to gawk
# newer versions of mawk include things like strftime that tradionally had been
# gawk-only features. code and builds of mawk-cur (cutting edge) can be found at:
# (the features of mawk-cur aren't available in official debian packages of mawk)
# based on ipTopTalkers from InMon:
# Copyright (c) 2001 InMon Corp. Licensed under the terms of the InMon sFlow licence:

# usage: sflowtool | DoSTargets

  lastInt = 0;
  report = "tee -a /var/log/ddos-report.log |";
  interval = 60; #1 minute window
  BPSthreshold = 83886080; # alert threshold in bits per second i.e. 80 Mb/s
  PPSthreshold = 10000; # alert threshold in packets per second i.e 10kpps
  currentInt = $2 - ($2 % interval);
  if(currentInt != lastInt) {
    for(i = 1; i < = 1000; i++) { # consider up to 1000 simultaneous targets
      BPSmaxCount = 0;
      BPSmaxKey = "";
      for(BPSkey in BPScount) {
        if(BPScount[BPSkey] > BPSmaxCount) {
          BPSmaxCount = BPScount[BPSkey];
          BPSmaxKey = BPSkey;
      if(BPSmaxCount > (BPSthreshold * interval)) printf("%d %s %d %s", strftime("%s", lastInt), BPSmaxKey, sprintf("%d",(BPSmaxCount/1024/1024/interval)),"mbps\n") | report;
      delete BPScount[BPSmaxKey];

      PPSmaxCount = 0;
      PPSmaxKey = "";
      for(PPSkey in PPScount) {
        if(PPScount[PPSkey] > PPSmaxCount) {
          PPSmaxCount = PPScount[PPSkey];
          PPSmaxKey = PPSkey;
      if(PPSmaxCount > (PPSthreshold * interval)) printf("%d %s %d %s", strftime("%s", lastInt), PPSmaxKey, sprintf("%d",(PPSmaxCount/interval)),"pps\n") | report;
      delete PPScount[PPSmaxKey];
    fflush(stdout); # write out stdout buffer
    close(report); # send the alert email
    lastInt = currentInt;
    delete BPScount;
    delete PPScount;
/meanSkipCount/{ samplingInterval = $2; }
/sampledPacketSize/{ sampledPacketSize = $2; } 
/dstIP/{ BPScount[$2] = BPScount[$2] + ( samplingInterval * sampledPacketSize * 8); PPScount[$2] = PPScount[$2] + samplingInterval; }

U-Turn: Reverse Traceroute Using Scapy

Thug means never having to say you're sorry..

I’ve always wanted to write a reverse-traceroute system. However, writing my own Linux NetFilter module was daunting – I’m not a C programmer, let alone a kernel hacker. Then I came across Scapy.

While intercepting and mangling the packets in userspace does add some artificial latency, it is a good proof-of-concept. And of course, it supports both IPv4 and IPv6:

Continue reading