In the age of the Internet, there’s no point in deleting embarrassing content from past. For better or worse it will live on forever. Therefore, instead of deleting all the posts I’m just gonna keep them around for purely nostalgic reasons along with this disclaimer.

I do not blog anymore. I still write occasionally on Quora but I gradually have much lesser stuff to say and much fewer things to feel strongly about.

To those who I have offended in the past with my crass words or behavior, I apologize.

Somehow, my busted knee, still-recovering-from-a-tear quad muscle and I all managed to crawl across the line at 26.2 miles.

“The marathon can humble you”. — Bill Rodgers

Anyways, this time I’ve tried to keep track of the changes I’ve been making along the way. The full set of updated Makefiles and patches is maintained in the openwrt-bro repo. Also, the compiled ipk packages for Atheros and Lantiq routers are available on the release page.

Now that I have a reasonably updated Buildroot on my system and an organized set of patches, feel free to request an ipk package for your router. While I can’t guarantee that the clusterfuck of patches will compile smoothly for your platform, I’ll still give it a try.

I had created an updated version of the port which I hadn’t posted on the blog. Digging in my archived files I finally found it today along with its sources:

• openwrt-bro-2.3.1.tar.gz
• bro_2.3.1-1_ar71xx.ipk

Word of caution though, my notes indicate that one of the default scripts was leaking memory and I never got around to figuring out which one. The workaround was to launch Bro in barebone mode with -b switch, which would prevent loading of default scripts.

# cat test.bro

event bro_init()
{
	print "Hello World!";
}

event new_connection(c: connection)
{
	print "New connection created";
}

# bro test.bro

Hello World!

# bro -C -b -i br-lan test.bro

Hello World!
New connection created
New connection created

If someone has cycles to spend and figure out which default script is leaking memory we can update the package to address the bug.

Title: Rapid and Scalable ISP Service Delivery through a Programmable MiddleBox

Abstract: With only access billing no longer ensuring profits, an ISP’s growth now relies on rolling out new and differentiated services. However, ISPs currently do not have a well-defined architecture for rapid, cost-effective, and scalable dissemination of new services. We present iSDF, a new SDN-enabled framework that can meet an ISP’s service delivery constraints concerning cost, scalability, deployment flexibility, and operational ease. We show that meeting these constraints necessitates an SDN philosophy for a centralized management plane, a decoupled (from data) control plane, and a programmable data plane at customer premises. We present an ISP service delivery framework (iSDF) that provides ISPs a domain-specific API for network function virtualization by leveraging a programmable middlebox built from commodity home-routers. It also includes an application server to disseminate, configure, and update ISP services. We develop and report results for three diverse ISP applications that demonstrate the practicality and flexibility of iSDF, namely distributed VPN (control plane decisions), pay-per-site (rapid deployment), and BitTorrent blocking (data plane processing).

Published in: ACM SIGCOMM Computer Communication Review (Volume 44 Issue 3, July 2014)

Combined with the paper in IEEE COMST about botnet detection that was published last year, this yields a grand-total of 2 publications more than I thought would ever bear my name. In any case, my former colleagues are continuing their excellent work on the project which can be tracked at the iSDF wiki-page.

• Understanding Cryptography by Christof Paar
• Practical Common Lisp by Peter Seibel (also available as a free eBook)

To ramp-up on both subjects with one shot I wrote an implementation of Elliptic Curve Crypto in Lisp. So far, it does EC versions of Diffie-Hellman, ElGamal and DSA. Some rudimentary testing was performed using the NIST-P192 curve and its corresponding ECDSA test vectors.

The package is available at GitHub in the krkhan/cl-ecc repository. Here’s a quick snippet of what the code looks like:

(defconstant *p17-curve*
  (make-instance
    'Curve
    :a 2
    :b 2
    :p 17
    :g (make-instance
         'Point
         :x 5
         :y 1)
    :n 19))

And an ECDSA with this curve:

(def-positive-test test-ecdsa ()
  (let* ((c *p17-curve*)
         (bob-priv 3)
         (bob-pub (ecdh-gen-pub c bob-priv))
         (msghash 8)
         (k 7)
         (sig (ecdsa-gen-sig c msghash bob-priv k)))
    (assert (sig-equalp sig (make-instance 'ECDSASig :r 0 :s 12)))
    (ecdsa-verify-sig c msghash sig bob-pub)))

As a disclaimer — even though I know no one would be stupid enough to do so — please do not use this code in a production environment. It was written for recreational purposes by a hobbyist who is bad with cryptography and even worse with Lisp. On the other hand, if you have any suggestions/patches, feel free to create an issue/pull-request on GitHub.

There are three parts to the process:

The bash script

First, a script which:

1. Constructs and adds the iptables rule to the FORWARD chain.
2. Constructs the corresponding deletion rule.
3. Creates a temporary bash script, writes the rule to it, makes the new script self-deleting.
4. Schedules a launch of the temporary script with at command.

Here’s the script:

#!/bin/sh

if [ $# -le 5 ] ; then
  echo "usage: $0 proto src sport dst dport timeout"
  exit 1
fi

proto=$1
src=$2
sport=$3
dest=$4
dport=$5
timeout=$6

echo "  proto: $1"
echo "    src: $2"
echo "  sport: $3"
echo "   dest: $4"
echo "  dport: $5"
echo "timeout: $6"

rule=""

if [ "$proto" != "any" ]; then
  rule="$rule --protocol $proto"
fi

if [ "$src" != "0.0.0.0" ]; then
  rule="$rule --source $src"
fi

if [ "$sport" != "0" ]; then
  rule="$rule --sport $sport"
fi

if [ "$dest" != "0.0.0.0" ]; then
  rule="$rule --destination $dest"
fi

if [ "$dport" != "0" ]; then
  rule="$rule --dport $dport"
fi

rule="$rule -j DROP"

echo "rule: $rule"

addcmd="iptables -I FORWARD $rule"
delcmd="iptables -D FORWARD $rule"

delscript=`mktemp`
echo "delscript: $delscript"

echo "#!/bin/sh" >>$delscript
echo $delcmd >>$delscript
echo "rm \"${delscript}\"" >>$delscript
chmod 755 $delscript

echo "adding iptable rule:"
echo $addcmd
`$addcmd`

atcmd="at -M -f $delscript now + $timeout min"
echo "creating at job for deletion:"
echo $atcmd
`$atcmd`

Given below is an example run. First, let’s print the default FORWARD chain:

# iptables -nL FORWARD

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             10.42.0.0/24         state RELATED,ESTABLISHED
ACCEPT     all  --  10.42.0.0/24         anywhere            
ACCEPT     all  --  anywhere             anywhere            
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable
REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited

Block a flow for 2 minutes:

# sh blockflow.sh tcp 50.50.50.50 50 60.60.60.60 60 2

  proto: tcp
    src: 50.50.50.50
  sport: 50
   dest: 60.60.60.60
  dport: 60
timeout: 2
rule:  --protocol tcp --source 50.50.50.50 --sport 50 --destination 60.60.60.60 --dport 60 -j DROP
delscript: /tmp/tmp.SAREJvtsK0
adding iptable rule:
iptables -I FORWARD --protocol tcp --source 50.50.50.50 --sport 50 --destination 60.60.60.60 --dport 60 -j DROP
creating at job for deletion:
at -M -f /tmp/tmp.SAREJvtsK0 now + 2 min
job 79 at Sun Jun 30 14:37:00 2013

Let’s check if the new rule was added:

# iptables -nL FORWARD

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
DROP       tcp  --  50.50.50.50          60.60.60.60          tcp spt:50 dpt:60
ACCEPT     all  --  anywhere             10.42.0.0/24         state RELATED,ESTABLISHED
ACCEPT     all  --  10.42.0.0/24         anywhere            
ACCEPT     all  --  anywhere             anywhere            
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable
REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited

After 2 minutes, the temporary bash script shall remove the rule and then delete itself. To confirm:

# iptables -nL FORWARD

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             10.42.0.0/24         state RELATED,ESTABLISHED
ACCEPT     all  --  10.42.0.0/24         anywhere            
ACCEPT     all  --  anywhere             anywhere            
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable
REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited

The Bro module

A simple module which exports just one function, i.e., BlockFlow::block which takes a conn_id and a count and calls the bash script with appropriate parameters:

module BlockFlow;

export {
  global block: function(id: conn_id, t: count);
}

function block(id: conn_id, t: count)
{
  print fmt("blocking %s:%d -> %s:%d for %d minutes", id$orig_h, id$orig_p, id$resp_h, id$resp_p, t);

  local protocol = get_port_transport_proto(id$resp_p);
  print fmt("protocol is: %s", protocol);

  local cmd: string = fmt("sh blockflow.sh %s %s %d %s %d %d", protocol
                                                             , id$orig_h, id$orig_p
                                                             , id$resp_h, id$resp_p, t);
  print fmt("executing: %s", cmd);
  system(cmd);
}

Bro module usage

And finally, using the module from a Bro script:

@load ./blockflow

event bro_init()
  {
    local id: conn_id;
    id$orig_h = 10.10.10.10;
    id$orig_p = 10/tcp;
    id$resp_h = 20.20.20.20;
    id$resp_p = 20/tcp;
    BlockFlow::block(id, 2);
  }

And the flow will be blocked for 2 minutes. Unfortunately, due to the way at command works the granularity of timeouts is limited to minutes. If you really want to block flows for only a few seconds a quick solution would be to use sleep in place of at before expiring the rule.

The OpenWRT OS was chosen as the target platform. Its SDK contained a cross-compile toolchain for CMake projects. However, during the compilation Bro tried to run the binpac and bifcl executables for processing intermediate files. The executables refused to run on the build platform if the target platform architecture was different (mostly the case, e.g., we were building on x86-64 and target was arm).

The (not-so-pretty ) workaround we used was to build Bro twice. Once for the host, and once for the target. The CMake files were then patched to first generate binpac and bifcl binaries if they weren’t provided and then use the provided binaries if they were defined at make time. The first compile generated the binaries on x86-64 and the second compile (for arm) used the earlier binaries to process the bif files.

The Makefile and patches are available in this tarball: openwrt-bro.tar.gz, while the compiled ipk package is also available for installation. Here is a test execution of Bro on OpenWRT:

# bro –v

bro version 2.0

# cat test.bro

event bro_init()
{
	print "Hello World!";
}

event new_connection(c: connection)
{
	print "New connection created";
}

# bro test.bro

Hello World!

# bro -i br-lan test.bro

Hello World!
New connection created
New connection created

# ls

conn.log           notice_policy.log  reporter.log       weird.log
dns.log            packet_filter.log  test.bro

A heap of thanks to Zaafar for dealing with my messy code and providing the links to hosted files :) !

However, open-source is out there and every once a while you’re bound to stumble across gems that make life easier (and fun) no matter which line of work you are in and that’s exactly what happened to me today. Let me admit first, I have a fetish for multiple screens. If it was up to me I would have a circle of screens and sit inside them all day long, just to make revolving chairs lot more exciting. Take that, 3D!

Anyways, the issue with multiple screens is not only having enough video outputs on your graphic card(s), but also the sharing of resources. I want three different machines with different processors, hard-disks, heck even different operating systems to share their I/O devices. One option would be the KVM switches, but that would restrict me to only one “active” machine at a time, plus the switching button is too much of a hindrance in the work flow. Aristotle famously claimed that the whole is greater than the sum of its parts, then cometh Synergy:

(Click on the thumbnail for larger version.)

Three different machines sharing the keyboard, mouse and clipboard across five different screens and it even works across different platforms! Granted, there are some issues with the configuration which you have to take care about (especially on Windows 7+ platforms with UAC) but once it gets going it becomes one of those cute plus practical toys that make you wonder how you ever lived without them.