Thursday, December 31, 2020

Using yabgp for Blackhole injection

In this post I will demo a simple blackhole injection where a yabgp process sends a /32 host route to be blackholed (remotely triggered blackhole, RTBH).


The Junos device is set to accept only /32 routes, and only when they carry the BGP community 2:666. Matching routes are installed with a discard next hop and a very high local preference; anything else from this peer is rejected by the final term. (The export policy DENY referenced below is not shown in this post; it should reject everything so the SRX advertises nothing back to the injector.)


set protocols bgp group yabgp import IMPORT_RTBH
set protocols bgp group yabgp export DENY
set protocols bgp group yabgp peer-as 65101
set protocols bgp group yabgp neighbor 192.168.1.108

set policy-options policy-statement IMPORT_RTBH term 1 from community BLACKHOLE
set policy-options policy-statement IMPORT_RTBH term 1 from route-filter 0.0.0.0/0 prefix-length-range /32-/32
set policy-options policy-statement IMPORT_RTBH term 1 then local-preference 999
set policy-options policy-statement IMPORT_RTBH term 1 then next-hop discard
set policy-options policy-statement IMPORT_RTBH term 1 then accept
set policy-options policy-statement IMPORT_RTBH term 999 then reject

set policy-options community BLACKHOLE members 2:666


First, start yabgpd so it establishes a BGP session from local AS 65101 to our Junos SRX (AS 2 at 192.168.1.99), with the REST API listening on port 8888:

yabgpd --bgp-remote_as 2 --bgp-local_as 65101 --bgp-remote_addr 192.168.1.99 --rest-bind_port 8888 --verbose


Now, with a simple JSON body POSTed to the REST API, we can push route advertisements, withdraws and route refreshes.

e.g. API entry  /v1/peer/x.x.x.x/send/update





sock:~ kfelix$ curl -X POST -d @advertise.json_file  -u admin:admin -H "Content-Type: application/json" http://127.0.0.1:8888/v1/peer/192.168.1.99/send/update

{"status":true}



You can also withdraw routes, through the same API entry with a withdraw body:

e.g. API entry  /v1/peer/x.x.x.x/send/update



sock:~ kfelix$ curl -X POST -d @withdraw.json_file  -u admin:admin -H "Content-Type: application/json" http://127.0.0.1:8888/v1/peer/192.168.1.99/send/update

{"status":true}


For a route refresh you have the following API entry:

e.g. API entry  /v1/peer/x.x.x.x/send/route-refresh






sock:~ kfelix$ curl -X POST -d @rrr.json_file  -u admin:admin -H "Content-Type: application/json" http://127.0.0.1:8888/v1/peer/192.168.1.99/send/route-refresh

{"status":true}
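The JSON bodies behind those three curl calls (advertise.json_file, withdraw.json_file, rrr.json_file) are not shown above. Here is an added example, not code from this post or from the yabgp project, of a small Python 3 injector client that builds those bodies and sends them to the same URL, peer and basic-auth credentials the curl commands use. The body layout (path attributes keyed by their BGP type code, a "withdraw" list, and afi/safi for route refresh) follows the yabgp REST documentation as I know it and should be checked against your yabgp version; the addresses and AS numbers are the ones from this post, and the victim address 203.0.113.7 is a constructed example. The client also refuses anything that is not an IPv4 /32, because the SRX policy above would silently reject a wider prefix.

```python
"""Added example: a small RTBH injector client for the yabgp REST API.

Not code from the post or the yabgp project. Assumes the listener from the
post (127.0.0.1:8888, basic auth admin:admin, peer 192.168.1.99, local AS
65101, next hop 192.168.1.108) and the yabgp JSON body layout for
/send/update and /send/route-refresh as documented by the project; verify
the layout against your yabgp version before relying on it.
"""
import base64
import ipaddress
import json
import urllib.request

YABGP_URL = "http://127.0.0.1:8888"      # --rest-bind_port 8888 in the post
PEER = "192.168.1.99"                     # the SRX, --bgp-remote_addr in the post
LOCAL_AS = 65101                          # --bgp-local_as in the post
NEXT_HOP = "192.168.1.108"                # the yabgp host, 'neighbor' on the SRX
BLACKHOLE_COMMUNITY = "2:666"             # policy-options community BLACKHOLE on the SRX


def host_route(target):
    """Normalise a target to an IPv4 /32 string, refusing anything wider.

    The SRX import policy accepts prefix-length-range /32-/32 only and term 999
    silently rejects the rest, so a /24 sent by mistake would simply vanish;
    fail loudly on the injector side instead.
    """
    net = ipaddress.ip_network(target, strict=True)
    if net.version != 4 or net.prefixlen != 32:
        raise ValueError(f"RTBH injection needs an IPv4 /32, got {net}")
    return str(net)


def is_host_route(target):
    """True when host_route() would accept the target."""
    try:
        host_route(target)
    except ValueError:
        return False
    return True


def build_advertise(targets):
    """Body for POST /v1/peer/<peer>/send/update announcing blackhole routes.

    Attribute keys are BGP path attribute type codes: 1 ORIGIN (0 = IGP),
    2 AS_PATH (list of [segment type, [ASNs]], 2 = AS_SEQUENCE), 3 NEXT_HOP,
    8 COMMUNITY. Only routes tagged 2:666 pass IMPORT_RTBH on the SRX.
    """
    return {
        "attr": {
            "1": 0,
            "2": [[2, [LOCAL_AS]]],
            "3": NEXT_HOP,                  # the SRX rewrites this to discard on import
            "8": [BLACKHOLE_COMMUNITY],
        },
        "nlri": [host_route(t) for t in targets],
    }


def build_withdraw(targets):
    """Body for the same /send/update entry that withdraws the host routes."""
    return {"withdraw": [host_route(t) for t in targets]}


def build_route_refresh(afi=1, safi=1):
    """Body for POST /v1/peer/<peer>/send/route-refresh (IPv4 unicast by default)."""
    return {"afi": afi, "safi": safi}


def api_request(action, body, user="admin", password="admin"):
    """Build the authenticated POST that the post's curl commands send by hand."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(
        f"{YABGP_URL}/v1/peer/{PEER}/send/{action}",
        data=json.dumps(body).encode(),
        method="POST",
    )
    req.add_header("Content-Type", "application/json")
    req.add_header("Authorization", f"Basic {token}")
    return req


def send(req):
    """POST to yabgp on loopback (no proxy) and return the parsed reply, e.g. {"status": true}."""
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))
    with opener.open(req, timeout=5) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Blackhole one host, withdraw it again, then ask the SRX for a route refresh.
    victim = ["203.0.113.7"]                # constructed example address
    print(send(api_request("update", build_advertise(victim))))
    print(send(api_request("update", build_withdraw(victim))))
    print(send(api_request("route-refresh", build_route_refresh())))
```

Keep the REST listener on loopback as in the post: anyone who can POST to it can blackhole any /32 the SRX accepts, and the basic-auth credentials travel in clear text over HTTP.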



So with an open source BGP daemon you can easily build a route injector for RTBH and drop traffic deemed malicious.







Ken Felix 

NSE ( network security expert) and Route/Switching Engineer
kfelix  -----a----t---- socpuppets ---dot---com
     ^      ^
=(  @  @ )=
         o

        /  \


Thursday, December 24, 2020

fortios bgp route-maps do not work 100% as configured for BGP

I've been studying an issue in a BGP update message that's sent from FortiOS 6.2.x to a Juniper SRX. What I've noticed is the following:

1: The configured route-map metric value is being ignored.


2: A new update message is sent at 1+ min and it somehow decreases the metric, with no reason or logic why. Here's a snippet of a BGP UPDATE message 5 min after the above screenshot was taken:


3: So the configured route-map values are not being honored in the FortiOS configuration. At first I thought it had to be related to the origin type, but that is not the case, since EGP, IGP and INC all behave the same.

4: The value received in the UPDATE does not make any sense or follow a set pattern from my monitoring. And yes, I've been studying this behavior for 2+ years and across multiple FortiOS versions.






So it looks like I might have to re-engage Fortinet support on why the received metric is not matching the configured value, and also why the metric is counting down, or why it is sporadic in value compared to what is configured.



Just a tip: as the metric is being updated, the route age is reset back to zero.


With one of the peers shut down, I still have the same behavior where the FortiOS configured metric is not being honored.







The pcaps were also taken to show the decrement of the metric versus the configured route-map.





More to come, and I hope FTNT support can identify this behavior and give a solid answer.
















Monday, December 7, 2020

HOWTO run iperf client from fortigates

FortiOS has a built-in iperf server/client. The documentation does not clearly tell you how to set up a test session.


First identify the iperf server you want to test against, e.g. one of the public iperf3 servers (in my test I'm using scottlinux.com):

iperf.scottlinux.com
5201 TCP/UDP


Now use the diag traffictest show command to see which interfaces are defined, the protocol and the TCP/UDP port number. Then set your criteria (client interface, port and protocol) for the interface you are going to use, using the same diag traffictest keywords that appear in the show output;



You can run these tests for a long time; just keep in mind that you should do this during low-bandwidth periods. Use UDP if you want to avoid TCP window-size and buffering issues, provided the iperf server supports it.


This is a connectivity test using UDP (proto 1 = UDP):

brooklyn01 # diag traffictest proto 1
proto:  UDP

brooklyn01 # diag traffictest show
server-intf:    wan1
client-intf:    wan1
port:   5201
proto:  UDP

 
brooklyn01 # diag traffictest run -c 177.125.27.122
Connecting to host 177.125.27.122, port 5201
[  9] local 182.xx.xx.111 port 15859 connected to 177.125.27.122 port 5201
[ ID] Interval           Transfer     Bandwidth       Total Datagrams
[  9]   0.00-1.02   sec   120 KBytes   966 Kbits/sec  15
[  9]   1.02-2.02   sec   128 KBytes  1.05 Mbits/sec  16
[  9]   2.02-3.02   sec   128 KBytes  1.05 Mbits/sec  16
[  9]   3.02-4.02   sec   128 KBytes  1.05 Mbits/sec  16
[  9]   4.02-5.02   sec   128 KBytes  1.05 Mbits/sec  16
[  9]   5.02-6.02   sec   128 KBytes  1.05 Mbits/sec  16
[  9]   6.02-7.02   sec   128 KBytes  1.05 Mbits/sec  16
[  9]   7.02-8.02   sec   128 KBytes  1.05 Mbits/sec  16
[  9]   8.02-9.02   sec   128 KBytes  1.05 Mbits/sec  16
[  9]   9.02-10.02  sec   128 KBytes  1.05 Mbits/sec  16
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval           Transfer     Bandwidth       Jitter    Lost/Total Datagrams
[  9]   0.00-10.02  sec  1.24 MBytes  1.04 Mbits/sec  0.092 ms  1/159 (0.63%)
[  9] Sent 159 datagrams








Wednesday, December 2, 2020

Running a python3 http and ftp-server

When working in an all-Windows environment, you will sometimes find you need to upload or download a config file to a device via FTP or HTTP. If you have Python 3 installed, these two examples show you how to run a local HTTP and FTP server on your Windows host.

First you need to install the module pyftpdlib (it is not part of the standard library).




Once you have installed it, you can run the FTP server in anonymous mode




or set a user and password if you want to require authentication.




For HTTP, Python ships the http.server module; each HTTP request it handles is logged to the console together with its status code.



The example at the link below is the older Python 2.x version:


https://socpuppet.blogspot.com/2017/01/python-http-server.html
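The screenshots of the server commands did not survive on this page. As an added example, not the post's own code, here is a Python 3 script that does both jobs from one file: an http.server instance that serves a single directory and logs every request with its status code, and a pyftpdlib FTP server that is either anonymous read-only or a single user with a password. The directory name xfer, the loopback bind address and the ports 8000/2121 are my assumptions; the pyftpdlib classes (DummyAuthorizer, FTPHandler, FTPServer) are the library's documented API, imported only when the FTP server is built so the HTTP part works without the module; the config text used by the smoke test is constructed.

```python
"""Added example: local HTTP and FTP servers for moving config files.

Not the post's own code. Assumptions: served directory ./xfer, bind address
127.0.0.1, ports 8000 (HTTP) and 2121 (FTP). pyftpdlib must be installed
separately for the FTP part; it is imported lazily inside make_ftp_server().
"""
import functools
import http.server
import pathlib
import tempfile
import threading
import urllib.error
import urllib.request
from http import HTTPStatus


class LoggingHandler(http.server.SimpleHTTPRequestHandler):
    """Serve one directory (never the whole filesystem) and log status codes."""

    def log_request(self, code="-", size="-"):
        # Log the request line plus the numeric status, so a device's failed
        # fetch (404, 403) is obvious in the console.
        if isinstance(code, HTTPStatus):
            code = code.value
        self.log_message('"%s" %s %s', self.requestline, code, size)


def start_http_server(directory, bind="127.0.0.1", port=8000):
    """Start an HTTP file server in a background thread and return it.

    port=0 asks the OS for a free port; read it back from server.server_address.
    """
    handler = functools.partial(LoggingHandler, directory=str(directory))
    server = http.server.ThreadingHTTPServer((bind, port), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def make_ftp_server(directory, bind="127.0.0.1", port=2121, user=None, password=None):
    """Build a pyftpdlib FTPServer; call .serve_forever() on the result.

    Anonymous and read-only when no user is given, otherwise one user who may
    list, read and write inside `directory`. pyftpdlib permission letters:
    e = cd, l = list, r = retrieve, a = append, d = delete, f = rename,
    m = mkdir, w = store.
    """
    from pyftpdlib.authorizers import DummyAuthorizer
    from pyftpdlib.handlers import FTPHandler
    from pyftpdlib.servers import FTPServer

    authorizer = DummyAuthorizer()
    if user:
        authorizer.add_user(user, password, str(directory), perm="elradfmw")
    else:
        authorizer.add_anonymous(str(directory), perm="elr")
    FTPHandler.authorizer = authorizer
    FTPHandler.passive_ports = range(60000, 60010)   # small range to allow through a host firewall
    return FTPServer((bind, port), FTPHandler)


def fetch(url):
    """GET a URL directly (no proxy) and return (status code, body text)."""
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))
    try:
        with opener.open(url, timeout=5) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode()


def http_roundtrip_check():
    """Smoke test before pointing a device at the server: serve a throwaway
    config from a temp dir on an ephemeral loopback port, fetch it and a
    missing file, and return (status for the file, status for the missing
    file, whether the body came back unchanged)."""
    with tempfile.TemporaryDirectory() as tmp:
        body = "config system global\n    set hostname brooklyn01\nend\n"  # constructed sample
        pathlib.Path(tmp, "fw.conf").write_text(body)
        server = start_http_server(tmp, "127.0.0.1", 0)
        try:
            base = "http://127.0.0.1:%d" % server.server_address[1]
            ok_status, got = fetch(base + "/fw.conf")
            missing_status, _ = fetch(base + "/nothere.conf")
        finally:
            server.shutdown()
            server.server_close()
    return ok_status, missing_status, got == body


if __name__ == "__main__":
    xfer = pathlib.Path("xfer")
    xfer.mkdir(exist_ok=True)
    print("http: serving", xfer.resolve(), "on http://127.0.0.1:8000/")
    start_http_server(xfer, "127.0.0.1", 8000)
    print("ftp: anonymous read-only on 127.0.0.1:2121")
    make_ftp_server(xfer).serve_forever()
```

For real use, bind to the address the device can actually reach rather than 127.0.0.1, serve a dedicated directory rather than your home directory, and stop the server once the transfer is done; both protocols are clear text, so this belongs on a lab or management network, not on the internet.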





Tuesday, December 1, 2020

junos SRX protect the junos config via slax script

Here's a simple SLAX commit script that expects a minimum set of Junos config items. If any of these items is missing, the commit fails.

This helps if someone does an accidental "delete" from a top-level hierarchy. It is good practice if you have numerous admins and do not want them to delete critical parts of the Junos configuration. You add the parts of the configuration that must be present, and the script only runs once it is placed in the commit-scripts directory and enabled under [edit system scripts commit].


kfelix@HOMESRX> file show protection.slax

version 1.0;

ns junos = "http://xml.juniper.net/junos/*/junos";
ns xnm = "http://xml.juniper.net/xnm/1.1/xnm";
ns jcs = "http://xml.juniper.net/junos/commit-scripts/1.0";

import "../import/junos.xsl";

param $user;

/* Alert on missing or unwanted configuration */
match configuration {

    /* lo0 must carry an IPv4 address and must not be disabled */
    call error-if-missing($must = interfaces/interface[name == "lo0"]/unit[name == "0"]/family/inet/address, $statement = "interfaces lo0 unit 0 family inet address");
    call error-if-present($must = interfaces/interface[name == "lo0"]/disable | interfaces/interface[name == "lo0"]/unit[name == "0"]/disable);

    /* never allow the default security policy to become permit-all */
    call error-if-present($must = security/policies/default-policy/permit-all) {
        with $message = {
            expr $user;
            expr ", we do not want to enable permit-all. This overrides the default action of a firewall, which is to implicitly deny all traffic unless permitted.";
        }
    }

    /* check for my mandatory admin users */
    call error-if-missing($must = system/login/user[name == "fwadmin1"], $statement = "missing a critical local admin account");
    call error-if-missing($must = system/login/user[name == "fsocadmin1"], $statement = "missing a critical local admin account");

    /* check for system syslog */
    call error-if-missing($must = system/syslog, $statement = "missing syslog config");

    /* check for routing protocols and the lo0 IPv6 address */
    call error-if-missing($must = protocols/bgp, $statement = "protocols bgp");
    call error-if-missing($must = protocols/ospf, $statement = "protocols ospf");
    call error-if-missing($must = protocols/ospf3, $statement = "protocols ospf3");
    call error-if-missing($must = interfaces/interface[name == "lo0"]/unit[name == "0"]/family/inet6/address, $statement = "interfaces lo0 unit 0 family inet6 address");

    call error-if-missing($must = routing-options, $statement = "[edit routing-options]") {
        with $message = {
            expr "The [edit routing-options] is missing !!! ";
        }
    }
}

/* Raise a commit error when the node-set in $must is empty */
template error-if-missing ($must, $statement = "unknown", $message = "missing mandatory configuration statement") {
    if (not($must)) {
        <xnm:error> {
            <edit-path> {
                copy-of $statement;
            }
            <message> {
                copy-of $message;
            }
        }
    }
}

/* Raise a commit error for every node in $must that does exist */
template error-if-present ($must = 1, $message = "invalid configuration statement") {
    for-each ($must) {
        <xnm:error> {
            call jcs:edit-path();
            call jcs:statement();
            <message> {
                copy-of $message;
            }
        }
    }
}


You just add the critical parts you expect to be present in the SRX firewall to the checks, then give it a test run with commit check:


kfelix@HOMESRX> configure
Entering configuration mode

[edit]
kfelix@HOMESRX# delete routing-options

[edit]
kfelix@HOMESRX# commit check
[edit routing-options]
  The [edit routing-options] is missing !!!
error: 1 error reported by commit scripts
error: commit script failure

[edit]




