Border Gateway Protocol
Running an AS
Getting an ASN
- BGP Design and Implementation (Cisco Press)
- BGP Table Growth
- Internet Peering Playbook
- Should I Block ICMP?
list listening ports
Alarm when ping is successful
ping -i 60 -a IP_address
get external ip
curl ipecho.net/plain
curl ifconfig.me
IPv4 - subnetting
| First bits of address | Default mask | First octet (decimal) |
| --- | --- | --- |
| 0 x x x | 8 bits long (class A) | < 128 |
| 1 0 x x | 16 bits long (class B) | 128-191 |
| 1 1 0 x | 24 bits long (class C) | 192-223 |
| 1 1 1 0 | multicast (class D) | 224-239 |
| 1 1 1 1 | reserved (class E) | 240-255 |
Link local: FE80::/10
Site local: FEC0::/10 (deprecated by RFC 3879; use unique local addresses, FC00::/7, instead)
Reverse DNS (ip6.arpa) is delegated on nibble (4-bit) boundaries: one label per hex digit, least significant first
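Added example (not from the original notes): the class test is done on the leading bits of the first octet exactly as in the table above, and the ip6.arpa helpers show why a delegation has to land on a 4-bit boundary. Only the standard library `ipaddress` module is used; the addresses in the `main` block are documentation/test ranges.

```python
"""Worked examples for the addressing notes: classful bit tests and ip6.arpa nibbles."""
import ipaddress


def classful(addr):
    """Return (class, default mask length) from the leading bits of the first octet."""
    first_octet = int(ipaddress.IPv4Address(addr)) >> 24
    if first_octet >> 7 == 0b0:          # 0xxx xxxx -> < 128
        return ("A", 8)
    if first_octet >> 6 == 0b10:         # 10xx xxxx -> 128-191
        return ("B", 16)
    if first_octet >> 5 == 0b110:        # 110x xxxx -> 192-223
        return ("C", 24)
    if first_octet >> 4 == 0b1110:       # 1110 xxxx -> 224-239, multicast
        return ("D", None)
    return ("E", None)                   # 1111 xxxx -> 240-255, reserved


def ip6_reverse_name(addr):
    """PTR owner name: each of the 32 hex nibbles becomes a label, least significant first."""
    nibbles = f"{int(ipaddress.IPv6Address(addr)):032x}"
    return ".".join(reversed(nibbles)) + ".ip6.arpa."


def ip6_reverse_zone(prefix):
    """Zone apex for a delegated prefix; only a prefix on a 4-bit boundary maps to whole labels."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen % 4:
        raise ValueError(f"/{net.prefixlen} does not end on a nibble boundary")
    nibbles = f"{int(net.network_address):032x}"[: net.prefixlen // 4]
    return ".".join(reversed(nibbles)) + ".ip6.arpa."


def ip6_scope(addr):
    """Scope of a unicast IPv6 address per the ranges noted above."""
    a = ipaddress.IPv6Address(addr)
    if a in ipaddress.IPv6Network("fe80::/10"):
        return "link-local"
    if a in ipaddress.IPv6Network("fec0::/10"):
        return "site-local (deprecated)"
    if a in ipaddress.IPv6Network("fc00::/7"):
        return "unique local"
    return "global"


if __name__ == "__main__":
    for ip in ("10.1.2.3", "172.16.0.1", "192.168.1.1", "224.0.0.5", "240.0.0.1"):
        print(ip, classful(ip))
    print(ip6_reverse_name("2001:db8::1"))
    print(ip6_reverse_zone("2001:db8::/32"))
    print(ip6_scope("fe80::1"), ip6_scope("fd00::1"))
```

A /30 delegation would need to split a nibble across two zones, which is why `ip6_reverse_zone` refuses it; in practice the parent zone holds such records itself or delegates the enclosing /28.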
Named Data Networking
Have a formal grammar for parsing
Don’t rely on institutional memory - a person with fresh eyes should know where and what everything is just by reading the records
Don’t use vendor type/make/model in DNS name
Use CNAMEs to wean off old names
Pre-derive all current names before committing to a name scheme
Note that STP predates LAN switches, hence mention of bridges
Failed/shutdown interfaces are placed into an STP disabled state.
The bridge ID is an 8-byte value, unique to the switch. 2 byte priority field, and 6-byte for the MAC address.
Root switch is whatever has the lowest bridge ID: lowest priority, and in a tie, the lowest MAC address.
If a switch hears a Hello with a lower BID than its own, it stops advertising itself as root and forwards the superior Hello.
For best root cost tiebreakers,
- lowest neighbor bridge ID.
- lowest neighbor port priority.
- lowest neighbor internal port number.
STP root switch sends a new Hello BPDU every 2 seconds by default. When a switch hasn’t received a Hello (MaxAge is 10xHello, so 20 seconds by default) or gets different details, it reacts to the topology change. When transitioning from blocking to forwarding, it goes through Listening state (no forwarded frames, removes stale MAC table entries), then Learning (no forwarded frames, but learns MAC addresses of frames sent to interface). Forward delay state changes are 15 seconds each (so 30 seconds from blocking to forwarding). In summary, a topology change could lead to a 50 second delay using STP.
RSTP (IEEE 802.1w originally, folded into 802.1Q today) is an improvement of STP where network convergence happens in a few seconds (about 10 seconds in the worst case). It allows switches to replace their root ports without the blocking->forwarding transition wait in some cases, to replace a designated port without waiting through the forwarding-delay states, and uses shorter timers: a root is considered lost after 3 missed Hellos (3 x Hello timer) instead of MaxAge. Switches can also ask neighbouring switches whether problems are occurring (the proposal/agreement exchange), which reduces wait times. There is an Alternate port (which can replace the root port when it fails) and a Backup port (which replaces the designated port when it fails).
Bridge Protocol Data Units
Has root bridge ID, sender’s bridge ID, sender’s root cost, and timers on the root switch
Spanning Tree Algorithm
Elect a root switch, all ports in forwarding
Non-root switches determine which port has least cost to root switch (root cost). That “root port” is put in forwarding state.
With two switches on a link, the one with the lowest root cost is placed in a forwarding state. That switch is the “designated switch,” and the interface the “designated port”
Any leftover interfaces are put in a blocking state.
- Spanning Tree - IEEE 802.1D
- Rapid Spanning Tree - IEEE 802.1w
- Multiple Spanning Tree - IEEE 802.1s
All incorporated into 802.1Q-2014.
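Added example (not from the original notes or any vendor's code): the election and port-role steps above run over a constructed three-switch triangle, then again with an attacker dual-homed to SW1 and SW2 who sends Hellos with priority 0. Bridge IDs, MACs, port IDs and the cost of 19 (the 802.1D value for 100 Mbit/s) are all made up for the example.

```python
"""Spanning-tree role computation over a small topology, following the election steps above."""
import heapq
from collections import defaultdict

# Bridge ID = (priority, MAC). Tuples compare priority first, then MAC, which is the tiebreak order.
SWITCHES = {
    "SW1": (32768, "0200.0000.0001"),
    "SW2": (32768, "0200.0000.0002"),
    "SW3": (32768, "0200.0000.0003"),
}
# (switch, port ID, switch, port ID, cost); port ID = (port priority, port number).
# Constructed topology: a triangle of 100 Mbit/s links.
LINKS = [
    ("SW1", (128, 1), "SW2", (128, 1), 19),
    ("SW1", (128, 2), "SW3", (128, 1), 19),
    ("SW2", (128, 2), "SW3", (128, 2), 19),
]


def spanning_tree(switches, links):
    """Return (root, root_cost per switch, role per (switch, port)) for a converged topology."""
    root = min(switches, key=switches.get)            # lowest bridge ID wins the election
    adj = defaultdict(list)
    for a, pa, b, pb, cost in links:
        adj[a].append((pa, b, pb, cost))
        adj[b].append((pb, a, pa, cost))

    # Root cost: cheapest path to the root; each hop adds the cost of the receiving port.
    root_cost = {root: 0}
    heap = [(0, root)]
    while heap:
        cost, node = heapq.heappop(heap)
        if cost > root_cost[node]:
            continue
        for _port, nb, _nbport, link_cost in adj[node]:
            if cost + link_cost < root_cost.get(nb, float("inf")):
                root_cost[nb] = cost + link_cost
                heapq.heappush(heap, (cost + link_cost, nb))

    roles = {}
    for node in switches:
        if node == root:
            continue                                   # every port on the root is designated
        # Root port: lowest cost via the neighbour, then the neighbour's BID, then its port ID.
        port, *_ = min(adj[node], key=lambda e: (root_cost[e[1]] + e[3], switches[e[1]], e[2]))
        roles[(node, port)] = "root"
    for a, pa, b, pb, _cost in links:
        # Designated end of each link: lower root cost, then lower BID, then lower port ID.
        a_key = (root_cost[a], switches[a], pa)
        b_key = (root_cost[b], switches[b], pb)
        roles.setdefault((a, pa) if a_key < b_key else (b, pb), "designated")
    for node in switches:
        for port, *_ in adj[node]:
            roles.setdefault((node, port), "blocking")  # whatever is left blocks
    return root, root_cost, roles


def rogue_topology():
    """Same triangle plus an attacker dual-homed to SW1 and SW2 that advertises priority 0."""
    switches = dict(SWITCHES, ATTACKER=(0, "0200.0000.00ff"))
    links = LINKS + [
        ("SW1", (128, 3), "ATTACKER", (128, 1), 19),
        ("SW2", (128, 3), "ATTACKER", (128, 2), 19),
    ]
    return switches, links


if __name__ == "__main__":
    for label, (sw, ln) in (("normal", (SWITCHES, LINKS)), ("rogue", rogue_topology())):
        root, cost, roles = spanning_tree(sw, ln)
        print(f"{label}: root={root} cost={cost}")
        for (node, port), role in sorted(roles.items()):
            print(f"  {node} port {port[1]}: {role}")
```

In the normal run SW1 is root and SW3 blocks its port to SW2 (equal root cost, SW2 has the lower BID). In the rogue run the attacker's priority-0 Hello wins the election outright, the direct SW1-SW2 link is blocked on SW2's side, and SW1-SW2 traffic now crosses the attacker. That is why access ports get BPDU guard and ports facing away from the intended root get root guard.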
# get POC info from ARIN (this is ARIN's own query syntax, so point whois at ARIN's server)
whois -h whois.arin.net 'p ! + NAME-ARIN'
Hot Standby Router Protocol
Simple Object Access Protocol
Use curl to send a request
curl -d @request.xml -H "Content-Type: application/soap+xml;charset=UTF-8" http://localhost:9090/thing
Home Network Administration Protocol
Get modem details
arpwatch -i <interface> -u <non-root username>
Use a static ARP table
# Single address:
arp -s <ip> <mac>
# File:
arp -f <filepath>
# Reverse lookup
dig -x [ip addr]
# Get root servers
dig NS .
# Get the .com TLD servers
dig NS com
# Get nameserver glue records from a TLD server
dig NS example.com @b.gtld-servers.net
# Get SOA (serial, refresh, retry, expiry, minimum)
dig +short example.com soa
Query name server for IP addresses
nslookup [name] [dns server]
Add Route53 subdomain to zone file
; drop this in the example.com zone file
$ORIGIN subdomain.example.com.
@ IN NS ns-x.awsdns-x.net.
@ IN NS ns-x.awsdns-x.com.
@ IN NS ns-x.awsdns-x.co.uk.
@ IN NS ns-x.awsdns-x.org.
Protect domain that doesn’t use email
- an SPF record that says you do not have any sending servers. TXT record:
  @ : "v=spf1 -all"
- a DMARC record to reject any email from your domain (sp= covers subdomains). TXT record:
  _dmarc : "v=DMARC1;p=reject;sp=reject;adkim=s;aspf=s;fo=1;rua=mailto:firstname.lastname@example.org"
- an empty DKIM key record (an empty p= revokes the key, and the wildcard covers every selector). TXT record:
  *._domainkey : "v=DKIM1; p="
- (optional) a null MX record (RFC 7505), which tells senders the domain accepts no mail at all:
  @ : MX 0 .
Check the SPF record of a domain
dig -t TXT example.com +short | grep spf
SPF null record
If the domain should not be sending any email
www.example.com. IN TXT "v=spf1 -all"
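Added example (not from the original notes): a checker for the no-mail posture described above. It takes the TXT/MX records as a dict (what you would collect with the `dig` one-liners) and parses them the way a receiver would: SPF must be exactly `v=spf1 -all`, DMARC must reject for the domain and its subdomains (sp= defaults to p= when absent), the wildcard DKIM record must carry an empty key, and any MX other than the null MX is flagged. Both sample zones are constructed; `_spf.example.net` and `mail.example.com` are placeholders.

```python
"""Evaluate published TXT/MX records for a domain that should never send mail."""


def parse_tags(txt):
    """Split a DKIM/DMARC 'tag=value; tag=value' string into a dict with lower-cased keys."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def spf_denies_all(txt):
    """True only for 'v=spf1 -all'; any other mechanism (include:, ip4:, a, mx ...) authorises a sender,
    and '~all' is a softfail, not a denial."""
    terms = txt.split()
    return len(terms) == 2 and terms[0].lower() == "v=spf1" and terms[1].lower() == "-all"


def dmarc_rejects(txt):
    """p=reject for the domain and sp=reject for subdomains (sp inherits p when it is absent)."""
    tags = parse_tags(txt)
    if tags.get("v", "").upper() != "DMARC1":
        return False
    policy = tags.get("p", "none").lower()
    subdomain_policy = tags.get("sp", policy).lower()
    return policy == "reject" and subdomain_policy == "reject"


def dkim_revoked(txt):
    """An empty p= tag means the key is revoked (RFC 6376)."""
    tags = parse_tags(txt)
    return tags.get("v", "DKIM1").upper() == "DKIM1" and tags.get("p") == ""


def assess(zone):
    """zone = {'TXT': {owner: [strings]}, 'MX': [(preference, exchange)]}.
    Returns a list of findings; an empty list means the domain is locked down."""
    findings = []
    txt = zone.get("TXT", {})
    if not any(spf_denies_all(r) for r in txt.get("@", [])):
        findings.append("SPF: no 'v=spf1 -all' at the apex")
    if not any(dmarc_rejects(r) for r in txt.get("_dmarc", [])):
        findings.append("DMARC: _dmarc must publish p=reject and sp=reject")
    if not any(dkim_revoked(r) for r in txt.get("*._domainkey", [])):
        findings.append("DKIM: no empty-key wildcard record at *._domainkey")
    mx = zone.get("MX", [])
    if mx and mx != [(0, ".")]:
        findings.append("MX: real exchanges published; use a null MX '0 .' (RFC 7505) or none")
    return findings


# Constructed sample zones, not real DNS data.
LOCKED_DOWN = {
    "TXT": {
        "@": ["v=spf1 -all"],
        "_dmarc": ["v=DMARC1;p=reject;sp=reject;adkim=s;aspf=s;fo=1;rua=mailto:dmarc@example.org"],
        "*._domainkey": ["v=DKIM1; p="],
    },
    "MX": [(0, ".")],
}
LEAKY = {
    "TXT": {
        "@": ["v=spf1 include:_spf.example.net ~all"],   # placeholder include
        "_dmarc": ["v=DMARC1; p=none; rua=mailto:dmarc@example.org"],
    },
    "MX": [(10, "mail.example.com.")],                   # placeholder exchange
}

if __name__ == "__main__":
    for name, zone in (("locked-down", LOCKED_DOWN), ("leaky", LEAKY)):
        print(name, assess(zone) or ["ok"])
```

The TXT strings are what `dig -t TXT example.com +short` prints (minus the quotes), so the checker can be fed straight from the earlier one-liners.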
- Rate limiting is set in the options
- Recursion is disabled on the authoritative servers
- Zone transfers are locked down
Look for UDP packet loss
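Added example (not from the original notes): what the three settings above look like in a BIND 9 `named.conf`. The zone name, the secondary's address and the TSIG key name are placeholders.

```conf
options {
    recursion no;                       # authoritative only: never answer recursive queries
    allow-transfer { none; };           # default for every zone; opened up per zone below
    rate-limit {                        # Response Rate Limiting: blunts reflection/amplification abuse
        responses-per-second 5;
        window 5;
    };
};

zone "example.com" {
    type master;                        # "primary" in BIND 9.16+
    file "example.com.zone";
    allow-transfer { 192.0.2.2; key "xfer-key"; };   # secondaries only (placeholder address and key)
    also-notify { 192.0.2.2; };
};
```

After a reload, `rndc status` confirms recursion is off, and an AXFR from anywhere but the listed secondary should be refused.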
| Script | Purpose |
| --- | --- |
| ssl-enum-ciphers | list the SSL/TLS cipher suites the server accepts, graded by strength |
| http-trace | see if server has a TRACE method enabled |
| http-server-header | get details from the Server: header |
Get list of available server ciphers
nmap --script ssl-enum-ciphers -p PORT SERVER
# Input from list
nmap -iL file ...
# Grepable output
nmap -oG file ...
# XML output
nmap -oX file ...
# List scan: only does reverse DNS lookups, sends nothing to the targets' ports
nmap -sL ...
# Aggressive scan: equal to -sV -sC -O --traceroute
nmap -A ...
# Timing template 0-5 (4 or higher is fine on broadband)
nmap -T4 ...
# OS detection
nmap -O ...
svn co https://svn.nmap.org/nmap
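Added example (not from the original notes or from nmap itself): a parser for `-oX` output that lists open ports and pulls weak suites out of `ssl-enum-ciphers` results, which is the step that turns a scan file into findings. The XML sample is constructed in the shape nmap writes (one `<table>` per protocol version, a `ciphers` table whose rows carry `name`/`kex_info`/`strength`, grades A to F); the host 192.0.2.10 is a documentation address, not a real scan.

```python
"""Parse nmap -oX output and pull weak TLS cipher suites out of ssl-enum-ciphers results."""
import xml.etree.ElementTree as ET

LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1.0", "TLSv1.1"}


def open_ports(xml_text):
    """(address, port, service name) for every open port in the scan."""
    results = []
    for host in ET.fromstring(xml_text).iter("host"):
        addr = host.find("address").get("addr")
        for port in host.iter("port"):
            if port.find("state").get("state") != "open":
                continue
            service = port.find("service")
            name = service.get("name") if service is not None else None
            results.append((addr, int(port.get("portid")), name))
    return results


def weak_ciphers(xml_text, max_grade="B"):
    """(address, port, protocol, cipher, grade) for every suite graded worse than max_grade
    or offered on a legacy protocol version. Grades are letters, so 'C' > 'B' means worse."""
    findings = []
    for host in ET.fromstring(xml_text).iter("host"):
        addr = host.find("address").get("addr")
        for port in host.iter("port"):
            for script in port.iter("script"):
                if script.get("id") != "ssl-enum-ciphers":
                    continue
                for proto_table in script.findall("table"):
                    proto = proto_table.get("key")
                    for row in proto_table.findall("table[@key='ciphers']/table"):
                        name = row.findtext("elem[@key='name']")
                        grade = row.findtext("elem[@key='strength']")
                        if proto in LEGACY_PROTOCOLS or grade > max_grade:
                            findings.append((addr, int(port.get("portid")), proto, name, grade))
    return findings


# Constructed sample in the shape nmap writes for -oX; not output of a real scan.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap --script ssl-enum-ciphers -p 22,443 -oX - 192.0.2.10">
  <host><status state="up"/><address addr="192.0.2.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="closed" reason="reset"/><service name="ssh"/></port>
      <port protocol="tcp" portid="443">
        <state state="open" reason="syn-ack"/>
        <service name="https"/>
        <script id="ssl-enum-ciphers" output="(omitted)">
          <table key="TLSv1.0">
            <table key="ciphers">
              <table><elem key="name">TLS_RSA_WITH_3DES_EDE_CBC_SHA</elem><elem key="kex_info">rsa 2048</elem><elem key="strength">C</elem></table>
            </table>
            <elem key="cipher preference">server</elem>
          </table>
          <table key="TLSv1.2">
            <table key="ciphers">
              <table><elem key="name">TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256</elem><elem key="kex_info">secp256r1</elem><elem key="strength">A</elem></table>
              <table><elem key="name">TLS_RSA_WITH_AES_128_CBC_SHA</elem><elem key="kex_info">rsa 2048</elem><elem key="strength">C</elem></table>
            </table>
          </table>
          <elem key="least strength">C</elem>
        </script>
      </port>
    </ports>
  </host>
</nmaprun>
"""

if __name__ == "__main__":
    print(open_ports(SAMPLE_XML))
    for finding in weak_ciphers(SAMPLE_XML):
        print(*finding)
```

Point it at a real file with `weak_ciphers(open("scan.xml").read())`; anything still listed under TLSv1.0/1.1 is reported regardless of grade, because the protocol version itself is the finding.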
Doesn’t redirect UDP or FTP
bindaddress bindport connectaddress connectport
0.0.0.0 as the bind address binds to every available local IP address
Get all ICMP packets
See what’s connecting to a port
tcpdump dst port <PORT>
See what’s coming from an IP
tcpdump src 126.96.36.199
# blank lines and lines starting with '#' ignored
<daemon list> : <client list> [: <option> : <option> : ...]
| State | Meaning |
| --- | --- |
| ESTABLISHED | connection up and passing data |
| SYN_SENT | TCP; session has been requested by us; waiting for reply from remote endpoint |
| SYN_RECV | TCP; session has been requested by a remote endpoint for a socket on which we were listening |
| LAST_ACK | TCP; our socket is closed; remote endpoint has also shut down; we are waiting for a final acknowledgement |
| CLOSE_WAIT | TCP; remote endpoint has shut down; the kernel is waiting for the application to close the socket |
| TIME_WAIT | TCP; socket is waiting after closing for any packets left on the network |
| CLOSING | TCP; our socket is shut down; remote endpoint is shut down; not all data has been sent |
| FIN_WAIT1 | TCP; our socket has closed; we are in the process of tearing down the connection |
| FIN_WAIT2 | TCP; the connection has been closed; our socket is waiting for the remote endpoint to shut down |
- Team Cymru NTP hardening guide
Setting up an OpenVPN server
# Set up a cert. authority (easy-rsa 2.x commands; easy-rsa 3 uses ./easyrsa <command>)
cd /etc/openvpn/easy-rsa/
# Edit the vars file, then source it
. ./vars
./clean-all
./build-ca
# Create server certs
./build-key-server server
# Create client certs
./build-key client1
# Build Diffie Hellman parameters
./build-dh
- Explicitly set the server
- Use at least 2048-bit RSA keys
- Use tls-auth to mitigate DDoS (control-channel packets without a valid HMAC are dropped before the TLS handshake starts)
- Keep CA PKI secure. If the CA key is compromised, you’ll need to reissue everything it signed
- Generate private keys on the target system
- Use strong key passphrases
- Avoid sharing keys across targets
- Generate a CRL at the creation of a VPN
- Use Diffie-Hellman parameters of 2048-bit+
- Set the script-security level to what is appropriate
- If you’ve got servers+clients greater than OpenVPN 2.3.2, set
# See list of supported ciphers
openvpn --show-ciphers
# See list of supported HMACs
openvpn --show-digests
# See list of supported TLS cipher-suites
openvpn --show-tls
Using a static key
# generate static key openvpn --genkey --secret static.key
In configuration files:
# static-key mode (no TLS, point-to-point):
secret static.key
# or, in TLS mode, use the same key file for HMAC protection of the control channel
# (key direction 0 on the server, 1 on clients):
tls-auth static.key 0
# the key can also be inlined in the config:
<tls-auth>
Key contents
</tls-auth>
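Added example (not from the original notes or the OpenVPN project): a `server.conf` fragment that applies the hardening list above. File names are placeholders; `cipher AES-256-GCM` needs OpenVPN 2.4+ (use AES-256-CBC on older builds) and `tls-version-min` needs 2.3.3+ on both ends.

```conf
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key          # generated on this host, never copied from elsewhere; mode 0600
dh dh2048.pem           # ./build-dh with KEY_SIZE=2048 (or larger) in vars
crl-verify crl.pem      # CRL created with the PKI, so a revoked client is refused immediately
tls-auth ta.key 0       # HMAC on the control channel; unauthenticated packets never reach the TLS code
tls-version-min 1.2
cipher AES-256-GCM
auth SHA256
remote-cert-tls client  # refuse a client presenting a server certificate issued by the same CA
script-security 1       # built-in executables only; raise to 2 only if you actually run hook scripts
user nobody
group nogroup
persist-key
persist-tun
```

Clients need the matching `tls-auth ta.key 1`, `remote-cert-tls server` and the same `cipher`/`auth` values.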
When connecting to a telco, ask for:
- Serial IP addresses
- circuit ID
- customer #
- line encapsulation
- Ethernet IP address
Registration Data Access Protocol (RDAP)
Machine-readable successor to WHOIS
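Added example (not from the original notes): because RDAP answers are JSON, the abuse contact for an address can be extracted programmatically instead of being eyeballed out of WHOIS text. Contacts are jCard arrays nested under entities, and the abuse entity usually sits beneath the registrant, so the walk is recursive. The sample response is constructed (TEST-NET-1 and example.org placeholders); `rdap.org` is a public redirector that forwards to the registry holding the object, and `fetch` is the only function that touches the network.

```python
"""Pull abuse contacts out of an RDAP response for an IP network."""
import json
import urllib.request

RDAP_BASE = "https://rdap.org"        # redirector: 302s to ARIN/RIPE/APNIC/... for the object


def rdap_url(ip):
    return f"{RDAP_BASE}/ip/{ip}"


def vcard_field(vcard_array, field):
    """jCard is ['vcard', [[name, params, type, value], ...]]; return every value for `field`."""
    return [entry[3] for entry in vcard_array[1] if entry[0] == field]


def abuse_contacts(doc):
    """Emails of every entity carrying the 'abuse' role, at any nesting depth."""
    found = []

    def walk(entities):
        for ent in entities:
            if "abuse" in ent.get("roles", []):
                found.extend(vcard_field(ent.get("vcardArray", ["vcard", []]), "email"))
            walk(ent.get("entities", []))

    walk(doc.get("entities", []))
    return found


def fetch(ip):
    """Live lookup (network); the Accept header asks explicitly for RDAP JSON."""
    req = urllib.request.Request(rdap_url(ip), headers={"Accept": "application/rdap+json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


# Constructed, minimal RDAP IP-network object; not a real registry response.
SAMPLE = {
    "objectClassName": "ip network",
    "startAddress": "192.0.2.0",
    "endAddress": "192.0.2.255",
    "name": "TEST-NET-1",
    "entities": [{
        "handle": "ORG-EXAMPLE",
        "roles": ["registrant"],
        "vcardArray": ["vcard", [["fn", {}, "text", "Example Org"]]],
        "entities": [{
            "handle": "ABUSE-EXAMPLE",
            "roles": ["abuse"],
            "vcardArray": ["vcard", [
                ["fn", {}, "text", "Abuse Desk"],
                ["email", {}, "text", "abuse@example.org"],
            ]],
        }],
    }],
}

if __name__ == "__main__":
    print(SAMPLE["name"], abuse_contacts(SAMPLE))
    # print(abuse_contacts(fetch("192.0.2.1")))   # live query, needs network access
```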
# Convert a raw capture of the WPA handshake to John's format, then crack the PSK
wpapcap2john cap.raw > cap.john
john --format=wpapsk cap.john
| Document | RFC # |
| --- | --- |
| RFC Style Guide | 7322 |
| RFC Series and RFC Editor | 8729 |
| 30 Years of RFCs | 2555 |
# on the local machine: forward local port 5900 to the VNC port on desthost
ssh desthost -L 5900:localhost:5900
# on desthost: export display :0 (add -localhost so only the SSH tunnel, not the network, can reach the password-less server)
x11vnc -display :0 -nopw
# back on the local machine, through the tunnel
vncviewer :0
Testing a connection