ZTE VDSL with Any Router

I’ve configured the ZTE 931Dll VDSL modem to be used with our standard DD-WRT router. This required modifying the ZTE settings to perform VLAN bridging for the DD-WRT router.

The general steps are outlined in another blog.

However, the critical last step is different. I tried the steps at the blog but it didn’t work. Using my head, I decided to try a different setting, which worked.

Set the LAN4 trunking to:
Enable VLAN trunk: Checked
Supported VLAN Number: 0
PVID: 500

Then, configure the DD-WRT router to perform PPPoE as normal.

That’s all!

Unifi is Unstable

Seriously, there is something wrong with the Unifi setup at my office. While the line is currently working, its stability is in question. With a 37% packet loss to Google servers, there is definitely something going wrong here. I have made a report (1-1864549262) and this is the second time it is exhibiting the same unstable symptoms.

I’ve got even more ping results but they all reflect the same problem – about 40% packet loss. Even connecting to Google is a problem. And this is the Business package, where we are paying more for less service. I really do not understand why I always have these problems.

It took them a month to sort out my Streamyx problems previously too.

Unifi Speed Test

I had Unifi installed at home today. The whole process was rather cumbersome but the contractors managed to get things done in about 2 hours or so. Instead of drilling holes in the wall, I had them thread the fibre through the ceiling into my server rack. This cost me RM200 extra.

After that, the contractor showed me the speedtest results with OOKLA.

I had ordered the VIP5 package, which comes with a 5Mbps line. Seeing that OOKLA reported a 4.8Mbps speed was quite a good sign. However, instead of just trusting OOKLA, I decided to do a little test of my own. I ran my own iperf tests against my servers in the UK, US and Germany.

The results are a mixed bag but generally, it averages above 3Mbps.

I won’t really complain much at the moment until I complete testing it further. One thing that I’m not quite happy with though, is the need to use the supplied DIR-615 router. I will need to investigate the possibility of using my own router further.

PS: I noticed that the results depend on the network that I get to connect to. This is another result that I obtained later in the night. Look at the speeds and ping latency!

Region and Country

I recently realised that there are a lot of corporate websites out there that will ask a user for region/country when visiting, and then forward the user to a different landing page depending on the geographical location of the user. With the technology available today, I sometimes wonder why any of this is necessary at all.

There is such a thing called GeoIP. While it is not 100% accurate, it is largely accurate and is used by certain people like Google analytics to work out where a site’s visitor comes from. It occurred to me that these websites should just use GeoIP to redirect the user to the appropriate landing page instead of asking the user a bunch of useless questions.

This is just a random thought.

Streamyx Modem Hack

I recently installed a new Streamyx package at my office. It came with a free Riger WL108 modem which was quite limited. The configuration options available were appalling and the security of the device was non-existent. It was just using WEP and it took me under 2 minutes to crack the keys.

However, what is not often documented is that the modem is capable of much more as there is a hidden administrative function. Just login to the modem as tmadmin:tmadmin and the system will expose all sorts of goodies.

Wireless Security
Look under Wireless – Security and we can enable WPA2, both the PSK and EAP versions are available. I set mine to PSK as I wanted to use it as a public access wifi for authorised personnel.

DMZ
Look under Advanced Setup – NAT – DMZ Host and we can specify a DMZ host to use. I love this option as it will allow me to remotely login to my office network and access certain services from anywhere in the world. This will be very useful as a VPN entry for road-warriors.

Dynamic DNS
Look under Advanced Setup – DNS – Dynamic DNS and we can configure it to talk to any of the dynamic DNS services available. As my office network is on a dynamic IP, this will be handy to access my office network using a domain name instead.

There is a lot more stuff that can be configured and a lot of capabilities are actually built into the modem, just not enabled nor accessible from the regular user access menu.

So, I was able to get a lot of advanced features working without going out to buy a new modem. I was actually contemplating this and am glad that I will be able to save up the RM100 or so instead.

Mulling over DDoS

The Wikileaks fracas is escalating, with hacktivists on both sides of the divide working to take down sites that are seen to be on the wrong side of the issue. Personally, I do not have any political opinion on either the Wikileaks issue or the attacks. I leave that to less technical authors to write on. Personally, I just like mulling over the whole problem of DDoS attacks.

Any reader of this blog should be familiar with what a DDoS attack is. But to me, the problem of a DDoS attack is similar to that of an arms race – the side with the bigger gun or bullet wins. In the case of the initial attack, Wikileaks moved over to AWS and was able to hold off attacks for a while. This is because Amazon had bigger pipes and defenses than the attackers. However, the attacks have taken a turn and secondary sites such as credit cards and law-firms are being hit as well. It seems like certain parties are taking this opportunity to settle some beef.

But back to the whole problem with DDoS.

I’ve mulled over this with my former boss and some co-workers, for the purpose of a clandestine project that I was working on. The conclusion that I came to is that a DDoS is effective in its simplicity – the side with the bigger pipes wins. The company that I used to work for has one of the biggest pipes in Malaysia and we could take people down, single-handedly, if we wanted to.

However, there are strategies to mitigate a DDoS attack.

Bigger pipes
Wikileaks moving to Amazon was in effect, buying bigger pipes. This mitigated attacks for a while until they got booted off Amazon. If it is not possible to buy pipes from a single provider, it would make sense to buy pipes from multiple providers and distribute the site across the globe. This is what Wikileaks has now done – distribute its content over a list of hundreds of worldwide mirrors operated by volunteers.

Faster software
DDoS attacks exploit the fact that a computer is kept busy by servicing network packets (either at the application or networking layers). Obviously, the solution to this problem would be to have bigger machines – this means having faster processors, larger memories, lighter operating systems. Surprisingly, some people do not realise that the TCP/IP stack plays an integral role in these attacks and if the OS has a more efficient stack, it would be able to withstand more punishment. Not all web-servers are created equal and some are able to handle concurrency better.

IPv6
One method that is not often thought of, is moving infrastructure over to IPv6. Most of the internet still runs on IPv4 today. In fact, many network providers simply do not cater to IPv6 and simply drop the packets from their network. Therefore, moving a site over to IPv6-only could help mitigate DDoS attacks by limiting the available sources of attack. Compromised botnets would be less effective if most of their machines were still on IPv4 only.

Future clouds
What would have been interesting would be if the attackers had shifted to launching attacks from cloud service providers. In fact, this was one of the queries that I raised once, in a meeting with a local cloud provider – launching attacks from within the cloud provider itself. If the provider is not careful, attackers could buy network and computing resources in order to launch attacks within the cloud itself. This would be difficult to detect because most cloud providers put their metering on external traffic, not internal ones. Imagine the attackers buying EC2s to attack Wikileaks from the inside of Amazon infrastructure. The attack would only need to be bad enough to take down the Wikileaks machines, without compromising the rest of Amazon’s infrastructure. Therefore, it is important for cloud providers to think about isolating their internal machines from each other.

Of course, there are many more considerations that could fit this little blog, but these were just some thoughts that I felt like writing down.

Weird TLD in China

I was reading about a recent Gmail hack from China and they actually showed the IP used to access the account. Since I was fairly curious, I decided to take a look into the IP – 125.45.96.89 – and I was surprised with the result.

inetnum: 125.40.0.0 - 125.47.255.255
netname: UNICOM-HA
descr: China Unicom Henan province network
descr: China Unicom
country: CN
admin-c: CH1302-AP
tech-c: WW444-AP
mnt-by: APNIC-HM
mnt-lower: MAINT-CNCGROUP-HA
mnt-routes: MAINT-CNCGROUP-RR
status: ALLOCATED PORTABLE
remarks: -+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+-+-+-+-+-+-+-+
remarks: This object can only be updated by APNIC hostmasters.
remarks: To update this object, please contact APNIC
remarks: hostmasters and include your organisation's account
remarks: name in the subject line.
remarks: -+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+-+-+-+-+-+-+-+
changed: [email protected] 20051011
changed: [email protected] 20051020
changed: [email protected] 20090507
changed: [email protected] 20090508
source: APNIC

Nothing surprising here since the IP reports itself as being allocated to a Chinese ISP – China Unicom in Henan.

; <<>> DiG 9.7.0-P1 <<>> -x 125.45.96.89
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 60982
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;89.96.45.125.in-addr.arpa. IN PTR

;; ANSWER SECTION:
89.96.45.125.in-addr.arpa. 85865 IN PTR hn.kd.ny.adsl.

;; Query time: 23 msec

Now, this totally caught my eye. Notice the PTR record shows that the name for that IP is hn.kd.ny.adsl – an uncommon TLD. So, I checked Wikipedia for a list of available TLDs and sure enough, the ADSL TLD does not seem to exist. If I were to try to ping hn.kd.ny.adsl, the address would not even resolve through the normal DNS system.

ping: unknown host hn.kd.ny.adsl

Now, this indicates to me that China is running its own root-servers, which does not surprise me one bit as it uses them to implement the Great Firewall of China. Since it does this, it is free to implement its own list of TLDs that nobody else uses in the rest of the world. This is all fine and dandy until ICANN decides to approve the use of an ADSL TLD in the future.
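The practical lesson from a PTR name like hn.kd.ny.adsl is that a reverse record on its own proves nothing; a forward-confirmed reverse DNS (FCrDNS) check catches both made-up TLDs and PTR names that do not resolve back to the address. The following is an added example, not code from the original post: the PTR and A tables are constructed stand-ins for live DNS answers (seeded with the post's own record), and PUBLIC_TLDS is a short constructed subset of the IANA list.

```python
import ipaddress

# Constructed sample resolver data standing in for live DNS answers.
# The first PTR entry is the one quoted in the post; hn.kd.ny.adsl has
# no forward record, so it is deliberately absent from A_RECORDS.
PTR_RECORDS = {
    "89.96.45.125.in-addr.arpa.": "hn.kd.ny.adsl.",
    "4.4.8.8.in-addr.arpa.": "dns.google.",
    "1.1.168.192.in-addr.arpa.": "host.example.com.",  # constructed
}
A_RECORDS = {
    "dns.google.": {"8.8.8.8", "8.8.4.4"},
    "host.example.com.": {"203.0.113.5"},  # constructed: points elsewhere
}
# Constructed subset of the public TLD list; a real check loads IANA's list.
PUBLIC_TLDS = {"com", "net", "org", "cn", "my", "google", "arpa"}


def reverse_name(ip: str) -> str:
    """Build the in-addr.arpa owner name for an IPv4 address, as `dig -x` does."""
    return ipaddress.ip_address(ip).reverse_pointer + "."


def lookup_ptr(ip: str, ptr=PTR_RECORDS):
    """Return the PTR target for ip, or None when no reverse record exists."""
    return ptr.get(reverse_name(ip))


def tld_is_public(hostname: str, tlds=PUBLIC_TLDS) -> bool:
    """True when the hostname's last label is a delegated public TLD."""
    return hostname.rstrip(".").split(".")[-1].lower() in tlds


def fcrdns(ip: str, ptr=PTR_RECORDS, fwd=A_RECORDS, tlds=PUBLIC_TLDS):
    """Classify an address by forward-confirmed reverse DNS.

    Returns (verdict, ptr_name). Only 'confirmed' means the PTR name has a
    public TLD and its forward record points back at the same address.
    """
    name = lookup_ptr(ip, ptr)
    if name is None:
        return "no-ptr", None
    if not tld_is_public(name, tlds):
        return "bogus-tld", name          # e.g. the .adsl case from the post
    if ip not in fwd.get(name, set()):
        return "unconfirmed", name        # PTR exists but does not round-trip
    return "confirmed", name
```

Swap the dictionaries for real resolver calls and an up-to-date TLD file to run this against live data; log entries that come back as anything other than 'confirmed' should be treated as having no trustworthy hostname.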

With the recent WikiLeaks fiasco, people are already talking about fragmenting the Internet. This is proof that the Internet is already fragmented – we just need to take it to the next level. Zero-One-Infinity, anyone?