Marek Vavruša vavrusa

View gist:b7037e03044cff59a23543e5f7f98049
$ kdig @9.9.9.9 akamai.com +subnet=111.111.111.0/24
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 9698
;; Flags: qr rd ra; QUERY: 1; ANSWER: 1; AUTHORITY: 0; ADDITIONAL: 1
;; EDNS PSEUDOSECTION:
;; Version: 0; flags: ; UDP size: 4096 B; ext-rcode: NOERROR
;; CLIENT-SUBNET: 73.231.144.0/20/0
;; QUESTION SECTION:
;; akamai.com. IN A
vavrusa / console.lua
Last active Mar 31, 2018
Fun with BPF
$ sudo luarocks install https://raw.githubusercontent.com/iovisor/bcc/master/src/lua/bpf-scm-1.rockspec
$ cat bpf_ttl.lua
local S = require('syscall')
local bpf = require('bpf')
-- Kernel-space part of the program
local map = bpf.map('array', 256)
local prog = assert(bpf(function ()
local net = pkt.net_off -- Socket filter on TCP starts from TCP otherwise
if net.ver == 4 then -- Check for IPv4
vavrusa / build.log
Created Aug 17, 2017
clickhouse build failure
[22:54:07] : [build] CMAKE_FLAGS_ADD="-DENABLE_MYSQL=OFF" REVISION=54276-cf0 AUTHOR=mvavrusa@cloudflare.com DEB_CLANG=$(which clang-3.8) DEB_CXX=$(which g++-6) DEB_CC=$(which gcc-6) THREAD_COUNT=4 ./release && \
[22:54:07] : [build] mv ../*.deb /build/clickhouse/pkg
[22:54:07] : [build]
[22:54:07] : [build] Current revision is 54276-cf0
[22:54:08] : [build] dpkg-buildpackage -rfakeroot -us -uc -b
[22:54:08] : [build] dpkg-buildpackage: info: source package clickhouse
[22:54:08] : [build] dpkg-buildpackage: info: source version 1.1.54276-cf0
[22:54:08] : [build] dpkg-buildpackage: info: source distribution unstable
[22:54:08] : [build] dpkg-buildpackage: info: source changed by mvavrusa@cloudflare.com <builder@yandex-team.ru>
[22:54:08] : [build] dpkg-source --before-build clickhouse
vavrusa / poc-dnsmasq.py
Last active Jan 23, 2021
PoCs for CVE-2015-7547 (different attack vectors)
#!/usr/bin/python
#
# Copyright 2016 Google Inc
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
vavrusa / cve-2015-7547-mitigation.md
Last active Feb 17, 2016
cve-2015-7547-mitigation

Mitigating with local resolver

There are two preconditions for the attack:

  1. One of the queries results in a valid 2k answer
  2. One of the queries soft-fails and will be retried

Mitigating (1) with UDP is simple: set the maximum UDP buffer size to <2048B [1]. That leaves TCP.

vavrusa / appender.lua
Created Oct 13, 2015
Small module that appends SOA for NS queries.
local mod = {}
mod.layer = {
consume = function (state, req, answer)
if state == kres.FAIL then
return state
end
answer = kres.pkt_t(answer)
req = kres.request_t(req)
if answer:qtype() == kres.type.NS then
local qry = req:push(answer:qname(), kres.type.SOA, kres.class.IN)
vavrusa / dhcp.lua
Last active Mar 4, 2021
Lua/C DHCP example#2
-- C definitions
local ffi = require('ffi')
local csym = ffi.C
ffi.cdef[[
/* DHCP header format */
struct __attribute__((packed)) dhcp_msg {
/* Header */
uint8_t op;
uint8_t htype;
uint8_t hlen;
vavrusa / ldhcp-ex1.c
Last active Aug 29, 2015
Lua/C DHCP example #1
#include <stdio.h>
#include <string.h>
#include <lua.h>
#include <lualib.h>
#include <lauxlib.h>
#include <arpa/inet.h>
/* Get/set opcode */
static int msg_op(lua_State *L)
{
vavrusa / slowdrip.lua
Last active Aug 29, 2015
DNS slowdrip
local slowdrip = {
tracked = {},
blocked = {},
window = 60, -- Length of the tracking window
threshold = 100, -- Number of NXDOMAINs before blocking
-- Track suffixes of names leading to NXDOMAIN
layer = {
finish = function(state, req, answer)
local parent = answer:qname()
parent = parent:sub(parent:find('.',0,true), -1)
View gist:3e13267dcc9c4f0ded62
Near-stretch ideas
------------------
* I *quite* like how it's built, but it's too much *PowerDNS*-y, hacking on it is a pain (if you work on cheap virtuals like me) because of long build times and dependencies (I know, but try it yourself on the budget DigitalOcean droplet...), I'd say lose the legacy and make it really a standalone thing.
* The configuration is sometimes confusing, like if I set it up to listen on local interfaces, it happily does so but it silently drops all queries because the ACL allows localhost only (uhm, maybe it needs to say something in verbose mode or documentation update).
* The config format for IPv6 has a poor choice of ':' as a separator, it's not possible to forward to an IPv6 address on a custom port.
Far-stretch ideas
-----------------