lost and found ( for me ? )

Capture data of Android 4.4.2 Nexus 7 ( DNS queries and TCP SYN packets )

Just a memo for myself.
Here are packet dumps from my Nexus 7 tablet connected to Wi-Fi.

[ DNS queries ]

The query does not include an EDNS0 option ( Additional RRs is 0, so there is no OPT record ).

Android 4.4.2 ( Nexus 7 )
Domain Name System (query)
   Transaction ID: 0x4602
   Flags: 0x0100 Standard query
       0... .... .... .... = Response: Message is a query
       .000 0... .... .... = Opcode: Standard query (0)
       .... ..0. .... .... = Truncated: Message is not truncated
       .... ...1 .... .... = Recursion desired: Do query recursively
       .... .... .0.. .... = Z: reserved (0)
       .... .... ...0 .... = Non-authenticated data: Unacceptable
   Questions: 1
   Answer RRs: 0
   Authority RRs: 0
   Additional RRs: 0
   Queries
       www.bing.com: type A, class IN
           Name: www.bing.com
           Type: A (Host address)
           Class: IN (0x0001)

[ TCP SYN packet ]

Android 4.4.2 ( Nexus 7 )
Window scaling and selective ACK are enabled. I didn’t know that.
   Options: (20 bytes), Maximum segment size, SACK permitted, Timestamps, No-Operation (NOP), Window scale
       Maximum segment size: 1460 bytes
           Kind: MSS size (2)
           Length: 4
           MSS Value: 1460
       TCP SACK Permitted Option: True
           Kind: SACK Permission (4)
           Length: 2
       Timestamps: TSval 532510, TSecr 0
           Kind: Timestamp (8)
           Length: 10
           Timestamp value: 532510
           Timestamp echo reply: 0
       No-Operation (NOP)
           Type: 1
               0... .... = Copy on fragmentation: No
               .00. .... = Class: Control (0)
               ...0 0001 = Number: No-Operation (NOP) (1)
       Window scale: 6 (multiply by 64)
           Kind: Window Scale (3)
           Length: 3
           Shift count: 6
           [Multiplier: 64]
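
The option list above, decoded from raw bytes, as an added example that is not part of the original capture notes. The byte string is reconstructed from the dissected values shown, and the order string at the end is the kind of feature passive OS fingerprinting keys on.

```python
import struct

# Constructed sample: the 20 option bytes rebuilt from the dissection above
# (MSS 1460, SACK permitted, TSval 532510 / TSecr 0, NOP, window scale 6).
NEXUS7_SYN_OPTIONS = bytes.fromhex(
    "020405b4" "0402" "080a0008201e00000000" "01" "030306")

NAMES = {2: "mss", 3: "wscale", 4: "sack_ok", 8: "ts"}

def parse_tcp_options(raw):
    """Walk the kind/length/value list; return (name, value) in wire order."""
    opts, i = [], 0
    while i < len(raw):
        kind = raw[i]
        if kind == 0:                      # End of Option List
            opts.append(("eol", None))
            break
        if kind == 1:                      # NOP: one byte, no length field
            opts.append(("nop", None))
            i += 1
            continue
        if i + 1 >= len(raw):
            raise ValueError("option header truncated at offset %d" % i)
        length = raw[i + 1]
        if length < 2 or i + length > len(raw):
            raise ValueError("bad length %d at offset %d" % (length, i))
        body = raw[i + 2:i + length]
        if kind == 2 and length == 4:
            value = struct.unpack("!H", body)[0]     # MSS in bytes
        elif kind == 3 and length == 3:
            value = body[0]                          # shift count
        elif kind == 4 and length == 2:
            value = True
        elif kind == 8 and length == 10:
            value = struct.unpack("!II", body)       # (TSval, TSecr)
        else:
            value = body                             # unknown: keep raw bytes
        opts.append((NAMES.get(kind, "kind%d" % kind), value))
        i += length
    return opts

def option_order(raw):
    """Option kinds in wire order, the part a passive fingerprint keys on."""
    return ",".join(name for name, _ in parse_tcp_options(raw))

if __name__ == "__main__":
    for name, value in parse_tcp_options(NEXUS7_SYN_OPTIONS):
        print(name, value)
    print(option_order(NEXUS7_SYN_OPTIONS))
```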

install netstress NG on ubuntu 12.04 32bit ( network stress tool )

about netstress NG
In short, netstress is a DoS testing tool.
It can generate SYN floods, UDP floods, HTTP floods, DNS floods, etc.

Please note that the netstress source code seems to be for a 32-bit OS.
In my case, I can’t build netstress on a 64-bit OS.

# tail -1 /etc/lsb-release ; uname -ri
DISTRIB_DESCRIPTION="Ubuntu 12.04.3 LTS"
3.8.0-34-generic i386

Install the ncurses packages, which are required to build netstress NG.
# apt-get install libncurses5 libncurses5-dev

build netstress
# tar xzvf netstress-3.0.7.tar.gz
# cd netstress-3.0.7/
# make menuconfig
# make
# sh compile_all.sh

# ./netstress.fullrandom --help

               Metin KAYA <kayameti@gmail.com> from EnderUNIX SDT [http://www.EnderUNIX.org]
                       NETSTRESS a.k.a SALDIRAY v3.0.7

               --saddr,     -s:  source address
               --sport,     -p:  source port
               --daddr,     -d:  destination address
               --dport,     -P:  destination port
               --file,      -f:  the full path for the file of dns server list for ampdns flood
               --attack,    -a:  type of attack (ack, syn, fin, udp, dns, ampdns, igmp, winbomb, win98,
                                 get, post, syncook, isssyn)
               --process,   -n:  number of processes
               --buffer,    -b:  size of UDP packet
               --dnsqname,  -N:  hostname which will be queried
               --dnsqtype,  -t:  type of dns query (a, ns, cname, soa, wks, ptr, hinfo, minfo, mx, txt)
               --useragent, -u:  user agent parameter for http get flood
               --help,      -h:  shows this message

let’s use netstress

DNS attack
# ./netstress.fullrandom -d 192.168.100.100 -P 53 -a dns -n 1 -t a

Capture data collected on the target server:
the tool sends random A queries from spoofed source IP addresses.
# tshark -r a.pcap -R '(udp.port==53)' | head -10
Running as user "root" and group "root". This could be dangerous.
 1 0.000000000 192.168.100.100 -> 139.230.11.100 DNS 149 Standard query response 0xaa17 No such name
 2 0.000013000 192.168.100.100 -> 39.65.243.34 DNS 148 Standard query response 0x7517 No such name
 3 0.000025000 192.168.100.100 -> 41.147.253.72 DNS 148 Standard query response 0xd317 No such name
 4 0.000037000 192.168.100.100 -> 25.247.251.34 DNS 149 Standard query response 0xaf17 No such name
 5 0.000045000 192.42.93.30 -> 192.168.100.100 DNS 151 Standard query response 0x2838 No such name
 6 0.000048000 192.35.51.30 -> 192.168.100.100 DNS 151 Standard query response 0xe243 No such name
 7 0.000050000  79.217.7.43 -> 192.168.100.100 DNS 76 Standard query 0xf517  A mk1330537033.net
 8 0.000053000 192.42.93.30 -> 192.168.100.100 DNS 152 Standard query response 0xda7e No such name
 9 0.000055000 192.42.93.30 -> 192.168.100.100 DNS 151 Standard query response 0xad4d No such name
10 0.000057000 221.158.6.41 -> 192.168.100.100 DNS 75 Standard query 0xa117  A mk619198569.net
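
A detection sketch over the tshark summary lines above, added here as an example and not part of the original post. It counts inbound queries and the target's NXDOMAIN replies and reports which flood heuristics fire. The heuristics and the min_queries threshold are illustrative assumptions, and the constant low byte (0x17) in the transaction IDs is only what the ten frames shown exhibit.

```python
import re
from collections import Counter

TARGET = "192.168.100.100"   # the -d address from the post

# Frames 1, 2, 5, 7 and 10 copied from the tshark output above.
SAMPLE = """\
 1 0.000000000 192.168.100.100 -> 139.230.11.100 DNS 149 Standard query response 0xaa17 No such name
 2 0.000013000 192.168.100.100 -> 39.65.243.34 DNS 148 Standard query response 0x7517 No such name
 5 0.000045000 192.42.93.30 -> 192.168.100.100 DNS 151 Standard query response 0x2838 No such name
 7 0.000050000  79.217.7.43 -> 192.168.100.100 DNS 76 Standard query 0xf517  A mk1330537033.net
10 0.000057000 221.158.6.41 -> 192.168.100.100 DNS 75 Standard query 0xa117  A mk619198569.net
"""

LINE = re.compile(
    r"^\s*\d+\s+[\d.]+\s+(?P<src>\S+) -> (?P<dst>\S+) DNS \d+ "
    r"Standard query (?P<resp>response )?(?P<txid>0x[0-9a-f]{4})\s+(?P<rest>.*)$")

def summarize(text, target=TARGET):
    """Count inbound queries and the target's NXDOMAIN replies."""
    s = {"queries": 0, "sources": set(), "qnames": set(),
         "txid_low": Counter(), "nx_out": 0, "nx_dsts": set()}
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        if m["resp"] is None and m["dst"] == target:
            s["queries"] += 1
            s["sources"].add(m["src"])
            s["qnames"].add(m["rest"].split()[-1].lower())
            s["txid_low"][int(m["txid"], 16) & 0xFF] += 1
        elif m["resp"] and m["src"] == target and "No such name" in m["rest"]:
            s["nx_out"] += 1
            s["nx_dsts"].add(m["dst"])
    return s

def flood_indicators(s, min_queries=2):
    """Return the names of the heuristics that fire for this summary."""
    hits = []
    q = s["queries"]
    if q < min_queries:
        return hits
    if len(s["sources"]) == q and len(s["qnames"]) == q:
        hits.append("every query has a new source and a new name")
    if max(s["txid_low"].values()) == q:
        hits.append("constant low byte in transaction ID")
    if s["nx_out"] and len(s["nx_dsts"]) == s["nx_out"]:
        hits.append("NXDOMAIN replies fan out to unrelated addresses")
    return hits

if __name__ == "__main__":
    print(flood_indicators(summarize(SAMPLE)))
```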

syn flood
# ./netstress.fullrandom -d 192.168.100.100 -P 80 -a syn -n 1

HTTP GET flood
# ./netstress.fullrandom -d 192.168.100.100 -P 80 -a get -n 1 -u test

Capture data
Hypertext Transfer Protocol
   GET /334049107 HTTP/1.1\r\n
       [Expert Info (Chat/Sequence): GET /334049107 HTTP/1.1\r\n]
           [Message: GET /334049107 HTTP/1.1\r\n]
           [Severity level: Chat]
           [Group: Sequence]
       Request Method: GET
       Request URI: /334049107
       Request Version: HTTP/1.1
   User-Agent: test\r\n
   Host: 127.0.0.1:80\r\n
   Connection: keep-alive\r\n
   \r\n
   [Full request URI: http://127.0.0.1:80/334049107]

Puppet Enterprise 3.1 part3: install puppet modules and apply modules to agent nodes.

Here are my trial-and-error logs from installing puppet modules and applying a module to agent nodes.


There is one master and one agent in my lab environment.
master: master.example.com
agent: agent01.example.com

Install puppet modules on the master ( not on agent nodes ).
There are two ways to get puppet modules:
download existing modules from Puppet Forge http://forge.puppetlabs.com/ or write them yourself.

[ download puppet modules from Puppet forge ]

Install the puppetlabs-motd module. This module displays the contents of the /etc/motd file.

To search for modules, issue “puppet module search <keyword>” on the master.
[root@master ~]# puppet module search motd
Notice: Searching https://forge.puppetlabs.com ...
NAME                      DESCRIPTION  AUTHOR            KEYWORDS
alkivi-motd               Controls motd file on unix sy...  @alkivi           motd    
attachmentgenie-motd      Puppet motd Mo...  @attachmentgenie  motd    
boogy-motd                Motd Mo...   @boogy            motd    
chris3-my_motd            Just my motd module, do not use...  @chris3                   
dhoppe-motd               MOTD Mo...   @dhoppe           motd    
gdsoperations-updatemotd  Manage update-motd(5) on Ubuntu sys...  @gdsoperations    motd    
jeffmccune-motd           Manages the message of the...  @jeffmccune       motd    
kreczko-motd              A simple module to demonstrate managing /etc/motd as a temp...  @kreczko                  
puppetlabs-motd           A simple module to demonstrate managing /etc/motd as a temp...  @puppetlabs               
rcoleman-motd             Manages the message of the...  @rcoleman                 
saz-motd                  UNK...       @saz              motd    
thias-cosmetic            Cosmetic changes mo...  @thias            motd  

search openstack-related puppet modules,
[root@master ~]# puppet module search openstack
Notice: Searching https://forge.puppetlabs.com ...
NAME                         DESCRIPTION  AUTHOR         KEYWORDS
davidcollom-raxmonitoragent  Rackspace Server Monitor...  @davidcollom   openstack
ekarlso-quantum              Puppet module for OpenStac...  @ekarlso       openstack
<snip>

Let’s install the puppetlabs-motd module.

On the master.
The motd module contains one class, “motd”.
[root@master ~]# puppet module install puppetlabs/motd
Notice: Preparing to install into /etc/puppetlabs/puppet/modules ...
Notice: Downloading from https://forge.puppetlabs.com ...
Notice: Installing -- do not interrupt ...
/etc/puppetlabs/puppet/modules
└── puppetlabs-motd (v1.0.1)
[root@master ~]#

[root@master ~]# ls /etc/puppetlabs/puppet/modules/motd/
files  manifests      Modulefile  spec     tests
lib    metadata.json  README  templates


[root@master ~]# cat /etc/puppetlabs/puppet/modules/motd/manifests/init.pp
# Class: motd
#
# This module manages the /etc/motd file using a template
#
# Parameters:
#
# Actions:
#
# Requires:
#
# Sample Usage:
#  include motd
#
# [Remember: No empty lines between comments and class definition]
class motd {
 if $kernel == "Linux" {
   file { '/etc/motd':
     ensure  => file,
     backup  => false,
     content => template("motd/motd.erb"),
   }
 }
}

add motd class

on the master,
PE console -> Classes -> add new classes

select motd class and click “add selected classes”

add class “motd” to the agent01.example.com

Nodes -> node name ( in this case, agent01 ) -> Edit

add class “motd” and click “Update”

trigger a puppet run on both master and agent01.
PE console -> Live management -> control puppet -> runonce ( select both master and agent01 ) -> Run
This will configure the nodes using the newly-assigned classes. Wait one or two minutes.

on the agent01, check syslog ( /var/log/messages )

nnn, error..
Dec  8 02:00:47 agent01 puppet-agent[1122]: Caught USR1; calling reload
Dec  8 02:00:53 agent01 puppet-agent[8721]: Could not retrieve catalog from remote server: Error 400 on SERVER: Failed to parse template motd/motd.erb:
Dec  8 02:00:53 agent01 puppet-agent[8721]:   Filepath: /opt/puppet/lib/ruby/site_ruby/1.9.1/puppet/parser/templatewrapper.rb
Dec  8 02:00:53 agent01 puppet-agent[8721]:   Line: 81
Dec  8 02:00:53 agent01 puppet-agent[8721]:   Detail: Could not find value for 'domain' at /etc/puppetlabs/puppet/modules/motd/templates/motd.erb:3
Dec  8 02:00:53 agent01 puppet-agent[8721]:  at /etc/puppetlabs/puppet/modules/motd/manifests/init.pp:20 on node agent01
Dec  8 02:00:54 agent01 puppet-agent[8721]: Using cached catalog
Dec  8 02:01:02 agent01 puppet-agent[8721]: Finished catalog run in 8.49 seconds

master’s syslog
Dec  8 02:05:02 master puppet-agent[1631]: Caught USR1; calling reload
Dec  8 02:05:05 master puppet-master[19808]: Could not retrieve fact fqdn
Dec  8 02:05:07 master puppet-master[19636]: Could not retrieve fact fqdn
Dec  8 02:05:07 master puppet-master[19808]: Host is missing hostname and/or domain: agent01
Dec  8 02:05:08 master puppet-master[19636]: Host is missing hostname and/or domain: master
Dec  8 02:05:09 master puppet-master[19808]: Variable access via 'operatingsystem' is deprecated. Use '@operatingsystem' instead. template[/etc/puppetlabs/puppet/modules/motd/templates/motd.erb]:1
Dec  8 02:05:09 master puppet-master[19808]:    (at /etc/puppetlabs/puppet/modules/motd/templates/motd.erb:1:in `block in result')
Dec  8 02:05:09 master puppet-master[19808]: Variable access via 'memoryfree' is deprecated. Use '@memoryfree' instead. template[/etc/puppetlabs/puppet/modules/motd/templates/motd.erb]:2
Dec  8 02:05:09 master puppet-master[19808]:    (at /etc/puppetlabs/puppet/modules/motd/templates/motd.erb:2:in `block in result')
Dec  8 02:05:09 master puppet-master[19808]: Failed to parse template motd/motd.erb:
Dec  8 02:05:09 master puppet-master[19808]:   Filepath: /opt/puppet/lib/ruby/site_ruby/1.9.1/puppet/parser/templatewrapper.rb
Dec  8 02:05:09 master puppet-master[19808]:   Line: 81
Dec  8 02:05:09 master puppet-master[19808]:   Detail: Could not find value for 'domain' at /etc/puppetlabs/puppet/modules/motd/templates/motd.erb:3
Dec  8 02:05:09 master puppet-master[19808]:  at /etc/puppetlabs/puppet/modules/motd/manifests/init.pp:20 on node agent01
Dec  8 02:05:09 master puppet-master[19808]: Failed to parse template motd/motd.erb:
Dec  8 02:05:09 master puppet-master[19808]:   Filepath: /opt/puppet/lib/ruby/site_ruby/1.9.1/puppet/parser/templatewrapper.rb
Dec  8 02:05:09 master puppet-master[19808]:   Line: 81
Dec  8 02:05:09 master puppet-master[19808]:   Detail: Could not find value for 'domain' at /etc/puppetlabs/puppet/modules/motd/templates/motd.erb:3
Dec  8 02:05:09 master puppet-master[19808]:  at /etc/puppetlabs/puppet/modules/motd/manifests/init.pp:20 on node agent01
Dec  8 02:05:09 master puppet-master[19808]: Failed to parse template motd/motd.erb:
Dec  8 02:05:09 master puppet-master[19808]:   Filepath: /opt/puppet/lib/ruby/site_ruby/1.9.1/puppet/parser/templatewrapper.rb
Dec  8 02:05:09 master puppet-master[19808]:   Line: 81
Dec  8 02:05:09 master puppet-master[19808]:   Detail: Could not find value for 'domain' at /etc/puppetlabs/puppet/modules/motd/templates/motd.erb:3
Dec  8 02:05:09 master puppet-master[19808]:  at /etc/puppetlabs/puppet/modules/motd/manifests/init.pp:20 on node agent01

Judging from the logs, the problem seems to be caused by the hostname or domain name configuration.

on the master
[root@master ~]# hostname
master.example.com
[root@master ~]# hostname --fqdn
master
[root@master ~]# hostname --domain
[root@master ~]# domainname
(none)
[root@master ~]# cat /etc/hosts
192.168.11.123 master master.example.com
192.168.11.124 agent01 agent01.example.com

127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
[root@master ~]#
[root@master ~]# cat /etc/sysconfig/network
NETWORKING=yes
HOSTNAME=master.example.com
[root@master ~]#
[root@master ~]# cat /etc/host.conf
multi on
[root@master ~]#

[root@master ~]# cat /etc/resolv.conf
nameserver 8.8.8.8
nameserver 8.8.4.4

[root@master ~]# cat /etc/puppetlabs/puppet/puppet.conf
[main]
   certname = master
   dns_alt_names = master,puppet
   vardir = /var/opt/lib/pe-puppet
   logdir = /var/log/pe-puppet
   rundir = /var/run/pe-puppet
   modulepath = /etc/puppetlabs/puppet/modules:/opt/puppet/share/puppet/modules
   server = master
   user  = pe-puppet
   group = pe-puppet
   archive_files = true
   archive_file_server = master

[master]
   certname = master
   ca_name = 'Puppet CA generated on master at 2013-12-05 01:59:42 +0900'
   reports = http,puppetdb
   reporturl = https://localhost:443/reports/upload
   node_terminus = exec
   external_nodes = /etc/puppetlabs/puppet-dashboard/external_node
   ssl_client_header = SSL_CLIENT_S_DN
   ssl_client_verify_header = SSL_CLIENT_VERIFY
   storeconfigs_backend = puppetdb
   storeconfigs = true

[agent]
   report = true
   classfile = $vardir/classes.txt
   localconfig = $vardir/localconfig
   graph = true
   pluginsync = true
   environment = production
[root@master ~]#

on the agent01
[root@agent01 ~]# hostname
agent01.example.com
[root@agent01 ~]# hostname --fqdn
agent01
[root@agent01 ~]# hostname --domain
[root@agent01 ~]#
[root@agent01 ~]# cat /etc/hosts
192.168.11.123 master master.example.com
192.168.11.124 agent01 agent01.example.com
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
[root@agent01 ~]#
[root@agent01 ~]# cat /etc/sysconfig/network
NETWORKING=yes
HOSTNAME=agent01.example.com
[root@agent01 ~]#
[root@agent01 ~]# cat /etc/host.conf
multi on
[root@agent01 ~]# domainname
(none)
[root@agent01 ~]#
[root@agent01 ~]#

[root@agent01 ~]# cat /etc/resolv.conf
nameserver 8.8.8.8
nameserver 8.8.4.4

[root@agent01 ~]# cat /etc/puppetlabs/puppet/puppet.conf
[main]
   certname = agent01
   vardir = /var/opt/lib/pe-puppet
   logdir = /var/log/pe-puppet
   rundir = /var/run/pe-puppet
   modulepath = /etc/puppetlabs/puppet/modules:/opt/puppet/share/puppet/modules
   server = master
   user  = pe-puppet
   group = pe-puppet
   archive_files = true
   archive_file_server = master

[agent]
   report = true
   classfile = $vardir/classes.txt
   localconfig = $vardir/localconfig
   graph = true
   pluginsync = true
   environment = production
[root@agent01 ~]#

Googling this error, the following post could help solve this..

edit /etc/resolv.conf on both the master and agent01.

on the master
[root@master ~]# cat /etc/resolv.conf
domain example.com  <- add this
nameserver 8.8.8.8
nameserver 8.8.4.4

on the agent01
[root@agent01 ~]# cat /etc/resolv.conf
domain example.com  <- add this
nameserver 8.8.8.8
nameserver 8.8.4.4
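
A small check that reproduces the failure and the fix from the files shown above, added here as an example and not taken from Puppet or Facter. The lookup order (canonical name from /etc/hosts first, then the domain/search line of resolv.conf) is an assumption modelled on what the post observed. The last case goes slightly beyond the post: listing the FQDN before the short name in /etc/hosts also yields a domain.

```python
# /etc/hosts as shown in the post (short name listed before the FQDN).
HOSTS = """\
192.168.11.123 master master.example.com
192.168.11.124 agent01 agent01.example.com
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
"""
RESOLV_BEFORE = "nameserver 8.8.8.8\nnameserver 8.8.4.4\n"
RESOLV_AFTER = "domain example.com\n" + RESOLV_BEFORE

def canonical_name(hosts_text, hostname):
    """First name on the hosts line that lists `hostname`.

    The resolver treats the first name after the address as canonical and
    the rest as aliases, which is why `hostname --fqdn` printed "master".
    """
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2 and hostname in fields[1:]:
            return fields[1]
    return None

def resolv_domain(resolv_text):
    """Domain from the last `domain` or `search` line, or None."""
    domain = None
    for line in resolv_text.splitlines():
        fields = line.split()
        if len(fields) >= 2 and fields[0] in ("domain", "search"):
            domain = fields[1]
    return domain

def domain_for(hosts_text, resolv_text, hostname):
    """Return (domain, where it came from) for this host."""
    fqdn = canonical_name(hosts_text, hostname) or hostname
    if "." in fqdn:
        return fqdn.split(".", 1)[1], "hosts"
    domain = resolv_domain(resolv_text)
    return (domain, "resolv.conf") if domain else (None, "missing")

if __name__ == "__main__":
    for resolv in (RESOLV_BEFORE, RESOLV_AFTER):
        print(domain_for(HOSTS, resolv, "master.example.com"))
    fixed_hosts = HOSTS.replace("master master.example.com",
                                "master.example.com master")
    print(domain_for(fixed_hosts, RESOLV_BEFORE, "master.example.com"))
```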

Do the following again:
trigger a puppet run on both master and agent01.
PE console -> Live management -> control puppet -> runonce ( select both master and agent01 ) -> Run

logs on the master
Dec 11 23:14:06 master puppet-agent[1714]: Caught USR1; calling reload
Dec 11 23:14:15 master puppet-master[1764]: Variable access via 'domain' is deprecated. Use '@domain' instead. template[/etc/puppetlabs/puppet/modules/motd/templates/motd.erb]:3
Dec 11 23:14:15 master puppet-master[1764]:    (at /etc/puppetlabs/puppet/modules/motd/templates/motd.erb:3:in `block in result')
Dec 11 23:14:15 master puppet-master[1764]: Compiled catalog for agent01 in environment production in 1.27 seconds
Dec 11 23:14:29 master puppet-master[1764]: Compiled catalog for master in environment production in 10.73 seconds
Dec 11 23:14:58 master puppet-agent[2872]: Finished catalog run in 18.58 secon


logs on the agent01
Dec 11 23:14:05 agent01 puppet-agent[1142]: Caught USR1; calling reload
Dec 11 23:14:16 agent01 puppet-agent[1462]: (/Stage[main]/Motd/File[/etc/motd]/content) content changed '{md5}d41d8cd98f00b204e9800998ecf8427e' to '{md5}02d261d753f3b3456738257139b5e469'
Dec 11 23:14:17 agent01 puppet-agent[1462]: Finished catalog run in 1.38 seconds

Events logs.
I was able to apply the motd class to the agent01 box.

on the agent node
You can see some messages in the /etc/motd file, because the motd class was applied to this agent.
[root@agent01 ~]# cat /etc/motd
The operating system is CentOS
The free memory is 322.03 MB
The domain is example.com

on the master, there are no messages in /etc/motd, because I have not applied the motd class to this box.
[root@master ~]# cat /etc/motd
[root@master ~]#