
Posts

IPTables Magic

A blog post after a long, long time. I will be trying to write up most of the crazy stuff done in the past 1.5 years at the sad server.

This post is going to cover a bunch of hacks done with iptables to improve, and make the most out of, the network performance of Linux systems.

IPTables Tee
We are building a packet analysis team that does deep inspection of packets, detects anomalies in the system, and identifies the slowest-performing component in the pipeline. Sending the raw packets to a centralized packet analysis system without affecting the performance of the production system is one of our requirements. We decided to use the iptables TEE target, which takes a copy of every packet matching the rule and passes it on to the requested gateway in the same network by just changing the MAC address on the cloned packet. The original packet follows the normal processing path.

So let's create a similar setup: my laptop is going to forward a copy of HTTP traffic to a Raspberry Pi in the same network. Make sure i…
Recent posts

Custom AdBlock

This is not something new I am writing today. The AdBlock Plus plugin for Chrome and other browsers blocks ad requests based on the request's domain name, URL pattern or some CSS pattern. The problem with this method is that Chrome has no intention of including plugin support on Android, and therefore ABP as it is won't work. They support a proxy method where all HTTP requests from the browser alone are routed via the proxy, and all ads are scrubbed by the proxy before the response is sent to the browser. But ads that are served over HTTPS, and ads in other apps, will not be blocked.
So I made a domain list from https://easylist-downloads.adblockplus.org/easylist.txt. The domain list is available at https://github.com/kalyanceg/adblock/blob/master/domains.
Note: This might have duplicates and false positives.
Now my thought was to return a SERVFAIL while the browser/app tries to resolve these domains. As I said, a bunch of people have written blogs about it, but they were using named as their DNS server. In named …

OAUTH and Javascript

I am surprised to see the careless implementation of OAUTH by almost all providers like Google and Facebook. I am pretty sure that I am not the only person who has noticed it. By this time there could be at least thousands of botnets which impersonate a regular site and spam users' walls, or build a social network graph as good as Facebook's. Probably there will be a separate Real Time Bidding auction run by the impersonators. In short, OAUTH+Javascript is like locking your door and leaving the key under your doormat.
Let's discuss the differences between the client-based OAUTH flow and the server-based OAUTH flow. As per Google's documentation, the server loads the page on the client (browser) with the app id (public name). On initiating OAUTH with Google's servers, the appid and redirection_uri are passed. The Google server calls the redirection_uri with a code. The app's server has to cross-check the code with the client_secret to get the access_token, which has the required…

Java Garbage Collection

This week we got plenty of out-of-heap-memory exceptions in Java. So I started looking at Java garbage collection, a revision of System Software Internals theory again. Java has its heap divided into a new generation and an old generation. Java's garbage collection tries to take advantage of the fact that new objects will be deleted sooner (objects tend to have a short lifetime). So Java's heap is divided into 1) Young Generation (smaller in size) and 2) Old Generation (the larger chunk).
Young Generation: The Young Generation is smaller in size. Traditional recursive garbage collection is faster if the region to be collected is smaller. New objects are created in the Eden part of the heap. The garbage collector runs frequently in this space and marks objects that are referenced. Objects that are not referenced are removed in the second pass, and the live objects are moved to the Survivor Space. The Survivor Space has two regions, Survivor 0 and Survivor 1, which use an algorithm similar to a Copying Garbage Collecto…

Rootconf Flash Talk

Here is my RootConf flash talk. Pretty much unprepared. Agreed, it has an artificial slang and it is technically incorrect in a few places (look out for "false negative").

Rootconf 2014 Review

Bad points to start with

Rootconf 2014 was filled with talks about Docker. The speech selectors should have reduced the number of talks about Docker, as most of them were very much redundant.

Then came the highlight of all: most of the talks compared their feature on traditional virtual machines, Docker and LXC. For God's sake, Docker and LXC are the same technology, with Docker being a wrapper around LXC. Docker allows remote creation of containers. I personally like Docker's aufs rootfs. Docker differs from LXC in principles: Docker's philosophy is isolation of processes as separate containers. So select either one based on the use case. If a system runs Docker it can run LXC; they aren't entirely different technologies.

Good take-away points are:

Infrastructure code has to be tested. The talk was about test-kitchen for Chef. On further exploring, Puppet land has beaker (https://github.com/puppetlabs/beaker/wiki), which allows us to test Puppet code. During a talk about HAProxy, I came…

C++ After a Long Time

We were facing a weird issue on our almost stable DNS infrastructure. We use PDNS servers and our custom backend to serve DNS requests. The PDNS server pipes the request to the custom backend; the backend reads from the pipe and puts the result back in the pipe, which is served back to the client by the server. This intro is not at all useful to the post, so please ignore it.
The problem started on Monday, when randomly our PDNS backend started using 100% CPU and the PDNS server started crashing. The backend was written in C++, and the debugging started. The backend had no debug mode to start with (!). So we attached strace to all backend processes. strace showed that a particularly crafted DNS request put the backend into an infinite loop. We couldn't get the whole request from strace, as it was bigger than the default 32 bytes, so we started strace with -s 5000 to capture 5000 bytes. Now the DNS request was found. The domain name was 312 bytes long. A full domain should not exceed 253 characters…