
Comment Re:Friends don't let friends run factory firmware (Score 1) 52

I incidentally came up with a way to make remote compromise MUCH harder recently, but I don't know how to implement it in TCP. By default, emit replies to ssh/telnet/web requests with a TTL of 1, thus limiting all admin access to the local link.

Comment Friends don't let friends run factory firmware (Score 2) 52

The article recommends updating the firmware to the latest provided by the vendor - which is, quite often, no help. First, check to see if that latest firmware is corrected... But preferably - install better 3rd party firmware - like openwrt - designed by people that care about your security, reliability, and uptime.

Submission - DSLreports new bufferbloat test

mtaht writes: While I have long advocated using professional tools like netperf-wrapper's rrul test suite to diagnose and fix your bufferbloat issues, there has long been a need for a simpler web based test for it. Now dslreports has incorporated bufferbloat testing in their speedtest. What sort of bloat do slashdot readers experience? Give the test a shot at http://www.dslreports.com/speedtest

Has anyone here got around to applying fq_codel against their bloat?


Submission - Virgin Media censors talk of "bufferbloat" on their discussion forums

mtaht writes: Given that bufferbloat is now fixed by fq_codel and the sqm-scripts for anyone that cares to install openwrt and derivatives on their home routers (or use any random linux box for the job), AND standardization efforts for the relevant algorithms near completion in the IETF, I went and posted a short, helpful message about how to fix it on a bufferbloat-related thread on Virgin Media's cable modems... And they deleted the post, and banned my IP... for "advertising". I know I could post again via another IP, and try to get them to correct their mistake, but it is WAY more fun to try to annoy them into more publicly acknowledging their enormous bufferbloat problems and to release a schedule for their fixes. Naturally I figured the members of slashdot could help out Virgin and their customers understand their bufferbloat problems better. My explanations of how they can fix their bufferbloat are now here.

Submission - Gogo airline network blocks youtube.. when they could just fix their bufferbloat 1

mtaht writes: David Reed (best known for the e2e argument) rants at Gogo Inflight's interception of https and suggests that: "It is the wrong solution... there’s a technically better one. I use GoGo a lot. I’ve discovered that their system architecture suffers from “bufferbloat” (the same problem that caused Comcast to deploy Sandvine DPI gear to discover and attack bittorrent with “forged TCP” packet attacks, and jump-started the political net neutrality movement by outraging the Internet user community). Why does that matter? Well, if GoGo eliminated bufferbloat, streaming to the airplane would not break others’ connections, but would not work at all, with *no effort on Gogo’s part* other than fixing the bufferbloat problem. [The reason is simple — solutions to bufferbloat eliminate buffering *in the network*, thereby creating "fair" distribution of capacity among flows. That means that email and web surfing would get a larger share than streaming or big FTP's, and would not be disrupted by user attempts to stream YouTube or Netflix. At the same time, YouTube and Netflix connections would get their fair share, which is *not enough* to sustain video rates — though lower-quality video might be acceptable, if those services would recode their video to low-bitrate for this limited rate access]."

Submission - Help stamp out CVS and SVN in our lifetime

mtaht writes: ESR is collecting specifications and donations towards getting a new high end machine to be used for massive CVS and SVN repository conversions, after encountering problems with converting the whole of netbsd over to git.

What he's doing now sort of reminds me of holding a bake sale to build a bomber, but he's well on his way towards Xeon class or higher for the work.

What else can be done to speed up adoption of git and preserve all the computer history kept in source code repositories?


Comment netperf-wrapper from bufferbloat.net (Score 1) 294

Over at bufferbloat.net we have developed several pretty accurate bandwidth and latency measurement tests that work at speeds up to 40GigE. We wrap the popular "netperf" tool from linux-netdev with something that can aggregate and plot the results, called "netperf-wrapper". The most popular test in the suite is called "rrul", which stands for "Realtime Response Under Load", but there are many others in the suite. It has been used to extensively tune several fair queuing and aqm algorithms, notably "fq_codel", which is in cerowrt, openwrt, and many other 3rd party firmwares. It's been used to debug network hardware, wifi, cablemodems, and most recently during the 40GigE batch-bql patchset now entering the linux kernel.

Some examples of use to tune a smarter queue management system against modern day cable modems:

http://burntchrome.blogspot.co...
http://snapon.lab.bufferbloat....

There are also netperf-wrapper results for 40GigE, DSL, and wifi spread around the Internet. The intermediate format netperf-wrapper uses to store its results is JSON and parsable by anything, and I keep hoping someone will get around to writing a web interface for the datafiles...

Nothing else I've ever seen even comes close to netperf-wrapper for finding good, accurate, long term numbers and multiple forms of anomaly. Pretty much all the web based tests get increasingly inaccurate above 20Mbits. Single threaded TCP tests are bad also, as they generally result in someone defeating TCP congestion avoidance in pursuit of the best benchmark numbers. [2] Far more important to the debloaters is not the bandwidth attained but the latency induced while getting it. [1]

We maintain several public servers for netperf-wrapper, all connected via a gigE connection to the internet. Thus far we haven't overloaded them (nor advertised them widely), but if you want to give netperf-wrapper a try, and can't set up your own netperf server on the other side, feel free to ping us on the bloat mailing list for some addresses on various continents.

[1] A brief rant: Bandwidth != speed. Bandwidth is capacity/interval. Real perceived speed is obtained via low latency.

[2] I really hate that all the web network measurement tests don't simultaneously measure ping while running their uploads and downloads. IF ONLY those tests would do that, people would start to realize that there is a huge tradeoff between good latency and high bandwidth, and that they are doing their networks in by optimizing for bandwidth only. Networks engineered for speedtest's current test *suck* for voip and gaming. I'd like to petition them to at least report ping times under load to the 98th percentile.
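As an added example (not mtaht's or netperf-wrapper's own code), this script takes a JSON results file, splits the ping series into idle and under-load samples, and reports the 98th-percentile ping under load that the comment asks speed tests to publish; the JSON layout is a constructed simplification for the example, not netperf-wrapper's real schema.

```python
import json
import math

# Constructed sample in a simplified netperf-wrapper-like layout (an assumption
# for this example, not the tool's real schema): each series is a list of
# [seconds, value] samples; ping is in ms, download in Mbit/s.
SAMPLE_JSON = """{
  "results": {
    "Ping (ms) ICMP": [[0,12.1],[1,11.8],[2,12.3],[3,12.0],[4,11.9],
                       [5,85.2],[6,91.7],[7,140.4],[8,88.9],[9,96.3],
                       [10,102.8],[11,94.1],[12,89.5],[13,210.6],[14,92.2],
                       [15,12.2],[16,11.7],[17,12.0],[18,12.4],[19,11.9]],
    "TCP download": [[0,0.0],[1,0.0],[2,0.0],[3,0.0],[4,0.0],
                     [5,18.5],[6,19.2],[7,19.0],[8,18.8],[9,19.1],
                     [10,19.3],[11,18.9],[12,19.0],[13,19.2],[14,18.7],
                     [15,0.0],[16,0.0],[17,0.0],[18,0.0],[19,0.0]]
  }
}"""


def percentile(values, pct):
    """Nearest-rank percentile (pct in 0..100) of a non-empty sequence."""
    ordered = sorted(values)
    rank = max(1, math.ceil(pct / 100.0 * len(ordered)))
    return ordered[rank - 1]


def latency_under_load(doc, ping_key="Ping (ms) ICMP", load_key="TCP download"):
    """Report p50/p98 ping while idle and while the load series carries traffic."""
    ping = {t: v for t, v in doc["results"][ping_key]}
    load = {t: v for t, v in doc["results"][load_key]}
    # A ping sample is "under load" when the load series is non-zero at that time.
    loaded = [v for t, v in ping.items() if load.get(t, 0.0) > 0.0]
    idle = [v for t, v in ping.items() if load.get(t, 0.0) <= 0.0]
    if not loaded or not idle:
        raise ValueError("need both idle and loaded ping samples")
    active = [v for v in load.values() if v > 0.0]
    return {
        "idle_p50_ms": percentile(idle, 50),
        "idle_p98_ms": percentile(idle, 98),
        "load_p50_ms": percentile(loaded, 50),
        "load_p98_ms": percentile(loaded, 98),
        "induced_p98_ms": percentile(loaded, 98) - percentile(idle, 98),
        "mean_load_mbit": sum(active) / len(active),
    }


def analyze(text):
    """Parse a JSON results file and return the latency-under-load summary."""
    return latency_under_load(json.loads(text))
```

On the constructed sample the p98 ping climbs from 12.4 ms idle to 210.6 ms under an 18.97 Mbit/s download, which is the tradeoff the footnote describes and a bandwidth-only score would never show.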

Comment The home router market is an ongoing disaster (Score 5, Interesting) 228

It's not just simple backdoors like the dlink one that are a problem.

There is a systemic, complete and total disregard for basic tenets of security in nearly the entire home router/cpe market.

Start with crypto - no hwrng and a known "less than ideal" version of /dev/random to feed your "secure" wpa and ssh sessions.

Worse:

There is no privilege separation in most routers, which was ok when they were single function devices - BUT: not ok, when vulnerability via services like samba can be used to root most of the top 10 current home routers:

http://securityevaluators.com/content/case-studies/routers/soho_service_hacks.jsp

Once an attacker p0wns your home gateway they can change your dns to malicious sites, as dnschanger did:

http://www.dcwg.org/

or have it participate in botnets, or inflict further attacks on unsuspecting devices both inside and outside your firewall, or sniff your traffic - there is no security when your front door is left wide open.

What nearly every home router and cpe manufacturer is shipping is **rotware**, running 4-7 year old kernels with known CVEs, and 10 year old versions of critical services like dnsmasq. You'd think that new 802.11ac devices available for this Christmas might have some modern software on them, but just to pick out a recent example - the "new" netgear nighthawk router runs Linux 2.6.36.4 and dnsmasq 2.15, according to their R7000 gpl code drop -

http://kb.netgear.com/app/answers/detail/a_id/2649

Brand new hardware - 4+ and 10 year old software respectively.

It's unfair of me to pick on Netgear; every router I've looked at this Christmas season has some major issues.

Right now, the only current hope for decent security in home routers is in open, modern, and maintained firmware. And I wish the manufacturers (and ISPs, AND users, and governments) understood that, and there was (in particular) a sustainable model for continuous updates and upgrades as effective as android's in this market. I don't care if it came from taxation, isp fees, or built into the price of the device - would you willingly leave your networks' front door open if you understood the consequences?

Rotten routers with closed source code, and no maintenance, are a huge security risk, and they are holding back the ipv6 transition (and nearly all current models have bufferbloat, besides).

How can the dysfunctional edge of the Internet be fixed?

Comment Dedications help (Score 3, Interesting) 186

I lost two friends and my father this year. I dedicated this release of cerowrt ( http://cero2.bufferbloat.net/cerowrt/credits.html ) to them. Most of the machines we have are named after someone that has passed; for example, our main build box is named after John Huchra ( http://en.wikipedia.org/wiki/John_Huchra ). It helped a lot to channel them all as we struggled to get the releases out. And, surprisingly, making ice cream, with liquid nitrogen as the coolant, has got to be a healing ritual, around here.

Submission - Linux-3.3: Making a dent in bufferbloat?

mtaht writes: "Has anyone, besides those that worked on byte queue limits, and sfqred, had a chance to benchmark networking using these tools on the linux 3.3 kernel... in the real world? A dent, at least theoretically, seems to have been made in bufferbloat, and now that the new kernel and new iproute2 are out, it should be easy to apply in general (e.g. server/desktop) situations..."

Comment Re:Easy solution? (Score 1) 124

What Jim and the bufferbloat.net's group of volunteers have accomplished in a year - on nearly no money - boggles my mind.

Today's commentary on slashdot is a hundred times more clueful than it was last year - and a few days back Byte Queue Limits went into linux's net-next tree, which fixes much of the bloat problems that exist at the ethernet driver layer.

What has been discussed as 'Time in Queue' limits in the higher level schedulers is still awaiting a clean way to avoid layer violations. I've been too distracted by the BQL merge to pursue that next phase of fixes.

What we could have done this year with *some money* - nowhere near the amounts you describe above! - could have been amazing, and as for the next year, well, who knows? It is going to take many man-years worth of effort to make the internet responsive again.

And even with that said, to have harnessed the powers of hundreds first, now thousands, of talented minds, to help solve the bufferbloat problem - has been a far more effective - and wonderful! thing than all the money in the world.

Comment Re:Use a real DNS server (Score 3, Informative) 212

Nearly every Linux machine ships with named (bind9) available and often even turned on, in a caching-only configuration. To use it by default you just disable /etc/dhcp/dhclient's domain-name-servers request and point your resolv.conf to localhost. By doing this you get NXDOMAIN back, too... and your local cache of dns entries is likely to be more performant than an ISP's 10s of ms away for cached entries. You can also run dnssec, if you so choose. Latest versions of bind can do dnssec; you can enable it with one line in the conf file. Ever since multiple services started messing with DNS a decade ago... returning broken queries, pointing to ad sites, not doing ipv6, not returning mx records, etc... I've run my own dns server. Now that dns is being mis-used for censorship, perhaps more will rebel. As servers go, in memory it's rather small...

Comment Re:Buffer Bloat (Score 3, Interesting) 99

The original gatech study showed not only bufferbloat, but enormous variation of base latencies in the first mile for different brands of cable modem as well as for different kinds of DSL and wireless technologies.

Slides: http://www.caida.org/workshops/isma/1102/slides/aims1102_ssundaresan.pdf

Some commentary: http://gettys.wordpress.com/2011/02/17/caida-workshop/

I look forward to the followup!
