22 May 2017

Troubleshooting network performance issues

Lately, I've come across network performance issues in some data centers, which is usually a headache for network engineers: when the bandwidth is enough but the throughput you get isn't what you expected, something is wrong. This is when solid networking knowledge is needed for the troubleshooting process, and concepts like checksum, Frame Check Sequence (FCS) or overruns are required to analyse network performance issues and fix them.

Obviously, we can also have performance issues due to the fact that applications and services aren't configured properly or they've had a poor development process but I would like to highlight in this post what we can check with regard to networking.

We should look at the network interfaces and check the following attributes:
  • Errors: This is the first thing we should look for, because it counts when there are CRC errors (checksum mismatch) or frames that are too short or too long.
  • Dropped: It counts when the interface receives frames with unintended VLAN tags or IPv6 frames while it isn't configured for IPv6.
  • Overruns: This is another important attribute to look for, because it counts when the FIFO buffer gets full and the kernel isn't able to empty it. For example, if the network interface has a buffer of X bytes and it fills up and overflows before the buffer can be emptied, then we have overruns.
  • Frame: It counts only when there are misaligned frames, that is, frames whose length in bits is not divisible by 8. Such a length isn't a valid frame and it is discarded. In other words, frames that don't end on a byte boundary fail.
  • Carrier: It counts when there is a loss of link pulse. It can sometimes be reproduced by unplugging and reconnecting the Ethernet cable. Therefore, if this counter is high, the link is flapping (up and down), the Ethernet chip is having issues, or the device at the other end of the cable is having issues.
  • Collisions: This is another typical issue when we can't reach a good performance. Collisions may count when an interface is running as half duplex and the other end is running as full duplex. The half duplex interface detects TX and RX packets at the same time and terminates its transmission. As a result, there are collisions, a duplex mismatch, and we get very bad throughput. It is important to remember that switched environments always operate as full duplex and collision detection is disabled by default.
Next, we can see a duplex mismatch lab where Fa 0/1 of ASW1 is working as full duplex and it has FCS-Errors, which means “Frames with valid size with Frame Check Sequence (FCS) errors but no framing errors”. Consequently, throughput between PC1 and SRV1 is very poor.

And we can also see that Fa 0/1 of CSW1 is working as half duplex and it has Late-Collision, which means “Number of times that a collision is detected on a particular port late in the transmission process”. This is a big clue that we have a duplex mismatch, which should be fixed to get good network performance.

This post is getting too long, I'm sorry, but I would also like to leave some Linux commands for troubleshooting network performance, like ethtool -S eth0, netstat -s and netstat -i:
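As an added example (not from the original post), the helper below reads the same six counters that ifconfig and netstat -i print (errors, dropped, overruns, frame, carrier, collisions) straight from the kernel's sysfs statistics, together with the link's duplex setting, and returns a non-zero status when anything needs a closer look. The sysfs root is a parameter, an assumption made here so the function can be run against a copied or constructed tree as well as the live /sys/class/net.

```shell
#!/bin/sh
# Map of the attribute names used in the post to the kernel statistics
# files behind them (this is what net-tools reads for ifconfig output).
IFACE_COUNTERS="errors:rx_errors dropped:rx_dropped overruns:rx_fifo_errors \
frame:rx_frame_errors carrier:tx_carrier_errors collisions:collisions"

# check_iface IFNAME [SYSFS_ROOT]
# Prints one "name=value" line per counter plus the duplex setting.
# Returns 0 when every counter is zero and the link is full duplex,
# 1 when any counter is non-zero or the interface reports half duplex,
# 2 when the interface does not exist under SYSFS_ROOT.
check_iface() {
    ifname=$1
    root=${2:-/sys/class/net}
    dir="$root/$ifname"
    [ -d "$dir/statistics" ] || { echo "$ifname: no such interface" >&2; return 2; }
    status=0
    for pair in $IFACE_COUNTERS; do
        name=${pair%%:*}
        file=${pair#*:}
        # A driver may not expose every counter; treat a missing file as 0.
        value=$(cat "$dir/statistics/$file" 2>/dev/null || echo 0)
        echo "$name=$value"
        # Any non-zero value is worth investigating: errors/frame/carrier
        # point at the physical layer, overruns at the host not keeping up.
        [ "$value" -eq 0 ] || status=1
    done
    # Duplex lives on the interface itself; reading it fails (EINVAL) when
    # there is no link, so report "unknown" in that case.
    duplex=$(cat "$dir/duplex" 2>/dev/null || echo unknown)
    echo "duplex=$duplex"
    # Half duplex on a switched link is the mismatch described in the post.
    [ "$duplex" = "half" ] && status=1
    return $status
}

# Example invocation on a live system: check_iface eth0
```

Run it once, wait a few seconds and run it again: counters that are still climbing point at a live problem, static ones at something that happened earlier.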

Regards my friends and remember, sometimes we have to go down to the physical layer to fix network performance issues.

15 May 2017

Just another cyberattack

Today, I was thinking of writing about the errors, overruns, collisions, etc. that we can have on network interfaces, which are a mess for network engineers and, most of the time, are difficult to resolve without a good troubleshooting process. However, this weekend has been a little bit interesting because we have seen how big companies like Telefonica, and many others, have been hit by ransomware and it has been all over the media. Therefore, I must write about this issue.

First, I think it has been another spam and malware campaign, just another one, but this time many Spanish companies have been affected, some of which are listed on the IBEX35 stock index, and this is the reason why the media has been talking about cyberattacks. However, it's a pity that big companies like Telefonica hadn't applied the patch in time. Maybe they didn't have enough time to test the patch MS17-010 published by Microsoft and preferred to take the risk of being infected. Unfortunately, this time, their internal desktops were compromised.

We are always saying that small companies don't have enough resources to fight against cyberattacks, but we can also see that big companies, with lots of resources, have the same issues, only on a larger scale.

Meanwhile, we have seen that the shares didn't lose anything, which means investors don't care about this kind of news.

Telefonica shares
There are many Microsoft products affected in these cyberattacks, like IE10, IE11, Edge, Microsoft .NET Framework, Adobe Flash Player, etc., and most of them are installed by default in most Microsoft Windows operating systems.

Due to the high risk of these vulnerabilities, if you don't want to be infected by HydraCrypter, which is a variant of WannaCry, you should apply the following measures in your organization:
  • Limit user access to the Internet and mail while you are applying patches and upgrading systems.
  • Upgrade the signatures of your security systems like AntiSpam, IDS/IPS and Antivirus.
  • Apply security policies to Internet access with IPS and Antivirus profiles.
  • Install security monitoring sensors to analyse traffic in the wild.
  • Apply the patches published by Microsoft to desktops and servers.
  • Make sure you have backups.
More specific recommendations could be:
  • Block execution of files with the .WNCRY extension via GPO.
  • Isolate UDP 137/138 and TCP 139/445 communication inside the network.
  • Disable macros and scripts in received mail. We can use Office Viewer instead of Microsoft Office to open attachments.
If we have done our homework, we shouldn't be worried about this ransomware anymore. Why? Because most security systems have already published signatures to detect and block this malware, for instance Fortinet or OTX from AlienVault.

WannaCry Indicators from OTX
Many people are wondering why last Friday was the day when these vulnerabilities were exploited massively. Maybe because last Friday was when WikiLeaks published “After Midnight” and “Assassin”, two CIA malware frameworks for the Microsoft platform, and maybe the attackers have taken advantage of these frameworks to develop this new malware.

Two CIA malware frameworks

Regards my friends, pay attention, protect your assets and keep calm!!

More info: