Hashemian Blog
Web, Finance, Technology, Running

November 6, 2016

HTTP to HTTPS Migration

by robert hashemian @ 10:26 pm
Filed under: google,internet,web — Tags:

A universally secure internet may have its defenders and detractors, but like it or not, Google is going to force site encryption (https) across the board.

First it was the SEO penalty threat, supposedly giving higher scores to secure sites, but that doesn't seem to have worked out great. I think Google recognized that just giving prominence to secure sites over plain ones might lead to low-quality sites stealing rankings from reputable ones simply by going encrypted. That would have meant poor search results pages, possibly alienating users and driving them to competitors such as Bing.

Now Google is coming at this from another angle, the Chrome browser, and this one may stick. As Chrome has the biggest browser market share, Google can shame non-encrypted sites right from the browser rather than jeopardizing the search engine money machine.

Beginning in January 2017 (Chrome 56), Chrome will print a timid 'Not secure' label next to the URL of a plain-http page that collects passwords or credit card numbers. But that is just the start. The plan is to extend the label to all plain-http pages and make it bolder and more colorful in future versions of Chrome. I suspect that at some future point Chrome may require users to click through warning messages to show a plain page, much like the cumbersome steps needed today to view a page served over https with a broken or invalid certificate.

The process of migrating a plain site to an encrypted site starts with obtaining a certificate for the site's domain names. This used to be an expensive proposition, but nowadays a basic domain-validated certificate can be had for free (from Let's Encrypt, for example). On the web server side there are three ways to migrate a site from plain to secure:

1- In-place migration of the web server application - Just about any web server on the market today can handle secure connections as well as plain ones. The process generally involves installing the certificate and its private key, making some configuration changes, and the site goes encrypted. Servers hosting multiple https domains on a single IP address, however, need SNI (Server Name Indication) support, because without it the server cannot tell which certificate to present when the TLS handshake begins; an upgrade may be required. For example, Microsoft's IIS below version 8 does not support SNI. And if you have users that are still on Windows XP, good luck: Internet Explorer on that platform does not send SNI at all, so it gets whatever certificate the server presents by default and shows a warning if the name does not match.

2- Using an https appliance - Here the web server infrastructure is left intact but is fronted by another server or service known as an https appliance or TLS (SSL) termination proxy. There are many such appliances on the market that are relatively easy to set up. There are also open source products such as nginx or HAProxy that require a bit more tech know-how. In both cases they are deployed by installing the corresponding domain certificates and exposing the appliance to internet traffic. Internally the appliance fetches the page from the actual web server over plain http and returns it to the user encrypted over https. Two things to watch: that internal http hop is unencrypted, so it belongs on a private network rather than the public internet, and the back-end server should trust the forwarded-protocol header (typically X-Forwarded-Proto) only when it comes from the appliance's address, otherwise any client could claim to be on https.

3- Using a CDN - This is similar to the 2nd method, except that the appliance is managed by another company, like CloudFlare (free), Akamai or Amazon CloudFront among others, in the cloud. The benefit is that little administration is required and in some cases, like CloudFlare, even the certificate is pre-handled. The downside is giving up a certain level of control and trust, which a business may not be comfortable with: the provider terminates TLS on the site's behalf, so it holds a certificate for your domain and sees all traffic in the clear, and unless the link from the CDN back to the origin is also encrypted, that leg travels over the public internet as plain http.
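For the second option above, here is what the "https appliance" configuration actually looks like when nginx is the terminator. This is an added example, not configuration from the original post: it renders an nginx site file with a plain-http server block that permanently redirects to https and an https block that terminates TLS and proxies to the existing plain-http server. The domain, the back-end address 10.0.0.5:8080 and the Let's Encrypt-style certificate paths are assumptions for illustration; the certificate must cover every name listed in server_name.

```shell
#!/bin/sh
# Added example, not from the original post: render an nginx "https appliance"
# configuration that terminates TLS in front of an existing plain-http server.
# Assumptions (illustrative only): nginx is the termination proxy, the origin
# listens on a private address, and the certificate lives in a Let's Encrypt
# style path.

render_tls_termination_conf() {
    domain="$1"      # e.g. example.com
    backend="$2"     # host:port of the plain-http origin, e.g. 10.0.0.5:8080
    cert="$3"        # full-chain PEM
    key="$4"         # private key PEM (keep it readable by root only)
    cat <<EOF
# Plain http: permanently redirect everything to https.
server {
    listen 80;
    server_name ${domain} www.${domain};
    return 301 https://${domain}\$request_uri;
}

# https front end: terminate TLS here, talk plain http to the origin.
server {
    listen 443 ssl http2;
    server_name ${domain} www.${domain};

    ssl_certificate     ${cert};
    ssl_certificate_key ${key};
    ssl_protocols       TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_session_cache   shared:SSL:10m;

    # HSTS: short max-age while testing; raise it once the site is stable.
    add_header Strict-Transport-Security "max-age=300" always;

    location / {
        proxy_pass http://${backend};
        proxy_set_header Host              \$host;
        proxy_set_header X-Real-IP         \$remote_addr;
        proxy_set_header X-Forwarded-For   \$proxy_add_x_forwarded_for;
        # Lets the origin build https links. The origin must accept this
        # header only from this proxy, never from arbitrary clients.
        proxy_set_header X-Forwarded-Proto https;
    }
}
EOF
}

# Usage: redirect the output into the nginx site directory, then reload nginx.
render_tls_termination_conf example.com 10.0.0.5:8080 \
    /etc/letsencrypt/live/example.com/fullchain.pem \
    /etc/letsencrypt/live/example.com/privkey.pem
```

The redirect block keeps old http links working while telling search engines the move is permanent; the HSTS header is deliberately short-lived at first, because a long max-age is hard to walk back if the https setup turns out to be broken.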

Going https is not a trivial task, especially for the less tech savvy. But at least there are a number of available migration choices, each with a number of product options. They have various degrees of convenience, efficiency, and precision, but eventually one must be chosen, as the https migration seems inevitable. Whichever route is taken, the old http URLs should answer with a permanent (301) redirect to their https equivalents, and hard-coded http:// links to scripts, stylesheets and images inside the pages must be updated, or browsers will block or flag them as mixed content. How would this site migrate to https? Remains to be seen.

September 25, 2016

Online Ad to Block Online Ad

by robert hashemian @ 9:33 pm
Filed under: web

An online ad on YouTube for an application to block online ads. Oh the irony 🙂

online ad for no online ad

April 29, 2016

The Great SYN Flood of China

by robert hashemian @ 9:55 pm
Filed under: hacking,web — Tags: ,

china-syn-flood

I wake up yesterday morning and, while still in bed, I get the dreaded site-down alert from Pingdom on my smartphone. When a web site goes down there are a number of simple preliminary steps one takes to pinpoint and fix the problem. Is the ISP having an outage? Are the modem and router up? Is the server up, and is the web service running?

The server was up but the web service was unresponsive. The quick and dirty steps are to restart the web service; no dice there. OK, reboot the server; still no good. It was time to drag myself over to my desk and log in to the Linux server to investigate further. Going through a bunch of diagnostic steps, this is what I saw:

syn_recv

The Flood of The SYN-tury

Those familiar with the TCP handshake know that session setup consists of a SYN packet from the client to the server, followed by a SYN-ACK packet from the server to the client, and finally an ACK from the client to the server, at which point the connection is established. When one sees reams of connections in the SYN_RECV state on the server, it is indicative of a possible attack in which a host, or a group of them, floods the server with the first SYN but either spoofs the source IP addresses (so the SYN-ACK goes to a machine that never answers) or simply snubs the server's SYN-ACK, saddling the server with half-open connections, each one occupying a slot in the listening socket's SYN backlog.

The server eventually cleans up the half-open connections (it retransmits the SYN-ACK a few times and then gives up), but if the zombie connections arrive faster than they expire, the backlog fills up and new connections are dropped; the server goes offline. This is known as a SYN flood attack and it leads to a condition known as DoS (Denial of Service) or, when the flood comes from many machines at once, the more dreaded DDoS (Distributed Denial of Service). Linux's standard defense is SYN cookies: once the backlog is full, the server encodes the connection state in the SYN-ACK's sequence number instead of storing it, so legitimate clients that complete the handshake still get through.

By now I was late for work, so I just blocked all traffic to the server and went to my day job. The server remained crippled all day (apologies to the users of my utilities) until I returned home and began the process of resolving the issue. I was hoping that by then the attackers had moved on to other targets, but no such luck.

The SYNs of China

I started opening up the permitted traffic little by little (by manipulating subnet rules in iptables), paying attention to the half-open connections. With every little opening I would see a flood of SYNs barging in, and I would block the IP addresses of some of the bigger offenders. This wasn't exactly helping and it was taking too long. There were just too many IP addresses.

Curious, I decided to look up some of these IP addresses on arin.net and, unbelievably, all of them had been assigned to China: hundreds of subnets consisting of thousands of Chinese IPs working diligently to knock my site offline. Now it is possible that the attack itself hadn't originated in China and the IPs were spoofed, but I would give that a very low probability.

Rescuing the SYN-king Server

It was time for drastic measures to save my web site, and that meant blocking China completely. I hate blocking traffic; it goes against the very spirit of the Internet, but at this point I had no option. Thankfully I was able to find a site (cited below) that had a list of IP addresses assigned to China. This is a big and dynamic list, and I imported the whole list into my firewall block rules, and with that hashemian.com was humming again. For good measure I also hardened the TCP/IP stack on my server a bit to better withstand SYN flood attacks (sources cited below).

As mentioned, it upsets me to have blocked so many addresses on my server and in doing so also taking up server resources. My site is insignificant, but if everyone blocked everyone else, imagine what this fragmented Internet would be like. At my day job I also see a lot of similar abuse coming from China. Other places such as Russia, Nigeria, and Estonia dish out their own abuses, but this sort of heavy-handed, fatal reconnaissance and attack is almost exclusive to China. Why was my site targeted? Was it some sort of a drive-by from a robot that got stuck and kept on hammering away?

I suppose I'll never know. But I know this won't be the end of it. Botnets and attackers are a lot more far-reaching than just China. They will be back with different attacks from different angles, but that's another day and another battle.

List of IP addresses assigned to China
http://www.okean.com/antispam/iptables/rc.firewall.china

Hardening TCP/IP
http://www.symantec.com/connect/articles/hardening-tcpip-stack-syn-attacks
https://www.ndchost.com/wiki/server-administration/hardening-tcpip-syn-flood

A little preview of TCP hardening on Linux (sysctl settings, e.g. in /etc/sysctl.conf, applied with sysctl -p):
# TCP SYN Flood Protection
# Once the SYN backlog is full, answer SYNs with a cookie instead of a backlog entry
net.ipv4.tcp_syncookies = 1
# Number of half-open connections the listening socket may hold
net.ipv4.tcp_max_syn_backlog = 2048
# Retransmit the SYN-ACK fewer times (default 5) so half-open entries expire sooner
net.ipv4.tcp_synack_retries = 3
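The two manual chores described in this post, spotting the biggest SYN_RECV offenders and turning a large list of networks into firewall rules, can be scripted. The following is an added example, not the post's own commands or the cited sites' scripts: one function counts half-open connections per remote address from `ss -tan` (or `netstat -tan`) output, and another renders a one-network-per-line list into ipset/iptables commands, which are printed for review rather than executed. The socket table and the network list embedded below are constructed sample data using documentation addresses; the set name "china" is an assumption.

```shell
#!/bin/sh
# Added example, not part of the original post: triage a suspected SYN flood
# on a Linux host and render a block list into ipset/iptables commands.
# The socket table and CIDR list below are constructed sample data.

# Count half-open connections per remote address. Reads a socket table on
# stdin (ss prints the state in column 1 as SYN-RECV, netstat in column 6 as
# SYN_RECV; both put the peer address:port in column 5) and prints
# "<count> <ip>" lines, biggest offenders first.
top_syn_recv_sources() {
    awk '$1 == "SYN-RECV" || $6 == "SYN_RECV" {
             peer = $5
             sub(/:[^:]*$/, "", peer)      # strip the remote port
             n[peer]++
         }
         END { for (ip in n) print n[ip], ip }' | sort -rn
}

# Turn a list of IPv4 networks (one per line on stdin) into ipset/iptables
# commands on stdout. Printing rather than executing lets you review the rule
# set before running it as root, and matching one hash:net set is far cheaper
# than thousands of individual iptables rules. Malformed lines are skipped.
render_block_rules() {
    set_name="${1:-blocklist}"
    printf 'ipset create %s hash:net -exist\n' "$set_name"
    grep -E '^[0-9]{1,3}(\.[0-9]{1,3}){3}(/([0-9]|[12][0-9]|3[0-2]))?$' |
        while read -r cidr; do
            printf 'ipset add %s %s -exist\n' "$set_name" "$cidr"
        done
    printf 'iptables -I INPUT -m set --match-set %s src -j DROP\n' "$set_name"
}

# Constructed sample of `ss -tan` output (RFC 5737 documentation addresses).
SAMPLE_SS_OUTPUT=$(cat <<'EOF'
State      Recv-Q Send-Q Local Address:Port   Peer Address:Port
SYN-RECV   0      0      192.0.2.10:80        203.0.113.7:41234
SYN-RECV   0      0      192.0.2.10:80        203.0.113.7:41235
SYN-RECV   0      0      192.0.2.10:80        203.0.113.7:41236
SYN-RECV   0      0      192.0.2.10:80        198.51.100.22:5123
SYN-RECV   0      0      192.0.2.10:80        198.51.100.22:5124
ESTAB      0      0      192.0.2.10:80        198.51.100.9:60000
SYN-RECV   0      0      192.0.2.10:443       203.0.113.200:300
EOF
)

# Constructed sample block list; the bad line shows the filter at work.
SAMPLE_CIDRS='203.0.113.0/24
not-a-network
198.51.100.0/24'

# On a live host: ss -tan | top_syn_recv_sources | head
printf '%s\n' "$SAMPLE_SS_OUTPUT" | top_syn_recv_sources
printf '%s\n' "$SAMPLE_CIDRS" | render_block_rules china
```

Blocking by ipset matters for a list of this size: a few thousand `-s x/y -j DROP` rules are walked one by one for every packet, while a hash:net set is a single lookup, so the block list stops costing the very resources it is meant to protect.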

October 31, 2015

Bob Ross, The Master of Painting

by robert hashemian @ 1:39 pm
Filed under: Uncategorized — Tags:

Life as a young man in college can be wild sometimes but one of my greatest memories of peace and tranquility was watching Bob Ross paint on the PBS program, The Joy of Painting.

I don't know how I got hooked, but I loved The Joy of Painting from the first time I saw it and even had my roommates watch along on the old crappy TV that was part of every college kid's furnishing.

Bob Ross was truly skilled, but what set him apart from the others was his soft demeanor, his unmistakable sincerity and his devotion to the art, which was mostly paintings of natural settings like mountains, oceans, meadows and the like.

Ross has been gone for 20 years, but his art and his lessons continue to impress the world, and I am so happy that someone decided to put many of his programs on YouTube. I have never been artistic and am very certain that I never will be. But watching one of his programs guarantees a magical and, dare I say, exciting time where blobs of paint are turned into a majestic masterpiece in a half hour.

Thankfully Bob Ross is now immortally on demand, continuing to inject a bit of peace and sanity into our chaotic and loud world. Happy little clouds to all.

September 24, 2015

Yahoo Mail Down Again

by robert hashemian @ 10:09 am
Filed under: business,email,web — Tags:

It is hard to say anything positive about Yahoo since Marissa Mayer took over the helm.

Useful services (e.g. Pipes) have either been eliminated or are just languishing (e.g. Mail). Today Yahoo Mail is down again. Alibaba's stake hasn't turned out to be the savior it was once deemed.

At this point the stakeholders are surely kicking themselves for not taking Microsoft's buyout offer back in 2008.

The future isn't looking too bright for this once thriving vanguard of the Web. Perhaps it is time for new leadership.

September 4, 2015

Greece in Turkey

by robert hashemian @ 12:14 pm
Filed under: Uncategorized — Tags: ,

On a recent trip to Turkey I was astounded to find amazing Greek ruins in the Pamukkale area. That area is famous for its lime-deposited white hills and travertines, but what I found even more interesting were the Greek ruins beyond the hills and the spring-heads.

We sometimes forget how vast the Greek empire was at one time and there are so many remnants of those ancient times outside of Greece. I immensely enjoyed walking among the ruins and getting up close to the architecture and the detailed stone work. At times I was the only person walking in sections of the ruins, just imagining what the place must have looked like in those ancient times.

 

pamukkale5

pamukkale4

pamukkale3

pamukkale2

Pamukkale, Turkey

 

 

July 26, 2015

Can Jet Beat Amazon?

by robert hashemian @ 4:18 pm
Filed under: business,web — Tags: ,

The idea behind Jet, a new online marketplace site, is simple. Borrowing from Costco's concept, Jet charges its clients an annual fee and in return ships products to customers with no mark-ups and in many cases with substantial savings over other shops, including Amazon.

Being a Costco fan, I like Jet's model. Add to that a good dash of dislike for Amazon and I may actually try Jet at some point. Seems like Jet is having some success getting its name out.

Jet's founder, Marc Lore, was the man behind diapers.com, a once successful ecommerce company that got crushed under the weight of Amazon, and finally what was left of it was assimilated by Amazon. Now Lore is back to take on Amazon again, only this time he's going after the entire retail side of the company. Amazon's CEO, Bezos, can't be too happy about this, but is he worried?

I doubt Bezos is losing much sleep and here's why. Amazon may be known for perfecting the online marketplace and for being uber-competitive but Amazon has become adept at thriving while swimming in failure. Which company can lose money for over 20 years and be handsomely rewarded for it? For the last quarter it reported a measly $90 million in profit and saw its market cap rocket up by $50 billion when stocks opened last Friday.

The point is that competing with Amazon is like competing with a bottomless pit for the bottom. Amazon crushes its competition by spending a nearly infinite amount of money, knowing that the stakeholders expect nothing but losses every year. When you are rewarded for losing money, it's not difficult to spend all the money in the world, and that's what Amazon does to stifle competition.

Of course Jet realizes this fact and it has dug in, preparing itself and its investors for years of losses as its competition with Amazon heats up. Will it find the same love and admiration from its backers and future shareholders? Doubtful, but I actually hope so. Not just because I dislike Amazon, but also because some day I'd like to start my own thriving business that is successful at losing money forever.

July 22, 2015

The Dawn of AWS Zombies

by robert hashemian @ 9:34 am
Filed under: hacking,internet — Tags: ,

One of the less enviable tasks in a techie's life is identifying bogus robot traffic on their networks. Robots suck up bandwidth without giving anything in return and in most cases try to brute-force their way into systems and steal information, and then assimilate their target hosts into new recruits in their army of zombie robots.

Identifying and neutralizing robots is hard enough, especially those hunting in packs causing DDoS headaches most of the time, but in the past there used to be time, resource and funding barriers which moderated these attacks. With cloud services those barriers seem to have all but vanished, and based on what I can see, AWS (Amazon Web Services) is one of the ugliest actors on the market. So how are AWS zombies created?

  • Hacker uses a stolen credit card to set up an account on AWS or hacks an existing AWS account.
  • Hacker spins up multiple virtual machines under this account. Or hacker breaks into a legitimate AWS virtual machine.
  • Hacker installs robot apps on one or more virtual machines and launches attacks.
  • Successful attacks bring more power to the hacker.
  • At some point AWS or the legitimate account holders notice high usages in processing, storage, and bandwidth and shut down the operation but by then the damage is done.

Could AWS be complicit in this type of activity? Perhaps not actively, but there is a passive element here as well. I'm sure they won't admit to it, but if a legit account is broken into and its cloud services are stolen, would AWS even care? They just blame the user for being careless and charge him for the usage. AWS may exercise more care in terms of blocking accounts with stolen credit cards because they may not be able to squeeze money out of those cases.

But even then, Amazon is so big with such vast resources that these cases may not even register as a blip on their radar. So the cycle of spawning AWS zombies will never cease and Amazon continues wasting our time, resources and bandwidth with impunity.

It may be overkill to completely block AWS, but if partial blocking becomes necessary, Amazon publishes a list of its public IP address ranges, also available in JSON format.

July 19, 2015

Remote Desktop Keyboard Malfunction Solution

by robert hashemian @ 2:58 pm
Filed under: microsoft — Tags:

I connect to the office often via Remote Desktop (RDP) from my Windows 7 machine at home. Most of the time this works fine but sometimes the keyboard goes insane when on the remote machine. A few keys work, some don't work at all, others cause strange behavior like closing windows or randomly opening new ones.

In the past only a reboot seemed to fix the problem, but today I learned that hitting the 'Windows' key while on the remote host resets the keyboard and all goes back to normal.

The credit goes to 'dshreve's answer on the Super User forum and of course Google for pointing me there. Wish I could upvote the answer but I don't have enough points there for that. Thanks for saving my sanity 🙂

June 27, 2015

Craigslist eBay Motors Car Scam

by robert hashemian @ 1:09 pm
Filed under: internet,web — Tags:

I'd been in the market for a used car when a too-good price on Craigslist caught my attention. I'd sold a street bike on Craigslist a few years ago and had a good experience, so I figured to go into this but with raised antennas.

An email later, the seller reveals a sob story about the car belonging to her dead husband and wanting to move on. The car's in great shape with all paperwork in order. Sounds plausible, so can I see the car? Seller replies the car is in some eBay garage across the country in lot number so and so.

No worries, she just needs my info and eBay will contact me about payment. The money will remain with eBay until I receive the car and I have 10 days to inspect it. If any issues, I can return it at no cost to me.

So I ask for the eBay page where the car is listed. Seller says she took it down because of the fees. But really, eBay will make all arrangements.

Yeah, sure man. Of course at this point the full-blown scam was obvious, but it should have been obvious at Craigslist. A quick Google search revealed that this unholy Craigslist-eBay bait and switch is in fact very popular and a few people, buyers and sellers alike, have been victimized.

So why this post? Just adding one more page to Google's search results to raise the warning volume slightly more.

Read this and stay vigilant. There's plenty more info on this. Just Google it.

Bitcoin: 1K9TzBvQ2oaEb4tX9t2vKDtZouMcpfV6QF
© 2001-2017 Robert Hashemian   Powered by Hashemian.com