04/23/2012

Stingray Traffic Manager Version 8.1r1 released

We are pleased to announce the release of Stingray Traffic Manager v8.1r1, which is now available via customers’ download pages and for evaluation. All customers are recommended to upgrade to this version to take advantage of the security and availability enhancements in this release. Enhancements in 8.1r1 include:

 

Security and Availability:

This 8.1r1 release is fully up-to-date with currently available security enhancements for Stingray, and upgrade is recommended

Improved cluster monitoring and fault recovery allows additional failure modes to be detected and managed automatically

Support for an additional switch to control endpoint persistence of UDP traffic, which gives better performance and availability for DNS

 

Virtual Appliance:

The Stingray Traffic Manager virtual appliance now has an upgraded 2.6.24-31.100 kernel, which includes recommended enhancements for security and availability

 

Usability:

This release includes improvements to the user interface to improve usability particularly for complex configurations, which resolves problems such as an unresponsive license management page 

 

Developer License:

Developer licenses are available at no cost, and provide access to a full-featured Stingray Traffic Manager, with certain limitations on performance and use, by completing the online developer license form.

 

For a complete list of all changes, please read the release notes on the Stingray documentation pages.

 

Contacting support

Please contact support on support@riverbed.com.

Upgrading

Customers with valid maintenance and support contracts will be able to download this release from their customer page. See the relevant instructions for upgrading your Riverbed Stingray or Zeus installation.

 

The documentation for Stingray Traffic Manager 8.1r1 is unchanged from 8.1, and may be found here.

 

Kind regards,

Riverbed Technology

 

Posted at 02:29 PM in Installation | | Comments (0)

Technorati Tags: , ,

|

04/11/2012

Stingray Traffic Manager Version 8.1 released

Stingray Traffic Manager released on Monday January 23, 2012 via customers’ download pages and is available for evaluation.

Stingray Traffic Manager 8.1 is an important revision of the Stingray product family, containing a number of performance and functionality enhancements and bug fixes. Customers are recommended to upgrade to this version to take advantage of the changes. For more details of the changes, take a look at the Release Notes.

Major Features in 8.1

SNMPv2c

Support for SNMPv2c bulk requests and 64-bit counters has been added. The SNMPv1 solution of splitting 64-bit counters into two 32-bit counters is still available for backward compatibility with v1 clients. An SMIv2-compatible MIB has been added for use by SNMPv2c and SNMPv3 clients. The previous MIB is still supported for backward compatibility. SNMPv2c Notifications can be emitted in addition to SNMPv1 Traps.

SNMPv3

A single SNMPv3 user can now be configured to allow authenticated and encrypted requests and responses to be sent. For authentication, MD5 and SHA-1 are supported; DES-CBC is used as the symmetric cipher for encryption and decryption.

Integration with Cloud Steelhead Discovery Agent on EC2 and ESX

Stingray v8.1 includes the Cloud Steelhead discovery agent software, making it easy to apply Steelhead WAN optimisation to services delivered from cloud and virtual platforms.

Support for the Riverbed Services Platform (RSP)

Stingray Virtual Appliance is fully supported on VMware, Xen and Oracle platforms, and now also Steelhead RSP.

Other changes in 8.1

For the full list of changes in 8.1, please refer to the Release Notes.

Contacting support

Please contact support on support@riverbed.com.

Upgrading

Customers with valid maintenance and support contracts will be able to download this release from their customer page. See the relevant instructions for upgrading your Riverbed Stingray or Zeus installation.

Documentation

The documentation for Stingray Traffic Manager 8.1 may be found here.

Updated 11th April 2012 to change link to release notes

 

Posted at 12:46 PM in Installation | | Comments (0) | TrackBack (0)

Technorati Tags: , ,

|

10/26/2011

Stingray Traffic Manager Version 8.0 released

Stingray Traffic Manager was released on October 24, 2011 via customers’ download pages and is available for evaluation.

Stingray Traffic Manager 8.0 is a major revision of the Stingray product family, containing a number of performance and functionality enhancements and bug fixes. 

Customers are recommended to upgrade to this version to take advantage of the changes. For more details of the changes, take a look at the Release Notes.

 

Major Features in 8.0

  • Branding Refresh

In July 2011 Zeus Technology was acquired by Riverbed Technology. This release features branding changes and a UI and documentation refresh that brings the product family into line with other Riverbed offerings.

Primary changes to note include:

  • Change of product name from Zeus Traffic Manager to Stingray Traffic Manager.  Similarly the Application Firewall Module is now the Stingray Application Firewall.
  • Administration server (Web User Interface) design refresh.
  • Updated EULA and copyright information.
  • Application Firewall Integration

Version 4.1 of the Stingray Application Firewall (formerly Zeus Application Firewall Module, or "AFM") is now available for use with the traffic manager software.   The Application Firewall is now built into the Traffic Manager distribution and, if licensed, can be installed and enabled without uploading a separate package.

IMPORTANT: Existing users of the Zeus Application Firewall Module will require an updated traffic manager license to use the Application Firewall with version 8.0 onwards.  Please contact your support provider to obtain a new license.  This must be done before upgrading, as the Stingray Application Firewall will not function without a new licence key. When upgrading from a previous version of the traffic manager with the Application Firewall installed it is recommended that the updated license be installed before the upgrade is attempted.

Access to the Application Firewall administration interface is no longer separate from the Traffic Manager administration interface. Traffic manager users can now access the Application Firewall administration interface by clicking on the "Application Firewall" link on the toolbar.
Customers who use a variety of groups for their ZTM and AFM admin users should read the section on User Management on p. 93 of the Stingray User Manual before upgrading, to understand how Single Sign On will affect them.

 

Other changes in 8.0

For the full list of changes in 8.0, please refer to the Release Notes.

Contacting support

Please continue to use the support@zeus.com address to contact support until 1st November 2011. Thereafter, please use support@riverbed.com.

Upgrading

Customers with valid maintenance and support contracts will be able to download this release from their customer page. See the relevant instructions for upgrading your Zeus software or appliance.

Documentation

The documentation for Stingray Traffic Manager 8.0 may be found here.

Posted at 04:30 AM in Customers | | Comments (0) | TrackBack (0)

Technorati Tags: , , ,

|

10/14/2011

How does Zeus' clustering and fault tolerance work?

This article provides an introduction to the clustering and fault tolerance mechanisms used by Zeus Traffic Manager. It describes:

  • Clusters and configuration sharing
  • Data synchronization between cluster members
  • Health Checks
  • Traffic Sharing across the cluster:
    • Traffic distribution
    • Single-Hosted Traffic IPs
    • Multi-Hosted Traffic IPs
    • EC2 Traffic IP Groups

The Zeus architecture is highly distributed, with no master cluster member and hence no single point of failure. This improves reliability and reduces intra-cluster traffic.

Clusters and Configuration Sharing

A Zeus cluster is a group of Traffic Managers, possibly globally distributed, that acts as a single configurable unit. There is no hard limit on the size of a cluster, but issues of latency impose a limit of several tens of devices.

Traffic managers in a cluster share configuration automatically. If you make a configuration change on one device (using the UI, API or CLI), it is automatically replicated out to the other machines in the cluster, and if you use the UI on one device to view status or diagnostics, it aggregates all of the information from all machines in the cluster (the API and CLI just gathers the local data - how to aggregate data using the API).

Synchronization between cluster members

In order to maximize reliability and performance, as little data as possible is synchronized across the cluster:

  • Session Persistence Information: Where possible, session persistence information is stored in a client-side cookie, but this is not possible in some cases. Session data for methods such as IP-based and SSL session-id persistence is automatically replicated across the cluster so that if a client connection 'flips' to a second traffic manager, that traffic manager is aware of the back-end server the client's request should be routed to.
  • Bandwidth Data: Bandwidth management classes which are configured to be effective on a 'cluster-wide' basis will share data periodically across all of the cluster members to ensure that each member takes a fair share of the total bandwidth allocation.

There is no cluster 'master' - the Zeus design allows all cluster members to operate as peers. This avoids a single point-of-failure with a complex re-election process, and avoids any bottlenecks in configuration or state sharing.

Health Checks

The devices in the cluster frequently broadcast health heatbeats, and monitor each other for these heartbeat messages. The devices also run internal tests (network connectivity and software watchdogs) and will voluntarily declare themselves as 'failed' if any of these tests are unsuccessful.

Consequently, each device in the cluster knows which of its peers are working and which have failed, and all the working members of the cluster quickly settle on a common, shared consensus of health. You can regard this as another item of shared state, though one that is converged on rather than explicitly synchronized.

Traffic Sharing across the cluster

Incoming traffic is directed to one or more Traffic IP addresses (generally, the DNS resolves to the traffic IP address); these IP addresses ‘float’ across the cluster and the cluster ensures that they are always available. Traffic IP addresses are not permanent IP addresses; rather they are raised by one or more traffic managers according to the configuration and health of the devices in the cluster.

Configuration is achieved using ‘Traffic IP Groups’ – a set of IP addresses that are managed by a nominated set of devices in the cluster. Provided that at least one of the devices is running (healthy), the traffic IP addresses will be up and ready to accept incoming traffic.

Traffic Distribution

Traffic IP Groups work in one of three different ways - Single-Hosted Traffic IP groups, Multi-Hosted Traffic IP groups and Amazon EC2 Traffic IP groups.

Single Hosted Traffic IP groups

Each IP address in the group is raised on one of the traffic managers that is responsible for that group.

If there are many IP addresses in the group, they are distributed evenly across the traffic managers. If one traffic manager fails, then the remaining traffic managers in the group will raise the IP addresses that were dropped, seeking to ensure that they are evenly distributed so that no traffic manager takes more than its fair share of IP addresses. When traffic IP addresses are raised, the traffic managers explicitly transmit several ARPs to tell the upstream router that the IP has moved.

This method is simple, but the traffic is not always shared evenly across the traffic managers. If incoming traffic is only directed to one IP address, only one traffic manager will be busy; you need to use round-robin DNS to direct traffic to multiple IP addresses, or run several services with different IP addresses.

The method is described in more detail in the following description of fault tolerance.

Multi-Hosted Traffic IP groups

Each IP address is raised on all of the traffic managers that are responsible for that group.

Each traffic manager ARPs the IP addresses with the same multicast MAC address. This means that upstream switches and routers will send all of the incoming traffic for that IP address to all of the traffic managers in the group.

The traffic managers filter incoming traffic (using a kernel module that hashes IP data) and ignore traffic that does not match the local filter. For example, if there are four traffic managers in the traffic IP group, each traffic manager will handle 1/4 of the traffic and ignore the remaining 3/4. Consequently, TCP and UDP traffic is evenly distributed and all connections and datagrams are accounted for by precisely one traffic manager.

If one of the traffic managers fails, then its portion of the traffic is shared evenly between the remaining traffic managers in the group. In every situation:

  • The hash space is always balanced perfectly equally between the running traffic managers

  • When a traffic manager fails or recovers, the only part of the hash space that is redistributed is the portion relating to that traffic manager (i.e. it’s not necessary to move any of the hash space between running traffic managers to rebalance)

  • The distribution method is fully deterministic and only depends on the instantaneous state of the cluster – there is no shared state and no cluster master, making the algorithm more reliable

The only ‘synchronization’ is the shared view of the health of the cluster, and traffic distribution is guaranteed to be statistically even across the cluster members of the traffic IP group. The method for distribution is described in more detail in the following document.

Amazon EC2 Traffic IP groups

EC2 Elastic IP addresses are mapped to a running Zeus Traffic Manager that is a member of the Traffic IP group.

Elastic IP addresses are permanent, publicly-routable IP addresses that are associated with an Amazon account. The Zeus Traffic Manager cluster takes control of nominated elastic IP addresses and maps them to a traffic manager. The net result is very similar to the Single-Hosted Traffic IP group approach described above, with the additional limitation (imposed by EC2) that you cannot map multiple elastic IP addresses to a single traffic manager.

Consequently, the number of Elastic IP addresses in a group must not exceed the number of active traffic managers responsible for that group. If there are no sufficient traffic managers, then one or more of the elastic IP addresses will not be mapped to a running instance.

Controlling traffic distribution

Traffic IP groups give you a lot of flexibility to control how traffic is distributed. You can assign IP addresses to a subset of your traffic managers, and within a group you can nominate traffic managers to be ‘passive’; i.e. they are not used in that group unless one of the active traffic managers has failed. Traffic IP groups can overlap, i.e. a traffic manager can be a part of several groups. This flexibility gives you more control over how traffic is distributed in various scenarios and for various protocol/IP addresses.

The User Manual should be your next source for more detailed information on selecting and configuring traffic IP groups.

Posted at 05:23 AM | | Comments (0)

Technorati Tags: , ,

|

09/06/2011

Using Splunk to analyse Zeus Traffic Manager data

 

Splunk (http://www.splunk.com) is a popular tool for monitoring and analysing data. This article covers how to read your ZTM's SNMP and Historical Activity data with Splunk.

Requirements

  • Knowledge of Splunk, including a basic understanding of its configuration files (in particular inputs.conf, transforms.conf and props.conf)
  • Access to Splunk's host machine
  • Knowledge of SNMP, including basic understanding of OIDs
  • Access to your traffic manager's admin server

The following has been tested on Splunk 4.2.3 and Zeus Traffic Manager 7.4 using a Linux operating system. Unless otherwise stated, all steps are to be completed on Splunk's host machine.

Step 1: Installing net-snmp

The net-snmp project (http://www.net-snmp.org) provides a set of applications that can retrieve SNMP data and notifications. You will need a number of these applications for this guide. If you are unsure as to whether or not net-snmp is installed, open a terminal and type:

  1. snmpget -V

If you see text similar to "NET-SNMP version: 5.4.3" then it is installed and you are ready to proceed. If not, you can download it from http://www.net-snmp.org/download.html.

Step 2: Configuring net-snmp

We need to provide a Management information base (MIB) so that net-snmp can parse data from the traffic manager. The traffic manager provides a MIB file which you can download from the admin server at System > SNMP > View SNMP MIB. The easiest way to install this file is to put it in /usr/share/snmp/mibs. You must also add the following line to /etc/snmp/snmp.conf:

  1. mibs +ZXTM-MIB

To test if this has worked, run the following command:

  1. snmptranslate -On ZXTM-MIB::totalRequests

If it outputs ".1.3.6.1.4.1.7146.1.2.1.127" then everything is working and you can proceed to the next step. If you get any error messages then you might be missing other MIB files. The following table lists possible error messages and their corresponding missing MIB. Put the file in /usr/share/snmp/mibs to fix the problem.

Error message Missing file
Cannot adopt OID in ZXTM-MIB: zxtmtraps# ::= { zxtmtraps 0 } SNMPv2-SMI
Did not find 'DisplayString' in module #-1 (/usr/share/snmp/mibs/ZXTM-MIB) RFC1213-MIB
Cannot find module (INET-ADDRESS-MIB): At line 16 in /usr/share/snmp/mibs/ZXTM-MIB INET-ADDRESS-MIB

Step 3: Reading SNMP Traps

There are two types of SNMP data that you are going to send to Splunk. The first is an SNMP Trap. Splunk provides documentation for fetching this data, however the following amendments must be made for it to work:

1. Add the following option when calling snmptrapd. This will format snmptrapd's output into something that is easier to interpret.

  1. -F "%#t %q%#v\n"

NOTE: This also removes some information that snmptrapd logs by default. For a full list of possible format strings run man snmptrapd. Changes to this option might require reworking some of the regular expressions below.

2. In Splunk, set the sourcetype of the snmptrapd input to 'snmp-traps'. This will allow us to create extraction rules based on sourcetype.

3. In Splunk, add a field transformation:

  1. Regular expression: ZXTM\-MIB::([^ ]+) = STRING: "(.+?[^\\])"
  2. Format: $1::$2
 

4. In Splunk, add two field extractions. Both will apply to a sourcetype named 'snmp-traps'. The first uses the transform defined above, the second is inline (the trailing comma is important):

  1. ^[0-9]+ ZXTM\-MIB::(?[^ ]+),

The above instructions will result in your Splunk configuration files looking similar to the following, depending on how you named your transformation and extractions:

File Contents
props.conf 
1.[snmp-traps]
2.REPORT-snmp-trapValues = snmp-trapValues
3.EXTRACT-snmp-trapType = ^[0-9]+ ZXTM\-MIB::(?<trapType>[^ ]+),
inputs.conf 
1.[monitor://<snmptrapd log file>]
2.sourcetype = snmp-traps
transforms.conf 
1.[snmp-trapValues]
2.REGEX = ZXTM\-MIB::([^ ]+) = STRING: "(.+?[^\\])"
3.FORMAT = $1::$2

Finally you need to tell the traffic manager that you want to send SNMP Traps to Splunk. To do this, navigate to System > Alerting on the admin server. Click on 'Manage Actions' and add a new action of type 'SNMP Trap'. Set the traphost to the Splunk server.

To test if everything is working up to this point, click 'Update and test' on the action's page. You should see events in Splunk with a key/value trapType=testaction.

In the main System > Alerting section you can now set which type of event should trigger an SNMP Trap. If you want all events to be reported, select the newly created action from the dropdown box next to All Events.

Step 4: Polling SNMP values

The traffic manager provides a wealth of information that you might want Splunk to use. This step covers setting up a script to poll your traffic manager at regular intervals and parse the information in a way that Splunk can then interpret.

First, you must enable SNMP on your traffic manager. To do this go to the System > SNMP section on the admin server and ensure that snmp!enabled is set to Yes. You must also set a community string, which will be used shortly.

Next, to create scripted data inputs in Splunk, download the script snmppoll.py (NOTE: for security reasons the server renames the script, remove the _.txt suffix when saving) to $SPLUNK_HOME/bin/scripts and make it executable. The script takes the following arguments:

  1. snmppoll.py <server> <communitystring> <subidentifier>

You must create a separate script input for each subidentifier that you want to poll. A list of subidentifiers can be found in the ZXTM-MIB file. As an example, below is a scripted input that will poll your traffic manager for data about its nodes every three minutes:

  1. Command: $SPLUNK_HOME/bin/scripts/snmppoll.py <server> <communitystring> nodes
  2. Interval: 180
  3. Source name override: snmppoll.py
  4. Sourcetype: snmp-nodes

NOTE: Substitute $SPLUNK_HOME with the directory in which splunk is installed (normally /opt/splunk)

By default Splunk assumes that any output from a script is a multi-line event. To stop this, add the following source entry to your props.conf:

  1. [source::snmppoll.py]
  2. SHOULD_LINEMERGE = false
 

Step 5: Parsing Historical Activity data

The last type of data you can make available to Splunk is Historical Activity data, which can be downloaded from the Activity > Historical Activity page of the admin server. This data is largely superflous if you are collecting SNMP data as well, but it might still be useful for generating reports or if SNMP is disabled.

Splunk can read many data formats, however it requires some assistance to read the Historical Activity data stored by the traffic manager. Download the script historyparse.py (NOTE: for security reasons the server renames the script, remove the _.txt suffix when saving) - Splunk will not use this directly so you can put it anywhere. The script will convert the data you download from the admin server into a format Splunk can understand. The script should be invoked as follows:

  1. ./historyparse.py < ztm_data_in > splunk_data_out
 

You can then upload and index the splunk_data_out file in Splunk. Depending on what group you chose when downloading the data from the Historical Activity tab, the following keys will be made available:

Group by Splunk keys
Virtual server virtualserverName, value
Node nodeName, value
Pool poolName, value

The value key will always correspond to the data you chose to plot (data read from client, data to sent to client or hits)

As an example, if you upload a file to Splunk (with sourcetype=historical-data) containing the Hits per Virtual server, you might want to generate a timechart for a specific virtual server using the following search command:

1. sourcetype="historical-data" virtualserverName="name" | timechart avg(value)

Step 6: Using the data in Splunk

Now all the information is in Splunk you can use its powerful analytical tools to interpret the data in different ways. As an example of what can be done, here are a couple of example reports with search strings visible:

Number of connection errors

Connerror

 

Bytes received since 9:30am
Bytesrecv

Appendix A: Example Splunk configuration files

The following configuration files include script inputs for all ZXTM-MIB subidentifiers and a monitor for snmptrapd. The files are provided as a reference only.

Posted at 10:56 AM | | Comments (1)

Technorati Tags: ,

|

08/31/2011

Zeus Traffic Manager 7.4 released

Zeus Traffic Manager and Zeus Load Balancer 7.4 was released on 31st August 2011 via customers' download pages and is available for evaluation.

Version 7.4 is a major revision to the Zeus Traffic Manager and Zeus Load Balancer product family, containing several new features and a number of bug fixes and improvements.

We recommend that all customers upgrade to the latest version. For more details of the changes, take a look at the 7.4 Release Notes.

New features in 7.4

Autoscaling support for VMware

Zeus can automatically scale the size of a pool of servers running on VMware virtual infrastructure, managed by vCenter server. Zeus monitors the response time from the pool, and if it falls outside the configured service level, Zeus will communicate with the vCenter management platform and request that it runs additional instances of the virtual machines in order to deliver greater capacity.

When the service level is comfortably achieved, Zeus may request that one or more virtual machines are terminated to release resources.

This capability extends Zeus' existing Autoscaling capability to support VMware vSphere (as well as Amazon EC2 and Rackspace), and requires the additional-cost Autoscaling option for Zeus Traffic Manager.

OCSP (Online Certificate Status Protocol) support

Many organizations use client certificates to identify users who are accessing a service. They may choose to verify the validity of a client certificate using a variety of techniques: CRLs (Certificate Revokation Lists) is one basic method (supported by Zeus Traffic Manager); OCSP (Online Certificate Status Protocol) may also be used to verify a certificate in real-time when it is presented.

Zeus 7.4 adds built-in support for OCSP (replacing the Java-extension based support).

This capability is available in Zeus Load Balancer and Zeus Traffic Manager at no additional cost.

Client Authentication (using LDAP)

Version 7.4 adds a built-in capability to query an external LDAP database to authenticate user traffic or retrieve other data. This capability is provided by an additional trafficscript function (auth.query()) that can take various data and submit a query to a database.

For example, an organization may wish to verify username:password credentials, or wish to verify authentication data in client certificates. This feature replaces and extends the Java-based LDAP authentication solution.

This capability requires TrafficScript and is available in Zeus Traffic Manager at no additional cost.

Upgrading

Customers with valid maintenance and support contracts will be able to download this release from their customer page. See the relevant instructions for upgrading your Zeus software or appliance.

Posted at 01:46 PM in Multi-Site Manager | | Comments (2)

|

08/25/2011

Range header DoS vulnerability in Apache HTTPD | Zeus Technology

If you're running Apache HTTPD, you might have seen the recent advisory of an attack which can cause "significant CPU and memory usage" by abusing the HTTP/1.1 Range header. If you're using Zeus Application Firewall Module (AFM), simply update your baseline rules and you will be immediately protected. Otherwise, you can use TrafficScript to block this attack. Updated from the new advisory.

 

  1. # Updated: Remove (if present) an old name that Apache accepts, MSIE 3 vintage
  2. http.removeHeader("Request-Range");
  3. $r = http.getHeader("Range");
  4. if( ! string.len($r) ) {
  5.    # No Range, let the request through
  6.    break;
  7. }
  8. if( string.count($r,",") >= 5 ) {
  9.    # Too many ranges, refuse the request
  10.    http.sendResponse( "403 Forbidden", "text/plain", "Forbidden\n", "" );
  11. }


This simply returns a 403 Forbidden response for any request asking for more than 5 ranges (at least 5 commas in the Range header). This is in line with the advisory's suggested mitigation: we don't block multiple ranges completely because they have legitimate uses, such as PDF readers that request parts of the document as you scroll through it, and the attack requires many more ranges to be effective.

Posted at 01:54 PM | | Comments (1)

|

07/29/2011

BIND 9 Exploit in the Wild....

...Zeus customers protected! When I got in to the office this morning, I wasn't expecting to read about a new BIND 9 exploit!! So as soon as I'd had my first cup of tea I sat down to put together a little TrafficScript magic to protect our Zeus customers.

BIND Dynamic Update DoS

The exploit works by sending a specially crafted DNS Update packet to a zones master server. Upon receiving the packet, the DNS server will shut down. ISC, The creators of BIND, have this to say about the new exploit:

"Receipt of a specially-crafted dynamic update message to a zone for which the server is the master may cause BIND 9 servers to exit. Testing indicates that the attack packet has to be formulated against a zone for which that machine is a master. Launching the attack against slave zones does not trigger the assert."

"This vulnerability affects all servers that are masters for one or more zones – it is not limited to those that are configured to allow dynamic updates. Access controls will not provide an effective workaround."

Sounds Nasty, but how easy is it to get access to code to exploit this vulnerability? Well the guy who found the bug, posted a fully functional perl script with the Debian Bug Report.

TrafficScript to the Rescue

I often talk to customers about how TrafficScript can be used to quickly patch bugs and vulnerabilities while they wait for a fix from the vendor or their own development teams. It's time to put my money where my mouth is, so here's the work around for this particular vulnerability:

  1. $data = request.get( 3 ); 
  3. if ( string.regexmatch($data, "..[()]" ) ) {
  4.    log.warn("FOUND UPDATE PACKET");
  5.    connection.discard();
  6. }

The above TrafficScript checks the Query Type of the incoming request, and if it's an UPDATE, then we discard the connection. Obviously you could extend this script to add a white list of servers which you want to allow updates from if necessary. However, you should only have this script in place while your servers are vulnerable, and you should apply patches as soon as you can. Be safe!

Posted at 09:13 AM | | Comments (0)

|

06/01/2011

Zeus Traffic Manager 7.3r1 released

Zeus Traffic Manager and Zeus Load Balancer 7.3r1 was released on 1st June 2011 via customers' download pages and is available for evaluation.

Version 7.3r1 is a minor revision to the Zeus Traffic Manager and Zeus Load Balancer product family, containing a number of bug fixes and improvements.

We recommend that all customers upgrade to the latest version. For more details of the changes, take a look at the 7.3r1 Release Notes.

Upgrading

Customers with valid maintenance and support contracts will be able to download this release from their customer page. See the relevant instructions for upgrading your Zeus software or appliance.

Posted at 01:56 PM | | Comments (0)

|

05/16/2011

Mirroring Layer-7 Traffic Using the Generic-Streaming Protocol

Introduction
To help introduce the new Generic Streaming protocol, I've written an article to illustrate what it can be used for.  I'm going to showcase a real-world solution that does two things:
  1. Mirrors SMTP traffic across two mail servers
  2. Rewrites responses to make the client believe that the message has been accepted for delivery
Note: This article assumes that you have very-good working knowledge of the SMTP protocol and of how mail systems work in general!
 
The goal of this system is to facilitate the migration of users from a cluster of legacy mail servers to a cluster of new ones.  The users and their mailboxes were being migrated in chunks from one system to the next.  So, a very generic configuration had to be devised that would allow both groups of servers to receive the same SMTP traffic.  Each MDA (Mail Delivery Agent) would know which users they should accept mail for.  During the planning stage, it was deemed unnecessary that the origin/client MTA (Mail Transport Agent) be informed when a message was not delivered due to the recipient being unknown, because messages to valid users will get accepted for delivery by one server and rejected by the other.  The logic required to detect when a message gets rejected by both servers was not worth the performance penalty that implementing it would impose.

Background

Prior to the addition of the Generic Streaming Protocol, this kind of functionality was extremely limited by the way that Zeus Traffic Manager handles connections.  This article explains how to use TrafficScript to interact with the SMTP protocol, but it is limited when large attachments come into play.  In that example, you needed to buffer the entire attachment, which is extremely memory-intensive.  Additionally, there was no way to actually mirror or split the traffic.  So, what I have done is leveraged the useful bits from that article and combined them with ZTM's new (as of version 7.1) generic-streaming protocol.
 

Here be Dragons!

Splitting SMTP traffic (like most operations this complicated) does not come free.  At least with this example, there are certain risks that you must be prepared to accept.  You should be aware that any MTA attempting to relay mail through this solution will believe that it's message has been accepted for delivery, even if the primary (non-mirror) SMTP MDA returns a 550 User Unknown response (because we will rewrite it).  Also, we can not guarantee that either the primary pool or the mirrored pool will be up/healthy when we attempt to forward mail to them.  When this solution was devised, some amount of data loss (i.e. the occasional undelivered email) was deemed to be an acceptable risk.
 
That aside, here is a picture that illustrates how the system works:
 
Smtp-mirror_0

 
 
The order of events are thus:
  1. Client MTA opens a TCP connection to the Stage 1 SMTP listener
  2. Request rule Synchronizer runs.  This detects when an SMTP session switches  to the DATA context and stores that state in a connection-specific hash table
  3. Stage 1 VS forwards traffic to the Stage 2 Tee Plug VS via the Loop to Generic Streaming pool
  4. The Tee Plug VS runs the Tee Socket rule.  This rule first checks to see if there is an existing TCP socket open with the Stage 2 Tee Socket VS (directly, from within TS) and opens one if there is not. The Tee Socket rule writes all request data received to the Tee Socket VS (this is the data tee or splitter). Once the Tee Socket rule completes, all request data is streamed to the Legacy Server Mail Delivery Agent pool (which provides fault tolerance, etc.).
  5. The “teed” traffic traverses the Stage 2 Tee Socket VS and goes on to the New Server MDAs  pool (which provides fault tolerance)
  6. Response data follows the same path out and is processed by the Stage1 SMTP listener’s Rosy Glasses rule.  The Rosy Glasses rule  does two things:
    • Rewrites any 550 (recipient rejected) messages to a 250 (accepted for delivery) message – thereby informing the Client MTA that all is well and that they can report to the origin user that the message has been delivered.  
    • Treats any response as a single that we should switch from the DATA context back to the HEADER context, and updates the state in the connection-specific hash table.

What it Does

  • Splits or “mirrors” SMTP traffic destined for a single server to multiple servers.
  • Provides fault tolerance for back-end systems – this can be tuned using priority lists if required.
  • Provides front-end HA, provided the Stage 1 VS is configured to listen on at least 1 Traffic IP group
  • Works with attachments!
 

What it Does NOT

Make a decision as to which pool of mail servers that a message should go to.  It was deemed for the first PoC for this use-case, because all MDAs know which users are valid, that there is no harm in delivering all mail to all servers, as long as the origin MTA is informed that the message was delivered.
 

Conclusion

Works for me!  The development team and I would be keen to know who else might be interested in this solution, so please get in touch or leave a comment if you found this article interesting/useful.

Code Samples

Synchronizer

  1. # SMTP Synchronizer 
  2.  
  3. $STATE_HEADERS = "\r\n";
  4. $STATE_BODY    = "\r\n\\.\r\n";
  5.  
  6. # Initialise STATE if this is the first request on a new connection
  8. if (! connection.data.get("STATE")) {
  9.     connection.data.set("STATE", $STATE_HEADERS);
  10. }
  12. if (connection.data.get("STATE") == $STATE_HEADERS) {
  13.    $request = request.endsWith(connection.data.get("STATE"));
  14. }
  16. if (string.regexmatch($request, "^DATA\r\n")) {
  17.    connection.data.set("STATE", $STATE_BODY);
  18. }

Rosy Glasses

  1. # Rewrite all 550 messages to 250 messagees - IOW - pretend that we accept all recipients.
  3. if ( connection.data.get( "STATE" ) == "\r\n" ){
  4.   
  5.    $response = response.get();
  6.   
  7.    if ( string.startswith( $response, "550" ) ){
  8.      
  9.       response.set("250 2.0.0 OK\r\n");
  10.      
  11.    }
  12.   
  13. }
  15. # If we are currently in the DATA state, and we get a response,
  16. # switch back to the HEADER state.
  18. if ( connection.data.get( "STATE" ) == "\r\n.\r\n" ){
  19.   
  20.    connection.data.set( "STATE", "\r\n" );
  21.      
  22. }

TeeSocket

  1. # For fault tolerance, we use a second loop-back SMTP server, listening on localhost:3025.
  3. if (! $sock = connection.data.get("socket")){
  4.   
  5.    $sock = tcp.connect( "127.0.0.1", 3025);
  7.    # Read some data - just to check that the server is alive and speaking SMTP.
  8.    $sockdata = tcp.read($sock,1024);
  9.   
  10.    if ( string.startswith($sockdata, "220")){
  11.         
  12.       log.info("Connection to second server established.\n" . $sockdata . "\n");
  13.      
  14.       connection.data.set("socket", $sock);
  15.      
  16.    }
  17.   
  18. }
  21. if ($sock){
  22.   
  23.    $data = request.get();
  24.   
  25.    tcp.write($sock, $data);
  27. } else {
  28.   
  29.    log.warn("Failed to get a socket!\n");
  30.   
  31. }
* The origin-user now only sees positive things, and could be thought of as wearing a pair of "rose-tinted glasses".

Posted at 02:02 PM in Duplicate, Generic Streaming, Mirror, Tee | | Comments (0)

|

Next »

Become a Fan

Search

Archives

Bob Gilbert
Bob Gilbert
1 Following
0 Followers
The TypePad Team