Sockets Infra Bw


Transcript of Sockets Infra Bw

  • 7/30/2019 Sockets Infra Bw

    1/21

    2001 Ken Gottry, www.gottry.com

    Sockets: Infrastructure Perspective

    Ken Gottry

    May 2001

  • Slide 2/21

    Table of Contents

    Overview

    netstat Command

    Sample Infrastructure

    Firewalls and Load Balancers

    Miscellany

  • Slide 3/21

    Socket Overview

  • Slide 4/21

    What is a Socket?

    A socket is a way for two programs (processes) to communicate.

    Socket = IP Address + Port Number

    Uniquely identifies every program in the world

    192.168.1.200:80 -- web server (port 80) on 192.168.1.200

    UNIX domain sockets: client and server are on the same computer. Much faster.

    Internet domain sockets: the most commonly used. Client and server can be on the same or different computers.

    [Figure: Computer B (66.66.34.202) runs Program X on port 23 and Program Y on port 1521; Computer A (192.168.1.200) runs Program X on port 23, Program Y on port 7001 and Program Z on port 80.]

    Overview

  • Slide 5/21

    Types of Ports

    Well-known ports: 0-1024. Same on all UNIX computers around the world. For example, ftp=21, telnet=23, smtp=25, http=80, ldap=389.

    Commonly-used ports: 1024-65535, usually less than 32767. Generally accepted default port numbers. Oracle SQL=1521, WebLogic=7001, iPlanet Admin=8888.

    Anonymous (ephemeral) ports: the socket at the client end has to have a port number also. The TCP/IP stack assigns one temporarily. When the socket is closed, this port becomes available for use by another program.

    [Figure: a web server on Computer B (66.66.34.202) is LISTENing on port 80. The browser on Computer A (192.168.1.200) asks for a socket connection to port 80 on 66.66.34.202 by saying http://ComputerB; the PC on which the browser is running assigns an anonymous port (33186) that the browser can use.]
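    The anonymous-port assignment described above can be watched on one machine. The following is an added example, not code from the slides: it binds a server to localhost (127.0.0.1) with port 0, which asks the TCP/IP stack to pick a free listening port, then connects a client and reads back the ephemeral port the stack assigned to it. The server sees the same client port in accept(), which is why netstat on a machine hosting both ends prints one line per end with matching numbers. Every name below (demonstrate_ephemeral_port, is_ephemeral) is this example's own.

```python
import socket
import threading

# Added example, not code from the original slides. It reproduces the slide's
# picture on one machine: a server socket bound to localhost (127.0.0.1) with
# port 0, meaning "let the TCP/IP stack choose", and a client whose anonymous
# (ephemeral) port is assigned by the stack at connect() time. Both ends then
# agree on that port number, which is what netstat would print on each side.


def demonstrate_ephemeral_port():
    """Return (server_port, client_port, client_port_as_seen_by_server)."""
    server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    server.bind(("127.0.0.1", 0))            # port 0: stack picks a free port
    server.listen(1)                         # now in LISTEN state
    server_port = server.getsockname()[1]

    seen = {}

    def accept_one():
        conn, peer = server.accept()         # peer == (client IP, anonymous port)
        seen["peer_port"] = peer[1]
        conn.close()

    acceptor = threading.Thread(target=accept_one)
    acceptor.start()

    client = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    client.connect(("127.0.0.1", server_port))   # ESTABLISHED on both ends
    client_port = client.getsockname()[1]        # the port the stack assigned
    acceptor.join()
    client.close()
    server.close()
    return server_port, client_port, seen["peer_port"]


def is_ephemeral(port):
    """True if the port lies above the well-known range the slide describes."""
    return 1024 < port <= 65535


if __name__ == "__main__":
    s, c, p = demonstrate_ephemeral_port()
    print(f"server listening on 127.0.0.1:{s}; client got anonymous port {c}; server saw {p}")
```

    Run it and then compare with netstat -na while a real connection is open: the client side shows the ephemeral port as its local port, the server side shows it as the remote port.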


  • Slide 6/21

    What is a Server?

    Some people call the computer a server (e.g. print server). Some people call the process a server (e.g. iPlanet web server).

    If there is little or no chance of confusion, or if little is to be gained from stressing the distinction, then I just say server. For example: the browser connects to the web server. Otherwise, I'll use the phrases server computer or server process. For example: the web server process is listening on port 443 on the web server computer.

    It can get complicated: the WebLogic app server process running on the app server computer contains a web server process.


  • Slide 7/21

    As David Once Told Me

    When discussing IP you are either a host or a piece of wire.

    A host is anything that can establish a socket connection, actively or passively, as client or server. If it's not a piece of wire, then I can telnet to it; I can point my browser at it; I can ftp to it; it can run a JVM with a JDBC connection pool; and so on. It may not have any or all of these services running on it, but it could.

    Examples of hosts: an IBM mainframe, a Sun E10000, your laptop, a router, your cell phone, your microwave, your refrigerator, your TiVo box, the lock on a hotel door, the Toyota Prius.

    Examples of pieces of wire: anything that's not a host :-)


  • Slide 8/21

    netstat Command

  • Slide 9/21

    Description of Command

    netstat has lots of arguments. netstat -a shows the state of all sockets. netstat -f inet shows Internet domain sockets. netstat -P tcp shows the TCP protocol. -n suppresses DNS lookup. So, use netstat -na.

    The next slide contains sample output from netstat -na.

    127.0.0.1 refers to localhost.

    The output shows the client end and the server end of the connection. For example, the line in red (the ESTABLISHED line for 192.168.1.200.23) shows that port 23 (telnet) on 192.168.1.200 (server) is connected to port 1714 (anonymous) on 192.168.1.150 (client).

    If both the client process and the server process are running on the same server computer, then netstat will show 2 lines for that connection, one for each end.

    netstat

  • Slide 10/21

    Sample Output

    UDP
          Local Address        Remote Address      State
    -------------------- -------------------- -------
          *.42                                 Idle
          *.512                                Idle
    127.0.0.1.53                               Idle
    192.168.1.200.53                           Idle

    TCP
          Local Address        Remote Address    Swind Send-Q Rwind Recv-Q  State
    -------------------- -------------------- ----- ------ ----- ------ -------
          *.21                 *.*                0      0     0      0 LISTEN
          *.23                 *.*                0      0     0      0 LISTEN
          *.80                 *.*                0      0     0      0 LISTEN
    192.168.1.200.23     192.168.1.150.1714    8732      1  9520      0 ESTABLISHED
    192.168.1.200.80     192.168.1.150.1716    9400      0  9520      0 TIME_WAIT
    192.168.1.200.80     192.168.1.150.1717    9315      0  9520      0 TIME_WAIT
    192.168.1.200.80     192.168.1.150.1718    9400      0  9520      0 TIME_WAIT
    192.168.1.200.80     192.168.1.150.1719    9300      0  9520      0 ESTABLISHED

    Active UNIX domain sockets
    Address         Type        Vnode        Conn        Local Addr         Remote Addr
    30000a2bba8     stream-ord  00000000     00000000
    30000a2bd48     stream-ord  30000374300  00000000    /tmp/.X11-unix/X0


  • Slide 11/21

    Ways to use netstat

    What server processes are running on a server computer?

    netstat -na | grep LISTEN | more

    How many connections are active on a server computer?

    netstat -na | grep ESTABLISH | wc -l

    How many connections are in some other state?

    netstat -na -f inet -P tcp | grep -v ESTAB | grep -v LISTEN

    What users are connected to my secured web server? (Very important to use -n because DNS lookup of all the connected browsers may time out or fail.)

    netstat -na | grep 443 | more

    How is my JDBC connection pool doing?

    netstat -na | grep 1521 | more

    Note: The -v option of grep selects all lines except those that contain the string.
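    The grep pipelines above answer each question by eye. As an added example (not code from the slides), the block below parses the Solaris-style netstat -na output from the Sample Output slide, embedded here as a constant so it runs offline, and answers the same questions programmatically: which ports are LISTENing, how many sockets are in each state, and which remote hosts are connected to a given local port. The address format, host.port with a dot separator, is the one the slide shows; the function and constant names are this example's own.

```python
from collections import Counter, namedtuple

# Added example; not code from the original slides. The constant below is the
# TCP section of the Solaris-style netstat -na output shown on the slide,
# embedded here so the functions can be run offline.
SAMPLE_NETSTAT = """\
TCP
   Local Address        Remote Address    Swind Send-Q Rwind Recv-Q  State
-------------------- -------------------- ----- ------ ----- ------ -------
      *.21                 *.*                0      0     0      0 LISTEN
      *.23                 *.*                0      0     0      0 LISTEN
      *.80                 *.*                0      0     0      0 LISTEN
192.168.1.200.23     192.168.1.150.1714    8732      1  9520      0 ESTABLISHED
192.168.1.200.80     192.168.1.150.1716    9400      0  9520      0 TIME_WAIT
192.168.1.200.80     192.168.1.150.1717    9315      0  9520      0 TIME_WAIT
192.168.1.200.80     192.168.1.150.1718    9400      0  9520      0 TIME_WAIT
192.168.1.200.80     192.168.1.150.1719    9300      0  9520      0 ESTABLISHED
"""

Socket = namedtuple("Socket", "local_host local_port remote_host remote_port state")


def split_addr(addr):
    """Solaris netstat writes host.port with a dot: '192.168.1.200.23' -> ('192.168.1.200', 23).
    A wildcard port ('*.*') comes back as None."""
    host, _, port = addr.rpartition(".")
    return host, (int(port) if port.isdigit() else None)


def parse_tcp_sockets(text):
    """Return one Socket per data line; the heading and dashed rule are skipped."""
    sockets = []
    for line in text.splitlines():
        fields = line.split()
        # data lines have exactly 7 columns and end in an upper-case state name
        if len(fields) != 7 or not fields[-1].isupper():
            continue
        lhost, lport = split_addr(fields[0])
        rhost, rport = split_addr(fields[1])
        sockets.append(Socket(lhost, lport, rhost, rport, fields[-1]))
    return sockets


def listening_ports(sockets):
    """'What server processes are running?' -> the local ports in LISTEN state."""
    return sorted(s.local_port for s in sockets if s.state == "LISTEN")


def count_by_state(sockets):
    """'How many connections are active / in some other state?'"""
    return Counter(s.state for s in sockets)


def clients_of_port(sockets, port):
    """'Who is connected to my server on this port?' -> remote (host, port) pairs of
    non-LISTEN sockets whose local port matches (the grep 443 / grep 1521 idiom)."""
    return [(s.remote_host, s.remote_port) for s in sockets
            if s.local_port == port and s.state != "LISTEN"]


if __name__ == "__main__":
    socks = parse_tcp_sockets(SAMPLE_NETSTAT)
    print("LISTEN ports:", listening_ports(socks))
    print("by state:", dict(count_by_state(socks)))
    print("clients of port 23:", clients_of_port(socks, 23))
```

    Feed it the output of netstat -na captured to a file and the same three functions give the listener inventory, the state histogram and the per-port client list that the slide's one-liners produce.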


  • Slide 12/21

    Sample Infrastructure

  • Slide 13/21

    Port Architecture

    [Figure: Web Server 192.168.1.100 (iPlanet Web Server, getAccess Authorization); App Server 192.168.30.50 (WebLogic App Server, getAccess Authentication); DB Server 192.168.30.51 (Oracle, LDAP). Ports on the arrows: 443, 28004, 28010, 389, 7001, 1521.]

    Go to any computer with an inbound arrow and netstat should show 1) a process that is LISTENing on the indicated port, and 2) a socket in the ESTABLISHed state.

    Go to any computer with an outbound arrow and netstat should show a socket in the ESTABLISHed state.

    Go to the Web Server computer and netstat | grep 28004 should show 2 lines, representing the client end and the server end of the socket.

  • Slide 14/21

    Firewalls and Load Balancers

  • Slide 15/21

    Firewall Ruleset

    Source   Target   Port   Protocol   Use
    ------   ------   ----   --------   --------
    Web1     App1     7001   TCP        WebLogic
    Web1     App2     7001   TCP        WebLogic
    App1     DB1      1521   TCP        SQL
    App2     DB1      1521   TCP        SQL

    [Figure: Web Server #1 (443) connects through the Firewall to App Server #1 and App Server #2 on port 7001; App Server #1 and App Server #2 connect to DB Server #1 on port 1521.]

    Test with the ttcp utility.

    Web1 can't access DB1 on port 1521.

    Do we want to allow telnet and ftp? We know the port numbers. What about Source and Target? What about DNS (port 53)?
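    The ruleset and the questions under it can be checked as data rather than by reading the table. The block below is an added example, not part of the slides: it encodes the four rules, evaluates a (source, target, port, protocol) tuple with default-deny semantics, and derives from the rules which LISTEN sockets netstat should show on each target, which is the check the Port Architecture slide describes. Web1, App1, App2 and DB1 are the slide's own labels; the function names and the probe list are this example's.

```python
from dataclasses import dataclass
from collections import defaultdict

# Added example, not part of the original slides. The ruleset from the slide
# is encoded as data and checked the way a default-deny firewall would; the
# host names Web1, App1, App2, DB1 are the slide's own labels.


@dataclass(frozen=True)
class Rule:
    source: str
    target: str
    port: int
    protocol: str
    use: str


RULESET = [
    Rule("Web1", "App1", 7001, "TCP", "WebLogic"),
    Rule("Web1", "App2", 7001, "TCP", "WebLogic"),
    Rule("App1", "DB1", 1521, "TCP", "SQL"),
    Rule("App2", "DB1", 1521, "TCP", "SQL"),
]


def matching_rule(source, target, port, protocol="TCP", ruleset=RULESET):
    """The first rule permitting this (source, target, port, protocol), or None."""
    protocol = protocol.upper()
    for rule in ruleset:
        if (rule.source, rule.target, rule.port, rule.protocol) == (source, target, port, protocol):
            return rule
    return None


def is_allowed(source, target, port, protocol="TCP", ruleset=RULESET):
    """Default deny: anything without an explicit rule is dropped."""
    return matching_rule(source, target, port, protocol, ruleset) is not None


def expected_listeners(ruleset=RULESET):
    """For each target, the ports on which netstat should show a LISTEN socket
    (every inbound arrow in the Port Architecture slide needs a listener)."""
    listeners = defaultdict(set)
    for rule in ruleset:
        listeners[rule.target].add(rule.port)
    return dict(listeners)


def audit(probes, ruleset=RULESET):
    """Answer the slide's questions for a list of (source, target, port, protocol) probes."""
    return [(probe, is_allowed(*probe, ruleset=ruleset)) for probe in probes]


if __name__ == "__main__":
    for probe, verdict in audit([
        ("App1", "DB1", 1521, "TCP"),    # SQL from the app tier: allowed
        ("Web1", "DB1", 1521, "TCP"),    # web tier straight to the DB: blocked
        ("Web1", "App1", 23, "TCP"),     # telnet: no rule, so blocked
        ("Web1", "App1", 21, "TCP"),     # ftp: no rule, so blocked
        ("App1", "DB1", 53, "UDP"),      # DNS: needs its own rule if wanted
    ]):
        print(probe, "ALLOW" if verdict else "DENY")
    print("expected LISTEN sockets:", expected_listeners())
```

    Because the check is default-deny, the answer to "do we want to allow telnet, ftp, DNS?" is that nothing passes until a row naming the source, target, port and protocol is added; the ttcp test on the slide is the live counterpart of the probe list.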

  • Slide 16/21

    What is a Load Balancer?

    A Load Balancer is a network device (host) that listens for requests and passes them to 1-to-n servers in an attempt to evenly distribute the workload.

    Load Balancer Configuration:

    1. Port and IP on which to LISTEN

    2. Port and IP of each server across which the load should be balanced

    3. Algorithm used to select a server

    a) Round-robin

    b) Least number of connections

    c) Least CPU utilization

    d) etc.

    [Figure: Client Browser connects to the Load Balancer at www.gottry.com (66.66.34.202, port 80), which passes requests to Web Server #1, Web Server #2 and Web Server #3 at 10.3.22.13, 10.3.22.14 and 10.3.22.15, each on port 8080.]
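    The three configuration items above (listen address, backend list, selection algorithm) can be modelled directly. The block below is an added example, not code from the slides or from any load balancer product: it keeps the listener and backend addresses from the figure, implements round-robin and least-connections selection, and replays a sequence of connection opens and closes so the difference between the two algorithms is visible. LoadBalancer, simulate and the event format are this example's own.

```python
import itertools

# Added example, not from the original slides. It models the three configuration
# items on the slide (listen address, backend servers, selection algorithm) and
# implements two of the listed algorithms; the addresses are the figure's.


class LoadBalancer:
    def __init__(self, listen, backends, algorithm="round-robin"):
        self.listen = listen                          # (ip, port) the balancer LISTENs on
        self.backends = list(backends)                # (ip, port) of each real server
        self.algorithm = algorithm
        self._cycle = itertools.cycle(self.backends)
        self.active = {b: 0 for b in self.backends}   # open connections per backend

    def choose(self):
        """Pick the backend for a new incoming connection and count it as open."""
        if self.algorithm == "round-robin":
            backend = next(self._cycle)
        elif self.algorithm == "least-connections":
            # ties go to the earliest-listed backend
            backend = min(self.backends, key=lambda b: self.active[b])
        else:
            raise ValueError(f"unsupported algorithm: {self.algorithm}")
        self.active[backend] += 1
        return backend

    def release(self, backend):
        """Call when the client's connection to that backend closes."""
        self.active[backend] -= 1


BACKENDS = [("10.3.22.13", 8080), ("10.3.22.14", 8080), ("10.3.22.15", 8080)]
LISTEN = ("66.66.34.202", 80)   # www.gottry.com on the slide


def simulate(algorithm, events):
    """Replay ('open', id) / ('close', id) events; return the backend chosen for each open."""
    lb = LoadBalancer(LISTEN, BACKENDS, algorithm)
    chosen = []
    opened = {}
    for kind, conn_id in events:
        if kind == "open":
            opened[conn_id] = lb.choose()
            chosen.append(opened[conn_id])
        else:
            lb.release(opened.pop(conn_id))
    return chosen


if __name__ == "__main__":
    events = [("open", 1), ("open", 2), ("open", 3), ("close", 2), ("open", 4)]
    print("round-robin:      ", simulate("round-robin", events))
    print("least-connections:", simulate("least-connections", events))
```

    With the same event stream, round-robin sends the fourth connection back to the first server regardless of load, while least-connections sends it to the server whose earlier connection just closed; the netstat ESTABLISHED counts on each web server are the live version of the active dictionary.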

  • Slide 17/21

    Miscellany

  • Slide 18/21

    Socket States

    State          Explanation
    ------------   ---------------------------------------------------------
    CLOSED         Socket is closed
    IDLE           Idle; opened, but not bound
    BOUND          Socket issued bind( ) call
    LISTEN         Listening for incoming connections
    SYN_SENT       Actively trying to establish connection
    SYN_RECEIVED   Initial synchronization of the connection underway
    ESTABLISHED    Connection has been established
    CLOSE_WAIT     Remote shutdown; waiting for socket to close
    FIN_WAIT_1     Socket closed; shutting down connection
    FIN_WAIT_2     Socket closed; waiting for shutdown from remote
    CLOSING        Closed; then remote shutdown; awaiting acknowledgment
    LAST_ACK       Remote shutdown; then closed; awaiting acknowledgment
    TIME_WAIT      Wait after close for remote shutdown retransmission

    The active end requests the connection; the passive end accepts it. Some states refer to the active end, and some to the passive end.

    [Figure: Process A, Process B and Process C, with the Active End and Passive End of each connection labelled.]


  • Slide 19/21

    lsof

    The lsof command displays a list (ls) of open files (of). The list shows which process (PID) has the file open. Sockets are files as far as UNIX is concerned, so they show in the list. Helpful when you have lots of instances of the same process all listening on the same port (e.g. ATG Dynamo DRPs or Broadvision IMs).

    ns-httpd   2037 nobody  cwd   VDIR  136,0           512  111005 / (/dev/dsk/c0t0d0s0)
    ns-httpd   2037 nobody  txt   VREG  136,4          3692   16116 /usr/local (/dev/dsk/c0t0d0s4)
    ns-httpd   2037 nobody  txt   VREG  136,4          4862   16294 /usr/local -- o_kgottryu10_dnlc_ref_per_per_s-daily.png
    ns-httpd   2037 nobody  260u  inet  0x30001081938  0t0          TCP *:80 (LISTEN)
    in.telnet  8371 root    txt   VREG  136,0         17256  280771 /usr/platform/sun4u/lib/libc_psr.so.1
    in.telnet  8371 root    txt   VREG  136,0         19876   71721 /usr/lib/libmp.so.2
    in.telnet  8371 root    0u    inet  0x300008307b0  0t101        TCP kgottryu10:telnet->192.168.1.150:2170 (ESTABLISHED)
    in.telnet  8371 root    1u    inet  0x300008307b0  0t101        TCP kgottryu10:telnet->192.168.1.150:2170 (ESTABLISHED)
    in.telnet  8371 root    2u    inet  0x300008307b0  0t101        TCP kgottryu10:telnet->192.168.1.150:2170 (ESTABLISHED)
    jmeter-se 24915 root    cwd   VDIR  136,0           512  243203 / (/dev/dsk/c0t0d0s0)
    jmeter-se 24915 root    txt   VREG  136,0         91668  137706 /usr/bin/sh
    java      24919 root    cwd   VDIR  136,0           512  243203 / (/dev/dsk/c0t0d0s0)
    java      24919 root    txt   VREG  136,0         25820  336296 / (/dev/dsk/c0t0d0s0)
    java      24919 root    txt   VREG  136,0         27884   71751 /usr/lib/nss_files.so.1
    java      24919 root    15u   inet  0x30000830670  0t0          TCP *:33239 (LISTEN)


  • Slide 20/21

    Promiscuous Mode

    Promiscuous mode (sniffers): listens for any port and any IP address.

    [Figure: the Client PC, a sniffer in promiscuous mode and the Web Server on Subnet A; a Router; the Web Server, App Server and DB Server on Subnet B.]

    Socket traffic between the Client PC and the Web Server travels over Subnet A. The sniffer in promiscuous mode can see all socket traffic on Subnet A. Therefore, the sniffer can see everything the Client PC sends to the Web Server and everything the Web Server sends to the Client PC.

    Socket traffic between the Web Server and the App Server travels over Subnet B. The sniffer in promiscuous mode can't see any socket traffic on Subnet B.

  • Slide 21/21

    Everything Else

    Use telnet host port (e.g. telnet www.nervewire.com 80) to establish a socket connection to any host on any port. If you omit the port (i.e. just use telnet host) it will use the well-known telnet port, 23.

    Windows has a netstat command. Open a DOS window and try netstat -na. See some LISTENing ports that hackers might attack?

    Use your browser to open some web sites. Then jump to the DOS window and try netstat -na. See some ESTABLISHed sockets? See some TIME_WAIT?

    Denial of Service (DoS) attacks start to make a socket connection from a fake location, thus the connection can never be completed.
