Sockets Infra Bw
7/30/2019 Sockets Infra Bw 1/21
2001 Ken Gottry www.gottry.com
Sockets: Infrastructure Perspective
Ken Gottry
May 2001
Table of Contents
Overview
netstat Command
Sample Infrastructure
Firewalls and Load Balancers
Miscellany
Socket Overview
What is a Socket?
A socket is a way for two programs (processes) to communicate.
Socket = IP Address + Port Number
Uniquely identifies every program in the world
192.168.1.200:80 -- web server (port 80) on 192.168.1.200
UNIX domain sockets: client and server on the same computer. Much faster.
Internet domain sockets: most commonly used. Client and server can be on the same or different computers.
Diagram: Computer A (192.168.1.200) runs Program X on port 23, Program Y on port 7001 and Program Z on port 80; Computer B (66.66.34.202) runs Program X on port 23 and Program Y on port 1521.
Types of Ports
Well-known ports: between 0-1024. Same on all UNIX computers around the world. For example, ftp=21, telnet=23, smtp=25, http=80, ldap=389
Commonly-used ports: 1024-65535. Usually less than 32767. Generally accepted default port numbers. Oracle SQL=1521, WebLogic=7001, iPlanet Admin=8888
Anonymous (ephemeral) ports: the socket at the client end has to have a port number also. The TCP/IP stack assigns one temporarily. When the socket is closed, this port becomes available for use by another program
Diagram: Web Browser on Computer A (192.168.1.200), port 33186, connected to Web Server on Computer B (66.66.34.202), port 80.
Web server LISTENing on port 80 on Computer B.
Browser asks for a socket connection to port 80 on 66.66.34.202 by saying: http://ComputerB
The PC on which the browser is running assigns an anonymous port (33186) that the browser can use.
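To make the two socket types and the anonymous port concrete, here is an added Python example (not from the original deck): a loopback TCP listener and a client whose port the stack assigns, and separately an echo over a UNIX domain socket. The socket path under a temporary directory and the "hello" message are constructed for the example.

```python
import os
import socket
import tempfile

def inet_socket_demo():
    """Loopback TCP: the server listens on a port the stack picks, a client
    connects, and the stack hands the client an anonymous (ephemeral) port.
    Returns what each end sees so the two views can be compared."""
    server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    server.bind(("127.0.0.1", 0))                # port 0: let the TCP/IP stack choose
    server.listen(1)
    listen_port = server.getsockname()[1]
    client = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    client.connect(("127.0.0.1", listen_port))   # client end is assigned its port here
    conn, peer = server.accept()
    try:
        return {
            "server_listen_port": listen_port,
            "client_local": client.getsockname(),   # ('127.0.0.1', ephemeral port)
            "client_peer": client.getpeername(),    # ('127.0.0.1', listen_port)
            "server_sees_client": peer,             # same ephemeral port, seen from the server
        }
    finally:
        for s in (conn, client, server):
            s.close()

def unix_socket_demo():
    """UNIX domain socket: the address is a filesystem path, no IP or port.
    Echoes one message and returns it, or None where AF_UNIX is unavailable."""
    if not hasattr(socket, "AF_UNIX"):
        return None
    directory = tempfile.mkdtemp()                # constructed, throwaway socket path
    path = os.path.join(directory, "demo.sock")
    server = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    server.bind(path)
    server.listen(1)
    client = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    client.connect(path)
    conn, _ = server.accept()
    try:
        client.sendall(b"hello")
        conn.sendall(conn.recv(16))               # server echoes what it received
        return client.recv(16)
    finally:
        for s in (conn, client, server):
            s.close()
        os.unlink(path)
        os.rmdir(directory)
```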
What is a Server?
Some people call the computer a server (e.g. print server). Some people call the process a server (e.g. iPlanet web server).
If there is little or no chance of confusion, or if little is to be gained from stressing the distinction, then I just say server. For example, "The browser connects to the web server." Otherwise, I'll use the phrases server computer or server process. For example, "the web server process is listening on port 443 on the web server computer."
It can get complicated: a WebLogic app server process running on the app server computer contains a web server process.
As David Once Told Me
"When discussing IP you are either a host or a piece of wire."
A host is anything that can establish a socket connection actively or passively, client or server. If it's not a piece of wire, then I can telnet to it; I can point my browser at it. I can ftp to it. It can run a JVM with a JDBC connection pool. And so on. It may not have any or all of these services running on it, but it could.
Examples of hosts: an IBM mainframe, a Sun E10000, your laptop, a router, your cell phone, your microwave, your refrigerator, your Tivo box, the lock on a hotel door, the Toyota Prius
Examples of pieces of wire: anything that's not a host
netstat Command
Description of Command
netstat has lots of arguments. netstat -a shows the state of all sockets. netstat -f inet shows Internet domain sockets. netstat -P tcp shows the TCP protocol.
-n suppresses DNS lookup. So, use netstat -na
The next slide contains sample output from netstat -na
127.0.0.1 refers to localhost
Output shows the client end and the server end of the connection. For example, the ESTABLISHED line for port 23 (shown in red on the slide) shows that port 23 (telnet) on 192.168.1.200 (server) is connected to port 1714 (anonymous) on 192.168.1.150 (client)
If both the client process and the server process are running on the same server computer, then netstat will show 2 lines for that connection.
Sample Output
UDP
Local Address         Remote Address        State
--------------------  --------------------  -------
*.42                                        Idle
*.512                                       Idle
127.0.0.1.53                                Idle
192.168.1.200.53                            Idle

TCP
Local Address         Remote Address        Swind  Send-Q  Rwind  Recv-Q  State
--------------------  --------------------  -----  ------  -----  ------  -------
*.21                  *.*                       0       0      0       0  LISTEN
*.23                  *.*                       0       0      0       0  LISTEN
*.80                  *.*                       0       0      0       0  LISTEN
192.168.1.200.23      192.168.1.150.1714     8732       1   9520       0  ESTABLISHED
192.168.1.200.80      192.168.1.150.1716     9400       0   9520       0  TIME_WAIT
192.168.1.200.80      192.168.1.150.1717     9315       0   9520       0  TIME_WAIT
192.168.1.200.80      192.168.1.150.1718     9400       0   9520       0  TIME_WAIT
192.168.1.200.80      192.168.1.150.1719     9300       0   9520       0  ESTABLISHED

Active UNIX domain sockets
Address          Type        Vnode        Conn         Local Addr             Remote Addr
30000a2bba8      stream-ord  00000000     00000000
30000a2bd48      stream-ord  30000374300  00000000     /tmp/.X11-unix/X0
Ways to use netstat
What server processes are running on a server computer?
    netstat -na | grep LISTEN | more
How many connections are active on a server computer?
    netstat -na | grep ESTABLISH | wc -l
How many connections are in some other state?
    netstat -na -f inet -P tcp | grep -v ESTAB | grep -v LISTEN
What users are connected to my secured web server? (very important to use -n because DNS lookup of all the connected browsers may time out or fail)
    netstat -na | grep 443 | more
How is my JDBC connection pool doing?
    netstat -na | grep 1521 | more
Note: The -v option of grep says "all lines except those that contain the string."
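The grep pipelines above match a port number anywhere on the line; as an added example (not part of the deck), this Python parser reads the Solaris netstat -na TCP section and answers the same questions field by field, so 443 or 1521 is matched only in the local address column. The sample output is constructed after the deck's table.

```python
import re
from collections import Counter

# Constructed sample in the Solaris netstat -na TCP format shown on the slide.
SAMPLE_NETSTAT = """\
TCP
   Local Address        Remote Address    Swind Send-Q Rwind Recv-Q  State
-------------------- -------------------- ----- ------ ----- ------ -------
      *.21                 *.*                0      0     0      0 LISTEN
      *.23                 *.*                0      0     0      0 LISTEN
      *.80                 *.*                0      0     0      0 LISTEN
192.168.1.200.23     192.168.1.150.1714    8732      1  9520      0 ESTABLISHED
192.168.1.200.80     192.168.1.150.1716    9400      0  9520      0 TIME_WAIT
192.168.1.200.80     192.168.1.150.1719    9300      0  9520      0 ESTABLISHED
"""

# Solaris writes host.port with a dot, so the port is the text after the last dot.
ENDPOINT = re.compile(r"^(?P<host>\*|\d+\.\d+\.\d+\.\d+)\.(?P<port>\d+|\*)$")

def split_endpoint(text):
    """'192.168.1.200.23' -> ('192.168.1.200', 23); '*.*' -> ('*', None)."""
    m = ENDPOINT.match(text)
    if not m:
        raise ValueError(f"not a netstat endpoint: {text!r}")
    port = None if m.group("port") == "*" else int(m.group("port"))
    return m.group("host"), port

def parse_tcp(output):
    """Return (local, remote, state) for every TCP connection line, skipping
    the section title, column headings and dashed rule."""
    rows = []
    for line in output.splitlines():
        parts = line.split()
        if len(parts) != 7 or not ENDPOINT.match(parts[0]):
            continue
        rows.append((split_endpoint(parts[0]), split_endpoint(parts[1]), parts[6]))
    return rows

def listening_ports(rows):
    """Which server processes are running?  (netstat -na | grep LISTEN)"""
    return sorted(local[1] for local, _, state in rows if state == "LISTEN")

def state_counts(rows):
    """How many sockets are in each state?  (grep ESTABLISH | wc -l and friends)"""
    return Counter(state for _, _, state in rows)

def clients_of_port(rows, port):
    """Which remote hosts hold ESTABLISHED sockets to a local port?  (grep 443, grep 1521)"""
    return sorted({remote[0] for local, remote, state in rows
                   if local[1] == port and state == "ESTABLISHED"})
```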
Sample Infrastructure
Port Architecture
Diagram: Web Server 192.168.1.100 (iPlanet Web Server, getAccess Authorization); App Server 192.168.30.50 (WebLogic App Server, getAccess Authentication); DB Server 192.168.30.51 (Oracle, LDAP). Ports on the arrows: 443, 28004, 28010, 389, 7001, 1521.
Go to any computer with an inbound arrow and netstat should show
1) a process that is LISTENing on the indicated port
2) a socket in the ESTABLISHed state
Go to any computer with an outbound arrow and netstat should show a socket in ESTABLISHed state
Go to the Web Server computer and netstat | grep 28004 should show 2 lines representing the client end and server end of the socket
Firewalls and Load Balancers
Firewall Ruleset
Source  Target  Port  Protocol  Use
Web1    App1    7001  TCP       WebLogic
Web1    App2    7001  TCP       WebLogic
App1    DB1     1521  TCP       SQL
App2    DB1     1521  TCP       SQL
Diagram: 443 into Web Server #1; Firewall; 7001 to App Server #1 and App Server #2; 1521 to DB Server #1.
Test with the ttcp utility
Web1 can't access DB1 on port 1521
Do we want to allow telnet and ftp? We know port numbers. What about Source and Target?
What about DNS (port 53)?
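Added example, not from the deck: the ruleset evaluated as an allow list with an implicit default deny, which is what makes "Web1 can't access DB1 on port 1521" true, plus a check of the flows the infrastructure needs against that list. The required-flow list, the LDAP source/target and the DNS1 resolver name are assumptions constructed for illustration.

```python
# Firewall ruleset from the slide: (source, target, port, protocol, use).
RULESET = [
    ("Web1", "App1", 7001, "TCP", "WebLogic"),
    ("Web1", "App2", 7001, "TCP", "WebLogic"),
    ("App1", "DB1", 1521, "TCP", "SQL"),
    ("App2", "DB1", 1521, "TCP", "SQL"),
]

def allowed(source, target, port, protocol="TCP", rules=RULESET):
    """Return the rule that permits the flow, or None when the default deny applies.
    Source, target, port and protocol must all match; a rule for App1 -> DB1:1521
    says nothing about Web1 -> DB1:1521."""
    for rule in rules:
        if rule[:4] == (source, target, port, protocol):
            return rule
    return None

def uncovered_flows(required, rules=RULESET):
    """Flows the infrastructure needs that no rule permits: the slide's
    'what about DNS (port 53)?' question asked for every flow at once."""
    return [flow for flow in required if allowed(*flow, rules=rules) is None]

# Constructed list of flows the sample infrastructure needs. The LDAP and DNS
# entries are assumptions drawn from the deck's diagram and questions; DNS1 is a
# placeholder name for a resolver the deck never names.
REQUIRED_FLOWS = [
    ("Web1", "App1", 7001, "TCP"),
    ("Web1", "App2", 7001, "TCP"),
    ("App1", "DB1", 1521, "TCP"),
    ("App1", "DB1", 389, "TCP"),     # LDAP: assumed source and target
    ("Web1", "DNS1", 53, "UDP"),     # DNS: assumed resolver
]
```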
What is a Load Balancer?
Load Balancer is a network device (host) that listens for requests and passes them to 1-to-n servers in an attempt to evenly distribute the workload
Load Balancer Configuration:
1. Port and IP on which to LISTEN
2. Port and IP of each server across which the load should be balanced
3. Algorithm used to select server
   a) Round-robin
   b) Least number of connections
   c) Least CPU utilization
   d) etc.
Diagram: Client Browser -> Load Balancer www.gottry.com 66.66.34.202 port 80 -> Web Server #1, #2 and #3 at 10.3.22.13, 10.3.22.14 and 10.3.22.15, each on port 8080
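Added example, not the deck's code: the three configuration items as a small Python class using the listener and backend addresses from the slide, with round-robin, least-connections and least-CPU selection implemented. The CPU figures passed to the least-cpu rule are supplied by the caller; how they are measured is outside the example.

```python
import itertools

BACKENDS = [("10.3.22.13", 8080), ("10.3.22.14", 8080), ("10.3.22.15", 8080)]  # from the slide

class LoadBalancer:
    """The slide's three configuration items as code (constructed example)."""

    def __init__(self, listen, backends, algorithm="round-robin"):
        self.listen = listen                          # 1. IP and port on which to LISTEN
        self.backends = list(backends)                # 2. IP and port of each server
        self.algorithm = algorithm                    # 3. how to pick a server
        self.active = {b: 0 for b in self.backends}   # open connections per backend
        self._cycle = itertools.cycle(self.backends)

    def choose(self, cpu_load=None):
        """Pick the backend for a new connection and count it as active.
        cpu_load maps backend -> utilization and is only needed for least-cpu."""
        if self.algorithm == "round-robin":
            pick = next(self._cycle)
        elif self.algorithm == "least-connections":
            # fewest active sockets wins; ties go to the earlier backend in the list
            pick = min(self.backends, key=lambda b: (self.active[b], self.backends.index(b)))
        elif self.algorithm == "least-cpu":
            pick = min(self.backends, key=lambda b: cpu_load[b])
        else:
            raise ValueError(f"unknown algorithm {self.algorithm!r}")
        self.active[pick] += 1
        return pick

    def release(self, backend):
        """A connection closed: one fewer active socket on that backend."""
        self.active[backend] -= 1

def demo_least_connections():
    """Three new connections spread across the idle backends; once the first
    one closes, the next connection goes back to the backend it freed."""
    lb = LoadBalancer(("66.66.34.202", 80), BACKENDS, "least-connections")
    first, second, third = lb.choose(), lb.choose(), lb.choose()
    lb.release(first)
    fourth = lb.choose()
    return first, second, third, fourth
```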
Miscellany
Socket States
State         Explanation
CLOSED        Socket is closed
IDLE          Idle; opened, but not bound
BOUND         Socket issued bind( ) call
LISTEN        Listening for incoming connections
SYN_SENT      Actively trying to establish connection
SYN_RECEIVED  Initial synchronization of the connection underway
ESTABLISHED   Connection has been established
CLOSE_WAIT    Remote shutdown; waiting for socket to close
FIN_WAIT_1    Socket closed; shutting down connection
CLOSING       Closed; then remote shutdown; awaiting acknowledgment
LAST_ACK      Remote shutdown; then closed; awaiting acknowledgment
FIN_WAIT_2    Socket closed; waiting for shutdown from remote
TIME_WAIT     Wait after close for remote shutdown retransmission
The active end requests the connection, the passive end accepts it.
Some states refer to the active end, and some to the passive end.
Diagram: Process A, Process B and Process C, with each socket end labelled Active End or Passive End.
lsof
The lsof command displays a list (ls) of open files (of). The list shows which process (PID) has the file open. Sockets are files as far as UNIX is concerned, so they show in the list. Helpful when you have lots of instances of the same process all listening on the same port (e.g. ATG Dynamo DRPs or Broadvision IMs)
ns-httpd 2037 nobody cwd VDIR 136,0 512 111005 / (/dev/dsk/c0t0d0s0)
ns-httpd 2037 nobody txt VREG 136,4 3692 16116 /usr/local (/dev/dsk/c0t0d0s4)
ns-httpd 2037 nobody txt VREG 136,4 4862 16294 /usr/local
ns-httpd 2037 nobody 260u inet 0x30001081938 0t0 TCP *:80 (LISTEN)
in.telnet 8371 root txt VREG 136,0 17256 280771 /usr/platform/sun4u/lib/libc_psr.so.1
in.telnet 8371 root txt VREG 136,0 19876 71721 /usr/lib/libmp.so.2
in.telnet 8371 root 0u inet 0x300008307b0 0t101 TCP kgottryu10:telnet->192.168.1.150:2170 (ESTABLISHED)
in.telnet 8371 root 1u inet 0x300008307b0 0t101 TCP kgottryu10:telnet->192.168.1.150:2170 (ESTABLISHED)
in.telnet 8371 root 2u inet 0x300008307b0 0t101 TCP kgottryu10:telnet->192.168.1.150:2170 (ESTABLISHED)
jmeter-se 24915 root cwd VDIR 136,0 512 243203 / (/dev/dsk/c0t0d0s0)
jmeter-se 24915 root txt VREG 136,0 91668 137706 /usr/bin/sh
java 24919 root cwd VDIR 136,0 512 243203 / (/dev/dsk/c0t0d0s0)
java 24919 root txt VREG 136,0 25820 336296 / (/dev/dsk/c0t0d0s0)
java 24919 root txt VREG 136,0 27884 71751 /usr/lib/nss_files.so.1
java 24919 root 15u inet 0x30000830670 0t0 TCP *:33239 (LISTEN)
Promiscuous Mode
Promiscuous mode (sniffers) listen for any port, any IP address
Diagram: Client PC, a Sniffer in Promiscuous Mode and the Web Server on Subnet A; the Web Server, App Server and DB Server on Subnet B; a Router is also shown.
Socket traffic between Client PC and Web Server travels over Subnet A. The sniffer in promiscuous mode can see all socket traffic on Subnet A. Therefore, the sniffer can see everything the Client PC sends to the Web Server and everything the Web Server sends to the Client PC
Socket traffic between Web Server and App Server travels over Subnet B. The sniffer in promiscuous mode can't see any socket traffic on Subnet B
Everything Else
Use telnet host port (e.g. telnet www.nervewire.com 80) to establish a socket connection to any host on any port. If you omit port (i.e. just use telnet host) it will use the well-known telnet port 25
Windows has a netstat command
Open a DOS window and try netstat -na
See some LISTENing ports that hackers might attack?
Use your browser to open some web sites. Then jump to the DOS window and try netstat -na. See some ESTABLISHed sockets? See some TIME_WAIT?
Denial of Service (DoS) attacks start to make a socket connection from a fake location, thus the connection can never be completed