Developers Club geek daily blog

1 year, 4 months ago
A remarkable example of network solidarity is the many looking-glass services that let you look behind the scenes of a great many large and small networks around the world. In a modern world hidden behind a hundred security systems, it is surprising that you can simply execute commands on routers, which are among the most critical devices in any data transmission infrastructure.

looking-glass version6


You only need to enter an IP address or a prefix in the field to receive the routing table, a trace, or the output of the ping utility in reply. So when you realize that you can enter not only addresses but also other characters that add up to meaningful commands, and receive meaningful results, you are stunned. You want to run and shout on every corner: "What is this? This absurdity must be prohibited immediately!" All of this is an effect of recent years, in which security is placed above openness and convenience, and there are undoubtedly reasons for that.

This article is about the very popular looking-glass implementation from version6.net and what can be obtained from this service.

If it seems normal to you that the looking-glass interface accepts something other than an IP address, then either you belong to the "old school" or you do not read the news. It seemed unusual to me, especially since other implementations of this service do not allow it.

  • At ReTN (a rather popular implementation), everything entered is treated as a domain name if it is not an IP address.
  • MSK-IX splits everything into separate fields; input is possible only where it is provided for, and everything is interpreted rather strictly.
  • Data IX allows some freedom. It reports that the input is not an IP address ("An invalid argument is specified — it must be IP or IP/n"), but birdc is executed all the same; birdc then reports an error and filters out anything improper.
  • VKontakte allows only ping and traceroute, and only with IP addresses.

Since this was unusual to me, I even began to warn the owners of such services, but then I looked at the code and understood that this is how it is meant to be: it is a feature, not a bug. The version6.net website, which is for some reason unavailable now, describes the functionality honestly: "all BGP show commands, ping and traceroute".

We open lg.cgi, which is rather hard to read, and Perl does not help here at all:

my %FORM = &cgi_decode($incoming);
...
$FORM{addr} =~ s/\s.*// if (($FORM{query} eq "ping") || ($FORM{query} eq "trace"));
$FORM{addr} =~ s/[^\s\d\.:\w\-_\/\$]//g;

The command is passed in the addr parameter ($FORM{addr}), from which every character is removed except whitespace (including tabs, the \s class), letters, digits, and the characters "-", "_", "/", "$", ".", ":".

The condition for ping is considerably stricter. As far as I can see, all input after the first whitespace character is discarded. So it is much harder to append anything extra to the ping and traceroute commands.

my $command = sprintf($query_cmd, $FORM{addr});
...
if ($FORM{addr} !~ /^[\w\.\^\$\-\/ ]*$/) {
	if ($FORM{addr} =~ /^[\w\.\^\$\-\:\/ ]*$/) {
...
	} else {
		&print_error("Illegal characters in parameter string");
	}
}

Then the command to be executed is built from the $query_cmd template, and the input is checked against a slightly different character set: tabs are excluded because a literal space is specified explicitly, the character "_" remains allowed because it is covered by \w together with letters and digits, and the character "^" appears. An additional check is made for ":", which is permitted only when working with IPv6.

That is essentially all; the remaining checks only test for an empty string in some modes of operation. The command to execute has already been built, and it goes to the device unchanged:

$FORM{addr} = "" if ($FORM{addr} =~ /^[ ]*$/);
...
if ($query_cmd =~ /%s/) {
	&print_error("Parameter missing") if ($FORM{addr} eq "");
} else {
	&print_warning("No parameter needed") if ($FORM{addr} ne "");
}
...
&run_command($FORM{router}, $router_list{$FORM{router}}, $command);

What can we do? Of the useful characters we have lost quotes, "|", "?" and all brackets. But much remains, very much indeed. The template that forms the commands looks like this (for Cisco):

my %valid_query = (
	"ios"		=>	{
		"ipv4"			=>	{
			"bgp"			=>	"show ip bgp %s",
			"advertised-routes"	=>	"show ip bgp neighbors %s advertised-routes",
			"summary"		=>	"show ip bgp summary",
			"ping"			=>	"ping %s",
			"trace"			=>	"traceroute %s"
			},
...

The main commands are show ip bgp, ping and traceroute. Obviously, show ip bgp summary and show ip bgp neighbors %s advertised-routes can be built from show ip bgp %s.
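As an added example (not code from lg.cgi or from the original post), this Python rendering of the checks quoted above shows which parameters reach the show ip bgp %s template, next to a strict check in the spirit of the stricter services listed earlier that accepts only an address or a prefix. The function names, the strict check and the handling of the elided IPv6 branch are assumptions; the sample inputs are commands shown on this page.

```python
import ipaddress
import re

# Templates copied from the %valid_query excerpt on this page (ios / ipv4).
TEMPLATES = {"bgp": "show ip bgp %s", "ping": "ping %s", "trace": "traceroute %s"}


def lg_cgi_param(query, addr):
    """Python rendering of the lg.cgi checks quoted on this page; None = rejected."""
    if query in ("ping", "trace"):
        addr = re.sub(r"\s.*", "", addr, count=1)  # cut at the first whitespace
    addr = re.sub(r"[^\s\d.:\w\-_/$]", "", addr, flags=re.ASCII)
    if not re.search(r"^[\w.^$\-/ ]*$", addr, re.ASCII):
        # The IPv6 branch is elided on the page. Assumption: input that only
        # adds ":" is accepted; anything else is "Illegal characters".
        if not re.search(r"^[\w.^$\-:/ ]*$", addr, re.ASCII):
            return None
    if re.search(r"^[ ]*$", addr):
        return None  # "Parameter missing" for templates containing %s
    return addr


def strict_param(query, addr):
    """Allowlist by type: exactly one IP address or (for bgp) one prefix."""
    if not re.fullmatch(r"[0-9A-Fa-f:./]{1,49}", addr):
        return None
    try:
        if "/" in addr:
            if query != "bgp":
                return None  # ping and traceroute take a host, not a prefix
            return str(ipaddress.ip_network(addr, strict=False))
        return str(ipaddress.ip_address(addr))
    except ValueError:
        return None


def build(query, addr, check):
    """Return the command sent to the device, or None if the check rejects."""
    param = check(query, addr)
    return None if param is None else TEMPLATES[query] % param


# Inputs taken from the commands shown on this page.
SAMPLES = ["5.45.192.0/18", "summary", "regexp 13238$", "neighbors 10.255.0.2"]

if __name__ == "__main__":
    for s in SAMPLES:
        print(repr(s), "|", build("bgp", s, lg_cgi_param), "|", build("bgp", s, strict_param))
```

The character filter lets every sample through, while the type-based check passes only the prefix; the same parsing also normalises the value before it is placed in the template.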

show ip bgp


Our bread and butter. Note that different sites nevertheless apply additional filtering, or have been adapted to systems other than the standard ones, so entering arbitrary characters is not always possible. More precisely, it is possible, but executing the resulting commands leads to errors. However, where we have the basic devices covered by the original code, we can enter a wide range of commands. The Cisco website (we will stick to one vendor) lists many options. A few useful ones, as examples.

show ip bgp regexp


We view all routes with a given AS-PATH. For example, all Yandex networks as seen from Stockholm, TTK (a GET request leads straight to the results):

show ip bgp regexp 13238$
Router: sgm01rb 
Command: show bgp regexp 13238$


Sat Dec 19 16:30:21.141 UTC
BGP router identifier 10.146.0.1, local AS number 20485
BGP generic scan interval 60 secs
BGP table state: Active
Table ID: 0x0   RD version: 0
BGP main routing table version 2995757495
BGP scan interval 60 secs

Status codes: s suppressed, d damped, h history, * valid, > best
              i - internal, r RIB-failure, S stale, N Nexthop-discard
Origin codes: i - IGP, e - EGP, ? - incomplete
   Network            Next Hop            Metric LocPrf Weight Path
Route Distinguisher: 20485:1 (default for vrf internet)
*>i5.45.192.0/18      10.78.0.6             1000     70      0 13238 i
* i                   10.99.0.8             1000     70      0 13238 i
*                     149.6.168.201         1000     70      0 174 13238 i
*                     166.63.220.185        1000     70      0 1273 9002 13238 i
*                     212.73.250.153        1000     60      0 3356 13238 i
*                     213.248.99.221        1000     70      0 1299 13238 i
*>i5.45.194.0/24      10.78.0.6             1000     70      0 13238 i
* i                   10.99.0.8             1000     70      0 13238 i
*                     212.73.250.153        1000     60      0 3356 13238 i
*                     213.248.99.221        1000     70      0 1299 13238 i
*>i5.45.196.0/24      10.78.0.6             1000     70      0 13238 i
* i                   10.99.0.8             1000     70      0 13238 i
*                     149.6.168.201         1000     70      0 174 13238 i
*                     166.63.220.185        1000     70      0 1273 9002 13238 i
*                     212.73.250.153        1000     60      0 3356 13238 i
*                     213.248.99.221        1000     70      0 1299 13238 i
*>i5.45.202.0/24      10.78.0.6             1000     70      0 13238 i
* i                   10.99.0.8             1000     70      0 13238 i
*                     212.73.250.153        1000     60      0 3356 13238 i
*                     213.248.99.221        1000     70      0 1299 13238 i
...

show ip bgp neighbors


Detailed information on the established neighbor relationships. The command is sometimes indirectly available through highlighted output when other commands are executed. For example, detailed information on one of Beeline's neighbors in Stavropol:

show ip bgp neighbors 10.255.0.2
Router: len244-bb.stv 
Command: show ip bgp neigh


BGP neighbor is 10.255.0.2,  remote AS 3216, external link
  BGP version 4, remote router ID 79.104.32.226
  BGP state = Established, up for 1y5w
  Last read 00:00:40, last write 00:00:14, hold time is 180, keepalive interval is 60 seconds
  Neighbor sessions:
    1 active, is not multisession capable
  Neighbor capabilities:
    Route refresh: advertised and received(new)
    Four-octets ASN Capability: advertised and received
    Address family IPv4 Unicast: advertised and received
    Multisession Capability: advertised
  Message statistics:
    InQ depth is 0
    OutQ depth is 0
    
                         Sent       Rcvd
    Opens:                  1          1
    Notifications:          0          0
    Updates:                1        352
    Keepalives:        631466     635532
    Route Refresh:          0          0
    Total:             631468     635885
  Default minimum time between advertisement runs is 30 seconds

 For address family: IPv4 Unicast
  Session: 10.255.0.2
  BGP table version 182470946, neighbor version 182470946/0
  Output queue size : 0
  Index 77
  77 update-group member
  Incoming update prefix filter list is B2B-BRAS-IN
  Outgoing update prefix filter list is DENY-ALL
  Slow-peer detection is disabled
  Slow-peer split-update-group dynamic is disabled
                                 Sent       Rcvd
  Prefix activity:               ----       ----
    Prefixes Current:               0          1 (Consumes 52 bytes)
    Prefixes Total:                 0        176
    Implicit Withdraw:              0          0
    Explicit Withdraw:              0        175
    Used as bestpath:             n/a          1
    Used as multipath:            n/a          0

                                   Outbound    Inbound
  Local Policy Denied Prefixes:    --------    -------
    prefix-list                       16426          0
    Well-known Community:         126392327        n/a
    Bestpath from this peer:            347        n/a
    Suppressed due to dampening:      15381        n/a
    Invalid Path:                   2886275        n/a
    Total:                        129310756          0
  Maximum prefixes allowed 500
  Threshold for warning message 75%, restart interval 3 min
  Number of NLRIs in the update sent: max 0, min 0
  Last detected as dynamic slow peer: never
  Dynamic slow peer recovered: never

Datagrams (max data segment is 1460 bytes):
Rcvd: 1268112 (out of order: 0), with data: 635885, total data bytes: 12089768
Sent: 1265174 (retransmit: 1 fastretransmit: 0),with data: 631468, total data bytes: 11997935

...

It can be extended with advertised-routes to see which routes are announced to a particular neighbor; this is often available directly in the interface.

show ip bgp summary


The command is not always available directly, so you can try to execute it in a roundabout way. For example, for PTKOMM:

show ip bgp summary
BGP router identifier 81.176.81.18, local AS number 8342 
RIB entries 1052472, using 64 MiB of memory 
Peers 2, using 5024 bytes of memory 
Peer groups 1, using 16 bytes of memory 

Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd 
195.161.1.10 4 8342 42323357 15458 0 0 0 01w3d17h 574623 
195.161.1.155 4 8342 43105981 15458 0 0 0 01w3d17h 574623 

Total number of neighbors 2

Ping and Traceroute


These commands can be extended too: to increase the packet size or to disable fragmentation. But this is harder to do because the filtering code is stricter. Examples can nevertheless be found: Starnet, which incidentally runs Juniper here:

ping count 5 detail do-not-fragment size 1200 8.8.8.8
Router: MSK-IX MX480 
Command: ping count 5 detail do-not-fragment size 1200 8.8.8.8


PING 8.8.8.8 (8.8.8.8): 1200 data bytes
1208 bytes from 8.8.8.8 via xe-3/3/0.0: icmp_seq=0 ttl=60 time=1.041 ms
1208 bytes from 8.8.8.8 via xe-3/3/0.0: icmp_seq=1 ttl=60 time=0.964 ms
1208 bytes from 8.8.8.8 via xe-3/3/0.0: icmp_seq=2 ttl=60 time=0.959 ms
1208 bytes from 8.8.8.8 via xe-3/3/0.0: icmp_seq=3 ttl=60 time=32.190 ms
1208 bytes from 8.8.8.8 via xe-3/3/0.0: icmp_seq=4 ttl=60 time=1.038 ms

--- 8.8.8.8 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max/stddev = 0.959/7.238/32.190/12.476 ms
...

Looking-glass is a remarkable tool, even an excellent one, that solves many problems and unites network specialists worldwide, and it is a very accurate sign of a company's maturity. Having mentioned several different companies, I have not yet decided to expose a similar service to the outside myself.

You can experiment for a long time; there are plenty of LG services worldwide, and enough of them are built on the version6.net implementation. But any tool has to be predictable: some of the unfiltered commands are terribly resource-intensive, and some reveal slightly more than can be allowed in the modern world. Look at the code and adjust it as you see fit. Be attentive to each other; mutual assistance and openness allowed us to build the Internet, so let us not destroy it.

This article is a translation of the original post at habrahabr.ru/post/273517/