Aug 12

"Network packet" is a technical term from internetworking; these days, however, packets turn up in conflicts between nations with some regularity.

Recently, reports of cyber attack surfaced during the war in Georgia. Russian hackers launched a large-scale DDoS attack against Georgian government web sites. The result was more immediately visible than the fighting on the ground: the Georgian government had to move its web hosting abroad at once. Personally, I hope this is not the final outcome for the current Georgian government in reality.

Launching a packet war is quite simple, so an inconspicuous individual can mount a very large attack on a country-wide target. The usual technique is DDoS (distributed denial of service): flooding the victim with packets from many machines at once. The machines sending the packets are usually zombies, hosts that have been compromised and are remotely controlled to do whatever they are commanded.

It is not easy to stop war packets on the Internet, as they hide among billions of normal packets every minute. A few companies offer solutions that make the war visible by monitoring anomalous traffic at Internet borders: each attack packet on its own looks legitimate, so what gives a flood away is volume and the number of sources, not content. Maybe the UN should employ packet-war observers to keep the peace in cyberspace.
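The anomaly monitoring just described, reduced to its core, as an added example that is not part of the original post: per-destination packet rate and source fan-in are compared against a quiet baseline, over a constructed set of flow records. The record layout (timestamp, src, dst, packets) and the addresses are assumptions made for the example.

```python
"""Added example (not from the original post): a toy volumetric-DDoS
detector. A flood is invisible per packet but obvious in aggregate, so
the check is on packets/s and distinct sources/s per destination.

Assumptions (hypothetical): flow records are (second, src, dst, packets)
tuples as a flow exporter might produce, and a quiet window is known."""
from collections import defaultdict

# Constructed sample: ten seconds of flows. 198.51.100.10 is a government
# web server; in seconds 5..9 it receives a flood from 200 sources.
QUIET_FLOWS = [(t, f"203.0.113.{t}", "198.51.100.10", 20) for t in range(5)]
FLOOD_FLOWS = [(t, f"10.{i // 256}.{i % 256}.{t}", "198.51.100.10", 50)
               for t in range(5, 10) for i in range(200)]
OTHER_FLOWS = [(t, "203.0.113.77", "198.51.100.20", 30) for t in range(10)]
SAMPLE_FLOWS = QUIET_FLOWS + FLOOD_FLOWS + OTHER_FLOWS


def per_second_stats(flows):
    """Aggregate flows into {dst: {second: (packets, distinct_sources)}}."""
    pkts = defaultdict(lambda: defaultdict(int))
    srcs = defaultdict(lambda: defaultdict(set))
    for t, src, dst, n in flows:
        pkts[dst][t] += n
        srcs[dst][t].add(src)
    return {dst: {t: (pkts[dst][t], len(srcs[dst][t])) for t in pkts[dst]}
            for dst in pkts}


def baseline(stats, dst, seconds):
    """Mean packets/s and mean distinct sources/s over the quiet window."""
    rows = [stats[dst].get(t, (0, 0)) for t in seconds]
    return (sum(r[0] for r in rows) / len(rows),
            sum(r[1] for r in rows) / len(rows))


def detect_floods(flows, quiet_window, pkt_factor=10, src_factor=10):
    """Return {dst: [flagged seconds]} where BOTH the packet rate and the
    source fan-in exceed the quiet baseline by the given factors. Requiring
    both keeps a single busy client from looking like a distributed attack."""
    stats = per_second_stats(flows)
    alerts = {}
    for dst, per_sec in stats.items():
        base_pkts, base_srcs = baseline(stats, dst, quiet_window)
        flagged = sorted(t for t, (p, s) in per_sec.items()
                         if p > pkt_factor * max(base_pkts, 1)
                         and s > src_factor * max(base_srcs, 1))
        if flagged:
            alerts[dst] = flagged
    return alerts


if __name__ == "__main__":
    print(detect_floods(SAMPLE_FLOWS, range(5)))
```

On the sample, only 198.51.100.10 is flagged, for seconds 5 through 9; the second server, which carries the same steady traffic throughout, stays silent. A border monitor does the same thing with a baseline learned over days rather than five seconds, but the shape of the check is identical.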

Aug 08

In a few hours the Beijing Olympic Games will begin. This post is not about package delivery by UPS or FedEx for the Olympics; as always, the focus is network packets, this time in connection with the Beijing Olympics.

Under the Communist Party, China is famous for its clampdowns. Monitoring and control of communications moved from the phone line to the Internet quite a few years ago. Someone coined the term “Great Firewall” to describe the technology and practices the Chinese government uses to control and monitor speech and media publishing on the Internet.

What is the Great Firewall (GFW)? The description on Wikipedia is not quite right. There the GFW is conflated with the Golden Shield Project, a publicly announced Internet security project led by the public security agency. The GFW is actually run by a separate department that reports directly to the central government and covers Internet virus/worm detection as well as censorship of text, pictures and video on the Internet.

What does the GFW do? Simply put, if you travel to China and try to browse international web sites with sensitive content, the GFW actively blocks your traffic. What counts as sensitive varies: anti-government reports, rumors about political leaders, sex tapes and so on. What is really interesting is that Google is the biggest victim after the Chinese people themselves. Searching for a sensitive keyword from China immediately causes Google to be blocked for a few minutes. That is one of the major reasons Google has failed, or let us say been less successful, in China when competing with local search providers.

How is the GFW implemented? According to a trusted source, the GFW has already scaled to more than 100,000 computers, working in parallel to analyze Internet traffic leaving China. The censorship analysis focuses on web and email and is now moving to video, as many people have reported YouTube (Google again) becoming unavailable in many locations in China. The blocking mechanism is actually to send forged TCP RST segments to the victim IP so that the connection is torn down. Note what that implies: the GFW observes the traffic and injects packets into it rather than sitting in the forwarding path, which is exactly how an IDS works, so technically the GFW should be called the Great IDS (GIDS). A recent technical analysis of the GFW concludes that additional techniques are in use, including DNS forgery and manually updated ACLs (access control lists) on Internet border routers.
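An injected RST of the kind described above leaves a fingerprint that an observer can check for. The forged segment travels a different path from the real server's packets, so its IP TTL usually does not match the TTL seen earlier in that direction of the flow, and because the injector cannot silence the real server, genuine data keeps arriving after the "reset". The example below, added here and not taken from the post or from any analysis of the GFW, builds a small constructed pcap containing one such connection and applies both checks. The addresses, ports and the pcap fixture are all constructed.

```python
"""Added example (not the original post's code): spotting injected TCP RSTs
in a constructed pcap with two heuristics, TTL mismatch against the flow's
established TTL and payload arriving after the RST in the same direction."""
import struct
from collections import defaultdict

SYN, RST, PSH, ACK = 0x02, 0x04, 0x08, 0x10
CLIENT, SERVER = "192.0.2.10", "198.51.100.80"        # constructed


def eth_ip_tcp(src, dst, sport, dport, seq, ack, flags, ttl, payload=b""):
    """Build an Ethernet/IPv4/TCP frame for the fixture (checksums left 0)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags,
                      65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, ttl, 6, 0,
                     bytes(map(int, src.split("."))),
                     bytes(map(int, dst.split("."))))
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp


def pcap_bytes(frames):
    """Wrap frames in a little-endian pcap 2.4 file (linktype 1 = Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1_218_000_000 + i, 0, len(f), len(f)) + f
    return out


SAMPLE_PCAP = pcap_bytes([
    eth_ip_tcp(CLIENT, SERVER, 40000, 80, 1000, 0, SYN, 64),
    eth_ip_tcp(SERVER, CLIENT, 80, 40000, 5000, 1001, SYN | ACK, 52),
    eth_ip_tcp(CLIENT, SERVER, 40000, 80, 1001, 5001, ACK | PSH, 64,
               b"GET /?q=sensitive HTTP/1.1\r\n\r\n"),
    # forged RST "from the server": different TTL, no payload
    eth_ip_tcp(SERVER, CLIENT, 80, 40000, 5001, 1030, RST, 101),
    # the real server answers anyway
    eth_ip_tcp(SERVER, CLIENT, 80, 40000, 5001, 1030, ACK | PSH, 52,
               b"HTTP/1.1 200 OK\r\n\r\n"),
])


def parse_pcap(data):
    """Yield (index, src, dst, sport, dport, flags, ttl, payload_len) for
    every TCP/IPv4 frame in a classic pcap file; other frames are skipped."""
    magic, = struct.unpack_from("<I", data, 0)
    end = "<" if magic == 0xA1B2C3D4 else ">"
    off, idx = 24, 0
    while off + 16 <= len(data):
        _, _, incl, _ = struct.unpack_from(end + "IIII", data, off)
        frame = data[off + 16: off + 16 + incl]
        off += 16 + incl
        if frame[12:14] == b"\x08\x00" and frame[23] == 6:       # IPv4, TCP
            ihl = (frame[14] & 0x0F) * 4
            total = struct.unpack_from("!H", frame, 16)[0]
            src = ".".join(map(str, frame[26:30]))
            dst = ".".join(map(str, frame[30:34]))
            t = 14 + ihl
            sport, dport = struct.unpack_from("!HH", frame, t)
            doff = (frame[t + 12] >> 4) * 4
            yield idx, src, dst, sport, dport, frame[t + 13], frame[22], total - ihl - doff
        idx += 1


def find_injected_rsts(data):
    """Return {frame_index: [reasons]} for RSTs that look injected."""
    seen_ttl = {}                    # (src, dst, sport, dport) -> first TTL seen
    rsts = defaultdict(list)         # same key -> indexes of RSTs in that direction
    suspects = defaultdict(list)
    for idx, src, dst, sport, dport, flags, ttl, plen in parse_pcap(data):
        key = (src, dst, sport, dport)
        if flags & RST:
            if key in seen_ttl and seen_ttl[key] != ttl:
                suspects[idx].append(f"ttl {ttl} != {seen_ttl[key]} seen earlier")
            rsts[key].append(idx)
            continue
        seen_ttl.setdefault(key, ttl)
        if plen > 0:
            for r in rsts[key]:
                suspects[r].append(f"payload frame {idx} after RST")
    return dict(suspects)


if __name__ == "__main__":
    print(find_injected_rsts(SAMPLE_PCAP))
```

On the fixture, frame 3 is reported twice: its TTL of 101 disagrees with the 52 established by the server's SYN/ACK, and frame 4 carries server data after it. Neither heuristic is proof on its own (load balancers and asymmetric routing also produce TTL differences), which is why both are reported separately and the decision is left to the analyst.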

The GFW architecture is reported to consist of many specially designed Cisco/Juniper monitoring devices that forward the traffic, and servers with AMD/Intel CPUs that parse the packet payloads. Yes, quite a few US vendors are involved in this infrastructure. States always supply weapons to help tyrants, then claim to protect the rights of the victims years later.

The Beijing Olympic Games have changed the GFW censorship policy a great deal. The Chinese government was reported to have committed to unblocking most traffic during the Games. For Chinese people the Olympics may be another kind of Internet surfing game: a window in which to find out how the world has changed. The change was mainly triggered by numerous complaints from international travelers arriving in China for the Olympics. Besides donating to earthquake victims and adopting Chinese orphans, perhaps complaining will help the Chinese people get a better life too.

Jul 28

Most public companies in the packet business have announced their Q2 (April to June) results. Let's summarize some of them here.

Company               Ticker        Net income   Revenue    Revenue increase YoY
RiverBed Technology   NASDAQ:RVBD   $3.9M        $44M       +61%
NetScout              NASDAQ:NTCT   $1.5M        $60.6M     +17%
OPNet                 NASDAQ:OPNT   $1.2M        $30.1M     +29%
F5                    NASDAQ:FFIV   $19.1M*      $165M      +25%
SourceFire            NASDAQ:FIRE   -$3.1M       $16M       +42%
Cisco                 NASDAQ:CSCO   $2B          $10.4B     +10%

* FFIV net income fell 13% compared with the same period in 2007

OPNet acquired Network Physics last year; the results show the company has handled the expansion well.

NetScout has just completed its acquisition of Network General. Judging by the revenue, the company seems to have successfully converted the original Sniffer customers.

Packeteer, acquired by Blue Coat, is missing from the list. Mergers and acquisitions have been frequent in the packet industry recently, and most people expect more to come soon.

Cisco posted record revenue, surpassing $10B in a quarter for the first time. Both its margin and its revenue beat expectations. It is impressive that the packet giant keeps growing strongly despite the economic worries.

 

(stock price chart for the last 4 days)

Comparing the trends over the last 4 days (I added F5, RiverBed, NetScout and NetApp to the watch list), the only one growing strongly is NetScout. All the other vendors' prices are stuck in the mud. RiverBed in particular jumped 15% after its earnings call, yet just 72 hours later the price is now lower than it was before the results were announced.

Jul 28


Storage networking company Brocade Communications Systems Inc. last week agreed to acquire Foundry Networks Inc., a maker of enterprise LAN technology, for about $3 billion in cash and stock.

Foundry, a specialist in enterprise Ethernet LANs, has 1,100 employees. The company did not disclose how many staff will be laid off.

The acquisition is meant to combine the two companies' strength to take on Cisco. Until now Cisco has been the only company with both the vision and the technology to build an FCoE (Fibre Channel over Ethernet) unified fabric; Brocade has had the FCoE vision but not the Ethernet products. Once the acquisition completes, there will be two vendors in the market with both FCoE and Ethernet solutions.

Jul 28

If you have an iPhone, you may already have played with Remote, the application Apple released to control Apple TV and iTunes directly from an iPhone or iPod touch. If you have not tried it, I suggest you download it from the App Store; it is free and very easy to use.

In theory the remote control has no distance limit: even at the office you could control your home iTunes in real time. How is it implemented? Is it magic? Let's look at the actual packets.

My iPhone has the LAN address 172.16.0.102 and the iTunes PC 172.16.0.106. When Remote starts, it sends a multicast DNS packet to 224.0.0.251. This is a multicast, which means all devices and computers in the same group hear the packet.

A computer with iTunes installed replies when it receives the multicast query. The reply is also a multicast DNS response, carrying information about the iTunes version and capabilities.

One of the replies gives the iTunes service port, TCP 3689 by default. The iPhone then connects to iTunes and speaks a protocol closely resembling the Digital Audio Access Protocol (DAAP); more information about DAAP can be found at http://en.wikipedia.org/wiki/Digital_Audio_Access_Protocol

The iPhone also sends a few broadcast packets at the same time that can be ignored; they do not appear to serve any purpose here.


We are not going to dig into the protocol specification here, but even a rough look at the packet payloads shows that the protocol is carried over HTTP.

The login sequence is as below:

iPhone -> iTunes : GET /server-info HTTP/1.1
iTunes -> iPhone : HTTP/1.1 200 OK
iPhone -> iTunes : GET /login?pairing-guid=* HTTP/1.1
iTunes -> iPhone : HTTP/1.1 200 OK

After login, iTunes and the iPhone exchange some library information. If you play a song remotely on iTunes, many requests under /ctrl-int are involved.
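The discovery step described above, as an added example that is not code from the post or from Apple: one function builds the mDNS query the phone multicasts to 224.0.0.251:5353, another builds the kind of answer an iTunes host returns (a PTR record naming the instance and an SRV record carrying host and port), and a small parser pulls the port out of the SRV record. The service name `_daap._tcp.local`, the instance name and the host name are assumptions for the example; the wire format (RFC 1035 DNS messages, compression pointers included) is standard.

```python
"""Added example (not from the original post): the mDNS exchange behind
iTunes discovery, built and parsed by hand so the bytes are visible."""
import struct

MDNS_GROUP, MDNS_PORT = "224.0.0.251", 5353
TYPE_PTR, TYPE_SRV, CLASS_IN = 12, 33, 1
SERVICE = "_daap._tcp.local"          # assumed service name for the example


def encode_name(name):
    """'a.b.local' -> 01 'a' 01 'b' 05 'local' 00 (no compression)."""
    return b"".join(struct.pack("B", len(l)) + l.encode()
                    for l in name.split(".")) + b"\x00"


def decode_name(msg, off):
    """Return (name, next_offset), following compression pointers."""
    labels, jumped, end = [], False, None
    while True:
        n = msg[off]
        if n & 0xC0 == 0xC0:                         # pointer to earlier name
            ptr = struct.unpack_from("!H", msg, off)[0] & 0x3FFF
            if not jumped:
                end = off + 2
            off, jumped = ptr, True
            continue
        off += 1
        if n == 0:
            break
        labels.append(msg[off:off + n].decode())
        off += n
    return ".".join(labels), (end if jumped else off)


def build_query(service=SERVICE):
    """One-question mDNS query: 'who provides <service>?'"""
    header = struct.pack("!HHHHHH", 0, 0, 1, 0, 0, 0)
    return header + encode_name(service) + struct.pack("!HH", TYPE_PTR, CLASS_IN)


def build_response(service, instance, host, port):
    """Authoritative answer with a PTR to the instance and an SRV giving
    host:port. The SRV owner name is a pointer back into the PTR rdata,
    as real responders do, so the parser has to handle compression."""
    header = struct.pack("!HHHHHH", 0, 0x8400, 0, 2, 0, 0)   # QR|AA, 2 answers
    msg = header + encode_name(service)
    ptr_rdata = encode_name(instance + "." + service)
    msg += struct.pack("!HHIH", TYPE_PTR, 0x8001, 4500, len(ptr_rdata))
    instance_off = len(msg)
    msg += ptr_rdata
    srv_rdata = struct.pack("!HHH", 0, 0, port) + encode_name(host)
    msg += struct.pack("!H", 0xC000 | instance_off)             # compressed name
    msg += struct.pack("!HHIH", TYPE_SRV, 0x8001, 120, len(srv_rdata)) + srv_rdata
    return msg


def find_service_port(msg):
    """Walk an mDNS message and return (instance, host, port) from the
    first SRV record, or None if there is none."""
    _, _, qd, an, ns, ar = struct.unpack_from("!HHHHHH", msg, 0)
    off = 12
    for _ in range(qd):                               # skip question section
        _, off = decode_name(msg, off)
        off += 4
    for _ in range(an + ns + ar):
        name, off = decode_name(msg, off)
        rtype, _, _, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        if rtype == TYPE_SRV:
            _, _, port = struct.unpack_from("!HHH", msg, off)
            host, _ = decode_name(msg, off + 6)
            return name, host, port
        off += rdlen
    return None


if __name__ == "__main__":
    answer = build_response(SERVICE, "Living Room", "itunes-pc.local", 3689)
    print(find_service_port(answer))
```

A real client would `sendto()` the query on a UDP socket to `(MDNS_GROUP, MDNS_PORT)`, read answers on port 5353, and then open a TCP connection to the SRV host and port (3689 here) to send the `GET /server-info` and `GET /login` requests shown above. Note that the group address 224.0.0.251 is link-local scope: routers do not forward it, which matters for the distance question raised at the top of the post.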

The implementation is compact and efficient. One caveat for the "no distance limit" idea above: discovery relies on multicast DNS, and 224.0.0.251 is a link-local group that routers do not forward by default, so the iPhone and the iTunes machine have to be on the same network (or something has to relay the announcements) before the direct TCP connection can follow.

Jul 25

The iPhone 2.0 firmware arrived about 2 weeks ago, good news for all Apple fans. And once the Dev Team released its unlock tool for the iPhone, it became good news for packet fans too.

Applying PwnageTool gives you access to many applications that will never be seen in Apple's App Store, including:
tcpdump - the famous packet capture tool
ngrep - a packet payload search tool
nmap - the excellent network scanner
and many more

The iPhone hacker team also ships libpcap, the de facto packet capture library, for the iPhone. This is really amazing: it simply turns the iPhone into a network packet processor on its Wi-Fi interface.

So be aware that the young guy with an iPhone standing next to you might be a hacker equipped with a handheld sniffer and scanner. Hackers anywhere :)

Jul 23

 

As you may know, Snort, the best-known open source IDS (intrusion detection system), is now promoting Snort 3.0. The new release is still in beta, but judging by the posted design and description, the open source giant intends it to be a general platform for all packet-based software.

Snort 3.0 emphasizes low-level native support for IPv6, MPLS and GRE. This gives carrier users a chance to put Snort into the newest wired and wireless data networks, and for a platform it is necessary.

Inline Snort was previously a separate project; the inline feature is now integrated into Snort 3.0 as a standard offering. The multi-threaded, subsystem-based architecture shows an ambition to let third-party plugins and components port to it easily.

So Snort 3.0 is actually called SnortSP 3.0, which stands for Snort Security Platform.

As Linux unified the core of many operating system distributions, can SnortSP 3.0 unify the core of security systems?

Keep walking…

Jul 23

 

From some historical data I found the Network General revenue reports. Over the 5 years 1992~1997, Network General's revenue grew from $64M to $240M. Now Solarwinds has filed for an IPO, and its filing mentions revenue of more than $60 million. Will Solarwinds be another NGC and take off like a rocket?

(chart: Network General revenue, 1992~1997)

Jul 15

 

10G is not a new term: it stands for a link carrying 10 gigabits per second, whether 10 Gigabit Ethernet or an OC-192 POS link. A few customers have already deployed 10G in their backbones, and the price per 10G port is becoming affordable.

High traffic volume means many packets. At 10G, one direction can carry almost 15 million packets per second; that is the worst case, with minimum-size 64-byte frames, once the 20 bytes of preamble and inter-frame gap that every frame also occupies are counted. Most x86-based systems are not ready to process more than 10 million items per second, so providing an analysis solution for 10G is a nightmare for most packet analysis vendors.

The packet analysis companies are now taking on the challenge; their solutions are mainly for 10 Gigabit Ethernet.

NetScout released a 10GE probe around 1 or 2 years ago based on its Gigabit probe platform. It can process around 1 million packets per second, which works out to roughly 5~8 Gbit/s of traffic under real network conditions with a large average packet size. With small packets, such as a SYN flood, the same 1 Mpps budget is exhausted at around the 1 Gbit/s level.
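The packet-rate arithmetic behind the two preceding paragraphs, as an added example (not from the original post): on Ethernet each frame also costs 8 bytes of preamble/SFD and a 12-byte inter-frame gap, so a 64-byte frame occupies 84 byte-times on the wire. That is where "almost 15 Mpps at 10G" comes from, and it is why a probe with a 1 Mpps budget keeps up with large frames but not with a SYN flood. The RFC 2544 frame sizes are the usual test points; the 1 Mpps figure is the one quoted in the text.

```python
"""Added example (not from the original post): line-rate packet counts and
what a packets-per-second budget buys at each frame size."""

PREAMBLE_SFD, IFG = 8, 12                 # Ethernet per-frame overhead, bytes
RFC2544_SIZES = (64, 128, 256, 512, 1024, 1280, 1518)


def wire_bits(frame_bytes):
    """Bits a frame really occupies on the wire, overhead included."""
    return (frame_bytes + PREAMBLE_SFD + IFG) * 8


def line_rate_pps(link_bps, frame_bytes):
    """Maximum frames per second a link carries at one frame size."""
    return link_bps / wire_bits(frame_bytes)


def throughput_bps(pps_budget, avg_frame_bytes, link_bps):
    """Traffic (bit/s) an analyzer limited to pps_budget keeps up with,
    capped at what the link itself can deliver."""
    return min(pps_budget * wire_bits(avg_frame_bytes), link_bps)


def keep_ratio(pps_budget, link_bps, sizes=RFC2544_SIZES):
    """Per frame size: share of a line-rate stream the analyzer can process
    (1.0 = no loss). Anything below 1.0 means the probe drops packets."""
    return {s: min(1.0, pps_budget / line_rate_pps(link_bps, s)) for s in sizes}


def min_frame_for_line_rate(pps_budget, link_bps):
    """Smallest average frame size (bytes) at which pps_budget is enough."""
    return link_bps / (8 * pps_budget) - PREAMBLE_SFD - IFG


if __name__ == "__main__":
    print(f"10G worst case: {line_rate_pps(10e9, 64):,.0f} pps")
    print(f"1 Mpps probe, 64-byte SYNs: {throughput_bps(1e6, 64, 10e9) / 1e9:.2f} Gbit/s")
    print(f"1 Mpps probe, 800-byte avg: {throughput_bps(1e6, 800, 10e9) / 1e9:.2f} Gbit/s")
    print(f"average frame needed for line rate at 1 Mpps: {min_frame_for_line_rate(1e6, 10e9):.0f} bytes")
    for size, ratio in keep_ratio(1e6, 10e9).items():
        print(f"  {size:4d} bytes: keeps {ratio:.1%}")
```

With a 1 Mpps budget, a SYN flood of 64-byte frames is handled only up to about 0.67 Gbit/s, an 800-byte average gives about 6.6 Gbit/s (inside the 5~8 Gbit/s the text quotes), and the probe only reaches full 10G line rate once the average frame is about 1230 bytes.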

Network General earlier launched a 10GE portable analyzer, but the product was almost just for show, with few real customer cases. Incidentally, Network General developed many “just for show” products, such as a Sniffer Wireless for PDAs and a web performance management product back in 2000.

A Japanese vendor called ClearSight offers a 10 gigabit capture box that can be called the first packet analysis product really designed for 10G. It captures packets at line rate and offers mainly offline analysis. For forensic use the product may be useful; however, lacking real-time expert systems and protocol inspection, it does not support live traffic analysis at 10G very well.

After that, Network Instruments and WildPackets entered the 10GE area in their own ways. Around 7 years ago both were software-only vendors; they moved toward hardware/appliances once software-only revenue stopped growing fast. Network Instruments went straight into the traffic storage market with its Gigastor product line, which has been successful, and the OEM partnership between NetQoS and Network Instruments has strengthened Gigastor's market share.

WildPackets focused on wireless at first, and its wireless analysis product brought it a good revenue stream and reputation. The wireless analysis market grows slowly, however, so WildPackets now emphasizes traffic storage and analysis, with several important releases in a product line called Omnipliance.

Like Network General, both Network Instruments and WildPackets have their strength in analysis, with many decoders and expert systems, and that depth is exactly what makes their systems slow. Their products give a good real-time view of a 10GE environment, but they cannot deliver the same user experience at 10G that they do on lower-bandwidth networks.

To date there is no perfect packet analysis solution for 10G; the coming WildPackets SuperCore may be worth watching for its actual performance. But limited by bus speed and analysis complexity, analysis software on a high-end server still does not point to a great future for 10G packet analysis.

A few FPGA/ASIC players have entered this market as well. Endace, a New Zealand company, provides 10G capture cards that offload work from the x86 CPU. GigaMon provides a one-to-many distribution solution that spreads the analysis work across multiple machines. Napatech, formerly Xyratex, recently announced a 20G pattern matching card alongside its well-known multi-port gigabit/10G analysis cards.

Eventually 10G analysis will become real and common; let's wait and see how long that takes.

Jul 02

The network management and application performance management vendor PacketBone has released a new style of network analysis product.

July 1, 2008 — The network management and application performance management vendor PacketBone today releases a new product called BoneLight.

PacketBone claims the product starts a revolution in network analysis. BoneLight does not rely on a traditional standalone GUI to analyze traffic; instead, it integrates deeply into Microsoft Windows and Office to provide analysis features inside the operating system itself.

BoneLight converts trace files among libpcap/WinPcap, Cisco IDS traces, Sniffer Pro cap, WildPackets pkt and Observer bfr formats; Wireshark and Endace DAG ERF are supported as well. It can also convert a trace file into an Excel xlsx/xls result, a brand new experience for network analysis people.

BoneLight is not only a trace file tool; it also helps network people communicate and collaborate while troubleshooting. The integrated Outlook preview handler lets people using email and Exchange see the traffic and add their ideas about it directly inside Office.