How Can You Screw up a Network?
aztektum asks: "Like a lot of Slashdot readers, I have set up my own home network. It isn't tricked out with all the fanciest hardware, but I do have a switch, a BSD-based firewall, I have configured e-mail (again on BSD), NFS and Samba, as well as remote access services like SSH and FTP. Now my line of work isn't networking or computer related at all. This is a personal hobby and a fairly new one for me (relatively speaking compared to others). I'm looking to learn more about managing problems with networks, but have no idea where to start. With such a small setup and only supporting two users (myself and a roommate) this isn't exactly enterprise level with enterprise level ups and downs. What are some ways I can screw up my network to troubleshoot problems and gain some insight? Also, what are some reference materials that you have found to be educational with relation to network administration?"
2 dhcp servers (Score:2)
Better Yet, (Score:3, Funny)
Yes, I've seen it done.
Re:2 dhcp servers (Score:2)
Multiple dhcp servers is sensible.
Your roommate's computer (Score:3, Funny)
When done right, it will take a VERY long time for your roommate to realize why the network isn't working quite right.
Re:Your roommate's computer (Score:1)
Re:Your roommate's computer (Score:3, Funny)
Reference Materials (Score:3, Funny)
This [amazon.com] should help with Windows networks.
Re:Reference Materials (Score:1)
Re:Reference Materials (Score:1)
Re:Reference Materials (Score:1)
I'd probably just go for something strong and undiluted. (If it weren't for the fact that I don't drink alcohol.)
Re:Reference Materials (Score:1)
This problem can be fixed with a screwdriver, but I am all out of orange juice.
Re:Reference Materials (Score:2)
Linksys router (Score:2)
Re:Linksys router (Score:2)
Re:Linksys router (Score:2)
Troubleshoot? (Score:1, Insightful)
Well, if you're the one who deliberately screwed it up in the first place you'd pretty much have to be an Alzheimer's victim for it to require "troubleshooting".
Real advice: Ask someone else to screw it up for you.
Re:Troubleshoot? (Score:1)
And by posting on AskSlashdot, you probably have hundreds of thousands in the volunteer pool.
Clone some ethernet NICs (Score:3, Informative)
Give us access (Score:3, Funny)
That is bound to screw *something* up sooner or later.
Screw up networks (Score:4, Funny)
Install solaris 2.6 or 2.7, default install (full + OEM). Don't patch anything. Don't close any service.
Ditch the firewall.
Wait 10 minutes.
Presto.
But seriously, with a network that simple, the only problems you are likely to encounter are mis-configuration on the firewall and physical (wiring) trouble.
Re:Screw up networks (Score:2)
Humor (Score:4, Funny)
-You should have hosted a site on it and posted the link.
-Go buy some new Sony CDs
I couldn't decide which response was funnier, so you get them both.
Slashdot Effect (Score:3, Funny)
Duh.
Re:Slashdot Effect (Score:2)
My site [127.0.0.1]
Not any different... (Score:1)
Be wary of Vacuums! (Score:2)
That adage holds true to this day. Particularly if you have a roommate (or in my case a daughter), that happens to plug a vacuum into an overloaded electrical circuit. A breaker will trip, your servers/network will go down, and you'll ultimately learn the importance of UPS'es.
Unless of course, you're lucky enough to be off-grid.
In which cas
Re:Be wary of Vacuums! (Score:2)
Reminds me of a problem I had with NT for a while. I would come in to work in the morning and a large fraction of the time see the blue screen of death. Eventually I figured out that it happened when Norton Anti-Virus was starting an autoscan. Every time the autoscan started, up came the blue screen. If I ran it manually it behaved fine.
Re:Be wary of Vacuums! (Score:2)
Re:Be wary of Vacuums! (Score:2)
My little brother blew a UPS by plugging a vacuum cleaner into it.
--LWM
Re:Be wary of Vacuums! (Score:2)
Easy way (Score:2)
Take an electrical cord and cut it in half. Take an ethernet cord and do the same. Connect the live and ground wires from the electrical cord to any of the wires in the ethernet cord. Plug the ethernet cord into your switch and then plug the electrical cord into your router. You'll quickly get a screwed up network.
P.S. If you actually do this, don't blame me for any of the consequences.
Re:Easy way (Score:2, Funny)
Re:Easy way (Score:2)
* A PIX.
* A no-name switch.
* An Intel on-board NIC.
* An Apple iMac (the original) NIC.
I wired the cable such that every other pin was hot, and the rest were ground. You'd think it would at least cause some trouble, but it didn't.
Re:etherkiller myths (Score:3, Interesting)
Re:etherkiller myths (Score:2)
The next time you run into an issue like this get an isolating transformer, two switches with fiber ports, and a short length of fiber. Problem solved. People like to think fiber is expensive. It isn't.
More shops should use fiber. Once in place fibe
Re:etherkiller myths (Score:2)
Oh, yes. Whatever was going on there indicated a serious problem. Each wing of the building was on a single phase of the 3-phase building supply. Each wing was isolated by a little walkway between the buildings, so in theory you couldn't have a secretary touching the chassis of a PC in one building at the same time as one in another building. They never counted on a bunch of shielded twisted pair cables being pulled to complete the circuit. The only NIC
stupid ideas (Score:1)
mess your local DNS up and install some software like a proxy.
install a windows box and don't patch up and put it in the DMZ and then once it's good and infected you will have lots of traffic to track down
fact of the matter is, if you know what you're doing your network isn't going to be that bad. I talk to people all day at the enterprise level and see issues that can be nobo
Google (Score:1)
just a few thoughts (Score:3, Interesting)
Run an ethernet cable (yours perhaps) next to a space heater/box fan/large electric motor of your choice. Periodically turn that motor on and off. Instant link loss due to a spike on the line. WARNING, this one could jack up your switch/computer so be sensible.
If you are really green, give your roommate and your computer the same IP.
Take a short ethernet cable and untwist it (take it out of its shielding and untwist the wires). Put it back together in various ways and see how fast/slow your download rates become.
Re:just a few thoughts (Score:2)
While this might BRIEFLY cause the NIC's link detection to fail (not likely), it will have little to no effect on data transfer through the line.
10/100/1000BaseT uses differential signaling for a reason.
Re:just a few thoughts (Score:2)
Re:just a few thoughts (Score:1)
Run an ethernet cable (yours perhaps) next to a space heater/box fan/large electric motor of your choice. Periodically turn that motor on and off. Instant link loss due to a spike on the line. WARNING, this one could jack up your switch/computer so be sensible.
You need really poor equipment for that to be effective. Ethernet signals are differentially signalled, and the PHY should be subtracting the common mode noise to improve reliability. I deal with big electric motors all the time (50-500HP) and
I can screw it up! (Score:1)
Re:I can screw it up! (Score:1)
Re:I can screw it up! (Score:2)
Thanks
You are welcome. The bill is in the mail.
the AC
How to screw up your network... (Score:2)
Build and use one of these guys [fiftythree.org]. That should do the trick.
Just wait, it'll screw itself up. (Score:5, Informative)
Always keep good backups. If someone comes to you and says they deleted an important file last week, be able to get it back without a full restore. Also, be able to do a full restore of a server, and know it'll work. If the server catches fire, have a plan to replace it within the hour.
Make some ethernet cables. Buy some raw cable, and end plugs, and put them together the right way. The ordering is very important. Not only must each end match, but the color coded twisted wire pairs must be arranged in a certain, non-obvious way or else you'll experience severe noise and crosstalk problems.
Mix older (bargain) gigabit hardware, different brands. Some card-switch or switch-switch combinations have slightly hard to diagnose problems. If you ping, you'll have zero packet loss. But if you transfer a file, sometimes speed will drop down to 20kb/s or so, and it'll only happen in one direction. I've seen buggy drivers cause this too. When packets are sent in rapid sequence, every other packet is lost, and the send window shrinks until it's sending only one packet at a time, and waiting for an ack before sending the next.
Get a really, really long ethernet cable and use it to plug a windows pc to a switch. Let it autodetect the speed. If it's long enough, it'll still detect 100mbit or 1 gigabit, and then fail to connect. You'll have to force it to 10mbit, or get better cabling, or use a switch, hub, or some other repeater to break it into two short connections.
Again, get a really long ethernet cable, and put a sharp kink in it. You do this by making a small loop, then trying to force it straight by pulling instead of carefully undoing the loop. Line quality will suffer dearly, even though you may still be able to connect. The best fix is often to buy a new cable. Any sort of sharp bend will cause problems.
Have fun with Windows name resolution. Windows PC's seem to be able to find each other pretty well just using WINS or broadcasts, but only after checking DNS first, which goes out to your ISP's servers if you don't have your own DNS server(s) set up. These requests tend to fail almost immediately without delay, so the issue can go unnoticed. This allows your network to be hacked a bit more easily from the outside, and also allows internet problems to translate into delays in local name resolution. This sort of problem is easy to create and easy to fix, and plagues some small businesses that lack experienced or knowledgeable IT staff.
Re:Just wait, it'll screw itself up. (Score:1)
Used to be if you did "ssh user@bob" where bob was a local machine in your local DNS server, Linux would do "AAAA bob." (notice the dot on the end) which would get sent to the root DNS servers asking for a TLD named bob. Then it would do "A bob.", another root query that would always fail. Finally it would add your search domain and do "AAAA bob.yourdomain.com.", which would also fail because no one runs IPv6. Then it would finally do the right thing and do "A bob
Re:Just wait, it'll screw itself up. (Score:1)
Re:Just wait, it'll screw itself up. (Score:1)
Re:Just wait, it'll screw itself up. (Score:2)
ARP matches IP addresses (not names) to MAC addresses.
Too bad AC'
build a DNS server (Score:2)
The problem with managing problems... (Score:3, Informative)
Is you need more nodes and more complexity -- your network is too simple, so there is fairly little that can go wrong compared to real networks.
Try reinstalling and switching your systems' OSes, especially the BSD firewall's -- provided your hardware and wiring are good, the OS is the most likely thing to mess up anyways.
I.E. Are you sure BSD is the best OS to use for that firewall? Maybe trying to run the firewall off of VMS or something else could have interesting results.
Increasing the demand on your network is the main thing; if you don't get to have problems, you can always try to tune for performance, stability, security, by switching things around and changing configurations --- try to find as many configurations that work as possible and figure out what works best.
Figure out the way to add as many units as possible and to make the network arrangement as complex and spread out as possible --- the more complexity, the more devices, nodes, etc, involved -- the more likely _something_ will go wrong; find a way to get 3 or 4 windows machines in there with serious demands on them, and something's almost certain to break.
WiFi (Score:2)
Cable tricks and other tricks (Score:4, Interesting)
Two DHCP servers on the same LAN is fun.
Plug a crossover cable between two ports on your switch. See what happens (most should disable both ports, but some freak out).
Crimp your own ethernet cables. That leads to all kinds of fun the first few times you try it.
Meh.. I'm not good at breaking stuff, that's all I can think of.
Re:Cable tricks and other tricks (Score:3, Interesting)
I have a box of subtly bad ethernet cables from a reputable commercial source (it's now marked "special cables for special lusers"), nice molded strain reliefs with tab protectors.
Normal straight through ethernet cables are wired like this:
1->1
2->2
3->3
6->6
These cables are wired similar to:
1->1
2->2
3->6
6->3
There are also some crossovers with similar polarity problems.
With just one of the directions having the wrong polarity, depending on which brands of NIC
Try building a firewall script... by hand... (Score:4, Interesting)
The first time I tried to set up a really locked down network (i.e. better than a NAT by allowing specific outgoing traffic only) I screwed up royally. Actually, I still would have significant difficulties without a good GUI.
For a crash course in the difference between UDP and TCP and how IP ports work and what NATs do, IMHO, there's nothing better than actually trying to create a "secure" firewall that still lets you do the stuff you normally expect. E.g. email, web, P2P (take your pick), streaming media, DNS resolution (which is way more complex than I would have imagined).
setup a honeynet and queueing (Score:3, Interesting)
guest account (Score:5, Interesting)
I have created "guest" account on my Linksys router three days ago. Someone from Romania discovered this account next morning. They downloaded some binary files and tried to run them. Idiots! Binaries were for i386 but Linksys router is MIPS
Re:guest account (Score:1)
UPS (Score:2, Funny)
Did anyone else read that as Uninterruptible Power Supply?
I actually pondered for a brief second on what a "down" was...
How do I screw up a network? (Score:5, Informative)
Your question is really "How do I introduce layer 1 and 2 problems into my home LAN, since all layer 3 routing is limited to a NAT box with a single default route?". The lower layers are a good place to start, since half of all your problems come from there, save the routing problems for a future ask/. question.
Others have already pointed out the joys of having dueling DHCP servers, subtly mis-configured DNS servers, overlength cables and the like. Keep an eye out for others throwing out bad ethernet cables with broken catch-tabs, frayed insulation, sharp kinks or intermittent wiring, and put them into critical places in your network. They may not fail right away, but will wait until you host a lan party at your place or you have a few hours to get a report done. Her name is Murphy, she's a bitch and she'll gladly pay you a visit when you least want her around.
Start to learn what kind of traffic is on your local network. Get ethereal, snort and ntop running, and see what the packets look like. Chances are you'll find some things that look suspicious, you'll learn a lot by figuring out how DHCP handshakes work, how often ARPs happen, what other protocols are on your net besides IP. Since you are running a BSD, you can pretty safely put the box on the outside of the firewall (it probably is the firewall) and watch all the constant crap scanning the internet. That's a great way to learn how to tune firewall rules by hand, and you will break things along the way.
To really start to learn how layer 2 networking almost works, grab some old cisco kit off of eBay. I've seen 2900 switches for US$20. Plug something slightly pro into your network, start simple, just get a cheap used cisco/hp/3com switch off eBay that can do 802.1q vlans, spanning-tree, and snmp. Your BSD ethernet card can be configured to do
To break things in subtle and non-obvious ways, try changing your address ranges from the usual 192.168.0.0/24 to something unusual like 172.31.255.16/29, doing the netmask/subnet/broadcast calculations in your head for practice. Then misconfigure the netmasks on each device, notice how one machine can ping another, but not the other way around. Try building multiple separate segments rather than multiple subnets on a single wire, this will force traffic to use your router, and really show netmask problems more clearly.
To really break things, instead of using reserved RFC1918 addresses behind your NAT box, use a public network range like 66.35.250.0/24. Sure, it will break one major site, but you shouldn't be wasting your time there
Since you already have a BSD running, do you leave it on 24/24? If so, it's time to start loading up the real tools like cacti [cacti.net], nagios [nagios.org], and smokeping [ee.ethz.ch]. It helps if you have an SNMP capable switch on your network, but configuring your own SNMP [sourceforge.net] can be quite a learning experience as well. With graphs showing what is happening on your net and the internet over time, you will start to see the cycles of congestion every evening and maintenance times every sunday at wee hours. The most frustrating problems in networkin
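An added example, not part of the comment above: a small Python audit for the netmask exercise it describes. It works out the 172.31.255.16/29 numbers, checks whether a range is RFC1918 space, and reports where two hosts disagree about reaching each other directly. The host names and per-host addresses are constructed for illustration.

```python
import ipaddress
from itertools import combinations

RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample: the LAN is meant to be 172.31.255.16/29, but two
# machines were given a /28 mask by mistake.
HOSTS = {
    "desktop": "172.31.255.18/29",
    "laptop": "172.31.255.23/28",
    "server": "172.31.255.26/28",
}

def describe(cidr):
    """Network, mask, broadcast and usable host range of a CIDR block."""
    net = ipaddress.ip_network(cidr)      # raises ValueError if host bits are set
    hosts = list(net.hosts())
    return {"network": str(net.network_address), "netmask": str(net.netmask),
            "broadcast": str(net.broadcast_address),
            "first": str(hosts[0]), "last": str(hosts[-1]), "usable": len(hosts)}

def is_rfc1918(cidr):
    """True only if the whole block lies inside reserved private space."""
    net = ipaddress.ip_network(cidr)
    return any(net.subnet_of(block) for block in RFC1918)

def next_hop(src, dst):
    """How a host configured as `src` (ip/prefix) sends to `dst`:
    'direct' = ARP for it on the local wire, 'gateway' = use the default route."""
    s, d = ipaddress.ip_interface(src), ipaddress.ip_interface(dst)
    return "direct" if d.ip in s.network else "gateway"

def audit(hosts):
    """Report host pairs whose masks give them different views of each other."""
    findings = []
    for (a, a_if), (b, b_if) in combinations(sorted(hosts.items()), 2):
        ab, ba = next_hop(a_if, b_if), next_hop(b_if, a_if)
        if ab != ba:                      # one side ARPs, the other routes
            findings.append(("asymmetric", a, ab, b, ba))
        for viewer, v_if, target, t_if in ((a, a_if, b, b_if), (b, b_if, a, a_if)):
            net = ipaddress.ip_interface(v_if).network
            ip = ipaddress.ip_interface(t_if).ip
            # The target's address is the viewer's network or broadcast address.
            if ip in (net.network_address, net.broadcast_address):
                findings.append(("reserved", viewer, target, str(ip)))
    return findings

if __name__ == "__main__":
    print(describe("172.31.255.16/29"))
    for cidr in ("192.168.0.0/24", "172.31.255.16/29", "66.35.250.0/24"):
        print(cidr, "RFC1918" if is_rfc1918(cidr) else "public: shadows real hosts")
    for finding in audit(HOSTS):
        print(finding)
```

An "asymmetric" finding means the two hosts take different paths to each other; a "reserved" finding means one host's address is the other's network or broadcast address.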
Combine your ssh remote login with poor passwords (Score:4, Informative)
Another thing you could do to allow attackers to gain access is to completely ignore security bulletins and never install updates.
Depends... (Score:2)
If you want to get beyond that (CCNP or CCIE), you need some real network gear (i.e., real routers and switches). I'm not saying that Cisco certs are the end-all of network knowledge, but if your goal is to really learn about networks, then they're good guideposts.
Another fine thing to digest is Stevens' classic
Easiest Way To Screw It Up. (Score:1)
Start from the bottom, and work your way up. (Score:5, Informative)
You want to know what makes a network tick? Start from the bottom and work your way up. That is, follow the OSI Protocol Stack Model, and start from Layer 1, the Physical Media, and learn why it is that Ethernet (or your choice of PHY) works the way it does. Then move up to Layer 2, the Data Link Layer, which in the case of Ethernet would be CSMA/CD, then move up to Layer 3, the Network Layer, which in most cases these days is TCP/IP (though TCP/IP really sort of covers Layer 4, the Transport Layer, as well).
Allow me to suggest the many excellent books by O'Reilly that will tell you everything you need to know.
Do not use the Cisco or Microsoft books. While most of the information there will be correct, some of it will be specific to Cisco and Microsoft's proprietary implementations. I feel it is always best to learn the generic, standardized protocols before branching out into proprietary protocols.
Check out these books from your library, or buy them. Used or new doesn't really matter all that much, as the basic protocols have not changed much in the past 15 years or so.
1. O'Reilly - Ethernet: The Definitive Guide
2. O'Reilly - Internet Core Protocols: The Definitive Guide
3. O'Reilly - TCP/IP Network Administration
4. O'Reilly - Building Internet Firewalls
That will get you started. Then, you might want to know something about other types of networks:
5. O'Reilly - 802.11 Wireless Networks: The Definitive Guide
6. O'Reilly - T1: A Survival Guide
With those six books, you'll have a solid grounding in how networks network, and how internetworks, internetwork. Once you have that, you'll have a pretty good idea of how to screw up a network. You'll also have a pretty good idea of what more advanced topics you'd like to know more about.
One old book that is out of print and difficult to find that I highly recommend is Inside AppleTalk, 2nd. Edition, from Addison-Wesley. It's the definitive book for AppleTalk, and you might want to know about AppleTalk, even though it is falling out of favor.
Re:Start from the bottom, and work your way up. (Score:2)
Your response to overly complicated answers is to suggest that he read six books? Wow, I'd hate to have to deal with something that you actually find "complicated!"
Re:Start from the bottom, and work your way up. (Score:1)
Re:Start from the bottom, and work your way up. (Score:2)
And even though those books are
Different MTU (Score:2)
It is quite difficult to troubleshoot because simple pings, telnet, etc. work just fine. Any larger transfer that uses full-size ethernet packets will not work. The symptoms are.. interesting and erratic. "ls" on NFS drives works unless there are too many files. telnet usually works until something sends more than 1500 bytes in one go. ping works fine. arp works fine. nslookup works fine.
Another way: play packet WTF (Score:3, Insightful)
For the advanced version of the game, do something specific (bring a DHCP machine up; do an FTP transfer; surf a web site) and write down what you think goes on on the network. Then capture the packets and see how close you can get.
By learning what a network looks like when it's working normally, you'll have a much better chance of figuring out problems when they happen.
Create New instead of Edit (Score:1)
The main server was Netware 3.12 (I assume there are some people who remember that). Anyway during my first week, I had to go in to make a small change to the server's autoexec file (autoexec.cnf?). To cut what could be a long story short, I created a new file rather than edited the current one.
Needless to say things didn't quite work after that. It took me about 1/2 an hour to make enough floppies fo
Answering a different question... (Score:2)
If your ultimate goal is to learn more about networking, then I'd say you can learn a lot by running a network analyser (ethereal is a very good gui tool which understand a lot of protocols. It can also read tcpdump files, which is handy).
Look
Staple your cables (Score:3, Interesting)
Just as simple as that.... In stapling up your cables to walls, joists, studs or whatever, drive a staple through the cable.
I did that at least two times while setting up my home network. The first one shorted out a pair, and the cable was fine as soon as I removed the staple. The second one apparently severed a conductor, but then bridged it. That cable worked just fine until I removed the staple.
Needless to say, I have since acquired a cable-safe staple gun. It has a wire guide on its tip (you straddle the cable with the guide and it keeps the cable out of the way of the outcoming staple) and it uses rounded staples.
Here's a few ideas (Score:2)
* Use the wrong netmask on your network on a few random devices (really hard to find if really done by accident)
* Create a bad static route at your firewall
Start a benchmarking service game giveaway. (Score:1)
post a java applet that measures bandwidth to your *clients* and list below the speedometer (which shows aggregate bandwidth used)
the highest sustained throughput for say the top 30 users.
then post it to slashdot and boing boing as a contest, with the top rated clients winning a nintendo revolution, xbox 360 and playstation3 dream system.
after the above (a hard days work) go to sleep and when you wak
Real problems I've run into (Score:2)
Another customer had installed CAT5 cabling. No jacks; he terminated it with plugs. NICs would link up, you could ping anything all day long, but as soon as you tried to do anything that put a load on the netwo