Nah, don't worry.

If no firewalls are present, UDP spoofing is trivial anyway,
so you are not making the UDP gmond comms materially less secure.

kind regards,
richard

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
Adeyemi Adesanya
Sent: 08 May 2006 18:32
To: [EMAIL PROTECTED]
Cc: ganglia-developers@lists.sourceforge.net; Steven A. DuChene;
Yaroslav Halchenko
Subject: Re: [Ganglia-developers] Host spoofing for SNMP



Positive response from folks so far!
Sounds like we should see this feature in an upcoming release.

Does anyone have any concerns regarding possible abuse of this  
feature? Maybe I'm worrying over nothing. Gmond already has decent  
access controls to accept/deny messages from hosts. I'd probably pay  
greater attention to this in my configuration files to ensure that  
unauthorized spoof messages don't get processed.

-------
Yemi

On May 8, 2006, at 3:20 AM, Martin Knoblauch wrote:

> Yemi,
>
>  COOL. I have seen others comment on it. When you are ready with the
> "final" patch just open a bugzilla entry and attach the patch to it
> (diff -udpr). Post the bugzilla # and someone will take care of the
> thing.
>
> Martin
>
> --- Adeyemi Adesanya <[EMAIL PROTECTED]> wrote:
>
>>
>> OK,
>>
>> To those of you who have been waiting for my Ganglia host spoofing
>> mod/hack - I'm sorry! Time to put the powers of open source
>> development to work. This modification of mine will allow you to send
>> gmetric messages on behalf of another host. This host may be real or
>> imaginary. No steps are taken to verify the host name and IP you
>> provide to gmetric!!!
>>
>> Example:
>>
>> gmetric --conf=/var/ganglia/gmond.conf --spoof=123.456.678.901:YemiAbstractDevice --name=speed --value=35 --units=mph --type=uint8
>>
>> Will cause recipient gmond daemons to insert the metric update under
>> the host name "YemiAbstractDevice" with the IP address
>> 123.456.678.901.
>>
>> This may prove to be invaluable for monitoring SNMP devices or 
>> anything else you cannot run gmond on directly.
>>
>> To implement this feature I added a spoof gmetric message structure
>> to the xdr protocol. The spoof data consists of the fake name and IP
>> address along with the regular gmetric data. Nothing fancy. When
>> gmond gets this message it uses the spoof data instead of taking the
>> info from the IP header. Once the data is inserted into the gmond
>> hash table it is indistinguishable. You can see this by querying the
>> XML port.
>>
>> This is a first attempt and I hope that we can revise and improve
>> this code in order to get it into a future release. We should
>> consider the security implications of this feature. I suggest you
>> restrict your users' access to this patched implementation for now.
>>
>>
>> Below are patches for the ganglia-3.0.3 source code files:
>>
>> lib/protocol.x
>> lib/libgmond.c
>> lib/ganglia.h
>> gmond/gmond.c
>> gmetric/gmetric.c
>>
>> Save the patches to patchfiles and use the patch command:
>>
>> patch <originalfile> <patchfile>
>>
>> The only other mod required is to gmetric/cmdline.sh. Just add the
>> following option line to this file and run gengetopt:
>>      option "spoof" S "IP address and name of host/device (colon separated) we are spoofing" string default="" no
>>
>> I think gmetric/cmdline.sh may only be available from the CVS source
>> tree.
>>
>> That's it. Recompile and try sending a spoof message to a modified
>> gmond. I look forward to your feedback. Let's see if we can get this
>> (or something like it) in an upcoming release.
>>
>> -------
>> Yemi
>>
>>
>>
>>
>> ===== Use the following to patch lib/protocol.x ========== 26a27,33
>>> /* Yemi */
>>> struct Ganglia_spoof_message {
>>>   string spoofName<>;
>>>   string spoofIP<>;
>>>   struct Ganglia_gmetric_message gmetric;
>>> };
>>>
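
Review bot: `spoofName<>` and `spoofIP<>` in `Ganglia_spoof_message` are declared without a maximum length, so the decoder accepts strings of any size the datagram can carry. Give both an explicit bound in the .x file (a textual IP address fits in a few dozen bytes, and host names have a known maximum) so oversized values are rejected at XDR decode time instead of reaching the host table.
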
>> 95c102,104
>> <    GANGLIA_NUM_25_METRICS /* this should always directly follow the
>>
>> last 25 metric_* */
>> ---
>>>    GANGLIA_NUM_25_METRICS, /* this should always directly follow
>> the last 25 metric_* */
>>> /* Yemi */
>>>    spoof_metric
>> 100a110,112
>>> /* Yemi */
>>>   case spoof_metric:
>>>     Ganglia_spoof_message spmetric;
>> ===== Use the following to patch lib/libgmond.c ========== 
>> 702a703,750
>>> // Yemi
>>> int
>>> Ganglia_gmetric_send_spoof( Ganglia_gmetric gmetric,
>> Ganglia_udp_send_channels send_channels, char* spoof_info)
>>> {
>>>   int len;
>>>   XDR x;
>>>   char gmetricmsg[1500];
>>>   Ganglia_message msg;
>>>   char *spoofName;
>>>   char *spoofIP;
>>>   char *buff;
>>>   int spoof_info_len;
>>>   int result;
>>>
>>>   spoof_info_len = strlen(spoof_info);
>>>   buff = malloc(spoof_info_len+1);
>>>   strcpy(buff,spoof_info);
>>>   spoofIP = buff;
>>>   if( !(spoofName = strchr(buff+1,':')) ){
>>>       fprintf(stderr,"Incorrect format for spoof argument.
>> exiting.
>> \n");
>>>       exit(1);
>>>   }
>>>   *spoofName = 0;
>>>   spoofName++;
>>>   if(!(*spoofName)){
>>>       fprintf(stderr,"Incorrect format for spoof argument.
>> exiting.
>> \n");
>>>       exit(1);
>>>   }
>>>   printf(" spoofName: %s    spoofIP: %s \n",spoofName,spoofIP);
>>>
>>>   msg.id = spoof_metric;
>>>
>>>   msg.Ganglia_message_u.spmetric.spoofName = spoofName;
>>>   msg.Ganglia_message_u.spmetric.spoofIP = spoofIP;
>>>   msg.Ganglia_message_u.spmetric.gmetric = *(gmetric->msg);
>>>
>>>   // memcpy( &(msg.Ganglia_message_u.gmetric), gmetric->msg,
>> sizeof
>> (Ganglia_gmetric_message));
>>>
>>>   /* Send the message */
>>>   xdrmem_create(&x, gmetricmsg, 1500, XDR_ENCODE);
>>>   xdr_Ganglia_message(&x, &msg);
>>>   len = xdr_getpos(&x);
>>>   result = Ganglia_udp_send_message( send_channels, gmetricmsg,
>> len);
>>>   free(buff);
>>>   return result;
>>>
>>> }
>>>
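
Review bot: In `Ganglia_gmetric_send_spoof` the results of `malloc` and `xdr_Ganglia_message` are never checked: `strcpy(buff,spoof_info)` runs on a possibly NULL `buff`, and if encoding fails (for example when the message does not fit in the 1500-byte `gmetricmsg`) whatever `xdr_getpos` reports is still sent. Check both and return an error; likewise return an error instead of calling `exit(1)` from library code, and drop the `printf` of spoofName/spoofIP or route it through the library's debug output. Two parsing details: `strchr(buff+1,':')` reads past the allocation when `spoof_info` is the empty string, and splitting on the first colon rules out IPv6 addresses.
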
>> ===== Use the following to patch lib/ganglia.h ========== 60a61,62
>>> // Yemi
>>> int Ganglia_gmetric_send_spoof( Ganglia_gmetric gmetric,
>> Ganglia_udp_send_channels send_channels, char* spoof_info); ===== Use

>> the following to patch gmond/gmond.c ========== 581c581
>> <
>> ---
>>> // Yemi
>> 583c583
>> < Ganglia_host_get( char *remoteip, apr_sockaddr_t *sa, 
>> Ganglia_message *fullmsg)
>> ---
>>> Ganglia_host_get( char *remIP, apr_sockaddr_t *sa, Ganglia_message
>>
>> *fullmsg)
>> 589c589,590
>> <
>> ---
>>>   char *remoteip = remIP;
>>>
>> 593a595,599
>>>
>>>   if(fullmsg->id == spoof_metric){
>>>       hostname = fullmsg->Ganglia_message_u.spmetric.spoofName;
>>>       remoteip = fullmsg->Ganglia_message_u.spmetric.spoofIP;
>>>   }
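
Review bot: In `Ganglia_host_get`, `hostname` and `remoteip` are taken straight from `spmetric.spoofName` and `spmetric.spoofIP` with no checks, so any sender that passes the receive ACL can create or overwrite metrics under any host entry, including hosts that run their own gmond. Before using them, verify that `spoofIP` parses as an address and that `spoofName` is a plausible host name, and consider a gmond.conf switch so that spoof messages are only honoured where the administrator has enabled them. Please also confirm that both strings are copied before `fullmsg` goes away, since they point into it.
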
>> 741a748,756
>>> // Yemi
>>> static Ganglia_metric *
>>> Ganglia_message_find_spmetric( Ganglia_host *host, Ganglia_message
>>
>> *message)
>>> {
>>>   /* Keyed on the name element of the gmetric sent */
>>>   return (Ganglia_metric *)apr_hash_get( host->gmetrics,
>>>                                  message- 
>>> Ganglia_message_u.spmetric.gmetric.name,
>>>                                  APR_HASH_KEY_STRING);
>>> }
>> 756c771
>> <
>> ---
>>>
>> 764a780,784
>>>   // Yemi
>>>   else if(message->id == spoof_metric)
>>>     {
>>>       metric = Ganglia_message_find_spmetric( host, message);
>>>     }
>> 787a808,812
>>>       // Yemi
>>>       if(message->id == spoof_metric)
>>>       {
>>>         metric->name = apr_pstrdup( metric->pool, message- 
>>> Ganglia_message_u.spmetric.gmetric.name );
>>>       }
>> 796c821,823
>> <   memcpy(&(metric->message), message, sizeof(Ganglia_message));
>> ---
>>>   // Yemi
>>>   if(message->id == spoof_metric){
>>>     // Store data as regular gmetric in hash table!!
>> 798c825,833
>> <   if(message->id == metric_user_defined)
>> ---
>>>       metric->message.id = metric_user_defined;
>>>       metric->message.Ganglia_message_u.gmetric = message- 
>>> Ganglia_message_u.spmetric.gmetric;
>>>
>>>
>>>   }else{
>>>       memcpy(&(metric->message), message,
>> sizeof(Ganglia_message));
>>>   }
>>>
>>>   if(message->id == metric_user_defined || message->id ==
>> spoof_metric)
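
Review bot: Storing the spoofed metric with `metric->message.id = metric_user_defined` discards the only marker that the value did not come from the host it is filed under, so nothing downstream can tell spoofed data from a host's own gmetric. Keep the origin with the stored metric, for instance a flag or the real sender address, so it can be logged or exposed to whoever reads the data.
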
>> ===== Use the following to patch gmetric/gmetric.c ========== 
>> 75c75,81
>> <   rval = Ganglia_gmetric_send(gmetric, send_channels);
>> ---
>>>   //Yemi
>>>   if(!strlen(args_info.spoof_arg))
>>>     {
>>>       rval = Ganglia_gmetric_send(gmetric, send_channels);
>>>     }else{
>>>       rval = Ganglia_gmetric_send_spoof(gmetric,
>> send_channels,args_info.spoof_arg);
>>>     }
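
Review bot: `if(!strlen(args_info.spoof_arg))` only works because the option is declared with `default=""`; if that default is ever dropped, `spoof_arg` is NULL and this dereferences it. Test `args_info.spoof_given` instead, which gengetopt generates for every option, and the empty default is no longer needed.
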
>> ==== end of patches =======
>>
>>
>>
>> _______________________________________________
>> Ganglia-developers mailing list 
>> Ganglia-developers@lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/ganglia-developers
>>
>>
>
> ------------------------------------------------------
> Martin Knoblauch
> email: k n o b i AT knobisoft DOT de
> www:   http://www.knobisoft.de
>
>



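
A stricter version of the `IP:name` split done in `Ganglia_gmetric_send_spoof`, given here as an added example that is not part of the posted patch or of Ganglia. `parse_spoof_arg`, `SPOOF_NAME_MAX` and the allowed name characters are assumptions; it splits on the last colon so IPv6 literals work, which goes beyond the first-colon split in the post.

```c
#include <arpa/inet.h>
#include <ctype.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#define SPOOF_NAME_MAX 253 /* assumed limit: longest DNS name */

/* Hypothetical helper (not in the patch): split "IP:name" and validate both
 * halves. Returns 0 and fills ip/name on success, -1 on malformed input. */
int parse_spoof_arg(const char *arg, char *ip, size_t iplen,
                    char *name, size_t namelen)
{
    unsigned char addr[sizeof(struct in6_addr)];
    const char *sep, *p;
    size_t ip_n, name_n;
    if (arg == NULL || ip == NULL || name == NULL)
        return -1;
    /* Host names never contain ':', so split on the last one; IPv6
     * literals such as "2001:db8::1" then survive intact. */
    sep = strrchr(arg, ':');
    if (sep == NULL || sep == arg)
        return -1;
    ip_n = (size_t)(sep - arg);
    name_n = strlen(sep + 1);
    if (ip_n >= iplen || ip_n >= INET6_ADDRSTRLEN || name_n == 0 ||
        name_n >= namelen || name_n > SPOOF_NAME_MAX)
        return -1;
    memcpy(ip, arg, ip_n);
    ip[ip_n] = '\0';
    /* The address half must parse as IPv4 or IPv6. */
    if (inet_pton(AF_INET, ip, addr) != 1 && inet_pton(AF_INET6, ip, addr) != 1)
        return -1;
    /* Keep the name to characters that are harmless in host tables and XML. */
    for (p = sep + 1; *p != '\0'; p++)
        if (!isalnum((unsigned char)*p) && *p != '-' && *p != '.' && *p != '_')
            return -1;
    memcpy(name, sep + 1, name_n + 1);
    return 0;
}

int main(void)
{
    /* Constructed inputs; the second uses the address from the post. */
    const char *in[] = { "192.0.2.10:Dev", "123.456.678.901:Dev" };
    char ip[INET6_ADDRSTRLEN], name[256];
    for (int i = 0; i < 2; i++)
        printf("%s -> %d\n", in[i], parse_spoof_arg(in[i], ip, sizeof ip, name, sizeof name));
    return 0;
}
```

The same checks belong on the receiving side as well, since gmond cannot assume that every sender used a validating gmetric.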