Bojie Li
2015-08-02
On July 28, 2015, a serious denial-of-service vulnerability (CVE-2015-5477) was disclosed in bind9, the most widely used DNS server in the world.
A bit of background knowledge: DNS is a service that maps domain names to IP addresses. When you visit google.com, your computer will ask the DNS server in your area, what is the IP address of google.com? If your neighbor happens to be visiting google.com, the DNS server will directly return its IP; otherwise, this DNS server will ask Google’s official DNS server, get the IP address of google.com, and return it to you. The DNS server in this area is called recursive DNS; if the recursive DNS is down, it will cause the area it serves to be unable to access the internet. Google’s official DNS server is called authoritative DNS; if the authoritative DNS is down, it will cause the websites it serves to disappear from the earth.
Figure: DNS Recursive Query
How serious is this vulnerability? A single UDP packet is enough to take down a DNS server. Whether it is a recursive DNS or an authoritative DNS, and no matter how bind9 has been configured, as soon as the bind9 process receives this packet it throws an exception and terminates the service.
2015-06-19
In mid-May, LUG held a white hat competition, conducting white hat vulnerability testing on campus websites, and awarded prizes based on the vulnerabilities found. The event went relatively smoothly, and hundreds of vulnerabilities in the campus network system were found within a few days. However, for some unknown reason, it attracted hackers.
In the early morning of May 31, alarms from the monitoring system broke the tranquility of the late night. Dozens of LUG servers failed unexpectedly one after another, and the shocking incident of the LUG servers being hacked began. From the second email that server administrator gyf sent to the Network Information Center on June 1, one can still feel the tense atmosphere of those days.
Sorted by the time each event first occurred:
It was later found out that the server was remotely logged in using my account. In mid-May, the hacker invaded my laptop with a virus spread through a USB drive, implanted a keyboard logger, and remotely controlled my browser to visit some web pages related to network intrusion through unknown means. Since my personal account has no access record and the Bitcoin wallet was not stolen, it is very likely that this was an Advanced Persistent Threat (APT) targeting LUG rather than me personally. In the following half month, the hacker did not make any rash moves, presumably collecting information about the LUG server through various channels. On the night of May 30, the hacker logged into a large number of servers with the server password stolen by the keyboard logger and inserted malicious kernel modules. The hacker also invaded the LDAP database, tampered with the password of an old member who had already left the school, and logged into the most strictly defended mirrors server. The hacker also stole the private key of a VPN user, accessed the server’s internal network, and further invaded servers that were not allowed to be accessed from outside the school.
What this malicious kernel module does seems simple: every time a file operation is performed, it randomly modifies one byte on the hard disk. This seemingly prank-like kernel module lets the server run normally right after the intrusion; only when key data has been destroyed are system anomalies noticed, and by then a large amount of user data and system files have already been corrupted. When the administrator tries to scan and repair the damaged files, a large number of file operations are generated, causing even more files to be damaged, so they can never be repaired. Even when we NFS-mounted the backup server to copy the backup data, the copied backup was also wrong, which puzzled us at the time (fortunately, the backup server was mounted over NFS read-only, otherwise the backup itself might also have been damaged).
The open-source software mirror (mirrors) service with over ten million daily visits was interrupted, the VPN service relied on by thousands of users in the school was interrupted, the files in the freeshell virtual machines were damaged, the blog could not be accessed, and even the LUG homepage could not be opened. Inquiry emails flew in like snowflakes, but the email server had gone down as well. This hacking incident even alarmed several Linux distributions and upstream open-source projects; they all said that an open-source software mirror being hacked was unheard of. The Freeshell service was terminated because there was no backup, and the VPN service was no longer run publicly because it had served as the attacker's stepping stone. This incident exposed many problems in the basic infrastructure of the LUG servers: the public VPN service shared an internal network with the servers, there was no two-step verification for password logins, there was no alarm or defense against the dangerous operation of inserting kernel modules, and the account of a departed administrator had not been disabled. Of course, the fundamental cause was that my laptop had been hacked. Afterwards, LUG and teacher James treated me leniently and did not hold me responsible. I still feel very guilty to this day.
2015-05-24
Background: Virtualbox virtual machine on Windows. Ubuntu 14.04.1 LTS, 3.13 kernel. ext4 file system.
Mistake: A few days ago, I was developing a website on this virtual machine, made N commits, thought I had git pushed, but in fact, the push failed.
Mystery: Today, my colleague git pulled and found no updates, then said I hadn’t been working these days.
Tragedy: Logged into the virtual machine and saw that a few newly written files in the project directory had become 0-byte empty files. (ext4 is so stable, it must be the evil NTFS and Virtualbox in the host machine that caused the trouble)
Many files in the .git directory also became 0-byte empty files. Git prompts that the repository is damaged.
$ git status
$ git fsck
Has the code written in the past few days just vanished like this? We know that when you delete something, you just delete the reference to this thing in the current three-dimensional space, and the entity of this thing still exists in the four-dimensional space-time. Let’s time travel!
2015-01-30
January 30, 2015, was the deadline for SIGCOMM 2015 paper submissions, but I went to Huangshan for a trip.
Preparations Before Departure
It was our first time going to Huangshan. As early as December 15, when our final exam schedule was confirmed, we started preparing.
Time
We set off the day after my final exams ended. After checking some travel guides, we found that Huangshan is suitable for a two-day trip, with one night spent on the mountain. Including the round trip to Hefei, it would take a total of four days.
Transportation
There are two routes from Hefei to Huangshan:
- Take a train to Huangshan Railway Station (located in Tunxi, Huangshan City), then take a one-hour bus to Tangkou Town at the foot of Huangshan.
- Take a direct bus from Hefei Long-Distance Bus Station to Tangkou Town at the foot of Huangshan.
After arriving at Tangkou Town at the foot of Huangshan, to enter the Huangshan Scenic Area, you can only take the Xin Guoxian bus, which costs 19 yuan per person. The bus ride is a 20-minute winding mountain road, about 10 kilometers. The bus goes in two directions, one to Ciguang Pavilion at the front mountain and one to Yungu Temple at the back mountain. Both Ciguang Pavilion and Yungu Temple have cable cars to go up the mountain, or you can hike up (about 5 kilometers, taking 3 hours). Currently, the cable car at the front mountain is closed for maintenance, and hiking up is too tiring, so tourists usually go up from the back mountain, stay overnight on the mountain, and descend from the front mountain.
Since Jingning gets carsick and can’t sit on a bus for long periods, we chose the train-then-bus option. Currently, there are only K-series trains from Hefei to Huangshan, taking 6-7 hours (high-speed trains will be available this year). Although train tickets from Hefei to Huangshan are not in high demand during winter, we still booked our tickets a month in advance.
Buses within Huangshan City and the Huangshan Scenic Area run every half hour, and reservations are neither needed nor possible.
Accommodation
For the two nights at the foot of the mountain, you can choose to stay in Huangshan City or at the foot of the mountain. Accommodation on the mountain is relatively tight and needs to be booked in advance. You can do this on Ctrip.
Gear
- Documents: ID card, student ID
- Electronics: Mobile phone, iPad, power bank, flashlight (bought from Taobao, but didn’t use it)
- Warm clothing: Scarf, gloves, hat, seat cushion (Huangshan is very cold in winter)
- Climbing aids:
- Clothing: Each person brings 2 pairs of socks, underwear, towel for bathing
- Toiletries: Toothbrush, toothpaste, cup, lip balm, hand cream, skincare products…
January 28
2015-01-07
On May 16, 2013, my blog got a top-level domain bojieli.com. On January 6, 2015, I registered and enabled a new domain ring0.me (it’s the number 0, the font looks like the letter O).
Ring0 is the highest privilege level in the CPU architecture, and the code running at the Ring0 level interacts directly with the physical hardware. The concept of privilege level can be traced back to MULTICS in the 1960s. In the x86 architecture, ring0 represents the operating system kernel and kernel drivers, as opposed to user-mode applications that usually run in ring 3. The first time I heard about ring0 was in an article about rootkits when I was in junior high school and was very curious about “hacker” technology. Shamefully, I still can’t write a rootkit.
My blog uses the domain ring0.me to show that my main interest is in building the foundation of computer systems and networks through research and technology.
Registering ring0.me was because I felt that the full-spelled domain name bojieli.com didn’t look geeky enough. I considered multiple unregistered domain names such as rdma, ssh22, http80, tcp80, printk, reisub, etc., but in the end, I still thought ring0 was better.
The original bojieli.com now HTTP 301 redirects to the corresponding page on ring0.me. Due to StartSSL's policy restrictions, an SSL certificate can only be applied for three days after domain registration, so the SSL certificate was deployed on January 17. bojieli.com will continue to serve until May 2016 and will not be renewed afterwards.
The blog title has been changed from “null != undefined” to “Ring0”, and the subtitle has been changed from “Seeking possibility for next-generation network” to “Fundamental research in networked systems”. Hope readers like it ^_^
2014-12-18
One afternoon in May 2013, Room 5005 of the Physics and Chemistry Building. I was holding Senior He Yu’s phone, calling Lu Yuanwei, who was in a joint training program at MSRA. Maybe I was too nervous; after the call, both the screen and my hand were covered in sweat. A few days earlier, I received a notification: I was admitted to the MSRA joint training program. I replied that I was working on a startup project and might not have time to go. Microsoft urged me to make a decision quickly. I originally wanted to decline on my own, but I thought I should listen to Boss He’s opinion.
Background: The joint training program between USTC and MSRA opens for applications every April. After resume screening and interviews, about 18 people are admitted. They intern at MSRA for their senior year, and their thesis is also done at MSRA. Among these 18 spots, 14 are for those who will continue their studies domestically, and the remaining 4 are for those going abroad or seeking employment. After two months of internship, around early September, about 7 out of the 14 will be selected to stay for a Ph.D., while the rest return to school for their master’s. The so-called joint training Ph.D. means the first year is spent taking classes at USTC, and the next four years are spent doing research at MSRA, ultimately earning a degree from USTC (so we are genuine USTC graduate students, not trainees).
Both Lu Yuanwei and Senior He Yu said it was a good opportunity and suggested I consider it carefully. I thought I would intern for a summer first, see how it goes, and then decide.
At that time, I was deeply influenced by the culture of Linux and free software and had quite a few prejudices against Microsoft. When HR called to confirm my “start date,” I asked why it was called “start date.” Only then did I realize I was going as an intern for joint training, and it felt awkward to become an employee of a company I didn’t like at the time.
2014-12-12
Here is an old article: reading notes written in June 2012 (original link). These notes were written for my own reference, and they contain many of my own ideas, which may mislead readers. However, the article is too long, and I don’t have time to revise it. Feel free to criticize.
Recently (in the first half of 2012), on the recommendation of Jiahua Guo, I read the book "The Self-Cultivation of Programmers: Linking, Loading, and Libraries" from the LUG library, and I felt like I had found a treasure. However, the final exams are approaching and I don't have time to finish the whole book, so these notes cover only part of it.
There are two ways to build software: one is to make it so simple that there are obviously no defects, and the other is to make it so complicated that there are no obvious defects; the former is much more difficult. (Hoare, in his Turing Award lecture "The Emperor's Old Clothes")
2014-12-10
Note: On November 21, 2014, I shared some of my insights on virtualization technology at the Alibaba Tech Club's Virtualization Technology Exchange and the "USTC Cloud 3.0" launch event. After organizing and supplementing that talk, I present it here for discussion. (Long text, enter with caution)
Everyone is familiar with virtualization technology; most of us have used virtual machine software such as VMware or VirtualBox. Some people think that virtualization only became popular in recent years with the trend of cloud computing, and that ten years ago it was just a toy for desktop users to try out other operating systems. That is not the case. As long as multiple tasks run on a computer at the same time, there is a demand for task isolation, and virtualization is the technology that makes each task appear to monopolize the entire computer while isolating tasks from one another. Virtualization technology began to develop as early as the 1960s, when computers were still huge.
Figure: IBM 7044
2014-11-28
Translator’s note: Jennifer Rexford is a professor at Princeton University and a leading figure in the field of network research. She gave a talk to new graduate students in the field of engineering in 2010: Advice for New Graduates.
Those who know me know that I have a hobby of collecting famous quotes. There is a story behind this, which one sentence explains: famous quotes are short and portable, a suitable hobby for someone like me who moved often as a child. Two famous scientists from Princeton in the 1930s, Einstein and Thomas Lewis, made interesting and somewhat opposing comments on the role of the "individual".
Einstein in the field of physics said: “All valuable things in human society depend on the opportunity for individual development.”
Thomas Lewis in the field of pharmacology and biology said, “In fact, there is no such thing as a single individual; his own life is not much more than a cell torn from the surface of the skin.”
These two quotes summarize well what graduate students do.
2014-11-25
Many people are confused about the difference between these two sets of concepts. Let’s use the example of Xiao Ming downloading a file.
- Synchronous Blocking: Xiao Ming keeps staring at the download progress bar until it reaches 100%.
- Synchronous Non-blocking: After Xiao Ming starts the download, he goes to do other things, occasionally glancing at the progress bar. When it reaches 100%, the download is complete.
- Asynchronous Blocking: Xiao Ming switches to a software that notifies him when the download is complete. However, he still waits for the “ding” sound (which seems silly, doesn’t it?)
- Asynchronous Non-blocking: Still using the software that “dings” when the download is complete, Xiao Ming starts the download and then goes to do other things. When he hears the “ding”, he knows the download is complete.
In other words, synchronous/asynchronous describes how the download software (or the API being called) notifies you of the result, while blocking/non-blocking describes how Xiao Ming (or the caller of the API) waits for it.
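The four combinations as runnable Python (an added example, not part of the original post): a constructed `Download` class runs in a background thread and offers both a synchronous interface (check `done`, or call `wait()`) and an asynchronous one (an `on_complete` callback, the "ding"). The four caller functions differ only in which interface they use and in how the caller waits.

```python
import threading
import time


class Download:
    """Simulated download (constructed for this example). The background
    thread advances `progress`; callers may poll `done`, call `wait()`
    (synchronous notification), or pass `on_complete` to be called when the
    download finishes (asynchronous notification, the "ding")."""

    def __init__(self, size=5, on_complete=None):
        self.size, self.progress = size, 0
        self.done = threading.Event()
        self.on_complete = on_complete
        self.thread = threading.Thread(target=self._run)
        self.thread.start()

    def _run(self):
        for i in range(self.size):
            time.sleep(0.01)           # one chunk arrives
            self.progress = i + 1
        self.done.set()                # visible to anyone polling or waiting
        if self.on_complete:
            self.on_complete(self)     # the "ding" for asynchronous callers

    def wait(self):
        self.done.wait()


def sync_blocking():
    d = Download()
    d.wait()                           # stare at the progress bar until 100%
    return ("blocked until done", d.progress)


def sync_nonblocking():
    d = Download()
    other_work = 0
    while not d.done.is_set():         # glance at the bar between other tasks
        other_work += 1
        time.sleep(0.005)
    return (other_work > 0, d.progress)


def async_blocking():
    ding = threading.Event()
    d = Download(on_complete=lambda _: ding.set())
    ding.wait()                        # notification exists, but he still just waits
    return ("heard ding", d.progress)


def async_nonblocking():
    log = []
    d = Download(on_complete=lambda dl: log.append(("ding", dl.progress)))
    log.append("doing other things")   # returns immediately; the ding comes later
    d.thread.join()                    # only so the example can hand back the log
    return log
```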