2016 Technology Exchange perfSONAR Sessions
Posted September 23, 2016 - permalink
The perfSONAR development team is pleased to announce three sessions covering the upcoming release of perfSONAR 4.0 as part of the Advanced Networking track of the Internet2 2016 Technology Exchange. All three take place on Tuesday, September 27.
- 08:40 – 09:00 EDT: perfSONAR 4.0
- 09:00 – 09:20 EDT: perfSONAR 4.0 Feature Tour
- 09:30 – 09:50 EDT: Introducing pScheduler, perfSONAR’s New Scheduler
For the benefit of those unable to be there, all three will be webcast live and available for viewing afterward.
Project Statement on DEFCON perfSONAR Presentation
Posted August 10, 2016 - Permalink
At the DEFCON conference in Las Vegas last week, Luke Young gave a presentation entitled Attacking Network Infrastructure to Generate a 4 Tb/s DDOS for $5 which outlined a trio of vulnerabilities in perfSONAR. The development team has fielded questions about it, so for everyone’s benefit, here is a summary of the vulnerabilities and the current status of each:
- Remote command execution (RCE) in a CGI script: This vulnerability was discovered earlier and eliminated when perfSONAR 3.5.1 was released in March.
- XML external entity (XXE) in OPPD: This vulnerability required that OPPD be running as the superuser, which is not its usual mode of operation. Launching an attack of the magnitude described in the presentation would require that configuration on a large number of nodes. It was eliminated within hours of Mr. Young making us aware of its existence, and the updated software was announced the same day (July 7).
- Privilege escalation in the configuration daemon: This vulnerability required shell access to the system to exploit. It was eliminated within hours of Mr. Young making us aware of its existence, and the updated software was announced the same day (July 7).
All auto-updating perfSONAR systems were no longer subject to exploits of these vulnerabilities as of July 7.
The development team will continue to be on the lookout for bugs in perfSONAR and will continue to promptly patch those we discover or are brought to our attention. We would like to thank Mr. Young for sharing his discoveries with us.
- July 7 patch announcement
- Archive of perfSONAR vulnerabilities which have been discovered and patched
- Mr. Young’s presentation (on the DEFCON web site)
New perfSONAR Training Videos Released
Posted July 18, 2016 - permalink
The Department of Energy’s Energy Sciences Network (ESnet), and the Network Startup Resource Center (NSRC) at the University of Oregon have teamed up to create an extensive video training library to help organizations improve the performance of their networks by deploying the perfSONAR network measurement tools and the Science DMZ network architecture.
The library can be found here:
A news release on this project can be found here: http://es.net/news-and-publications/esnet-news/2016/new-training-videos-leverage-esnet-s-expertise-to-improve-network-performance-around-the-world/