Solved Download problem: failure at last block [cause: suricata]

[PMc]

Hi, I have a strange download problem:

$ fetch https://download.freebsd.org/ftp/releases/amd64/amd64/ISO-IMAGES/12.2/FreeBSD-12.2-RELEASE-amd64-bootonly.iso.xz
FreeBSD-12.2-RELEASE-amd64-bootonly.iso.xz     99% of   77 MB  964 kBps 01m12s

It runs at normal speed, then fails right at the end and hangs forever. Inspection shows:

-rw-rw-r--   1 admin  staff  81657856 Dec 18 13:16 FreeBSD-12.2-RELEASE-amd64-bootonly.iso.xz

81657856 / 2 ^ 17
623.0000
81736024-81657856
78168

It transfers all full 128k blocks, then locks up at the last incomplete block.

Someone seen this before?

 

[SirDice]

Have you tried a mirror for this? The installation media is mirrored to a lot of local sites. I typically get mine from ftp.nl.freebsd.org because it's a local Dutch mirror (usually much faster to download from too).

Appendix C. Resources on the Internet

FreeBSD additional resources on internet like websites, mailing lists, mirrors, etc

www.freebsd.org

 

[obsigna]

Hi, I have a strange download problem:

$ fetch https://download.freebsd.org/ftp/releases/amd64/amd64/ISO-IMAGES/12.2/FreeBSD-12.2-RELEASE-amd64-bootonly.iso.xz
FreeBSD-12.2-RELEASE-amd64-bootonly.iso.xz     99% of   77 MB  964 kBps 01m12s

It runs at normal speed, then fails right at the end and hangs forever. Inspection shows:

-rw-rw-r--   1 admin  staff  81657856 Dec 18 13:16 FreeBSD-12.2-RELEASE-amd64-bootonly.iso.xz

81657856 / 2 ^ 17
623.0000
81736024-81657856
78168

It transfers all full 128k blocks, then locks up at the last incomplete block.

Someone seen this before?

I had this several times in the recent months. To begin with, this seems to be an issue with fetch, since a download with a browser does work without any problem. In addition, when I interrupt fetch at the hanging stage, the file seems to be OK. It can be unpacked using xz(1) and then the iso can be mounted without problems.

 

[SirDice]

Definitely try a mirror to rule out any issues with the download.freebsd.org itself. It may do something fetch(1) doesn't like (or the other way around). That said, the code for fetch hasn't changed for quite some time, there certainly haven't been any recent changes to it. Still won't rule out bugs of course, a change on download.freebsd.org may have triggered a previously unknown issue.

[base] Log of /stable/12/usr.bin/fetch/fetch.c

svnweb.freebsd.org

 

[VladiBG]

Can you try to download it using "wget"

 

[PMc]

Thanks for Your replies! It's definitely not related to fetch or to the mirrorserver.
It comes from the backend, from security/suricata's IPS mode.
I configured that recently, and at first it seemed to work.

Now, strolling thru the logfiles, I found a few of these:
[1:2260002:1] SURICATA Applayer Detect protocol only one direction [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 139.178.72.202:21 -> 91.4.238.165:12146

Okay, I thought, it does not like to run on one leg (diverting only incoming).
And I diverted outgoing also, but things got worse. Then I realized: when running suricata before nat on incoming, I probably should run it behind nat on outgoing. But then it screws up completely:

[1:2200073:2] SURICATA IPv4 invalid checksum [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 91.12.117.72:48732 -> 213.138.116.78:443
[1:2200073:2] SURICATA IPv4 invalid checksum [Classification: Generic Protocol Command Decode] [Priority: 3] {ICMP} 91.12.117.72:3331 -> 213.138.116.78:0
[102574] <Warning> -- [ERRCODE: SC_WARN_IPFW_XMIT(84)] - Write to ipfw divert socket failed: Permission denied
[102843] <Error> -- [ERRCODE: SC_ERR_FATAL(171)] - thread TX#00 failed

 

[SirDice]

It comes from the backend, from security/suricata's IPS mode.
I configured that recently, and at first it seemed to work.

That's generally why I don't like IPSes. IDS, sure, gladly. IPS, not so much. They often trigger false positives and wreck perfectly fine and valid traffic.

 

[PMc]

Yepp. This probably says it all:

ETN AGGRESSIVE IPs Group 1 [Classification: Misc Attack] [Priority: 2] {UDP} 192.228.79.201:53 -> 192.168.98.14:58417
ETN AGGRESSIVE IPs Group 1 [Classification: Misc Attack] [Priority: 2] {UDP} 192.33.4.12:53 -> 192.168.98.14:55276
ETN AGGRESSIVE IPs Group 0 [Classification: Misc Attack] [Priority: 2] {UDP} 192.5.5.241:53 -> 192.168.98.14:63506
ETN AGGRESSIVE IPs Group 1 [Classification: Misc Attack] [Priority: 2] {UDP} 192.112.36.4:53 -> 192.168.98.14:59369
ETN AGGRESSIVE IPs Group 0 [Classification: Misc Attack] [Priority: 2] {UDP} 193.0.14.129:53 -> 192.168.98.14:58162

Why are the root nameservers considered hackers?

So, my idea was to just have it in the loop. Then, if something annoys me, I can always switch that one from alert to drop.
But there is obviousely a bug. Somewhere. (And there is also a bug in my design, as I just found. So, working on it. )

 

[SirDice]

Why are the root nameservers considered hackers?

You're going to need to look at the rule that got triggered. Looking at the IPs and ports it looks like it's triggering on responses from DNS queries. The actual definition of the rule will tell you why it triggered on those packets.

 

[PMc]

You can read these definitions? (I'm not yet that far, I'm just trying to get the fabric itself work reliably.)
So what does it mean:

alert ip [192.33.4.12,192.36.148.17,2001:500:2::c,192.228.79.201,2001:7fd::1,37.49.230.173,2001:7fe::53,2001:500:1::53,80.94.93.33,198.97.190.53,198.41.0.4,156.96.128.162,2001:dc3::35,2001:500:12::d0d,89.185.239.70,2001:503:ba3e::2:30,149.129.139.48,192.112.36.4,181.143.101.194,154.59.121.183,91.241.19.84,193.29.13.45,8.129.209.71,2001:503:c27::2:30,217.21.193.74,82.113.58.199,51.15.21.205,156.96.150.119,202.12.27.33,94.232.46.25] any -> $HOME_NET any (msg:"ETN AGGRESSIVE IPs Group 1"; reference:url,https://security.etnetera.cz/feeds/etn_aggressive.txt; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; sid:5000001; rev:1608083101

(Going to that URL just gives a vast bunch of IPs.)

 

[PMc]

Now I got this one here almost solved. It unravelled to a whole bunch of issues.

1. downloads hanging at the beginning of the last 128k block

This seems to be reproducible, coming from suricata when in IPS mode "running on one leg", i.e. only the incoming packets are fed to it, not the outgoing ones.
I think this is a malfunction and should not happen, otoh suricata is focused on analyzing flows, and so it needs to see both directions. And over all, suricata appears to be quite delicate about it's configuration being sensible.

2. various connection failures after fixing item 1.

That one was a bug created by me: I just lost these flows somewhere within the ruleset and they went onto a reject rule.

3. IPv4 header checksum errors

SURICATA IPv4 invalid checksum [Classification: Generic Protocol Command Decode]

This is normal and a design feature of the divert.
divert(4): Packets are received and sent unchanged, except that packets read as outgoing have invalid IP header checksums

More precisely, when feeding an outgoing packets out of ipfw onto a divert socket, is has the hopcount already decremented, but the checksum not changed.

I would think, as suricata provides a special adapter to run inline in ipfw on a divert socket, it should also respect this feature and behave accordingly. But - it doesn't.
Using the option -k none to switch off checksums does not really help - it does disable the messages for TCP traffic, but not for UDP, ICMP. (And assumingly this does also switch of the TCP checksum validataion, not only the IP header checksum.)

What does help is to disable the offending rule. Configure suricata-update to use a disable.conf file, and therein put a line with only 1:2200073.

4. suricata suddenly crashes with "permission denied"

[102574] <Warning> -- [ERRCODE: SC_WARN_IPFW_XMIT(84)] - Write to ipfw divert socket failed: Permission denied
[102843] <Error> -- [ERRCODE: SC_ERR_FATAL(171)] - thread TX#00 failed

I have now seen this one more time, and I do not really understand what it means.
As mentioned, suricata is delicate about it's conditions. It appears to have orignally derived from some admin scripts, and it seems still to be a vast assortion of functionality packed together, lacking some means to ascertain proper over-all reliability.

The problem here is: when suricata runs inline on a divert socket, and it crashes, then those packets go nowhere and connectivity is lost. What can be done: putting this into /etc/crontab to be run periodically: service suricata status >/dev/null || service suricata start

 

[PMc]

[102574] <Warning> -- [ERRCODE: SC_WARN_IPFW_XMIT(84)] - Write to ipfw divert socket failed: Permission denied
[102843] <Error> -- [ERRCODE: SC_ERR_FATAL(171)] - thread TX#00 failed

It seems I finally figured out where these crashes come from. If you do something like this:

/sbin/ipfw add 1000 divert 8000 all from any to any                       # divert to suricata
/sbin/ipfw add 2000 drop tcp from somehost to someotherhost  # drop something after it returned from suricata

This will only work on the incoming side (where line 2000 might be provided by something like blacklistd).
If you do the same on the outgoing side (i.e. drop some packets after they have been returned from suricata), then the sending process will be notified by the kernel that the packet could not be sent.
The sending process is in this case suricata, and therefore suricata receives a "Permission denied", and consequentially it crashes.
It probably should not crash in such a case, but that's yet another matter. I would rather think it should just ignore the "Permission denied", because it is none of it's business if some other rules might consider the packet dropable.

So, for now I am trying this patch:

# cat /usr/ports/security/suricata/files/patch-xa-divertperm
--- src/source-ipfw.c.orig      2020-12-20 17:08:44.430825000 +0000
+++ src/source-ipfw.c   2020-12-20 17:09:13.286729000 +0000
@@ -579,6 +579,7 @@
                     SCReturnInt(TM_ECODE_FAILED);
                 case EHOSTDOWN:
                 case ENETDOWN:
+                case EACCES:
                     break;
             }
         }