The Department of Chemistry now has an arrangement with Amazon Web Services which allows researchers to access AWS and have the bills paid direct from one of their departmental accounts. Contact the Computer Officers if you would like to set this up for your work.
AWS provides a wide range of cloud computing services which are particularly likely to be of interest to researchers looking for web hosting and high performance computing.
Posted in Cloud | Comments Off on Access to Amazon Web Services
For many years the department has had a licence for Intel’s optimizing compilers and maths libraries which is paid for by several research
Updated versions of the Intel compilers and libraries are now going to be released as part of a new product called OneAPI, which is entirely free to download and use, so no one will need to pay for annual renewals to get access to new releases any more. There’s also no longer a limit on how many people can use the software at once.
The latest release of the Intel compilers from OneAPI has been installed on managed Linux workstations and compute clusters with sufficiently new operating systems (Ubuntu 18.04 workstations, rogue and nest clusters). OneAPI also comes with Intel MPI which we used to have to buy separately so we now have access to that on all those machines.
The older compilers will carry on working indefinitely, using the licence that was renewed in January.
Posted in Linux, Software | Comments Off on Intel compilers and maths libraries now free to use
We regret that there was a problem with ChemNet wifi between 8am on 9th March and 10.30 on 10th March which caused connections to fail to be assigned IP addresses, and so people would have found they had no network access despite their machine reporting being connected. This was fixed at 10.30 on 10th March and things are now running normally.
The problem began when we restarted the DHCP server (the software that allocates addresses) to update the list of DNS servers it sends out with the IP addresses. This is a routine process, and we’d done it several times recently as we have been updating our DNS servers. None of the previous restarts had issues. This time the DHCP software appeared to restart as normal, without any error message, but for some reason did not then allocate any IPs until a second restart was done. Because the process was running and had logged no error, nothing we had in place at the time flagged the failure. Unfortunately none of the IT staff were in the building on the 9th March so we didn’t become aware of the problem until someone reported it to us on the 10th.
We are looking into providing better monitoring of that DHCP server to detect failures automatically in future.
Posted in Network | Tagged chemnet, network | Comments Off on Problems with ChemNet wifi 9th and 10th March 2021
Unfortunately we have had to remove opera and the desktop OwnCloud client (which can be used to access our ChemBox service) from our managed Ubuntu 16.04 workstations. The 3rd party repositories we use for installing these pieces of software no longer support Ubuntu 16.04.
Both packages still work fine on Ubuntu 18.04: if you use a departmentally-managed 16.04 computer and want to arrange an upgrade, please let us know.
Posted in Uncategorized | Tagged software | Comments Off on Software removed from managed Ubuntu 16.04 workstations
We have recently added a new page to our website with suggestions for tools that might be of use to people working remotely. This includes some suggestions for online collaboration systems, as well as advice about remotely connecting to IT systems within the Department.
Jenkins (https://jenkins.io) is an open-source automation server which is widely used for continuous integration and deployment: automatically building and testing software whenever it changes. Here in the Department of Chemistry we host a number of Jenkins instances for some of our theoretical chemistry research groups, in support of their software engineering workflows.
Jenkins listens on UDP port 33848. You can either send a UDP broadcast packet (targeted to 255.255.255.255) to this port, or you can send a UDP multicast packet (targeted to the multicast group 239.77.124.213) to this port. When a packet is received (the payload doesn’t matter), Jenkins will send an XML response as a datagram back to the sending IP address and UDP port.
The purpose of that feature in Jenkins is to allow easy discovery of Jenkins instances on one’s network. However, there is a definite potential downside to having this feature enabled…
Distributed amplification/reflection Denial of Service attacks
In a Denial of Service attack (DoS), the attacker attempts to overwhelm one or more targets by sending them an excessive amount of network traffic. One strategy that is often used is a “reflected DoS” attack. This relies on the fact that UDP is a connectionless protocol: there is no handshake, so it is easy to send a packet to a third-party server (the “reflector”) with a faked source IP address, namely the victim’s. The reflector’s reply then goes to the victim rather than to the attacker, which both delivers the traffic and obscures the attacker’s own IP address.
A reflected DoS attack becomes more powerful if it’s possible to also leverage a network service which leads to traffic amplification. This occurs when the size of the network response from the reflector is significantly larger than the size of the packet needed to trigger it. One of the best-known services that can be abused in this way is NTP (network time protocol): https://www.cvedetails.com/cve/CVE-2013-5211/ . One should generally ensure that network services that could be used for a reflected amplification attack are either disabled if not needed, or only accessible to trusted network ranges rather than exposed to the internet.
As mentioned earlier, Jenkins will respond with an XML payload if any UDP packet is sent to port 33848. Thus, even a UDP packet consisting solely of UDP/IP/Ethernet headers but zero-length payload can trigger a response. The exact response size depends on factors such as the hostname of the Jenkins instance and the version of Jenkins being run, but is around 150 bytes: for example,
A commonly-used measure of the size of the amplification is the bandwidth amplification factor (BAF), defined as the ratio of the size of the reflected payload to the size of the original request payload. Given that Jenkins responds to a zero-length payload sent to UDP port 33848, the BAF is thus infinite! In practice that’s a slightly misleading characterisation given that the attacker must still send the layer 2/3/4 headers: counting just the 20-byte IPv4 header and 8-byte UDP header, a 28-byte datagram on the wire draws a reply of roughly 150 bytes of payload plus its own 28 bytes of headers, so even on that stricter accounting Jenkins reflects around six times more traffic than is sent to it.
As of October 2019, the Shodan search engine (https://www.shodan.io) identified about 81,000 Jenkins instances that are visible on the internet. Many of them will not respond to a packet sent to UDP port 33848, either due to firewall rules or having disabled Jenkins’ auto-discovery feature. Nonetheless, a quick network scan suggested there were about 10,000 Jenkins instances at that time which did respond and could therefore be used as part of a distributed amplification/reflection DoS attack.
This behaviour also provides a possible DoS vector against a pair of Jenkins instances. An attacker can send a spoofed UDP packet to port 33848 on Jenkins instance A, with a spoofed source address of Jenkins instance B and source port also set to 33848. Jenkins instance A will thus send its ~150 byte XML response to UDP port 33848 of Jenkins instance B; since any datagram on that port is a valid trigger, B replies to UDP port 33848 of instance A, and so on. A single spoofed packet therefore sets up an unbounded ping-pong loop between the two instances, which could lead to resource exhaustion on either or both of them.
This security vulnerability is now listed in the CVE database under CVE-2020-2100.
The Jenkins project released a security advisory on 2020-01-29, when Jenkins 2.219 / 2.204.2 LTS was released. As of those versions, Jenkins no longer listens on UDP port 33848 by default. According to the Jenkins documentation, it is also possible to explicitly disable the feature by setting the hudson.udp Java system property to -1 (i.e. starting the JVM with -Dhudson.udp=-1).
Anyone running a Jenkins instance should check if their instance is listening on UDP 33848, and…
upgrade to the latest version of Jenkins
ensure the UDP autodiscovery feature is disabled if not needed
ensure that access to UDP port 33848 is only allowed from trusted networks via suitable firewall rules
…all of which is generally good practice when running any network-facing service, of course!
Posted in security, technical | Comments Off on Amplification/Reflection attacks: Jenkins CVE-2020-2100