Jan 16, 2023 Unacknowledged SYNs by country

Jan 14, 2023 Unacknowledged SYNs by country

It’s sometimes interesting to look at how different a single day might be versus the longer-term trends. And to see what happens when you make changes to your pf rules.

I added all RU networks I was blocking from ssh to the list blocked for everything. I also fired up a torrent client on my desktop.

RU moving up the list versus the previous 5 days is no surprise; a good portion of traffic I receive from RU is port scanning. But I’ll have to look to see what caused the CZ numbers to climb.

I think the only interesting thing about the torrent client is that I should do something to track UDP in a similar manner as I track TCP. If I have a torrent client running, I will wind up with a lot of UDP traffic (much of it directed to port 6881 on this day), and will respond with ICMP port unreachable. To some extent this is a burden on my outbound bandwidth, but on the other hand it will allow me to add an easy new tracker to mcflowd (to whom am I sending ICMP port unreachables). Of course, UDP is trivially spoofed, so I don’t truly know the source of the UDP.

Source IPv4 address space blocked from ssh, by country

Below is a chart showing the number of IPv4 addresses blocked from accessing ssh on my network, by country, for the 25 countries with the most address space blocked. It has changed over the years, but the U.S. is now #2 where it wasn’t in 2017 (it wasn’t even in the top 20 back then). What hasn’t changed: China remains dominant.

It’s worth noting that my automation blocks address space based on access attempts. A prefix doesn’t wind up in the list unless the automation has seen failed access attempts from that prefix. Of course, policy and address allocation determine the width of prefix, as well as aggregation. No one gets blocked forever, but repeat offenders are blocked longer. Bear in mind that ssh on my network is intended for a single user: me. If I’m not in China at the moment, ssh need not be accessible from China.

This next chart comes from mcflowd data. One of the things it tracks is unacknowledged SYN packets that hit my gateway, per source IPv4 address. I can process this data with IP to country information to get an idea of which countries are the predominant prowlers. It shows how often different countries are either probing for a service I don’t run or trying to hit a service that I’ve blocked some of their IPv4 address space from accessing. A metaphor: the number of times they knocked on my door and I purposely didn’t answer (I did not reply with a SYN ACK). I call this the chump factor chart; many of the address spaces that contribute to this chart have been the same for 5 years.

Note that this second chart is from a period of less than 5 days. Anyone with a public Internet connection should not kid themselves into thinking they’re not being probed, constantly.

This is how you splinter the Internet. Make us fed up enough with your traffic that’s indistinguishable from traffic with criminal intent, we block you. Works great for authoritarian governments that don’t want their citizenry to communicate with the free world, and those with other motives too. 🙁

The good news for me is that I have automation that’s pretty flexible in configuration and input sources (the log parser, for example, can be used on a number of different log formats as long as they’re text and contain offending IP addresses). It saves the data I need, and isn’t a significant resource consumer on my gateway. It’s very secure, using my Credence library for ECDH, authentication and authorization (which under the hood is using libsodium at the moment). I have a reasonably robust IP to country service, which updates itself via RDAP. Sadly the registries are a disaster saga, so occasionally I wind up reloading with GeoLite or similar data. But since I only use the country data to determine how long and how wide a prefix will be blocked, and not if a prefix will be blocked, it’s mostly inconsequential. It’s just useful to be able to see where the nefarious traffic is coming from, through a geopolitical lens.

Hey U.S. (my own country): we shouldn’t throw stones while we live in a glass house. And if there’s anything we should do about big tech, I’d say regulating the weaponization of massive cloud computing resources would be a good start. Where do a lot of the U.S. probes come from? Amazon EC2, Google, Microsoft, DigitalOcean, Linode, Oracle. The same holds true for probes from Canada and other parts of the western world. Some of these are legitimate research probes. However, to a large extent they’re indistinguishable from nefarious activity. And besides, I pay for my bandwidth at the end of a thin straw we call broadband in the U.S. I don’t want this traffic, yet I pay for it.

Sports thoughts of the day

Jan 5, 2023

Texas fired Chris Beard after a felony domestic violence charge. Maybe Texas Tech and Texas can now agree that Chris Beard might be a scumbag. And probably hangs out with scumbags.

Here’s the sign I want to see at games from both schools: “Chris Beard bites!!!”. See the police report. Yikes.

There are scumbags in all walks of life. But I’d like to see us be less forgiving of scumbags on big stages with positions of leader/teacher/mentor. And any men who bite their domestic partner in anger. That’s just crazy, right? As my friend Andy put it, “Biting Hall of Fame: Marv Albert, Mike Tyson, Hannibal Lecter.” All bat-poop-crazy in their own way.

Kudos to Texas for doing the right thing here. Boos for taking 3 weeks to do it.

I’d like the coach of my alum to be fired (Juwan Howard) for his inability to maintain a professional demeanor. He hasn’t advanced to scumbag status though, at least not yet. There’s the rub: yet. I don’t hate Howard, I just don’t trust him. Ticking time bomb. I miss John Beilein, a lot.

I put Harbaugh in the untrustworthy bucket too. He’s been there a long time, but the hypocritical righteousness while violating NCAA rules is the one that really rubs me the wrong way. Not to mention the stupidity. If you bought a hamburger for a recruit at the Brown Jug, it’s downright stupid to lie about it to an investigation committee. We’re not talking about fancy food here; Wendy’s makes better burgers. In fact, at my age, you’d have to pay me to eat a burger at the Brown Jug. It’s a college campus dive. I spent my fair share of time at the Brown Jug as a student, mostly eating eggs and pancakes late at night after a long study session with friends. But it’s not a place you take someone to impress them or sway them. It’s not even the institution that Crazy Jim’s or the Fleetwood is, never mind a fantastic food place like Zingerman’s.

mcblockd 5 years on

mcblockd, the firewall automation I created 5 years ago, continues to work.

However, it’s interesting to note how things have changed. Looking at just the addresses I block from accessing port 22…

While China remains at the top of my list of total number of blocked IP addresses, the US is now in 2nd place. In 2017, the US wasn’t even in the top 20. What has changed?

Most of the change here is driven by my automation seeing more and more attacks originating from cloud hosted services: Amazon EC2, Google, Microsoft, DigitalOcean, Linode, Oracle, et al. While my automation policy won’t go wider than a /24 for a probe from a known US entity, over time I see probes from entire swaths of contiguous /24 networks from the same address space allocation, which will be coalesced to reduce firewall table size. Two adjacent /24 networks become a single /23. Two adjacent /23 networks become a single /22. All the way up to a possible /8 (the automation stops there).

So today, the last of 2022, I see some very large blocks owned by our cloud providers being blocked by my automation due to receiving ssh probes from large contiguous swaths of their address space.

I am very appreciative of the good things from big tech. But I’m starting to see the current cloud computing companies as the arms dealers of cyberspace.

My top 2 countries:

    CN 131,560,960 addresses
       /9 networks:    1 (8,388,608 addresses)
      /10 networks:   10 (41,943,040 addresses)
      /11 networks:   12 (25,165,824 addresses)
      /12 networks:   18 (18,874,368 addresses)
      /13 networks:   29 (15,204,352 addresses)
      /14 networks:   48 (12,582,912 addresses)
      /15 networks:   48 (6,291,456 addresses)
      /16 networks:   37 (2,424,832 addresses)
      /17 networks:   14 (458,752 addresses)
      /18 networks:    7 (114,688 addresses)
      /19 networks:   10 (81,920 addresses)
      /20 networks:    5 (20,480 addresses)
      /21 networks:    3 (6,144 addresses)
      /22 networks:    3 (3,072 addresses)
      /23 networks:    1 (512 addresses)

    US 92,199,996 addresses
       /9 networks:    3 (25,165,824 addresses)
      /10 networks:    5 (20,971,520 addresses)
      /11 networks:   10 (20,971,520 addresses)
      /12 networks:    9 (9,437,184 addresses)
      /13 networks:   16 (8,388,608 addresses)
      /14 networks:   10 (2,621,440 addresses)
      /15 networks:    8 (1,048,576 addresses)
      /16 networks:   42 (2,752,512 addresses)
      /17 networks:   10 (327,680 addresses)
      /18 networks:   11 (180,224 addresses)
      /19 networks:    8 (65,536 addresses)
      /20 networks:   10 (40,960 addresses)
      /21 networks:    2 (4,096 addresses)
      /22 networks:    9 (9,216 addresses)
      /23 networks:    9 (4,608 addresses)
      /24 networks:  818 (209,408 addresses)
      /25 networks:    4 (512 addresses)
      /26 networks:    5 (320 addresses)
      /27 networks:    5 (160 addresses)
      /28 networks:    2 (32 addresses)
      /29 networks:    7 (56 addresses)
      /30 networks:    1 (4 addresses)

You can clearly see the effect of my automation policy for the US. Lots of /24 networks get added, most of them with a 30 to 35 day expiration. Note that expirations increase for repeat offenses. But over time, as contiguous /24 networks are added due to sending probes at my firewall, aggregation will lead to wider net masks (shorter prefix lengths). Since I’m sorting countries based on the total number of addresses I’m blocking, obviously shorter prefixes have a much more profound effect than long prefixes.
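The coalescing described above (adjacent /24s folding into a /23, /23s into a /22, never wider than /8) and the per-prefix-length tables for CN and US, as an added Python example. This is not mcblockd’s own code; the prefixes are constructed sample input, and dropping an entry already covered by a wider entry is an assumption about how a firewall table would be tidied.

```python
# Added example (not the blog's mcblockd code): how adjacent blocked prefixes
# coalesce into wider ones, stopping at /8, plus the per-prefix-length summary
# the post shows for CN and US.
import ipaddress
from collections import Counter

MIN_PREFIXLEN = 8  # the post says the automation never aggregates wider than /8


def aggregate(prefixes, min_prefixlen=MIN_PREFIXLEN):
    """Coalesce a set of IPv4 prefixes the way the post describes.

    Two adjacent, properly aligned /24s become one /23, two /23s one /22, and so
    on; a prefix already covered by a wider entry is dropped (assumption).
    Nothing is merged past min_prefixlen (/8 by default). Returns the surviving
    networks sorted by address.
    """
    nets = {ipaddress.IPv4Network(p, strict=False) for p in prefixes}
    merged = True
    while merged:
        merged = False
        # Drop entries already covered by a wider entry (e.g. a /25 inside a blocked /24).
        nets = {n for n in nets if not any(n != o and n.subnet_of(o) for o in nets)}
        # Longest prefixes first, so /24s fold into /23s before /23s fold into /22s.
        for net in sorted(nets, key=lambda n: -n.prefixlen):
            if net.prefixlen <= min_prefixlen:
                continue  # at the cap: leave as-is
            parent = net.supernet()  # one bit shorter
            sibling = next(s for s in parent.subnets() if s != net)
            if sibling in nets:
                nets -= {net, sibling}
                nets.add(parent)
                merged = True
                break  # restart: the new parent may itself have a sibling
    return sorted(nets, key=lambda n: (int(n.network_address), n.prefixlen))


def summarize(nets):
    """Total blocked addresses plus per-prefix-length lines like the post's tables."""
    by_len = Counter(n.prefixlen for n in nets)
    total = sum(n.num_addresses for n in nets)
    lines = [f"{total:,} addresses"]
    for plen in sorted(by_len):
        count = by_len[plen]
        lines.append(f"/{plen} networks: {count} ({count * 2 ** (32 - plen):,} addresses)")
    return total, lines


# Constructed sample: private/documentation ranges standing in for probe sources.
SAMPLE_PREFIXES = [
    "10.0.0.0/24", "10.0.1.0/24", "10.0.2.0/24", "10.0.3.0/24",  # four aligned /24s -> /22
    "10.0.1.128/25",                                            # already inside 10.0.1.0/24
    "10.0.4.0/24", "10.0.5.0/24",                               # pair -> /23
    "10.0.6.0/24",                                              # no sibling, stays /24
    "192.0.2.0/24", "192.0.3.0/24",                             # pair -> /23
]

if __name__ == "__main__":
    blocked = aggregate(SAMPLE_PREFIXES)
    print([str(n) for n in blocked])
    total, lines = summarize(blocked)
    print("\n".join(lines))
    # The /8 cap: two adjacent /8s are NOT folded into a /7.
    print([str(n) for n in aggregate(["10.0.0.0/8", "11.0.0.0/8"])])
```

Because the countries are ranked by total blocked addresses, a single merge from two /23s into a /22 moves a country as much as adding four fresh /24s would.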

Building custom desks: the first one is done!

First desk done before room is done.

In every failure is an opportunity: a learning experience. Patience and persistence lead to success. That’s basically the story of my desk saga.

This saga started a long time ago, with haggling over what would be appropriate aesthetically versus what I can’t live without in a home work space. Honey, I love you so much for making so many compromises. And for letting me crowd the room a bit so we can each have a desk in this room and work alongside each other. And for choosing and buying the wool rug and pad we’ll have in there!

There’s a big upside to the approaching end of this saga: we’re getting some fairly nice custom matching desks for the home office. Made from scratch by me, from my detailed SketchUp drawings all the way to final assembly and finishing. Solid oak and polished PEI 5 porcelain touch surfaces, solid oak structure, acetal wear surfaces (the feet). Each desk breaks down into 4 very strong pieces. The top has eight threaded inserts for recessed bolts in the base pieces that hold the top to the base pieces. Each of the base side assemblies connect to the rear base assembly with 2 guide pins and flanged leaded bronze bushings for alignment and 3 long stainless recessed hex head bolts from the side assembly into dowel nuts in the rear base assembly.

Two power strips are mounted to the bottom of the top in the rear (plenty of room for those pesky wall warts and 18 total outlets).

The desks are substantial. I can sit on them. I can stand on them. They’re heavy, yet they’re not difficult to move due to the acetal feet and porcelain floor. They’re a good size: the tops are 70″ long by 36″ deep. They don’t scream ‘computer desk’ except for the over-bridges (which aren’t attached to the desks and are hence ‘optional’). No cable grommets. Easily repurposed as a large reading desk or craft desk.

This whole experience was a gamble. While I trust my ability to build things, I had no luck finding any stories about someone using very large porcelain tile in a desk top. I’m sure I’m not the first one to do something like this; I just wasn’t able to find anything.

This made for some guesswork with what I needed to do in order to bring the odds of cracking the porcelain to an acceptable low. I’m very familiar with porcelain flooring deflection requirements, but this isn’t a floor; the static load is low, and the dynamic load is very low. And there are tradeoffs for weight, total thickness, space for support, etc.

The porcelain is very dimensionally stable: the water absorption rate is a minuscule 0.5%, and it barely moves with temperature. The solid oak, on the other hand, will contract and expand a bit with changes in humidity and temperature. And the plywood is between the solid oak and the porcelain in terms of dimensional stability.

I didn’t want cement board (weight, thickness). I didn’t trust Ditra here, mainly the bond to the substrate. Floors don’t get inverted, but a desktop could when breaking it down to move.

I wound up with 1.25″ of total plywood thickness under the porcelain: 1/2″ BCX plywood glued and screwed to 3/4″ oak plywood. The porcelain is adhered to the BCX plywood with SikaBond construction adhesive. It retains some flexibility when fully cured, which allows the wood to expand and contract but not lose bond with the porcelain. The frame of the top is 1″ thick solid oak pieces, glued and doweled together as a full assembly before gluing and screwing it to the top of the 3/4″ oak plywood (edging the 1/2″ BCX plywood and standing proud of it to allow the porcelain insert with adhesive). The porcelain is intentionally recessed a little bit; if I spill my coffee on the porcelain, it’ll mostly be contained on the desk. The edges of the 3/4″ oak plywood are concealed with 3/4″ x 3/4″ solid oak pieces that are glued and 18-gauge nailed to the 1″ oak frame. Hence the total top thickness is 1.75″.

I love the desk. It’s super strong and rigid. It has enough mass to avoid monitor shaking. It accommodates the Mac Studio exactly as I intended. My keyboard, trackpad and wrist rest fit under the shelf in the over-bridge. The porcelain should be impervious to my watch bands, writing instruments, coffee spills and sweating cold drink rings.

It’s also satisfying to have gone all the way from this detailed SketchUp drawing I created from scratch:

Desk design in SketchUp.
Lots of fasteners in desk design in SketchUp; dowels, pocket holes, steel guide pins into leaded bronze bushings, threaded inserts, stainless steel bolts into dowel nuts, wood screws.

To a completed desk and overbridge.

Mac Studio on one of the desks I created from scratch.
Mac Studio on the first desk I completed.

I am coming from a Middle Atlantic ELUR 84″ wide edit center desk. I’ve had it for ages. Functionally it’s been great. Aesthetically, not so much. MDF with laminate top and edged with plastic. It’s too big for the den where I want two desks, and definitely too ugly. There was a time that it spoke to me, at the right price, for my work desk. That time has passed.

However, I did take a tiny bit of inspiration from the ELUR. The distance between the side leg assemblies is similar. As is the ability to disassemble the desk (though my fastening is much more robust). The over-bridge height is about the same.

But I wanted a spot to hide away my keyboard, trackpad and wrist rest and didn’t want racks in front of me. I wanted natural looking materials. I wanted a very durable but aesthetically pleasing top surface. I wanted the over-bridge to be optional. I wanted something I could scoot on the floor without damaging the floor or the desk. And I wanted sort of a materials theme to this room. The floor is wood-look porcelain. The walls, built-ins and french doors are wood. So despite the desk porcelain being very different than the floor porcelain, the desk follows the theme: oak and porcelain.

One of the great things about being a ‘maker’ as a hobby instead of as a professional: build what you want or need, on your own timeline, with your own budget for time and money. And today we’re sort of in a golden age for makers thanks to the widespread availability of information, from how to use free or inexpensive CAD software to how to use various power tools to ordering custom machined parts online to how to get started and advance with 3D printing.

In the case of these desks I created, the ability to create detailed SketchUp drawings was very valuable; even the pocket holes are in the drawings. This gave me the reference I needed when I finally started the build. When you’re doing this in your precious ‘spare’ time, it could take many months to complete. A week of workdays between time to spend on woodworking generally erases memories of measurements, etc. And in my particular case, the ‘engineering’ part of the desk creation is as much if not more fun than the actual assembly. There are more opportunities to be creative at no cost other than time and the electricity to run the computer hosting the drawing software. I spent a LOT of time on the drawings, tweaking and refactoring until I had something I was confident would meet all of my desires. Doing this, and being able to drop the desk model into a model of the room with the other furniture I created, was very powerful and very satisfying.

It’s probably worth noting that all of my revisions are in one of my repositories. Which makes it kinda fun to see what I did over time.

This post is too long. The gist: big effort, but I’m really happy with the result. The same is true for the under-desk rack (I’ll post about that later) and the first of two rolling drawer cabinets (I’ll post about those later too).

There are various random pictures of the desk(s) during construction and completed here:

Desk photos

Making my own office furniture: part 8

I haven’t posted a furniture update in a while…

Desk #2 has been done for a while now. It’s in the den. I love it. I’m not using it yet, because I need Desk #1 to be done before I migrate my office to the den. But every time I walk by that room, I wind up walking in there to see the completed desk and run my hands over the porcelain and oak.

The base of Desk #1 has been done for a long time. It was done before I started Desk #2, but I wound up completing desk #2 before returning to work on Desk #1.

I’m now in the process of building the top for Desk #1. Tonight I routed the final edge of the top and flipped the top upside down on the bench. I then assembled the base on top of it so I can mark the bottom of the top for the threaded inserts. As a reminder, the desk breaks down into 4 pieces. Threaded inserts and bolts hold the top to the base, and the 3 parts of the base are connected via long bolts into dowel nuts and aligned via guide pins into bronze flanged bushings.

I’ll post something outside of this thread about what I think about these new custom desks.

TREBLEET Super Thunderbolt 3 Dock: First Impressions

TREBLEET Super Thunderbolt 3 Dock at Amazon


I received this on August 25, 2022. I immediately installed a Samsung 980 Pro 1TB NVMe, then plugged the dock into AC power via the included power supply brick and into the Mac Studio M1 Ultra via the included Thunderbolt 3 cable. The performance to/from the Samsung 980 Pro 1TB NVMe is what I had hoped.

This is more than 3X faster than any other dock in this form factor available today. Sure, it’s not PCIe 4.0 NVMe speeds, but given that all other docks available in this form factor max out at 770 MB/s, and that Thunderbolt 3/4 is 5 GB/s, this is great.

I also checked some of the data in system report. All looks OK.

My first impression: this is the only dock to buy if you want NVMe in this form factor. Nothing else comes close speed-wise. Yes it’s pricey. Yes, it’s not a big brand name in North America. But they did the right thing with PCIe lane allocation, which hasn’t happened with OWC, Satechi or anyone else.

There’s really no point in buying a dock with NVMe if it won’t ever be able to run much faster than a good SATA SSD (I hope OWC, Satechi, Hagibis, AGPTEK, Qwizlab and others are paying attention). Buy this dock if you need NVMe storage. I can’t speak to longevity yet, but my initial rating: 5 out of 5 stars.

Mac Studio M1 Ultra: Thanks, Apple!

I finally have a computer I LIKE to place on my desk. I’m speaking of the Mac Studio M1 Ultra.

Apple finally created a desktop that mostly fits my needs. My only wishlist item: upgradeable internal storage (DIY or at Apple Store, I don’t care).

This was partly coincidence. The Mac Studio with M1 Ultra ticks the boxes I care about for my primary desktop. Faster than my Threadripper 3960X for compiling my C++ projects while small, aesthetically pleasing, quiet and cool. 10G ethernet? Check. 128G RAM? Check. Enough CPU cores for my work? Check. Fast internal storage? Check. Low power consumption? Check.

I’m serious: thanks, Apple!

This machine won’t be for everyone. News flash: no machine is for everyone. But for my current and foreseeable primary desktop needs, it’s great. And it’ll remain that way as long as we still have accessories for Thunderbolt available that are designed for the Mac Mini or Mac Studio. This isn’t a substitute for the Mac Pro; I can’t put PCIe cards in it, nor 1.5TB of RAM (or any beyond the 128G that came with mine). It’s also way more than a current Mac Mini. But that’s the point: it fills a spot that was empty in Apple’s lineup for a decade, which happens to be the sweet spot for people like me. Time is money, but I don’t need GPUs. I don’t need 1.5TB of RAM. I don’t need 100G ethernet (though I do need 10G ethernet). I’m not a video editor nor photographer; my ideal display is 21:9 at around 38 inches, for productivity (many Terminal windows), not for media. Hence the Studio Display and the Pro XDR are not good fits for me. But the Mac Studio M1 Ultra does what I need, really well.

Some people at Apple did their homework. Some championed what was done. Some did some really fine work putting it all together, from design to manufacturing. Some probably argued that it was a stopgap until the Apple silicon Mac Pro, and that’s true.

That last part doesn’t make it a temporary product. Apple, please please please keep this tier alive. There are many of us out here that can’t work effectively with a Mac Mini, iMac or MacBook Pro but find it impossible to cost-justify a Mac Pro. And post-COVID there are many of us with multiple offices, one of which is at home. At home I don’t need a Mac Pro, nor do I really want one in my living space. I need just enough oomph to do real work efficiently, but don’t want a tower on my desk or the floor or even a rack-mounted machine (my home office racks are full).

I don’t care what machine occupies this space. But I’ll buy in this space, again and again, whereas I don’t see myself ever buying a Mac Pro for home with the current pricing structure.

Mac Studio M1 Ultra: The First Drive

Given that my new Mac Studio M1 Ultra is an ‘open box’ unit, I needed to fire it up and make sure that it works properly. One of the things I needed to check: that it works fine with my Dell U3818DW via USB-C for display. I have seen many reports of problems with ultra wide displays and M1 Macs, and I do not have a new display on my shopping list.

So on Sunday I left my hackintosh plugged in to the DisplayPort on the U3818DW, and plugged the Mac Studio into the USB-C port. It looks to me like it works just fine. I get native resolution, 3840×1600, with no fuss.

I am using a new Apple Magic Trackpad 2, and an old WASD CODE keyboard just to set things up. I don’t really need the new trackpad, since eventually I’ll decommission my hackintosh and take the trackpad from there. But I need one during the transition, and it was on sale at B&H.

With just a 30 minute spin… wow. I honestly can’t believe how zippy this machine is, right out of the box. Therein lies the beauty of using the same desktop computer for 10 years; when you finally upgrade, the odds are very good that you’re going to notice a significant improvement. In some cases, some of it will just be “less accumulated cruft launched at startup and login”. But in 10 years, the hardware is going to be much faster.

Compiling libDwm on the Mac Studio M1 Ultra with ‘make -j20’ takes 32 seconds. Compiling it on my Threadripper 3960X machine with 256G of RAM with ‘make -j24’ takes 40 seconds. You read that correctly… the M1 Ultra soundly beats my Threadripper 3960X for my most common ‘oomph’ activity (compiling C++ code), despite having a slower base clock and only having 16 performance cores and 4 efficiency cores. While using a fraction of the electricity. Bravo!

“Moore’s Law is dead.” In the strictest sense, just on transistor density, this is mostly true. Process shrink has slowed down, etc. But the rules changed for many computing domains long before we were talking about TSMC 5nm. See Herb Sutter’s “The Free Lunch is Over”. Dies have grown (more transistors), core counts have grown, clock speed has increased but very slowly when compared to the olden days. Cache is, well, something you really need to look at when buying a CPU for a given workload.

This last point is something I haven’t had time to research, in terms of analysis. If you need performant software on a general purpose computer, cache friendliness is likely to matter. Up until recently, reaching out to RAM versus on-chip or on-die cache came with a severe penalty. That of course remains true on our common platforms (including Apple silicon). However, Apple put the RAM in the SoC. For the M1 Ultra, the bandwidth is 800 GB/sec. DDR4 3200 is 25.6 GB/sec if you have 8 channels. DDR5 4800 with 8 channels is 76.8 GB/sec. Let that sink in for a moment… the memory bandwidth of the M1 Ultra is more than a decimal order of magnitude higher than what we see in Intel and AMD machines. My question: how significant has this been for the benchmarks and real work loads? If significant, does this mean we’re going to see the industry follow Apple here? AMD and Intel releasing SoCs with CPU and RAM?

I know there are tinkerers that bemoan this future. But we bemoan the loss of many things in computing. I’m going to remain optimistic. Do I personally really care if today’s CPU + RAM purchase turns into an SoC purchase? To be honest, not really. But that’s just me; computing needs are very diverse. Those of us who tinker, well, we might just wind up tinkering with fewer parts. I don’t see the whole PC industry reversing any time soon in a manner that creates a walled garden any more than what we have today. It’s not like the current industry hasn’t been good for Intel and AMD. Yes, computing needs have diversified and we’ve put ‘enough’ power into smaller devices to meet the needs of many more consumers. And Intel and AMD have largely been absent in mobile. But they’ve maintained a solid foothold in the server market, cloud infrastructure, HPC, etc. As a consumer I appreciate the diversity of options in the current marketplace. We speak with our wallets. If we’re a market, I trust we’ll be served.

Apple turned heads here. For some computing needs (including my primary desktop), it appears the M1 Mac Studio is a winner. It doesn’t replace my Linux and Windows workstation, nor any of my servers, nor any of my Raspberry Pis. But for what I (and some others) need from a desktop computer, the M1 Mac Studio is the best thing Apple has done in quite some time. It hits the right points for some of us, in a price tier that’s been empty since the original cheese grater Mac Pro (2006 to way-too-late 2013). It also happens to be a nice jolt of competition. This is good for us, the consumers. Even if I never desired an Apple product, I’d celebrate. Kudos to Apple. And thanks!