Update your LookingGlass installations!

Seems like the 'industry standard' network looking glass now faces a pretty nasty XSS vulnerability, as seen here.

An RDNS XSS was disclosed which has been patched by a temporary fix (thanks ldrrp). To patch, simply replace LookingGlass/LookingGlass.php with the patched version found here: LookingGlass.php

A maintenance/security release will be issued before 2015-01-26, which will include a number of patches for v1.

An example of the XSS attack:

An example of a patched LG:
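The defect class behind the rDNS issue above, as an added illustration written for this page (it is not code from the LookingGlass project and does not reproduce the actual patch): a PTR name returned by a reverse lookup is chosen by whoever controls the reverse zone for the probed address, so it is untrusted input and has to be HTML-encoded at the point where it is written into the page. The function names, the sample IP and the sample PTR string are all hypothetical and constructed for the demonstration.

```php
<?php
// Added illustration, not LookingGlass project code. Shows the vulnerable
// shape (raw PTR concatenated into HTML) next to the hardened shape (encoded
// at the output boundary, plus a hostname sanity check as a backstop).
// All names below are hypothetical.

// Constructed sample: a documentation address (RFC 5737) and a PTR record
// that carries HTML markup. In a real lookup the PTR would come from
// gethostbyaddr(); the markup stands in for any injected content.
const SAMPLE_IP  = '192.0.2.10';
const SAMPLE_PTR = 'host.example.net<i>injected</i>';

// Vulnerable shape ("before"): the PTR string goes straight into the markup,
// so any tags it contains become part of the rendered DOM.
function renderRdnsVulnerable(string $ip, string $ptr): string
{
    return "<tr><td>{$ip}</td><td>{$ptr}</td></tr>";
}

// Hardened shape: HTML-encode every untrusted value at output time.
// ENT_QUOTES also encodes quotes, so the value is safe inside attribute
// values as well as in text nodes.
function renderRdnsSafe(string $ip, string $ptr): string
{
    $safeIp  = htmlspecialchars($ip,  ENT_QUOTES | ENT_HTML5, 'UTF-8');
    $safePtr = htmlspecialchars($ptr, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return "<tr><td>{$safeIp}</td><td>{$safePtr}</td></tr>";
}

// Defence in depth: a PTR target is supposed to be a hostname (labels of
// 1-63 letters, digits or hyphens, joined by dots, at most 253 characters).
// Anything else is replaced by a neutral marker, so odd data never reaches
// the page even if some output path forgets to encode.
function isPlausibleHostname(string $name): bool
{
    $label = '[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?';
    return strlen($name) <= 253
        && preg_match("/^{$label}(?:\\.{$label})*\\.?$/", $name) === 1;
}

function sanitisedPtr(string $ptr): string
{
    return isPlausibleHostname($ptr) ? $ptr : '(invalid PTR record)';
}

// Render the constructed sample all three ways so the difference is visible
// on the command line.
echo "vulnerable: ", renderRdnsVulnerable(SAMPLE_IP, SAMPLE_PTR), PHP_EOL;
echo "encoded:    ", renderRdnsSafe(SAMPLE_IP, SAMPLE_PTR), PHP_EOL;
echo "validated:  ", renderRdnsSafe(SAMPLE_IP, sanitisedPtr(SAMPLE_PTR)), PHP_EOL;
```

Run it with `php` on the command line. Output encoding is the actual fix; the hostname check is only a backstop, because a PTR record is allowed to contain characters the regex rejects, and rejecting them should degrade to a placeholder rather than to raw output. The same rule applies to every other field a looking glass echoes back, such as the target the visitor typed and each hop reported by traceroute.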

Comments

  • 0xdragon (Member), edited January 2015

    Again, lol.

  • We need a better LG.

    Thanked by 1: Maximum_VPS
  • DalekOfSkaro said: We need a better LG.

    No pls, don't make another one. I wish people just focused on one product and made it secure, instead of creating forks and adding tons of unneeded features that leave the software with even more vulnerabilities.

    At least auto-update would be nice.

    Thanked by 2: Maximum_VPS, Asim
  • I've been meaning to try out Ramnode's fork of looking glass https://github.com/ramnode/LookingGlass

    Thanked by 1: Nick_A
  • 4n0nx said: No pls, don't make another one. I wish people just focused on one product and made it secure, instead of creating forks and adding tons of unneeded features that leave the software with even more vulnerabilities.

    Honestly, I agree with forking for the purpose of contributing improvements to the original purpose, or writing something completely clean-room to provide for a more liberal license (say... MIT instead of GPL for instance). Or in the case of incompetence.

    4n0nx said: At least auto-update would be nice.

    Honestly, I agree with easy updates, but auto update just introduces an attack vector.

  • The RamNode version seems interesting. I'll give it a whirl today!

    Thanked by 1: Asim
  • Rallias said:

    Honestly, I agree with easy updates, but auto update just introduces an attack vector.

    Yeah but all repositories are an attack vector as well, right? I'd like an auto update one can set to install x hours or days after the update was released. Enough time for malicious updates to be spotted.

    Thanked by 1: Maximum_VPS
  • @MarkTurner nice of you to point out the obvious and recommend others ....

  • I was actually debating adding more features to the current looking glass.

  • This 'Telephone' looking glass isn't really a looking glass per se. It doesn't have any BGP data available. It's just a web ping/traceroute tool.

    Thanked by 2: ldrrp, linuxthefish
  • @MarkTurner true, but you can very easily modify it to at least output AS numbers in traceroute. And who says there should be the possibility to query BGP in a looking glass?

  • MarkTurner (Member), edited January 2015

    The historic reason for LGs was for netops to be able to check routing announcements. If you go back to the very first LGs like BBN, Ameritech, MAE East/West, UUNet then these didn't have traceroute. It was bgp route, bgp regex, ping and on some of the IXP RS's you had bgp summary.

    Being able to see the routes available at a location is more useful/critical than seeing the current route.

    For example looking at our connectivity to DigitalOcean, I can see direct connectivity via NYIIX, DECIX and that we've learnt the routes directly and from the routeservers.


    inet.0: 516758 destinations, 656623 routes (71079 active, 0 holddown, 516568 hidden)
    + = Active Route, - = Last Active, * = Both

    162.243.0.0/17     *[BGP/170] 3w1d 18:56:10, MED 105, localpref 250
                          AS path: 62567 I
                          to 206.130.10.9 via te-7/1/0.0
                        [BGP/170] 10w2d 12:21:00, MED 105, localpref 250
                          AS path: 62567 I
                          to 198.32.160.170 via te-0/2/0.0
                        [BGP/170] 10w2d 12:21:33, MED 105, localpref 250, from 198.32.160.1
                          AS path: 62567 I
                          to 198.32.160.170 via te-0/2/0.0
                        [BGP/170] 10w2d 12:21:33, MED 105, localpref 250, from 198.32.160.2
                          AS path: 62567 I
                          to 198.32.160.170 via te-0/2/0.0
                        [BGP/170] 3w1d 18:56:01, MED 105, localpref 250, from 206.130.10.252
                          AS path: 62567 I
                          to 206.130.10.9 via te-7/1/0.0
                        [BGP/170] 3w1d 18:56:09, MED 105, localpref 250, from 206.130.10.253
                          AS path: 62567 I
                          to 206.130.10.9 via te-7/1/0.0
    Thanked by 1: aglodek
  • @MarkTurner compare the number of people who know what BGP is to the number of people who know traceroute / ping :) I agree that a BGP capable looking glass is nice, but... it's for network carriers, not for hosting providers. We stopped our BGP looking glass years ago when we started using VRFs (the code wasn't compatible with VRFs and it was not worth it to rewrite it).

  • @rds100 - true but people are getting more savvy; and with that savviness will come the desire to study routes.

    When I started in this business, people didn't even know what the Internet was, Internet access was over a 9600 baud modem and most leased lines were multiples of 64Kbps. In a short 15 years DSL/FTTH has come, 3G/4G is ubiquitous and people are beginning to understand how to differentiate between network operators.

  • @MarkTurner maybe I'll add BGP then... hopefully the repo manager accepts the pull request.

  • Thanks, updated.

  • Nick_A (Member, Top Host, Host Rep)

    Yeah, check out ours :)

  • Nick_A (Member, Top Host, Host Rep)

    rds100 said: @MarkTurner true, but you can very easily modify it to at least output AS numbers in traceroute. And who says there should be the possibility to query BGP in a looking glass?

    Ours now has the ASN displayed in traceroute. Thanks for the idea.
