-
christian
What is o.j.n?
-
Martin
observe.jabber.network
-
jonas’
tom, I’m not going to make monitoring data of domains public without their consent, buuut: https://github.com/horazont/xmppobserve-web/issues/3
-
jonas’
Problem is with exposing that data without also exposing the monitoring data of all my private services, as the infrastructure is currently shared
-
jonas’
I have another box I could use to help with that, but its availability is questionable, so I’m hesitant there
-
jonas’
I need to check the memory use on the new monitoring box and whether it’d allow me to split the TSDB in two instances there
-
jonas’
I already have a closed beta where ojn users can access their own monitoring data in a grafana instance ... but that still has too many issues (so registrations for that are currently closed and that’s also why it’s not advertised anywhere)
-
jonas’
hoping to improve on all that in the future, but Prometheus is not really made for tenant separation and running a separate instance for each user is going to be too expensive. So I’ll most likely have to roll my own proxy in front of that which correctly isolates the data
-
neox
Hi everyone. As a reminder (just in case) I am the operator of the chapril.org server. I have had user feedback that audio/video calls do not work when both parties are using 4G (LTE). They can only connect if at least one of them is behind a NAT (for example using wifi or ethernet). What could be the problem? (We use ejabberd)
-
jonas’
add a TURN server
-
jonas’
I think your observation is incomplete; 4G/LTE is very likely to be a CGNAT which tend to be worse for peer to peer connectivity than "classic" NATs.
-
jonas’
so while "classic" NATs can sometimes be worked around either via proper IPv6 support or hole punching, CGNATs are nasty
-
jonas’
and a TURN server helps with that
-
jonas’
when you deploy a STUN/TURN server pair, please pick a random port number (e.g. from the range 8192 -- 32768); the standard port number is being abused in DDoS attacks.
-
jonas’
neox, ^
-
neox
jonas’, well... I didn't know about CGNAT, thank you. We already activated the ejabberd internal TURN server, and it relays data successfully, so perhaps it is misconfigured for that special case?
-
jonas’
neox, how do you know that it is relaying data successfully?
-
neox
jonas’, I see that in the ejabberd logs
-
jonas’
what do you see?
-
neox
jonas’, an amount of data relayed
-
jonas’
I don’t know how and what exactly is measured there
-
jonas’
have you run the tests described in https://gist.github.com/iNPUTmice/a28c438d9bbf3f4a3d4c663ffaa224d9 ?
-
jonas’
or more specifically: https://gist.github.com/iNPUTmice/a28c438d9bbf3f4a3d4c663ffaa224d9#testing
-
jonas’
I had a subtle misconfiguration in my TURN setup which made everything look great except when used via XMPP (typo in the prosody configuration---so probably not directly relevant to you)
-
neox
jonas’, thank you very much. I did not check with those tools, I'm doing it right now
-
jonas’
good luck! :)
-
balabol.im
> when you deploy a STUN/TURN server pair, please pick a random port number (e.g. from the range 8192 -- 32768); the standard port number is being abused in DDoS attacks.
Ah, that's what it is. I see strange traffic on 3478/udp ~15-25kbps from time to time...
-
jonas’
balabol.im, yeah, that seems related
-
balabol.im
jonas’: I'll try to change the port number, thanks for the advice :)
-
jonas’
balabol.im, make sure to also change the "alt" port number and set it to the main port number plus one
-
balabol.im
jonas’: hmm... I don't remember setting the _alt_ port... you mean turn tcp/5349? ... maybe you're talking about prosody?
-
jonas’
no, alt port is 3479 by default
-
jonas’
if you’re using coturn, it is literally called `alt-xyz-port`
-
rob
Oh that's good to know, I only changed the regular port
-
balabol.im
No, I use ejabberd with the built-in TURN. AFAIR there wasn't an _alt_ port
-
octagon
> when you deploy a STUN/TURN server ... the standard port number is being abused in DDoS attacks.
TURN is authenticated, isn't it?
-
jonas’
yeah
-
jonas’
and that makes it worse
-
jonas’
or well, the protocol around authentication makes it worse
-
jonas’
the problem here is that you can send a 20 byte UDP packet to a STUN server and get 100 bytes back
-
jonas’
so for every byte of traffic sent to the STUN server, it emits 5 bytes.
-
octagon
Even without access?
-
jonas’
yes
-
jonas’
that’s just STUN
-
jonas’
with TURN and auth it gets worse, because the "not authorized" message is even larger
-
octagon
That is concerning
-
jonas’
exactly
-
jonas’
and UDP being UDP, an attacker can spoof the source address if their ISP is crappy (or suitable, depending on how you look at it) and thus make the reply go wherever they want
-
jonas’
and there is no way to track them down except with very sophisticated techniques basically requiring cooperation of the entire internet.
-
jonas’
then again, STUN is pretty good still with an amplification factor of 5:1
-
jonas’
given that any random authoritative DNS server will probably have a better yield
-
jonas’
and you can’t move *those* to a random port.
-
octagon
Is it viable to disable UDP? Is voice over TCP that inefficient?
-
jonas’
not viable, ICE works over UDP
-
jonas’
and yeah, voice over TCP is bad. A single dropped packet will cause a massive delay and will take a while to recover from, also bandwidth-wise
-
jonas’
while a single dropped packet with UDP may not even be noticeable if the codec does forward error correction.
-
octagon
Thanks for the clarification
-
jonas’
but the actual media stream is irrelevant here, because that only happens post-auth
-
jonas’
the problem is the parts needed during ICE, before anything has been negotiated
-
jonas’
this is clearly a design flaw in STUN/TURN.
-
jonas’
"not authorized" should not cause any reply in UDP-based protocols.
-
jonas’
but here we are
-
balabol.im
jonas’: thank you for explaining, it was very interesting to know
-
jonas’
you’re welcome
-
rob
> Oh that's good to know, I only changed the regular port
I forgot I didn't open that port, so it doesn't matter in my case
-
jayteeuk
I know I mostly lurk here, but this ☝ is exactly why I continue to lurk. I love how informative and educational it is. ♥
-
Holger
jonas’:
> this is clearly a design flaw in STUN/TURN.
> "not authorized" should not cause any reply in UDP-based protocols.
Yeah, the problem is how STUN/TURN auth is challenge-response. The server won't know whether the response will be valid before sending a challenge to the possibly spoofed IP address.
-
tom
Mmm
-
tom
Edumacayshun
-
tom
Gosh, my computer keeps hanging, despite the onboard Intel watchdog being armed
-
tom
It locks up to where not even the Num Lock key works on a PS/2 keyboard, despite the keyboard being directly wired to the second-highest interrupt
-
tom
Below timer
-
tom
I have to press reset on the physical board, which doesn't do anything for 15 seconds and then kills power
-
tom
During the hang POST code is still 00
-
tom
Do Intel watchdogs have to be tickled a certain way or something?
-
tom
Could this be due to bad RAM timings?
-
mimi89999
Establishing a secure connection from muc.tigase.org to lebihan.pl failed. Certificate hash: 6309c033094e3d8fb71d4dea59197ac81bd38240a4c03a68c10fee75fc09ac47. Error with certificate 0: certificate has expired.