Slashdot Mirror


How Can You Screw up a Network?

aztektum asks: "Like a lot of Slashdot readers, I have set up my own home network. It isn't tricked out with all the fanciest hardware, but I do have a switch, BSD-based firewall, I have configured e-mail (again on BSD), NFS and Samba, as well as remote access services like SSH and FTP. Now my line of work isn't networking or computer related at all. This is a personal hobby and a fairly new one for me (relatively speaking compared to others). I'm looking to learn more about managing problems with networks, but have no idea where to start. With such a small setup and only supporting two users (myself and a roommate) this isn't exactly enterprise level with enterprise level ups and downs. What are some ways I can screw up my network to troubleshoot problems and gain some insight? Also, what are some reference materials that you have found to be educational with relation to network administration?"

25 of 87 comments

  1. Your roommate's computer by PM4RK5 · · Score: 2, Funny

    Use a very small piece of scotch tape, and place it over only the right or left four copper traces on the end of an ethernet cable. Then plug the cable back into its jack.

    When done right, it will take a VERY long time for your roommate to realize why the network isn't working quite right.

    1. Re:Your roommate's computer by lanswitch · · Score: 3, Funny

      This guy is an expert in network management. His site contains lots of useful tips.

  2. Reference Materials by pyrrhonist · · Score: 2, Funny
    Also, what are some reference materials that you have found to be educational with relation to network administration?

    This should help with Windows networks.

    --
    Show me on the doll where his noodly appendage touched you.
  3. Clone some ethernet NICs by HotNeedleOfInquiry · · Score: 2, Informative

    With the same MAC number and try to use them.

    --
    "Eve of Destruction", it's not just for old hippies anymore...
  4. Give us access by pv2b · · Score: 2, Funny

    Open sshd to permit access from the outside world, as well as root logins. Then post your root password and your IP address in a reply to this thread.

    That is bound to screw *something* up sooner or later.

  5. Screw up networks by secolactico · · Score: 3, Funny

    Install windows 2000 + IIS 5, no service pack, on one machine.

    Install solaris 2.6 or 2.7, default install (full + OEM). Don't patch anything. Don't close any service.

    Ditch the firewall.

    Wait 10 minutes.

    Presto.

    But seriously, with a network that simple, the only problems you are likely to encounter are mis-configuration on the firewall and physical (wiring) trouble.

    --
    No sig
  6. Humor by flood6 · · Score: 3, Funny
    What are some ways I can screw up my network


    -You should have hosted a site on it and posted the link.


    -Go buy some new Sony CDs


    I couldn't decide which response was funnier, so you get them both.

  7. Slashdot Effect by _Splat · · Score: 2, Funny

    Put up a web server and link it from /. For added effect, get it linked from fark.com as well.

    Duh.

    --
    -Splat
  8. Better Yet, by Doc+Squidly · · Score: 2, Funny

    Put all the user and computers in Active Directory in the Domain Controller OU.

    Yes, I've seen it done.

    --
    I think I think, therefore I think I am.
  9. just a few thoughts by Hardwyred · · Score: 2, Interesting

    Take a hub and plug it into your switch. You have to use a hub for this to work, or if you have a really cheesy switch I guess it could work without the hub. Now take an ethernet cable and plug both ends into the hub. Voilà, instant layer 2 loop.
    Run an ethernet cable (yours perhaps) next to a space heater/box fan/large electric motor of your choice. Periodically turn that motor on and off. Instant link loss due to a spike on the line. WARNING, this one could jack up your switch/computer so be sensible.
    If you are really green, give your roommate and your computer the same IP.
    Take a short ethernet cable and untwist it (take it out of its shielding and untwist the wires). Put it back together in various ways and see how fast/slow your download rates become.

    --
    www.linux-skunkworks.com
  10. Just wait, it'll screw itself up. by dtfinch · · Score: 4, Informative

    Eventually hardware fails, always. Notice the signs that something is about to fail so that you can replace it in a timely manner and with little downtime, or none in some cases. If you know you'll have to take a server down, figure out how to replace it without data loss or downtime. With an MSDFS root, which Samba does well, phasing out a dying or obsolete server is relatively easy. Otherwise, you'll just have to fiddle with the DNS and maybe give the new server the same IP. You can also look into clustering, but the cost and complexity can be prohibitive for smaller companies, and possibly for home experimentation.

    Always keep good backups. If someone comes to you and says they deleted an important file last week, be able to get it back without a full restore. Also, be able to do a full restore of a server, and know it'll work. If the server catches fire, have a plan to replace it within the hour.

    Make some ethernet cables. Buy some raw cable, and end plugs, and put them together the right way. The ordering is very important. Not only must each end match, but the color coded twisted wire pairs must be arranged in a certain, non-obvious way or else you'll experience severe noise and crosstalk problems.

    Mix older (bargain) gigabit hardware, different brands. Some card-switch or switch-switch combinations have slightly hard to diagnose problems. If you ping, you'll have zero packet loss. But if you transfer a file, sometimes speed will drop down to 20kb/s or so, and it'll only happen in one direction. I've seen buggy drivers cause this too. When packets are sent in rapid sequence, every other packet is lost, and the send window shrinks until it's sending only one packet at a time, and waiting for an ack before sending the next.

    Get a really, really long ethernet cable and use it to plug a windows pc to a switch. Let it autodetect the speed. If it's long enough, it'll still detect 100mbit or 1 gigabit, and then fail to connect. You'll have to force it to 10mbit, or get better cabling, or use a switch, hub, or some other repeater to break it into two short connections.

    Again, get a really long ethernet cable, and put a sharp kink in it. You do this by making a small loop, then trying to force it straight by pulling instead of carefully undoing the loop. Line quality will suffer dearly, even though you may still be able to connect. The best fix is often to buy a new cable. Any sort of sharp bend will cause problems.

    Have fun with Windows name resolution. Windows PCs seem to be able to find each other pretty well just using WINS or broadcasts, but only after checking DNS first, which goes out to your ISP's servers if you don't have your own DNS server(s) set up. These requests tend to fail almost immediately without delay, so the issue can go unnoticed. This allows your network to be hacked a bit more easily from the outside, and also allows internet problems to translate into delays in local name resolution. This sort of problem is easy to create and easy to fix, and plagues some small businesses that lack experienced or knowledgeable IT staff.

  11. Re:Easy way by Daxster · · Score: 2, Funny
    http://www.fiftythree.org/etherkiller/

    Try this at home, really! One day the local salesmen reps of a major networking company (that rhymes with Nabisco) came by to talk to my boss. Since he was on the phone they came in and talked to me so I showed them the etherkiller. I think it scared the shit out of them. I also got yelled at by my boss since he thinks we might not ever get warranty support again.
    --
    Death by snoo-snoo!
  12. The problem with managing problems... by mysidia · · Score: 3, Informative

    Is you need more nodes and more complexity -- your network is too simple, so there is fairly little that can go wrong compared to real networks.

    Try reinstalling and switching your systems' OSes, especially the BSD firewall's -- provided your hardware and wiring are good, the OS is the most likely thing to mess up anyways.

    I.E. Are you sure BSD is the best OS to use for that firewall? Maybe trying to run the firewall off of VMS or something else could have interesting results.

    Increase the demand on your network is the main thing; if you don't get to have problems, you can always try to tune for performance, stability, security, by switching things around and changing configurations --- try to find as many configurations that work as possible and figure out what works best.

    Figure out the way to add as many units as possible and to make the network arrangement as complex and spread out as possible --- the more complexity, the more devices, nodes, etc, involved -- the more likely _something_ will go wrong; find a way to get 3 or 4 windows machines in there with serious demands on them, and something's almost certain to break.

  13. Cable tricks and other tricks by Kymermosst · · Score: 3, Interesting

    Take an ethernet cable and flex it back and forth (crease-style). Works best with solid conductor cable (I hardly ever see braided anyway). Chances are you'll seriously thin out or break a wire, and if it's one of the right four, you'll have issues.

    Two DHCP servers on the same LAN is fun.

    Plug a crossover cable between two ports on your switch. See what happens (most should disable both ports, but some freak out).

    Crimp your own ethernet cables. That leads to all kinds of fun the first few times you try it.

    Meh.. I'm not good at breaking stuff, that's all I can think of.

    --
    "Alcohol, Tobacco, Firearms, and Explosives" should be a convenience store, not a government agency.
    1. Re:Cable tricks and other tricks by anticypher · · Score: 2, Interesting

      Crimp your own ethernet cables

      I have a box of subtly bad ethernet cables from a reputable commercial source (it's now marked "special cables for special lusers"), nice molded strain reliefs with tab protectors.

      Normal straight through ethernet cables are wired like this:
      1->1
      2->2
      3->3
      6->6

      These cables are wired similar to:
      1->1
      2->2
      3->6
      6->3

      There are also some crossovers with similar polarity problems.

      With just one of the directions having the wrong polarity, depending on which brands of NICs on each end, there are all kinds of bizarre problems. Sometimes things work (cisco to intel, but not with auto-negotiate), sometimes you get errors (realtek 81x9), sometimes link status doesn't come up in one direction but is fine in the other direction, sometimes nothing at all works.

      I hand these out to people I don't like, those who beg cables off me for "just a few days".

      the AC

      --
      Hemos is like...sci-fi fans;he thinks technology is cool, but he hasn't bothered to understand the science it's based on
  14. Try building a firewall script... by hand... by WoTG · · Score: 3, Interesting

    OK, maybe this is flamebait... maybe not.

    The first time I tried to set up a really locked down network (i.e. better than a NAT by allowing specific outgoing traffic only) I screwed up royally. Actually, I still would have significant difficulties without a good GUI.

    For a crash course in the difference between UDP and TCP and how IP ports work and what NATs do, IMHO, there's nothing better than actually trying to create a "secure" firewall that still lets you do the stuff you normally expect. E.g. email, web, P2P (take your pick), streaming media, DNS resolution (which is way more complex than I would have imagined).

  15. setup a honeynet and queueing by pr0m · · Score: 3, Interesting

    set up a honeynet on a network that connects to the internet through the same router as your private lan. i found this challenging because i had to think of the worst-case scenarios to mitigate with the firewall on the router. be sure to implement a working queue with altq so that your private network gets a higher priority than the honeynet on outbound traffic. it's also interesting because you learn about how "hackers", "crackers", and "script kiddies" launch attacks and what they do with the machines that they take over.

  16. guest account by dimss · · Score: 4, Interesting

    Create SSH-accessible "guest" account on your router or server. Set password to "guest". They will come to your network within 24 hours. Make sure they can't do much with this account! Most probably they will try to download local exploits and other nasty tools.

    I have created "guest" account on my Linksys router three days ago. Someone from Romania discovered this account next morning. They downloaded some binary files and tried to run them. Idiots! Binaries were for i386 but Linksys router is MIPS :)

  17. UPS by Alef · · Score: 2, Funny
    [...] with enterprise level ups and downs.

    Did anyone else read that as Uninterruptible Power Supply?

    I actually pondered for a brief second on what a "down" was...

  18. How do I screw up a network? by anticypher · · Score: 5, Informative

    By touching it. There's always an assistant named Murphy looking over my shoulder, but she usually waits until I'm in the shower or leaving on vacation before "helping".

    Your question is really "How do I introduce layer 1 and 2 problems into my home LAN, since all layer 3 routing is limited to a NAT box with a single default route?". The lower layers are a good place to start, since half of all your problems come from there, save the routing problems for a future ask/. question.

    Others have already pointed out the joys of having dueling DHCP servers, subtly mis-configured DNS servers, overlength cables and the like. Keep an eye out for others throwing out bad ethernet cables with broken catch-tabs, frayed insulation, sharp kinks or intermittent wiring, and put them into critical places in your network. They may not fail right away, but will wait until you host a lan party at your place or you have a few hours to get a report done. Her name is Murphy, she's a bitch and she'll gladly pay you a visit when you least want her around.

    Start to learn what kind of traffic is on your local network. Get ethereal, snort and ntop running, and see what the packets look like. Chances are you'll find some things that look suspicious, you'll learn a lot by figuring out how DHCP handshakes work, how often ARPs happen, what other protocols are on your net besides IP. Since you are running a BSD, you can pretty safely put the box on the outside of the firewall (it probably is the firewall) and watch all the constant crap scanning the internet. That's a great way to learn how to tune firewall rules by hand, and you will break things along the way.

    To really start to learn how layer 2 networking almost works, grab some old cisco kit off of eBay. I've seen 2900 switches for US$20. Plug something slightly pro into your network, start simple, just get a cheap used cisco/hp/3com switch off eBay that can do 802.1q vlans, spanning-tree, and snmp. Your BSD ethernet card can be configured to do .1q, so there is a lot of learning there by creating multiple separate vlans, one for each machine. A single router and switch with 802.1q vlans can make some pretty complicated networking topologies without massive amounts of wiring. Then you can break your network by plugging a crossover cable into two ports and watching spanning tree open up one of them. Bonus points if you create a topology where by creating a spanning tree loop, your main gateway or server port is the one that goes into blocking mode (you need a minimum of two switches to do that).

    To break things in subtle and non-obvious ways, try changing your address ranges from the usual 192.168.0.0/24 to something unusual like 172.31.255.16/29, doing the netmask/subnet/broadcast calculations in your head for practice. Then misconfigure the netmasks on each device, notice how one machine can ping another, but not the other way around. Try building multiple separate segments rather than multiple subnets on a single wire, this will force traffic to use your router, and really show netmask problems more clearly.

    To really break things, instead of using reserved RFC1918 addresses behind your NAT box, use a public network range like 66.35.250.0/24. Sure, it will break one major site, but you shouldn't be wasting your time there :-)

    Since you already have a BSD running, do you leave it on 24/24? If so, it's time to start loading up the real tools like cacti, nagios, and smokeping. It helps if you have an SNMP capable switch on your network, but configuring your own SNMP can be quite a learning experience as well. With graphs showing what is happening on your net and the internet over time, you will start to see the cycles of congestion every evening and maintenance times every sunday at wee hours. The most frustrating problems in networkin

    --
    Hemos is like...sci-fi fans;he thinks technology is cool, but he hasn't bothered to understand the science it's based on
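
The netmask arithmetic and the mismatched-mask experiment from the comment above, as an added example that is not part of the original post. The host addresses, the wrong /30 mask and the gateway address are constructed assumptions; only 172.31.255.16/29 and 66.35.250.0/24 come from the comment.

```python
import ipaddress

def subnet_facts(cidr):
    """Network, broadcast, netmask and usable hosts for a CIDR block."""
    net = ipaddress.ip_network(cidr, strict=False)
    return {
        "network": str(net.network_address),
        "broadcast": str(net.broadcast_address),
        "netmask": str(net.netmask),
        "hosts": [str(h) for h in net.hosts()],
        "rfc1918": net.is_private,
    }

def on_link(iface, ip):
    """True if a host configured as `iface` (address/prefix) treats `ip` as local."""
    return ipaddress.ip_address(ip) in ipaddress.ip_interface(iface).network

def next_hop(iface, dst_ip, gateway):
    """Forwarding decision a host makes from its own address and mask alone."""
    if on_link(iface, dst_ip):
        return "direct"           # host ARPs for the destination itself
    if on_link(iface, gateway):
        return "via " + gateway   # host ARPs for the router instead
    return "unreachable"          # configured gateway is outside the host's subnet

def compare_views(a_iface, b_iface, gateway):
    """Each host's decision for reaching the other; a mismatch explains lopsided pings."""
    a_ip = str(ipaddress.ip_interface(a_iface).ip)
    b_ip = str(ipaddress.ip_interface(b_iface).ip)
    return {
        "a_to_b": next_hop(a_iface, b_ip, gateway),
        "b_to_a": next_hop(b_iface, a_ip, gateway),
    }

# Constructed lab addressing inside the /29 named in the comment.
GATEWAY = "172.31.255.17"
HOST_A = "172.31.255.18/29"   # correct mask
HOST_B = "172.31.255.21/30"   # misconfigured: prefix one bit too long

if __name__ == "__main__":
    for key, value in subnet_facts("172.31.255.16/29").items():
        print(f"{key:10} {value}")
    print(compare_views(HOST_A, HOST_B, GATEWAY))
    print("66.35.250.0/24 is RFC1918:", subnet_facts("66.35.250.0/24")["rfc1918"])
```
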
  19. Combine your ssh remote login with poor passwords by jonadab · · Score: 4, Informative

    Your ssh remote login *will* get noticed by port scanners, and both dictionary and brute force attacks will be made against it, particularly if it is running on the standard port (22 IIRC). You can help the attackers to compromise your system if any of the passwords of any of the users who can log in in this fashion -- especially passwords on accounts the attackers can guess must exist, such as your own preferred username or an account that is usually present on most systems, and extra-especially the root account -- are attackable via dictionary or brute force. For instance, if one of these users has a password that is only ten characters long and contains only letters, that is a potential point of entry onto your network. On the other hand, if you want to *prevent* them from getting in, use passwords that are longer, contain non-alphabetic characters, and not based on dictionary words (but pronounceable so that you can easily remember them), e.g., passwords like Frolliga_Bruckenovich or grazzivian-CHOXXI or SpoyBan8CritNox or cetera. (I don't mean these specific examples, but hopefully you get the idea -- passwords that are hard to brute-force don't have to be hard to remember. The more paranoid you are, the more syllables you add, and remember that a certain amount of paranoia is part of any sysadmin's job description.)

    Another thing you could do to allow attackers to gain access is to completely ignore security bulletins and never install updates.

    --
    Cut that out, or I will ship you to Norilsk in a box.
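
The password guessing described in this comment and in the "guest account" comment shows up plainly in sshd's authentication log. The following added example (not part of either post) summarises failed and accepted password logins per source address; the log lines, host name, usernames and addresses are constructed samples in the usual OpenSSH message format, and the threshold of three failures is an assumption.

```python
import re
from collections import defaultdict

# Matches OpenSSH "Failed password" / "Accepted password" messages.
LINE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

# Constructed sample log (documentation address ranges, made-up users).
SAMPLE_LOG = """\
Nov 12 03:14:01 gw sshd[4101]: Failed password for root from 203.0.113.7 port 51200 ssh2
Nov 12 03:14:04 gw sshd[4103]: Failed password for invalid user admin from 203.0.113.7 port 51202 ssh2
Nov 12 03:14:07 gw sshd[4105]: Failed password for invalid user test from 203.0.113.7 port 51204 ssh2
Nov 12 03:14:10 gw sshd[4107]: Accepted password for guest from 203.0.113.7 port 51206 ssh2
Nov 12 08:30:15 gw sshd[4200]: Failed password for alice from 198.51.100.23 port 40112 ssh2
Nov 12 08:30:21 gw sshd[4200]: Accepted password for alice from 198.51.100.23 port 40112 ssh2
"""

def analyse(log_text, threshold=3):
    """Return per-source stats for addresses with at least `threshold` failures.

    A login accepted from a source that has already reached the threshold is
    recorded separately: it is the pattern of a guessed password, not a typo.
    """
    stats = defaultdict(
        lambda: {"failed": 0, "users": set(), "accepted_after_failures": []}
    )
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        entry = stats[m["ip"]]
        if m["result"] == "Failed":
            entry["failed"] += 1
            entry["users"].add(m["user"])
        elif entry["failed"] >= threshold:
            entry["accepted_after_failures"].append(m["user"])
    return {ip: e for ip, e in stats.items() if e["failed"] >= threshold}

if __name__ == "__main__":
    for ip, entry in analyse(SAMPLE_LOG).items():
        print(ip, entry["failed"], sorted(entry["users"]),
              "COMPROMISED:" if entry["accepted_after_failures"] else "",
              entry["accepted_after_failures"])
```
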
  20. Re:etherkiller myths by anticypher · · Score: 2, Interesting

    Etherkillers shouldn't cause any immediate problems for anything up to 240V, you really need 480V or higher to start frying things. Electrical safety laws require isolation of up to 500VAC for a period of 48 hours, hence the isolation block on all NICs. The point where a card will start to smoke is usually higher than the breakdown voltage on the insulation of the wiring, cat5 or cat6 will break down at 350-600VAC, so it's difficult to get enough voltage directly into a NIC to cause anything spectacular to happen. That I'm conversant in such matters is a good indication not to ever get me in a bad mood.

    I once worked in a building that was on three phase power, where the outlets in each of the two wings off the main building were on different phases. The main wiring closet was in the main building, and the end points were plugged into PCs and hubs on a different phase. So there was 138VAC between the PCs and the main ethernet switches. NICs in PCs would last a few weeks before quietly failing, ports in switches lasted about two months. Every 3 months or so the company would just have to replace an entire 24 port blade. It was cheaper for them to keep their smartnet contracts up to date than to insist on an electrician fixing the problem since their lease was almost finished. The company that followed them into the building nearly burned it down the first week because of the improper electrical wiring, and much hilarity ensued.

    the AC

    You should have tried harder to destroy the PIX

    --
    Hemos is like...sci-fi fans;he thinks technology is cool, but he hasn't bothered to understand the science it's based on
  21. Start from the bottom, and work your way up. by amper · · Score: 4, Informative

    Wow. Taking a brief look at the responses here, I can't believe how complicated most of the answers are.

    You want to know what makes a network tick? Start from the bottom and work your way up. That is, follow the OSI Protocol Stack Model, and start from Layer 1, the Physical Media, and learn why it is that Ethernet (or your choice of PHY) works the way it does. Then move up to Layer 2, the Data Link Layer, which in the case of Ethernet would be CSMA/CD, then move up to Layer 3, the Network Layer, which in most cases these days is TCP/IP (though TCP/IP really sort of covers Layer 4, the Transport Layer, as well).

    Allow me to suggest the many excellent books by O'Reilly that will tell you everything you need to know.

    Do not use the Cisco or Microsoft books. While most of the information there will be correct, some of it will be specific to Cisco and Microsoft's proprietary implementations. I feel it is always best to learn the generic, standardized protocols before branching out into proprietary protocols.

    Check out these books from your library, or buy them. Used or new doesn't really matter all that much, as the basic protocols have not changed much in the past 15 years or so.

    1. O'Reilly - Ethernet: The Definitive Guide
    2. O'Reilly - Internet Core Protocols: The Definitive Guide
    3. O'Reilly - TCP/IP Network Administration
    4. O'Reilly - Building Internet Firewalls

    That will get you started. Then, you might want to know something about other types of networks:

    5. O'Reilly - 802.11 Wireless Networks: The Definitive Guide
    6. O'Reilly - T1: A Survival Guide

    With those six books, you'll have a solid grounding in how networks network, and how internetworks internetwork. Once you have that, you'll have a pretty good idea of how to screw up a network. You'll also have a pretty good idea of what more advanced topics you'd like to know more about.

    One old book that is out of print and difficult to find that I highly recommend is Inside AppleTalk, 2nd. Edition, from Addison-Wesley. It's the definitive book for AppleTalk, and you might want to know about AppleTalk, even though it is falling out of favor.

  22. Another way: play packet WTF by dubl-u · · Score: 2, Insightful

    Another great way to learn about your network is to install a packet sniffer like Ethereal. Capture some packets, pick a random one, and try to figure out what the hell it's for.

    For the advanced version of the game, do something specific (bring a DHCP machine up; do an FTP transfer; surf a web site) and write down what you think goes on on the network. Then capture the packets and see how close you can get.

    By learning what a network looks like when it's working normally, you'll have a much better chance of figuring out problems when they happen.
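
The "pick a packet and work out what it is for" exercise above can also be done by hand on raw bytes. This added example (not part of the original post) decodes an Ethernet II frame far enough to name ARP requests and DHCP traffic; the two frames are constructed in the code, with made-up MAC and IP addresses and unset checksums.

```python
import socket
import struct

ETHERTYPES = {0x0800: "IPv4", 0x0806: "ARP", 0x86DD: "IPv6"}
IP_PROTOS = {1: "ICMP", 6: "TCP", 17: "UDP"}
UDP_HINTS = {(68, 67): "DHCP client to server", (67, 68): "DHCP server to client"}

def mac(raw):
    return ":".join(f"{b:02x}" for b in raw)

def describe(frame):
    """Return a one-line guess at what an Ethernet II frame is for."""
    if len(frame) < 14:
        return "truncated frame"
    dst, src, etype = struct.unpack("!6s6sH", frame[:14])
    body = frame[14:]
    head = f"{mac(src)} -> {mac(dst)} {ETHERTYPES.get(etype, hex(etype))}"
    if etype == 0x0806 and len(body) >= 28:
        # ARP: hw type, proto type, lengths, opcode, sender/target MAC+IP
        _, _, _, _, op, sha, spa, _, tpa = struct.unpack("!HHBBH6s4s6s4s", body[:28])
        spa, tpa = socket.inet_ntoa(spa), socket.inet_ntoa(tpa)
        if op == 1:
            return f"{head}: who has {tpa}? tell {spa}"
        return f"{head}: {spa} is at {mac(sha)}"
    if etype == 0x0800 and len(body) >= 20:
        ihl = (body[0] & 0x0F) * 4          # IPv4 header length in bytes
        proto = body[9]
        s_ip = socket.inet_ntoa(body[12:16])
        d_ip = socket.inet_ntoa(body[16:20])
        name = IP_PROTOS.get(proto, f"proto {proto}")
        if proto in (6, 17) and len(body) >= ihl + 4:
            sport, dport = struct.unpack("!HH", body[ihl:ihl + 4])
            hint = UDP_HINTS.get((sport, dport)) if proto == 17 else None
            tail = f" ({hint})" if hint else ""
            return f"{head} {name} {s_ip}:{sport} -> {d_ip}:{dport}{tail}"
        return f"{head} {name} {s_ip} -> {d_ip}"
    return head

# Constructed frames: a locally administered client MAC and broadcast destination.
CLIENT = bytes.fromhex("02000000000a")
BCAST = b"\xff" * 6

ARP_REQUEST = (
    BCAST + CLIENT + struct.pack("!H", 0x0806)
    + struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1)
    + CLIENT + socket.inet_aton("192.168.0.10")
    + bytes(6) + socket.inet_aton("192.168.0.1")
)

DHCP_DISCOVER_HEADERS = (
    BCAST + CLIENT + struct.pack("!H", 0x0800)
    + struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, 17, 0,
                  socket.inet_aton("0.0.0.0"), socket.inet_aton("255.255.255.255"))
    + struct.pack("!HHHH", 68, 67, 8, 0)   # UDP header only, no DHCP payload
)

if __name__ == "__main__":
    print(describe(ARP_REQUEST))
    print(describe(DHCP_DISCOVER_HEADERS))
```
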

  23. Staple your cables by Phreakiture · · Score: 2, Interesting

    Just as simple as that.... In stapling up your cables to walls, joists, studs or whatever, drive a staple through the cable.

    I did that at least two times while setting up my home network. The first one shorted out a pair, and the cable was fine as soon as I removed the staple. The second one apparently severed a conductor, but then bridged it. That cable worked just fine until I removed the staple.

    Needless to say, I have since acquired a cable-safe staple gun. It has a wire guide on its tip (you straddle the cable with the guide and it keeps the cable out of the way of the outcoming staple) and it uses rounded staples.

    --
    www.wavefront-av.com