
Hyper-V VM loses network connectivity intermittently

I just resolved an issue where a Hyper-V virtual machine was running fine for a few weeks, then it suddenly dropped off the network and connectivity went unpredictably intermittent.

Couldn’t remote desktop to it, and pings dropped most of the time but not all of the time; they looked like this:

Reply from 172.24.255.153: Destination host unreachable.
Reply from 172.24.255.153: Destination host unreachable.
Reply from 172.24.255.237: bytes=32 time=1098ms TTL=126
Reply from 172.24.255.237: bytes=32 time=1ms TTL=126
Reply from 172.24.255.153: Destination host unreachable.
Reply from 172.24.255.153: Destination host unreachable.
Reply from 172.24.255.153: Destination host unreachable.
Reply from 172.24.255.237: bytes=32 time<1ms TTL=126
Reply from 172.24.255.153: Destination host unreachable.
Reply from 172.24.255.153: Destination host unreachable.
Reply from 172.24.255.153: Destination host unreachable.
Reply from 172.24.255.237: bytes=32 time<1ms TTL=126
Reply from 172.24.255.237: bytes=32 time<1ms TTL=126

Live replies came from the correct address; the unreachable responses came from a different address (that of another Hyper-V virtual machine).

The Hyper-V environment is composed of five Windows Server 2012 R2 Standard servers loaded on top of a five-blade Cisco UCS B200 M3 with Nimble SAN.

Google found lots of wrong answers involving disabling VMQ on the host and guest, but my new hero Joel Coel mentioned some of his Hyper-V guests had been given duplicate MAC addresses.

Sure enough, I checked the guests with those two IP addresses and they had the same MAC:

These two Hyper-V guests have the same MAC address.

I solved the conflict by turning off the VM, removing the Network Adapter with the duplicate MAC, Applying the change, then adding a new NIC.

Technet’s Gilson Banin wrote about how to solve the root cause – Hyper-V servers with duplicate MAC pools.
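A way to check for both conditions described above, guests sharing a MAC address and hosts whose dynamic MAC pools overlap, as an added example that is not part of the original post. The function names Find-DuplicateMac and Find-OverlappingMacPool, the host names HV01/HV02 and the sample objects are constructed for illustration; the live commands in the closing comments use Get-VM, Get-VMNetworkAdapter and Get-VMHost from the Hyper-V PowerShell module.

```powershell
# Added example: find guests sharing a MAC and hosts whose dynamic MAC pools overlap.
function Find-DuplicateMac {
    param([Parameter(ValueFromPipeline = $true)] $Adapter)
    begin { $seen = @() }
    process {
        # Skip adapters with no MAC assigned yet (reported as all zeros).
        if ($Adapter.MacAddress -and $Adapter.MacAddress -notmatch '^0+$') { $seen += $Adapter }
    }
    end {
        $seen | Group-Object MacAddress | Where-Object { $_.Count -gt 1 } | ForEach-Object {
            $guests = ($_.Group | ForEach-Object { "$($_.ComputerName)\$($_.VMName)" }) -join ', '
            [pscustomobject]@{ MacAddress = $_.Name; Guests = $guests }
        }
    }
}

function Find-OverlappingMacPool {
    param([object[]] $VMHost)
    # Convert each host's pool bounds from 12-digit hex strings to integers.
    $pools = @($VMHost | ForEach-Object {
        [pscustomobject]@{ Name = $_.ComputerName; Min = [Convert]::ToInt64($_.MacAddressMinimum, 16); Max = [Convert]::ToInt64($_.MacAddressMaximum, 16) }
    })
    for ($i = 0; $i -lt $pools.Count; $i++) {
        for ($j = $i + 1; $j -lt $pools.Count; $j++) {
            # Two ranges overlap when each starts before the other ends.
            if ($pools[$i].Min -le $pools[$j].Max -and $pools[$j].Min -le $pools[$i].Max) {
                [pscustomobject]@{ HostA = $pools[$i].Name; HostB = $pools[$j].Name }
            }
        }
    }
}

# Constructed sample objects using the property names the Hyper-V cmdlets return.
$adapters = @(
    [pscustomobject]@{ ComputerName = 'HV01'; VMName = 'guest-a'; MacAddress = '00155D010A03' }
    [pscustomobject]@{ ComputerName = 'HV02'; VMName = 'guest-b'; MacAddress = '00155D010A03' }
    [pscustomobject]@{ ComputerName = 'HV02'; VMName = 'guest-c'; MacAddress = '00155D010A07' }
)
$vmHosts = @(
    [pscustomobject]@{ ComputerName = 'HV01'; MacAddressMinimum = '00155D010A00'; MacAddressMaximum = '00155D010AFF' }
    [pscustomobject]@{ ComputerName = 'HV02'; MacAddressMinimum = '00155D010A00'; MacAddressMaximum = '00155D010AFF' }
)
$adapters | Find-DuplicateMac
Find-OverlappingMacPool -VMHost $vmHosts
# Against live hosts (host names are placeholders):
#   Get-VM -ComputerName HV01,HV02 | Get-VMNetworkAdapter | Find-DuplicateMac
#   Find-OverlappingMacPool -VMHost (Get-VMHost -ComputerName HV01,HV02)
```

A pair reported by Find-OverlappingMacPool means new guests on those hosts can keep receiving colliding addresses even after an individual duplicate NIC has been replaced.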

InfoSec Handlers Diary Blog – Egress Filtering? What – do we have a bird problem?

Via InfoSec Handlers Diary Blog – Egress Filtering? What – do we have a bird problem?, a very good article on getting started in egress filtering.

One of the major tools that we have in our arsenal to control malware is outbound filtering at firewalls and other network “choke points”. Over the years, it’s become obvious that “enumerating badness” on the internet is next to impossible, it’s generally much easier to enumerate “known good” traffic, and simply deny the rest as bad or at least suspect. Often the management response is “we trust our people”, but that’s not really the point. While maybe you can trust all of your people, you can’t trust the malware they may have, or all the links they might click. But let’s be honest, it’s likely that you can’t trust all of your people to never install a bittorrent client or other higher-risk program.

When you know what legitimate traffic is leaving your organization, you can watch for the bad stuff.

And even beyond that, you want to know what legitimate traffic is leaving your organization, right?

Schneier on Security: Choosing Secure Passwords

Modern password crackers combine different words from their dictionaries:

What was remarkable about all three cracking sessions were the types of plains that got revealed. They included passcodes such as “k1araj0hns0n,” “Sh1a-labe0uf,” “Apr!l221973,” “Qbesancon321,” “DG091101%,” “@Yourmom69,” “ilovetofunot,” “windermere2313,” “tmdmmj17,” and “BandGeek2014.” Also included in the list: “all of the lights” (yes, spaces are allowed on many sites), “i hate hackers,” “allineedislove,” “ilovemySister31,” “iloveyousomuch,” “Philippians4:13,” “Philippians4:6-7,” and “qeadzcwrsfxv1331.” “gonefishing1125” was another password Steube saw appear on his computer screen. Seconds after it was cracked, he noted, “You won’t ever find it using brute force.”

This is why the oft-cited XKCD scheme for generating passwords — string together individual words like “correcthorsebatterystaple” — is no longer good advice. The password crackers are on to this trick.

The attacker will feed any personal information he has access to about the password creator into the password crackers. A good password cracker will test names and addresses from the address book, meaningful dates, and any other personal information it has. Postal codes are common appendages. If it can, the guesser will index the target hard drive and create a dictionary that includes every printable string, including deleted files. If you ever saved an e-mail with your password, or kept it in an obscure file somewhere, or if your program ever stored it in memory, this process will grab it. And it will speed the process of recovering your password.

via Schneier on Security: Choosing Secure Passwords.

Schneier then encourages random character passwords generated and tracked in an app like Password Safe or KeePass.

I agree with him generally, except that Windows passwords will still need to be something easy(ish) to type, and particularly, if it’s a password you’ll use on a touchscreen, like the Microsoft Surface or an iDevice, it will be more difficult to mix special characters into a password.

In those cases, a password with a mix of case, not following rules of grammar or predictable typos, is more likely to be used, remembered, and fairly secure.