Pole Vaulting Firewalls (Part 2)
If you’re here, you must’ve liked Part 1, or you like me (idk why, but WIN WIN).
And you want to know what changed (the title doesn’t help the whole suspense thing, does it?).
So… the rules changed: the firewall was a Fortinet now, and the Fair Usage Policies changed too.
Each user got credentials, with no data cap per day or even per month, but download and upload speed (bandwidth, for nerds) was capped at 1 Mbps, not to mention the network quality dropped harder than my grades that semester.
1024 kbps / 8 gives you your data transfer rate, so basically when you download or upload something, you’d see 100–128 KBps in your client (browsers, downloaders, etc.). God lies in the details (of your broadband plan brochure).
If you are here, I assume you know how this works, but if you don’t, let me enlighten you.
*The Author will now go on and on about an issue that affects him deeply*
Assuming you buy a broadband service for 1 Mbps download speed and 512 kbps upload (generally in that ratio, but the upload case is often ignored), 1 Mbps is 1 megabit per second. File storage systems like Bytes more than bits (this is why), so a “1 mb” file (casual talk) is actually a 1 MB file, i.e. a 1 megabyte file, which equals 8 megabits, as 1 Byte has 8 bits. So when you download a 1 MB file on a 1 Mbps connection, you are downloading 8192 kb (kilobits) at 1024 kb per second; it takes 8 seconds and not 1 second.
*The Author, content with himself, returns to topic, after point being made*
So, the rules changed: 1 Mbps upload and download per account. The username was your university roll number, though, and the initial password was ‘student’ or ‘teacher’ depending on what you were. Nobody bothered to change them; if your account was already logged in, you just tried another roll number with ‘student’. Not really a breakthrough unless you bypass the bandwidth cap, which, unknowingly, everybody was bypassing daily by logging into another random account on their phones and other devices.
Re-reading the problem, I researched how bandwidth throttling and traffic shaping worked, and the research drove me right into a dead end named TOKEN BUCKET.
But again, in the problem lay the solution.
I realized it was 1 Mbps per user: my laptop gets 1 Mbps; log in with another account on my phone, and it gets another 1 Mbps. Now, how to fool the network into thinking that I have more machines?
Virtual Machines to the rescue. Again.
With bridged adapters.
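The token bucket that research ran into is the usual way a per-user cap like this one is enforced: each authenticated account gets its own bucket that refills at 1 Mbps, so sixteen logins are sixteen independent buckets. The constructed model below is added here (not the author’s code or any vendor’s shaper); it reproduces the 8-second figure from above and shows the aggregate scaling with the number of accounts, not machines.

```python
"""Per-account token-bucket shaper: a constructed model added for illustration,
not the author's code or any firewall vendor's implementation.
Rates, MTU and file size are constructed for the example."""
from dataclasses import dataclass


@dataclass
class TokenBucket:
    """Classic token bucket: tokens (bytes) accrue at `rate` bytes/s up to `burst`."""
    rate: float            # bytes per second
    burst: int             # capacity in bytes; the bucket starts full
    tokens: float = 0.0
    last_ms: int = 0

    def __post_init__(self) -> None:
        self.tokens = float(self.burst)

    def try_send(self, nbytes: int, now_ms: int) -> bool:
        # Refill for the elapsed time, then spend tokens only if the whole packet fits.
        elapsed_ms = now_ms - self.last_ms
        self.tokens = min(self.burst, self.tokens + elapsed_ms * self.rate / 1000)
        self.last_ms = now_ms
        if self.tokens >= nbytes:
            self.tokens -= nbytes
            return True
        return False


def transfer_time_ms(total_bytes: int, accounts: int,
                     rate_bps: int = 1_000_000, mtu: int = 1500) -> int:
    """Milliseconds to move `total_bytes` when each of `accounts` logins has its own
    bucket of `rate_bps` (a per-user shaper); packets are spread round-robin."""
    buckets = [TokenBucket(rate=rate_bps / 8, burst=mtu) for _ in range(accounts)]
    remaining, now_ms = total_bytes, 0
    while remaining > 0:
        for bucket in buckets:
            pkt = min(mtu, remaining)
            if pkt and bucket.try_send(pkt, now_ms):
                remaining -= pkt
        now_ms += 1          # simulate in 1 ms ticks
    return now_ms


if __name__ == "__main__":
    one_mib = 1024 * 1024    # the "1 MB file" from the post
    for n in (1, 16):
        print(f"{n:2d} account(s): {transfer_time_ms(one_mib, n) / 1000:.3f} s")
```

For whoever runs such a shaper, the point is that it bounds whatever identity it keys on: per-account buckets bound each login, not the person holding sixteen of them.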
The obvious concern here is hardware limitations. If you remember, in Part 1 I used a 1 GB virtual machine and described it as a bare-minimum spec.
Assume I wanted to get 16 Mbps: I’d need 16 such virtual machines, and also 16 GB of RAM that I could spare just for the VMs, right?
TC (Tiny Core) Linux.
One node running TC Linux could get by on 128 MB of RAM.
128 × 16 = 2 GB RAM, a.k.a. very much feasible.
The distro (nerd lingo for a *nix distribution) had no persistence; in normal language, that meant you boot it up, write a file, reboot, no file. Anything you wanted to preserve, you tell it about specifically. Here’s a howto on that. This was helpful, as I was running 16 VMs on a laptop, and a laptop HDD is generally 5400–7200 RPM, which means I would’ve had an IOPS bottleneck as well if I had somehow managed to fit 16 Ubuntu or Windows virtual machines.
So, I started 16 VMs in VMware Workstation, opened a browser, logged in with a random account on the Fortinet gateway and ran a speed test website that took long enough for me to do this on all 16 VMs. Opened Task Manager on my host machine and voilà, 16 Mbps.
But how to use it?
One use case was to download 16 files together, but that’s just stupid.
I used IDM, and if you’ve used it, you know it is a multi-threaded downloader.
What that means is that if you download a 1 GB file and select 16 threads, IDM will run 16 parallel threads, download the file in 16 (almost) equal parts, and concatenate them upon completion for you.
There are a couple of reasons to do all that, but in my case each thread was going to use a different VM’s 1 Mbps connection, giving me an effective throughput of 16 Mbps. So I created a host-only adapter for the network of 16 VMs and my host machine. Each VM had a bridged adapter and a host-only adapter: the host-only adapter for easier management and access, and the bridged adapter to get internet access. The reason to use bridged rather than NAT is that a bridged VM gets recognized as another machine on the network, and hence it can authenticate and take up 1 Mbps individually instead of sharing the host’s connection.
I ran an HAProxy load balancer on one of the nodes and called it the master; it connected to 16 slaves, including itself, as backend nodes. Applications like IDM running on my host made the source connection, using the master node as just another SOCKS5 proxy. Each request on this source connection went to one of the 16 nodes in round-robin order.
The PoC worked fine. But it meant logging in on 16 VMs; connection drops meant logging in again, and each login meant trying random roll numbers until an unoccupied roll number was found.
Did I mention I was learning Python (3.4)? This is the marvel I created at that time. I won’t clean it up, because I am lazy and because everybody starts somewhere, and this was my ‘somewhere’. I’ll be brief about the code, though.
Rather than doing the keyboard-and-mouse thing again, I learnt about web requests, authorization tokens and sessions. I captured one authentication session using Fiddler and automated it in Python using the requests module. So this code uses each of the 16 VMs’ SOCKS proxies and runs the authentication flow for all VMs in separate threads, while handling cases like network drops, account already logged in, etc.
So there you have it: 16 Mbps to download, and 1 Mbps on the host dedicated to YouTube, etc. Facebook couldn’t use this connection, as cookies and tokens needed sticky sessions to particular machines, which I prohibited in the HAProxy config to keep it performance-oriented. Streaming over 16 threads would have meant rewriting the protocol (to download chunks in succession using different threads in parallel), so I just downloaded YouTube videos at 16 Mbps instead. (G for Genius)
A year later, the network admins gave up, the bandwidth throttle was removed, and I was the only sad kid on the whole campus that day.
But by then I had other stuff to do. There’s always something to automate in your life. For me, it was keeping track of the TV shows I watched and finding out when which episode would be released.
Story for another time.