Network Engineer

Welcome to my little blog. I am mostly techie over here, blogging about networking and system administration topics, but there will also be some Travel Reports from time to time…

ExaBGP 4.0 getting started

On May 31, 2016, by Christian Kildau, 0 Comments

Welcome back to my little tech blog. It’s been a few years since I last posted here.. 🙂

I’ve been playing around a lot with several DDoS mitigation techniques, be it in-house or as a service, and used many BGP implementations like classic Cisco IOS, Cisco IOS-XR(v), Bird and ExaBGP.

ExaBGP is a nice little BGP route injector for things like source/destination RTBH (remotely triggered blackholing) and injecting FlowSpec rules.

As I’ve had some starting issues with ExaBGP I thought I’d share just a very basic config to save others some time and will probably share some more complex examples later.

I switched from 3.4 to 4.0 (tracking master) already, so this post will get you started with ExaBGP 4.0 only. 4.0 is still under heavy development and has some issues as of the time of writing, but all in all it does what I need. The syntax might still change though.

Examples are available at but these are just snippets and I did not find them to be very well updated when syntax changes occurred.

To get ExaBGP running I just used a basic CentOS 7 installation:

git clone
git checkout master

My basic config looks like (place it in ./exabgp/etc/exabgp/exabgp.conf):

# Control pipe: socat hands everything written to the FIFO to ExaBGP as a command
process announce-routes {
    run /usr/bin/socat stdout pipe:/var/run/exabgp.cmd;
    encoder json;
}

# IPv4 template
template INTERNET_EDGE_v4 {
    local-as 64496;
    peer-as 64496;
    hold-time 180;
    group-updates false;
    capability {
        graceful-restart 120;
    }
    family {
        ipv4 unicast;
        ipv4 flow;
    }
    api {
        processes [ announce-routes ];
    }
}

# IPv6 template
template INTERNET_EDGE_v6 {
    local-as 64496;
    peer-as 64496;
    hold-time 180;
    group-updates false;
    local-address 2001:DB8::;
    capability {
        graceful-restart 120;
    }
    family {
        ipv6 unicast;
        ipv6 flow;
    }
    api {
        processes [ announce-routes ];
    }
}

# Neighbours
# (the IPv4 peer addresses did not survive in this post; each "neighbor"
# below needs the router's address, as in the IPv6 block)

neighbor {
    inherit INTERNET_EDGE_v4;
    description "r1";
}
neighbor {
    inherit INTERNET_EDGE_v4;
    description "r2";
}
neighbor {
    inherit INTERNET_EDGE_v4;
    description "r3";
}

neighbor 2001:DB8::101 {
    inherit INTERNET_EDGE_v6;
    description "r1";
}
neighbor 2001:DB8::102 {
    inherit INTERNET_EDGE_v6;
    description "r2";
}
neighbor 2001:DB8::103 {
    inherit INTERNET_EDGE_v6;
    description "r3";
}

To get ExaBGP started just run

./exabgp/sbin/exabgp ./exabgp/etc/exabgp/exabgp.conf

or in case you want to see debug output:

sudo env exabgp.daemon.daemonize=false ./exabgp/sbin/exabgp ./exabgp/etc/exabgp/exabgp.conf

Thomas Mangin (the author of ExaBGP) provides great support via Google Groups, the GitHub issue tracker and Gitter. So in case you encounter any issues, you will find support! Also, there’s a FAQ.
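The control pipe above is the whole API: whatever gets written to /var/run/exabgp.cmd is read by socat and passed to ExaBGP as a command. What follows is an added example, not code from the original post nor from the ExaBGP project: a small POSIX sh helper that builds the ExaBGP text-API commands for a destination RTBH announcement and a FlowSpec rate-limit, refuses anything that is not inside our own address space, and writes the command into the FIFO. The blackhole community 64496:666, the allowed prefixes (documentation ranges) and the discard next-hop 192.0.2.1 are made up for the example; the command syntax is ExaBGP’s text API as I know it, so check it against the version you run, since the post itself warns that syntax was still moving in 4.0.

```shell
#!/bin/sh
# Added example (not from the original post): build ExaBGP API commands for
# RTBH and FlowSpec, sanity-check the addresses, feed them to the socat FIFO.
# Assumptions: blackhole community 64496:666, our prefixes 192.0.2.0/24 and
# 198.51.100.0/24, discard next-hop 192.0.2.1 (routed to null0 on the edge).
set -f   # no pathname expansion: we split user input with "set --" below

PIPE=${EXABGP_PIPE:-/var/run/exabgp.cmd}
BLACKHOLE_COMMUNITY=${BLACKHOLE_COMMUNITY:-64496:666}
ALLOWED_PREFIXES=${ALLOWED_PREFIXES:-"192.0.2.0/24 198.51.100.0/24"}

# Four dotted-decimal octets, each 0-255, no leading zeros (pure POSIX sh).
is_ipv4() {
    _ifs=$IFS; IFS=.; set -- $1; IFS=$_ifs
    [ $# -eq 4 ] || return 1
    for _o in "$@"; do
        case $_o in ''|*[!0-9]*|0[0-9]*) return 1 ;; esac
        [ "$_o" -le 255 ] || return 1
    done
}

# Dotted quad -> 32-bit integer, for prefix comparison.
ip_to_int() {
    _ifs=$IFS; IFS=.; set -- $1; IFS=$_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_prefix IP NET/LEN: true when IP lies inside NET/LEN.
in_prefix() {
    _net=${2%/*}; _len=${2#*/}
    _mask=$(( (4294967295 << (32 - _len)) & 4294967295 ))
    [ $(( $(ip_to_int "$1") & _mask )) -eq $(( $(ip_to_int "$_net") & _mask )) ]
}

# Refuse to blackhole or rate-limit anything that is not our own address space:
# a typo here would otherwise drop someone else's traffic on every peer.
in_our_space() {
    is_ipv4 "$1" || return 1
    for _p in $ALLOWED_PREFIXES; do
        in_prefix "$1" "$_p" && return 0
    done
    echo "refusing $1: not inside $ALLOWED_PREFIXES" >&2
    return 1
}

# Destination RTBH: VICTIM/32 with the discard next-hop and the community
# the edge routers match on. Output is one ExaBGP API command line.
rtbh_announce() {   # VICTIM NEXTHOP
    in_our_space "$1" && is_ipv4 "$2" || return 1
    printf 'announce route %s/32 next-hop %s community [%s]\n' "$1" "$2" "$BLACKHOLE_COMMUNITY"
}
rtbh_withdraw() {   # VICTIM NEXTHOP
    in_our_space "$1" && is_ipv4 "$2" || return 1
    printf 'withdraw route %s/32 next-hop %s community [%s]\n' "$1" "$2" "$BLACKHOLE_COMMUNITY"
}

# FlowSpec: rate-limit UDP towards VICTIM:PORT to BPS bytes/second instead of
# blackholing the whole host (typical for a DNS/NTP reflection flood).
flow_ratelimit() {   # VICTIM PORT BPS
    in_our_space "$1" || return 1
    printf 'announce flow route { match { destination %s/32; protocol udp; destination-port =%s; } then { rate-limit %s; } }\n' "$1" "$2" "$3"
}

# Write one command into the FIFO that socat feeds to ExaBGP. The write blocks
# until socat reads it, so make sure the FIFO exists and ExaBGP is running.
send_cmd() {
    [ -p "$PIPE" ] || { echo "no FIFO at $PIPE (mkfifo it, mode 0600, owned by the exabgp user)" >&2; return 1; }
    printf '%s\n' "$1" > "$PIPE"
}

# Usage, as the user ExaBGP runs as:
#   send_cmd "$(rtbh_announce 192.0.2.10 192.0.2.1)"
#   send_cmd "$(flow_ratelimit 192.0.2.10 53 9600)"
#   send_cmd "$(rtbh_withdraw 192.0.2.10 192.0.2.1)"
```

Two things worth keeping in mind with this setup: anything that can write to /var/run/exabgp.cmd can announce or withdraw routes and FlowSpec rules on all your edge routers, so create the FIFO with mkfifo, keep it mode 0600 and owned by the ExaBGP user, and treat the box like the router it effectively is. And since these sessions can drop traffic on your edge, protect them like any other iBGP session (ExaBGP supports md5-password on the neighbor).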

How To disable Time Machine’s MobileBackup

On July 24, 2011, by Christian Kildau, 4 Comments

Starting with Lion I noticed that Time Machine is running even when my Time Capsule is not available. I also noticed that Finder shows a different amount of used disk space than df. My MacBook Pro’s SSD also got somewhat slow. Turned out it’s Time Machine’s MobileBackup function.

If you want to disable MobileBackup and free up the abused disk space, simply run the following command and reboot.

sudo tmutil disablelocal

How to fix SSH UTF-8 issues in Mac OS X Lion

On July 24, 2011, by Christian Kildau, 2 Comments

After upgrading from Snow Leopard to Lion, ssh connections to remote servers from iTerm2 have issues with non-ASCII characters.

Luckily that’s easy to fix. Simply comment out SendEnv LANG LC_* in /etc/ssh_config:

Host *
 # SendEnv LANG LC_*
 # ForwardAgent no
 # ForwardX11 no

No other changes are needed. You could also permanently set your locale to UTF-8:
just place export LANG=en_US.UTF-8 in your shell’s startup file.

How to activate Serial Console on Debian Squeeze

On July 6, 2011, by Christian Kildau, 5 Comments

Activating a serial console, starting at the bootloader all the way up to a tty login, requires just a few steps, but it took me some time to figure out all the knobs. Here’s how to do it with Debian Squeeze:

To make configuration changes persistent in Debian you must not edit /boot/grub/grub.cfg directly; edit or add the appropriate lines in /etc/default/grub instead:

GRUB_CMDLINE_LINUX_DEFAULT="console=tty0 console=ttyS0,9600n8"
GRUB_SERIAL_COMMAND="serial --speed=9600 --unit=0 --word=8 --parity=no --stop=1"

Now run update-grub and the next time you boot you’ll get the bootloader and all kernel and init messages on your serial console (with ttyS0 listed last, the kernel also uses it as /dev/console). If the GRUB menu itself stays on VGA only, also set GRUB_TERMINAL="console serial" in /etc/default/grub; GRUB’s scripts only emit GRUB_SERIAL_COMMAND when GRUB_TERMINAL includes serial.

To get a login prompt on serial you need to add a getty for ttyS0 to /etc/inittab (the last two lines below; the tty1 to tty6 entries are already there):

1:2345:respawn:/sbin/getty 38400 tty1
2:23:respawn:/sbin/getty 38400 tty2
3:23:respawn:/sbin/getty 38400 tty3
4:23:respawn:/sbin/getty 38400 tty4
5:23:respawn:/sbin/getty 38400 tty5
6:23:respawn:/sbin/getty 38400 tty6
# Serial console
s0:2345:respawn:/sbin/getty -L 9600 ttyS0 vt102

That’s it. Run init q to make init reread inittab and spawn the serial getty, or simply reboot.

Intel 320 Series vs. OCZ Vertex 2 (vs. Apple)

On April 29, 2011, by Christian Kildau, 8 Comments

Actually this post should be called NO OCZ NO or something like that…

I already wrote about the OCZ Vertex 2 E once or twice with somewhat mixed feelings.
Now after 6 months with the first one, and 3 months with the second one, I wouldn’t recommend buying any of these again. Well, at least not if you’re using Apple.

60Gb OCZ Vertex 2 E in my Mac Mini (6 Months old):

  • huge loss in performance (maybe due to the lack of TRIM in OSX?)
  • sometimes the mini won’t fall asleep or just wakes up again

120Gb OCZ Vertex 2 E in my MacBook Pro (10 weeks old):

  • performance is still good
  • suspend2disk doesn’t work. Known bug. OSX will crash. OCZ promised to fix it – but didn’t!
  • sleep and direct wake-up results in the SSD not being recognized for ~10 minutes!!! No booting possible!

Most of the issues with OCZ’s SSDs seem to be sleep/hibernate related and from what I’ve heard do mostly affect Apple products, but their crappy support prevents me from buying any of their products again. They promised to release a firmware upgrade which fixes suspend2disk, but they did not. They closed the thread in their forums and don’t even respond to requests via eMail. But hey! At least they release the OCZ Vertex 3 – so you possibly get all these bugs fixed for just 180€!

All these issues and their non-responding support made me replace the Vertex with the new Intel 320 Series SSD. It might be slower according to the specs, but performance isn’t everything.

Which leads me to the next part of this post…

The Intel 320 120Gb SSD! I installed this one in my MacBook Pro last week and what shall I say? After one week everything is great. I’m not talking about pure performance. I didn’t notice any difference in real-life performance, but just in case… here is a simple sequential performance check:

OCZ Vertex 2 E 120Gb:

homer:~ $ dd if=/dev/zero of=10000M.img bs=1024 count=10000000
10000000+0 records in
10000000+0 records out
10240000000 bytes transferred in 82.815477 secs (123648385 bytes/sec)
homer:~ $ dd if=10000M.img of=/dev/null
20000000+0 records in
20000000+0 records out
10240000000 bytes transferred in 47.731347 secs (214534068 bytes/sec)

Intel 320 Series 120Gb:

homer:~ mrkofee$ dd if=/dev/zero of=10000M.img bs=1024 count=10000000
10000000+0 records in
10000000+0 records out
10240000000 bytes transferred in 108.879939 secs (94048546 bytes/sec)
homer:~ mrkofee$ dd if=file.img of=/dev/null
20000000+0 records in
20000000+0 records out
10240000000 bytes transferred in 47.695655 secs (214694610 bytes/sec)

The Intel is a tad slower in pure sequential write performance, which is a bit disappointing considering it’s one generation newer than the Vertex 2… But, now to the important stuff

  • Suspend2Disk: works
  • Closing and directly opening the MBP: works
  • Support: Well… it’s Intel. I don’t expect it to be any better than OCZ’s.
  • The good feeling of reliability: works

I haven’t received any negative reports from friends about the Intel X25-M  (the 320 Series predecessor) nor have I found much on the Interwebs… so I’m much happier with the Intel now…

How to Check services and restart using Monit

On March 27, 2011, by Christian Kildau, 1 Comment

I have a monitoring service (Zabbix) which dies every few weeks because its MySQL tables were locked for too long during a backup… Annoying, mostly because it’s then dead unnoticed for more than just a few minutes. So, how do you monitor a monitoring service? Or simply: how do you restart any service that has just gone away, in a simple way?

I recently came across monit. They state it’s up and running in just 15 minutes. I got it done faster:

# Daemonize and check every 2mins.
set daemon  120

# Mail settings, in case you want to receive notifications
set mailserver
set mail-format { from: }
set alert

# The first check
check process zabbix_server with pidfile /var/run/zabbix/
        start program = "/etc/init.d/zabbix-server start"
        stop program = "/etc/init.d/zabbix-server stop"
        group server

You can also monitor network availability, application availability, file permissions and system utilization…
I think this tool is really great for a small network, though I don’t think it would scale that well. Just give it a try.

How to OpenBSD with Huawei E1750 UMTS

On March 21, 2011, by Christian Kildau, 0 Comments

Getting my OpenBSD (4.8) box to talk to a Huawei E1750 USB UMTS stick as a backup uplink turned out to be not very straightforward, so in case you are in a similar situation…

Have a look at man umsm to see which devices are supported by OpenBSD.

The UMTS (USB)-Sticks are registered as /dev/cuaUX, where X is the number of your device… You’ll need userland pppd to connect. Place your peer configuration in /etc/ppp/peers/o2 for example:

connect /etc/ppp/connect.o2
disconnect /etc/ppp/disconnect.o2
#: because is the alias for my DSL default gateway

You’ll also need Chat scripts to connect and disconnect the connection. Note that you’ll need to at least adjust /etc/ppp/connect.o2 to suit your provider:

#!/bin/sh
# chat takes expect/send pairs; the leading '' means "expect nothing, then send at".
# If your SIM is PIN protected, add   at+cpin=**** OK   after the atz line
# (replace **** with your PIN), and put your provider's APN into the CGDCONT line.
chat -vs '' \
  at OK \
  atz OK \
  'AT+CGDCONT=1,"IP",""' OK \
  'atdt*99***1#' CONNECT

And /etc/ppp/disconnect.o2 looks like:

#!/bin/sh
# \K is chat's escape for a BREAK (the backslash was lost in this post's markup)
chat -vs '\K' '' '+++ATH'

Now make sure ppp0 is initialized on startup…

touch /etc/hostname.ppp0
sh /etc/netstart ppp0

… and to connect simply run pppd call o2 and pkill pppd to disconnect. Run ifconfig ppp0 to see if your connection is up and running:

ppp0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1500
        priority: 0
        groups: ppp egress
        inet --> netmask 0xfffffffc

Next post will be about auto fail-over between this and my regular DSL connection.

OpenVPN over TCP is BAD

On March 17, 2011, by Christian Kildau, 3 Comments

I use OpenVPN in a road-warrior setup over often slow and unreliable wireless connections. That on it’s own makes using interactive applications pretty hard.

But if you additionally run OpenVPN in TCP mode over such links, things get worse. TCP guarantees delivery: the receiver acknowledges every segment and the sender retransmits whatever is not acknowledged in time. With OpenVPN over TCP your application’s TCP session is encapsulated in the VPN’s own TCP session, so both layers run their own ACKs and retransmission timers, and a single lost packet on the link can trigger retransmissions at both levels.

Now I switched the VPN session to UDP: if the link starts to lose packets, the VPN does too, but the application’s TCP session takes care of retransmitting them. All in all everything feels much faster, at least on a crappy 3G connection.

See this link for a more detailed explanation.

How to Upgrade to Xcode4 (or uninstall Xcode3)

On March 12, 2011, by Christian Kildau, 12 Comments

I recently bought Xcode 4 on the Mac App Store and thereby thought I’d upgrade. Nope. Xcode 3 is moved to ‘/Developer-old’, but kept. No big deal actually, except when your OS disk is only 60Gb. The new Xcode 4 uses almost 10Gb plus 5Gb for Xcode 3. So if you don’t need Xcode 3 anymore, just run:

sudo /Developer-old/Library/uninstall-devtools --mode=all

This removes all Xcode3 files, freeing up about 5Gb of space.

How to Create your own ‘DynDNS’ Service

On February 27, 2011, by Christian Kildau, 2 Comments

First off: this is not DynDNS as you might know it from the commercial service. You can’t use clients like ddclient. I’m using DNSSEC and ‘nsupdate’. You’ll need to be familiar with Bind and some shell scripting… Also I only got this working on *nix and I don’t have any intention to try it on Windows.

Let’s start with what you have to do on your client:

$ dnssec-keygen -a HMAC-MD5 -b 512 -n USER -r /dev/urandom

Now copy (your pubkey) to your server’s configdir (in case of Debian: /etc/bind) and define it as follows:

key {
        algorithm HMAC-MD5;
        secret "<put key from here>";
};
zone "" {
        type master;
        file "master/";
        allow-update { key; };
};

This allows everyone with the key to update the entire zone ‘’. Restricting a key to a single name is possible with BIND’s update-policy statement; I leave that to you. Back to your client: since we can’t use ddclient or similar clients, I wrote my own small script:

#!/bin/sh
dir=$(dirname "$0")
old_ip=$(cat "$dir/ip_cur.txt" 2>/dev/null)
# current address of pppoe0 (the pattern for grep -v, which excluded the
# DSL gateway's address, did not survive in this post)
new_ip=$(ifconfig pppoe0 | grep -E 'inet.[0-9]' |
       grep -v '' | awk '{ print $2 }')

# quoting matters: on the first run ip_cur.txt does not exist and $old_ip is empty
if [ "$old_ip" != "$new_ip" ]; then
  echo "$new_ip" >> "$dir/ip_log.txt"
  # nsupdate instructions (zone and host names were lost in this post; fill them in)
  printf 'server <yourserver>\nzone \nupdate delete  A\nupdate add  60 A %s\nsend\n' "$new_ip" \
    > "$dir/ip_nsupdate_instructions.txt"
  nsupdate -k "$dir/" \
    "$dir/ip_nsupdate_instructions.txt" || exit 1
  echo "$new_ip" > "$dir/ip_cur.txt"
fi
My script gets the current IP address of pppoe0, compares it to the one from its previous run and executes ‘nsupdate’ if they mismatch. ‘nsupdate’ takes its commands from a file named on the command line (it also reads them from stdin when no file is given), which is why the script writes them out first. If ‘nsupdate’ fails (due to connection issues or something like that) my script exits. If the update was successful it writes the current IP into ip_cur.txt, so the script only executes ‘nsupdate’ on an IP address change and not every time you run it. Add my script to crontab to run it once a minute or so…

* * * * *
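The same update written as an added example (my code, not the post’s script and not part of BIND): it validates what it read from ifconfig before sending it anywhere, pipes the instructions straight into nsupdate on stdin, and records the new address only after the server accepted the update, so a refused or failed update is retried on the next cron run. The key file generated by dnssec-keygen is a TSIG key despite the tool’s name; newer BIND releases also ship tsig-keygen, which defaults to hmac-sha256 instead of HMAC-MD5. The server, zone, host and key-file names are made up for the example, and the nsupdate binary is overridable so the change-detection logic can be exercised without a DNS server.

```shell
#!/bin/sh
# Added example (not the post's script): nsupdate-based dynamic DNS client
# with input validation and a state file that is only written on success.
# Assumed names: ns1.example.org, zone dyn.example.org, host home.dyn.example.org,
# key file /var/db/dyndns/Khome.+163+12345.private, interface pppoe0.

SERVER=${SERVER:-ns1.example.org}
ZONE=${ZONE:-dyn.example.org}
NAME=${NAME:-home.dyn.example.org}
TTL=${TTL:-60}
IFACE=${IFACE:-pppoe0}
NSUPDATE=${NSUPDATE:-nsupdate}   # overridable so the logic can be tested offline

# Syntactic IPv4 check: four dotted groups of 1-3 digits. Anything else that
# came out of ifconfig (an interface that is down prints no inet line) is rejected.
looks_like_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# First IPv4 address on the interface: the local side of the inet line.
current_ip() {
    ifconfig "$1" | awk '/inet [0-9]/ { print $2; exit }'
}

# The nsupdate transaction. Delete and re-add are sent inside one "send",
# so the server applies both atomically and the name is never without a record.
nsupdate_script() {   # NEW_IP
    printf 'server %s\nzone %s\nupdate delete %s A\nupdate add %s %s A %s\nsend\n' \
        "$SERVER" "$ZONE" "$NAME" "$NAME" "$TTL" "$1"
}

# update_if_changed NEW_IP STATEFILE KEYFILE
#   returns 0 on success or when nothing changed, 1 when the address is
#   garbage or the server refused the update (state file is left untouched).
update_if_changed() {
    _new=$1; _state=$2; _key=$3
    looks_like_ipv4 "$_new" || { echo "not an IPv4 address: '$_new'" >&2; return 1; }
    _old=$(cat "$_state" 2>/dev/null)   # empty on the very first run
    [ "$_old" = "$_new" ] && return 0
    nsupdate_script "$_new" | "$NSUPDATE" -k "$_key" || return 1
    printf '%s\n' "$_new" > "$_state"
    printf '%s %s\n' "$(date +%Y-%m-%dT%H:%M:%S)" "$_new" >> "${_state%.*}.log"
}

# Cron entry (every minute), assuming the script is /usr/local/sbin/dyndns.sh
# and ends with the call below:
#   * * * * * /usr/local/sbin/dyndns.sh
#   update_if_changed "$(current_ip "$IFACE")" /var/db/dyndns/ip_cur.txt /var/db/dyndns/Khome.+163+12345.private
```

On the server side, replace allow-update with update-policy { grant <keyname> name home.dyn.example.org A; }; so that a leaked client key can only rewrite its own A record rather than the whole zone.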