22

Routing and analysis of http behaviour with wireshark makes so much joy and fun.

Wanna get even more fun?

Add DNS. Add loadbalancers.

Loadbalancers?

Hell Yeah!

VLAN X has it's own router and domain overrides to give a service a seperate IP pointing to a loadbalancer inside the VLAN X.

loadbalancer in VLAN X then has additional routes to point to loadbalancer in VLAN Y.

Which might then point to the service in VLAN Y or... point to another loadbalancer in VLAN Z.

I'm always amazed what a human mind can create....

If you think that's insane, then add HTTP keepalive and persistent connections.

I just love people who have no idea what they're doing but are able to create a clusterfuck of brainfuck....

Comments
  • 2
    Some sort of makeshift high availability setup?
  • 6
    @N00bPancakes I wish...

    They just wanted to avoid routing.

    So they use DNS and loadbalancers as an... "router replacement"....
  • 3
    @IntrusionCM Ban them from life.
  • 1
  • 3
    @N00bPancakes Yeah...

    We haven't come to the part of the "Why" yet.

    It took around 3 hours to explain to me the "How"...

    I think I understood it after half an hour but my brain didn't want to process it ^^
  • 5
    @IntrusionCM

    So back in the day I used to do networking as a career. I worked closely with our team that supported load balances.

    Almost inevitably every fuck up load balance wise was because some folks whose competency was as a developer (and I'm sure they were fine at that... I hope) just threw routes at shit until it worked. There was almost no underlying rhyme or reason anyone could ever come up with.

    Literally they'd have physical equipment they routed around and they weren't aware of it until something else went down and they wondered why that other thing didn't take the traffic...
  • 1
    @N00bPancakes Yeah...

    And I was wondering why the latencies seem to be troublesome "randomly"
  • 0
    That's some bone hurting juice.
  • 1
    Ho Li Shit o.O
  • 0
    Perhaps you are missing the big picture. I have the same exact setup, but I work from the higher level down. Some db services talk to some internet hosted services via an application server, which is in a cluster. So the traffic crosses 3 vlans to get to the internet. There are many such intermediate application services - some talk to each other through their specific loadbalancers. If I were to examine this traffic bottom-up, I'd probably end up in an asylum.
  • 0
    @AtuM Nah...

    *scratches head*

    Don't continue reading except you want to hurt self.

    They've "tried" to establish a seperation / firewalling. But were (not my words) "afraid the router couldn't handle the traffic".

    Instead they "segregated" not via routing on a central firewall / route, but rather utilized loadbalancer's and DNS for it.

    You've got service "elastic.local" (fictional).

    You've got an environment "production", which is on it's own VLAN.

    Instead of an central router / fw, you've now an loadbalancer in "production".

    And an DNS server in "production".

    DNS server in "production" makes sure that "elastic.local" points to an loadbalancer inside "production".

    This loadbalancer has the additional routes to traverse to another VLAN.

    In this VLAN you've got the same shitty setup - "elastic.local" points to another loadbalancer, but now with an IP address from the different VLAN.

    (the VLAN from "production" points directly to the other loadbalancer in the other VLAN...)
  • 0
    and yeah.

    the loadbalancer has ACLs based on IP addresses / DNS.

    I'm so happy that I'll only need to advise it to burn it down till there's no atom left.

    But really... Madness. Sheer utter madness.
  • 1
    @IntrusionCM Well... some good experience you will get (Yoda voice). Obfuscation may be the way to go if you do not buy some good firewall. Imagine a hacker to make sense of it all.
Add Comment