Mike Chirico (mchirico@users.sourceforge.net) or (mchirico@comcast.net)
Copyright (c) 2005 (GNU Free Documentation License)
Last Updated: Thu Jun 16 13:13:49 EDT 2005
[http://souptonuts.sourceforge.net/tcpdump_tutorial.html]

DoS Attacks (SYN Flooding, Socket Exhaustion): tcpdump, iptables, and Rawsocket Tutorial

This tutorial walks you through generating DoS traffic on your own network so that you can analyze it with tcpdump, recognize it, and defend your systems against it.


Tcpdump

Typically you would execute tcpdump from the shell as root. Below is a simple example giving you the available interfaces.

     [root@closet ~]# tcpdump -D
     1.eth0
     2.eth1
     3.any (Pseudo-device that captures on all interfaces)
     4.lo

Lines 1 and 2 show that the computer named closet has two Ethernet cards. Line 3, any, is a pseudo-device that captures on all interfaces at once, and line 4, lo, is the loopback device. Compare this with the output below from the computer squeezel, which has a single Ethernet card configured with two IP addresses (the eth0:1 alias).

     [root@squeezel ~]# tcpdump -D
     1.eth0
     2.eth0:1
     3.any (Pseudo-device that captures on all interfaces)
     4.lo

A typical capture command looks like this:

     # tcpdump -i eth0 -nN -vvv -xX -s 1500 port not 22

The -i option selects the interface. -n tells tcpdump not to convert addresses and ports to names, and -N drops the domain part of any host name it does print. -vvv gives the most verbose decode (TTL, IP id, checksum verification, TCP options); -x prints each packet in hex and -X prints hex with the ASCII alongside, which is how the GET request becomes readable below. The -s option sets the snaplen, the number of bytes captured from each packet. If you leave it out, the default in this version of tcpdump is 68 bytes, enough for the headers but not the payload; 1500 captures a full Ethernet frame, and 0 means capture everything. The trailing expression, here "port not 22", is the capture filter. It can also be read from a file with -F, and it can be rather sophisticated. All of this must be done as root, since opening an interface for capture requires it.

Below is an example that displays all traffic from or to 192.168.1.81 that does not fall on port 22 (ssh traffic).

     $ tcpdump -i eth0 -nN -vvv -xX -s 1500 port not 22 and host 192.168.1.81

If you don't want to capture traffic continiously, limit the number of packets with the -c option. For example, the following command limits the number of packets to 40. A web query has been captured below.

     $ tcpdump -i eth0 -nN -vvv -xX -s 1500 port not 22 and host 192.168.1.81 -c 40

08:51:33.263011 IP (tos 0x0, ttl 128, id 5929, offset 0, flags [DF], proto 6, length: 48) 192.168.1.102.1151 > 192.168.1.81.http: S [tcp sum ok] 247540398:247540398(0) win 16384 <mss 1460,nop,nop,sackOK>
	0x0000:  0011 118a be3f 0006 5bbb d8b2 0800 4500  .....?..[.....E.
	0x0010:  0030 1729 4000 8006 5f97 c0a8 0166 c0a8  .0.)@..._....f..
	0x0020:  0151 047f 0050 0ec1 2aae 0000 0000 7002  .Q...P..*.....p.
	0x0030:  4000 80d9 0000 0204 05b4 0101 0402       @.............
08:51:33.263056 IP (tos 0x0, ttl  64, id 0, offset 0, flags [DF], proto 6, length: 48) 192.168.1.81.http > 192.168.1.102.1151: S [tcp sum ok] 3454586113:3454586113(0) ack 247540399 win 5840 <mss 1460,nop,nop,sackOK>
	0x0000:  0006 5bbb d8b2 0011 118a be3f 0800 4500  ..[........?..E.
	0x0010:  0030 0000 4000 4006 b6c0 c0a8 0151 c0a8  .0..@.@......Q..
	0x0020:  0166 0050 047f cde8 cd01 0ec1 2aaf 7012  .f.P........*.p.
	0x0030:  16d0 0f0e 0000 0204 05b4 0101 0402       ..............
08:51:33.263297 IP (tos 0x0, ttl 128, id 5931, offset 0, flags [DF], proto 6, length: 40) 192.168.1.102.1151 > 192.168.1.81.http: . [tcp sum ok] 1:1(0) ack 1 win 17520
	0x0000:  0011 118a be3f 0006 5bbb d8b2 0800 4500  .....?..[.....E.
	0x0010:  0028 172b 4000 8006 5f9d c0a8 0166 c0a8  .(.+@..._....f..
	0x0020:  0151 047f 0050 0ec1 2aaf cde8 cd02 5010  .Q...P..*.....P.
	0x0030:  4470 0e32 0000 0000 0000 0000            Dp.2........
08:51:33.263710 IP (tos 0x0, ttl 128, id 5932, offset 0, flags [DF], proto 6, length: 282) 192.168.1.102.1151 > 192.168.1.81.http: P [tcp sum ok] 1:243(242) ack 1 win 17520
	0x0000:  0011 118a be3f 0006 5bbb d8b2 0800 4500  .....?..[.....E.
	0x0010:  011a 172c 4000 8006 5eaa c0a8 0166 c0a8  ...,@...^....f..
	0x0020:  0151 047f 0050 0ec1 2aaf cde8 cd02 5018  .Q...P..*.....P.
	0x0030:  4470 ce55 0000 4745 5420 2f20 4854 5450  Dp.U..GET./.HTTP
	0x0040:  2f31 2e31 0d0a 4163 6365 7074 3a20 2a2f  /1.1..Accept:.*/
	0x0050:  2a0d 0a41 6363 6570 742d 4c61 6e67 7561  *..Accept-Langua
	0x0060:  6765 3a20 656e 2d75 730d 0a41 6363 6570  ge:.en-us..Accep
	0x0070:  742d 456e 636f 6469 6e67 3a20 677a 6970  t-Encoding:.gzip
	0x0080:  2c20 6465 666c 6174 650d 0a55 7365 722d  ,.deflate..User-
	0x0090:  4167 656e 743a 204d 6f7a 696c 6c61 2f34  Agent:.Mozilla/4
	0x00a0:  2e30 2028 636f 6d70 6174 6962 6c65 3b20  .0.(compatible;.
	0x00b0:  4d53 4945 2036 2e30 3b20 5769 6e64 6f77  MSIE.6.0;.Window
	0x00c0:  7320 4e54 2035 2e30 3b20 2e4e 4554 2043  s.NT.5.0;..NET.C
      ...

Next is the same three-way handshake with a Linux client, 192.168.1.71, connecting to the web server on 192.168.1.81. Compare the two captures: the Linux SYN carries a TCP timestamp and a window scale option (wscale 2) and has a TTL of 64, while the Windows SYN above offered only MSS and SACK with a TTL of 128. Differences like these are the basis of passive OS fingerprinting, and they are worth keeping in mind when you look at the hand-built SYN in the next section.

 $ tcpdump -i eth0 -nN -vvv -xX -s 1500 port 80 and host 192.168.1.81 -c 40
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 1500 bytes
08:58:50.851835 IP (tos 0x0, ttl  64, id 43292, offset 0, flags [DF], proto 6, length: 60) 192.168.1.71.46698 > 192.168.1.81.http: S [tcp sum ok] 682272299:682272299(0) win 5840 <mss 1460,sackOK,timestamp 372969271 0,nop,wscale 2>
	0x0000:  0011 118a be3f 000b dbc3 3924 0800 4500  .....?....9$..E.
	0x0010:  003c a91c 4000 4006 0db7 c0a8 0147 c0a8  .<..@.@......G..
	0x0020:  0151 b66a 0050 28aa a62b 0000 0000 a002  .Q.j.P(..+......
	0x0030:  16d0 024a 0000 0204 05b4 0402 080a 163b  ...J...........;
	0x0040:  0f37 0000 0000 0103 0302                 .7........
08:58:50.852040 IP (tos 0x0, ttl  64, id 0, offset 0, flags [DF], proto 6, length: 60) 192.168.1.81.http > 192.168.1.71.46698: S [tcp sum ok] 661550856:661550856(0) ack 682272300 win 5792 <mss 1460,sackOK,timestamp 372856548 372969271,nop,wscale 2>
	0x0000:  000b dbc3 3924 0011 118a be3f 0800 4500  ....9$.....?..E.
	0x0010:  003c 0000 4000 4006 b6d3 c0a8 0151 c0a8  .<..@.@......Q..
	0x0020:  0147 0050 b66a 276e 7708 28aa a62c a012  .G.P.j'nw.(..,..
	0x0030:  16a0 f6d4 0000 0204 05b4 0402 080a 1639  ...............9
	0x0040:  56e4 163b 0f37 0103 0302                 V..;.7....
08:58:50.852896 IP (tos 0x0, ttl  64, id 43294, offset 0, flags [DF], proto 6, length: 52) 192.168.1.71.46698 > 192.168.1.81.http: . [tcp sum ok] 1:1(0) ack 1 win 1460 <nop,nop,timestamp 372969272 372856548>
	0x0000:  0011 118a be3f 000b dbc3 3924 0800 4500  .....?....9$..E.
	0x0010:  0034 a91e 4000 4006 0dbd c0a8 0147 c0a8  .4..@.@......G..
	0x0020:  0151 b66a 0050 28aa a62c 276e 7709 8010  .Q.j.P(..,'nw...
	0x0030:  05b4 3687 0000 0101 080a 163b 0f38 1639  ..6........;.8.9
	0x0040:  56e4                                     V.

DOS Attack -- SYN Flooding

The attacking host, 192.168.1.81, sends SYN packets to the victim, 192.168.1.71, with a forged source address; in a real flood this would be many packets from many forged sources. The command below sends a single SYN (-n 1) to port 80 (http) with the source spoofed as 192.168.1.155, which is enough to see the mechanism; raising -n turns it into a flood. Each SYN makes the victim allocate a half-open connection and answer with a SYN-ACK to the forged address. The attack is very effective if SYN cookies are turned off (net.ipv4.tcp_syncookies on Linux), because the victim's backlog of half-open connections fills up and SYNs from real clients are then dropped.

[root@192.168.1.81]$ ./rsock -s 192.168.1.155 -d 192.168.1.71 -p 80 -n 1


Next, tcpdump is run on tape.squeezel.com (192.168.1.155), the host whose address was forged, with the following results:

  [root@tape ~]# tcpdump -i eth0 -nN  -s 1500 port not 22 -c 20
  tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
  listening on eth0, link-type EN10MB (Ethernet), capture size 1500 bytes
  15:09:11.576770 IP 192.168.1.71.http > 192.168.1.155.1234: S 2660528199:2660528199(0) ack 31338 win 5840 <mss 1460>
  15:09:11.598161 IP 192.168.1.155 > 192.168.1.71: icmp 52: host 192.168.1.155 unreachable - admin prohibited

So why the "unreachable - admin prohibited" message? It is due to the firewall on tape.squeezel.com [192.168.1.155]. The SYN-ACK from 192.168.1.71 arrives for a connection that tape never opened, and tape's iptables REJECT rule answers it with an ICMP host unreachable (code admin prohibited) instead of the TCP RST an unfiltered host would send. That difference matters to the attacker: a RST from the spoofed address tells the victim to discard the half-open connection immediately, whereas silence leaves it in the backlog until the SYN-ACK retransmissions time out (how a given stack treats the ICMP error is implementation specific). Forged sources that do not answer are what make a SYN flood bite.

Notice also what the capture reveals about the tool: the victim acknowledges 31338, so the forged SYN carried sequence number 31337, and it was sent from port 1234. A fixed source port and initial sequence number like this are an easy signature for a detection rule, which is why real flood tools randomize both.



Normal 3-way Hand Shake

This is another example of a normal three-way handshake, produced with "telnet tape.squeezel.com 80" from 192.168.1.81 and captured on tape. Compare it with the spoofed SYN above: here the SYN-ACK is answered with an ACK and the connection completes, whereas the forged source answered with an ICMP error.


[root@tape ~]# tcpdump -i eth0 -nN  -s 1500 port not 22 and port not ntp -c 200
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 1500 bytes
15:54:44.049893 IP 192.168.1.81.57591 > 192.168.1.155.http: S 1252982202:1252982202(0) win 5840 <mss 1460,sackOK,timestamp 397810663 0,nop,wscale 2>
15:54:44.050278 IP 192.168.1.155.http > 192.168.1.81.57591: S 1259957227:1259957227(0) ack 1252982203 win 5792 <mss 1460,sackOK,timestamp 397817438 397810663,nop,wscale 2>
15:54:44.049946 IP 192.168.1.81.57591 > 192.168.1.155.http: . ack 1 win 1460 <nop,nop,timestamp 397810663 397817438>

IP Packet

The following shows the layout of the IP header (RFC 791) and the TCP header (RFC 793); the tcpdump -x output above is just these fields in order. Reading the first SYN above: after the 14-byte Ethernet header (destination MAC 0011 118a be3f, source MAC 0006 5bbb d8b2, type 0800 for IPv4) the IP header starts at 45 00: version 4, header length 5 words (20 bytes), type of service 0, total length 0030 (48 bytes), identification 1729 (5929), flags and fragment offset 4000 (don't fragment), TTL 80 (128), protocol 06 (TCP), header checksum 5f97, source c0a8 0166 (192.168.1.102) and destination c0a8 0151 (192.168.1.81). The TCP header follows: source port 047f (1151), destination port 0050 (80), sequence number 0ec1 2aae, acknowledgment number 0, then 70 02 (data offset 7 words, so 28 bytes including options, and flags SYN), window 4000 (16384), checksum 80d9, urgent pointer 0, and the options 0204 05b4 (MSS 1460), 0101 (two NOPs) and 0402 (SACK permitted).


IP Header

    0                   1                   2                   3   
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |Version|  IHL  |Type of Service|          Total Length         |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |         Identification        |Flags|      Fragment Offset    |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |  Time to Live |    Protocol   |         Header Checksum       |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                       Source Address                          |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                    Destination Address                        |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                    Options                    |    Padding    |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+



TCP Header Format 
                                    
    0                   1                   2                   3   
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |          Source Port          |       Destination Port        |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                        Sequence Number                        |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                    Acknowledgment Number                      |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |  Data |           |U|A|P|R|S|F|                               |
   | Offset| Reserved  |R|C|S|S|Y|I|            Window             |
   |       |           |G|K|H|T|N|N|                               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |           Checksum            |         Urgent Pointer        |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                    Options                    |    Padding    |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                             data                              |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+






libipq

If you are running Fedora Core 3 or 4, install "iptables-devel". These are the steps I took:

     $ su
     $ rpm -ivh /fedora4/Fedora/RPMS/iptables-devel-1.3.0-2.i386.rpm
     Preparing...                ########################################### [100%]
     1:iptables-devel         ########################################### [100%]

The following man pages will now be available: iptables(8), ipq_create_handle(3), ipq_destroy_handle(3), ipq_errstr(3), ipq_get_msgerr(3), ipq_get_packet(3), ipq_message_type(3), ipq_perror(3), ipq_read(3), ipq_set_mode(3), ipq_set_verdict(3). So you can read all about ipq_create_handle as follows:

     $ man 3 ipq_create_handle

Next, the "ip_queue" needs to be loaded. As above, this step is done as root.

     $ modprobe ip_queue

As a check to see that it is loaded, do the following:

     $ cat /proc/modules |grep 'ip_'
     ip_queue 10849 0 - Live 0xf8c31000
     ip_conntrack 41497 1 ipt_state, Live 0xf8a50000
     ip_tables 19521 3 ipt_REJECT,ipt_state,iptable_filter, Live 0xf89e7000

You must tell the kernel which packets you want delivered to the queue. The iptables command below passes all outgoing ICMP packets to the queue. A packet sent to QUEUE waits in the kernel for a verdict from your userspace program, and if no program is reading the queue the packets are dropped, so add this rule only once your handler is running (or be prepared for outgoing ICMP to stop). Note that ip_queue and the QUEUE target were removed from the kernel in Linux 3.5; on current kernels the equivalent is the NFQUEUE target with libnetfilter_queue.

     $ iptables -A OUTPUT -p icmp -j QUEUE





Mike Chirico, a father of triplets (all girls) lives outside of Philadelphia, PA, USA. He has worked with Linux since 1996, has a Masters in Computer Science and Mathematics from Villanova University, and has worked in computer-related jobs from Wall Street to the University of Pennsylvania. His hero is Paul Erdos, a brilliant number theorist who was known for his open collaboration with others.


Mike's notes page is souptonuts. For open source consulting needs, please send an email to mchirico@comcast.net. All consulting work must include a donation to SourceForge.net.
