Network tagged blogs

DoS Attacks

DoS Attacks

-14th of November 2009

This piece of text will summarize some DoS attacks. There propably new invented all the time, so this is not an attempt of a full complete list. Denial of Service Attacks(DoS) are defined easily by the following three lines:

1. Extensive overuse and abuse of resources that leads to downtime and instabillity of services.
2. Physical attacks on infrastructure.
3. Change or destruction of system configuration.

Various forms of DOS attacks:

*SYN attack: This attack occurs when the attacker floods the victim with TCP SYN packets(the first step in a three way handshake). This opens a TCP session, the victim replies with a TCP SYN-ACK reply, but gets no reply from the initiator. The source address of the TCP SYN packets are often spoofed, and that is why the host that receives the TCP SYN-ACK reply does not recognize the session and ignores it. There might not even be a valid source address in the TCP SYN packet, resulting in the TCP SYN-ACK packet to be dropped somewhere in the network.

When the victim receives a flood if TCP SYN requests, this can result in a buffer overflow. The memory used to store initiated TCP sessions is overrun before the sessions time out. This results in the victim not being able to answer more TCP request, and therefore seems unresponsive to other clients. This attack can be prevented in several ways, including shortening timeout intervals for TCP sessions, incresing the TCP buffer, setting up a firewall to recognize TCP SYN attacks, and installing Intrusion Detection / Intrusion Prevention Systems(IDS/IPS).

*Ping of death: Fragmented ICMP ping packets are sent to the victim, bypassing MTU, overriding the 65 535 byte limit of a ICMP packetand when the fragments are reassembled. This causes a buffer overflow that can result in DoS or other unforseen behaviour. This attack can be prevented by properly configured firewalls.

*Teardrop: Fragmented IP packets are sent to the victim. As the firewall only checks the first packet in the fragmented seqence, the following packets will overwrite the destination information and maybe also the source address information. This results in a completely different receiver of the packet, and maybe also a different source address then the firewall first thought. And thus bypassing the firewall completely.

*Smurf Attack: This is a broadcast of ICMP packets with a spoofed source address. The receiver of the ICMP broadcast packets and also the source address receiving the replies will be under a DoS attack through flooding and excessive resource usage. Prevention against Smurf attacks include blocking of ICMP broadcasts in a firewall.
>More info.

*Fraggle Attack: The same as the Smurf Attack, but then with UDP brodcasts and not ICMP broadcasts. Prevention of UDP broadcast attacks, include blocking of UDP broadcasts in a firewall. Much the same as the Smurf Attack.

*Spoofing: Setting a fake source address on a transmitted package.
>More info.

*Session Hijacking: Take over one side of a communicating session, or both sides. Session-Hijacking can be done through listening to the communication between two parties and steal the session by answering a part of the communication with the correct session ID. This results in the host answering to the hijacker, and dropping the correct client. The correct client will perseve the incident as just a lost connection to the host. Since the client no longer has the correct session ID(it is incremented in the session), the client can not rejoin the communication automatically. If the client wants the session back, he would have to hijack it back. Another way to get the session ID, would be to brute force for a session ID(more likely to be detected). >More info.

*Land.c : The victim receives a packet with the same source address as destination address. The victim will then try to reply to itself, resulting in a loop. This attack can easily be prevented by blocking all packets that have the same source address as destination address.

*Christmastree packets: The victim receives a TCP packet with all the flags set. The response is analyzed for further attacks. Can be prevented by properly configuring firewalls.

*Buffer Overflow: Excessive overrun and flooding of a victims resources, resulting in DoS(Denial Of Service).

*Factory standardized configuration of equipment: Can lead to unauthorized access, resulting in a security breach and possibly DoS.

*E-mail bombs. Excessive sending of e-mail, often as a result of a trojan or a virus. Consequences are DoS of mail or network services.
>More info.

Aditionally, other dangers have always been rootkits, phishing, trojans, viruses, and other malware. These can ultimately end in a DoS attack. General precoutions against DoS or DDoS attacks are installing IDS/IPS systems, make agreements with ISP's for further protection, keep an eye on vulnerabilities, and keep you system patched and up to date.

Source: Høgskolen i Sør-Trøndelag

Tagged as: Network

Local Network Security Actions

Local Network Security Actions

-16th of September 2009

When considering local network security, take into account the four following points in the planning and configuration:

1. Make sure the packages leaving your network to the internet are leaving with the same source address as the network it is leaving from. Implement a blocking of all suspicous packages with phony source addresses, to help protect the outside world from possibly owned/infected or taken over computer systems on your network.

2. Block incomming packages from the internet that are addressed to broadcast addresses on the internal network. There is no reason why external clients or devices should be allowed to broadcast on your internal network.

3. Turn off the Direct Broadcast capability of your internet router, unless it is absolutely essential. This will hinder potential attackers from the outside to broadcast various types of attacks into your network. See for instance the blog on DoS attacks for some examples.

4. Block all packages arriving from the internet that have source addresses that are within the non-routable spectre defined by RFC1918. These are, and These addresses are set by RFC1918 to be private and non-routable on the internet. Routers on the internet will drop these by default. If you receive packages from the internet with source addresses in these address spaces, it should be seen as suspicious activity.

Source: Computer Security Handbook, 5th Edition. ISBN: 978-0-470-32722-7

Tagged as: Network

Linux Firewalls

Linux Firewalls

-13th of January 2013

When evaluating a network packet, the firewall will read header information in the packet for the corresponding layer in the OSI Model to evaluate this against the rules in a iptables chain. The iptables firewall is capable of handeling network information from all of the network layers, however it is not initially designed to do so. In the examples that will be given below, there will be explained usage of the iptables firewall in conjunction with MAC addresses(Data Link layer), IP addresses(Network layer), and TCP/UDP ports(Transport layer).

When sending information over the network, the information is divided into packages that get encapsulated into protocols in the different layers of the OSI model. The packages are always divided into a size specified by the Maximum Transmission Unit(MTU) of the sending interface. Typically this size is 1500 bytes, but can be up to 9000 bytes and then called Jumbo Frames. If the package encounters equipment with a lower MTU than it was originally handeled by, the package will be further divided. Small packages create more protocol overhead but require less data to be re-transmitted if the package is lost. Thus a small MTU is preferable for a network that is in some sort less reliable. A large MTU requires less overhead and thus more information can be transmitted faster. A large MTU is a good choice for networks that experience low retransmissions and are considered fairly reliable.

This protocol overhead that is added to the packages that are to be transmitted has various information essential for the receiving part, or essential for the equipment used to send the package on its way to the destination. This packet to be transferred typically starts its life at the application layer and traverses downwards to the physical layer where it is sent over the medium used for networking. A series of packages typically make up a whole piece of information that is to be received by the receiver, and is put together at the receiving end. When transmitting information with the IP protocol, it is possible to encapsulate it/transmit it over the TCP or UDP protocols on the Transport layer. Each of these represent two different transport mechanisms. TCP establishes a session with a three-way-handshake and ensures that all packages belonging to that session are tagged with sequence numbers and transmitted correctly over the wire. If packages are lost or mangled in the transport process, they are re-requested and re-transmitted. TCP also ensures that the receiver can put the packages together in the correct order. TCP does however have a higher overhead then UDP, wich is a stateless protocol. With UDP no attempt is made to establish a session, the packages are just put on the wire with a destination address hoping that the receiver will receive them and have the necessary applications to handle and interpret the information received. This method of package transmission demands less overhead and is a good choice for realtime communication that needs to arrive at its target fast, but not necessarily in the correct order or at all. Many popular network enhanced games use the UDP protocol when communicating over the network.
The Linux iptables firewall consists of a set of chains with firewall rules that a network packet gets evaluated by in the order that the chains are set up. As illustrated on the picture to the right, a packet will traverse the PREROUTING chain before it is sent to either the INPUT chain or the FORWARD chain depending on if the packet is intended for this particular host, or if it needs to be forwarded to another network that the receiving host is connected to. To forward network traffic to other networks, the host needs to be configured as a router.

Examples of iptable rules set by a script or via the terminal:
1. iptables -A INPUT -p icmp -m icmp -m limit --limit 2/second -j ACCEPT
2. iptables -A INPUT -i lo -s -j ACCEPT
3. iptables -A INPUT -m mac --mac-source 00:20:b0:4b:6f:1b -j ACCEPT
4. iptables -A INPUT -p tcp -i eth1 --dport 21 -j ACCEPT
5. iptables -A INPUT -p tcp -i eth1 --dport 20 -j ACCEPT

6. iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
7. iptables -A INPUT -m state --state INVALID -j DROP
8. iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
9. iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
10. iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
11. iptables -A INPUT -p icmp -m icmp --icmp-type address-mask-request -j DROP
12. iptables -A INPUT -p icmp -m icmp --icmp-type timestamp-request -j DROP

Explanation to the rules listed above:
1. Limit the amount of ping packets(icmp) to the input chain to two per second, to avoid icmp flood attacks/DOS attack.
2. Allow the loopback interface to communicate with the host. This is often required by several applications that might be running on the host.
3. Allow sender with a specified mac source address to pass the INPUT chain. Note that mac addresses can be spoofed.
4. Allow packets over the INPUT chain arriving at TCP port 21 to pass. Often required by FTP servers.
5. Allow packets over the INPUT chain arriving at TCP port 20 to pass. Often required by FTP clients in active mode.
6. Allow packets over the INPUT chain that are a part of a related or already established communication transaction.
7. Drop packets that are considered invalid.
8. If a packet is considered new and not a part of a already established TCP session, and the syn flag is not set, then drop it.
9. If a packet has all the TCP flags set, it is considered invalid and dropped. TCP packets with all the flags set are suspected to be Christmastree packets.
10. If no TCP flags are set on the TCP packet, it is considered invalid and dropped.
11. ICMP(ping) packets that request address mask information are dropped.
12. ICMP(ping) packets that request timestamp information are dropped.

More information regarding various iptables rules that can be applied to iptable chains can be found at various sites on the internet and is recommended reading.

The Linux iptables firewall is often used together with technologies like Snort, FWSnort and PSAD. Snort is generally used to monitor and log network traffic to alone form a Intrusion Detection System(IDS). However, when PSAD and FWSnort, or Snort is used together in conjunction with iptables, it forms an Intrusion Prevension System(IPS). A graphical interface to these systems can be set up with several GUI systems, like BASE or OSSIM.

Better yet, the commandline interface that the iptables firewall has, makes it easily scriptable and thus tweakable through various script languages(e.g. Perl, BASH, Python). Iptables with its capabillities reaching alot further then mentioned here therefore gets to be a nerds dream in a tweakable Linux world.

Sources: Linux Firewalls. ISBN: 978-1-59327-141-1
              Drift av lokalnettverk. ISBN: 82-519-2075-2

Tagged as: LinuxNetwork

Netmap, Netcat, Nmap, Netstat and TCPDump

Netcat, Nmap, Netstat and TCPDump

-20th of December 2013


Netcat as a server to setup port for testing a network connection:
nc -w 600 -k -l 2389
Netcat will listen for 600 seconds(-w) and then stay up after the client disconnects(-k). The client will listen on port 2389.

To test the connection to the netcat server, you can use telnet from a different machine on the same network:
telnet -e p 2389
press p
type quit
press enter

We can also test the connection with netcat as a client:
nc 2389

Send a file over with netcat using udp(-u):
>at the server: $ nc -u -l 2389 > outputfile
>at the client: cat testfile | nc -u localhost 2389

Netcat as a client via a gateway and spoofing its IP:
nc -s spoofed_ip -g <gateway> remote_host <port>
Note: Up to eight hop points may be specified using the -g flag.

Netcat as a port scanner:
nc -r -w1 -v -n -z 3305 – 3320
-r for random ports in range
-w1 for wait 1 second for a reply
-v for verbose output
-n for no name resolution
-z for send no data

Get all header replies from services listening on ports in range:
echo "" | nc -v -n -w1 3306 – 3307
Example reply: Host '' is not allowed to connect to this MySQL server

Netcat proxy to Google that sends responses on port 123456 back to client:
nc -l -p 12345 | nc 80 | nc -l -p 12346

Show a web page on port 80:
while true; do nc -l -p 80 -q 1 < error.html; done

Send a partition over the network with netcat:
Receiving side:
nc -l -p 9000 | dd of=/dev/sda

Sending side:
dd if=/dev/sda | nc 9000


#2 find what servers respond to ping

SYN scan with spoofed source addresses

Ping scan with a spoofed source address

TCP SYN Scan with OS detection

Scan port range 1-200 with version detection

  • NMAP Project Guide
  • NMAP Ping of Death
  • NMAP tricks #1
  • NMAP tricks #2


    NBTSCAN is the Linux version of NBTSTAT, and can
               handle ranges of addresses instead of just a single host.
    nbtscan -hv

    The tool will scan for netbios information on the host.

  • More NBTSCAN examples


    List all open ports with netstat

    All open ports, numeric with network timers

    Click and see titles under for descriptions

    Click and see titles under for descriptions

  • netstat -au or netstat -at
  • netstat -lt or netstat -lu
  • netstat -st
  • netstat -su
  • Microsofts Netstat
  • Linux and Unix Netstat
  • More Netstat
  • Netstat MAN Pages


    Source: Manual pages

    Tagged as: LinuxCommandsNetwork

    Deep Security Virtual Patching

    Configuring Virtual Patching in Deep Security 9

    -29th of June 2013

    Virtual Patching

    In Deep Security IPS is what makes up Virtual Patching.
    See page 74 in the Deep Security Administration guide. DPI will inspect the traffic to the guest system and use IPS to block any traffic that might be exploiting known vulnerabilities that are fixed in patches not yet applied to the guest system.

    1. In the Deep Security Console, go to computers.
    2. Choose a test machine and double click it.
    3. Choose 'Intrusion prevention' and choose ON, then decide if you want 'Detect' or 'Prevent'.
    4. Choose to add rules manually (Assign/Unassign button) or choose to get recommendations (then press the button 'Scan for Recommendataions').
    5. If you choose the manual method, then just check off the rules you want and right click so that you can choose 'Assign rules -> to all interfaces'
    6. If you choose 'Scan for Recommendations' you can either choose to let the rules automatically be added or see what is recommended.
    7. Usually it is adviceable to choose under Assign/Unassign -> 'Recommended for assignment.'
    8. Then right click 'select all' - right click and 'Assign rules -> to all interfaces.'

    Please see the illustration on the right.

    For further information, please see the administration manual.

    Source: Deep Security 9 Administration Manual

    Tagged as: VMWareHowToNetwork

    Main page
    VMWare Hyper-V
    Active Directory
    SQL 2008
    SQL 2016