I made a back-end server which redirects users who abuse the main server (via too many invalid webpage requests in a short time) to another port so that the load on the server will be slightly less.
I then in my program via a exec() issue this command to block the IP from regular service:
iptables -t nat -I <tableforport> -p tcp --src <offending ip> -j REDIRECT --to-port <port of my server>
The problem is when I test this using an actual 2-computer setup where one is the client spamming the server (I'm actually holding F5 down for a few minutes to test), The internal port redirection doesn't seem to kick in right away. If I pause from holding F5 down for a few minutes then try again, then the internal redirection works and the blocking message from my server software works.
I feel this is due to linux (which the server runs on) caching remote IP address entries along with its ports along with other instructions causing the new iptables rules (like the one above) to be skipped until the routing cache is flushed for that IP.
In linux, I can easily flush the routing cache for each IP version via:
echo 1 > /proc/sys/net/ipvn/route/flush
where n in ipvn is either a 4 or 6.
The problem with that is if I execute it, then all the good IP's in cache will be flushed which in turn creates a slower experience for all. I only want to create a bad experience to potential hackers.
How do I go about removing only one IP address from the route cache so that when I add a redirection rule to iptables (like above), the redirection takes place right away the moment the client refreshes the page (not several refreshes, seconds or minutes later)?
Once I get an answer, I want to be able to make a C program out of it after which I can probably figure out myself.
Related
Yesterday I successfully performed a MITM attack by ARP poisoning between my router and my Windows7 computer. I used Ettercap on a Linux machine.
However, today, running the same command does not work anymore. It looks like Ettercap cannot reach my computer, which IP is 192.168.0.17.
Here is what I got :
We can see that the only host added to the list is the router one (192.168.0.1)... What I don't understand is that it was working few hours ago.
I noticed also another thing.
using the command
sudo arpspoof -i wlp20s0 -t 192.168.0.17 192.168.0.1
The ARP poisonning DOES work this time. But now the problem is that it is acting like a DDOS on my victim... It completely loses internet connection.
And before it was not, it was working as expected.
So I guess something has changed on my victim computer but I cannot figure what.
Thank you.
IP forwarding is the ability for an operating system to accept incoming network packets on one interface, recognize that it is not meant for the system itself, but that it should be passed on to another network, and then forwards it accordingly.
From https://openvpn.net/faq/what-is-and-how-do-i-enable-ip-forwarding-on-linux/
When you perform MITM packets that don't match your IP are being sent to you and are not passed on correctly so the victim can reach out to the internet. With IP forwarding enabled your computer will reroute the packets correctly and the attacked computer will have access to the internet.
On Linux if I remember correctly:
echo 1 > /proc/sys/net/ipv4/ip_forward
will fo the job.
Arp replies are stored in cache, so first of all do some tricks here:
Remove arp cache from windpws with cmd.
(Cause the first priority is the cache and if host cant find the mac address it will generate an ARP request,then your router will repliy with ARP reply)
issue this command to see arp table:
arp -a
When you do Mitm with arp spoof and your computer looses internet connectivity it might be your DNS misconfiguration.
You ll need to enable dns server.
(If wan to brows web pages)
Try to do it with ettercap and enable arp poision and dns spoof module.
I have router with linux system based. I have the related SDK to customize the linux system of the router.
When I disable a port forwarding from iptables rules, the running crontack sessions do not go down and keep established.
I want to stop all running crontack sessions when I disable a port forwarding from iptable rules. I mean, only remove the crontack sessions related to the removed rule. So stop all crontack sessions with dest IP (lan IP) = the dest IP of removed rule.
How to do that in kernel space? how to develop a kernel module that go over all crontack session and check the destination IP and remove only the session with a given ipaddress? are there some link for that?
Otherwise are a user space way ( C functions or Linux commands) to stop specific crontack sessions ?
https://www.kernel.org/doc/Documentation/networking/nf_conntrack-sysctl.txt
nf_conntrack_tcp_loose - BOOLEAN
0 - disabled
not 0 - enabled (default)
If it is set to zero, we disable picking up already established
connections.
So the already established connection is detected on-the-fly (without SYN/SYN+ACK/ACK involved) and added back as a new conntrack entry. Since it's a new conntrack entry, the nat table will be traversed again and the DNAT rule applied again. Even if one way doesn't work immediately (if there's no SNAT/MASQUERADE defined in addition to the DNAT rule the http server's outgoing packets might appear on WAN as 192.168.3.17 for a short while and be rejected/ignored by 192.168.33.13), as soon as the other way tries again (ACK retry from 192.168.33.13...) this will match.
Type this:
echo 0 > /proc/sys/net/netfilter/nf_conntrack_tcp_loose
And try again deleting the conntrack entry with conntrack -D ...
This should hopefully prevent a new conntrack entry to be created and cut the download.
This answer is copied from: https://superuser.com/questions/1258689/conntrack-delete-does-not-stop-runnig-copy-of-big-file
here is the situation:
I have written a C program doing some wireless measurements on a WRT54GL Router (OpenWRT White Russian, Busybox 1.00, Dropbear client v0.49). Please note that i can not use a more up to date version of the operating system on the router or install additional packages (just scripts or small programs are allowed).
Up to now, i log my measurements results every 15 minutes from the router to the server via a
cat localfile | ssh target_address cat ">" remotefile
which i call from my C program (system()) for every logfile which is created or present at the moment the log starts. What i don't like is, that the system call opens a new shell for every single call, causing some overhead. The good thing is that in this way the data is encrypted and because i do a connection for every file, i can directly get per file feedback from the server, so that i can remove the logs from the router. (Other approaches calling scripts from the router on the server, which then return values for the logging did not work, as the dropbear ssh client does not support this return).
So what i'm asking for: what could be a more elegant way to do so and to reduce this overhead ? By now, i've read a few tutorials about how to use TLS / TCP Sockets (so i can send the data encrypted to the server). Another possibility could be a HTTP PUT or POST, but there i am not sure how i could get feedback for the data being send. So i would just like to hear your oppions and how you guys would try to tackle this.
Best regards
Since you're talking about log files, this sounds like a job for the syslog protocol.
I am pretty sure OpenWRT supports it out of the box.
I need to detect the presence/absence of internet connection. More precisely, let us suppose that the application is broken up into 2 parts - A and B.
A is responsible for checking whether or not the system is connected to the internet. If it finds that there is no connection, it starts up part B. And as soon as it detects that there is a network connection, it kills B and continues its own work.
What would be the best way to do the A part of the application? Continual pings sounds hideous. There has to be a better way of doing this (preferably in C).
With sufficient privilege you can test the various network interfaces and examine their state. This would tell you if any of the interfaces was connected to a network and operating. However, this won't tell you if the connection is actually usable, i.e., connected to the internet (or your local net if that's all you need). I don't know of anyway to do that short of actually using it.
Using ICMP (ping) can be useful at a low level, but presumably what you need is a connection to an actual endpoint via TCP/IP to do real work. I would say that you should change the design of your application so that B is responsible for indicating when it is unable to continue due to the absence of resources that it relies on -- network or otherwise. A and B should communicate so that A is aware of the situation and is able to either kill B or respond to B terminating itself and thus continuing its work.
A lot of companies have measures in place to prevent outgoing ICMP requests, TCP connections to ports other than 80/443 for example, or even to prevent you from reaching the internet directly by (transparently) proxying your traffic.
Under an internet connection I would understand any way to contact the outside, be it UDP, TCP or ICMP. Depending on what your application needs to contact the internet for, I would suggest to check over the same protocol, as that is the only thing that matters to your app.
If your application uses HTTP to communicate to an external source, try to connect to a few sites you would suspect to not be blacklisted and that have a reliable uptime. Like google.com, microsoft.com, apple.com, and so on...
Edit:
I am unsure what the specifics are, so let me give you an example with a hypothetical situation.
Application A collects data on the system it is running on and forwards it to a Web Service listening on yourserverhost.yourcompany.com:80
Application B would basically take over the job of the Web Service when it is down and log everything so no data is lost.
When all is well, App A will be sending the data to your web service
Once this connection drops, you immediatly launch App B (the obvious remark here would be, why not keep App B running as a failsafe)
App A connects to App B and forwards what it had been buffering
App A continues to try to reestablish the connection to your Web Service and once it is back up will request App B to stop
If the problem you are facing is nothing like this, please provide a more concrete description of what App A and App B are supposed to be doing. I will be more than happy to help.
In your code, you have to check whether the internet connection exists by using a socket to open a connection to a website.
Firstrun: Ask user to input the network parameters, like proxy settings. Save this info.
Next runs: Use these settings to check for the Internet connection. You may simply do a DNS search.
If results are negative, ask user to check settings.
Check whether the cable is connected , if so ping your internet connection to any host as google.com.
ping google.com
I'm running a game website where users connect using an Adobe Flash client to a C server running on a Fedora Linux box.
Often users complain about disconnects. Usually they're "Connection reset by peer"-disconnects.
Is there any way to make the connection more stable or does it all depend on the route from the user host to my server?
One thing I tried is to make it more stable by sending PING in clear text every other minute to avoid timeout problems.
Anyone got more ideas?
You are not exhausting the number of socket/memory use/cpu that the server process is given on the server, are you?
Do check with ulimit.
Also, if possible try to trace the error message in the source code (when a RST packet is sent--), i.e. when a send() or accept() returns an error value. In such cases print a debug message into the logs; if you really fancy debugging it do a simulation of the server:
run it into debug mode on a separate machine (possibly a clone of the server)
simulate thousands of connection (or find a network harnessing program)
backtrace the call and/or sniff the connection
where are you running the server?
at home? at work? at a hosting facility?
this will make a very big difference.
Can you design your app to connect to two sockets on the server and then load balance or make it active/passive (or active/active)?
You can use SO_KEEPALIVE TCP socket option.