fail2ban attack

I was talking about fail2ban running from my firewall and a certain IP being the only one allowed in (as specified in iptables).  First of all, I should probably be using port knocking or something better for this scenario (in fact, after the comment I went ahead and put spa on the firewalls – something I’ve been meaning to do anyway for awhile now) but that’s beside the point.

fail2ban works by denying an ip address for x amount of time because of failed logins.  It does this by using log entries from /var/log/auth.log and writing corresponding iptables rules.  This is mostly for limiting ssh login failures.

If you spoofed the ipaddress of the machine I was logging in from, you could maybe launch a dos by getting the legitimate machine banned. Realistically, I think the attack would not succeed.  Here’s what would happen.

  1. An attacker sends a spoofed connection packet to my firewall with a legitimate ip address (so it makes it through my dummy firewall)
  2. The ssh server responsds with a syn/ack to the correct ip address (not the attacker)
  3. The correct ip address doesn’t know where this came from, so either drops it or sends a RST packet if there are no firewall controls on the sender machine.

The point is that the handshake is never completed, so there is never a failed login entry in /var/log/auth, and it never gets so far as to fail2ban.

 

Unintended consequences of half open scans

Short analysis of the nmap half open scans (also called syn scans).

These scans are distinguished from the default operation of full connection scans, which completes the full tcp handshake. i.e.

SYN –>
<—SYN+ACK
ACK–>

A half open scan just does

SYN–>
<–SYN+ACK

The scanner determines weather the port is up or not based on if the SYN+ACK comes back.  Obviously, the final ack is never sent back.  This can be performed by

$ nmap -P0 -sS target

This was a popular method due to it being ‘stealthy’ though it’s not so much stealthy anymore and because it’s fast – though it doesn’t seem to be faster than a full connection scan in practice.

Anyways, now to something everyone doesn’t already know (maybe, at least I didn’t).

nmap uses raw sockets to craft these packets, which is why syn scans must be run as root.  What’s interesting is that if the remote host responds with a SYN+ACK – the local stack receives this packet, which did not come from the local stack (because again, it was crafted with a raw socket by nmap).  As far as the scanning computer knows, the SYN+ACK is not part of a handshake and appears to have come out of nowhere, so the scanner sends a RST back to the target system.  Nuts.

You can stop this by using simple iptables, on INPUT or OUTPUT, by having a default drop policy (only allowing ESTABLISHED,RELATED and known services through is probably a good rule of thumb).

TCP/IP Drinking Game

This is a preview of what might happen at Chris’s bachelor party (if we get crazy enough). Add your questions here to skew the results! If you’re lucky there may even be a Linux drinking game.

Some of these are stolen from online. Some of them may not seem very hard, but I’m sure they’ll get more and more difficult as we consume more and more alcohol. Also, it’ll be fun to see all the obscure crap I’m sure some of you know just on the top of your head (freakin weirdos).

-What is the minimum length of a tcp packet and why is there a min length?
64 bitsb and so a collision can be detected

-Name at least three official DNS resource record types.
Any three of A, CNAME, HINFO, MX, NS, PTR, SOA, TXT, WKS, RT, NULL,
AXFR, MAILB, MAILA, KX, KEY, SIG, NXT, PX, NSAP, NSAP-PTR, RP, AFSDB,
RT, GPOS, DNAME, AAAA, SRV, LOC, EID, NIMLOC, ATMA, NAPTR, CERT, SINK,
OPT, APL, TKEY, TSIG, IXFR, Deprecated: MB, MD, MF, Experimental:
MINFO, MR, MG, X25

-What is the maximum amount of data in a UDP packet over IPv6?
65487 bytes (65535 – 40 IPv6 header – 8 UDP header).

-What application uses TCP port 666?
Doom

-What does crc stand for?
Cyclic Redundanct check

-What are class D networks used for?
Multicasting

-What is a runt packet?
A packet that is shorter than the minimum packet length as defined
by the protocol it is using.

-As of RFC 1394, how many values can the TOS field in an IPv4 header have?
5 (4 bit wide field, only one may be set at a time, 0 is valid).

-What OSI model layer does IP most closely resemble?
The network layer, layer 3.

-What was the first remotely operated non-computer appliance to be connected to the Internet?
A toaster (controlled using SNMP).

-What is the only field that is different between a regular ARP packet and a gratuitous ARP packet?
The target IP.

-What error is returned if a UDP datagram is received and has a checksum error?
None. It is silently discarded.

-Which parts of the packet does the UDP checksum cover?
UDP pseudoheader, UDP header, UDP data.

-Which parts of the packet does the IP checksum cover?
The IP header.

-How many identical acks need to be received for fast retransmit to occur?
4 (3 duplicate + original).

-How many bytes total are in a standard sized ICMP echo request packet?
84 bytes (56 data, 8 ICMP header, 20 IP header).

-How many bits are in an “A” type DNS resource record?
112, plus the owner name.

-What is the range of class B IP addresses?
128.0.0.0 through 191.255.255.255.

-How many hosts should be on a network with a 255.255.255.192 subnet mask?
62 (64 – (broadcast address and network address))

-Name all 7 layers of the OSI network model.
Physical, Data Link, Network, Transport, Session, Presentation,
and Application.

-In a Christmas tree packet, which TCP flag bits are turned on?
SYN, URG, PSH, and FIN (all of them).

- What service runs on port 6667?
Internet Relay Chat (IRC)

-Name 7 of the 11 states of a socket (one at a time, person who can’t name one has to drink!)
1. LISTEN
2. SYN-SENT
3. SYN-RECEIVED
4. ESTABLISHED
5. FIN-WAIT-1
6. FIN-WAIT-2
7. CLOSE-WAIT
8. CLOSING
9. LAST-ACK
10. TIME-WAIT
11. CLOSED

-What flags are set with a FIN scan?
The FIN flag

-What is the first program able to scan networks using xmas packets?
nmap

-Who wrote nmap?
Fyodor

-Who invented the Internet?
Al Gore. Also acceptable are Bob Kahn and Vint Cerf who invented TCP, or maybe Larry Roberts who started ARPANET. Anyway, Al Gore actually never even said he invented the Internet, but his political contributions actually did probably help.

-What is a Chernobyl Packet?
A Chernobyl packet is a network packet that induces a broadcast storm and/or network meltdown. The term was named after the April 1986 nuclear accident at Chernobyl. Also acceptable is a Chernevog’s mating call.

-What is more common with DNS talk, TCP or UDP?
UDP I think. Although DNS occasionally does use TCP for big things.

-TCP or UDP – IRC?
TCP

-TCP or UDP -SMTP?
TCP

-What does RTT stand for?
Round Trip Time

Follow

Get every new post delivered to your Inbox.

Join 33 other followers