I have a Wireshark capture where several machines send TCP SYN requests and sometimes RST to the same target machine. All the SYN and RST are sent by different machines.
Is a cyber attack present in this capture? If so, what attack is it and how can I mitigate it?
I think it has something to do with TCP SYN Scan (aka half-open scan).
I found out that the video quality of media streams in WebRTC is notably better via UDP connections. Also, the data channel is based on UDP too (is that right?).
Suppose two peers (both behind NATs) are connected with each other with WebRTC technology and their IP addresses are exposed to the public.
Will the WebRTC service be vulnerable to network attack, especially a UDP flood attack?
Real-time interactions like video chat prefer UDP connections over TCP connections because dropped packets over UDP will not result in a wait for retransmissions. The audio or video will simply be corrupted, and if necessary, the receiving party can ask to have something repeated. This is preferred to the interactivity being interrupted while waiting for the retransmitted packet(s). WebRTC prefers UDP connections, but can also fall back to TCP connections. This is true for the data channel as well.
I am not familiar with the details of UDP flood attacks, but will try to describe relevant NAT behavior. When two peers interact from behind NATs, there is only one port open per connection on the NAT to receive packets that are passed on to the client. The external IP address of the NAT is public, but you cannot send to random ports on this IP and have packets delivered to the client. Further, there are different types of NAT behavior; it may not be sufficient to send to the port at the NAT IP to have packets sent to the client, it may also be necessary that they come from address or ports that have already interacted with the client. See NAT types. An attack can also try to overwhelm the NAT unit itself.
The question is: we have the following setup, and we have noticed that sometimes the client sends an RST packet to terminate the initial TCP handshake and the application gets a timeout.
[10.5.8.30]------[Linux FW]-------[10.5.16.20]
Wireshark:
You can see the RST packet in Wireshark. I thought it was the FW sending the RST, but in the capture the packet is coming from 10.5.8.30, so what could be wrong here? Why is the connection getting reset randomly? If I try again it works.
The fact that the source IP for the RST packet is 10.5.8.30 doesn't mean that it really came from 10.5.8.30.
There are firewalls and various other intermediary devices that forge such packets. Try capturing on both ends to check whether 10.5.8.30 did, in fact, send the RST. It doesn't make sense for a client to send a TCP SYN and then an RST.
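The two capture questions above (several hosts sending SYN and then RST to one target, and an RST that appears to come from 10.5.8.30 but may have been forged by a middlebox) both come down to reading handshake state out of a packet list. The following is an added example, not code from either thread: a small Python triage pass over a constructed packet list shaped like a tshark field export. It flags sources that repeatedly receive a SYN-ACK and answer with RST instead of ACK (the half-open scan pattern the first question suspects), and it flags client RSTs whose IP TTL differs from that client's own SYN in the same flow, a common hint that the RST was injected on the path. The packet records, hosts and threshold are all assumptions; confirming a forged RST still means capturing at both ends as the answer says.

```python
"""Added example: handshake-state triage over a constructed packet list.
Checks:
  1. half-open (SYN scan) pattern: a source sends SYN, receives SYN-ACK, then
     replies RST rather than ACK, never completing the handshake;
  2. RST-origin sanity: a client RST whose IP TTL differs from that client's
     SYN in the same flow suggests a middlebox forged it."""
from collections import defaultdict

# Constructed packet records (not from the questions' captures):
# (time, src, dst, sport, dport, tcp_flags, ip_ttl)
PACKETS = [
    (0.00, "10.5.8.30", "10.5.16.20", 40001, 22, "S", 64),
    (0.01, "10.5.16.20", "10.5.8.30", 22, 40001, "SA", 64),
    (0.02, "10.5.8.30", "10.5.16.20", 40001, 22, "A", 64),    # normal handshake
    (1.00, "10.5.8.30", "10.5.16.20", 40002, 443, "S", 64),
    (1.01, "10.5.16.20", "10.5.8.30", 443, 40002, "SA", 64),
    (1.02, "10.5.8.30", "10.5.16.20", 40002, 443, "R", 61),   # RST with a different TTL
    (2.00, "192.0.2.7", "10.5.16.20", 50000, 80, "S", 128),
    (2.01, "10.5.16.20", "192.0.2.7", 80, 50000, "SA", 64),
    (2.02, "192.0.2.7", "10.5.16.20", 50000, 80, "R", 128),   # half-open probe
    (2.03, "192.0.2.7", "10.5.16.20", 50001, 25, "S", 128),
    (2.04, "10.5.16.20", "192.0.2.7", 25, 50001, "SA", 64),
    (2.05, "192.0.2.7", "10.5.16.20", 50001, 25, "R", 128),   # half-open probe
    (2.06, "192.0.2.7", "10.5.16.20", 50002, 8080, "S", 128),
    (2.07, "10.5.16.20", "192.0.2.7", 8080, 50002, "R", 64),  # closed port: server RST
]


def track_flows(packets):
    """Group packets by the client-side 4-tuple and record handshake outcome."""
    flows = defaultdict(lambda: {"syn": None, "synack": False, "ack": False, "rst": None})
    for t, src, dst, sport, dport, flags, ttl in packets:
        if "S" in flags and "A" not in flags:            # client SYN opens a flow
            flows[(src, dst, sport, dport)]["syn"] = (t, ttl)
        elif flags == "SA":                               # server reply, key by client
            flows[(dst, src, dport, sport)]["synack"] = True
        elif flags == "A":
            key = (src, dst, sport, dport)
            if key in flows:
                flows[key]["ack"] = True
        elif "R" in flags:
            key = (src, dst, sport, dport)
            if key in flows:                              # RST from the client side
                flows[key]["rst"] = (t, ttl, "client")
            else:
                key = (dst, src, dport, sport)
                if key in flows:                          # RST from the server side
                    flows[key]["rst"] = (t, ttl, "server")
    return flows


def half_open_sources(flows, threshold=2):
    """Sources with >= threshold flows that got a SYN-ACK and answered RST, never ACK."""
    counts = defaultdict(int)
    for (src, _, _, _), f in flows.items():
        if f["synack"] and not f["ack"] and f["rst"] and f["rst"][2] == "client":
            counts[src] += 1
    return sorted(s for s, n in counts.items() if n >= threshold)


def suspicious_rsts(flows):
    """Client RSTs whose IP TTL differs from the client's own SYN in the same flow."""
    out = []
    for key, f in flows.items():
        if f["syn"] and f["rst"] and f["rst"][2] == "client" and f["rst"][1] != f["syn"][1]:
            out.append(key)
    return sorted(out)


if __name__ == "__main__":
    fl = track_flows(PACKETS)
    print("possible half-open scanners:", half_open_sources(fl))
    print("client RSTs with TTL mismatch:", suspicious_rsts(fl))
```

On the constructed data, 192.0.2.7 is reported as a half-open scanner (two probes answered with RST after a SYN-ACK) and the 10.5.8.30 flow to port 443 is reported as a TTL mismatch. The threshold and the TTL heuristic are tuning knobs; a real export would be fed in with `tshark -T fields` and the same flow logic.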
Is it possible to make a system call or write a kernel module to craft a TCP connection directly into the ESTABLISHED state without going through the three-way handshake, assuming the correct SYN sequence and ACK numbers are provided dynamically?
You may like to have a look at TCP fast open, which modern Linux kernels implement:
TCP Fast Open (TFO) is an extension to speed up the opening of successive Transmission Control Protocol (TCP) connections between two endpoints. It works by using a TFO cookie (a TCP option) in the initial SYN packet to authenticate a previously connected client. If successful, it may start sending data to the client before the receipt of the final ACK packet of the three way handshake is received, skipping a round trip and lowering the latency in the start of transmission of data.
I am trying to generate a series of packets to simulate the TCP 3-way handshake. My first step is to capture the real connection packets and try to re-send the same packets from the same machine, but it didn't work at first.
Finally I found out that the packet I captured with tcpdump is not exactly what my computer sent out: the TCP checksum field is changed, and it led me to think that I can establish a TCP connection even if the TCP checksum is incorrect.
So my question is: how is the checksum field calculated? Is it modified by tcpdump or by hardware? Why is it changed? Is it a bug of tcpdump, or is it because the calculation is omitted?
The following is the screenshot I captured from my host machine and a virtual machine; you can see that the same packet captured on different machines is the same except for the TCP checksum.
The small window is my virtual machine. I used the command "ssh 10.82.25.138" from the host to generate these packets.
What you are seeing may be the result of checksum offloading. To quote from the wireshark wiki (http://wiki.wireshark.org/CaptureSetup/Offloading):
Most modern operating systems support some form of network offloading, where some network processing happens on the NIC instead of the CPU. Normally this is a great thing. It can free up resources on the rest of the system and let it handle more connections. If you're trying to capture traffic it can result in false errors and strange or even missing traffic.
On systems that support checksum offloading, IP, TCP, and UDP checksums are calculated on the NIC just before they're transmitted on the wire. In Wireshark these show up as outgoing packets marked black with red Text and the note [incorrect, should be xxxx (maybe caused by "TCP checksum offload"?)].
Wireshark captures packets before they are sent to the network adapter. It won't see the correct checksum because it has not been calculated yet. Even worse, most OSes don't bother initialize this data so you're probably seeing little chunks of memory that you shouldn't.
Although this is for wireshark, the same principle applies. In your host machine, you see the wrong checksum because it just hasn't been filled in yet. It looks right on the guest, because before it's sent out on the "wire" it is filled in. Try disabling checksum offloading on the interface which is handling this traffic, e.g.:
ethtool -K eth0 rx off tx off
if it's eth0.
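To show concretely what the checksum field contains once the NIC (or the stack, with offloading disabled) fills it in, here is an added example that is not part of the question or answer above: a Python implementation of the TCP checksum as specified in RFC 793, the one's-complement sum over the IPv4 pseudo-header (source, destination, zero, protocol 6, TCP length) and the segment with its checksum field zeroed. It builds a minimal SYN, once with the field computed and once left at zero the way an offloaded segment looks in a host-side capture, and verifies both. The addresses and ports are constructed and do not come from the screenshots.

```python
"""Added example: computing and verifying the TCP checksum (RFC 793) so that a
host-side capture with an unfilled field can be recognised as offloading rather
than corruption. Packet bytes below are constructed."""
import struct


def ones_complement_sum(data: bytes) -> int:
    """16-bit one's-complement sum with end-around carry, odd trailing byte padded."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def tcp_checksum(src_ip: bytes, dst_ip: bytes, segment: bytes) -> int:
    """Checksum over pseudo-header + segment, with bytes 16..17 of the segment zeroed."""
    pseudo = src_ip + dst_ip + struct.pack("!BBH", 0, 6, len(segment))
    zeroed = segment[:16] + b"\x00\x00" + segment[18:]
    return (~ones_complement_sum(pseudo + zeroed)) & 0xFFFF


def build_syn(src_ip, dst_ip, sport, dport, seq, fill_checksum=True):
    """Minimal 20-byte SYN header. With fill_checksum=False the field stays 0, which
    is what a capture taken before the NIC computed it tends to look like."""
    seg = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x02, 65535, 0, 0)
    if fill_checksum:
        seg = seg[:16] + struct.pack("!H", tcp_checksum(src_ip, dst_ip, seg)) + seg[18:]
    return seg


def verify(src_ip, dst_ip, segment) -> bool:
    """True when the checksum field matches a recomputation over the same bytes."""
    stored = struct.unpack("!H", segment[16:18])[0]
    return stored == tcp_checksum(src_ip, dst_ip, segment)


if __name__ == "__main__":
    # Constructed endpoints; 10.82.25.138 mirrors the question, the source is assumed.
    src, dst = bytes([10, 82, 25, 10]), bytes([10, 82, 25, 138])
    on_wire = build_syn(src, dst, 40000, 22, 0x12345678)
    host_capture = build_syn(src, dst, 40000, 22, 0x12345678, fill_checksum=False)
    print("wire copy verifies:", verify(src, dst, on_wire))
    print("host copy verifies:", verify(src, dst, host_capture),
          "-> expected 0x%04x" % tcp_checksum(src, dst, host_capture))
```

The two copies differ only in bytes 16..17, exactly the pattern in the question's screenshots; recomputing over the host copy yields the value the guest-side capture shows. Wireshark's "maybe caused by TCP checksum offload" note is produced by the same comparison, and the usual remedy is either `ethtool -K` as above or turning off checksum validation in the TCP protocol preferences so the offloaded frames are not marked as errors.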
If my server implements SYN Cookies to avoid DoS attacks, but an attacker knows the server utilizes SYN Cookies, is it possible that they could create a half- or fully-open connection simply by sending an ACK?
I know that SYN Cookies use an algorithm to create the unique initial connection, and if the attacker's handshake is incomplete the SYN is dropped and can only be recreated by receiving a valid SYN-ACK.
But could an attacker still somehow manage?
No, it should not be possible for an attacker to know what the SYN initial sequence value is in order to complete the TCP 3-way handshake. Furthermore, it is not possible for any TCP port to be in a half-open state when SYN Cookies are in use. The answer is rooted in cryptography.
An implementation of SYN Cookies could use a symmetric cipher to generate sequence IDs. For instance, when the machine boots it will generate a random secret key to be used for all TCP sequence IDs. When the machine receives an incoming SYN packet to an open port it will generate a sequence ID by encrypting the server's IP address, the client's IP address and the port numbers being used. The server doesn't need to keep track of the SYN initial sequence ID it sent out, so it doesn't have per-client state and this idea of a "half-open" TCP socket doesn't really apply (at least in terms of DoS). Now when the client sends back its SYN-ACK packet it needs to contain the SYN initial sequence ID. When the server gets this initial sequence ID back from the client in a SYN-ACK packet it can work backwards, by encrypting the server's IP address, the client's IP address and the port numbers being used.
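The stateless scheme the answer describes, as an added example that is not the answerer's code or any kernel's implementation: the server derives its initial sequence number from the connection 4-tuple and a boot-time secret, stores nothing per SYN, and when a bare ACK arrives it recomputes the value and checks it against the acknowledgement number the client returned. HMAC-SHA256 stands in for the symmetric cipher mentioned above, and the coarse 64-second counter with a one-step grace window is an assumption added so the example can also show that a captured cookie stops validating after a short time. Endpoint addresses are constructed.

```python
"""Added example: stateless SYN-cookie style ISN generation and verification.
HMAC-SHA256 (truncated to 32 bits) replaces the symmetric cipher in the text;
the time counter and grace window are assumptions for demonstrating expiry."""
import hashlib
import hmac
import os
import struct
import time

SECRET = os.urandom(32)   # generated once at boot, never sent on the wire


def _counter(now=None):
    """Coarse 64-second counter mixed into the cookie so old cookies expire."""
    return int((time.time() if now is None else now) // 64)


def syn_cookie(src_ip, dst_ip, sport, dport, now=None, secret=SECRET):
    """ISN for a SYN from (src_ip, sport) to (dst_ip, dport). Nothing is stored."""
    msg = struct.pack("!4s4sHHI", src_ip, dst_ip, sport, dport, _counter(now) & 0xFFFFFFFF)
    return int.from_bytes(hmac.new(secret, msg, hashlib.sha256).digest()[:4], "big")


def accept_ack(src_ip, dst_ip, sport, dport, ack_num, now=None, secret=SECRET):
    """Server side on a bare ACK: the client must acknowledge ISN+1. Recompute for the
    current and the previous counter value (the handshake may straddle a boundary)
    and compare in constant time. A guessed ack number or an expired cookie fails."""
    base = time.time() if now is None else now
    got = (ack_num & 0xFFFFFFFF).to_bytes(4, "big")
    for t in (base, base - 64):
        expected = (syn_cookie(src_ip, dst_ip, sport, dport, t, secret) + 1) & 0xFFFFFFFF
        if hmac.compare_digest(expected.to_bytes(4, "big"), got):
            return True
    return False


if __name__ == "__main__":
    client, server = bytes([192, 0, 2, 7]), bytes([198, 51, 100, 5])   # constructed
    t0 = 1_000_000.0
    isn = syn_cookie(client, server, 40000, 443, now=t0)               # sent in SYN-ACK
    print("legitimate ACK accepted:", accept_ack(client, server, 40000, 443, isn + 1, now=t0))
    print("bare ACK with guessed number accepted:",
          accept_ack(client, server, 40000, 443, 0x12345678, now=t0))
    print("replayed ACK three minutes later accepted:",
          accept_ack(client, server, 40000, 443, isn + 1, now=t0 + 200))
```

Because the server keeps no table of outstanding SYNs, a flood of SYNs consumes no memory, and an attacker who sends only ACKs has to hit a 32-bit value derived from a secret they do not hold. Real kernels pack a few extra bits (such as the negotiated MSS) into the cookie, which this illustration leaves out.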