I want to implement a malicious (programmable) OVS switch in an SDN network that can calculate the hash of the packet and tamper with the data (the PACKET_OUT, precisely) before forwarding it to the next hop.
I'm new to Open vSwitch, and I searched for tutorials and didn't find anything helpful regarding this task.
Can you please show me how to do it?
I have a measurement setup where I want to trigger an oscilloscope based on a network packet arriving. I have good results for a few seconds, but somewhere between 20 s and 40 s I get a wrong trigger. My research showed that this could come from the ARP packets sent from the device. I tried to disable the ARP sending, but then the whole network went down. Now I'm trying to find a solution where I change the rate at which the ARP packets are sent, without success. So I'm asking you if you know a way to either disable ARP or send as few ARP requests as possible.
For your information, I'm working on a Linux machine. Any help would be appreciated.
I already tried:
#ip link set arp off dev eth0 <--- results in network down
changing the values for:
/proc/sys/net/ipv4/neigh/default/gc_interval
/proc/sys/net/ipv4/neigh/default/gc_stale_time
/proc/sys/net/ipv4/route/gc_interval
/proc/sys/net/ipv4/route/gc_timeout
with no success.
Thanks, draufunddran
TL;DR: Disabling ARP on your machine will eventually cause other nodes on the network to stop sending packets to your machine (that is why your network appears to go down).
If you want to completely disable ARP packets on your network, you will need to manually program the ARP tables on the other nodes on your LAN (subnet) so that they know how to map your host's IP to a MAC address to send to on the LAN. This is a difficult thing to do, if it is even possible, since some nodes on your network may not offer the ability to program their ARP tables manually.
I have an application on my Linux host that communicates via UDP to another machine over 10G Ethernet. The machine on the other end does not respond to ARP requests. I am able to get its MAC address through other means (a different interface, on
Is there a way to programmatically get this information into the ARP table without privileged status?
I know I can on a command line issue "sudo arp -s 1.2.3.4 AA:BB:CC:DD:EE:FF" every time I power it up.
I know I can add "1.2.3.4 AA:BB:CC:DD:EE:FF" to /etc/ethers.
I know that as a privileged user/process I can issue an ioctl with SIOCSARP.
All of these mechanisms require sudo/root access. I read something about giving the application "CAP_NET_ADMIN" permissions.
I'm looking for this capability so that the end users don't need to do any of the above. It seems like, if I, without sudo/root, can open a socket that determines the need for this network information, there should be a way for me, without sudo/root, to provide it.
No, you can't edit ARP information as non-root. This makes sense, as otherwise a malicious attacker would be able to modify ARP tables and completely disrupt network communication and compromise security.
The solution to your problem is to fix your network configuration.
Problem
I have just started to scratch the surface of this topic, so excuse me if I'm formulating the question a bit strangely and like a novice. Let's say I'm on a wireless network, which I am right now, and I want to see all the data that is flowing in and out of this network from other clients connected to the network. I remember reading a book about someone doing this while being connected to the Tor network, and it got me thinking about how this is done.
Questions
A: What is this process called?
B: How is it done?
Wireshark can do this:
http://www.wireshark.org/
It sniffs packets in "promiscuous mode":
http://en.wikipedia.org/wiki/Promiscuous_mode
That lets you see all the packets routed through a specified network interface, not just the packets targeted to a particular client.
A: It's called packet analyzing / packet sniffing.
B: In an unswitched network (e.g. a wifi network or hub), all you need is a network card that supports promiscuous mode and some software, as mentioned by sdanzig.
In a switched environment (e.g. most modern wired networks), you need to use a Layer 3 switch and set it up to mirror the traffic you're interested in to the port to which you are connected. (Otherwise your network adapter won't 'see' the other traffic.)
Some tools:
http://www.dmoz.org/Computers/Software/Networking/Network_Performance/Protocol_Analyzers/
Related topics on SO:
https://stackoverflow.com/questions/tagged/packet-sniffers
https://stackoverflow.com/questions/tagged/packet-capture
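To make the promiscuous-mode point concrete, here is an added example (it is not code from either answer above): a small Linux sniffer that opens an AF_PACKET socket, joins PACKET_MR_PROMISC on an interface, and decodes each frame's Ethernet, ARP and IPv4 headers the way a protocol analyzer would. The two sample frames at the bottom are constructed in the script, not captured traffic, and the interface name passed to sniff() is whatever your machine has. On a switched network this still only shows you what reaches your port, which is why the mirroring step above is needed there.

```python
"""Promiscuous-mode sniffer with a minimal Ethernet/ARP/IPv4 decoder (added example)."""
import socket
import struct
import sys

ETH_P_ALL = 0x0003
ETH_P_IP = 0x0800
ETH_P_ARP = 0x0806
SOL_PACKET = 263             # value from <linux/socket.h>
PACKET_ADD_MEMBERSHIP = 1    # values from <linux/if_packet.h>
PACKET_MR_PROMISC = 1


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def parse_ethernet(frame):
    """Return (dst, src, ethertype, payload) from a raw Ethernet II frame."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    return mac_str(dst), mac_str(src), ethertype, frame[14:]


def parse_arp(payload):
    """Decode an Ethernet/IPv4 ARP packet (RFC 826) into a dict."""
    hw, proto, hlen, plen, op = struct.unpack("!HHBBH", payload[:8])
    if hw != 1 or proto != ETH_P_IP or hlen != 6 or plen != 4:
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    sha, spa, tha, tpa = struct.unpack("!6s4s6s4s", payload[8:28])
    return {"op": {1: "request", 2: "reply"}.get(op, op),
            "sender_mac": mac_str(sha), "sender_ip": socket.inet_ntoa(spa),
            "target_mac": mac_str(tha), "target_ip": socket.inet_ntoa(tpa)}


def parse_ipv4(payload):
    """Decode the fixed IPv4 header plus, for TCP/UDP, the port pair."""
    ihl = (payload[0] & 0x0F) * 4
    if ihl < 20 or len(payload) < ihl:
        raise ValueError("bad IPv4 header length")
    info = {"src": socket.inet_ntoa(payload[12:16]),
            "dst": socket.inet_ntoa(payload[16:20]),
            "proto": payload[9],
            "total_len": struct.unpack("!H", payload[2:4])[0]}
    l4 = payload[ihl:]
    if info["proto"] in (6, 17) and len(l4) >= 4:
        info["sport"], info["dport"] = struct.unpack("!HH", l4[:4])
    return info


def describe(frame):
    """One-line summary of a frame, the way a sniffer would print it."""
    dst, src, ethertype, payload = parse_ethernet(frame)
    if ethertype == ETH_P_ARP:
        a = parse_arp(payload)
        return f"ARP {a['op']} {a['sender_ip']} ({a['sender_mac']}) -> {a['target_ip']}"
    if ethertype == ETH_P_IP:
        ip = parse_ipv4(payload)
        ports = f" {ip['sport']}->{ip['dport']}" if "sport" in ip else ""
        return f"IPv4 {ip['src']} -> {ip['dst']} proto={ip['proto']}{ports}"
    return f"ethertype 0x{ethertype:04x} {src} -> {dst}"


def sniff(ifname, handler=print):
    """Linux only, needs CAP_NET_RAW: put ifname into promiscuous mode and
    hand every frame that reaches the NIC to handler, not only frames for us."""
    s = socket.socket(socket.AF_PACKET, socket.SOCK_RAW, socket.htons(ETH_P_ALL))
    s.bind((ifname, 0))
    # struct packet_mreq { int mr_ifindex; unsigned short mr_type;
    #                      unsigned short mr_alen; unsigned char mr_address[8]; }
    mreq = struct.pack("iHH8s", socket.if_nametoindex(ifname), PACKET_MR_PROMISC, 0, b"\x00" * 8)
    s.setsockopt(SOL_PACKET, PACKET_ADD_MEMBERSHIP, mreq)
    while True:
        frame, _ = s.recvfrom(65535)
        handler(describe(frame))


# Constructed sample frames for the example; they are not captured traffic.
_MY_MAC = bytes.fromhex("0a0b0c0d0e0f")
_PEER_MAC = bytes.fromhex("111213141516")
SAMPLE_ARP = (b"\xff" * 6 + _MY_MAC + struct.pack("!H", ETH_P_ARP)
              + struct.pack("!HHBBH", 1, ETH_P_IP, 6, 4, 1)
              + _MY_MAC + socket.inet_aton("192.0.2.10")
              + b"\x00" * 6 + socket.inet_aton("192.0.2.1"))
SAMPLE_UDP = (_PEER_MAC + _MY_MAC + struct.pack("!H", ETH_P_IP)
              + struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, 17, 0,
                            socket.inet_aton("192.0.2.10"), socket.inet_aton("192.0.2.20"))
              + struct.pack("!HHHH", 5000, 53, 8, 0))

if __name__ == "__main__":
    print(describe(SAMPLE_ARP))
    print(describe(SAMPLE_UDP))
    if len(sys.argv) > 1:
        sniff(sys.argv[1])      # e.g. python3 sniff.py wlan0 (as root)
```

Run it with no arguments to see the two sample frames decoded; pass an interface name (as root) to capture live. Wireshark does the same join on the socket, which is why it needs elevated privileges or a capture helper.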
For reasons I can't go into, our system uses a very small MTU (128 bytes). These embedded devices are on a completely separate network so no internet access or interaction with other devices.
Obviously, TCP takes up 66 bytes per packet, leaving not very much for payload.
After some googling, I came across IPComp, which looks like it may help in reducing the amount of traffic on the network.
My question is, how can I enable this? Is there a setsockopt, or do I need a special driver?
The only example I've seen is:
socket(PF_INET, SOCK_RAW, IPPROTO_COMP)
but this means I need to create the IP/TCP/payload manually.
Anyone have experience with this?
EDIT: Perhaps a better method would be to enable cslip or ppp on this connection. I can find tutorials on enabling PPP on a serial port (for dial-up modem), but nothing on enabling PPP on ethernet.
I've seen articles on PPPoE, but this seems to add MORE to the payload rather than reducing it.
Can anyone help with this?
I've played around with IP xfrm in the past but I've never tried the comp option. If you want all outgoing traffic compressed, something like this would work.
ip xfrm policy add dev eth0 dir out tmpl proto comp
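As an added illustration (not part of the answer above, and not the kernel's xfrm code) of what IPComp does per packet once the policy is in place, following RFC 3173: the compressor runs over the IP payload only (the IP header itself is never compressed), and a packet is sent compressed only when the DEFLATE output plus the 4-byte IPComp header is smaller than the original payload; otherwise it goes out unchanged. With a 128-byte MTU and the 66-byte overhead from the question, the payload budget is 62 bytes, which is small enough that incompressible data gains nothing, so it is worth measuring real payloads before relying on it. The sample payloads and the threshold parameter are constructed for the example.

```python
"""IPComp (RFC 3173) per-packet compression decision, illustrated with raw DEFLATE (added example)."""
import hashlib
import struct
import zlib

IPCOMP_HDR_LEN = 4     # next header (1), flags (1), CPI (2)
CPI_DEFLATE = 2        # well-known CPI for DEFLATE, RFC 3173 section 3.3
IPPROTO_COMP = 108     # protocol number carried in the outer IP header
TCP_IP_OVERHEAD = 66   # figure from the question: Ethernet + IPv4 + TCP headers


def deflate_raw(data):
    """Raw DEFLATE without the zlib wrapper, as RFC 2394 specifies for IPComp."""
    c = zlib.compressobj(level=9, wbits=-15)
    return c.compress(data) + c.flush()


def inflate_raw(data):
    return zlib.decompress(data, wbits=-15)


def ipcomp_encapsulate(next_header, payload, threshold=None):
    """Return (compressed, ip_payload).

    RFC 3173 section 2.2: if compression does not make the datagram smaller,
    it is sent unchanged with no IPComp header. `threshold` is an optional
    lower bound (an implementation choice the RFC allows) below which we do
    not even try, since tiny payloads rarely compress.
    """
    if threshold is not None and len(payload) < threshold:
        return False, payload
    body = deflate_raw(payload)
    if IPCOMP_HDR_LEN + len(body) >= len(payload):
        return False, payload
    hdr = struct.pack("!BBH", next_header, 0, CPI_DEFLATE)
    return True, hdr + body


def ipcomp_decapsulate(ip_payload):
    """Inverse of ipcomp_encapsulate for a datagram whose protocol is IPPROTO_COMP."""
    next_header, _flags, cpi = struct.unpack("!BBH", ip_payload[:IPCOMP_HDR_LEN])
    if cpi != CPI_DEFLATE:
        raise ValueError(f"unsupported CPI {cpi}")
    return next_header, inflate_raw(ip_payload[IPCOMP_HDR_LEN:])


def payload_budget(mtu=128, overhead=TCP_IP_OVERHEAD):
    """Bytes left for application data per packet before any compression."""
    return mtu - overhead


# Constructed sample payloads: repetitive sensor text vs. hash output that
# looks random and will not compress.
TEXT_PAYLOAD = b"temperature=21.5;humidity=40;" * 2            # 58 bytes
RANDOM_LIKE_PAYLOAD = (hashlib.sha256(b"constructed-1").digest()
                       + hashlib.sha256(b"constructed-2").digest()[:30])   # 62 bytes

if __name__ == "__main__":
    print("payload budget per packet:", payload_budget())
    for name, p in (("text", TEXT_PAYLOAD), ("random-like", RANDOM_LIKE_PAYLOAD)):
        compressed, out = ipcomp_encapsulate(6, p)   # 6 = TCP as the inner protocol
        print(f"{name}: {len(p)} -> {len(out)} bytes, compressed={compressed}")
```

The decision rule is the reason IPComp cannot make things worse on the wire; the flip side is that for payloads like the hash output it does nothing at all, so the per-packet saving depends entirely on what your embedded devices actually send.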
I am dealing with an application that is protected by a firewall and only allows access from certain IP addresses (which are application webservers).
It's a bit delicate, and it would be much hassle to introduce another authentication/protection layer.
My understanding of networking is not great because it's not my subject, but in my head I made up the following scenario:
Someone knows the IP-Address of one of our application servers and wants to fake it to get access to the other application which he knows the listening socket and protocol of.
So he alters the header of his IP packets to have the webserver IP as the sender.
What happens next?
A: His ISP rejects the packet and says "Hey, that is not the IP address you were assigned by me." - Problem solved
B: The ISP passes the packet on to the next level (his up-link...)
Lets assume the ISP has been compromised or the packet is passed on without inspection (I don't know whether that's the case)
What happens next?
A: The carrier rejects the packet and says "Hey, that IP is not in the range of IPs we agreed you are operating on!" - Now if my webserver isn't operated by the same ISP that my attacker compromised - Problem solved
B: The ISP doesn't inspect the packet or is compromised and forwards it to his up-link.
Now I am quite sure that IP addresses ARE inspected and filtered when passing a router. Otherwise it would be total anarchy.
So to put this straight: an attacker who wants to fake my IP address needs to compromise the VERY same ISP that is in charge of the IP range my webserver operates in - or this ISP does not do packet inspection.
Is this correct?
Okay now I imagine my server is located in an office and its ISP is a regional cable company.
What would be the steps necessary to send packets from my IP address to another internet IP?
(Of course I am only asking to get aware of the risks and choose proper protection!)
I imagine locating the routing station, which is often in some small container at the side of the street that is only protected by a lock. Going in there. Swapping cables or plugging yourself in.
Will this most likely work if you know what you are doing, or is there some encrypted handshake with keys stored on the real office's modem that is required to build an authenticated connection?
I am talking about today's standards in cable internet.
Last thought: So if my origin server is not some household ISP that has its stations vulnerable on the street i should be pretty safe, right?
I remember that NFS servers rely on IP authentication ONLY by default. Because this is pretty common, are there any examples where NFS servers got hacked by faking IP addresses?
I realise that this question is put very, very vaguely. This is because I am not sure about anything I am saying here. I just wanted to give some input on where I think the caveats could be, so they can be confirmed or eliminated.
Overall I am grateful for any comment and your personal thoughts about that subject!
Now I am quite sure that IP addresses ARE inspected and filtered when passing a router.
This assumption is incorrect, despite your level of sureness. "Egress filtering", which is the name of this, is generally not done.
The major protection against widespread spoofing of IP addresses is that the attacker would not receive any response packets - they would all be routed back to the host that is legitimately using the IP address being spoofed. This kind of attack is known as "blind spoofing", because the attacker is working blind.
In order to send data on a TCP connection, you must be able to finish the TCP "three-way handshake". This requires knowing the initial sequence number used by the opposite end - and since TCP initial sequence numbers are chosen reasonably randomly [1], this prevents a blind spoofing attack from being able to do this. (Note also that this does not apply to UDP - without some kind of application-layer preventative, UDP is at significant risk from blind spoofing.)
If the attacker can see the replies coming back (say, because he is sniffing the uplink or the local network of your server), then this also doesn't apply - spoofing TCP connections in this case is not just possible but trivial.
[1] These days, anyway - this wasn't always the case.
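Two added examples of the points in this answer, written for it and not taken from the thread: first, building an IPv4 header with an arbitrary source address (nothing in the packet format authenticates the source; only the raw-socket privilege stands in the way, and the reply is routed to the address you wrote in, not to you), and second, a toy TCP handshake model showing why a blind spoofer fails against random ISNs but succeeds against a predictable ISN generator, or whenever they can sniff the SYN-ACK. The TcpServer class, the addresses and the port numbers are constructed for the example; send_spoofed_udp() needs CAP_NET_RAW and is only there to show the one privilege check involved.

```python
"""Spoofed IPv4 source addresses and why TCP ISNs make blind spoofing hard (added example)."""
import secrets
import socket
import struct


def ipv4_checksum(header):
    """RFC 1071 one's-complement sum over the header (checksum field zeroed or included)."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src, dst, proto, payload_len, ttl=64):
    """Minimal 20-byte IPv4 header. The source address is just bytes 12..15;
    any raw-socket sender can write whatever it likes there."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def header_is_valid(hdr):
    """A receiver's check: the sum over a correct header folds to zero."""
    return ipv4_checksum(hdr[:20]) == 0


def send_spoofed_udp(src, dst, dport, data, sport=4444):
    """Needs CAP_NET_RAW. Any reply goes to `src`, not back to this host."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data
    pkt = build_ipv4_header(src, dst, 17, len(udp)) + udp
    s = socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_RAW)  # IP_HDRINCL implied
    s.sendto(pkt, (dst, 0))


class TcpServer:
    """Toy three-way-handshake state machine for one listening port (constructed for the example)."""

    def __init__(self, isn_source=lambda: secrets.randbits(32)):
        self.isn_source = isn_source
        self.half_open = {}       # (client_ip, client_port) -> server ISN
        self.established = set()

    def on_syn(self, client, client_isn):
        isn = self.isn_source()
        self.half_open[client] = isn
        # The SYN-ACK is routed to the IP in the SYN's source field, whoever really owns it.
        return {"to": client[0], "seq": isn, "ack": (client_isn + 1) & 0xFFFFFFFF}

    def on_ack(self, client, ack):
        isn = self.half_open.get(client)
        if isn is None or ack != ((isn + 1) & 0xFFFFFFFF):
            return False
        del self.half_open[client]
        self.established.add(client)
        return True


def blind_spoof_attempt(server, spoofed_ip, attacker_can_sniff, isn_guess=None):
    """Attacker sends a SYN as spoofed_ip, then must ACK the server's ISN + 1.
    Returns True if the connection ends up established."""
    client = (spoofed_ip, 40000)
    synack = server.on_syn(client, client_isn=1000)
    if attacker_can_sniff:
        ack = (synack["seq"] + 1) & 0xFFFFFFFF      # read straight off the wire
    elif isn_guess is not None:
        ack = (isn_guess + 1) & 0xFFFFFFFF           # SYN-ACK went to the real owner; guess
    else:
        ack = 0
    return server.on_ack(client, ack)


if __name__ == "__main__":
    hdr = build_ipv4_header("203.0.113.5", "198.51.100.7", 17, 8)
    print("spoofed header valid:", header_is_valid(hdr), "src bytes:", hdr[12:16].hex())
    print("random ISN, blind  :", blind_spoof_attempt(TcpServer(), "203.0.113.5", False, 12345))
    print("random ISN, sniffing:", blind_spoof_attempt(TcpServer(), "203.0.113.5", True))
    print("fixed ISN, blind    :", blind_spoof_attempt(TcpServer(lambda: 0xDEADBEEF),
                                                        "203.0.113.5", False, 0xDEADBEEF))
```

The fixed-ISN server stands in for the pre-randomization stacks the footnote refers to; against it a blind attacker who has learned the pattern completes the handshake without ever seeing a reply. With 32 random bits the guess succeeds once in 2^32 attempts, which is why the firewall's IP allow-list still holds up against an off-path attacker for TCP but not for UDP.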
Inside a LAN it depends on how your routers/switches/hubs are configured. But I think spoofing should be possible quite often.
I don't think the IP address is inspected. Thus you can send UDP packets with forged sender IP. But you won't receive the answer since the server will send it to the real owner of that IP.
This means you can't simply fake an IP in TCP since establishing the connection needs a handshake.
You can forge the IP of somebody if the response will go through your router. So a network admin can fake all IPs inside his LAN, an ISP all IPs inside his net, and a carrier can fake IPs on many international connections, provided they get routed through him.
Finally there is the possibility of abusing BGP to modify the routes for that IP to go through your computer. But not everybody has access to BGP, you probably need to become an ISP to get it. And then the manipulation will probably be detected because BGP route changes are monitored.