Showing posts with label COMMANDS.

Thursday, December 28, 2023

Mastering Packet Analysis with Tcpdump

Tcpdump is a command-line packet analyzer used for network troubleshooting and analysis. It puts an interface into promiscuous mode and prints, or writes to disk, the packets sent and received on it, optionally narrowed down with a BPF filter expression. Because it opens a raw socket it has to run as root (or with the CAP_NET_RAW capability). In this guide we'll cover capturing packets, filtering traffic, and inspecting packet content.

1. Display Available Interfaces:

To see a list of available network interfaces on your system:

tcpdump -D

2. Capture Packets from a Specific Interface:

To start capturing packets from a specific interface (e.g., venet0):

tcpdump -i venet0

3. Capture Only N Number of Packets:

To limit the capture to a specific number of packets (e.g., 2 packets):

tcpdump -c 2 -i venet0

4. Print Captured Packets in ASCII:

To print each packet's payload in ASCII (without the link-layer header), which is useful for plaintext protocols such as HTTP:

tcpdump -c 2 -A -i venet0

5. Display Captured Packets in HEX and ASCII:

To print the packet's contents in both hex and ASCII, including the link-layer (Ethernet) header (-X does the same without the link-layer header):

tcpdump -c 2 -XX -i venet0

Advanced Packet Capturing

6. Capture and Save Packets in a File:

To capture packets and save them to a file for later analysis:

tcpdump -w capture.pcap -i venet0 -c 2

7. Read Captured Packets from a File:

To read packets from a previously saved file:

tcpdump -r capture.pcap

8. Capture Packets from a Specific IP Address:

To capture packets sent by a particular IP address (src matches the source only; use host instead of src to match packets in either direction). The -n flag stops tcpdump from resolving addresses to names, which is worth keeping on by default so the capture does not generate its own DNS traffic:

tcpdump -n -i venet0 -c 2 src 117.229.105.142

9. Capture Only TCP Packets:

To capture only TCP packets. Note that the filter expression belongs after the options; glibc's getopt happens to accept it before them, but that ordering is not portable:

tcpdump -n -i venet0 -c 2 tcp

10. Capture Packets from a Specific Port:

To capture packets to or from a particular port (e.g., SSH on port 22; port matches either the source or the destination port, use dst port or src port to pick one side):

tcpdump -i venet0 -c 2 port 22

Filtering and Analyzing Traffic

11. Capture Packets with a Readable Timestamp:

To print a full date and time (e.g. 2023-12-28 10:15:02.123456) instead of the default time-of-day timestamp:

tcpdump -i venet0 -c 2 -tttt

12. Read Packets Longer than N Bytes:

To capture only packets of at least a certain size (e.g., 10 bytes; tcpdump's greater keyword means "length greater than or equal to", so greater 10 includes 10-byte packets):

tcpdump -i venet0 -c 2 greater 10

13. Filter Packets – Exclude ARP and RARP:

To capture all packets other than ARP and RARP:

tcpdump -i venet0 -c 2 not arp and not rarp
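The filters in sections 6 to 13 can be exercised offline. The script below is an added example, not part of the original post: it writes a small constructed capture in the classic pcap format that tcpdump -w produces, reads it back the way tcpdump -r would, and re-implements src, host, tcp, port, greater and not arp as Python predicates so you can see exactly which packets each expression matches. Every address, port and timestamp in it is made up, and it never opens a network interface.

```python
import socket
import struct

ETH_IPV4, ETH_ARP = 0x0800, 0x0806
DLT_EN10MB = 1

def ipv4_tcp_frame(src, dst, sport, dport, flags, payload=b""):
    """Ethernet/IPv4/TCP frame with zeroed checksums (never put on a wire)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 0, 0,
                     64, 6, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return b"\x02" * 6 + b"\x04" * 6 + struct.pack("!H", ETH_IPV4) + ip + tcp + payload

def arp_frame():
    """Minimal ARP frame; only the EtherType matters for the 'not arp' filter."""
    return b"\xff" * 6 + b"\x04" * 6 + struct.pack("!H", ETH_ARP) + b"\x00" * 28

def build_pcap(frames):
    """Serialize frames as a classic little-endian pcap, the format tcpdump -w writes."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, DLT_EN10MB)
    for i, frame in enumerate(frames):  # constructed timestamps, one second apart
        out += struct.pack("<IIII", 1703721600 + i, 0, len(frame), len(frame)) + frame
    return out

def read_pcap(data):
    """Decode Ethernet/IPv4/TCP headers from a pcap, roughly what tcpdump -r does."""
    magic = struct.unpack_from("<I", data, 0)[0]
    if magic == 0xA1B2C3D4:
        order = "<"
    elif magic == 0xD4C3B2A1:
        order = ">"
    else:
        raise ValueError("not a classic pcap (pcapng is not handled here)")
    if struct.unpack_from(order + "IHHiIII", data, 0)[6] != DLT_EN10MB:
        raise ValueError("only the Ethernet link type is handled")
    off, pkts = 24, []
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl, orig = struct.unpack_from(order + "IIII", data, off)
        frame = data[off + 16:off + 16 + incl]
        off += 16 + incl
        p = {"ts": ts_sec + ts_usec / 1e6, "len": orig,
             "ethertype": struct.unpack_from("!H", frame, 12)[0], "proto": None}
        if p["ethertype"] == ETH_IPV4:
            ihl = (frame[14] & 0x0F) * 4            # IP header length in bytes
            p["proto"] = frame[23]
            p["src"] = socket.inet_ntoa(frame[26:30])
            p["dst"] = socket.inet_ntoa(frame[30:34])
            if p["proto"] == 6:                      # TCP: ports and the flag byte
                l4 = 14 + ihl
                p["sport"], p["dport"] = struct.unpack_from("!HH", frame, l4)
                p["flags"] = frame[l4 + 13]
        pkts.append(p)
    return pkts

# Predicates mirroring the tcpdump filter expressions used in the post.
def src_host(ip):
    return lambda p: p.get("src") == ip

def host(ip):                                        # either direction
    return lambda p: ip in (p.get("src"), p.get("dst"))

def tcp(p):
    return p["proto"] == 6

def port(n):                                         # source or destination port
    return lambda p: n in (p.get("sport"), p.get("dport"))

def greater(n):                                      # tcpdump's 'greater' is >=, not >
    return lambda p: p["len"] >= n

def not_arp(p):
    return p["ethertype"] != ETH_ARP

def select(pkts, *filters):
    """AND the predicates together, like 'tcp and port 22 and src host X'."""
    return [p for p in pkts if all(f(p) for f in filters)]

# Constructed sample capture: the start of an SSH handshake, one HTTP request, one ARP frame.
SAMPLE_PCAP = build_pcap([
    ipv4_tcp_frame("117.229.105.142", "10.0.0.5", 51000, 22, 0x02),   # SYN
    ipv4_tcp_frame("10.0.0.5", "117.229.105.142", 22, 51000, 0x12),   # SYN/ACK
    ipv4_tcp_frame("10.0.0.7", "10.0.0.5", 40000, 80, 0x18, b"GET / HTTP/1.1\r\n"),
    arp_frame(),
])

if __name__ == "__main__":
    pkts = read_pcap(SAMPLE_PCAP)
    for p in select(pkts, tcp, port(22)):
        print(f"{p['ts']:.6f} {p['src']}.{p['sport']} > {p['dst']}.{p['dport']} "
              f"flags=0x{p['flags']:02x}")
```

Swap SAMPLE_PCAP for the bytes of a real capture.pcap written with -w and the same predicates apply; the parser deliberately stops at IPv4/TCP, so anything else shows up with proto set to None or a non-6 value and simply fails the tcp filter, which is the behaviour you want from a narrowing filter rather than a crash.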

Conclusion

Tcpdump is an incredibly versatile tool that can be used for a wide range of network analysis tasks. By understanding how to use its various options and filters, you can diagnose network issues, monitor traffic in real-time, and perform in-depth protocol analysis. Remember, while tcpdump can capture sensitive data, it should be used responsibly and ethically. Happy analyzing!

Thursday, December 21, 2023

Navigating Server Security: A Comprehensive Guide to Mitigating DDoS Attacks

Distributed Denial of Service (DDoS) attacks can cripple your server, disrupting operations and services. Understanding how to detect and mitigate these attacks is crucial for maintaining uptime and security. This blog provides a structured approach to identifying, combating, and preventing DDoS attacks.

Confirming a Potential Attack

Understanding Connection States: Use the netstat command to tally the TCP connections on the box by state (on distributions that ship iproute2 without net-tools, ss -tan shows the same states in its first column):

netstat -an|awk '/tcp/ {print $6}'|sort|uniq -c

This command lists how many connections are in each state:

  1. ESTABLISHED: fully open connections, i.e. normal traffic.
  2. SYN_SENT: outbound connection attempts from this host. A high count here means the server itself is connecting out (a compromised host or a misbehaving application), not that it is being flooded.
  3. SYN_RECV: inbound half-open connections whose handshake has not completed. This is the signature of a SYN flood.
  4. FIN_WAIT: sockets this side has closed and is waiting for the peer to finish closing.
  5. TIME_WAIT: fully closed sockets held briefly so late packets are not mistaken for a new connection. A few thousand of these is normal on a busy web server.
  6. LISTEN: sockets waiting for incoming connections.
  7. LAST_ACK: waiting for the final acknowledgment after the remote side shut down.

Compare the counts against the server's normal baseline rather than against zero: a sudden jump in SYN_RECV, or FIN_WAIT and TIME_WAIT counts out of all proportion to ESTABLISHED, points to an attack. A large TIME_WAIT count on its own usually just reflects high legitimate turnover.

Initial Defensive Tweaks

Adjusting System Configuration: Add the following to /etc/sysctl.conf to shrink the per-connection state an attacker can tie up:

# Enable TCP SYN cookies so half-open connections cannot exhaust the listen backlog
net.ipv4.tcp_syncookies = 1
# Shorten how long a closed socket lingers in FIN_WAIT_2 (kernel default is 60 s)
net.ipv4.tcp_fin_timeout = 3
# Disable TCP window scaling and selective acknowledgement
net.ipv4.tcp_window_scaling = 0
net.ipv4.tcp_sack = 0

Apply the changes with sysctl -p. SYN cookies are the setting that actually blunts a SYN flood; the other three trade throughput (especially on high-latency links) for less state per connection, so test them under normal load before leaving them in place permanently.

Identifying the Attack Vector

Determining the Source: If the attack comes from a single or few IPs, block them using the firewall. If the attack is distributed, deeper investigation is necessary.

Pinpointing the Targeted Port: When SYN_RECV connections are high, identify the targeted local port with the pipeline below (the cut assumes IPv4 local addresses; IPv6 entries contain extra colons and need the last field instead):

netstat -lpan | grep SYN_RECV | awk '{print $4}' | cut -d: -f2 | sort | uniq -c | sort -nk 1

Use tcpdump to further analyze traffic to a specific port:

tcpdump -nn -tttt -i any port 80
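The two netstat pipelines above are quick to type but awkward to reason about once the output runs to thousands of lines. The Python below is an added example, not the post's own tooling: it parses constructed netstat -an style output (not taken from any real host), produces the same state tally and per-port SYN_RECV count as the pipelines, and then applies the post's heuristic, a pile of SYN_RECV entries concentrated on one port, together with the question the next section raises, whether those connections come from one address or from many. The threshold values are assumptions to be tuned against the host's baseline.

```python
from collections import Counter

def _sample_netstat():
    """Constructed `netstat -an` output: a few normal sockets plus a burst of
    half-open connections to :80, each from a different source, i.e. what a
    distributed SYN flood looks like. Addresses are documentation ranges."""
    rows = [
        "Proto Recv-Q Send-Q Local Address           Foreign Address         State",
        "tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN",
        "tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN",
        "tcp        0      0 10.0.0.5:22             203.0.113.9:51000       ESTABLISHED",
        "tcp        0      0 10.0.0.5:80             203.0.113.10:40001      TIME_WAIT",
        "tcp6       0      0 :::443                  :::*                    LISTEN",
        "tcp6       0      0 2001:db8::5:443         2001:db8:1::9:52000     SYN_RECV",
        "udp        0      0 0.0.0.0:123             0.0.0.0:*",
    ]
    for i in range(30):  # 30 half-open connections to :80 from 30 different hosts
        rows.append(f"tcp        0      0 10.0.0.5:80             198.51.100.{i + 1}:4{i:04d}   SYN_RECV")
    return "\n".join(rows) + "\n"

SAMPLE_NETSTAT = _sample_netstat()

def parse_netstat(text):
    """Return (proto, local, foreign, state) for the TCP rows of `netstat -an` output."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 6 or not fields[0].startswith("tcp"):
            continue  # header, UDP and unix-socket rows carry no TCP state
        rows.append((fields[0], fields[3], fields[4], fields[5]))
    return rows

def split_port(addr):
    """Split 'address:port' on the last colon, so IPv6 entries work too
    (the `cut -d: -f2` in the shell pipeline only handles IPv4)."""
    return addr.rsplit(":", 1)

def count_states(rows):
    """Same tally as: netstat -an | awk '/tcp/ {print $6}' | sort | uniq -c"""
    return Counter(state for _, _, _, state in rows)

def targeted_ports(rows, state="SYN_RECV"):
    """Same as: netstat -lpan | grep SYN_RECV | awk '{print $4}' | cut -d: -f2 | sort | uniq -c"""
    return Counter(split_port(local)[1] for _, local, _, s in rows if s == state)

def foreign_hosts(rows, state="SYN_RECV"):
    """Remote addresses in a given state; separates a single-source attack from a distributed one."""
    return Counter(split_port(foreign)[0] for _, _, foreign, s in rows if s == state)

def assess(rows, syn_recv_limit=20, single_source_share=0.5):
    """Apply the post's heuristic: many SYN_RECV entries = probable SYN flood.
    syn_recv_limit and single_source_share are illustrative assumptions."""
    states = count_states(rows)
    syn_recv = states.get("SYN_RECV", 0)
    if syn_recv < syn_recv_limit:
        return {"flood": False, "syn_recv": syn_recv}
    port, _ = targeted_ports(rows).most_common(1)[0]
    hosts = foreign_hosts(rows)
    top_host, top_hits = hosts.most_common(1)[0]
    return {
        "flood": True,
        "syn_recv": syn_recv,
        "port": port,
        "sources": len(hosts),
        "top_source": top_host,
        # one address dominating the half-open connections -> block it at the firewall;
        # otherwise the attack is distributed and needs the deeper investigation below
        "distributed": top_hits / syn_recv < single_source_share,
    }

if __name__ == "__main__":
    rows = parse_netstat(SAMPLE_NETSTAT)
    print(count_states(rows))
    print(targeted_ports(rows).most_common(3))
    print(assess(rows))
```

To run it against a live box, replace SAMPLE_NETSTAT with the output of subprocess.run(["netstat", "-an"], capture_output=True, text=True).stdout and keep the same functions; the verdict's distributed flag is what decides between the single-IP firewall block and the port-level work described in the following sections.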

Mitigating the Attack

Adjusting Apache Settings: If the attack targets a web service, raise the worker limit and shorten keep-alive so idle connections are released quickly:

MaxClients 500
KeepAlive On
KeepAliveTimeout 3

Then restart the service:

/etc/init.d/httpd restart

On Apache 2.4 the directive is named MaxRequestWorkers (the old MaxClients name is still accepted). Each prefork worker costs real memory, so size the value to the RAM on the box; a limit the server cannot actually afford turns a flood into a swap storm.

Isolating the Affected Domain/IP: Use netstat to determine if a specific IP is targeted. Check Apache logs or use the top command to identify if a particular domain is under attack.

Advanced Defense Strategies

Employing ModSecurity and Firewall Rules:

  1. Disable ModSecurity's automatic IP blocking.
  2. Add specific rules to block malicious traffic to targeted domains.
  3. Use iptables to block access to the domain on port 80:

iptables -I INPUT -p tcp --dport 80 -m string --string "domain.com" --algo bm -j DROP

This rule is a blunt instrument: the string match inspects raw packet payload, so it only sees plaintext HTTP (not HTTPS on 443), and it drops every packet carrying the domain name, legitimate requests included. It effectively takes that domain offline on port 80 to keep the rest of the server reachable.

Implementing Bandwidth Throttling: Limit connections to the targeted domain to reduce the load.

Nullrouting as a Last Resort: If the situation doesn't improve, drop all traffic addressed to the affected IP:

iptables -I INPUT -d XX.XX.XX.XX -j DROP

Note that this rule only stops the host from processing the packets; they still arrive on the link. A true null route (blackholing the address at the router or asking the upstream provider to do so) is what frees the bandwidth.

For dedicated IPs, remove them from /etc/ips and restart ipaliases. For shared IPs, consider reducing the DNS TTL and reassigning the affected domains to another address.

Preventative Measures

Fortifying the Server with iptables: Add rules that drop TCP segments with flag combinations no legitimate stack sends:

# SYN and FIN set together
iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
# SYN and RST set together
iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
# FIN and RST set together
iptables -A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
# FIN without ACK
iptables -A INPUT -p tcp --tcp-flags ACK,FIN FIN -j DROP

These rules stop malformed-flag probes of the kind port scanners send; they do nothing against a flood of well-formed SYNs, which is why the SYN cookie setting above still matters.

Conclusion: DDoS attacks are a formidable threat, but with the right knowledge and tools, you can protect your server and ensure it remains secure and operational. Regularly update your configurations, monitor your traffic, and stay informed about new attack methods to maintain robust security.