SYN flooding involves flooding a victim with SYN messages (the first step of the TCP three-way handshake) but never actually completing the handshake, leaving the victim holding half-open connections. Further to this, the source address is usually spoofed.
There are numerous methods to help you identify if you are undergoing this style of attack:
If you are running Linux you can use the netstat tool to view the relevant connection states:
netstat -tuna | grep :<port> | grep SYN_RECV
For example, if you were being attacked on port 80 we would issue:
netstat -tuna | grep :80 | grep SYN_RECV
Or maybe even more...
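As an added example (not code from the original post), the same check as a small shell script: it reads netstat -tuna output from stdin, counts SYN_RECV sockets on a given local port and breaks them down by remote address, so a pile of half-open connections from a few (spoofed) sources stands out. The netstat lines are constructed sample output and the threshold is an assumed value.

```shell
#!/bin/sh
# Added example, not code from the original post.
# Reads `netstat -tuna` output on stdin and reports half-open (SYN_RECV)
# connections per local port. The sample below is constructed, not real output.

NETSTAT_SAMPLE='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 10.0.0.5:80             198.51.100.7:40100      SYN_RECV
tcp        0      0 10.0.0.5:80             198.51.100.8:40101      SYN_RECV
tcp        0      0 10.0.0.5:80             198.51.100.9:40102      SYN_RECV
tcp        0      0 10.0.0.5:80             203.0.113.20:51000      ESTABLISHED
tcp        0      0 10.0.0.5:22             203.0.113.21:52000      SYN_RECV
tcp        0      0 10.0.0.5:443            203.0.113.22:53000      ESTABLISHED
udp        0      0 0.0.0.0:123             0.0.0.0:*'

# syn_recv_count PORT: number of SYN_RECV sockets whose local port is PORT.
# Same selection as `grep :PORT | grep SYN_RECV`, but anchored on the local
# address column so a remote port that happens to equal PORT is not counted.
syn_recv_count() {
    awk -v port="$1" '$6 == "SYN_RECV" && $4 ~ (":" port "$") { n++ } END { print n + 0 }'
}

# syn_recv_sources PORT: distinct remote IPv4 addresses in SYN_RECV on PORT.
syn_recv_sources() {
    awk -v port="$1" '$6 == "SYN_RECV" && $4 ~ (":" port "$") {
        sub(/:[0-9]+$/, "", $5)     # strip the remote port (IPv4 form assumed)
        print $5
    }' | sort -u
}

# syn_flood_check PORT THRESHOLD: prints a verdict; exit status 1 when the
# number of half-open connections reaches THRESHOLD (assumed value, tune per host).
syn_flood_check() {
    input=$(cat)
    count=$(printf '%s\n' "$input" | syn_recv_count "$1")
    sources=$(printf '%s\n' "$input" | syn_recv_sources "$1" | wc -l | tr -d ' ')
    if [ "$count" -ge "$2" ]; then
        echo "FLOOD? $count half-open connections on port $1 from $sources source(s)"
        return 1
    fi
    echo "OK: $count half-open connections on port $1 from $sources source(s)"
    return 0
}

# Demo against the constructed sample; on a live host pipe `netstat -tuna` instead.
printf '%s\n' "$NETSTAT_SAMPLE" | syn_flood_check 80 3 || true
printf '%s\n' "$NETSTAT_SAMPLE" | syn_flood_check 22 3 || true
```

On a live box run something like netstat -tuna | syn_flood_check 80 200 (on newer distributions where netstat is gone, ss -tan state syn-recv lists the same sockets). A large count from many distinct sources with few completed handshakes is the classic signature; the count alone is not proof, since a busy server behind a slow link shows some SYN_RECV legitimately. Enabling net.ipv4.tcp_syncookies is the usual first mitigation on the host.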
Thursday, 25 August 2016
TCP: RTT (Round Trip Times) and RTO (Retransmission Timeouts)

An RTT (Round Trip Time) in TCP terms simply defines how long it takes for a client's request to be answered, for example the time between a sender sending a SYN and receiving the SYN/ACK back from the receiver.
Quite often people will refer to an 'initial RTT', which is simply the time involved in establishing the three-way handshake between the two nodes (SYN, SYN/ACK, ACK).
Although it is generally not a good idea to capture packets on the client / server side for the...
Tuesday, 23 August 2016
Decrypting TLS traffic with Wireshark and ssldump
Before Perfect Forward Secrecy became the norm it was fairly easy to decrypt TLS traffic in a packet capture if you possessed the server's private key (this only works for the RSA key exchange, where the pre-master secret is encrypted to the server's public key):
This was done by simply exporting the private key (ensuring it is password protected and handled as the secret it is!) and then importing it into Wireshark by going to:
Edit > Preferences > Protocols > SSL > RSA Keys list > Edit > New
and then filling in the relevant server details.
Nowadays, when PFS comes into the equation, it is slightly more complex - we must now possess the asymmetric...
Testing client certificate authentication with curl
A quick snippet useful for testing client certificate authentication against a server (note that -k skips verification of the server's certificate, so use it against test endpoints only):
curl -k https://test.domain.com --key ./client.key --cert ./client.crt -v
or alternatively you can also include the parent CA with:
curl -k https://test.domain.com --key ./client.key --cert ./client.crt --cacert cacert.pem...
Friday, 19 August 2016
Debugging with apache and nginx on RHEL / CentOS
nginx
To enable debug mode on nginx we will need to firstly verify that the '--with-debug' parameter was included at compile time. nginx -V prints to stderr, and grep would otherwise treat '--with-debug' as one of its own options, so to check issue:
nginx -V 2>&1 | grep -- "--with-debug"
If so, you can simply append 'debug' to the relevant error_log definition within your server block, e.g.
error_log /var/log/nginx/sites/example.com/error.log debug;
and reload nginx:
sudo systemctl reload nginx
apache
To enable debugging with apache you will need to find (or add) the 'LogLevel' directive to your httpd.conf file e.g.:
vi /etc/httpd/conf/httpd.conf
and...
nginx and the default server dilemma
Something to look out for when setting up nginx is that there are a fair few misleading configurations out there - for example when working with SNI (several names on one address and port), always ensure that you have explicitly defined a default server (the 'default_server' parameter on the listen directive) - otherwise the first server block listening on that address:port pair will silently take this role!
To make things even worse quite often you will see server blocks such as:
server{
listen 1.2.3.4:80;
server_name _;
...
}
or
server{
listen 1.2.3.4:80;
server_name localhost;
...
}
Neither of these...
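As an added example (not the post's own configuration), here is the explicit form: a catch-all block marked default_server that drops requests for names we do not serve, next to a normal named block. The address, names and certificate paths are assumed placeholders.

```nginx
# Added example, not the post's configuration. Address, names and paths are assumed.
server {
    # Explicit catch-all for this address:port pair. Requests whose Host / SNI
    # name matches no other server block land here, regardless of file order.
    listen 1.2.3.4:80 default_server;
    listen 1.2.3.4:443 ssl default_server;
    server_name _;

    # An ssl listener needs a certificate even for the catch-all; this is the
    # one presented to clients that ask for an unknown (or no) SNI name.
    ssl_certificate     /etc/nginx/ssl/catchall.crt;
    ssl_certificate_key /etc/nginx/ssl/catchall.key;

    return 444;   # nginx-specific: close the connection without a response
}

server {
    listen 1.2.3.4:80;
    listen 1.2.3.4:443 ssl;
    server_name example.com www.example.com;

    ssl_certificate     /etc/nginx/ssl/example.com.crt;
    ssl_certificate_key /etc/nginx/ssl/example.com.key;

    root /var/www/example.com;
}
```

Note that server_name _ on its own does nothing special: it is merely a name that never matches a real hostname, so without default_server that block is the default only if it happens to be listed first.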
Setup Mutual (2-way) SSL Authentication with apache / httpd

Client certificates can provide a great way of helping to secure a service that you are unable to lock down to a specific source (or whose sources are unpredictable).
For example, quite often VPNs and reverse proxies will rely on certificate authentication to provide access to users from the internet - while the service is publicly reachable (at least on a network level), a certificate issued by the trusted CA, together with its corresponding private key, is needed to access the service.
In this scenario we wish to have four main...
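To make the setup concrete, here is an added example of an httpd 2.4 virtual host that enforces client certificates. It is not the post's own configuration (which is cut off above); the hostname, certificate paths and organisation name are assumed placeholders.

```apache
# Added example, not the post's configuration. Names and paths are assumed.
<VirtualHost 1.2.3.4:443>
    ServerName vpn.example.com
    SSLEngine on
    SSLCertificateFile    /etc/pki/tls/certs/vpn.example.com.crt
    SSLCertificateKeyFile /etc/pki/tls/private/vpn.example.com.key

    # The CA that issued the client certificates. Only certificates chaining
    # to this CA are accepted - do not point this at a public CA bundle, or
    # anyone holding a certificate from one of those CAs can get in.
    SSLCACertificateFile  /etc/pki/tls/certs/client-ca.pem
    SSLVerifyClient       require
    SSLVerifyDepth        2

    # Revocation: without a CRL (or OCSP) a lost laptop's certificate stays
    # valid until it expires.
    SSLCARevocationFile   /etc/pki/tls/certs/client-ca.crl
    SSLCARevocationCheck  chain

    <Location "/">
        # Optionally pin a subject field so certificates from the same CA
        # that were issued for another service are still rejected.
        Require expr %{SSL_CLIENT_S_DN_O} == "Example Corp"
    </Location>
</VirtualHost>
```

The curl snippet from the previous post (--key / --cert / --cacert) is the quickest way to confirm that a request without a certificate is refused and one with a valid certificate succeeds.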
Setting up a reverse proxy on RHEL / CentOS 7
Install apache and the relevant SSL modules with:
yum update && yum install httpd mod_ssl
We should also ensure the 'mod_proxy' module is installed so that we can serve up our backend.
Typically you should not need to install the module as it comes bundled with the standard httpd package on RHEL - although to enable it we must make a few configuration changes to the httpd.conf file:
vi /etc/httpd/conf/httpd.conf
In some cases there might be an include statement to conf.modules.d - so we might need to edit the following file instead:
vi...
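As an added example (not the post's own configuration, which is cut off above), a minimal TLS-terminating reverse proxy virtual host for httpd 2.4; the backend address, hostname and paths are assumed placeholders.

```apache
# Added example, not the post's configuration. Backend address and names are assumed.
# On RHEL / CentOS 7 the stock package already ships LoadModule lines for these
# modules under /etc/httpd/conf.modules.d/, so check before adding them again.
LoadModule proxy_module      modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so

<VirtualHost 1.2.3.4:443>
    ServerName app.example.com
    SSLEngine on
    SSLCertificateFile    /etc/pki/tls/certs/app.example.com.crt
    SSLCertificateKeyFile /etc/pki/tls/private/app.example.com.key

    # Reverse proxy only. ProxyRequests On would turn this host into an open
    # forward proxy that anyone on the internet could relay through.
    ProxyRequests     Off
    ProxyPreserveHost On

    ProxyPass        "/" "http://10.0.0.10:8080/"
    ProxyPassReverse "/" "http://10.0.0.10:8080/"

    # Tell the backend the client spoke HTTPS (needs mod_headers, loaded by
    # default on RHEL).
    RequestHeader set X-Forwarded-Proto "https"
</VirtualHost>
```

Check the result with apachectl configtest before reloading; a missing mod_proxy_http is the usual cause of "Invalid command 'ProxyPass'" errors.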
Monday, 15 August 2016
Enable verbose AD login / authentication logging with Server 2003/2008/2012
I came across the following article when attempting to troubleshoot some locked-out accounts. Of course we can enable auditing of failed authentication attempts on the DC with group policy, although in some cases the source information can be missing. We can enable more detailed Netlogon logging by issuing the following command on the DC:
Nltest /DBFlag:2080FFFF
This will enable verbose login information logging - which will be written to:
%windir%\debug\netlogon.log
If this file does not appear shortly afterwards it may be necessary to restart the netlogon service:
net stop netlogon
net...
Tuesday, 9 August 2016
Identifying / analyzing network congestion with Wireshark

Wireshark can be an invaluable tool when troubleshooting network congestion (or network problems in general!) - below I have outlined several methods that can help narrow down the cause of congestion.
Protocol Breakdown
Quite often network congestion might be caused by a host flooding the network with packets (think broadcast storms, routing loops etc.) An easy way to get an overview of protocol use and potentially identify a protocol that is utilizing...
Friday, 5 August 2016
Wireshark: Capture Filters and Display Filters
Wireshark has two main filter types: capture filters, which are applied while capturing and decide which packets get recorded at all, and display filters, which are applied to packets already captured (whether from a live capture or a saved file) and provide much more granular control.
Display filters provide a way of extracting relevant information from a packet capture and can be applied in one of two ways:
- Either during a live capture - the interface still captures everything, but only the matching packets are shown.
- Or against a pre-existing (offline) capture.
Capture filters, by contrast, are defined on the actual interface, hence only the matching traffic is captured (anything filtered out at this stage is gone for good). They use the BPF (tcpdump) syntax.
Capture filters are comprised of identifiers and qualifiers:
- Identifiers...
Thursday, 4 August 2016
TCP Retransmission / TCP Dup ACK

TCP is considered a reliable protocol by design, since it keeps track of the data it transmits with sequence numbers and acknowledgements. Hence, when a network is congested / saturated, or a faulty component somewhere between the source and destination is causing packet loss, it is sometimes necessary to re-transmit a specific segment again.
TCP retransmission occurs when the sender sends a TCP segment (which has a specific sequence number associated...
Detecting duplicate IP's with Wireshark / Gratuitous ARP

The majority of mainline operating systems have some form of duplicate IP detection - whether it's Windows, Cisco IOS or Android, you are usually presented with some kind of user-friendly warning.
There are times, though, where you might be working with other devices (such as embedded ones) that do not alert you - so instead we must sniff the traffic between the switch and the device itself.
A gratuitous ARP request / reply...
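As an added example (not code from the original post), a shell script that does the same detection from the command line: it reads tcpdump -e -n arp style lines on stdin, records which MAC claims which IP (from ARP replies and from gratuitous requests, where sender and target IP are the same), and reports any IP claimed by more than one MAC. The ARP lines are constructed in that format, not a real capture.

```shell
#!/bin/sh
# Added example, not code from the original post.
# Reads `tcpdump -e -n arp` style lines on stdin and reports IPs that more
# than one MAC address has claimed (via ARP replies or gratuitous requests).
# The lines below are constructed in that format, not a real capture.

ARP_SAMPLE='12:00:01.000001 aa:bb:cc:00:00:01 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Request who-has 192.168.1.10 tell 192.168.1.10, length 46
12:00:01.100002 aa:bb:cc:00:00:01 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Reply 192.168.1.10 is-at aa:bb:cc:00:00:01, length 46
12:00:02.000003 aa:bb:cc:00:00:02 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Request who-has 192.168.1.10 tell 192.168.1.10, length 46
12:00:03.000004 aa:bb:cc:00:00:03 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Request who-has 192.168.1.20 tell 192.168.1.30, length 46
12:00:03.000005 aa:bb:cc:00:00:04 > aa:bb:cc:00:00:03, ethertype ARP (0x0806), length 42: Reply 192.168.1.20 is-at aa:bb:cc:00:00:04, length 28'

# arp_gratuitous: print "MAC IP" for every gratuitous request (sender == target).
arp_gratuitous() {
    awk '/ who-has / {
        for (i = 1; i <= NF; i++) {
            if ($i == "who-has") tgt = $(i + 1)
            if ($i == "tell")    snd = $(i + 1)
        }
        sub(/,$/, "", snd)
        if (tgt == snd) print $2, tgt      # $2 is the source MAC in -e output
    }'
}

# arp_dup_ips: print "IP: MAC MAC ..." for each IP claimed by more than one MAC.
arp_dup_ips() {
    awk '
    function claim(ip, mac) {
        if (!((ip, mac) in seen)) { seen[ip, mac] = 1; n[ip]++; macs[ip] = macs[ip] " " mac }
    }
    / is-at / {
        for (i = 1; i <= NF; i++) if ($i == "is-at") { ip = $(i - 1); mac = $(i + 1) }
        sub(/,$/, "", mac)
        claim(ip, mac)
    }
    / who-has / {
        for (i = 1; i <= NF; i++) {
            if ($i == "who-has") tgt = $(i + 1)
            if ($i == "tell")    snd = $(i + 1)
        }
        sub(/,$/, "", snd)
        if (tgt == snd) claim(tgt, $2)     # gratuitous: sender announces its own IP
    }
    END { for (ip in n) if (n[ip] > 1) print ip ":" macs[ip] }
    ' | sort
}

# Demo against the constructed sample. Live, over a fixed window:
#   timeout 60 tcpdump -e -n -l -i eth0 arp | arp_dup_ips
printf '%s\n' "$ARP_SAMPLE" | arp_dup_ips
```

The same "one IP, two MACs" pattern is exactly what an ARP-spoofing man-in-the-middle produces, so a hit here is worth treating as a security event and not only as a misconfiguration; legitimate causes include a NIC swap and VRRP/HSRP failover, which the timestamps usually make obvious.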
Tuesday, 2 August 2016
VLAN termination with Intel NICS on Windows 7/8/10/2008/2012

The vast majority of the time Intel NICs are supported out of the box on Windows operating systems - although the drivers bundled with Windows only expose a small subset of the functionality typically available with the NICs.
A good example of this is the ability to set up VLAN tagging on a subinterface - in order to provide support for this you must first install Intel PROSet (and the feature called 'Advanced Network Services'):
https://downloadcenter.intel.com/download/25016/Intel-Network-Adapter-Driver-for-Windows-10
When...