Sunday, July 6, 2014

Stimulus and Response - TCP

So there I was, after encountering some flow data with strange flags, I decided to do a post on stimulus and response. Little did I know, I was biting off a lot more than I would have liked to chew. Just as I was about to finish up, a colleague (thanks Abdul) mentioned that, since I'm currently looking at sending these packets to a Windows box to determine the response, I should also send them to a Linux box to get its response. So just when I thought I was about to finish, I basically had to restart.

Considering the above, I must say I'm glad I got the suggestion. As a result of it, I've recognized that there are truly significant differences between the ways the Windows 2012 and the CentOS 6.5 TCP/IP stacks handle these packets.

It is common knowledge that when we send a SYN packet to a listening port, we expect a SYN-ACK. Likewise, when we send a SYN to a non-listening port, we should get back a RST-ACK. However, what happens when we send an ACK, a RST, or some strange combination of flags to either a listening or a non-listening port? These are the questions we will answer in this series.

This series of posts will be based on sending crafted packets (the stimulus) with various flags set to see the type of responses.

The tests will involve sending packets with specific flags, or combinations of these flags, to a Windows 2012 system and a CentOS 6.5 system, both with their firewalls off.

We will test the response in two cases: when the port (80) is listening and when the port (81) is not listening.

Topology
SIFT - 10.0.0.50
Windows2012 - 10.0.0.100
CentOS 6.5 - 10.0.0.101

Tool for analysis:
tshark

Packet Crafting:
scapy

The following notation will be used: flag(s) -> system/system -> port
For a SYN flag sent to the Windows 2012 host / CentOS 6.5 host on port 80, we would have: SYN -> Windows 2012/CentOS 6.5 -> 80

To ensure the system where the packets are being crafted does not itself respond to the replies (its kernel has no socket for them and would otherwise answer with a RST, which would tear down the exchange before we capture it), we will prevent it from sending out RSTs by using the following iptables rule:
iptables -A OUTPUT -p tcp -m tcp --tcp-flags RST RST -j DROP
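To make the "flag(s) -> system -> port" notation concrete, here is an added illustration of what the stimulus actually is on the wire. This is not the post's scapy code; it is a stand-alone example that builds a raw 20-byte TCP header with an arbitrary flag combination, computes the checksum over the IPv4 pseudo-header, and decodes a captured header back into the same flag notation. The addresses are the post's topology (10.0.0.50 -> 10.0.0.100), the source port 40000 and sequence number are made up, and expected_response() encodes only the two baseline rules the post states (SYN to an open port gives SYN-ACK, SYN to a closed port gives RST-ACK); every other combination returns None because that is exactly what the series measures.

```python
import socket
import struct

# TCP flag bits: six from RFC 793 plus the two ECN bits from RFC 3168.
FLAG_BITS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08,
             "ACK": 0x10, "URG": 0x20, "ECE": 0x40, "CWR": 0x80}


def flags_to_int(names):
    """Turn the post's notation ('SYN-ACK', 'SYN,ACK') into the flags byte."""
    value = 0
    for name in names.replace(",", "-").split("-"):
        name = name.strip().upper()
        if name:
            value |= FLAG_BITS[name]          # KeyError on an unknown flag name
    return value


def int_to_flags(value):
    """Flags byte -> 'SYN-ACK' in canonical FIN..CWR order ('NONE' for 0)."""
    return "-".join(n for n, b in FLAG_BITS.items() if value & b) or "NONE"


def checksum(data):
    """Internet checksum (RFC 1071): ones' complement of the ones' complement sum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                         # fold carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _pseudo_header(src_ip, dst_ip, tcp_length):
    # IPv4 pseudo-header: src, dst, zero, protocol (6), TCP length.
    return (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
            + struct.pack("!BBH", 0, socket.IPPROTO_TCP, tcp_length))


def build_tcp_segment(src_ip, dst_ip, sport, dport, flags, seq=0, ack=0, window=8192):
    """Build a 20-byte TCP header (no options, no payload) carrying the given flags."""
    flag_value = flags_to_int(flags) if isinstance(flags, str) else flags
    data_offset = 5 << 4                       # header length in 32-bit words, high nibble
    header = struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                         data_offset, flag_value, window, 0, 0)
    csum = checksum(_pseudo_header(src_ip, dst_ip, len(header)) + header)
    return header[:16] + struct.pack("!H", csum) + header[18:]


def parse_tcp_segment(segment):
    """Decode the fixed TCP header fields of a captured segment."""
    (sport, dport, seq, ack, off_res, flag_value,
     window, csum, urg) = struct.unpack("!HHIIBBHHH", segment[:20])
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "header_len": (off_res >> 4) * 4, "flags": int_to_flags(flag_value),
            "window": window, "checksum": csum, "urgent": urg}


def verify_checksum(src_ip, dst_ip, segment):
    """A valid segment sums (with its checksum field) to 0xFFFF, so checksum() yields 0."""
    return checksum(_pseudo_header(src_ip, dst_ip, len(segment)) + segment) == 0


def expected_response(stimulus, listening):
    """Baseline from the post: only the SYN case is settled; the rest is measured."""
    if flags_to_int(stimulus) == FLAG_BITS["SYN"]:
        return "SYN-ACK" if listening else "RST-ACK"
    return None


if __name__ == "__main__":
    # Constructed stimulus: SYN -> Windows 2012 -> 80, from the SIFT box.
    seg = build_tcp_segment("10.0.0.50", "10.0.0.100", 40000, 80, "SYN", seq=1000)
    print(seg.hex())
    print(parse_tcp_segment(seg))
    print("checksum ok:", verify_checksum("10.0.0.50", "10.0.0.100", seg))
    print("expected:", expected_response("SYN", listening=True))
```

The checksum covers the pseudo-header, which is why verify_checksum() needs the IP addresses: the same 20 bytes replayed to 10.0.0.101 fail the check, a detail that matters when comparing a crafted stimulus against what tshark shows for it.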

So without further ado, let's look at the next post to get started.

If you wish to have this as a reference, you may download:
"Stimulus and Response.pdf" document.
MD5: 8c931888caf948504188f57440396ebc
SHA-1: c4cb5b06928e660a09ddc7eaf4b7e32fb0dd1a27

stimulus-response.xlsx
MD5: 6176b65c89b73e3b07a519bf77db462a
SHA-1: 1ff6308e2a56a1c950e4cc5831932d78563bf853


Reference and Additional Readings:
http://newartisans.com/2007/09/neat-tricks-with-iptables/
