Slashdot Mirror
TCP/IP Connection Cutting On Linux Firewalls
Chris Lowth writes "Network security administrators sometimes need to be able to abort TCP/IP connections routed over their firewalls on demand. This would allow them to terminate connections such as SSH tunnels or VPNs left in place by employees over night, abort hacker attacks when they are detected, stop high bandwidth consuming downloads - etc. There are many potential applications.
This article describes how a Linux IPTables based firewall/router can be used to send the right combination of TCP/IP packets to both ends of a connection to cause them to abort the conversation. It describes the steps required to perform this task, and introduces a new open-source utility called 'cutter' that automates the process."
So now I don't just have to worry about losing my vpn into work in the middle of the night because of some unavoidable packet loss, but also because of some automagic utility that people will throw into place for my benefit. Will the "features" never stop?
Which is all well and good if your organisation is strictly a 9-5 place.
However, given that a hell of a lot of places run 24/7, when woudl you propose running said script in their cases?
People should not be afraid of their governments - Governments should be afraid of their people.
Without a competent sysadmin and specific application (triggered only for certain events/time lengths), this will go from handy to crude (much like many other tools, come to think of it).
Tm
Support TBI Research: http://www.raisinhope.org
Oh, come on, you can have your web server and ftp server up 24/7, and terminating connections twice every day isn't going to have much effect on legit users, unless you're hosting isos, in which case they'll just have to restart their ftp client and resume from where they left off.
the web server can be shut down and restarted every hour with no effect on users - http is, after all, a connectionless protocol, and on todays machines, it only takes 3 to 4 seconds to shut down and restart apache.
Also, with the newer high-latency DDOoS attacks, this would be a good way to stop them :-)
Just because you don't see the utility of something like this right off doesn't mean there is no use, or that it can't be adapted to certain situations.
I don't see how this is really that much different than running a script that intermittently drops access to certain ports.
Why do you need to ask either side of a tcp connection to abort? Shouldn't the fact that the connection is lost be enough?
If you're trying to stop large downloads run a usage tracking app to a database and temporarily block the IP. Geez.
I, like many people here, develop software. But I have to say, in this case, is this really needed? It just seems like it would be just another thing to test, configure, manage and keep up to date.
Don't mix VPNs in. The thread is about nuking TCP connections and unless you mean SSH or PPP by VPN, the issue is irrelevant. Moreover, even with TCP-based VPNs it is easy to write a proggy that will add IP/port pair of authenticated VPN peers into the list of 'dont drop' connections.
3.243F6A8885A308D313
Instead of running the script once after everyone left, why not combine it with some kind of intrusion detector so that it only runs when there's suspicious activity. This would prevent accidently kicking people off and would actually stop attacks completely. You can't crack something that isn't connected after all.
read my blog
musings on politics and technol
If you have internal desktops visible to the outside world you have bigger problems...
---- Den ene knappen er powerknapp, den andre er Bender voice knapp "Bite My Shiny Metal Ass"
If the box is running only the minimum of services, only allows incoming connections that are established & related, doesn't allow connections from a blacklist of known bad ip blocks, etc., and has someone checking the logs on a regular basis, requires external access through a second box, doesn't have a bunch of /virus-laden internal machines/windows boxes/ on the internal network to serve as zombies for internal attacks (went through that once, all the sales reps lost their windows boxes, cd-roms and floppy drives the same day. They bitched for a while, but they got used to linux) :-), what's the problem?
I agree 100%. But it does happen, and this is one of the /ways/tools/ to help sniff them out. More importantly, now Joe Sixpack can be educated to /log out/shut down/ when he leaves, instead of saying "what harm can it do to /leave my machine on all the time/run all sorts of downloaders while I'm home/". Any connection to his machine that comes in after all tcp/ip connections are cut will be obviously wrong, even to a non-computer-literate user. There will be no doubt in his/her mind that someone is "using" their machine, and they will be angry enough to be on your side in the battle for less sloppy security. Any time we can educate the masses, rather than talking at them, we should grab it :-)
Nice troll. Years ago, I would have agreed with you on Linux as a firewall.
The fact is that a properly configured linux machine is a pretty damn good firewall that is as good or better than many commercial firewalls.
If you are a fortune 500 type company it's not really appropriate, but for many of the millions of smaller businesses out there, it's just fine.
If your security at work consists of a Linux box running iptables, I would be scared. On the other hand, this could be usefull for the home network.
Upon what do you base this conclusion? I guess ignorance. We are the second largest DSL telco in the Benelux countries, and we use redundant Linux firewalls to protect important pieces of our network, such as places where our DNS and radius servers live.
This doesn't scare me at all, actually I like the setup better with regards to availability, maintainability and security then the setup in other parts of our network which are protected through Cisco PIX firewalls.
- (BOFH, is that you?!)
:-)
- I might have a very good reason to leave a TCP connection up when I go home.
:-)
- Why not enforce auto locking after n minutes of inactivity, instead of being a counter-productive asshole and cut all connections just to "educate people"?
If it;'s your home machine, you can do what you want with it. If it's not, then you have to go with the company policy.Depends on who you talk to, but nah, can't take too much credit for that
Ordinary desktops don't, and they should be logging out completely, as a habit. If they also learn to shut down properly at the end of every day, they could also help save the environment (less electricity, less heating, so less cooling required, so less electricity again
Some people resist other forms of education, some are damn lazy, some are just stupid. When polite requests, not-so-polite requests, etc., go unheeded because they are being, as you so kindly put it, unproductive ass-holes, this unproductive asshole will still try to find other methods to induce cooperation.