TCP/IP Connection Cutting On Linux Firewalls
Chris Lowth writes "Network security administrators sometimes need to be able to abort TCP/IP connections routed over their firewalls on demand. This would allow them to terminate connections such as SSH tunnels or VPNs left in place by employees overnight, abort hacker attacks when they are detected, stop high-bandwidth-consuming downloads, etc. There are many potential applications.
This article describes how a Linux IPTables-based firewall/router can be used to send the right combination of TCP/IP packets to both ends of a connection to cause them to abort the conversation. It describes the steps required to perform this task, and introduces a new open-source utility called 'cutter' that automates the process."
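As an added illustration of the firewall-side approach the summary describes (this is example code written for this page, not cutter's own source), the following POSIX shell function cuts one forwarded TCP flow by inserting REJECT rules that answer the next packet from either endpoint with a TCP RST, then drops the flow's conntrack entry. The function names `cut_connection` and `uncut_connection`, the `RUN` dry-run variable and the sample addresses are assumptions; it relies on the real `iptables` REJECT target with `--reject-with tcp-reset` and on the `conntrack` command from conntrack-tools, and it must run as root on the firewall itself.

```shell
#!/bin/sh
# Added example: cut an established TCP connection that is being forwarded
# through an iptables firewall. Assumes iptables and conntrack-tools are
# installed and the script runs as root. Set RUN=echo to print the commands
# instead of executing them (dry run).
RUN=${RUN:-}

# cut_connection SRC SPORT DST DPORT
# Inserts a REJECT rule at the top of FORWARD for each direction of the flow.
# The firewall answers the next packet it sees from either side with a RST,
# so that endpoint tears the connection down. The conntrack entry is then
# deleted so a stateful "ESTABLISHED,RELATED" accept rule no longer matches.
cut_connection() {
    src=$1; sport=$2; dst=$3; dport=$4
    $RUN iptables -I FORWARD 1 -p tcp -s "$src" --sport "$sport" \
        -d "$dst" --dport "$dport" -j REJECT --reject-with tcp-reset
    $RUN iptables -I FORWARD 1 -p tcp -s "$dst" --sport "$dport" \
        -d "$src" --dport "$sport" -j REJECT --reject-with tcp-reset
    # conntrack exits non-zero when no entry exists; that is not an error here.
    $RUN conntrack -D -p tcp -s "$src" --sport "$sport" \
        -d "$dst" --dport "$dport" 2>/dev/null || true
}

# uncut_connection SRC SPORT DST DPORT
# Removes the two rules again once the connection is gone, so the same
# 4-tuple is not blocked if a client later reuses that source port.
uncut_connection() {
    src=$1; sport=$2; dst=$3; dport=$4
    $RUN iptables -D FORWARD -p tcp -s "$src" --sport "$sport" \
        -d "$dst" --dport "$dport" -j REJECT --reject-with tcp-reset
    $RUN iptables -D FORWARD -p tcp -s "$dst" --sport "$dport" \
        -d "$src" --dport "$sport" -j REJECT --reject-with tcp-reset
}

# Usage (constructed sample flow, dry run):
#   RUN=echo cut_connection 10.0.0.5 43210 192.0.2.10 22
```

Two caveats are worth knowing. First, rules like these only act when a packet arrives, so a completely idle tunnel stays in both endpoints' connection tables until one side transmits (or a keepalive fires); actively injecting packets at both ends, as the summary says cutter does, avoids that wait. Second, the rules must be removed with `uncut_connection` once the flow is dead, otherwise they linger in FORWARD and may block a later, legitimate connection that happens to reuse the same ports.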
So now I don't just have to worry about losing my VPN into work in the middle of the night because of some unavoidable packet loss, but also because of some automagic utility that people will throw into place for my benefit. Will the "features" never stop?
Which is all well and good if your organisation is strictly a 9-5 place.
However, given that a hell of a lot of places run 24/7, when would you propose running said script in their cases?
People should not be afraid of their governments - Governments should be afraid of their people.
Oh, come on, you can have your web server and FTP server up 24/7, and terminating connections twice every day isn't going to have much effect on legit users, unless you're hosting ISOs, in which case they'll just have to restart their FTP client and resume from where they left off.
The web server can be shut down and restarted every hour with no effect on users - HTTP is, after all, a connectionless protocol, and on today's machines, it only takes 3 to 4 seconds to shut down and restart Apache.
Also, with the newer high-latency DDoS attacks, this would be a good way to stop them :-)
Just because you don't see the utility of something like this right off doesn't mean there is no use, or that it can't be adapted to certain situations.
If the box is running only the minimum of services, only allows incoming connections that are established & related, doesn't allow connections from a blacklist of known bad IP blocks, etc., has someone checking the logs on a regular basis, requires external access through a second box, and doesn't have a bunch of /virus-laden internal machines/Windows boxes/ on the internal network to serve as zombies for internal attacks (went through that once; all the sales reps lost their Windows boxes, CD-ROMs and floppy drives the same day. They bitched for a while, but they got used to Linux) :-), what's the problem?