Slashdot Mirror

← Back to Stories (view on slashdot.org)

TCP/IP Connection Cutting On Linux Firewalls

Posted by Hemos on from the better-then-vasectomy dept.

Chris Lowth writes "Network security administrators sometimes need to be able to abort TCP/IP connections routed over their firewalls on demand. This would allow them to terminate connections such as SSH tunnels or VPNs left in place by employees over night, abort hacker attacks when they are detected, stop high bandwidth consuming downloads - etc. There are many potential applications. This article describes how a Linux IPTables based firewall/router can be used to send the right combination of TCP/IP packets to both ends of a connection to cause them to abort the conversation. It describes the steps required to perform this task, and introduces a new open-source utility called 'cutter' that automates the process."

36 of 233 comments (clear)

  1. Would be handy by tomhudson · · Score: 4, Interesting

    This would be a handy thing to put in a script to run once a day, after everyone's gone home, then again before anyone gets in in the morning. Examining the logs for odd activity between the two instances would be VERY handy.

    1. Re:Would be handy by ColdGrits · · Score: 4, Insightful

      Which is all well and good if your organisation is strictly a 9-5 place.

      However, given that a hell of a lot of places run 24/7, when woudl you propose running said script in their cases?

      --
      People should not be afraid of their governments - Governments should be afraid of their people.
    2. Re:Would be handy by Technician · · Score: 5, Interesting

      I think a fuse function should be included. Anything that saturates your uplink for 5 minutes should drop you off the net. This could be from anything such as a rogue robot, cracked or exploited mail server serving mass SPAM, a fast SQL type virus, or a break-in copying your fileserver. P-P serving lots of copyrighted material would also trip it. This could have a few anoyance false trips, but if fuses are widely used, it could greatly slow the kind of stuff we want off the net anyway. Maybe it could even save your webserver from melting when it's posted on /.

      --
      The truth shall set you free!
    3. Re:Would be handy by 56ker · · Score: 4, Interesting

      What variables would you want to be able to alter on the fuse? Bandwidth usage is highly variable anyway (even with normal patterns of usage). How can you tell the difference between an employee downloading a large pdf file and an employee uploading a copy of your fileserver? There's also a fine line between security & convenience - and with logs you get the "little elves" problem too. It depends how bothered you are about IT security I suppose. I've seen plenty of corporate broadband connections without even firewalls - and managment is still IMHO pretty clueless about computers. At least they've moved on from regarding them as an unecessary luxury expense.

      --


      Video Game cheats, hints a
    4. Re:Would be handy by Surak · · Score: 4, Interesting

      Wouldn't work where I work. We regularly post files that are several hundred megabytes in size on our FTP server for download or upload them to other servers. You would have to somehow determine *what* wa saturating that uplink for more than 5 minutes and make sure it wasn't a legit connection. That might be a bit more complicated than it sounds, too.

      --
      My journal has hot /. gossip.
    5. Re:Would be handy by radish · · Score: 3, Insightful

      If you have internal desktops visible to the outside world you have bigger problems...

      --

      ---- Den ene knappen er powerknapp, den andre er Bender voice knapp "Bite My Shiny Metal Ass"

    6. Re:Would be handy by tomhudson · · Score: 4, Insightful
      If your security at work consists of a Linux box running iptables, I would be scared.</quote>

      If the box is running only the minimum of services, only allows incoming connections that are established & related, doesn't allow connections from a blacklist of known bad ip blocks, etc., and has someone checking the logs on a regular basis, requires external access through a second box, doesn't have a bunch of /virus-laden internal machines/windows boxes/ on the internal network to serve as zombies for internal attacks (went through that once, all the sales reps lost their windows boxes, cd-roms and floppy drives the same day. They bitched for a while, but they got used to linux) :-), what's the problem?

  2. great by mike_scheck · · Score: 5, Insightful

    So now I don't just have to worry about losing my vpn into work in the middle of the night because of some unavoidable packet loss, but also because of some automagic utility that people will throw into place for my benefit. Will the "features" never stop?

    1. Re:great by nadadogg · · Score: 5, Interesting

      Well, you could prevent this by assigning a list of "safe" IP addresses that would not call for termination, but merely be logged. This way, unauthorized entry into the network would be stopped, and working from home would be brought to the higher-ups' attention, thereby making you look good :)

      Just a thought, really.

      --
      i use linux and windows oh god how can i have an opinion
    2. Re:great by ColdGrits · · Score: 5, Insightful

      Or we just employ proper secutiry procedures, rather than relying upon a script running twice a day to kill off connections (let's face it, the original suggestion, namely run this twice a day, is pointless - the intruder woudl already have been in, done whatever they were doing, and gone long before the script dropped their connection. Yes, you'd have a nice shiny log to say "J00 waz 0wn3d", but it's a bit late by that point...

      The actual killing of connections, now, THAT is a useful tool where your intrusion detection has detected an active intrusion (or intrusion attempt). But that's not what was being discussed in this subthread :)

      --
      People should not be afraid of their governments - Governments should be afraid of their people.
  3. Well, that kills that. by Divide+By+Zero · · Score: 5, Funny

    So much for downloading the trailer for $NEXT_BIG_MOVIE on company bandwidth. We'll have to do work now. Dammit.

    --
    Dare to Hope. Prepare to be Disappointed.
  4. I have an even better idea: by Sloshed_dot · · Score: 3, Funny

    Just pull the network cable out, then lets see the hacker getting past THAT script!

    --
    fart/faart/(coarse) (v.intr.): emit intestinal gas from the anus. (n.): emission of intestinal gas from the anus.
  5. Google Cache of post, and a quick comment by Cruel+Angel · · Score: 5, Informative
    here

    This is a great idea that someone should have come up with a long time ago. I also like how the author took into consideration the security conserns of such a cutter.

    --
    Two Rules For Success:
    1) Never tell people everything you know.
  6. Google cache by arvindn · · Score: 4, Informative

    slashdotted with less than 5 comments posted. google cache.

  7. For Aol Users by jetkust · · Score: 3, Funny

    Wow, now aol users can close aol without using ctrl+alt+delete.

  8. Evil bit comes to the rescue! by RyanK · · Score: 5, Funny

    Why not just turn on the 'evil' bit for these connections?

    Then simply enable a filter to drop those packets during off hours or peak usage.

    And people thought that was a joke!

  9. That would be great by missing000 · · Score: 4, Funny

    Then you could just ignore your outages after hours since you couldn't ssh in anymore.

    I always wanted to work 9 to 5 like the executives

  10. But what about UDP tunnels? by dpilot · · Score: 4, Informative

    After all, UDP tunnels are frequently better, since tcp-over-tcp can introduce odd timing effects. Run Google against "OpenVPN" for some pretty decent explanations of this and security issues. SSH tunnels are merely secure and easy, not necessarily the best.

    --
    The living have better things to do than to continue hating the dead.
  11. nice first step by Lumpy · · Score: 5, Interesting

    Give me a web interface showing all the connections and each end's ip address, how about a simple bargraph showing bandwidth use per connection also?

    This would be the ultimate-awesome tool for a netadmin. couple this with cutter and you have a great way of managing that traffic!

    --
    Do not look at laser with remaining good eye.
    1. Re:nice first step by tensai · · Score: 5, Interesting

      Check out ntop. It watches traffic passively and generates quite a few pretty graphs. It has breakdowns by protocol, machine, time of day. All sorts of stuff. Extremely useful for troubleshooting the "my internet is broken" problems.

  12. How to announce software on /. by CoolQ · · Score: 5, Funny

    How to announce software on /.:

    1) Go to SourceForge.
    2) Register a project; upload files
    3) Post link to SourceForge page on /.
    4) ???
    5) Profit

    How not to announce software on /.:

    1) Upload software to your web server behind a T1
    2) Post link to /.
    4) ???
    5) Cry over the money you just wasted.

    --Quentin

  13. Re:fuckwit? I don't think so. by tomhudson · · Score: 4, Insightful
    By definition, if it's a 24/7 operation, you wouldn't be terminating tcpip connections at all...</quote>

    Oh, come on, you can have your web server and ftp server up 24/7, and terminating connections twice every day isn't going to have much effect on legit users, unless you're hosting isos, in which case they'll just have to restart their ftp client and resume from where they left off.

    the web server can be shut down and restarted every hour with no effect on users - http is, after all, a connectionless protocol, and on todays machines, it only takes 3 to 4 seconds to shut down and restart apache.

    Also, with the newer high-latency DDOoS attacks, this would be a good way to stop them :-)

    Just because you don't see the utility of something like this right off doesn't mean there is no use, or that it can't be adapted to certain situations.

  14. Golden days at my company by lateralus · · Score: 5, Funny

    My old boss used to use bandwidth hogs as an excuse to cause users pain. We would track the inflated traffic down to hub port level, he would pull the plug and wait. After maybe 2 minutes always came the phone call from some frustrated user saying that his/her Internet was not working. Over the 12 times we did this EVERY time the phone call came from the abuser and not ONCE was he/she downloading anything work related.

    The company has grown since then and those old tricks would get you fired nowadays. Ahhh, the days when IT ruled with an iron fist. Now there this newfangled notion of "service" in the department, how wierd is that?

    --
    If you outlaw the law, only criminals will have laws
  15. Can of Cron and a Script? by Line_Fault · · Score: 3, Insightful

    I don't see how this is really that much different than running a script that intermittently drops access to certain ports.

    Why do you need to ask either side of a tcp connection to abort? Shouldn't the fact that the connection is lost be enough?
    If you're trying to stop large downloads run a usage tracking app to a database and temporarily block the IP. Geez.

    I, like many people here, develop software. But I have to say, in this case, is this really needed? It just seems like it would be just another thing to test, configure, manage and keep up to date.

  16. sniffit by wotevah · · Score: 4, Informative
    Cutting a TCP connection is really simple - just send a RST packet to one or both ends and enjoy.

    As far as tools, I know of at least one that has been around since 97, "sniffit". It show connections in real time (like ethereal today) and has a hot key for resetting a connection.

  17. No need for cutter by hhg · · Score: 4, Funny

    See, his webserver can not accept any connections, and I bet he's not using cutter at the moment

  18. tcpkill by pknut · · Score: 5, Interesting

    The 'cutter' program introduced in the article sounds suspiciously similar to Dug Song's tcpkill program (a member of his dsniff network utilities). In fact, tcpkill appears to be superior because it matches packets via tcpdump expressions, and hence is more versatile.

    1. Re:tcpkill by pknut · · Score: 5, Informative

      tcpkill will use network sniffing and packet insertion to kill any connections that are visible to the host computer. This usually means that connections to/from a computer on the same LAN segment as the host running tcpkill can be taken down. This is irrespective of whether the connection is being routed through the host computer. Running tcpkill on a gateway simply ensures complete visibility of the routed packets. In contrast, cutter does no network sniffing, and hence *must* be run on the gateway computer.

  19. Easy to hack around! by Line_Fault · · Score: 3, Interesting

    I'm sure I could get around this by packet capturing on both ends of the connection and dropping any packets that would abort my connection before they are processed by the OS or application.

    If I getting disconnected was really bugging me, I'm sure changing a few lines of the TCP stack code, and a quick (rather lengthy) recompile would yeild two inevitable outcomes:

    1. Less frustration from disconnects!
    2. The same (or larger) security hole than before!

    Fantastic!!!

  20. An idea by d3faultus3r · · Score: 3, Insightful

    Instead of running the script once after everyone left, why not combine it with some kind of intrusion detector so that it only runs when there's suspicious activity. This would prevent accidently kicking people off and would actually stop attacks completely. You can't crack something that isn't connected after all.

    --
    read my blog
    musings on politics and technol
  21. NO They weren't slashdotted... by splerdu · · Score: 5, Funny

    The script is obviously in place, and cuts unwanted connections originating from a referer-id of slashdot.org!

  22. Re:fuckwit? I don't think so. by tomhudson · · Score: 5, Interesting
    I tend to distrust session variables (especially those stored in /tmp, and, yes, I know you can designate another directory), so I authenticate users on each access. This has the following added benefits
    1. Any changes in permissions are immediately reflected in the user app - not only after they log out
    2. Single point of failure - the user validation code, not user validation && session management
    3. Shutting down and restarting the server doesn't affect user access between clicks
    Don't get me wrong - sessions are fine for those who like them. I'd just rather do things a bit differently. Besides, there's nothing to keep you from maintaining state with one or more of these techniques:
    1. keeping state in variables in a database
    2. keeping state in a file for that particular user
    3. passing state in forms with POST or GET
    4. passing state with urls
    5. passing state with the carrier-pigeon protocol (for very high latency :-)
  23. My ISP is using this already by chronos82 · · Score: 4, Funny

    It seems to me the connection just drops every five minutes, perhaps they have this on their crontab ;)

  24. Re:SSH tunnels or VPNs - isn't that the same? by FreeLinux · · Score: 4, Informative

    No they are different. Let's start with an IPSec VPN.

    IPSec VPNs are designed to be "networks" that encrypt the data that traverses them. This data is between two or more real networks, not just individual hosts. These VPNs are usually configured to completely conceal the contents including source/destination IP addresses of the networks traversing the VPN. These VPNs being actual "networks" also carry network traffic such as routing information and can even be rigged up enough to carry other protocols such as IPX.

    SSH on the other hand is primarily intended to encrypt sessions between two hosts, rather than networks as is the case with IPSec. While it is possible to configure an SSH tunnel to forward multiple ports and there for multiple sessions between the hosts, it is far more difficult to configure SSH tunnels to carry whole network traffic and I am not aware of any way to carry protocols besides IP.

    HTTPS is used to encrypt individual web sessions between two hosts. It is not able to due portforwarding or caryy other network traffic. The similarity between HTTPS and SSH is that they both use SSL/TLS as their means of encryption.

    So, three different protocols for three different uses with very little overlap in functionality.

  25. Re:SSH tunnels or VPNs - isn't that the same? by Tony+Hoyle · · Score: 4, Interesting

    They have different purposes... With SHTTP the client isn't (usually) authenticated, just the server, so the traffic server->client is trusted, but not necessarily client->server (other than being encrypted).

    IPSEC also verifies the endpoints and uses preshared keys, so it's secure enough for joining two LANs. PPTP/MPPE is good enough for picking up your email and stuff, but because there's no endpoint authentication it's not considered really secure.

    SSH itself isn't a VPN but you can create one by running (for example) PPP across it.

  26. Injecting packets into the connection by zaad · · Score: 5, Informative

    Though I haven't taken a careful look at the project, but this project exposes one major flaw of the Netfilter/Iptables firewalling code. Namely, it's impossible to flush the kernel connection tracking table without a reboot (or a complete unload of the Netfilter modules).

    Connection tracking is a wonderful thing, and if you can flush out certain connections, this project wouldn't be necessary at at. Instead, there's no mechanism for aborting connections other than by injecting packets into a connection and getting both sides to abort.

    This is probably a bad idea as well as RST packets don't have to be acknowledged (that's why they're RST, and not FIN). I might be completely wrong here, but this most likely leaves the connection in the tracking table alone to timeout on its own (which according to /usr/src/linux/net/ipv4/netfilter/ip_conntrack_pro to_tcp.c is 5 days!).

    And speaking of the timeouts, there are no sysctl adjustments possible. If you want to change the timeouts, you'd have to edit the kernel source and recompile. How's that for a giant pain?

    Don't get me wrong, I like plenty of things about Netfilter/Iptables. But it's not "enterprise ready" yet.