DROP vs. REJECT Targets

In the packet trace in the preceding section, the retransmission of the packet containing the string /Setup.php is a manifestation of the delivery guarantee built into TCP: the DROP target refuses to forward the packet to the destination TCP stack, so the client's stack keeps resending it. The TCP session is forced to close, rather ungracefully, after a time-out expires. However, fwsnort can use the iptables REJECT target instead of the DROP target, so that the attacker's TCP stack receives a RST in addition to the malicious packet not being forwarded through the iptables firewall:

[iptablesfw]# fwsnort --snort-sid 2281 --ipt-reset
[+] Parsing Snort rules files...
[+] Found sid: 2281 in web-php.rules
    Successful translation

[+] Iptables script: /etc/fwsnort/fwsnort.sh

[iptablesfw]# /etc/fwsnort/fwsnort.sh
[+] Adding web-php rules
    Rules added: 4

Now, when we launch the attack against the webserver again (after clearing the psad blocking rules from the previous attack with psad --Flush), our TCP stack receives a RST packet that forces the session to close:

[ext_scanner]$ lynx http://71.157.X.X/Setup.php
Alert! Unexpected network read error. Connection aborted.
Can't access 'http://71.157.X.X/Setup.php'
Alert! Unable to access document.

A packet trace captured on the external interface of the iptables firewall clearly shows the RST packet (the last line of the trace below) being sent back to the attacker:

[iptablesfw]# tcpdump -i eth0 -l -nn port 80
21:39:13.053057 IP 144.202.X.X.52092 > 71.157.X.X.80: S 1449291682:1449291682(0) win 5840 <mss 1460,sackOK,timestamp 3247303167 0,nop,wscale 2>
21:39:13.053177 IP 71.157.X.X.80 > 144.202.X.X.52092: S 1384965123:1384965123(0) ack 1449291683 win 5792 <mss 1460,sackOK,timestamp 2300769786 3247303167,nop,wscale 2>
21:39:13.073190 IP 144.202.X.X.52092 > 71.157.X.X.80: . ack 1 win 1460 <nop,nop,timestamp 3247303172 2300769786>
21:39:13.078382 IP 144.202.X.X.52092 > 71.157.X.X.80: P 1:229(228) ack 1 win 1460 <nop,nop,timestamp 3247303174 2300769786>
21:39:13.078442 IP 71.157.X.X.80 > 144.202.X.X.52092: R 1384965124:1384965124(0) win 0
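The two outcomes described in this section (DROP: the client resends the same segment and eventually times out; REJECT: a RST comes back right after the request) can be told apart from a tcpdump capture alone. The following Python is an added example, not code from the book or from fwsnort: it parses tcpdump's classic TCP line format as shown above and labels each client session as rejected or dropped. The capture it parses is constructed for the example, and the "W" flag letter and the "other" verdict are assumptions beyond what the trace above shows.

```python
import re
from collections import defaultdict

# Constructed sample capture in tcpdump's classic TCP line format (not the page's own trace):
# session 1 hits a REJECT target (server side answers the request with a RST), session 2
# hits a DROP target (the same 228-byte request segment is resent and nothing comes back).
SAMPLE_TRACE = """\
21:39:13.053057 IP 10.0.0.5.52092 > 10.0.0.1.80: S 1000:1000(0) win 5840
21:39:13.053177 IP 10.0.0.1.80 > 10.0.0.5.52092: S 2000:2000(0) ack 1001 win 5792
21:39:13.078382 IP 10.0.0.5.52092 > 10.0.0.1.80: P 1:229(228) ack 1 win 1460
21:39:13.078442 IP 10.0.0.1.80 > 10.0.0.5.52092: R 2001:2001(0) win 0
21:40:01.000000 IP 10.0.0.6.41000 > 10.0.0.1.80: S 3000:3000(0) win 5840
21:40:01.000100 IP 10.0.0.1.80 > 10.0.0.6.41000: S 4000:4000(0) ack 3001 win 5792
21:40:01.025000 IP 10.0.0.6.41000 > 10.0.0.1.80: P 1:229(228) ack 1 win 1460
21:40:01.230000 IP 10.0.0.6.41000 > 10.0.0.1.80: P 1:229(228) ack 1 win 1460
"""

# "<ts> IP <src>.<sport> > <dst>.<dport>: <flags> [<seq>:<end>(<len>)] ..."; pure ACKs have no seq part.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\S+)\.(?P<sport>\d+) > (?P<dst>\S+)\.(?P<dport>\d+): "
    r"(?P<flags>[SFRPW.]+)(?: (?P<seq>\d+):(?P<end>\d+)\((?P<len>\d+)\))?"
)

def parse_line(line):
    """Fields of one tcpdump TCP line as a dict (len defaults to 0), or None if it does not match."""
    m = LINE_RE.match(line)
    return dict(m.groupdict(), len=int(m["len"] or 0)) if m else None

def classify_sessions(trace, server_port="80"):
    """Per client socket: 'rejected' (RST from the server side), 'dropped' (request
    retransmitted and never answered) or 'other' (answered, or too little evidence)."""
    flows = defaultdict(list)
    for pkt in filter(None, map(parse_line, trace.splitlines())):
        if pkt["dport"] == server_port:
            flows[f'{pkt["src"]}:{pkt["sport"]}'].append(("c2s", pkt))
        elif pkt["sport"] == server_port:
            flows[f'{pkt["dst"]}:{pkt["dport"]}'].append(("s2c", pkt))
    verdicts = {}
    for client, pkts in flows.items():
        server_rst = any(d == "s2c" and "R" in p["flags"] for d, p in pkts)
        data = [(p["seq"], p["end"]) for d, p in pkts if d == "c2s" and p["len"] > 0]
        first = next((i for i, (d, p) in enumerate(pkts) if d == "c2s" and p["len"] > 0), None)
        replied = first is not None and any(d == "s2c" for d, _ in pkts[first:])
        verdicts[client] = "other"
        if server_rst:
            verdicts[client] = "rejected"  # REJECT target: the firewall answers with a RST
        elif len(data) != len(set(data)) and not replied:
            verdicts[client] = "dropped"   # DROP target: client TCP resends, then times out
    return verdicts
```

Run it against a real capture by replacing SAMPLE_TRACE with the output of tcpdump -nn on the firewall's external interface; only the server-side RST and the repeated client segment are needed, so the option fields after "win" are ignored.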
