
Networkers Palace

..::Request Time Out::..





So in the last few days, my network has been attacked by some malicious, irresponsible person. The attack that was attempted is what may be called a "UDP Flood Attack". The main behaviour of this kind of attack is sending a great many UDP packets (their size may vary) rapidly.




UDP is a connectionless protocol and it does not require any connection setup procedure to transfer data. A UDP Flood Attack is possible when an attacker sends a UDP packet to a random port on the victim system. When the victim system receives a UDP packet, it will determine what application is waiting on the destination port. When it realizes that there is no application waiting on the port, it will generate an ICMP "destination unreachable" packet to the forged source address. If enough UDP packets are delivered to ports on the victim, the system will go down.



So it is quite clear that the attacker doesn't need any established connection to our server; all he has to do is determine the port.
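To make the mechanism above concrete from the defender's side, here is an added example (not code from the original post): a small sliding-window indicator over constructed packet records. Each record is (timestamp, source address, destination UDP port); the listening-port set, the source addresses (documentation range) and the burst itself are all constructed. It counts packets per second that hit ports with no listener, which is exactly the traffic that would cost the victim one ICMP unreachable reply each, and then shows how a per-second cap on those replies limits the damage.

```python
"""Sliding-window indicator for a UDP flood against ports with no listener.

Added example, not code from the original post. Records are constructed to
look like what a capture on the victim would show: (timestamp, source
address, destination UDP port). Every packet to a port with no application
waiting would normally cost the victim an ICMP 'destination unreachable'
reply to the (possibly forged) source, which is why the reply rate matters.
"""
from collections import defaultdict

# Ports with an application listening on the victim (constructed for the example).
LISTENING_PORTS = {53, 123}


def constructed_capture():
    """Constructed sample: light normal traffic, then a one-second burst of
    packets to unused ports from many (documentation-range) source addresses."""
    normal = [
        (0.10, "10.0.0.5", 53),
        (0.40, "10.0.0.6", 123),
        (0.70, "10.0.0.5", 53),
        (0.90, "10.0.0.7", 8000),   # one stray packet to a closed port
    ]
    burst = [(1.0 + i / 100, "198.51.100.%d" % (i % 256), 1024 + i) for i in range(60)]
    return normal + burst


def closed_port_rate(records, listening=LISTENING_PORTS):
    """Count, per whole second, UDP packets aimed at ports with no listener."""
    per_second = defaultdict(int)
    for ts, _src, dport in records:
        if dport not in listening:
            per_second[int(ts)] += 1
    return dict(per_second)


def flagged_seconds(records, threshold, listening=LISTENING_PORTS):
    """Seconds in which closed-port UDP traffic exceeded `threshold` packets."""
    rate = closed_port_rate(records, listening)
    return sorted(sec for sec, n in rate.items() if n > threshold)


def icmp_replies_under_cap(records, per_second_cap, listening=LISTENING_PORTS):
    """How many ICMP unreachable replies a fixed per-second budget would let out.

    A simple per-second budget; it models the effect of rate limiting, not the
    exact algorithm of any particular kernel.
    """
    budget = defaultdict(lambda: per_second_cap)
    sent = 0
    for ts, _src, dport in records:
        if dport in listening:
            continue
        sec = int(ts)
        if budget[sec] > 0:
            budget[sec] -= 1
            sent += 1
    return sent


if __name__ == "__main__":
    capture = constructed_capture()
    print("closed-port packets per second:", closed_port_rate(capture))
    print("flagged seconds (>20 pkt/s):", flagged_seconds(capture, 20))
    print("ICMP replies, uncapped:", icmp_replies_under_cap(capture, 10**9))
    print("ICMP replies, cap 10/s:", icmp_replies_under_cap(capture, 10))
```

On the constructed capture the burst second produces 60 closed-port packets and would trigger 60 ICMP replies uncapped; with a cap of 10 per second the victim answers 11 in total, which is the point of rate-limiting those replies rather than answering every forged source.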

uh GTG, I'll finish it later okay...





So here in my blog, if you look, there are Categories in my sidebar. Categories are a common feature in blogs, especially those built on WordPress, Movable Type, etc. But somehow Blogspot (Blogger) has disabled this great feature.

To add Categories to your Blogspot blog, all you have to do is add this script:



<script type="text/javascript">
<MainOrArchivePage>
function tag (label) {
if (label.slice(0,1)=="?"){ label = label.slice(1) }
<Blogger>
var wp = document.getElementById("toppost<$BlogItemNumber$>");
<BlogItemTitle>
if (label=="<$BlogItemURL$>" ) { wp.className="commentshown"; }
else { </BlogItemTitle> wp.className="commenthidden"; <BlogItemTitle> }</BlogItemTitle> </Blogger> }
</MainOrArchivePage>
</script>


to your template. You may put it in the <head> of your template.

==========================================================

Then, you should put this script



<MainOrArchivePage>
<script type="text/javascript">
var txta=location.search; var txtb=txta.substring(1);
if (txtb!="")
{ document.write("<a href=\"<$BlogURL$>\">home</a> » <a href=\"<$BlogURL$>?"+txtb+"\">"+txtb+"</a>"); }
</script>
</MainOrArchivePage>
<ArchivePage>
<a href="<$BlogURL$>">home</a> / <a href="#">Archive</a>
</ArchivePage>
<ItemPage><a href="<$BlogURL$>" title="<$BlogTitle$>">home</a> »
<Blogger><a href="<$BlogURL$>/<$BlogItemArchiveFileName$>">Archive</a> »
<a href="<$BlogURL$>?<$BlogItemURL$>"><$BlogItemURL$></a>
</Blogger>
</ItemPage>


below your content <div>. The content DIV may have a different name in other templates; you have to recognise it yourself: just spot the DIV that defines your blog's content (its name may be content, main, page or something like that).

==========================================================
Mark your <Blogger> section and add this script



<div class="<BlogItemTitle>
display</BlogItemTitle>commenthidden" id="toppost<$BlogItemNumber$>">


On yours, don't forget to close the DIV with </div>.

==========================================================


Then, you can add this script



<MainPage>
<script type="text/javascript">
var txta=location.search;
var txtb=txta.substring(1);
if (txtb!="") {tag(txtb);}
</script>
</MainPage>



before the end of your main section.

==========================================================

And last, you should put this script



<script type="text/javascript">
<Blogger><BlogItemTitle><BlogItemURL>
var <$BlogItemURL$>=0;
var num<$BlogItemURL$>=0;
var <$BlogItemURL$>link="";
</BlogItemURL></BlogItemTitle></Blogger>

<Blogger><BlogItemTitle><BlogItemURL><$BlogItemURL$>+=1;
</BlogItemURL></BlogItemTitle></Blogger>
</script>
<h2 class="sidebar-title">Categories</h2>
<ul id="recently">
<Blogger><BlogItemTitle>
<div class="commenthidden" id="link<$BlogItemNumber$>">
<li><a onclick="tag('<$BlogItemURL$>');return false;" href="<$BlogURL$>?<$BlogItemURL$>"><$BlogItemURL$></a>
<script type="text/javascript"> document.write("("+<$BlogItemURL$>+")")
</script>
<span id="linksfor<$BlogItemNumber$>"></span> </li></div></BlogItemTitle></Blogger>
</ul>
<ArchivePage><Blogger>
<BlogItemTitle>
<BlogItemURL><span id="posttitle<$BlogItemNumber$>"><li><a href="<$BlogItemPermalinkUrl$>"><$BlogItemTitle$></a></li></span></BlogItemURL>
</BlogItemTitle></Blogger></ArchivePage>


<script type="text/javascript">
<ArchivePage>
<Blogger><BlogItemTitle><BlogItemURL>
var thetitle=document.getElementById("posttitle<$BlogItemNumber$>").innerHTML;
document.getElementById("posttitle<$BlogItemNumber$>").innerHTML=""
var <$BlogItemURL$>link=<$BlogItemURL$>link+thetitle;
</BlogItemURL></BlogItemTitle></Blogger>
</ArchivePage>

<Blogger><BlogItemTitle><BlogItemURL>
if (num<$BlogItemURL$>!=1)
{ togglecomments('link<$BlogItemNumber$>');
var num<$BlogItemURL$>=1;
<ArchivePage>
document.getElementById("linksfor<$BlogItemNumber$>").innerHTML=
<$BlogItemURL$>link;</ArchivePage>
}
</BlogItemURL></BlogItemTitle></Blogger>
</script>


in your sidebar.



ifstat is a tool to report network interface bandwidth, just like vmstat/iostat do for other system counters.

ifstat gathers these statistics from the kernel's internal counters, which is highly operating-system dependent.
Right now, the following systems are supported:

* Linux >= 2.2.0 (through /proc/net/dev file).
* FreeBSD >= 2.2 (using the ifmib(4) interface).
* Solaris >= 5.6 (using the kstat(3K) interface).
* IRIX and OpenBSD (using the SIOCGIFDATA ioctl).
* NetBSD and Darwin (using the route(4) sysctl interface).
* Other BSDs (using the kvm(3) interface).
* Digital Unix (OSF/1), Tru64, and Aix (using the legacy kmem interface).
* HP-UX (using the DPLI streams interface).
* Win32 native or through Cygwin (using the GetIfTable call).

If the net-snmp (or ucd-snmp) library is available, ifstat can use it to gather statistics from remote equipment (hosts, routers, switches...) or even from the local host if an SNMP daemon is running.
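The Linux entry in the list above says ifstat reads /proc/net/dev; the following added example (not ifstat's own code) shows what that amounts to: two snapshots of the file, the byte counters of each interface subtracted and divided by the interval, printed in KB/s the way ifstat does. The two snapshots are constructed, as is the 2-second interval; on a real host you would read /proc/net/dev twice. The counter_delta helper also handles a 32-bit counter wrapping between reads, which older kernels could expose.

```python
"""Per-interface bandwidth from two /proc/net/dev snapshots, the way ifstat
reports it on Linux (KB/s per interface).

Added example, not part of ifstat or the original post. The two snapshots
below are constructed; on a real host you would read /proc/net/dev twice,
`interval` seconds apart.
"""

# Constructed snapshot at t0. Columns follow the /proc/net/dev layout:
# after 'iface:' come 8 receive fields then 8 transmit fields; bytes first.
SNAPSHOT_T0 = """\
Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
    lo:   123456     789    0    0    0     0          0         0   123456     789    0    0    0     0       0          0
  eth0:  1000000    5000    0    0    0     0          0         0   500000    3000    0    0    0     0       0          0
"""

# Constructed snapshot 2.0 s later: eth0 received 204800 more bytes and sent 51200 more.
SNAPSHOT_T1 = """\
Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
    lo:   123456     789    0    0    0     0          0         0   123456     789    0    0    0     0       0          0
  eth0:  1204800    5150    0    0    0     0          0         0   551200    3040    0    0    0     0       0          0
"""


def parse_proc_net_dev(text):
    """Return {iface: (rx_bytes, tx_bytes)} from /proc/net/dev content."""
    counters = {}
    for line in text.splitlines()[2:]:          # skip the two header lines
        if ":" not in line:
            continue
        iface, rest = line.split(":", 1)
        fields = rest.split()
        if len(fields) < 16:                    # malformed line, ignore it
            continue
        counters[iface.strip()] = (int(fields[0]), int(fields[8]))
    return counters


def counter_delta(old, new):
    """Difference between two readings, tolerating one wrap of a 32- or 64-bit counter."""
    if new >= old:
        return new - old
    width = 32 if old < (1 << 32) else 64
    return (1 << width) - old + new


def bandwidth_kbps(before_text, after_text, interval):
    """Return {iface: (rx_KB_per_s, tx_KB_per_s)} rounded to one decimal, as ifstat prints."""
    before = parse_proc_net_dev(before_text)
    after = parse_proc_net_dev(after_text)
    rates = {}
    for iface in sorted(set(before) & set(after)):
        rx = counter_delta(before[iface][0], after[iface][0]) / interval / 1024
        tx = counter_delta(before[iface][1], after[iface][1]) / interval / 1024
        rates[iface] = (round(rx, 1), round(tx, 1))
    return rates


if __name__ == "__main__":
    for iface, (rx, tx) in bandwidth_kbps(SNAPSHOT_T0, SNAPSHOT_T1, 2.0).items():
        print("%-6s %8.1f KB/s in %8.1f KB/s out" % (iface, rx, tx))
```

With the constructed snapshots eth0 comes out at 100.0 KB/s in and 25.0 KB/s out while lo is idle; the same arithmetic is what any counter-based bandwidth tool performs, whether the counters come from /proc, an ioctl or SNMP.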



Somehow, I am still wondering how a giant web service can fail to have valid markup on its site. A Google page doesn't even have a DocType (DTD)!

It becomes more absurd given that, as we know, valid markup is also a priority for Google's search engine! So why don't they validate themselves?

Google also still has a warning for its CSS, even though, as we can see, it's a simple CSS that Google embeds in the page.

Here is the warning:
------------------------------------------------------------------------------------------------

Warnings

URI : http://www.google.com

  • Line : 5 (Level : 1) You have no background-color with your color : .q
------------------------------------------------------------------------------------------------

Here is the result of the Google validation page, taken from w3.org.




IPTraf is a console-based network statistics utility for Linux. It gathers a variety of figures such as TCP connection packet and byte counts, interface statistics and activity indicators, TCP/UDP traffic breakdowns, and LAN station packet and byte counts.
Features

* An IP traffic monitor that shows information on the IP traffic passing over your network. Includes TCP flag information, packet and byte counts, ICMP details, OSPF packet types.
* General and detailed interface statistics showing IP, TCP, UDP, ICMP, non-IP and other IP packet counts, IP checksum errors, interface activity, packet size counts.
* A TCP and UDP service monitor showing counts of incoming and outgoing packets for common TCP and UDP application ports
* A LAN statistics module that discovers active hosts and shows statistics showing the data activity on them
* TCP, UDP, and other protocol display filters, allowing you to view only traffic you're interested in.
* Logging
* Supports Ethernet, FDDI, ISDN, SLIP, PPP, and loopback interface types.
* Utilizes the built-in raw socket interface of the Linux kernel, allowing it to be used over a wide range of supported network cards.
* Full-screen, menu-driven operation.

Protocols Recognized

* IP
* TCP
* UDP
* ICMP
* IGMP
* IGP
* IGRP
* OSPF
* ARP
* RARP

Non-IP packets will simply be indicated as "Non-IP" and, on Ethernet LANs, will be supplied with the appropriate Ethernet addresses.

Supported Interfaces

* Local loopback
* All Linux-supported Ethernet interfaces
* All Linux-supported FDDI interfaces
* SLIP
* Asynchronous PPP
* Synchronous PPP over ISDN
* ISDN with Raw IP encapsulation
* ISDN with Cisco HDLC encapsulation
* Parallel Line IP

The information generated by IPTraf can be valuable in making network organization decisions, troubleshooting LANs and tracking activity of various IP hosts.

So let's get the show on the road; start by downloading the latest version (2.7.0 at the time of this update). Once you have it downloaded, move it to /usr/local/src and untar it by running:

tar -zxvf iptraf-2.7.0.tar.gz

That will create a directory called iptraf-2.7.0; enter it and then go into the src directory. Here you will find the IPTraf source code as well as a precompiled binary. You can just run:

make install

Or if you feel you must recompile the code, you can run:

make
make install

And that will recompile the source and install the binaries into /usr/local/bin so make sure that directory is in your PATH.

Once you have it installed, start it up by typing /usr/local/bin/iptraf as root. An ncurses based main menu will come up on your screen and you will have a list of options that you can select.

The first one you will probably want to go into is the "Configure" menu. Here you can turn on/off a bunch of features such as logging, reverse DNS lookups and showing TCP/UDP service names. IPTraf logs to /var/log/iptraf and the logfiles can get real big real fast, so make sure your partition has enough space or just disable the logs until you really need them, like in the case of an attack.

From the main menu, if you go into "Other protocol filters" it will present you with a list of protocols that you can enable or disable. I normally just have ICMP and UDP enabled here but your tastes may differ.

Let the fun begin, from the main menu, enter into "IP traffic monitor" and it will ask you to select your interface. Either select ALL or just whatever your network interface is, such as ppp0 for PPP connections and eth0 for cable/DSL connections.

Now as you see, the screen is broken into two sections. All TCP connections are shown in the top part and all ICMP/UDP etc. connections are listed at the bottom.

TCP Connections (Source Host:Port) Packets Bytes Flags Iface
216.176.130.250:ircd > 2 108 --A- eth0
24.114.19.126:3610 > 1 67 -PA- eth0

A simple breakdown of what this means is that my host, 24.114.19.126 was contacted by 216.176.130.250 (finger-for-port-scan-info-at-hebron.in.us.dal.net) from port 6667 (ircd) to port 3610.

The TCP Connections section is great for monitoring most attempts of people trying to access your machine. It will display pretty much everything, telnet, ftp, ssh attempts as well as port scans etc. The bottom half of the screen will display whichever protocols you selected in the "Other protocol filters" section. So if you selected ICMP and UDP, it will show all ICMP/UDP packets.

If you find yourself being attacked, first try to establish the IP of the attacker. Generally they use more than one IP and that IP is spoofed (not their real one). However, not all attackers are geniuses, if you know what I mean. Once you have established whether the IP is really theirs, turn on the logging and log the attack.

If you survive, you should probably email the log, as well as a description of what went down, to their ISP. You don't know their email address? Sure you do: let's say the host of the attacker was tspsl2-188.gate.net, you could probably get away with emailing abuse@gate.net since most ISPs have an abuse@isp.com email address. Also, most ISPs have a zero-tolerance attitude towards denial of service attacks, so the attacker's account will probably be closed. You can also visit http://www.arin.net and perform a lookup on the IP. From this you should find out who their ISP is and what their abuse address is.

Also, don't install IPTraf and think that you're secure now because you are watching the network. You should consider setting up a firewall.
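The TCP Connections listing shown above (host:port, packets, bytes, flags, interface, two adjacent lines per connection) is simple enough to parse, and parsing it is the quickest way to do the "establish the IP" step against a saved log rather than by eye. The following is an added example, not part of IPTraf or the original post: it parses lines in that layout, pairs them into connections, and reports which local ports each remote host touched, so a host that walks across many ports stands out. The first two listing lines are the ones quoted in the post; the rest, the service-name table, the flag strings and the address 203.0.113.9 (a documentation address) are constructed.

```python
"""Parse IPTraf's TCP connection listing and profile which local ports each
remote host touched.

Added example; it is not part of IPTraf or the original post. The listing is
constructed: the first two lines are the ones quoted in the post, the rest
are invented lines for a second remote host (203.0.113.9, a documentation
address) that reaches several local ports with single SYN packets.
"""
import re
from collections import defaultdict

MY_HOST = "24.114.19.126"          # the local host named in the post

# Constructed subset of service names IPTraf may print instead of port numbers.
SERVICES = {"ircd": 6667, "ftp": 21, "ssh": 22, "telnet": 23, "smtp": 25, "http": 80}

# host:port > packets bytes flags iface
LINE_RE = re.compile(
    r"^(?P<host>\S+):(?P<port>\S+)\s*>\s*(?P<packets>\d+)\s+(?P<bytes>\d+)\s+"
    r"(?P<flags>\S+)\s+(?P<iface>\S+)$"
)

CONSTRUCTED_LISTING = [
    "216.176.130.250:ircd > 2 108 --A- eth0",
    "24.114.19.126:3610 > 1 67 -PA- eth0",
    "203.0.113.9:40001 > 1 60 S--- eth0",
    "24.114.19.126:ftp > 1 40 --A- eth0",
    "203.0.113.9:40002 > 1 60 S--- eth0",
    "24.114.19.126:ssh > 1 40 --A- eth0",
    "203.0.113.9:40003 > 1 60 S--- eth0",
    "24.114.19.126:telnet > 1 40 --A- eth0",
    "203.0.113.9:40004 > 1 60 S--- eth0",
    "24.114.19.126:smtp > 1 40 --A- eth0",
    "203.0.113.9:40005 > 1 60 S--- eth0",
    "24.114.19.126:http > 1 40 --A- eth0",
]


def port_number(token):
    """Resolve a service name or numeric port to an integer (None if unknown)."""
    if token.isdigit():
        return int(token)
    return SERVICES.get(token)


def parse_line(line):
    """One listing line -> dict, or None when the line is not a connection entry."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return {
        "host": d["host"], "port": port_number(d["port"]),
        "packets": int(d["packets"]), "bytes": int(d["bytes"]),
        "flags": d["flags"], "iface": d["iface"],
    }


def remote_port_profile(lines, my_host=MY_HOST):
    """{remote host: set of local ports it talked to}.

    IPTraf shows each TCP connection as two adjacent lines, one per direction,
    so entries are paired and the line naming my_host is taken as the local end.
    """
    entries = [e for e in (parse_line(l) for l in lines) if e]
    profile = defaultdict(set)
    for a, b in zip(entries[0::2], entries[1::2]):
        local, remote = (a, b) if a["host"] == my_host else (b, a)
        if local["host"] != my_host:           # neither end is us; skip
            continue
        profile[remote["host"]].add(local["port"])
    return dict(profile)


def likely_scanners(lines, min_ports=5, my_host=MY_HOST):
    """Remote hosts that touched at least `min_ports` distinct local ports."""
    profile = remote_port_profile(lines, my_host)
    return sorted(h for h, ports in profile.items() if len(ports) >= min_ports)


if __name__ == "__main__":
    for host, ports in remote_port_profile(CONSTRUCTED_LISTING).items():
        print(host, "->", sorted(ports))
    print("likely scanners:", likely_scanners(CONSTRUCTED_LISTING))
```

On the constructed listing the IRC server from the post touches a single local port (3610) while the constructed host touches five, and only the latter is reported; the same distinct-port count is what separates a scan from ordinary traffic when reading the listing by hand. As the post notes, the reported source address can be spoofed, so this tells you which address to log and report, not who is behind it.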



Here is a screenshot of iptraf on my box.




Fping is a ping-like program which uses the Internet Control Message Protocol (ICMP) echo request to determine if a host is up. fping is different from ping in that you can specify any number of hosts on the command line, or specify a file containing the list of hosts to ping. Instead of trying one host until it times out or replies, fping will send out a ping packet and move on to the next host in a round-robin fashion. If a host replies, it is noted and removed from the list of hosts to check. If a host does not respond within a certain time limit and/or retry limit it will be considered unreachable.

Unlike ping, fping is meant to be used in scripts and its output is easy to parse.


You can easily check the availability and performance of several routers with this small tool. Here is an example of the steps to follow when using fping to get results efficiently and effectively.

* Make a text file containing the IP addresses and their hostnames. For example, create a file with your favourite text editor (vi, pico, etc.) and save it under the name listrouter. If we read the listrouter file, the output should look something like this:



10.15.19.1 (router A)
10.15.20.1 (router B)
10.15.124.1 (router C)
10.15.11.1 (router D)
10.15.13.1 (router E)
10.15.119.1 (router F)

* Run the fping command line as root: fping -f /home/tso/listrouter -c 100 -n

* The output should look like this:


router A : xmt/rcv/%loss = 36/36/0%, min/avg/max = 0.17/0.26/0.64
router B : xmt/rcv/%loss = 36/35/2%, min/avg/max = 8.13/24.4/78.1
router C : xmt/rcv/%loss = 36/34/5%, min/avg/max = 10.0/45.7/204
router D : xmt/rcv/%loss = 36/36/0%, min/avg/max = 11.0/59.0/196
router E : xmt/rcv/%loss = 36/35/2%, min/avg/max = 13.6/66.9/201
router F : xmt/rcv/%loss = 36/29/19%, min/avg/max = 10.8/74.3/237

By analysing this output, we can know the performance of each router.
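Since the post says fping is meant for scripts and easy to parse, here is an added example (not fping's own code or the author's) that parses the -c summary lines shown above and ranks the routers by loss and average round-trip time. The sample reuses the six lines from the post and adds one constructed line for an unreachable "router G": when nothing is received, fping prints no min/avg/max part, and a parser that assumes it is always present breaks on exactly the router you care about.

```python
"""Parse fping -c summary lines (as shown above) and rank the routers.

Added example; not part of fping or the original post. The sample text
reuses the six lines from the post and adds one constructed line for an
unreachable router: when nothing is received, fping prints no min/avg/max
part, and a parser that assumes it is always there breaks on exactly the
router you care about.
"""
import math
import re

SUMMARY_RE = re.compile(
    r"^(?P<name>.+?)\s*:\s*xmt/rcv/%loss = (?P<xmt>\d+)/(?P<rcv>\d+)/(?P<loss>\d+)%"
    r"(?:, min/avg/max = (?P<min>[\d.]+)/(?P<avg>[\d.]+)/(?P<max>[\d.]+))?$"
)

SAMPLE_OUTPUT = """\
router A : xmt/rcv/%loss = 36/36/0%, min/avg/max = 0.17/0.26/0.64
router B : xmt/rcv/%loss = 36/35/2%, min/avg/max = 8.13/24.4/78.1
router C : xmt/rcv/%loss = 36/34/5%, min/avg/max = 10.0/45.7/204
router D : xmt/rcv/%loss = 36/36/0%, min/avg/max = 11.0/59.0/196
router E : xmt/rcv/%loss = 36/35/2%, min/avg/max = 13.6/66.9/201
router F : xmt/rcv/%loss = 36/29/19%, min/avg/max = 10.8/74.3/237
router G : xmt/rcv/%loss = 36/0/100%
"""


def parse_fping(text):
    """Return a list of dicts, one per summary line; min/avg/max are None when unreachable."""
    results = []
    for line in text.splitlines():
        m = SUMMARY_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        results.append({
            "name": d["name"],
            "xmt": int(d["xmt"]), "rcv": int(d["rcv"]), "loss": int(d["loss"]),
            "min": float(d["min"]) if d["min"] else None,
            "avg": float(d["avg"]) if d["avg"] else None,
            "max": float(d["max"]) if d["max"] else None,
        })
    return results


def unreachable(results):
    """Names of hosts that answered nothing at all."""
    return [r["name"] for r in results if r["rcv"] == 0]


def rank_by_quality(results):
    """Names ordered best to worst: lowest loss first, then lowest average RTT."""
    def key(r):
        return (r["loss"], r["avg"] if r["avg"] is not None else math.inf)
    return [r["name"] for r in sorted(results, key=key)]


def over_threshold(results, max_loss, max_avg):
    """Names whose loss or average RTT exceeds the limits (unreachable always counts)."""
    return [
        r["name"] for r in results
        if r["loss"] > max_loss or r["avg"] is None or r["avg"] > max_avg
    ]


if __name__ == "__main__":
    parsed = parse_fping(SAMPLE_OUTPUT)
    print("best to worst:", rank_by_quality(parsed))
    print("unreachable:", unreachable(parsed))
    print("over 10% loss or 50 ms avg:", over_threshold(parsed, 10, 50.0))
```

Run against the sample, router A and router D rank first (no loss), router F is the worst reachable one with 19% loss, and router G is reported as unreachable rather than crashing the parser; the thresholds in over_threshold are where a monitoring script would raise an alert.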




iftop is a pretty good console bandwidth visualization tool that shows you active connections, where they are going to/from and how much of your precious bandwidth they are using.
First, if you don't have iftop installed on your machine, just type: apt-get install iftop (if you're using a Debian-based Linux). You may also install iftop from binaries, but I warn you it may take time to configure because of its dependencies.



When using iftop, we can use some hotkeys to change the way it displays the results. Here is the list of hotkeys we can use while iftop is running.

General
P - pause display
h - toggle this help display
b - toggle bar graph display
B - cycle bar graph average
T - toggle cummulative line totals
j/k - scroll display
f - edit filter code
l - set screen filter
L - lin/log scales
! - shell command
q - quit

Host display:
n - toggle DNS host resolution
s - toggle show source host
d - toggle show destination host
t - cycle line display mode

Port display:
N - toggle service resolution
S - toggle show source port
D - toggle show destination port
p - toggle port display

Sorting:
1/2/3 - sort by 1st/2nd/3rd column
< - sort by source name
> - sort by dest name
o - freeze current order

Here is a screenshot of iftop on my box.




To check upstream or downstream, you can simply use the 't' hotkey. You can tell the direction by the arrows. The display would then look like this (downstream in this example):




It's a pretty tool, isn't it? Though it requires some statistical analysis, it's very powerful for detecting malicious packets travelling across your network.



So here is the list of command-line commands in Linux (some are the same on other *nix OSes). For a more complete explanation see the man (manual) page, just by typing man command. Use it wisely.




alias Create an alias
awk Find and Replace text, database sort/validate/index
break Exit from a loop
builtin Run a shell builtin

cal Display a calendar
case Conditionally perform a command
cat Display the contents of a file
cd Change Directory
cfdisk Partition table manipulator for Linux
chgrp Change group ownership
chmod Change access permissions
chown Change file owner and group
chroot Run a command with a different root directory
cksum Print CRC checksum and byte counts
clear Clear terminal screen
cmp Compare two files
comm Compare two sorted files line by line
command Run a command - ignoring shell functions
continue Resume the next iteration of a loop
cp Copy one or more files to another location
cron Daemon to execute scheduled commands
crontab Schedule a command to run at a later time
csplit Split a file into context-determined pieces
cut Divide a file into several parts

date Display or change the date & time
dc Desk Calculator
dd Data Dump - Convert and copy a file
declare Declare variables and give them attributes
df Display free disk space
diff Display the differences between two files
diff3 Show differences among three files
dir Briefly list directory contents
dircolors Colour setup for `ls'
dirname Convert a full pathname to just a path
dirs Display list of remembered directories
du Estimate file space usage

echo Display message on screen
ed A line-oriented text editor (edlin)
egrep Search file(s) for lines that match an extended expression
eject Eject CD-ROM
enable Enable and disable builtin shell commands
env Display, set, or remove environment variables
eval Evaluate several commands/arguments
exec Execute a command
exit Exit the shell
expand Convert tabs to spaces
export Set an environment variable
expr Evaluate expressions

factor Print prime factors
false Do nothing, unsuccessfully
fdformat Low-level format a floppy disk
fdisk Partition table manipulator for Linux
fgrep Search file(s) for lines that match a fixed string
find Search for files that meet a desired criteria
fmt Reformat paragraph text
fold Wrap text to fit a specified width.
for Expand words, and execute commands
format Format disks or tapes
free Display memory usage
fsck Filesystem consistency check and repair.
function Define Function Macros

gawk Find and Replace text within file(s)
getopts Parse positional parameters
grep Search file(s) for lines that match a given pattern
groups Print group names a user is in
gzip Compress or decompress named file(s)

hash Remember the full pathname of a name argument
head Output the first part of file(s)
history Command History
hostname Print or set system name

id Print user and group id's
if Conditionally perform a command
import Capture an X server screen and save the image to file
info Help info
install Copy files and set attributes

join Join lines on a common field

kill Stop a process from running

less Display output one screen at a time
let Perform arithmetic on shell variables
ln Make links between files
local Create variables
locate Find files
logname Print current login name
logout Exit a login shell
lpc Line printer control program
lpr Off line print
lprint Print a file
lprintd Abort a print job
lprintq List the print queue
lprm Remove jobs from the print queue
ls List information about file(s)

m4 Macro processor
man Help manual
mkdir Create new folder(s)
mkfifo Make FIFOs (named pipes)
mknod Make block or character special files
more Display output one screen at a time
mount Mount a file system
mtools Manipulate MS-DOS files
mv Move or rename files or directories

nice Set the priority of a command or job
nl Number lines and write files
nohup Run a command immune to hangups

passwd Modify a user password
paste Merge lines of files
pathchk Check file name portability
popd Restore the previous value of the current directory
pr Convert text files for printing
printcap Printer capability database
printenv Print environment variables
printf Format and print data
ps Process status
pushd Save and then change the current directory
pwd Print Working Directory

quota Display disk usage and limits
quotacheck Scan a file system for disk usage
quotactl Set disk quotas

ram ram disk device
rcp Copy files between two machines.
read read a line from standard input
readonly Mark variables/functions as readonly
remsync Synchronize remote files via email
return Exit a shell function
rm Remove files
rmdir Remove folder(s)
rpm Remote Package Manager
rsync Remote file copy (Synchronize file trees)

screen Terminal window manager
sdiff Merge two files interactively
sed Stream Editor
select Accept keyboard input
seq Print numeric sequences
set Manipulate shell variables and functions
shift Shift positional parameters
shopt Shell Options
shutdown Shutdown or restart linux
sleep Delay for a specified time
sort Sort text files
source Run commands from a file `.'
split Split a file into fixed-size pieces
su Substitute user identity
sum Print a checksum for a file
symlink Make a new name for a file
sync Synchronize data on disk with memory

tac Concatenate and write files in reverse
tail Output the last part of files
tar Tape ARchiver
tee Redirect output to multiple files
test Evaluate a conditional expression
time Measure Program Resource Use
times User and system times
touch Change file timestamps
top List processes running on the system
traceroute Trace Route to Host
trap Run a command when a signal is set(bourne)
tr Translate, squeeze, and/or delete characters
true Do nothing, successfully
tsort Topological sort
tty Print filename of terminal on stdin
type Describe a command

ulimit Limit user resources
umask Users file creation mask
umount Unmount a device
unalias Remove an alias
uname Print system information
unexpand Convert spaces to tabs
uniq Uniquify files
units Convert units from one scale to another
unset Remove variable or function names
unshar Unpack shell archive scripts
until Execute commands (until error)
useradd Create new user account
usermod Modify user account
users List users currently logged in
uuencode Encode a binary file
uudecode Decode a file created by uuencode

v Verbosely list directory contents (`ls -l -b')
vdir Verbosely list directory contents (`ls -l -b')

watch Execute/display a program periodically
wc Print byte, word, and line counts
whereis Report all known instances of a command
which Locate a program file in the user's path.
while Execute commands
who Print all usernames currently logged in
whoami Print the current user id and name (`id -un')

xargs Execute utility, passing constructed argument list(s)
yes Print a string until interrupted

. (period) Run commands from a file
### Comment / Remark

