Design of a Honeypot Based Wireless Network Architecture and its Controlled Penetration Testing
International Journal of Scientific & Engineering Research, Volume 4, Issue 10, October-2013 294 ISSN 2229-5518
Achin Kulshrestha, Prof. Anjali Sardana

Abstract — The convenience of 802.11-based wireless access networks has led to widespread deployment in the consumer, industrial and military sectors. Due to the borderless nature of 802.11, security is an obvious concern, mainly because of the physical aspects of the technology, and also because of weak encryption and authentication implementations. Wireless networks introduce a new point of entry into previously closed wired networks and must thus be treated as an untrusted source, just like the Internet. For wireless networking to be most useful, the wireless networks must pass data on to standard wired networks connected to the Internet, which makes the wired networks vulnerable to attacks.
A honeypot acts as a supplementary active defense system for network security. Honeypots are closely monitored decoys that are employed in a network to study the trail of hackers and to alert network administrators of a possible intrusion. This paper explains a honeypot architecture for the emerging mix of wired and wireless networking equipment and describes the use of this honeypot to capture various attacks by performing controlled penetration tests on the network testbed. The fundamentals consist of an overview of 802.11b security and various attacks on the architecture, and we conclude by explaining the ways of deception implemented in our honeypot architecture so as to make blackhats lose time in their discovery of the legitimate network.

Index Terms — Architecture, Honeypots, Networking, Penetration Testing, Security, Testbed, Wireless.

1 INTRODUCTION

Wireless technologies drive our world and have become a de facto standard for communication, entertainment and education across the planet. With wireless technologies opening avenues of change due to their ubiquity, remote capabilities, and ability to close information gaps, human dependency on these technologies has increased to the point where one can find wireless devices almost everywhere. End users and enterprises are heavily dependent on wireless technologies because of the flexibility, mobility and freedom they provide to access and share information. Along with this flexibility, though, come security issues that must be comprehensively understood. Though contemporary wireless devices support standard security methods and protocols (encryption, authentication, authorization, etc.) useful to thwart common attacks, many kinds of attacks are still possible, depending on the real level of security present and the skill of the attacker.
Due to the burgeoning usage of wireless equipment and technologies today, it is imperative to gain grassroots knowledge about the real exploitation vectors currently used to compromise wireless networks. Trying to fill this knowledge gap, the main goal of wireless honeypots is to analyze the state of real-life wireless hacking and thereby make networks more secure. Wireless honeypots could help to reveal real statistics about attacks on the infrastructure, such as the frequency of attacks, the blackhat's skill level, his objectives and techniques. Honeypots can also help with protecting critical networks while the attacker spends substantial effort on bogus targets.

————————————————
Dr. Anjali Sardana, Assistant Professor, Dept. of Electronics and Communication, Indian Institute of Technology Roorkee, India. E-mail:

2 PROBLEM DESCRIPTION

To design a honeypot-based network architecture for the emerging mix of wired and wireless networking equipment and to simulate the attack capture process by performing controlled penetration tests on the network. The main objective of this project is to design a honeypot which deals with the attacks launched by a blackhat from a wireless machine. The problem can be subdivided into the following steps:
1. Simulation of various wireless attacks
2. Capturing the attacks
3. Storing the packets in the database
4. Analysis

In real-time scenarios, based on the activity detected on the wireless honeypot designed in this architecture, the following can be inferred about the intent of the attacker:
- Wired honeypot not attacked, but association with the wireless access point (AP) – a wardriver merely surveying the network (this could also be for planned future activities).
- Attempt to gain Internet access – an attacker trying to get free Internet access (again, this might be a first step towards a sophisticated attack).
- Installation of malicious binaries – the hacker is skilled and is looking to compromise a system for future hacking activities.
- Modification of core system files – the attacker is intending to compromise and inflict damage on critical systems.

3 TEST BED DESCRIPTION

Fig. 1 Test Bed

Two wired clients are connected to the access point with the help of a hub, one of which is a honeypot and the other a legitimate wired client. The entire configuration is as follows:
- Attacker: Dell laptop with 1395 running Windows and Ubuntu (dual-boot).
- Access point (192.168.111.213): D-Link DWL-2100, AirPlus XtremeG.
- Hub: Quantum QHM7300B-STP.
- Wired honeypot (192.168.111.209): running Linux 2.6.31-22 generic and Windows XP (dual-boot).
- Wired client (192.168.111.214): running Linux 2.6.31-22 generic.
- Access point: set up with basic WEP 64 encryption having a 5-digit ASCII code and also with MAC address filtering. Internet access was also provided to the network to get real-time data.

The wired honeypot consists of a low-interaction honeypot (i.e. presenting the adversary with emulators of vulnerable programs such as FTP and Telnet, and capturing limited interaction). This helps in protecting the critical network assets while still gathering attack data for further analysis. There is also a facility for analysis using ACID [2] (Analysis Console for Intrusion Databases). ACID is a PHP-based analysis engine to look up and analyse a database of security incidents captured by Snort.

4 COMPONENTS BACKGROUND

4.1 Honeypots

Honeypots are an interesting piece of technology with tremendous uses in the security sphere. The honeypot concept was first brought to light by several icons in computer security, specifically Cliff Stoll in the book "The Cuckoo's Egg" and Bill Cheswick's paper "An Evening with Berferd".
Since then, honeypots have continued to evolve, developing into the powerful security tools they are today. Honeypots do not solve a specific problem, unlike other security-related network components like IDS/IPS and firewalls. Due to their flexibility, they can do everything from detecting denial-of-service attacks to capturing an encrypted man-in-the-middle attack. It is this versatility that has made honeypots so effective in thwarting even skilled and highly sophisticated attackers. It is also this flexibility that can make honeypots a challenging entity to define and understand. As such, the following definition by Lance Spitzner defines what a honeypot is: "A honeypot is an information system resource whose value lies in unauthorized or illicit use of that resource." [3] All honeypots share the same concept: a security resource that should not have any production or authorized activity.
In other words, deployment of honeypots in a network should not affect critical network services and applications. A honeypot can distract adversaries from more valuable machines on a network, it can provide early warning about new attack and exploitation trends, and it allows in-depth examination of adversaries during and after exploitation of a honeypot.

4.2 Types of Honeypots

Honeypots can be of various types, but at a high level they can be broken down into two general categories: low-interaction and high-interaction honeypots. According to Lance's definition of a honeypot, interaction defines the level of activity a honeypot allows an attacker to perform.

Low-interaction
A low-interaction honeypot emulates operating systems and services. In case of an attack it can record the time, communication protocols, source IP, source port, destination IP, destination port, and exploit type for each attack. The following features of these honeypots make them a useful tool against attackers:
- Low risk of a possible compromise, as the emulated services control what attackers can and cannot do.
- Very easy to deploy and install in a network.

High-interaction
High-interaction honeypots let the attacker interact with the system like any real operating system. They allow administrators to capture extensive details about the full extent of an attacker's method. They carry increased risk, as there is little to no restriction placed on what the hacker can do once he/she compromises the system.

A honeypot is a machine on which no legitimate activity should be seen. This means that any traffic seen on a honeypot can be regarded as an attack or malicious activity. Since any connection to a honeypot is most likely a reconnaissance attempt by an attacker, the small set of data they collect is of very high significance.

Honeypots have several clear-cut advantages:
- Honeypots protect the actual production servers from an attack through emulation of services. If a weakness in the network leads to a compromise, honeypots can help buy sufficient time for the administrators to fix the loophole while the attackers are busy attacking the honeypot.
- Honeypots collect limited amounts of data pertaining only to them. Since any traffic directed towards them is considered malicious or unauthorized, even the small amount of data they collect is of high significance for network forensics.
- Honeypots can help to understand an attacker's tactics and methodologies. Since they are designed to capture anything thrown at them, they can help in finding tools or tactics never seen before.
- Honeypots have just one task, to capture everything directed towards them. This requires minimal resources.
- IDS/IPS systems require different configuration settings depending on the environment they are deployed in. Honeypots, however, work perfectly in encrypted or IPv6 environments. It does not matter what the honeypot receives, it will capture it.

4.3 Wireless LAN

A Wireless Local Area Network (WLAN) links two or more devices using some wireless distribution method (typically spread-spectrum or OFDM radio), and usually provides a connection through an access point to the wider Internet.
This gives users the mobility to move around within a local coverage area and still be connected to the network [4]. IEEE 802.11 is a set of standards maintained by the IEEE LAN/MAN Standards Committee. The first version of IEEE 802.11 was released in 199, but is today obsolete. The base current version of the standard is IEEE 8. The following are the various versions of 802.11 released to date:
- 8 (802.11 legacy)
- 802.11a (OFDM waveform)
- 802.11b
- 802.11g
- 8
- 802.11n
- 8
- 802.11ac
- 802.11ad

4.4 Wireless Concepts

4.4.1 Stations and Access Points

A wireless network interface card (adapter) is a device called a station, and is used to connect to radio-based computer networks. An access point (AP) is a station providing frame distribution service to the stations associated with it. The AP, also called a base station, provides wireless access to a wired Ethernet network.
It plugs into a hub, switch, or wired router and sends out wireless signals. The AP itself is usually connected by wire to a LAN. The station and AP each contain a NIC that has a Media Access Control (MAC) address, just as wired network cards have. The MAC address is a 48-bit number, assigned to the device at the time of manufacture, and is world-wide unique. The 48-bit address is represented as a string of six octets separated by colons (e.g., 00:01:2B:19:C9:F8) or hyphens (e.g., 00-02-2A-27-C9-F8). While the MAC address as assigned by the manufacturer is printed on the device, the address can be changed in software. Each AP also has a 0 to 32 byte long Service Set Identifier (SSID) that is used for naming the wireless network [5]. The SSID is used to segment the airwaves, allowing each packet sent over the wireless network to arrive at the correct location. If two wireless networks are physically close, the SSIDs label the respective networks; without SSIDs, sending and receiving data in a location with multiple wireless networks would be chaotic. A separate SSID allows the components of one network to ignore those of the other.
4.4.2 Infrastructure and Ad Hoc Modes

A wireless network operates in one of the two defined modes for 802.11 networks, the ad hoc mode and the infrastructure mode. In the ad hoc mode, each station is a peer to the other stations and communicates directly with other stations within the network. No access point is involved and all stations can send Beacon and Probe frames. The ad hoc mode stations form an Independent Basic Service Set (IBSS).

Fig. 2 Infrastructure and ad hoc modes

The infrastructure mode of operation is slightly different. As shown in the above figure, a station in the infrastructure mode communicates with an access point only. Analogous to the ad hoc mode IBSS structure, the infrastructure mode defines a Basic Service Set (BSS) forming a set of stations that are logically associated with each other and controlled by a single AP. Together they operate as a fully connected wireless network. Similar to a MAC address, the BSSID is a 48-bit number which uniquely identifies each BSS [6]. Advantages of infrastructure networks include greater stability, better security and scalability than most ad hoc networks.

4.4.3 Frames

The format of 802.11 frames is illustrated below in figure 3. Most of the frames contain IP packets. The 802.11 MAC frame consists of a MAC header, the frame body, and a frame check sequence (FCS). The numbers in the following figure represent the number of bytes for each field [6].

Fig. 3 IEEE 802.11 Frame

There are three different classes of 802.11 frames.

Management Frames
The management frames create and maintain communications between the components. The different messages involving management frames are:
- Association request
- Association response
- Reassociation request
- Reassociation response
- Probe request
- Probe response
- Beacon
- Announcement traffic indication message
- Disassociation
- Authentication
- Deauthentication

Most of the management frames also contain the SSID. These management messages are never encrypted, even when link encryption such as WEP/WPA/WPA-PSK is being used, so the SSID is visible to anyone who can intercept these frames.
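The header layout and the plaintext management body described above can be decoded straight from captured bytes. The following Python parser is an added example, not code from the paper; since the paper's figure 3 is not reproduced here, it uses the standard 802.11 layout (Frame Control 2, Duration 2, three 6-byte addresses, Sequence Control 2, optional fourth address for 4-address data frames, body, 4-byte FCS) and the beacon body (timestamp 8, interval 2, capability 2, then tagged elements). The two frames it decodes are constructed: a beacon for the testbed SSID "test" from a made-up BSSID, and a data frame from the same AP with the Protected bit set. It shows exactly what the paragraph states: the beacon's SSID, channel and "privacy" capability are readable by anyone, while a protected data frame exposes only its header.

```python
import struct
import zlib

FRAME_TYPES = {0: "management", 1: "control", 2: "data"}
MGMT_SUBTYPES = {
    0: "association request", 1: "association response",
    2: "reassociation request", 3: "reassociation response",
    4: "probe request", 5: "probe response", 8: "beacon",
    9: "ATIM", 10: "disassociation", 11: "authentication",
    12: "deauthentication",
}


def mac_str(raw):
    return ":".join(f"{b:02X}" for b in raw)


def parse_elements(body):
    """Walk the tagged information elements (id, length, value) of a management body."""
    elems = {}
    i = 0
    while i + 2 <= len(body):
        eid, elen = body[i], body[i + 1]
        value = body[i + 2:i + 2 + elen]
        if len(value) < elen:          # truncated element: stop rather than misparse
            break
        if eid == 0:
            elems["ssid"] = value.decode("utf-8", "replace")
        elif eid == 1:
            elems["rates_mbps"] = [(r & 0x7F) / 2 for r in value]
        elif eid == 3 and elen == 1:
            elems["channel"] = value[0]
        i += 2 + elen
    return elems


def parse_80211(frame):
    """Decode the MAC header, verify the FCS and, for beacons/probe responses, the plaintext body."""
    if len(frame) < 28:
        raise ValueError("frame shorter than minimal header + FCS")
    fc, duration = struct.unpack_from("<HH", frame, 0)
    ftype, subtype, flags = (fc >> 2) & 0x3, (fc >> 4) & 0xF, fc >> 8
    to_ds, from_ds = bool(flags & 0x01), bool(flags & 0x02)
    hdr_len = 30 if (ftype == 2 and to_ds and from_ds) else 24   # 4-address data frames
    info = {
        "type": FRAME_TYPES.get(ftype, "reserved"),
        "subtype": MGMT_SUBTYPES.get(subtype, str(subtype)) if ftype == 0 else subtype,
        "duration": duration,
        "addr1": mac_str(frame[4:10]),
        "addr2": mac_str(frame[10:16]),
        "addr3": mac_str(frame[16:22]),
        "seq": struct.unpack_from("<H", frame, 22)[0] >> 4,
        "protected": bool(flags & 0x40),
        # FCS is CRC-32 over header + body, transmitted little-endian
        "fcs_ok": zlib.crc32(frame[:-4]) == struct.unpack("<I", frame[-4:])[0],
    }
    body = frame[hdr_len:-4]
    if ftype == 0 and subtype in (5, 8) and len(body) >= 12:
        # beacon / probe response: timestamp(8) interval(2) capability(2) then elements
        _, interval, cap = struct.unpack_from("<QHH", body, 0)
        info["beacon_interval_tu"] = interval
        info["privacy"] = bool(cap & 0x0010)     # capability bit 4: encryption required
        info.update(parse_elements(body[12:]))
    elif ftype == 2:
        info["body_len"] = len(body)            # payload left opaque: ciphertext when protected
    return info


def build_frame(header_and_body):
    """Append a correct FCS to a constructed frame (helper for the sample frames below)."""
    return header_and_body + struct.pack("<I", zlib.crc32(header_and_body))


# Constructed sample frames (not a capture): a beacon for SSID "test" from a made-up BSSID,
# and a protected data frame from the same AP to a station.
BSSID = bytes.fromhex("001B11AABBCC")
STA = bytes.fromhex("000C29123456")
BEACON = build_frame(
    bytes([0x80, 0x00]) + b"\x00\x00"                  # FC: type 0 subtype 8, no flags; duration 0
    + b"\xff" * 6 + BSSID + BSSID + b"\x10\x00"         # addr1 broadcast, addr2 SA, addr3 BSSID, seq
    + struct.pack("<QHH", 0x123456789, 100, 0x0011)     # timestamp, 100 TU, ESS + privacy
    + b"\x00\x04test"                                   # SSID element
    + b"\x01\x04\x82\x84\x8b\x96"                       # supported rates 1, 2, 5.5, 11 Mbps
    + b"\x03\x01\x06"                                   # DS parameter set: channel 6
)
DATA = build_frame(
    bytes([0x08, 0x42]) + b"\x2c\x00"                  # FC: type 2 subtype 0, FromDS + Protected
    + STA + BSSID + BSSID + b"\x20\x00"
    + bytes(range(32))                                  # opaque (would be WEP/WPA ciphertext)
)

if __name__ == "__main__":
    for f in (BEACON, DATA):
        print(parse_80211(f))
```

The FCS check matters for a monitoring honeypot: a frame whose CRC fails was corrupted in the air or truncated by the capture and should not be trusted for SSID or address attribution.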
Control Frames
The control frames help in data delivery. They perform functions of area clearing operations, channel acquisition, carrier-sensing maintenance functions and positive acknowledgment of received data.

Data Frames
The data frames are the pack horses of 802.11, encapsulating the OSI network layer packets. These contain the source and destination MAC address, the BSSID, and the TCP/IP datagram, and haul data from station to station. The payload part of the datagram is encrypted.

4.4.4 Authentication

The 802.11 authentication standard specifies that the mobile device (station) needs to establish its identity with an access point (AP) or broadband wireless router. For this purpose, the IEEE 802.11 standard has defined two types of authentication schemes.

Open system authentication
Open system authentication consists of two communications. The first is an authentication request from the mobile device that contains the station ID (typically the MAC address). This is followed by an authentication response from the AP/router containing a success or failure message. All stations are authenticated without any checking.

Shared key authentication
In the closed network architecture with shared key authentication, a shared key or passphrase is manually set on both the mobile device and the AP/router [7]. The stations must know the SSID of the AP in order to connect to the AP. There are many types of shared key authentication in use today, for example WEP, WPA, WPA2, etc.

4.4.5 Association

After the completion of the authentication phase, for the station and AP to exchange data, a station has to associate with an AP in the infrastructure mode or with another station in the ad hoc mode. All the APs transmit Beacon management frames that contain the SSID, capabilities, time and other information. Association allows the AP to record each mobile device so that frames may be properly delivered. The association is a multi-step process. After the station and the AP mutually authenticate themselves by exchanging Authentication management frames, the mobile device authenticates to an AP by sending an Association Request. The AP processes the Association Request and, after deciding whether or not a particular client request should be allowed, the AP responds with an Association Response frame which is basically a status code of 0 (success) and the Association ID. The latter is used to identify the station for delivery of buffered frames when power-saving is enabled. A station can be authenticated with several APs at the same time, but associated with at most one AP at any time. Association implies that the authentication phase is already complete [7].

5 PENETRATION TESTING FLOW

We created an architecture which emulates a real-time scenario. Wireless networks normally provide a 'wedge' into a traditional wired network, and in our design we directed attacks based on the real risks of compromise inherent in the wireless infrastructure, and looked out for sensitive data stored elsewhere. The following flowchart represents the flow of penetration testing for the honeypot architecture:
Fig. 4 Honeypot Architecture Pentesting Flow

The attack methodology can be subdivided as follows:
1. Attack and penetration of networks encrypted with WEP, WPA-PSK and WPA2-PSK
2. Network discovery and reconnaissance
3. Man-in-the-Middle (MITM) attacks
4. Identifying devices interacting with the network
5. Stealing sessions and replaying
6. Traffic sniffing to capture confidential data
7. Evaluating password weaknesses and vulnerabilities
8. SSID discovery and impersonation
9. Node detection in the network
10. Joining open/unsecured networks
11. Analysis and report generation

6 ATTACK SIMULATION

6.1 Looking for Wireless Networks – A Passive Attack

A passive attack occurs when someone listens to or eavesdrops on an open wireless network by using a wireless network adaptor rigged to work in promiscuous mode. All packets having SSID tokens and MAC addresses are stored for analysis. A passive attack may not be malicious at all times, but it may be a stepping stone towards an active attack by an adversary. The tool used for the passive attack in this architecture was InSSIDer [8].
InSSIDer scans networks within reach of your computer's Wi-Fi and also has the capability to determine the security settings of a wireless network. NetStumbler [9] has long been a favorite for this sort of passive attack, but it doesn't work well with the latest versions of Windows. Usage of a tool such as InSSIDer is only an initial step in the process of reconnaissance by the attacker. After finding the concerned SSID and related details, the attacker can connect to the wireless network to sniff and capture network traffic. This might expose a lot of details about the network and the enterprise that uses it. For example, analyzing the network traffic may reveal to the attacker the DNS servers being used in the network, network names, unencrypted logon traffic, etc. The attacker can decipher this information and figure out whether the network is worth proceeding further with other attacks. Also, if the network is using a weak encryption scheme like WEP, the attacker can capture a sufficient number of packets and crack the encryption to get inside the network.
6.2 WEP Key Crack Simulation

For the wireless network, access points act as base stations. It is their task to receive and transmit data for the nodes to communicate within a wireless setup. The SSID of the WLAN should be known to a client for it to join that WLAN; therefore, for the purpose of letting the clients know their SSIDs, the access point has a beacon transmission feature, whereby it keeps transmitting a digitised signal so that any client which is in range can detect it in order to show it in the list of available wireless networks. Data packets are continuously sent between the AP and its nodes. With the right tools in the hands of an adversary, no physical access to the network is required to capture these packets. Since wireless networks can allow multiple nodes, to maintain confidentiality and integrity an authentication layer along with encryption is required before letting actual data transfer take place. It is in this layer where attackers can exploit a loophole and get inside the network.

6.2.1 Wireless Encryption

Many a time while setting up wireless networks, administrators tend to leave the default key unchanged. Skilled adversaries try to detect the vendor of the access point and, if they fail to do so, they try to break the pre-shared key that is used between the wireless AP and node to encrypt communication. Most home and small enterprise networks are encrypted using the two most popular encryption methods:

1. WEP
WEP or Wired Equivalent Privacy was designed to act as a default encryption method to protect link-level data in wireless systems. It was introduced back in 1999 as part of the first 802.11 standard. It is an RC4-based encryption scheme supporting 3 different key lengths: 64, 128, and 256 bits, also known as WEP 64, WEP 128, and WEP 256 respectively [10]. WEP security is badly broken. However, due to its compatibility with older devices it is still a widely popular encryption scheme for wireless networks and is used quite extensively. The WEP mechanism utilizes a user-defined or automatically generated key K and a 24-bit Initialization Vector (IV) [11] to encrypt the plaintext Msg and its checksum CS(Msg); the encrypted message is determined using the following formula:

    C = (Msg || CS(Msg)) XOR RC4(K || IV)

where || denotes concatenation. WEP also comes in WEP2 and WEP+ variants, which are not as common and are still as vulnerable as the standard WEP encryption.

2. WPA
WPA comes in two modes, WPA and WPA2, and was created as a solution to the problems found in the WEP encryption scheme. Both WPA modes provide a good level of security; however, they are not compatible with older devices and therefore not as popular as WEP. By design WPA was made keeping in mind that every node has to be distributed different keys; however, it is still used quite extensively in a not so secure manner where every node has the same password for authentication and encryption.

In our honeypot architecture we focused on the WEP encryption scheme and tried various new approaches for packet injection to crack the secret passphrase in real time, which are consequently captured by the honeypot having a fake AP running as an emulation service.

6.2.2 Packets and IVs

A wireless LAN may employ several security mechanisms. However, since all the wireless packets can be captured by anyone listening in promiscuous mode, it is imperative that confidentiality and integrity are maintained, as the attack surface in wireless is huge.
In the WEP encryption scheme, every encrypted data packet contains a 24- or 48-bit IV depending on the type of encryption. The motive behind using a random IV is to encrypt each WEP packet with a different key, since the pre-shared key between the AP and the node is static. That is, to avoid a data packet being encrypted by a twin encryption key, the IV is constantly changed. Since the client needs to know the initialization vector to decrypt the encrypted WEP packet, it is sent in plaintext. Now here is a security issue. Theoretically, if every IV was different, it would be nearly impossible to obtain the network key; this is not the case. Since the IV is considerably small, it would wrap around eventually, leading to potential reuse of the same key stream by different frames. For a 24-bit IV only 16 million unique values can be used for encryption before repetition starts. This may seem like a very large number, but for a busy wireless network it's minuscule. Not every IV is unique, and the adversary knows that all the keys used to encrypt packets are related by a known IV (since the user-entered passphrase part of the key is rarely changed); the only change in the key is 24 bits. Also, from the theory of probability for random variables, since the IV in WEP encryption is also randomly chosen, there is a fifty percent chance that the same IV will reappear after just 5,000 network packets, leading to a collision.
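The WEP formula of 6.2.1 and the IV-collision argument of 6.2.2 can be checked end to end in a few dozen lines. The Python example below is added here and is not the paper's code: it implements the WEP construction with RC4 and a CRC-32 integrity value (the standard's per-packet RC4 seed is the IV followed by K; the formula above lists the same two parts in the other order), encrypts three constructed frames under a made-up 5-byte WEP-64 key, and shows both the defender's side (a capture check that reports which IVs were reused) and why reuse matters (the XOR of two ciphertexts under the same IV equals the XOR of the two plaintexts, with the key playing no part). It also evaluates the birthday bound behind the "about 5,000 packets" figure, which comes out at 4,823 frames for a 24-bit IV.

```python
import math
import zlib


def rc4_keystream(seed, length):
    """Plain RC4: key scheduling followed by `length` bytes of keystream."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + seed[i % len(seed)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    while len(out) < length:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def icv(msg):
    """WEP integrity check value CS(Msg): CRC-32 of the message, little-endian."""
    return zlib.crc32(msg).to_bytes(4, "little")


def wep_encrypt(key, iv, msg):
    """C = (Msg || CS(Msg)) XOR RC4(IV || K); the 3-byte IV travels in clear ahead of C."""
    if len(iv) != 3:
        raise ValueError("WEP IV is 24 bits")
    plain = msg + icv(msg)
    return iv + xor_bytes(plain, rc4_keystream(iv + key, len(plain)))


def wep_decrypt(key, frame):
    """Return (msg, icv_ok). A wrong key yields garbage whose CRC does not match."""
    iv, ct = frame[:3], frame[3:]
    plain = xor_bytes(ct, rc4_keystream(iv + key, len(ct)))
    msg = plain[:-4]
    return msg, icv(msg) == plain[-4:]


def find_iv_reuse(frames):
    """Defender's capture check: map every IV that occurs more than once to its frame indices."""
    by_iv = {}
    for idx, f in enumerate(frames):
        by_iv.setdefault(f[:3], []).append(idx)
    return {iv: idxs for iv, idxs in by_iv.items() if len(idxs) > 1}


def keystream_reuse_leak(frame_a, frame_b):
    """Two frames under one IV share a keystream, so C_a XOR C_b = P_a XOR P_b, key not needed."""
    if frame_a[:3] != frame_b[:3]:
        raise ValueError("frames use different IVs; no shared keystream")
    return xor_bytes(frame_a[3:], frame_b[3:])


def collision_probability(n_frames, iv_bits=24):
    """Birthday bound: P(at least one repeated IV among n uniformly random IVs)."""
    return 1.0 - math.exp(-n_frames * (n_frames - 1) / (2.0 * 2 ** iv_bits))


def frames_for_half_chance(iv_bits=24):
    """Number of frames after which a repeated IV is more likely than not."""
    return math.ceil(math.sqrt(2 * 2 ** iv_bits * math.log(2)))


# Constructed sample (not captured traffic): a WEP-64 key of 5 ASCII bytes, as in the testbed,
# and three 16-byte frames of which the first and the third reuse the same IV.
KEY = b"k3y!5"
FRAMES = [
    wep_encrypt(KEY, b"\x01\x02\x03", b"GET /index.html "),
    wep_encrypt(KEY, b"\x07\x08\x09", b"USER achin\r\nPASS"),
    wep_encrypt(KEY, b"\x01\x02\x03", b"PASS hunter2\r\n  "),
]

if __name__ == "__main__":
    print("frames until P(repeat) >= 1/2:", frames_for_half_chance())
    print("P(repeat) after 5000 frames: %.2f" % collision_probability(5000))
    reused = find_iv_reuse(FRAMES)
    print("reused IVs:", {iv.hex(): idx for iv, idx in reused.items()})
    leak = keystream_reuse_leak(FRAMES[0], FRAMES[2])
    print("P0 XOR P2 recovered without the key:", leak[:16].hex())
```

Run against a real capture, `find_iv_reuse` is the check a honeypot operator would use to quantify exposure: every IV it reports is a pair of frames whose plaintexts are tied together exactly as the paragraph describes, which is why collecting 27,620 IVs (as in 6.2.3) is enough to break the key.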
If an adversary can decipher the content of one packet, due to the collision he/she can view the contents of the other packet. If a sufficient number of packets are collected whose IVs match, the complete security of the wireless network can be breached.

6.2.3 Packet Injection

Option 1 – ARP Request Replay Attack
Address Resolution Protocol (ARP) is a required TCP/IP standard defined in RFC 826 [12]. It is a TCP/IP protocol used to convert an IP address into a physical address. To be more precise, ARP resolves IP addresses used by TCP/IP-based software to media access control addresses used by LAN hardware. Injection of packets into the network can be done by re-sending packets that have already been received. For this purpose the Aireplay tool [13] (part of the Aircrack suite) can be used.
The most efficacious way of creating initialization vectors is through the classic ARP request replay attack, and most of the time it works very reliably. To achieve injection of IVs, the malicious node in our architecture keeps listening for an ARP packet and then retransmits the same packet back to the AP. This makes the AP believe that it has to send the ARP packet with a new IV. So the malicious node keeps retransmitting the same ARP packet over and over again and the AP keeps sending an ARP packet with a new IV. All these IVs collected by the malicious node allow the WEP key to be determined.

Basic usage for aireplay:

    aireplay-ng -3 -b 00:13:10:30:24:9C -h 00:11:22:33:44:55 eth0

Where:
- -3 means standard ARP request replay
- -b 00:17:9A:82:32:51 is the access point MAC address
- -h 00:11:22:33:44:55 is the source MAC address
- eth0 is the wireless interface name

In our setup we replayed an ARP which was previously injected to save time. The trick is to use the same command plus "-r" to read the output file from your last successful ARP replay.

    aireplay-ng -3 -b 00:17:9A:82:32:51 -h 00:11:22:33:44:55 -r Achin.cap eth0

Where:
- -3 means standard ARP request replay
- -b 00:17:9A:82:32:51 is the access point MAC address
- -h 00:11:22:33:44:55 is the source MAC address (either an associated client or from fake authentication)
- -r Achin.cap is the name of the file from the last successful ARP replay
- eth0 is the wireless interface name

Option 2 – Association/Disassociation
This was a unique way of getting enough IVs. We simulated the IV generation by creating a batch file to automate the authentication and deauthentication process using a legitimate client with the access point; the number of packets required to crack WEP was collected very easily using this setup without using any specific tool.

    REM Windows batch file: connect and disconnect the legitimate client 1000 times
    @echo off
    for /L %%a in (1,1,1000) do (
        netsh wlan connect ssid=test name=test
        TIMEOUT 10
        netsh wlan disconnect
    )
    pause

Result: 45 pcap files with 5000 packets each were collected and used as input. A total of 27620 IVs were collected, which subsequently helped in breaking the key.

6.3 ARP Cache Poisoning Simulation

As discussed earlier in the ARP request replay attack, the Address Resolution Protocol serves the function of determining the mapping between IP addresses and MAC hardware addresses on local networks. For example, a machine that wants to send a message to IPv4 address 192.168.1.2 sends a broadcast ARP packet on the LAN that basically asks for the MAC corresponding to that IP address. The host whose assigned IP is 192.168.1.2 sends back an ARP reply packet with its MAC address.
This mapping from IP to physical address is stored by the requesting host for future communication. This updating of the cache that stores the IP mappings helps in minimizing network traffic, and if in future communications the MAC address corresponding to a given IP address has changed, the old value in the cache is overridden. ARP replies are unicast packets, that is, only the requester receives them. However, ARP requests are always broadcast on the entire LAN.

6.3.1 ARP Cache Poisoning in 802.11 Networks

In our architecture the access point acts as a hub for all the hosts on the wireless network and does the task of bridging traffic between the wireless network and the wired network. Now in this case, we can say that there are two separate collision domains [14]. One collision domain is defined by all hosts on the wireless subnet, and the hosts on the wired network define the second collision domain. The AP's presence does not limit the broadcast domain and it extends to the wired network. Protocols such as DNS can be configured to only accept secured dynamic updates, but since any node can send an ARP reply to another node, it can update any node's cache with a new IP-to-MAC mapping. In our honeypot environment this attack is even more dangerous, as it is applicable to all hosts in a broadcast domain and, because the access point acts as a bridge, the ARP replies can propagate into the entire network.

6.3.2 Modus Operandi – ARP Cache Poisoning

Although there are tools to carry out this attack like Cain and Abel [15], as part of this research we created custom tools for ARP poisoning and demonstrated how our honeypot captures the attacks and shows alerts. We worked on the concept that if a MITM attack can be performed by a wireless attacker against two hosts present on the wired network connected to the same switch as the access point, and the crafted ARP packets can reach both the victim hosts, we can compromise the entire wired network from a wireless node. It was necessary to forge the packets because Ethernet frames that are not addressed to the legitimate machine cannot be received by the malicious node, as all NICs silently cast aside frames addressed to other MAC addresses (except for multicast Ethernet addresses). Specifically for this purpose we used Scapy [16], which allowed us to forge the packets and send them using a raw socket.

    Achink:$ scapy
    >>> ipsrc = '192.168.111.112'
    >>> ipdst = '192.168.111.101'
    >>> macsrc = '00:00:00:00:00:AB'
    >>> macdst = '00:00:00:00:00:BC'
    >>> etherpack = Ether(src=macsrc, dst=macdst)
    >>> # op=2 is an ARP reply claiming ipsrc is at macsrc
    >>> arppack = ARP(op=2, psrc=ipsrc, pdst=ipdst, hwdst=macdst, hwsrc=macsrc)
    >>> finalpack = etherpack/arppack
    >>> sendp(finalpack, loop=1, inter=1)

6.3.3 Protecting against ARP Poisoning
- Creating static ARP entries with the correct IP/MAC address matching.
- Blocking gratuitous ARP replies.
- Building custom software designed to monitor and protect your computer's ARP table.
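The third countermeasure listed above, software that watches the ARP table, is what a honeypot on the wired segment can run to raise the alerts the paper mentions in 6.3.2. The following Python monitor is an added example and is not the paper's tool. It consumes ARP packets as (time, opcode, sender IP, sender MAC, target IP) tuples, learns IP-to-MAC mappings from replies, honours a static table for hosts whose mapping must not change (the first countermeasure), and flags the symptoms of poisoning: a reply that no request preceded (the gratuitous replies of the second countermeasure), a mapping that silently changes, a static entry contradicted on the wire, and one MAC claiming several IP addresses. The observation list is constructed: the AP address 192.168.111.213 and the host/victim addresses come from the paper's testbed and Scapy session, while every MAC is made up.

```python
from collections import defaultdict

ARP_REQUEST, ARP_REPLY = 1, 2


class ArpWatcher:
    """Passive ARP monitor for one broadcast domain (hypothetical helper, not the paper's tool)."""

    def __init__(self, static_table=None, request_window=2.0):
        self.static = dict(static_table or {})   # trusted IP -> MAC, never overridden
        self.learned = {}                          # IP -> MAC seen in replies
        self.pending = {}                          # IP asked about -> time of the request
        self.window = request_window               # seconds a reply may lag its request
        self.ips_by_mac = defaultdict(set)
        self.alerts = []                           # (time, kind, ip, mac)

    def observe(self, ts, op, sender_ip, sender_mac, target_ip):
        """Feed one ARP packet as seen by a sniffer on the segment."""
        if op == ARP_REQUEST:
            self.pending[target_ip] = ts           # someone asked about target_ip
            return
        if op != ARP_REPLY:
            return
        asked_at = self.pending.get(sender_ip)
        if asked_at is None or ts - asked_at > self.window:
            self._alert(ts, "unsolicited reply", sender_ip, sender_mac)
        expected = self.static.get(sender_ip)
        if expected is not None and expected != sender_mac:
            self._alert(ts, "static mapping violated", sender_ip, sender_mac)
        previous = self.learned.get(sender_ip)
        if previous is not None and previous != sender_mac:
            self._alert(ts, f"mapping changed from {previous}", sender_ip, sender_mac)
        self.ips_by_mac[sender_mac].add(sender_ip)
        if len(self.ips_by_mac[sender_mac]) > 1:
            self._alert(ts, "one MAC claims multiple IPs", sender_ip, sender_mac)
        if expected is None:                       # static entries stay authoritative
            self.learned[sender_ip] = sender_mac
        self.pending.pop(sender_ip, None)

    def _alert(self, ts, kind, ip, mac):
        self.alerts.append((ts, kind, ip, mac))


def run_watch(observations, static_table=None):
    """Replay (time, op, sender_ip, sender_mac, target_ip) tuples and return the alerts raised."""
    watcher = ArpWatcher(static_table)
    for obs in observations:
        watcher.observe(*obs)
    return watcher.alerts


# Constructed observations (not a capture) on the paper's 192.168.111.0/24 testbed.
# The AP address 192.168.111.213 is from the paper; all MACs are made up. The first four
# packets are a normal request/reply exchange; the last three have the shape of the forged
# replies from the Scapy session above (no request, a MAC the hosts never used before).
AP_MAC = "00:1B:11:AA:BB:CC"
STATIC = {"192.168.111.213": AP_MAC}
ARP_LOG = [
    (0.0, ARP_REQUEST, "192.168.111.101", "00:00:00:00:00:BC", "192.168.111.112"),
    (0.1, ARP_REPLY,   "192.168.111.112", "00:00:00:00:00:12", "192.168.111.101"),
    (5.0, ARP_REQUEST, "192.168.111.101", "00:00:00:00:00:BC", "192.168.111.213"),
    (5.1, ARP_REPLY,   "192.168.111.213", AP_MAC,              "192.168.111.101"),
    (9.0, ARP_REPLY,   "192.168.111.112", "00:00:00:00:00:AB", "192.168.111.101"),
    (9.5, ARP_REPLY,   "192.168.111.213", "00:00:00:00:00:AB", "192.168.111.101"),
    (10.0, ARP_REPLY,  "192.168.111.112", "00:00:00:00:00:AB", "192.168.111.101"),
]

if __name__ == "__main__":
    for ts, kind, ip, mac in run_watch(ARP_LOG, STATIC):
        print(f"t={ts:5.1f}s ALERT {kind}: {ip} claimed by {mac}")
```

The request window is the one tunable: hosts that answer slowly or proxy-ARP gateways produce late or unsolicited replies legitimately, so in production the "unsolicited reply" alert is best treated as corroborating evidence next to "mapping changed" and "static mapping violated", which are the signals that matter on a segment where the AP bridges wireless hosts into the wired LAN.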
6.4 Other Attacks

The following attacks were also simulated:
- Evil Twin Attack
- Dictionary Attack on WPA-PSK
- Extensible Authentication Protocol Attack
- De-Authentication Flooding

7 CAPTURE MODULE

The designed honeypot was an amalgam of many capture mechanisms. It included an IDS, an open source analysis engine, custom emulation modules for popular protocols and custom scripts.

7.1 Emulation Scripts and High Privilege Processes

Emulation scripts for critical services were created:
- SSH Emulation Script – This script tracks brute force attacks and logs them.
- Web Server Emulation Script – This script emulated all critical web issues such as remote file uploads, cross-site request forgery attacks and SQL injection.
- Windows Services Emulation Script – This script creates instances of Windows services such as SMB and FTP.

7.2 Intrusion Detection System

Intrusion detection is the art of detecting inappropriate, incorrect, or anomalous activity [17]. Among the other tools employed in a network environment, an Intrusion Detection System (IDS) has the sole purpose of determining whether a computer network or server has experienced an unauthorized intrusion.

7.2.1 Snort

Snort was used as the IDS in our honeypot architecture, as it is one of the best open source intrusion detection systems, has a considerable community base, and supports three important functionalities which formed the core basic services of our honeypot:
- Sniffer Mode: Snort can be used as a packet sniffer similar to Wireshark and can easily be configured to display only IP headers or the payload, as required.
- Logger Mode: It also supports logging all traffic to a file, which can be used for forensics and analysis at a later stage.
- Intrusion Detection Mode: This is the core mode of Snort. Snort maintains a database of signatures against which all packets are compared. If a packet matches a malicious signature, an alert is sent. Snort comes with a large repository of signatures (around 800) and can also load additional plugins [18].

Since Snort is just an intrusion detection system at its roots, for our honeypot we needed a comprehensive analysis toolkit and an administration GUI. For this purpose we chose ACID (Analysis Console for Intrusion Databases).
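As an added example (not the paper's emulation script or its Snort rules), this is the kind of brute-force tracking the SSH emulation script is described as doing, run over constructed log lines: a per-source sliding window of failed logins raises one alert when the threshold is reached and suppresses repeats for a source already alerted on, the same de-duplication of handled alerts the analysis section describes. The key=value log format is an assumption made for the example.

```python
"""Brute-force detection over SSH emulation logs (added example, not the
paper's script). Lines are parsed as 'timestamp ssh-emu src=... user=...
result=fail|success'; anything else is skipped.
"""
import re
from collections import defaultdict, deque
from datetime import datetime
from typing import Deque, Dict, List, Optional, Set

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ssh-emu src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>\S+)$")

# Constructed sample log: one source hammering root/admin/oracle, one slow legitimate user.
SAMPLE_LOG = """\
2013-10-05T14:02:01 ssh-emu src=10.0.0.5 user=root result=fail
2013-10-05T14:02:03 ssh-emu src=10.0.0.5 user=root result=fail
2013-10-05T14:02:04 ssh-emu src=10.0.0.9 user=alice result=fail
2013-10-05T14:02:06 ssh-emu src=10.0.0.5 user=admin result=fail
2013-10-05T14:02:08 ssh-emu src=10.0.0.5 user=admin result=fail
2013-10-05T14:02:09 ssh-emu src=10.0.0.9 user=alice result=success
2013-10-05T14:02:11 ssh-emu src=10.0.0.5 user=oracle result=fail
2013-10-05T14:02:13 ssh-emu src=10.0.0.5 user=oracle result=fail
2013-10-05T14:09:30 ssh-emu src=10.0.0.9 user=alice result=fail
2013-10-05T14:15:40 ssh-emu src=10.0.0.9 user=alice result=fail
garbage line that the parser must skip
"""


def parse_line(line: str) -> Optional[dict]:
    """Return the parsed fields of one log line, or None if it is malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    try:
        ts = datetime.fromisoformat(m.group("ts"))
    except ValueError:
        return None
    return {"ts": ts, "src": m.group("src"), "user": m.group("user"), "result": m.group("result")}


def detect_bruteforce(lines, threshold: int = 5, window_s: int = 60) -> List[dict]:
    """One alert per source whose failed logins reach `threshold` within `window_s` seconds."""
    recent: Dict[str, Deque[datetime]] = defaultdict(deque)   # failure timestamps per source
    users: Dict[str, Set[str]] = defaultdict(set)              # usernames tried per source
    alerted: Set[str] = set()                                  # sources already reported
    alerts: List[dict] = []
    for line in lines:
        entry = parse_line(line)
        if entry is None or entry["result"] != "fail":
            continue
        src, ts = entry["src"], entry["ts"]
        q = recent[src]
        q.append(ts)
        users[src].add(entry["user"])
        # Drop failures that fell out of the sliding window.
        while q and (ts - q[0]).total_seconds() > window_s:
            q.popleft()
        if len(q) >= threshold and src not in alerted:
            alerted.add(src)
            alerts.append({"src": src, "count": len(q),
                           "first_seen": q[0].isoformat(), "last_seen": ts.isoformat(),
                           "users": sorted(users[src])})
    return alerts
```

The window keeps memory bounded per source, and reporting the set of usernames tried distinguishes a dictionary run against one account from an account-enumeration sweep; both would be written to the same alert database the IDS feeds.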
ACID is a web-based analysis toolkit that can be used to inspect Snort data (which is written into a database).

ANALYSIS USING BASE - THE BASIC ANALYSIS AND SECURITY ENGINE

BASE [19] is a tool that has the ability to search and process databases containing security events. It is written in the PHP programming language and supports display of information from the DB in an organized manner. When BASE is used with Snort as the IDS, it has built-in support to read both tcpdump binary log formats and Snort alert formats. Both layer-3 and layer-4 packet details can be analysed once the data is logged and processed. In our analysis we generated graphs and statistics for all the attacks that were simulated. The data from the custom emulation scripts was also utilized in generating the graphs in order to give a lucid picture.
Custom scripts were also written to analyse and derive the packet payloads corresponding to every attack, so as to help in understanding attack methodologies. Since the BASE search interface supports querying the database and generating visuals at runtime, all attacks were analysed effectively. On top of that, BASE also allowed us to manage alerts easily. We categorized high impact attacks into alert groups and minimized false positives by keeping track of previously handled alerts.

CONCLUSION

In this work, a honeypot for a network architecture having a mix of wired and wireless equipment is designed, with web-based monitoring and rule-based intrusion detection capability. The honeypot is interfaced with a SQL database, has a rich set of logging functionalities, and provides a convenient GUI for users to visualize the results.
The wireless-to-wired attacks simulated in our controlled penetration testing of the wireless architecture demonstrate that, given the wide range of attacks that can be carried out in such an environment, honeypots can act as a great resource in thwarting skilled adversaries and protecting critical resources from being breached. The ability of the honeypot to gather information about the attacker's tools and methodologies makes it an indispensable network component alongside firewalls and intrusion detection systems.
However, a honeypot still cannot be considered a mandatory product with a fixed place in every security-aware environment, as firewalls or intrusion detection systems are today. There is a huge risk of the network being totally compromised if the honeypot has loopholes, and therefore there is an ever-present need for tight supervision and monitoring. Despite the risk, this security resource could easily become an effective way to monitor wireless intrusion attempts in critical network environments and can act as an important tool to understand a blackhat's goals.

ACKNOWLEDGMENT

The authors wish to thank Ms.
Radhika Goel, Mr. Emmanuel Pilli and Mr. Raj Khati for their support and help. This work was supported in part by a grant from the Microsoft Scholarship Award, Indian Institute of Technology Roorkee, India.

REFERENCES

[1] Rick Schoeneck, "Wireless Honeypot, GIAC Security Essentials Certification (GSEC)", URL: honeypot/104986, pp. 7-8, June 2003
[2] ACID, "Analysis Console for Intrusion Databases", URL:
[3] L. Spitzner, "Honeypots: Definitions and Value", URL: hackers.com/papers/honeypots.html, 2003
[4] Wireless networking, URL: le08-03networks.html.
Any ideas, anyone?
On Sat, 2004-03-27 at 10:40, Nick Couchman wrote:

I'm having a couple (more) issues with keepalived. First, let me explain how I (want to) have things set up. I have three new servers - Intel P4 3.2 GHz with 2 and 4 GB of RAM. I would like to have all three servers run keepalived and act as real servers. One would be the master (have VRRP in the master state for the VIP) and the other two would be in the BACKUP state. Here are my two issues:

1) I'm probably going to use tunneling (unless someone else has a better/easier suggestion). I have already applied the arp/hidden patch to the kernel. I need some way of bringing up the tunneling interface when the machines go into backup state and taking it down when they come out. It seems that if you put the 'notify_master' and 'notify_backup' directives in the keepalived configuration, keepalived no longer multicasts the VRRP information. So what I end up with when I try to use those directives is two machines in the master state. Does anyone know a good way to get around this? Maybe there is something that I can put into one of those scripts to replace the default multicast transmission?

2) I also need to deal with IPVS connection synchronization. First of all, I can't even get the IPVS sync daemon to start by default with keepalived. Then, when I try using 'lvs_sync_daemon_interface eth0' (as per one of the sample configuration files), the VRRP keepalived process fails to start (or dies) altogether. How do I get this daemon to run so that my connection state information is in sync? Second, am I going to have any issues with the MASTER/BACKUP daemons? Let me explain - say keepalived comes up and there is one MASTER IPVS daemon and two BACKUP daemons.
When the MASTER VRRP machine goes down, will one of the backup keepalived daemons automatically shut down the backup daemon and start the master daemon (and then shut back off when the master VRRP machine comes back)? Thanks in advance, Nick.
I'm using keepalived 1.1.6, SuSE Linux Enterprise Server (SLES) 8, kernel '2.4.21-198-athlon'. I compiled thus:

./configure --prefix=somewhere CFLAGS='-DNORC5 -DNOIDEA -g' --enable-debug

Using the attached configuration file, the vrrp daemon invariably crashes on startup, meaning I only get two keepalived processes running instead of three and I have a core file in the current directory.
I started like this:

morse:/ # killall keepalived
morse:/ # /home/pei/keepalived/install/sbin/keepalived -D
morse:/ # ps ax | grep keep
16263 ?        S      0:00 /home/pei/keepalived/install/sbin/keepalived -D
16264 ?        S      0:00 /home/pei/keepalived/install/sbin/keepalived -D
16292 pts/0    S      0:00 grep keep
morse:/ # file core
core: ELF 32-bit LSB core file of 'keepalived' (signal 11), Intel 80386, version 1 (SYSV), from 'keepalived'
morse:/ # gdb /home/pei/keepalived/install/sbin/keepalived core
GNU gdb 5.2.1
[snip]
Core was generated by `/home/pei/keepalived/install/sbin/keepalived -D'.
Program terminated with signal 11, Segmentation fault.

Hi Wensong,

Sorry for the delay.
I probably need more time to play with your security extension on syncd.

No problems, let me know if I can help.

As for the TTL issues, if we set TTL=255, it may create a lot of unnecessary multicast traffic, because routers may forward our multicast messages. So, I set TTL=1 to limit the traffic to the local network. ICV is usually enough to authenticate incoming sync messages, right?

Hmm, yes, the main reason IMHO is that testing for TTL=255 is less CPU-consuming than computing the whole ICV upon receiving messages, especially during a DoS playground. On the other hand, an mcast stream is forwarded on another router interface only if there are some subscribers for the mcast group on those interfaces; if there are no subscribers, no stream is forwarded.
From here we can have 2 scenarios:

1. Router connecting 2 ethernet segments: - LAN 1 -Router- LAN 2 -: if a LAN1 user joins the group and starts sending datagrams, the router igmp code will acknowledge; then if a user on LAN2 performs the same igmp join it will be able to receive the stream from LAN1. If we want to control LAN2 membership, then we can set a firewalling rule for igmp on the LAN2 router's interface (so that join requests will be dropped).

2. Routers interconnected: - LAN 1 -Router1-...-Routern- LAN 2 -: Considering a stream from a LAN1 source, Router1 is the 'First-hop router' and Routern the 'Last-hop' (called 'leaf'). Someone upstream of Router1 will see the stream only if these routers are running a multicast routing protocol that is in charge of reporting membership to last hop routers. If no mcast routing protocol is used, then the stream will not be forwarded since no distribution tree will be created. This is the most used IMHO since loadbalancing stuff is done on some DMZ segment not directly connected to the ISP router.
To be fully secure the network admin must set some filtering ACL on the 'WAN' interface for IGMP. OTOH, we can find complex multi-homed scenarios where we want to replicate the IPVS connection table using a mcast routing protocol to other network segments.
Cool, with BGP. But connections learned by syncd must expire after the BGP convergence time. Anyway this is another topic here :) anyway this is up to you :)

Regards, Alexandre.

Thomas Halwax wrote: Well yes.
That's the idea behind it (but it is not implemented for scripts yet). Keepalived will fire up only one script. That script (the 'transit' script) will go through all other scripts in the appropriate directory and run them.
I have this file 'transit' on my disk, which I downloaded recently and couldn't figure out why I had it or what it did. Now I see it has your name in it :-) (I was busy yesterday) sorry.

... same time doing different things. So I have to think about some kind of semaphore to tell the framework to complete the transition to backup before it can transit to master (or vice versa).

OK Thanks Joe

- Joseph Mack PhD, High Performance Computing & Scientific Visualization SAIC, Supporting the EPA Research Triangle Park, NC 919-541-0007 Federal Contact - John B. Smith 919-541-1087 - smith.johnb@.

this seems a neat idea.
The webpage has the directories (in 'Directory structure') and the 'Example of keepalived.conf' as one line, which makes it hard to read.

Sorry for this. I will change it.

Does this work if you want to fire off multiple scripts for each event (eg if the to-backup transition requires several scripts to do the transition)?

Well yes.
That's the idea behind it (but it is not implemented for scripts yet). Keepalived will fire up only one script. That script (the 'transit' script) will go through all other scripts in the appropriate directory and run them. Also the daemons (using the RedHat 'service' command) will be started or stopped. There are (at the moment) two points to think about:

1. Will we first run the scripts or first start/stop the daemons?

2. If we start a node (name it node B) in vrrp backup mode the framework will also start/stop the necessary daemons. But if just a few seconds later the master node (node M) fails, keepalived will switch node B to master mode, so two concurrent framework processes run at (almost) the same time doing different things. So I have to think about some kind of semaphore to tell the framework to complete the transition to backup before it can transit to master (or vice versa).

Thomas Halwax wrote: Please read the initial documentation and tell me what you think about it.

This seems a neat idea. The webpage has the directories (in 'Directory structure') and the 'Example of keepalived.conf' as one line, which makes it hard to read.
Does this work if you want to fire off multiple scripts for each event (eg if the to-backup transition requires several scripts to do the transition)?

Joe

- Joseph Mack PhD, High Performance Computing & Scientific Visualization SAIC, Supporting the EPA Research Triangle Park, NC 919-541-0007 Federal Contact - John B. Smith 919-541-1087 - smith.johnb@.

Ok here is a tiny patch for keepalived 1.1.7 pre0 (1.1.6 post Alex patch):

ipvswrapper.c@. if (modprobeipvs ipvsinit) + modprobeipvs; if (ipvsinit) =20

This way if modprobe fails with the message 'insmod: a module named ipvs already exists' we just re-test if ipvs is available, and as it is the case, it no longer stops us from working :) Tested on my conf without the insmod directive in /etc/rc.d/init.d/keepalived: Ok

/var/log/syslog still reports:

insmod: insmod: a module named ipvs already exists
modprobe: modprobe: insmod ipvs failed

Which is normal as we do a modprobe_ipvs twice. Any comments?
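Review bot: the rewritten condition discards the return value of modprobe_ipvs altogether, so a real modprobe failure (module absent, not just already present) is now only caught by the following ipvs_init test, and as the syslog excerpt in the message shows, probing again when the module is already loaded or built in writes 'insmod: a module named ipvs already exists' and 'modprobe: insmod ipvs failed' on every start. Reversing the order avoids both problems: test ipvs_init first, call modprobe_ipvs only when that fails, then re-test ipvs_init; that removes the double modprobe the message mentions and keeps the log clean while still loading the module on systems where it is not present.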
Niko

-----Original Message-----
From: Nicolas Helleringer
Sent: Thursday, 25 March 2004 12:23
To: 'keepalived-devel@.'
Subject: RE: Keepalived-devel Problem sum up with keepalived boot startup

Ok It seems I found a way around: In my /etc/rc.d/init.d/keepalived I put an insmod ipvs before launching keepalived. It seems to boot fine then. I have no IPVS directly in the kernel (it's a Mandrake one: no way). Alexandre = do both processes of keepalived try to launch/load the ipvs module? Are these accesses mutexed? Shouldn't they be?
If one of the processes gets 'insmod: a module named ipvs already exists' it considers IPVS is not available. This is not true, am I right?
Niko

P.S: BTW it seems with the insmod ipvs even with HT and SMP activated it runs fine :)

-----Original Message-----
From: Francois JEANMOUGIN mailto:Francois.JEANMOUGIN@.
Sent: Thursday, 25 March 2004 12:08
To: keepalived-devel@.
Subject: RE: Keepalived-devel Problem sum up with keepalived boot startup

Nicolas Helleringer: And sorry but I still did not find out why I got messages like:

kernel: IPVS: Connection hash table configured (size=4096, memory=32Kbytes)
kernel: IPVS: Each connection entry needs 120 bytes at least
kernel: IPVS: ipvs loaded.
insmod: insmod: a module named ipvs already exists
modprobe: modprobe: insmod ipvs failed
Keepalived_vrrp: IPVS: Can't initialize ipvs: Protocol not available

I think that IPVS is already included in your mandrake kernel code. I suppose it is not version compatible with the ipvs headers you compiled keepalived with.
Not sure, but. This SF.Net email is sponsored by: IBM Linux Tutorials Free Linux = tutorial presented by Daniel Robbins, President and CEO of GenToo = technologies. Learn everything from fundamentals to system = administration. Keepalived-devel mailing list Keepalived-devel@.
Attachments:

Hi,

Here is the stuff:
1. Ipvsadm-1.24 patch that adds the new --icv-key option
2. Kernel 2.6.4 patch
3. Syncdutil tool

The syncdutil tool has been used to dump mcast syncd messages as well as for injecting nasty packets to syncd. You will find in the scn.h file the scenario buffers I used to validate the syncd extension code.
For non-authenticated mode I added one more sanity check, to validate as much as possible the nr_conns field. In normal mode, we can add a sanity check that tests if the nr_conns present in the incoming buffer is lower than or equal to ( (sync_recv_mesg_maxlen - SYNC_MESG_HEADER_LEN) / SIMPLE_CONN_SIZE ), according to the interface MTU value. I will put the syncdutil tool on the LVS website when Horms has completed the user data recovery.
Have a nice week-end, Alexandre.

Hi Wensong,

As previously discussed, you will find attached a patch that adds strong authentication support to IPVS syncd. This uses the Kernel CryptoAPI for hmac-md5 computation using incremental updates while filling in the current syncd buffer (curr_sb). The patch is generated for the last 2.6.4 kernel. The ipvsadm patch applies to the last ipvsadm-1.24 present on the software pages. Additionally, you will find below the short write-up explaining this strong authentication extension. I will put this into a sexy pdf file on the LVS website as soon as Horms recovers the user data. At the end of the document, I would like to discuss the TTL value present in the multicasted IP datagram, and the potential switch from TTL=1 to TTL=255. Please give me your opinion on this, I really think this can add more security. The current strong authentication patch doesn't implement this TTL=255 sanity check. All comments are welcome, have a nice week-end, Alexandre

PS: Source files in next message

- Syncd write-up -

IPVS syncd strong authentication extension
Linux Virtual Server OpenSource Project
Paris, France, March 2004
Alexandre Cassen

- I. Introduction -

The remainder of this document describes the features, design goals and theory of the syncd strong authentication extension.
The current syncd design multicasts IPVS connection entries in plaintext fashion. Those multicast messages are caught by backup IPVS routers subscribed to the syncd multicast group and then appended into the local router's IPVS connection table. Since IPVS load balancing decisions are scheduled using this connection table, this document is an attempt to add authentication provisions in syncd to protect against packet injection and other malicious attacks.

- Syncd Authentication global design -

To support message authentication, we add a new header:

 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                        Sequence Number                        |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                                                               |
|                      HMAC-MD5-96bit ICV                       |
|                                                               |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

We add two new fields.
A 32-bit sequence number field to deal with anti-replay attacks and a 96-bit truncated ICV for the keyed digest. This design is inspired by the one we found in IPSEC-AH. This new header will be inserted between the ipvs_sync_mesg header and the first ipvs_sync_conn. As keyed digest algorithm, we will use HMAC-MD5.
The main goal is to compute an Integrity Check Value (ICV), using HMAC-MD5, over the whole syncd message. The sequence number is part of the computation. This brings the following benefits:

- Anti-replay prevention: Since the sequence number is part of the ICV computation, any attacks based on packet replay will be dealt with.
- Header manipulation: Any attacks based on manipulating the message fields in order to perturb the final IPVS scheduling decision will be dealt with.

For simplicity reasons, we will not implement any kind of key exchange mechanism.
The icv-key used for ICV computation will be locally configured on all IPVS routers. So the administrator must ensure this icv-key is the same on all IPVS routers. To keep things simple, we will not support different icv-key specifications for master and backup state syncd; instead the same icv-key will be used for both states. The last assumption made is to not support asymmetric message authentication handling. By this last point, we mean that an IPVS router can not deal with authenticated messages for master state and unauthenticated messages for backup state (and reciprocally); if authentication is set at the master state, then syncd will assume that incoming messages in backup state MUST use authentication.
This is a kind of binary authentication selection while configuring syncd: to use or not to use the syncd message authentication, that is the question.

The sequence number is monotonically increased by one each time a new syncd message is created. Since syncd is not an election protocol we don't need to deal with any kind of anti-cycle mechanism in order to break a potential dropping loop. Instead, the syncd maintains a local sequence number counter as dropping policy. This means, while processing an incoming syncd message, the sequence number received in the syncd message is compared with a local copy; if the sequence number in the syncd message is greater than the local copy then the message is granted, otherwise it is dropped.

- Master state extensions -

For optimization reasons, the hmac-md5 at master state will be processed using incremental updates.
The syncd code uses the Kernel Crypto API. The ICV computation is done using the following steps:

- icv_init: When a new syncd message is allocated we first start with header initializations. The first one is the ipvs_sync_icv: we set the sequence number to the local counter increased by one and zero the ICV field. Next we initialize the hmac-md5 tfm and update it using the previously initialized ipvs_sync_icv:

    /* MD5 update start with icv header. We skip the
     * sync_mesg header since nr_conns and size are
     * mutable during MD5 update until curr_sb is
     * fully filled.
     */

- icv_update: Next, when a new connection is received by the ipvs_sync_conn function, the connection data is appended to the current sync buffer and the hmac-md5 tfm is updated. This process continues until the max buffer sending size is reached.

- icv_final: When the syncd message is ready we simply update the hmac-md5 with the ipvs_sync_mesg data and finish the hmac-md5 tfm to generate the final digest. This value is then set in the ipvs_sync_icv's icv field:

    /* Final MD5 Update. The last MD5 incremental
     * update is done on the sync_mesg header since
     * the nr_conns and size fields are now immutable.
     */

- Backup state extensions -

hmac-md5 updates are not commutative operations. This is why we need to use the same update order as during master production. Only the connection entries buffer can be factorized into a single hmac-md5 update.
This is why we divided the incoming message sanity check into three steps:

1. Initialize: Initialize the backup hmac-md5 tfm. Copy the incoming message ICV field into a temporary place and zero the field. Start with a first update over the ipvs_sync_icv header.
2. Compute connections: Update hmac-md5 over the whole connection buffer.
3. Generate ICV: The last hmac-md5 update is done over the ipvs_sync_mesg header and the result is generated.

The very last step compares both ICVs to drive the dropping decision. For performance reasons and since crypto steps are CPU consuming, we optimized the sanity check to first test the sequence number. If the sequence number is lower than the local copy then there is no need to compute hmac-md5; we simply drop this packet since it refers to a sequence already processed.

- Incoming message processing security policy -

The last pending point is for the ipvs_sync_mesg header. Since syncd messages can be generated using two different policies (with or without authentication), we need to give the receiving point a clue on which policy must be used on its side.
We have 2 alternatives:

1. New 8bit field to store options. Instead of a fully qualified 'auth' field, we prefer 'Options' since we will be able to store other infos than auth ones:

 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|  Count Conns  |    SyncID     |             Size              |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|    Options    |                   Reserved                    |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

2. Choose the syncd processing mode based on the configuration step (my vote, see below).

Incoming message processing is critical since the connections present in messages will be appended into the IPVS connection table, which finally drives the IPVS scheduling decision. It is much safer setting the daemon processing mode during the configuration step than letting the daemon determine which mode must be used based on the incoming message's options field.
If malicious packets are injected, this field value can totally turn off the ICV protection, which would make the ICV protection a fake extension. We prefer leaving the configuration decision to the administrator rather than auto-selecting the processing mode. This means that the administrator MUST configure all the syncds to use the same processing mode.
For example, consider a daemon in backup state configured to use authentication mode processing. If a malicious packet is injected without an ICV header, this will only have the effect of introducing a buffer offset while processing the message; the icv value computed will not be valid and so the packet will be dropped. For those reasons, the second choice is recommended.

- Configuration considerations -

To use authentication mode, a new ipvsadm option has been created.
This option is '--icv-key'. If specified on the ipvsadm command line, the daemon is configured to use authentication mode with the specified secret key for ICV computation. As previously discussed, syncd will not support mixed mode for master and backup daemons. If one daemon starts with authentication mode, then when starting the second one it will automatically use authentication mode (and reciprocally).
For instance:

ipvsadm --start-daemon master --syncid 150 --icv-key toto
ipvsadm --start-daemon backup --syncid 150

- VII. TTL thoughts -

The current syncd design is to set the IP TTL to 1 so that multicasted messages can not be forwarded by border routers. We just want to discuss here potentially switching this design to use TTL=255 instead. We want to introduce security while processing incoming messages. It is much more important to secure the receiving rather than the sending point, since the incoming messages received will drive IPVS scheduling decisions. We want to limit as much as possible packet injections, especially if packets are coming from a border router's network. Consider the following topology:

        +---------------+
        | Malicious guy |
        +---------------+
                |
        --------+--------
                |
           +---------+
           | Router1 |
           +---------+
                |
      -----+---------+-----
           |         |
       +-------+ +-------+
       | LVS 1 | | LVS 2 |
       +-------+ +-------+

In this topology, LVS 1 and LVS 2 are using syncd in both master & backup state.
Consider that Router 1 is misconfigured, or insecure, or the local administrator doesn't trust Router 1's administrator. From both the LVS 1 & LVS 2 directors, receiving a multicast IP message with TTL=1 is ok. But considering the IP protocol at the receiving point, this means that we are the last forwarding router capable for this datagram. This means that we can receive such a packet coming from the Malicious guy on a border network. For instance, on our diagram, if the Malicious guy forges a packet with TTL=2 (and router 1 can forward this), then the LVS router will receive this packet with TTL=1.
If we use TTL=255, then things are much more complicated for the malicious guy. Because TTL=255 is the maximum IP field value, and according to the IP protocol, TTL is decremented hop-by-hop. So if the malicious guy sends a packet the max value LVS directors will receive is 254. So if we use TTL=255 and syncd receives a packet with a 255 TTL field value then this intrinsically means that this message has been generated on the same network segment as the receiving point. This avoids injection from border routers. Plus, the use of TTL=255 brings an optimization benefit since even if packets are valid (good icv, and all sanity checks), the first sanity dropping decision is made upon this TTL field.
If TTL != 255, then the packet is dropped even if valid, which will not monopolize the CPU while computing the ICV. Another point: if we want to hide our syncd stream, we just need to ensure that border routers are not using any kind of mcast routing protocol (PIM, DVMRP, ...). This will ensure syncd traffic only goes on the local network segment.

- References -

IPSEC-AH S.
Atkinson, « IP Authentication Header », RFC 2402, November 1998.
HMAC-MD5 Madson, C., and R. Glenn, 'The Use of HMAC-MD5-96 within ESP and AH', Work in Progress.
Crypto API Linux Kernel source tree: Documentation/crypto/api-intro.txt.
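The following is an added worked example of the syncd authentication design from Alexandre's write-up earlier in the thread, together with the TTL=255 and nr_conns sanity checks he discusses; it is not his kernel patch and not the ipvsadm or IPVS code. It computes the HMAC-MD5-96 ICV in the write-up's update order (icv header with the ICV field zeroed, then the connection entries, then the ipvs_sync_mesg header last, since HMAC updates do not commute), and on the backup side runs the cheap checks first (TTL, lengths, nr_conns, sequence number) before spending CPU on the ICV. The header layouts, the 22-byte connection record, the receive buffer limit of 1472 bytes and the key 'toto' (from the ipvsadm example above) are assumptions made for this example, not the kernel's struct layouts.

```python
"""IPVS syncd message authentication (added example; not the kernel patch).

Message layout assumed here, following the write-up:
    ipvs_sync_mesg header | ipvs_sync_icv header | connection entries
"""
import hashlib
import hmac
import struct
from typing import List, Tuple

MESG_HDR = struct.Struct("!BBH")        # nr_conns, syncid, size (constructed layout)
ICV_HDR = struct.Struct("!I12s")        # sequence number, HMAC-MD5-96 ICV
CONN = struct.Struct("!BBH4sH4sH4sH")   # proto, flags, state, caddr, cport, vaddr, vport, daddr, dport
ICV_LEN = 12
SYNC_MESG_HEADER_LEN = MESG_HDR.size + ICV_HDR.size   # 20 bytes in this layout


def hmac_md5_96(key: bytes, icv_hdr_zeroed: bytes, conns: bytes, mesg_hdr: bytes) -> bytes:
    """ICV over the whole message, in the write-up's order (same on both sides)."""
    h = hmac.new(key, digestmod=hashlib.md5)
    h.update(icv_hdr_zeroed)   # icv_init: icv header, ICV field zeroed
    h.update(conns)            # icv_update: every connection appended to the buffer
    h.update(mesg_hdr)         # icv_final: mesg header last, nr_conns/size now immutable
    return h.digest()[:ICV_LEN]


class SyncMaster:
    def __init__(self, key: bytes, syncid: int):
        self.key, self.syncid, self.seq = key, syncid, 0

    def build(self, conns: List[bytes]) -> bytes:
        self.seq += 1                               # monotonically increasing per message
        body = b"".join(conns)
        icv_hdr_zeroed = ICV_HDR.pack(self.seq, b"\0" * ICV_LEN)
        mesg_hdr = MESG_HDR.pack(len(conns), self.syncid, SYNC_MESG_HEADER_LEN + len(body))
        icv = hmac_md5_96(self.key, icv_hdr_zeroed, body, mesg_hdr)
        return mesg_hdr + ICV_HDR.pack(self.seq, icv) + body


class SyncBackup:
    def __init__(self, key: bytes, syncid: int, recv_maxlen: int = 1500 - 28):
        self.key, self.syncid, self.recv_maxlen = key, syncid, recv_maxlen
        self.last_seq = 0

    def process(self, msg: bytes, ttl: int) -> Tuple[str, List[bytes]]:
        """Return ('accept', conns) or ('drop: <reason>', []); cheap checks run first."""
        if ttl != 255:                              # generated off-segment: never ours
            return "drop: ttl", []
        if len(msg) < SYNC_MESG_HEADER_LEN or len(msg) > self.recv_maxlen:
            return "drop: length", []
        mesg_hdr = msg[:MESG_HDR.size]
        icv_hdr = msg[MESG_HDR.size:SYNC_MESG_HEADER_LEN]
        body = msg[SYNC_MESG_HEADER_LEN:]
        nr_conns, syncid, size = MESG_HDR.unpack(mesg_hdr)
        if syncid != self.syncid or size != len(msg):
            return "drop: header", []
        # nr_conns sanity check from the thread: bounded by what the MTU-sized buffer can hold.
        max_conns = (self.recv_maxlen - SYNC_MESG_HEADER_LEN) // CONN.size
        if nr_conns > max_conns or nr_conns * CONN.size != len(body):
            return "drop: nr_conns", []
        seq, icv = ICV_HDR.unpack(icv_hdr)
        if seq <= self.last_seq:                    # replay or reordering: no crypto needed
            return "drop: replay", []
        expected = hmac_md5_96(self.key, ICV_HDR.pack(seq, b"\0" * ICV_LEN), body, mesg_hdr)
        if not hmac.compare_digest(expected, icv):  # constant-time compare of the two ICVs
            return "drop: icv", []
        self.last_seq = seq
        return "accept", [body[i:i + CONN.size] for i in range(0, len(body), CONN.size)]


def demo() -> dict:
    """Valid message, replay, wrong TTL, tampered entry, inflated nr_conns, next valid."""
    key = b"toto"
    master, backup = SyncMaster(key, 150), SyncBackup(key, 150)
    conn = CONN.pack(6, 0, 1, bytes([10, 0, 0, 7]), 40000,
                     bytes([10, 0, 0, 1]), 80, bytes([10, 0, 1, 5]), 8080)   # constructed entry
    results = {}
    msg = master.build([conn, conn])
    results["valid"] = backup.process(msg, 255)[0]
    results["replay"] = backup.process(msg, 255)[0]
    results["wrong_ttl"] = backup.process(master.build([conn]), 254)[0]
    tampered = bytearray(master.build([conn]))
    tampered[-1] ^= 0x01                            # flip a bit of the last entry's dport
    results["tampered"] = backup.process(bytes(tampered), 255)[0]
    inflated = bytearray(master.build([conn]))
    inflated[0] = 200                               # nr_conns claims far more than the body holds
    results["inflated"] = backup.process(bytes(inflated), 255)[0]
    results["next_valid"] = backup.process(master.build([conn]), 255)[0]
    return results
```

The drop reasons are ordered by cost, which is the point of the write-up's TTL and sequence-number discussion: a flood of off-segment or replayed datagrams is rejected before any HMAC is computed, and only messages that pass every structural check reach the ICV comparison.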
Maybe I'm missing something but why not just have apache start on boot on the backup box just like on the master? That way it'll be up when your master fails, or if you really want to make sure it's running, run '/etc/init.d/httpd start' when the backup box takes over; it'll start apache if it's stopped and won't do anything if it's already running.

Herman

On Fri, 2004-03-26 at 11:11, Thomas Halwax wrote:

Hi! I'm only using the VRRP part of keepalived for our HA web server. For ensuring that my needed daemons/services (httpd) are running when the system changes its state from BACKUP to MASTER and vice versa I wrote a little 'framework'. Please read the initial documentation and tell me what you think about it.
Ideas and help are welcome. Bye Thomas

Hi everyone, I am very pleased to announce that a chapter I wrote on LVS will be published by Weka next quarter.
This short introduction show, in about = 30 pages, how to setup a LVS-DR using IPVS, noarp and Keepalived. Weka is doing a quarterly updated publication (so I will be in charge of = keeping this chapter uptodate). Commercial information can be found at: Ho, just forgot one thing, it is enterprise oriented (not cheap, = unavailable for users), and aaaaaall in French:). P.S.: Joseph Mack and Alexandre Cassen are cited for their work. I = didn't have so much place to cite every HA developers, sorry for the = others. P.P.S.: If anyone know how to make this fucking Outlook2003 wrapping = lines, I'll be glad.
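For the BACKUP/MASTER state-change handling that Thomas and Herman discuss above, here is an added example (not Thomas's framework, and not keepalived's or Apache's own code) of a keepalived notify script that starts httpd on the MASTER transition and stops it on BACKUP or FAULT, relying on Herman's point that an init script's 'start' is idempotent. It assumes keepalived's notify_master/notify_backup/notify_fault hooks, which are assumed to call the script as `script <GROUP|INSTANCE> <name> <MASTER|BACKUP|FAULT>`, and a hypothetical LSB-style init script at HTTPD_INIT (defaulting to /etc/init.d/httpd as in Herman's post).

```shell
#!/bin/sh
# Added example, not Thomas's framework or keepalived's own code.
# Assumed call convention of keepalived's notify_* hooks:
#   script <GROUP|INSTANCE> <name> <MASTER|BACKUP|FAULT> [priority]
# HTTPD_INIT is a hypothetical LSB-style init script whose 'start' and
# 'stop' are idempotent (Herman's point: 'start' on a running httpd
# does nothing).
HTTPD_INIT="${HTTPD_INIT:-/etc/init.d/httpd}"

# Map a VRRP state to the httpd action. Prints the action; returns 1 for
# an unknown state so a typo in keepalived.conf cannot silently stop the
# service.
action_for_state() {
    case "$1" in
        MASTER)       echo start ;;
        BACKUP|FAULT) echo stop ;;
        *)            return 1 ;;
    esac
}

# Log to syslog when logger exists, otherwise to stderr, so the
# transition is visible in /var/log/messages next to keepalived's lines.
log_msg() {
    logger -t keepalived-notify "$1" 2>/dev/null || echo "$1" >&2
}

# Apply a transition: <type> <name> <state>. Returns 2 on an unknown
# state, otherwise the init script's own exit status.
apply_state() {
    kind=$1; name=$2; state=$3
    action=$(action_for_state "$state") || {
        log_msg "$kind $name: unknown state '$state', doing nothing"
        return 2
    }
    log_msg "$kind $name -> $state: $HTTPD_INIT $action"
    "$HTTPD_INIT" "$action"
}

# Dispatch only when run by keepalived (three or more arguments), so the
# functions can also be sourced and exercised on their own.
if [ $# -ge 3 ]; then
    apply_state "$1" "$2" "$3"
fi
```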
Ok, I'll be more precise: I do run keepalived 1.1.6 with insmod ipvs before its start on a Mandrake 9.2 with a 2.4.22-10mdksecure kernel and the 'acpi=ht' boot parameter, HyperThreading activated in BIOS on a mono-PIV HT on a dual PIV capable system, with the /tmp socket problem no more. So as HT is not SMP and I do not run an SMP kernel, I cannot tell if the workaround I found for my setup is actually a/the solution for SMP.

FYI, Alexandre has stated that the only 'official' workaround for SMP problems with Keepalived is to launch one keepalived with the -P (or --vrrp) parameter, which activates only the vrrp process, and another with the -C (or --check) parameter, which activates only the check process. It works around a problem with fork in the SMP library.

Niko

-----Original Message-----
From: Peter Mueller mailto:pmueller@.
Sent: Thursday 25 March 2004 18:36
To: Nicolas Helleringer; keepalived-devel@.
Subject: RE: [Keepalived-devel] Problem sum up with keepalived boot startup

P.S: BTW it seems with the insmod ipvs even with HT and SMP activated it runs fine:)

I still get the /tmp socket errors on my SMP kernels, but it 'runs fine' on VRRP for me. I just get a little nervous is all. Hmm, actually I tried to run pptpd on keepalived IPs and it didn't work reliably. The VPN would fail after a while and all these insmod ppp? errors would appear in /var/log/messages. But it routes packets fine via VRRP no matter what.

Can someone point me to a definitive post regarding the /tmp socket errors? Or forward me the appropriate one? I've tried to look through the mail archives but without a searchable index I couldn't find the proper recipe. Using UP instead of SMP probably isn't an option for me.

Thnx, P
Ok, it seems I found a way around: in my /etc/rc.d/init.d/keepalived I put an insmod ipvs before launching keepalived. It seems to boot fine then. I have no IPVS directly in the kernel (it's a Mandrake one: no way).

Alexandre => do both processes of keepalived try to launch/load the ipvs module? Are these accesses mutexed? Shouldn't they be? If one of the processes gets an 'insmod: a module named ipvs already exists' it considers IPVS is not available. This is not true. Am I right?

Niko

P.S: BTW it seems with the insmod ipvs even with HT and SMP activated it runs fine:)

-----Original Message-----
From: Francois JEANMOUGIN mailto:Francois.JEANMOUGIN@.
Sent: Thursday 25 March 2004 12:08
To: keepalived-devel@.
Subject: RE: [Keepalived-devel] Problem sum up with keepalived boot startup

Nicolas Helleringer:
And sorry but I still did not find out why I get messages like:
kernel: IPVS: Connection hash table configured (size=4096, memory=32Kbytes)
kernel: IPVS: Each connection entry needs 120 bytes at least
kernel: IPVS: ipvs loaded.
insmod: insmod: a module named ipvs already exists
modprobe: modprobe: insmod ipvs failed
Keepalived_vrrp: IPVS: Can't initialize ipvs: Protocol not available

I think that IPVS is already included in your Mandrake kernel code. I suppose it is not version compatible with the ipvs headers you compiled keepalived with. Not sure, but...

Hi all, I do still have my problem with:
Keepalived: Watchdog: Error connecting /tmp/.vrrp wdog socket
I have turned off hyperthreading on my only one PIV in the box in the BIOS, and at boot time I pass 'acpi=off acpismp=off noht' to my 2.4.22-10mdksecure kernel on Mandrake 9.2. I tried two keepalived in -C and -P configuration: same problem. I have a non-SMP non-HT box with Mandrake 9.2 and Keepalived 1.1.4 which runs just fine, but which is a test box.

And sorry but I still did not find out why I get messages like:
kernel: IPVS: Connection hash table configured (size=4096, memory=32Kbytes)
kernel: IPVS: Each connection entry needs 120 bytes at least
kernel: IPVS: ipvs loaded.
insmod: insmod: a module named ipvs already exists
modprobe: modprobe: insmod ipvs failed
Keepalived_vrrp: IPVS: Can't initialize ipvs: Protocol not available

I must be dumber than I thought. Help much appreciated.
Niko

Do you have a planned date?
I still have a lot of problems with 1.1.6 even with the syncd patch applied.

Mar 24 15:45:08 firewallmaster Keepalived: Starting Keepalived v1.1.6 (23/02, 2004)
Mar 24 15:45:08 firewallmaster Keepalived: Starting Healthcheck child process, pid=4100
Mar 24 15:45:08 firewallmaster Keepalived: Starting VRRP child process, pid=4102
Mar 24 15:45:08 firewallmaster Keepalived_vrrp: Using MII-BMSR NIC polling thread.
Mar 24 15:45:08 firewallmaster Keepalived_vrrp: IPVS: Can't initialize ipvs: Protocol not available
Mar 24 15:45:13 firewallmaster Keepalived: Watchdog: success connecting /tmp/.healthcheckers wdog socket
Mar 24 15:45:13 firewallmaster Keepalived: Watchdog: Error connecting /tmp/.vrrp wdog socket
Mar 24 15:45:48 firewallmaster last message repeated 7 times
Mar 24 15:45:58 firewallmaster last message repeated 2 times
Mar 24 15:46:03 firewallmaster Keepalived: Watchdog: Error connecting /tmp/.vrrp wdog socket

First debug your env. The ipvs error above is a misconfiguration. Next, the VRRP watchdog error (as I already posted) is misconfiguration too. First try with and next without VRRP. If vrrp dies when used with both VRRP+Healthcheck then use the options --check and --vrrp. As a side note, the OpenSSL upgrade version for Keepalived is not mandatory since Keepalived only uses openssl md5 facilities; this is only for internal use. So not a critical update needed. I have no fixed date.

Regards, Alexandre

Hi Jeroen, the Linux kernel doesn't provide VMAC support; I worked a long time ago on a patch to provide such support, but it is still in elaboration :/. OTOH, garp is useful in most envs. This is so a low priority devel task for me :)

Hmm. Curious.
Programs like LaBrea can send (and answer) packets destined to a fictional MAC address. Why wouldn't keepalived be able to do this? Could you give me some pointers to docs regarding this?

Tools like honeypot stuff are just simulating connections, but don't handle the stream that passes through the router. Most of the time they need to set the interface to PROMISC mode in order to spy on ARP traffic. But if you want to handle the stream associated with a defined MAC of your own (VMAC), then you need to be able to catch the stream associated with the whole connection. To handle this properly and safely, the only clean way (IMHO) is to place the code at the ingress & egress to emulate the VMAC in software inside the kernel, and to rewrite the ARP header at both the ingress and egress stages.

I'll keep you informed of the mcast trial. Best regards, Alexandre.