Packet-Foo | Network Packet Capture and Analysis

DDoS Tracefile for SharkFest Europe 2021

SharkFest Europe has opened it’s doors for the pre-conference classes. Presentations will start on June, 17th.

I am honored to give a presentation on DDoS attacks. The trace files for the presentation are available for download at http ://www.packet-foo.com/blog/SF21EU/DDoS_Tracefiles.zip

The Zip file contains five traces:

FreakOut_Flooding.pcapng
Shows the UDP Flood, TCP Flood, SYN Flood and Slowloris attacks implemented in the FreakOut bot. While an analysis published by Checkpoint covers many technical aspects of the bot, we will examine the traffic you would see as a victim of the botnet.

Each attack wave starts with a syslog message that describes the upcoming attacks. The syslog messages have been added to aid in the analysis of the trace files.

FreakOut_Reflections.pcapng
Shows UDP based reflection attacks. Compare the MAC addresses of the sender and receiver to verify, that source and destination
hosts are different.

Each attack wave starts with a syslog message that describes the upcoming attacks. Again, the syslog messages have been added to aid in the analysis of the trace files.

SYNflood.pcapng
Traffic from a generic SYN flood attack, not related to FreakOut.

UDPreflection.pcapng
Traffic from a UDP reflection attack, also not related to FreakOut.

UDPreflection_trigger.pcapng
A single DNS request that was likely used to trigger the DNS responses found in the trace file UDPreflection.pcapng

Useful Display Filters

Here are the most important display filters, if you want to click along during the presentation. You can use copy & paste to avoid any typos.

The filters are listed in order of appearance

UDPflood.pcapng

udp or icmp

(ip.flags.mf == 1 or ip.frag_offset > 0)

(ip.flags.mf == 1 or ip.frag_offset > 0) and ip.dst == 198.51.100.165

SYNflood.pcapng

tcp.flags.syn == 1 and tcp.flags.ack == 0 and ip.dst == 100.64.0.0/16

Preparing the I/O Graph

Using Wireshark we will create an I/O Graph similar to this one.

Here is how to prepare the graph:

Note that we select the unit “Packets” for the Y-Axis.
Select two distinct colors for two graphs.
Select “Impulse” style.
Use the 10 interval SMA period to smoothen the graph.
Finally, set the interval to 10 msec.

Hope to see you all at SharkFest!

Introducing DNS Hammer, Part 2: Auditing a Name Server’s Rate Limiting Configuration

Introducing DNS Hammer, Part 2: Introducing a new tool

Part one of the series discusses DNS reflection attacks and DNS rate limiting. This post shows how to use DNS Hammer to audit a DNS server’s rate limit configuration.

A dedicated web site https://www.dnshammer.com offers the tool for download and instructions how to use it.

Introducing DNS Hammer, Part 1: DDoS Analysis – From DNS Reflection to Rate Limiting

This article discusses DNS reflection, a technique used in DDoS attacks. DNS rate limiting can be used as mitigation against DNS reflection attacks. This paves the way to our new tool DNS Hammer. The program can help auditing a DNS server’s rate limiting configuration.

Analyzing a failed TLS connection

Eddi
13/7/2020
CaseStudy, Firewalls, TCP Analysis, Wireshark
3 Comments

Summary

This post demonstrates how to correlate two or more trace files to analyze a broken connection. We identify the root cause and gather information about the network topology. Tracefiles are available at http://www.packet-foo.com/blog/TLS/Skype.zip
We assume that the reader is familiar with TCP basics like session setup, retransmissions, window size etc.

Patch! Patch! Patch!

Bob Plankers, Technical Marketing Architect for vSphere at VMware, has a very simple but important message for all of us, and it isn’t really limited to VMware itself: “Patch! Patch! Patch! Did I say… patch?”. That was his starting message when I visited VMware during Security Field Day 2, and there was more Bob had in store for us.

Wireless Capture on Windows

Capturing Wireless on Windows was always problematic, because other than on Linux or Mac it wasn’t possible to activate Monitor mode on the WiFi cards to capture the radio layer. All you could do was capture packets on your WiFi card from the Ethernet layer and up. That’s unless you spent money on the now discontinued AirPCAP USB adapters. But now there is a silver lining on the horizon in the form of the npcap library.

Cisco Live – Network Building Blocks for IoT

Cisco Live happened in Barcelona end of January, and as usual I am a little late with my blog posts about it. Like the last two years I was invited to join the group of technology experts for Tech Field Day Extra, with various presentations covering a number of new and improved Cisco technologies as well as some Cisco partner products.

Sharkfest 2018 EU

I’m back from Sharkfest EU 2018 and once again it was a great conference. This time, many core developers and instructors brought their families along, so it felt even more like a family gathering than ever before.

Installing Moloch on Debian 9 Stretch

Moloch is a tool that builds on Elasticsearch to process large numbers of network packets, either from a live network or from imported PCAP files. This is how I installed it on a Debian 9 server.

Attacking Wireshark

Jasper
03/9/2018
Coding, Network Forensics, Protocols, Security, Wireshark
4 Comments

Every once in a while there is some news about Wireshark being vulnerable to being attacked/exploited/pwned, meaning that there is a way to craft frames/packets in a pcap/pcapng file to make Wireshark crash and (if done right) execute malicious code. So let’s take a look at what that means and what can be done about it.

12 3 4 5