Refresh ARP cache entry

ARP (Address Resolution Protocol) is the method for finding a host’s hardware address when only its IP address is known. ARP is a Link Layer protocol (Layer 2) because it only operates on the local area network.

When you migrate an IP from one VM or hypervisor to another, you can sometimes run into strange network problems (such as no traffic reaching that IP for a while). The cause of these problems is that some network equipment (a router or firewall) on the path still holds an ‘expired’ (stale) ARP entry in its cache.

Refresh ARP cache

For a GNU/Linux or BSD host, check the current ARP table with arp -a.
Then purge the entry with arp -d <hostname>

For Cisco IOS, use show arp to check the ARP table and clear ip arp <ip> to purge an entry.

For equipment you don’t control, the solution is a little trickier. You need to broadcast the correct ARP mapping from your VM so that the remote device replaces its existing cache entry. For this, use the arping command:

arping -S <ip> -B
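An added check for the situation above (not part of the original notes): after a migration, parse the local ARP cache as printed by arp -a on Linux and confirm that the IP now maps to the new VM’s MAC. The sample output, addresses and MACs are constructed.

```python
import re

# Constructed sample of `arp -a` output (Linux net-tools format) on a host that
# talks to a freshly migrated service IP, 10.2.8.42, now owned by a VM whose
# MAC is 52:54:00:aa:bb:cc. The cache still holds the old hypervisor's MAC.
SAMPLE_ARP = """\
gw.example.net (10.2.8.1) at 00:11:22:33:44:55 [ether] on eth0
? (10.2.8.42) at 52:54:00:11:22:33 [ether] on eth0
? (10.2.8.43) at 52:54:00:aa:bb:cc [ether] on eth0
? (10.2.8.44) at <incomplete> on eth0
"""

ARP_RE = re.compile(
    r"^(?P<host>\S+) \((?P<ip>[\d.]+)\) at (?P<mac>[0-9a-fA-F:]{17}|<incomplete>)"
    r"(?: \[\w+\])? on (?P<dev>\S+)$"
)

def parse_arp(text):
    """Parse `arp -a` lines into a dict keyed by IP. Unparseable lines are ignored."""
    table = {}
    for line in text.splitlines():
        m = ARP_RE.match(line.strip())
        if m:
            d = m.groupdict()
            table[d["ip"]] = {"mac": d["mac"].lower(), "dev": d["dev"]}
    return table

def check_mapping(table, ip, expected_mac):
    """Classify the cached entry for ip against the MAC it should have after migration.

    Returns 'ok', 'stale' (cache still points at another MAC), 'incomplete'
    (nothing answered the ARP request) or 'missing' (no entry at all)."""
    entry = table.get(ip)
    if entry is None:
        return "missing"
    if entry["mac"] == "<incomplete>":
        return "incomplete"
    return "ok" if entry["mac"] == expected_mac.lower() else "stale"

def duplicate_macs(table):
    """MACs claimed by more than one IP: normal for a gateway that proxies several
    addresses, worth a second look otherwise."""
    seen = {}
    for ip, e in table.items():
        if e["mac"] != "<incomplete>":
            seen.setdefault(e["mac"], []).append(ip)
    return {mac: ips for mac, ips in seen.items() if len(ips) > 1}
```

On a live host, feed it subprocess.check_output(["arp", "-a"], text=True) instead of the sample.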

Dig command examples

The dig utility is very handy for troubleshooting name resolution issues or for finding out information about an IP address or a domain name. Here are some useful command examples.

Look up a domain

# dig google.com

; <<>> DiG 9.3.4-P1.2 <<>> google.com
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24311
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;google.com. IN A

;; ANSWER SECTION:
google.com. 217 IN A 216.58.209.238

;; Query time: 0 msec
;; SERVER: 62.210.64.50#53(62.210.64.50)
;; WHEN: Tue Oct 25 11:10:01 2016
;; MSG SIZE rcvd: 44

Look up a specific record

You can specify the record type using the appropriate prefix:

# dig <prefix> google.com
  • A for A records
  • MX for MX records
  • NS for name server records
  • CNAME for CNAME records
  • TXT for SPF, DKIM and everything else that goes inside TXT records

Short answer

If you want just the answer without any comments, use the +short option:

# dig A google.com +short
216.58.209.238

You can also enable or disable each output section using the appropriate parameters. For example, to get only the ANSWER SECTION:

# dig A google.com +noall +answer
google.com.             299     IN      A       74.125.140.139
google.com.             299     IN      A       74.125.140.101
google.com.             299     IN      A       74.125.140.100
google.com.             299     IN      A       74.125.140.138
google.com.             299     IN      A       74.125.140.113
google.com.             299     IN      A       74.125.140.102

Use a Specific DNS server

To test the answer from a specific DNS server, use the @ parameter:

# dig A @8.8.8.8 google.com

; <<>> DiG 9.3.4-P1.2 <<>> A @8.8.8.8 google.com
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 28263
;; flags: qr rd ra; QUERY: 1, ANSWER: 6, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;google.com. IN A

;; ANSWER SECTION:
google.com. 299 IN A 74.125.140.100
google.com. 299 IN A 74.125.140.113
google.com. 299 IN A 74.125.140.138
google.com. 299 IN A 74.125.140.139
google.com. 299 IN A 74.125.140.102
google.com. 299 IN A 74.125.140.101

;; Query time: 8 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Tue Oct 25 11:15:23 2016
;; MSG SIZE rcvd: 124

Reverse lookup

You can check PTR records by doing a reverse lookup:

# dig -x 91.189.94.40

; <<>> DiG 9.3.4-P1.2 <<>> -x 91.189.94.40
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 21503
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 0

;; QUESTION SECTION:
;40.94.189.91.in-addr.arpa. IN PTR

;; ANSWER SECTION:
40.94.189.91.in-addr.arpa. 3600 IN PTR ovinnik.canonical.com.

;; AUTHORITY SECTION:
94.189.91.in-addr.arpa. 3600 IN NS ns1.canonical.com.
94.189.91.in-addr.arpa. 3600 IN NS ns2.canonical.com.
94.189.91.in-addr.arpa. 3600 IN NS ns3.canonical.com.

;; Query time: 15 msec
;; SERVER: 62.210.64.50#53(62.210.64.50)
;; WHEN: Tue Oct 25 11:43:36 2016
;; MSG SIZE rcvd: 132
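An added example, not from the original notes, that ties the +noall +answer format and the reverse lookup together: it parses answer-section lines and runs a forward-confirmed reverse DNS check (the PTR target must resolve back to the address), the check mail servers and log-analysis tools rely on before trusting a hostname. The sample answers are constructed, the mismatch case is invented for illustration, and reverse_name also builds ip6.arpa names for IPv6.

```python
import ipaddress

# Constructed answer-section text in the format `dig +noall +answer` prints
# (column spacing varies; dig prints tabs, here spaces).
PTR_ANSWER = """\
40.94.189.91.in-addr.arpa. 3600 IN PTR ovinnik.canonical.com.
"""
A_ANSWER = """\
ovinnik.canonical.com.   300   IN   A   91.189.94.40
"""
# Invented for the failure case: the PTR target points somewhere else entirely.
MISMATCH_A = """\
ovinnik.canonical.com.   300   IN   A   192.0.2.1
"""

def parse_answer(text):
    """Parse answer-section lines into (name, ttl, type, rdata) tuples.
    Only the IN class is handled; +short output and comment lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 5 and parts[2] == "IN" and parts[1].isdigit():
            records.append((parts[0], int(parts[1]), parts[3], " ".join(parts[4:])))
    return records

def reverse_name(ip):
    """Build the name `dig -x` queries: octets reversed under in-addr.arpa
    (nibbles reversed under ip6.arpa for IPv6), with the trailing dot dig shows."""
    return ipaddress.ip_address(ip).reverse_pointer + "."

def forward_confirmed(ip, ptr_text, a_text):
    """Forward-confirmed reverse DNS: the PTR target's A records must include ip.
    Returns (confirmed, ptr_target); a missing PTR gives (False, None)."""
    rname = reverse_name(ip)
    targets = [r[3] for r in parse_answer(ptr_text) if r[0] == rname and r[2] == "PTR"]
    if not targets:
        return (False, None)
    target = targets[0]
    addrs = {r[3] for r in parse_answer(a_text) if r[0] == target and r[2] == "A"}
    return (ip in addrs, target)
```

With live data, ptr_text is the output of dig -x <ip> +noall +answer and a_text that of dig A <ptr_target> +noall +answer.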

IP Forwarding

In order to use a Linux host as a router/firewall, you first need to enable IP forwarding:

# sysctl -w net.ipv4.ip_forward=1

To make the change permanent, insert or edit the following line in /etc/sysctl.conf:

net.ipv4.ip_forward = 1

Block the DFind scanner

DFind is a vulnerability scanner, and a real pain in the ***, as it pollutes your Apache log with lines such as this:

84.145.78.74 [16/Oct/2008:18:12:34] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400

How to get rid of this junk?
The Apache return code is 400, which means the request syntax is invalid. Looking in the logs we see this:

client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23)

Since the request is invalid, it’s useless to try to block it with a rewrite rule or a mod_security pattern.

The best solution is to block it before it reaches the HTTP server, using iptables, like this:

iptables -I INPUT -d <server_ip> -p tcp --dport 80 -m string --to 70 --algo bm --string 'GET /w00tw00t.at.ISC.SANS.' -j DROP
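An added detection example, not from the original post: it walks Apache access-log lines in the combined format, picks out requests carrying the DFind signature (the same prefix the iptables rule keys on), and counts probes per source address so the noisy scanner stands out. The log lines are constructed, with documentation addresses in place of real scanners.

```python
import re
from collections import Counter

# Constructed Apache combined-log lines: two DFind probes from one source, an
# unrelated malformed request that also got a 400, and a legitimate request.
SAMPLE_LOG = """\
198.51.100.23 - - [16/Oct/2008:18:12:34 +0200] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 226 "-" "-"
198.51.100.23 - - [16/Oct/2008:18:12:35 +0200] "GET /w00tw00t.at.ISC.SANS.test HTTP/1.1" 400 226 "-" "-"
203.0.113.9 - - [16/Oct/2008:18:13:01 +0200] "GET / HTTP/1.1" 400 226 "-" "-"
192.0.2.77 - - [16/Oct/2008:18:14:10 +0200] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

# Common/combined log format: ip ident user [timestamp] "request" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) '
)
# Signature prefix, identical to the one the iptables string match drops on.
DFIND_PREFIX = "GET /w00tw00t.at.ISC.SANS."

def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def is_dfind(entry):
    """A DFind probe is identified by its request line. The 400 status only comes
    from the missing Host header, so status alone would also flag innocent clients."""
    return entry["req"].startswith(DFIND_PREFIX)

def dfind_sources(log_text):
    """Count DFind probes per source IP over a whole log."""
    hits = Counter()
    for line in log_text.splitlines():
        e = parse_line(line)
        if e and is_dfind(e):
            hits[e["ip"]] += 1
    return hits

def noisy_sources(log_text, threshold=2):
    """Sources at or above the threshold, i.e. candidates for a firewall rule."""
    return sorted(ip for ip, n in dfind_sources(log_text).items() if n >= threshold)
```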

Active FTP vs passive FTP

Active and passive are the two modes FTP can run in. FTP is a somewhat odd protocol because it uses two ports: one for the command channel (by default TCP 21) and one for the actual data transfer (TCP 20). It’s a nifty way of sending commands to the server without having to wait for the current data transfer to finish, but it makes things pretty difficult when there is NAT or a firewall in the way.

Active mode

In active mode the client connects from a random unprivileged port (N > 1023) to the server’s command port (TCP 21). Then the client starts listening on port N+1 and sends the FTP command PORT N+1 to the server. The server then connects “back” to the client’s specified data port from its local data port (TCP 20).

If both hosts are on the same network, this mode works great. If there is a firewall and/or a router in the way, that’s a different story. To the firewall/router it appears that an outside host is initiating a connection to an “internal” client, which is generally forbidden. And even if it weren’t forbidden, a router doing NAT has no idea which host to forward the connection to.

Passive mode

In passive mode the client is responsible for initiating both connections to the server, which solves the problem of filtering firewalls/routers. It works like this: when opening an FTP connection the client opens two random unprivileged ports locally (N > 1023 and N+1). Then it contacts the server on TCP port 21, but instead of issuing a PORT N+1 command it uses the PASV command. In response the server opens a random unprivileged port (P > 1023) and sends the port number back to the client. Then the client initiates the second connection from its second port (N+1) to the specified server data port (P).

Which mode should I use?

Short answer: passive mode. There are three reasons for that:

  • pretty much everybody is doing NAT
  • many people use their web browser as an FTP client, and browsers only support passive mode
  • It’s true that passive mode opens up a whole new range of problems on the server side, but you are on the server side 😉
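An added example, not from the original text, that goes a little beyond it: the reply to PASV is “227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)” (RFC 959), with the data port encoded as p1*256+p2, and the PORT command uses the same encoding. The helpers decode and build those, and choose the data endpoint the way NAT-aware clients do when the advertised address is not the control connection’s peer. Function names and sample replies are mine.

```python
import re
import ipaddress

PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")

def parse_pasv(reply):
    """Decode a 227 reply: host as dotted quad, port = p1*256 + p2.
    Raises ValueError on anything that is not a well-formed 227 reply."""
    m = PASV_RE.match(reply.strip())
    if not m:
        raise ValueError("not a 227 PASV reply: %r" % reply)
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError("value out of range in %r" % reply)
    host = ".".join(str(n) for n in nums[:4])
    port = nums[4] * 256 + nums[5]
    if port == 0:
        raise ValueError("data port 0 in %r" % reply)
    return host, port

def build_port(host, port):
    """Encode the client's listening socket (N+1 above) for the active-mode PORT command."""
    if not 0 < port < 65536:
        raise ValueError("bad port %d" % port)
    octets = str(ipaddress.IPv4Address(host)).split(".")
    return "PORT %s,%d,%d" % (",".join(octets), port // 256, port % 256)

def data_endpoint(reply, control_peer):
    """Where the passive data connection should go.

    A server behind NAT often advertises its private address in the 227 reply,
    which is unreachable (and, more generally, nothing obliges the advertised host
    to be the server at all). Like most current clients, fall back to the control
    connection's peer address and report the mismatch as the third element."""
    host, port = parse_pasv(reply)
    if host == control_peer:
        return host, port, True
    return control_peer, port, False
```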

HTTP return code

  • 200 : request completed
  • 201 : object created, reason = new URI
  • 202 : async completion (TBS)
  • 203 : partial completion
  • 204 : no info to return
  • 205 : request completed, but clear form
  • 206 : partial GET fulfilled
  • 300 : server couldn’t decide what to return
  • 301 : object permanently moved
  • 302 : object temporarily moved
  • 303 : redirection w/ new access method
  • 304 : if-modified-since was not modified
  • 305 : redirection to proxy, location header specifies proxy to use
  • 307 : HTTP/1.1: keep same verb
  • 400 : invalid syntax
  • 401 : access denied
  • 402 : payment required
  • 403 : request forbidden
  • 404 : object not found
  • 405 : method is not allowed
  • 406 : no response acceptable to client found
  • 407 : proxy authentication required
  • 408 : server timed out waiting for request
  • 409 : user should resubmit with more info
  • 410 : the resource is no longer available
  • 411 : the server refused to accept request w/o a length
  • 412 : precondition given in request failed
  • 413 : request entity was too large
  • 414 : request URI too long
  • 415 : unsupported media type
  • 500 : internal server error
  • 501 : required not supported
  • 502 : error response received from gateway
  • 503 : temporarily overloaded
  • 504 : timed out waiting for gateway
  • 505 : HTTP version not supported

[Cisco] IOS – “Diff” running-config

Sometimes people make changes on switches and forget to use the write command. Then you log in, make your changes and, before running wr, type the following:

show archive config differences nvram:startup-config system:running-config

Because you’re a conscientious admin 😉
Lines preceded with “+” are only found in the running-config. Lines preceded with “-” are absent from the running-config.

How to add/remove/change route

The route command is used to show/manipulate the IP routing table. It is primarily used to set up static routes to specific hosts or networks via an interface.

Display existing routes

# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         10.2.8.1        0.0.0.0         UG    0      0        0 eth0
10.2.8.0        *               255.255.252.0   U     0      0        0 eth0
10.10.16.0      10.10.32.53     255.255.240.0   UG    0      0        0 tun0

Change default gateway

# route del default
route add default gw 10.2.0.4

Add a route for a given network

route add -net 172.17.255.0/24 gw 195.54.62.1

Remove a route for a given network

route del -net 172.17.255.0/24 gw 195.54.62.1

Reject routing for a given network

route add -net 192.168.1.0/24 reject
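An added example, not from the original notes: it parses the `route -n` table format shown above and performs the longest-prefix-match lookup the kernel does, so you can check which gateway (or reject route) a destination will hit before committing a change. The table is constructed from the one above plus a reject route; net-tools prints reject routes with the “!” flag.

```python
import ipaddress

# Constructed `route -n` output: the table shown above plus a reject route of the
# kind `route add -net 192.168.1.0/24 reject` creates (flag "!").
SAMPLE_ROUTE = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.2.8.1        0.0.0.0         UG    0      0        0 eth0
10.2.8.0        0.0.0.0         255.255.252.0   U     0      0        0 eth0
10.10.16.0      10.10.32.53     255.255.240.0   UG    0      0        0 tun0
192.168.1.0     -               255.255.255.0   !     0      -        0 -
"""

def parse_routes(text):
    """Turn the table into a list of dicts; accepts both the `route -n` (0.0.0.0)
    and plain `route` ("default", "*") spellings of the default route and no-gateway."""
    routes = []
    for line in text.splitlines()[2:]:          # skip title and column header
        f = line.split()
        if len(f) < 8:
            continue
        dest = "0.0.0.0" if f[0] == "default" else f[0]
        gw = None if f[1] in ("*", "0.0.0.0", "-") else f[1]
        routes.append({
            "net": ipaddress.IPv4Network((dest, f[2])),
            "gw": gw, "flags": f[3], "metric": int(f[4]), "iface": f[7],
        })
    return routes

def lookup(routes, ip):
    """Longest-prefix match, ties broken by the lower metric, as the kernel does.
    Returns None when nothing matches (no default route), a reject verdict when
    the winning entry carries the "!" flag, else the gateway and interface."""
    addr = ipaddress.IPv4Address(ip)
    best = None
    for r in routes:
        if addr in r["net"]:
            key = (r["net"].prefixlen, -r["metric"])
            if best is None or key > best[0]:
                best = (key, r)
    if best is None:
        return None
    r = best[1]
    if "!" in r["flags"]:
        return {"action": "reject", "net": str(r["net"])}
    return {"action": "forward", "via": r["gw"], "iface": r["iface"], "net": str(r["net"])}
```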

fping

fping is a program like ping which uses the Internet Control Message Protocol (ICMP) to determine whether a target host is responding. Unlike its model, fping can be used against any number of targets. Its output is also designed to be easier to parse.

Command examples

To test a simple host:

fping 172.31.0.1
172.31.0.1 is alive

To scan an entire network by sending just one packet per IP:

fping -a -r 0 -g 172.31.0.0/24

You can make the process faster by decreasing the interval between packets with the -i parameter:

fping -a -i 1 -r 0 -g 172.31.0.0/24

To use a list of IPs:

fping -a < host_list.txt