network-security.acl.tcp-intercept.2rt.3sw.3node.1ext-conn.static.ac6665a0

- Topology Description: TCP Intercept
- Topology ID: 0d4a0667-b035-4ac8-ba82-80c6057dd5d1
- Design and Technology:
  - TCP Intercept
  - Routing Protocol: static
  - 2 routers
  - 3 servers
- Remarks: N/A

### Links

Cisco: TCP Intercept [PG1X WIKI]
https://pg1x.com/tech:network:cisco:security:network-security:acl:tcp-intercept:tcp-intercept
```
ubuntu@ubuntu-0:~$ sudo apt search hping3
Sorting... Done
Full Text Search... Done
hping3/bionic 3.a2.ds2-7 amd64
  Active Network Smashing Tool

ubuntu@ubuntu-0:~$ sudo apt install hping3
```
```
man 8 hping3
```
```
sudo apt install apache2
```
If ubuntu-2 is in its normal operational state, ubuntu-0 can fetch the HTTP document.
```
ubuntu@ubuntu-0:~$ time curl -I 198.51.100.252
HTTP/1.1 200 OK
Date: Sun, 27 Sep 2020 04:21:15 GMT
Server: Apache/2.4.29 (Ubuntu)
Content-Type: text/html; charset=UTF-8


real    0m0.013s
user    0m0.000s
sys     0m0.005s
```
```
ubuntu@ubuntu-2:~$ ss -antu
Netid State   Recv-Q Send-Q Local Address:Port                    Peer Address:Port
udp   UNCONN  0      0      127.0.0.53%lo:53                      0.0.0.0:*
udp   UNCONN  0      0      10.0.255.34%enp0s2:68                 0.0.0.0:*
udp   UNCONN  0      0      [fe80::5054:ff:fe00:6ef]%enp0s2:546   [::]:*
tcp   LISTEN  0      128    127.0.0.53%lo:53                      0.0.0.0:*
tcp   LISTEN  0      128    0.0.0.0:22                            0.0.0.0:*
tcp   LISTEN  0      128    127.0.0.1:6010                        0.0.0.0:*
tcp   ESTAB   0      96     10.0.255.34:22                        10.0.255.8:6933
tcp   LISTEN  0      128    *:80                                  *:*
tcp   LISTEN  0      128    [::]:22                               [::]:*
tcp   LISTEN  0      128    [::1]:6010                            [::]:*
```
```
time curl -I 198.51.100.252
```
```
sudo hping3 -I enp0s3 --spoof 10.1.1.123 --flood -S -p 80 198.51.100.252
```
Wireshark display filter:

```
tcp.port == 80
```
```
tmux
top -d 1 -c
watch -n1 ss -antu
watch -n1 "ss -antu | fgrep SYN-RECV | wc -l"
sudo tail -f /var/log/apache2/error.log
```
```
ubuntu@ubuntu-2:~$ ss -antu | tail
tcp   SYN-RECV 0      0      [::ffff:198.51.100.252]:80   [::ffff:10.1.1.123]:1198
tcp   SYN-RECV 0      0      [::ffff:198.51.100.252]:80   [::ffff:10.1.1.123]:1186
tcp   SYN-RECV 0      0      [::ffff:198.51.100.252]:80   [::ffff:10.1.1.123]:15298
tcp   SYN-RECV 0      0      [::ffff:198.51.100.252]:80   [::ffff:10.1.1.123]:1187
tcp   SYN-RECV 0      0      [::ffff:198.51.100.252]:80   [::ffff:10.1.1.123]:1231
tcp   SYN-RECV 0      0      [::ffff:198.51.100.252]:80   [::ffff:10.1.1.123]:1202
tcp   SYN-RECV 0      0      [::ffff:198.51.100.252]:80   [::ffff:10.1.1.123]:1191
tcp   SYN-RECV 0      0      [::ffff:198.51.100.252]:80   [::ffff:10.1.1.123]:1234
tcp   SYN-RECV 0      0      [::ffff:198.51.100.252]:80   [::ffff:10.1.1.123]:16580
tcp   SYN-RECV 0      0      [::ffff:198.51.100.252]:80   [::ffff:10.1.1.123]:15376
```
```
ubuntu@ubuntu-0:~$ time curl -I 198.51.100.252
HTTP/1.1 200 OK
Date: Sun, 27 Sep 2020 05:09:22 GMT
Server: Apache/2.4.29 (Ubuntu)
Content-Type: text/html; charset=UTF-8


real    0m7.464s
user    0m0.008s
sys     0m0.000s
```
Wireshark display filter:

```
ip.addr == 10.1.1.254
```
Wireshark Packet Capture Result
Try curl against ubuntu-2 from outside the CML-P environment while the SYN flood attack is running.
```
wnoguchi@LASTHOPE MINGW64 ~/Nextcloud/Documents/certification/cisco/ccie/enterprise-infrastructure-v1.0/pcap
$ time curl -I 10.0.255.34
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0HTTP/1.1 200 OK
Date: Sun, 27 Sep 2020 05:52:19 GMT
Server: Apache/2.4.29 (Ubuntu)
Content-Type: text/html; charset=UTF-8


real    0m0.040s
user    0m0.000s
sys     0m0.000s
```
Wireshark display filter:

```
ip.addr == 10.0.255.34 and tcp.port == 80
```
Hmmm, the response is still quite fast even while the SYN flood attack is running.
```
ubuntu@ubuntu-2:~$ free -m
              total        used        free      shared  buff/cache   available
Mem:           1993         111        1455           2         425        1736
Swap:             0           0           0
```
The server's resources are not busy; the slow response time comes from the router's spec limitation.
OK. Increase the Apache resource limits.
```
sudo vim /etc/apache2/mods-available/mpm_prefork.conf
```
```
<IfModule mpm_prefork_module>
    StartServers             5
    MinSpareServers          5
    MaxSpareServers         10
    MaxRequestWorkers      150
    MaxConnectionsPerChild   0
</IfModule>
```
Change to:
```
<IfModule mpm_prefork_module>
    StartServers             5
    MinSpareServers          5
    MaxSpareServers       1000
    MaxRequestWorkers      150
    MaxConnectionsPerChild   0
</IfModule>
```
```
sudo apachectl configtest
sudo systemctl restart apache2
```
Kernel parameters:

- net.core.somaxconn
- net.ipv4.tcp_max_syn_backlog
```
root@ubuntu-2:~# cat /proc/sys/net/core/somaxconn
128
root@ubuntu-2:~# echo 8192 >/proc/sys/net/core/somaxconn
root@ubuntu-2:~# cat /proc/sys/net/core/somaxconn
8192
```

```
root@ubuntu-2:~# cat /proc/sys/net/ipv4/tcp_max_syn_backlog
128
root@ubuntu-2:~# echo 8192 >/proc/sys/net/ipv4/tcp_max_syn_backlog
root@ubuntu-2:~# cat /proc/sys/net/ipv4/tcp_max_syn_backlog
8192
```

```
root@ubuntu-2:~# vim /etc/sysctl.conf
root@ubuntu-2:~# sysctl -p
net.core.somaxconn = 10000000
net.ipv4.tcp_max_syn_backlog = 10000000
```
```
systemctl restart apache2
```
```
ListenBacklog 10000000
```
```
a2enconf synflood
systemctl restart apache2
```
Ready... but it seems to have no effect...
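The `watch -n1 "ss -antu | fgrep SYN-RECV | wc -l"` pane above only gives a raw count. The following script is an added example written for these notes (not tooling from the PG1X wiki): it parses the same `ss -antu` columns shown above, counts SYN-RECV sockets per local port and per peer address, and compares the total with the backlog sysctls that were tuned in this section. The `ss` sample and the sysctl values passed in are constructed to mirror what the lab observed (every half-open socket coming from the single spoofed source 10.1.1.123); treating the smaller of `net.ipv4.tcp_max_syn_backlog` and `net.core.somaxconn` as the effective bound is a simplification assumed by the example. One fact worth keeping in mind when reading the `ListenBacklog 10000000` step: on Linux, `listen()` silently caps the requested backlog at `net.core.somaxconn`, so the Apache directive can never exceed the sysctl.

```python
"""Summarise half-open (SYN-RECV) TCP sockets from `ss -antu` output.

Added example for these lab notes, not the wiki's own tooling. Sample input
and the sysctl values used below are constructed.
"""
from collections import Counter

# Constructed sample in the column layout of `ss -antu` as printed on ubuntu-2
# (v4-mapped addresses appear because Apache listens on a dual-stack socket).
SAMPLE_SS = """\
Netid State    Recv-Q Send-Q Local Address:Port            Peer Address:Port
tcp   LISTEN   0      128    *:80                          *:*
tcp   ESTAB    0      96     10.0.255.34:22                10.0.255.8:6933
tcp   SYN-RECV 0      0      [::ffff:198.51.100.252]:80    [::ffff:10.1.1.123]:1198
tcp   SYN-RECV 0      0      [::ffff:198.51.100.252]:80    [::ffff:10.1.1.123]:1186
tcp   SYN-RECV 0      0      [::ffff:198.51.100.252]:80    [::ffff:10.1.1.123]:15298
tcp   SYN-RECV 0      0      [::ffff:198.51.100.252]:80    [::ffff:10.1.1.123]:1187
tcp   SYN-RECV 0      0      [::ffff:198.51.100.252]:80    [::ffff:10.1.1.123]:1231
tcp   SYN-RECV 0      0      [::ffff:198.51.100.252]:80    [::ffff:10.1.1.123]:1202
tcp   SYN-RECV 0      0      [::ffff:198.51.100.252]:80    [::ffff:10.1.1.123]:1191
tcp   SYN-RECV 0      0      [::ffff:198.51.100.252]:22    [::ffff:10.1.1.124]:1234
"""


def split_endpoint(endpoint):
    """Split an ss endpoint ('addr:port', '[v6]:port', '*:*') into (addr, port)."""
    addr, _, port = endpoint.rpartition(":")
    if addr.startswith("[") and addr.endswith("]"):
        addr = addr[1:-1]
    if addr.startswith("::ffff:"):  # IPv4-mapped IPv6 address: report the IPv4 form
        addr = addr[len("::ffff:"):]
    return addr, port


def parse_ss(text):
    """Parse `ss -antu` output (header line skipped) into a list of socket dicts."""
    sockets = []
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 6:
            continue
        netid, state, recvq, sendq, local, peer = fields[:6]
        laddr, lport = split_endpoint(local)
        paddr, pport = split_endpoint(peer)
        sockets.append({"netid": netid, "state": state,
                        "local_addr": laddr, "local_port": lport,
                        "peer_addr": paddr, "peer_port": pport})
    return sockets


def syn_recv_summary(text, tcp_max_syn_backlog, somaxconn,
                     near_limit_ratio=0.8, single_source_share=0.8, min_half_open=5):
    """Summarise half-open sockets and flag the two conditions seen in this lab.

    tcp_max_syn_backlog / somaxconn are the sysctl values read on the host.
    Treating the smaller of the two as the effective SYN-queue bound is an
    assumption of this example, not a kernel guarantee.
    """
    half_open = [s for s in parse_ss(text) if s["state"] == "SYN-RECV"]
    per_port = Counter(s["local_port"] for s in half_open)
    per_peer = Counter(s["peer_addr"] for s in half_open)
    bound = min(tcp_max_syn_backlog, somaxconn)
    total = len(half_open)
    top_peer, top_count = per_peer.most_common(1)[0] if per_peer else (None, 0)
    dominant = top_peer if (total >= min_half_open
                            and top_count >= single_source_share * total) else None
    return {
        "half_open": total,
        "per_port": dict(per_port),
        "per_peer": dict(per_peer),
        "backlog_bound": bound,
        # the SYN queue is filling up: new SYNs are about to be dropped or cookie'd
        "near_limit": total >= near_limit_ratio * bound,
        # one peer address dominates: consistent with a spoofed single-source SYN flood
        "dominant_peer": dominant,
    }


if __name__ == "__main__":
    # On a live host, feed in the output of `ss -antu` and the values read from
    # /proc/sys/net/ipv4/tcp_max_syn_backlog and /proc/sys/net/core/somaxconn.
    summary = syn_recv_summary(SAMPLE_SS, tcp_max_syn_backlog=128, somaxconn=128)
    for key, value in summary.items():
        print(f"{key}: {value}")
```

With the default 128/128 sysctls the constructed sample is far from the bound but already flags 10.1.1.123 as the dominant peer; rerunning with a smaller bound (or a fuller `ss` snapshot such as the one above) flips `near_limit` as well.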
```
configure terminal
!
access-list 101 permit tcp any 198.51.100.0 0.0.0.255
!
ip tcp intercept list 101
!
! default mode
ip tcp intercept mode intercept
!
interface GigabitEthernet 0/1
 ip access-group 101 in
!
end
```
```
debug ip tcp intercept
```
```
curl 198.51.100.252
sudo hping3 -I enp0s3 -i 60 -S -p 80 198.51.100.252
```
```
ubuntu@ubuntu-1:~$ curl 198.51.100.252
hello
ubuntu@ubuntu-1:~$ sudo hping3 -I enp0s3 -i 1800 -S -p 80 198.51.100.252
HPING 198.51.100.252 (enp0s3 198.51.100.252): S set, 40 headers + 0 data bytes
len=40 ip=198.51.100.252 ttl=254 id=26 sport=80 flags=SA seq=0 win=0 rtt=4.8 ms
DUP! len=40 ip=198.51.100.252 ttl=254 id=27 sport=80 flags=SA seq=0 win=0 rtt=1012.7 ms
DUP! len=40 ip=198.51.100.252 ttl=254 id=28 sport=80 flags=SA seq=0 win=0 rtt=3012.9 ms
DUP! len=40 ip=198.51.100.252 ttl=254 id=29 sport=80 flags=SA seq=0 win=0 rtt=7012.4 ms
DUP! len=40 ip=198.51.100.252 ttl=254 id=30 sport=80 flags=SA seq=0 win=0 rtt=15012.6 ms
DUP! len=40 ip=198.51.100.252 ttl=254 id=31 sport=80 flags=RA seq=0 win=0 rtt=31045.0 ms
```
```
ubuntu@ubuntu-2:/var/www/html$ sudo tcpdump -i enp0s3 tcp and port 80
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on enp0s3, link-type EN10MB (Ethernet), capture size 262144 bytes
22:18:16.752606 IP 10.1.1.253.45884 > ubuntu-2.http: Flags [S], seq 2425271359, win 64240, options [mss 1460,sackOK,TS val 2690830912 ecr 0,nop,wscale 7], length 0
22:18:16.752634 IP ubuntu-2.http > 10.1.1.253.45884: Flags [S.], seq 2886572594, ack 2425271360, win 65160, options [mss 1460,sackOK,TS val 3020441364 ecr 2690830912,nop,wscale 7], length 0
22:18:16.754379 IP 10.1.1.253.45884 > ubuntu-2.http: Flags [.], ack 1, win 64240, length 0
22:18:16.758406 IP 10.1.1.253.45884 > ubuntu-2.http: Flags [P.], seq 1:79, ack 1, win 64240, length 78: HTTP: GET / HTTP/1.1
22:18:16.758430 IP ubuntu-2.http > 10.1.1.253.45884: Flags [.], ack 79, win 509, options [nop,nop,TS val 3020441370 ecr 2690830912], length 0
22:18:16.758667 IP ubuntu-2.http > 10.1.1.253.45884: Flags [P.], seq 1:154, ack 79, win 509, options [nop,nop,TS val 3020441370 ecr 2690830912], length 153: HTTP: HTTP/1.1 200 OK
22:18:16.762472 IP 10.1.1.253.45884 > ubuntu-2.http: Flags [.], ack 154, win 64087, length 0
```
```
ubuntu@ubuntu-2:/var/www/html$ sudo tcpdump -nni enp0s3 tcp and port 80
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on enp0s3, link-type EN10MB (Ethernet), capture size 262144 bytes
22:20:56.463058 IP 10.1.1.253.45886 > 198.51.100.252.80: Flags [S], seq 3648753164, win 64240, options [mss 1460,sackOK,TS val 2690990623 ecr 0,nop,wscale 7], length 0
22:20:56.463112 IP 198.51.100.252.80 > 10.1.1.253.45886: Flags [S.], seq 377875477, ack 3648753165, win 65160, options [mss 1460,sackOK,TS val 3020601075 ecr 2690990623,nop,wscale 7], length 0
22:20:56.465868 IP 10.1.1.253.45886 > 198.51.100.252.80: Flags [.], ack 1, win 64240, length 0
22:20:56.468652 IP 10.1.1.253.45886 > 198.51.100.252.80: Flags [P.], seq 1:79, ack 1, win 64240, length 78: HTTP: GET / HTTP/1.1
22:20:56.468668 IP 198.51.100.252.80 > 10.1.1.253.45886: Flags [.], ack 79, win 509, options [nop,nop,TS val 3020601080 ecr 2690990623], length 0
22:20:56.468932 IP 198.51.100.252.80 > 10.1.1.253.45886: Flags [P.], seq 1:154, ack 79, win 509, options [nop,nop,TS val 3020601080 ecr 2690990623], length 153: HTTP: HTTP/1.1 200 OK
22:20:56.474064 IP 10.1.1.253.45886 > 198.51.100.252.80: Flags [.], ack 154, win 64087, length 0
22:20:56.474913 IP 10.1.1.253.45886 > 198.51.100.252.80: Flags [F.], seq 79, ack 154, win 64087, length 0
22:20:56.474953 IP 198.51.100.252.80 > 10.1.1.253.45886: Flags [F.], seq 154, ack 80, win 509, options [nop,nop,TS val 3020601086 ecr 2690990623], length 0
22:20:56.478772 IP 10.1.1.253.45886 > 198.51.100.252.80: Flags [.], ack 155, win 64086, length 0
^C
10 packets captured
10 packets received by filter
0 packets dropped by kernel
ubuntu@ubuntu-2:/var/www/html$ sudo tcpdump -nni enp0s3 tcp and port 80
```
```
ubuntu@ubuntu-1:~$ sudo hping3 -I enp0s3 -i 1800 -S -p 80 198.51.100.252
HPING 198.51.100.252 (enp0s3 198.51.100.252): S set, 40 headers + 0 data bytes
len=40 ip=198.51.100.252 ttl=254 id=36 sport=80 flags=SA seq=0 win=0 rtt=5.4 ms
DUP! len=40 ip=198.51.100.252 ttl=254 id=37 sport=80 flags=SA seq=0 win=0 rtt=1013.5 ms
DUP! len=40 ip=198.51.100.252 ttl=254 id=38 sport=80 flags=SA seq=0 win=0 rtt=3021.4 ms
```
```
R2#debug ip tcp intercept
TCP intercept debugging is on
R2#
*Sep 30 22:12:41.251: INTERCEPT: new connection (10.1.1.253:2592 SYN -> 198.51.100.252:80)
*Sep 30 22:12:41.252: INTERCEPT(*): (10.1.1.253:2592 <- ACK+SYN 198.51.100.252:80)
*Sep 30 22:12:42.252: INTERCEPT(*): SYNRCVD retransmit 1 (10.1.1.253:2592 <- ACK+SYN 198.51.100.252:80)
R2#
*Sep 30 22:12:44.253: INTERCEPT(*): SYNRCVD retransmit 2 (10.1.1.253:2592 <- ACK+SYN 198.51.100.252:80)
R2#
*Sep 30 22:12:48.252: INTERCEPT(*): SYNRCVD retransmit 3 (10.1.1.253:2592 <- ACK+SYN 198.51.100.252:80)
R2#
*Sep 30 22:12:56.252: INTERCEPT(*): SYNRCVD retransmit 4 (10.1.1.253:2592 <- ACK+SYN 198.51.100.252:80)
R2#
*Sep 30 22:13:12.251: INTERCEPT: SYNRCVD retransmitting too long (10.1.1.253:2592 <-> 198.51.100.252:80)
*Sep 30 22:13:12.252: INTERCEPT(*): (10.1.1.253:2592 <- RST 198.51.100.252:80)
R2#
*Sep 30 22:13:41.002: INTERCEPT: new connection (10.1.1.253:2593 SYN -> 198.51.100.252:80)
*Sep 30 22:13:41.003: INTERCEPT(*): (10.1.1.253:2593 <- ACK+SYN 198.51.100.252:80)
*Sep 30 22:13:42.002: INTERCEPT(*): SYNRCVD retransmit 1 (10.1.1.253:2593 <- ACK+SYN 198.51.100.252:80)
R2#
*Sep 30 22:13:44.002: INTERCEPT(*): SYNRCVD retransmit 2 (10.1.1.253:2593 <- ACK+SYN 198.51.100.252:80)
R2#
*Sep 30 22:13:48.002: INTERCEPT(*): SYNRCVD retransmit 3 (10.1.1.253:2593 <- ACK+SYN 198.51.100.252:80)
R2#
*Sep 30 22:13:56.003: INTERCEPT(*): SYNRCVD retransmit 4 (10.1.1.253:2593 <- ACK+SYN 198.51.100.252:80)
R2#
*Sep 30 22:14:03.915: INTERCEPT: new connection (10.1.1.253:45882 SYN -> 198.51.100.252:80)
*Sep 30 22:14:03.916: INTERCEPT(*): (10.1.1.253:45882 <- ACK+SYN 198.51.100.252:80)
*Sep 30 22:14:03.918: INTERCEPT: 1st half of connection is established (10.1.1.253:45882 ACK -> 198.51.100.252:80)
*Sep 30 22:14:03.920: INTERCEPT(*): (10.1.1.253:45882 SYN -> 198.51.100.252:80)
*Sep 30 22:14:03.920: INTERCEPT: 2nd half of connection established (10.1.1.253:45882 <- ACK+SYN 198.51.100.252:80)
*Sep 30 22:14:03.921: INTERCEPT(*): (10.1.1.253:45882 ACK -> 198.51.100.252:80)
*Sep 30 22:14:03.922: INTERCEPT(*): (10.1.1.253:45882 <- WINDOW 198.51.100.252:80)
R2#
*Sep 30 22:14:08.930: INTERCEPT: ESTAB timing out (10.1.1.253:45882 <-> 198.51.100.252:80)
R2#
*Sep 30 22:14:12.002: INTERCEPT: SYNRCVD retransmitting too long (10.1.1.253:2593 <-> 198.51.100.252:80)
*Sep 30 22:14:12.003: INTERCEPT(*): (10.1.1.253:2593 <- RST 198.51.100.252:80)
R2#
*Sep 30 22:18:00.977: INTERCEPT: new connection (10.1.1.253:45884 SYN -> 198.51.100.252:80)
*Sep 30 22:18:00.977: INTERCEPT(*): (10.1.1.253:45884 <- ACK+SYN 198.51.100.252:80)
*Sep 30 22:18:00.979: INTERCEPT: 1st half of connection is established (10.1.1.253:45884 ACK -> 198.51.100.252:80)
*Sep 30 22:18:00.979: INTERCEPT(*): (10.1.1.253:45884 SYN -> 198.51.100.252:80)
*Sep 30 22:18:00.980: INTERCEPT: 2nd half of connection established (10.1.1.253:45884 <- ACK+SYN 198.51.100.252:80)
*Sep 30 22:18:00.980: INTERCEPT(*): (10.1.1.253:45884 ACK -> 198.51.100.252:80)
*Sep 30 22:18:00.981: INTERCEPT(*): (10.1.1.253:45884 <- WINDOW 198.51.100.252:80)
R2#
*Sep 30 22:18:05.990: INTERCEPT: ESTAB timing out (10.1.1.253:45884 <-> 198.51.100.252:80)
R2#
*Sep 30 22:18:42.855: INTERCEPT: new connection (10.1.1.253:2753 SYN -> 198.51.100.252:80)
*Sep 30 22:18:42.856: INTERCEPT(*): (10.1.1.253:2753 <- ACK+SYN 198.51.100.252:80)
*Sep 30 22:18:43.856: INTERCEPT(*): SYNRCVD retransmit 1 (10.1.1.253:2753 <- ACK+SYN 198.51.100.252:80)
R2#
*Sep 30 22:18:45.856: INTERCEPT(*): SYNRCVD retransmit 2 (10.1.1.253:2753 <- ACK+SYN 198.51.100.252:80)
R2#
*Sep 30 22:18:49.856: INTERCEPT(*): SYNRCVD retransmit 3 (10.1.1.253:2753 <- ACK+SYN 198.51.100.252:80)
R2#
*Sep 30 22:18:57.856: INTERCEPT(*): SYNRCVD retransmit 4 (10.1.1.253:2753 <- ACK+SYN 198.51.100.252:80)
R2#
*Sep 30 22:19:13.855: INTERCEPT: SYNRCVD retransmitting too long (10.1.1.253:2753 <-> 198.51.100.252:80)
*Sep 30 22:19:13.856: INTERCEPT(*): (10.1.1.253:2753 <- RST 198.51.100.252:80)
R2#
*Sep 30 22:20:39.984: INTERCEPT: new connection (10.1.1.253:45886 SYN -> 198.51.100.252:80)
*Sep 30 22:20:39.985: INTERCEPT(*): (10.1.1.253:45886 <- ACK+SYN 198.51.100.252:80)
*Sep 30 22:20:39.987: INTERCEPT: 1st half of connection is established (10.1.1.253:45886 ACK -> 198.51.100.252:80)
*Sep 30 22:20:39.987: INTERCEPT(*): (10.1.1.253:45886 SYN -> 198.51.100.252:80)
*Sep 30 22:20:39.988: INTERCEPT: 2nd half of connection established (10.1.1.253:45886 <- ACK+SYN 198.51.100.252:80)
*Sep 30 22:20:39.988: INTERCEPT(*): (10.1.1.253:45886 ACK -> 198.51.100.252:80)
*Sep 30 22:20:39.989: INTERCEPT(*): (10.1.1.253:45886 <- WINDOW 198.51.100.252:80)
R2#
*Sep 30 22:20:44.997: INTERCEPT: ESTAB timing out (10.1.1.253:45886 <-> 198.51.100.252:80)
R2#
*Sep 30 22:21:36.388: INTERCEPT: new connection (10.1.1.253:2358 SYN -> 198.51.100.252:80)
*Sep 30 22:21:36.388: INTERCEPT(*): (10.1.1.253:2358 <- ACK+SYN 198.51.100.252:80)
*Sep 30 22:21:37.389: INTERCEPT(*): SYNRCVD retransmit 1 (10.1.1.253:2358 <- ACK+SYN 198.51.100.252:80)
R2#
*Sep 30 22:21:39.389: INTERCEPT(*): SYNRCVD retransmit 2 (10.1.1.253:2358 <- ACK+SYN 198.51.100.252:80)
R2#
*Sep 30 22:21:43.389: INTERCEPT(*): SYNRCVD retransmit 3 (10.1.1.253:2358 <- ACK+SYN 198.51.100.252:80)
R2#
*Sep 30 22:21:51.389: INTERCEPT(*): SYNRCVD retransmit 4 (10.1.1.253:2358 <- ACK+SYN 198.51.100.252:80)
R2#
*Sep 30 22:22:07.388: INTERCEPT: SYNRCVD retransmitting too long (10.1.1.253:2358 <-> 198.51.100.252:80)
*Sep 30 22:22:07.388: INTERCEPT(*): (10.1.1.253:2358 <- RST 198.51.100.252:80)
R2#
```
```
configure terminal
!
access-list 101 permit tcp any 198.51.100.0 0.0.0.255
!
ip tcp intercept list 101
!
! watch mode (the default is intercept)
ip tcp intercept mode watch
!
interface GigabitEthernet 0/1
 ip access-group 101 in
!
end
```
```
curl 198.51.100.252
sudo hping3 -I enp0s3 -i 60 -S -p 80 198.51.100.252
```
```
R2#
R2#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R2(config)#ip tcp inter
R2(config)#ip tcp intercept mo
R2(config)#ip tcp intercept mode wa
R2(config)#ip tcp intercept mode watch
R2(config)#end
R2#
*Sep 30 22:24:30.022: %SYS-5-CONFIG_I: Configured from console by console
R2#
*Sep 30 22:26:08.176: INTERCEPT: new connection (10.1.1.253:45888 SYN -> 198.51.100.252:80)
*Sep 30 22:26:08.177: INTERCEPT: (10.1.1.253:45888 <- ACK+SYN 198.51.100.252:80)
*Sep 30 22:26:08.181: INTERCEPT: (10.1.1.253:45888 ACK -> 198.51.100.252:80)
R2#
```
```
ubuntu@ubuntu-2:/var/www/html$ sudo tcpdump -nni enp0s3 tcp and port 80
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on enp0s3, link-type EN10MB (Ethernet), capture size 262144 bytes
22:26:26.644561 IP 10.1.1.253.45888 > 198.51.100.252.80: Flags [S], seq 3649025256, win 64240, options [mss 1460,sackOK,TS val 2691320807 ecr 0,nop,wscale 7], length 0
22:26:26.644587 IP 198.51.100.252.80 > 10.1.1.253.45888: Flags [S.], seq 676254311, ack 3649025257, win 65160, options [mss 1460,sackOK,TS val 3020931256 ecr 2691320807,nop,wscale 7], length 0
22:26:26.650334 IP 10.1.1.253.45888 > 198.51.100.252.80: Flags [.], ack 1, win 502, options [nop,nop,TS val 2691320812 ecr 3020931256], length 0
22:26:26.652239 IP 10.1.1.253.45888 > 198.51.100.252.80: Flags [P.], seq 1:79, ack 1, win 502, options [nop,nop,TS val 2691320812 ecr 3020931256], length 78: HTTP: GET / HTTP/1.1
22:26:26.652276 IP 198.51.100.252.80 > 10.1.1.253.45888: Flags [.], ack 79, win 509, options [nop,nop,TS val 3020931264 ecr 2691320812], length 0
22:26:26.652672 IP 198.51.100.252.80 > 10.1.1.253.45888: Flags [P.], seq 1:154, ack 79, win 509, options [nop,nop,TS val 3020931264 ecr 2691320812], length 153: HTTP: HTTP/1.1 200 OK
22:26:26.655754 IP 10.1.1.253.45888 > 198.51.100.252.80: Flags [.], ack 154, win 501, options [nop,nop,TS val 2691320819 ecr 3020931264], length 0
22:26:26.655777 IP 10.1.1.253.45888 > 198.51.100.252.80: Flags [F.], seq 79, ack 154, win 501, options [nop,nop,TS val 2691320819 ecr 3020931264], length 0
22:26:26.655803 IP 198.51.100.252.80 > 10.1.1.253.45888: Flags [F.], seq 154, ack 80, win 509, options [nop,nop,TS val 3020931267 ecr 2691320819], length 0
22:26:26.659524 IP 10.1.1.253.45888 > 198.51.100.252.80: Flags [.], ack 155, win 501, options [nop,nop,TS val 2691320823 ecr 3020931267], length 0
^C
10 packets captured
10 packets received by filter
0 packets dropped by kernel
ubuntu@ubuntu-2:/var/www/html$ sudo tcpdump -nni enp0s3 tcp and port 80
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on enp0s3, link-type EN10MB (Ethernet), capture size 262144 bytes
```
```
ubuntu@ubuntu-1:~$ sudo hping3 -I enp0s3 -i 1800 -S -p 80 198.51.100.252
HPING 198.51.100.252 (enp0s3 198.51.100.252): S set, 40 headers + 0 data bytes
len=44 ip=198.51.100.252 ttl=62 DF id=0 sport=80 flags=SA seq=0 win=64240 rtt=13.3 ms
```
```
ubuntu@ubuntu-2:/var/www/html$ sudo tcpdump -nni enp0s3 tcp and port 80
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on enp0s3, link-type EN10MB (Ethernet), capture size 262144 bytes
22:30:00.444812 IP 10.1.1.253.2879 > 198.51.100.252.80: Flags [S], seq 1140506343, win 512, length 0
22:30:00.444840 IP 198.51.100.252.80 > 10.1.1.253.2879: Flags [S.], seq 283107734, ack 1140506344, win 64240, options [mss 1460], length 0
22:30:00.450001 IP 10.1.1.253.2879 > 198.51.100.252.80: Flags [R], seq 1140506344, win 0, length 0
22:30:30.648045 IP 10.1.1.253.2879 > 198.51.100.252.80: Flags [R.], seq 1, ack 1, win 0, length 0
```
```
R2#
*Sep 30 22:29:40.920: INTERCEPT: new connection (10.1.1.253:2879 SYN -> 198.51.100.252:80)
*Sep 30 22:29:40.921: INTERCEPT: (10.1.1.253:2879 <- ACK+SYN 198.51.100.252:80)
R2#
*Sep 30 22:30:10.920: INTERCEPT: SYNRCVD timing out (10.1.1.253:2879 <-> 198.51.100.252:80)
*Sep 30 22:30:10.921: INTERCEPT(*): (10.1.1.253:2879 RST -> 198.51.100.252:80)
R2#
```
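The two debug sessions above (intercept mode with `ip tcp intercept mode intercept`, watch mode with `ip tcp intercept mode watch`) differ in who answers the SYN and what happens when the handshake is never completed. In intercept mode hping3 received the SYN+ACK from the router (ttl=254, win=0) and saw it again after roughly 1, 3, 7 and 15 s before a RST at about 31 s; only after the client's ACK did the router open the "2nd half" to the server. In watch mode hping3 received the server's own SYN+ACK (ttl=62, win=64240) and 30 s later the router sent a RST towards the server (`10.1.1.253:2879 RST -> 198.51.100.252:80`) to clear the half-open socket. The following script is an added example written for these notes, not Cisco's implementation or anything from the PG1X wiki: it is a timeline model whose timer values (1/2/4/8/16 s back-off, 31 s give-up, 30 s watch timeout) are assumptions reconstructed from the debug timestamps and hping3 RTTs on this page, and it replays both modes for a SYN that is never acknowledged and for a real client that ACKs promptly.

```python
"""Timeline model of Cisco TCP Intercept in intercept and watch mode.

Added example for these lab notes. Timer values are assumptions reconstructed
from the `debug ip tcp intercept` output and hping3 RTTs in the notes, not
taken from Cisco documentation or code.
"""

# Seconds between successive timer expiries in intercept mode: SYN+ACK
# retransmits at 1, 3, 7 and 15 s, "retransmitting too long" at 31 s.
INTERCEPT_TIMERS = [1, 2, 4, 8, 16]
# Seconds a watched handshake may stay half-open before the router resets it.
WATCH_TIMEOUT = 30


def simulate(mode, client_ack_at=None):
    """Return a list of (seconds, actor, event) for one client SYN arriving at t=0.

    client_ack_at: seconds after the SYN at which the client sends its ACK, or
    None for a SYN that is never acknowledged (hping3 -S, or a spoofed source).
    """
    events = [(0.0, "client", "SYN -> server:80")]
    if mode == "intercept":
        # The router answers on the server's behalf; the server has not seen the SYN.
        events.append((0.0, "router", "SYN+ACK -> client (router-generated, win=0)"))
        t = 0.0
        for n, delay in enumerate(INTERCEPT_TIMERS, 1):
            if client_ack_at is not None and client_ack_at < t + delay:
                break  # the client's ACK arrives before this timer fires
            t += delay
            if n < len(INTERCEPT_TIMERS):
                events.append((t, "router", f"SYNRCVD retransmit {n}: SYN+ACK -> client"))
            else:
                events.append((t, "router", "SYNRCVD retransmitting too long: RST -> client"))
                return events
        # 1st half established: the router now opens the 2nd half to the real
        # server and splices the two, as in the "1st half"/"2nd half"/WINDOW debug lines.
        a = client_ack_at
        events += [
            (a, "client", "ACK -> router (1st half established)"),
            (a, "router", "SYN -> server (2nd half)"),
            (a, "server", "SYN+ACK -> router"),
            (a, "router", "ACK -> server (2nd half established)"),
            (a, "router", "WINDOW -> client (connection spliced)"),
        ]
        return events
    if mode == "watch":
        # The router only watches; the real server answers and holds the half-open socket.
        events.append((0.0, "server", "SYN+ACK -> client (server-generated, win=64240)"))
        if client_ack_at is not None and client_ack_at < WATCH_TIMEOUT:
            events.append((client_ack_at, "client", "ACK -> server (handshake complete)"))
            return events
        events.append((float(WATCH_TIMEOUT), "router",
                       "SYNRCVD timing out: RST -> server (frees the half-open socket)"))
        return events
    raise ValueError(f"unknown mode: {mode}")


def synack_times(events):
    """Seconds at which the client receives a SYN+ACK (compare with hping3's rtt column)."""
    return [t for t, _, ev in events if "SYN+ACK -> client" in ev]


def router_times(events):
    """Seconds at which the router itself injects a segment."""
    return [t for t, actor, _ in events if actor == "router"]


if __name__ == "__main__":
    for mode in ("intercept", "watch"):
        print(f"--- {mode} mode, client never ACKs (hping3 -S) ---")
        for t, actor, ev in simulate(mode):
            print(f"t={t:6.2f}s  {actor:<6} {ev}")
    print("--- intercept mode, real client (curl) ACKs after 3 ms ---")
    for t, actor, ev in simulate("intercept", client_ack_at=0.003):
        print(f"t={t:6.3f}s  {actor:<6} {ev}")
```

Running it prints the same shape as the lab: five SYN+ACKs spread over 15 s and a RST at 31 s in intercept mode, a single server SYN+ACK followed by a router-injected RST towards the server at 30 s in watch mode, and no retransmits at all for a client that completes its half of the handshake in a few milliseconds.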
Wireshark Packet Capture Result
R1-R2
R2-SW1