INCOMPLETE: Cisco: ACL: TCP Intercept

DO NOT USE THIS CODE IN THE REAL WORLD. OTHERWISE, YOU WILL BE ARRESTED.

Tasks

  1. SYN flood attack without TCP Intercept
  2. SYN flood attack with TCP Intercept (intercept mode)
  3. SYN flood attack with TCP Intercept (watch mode)

Needs more verification

  1. Apache responds with ''[SYN,ACK]'' immediately after ''[SYN]''; it seems we need a real (ham) client to exhaust more Apache resources.

Topology TCP Intercept

network-security.acl.tcp-intercept.2rt.3sw.3node.1ext-conn.static.ac6665a0

- Topology Description: TCP Intercept
- Topology ID: ''0d4a0667-b035-4ac8-ba82-80c6057dd5d1''
- Design and Technology:
  - TCP Intercept
  - Routing Protocol
    - static
  - 2 routers
  - 3 servers
- Remarks: N/A

### Links

Cisco: TCP Intercept [PG1X WIKI]
https://pg1x.com/tech:network:cisco:security:network-security:acl:tcp-intercept:tcp-intercept

Base Configuration

Common Configuration Snippet

ubuntu-0

ubuntu-1

ubuntu-2

R1

R2

Lab server configuration

  • ubuntu-1 Attacker
ubuntu@ubuntu-0:~$ sudo apt search hping3
Sorting... Done
Full Text Search... Done
hping3/bionic 3.a2.ds2-7 amd64
  Active Network Smashing Tool

ubuntu@ubuntu-0:~$ sudo apt install hping3
man 8 hping3
  • ubuntu-2 Apache Web Server
sudo apt install apache2

If ubuntu-2 is in an operational state, ubuntu-0 can retrieve the HTTP document.

  • ubuntu-0 Normal Web Client
ubuntu@ubuntu-0:~$ time curl -I 198.51.100.252
HTTP/1.1 200 OK
Date: Sun, 27 Sep 2020 04:21:15 GMT
Server: Apache/2.4.29 (Ubuntu)
Content-Type: text/html; charset=UTF-8


real    0m0.013s
user    0m0.000s
sys     0m0.005s
ubuntu@ubuntu-2:~$ ss -antu
Netid       State         Recv-Q        Send-Q                                  Local Address:Port               Peer Address:Port
udp         UNCONN        0             0                                       127.0.0.53%lo:53                      0.0.0.0:*
udp         UNCONN        0             0                                  10.0.255.34%enp0s2:68                      0.0.0.0:*
udp         UNCONN        0             0                     [fe80::5054:ff:fe00:6ef]%enp0s2:546                        [::]:*
tcp         LISTEN        0             128                                     127.0.0.53%lo:53                      0.0.0.0:*
tcp         LISTEN        0             128                                           0.0.0.0:22                      0.0.0.0:*
tcp         LISTEN        0             128                                         127.0.0.1:6010                    0.0.0.0:*
tcp         ESTAB         0             96                                        10.0.255.34:22                   10.0.255.8:6933
tcp         LISTEN        0             128                                                 *:80                            *:*
tcp         LISTEN        0             128                                              [::]:22                         [::]:*
tcp         LISTEN        0             128                                             [::1]:6010                       [::]:*

Verification: SYN flood attack without TCP Intercept

  • ubuntu-0
time curl -I 198.51.100.252
  • ubuntu-1
sudo hping3 -I enp0s3 --spoof 10.1.1.123 --flood -S -p 80 198.51.100.252
  • Wireshark Display Filter
tcp.port == 80
  • ubuntu-2
tmux
top -d 1 -c
watch -n1 ss -antu
watch -n1 "ss -antu | fgrep SYN-RECV | wc -l "
sudo tail -f /var/log/apache2/error.log

ubuntu@ubuntu-2:~$ ss -antu | tail
tcp    SYN-RECV   0        0                     [::ffff:198.51.100.252]:80                                 [::ffff:10.1.1.123]:1198
tcp    SYN-RECV   0        0                     [::ffff:198.51.100.252]:80                                 [::ffff:10.1.1.123]:1186
tcp    SYN-RECV   0        0                     [::ffff:198.51.100.252]:80                                 [::ffff:10.1.1.123]:15298
tcp    SYN-RECV   0        0                     [::ffff:198.51.100.252]:80                                 [::ffff:10.1.1.123]:1187
tcp    SYN-RECV   0        0                     [::ffff:198.51.100.252]:80                                 [::ffff:10.1.1.123]:1231
tcp    SYN-RECV   0        0                     [::ffff:198.51.100.252]:80                                 [::ffff:10.1.1.123]:1202
tcp    SYN-RECV   0        0                     [::ffff:198.51.100.252]:80                                 [::ffff:10.1.1.123]:1191
tcp    SYN-RECV   0        0                     [::ffff:198.51.100.252]:80                                 [::ffff:10.1.1.123]:1234
tcp    SYN-RECV   0        0                     [::ffff:198.51.100.252]:80                                 [::ffff:10.1.1.123]:16580
tcp    SYN-RECV   0        0                     [::ffff:198.51.100.252]:80                                 [::ffff:10.1.1.123]:15376
ubuntu@ubuntu-0:~$ time curl -I 198.51.100.252
HTTP/1.1 200 OK
Date: Sun, 27 Sep 2020 05:09:22 GMT
Server: Apache/2.4.29 (Ubuntu)
Content-Type: text/html; charset=UTF-8


real    0m7.464s
user    0m0.008s
sys     0m0.000s
ip.addr == 10.1.1.254

Wireshark Packet Capture Result

Try to curl from outside the CML-P environment while the SYN flood attack is running.

wnoguchi@LASTHOPE MINGW64 ~/Nextcloud/Documents/certification/cisco/ccie/enterprise-infrastructure-v1.0/pcap
$ time curl -I 10.0.255.34
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0HTTP/1.1 200 OK
Date: Sun, 27 Sep 2020 05:52:19 GMT
Server: Apache/2.4.29 (Ubuntu)
Content-Type: text/html; charset=UTF-8



real    0m0.040s
user    0m0.000s
sys     0m0.000s
ip.addr == 10.0.255.34 and tcp.port == 80

Hmmm, the response is still quite fast even under the SYN flood attack.

ubuntu@ubuntu-2:~$ free -m
              total        used        free      shared  buff/cache   available
Mem:           1993         111        1455           2         425        1736
Swap:             0           0           0

Resources are not busy; the slow response time comes from the router's spec limitations.

OK. Increase the Apache resource limits.

sudo vim /etc/apache2/mods-available/mpm_prefork.conf
/etc/apache2/mods-available/mpm_prefork.conf
<IfModule mpm_prefork_module>
        StartServers                     5
        MinSpareServers           5
        MaxSpareServers          10
        MaxRequestWorkers         150
        MaxConnectionsPerChild   0
</IfModule>

change to

/etc/apache2/mods-available/mpm_prefork.conf
<IfModule mpm_prefork_module>
        StartServers                     5
        MinSpareServers           5
        MaxSpareServers          1000
        MaxRequestWorkers         150
        MaxConnectionsPerChild   0
</IfModule>
sudo apachectl configtest
sudo systemctl restart apache2
net.core.somaxconn
net.ipv4.tcp_max_syn_backlog
root@ubuntu-2:~# cat /proc/sys/net/core/somaxconn
128
root@ubuntu-2:~# echo 8192 >/proc/sys/net/core/somaxconn
root@ubuntu-2:~# cat /proc/sys/net/core/somaxconn
8192
root@ubuntu-2:~# cat /proc/sys/net/ipv4/tcp_max_syn_backlog
128
root@ubuntu-2:~# echo 8192 >/proc/sys/net/ipv4/tcp_max_syn_backlog
root@ubuntu-2:~# cat /proc/sys/net/ipv4/tcp_max_syn_backlog
8192
root@ubuntu-2:~# vim /etc/sysctl.conf
root@ubuntu-2:~# sysctl -p
net.core.somaxconn = 10000000
net.ipv4.tcp_max_syn_backlog = 10000000
systemctl restart apache2
/etc/apache2/conf-available/synflood.conf
ListenBacklog 10000000
a2enconf synflood
systemctl restart apache2

Ready… but there seems to be no effect…

Configure TCP Intercept with intercept mode

  • R2
configure terminal
!
access-list 101 permit tcp any 198.51.100.0 0.0.0.255
!
ip tcp intercept list 101
!
! default mode
ip tcp intercept mode intercept
!
interface GigabitEthernet 0/1
 ip access-group 101 in
!
end

Verification

  • R2
debug ip tcp intercept
  • ubuntu-1
curl 198.51.100.252
sudo hping3 -I enp0s3 -i 60 -S -p 80 198.51.100.252
ubuntu@ubuntu-1:~$ curl 198.51.100.252
hello
ubuntu@ubuntu-1:~$ sudo hping3 -I enp0s3 -i 1800 -S -p 80 198.51.100.252
HPING 198.51.100.252 (enp0s3 198.51.100.252): S set, 40 headers + 0 data bytes
len=40 ip=198.51.100.252 ttl=254 id=26 sport=80 flags=SA seq=0 win=0 rtt=4.8 ms
DUP! len=40 ip=198.51.100.252 ttl=254 id=27 sport=80 flags=SA seq=0 win=0 rtt=1012.7 ms
DUP! len=40 ip=198.51.100.252 ttl=254 id=28 sport=80 flags=SA seq=0 win=0 rtt=3012.9 ms
DUP! len=40 ip=198.51.100.252 ttl=254 id=29 sport=80 flags=SA seq=0 win=0 rtt=7012.4 ms
DUP! len=40 ip=198.51.100.252 ttl=254 id=30 sport=80 flags=SA seq=0 win=0 rtt=15012.6 ms
DUP! len=40 ip=198.51.100.252 ttl=254 id=31 sport=80 flags=RA seq=0 win=0 rtt=31045.0 ms
ubuntu@ubuntu-2:/var/www/html$ sudo tcpdump -i enp0s3 tcp and port 80
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on enp0s3, link-type EN10MB (Ethernet), capture size 262144 bytes
22:18:16.752606 IP 10.1.1.253.45884 > ubuntu-2.http: Flags [S], seq 2425271359, win 64240, options [mss 1460,sackOK,TS val 2690830912 ecr 0,nop,wscale 7], length 0
22:18:16.752634 IP ubuntu-2.http > 10.1.1.253.45884: Flags [S.], seq 2886572594, ack 2425271360, win 65160, options [mss 1460,sackOK,TS val 3020441364 ecr 2690830912,nop,wscale 7], length 0
22:18:16.754379 IP 10.1.1.253.45884 > ubuntu-2.http: Flags [.], ack 1, win 64240, length 0
22:18:16.758406 IP 10.1.1.253.45884 > ubuntu-2.http: Flags [P.], seq 1:79, ack 1, win 64240, length 78: HTTP: GET / HTTP/1.1
22:18:16.758430 IP ubuntu-2.http > 10.1.1.253.45884: Flags [.], ack 79, win 509, options [nop,nop,TS val 3020441370 ecr 2690830912], length 0
22:18:16.758667 IP ubuntu-2.http > 10.1.1.253.45884: Flags [P.], seq 1:154, ack 79, win 509, options [nop,nop,TS val 3020441370 ecr 2690830912], length 153: HTTP: HTTP/1.1 200 OK
22:18:16.762472 IP 10.1.1.253.45884 > ubuntu-2.http: Flags [.], ack 154, win 64087, length 0
ubuntu@ubuntu-2:/var/www/html$ sudo tcpdump -nni enp0s3 tcp and port 80
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on enp0s3, link-type EN10MB (Ethernet), capture size 262144 bytes
22:20:56.463058 IP 10.1.1.253.45886 > 198.51.100.252.80: Flags [S], seq 3648753164, win 64240, options [mss 1460,sackOK,TS val 2690990623 ecr 0,nop,wscale 7], length 0
22:20:56.463112 IP 198.51.100.252.80 > 10.1.1.253.45886: Flags [S.], seq 377875477, ack 3648753165, win 65160, options [mss 1460,sackOK,TS val 3020601075 ecr 2690990623,nop,wscale 7], length 0
22:20:56.465868 IP 10.1.1.253.45886 > 198.51.100.252.80: Flags [.], ack 1, win 64240, length 0
22:20:56.468652 IP 10.1.1.253.45886 > 198.51.100.252.80: Flags [P.], seq 1:79, ack 1, win 64240, length 78: HTTP: GET / HTTP/1.1
22:20:56.468668 IP 198.51.100.252.80 > 10.1.1.253.45886: Flags [.], ack 79, win
509, options [nop,nop,TS val 3020601080 ecr 2690990623], length 0
22:20:56.468932 IP 198.51.100.252.80 > 10.1.1.253.45886: Flags [P.], seq 1:154,
ack 79, win 509, options [nop,nop,TS val 3020601080 ecr 2690990623], length 153: HTTP: HTTP/1.1 200 OK
22:20:56.474064 IP 10.1.1.253.45886 > 198.51.100.252.80: Flags [.], ack 154, win 64087, length 0
22:20:56.474913 IP 10.1.1.253.45886 > 198.51.100.252.80: Flags [F.], seq 79, ack 154, win 64087, length 0
22:20:56.474953 IP 198.51.100.252.80 > 10.1.1.253.45886: Flags [F.], seq 154, ack 80, win 509, options [nop,nop,TS val 3020601086 ecr 2690990623], length 0
22:20:56.478772 IP 10.1.1.253.45886 > 198.51.100.252.80: Flags [.], ack 155, win 64086, length 0
^C
10 packets captured
10 packets received by filter
0 packets dropped by kernel
ubuntu@ubuntu-2:/var/www/html$ sudo tcpdump -nni enp0s3 tcp and port 80
ubuntu@ubuntu-1:~$ sudo hping3 -I enp0s3 -i 1800 -S -p 80 198.51.100.252
HPING 198.51.100.252 (enp0s3 198.51.100.252): S set, 40 headers + 0 data bytes
len=40 ip=198.51.100.252 ttl=254 id=36 sport=80 flags=SA seq=0 win=0 rtt=5.4 ms
DUP! len=40 ip=198.51.100.252 ttl=254 id=37 sport=80 flags=SA seq=0 win=0 rtt=1013.5 ms
DUP! len=40 ip=198.51.100.252 ttl=254 id=38 sport=80 flags=SA seq=0 win=0 rtt=3021.4 ms
R2#debug ip tcp intercept 
TCP intercept debugging is on
R2#
*Sep 30 22:12:41.251: INTERCEPT: new connection (10.1.1.253:2592 SYN -> 198.51.100.252:80)
*Sep 30 22:12:41.252: INTERCEPT(*): (10.1.1.253:2592 <- ACK+SYN 198.51.100.252:80)
*Sep 30 22:12:42.252: INTERCEPT(*): SYNRCVD retransmit 1 (10.1.1.253:2592 <- ACK+SYN 198.51.100.252:80)
R2#
*Sep 30 22:12:44.253: INTERCEPT(*): SYNRCVD retransmit 2 (10.1.1.253:2592 <- ACK+SYN 198.51.100.252:80)
R2#
*Sep 30 22:12:48.252: INTERCEPT(*): SYNRCVD retransmit 3 (10.1.1.253:2592 <- ACK+SYN 198.51.100.252:80)
R2#
*Sep 30 22:12:56.252: INTERCEPT(*): SYNRCVD retransmit 4 (10.1.1.253:2592 <- ACK+SYN 198.51.100.252:80)
R2#
*Sep 30 22:13:12.251: INTERCEPT: SYNRCVD retransmitting too long (10.1.1.253:2592 <-> 198.51.100.252:80)
*Sep 30 22:13:12.252: INTERCEPT(*): (10.1.1.253:2592 <- RST 198.51.100.252:80)
R2#
*Sep 30 22:13:41.002: INTERCEPT: new connection (10.1.1.253:2593 SYN -> 198.51.100.252:80)
*Sep 30 22:13:41.003: INTERCEPT(*): (10.1.1.253:2593 <- ACK+SYN 198.51.100.252:80)
*Sep 30 22:13:42.002: INTERCEPT(*): SYNRCVD retransmit 1 (10.1.1.253:2593 <- ACK+SYN 198.51.100.252:80)
R2#
*Sep 30 22:13:44.002: INTERCEPT(*): SYNRCVD retransmit 2 (10.1.1.253:2593 <- ACK+SYN 198.51.100.252:80)
R2#
*Sep 30 22:13:48.002: INTERCEPT(*): SYNRCVD retransmit 3 (10.1.1.253:2593 <- ACK+SYN 198.51.100.252:80)
R2#
*Sep 30 22:13:56.003: INTERCEPT(*): SYNRCVD retransmit 4 (10.1.1.253:2593 <- ACK+SYN 198.51.100.252:80)
R2#
*Sep 30 22:14:03.915: INTERCEPT: new connection (10.1.1.253:45882 SYN -> 198.51.100.252:80)
*Sep 30 22:14:03.916: INTERCEPT(*): (10.1.1.253:45882 <- ACK+SYN 198.51.100.252:80)
*Sep 30 22:14:03.918: INTERCEPT: 1st half of connection is established (10.1.1.253:45882 ACK -> 198.51.100.252:80)
*Sep 30 22:14:03.920: INTERCEPT(*): (10.1.1.253:45882 SYN -> 198.51.100.252:80)
*Sep 30 22:14:03.920: INTERCEPT: 2nd half of connection established  (10.1.1.253:45882 <- ACK+SYN 198.51.100.252:80)
*Sep 30 22:14:03.921: INTERCEPT(*): (10.1.1.253:45882 ACK -> 198.51.100.252:80)
*Sep 30 22:14:03.922: INTERCEPT(*): (10.1.1.253:45882 <- WINDOW 198.51.100.252:80)
R2#
*Sep 30 22:14:08.930: INTERCEPT: ESTAB timing out (10.1.1.253:45882 <-> 198.51.100.252:80)
R2#
*Sep 30 22:14:12.002: INTERCEPT: SYNRCVD retransmitting too long (10.1.1.253:2593 <-> 198.51.100.252:80)
*Sep 30 22:14:12.003: INTERCEPT(*): (10.1.1.253:2593 <- RST 198.51.100.252:80)
R2#
*Sep 30 22:18:00.977: INTERCEPT: new connection (10.1.1.253:45884 SYN -> 198.51.100.252:80)
*Sep 30 22:18:00.977: INTERCEPT(*): (10.1.1.253:45884 <- ACK+SYN 198.51.100.252:80)
*Sep 30 22:18:00.979: INTERCEPT: 1st half of connection is established (10.1.1.253:45884 ACK -> 198.51.100.252:80)
*Sep 30 22:18:00.979: INTERCEPT(*): (10.1.1.253:45884 SYN -> 198.51.100.252:80)
*Sep 30 22:18:00.980: INTERCEPT: 2nd half of connection established  (10.1.1.253:45884 <- ACK+SYN 198.51.100.252:80)
*Sep 30 22:18:00.980: INTERCEPT(*): (10.1.1.253:45884 ACK -> 198.51.100.252:80)
*Sep 30 22:18:00.981: INTERCEPT(*): (10.1.1.253:45884 <- WINDOW 198.51.100.252:80)
R2#
*Sep 30 22:18:05.990: INTERCEPT: ESTAB timing out (10.1.1.253:45884 <-> 198.51.100.252:80)
R2#
*Sep 30 22:18:42.855: INTERCEPT: new connection (10.1.1.253:2753 SYN -> 198.51.100.252:80)
*Sep 30 22:18:42.856: INTERCEPT(*): (10.1.1.253:2753 <- ACK+SYN 198.51.100.252:80)
*Sep 30 22:18:43.856: INTERCEPT(*): SYNRCVD retransmit 1 (10.1.1.253:2753 <- ACK+SYN 198.51.100.252:80)
R2#
*Sep 30 22:18:45.856: INTERCEPT(*): SYNRCVD retransmit 2 (10.1.1.253:2753 <- ACK+SYN 198.51.100.252:80)
R2#
*Sep 30 22:18:49.856: INTERCEPT(*): SYNRCVD retransmit 3 (10.1.1.253:2753 <- ACK+SYN 198.51.100.252:80)
R2#
*Sep 30 22:18:57.856: INTERCEPT(*): SYNRCVD retransmit 4 (10.1.1.253:2753 <- ACK+SYN 198.51.100.252:80)
R2#
*Sep 30 22:19:13.855: INTERCEPT: SYNRCVD retransmitting too long (10.1.1.253:2753 <-> 198.51.100.252:80)
*Sep 30 22:19:13.856: INTERCEPT(*): (10.1.1.253:2753 <- RST 198.51.100.252:80)
R2#
*Sep 30 22:20:39.984: INTERCEPT: new connection (10.1.1.253:45886 SYN -> 198.51.100.252:80)
*Sep 30 22:20:39.985: INTERCEPT(*): (10.1.1.253:45886 <- ACK+SYN 198.51.100.252:80)
*Sep 30 22:20:39.987: INTERCEPT: 1st half of connection is established (10.1.1.253:45886 ACK -> 198.51.100.252:80)
*Sep 30 22:20:39.987: INTERCEPT(*): (10.1.1.253:45886 SYN -> 198.51.100.252:80)
*Sep 30 22:20:39.988: INTERCEPT: 2nd half of connection established  (10.1.1.253:45886 <- ACK+SYN 198.51.100.252:80)
*Sep 30 22:20:39.988: INTERCEPT(*): (10.1.1.253:45886 ACK -> 198.51.100.252:80)
*Sep 30 22:20:39.989: INTERCEPT(*): (10.1.1.253:45886 <- WINDOW 198.51.100.252:80)
R2#
*Sep 30 22:20:44.997: INTERCEPT: ESTAB timing out (10.1.1.253:45886 <-> 198.51.100.252:80)
R2#
*Sep 30 22:21:36.388: INTERCEPT: new connection (10.1.1.253:2358 SYN -> 198.51.100.252:80)
*Sep 30 22:21:36.388: INTERCEPT(*): (10.1.1.253:2358 <- ACK+SYN 198.51.100.252:80)
*Sep 30 22:21:37.389: INTERCEPT(*): SYNRCVD retransmit 1 (10.1.1.253:2358 <- ACK+SYN 198.51.100.252:80)
R2#
*Sep 30 22:21:39.389: INTERCEPT(*): SYNRCVD retransmit 2 (10.1.1.253:2358 <- ACK+SYN 198.51.100.252:80)
R2#
*Sep 30 22:21:43.389: INTERCEPT(*): SYNRCVD retransmit 3 (10.1.1.253:2358 <- ACK+SYN 198.51.100.252:80)
R2#
*Sep 30 22:21:51.389: INTERCEPT(*): SYNRCVD retransmit 4 (10.1.1.253:2358 <- ACK+SYN 198.51.100.252:80)
R2#
*Sep 30 22:22:07.388: INTERCEPT: SYNRCVD retransmitting too long (10.1.1.253:2358 <-> 198.51.100.252:80)
*Sep 30 22:22:07.388: INTERCEPT(*): (10.1.1.253:2358 <- RST 198.51.100.252:80)
R2#

Configure TCP Intercept with watch mode

  • R2
configure terminal
!
access-list 101 permit tcp any 198.51.100.0 0.0.0.255
!
ip tcp intercept list 101
!
! non-default mode (the default is intercept)
ip tcp intercept mode watch
!
interface GigabitEthernet 0/1
 ip access-group 101 in
!
end

Verification

  • ubuntu-1
curl 198.51.100.252
sudo hping3 -I enp0s3 -i 60 -S -p 80 198.51.100.252
R2#
R2#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R2(config)#ip tcp inter
R2(config)#ip tcp intercept mo
R2(config)#ip tcp intercept mode wa
R2(config)#ip tcp intercept mode watch 
R2(config)#end
R2#
*Sep 30 22:24:30.022: %SYS-5-CONFIG_I: Configured from console by console
R2#
*Sep 30 22:26:08.176: INTERCEPT: new connection (10.1.1.253:45888 SYN -> 198.51.100.252:80)
*Sep 30 22:26:08.177: INTERCEPT: (10.1.1.253:45888 <- ACK+SYN 198.51.100.252:80)
*Sep 30 22:26:08.181: INTERCEPT: (10.1.1.253:45888 ACK -> 198.51.100.252:80)
R2#
ubuntu@ubuntu-2:/var/www/html$ sudo tcpdump -nni enp0s3 tcp and port 80
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on enp0s3, link-type EN10MB (Ethernet), capture size 262144 bytes
22:26:26.644561 IP 10.1.1.253.45888 > 198.51.100.252.80: Flags [S], seq 3649025256, win 64240, options [mss 1460,sackOK,TS val 2691320807 ecr 0,nop,wscale 7], length 0
22:26:26.644587 IP 198.51.100.252.80 > 10.1.1.253.45888: Flags [S.], seq 676254311, ack 3649025257, win 65160, options [mss 1460,sackOK,TS val 3020931256 ecr 2691320807,nop,wscale 7], length 0
22:26:26.650334 IP 10.1.1.253.45888 > 198.51.100.252.80: Flags [.], ack 1, win 502, options [nop,nop,TS val 2691320812 ecr 3020931256], length 0
22:26:26.652239 IP 10.1.1.253.45888 > 198.51.100.252.80: Flags [P.], seq 1:79, ack 1, win 502, options [nop,nop,TS val 2691320812 ecr 3020931256], length 78: HTTP: GET / HTTP/1.1
22:26:26.652276 IP 198.51.100.252.80 > 10.1.1.253.45888: Flags [.], ack 79, win
509, options [nop,nop,TS val 3020931264 ecr 2691320812], length 0
22:26:26.652672 IP 198.51.100.252.80 > 10.1.1.253.45888: Flags [P.], seq 1:154,
ack 79, win 509, options [nop,nop,TS val 3020931264 ecr 2691320812], length 153: HTTP: HTTP/1.1 200 OK
22:26:26.655754 IP 10.1.1.253.45888 > 198.51.100.252.80: Flags [.], ack 154, win 501, options [nop,nop,TS val 2691320819 ecr 3020931264], length 0
22:26:26.655777 IP 10.1.1.253.45888 > 198.51.100.252.80: Flags [F.], seq 79, ack 154, win 501, options [nop,nop,TS val 2691320819 ecr 3020931264], length 0
22:26:26.655803 IP 198.51.100.252.80 > 10.1.1.253.45888: Flags [F.], seq 154, ack 80, win 509, options [nop,nop,TS val 3020931267 ecr 2691320819], length 0
22:26:26.659524 IP 10.1.1.253.45888 > 198.51.100.252.80: Flags [.], ack 155, win 501, options [nop,nop,TS val 2691320823 ecr 3020931267], length 0
^C
10 packets captured
10 packets received by filter
0 packets dropped by kernel
ubuntu@ubuntu-2:/var/www/html$ sudo tcpdump -nni enp0s3 tcp and port 80
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on enp0s3, link-type EN10MB (Ethernet), capture size 262144 bytes
ubuntu@ubuntu-1:~$ sudo hping3 -I enp0s3 -i 1800 -S -p 80 198.51.100.252
HPING 198.51.100.252 (enp0s3 198.51.100.252): S set, 40 headers + 0 data bytes
len=44 ip=198.51.100.252 ttl=62 DF id=0 sport=80 flags=SA seq=0 win=64240 rtt=13.3 ms
ubuntu@ubuntu-2:/var/www/html$ sudo tcpdump -nni enp0s3 tcp and port 80
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on enp0s3, link-type EN10MB (Ethernet), capture size 262144 bytes
22:30:00.444812 IP 10.1.1.253.2879 > 198.51.100.252.80: Flags [S], seq 1140506343, win 512, length 0
22:30:00.444840 IP 198.51.100.252.80 > 10.1.1.253.2879: Flags [S.], seq 283107734, ack 1140506344, win 64240, options [mss 1460], length 0
22:30:00.450001 IP 10.1.1.253.2879 > 198.51.100.252.80: Flags [R], seq 1140506344, win 0, length 0
22:30:30.648045 IP 10.1.1.253.2879 > 198.51.100.252.80: Flags [R.], seq 1, ack 1, win 0, length 0
R2#
*Sep 30 22:29:40.920: INTERCEPT: new connection (10.1.1.253:2879 SYN -> 198.51.100.252:80)
*Sep 30 22:29:40.921: INTERCEPT: (10.1.1.253:2879 <- ACK+SYN 198.51.100.252:80)
R2#
*Sep 30 22:30:10.920: INTERCEPT: SYNRCVD timing out (10.1.1.253:2879 <-> 198.51.100.252:80)
*Sep 30 22:30:10.921: INTERCEPT(*): (10.1.1.253:2879 RST -> 198.51.100.252:80)
R2#
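As an added example (not part of the original page), a Python parser for the `debug ip tcp intercept` lines shown in both the intercept-mode and watch-mode verifications above. It folds the log into one record per connection, so a defender can see which clients never completed the handshake (half-open, reset by the router after the retransmit or watch timeout) versus which became established; the sample lines are constructed to match the lab's output format.

```python
import re
from datetime import datetime

# Constructed sample modelled on the lab's "debug ip tcp intercept" output, not a
# verbatim capture: 2592 is intercept mode (router sends the SYN-ACKs), 2879 watch mode.
SAMPLE = """\
*Sep 30 22:12:41.251: INTERCEPT: new connection (10.1.1.253:2592 SYN -> 198.51.100.252:80)
*Sep 30 22:12:41.252: INTERCEPT(*): (10.1.1.253:2592 <- ACK+SYN 198.51.100.252:80)
*Sep 30 22:12:42.252: INTERCEPT(*): SYNRCVD retransmit 1 (10.1.1.253:2592 <- ACK+SYN 198.51.100.252:80)
*Sep 30 22:12:44.253: INTERCEPT(*): SYNRCVD retransmit 2 (10.1.1.253:2592 <- ACK+SYN 198.51.100.252:80)
*Sep 30 22:12:48.252: INTERCEPT(*): SYNRCVD retransmit 3 (10.1.1.253:2592 <- ACK+SYN 198.51.100.252:80)
*Sep 30 22:12:56.252: INTERCEPT(*): SYNRCVD retransmit 4 (10.1.1.253:2592 <- ACK+SYN 198.51.100.252:80)
R2#
*Sep 30 22:13:12.251: INTERCEPT: SYNRCVD retransmitting too long (10.1.1.253:2592 <-> 198.51.100.252:80)
*Sep 30 22:13:12.252: INTERCEPT(*): (10.1.1.253:2592 <- RST 198.51.100.252:80)
*Sep 30 22:14:03.915: INTERCEPT: new connection (10.1.1.253:45882 SYN -> 198.51.100.252:80)
*Sep 30 22:14:03.918: INTERCEPT: 1st half of connection is established (10.1.1.253:45882 ACK -> 198.51.100.252:80)
*Sep 30 22:14:03.920: INTERCEPT: 2nd half of connection established  (10.1.1.253:45882 <- ACK+SYN 198.51.100.252:80)
*Sep 30 22:29:40.920: INTERCEPT: new connection (10.1.1.253:2879 SYN -> 198.51.100.252:80)
*Sep 30 22:30:10.920: INTERCEPT: SYNRCVD timing out (10.1.1.253:2879 <-> 198.51.100.252:80)
*Sep 30 22:30:10.921: INTERCEPT(*): (10.1.1.253:2879 RST -> 198.51.100.252:80)
"""

# "(*)" marks a packet the router generated itself; timestamps are "*Mon dd hh:mm:ss.mmm".
LINE_RE = re.compile(r"^\*(?P<ts>[A-Z][a-z]{2}\s+\d+\s+\d\d:\d\d:\d\d\.\d+): "
                     r"INTERCEPT(\(\*\))?: (?P<msg>.+)$")
# Client endpoint, the flag/direction text, server endpoint (client is always first here).
PAIR_RE = re.compile(r"\((?P<client>\S+) (?P<body>.*?) (?P<server>\S+)\)$")

def parse_intercept_debug(text):
    """Fold debug lines into one record per (client, server) connection."""
    conns = {}
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # "R2#" prompts and other non-debug noise
        p = PAIR_RE.search(m.group("msg"))
        if not p:
            continue
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S.%f")
        rec = conns.setdefault((p.group("client"), p.group("server")), {
            "first": ts, "last": ts, "outcome": "syn-seen",
            "synack_retransmits": 0, "rst_to": None})
        rec["last"] = ts
        msg, body = m.group("msg"), p.group("body")
        if msg.startswith("SYNRCVD retransmit "):
            rec["synack_retransmits"] += 1
        elif "2nd half of connection established" in msg:
            rec["outcome"] = "established"  # both halves of the handshake completed
        elif "retransmitting too long" in msg or "SYNRCVD timing out" in msg:
            rec["outcome"] = "half-open"    # client never finished the handshake
        elif "RST" in body:
            # "<- RST": router reset the client; "RST ->": router reset the server.
            rec["rst_to"] = "client" if body.startswith("<-") else "server"
    for rec in conns.values():
        rec["duration_s"] = round((rec["last"] - rec["first"]).total_seconds(), 3)
    return conns

def summarize(conns):
    """Count outcomes and tally half-open connections per client IP."""
    out = {"established": 0, "half_open": 0, "half_open_by_ip": {}}
    for (client, _server), rec in conns.items():
        if rec["outcome"] == "established":
            out["established"] += 1
        elif rec["outcome"] == "half-open":
            out["half_open"] += 1
            ip = client.rsplit(":", 1)[0]
            out["half_open_by_ip"][ip] = out["half_open_by_ip"].get(ip, 0) + 1
    return out
```

On the sample, the intercept-mode half-open connection lasts about 31 s (SYN-ACK retransmits at 1, 2, 4, 8 and 16 s, then RST to the client) and the watch-mode one about 30 s (no retransmits, then RST to the server), matching the debug output above.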

Wireshark Packet Capture Result

R1-R2

R2-SW1

References

tech/network/cisco/security/network-security/acl/tcp-intercept/tcp-intercept.txt · Last modified: 2020/10/25 10:17 by wnoguchi