コード例 #1
0
        public static TCPPacket MakePortClosedPacket(byte[] fromMac, byte[] toMac, byte[] fromIP, byte[] toIP, ushort fromPort, ushort toPort, uint ackNumber)
        {
            EthPacket e = new EthPacket(60);

            e.FromMac = fromMac;
            e.ToMac   = toMac;
            e.Proto   = new byte[2] {
                0x08, 0x00
            };
            IPPacket ip = new IPPacket(e);

            ip.DestIP         = new IPAddress(fromIP);
            ip.SourceIP       = new IPAddress(toIP);
            ip.NextProtocol   = 0x06;
            ip.TotalLength    = 40;
            ip.HeaderChecksum = ip.GenerateIPChecksum;
            TCPPacket tcp = new TCPPacket(ip);

            tcp.SourcePort     = fromPort;
            tcp.DestPort       = toPort;
            tcp.SequenceNumber = (uint)0;
            tcp.AckNumber      = ackNumber;
            tcp.WindowSize     = 8192;
            tcp.ACK            = true;
            tcp.RST            = true;
            tcp.Checksum       = tcp.GenerateChecksum;
            tcp.Outbound       = true;
            return(tcp);
        }
コード例 #2
0
ファイル: PacketFactory.cs プロジェクト: hatRiot/fireBwall
 public static TCPPacket MakeSynPacket(byte[] fromMac, byte[] toMac, byte[] fromIP, byte[] toIP, ushort fromPort, ushort toPort)
 {
     EthPacket e = new EthPacket(60);
     e.FromMac = fromMac;
     e.ToMac = toMac;
     e.Proto = new byte[2] { 0x08, 0x00 };
     IPPacket ip = new IPPacket(e);
     ip.DestIP = new IPAddress(fromIP);
     ip.SourceIP = new IPAddress(toIP);
     ip.NextProtocol = 0x06;
     ip.TotalLength = 40;
     ip.HeaderChecksum = ip.GenerateIPChecksum;
     TCPPacket tcp = new TCPPacket(ip);
     tcp.SourcePort = fromPort;
     tcp.DestPort = toPort;
     tcp.SequenceNumber = (uint)new Random().Next();
     tcp.AckNumber = 0;
     tcp.WindowSize = 8192;
     tcp.SYN = true;
     tcp.Checksum = tcp.GenerateChecksum;
     tcp.Outbound = true;
     return tcp;
 }
コード例 #3
0
ファイル: PacketFactory.cs プロジェクト: hatRiot/fireBwall
 public static TCPPacket MakePortClosedPacket(TCPPacket in_packet)
 {
     return MakePortClosedPacket(in_packet.ToMac, in_packet.FromMac, in_packet.DestIP.GetAddressBytes(), in_packet.SourceIP.GetAddressBytes(), in_packet.DestPort, in_packet.SourcePort, in_packet.SequenceNumber);
 }
コード例 #4
0
 public static TCPPacket MakePortClosedPacket(TCPPacket in_packet)
 {
     return(MakePortClosedPacket(in_packet.ToMac, in_packet.FromMac, in_packet.DestIP.GetAddressBytes(), in_packet.SourceIP.GetAddressBytes(), in_packet.DestPort, in_packet.SourcePort, in_packet.SequenceNumber));
 }
コード例 #5
0
ファイル: fireBwallModule.cs プロジェクト: hatRiot/fireBwall
        // main routine
        public override PacketMainReturn interiorMain(ref Packet in_packet)
        {
            PacketMainReturn pmr;

            // check it the packet is, or contains, IP
            if (in_packet.ContainsLayer(Protocol.IP))
            {
                // create a temp IPPacket obj and
                // check the IP address
                IPPacket temp = (IPPacket)in_packet;
                if (!(isIPAllowed(temp.SourceIP)))
                {
                    pmr = new PacketMainReturn(this);
                    pmr.returnType = PacketMainReturnType.Drop;
                    return pmr;
                }
            }

            // simple sanity check to dump the ipcache if it gets too large.
            // this does not effect the blockcache of banned IPs
            if ((ipcache.Count) > 200)
                ipcache.Clear();

            // TCP incoming packets
            if (in_packet.GetHighestLayer() == Protocol.TCP)
            {
                TCPPacket packet = ((TCPPacket)in_packet);
                packet.PacketTime = DateTime.UtcNow;

                // if it's inbound and the SYN flag is set
                if (!packet.Outbound && packet.SYN && !packet.ACK)
                {
                    // first packet init
                    if (TCPprevious_packet == null)
                        TCPprevious_packet = packet;

                    // if the IP hasn't been logged yet
                    if (!(ipcache.ContainsKey(packet.SourceIP)))
                        ipcache.Add(packet.SourceIP, 1);
                    // if the ipcache contains the ip
                    else if (ipcache.ContainsKey(packet.SourceIP))
                    {
                        // increment the packet count if they're coming in fast
                        if ((packet.PacketTime - TCPprevious_packet.PacketTime).TotalMilliseconds <= data.dos_threshold)
                            ipcache[packet.SourceIP] = (ipcache[packet.SourceIP]) + 1;
                        else ipcache[packet.SourceIP] = 1;

                        // check if this packet = previous, if the packet count is > 50,
                        // and if the time between sent packets is less than the threshhold
                        if (packet.SourceIP.Equals(TCPprevious_packet.SourceIP) &&
                            ((ipcache[packet.SourceIP]) > 50) &&
                            (packet.PacketTime - TCPprevious_packet.PacketTime).TotalMilliseconds <= data.dos_threshold)
                        {
                            pmr = new PacketMainReturn(this);
                            pmr.returnType = PacketMainReturnType.Drop | PacketMainReturnType.Log | PacketMainReturnType.Popup;
                            pmr.logMessage = "DoS attempt detected from IP " + packet.SourceIP + " (likely spoofed). "
                                        + " Packets from this IP will be dropped.  You can unblock this IP from the module interface.";
                            data.BlockCache.Add(new BlockedIP(packet.SourceIP, DateTime.UtcNow, "DoS Attempt"));
                            return pmr;
                        }
                    }
                    TCPprevious_packet = packet;
                }
            }

            // fraggle attack mitigation
            if (in_packet.GetHighestLayer() == Protocol.UDP)
            {
                UDPPacket packet = ((UDPPacket)in_packet);
                packet.PacketTime = DateTime.UtcNow;

                // if it's inbound
                if (!(packet.Outbound))
                {
                    // add IP to cache or increment packet count
                    if (!(ipcache.ContainsKey(packet.SourceIP)))
                        ipcache.Add(packet.SourceIP, 1);
                    else
                        ipcache[packet.SourceIP] = (ipcache[packet.SourceIP]) + 1;

                    // if the packet header is empty, headed towards port (7,13,19,17), and count > 50,
                    // then it's probably a fraggle attack
                    if (packet.isEmpty() && packet.DestPort.Equals(7) || packet.DestPort.Equals(13) ||
                         packet.DestPort.Equals(19) || packet.DestPort.Equals(17) &&
                         (ipcache[packet.SourceIP]) > 50)
                    {
                        pmr = new PacketMainReturn(this);
                        pmr.returnType = PacketMainReturnType.Drop | PacketMainReturnType.Log | PacketMainReturnType.Popup;
                        pmr.logMessage = "Potential fraggle attack from " + packet.SourceIP + " (likely spoofed). "
                            + " Packets from this IP will be dropped.  You can unblock this IP from the module interface.";
                        data.BlockCache.Add(new BlockedIP(packet.SourceIP, DateTime.UtcNow, "Fraggle Attempt"));
                        return pmr;
                    }
                }
            }

            // smurf attack mitigation
            if (in_packet.GetHighestLayer() == Protocol.ICMP)
            {
                ICMPPacket packet = ((ICMPPacket)in_packet);
                packet.PacketTime = DateTime.UtcNow;

                if (!(packet.Outbound))
                {
                    // init the previous packet
                    if (ICMPprevious_packet == null)
                        ICMPprevious_packet = packet;

                    // add IP to cache or increment packet count
                    if (!(ipcache.ContainsKey(packet.SourceIP)))
                        ipcache.Add(packet.SourceIP, 1);
                    // if the packet is >= threshold after the previous and it's the same packet, clear up the cache
                    else if ((packet.PacketTime.Millisecond - ICMPprevious_packet.PacketTime.Millisecond) >= data.dos_threshold &&
                                packet.Equals(ICMPprevious_packet))
                        ipcache[packet.SourceIP] = 1;
                    // if the packet is coming in quickly, add it to the packet count
                    else if ((packet.PacketTime.Millisecond - ICMPprevious_packet.PacketTime.Millisecond) <= data.dos_threshold)
                        ipcache[packet.SourceIP] = (ipcache[packet.SourceIP]) + 1;

                    // if the packet is an echo reply and the IP source
                    // is the same as localhost and the time between packets is <= threshhold and
                    // there are over 50 accumulated packets, it's probably a smurf attack
                    if (packet.Type.ToString().Equals("0") &&
                         packet.Code.ToString().Equals("0") &&
                         packet.SourceIP.Equals(getLocalIP()) &&
                         (packet.PacketTime.Millisecond - ICMPprevious_packet.PacketTime.Millisecond) <= data.dos_threshold &&
                         ipcache[packet.SourceIP] > 50)
                    {
                        pmr = new PacketMainReturn(this);
                        pmr.returnType = PacketMainReturnType.Drop | PacketMainReturnType.Log | PacketMainReturnType.Popup;
                        pmr.logMessage = "Potential Smurf attack from " + packet.SourceIP + " (likely spoofed). "
                            + " Packets from this IP will be dropped.  You can unblock this IP from the module interface.";
                        data.BlockCache.Add(new BlockedIP(packet.SourceIP, DateTime.UtcNow, "Smurf Attempt"));
                        return pmr;
                    }
                    ICMPprevious_packet = packet;
                }
            }

            return null;
        }
コード例 #6
0
ファイル: ScanDetector.cs プロジェクト: hatRiot/fireBwall
        public override PacketMainReturn interiorMain(ref Packet in_packet)
        {
            PacketMainReturn pmr;
            float av = 0;

            if (in_packet.ContainsLayer(Protocol.TCP))
            {
                // if we're in cloaked mode, respond with the SYN ACK
                // More information about this in the GUI code and help string
                if (data.cloaked_mode && ((TCPPacket)in_packet).SYN)
                {
                    TCPPacket from = (TCPPacket)in_packet;

                    EthPacket eth = new EthPacket(60);
                    eth.FromMac = adapter.InterfaceInformation.GetPhysicalAddress().GetAddressBytes();
                    eth.ToMac = from.FromMac;
                    eth.Proto = new byte[2] { 0x08, 0x00 };

                    IPPacket ip = new IPPacket(eth);
                    ip.DestIP = from.SourceIP;
                    ip.SourceIP = from.DestIP;
                    ip.NextProtocol = 0x06;
                    ip.TotalLength = 40;
                    ip.HeaderChecksum = ip.GenerateIPChecksum;

                    TCPPacket tcp = new TCPPacket(ip);
                    tcp.SourcePort = from.DestPort;
                    tcp.DestPort = from.SourcePort;
                    tcp.SequenceNumber = (uint)new Random().Next();
                    tcp.AckNumber = 0;
                    tcp.WindowSize = 8192;
                    tcp.SYN = true;
                    tcp.ACK = true;
                    tcp.Checksum = tcp.GenerateChecksum;
                    tcp.Outbound = true;
                    adapter.SendPacket(tcp);
                }

                try
                {
                    TCPPacket packet = (TCPPacket)in_packet;

                    // if the IP is in the blockcache, then return
                    if (data.BlockCache.ContainsKey(packet.SourceIP))
                    {
                        pmr = new PacketMainReturn(this);
                        pmr.returnType = PacketMainReturnType.Drop;
                        return pmr;
                    }

                    // checking for TTL allows us to rule out the local network
                    // Don't check for TCP flags because we can make an educated guess that if 100+ of our ports are
                    // fingered with a short window, we're being scanned. this will detect syn, ack, null, xmas, etc. scans.
                    if ((!packet.Outbound) && (packet.TTL < 250))
                    {
                        IPObj tmp;
                        if (ip_table.ContainsKey(packet.SourceIP))
                            tmp = (IPObj)ip_table[packet.SourceIP];
                        else
                            tmp = new IPObj(packet.SourceIP);

                        // add the port to the ipobj, set the access time, and update the table
                        tmp.addPort(packet.DestPort);
                        tmp.time(packet.PacketTime);
                        ip_table[packet.SourceIP] = tmp;
                        av = tmp.getAverage();

                        // if they've touched more than 100 ports in less than 30 seconds and the average
                        // packet time was less than 2s, something's wrong
                        if (tmp.getTouchedPorts().Count >= 100 && (!tmp.Reported) &&
                             tmp.getAverage() < 2000 )
                        {
                            pmr = new PacketMainReturn(this);
                            pmr.returnType = PacketMainReturnType.Log | PacketMainReturnType.Allow;
                            pmr.logMessage = string.Format("{0} touched {1} ports with an average of {2}\n", packet.SourceIP,
                                            tmp.getTouchedPorts().Count, tmp.getAverage());

                            // set the reported status of the IP address
                            ip_table[packet.SourceIP].Reported = true;

                            // add the address to the potential list of IPs and to the local SESSION-BASED list
                            if (!data.blockImmediately)
                            {
                                potentials.Add(packet.SourceIP, ip_table[packet.SourceIP]);
                                detect.addPotential(packet.SourceIP);
                            }
                            // else we want to block it immediately
                            else
                                data.BlockCache.Add(packet.SourceIP, ip_table[packet.SourceIP]);

                            return pmr;
                        }
                    }
                }
                catch (Exception e)
                {
                    pmr = new PacketMainReturn(this);
                    pmr.returnType = PacketMainReturnType.Log;
                    pmr.logMessage = String.Format("{0}\n{1}\n", e.Message, e.StackTrace);

                    return pmr;
                }
            }
            // This will detect UDP knockers.  typically UDP scans are slower, but are combined with SYN scans
            // (-sSU in nmap) so we'll be sure to check for these guys too.
            else if (in_packet.ContainsLayer(Protocol.UDP))
            {
                try
                {
                    UDPPacket packet = (UDPPacket)in_packet;

                    // if the source addr is in the block cache, return
                    if (data.BlockCache.ContainsKey(packet.SourceIP))
                    {
                        pmr = new PacketMainReturn(this);
                        pmr.returnType = PacketMainReturnType.Drop;
                        return pmr;
                    }

                    if ((!packet.Outbound) && (packet.TTL < 250) &&
                        (!packet.isDNS()))
                    {
                        IPObj tmp;
                        if (ip_table.ContainsKey(packet.SourceIP))
                            tmp = (IPObj)ip_table[packet.SourceIP];
                        else
                            tmp = new IPObj(packet.SourceIP);

                        tmp.addPort(packet.DestPort);
                        tmp.time(packet.PacketTime);
                        ip_table[packet.SourceIP] = tmp;
                        av = tmp.getAverage();

                        if ((tmp.getTouchedPorts().Count >= 100) && (!tmp.Reported) &&
                                (tmp.getAverage() < 2000))
                        {
                            pmr = new PacketMainReturn(this);
                            pmr.returnType = PacketMainReturnType.Log | PacketMainReturnType.Allow;
                            pmr.logMessage = string.Format("{0} touched {1} ports with an average of {2}\n", packet.SourceIP,
                                        tmp.getTouchedPorts().Count, tmp.getAverage());

                            ip_table[packet.SourceIP].Reported = true;

                            if (!data.blockImmediately)
                            {
                                potentials.Add(packet.SourceIP, ip_table[packet.SourceIP]);
                                detect.addPotential(packet.SourceIP);
                            }
                            else
                                data.BlockCache.Add(packet.SourceIP, ip_table[packet.SourceIP]);
                            return pmr;
                        }
                    }
                }
                catch (Exception e)
                {
                    pmr = new PacketMainReturn(this);
                    pmr.returnType = PacketMainReturnType.Log;
                    pmr.logMessage = String.Format("{0}\n{1}\n", e.Message, e.StackTrace);
                    return pmr;
                }
            }
            return null;
        }