Teardown TCP connection: what does it mean
I have run into a Cisco PIX 515 for the first time and want to set up a DMZ on it.
I manage it through PDM; I do not think I configured anything special, only the bare essentials. When connecting from the internal network to a machine in the DMZ, the log first shows
Nov 17 12:56:07 10.60.33.26 PIX-6-302013RealSource:"10.60.33.26" Nov 17 2003 13:06:49: %PIX-6-302013: Built outbound TCP connection 162 for dmz:10.50.0.42/110 (10.50.0.42/110) to inside:10.60.33.60/4255 (10.60.33.60/4255)
and then
Nov 17 12:56:07 10.60.33.26 PIX-6-302014RealSource:"10.60.33.26" Nov 17 2003 13:06:49: %PIX-6-302014: Teardown TCP connection 162 for dmz:10.50.0.42/110 to inside:10.60.33.60/4255 duration 0:00:01 bytes 100 TCP FINs

Accordingly, the connection drops.

Could you tell me in a few words where to look?

Thanks in advance!

Contents

  • Teardown tcp connection, ВОЛКА, 19:30, 17-Nov-03, (1)
    • Teardown tcp connection, Den, 17:33, 19-Nov-03, (2)
      • Teardown tcp connection, ВОЛКА, 22:41, 19-Nov-03, (3)
        • Teardown tcp connection, Den, 09:05, 20-Nov-03, (4)

Messages in the thread

Show your config.

Here it is:

        PIX Version 6.3(1)
        interface ethernet0 auto
        interface ethernet1 auto
        interface ethernet2 auto
        interface ethernet3 auto shutdown
        nameif ethernet0 outside security0
        nameif ethernet1 inside security100
        nameif ethernet2 dmz security15
        nameif ethernet3 pix/intf3 security15
        enable password uBsOjijurAEZFM7c encrypted
        passwd h4vMmAV6UI3wICj/ encrypted
        hostname host
        domain-name host.ru
        clock timezone MSK/MSD 3
        clock summer-time MSK/MDD recurring last Sun Mar 2:00 last Sun Oct 3:00
        fixup protocol ftp 21
        fixup protocol h323 h225 1720
        fixup protocol h323 ras 1718-1719
        fixup protocol http 80
        fixup protocol ils 389
        fixup protocol rsh 514
        fixup protocol rtsp 554
        fixup protocol sip 5060
        fixup protocol sip udp 5060
        fixup protocol skinny 2000
        fixup protocol smtp 25
        fixup protocol sqlnet 1521
        names
        access-list ICMP permit icmp any any
        access-list inside_access_in permit ip any any log 7 interval 10
        access-list dmz_access_in permit ip any any log 7 interval 10
        pager lines 24
        logging on
        logging timestamp
        logging trap debugging
        logging facility 23
        logging host inside 10.60.33.60
        icmp permit any outside
        icmp permit any inside
        icmp permit any dmz
        mtu outside 1500
        mtu inside 1500
        mtu dmz 1500
        mtu pix/intf3 1500
        ip address outside 10.1.0.2 255.255.255.252
        ip address inside 10.60.33.26 255.255.255.0
        ip address dmz 10.50.0.1 255.255.255.0
        ip address pix/intf3 10.30.30.30 255.255.255.0
        ip audit info action alarm
        ip audit attack action alarm
        no failover
        failover timeout 0:00:00
        failover poll 15
        no failover ip address outside
        no failover ip address inside
        no failover ip address dmz
        no failover ip address pix/intf3
        pdm location 10.60.1.0 255.255.255.0 pix/intf3
        pdm location 10.100.0.108 255.255.255.255 pix/intf3
        pdm location 10.60.33.0 255.255.255.0 inside
        pdm location 10.60.33.60 255.255.255.255 inside
        no pdm history enable
        arp timeout 14400
        static (inside,dmz) 10.50.0.42 10.60.33.60 netmask 255.255.255.255 0 0
        access-group inside_access_in in interface inside
        access-group dmz_access_in in interface dmz
        timeout xlate 3:00:00
        timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
        timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
        timeout uauth 0:05:00 absolute
        aaa-server TACACS+ protocol tacacs+
        aaa-server RADIUS protocol radius
        aaa-server LOCAL protocol local
        aaa authentication secure-http-client
        http server enable
        http 10.60.33.0 255.255.255.0 inside
        no snmp-server location
        no snmp-server contact
        snmp-server community public
        no snmp-server enable traps
        floodguard enable
        sysopt connection tcpmss 0
        telnet 10.60.33.0 255.255.255.0 inside
        telnet timeout 15
        ssh timeout 5
        console timeout 0
        username marat password 45W6njenyVAPlJYd encrypted privilege 15
        terminal width 80
        Cryptochecksum:8813f393d6c053d25270dce391c69931

        nat (inside) 0 access-list NO-NAT
        access-list NO-NAT permit ip any 10.50.0.0 255.255.255.0

        >nat (inside) 0 access-list NO-NAT
        >access-list NO-NAT permit ip any 10.50.0.0 255.255.255.0
Is this instead of the existing rules, or in addition to them?

If I add it, the situation does not change.


        Cisco ASA Audit Event: 302014

        Cisco ASA is a security device that provides the combined capabilities of a firewall, an antivirus, and an intrusion prevention system. It also facilitates virtual private network (VPN) connections. It helps to detect threats and stop attacks before they spread through the network.

Message: %ASA-6-302014: Teardown TCP connection id for interface:real-address/real-port [(idfw_user)] to interface:real-address/real-port [(idfw_user)] duration hh:mm:ss bytes bytes [reason [from teardown-initiator]] [(user)].

Event 302014 is generated when a TCP connection slot between two hosts is deleted. The message carries the following information:

• Connection identifier.
• Actual socket (interface, real address and port of each side).
• Lifetime of the connection.
• Amount of data transferred.
• AAA name of the user.
• Name of the identity firewall user.
• Reason that caused the connection to terminate.
• Interface name of the side that initiated the teardown.

        How could you resolve this situation?

        This event does not require any action.
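As an added example, not part of the event description above or of either forum thread, here is a small Python parser for the 302013 (Built) and 302014 (Teardown) message bodies. The sample input is the two PIX 6.3 lines and the ASA 8.2 line quoted in the threads on this page plus two constructed lines that exercise the optional reason, "from teardown-initiator" and "(user)" fields; REASON_NOTES paraphrases a few reason strings from Cisco's syslog message documentation, and the function and class names are my own.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Message bodies of %PIX/%ASA-6-302013 (Built) and 302014 (Teardown). The syslog prefix
# (timestamp, host, PDM/ASDM decoration) differs per collector, so the patterns are searched
# anywhere in the line. ENDPOINT = interface:address/port; PAREN swallows the optional
# "(mapped-address/port)" and "(user)" groups that may follow an endpoint.
ENDPOINT = r"(?P<{p}_if>[\w/.-]+):\s*(?P<{p}_ip>[\d.]+)/(?P<{p}_port>\d+)"
PAREN = r"(?: \([^)]*\))*"
BUILT_RE = re.compile(
    r"Built (?P<direction>inbound|outbound) TCP connection (?P<id>\d+) for "
    + ENDPOINT.format(p="src") + PAREN + " to " + ENDPOINT.format(p="dst") + PAREN)
TEARDOWN_RE = re.compile(
    r"Teardown TCP connection (?P<id>\d+) for "
    + ENDPOINT.format(p="src") + PAREN + " to " + ENDPOINT.format(p="dst") + PAREN
    + r" duration (?P<h>\d+):(?P<m>\d\d):(?P<s>\d\d) bytes (?P<bytes>\d+)(?P<rest>.*)$")

# A few reason values, paraphrased from Cisco's syslog message guide. The reason says whether
# the endpoints closed the flow (FINs, resets) or the firewall itself timed it out.
REASON_NOTES = {
    "TCP FINs": "normal close, both sides sent FIN",
    "TCP Reset-I": "RST received on the inside (higher-security) interface",
    "TCP Reset-O": "RST received on the outside (lower-security) interface",
    "SYN Timeout": "firewall gave up waiting for the three-way handshake to complete",
    "Conn-timeout": "idle longer than the configured connection timeout",
}

SAMPLE_LINES = [
    # The two PIX 6.3 lines from the first thread (syslog prefix shortened).
    "Nov 17 2003 13:06:49: %PIX-6-302013: Built outbound TCP connection 162 for dmz:10.50.0.42/110 (10.50.0.42/110) to inside:10.60.33.60/4255 (10.60.33.60/4255)",
    "Nov 17 2003 13:06:49: %PIX-6-302014: Teardown TCP connection 162 for dmz:10.50.0.42/110 to inside:10.60.33.60/4255 duration 0:00:01 bytes 100 TCP FINs",
    # The ASA 8.2 line from the second thread, as ASDM displays it (note the space after "inside:").
    "6 Jun 07 2012 16:02:10 302014 31.192.16.162 52765 10.205.10.2 80 Teardown TCP connection 183808 for outside:31.192.16.162/52765 to inside: 10.205.10.2/80 duration 0:01:05 bytes 30142 TCP FINs",
    # Constructed lines in the newer ASA format, with a reason, an initiator and a user.
    "%ASA-6-302014: Teardown TCP connection 7 for outside:198.51.100.9/40001 to inside:10.205.10.2/80 duration 0:00:30 bytes 0 SYN Timeout",
    "%ASA-6-302014: Teardown TCP connection 9 for outside:203.0.113.5/1025 to inside:10.0.0.1/22 duration 0:00:00 bytes 0 TCP Reset-O from outside (alice)",
]

@dataclass
class Conn:
    conn_id: int
    src: Tuple[str, str, int]            # (interface, address, port)
    dst: Tuple[str, str, int]
    built: bool = False
    torn_down: bool = False
    duration_s: Optional[int] = None
    byte_count: Optional[int] = None
    reason: Optional[str] = None
    initiator: Optional[str] = None      # interface that sent the closing segment, when logged

def _endpoint(m, p: str) -> Tuple[str, str, int]:
    return (m.group(f"{p}_if"), m.group(f"{p}_ip"), int(m.group(f"{p}_port")))

def _split_reason(rest: str):
    """Split the tail 'reason [from initiator] [(user)]' into its three optional parts."""
    rest, user, initiator = rest.strip(), None, None
    m = re.search(r"\s*\(([^)]*)\)$", rest)
    if m:
        user, rest = m.group(1), rest[:m.start()].strip()
    m = re.search(r"\s+from\s+(\S+)$", rest)
    if m:
        initiator, rest = m.group(1), rest[:m.start()].strip()
    return rest or None, initiator, user

def parse_line(line: str) -> Optional[dict]:
    """Fields of one 302013/302014 line, or None for any other syslog line."""
    m = TEARDOWN_RE.search(line)
    if m:
        reason, initiator, user = _split_reason(m.group("rest"))
        return {"event": "teardown", "id": int(m.group("id")),
                "src": _endpoint(m, "src"), "dst": _endpoint(m, "dst"),
                "duration_s": int(m.group("h")) * 3600 + int(m.group("m")) * 60 + int(m.group("s")),
                "bytes": int(m.group("bytes")), "reason": reason, "initiator": initiator, "user": user}
    m = BUILT_RE.search(line)
    if m:
        return {"event": "built", "id": int(m.group("id")), "direction": m.group("direction"),
                "src": _endpoint(m, "src"), "dst": _endpoint(m, "dst")}
    return None

def correlate(lines) -> Dict[int, Conn]:
    """Pair Built and Teardown events by connection id. Ids are reused over time on a real
    firewall, so on a long log you would key on (id, endpoints) and reset on each Built."""
    conns: Dict[int, Conn] = {}
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        c = conns.setdefault(ev["id"], Conn(ev["id"], ev["src"], ev["dst"]))
        if ev["event"] == "built":
            c.built = True
        else:
            c.torn_down, c.duration_s, c.byte_count = True, ev["duration_s"], ev["bytes"]
            c.reason, c.initiator = ev["reason"], ev["initiator"]
    return conns

def teardowns_by_reason(conns: Dict[int, Conn]) -> Counter:
    """Histogram of teardown reasons: a spike of SYN Timeout toward one host is a useful signal."""
    return Counter(c.reason for c in conns.values() if c.torn_down)
```

Run `correlate(SAMPLE_LINES)` and the PIX connection 162 comes back as built and torn down after 1 second with 100 bytes and reason "TCP FINs": the endpoints closed it with a normal FIN exchange rather than the firewall dropping it, which is the first thing to establish before looking at access lists or NAT. The histogram is where a defender starts when, as in the second thread, the question is which kind of flood is reaching the server.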

        Cisco ASA Auditing Tool

        EventLog Analyzer is a comprehensive log management software with which you can centrally collect, analyze, and manage logs from all the different log sources in your network. You also get reports and alerts on your network security, making it a power-packed IT security tool.



Good day! I have an ASA 5510 with a web server behind it. On the ASA 5510,
Connection Limits and Timeouts are configured as follows: Max connection: 1024
Max embryonic connection: 3072 Per-client-max: 3
Per-client-max-embryonic: 9 The timeout is lowered to the minimum. A DDoS still gets through and the CPU load jumps sharply.
How can I drop the excess connections on the ASA so that they do not reach the server?

Contents

Messages in the thread

> Good day!
> I have an ASA 5510 with a web server behind it. On the ASA 5510,
> Connection Limits and Timeouts are configured as follows:
> Max connection: 1024
> Max embryonic connection: 3072
> Per-client-max: 3
> Per-client-max-embryonic: 9
> The timeout is lowered to the minimum.
> A DDoS still gets through and the CPU load jumps sharply.
> How can I drop the excess connections on the ASA so that they do not reach the server?

This setup will not protect against every DoS. And what is the point of Per-client-max-embryonic: 9? Why is that value larger than Per-client-max: 3?
The server can be taken down with HTTP requests or by using vulnerabilities in the web server software.

>[overquoting removed]
>> Max connection: 1024
>> Max embryonic connection: 3072
>> Per-client-max: 3
>> Per-client-max-embryonic: 9
>> The timeout is lowered to the minimum.
>> A DDoS still gets through and the CPU load jumps sharply.
>> How can I drop the excess connections on the ASA so that they do not reach the server?
> This setup will not protect against every DoS. And what is the point of Per-client-max-embryonic:
> 9? Why is that value larger than Per-client-max: 3?
> The server can be taken down with HTTP requests or by using vulnerabilities in the web server software.

Quite right; first you need to determine what kind of DDoS it is. If, say, it is HTTP GET requests, then TCP connection limits will not help you much; a comprehensive approach is needed here, including the use of an IPS.

>[overquoting removed]
>>> Per-client-max-embryonic: 9
>>> The timeout is lowered to the minimum.
>>> A DDoS still gets through and the CPU load jumps sharply.
>>> How can I drop the excess connections on the ASA so that they do not reach the server?
>> This setup will not protect against every DoS. And what is the point of Per-client-max-embryonic:
>> 9? Why is that value larger than Per-client-max: 3?
>> The server can be taken down with HTTP requests or by using vulnerabilities in the web server software.
> Quite right; first you need to determine what kind of DDoS it is. If, say, it is HTTP GET
> requests, then TCP connection limits will not help you much; a comprehensive
> approach is needed here, including the use of an IPS.

Here is what the ASA shows:

6 Jun 07 2012 16:02:10 302014 31.192.16.162 52765 10.205.10.2 80 Teardown TCP connection 183808 for outside:31.192.16.162/52765 to inside: 10.205.10.2/80 duration 0:01:05 bytes 30142 TCP FINs

This is iptables:

Jun 7 16:02:19 web kernel: ip_conntrack: table full, dropping packet.
Jun 7 16:02:27 web kernel: printk: 219 messages suppressed.

In the Nginx logs I found a lot of HTTP GET requests.
But there is a problem: there are no additional modules.

ASA version 8.2(1)
License: Security Plus

>[overquoting removed]
> 6 Jun 07 2012 16:02:10 302014 31.192.16.162 52765 10.205.10.2 80 Teardown TCP
> connection 183808 for outside:31.192.16.162/52765 to inside: 10.205.10.2/80 duration
> 0:01:05 bytes 30142 TCP FINs
> This is iptables:
> Jun 7 16:02:19 web kernel: ip_conntrack: table full, dropping packet.
> Jun 7 16:02:27 web kernel: printk: 219 messages suppressed.
> In the Nginx logs I found a lot of HTTP GET requests.
> But there is a problem: there are no additional modules.
> ASA version 8.2(1)
> License: Security Plus

On my own (from what I found) I configured the following:

        threat-detection rate dos-drop rate-interval 600 average-rate 2 burst-rate 2
        threat-detection rate dos-drop rate-interval 3600 average-rate 2 burst-rate 2
        threat-detection rate bad-packet-drop rate-interval 600 average-rate 2 burst-rate 2
        threat-detection rate bad-packet-drop rate-interval 3600 average-rate 2 burst-rate 2
        threat-detection rate conn-limit-drop rate-interval 600 average-rate 3 burst-rate 3
        threat-detection rate conn-limit-drop rate-interval 3600 average-rate 3 burst-rate 3
        threat-detection rate scanning-threat rate-interval 600 average-rate 2 burst-rate 2
        threat-detection rate scanning-threat rate-interval 3600 average-rate 2 burst-rate 2
        threat-detection rate syn-attack rate-interval 600 average-rate 2 burst-rate 2
        threat-detection rate syn-attack rate-interval 3600 average-rate 2 burst-rate 2
        threat-detection rate inspect-drop rate-interval 600 average-rate 2 burst-rate 2
        threat-detection rate inspect-drop rate-interval 3600 average-rate 2 burst-rate 2
        threat-detection basic-threat
        threat-detection scanning-threat shun duration 600
        threat-detection statistics
        threat-detection statistics host number-of-rate 2
        threat-detection statistics tcp-intercept rate-interval 15 burst-rate 30 average-rate 30

        class-map HTTP
        match port tcp eq www
        class-map TCPNORM
        match any
        class-map CONNS
        match any
        class-map inspection_default
        match default-inspection-traffic
        class-map HTTP_1
        match port tcp eq www
        policy-map type inspect http HTTP_1
        parameters
        protocol-violation action drop-connection log
        match request header content-length length gt 256
        drop-connection log
        policy-map CONNS
        class CONNS
        set connection conn-max 1024 embryonic-conn-max 128 per-client-max 254 per-client-embryonic-max 3
        set connection timeout embryonic 0:00:05 half-closed 0:05:00 tcp 0:30:00 reset dcd 0:00:05 3
        class TCPNORM
        set connection advanced-options TCPNORM
        class HTTP_1
        inspect http HTTP_1
        service-policy CONNS interface outside

Could you point out what else can be configured, or where to dig?
Regards!

        Basic understanding of ARP, DHCP, TCP connection and Teardown through Wireshark

Here we are going to learn the basics of Address Resolution Protocol (ARP), Dynamic Host Configuration Protocol (DHCP), Transmission Control Protocol (TCP) connection establishment and TCP teardown. The Wireshark protocol analyzer will be used to show the packet exchanges for these protocols.

Load Capture in Wireshark:

Wireshark is a free, open-source networking tool. It can be downloaded for any operating system. After it is installed, here is the first screen of Wireshark.

To load a capture, go to Edit->Open and select the required capture to be displayed in Wireshark.

Once a capture is loaded it will look like this.

Now let's look at some protocols and see their packets in Wireshark.

ARP:

ARP is used to obtain the MAC address of another device when you know that device's IP address. The diagram below explains it in a simple way.

Suppose device A knows the IP address of device B but does not know the MAC address of device B. What should device A do? Here are the steps.

ARP Request (from A, broadcast): Who has 192.168.1.2? Tell me (A).

So there will be two packets exchanged if some device has the IP requested in the ARP request.

Here is the screenshot in Wireshark after using the filter "arp".

Packet number 1 is the ARP Request and packet number 2 is the ARP Reply. If we take the information from the capture and put it in the diagram, it looks like this.

ARP Request:

The ARP Request is the first packet; it is sent by the device that is looking for the MAC address.

Here is the screenshot of the ARP request packet with its fields.

ARP Reply:

The ARP Reply is sent by the device that holds the requested IP address, in answer to the ARP request.

Here is the screenshot of the ARP reply packet with its fields.

The main security concern related to ARP is ARP spoofing.

The protocol standard for ARP is https://tools.ietf.org/html/rfc6747
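As an added example, not from the article, here is a Python encoder/decoder for the ARP frame whose fields the screenshots above show (hardware and protocol type, address lengths, opcode, sender and target MAC/IP). It builds the request/reply pair from the diagram with constructed addresses (192.168.1.1 asking for 192.168.1.2; the MACs are made up) and adds a defender-side check, find_binding_changes, that reports an IP whose advertised MAC changes between replies, which is the symptom the ARP spoofing concern mentioned above produces on the wire. All function names are my own.

```python
import struct
from typing import List, Optional, Tuple

ETH_P_ARP = 0x0806
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"
ZERO_MAC = "00:00:00:00:00:00"
ARP_REQUEST, ARP_REPLY = 1, 2
# ARP body for IPv4 over Ethernet (28 bytes): htype, ptype, hlen, plen, oper, sha, spa, tha, tpa
ARP_FMT = "!HHBBH6s4s6s4s"

def mac_bytes(mac: str) -> bytes:
    return bytes(int(x, 16) for x in mac.split(":"))

def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)

def ip_bytes(ip: str) -> bytes:
    return bytes(int(x) for x in ip.split("."))

def ip_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)

def build_arp_frame(oper: int, sha: str, spa: str, tha: str, tpa: str, eth_dst: str) -> bytes:
    """Ethernet II header (dst, src, type 0x0806) followed by the 28-byte ARP body."""
    eth = mac_bytes(eth_dst) + mac_bytes(sha) + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack(ARP_FMT, 1, 0x0800, 6, 4, oper,
                      mac_bytes(sha), ip_bytes(spa), mac_bytes(tha), ip_bytes(tpa))
    return eth + arp

def arp_request(sha: str, spa: str, tpa: str) -> bytes:
    """'Who has tpa? Tell spa.' The target MAC is unknown, so it is zero and the frame is broadcast."""
    return build_arp_frame(ARP_REQUEST, sha, spa, ZERO_MAC, tpa, eth_dst=BROADCAST_MAC)

def arp_reply(sha: str, spa: str, tha: str, tpa: str) -> bytes:
    """'spa is at sha.' Sent unicast back to the requester (tha/tpa)."""
    return build_arp_frame(ARP_REPLY, sha, spa, tha, tpa, eth_dst=tha)

def parse_arp_frame(frame: bytes) -> Optional[dict]:
    """Decode an Ethernet+ARP frame; None if it is not IPv4-over-Ethernet ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = struct.unpack(ARP_FMT, frame[14:42])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"eth_dst": mac_str(frame[:6]), "eth_src": mac_str(frame[6:12]), "oper": oper,
            "sha": mac_str(sha), "spa": ip_str(spa), "tha": mac_str(tha), "tpa": ip_str(tpa)}

def describe(pkt: dict) -> str:
    """Render a parsed packet the way Wireshark's Info column does."""
    if pkt["oper"] == ARP_REQUEST:
        return f"Who has {pkt['tpa']}? Tell {pkt['spa']}"
    return f"{pkt['spa']} is at {pkt['sha']}"

def find_binding_changes(frames) -> List[Tuple[str, str, str]]:
    """Defender's check: remember the sender IP -> MAC claimed by each ARP reply and report
    any IP whose MAC changes; returns (ip, old_mac, new_mac) tuples in the order seen."""
    seen = {}
    changes = []
    for frame in frames:
        pkt = parse_arp_frame(frame)
        if pkt is None or pkt["oper"] != ARP_REPLY:
            continue
        old = seen.get(pkt["spa"])
        if old is not None and old != pkt["sha"]:
            changes.append((pkt["spa"], old, pkt["sha"]))
        seen[pkt["spa"]] = pkt["sha"]
    return changes
```

A request built with arp_request is 42 bytes: 14 bytes of Ethernet header addressed to ff:ff:ff:ff:ff:ff plus the 28-byte body, with the target hardware address zeroed, exactly the layout the request screenshot shows. A legitimate network shows no binding changes over a capture; a DHCP-assigned host that moved to a new NIC is the usual benign cause of one.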

DHCP:

In a single sentence, DHCP is the process of getting an IP address from a server. There are mainly 4 packet exchanges in DHCP.

1. DHCP Discover

2. DHCP Offer

3. DHCP Request

4. DHCP ACK

Let's see these 4 packets in a simple diagram.


DHCP Discover [Broadcast]

DHCP Offer [Broadcast]

DHCP Request [Broadcast]

DHCP ACK [Broadcast]

Note: these are mainly broadcast, but these packets can be sent as unicast in some scenarios.

Let's see these packets in Wireshark. We can use the filter "bootp" to get the DHCP packets.

1. DHCP Discover:

Here is the screenshot explaining the important fields of the DHCP Discover packet.

From the above packet we can understand that DHCP Discover is a broadcast packet asking for an IP address for the client.

2. DHCP Offer:
Here is the screenshot explaining the important fields of the DHCP Offer packet.

As we can see, the DHCP Offer packet carries the offered IP address, subnet mask, lease time and server information such as the server IP, server domain name etc. Remember that the client may receive multiple DHCP Offer packets from multiple servers, but it is the client's choice which single server to send the DHCP Request to.

3. DHCP Request:

Here is the screenshot explaining the important fields of the DHCP Request packet.

The client chooses a server and sends a DHCP Request naming that DHCP server's IP address. The client also asks the server for a list of parameters.

4. DHCP ACK:

Here is the screenshot explaining the important fields of the DHCP ACK packet.

The DHCP ACK packet is basically the acknowledgement from the server, carrying almost the same information as the DHCP Offer.

Now the question is what happens after 1 day. The client performs a DHCP renewal. For DHCP renewal there are 2 frame exchanges:

1. DHCP Request: the DHCP Request fields are the same as in point 3 above, but here the Client IP address field is filled with the client's current IP [Example: 192.168.1.101], which we can also call the requested IP.

2. DHCP ACK: the DHCP ACK is the same as in point 4 above.

The difference is that here the DHCP Request is a unicast packet, because the client knows its server. The DHCP ACK is broadcast as usual.

See screenshot.

The protocol standard for DHCP is https://tools.ietf.org/html/rfc2131
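The four-message lease and the two-message renewal described above, as an added Python example that is not part of the article: it packs and parses the fixed BOOTP header plus the option list (message type 53, requested address 50, lease time 51, server identifier 54, parameter request list 55), builds both exchanges with constructed values (client MAC, transaction id, 192.168.1.101 as the leased address, a one-day lease) and shows the renewal difference the article points out: ciaddr filled in and the broadcast flag clear. Function names are my own.

```python
import struct
from typing import Dict, Optional, Sequence, Tuple

# Fixed BOOTP/DHCP header, 236 bytes: op, htype, hlen, hops, xid, secs, flags,
# ciaddr, yiaddr, siaddr, giaddr, chaddr(16), sname(64), file(128). It is followed
# by the magic cookie and a TLV option list terminated by option 255.
DHCP_FIXED = "!BBBBIHH4s4s4s4s16s64s128s"
MAGIC_COOKIE = b"\x63\x82\x53\x63"
BOOTREQUEST, BOOTREPLY = 1, 2
BROADCAST_FLAG = 0x8000
OPT_SUBNET, OPT_ROUTER, OPT_DNS = 1, 3, 6
OPT_REQUESTED_IP, OPT_LEASE, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_PARAM_LIST, OPT_END = 50, 51, 53, 54, 55, 255
DISCOVER, OFFER, REQUEST, ACK = 1, 2, 3, 5
MSG_NAMES = {DISCOVER: "DISCOVER", OFFER: "OFFER", REQUEST: "REQUEST", ACK: "ACK"}

def ip_bytes(ip: str) -> bytes:
    return bytes(int(x) for x in ip.split("."))

def ip_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)

def build_dhcp(msg_type: int, xid: int, mac: str, ciaddr: str = "0.0.0.0", yiaddr: str = "0.0.0.0",
               broadcast: bool = True, options: Sequence[Tuple[int, bytes]] = ()) -> bytes:
    """Assemble one DHCP message; `options` holds (code, raw value) pairs added after the message type."""
    op = BOOTREPLY if msg_type in (OFFER, ACK) else BOOTREQUEST
    chaddr = bytes(int(x, 16) for x in mac.split(":")).ljust(16, b"\x00")
    fixed = struct.pack(DHCP_FIXED, op, 1, 6, 0, xid, 0, BROADCAST_FLAG if broadcast else 0,
                        ip_bytes(ciaddr), ip_bytes(yiaddr), b"\x00" * 4, b"\x00" * 4,
                        chaddr, b"\x00" * 64, b"\x00" * 128)
    opts = bytes([OPT_MSG_TYPE, 1, msg_type])
    for code, value in options:
        opts += bytes([code, len(value)]) + value
    return fixed + MAGIC_COOKIE + opts + bytes([OPT_END])

def parse_dhcp(pkt: bytes) -> Optional[dict]:
    """Decode the fields the article's screenshots highlight; None if the cookie is missing."""
    if len(pkt) < 240 or pkt[236:240] != MAGIC_COOKIE:
        return None
    op, htype, hlen, hops, xid, secs, flags, ciaddr, yiaddr, siaddr, giaddr, chaddr, _, _ = \
        struct.unpack(DHCP_FIXED, pkt[:236])
    options: Dict[int, bytes] = {}
    i = 240
    while i < len(pkt) and pkt[i] != OPT_END:
        if pkt[i] == 0:                    # pad option has no length byte
            i += 1
            continue
        code, length = pkt[i], pkt[i + 1]
        options[code] = pkt[i + 2:i + 2 + length]
        i += 2 + length
    mtype = options.get(OPT_MSG_TYPE, b"\x00")[0]
    return {"op": op, "xid": xid, "broadcast": bool(flags & BROADCAST_FLAG),
            "ciaddr": ip_str(ciaddr), "yiaddr": ip_str(yiaddr),
            "chaddr": ":".join(f"{b:02x}" for b in chaddr[:hlen]),
            "type": MSG_NAMES.get(mtype, str(mtype)), "options": options}

def lease_exchange(mac: str, xid: int, offered_ip: str, server_ip: str, lease_seconds: int):
    """The four messages of an initial lease, all with the broadcast flag set, as in the diagram."""
    server_id = (OPT_SERVER_ID, ip_bytes(server_ip))
    lease = (OPT_LEASE, struct.pack("!I", lease_seconds))
    mask = (OPT_SUBNET, ip_bytes("255.255.255.0"))
    wanted = (OPT_PARAM_LIST, bytes([OPT_SUBNET, OPT_ROUTER, OPT_DNS]))   # the client's parameter list
    return [
        build_dhcp(DISCOVER, xid, mac, options=[wanted]),
        build_dhcp(OFFER, xid, mac, yiaddr=offered_ip, options=[mask, lease, server_id]),
        build_dhcp(REQUEST, xid, mac, options=[(OPT_REQUESTED_IP, ip_bytes(offered_ip)), server_id, wanted]),
        build_dhcp(ACK, xid, mac, yiaddr=offered_ip, options=[mask, lease, server_id]),
    ]

def renewal_request(mac: str, xid: int, current_ip: str) -> bytes:
    """Renewal REQUEST: ciaddr carries the client's current address and the message goes unicast
    to the known server, so the broadcast flag is clear and no Requested-IP option is needed."""
    return build_dhcp(REQUEST, xid, mac, ciaddr=current_ip, broadcast=False)

def is_renewal(pkt: dict) -> bool:
    return pkt["type"] == "REQUEST" and pkt["ciaddr"] != "0.0.0.0"
```

Parsing the four messages back gives DISCOVER, OFFER, REQUEST, ACK with op 1 for the two client messages and op 2 for the two server replies; the OFFER and ACK carry the same yiaddr, mask, lease and server identifier, which is the "almost the same information" observation above in concrete form.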

TCP:

Transmission Control Protocol is the major protocol of the Transport layer. Client and server have to exchange 3 packets to establish a TCP connection; this is called the TCP 3-way handshake.

TCP Connection:

Packet1: SYN is sent from Client.

Packet2: SYN+ACK is sent from Server.

Packet3: ACK is sent from Client.

Let's see all three packets in Wireshark. We can use the filter "tcp" to list all TCP packets; the first 3 packets should be the 3-way handshake packets. Have a look at the screenshot below.

SYN:

Here is the screenshot of the SYN packet sent by the client to the server.

Basically, the SYN packet is sent to share the client's capabilities with the server.

SYN+ACK:

Now the server shares its capabilities with the client through the SYN+ACK packet. So this packet is the acknowledgement of the SYN packet and also shares the server's capabilities.

Here is the screenshot.

If we compare the SYN and SYN+ACK packets we can see the differences between the client's and the server's capabilities. This information is used when client and server exchange TCP data packets.

ACK:

Here is the screenshot of the ACK packet.

This packet is just the acknowledgement from the client.

Now the TCP connection is established.

TCP Teardown:

To close an existing TCP connection, some packet exchanges occur between client and server. If the client wants to terminate the connection, it sends a FIN packet and the server replies with an ACK. If the server then also wants to terminate the connection from its end, it sends a FIN and gets an ACK packet in reply. So, in total 4 packets are exchanged for a complete TCP connection close between client and server.

Packet1: FIN is sent from Client.

Packet2: ACK is sent from Server.

Packet3: FIN is sent from Server.

Packet4: ACK is sent from Client.

Note: the FIN packet is sent as FIN+ACK to indicate that this FIN packet is also the ACK of a previous packet. Do not get confused.

There is no important information inside the FIN and ACK packets, as they only indicate TCP connection termination.

Here is the screenshot of the FIN packet.

In reply to the FIN, only an ACK packet is sent as acknowledgement. Here is the screenshot of the ACK packet.

The protocol standard for TCP is https://tools.ietf.org/html/rfc793

Some security threats related to TCP are TCP half-open scans, TCP full (connect) scans, TCP Null scans, etc.
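To tie the 3-way handshake and the 4-packet teardown together, here is an added Python example (my own, not the article's) that replays a list of (source, destination, flags) segments through a simplified connection state machine: SYN, SYN+ACK, ACK reach ESTABLISHED; the first FIN moves to HALF_CLOSED, the second FIN to LAST_ACK, and the final ACK to CLOSED with reason "TCP FINs", the same reason the PIX/ASA teardown messages earlier on this page report; an RST closes immediately. half_open lists connections whose handshake never completed, which is what the half-open scans and SYN floods mentioned above leave behind in a firewall's connection table. The segments are constructed; the endpoint addresses reuse the ones from the PIX thread, and the flag letters (S, A, F, R) are the convention used in the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# A segment is (source "ip:port", destination "ip:port", flag letters such as "S", "SA", "A", "FA", "R").
Segment = Tuple[str, str, str]

@dataclass
class TcpConn:
    client: str                       # the side that sent the SYN
    server: str
    state: str = "SYN_SENT"
    fin_from: List[str] = field(default_factory=list)   # endpoints that have sent FIN, in order
    close_reason: Optional[str] = None

def _kind(flags: str) -> str:
    """Classify a segment by its flags. FIN+ACK counts as a FIN, as the article's note says."""
    if "R" in flags:
        return "RST"
    if "S" in flags:
        return "SYN-ACK" if "A" in flags else "SYN"
    if "F" in flags:
        return "FIN"
    return "ACK"

def track(segments) -> Dict[Tuple[str, str], TcpConn]:
    """Replay segments through a simplified TCP state machine, one entry per (client, server)."""
    conns: Dict[Tuple[str, str], TcpConn] = {}
    for src, dst, flags in segments:
        kind = _kind(flags)
        key = (src, dst) if (src, dst) in conns else (dst, src)
        if key not in conns:
            if kind == "SYN":                           # packet 1 of the handshake opens a connection
                conns[(src, dst)] = TcpConn(src, dst)
            continue                                    # other traffic without a known connection is ignored
        c = conns[key]
        if kind == "RST":
            c.state, c.close_reason = "CLOSED", "TCP Reset from " + src
        elif c.state == "SYN_SENT" and kind == "SYN-ACK" and src == c.server:
            c.state = "SYN_RECEIVED"                    # packet 2
        elif c.state == "SYN_RECEIVED" and kind == "ACK" and src == c.client:
            c.state = "ESTABLISHED"                     # packet 3
        elif c.state == "ESTABLISHED" and kind == "FIN":
            c.fin_from.append(src)
            c.state = "HALF_CLOSED"                     # teardown packet 1: one direction closed
        elif c.state == "HALF_CLOSED" and kind == "FIN" and src not in c.fin_from:
            c.fin_from.append(src)
            c.state = "LAST_ACK"                        # teardown packet 3: the other side's FIN
        elif c.state == "LAST_ACK" and kind == "ACK" and src == c.fin_from[0]:
            c.state, c.close_reason = "CLOSED", "TCP FINs"   # teardown packet 4
    return conns

def half_open(conns: Dict[Tuple[str, str], TcpConn]) -> List[Tuple[str, str]]:
    """Connections whose handshake never completed."""
    return [k for k, c in conns.items() if c.state in ("SYN_SENT", "SYN_RECEIVED")]

def summary(conns: Dict[Tuple[str, str], TcpConn]) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for c in conns.values():
        counts[c.state] = counts.get(c.state, 0) + 1
    return counts

# Constructed sample traffic; the endpoints are the pair from the PIX thread above.
CLIENT, SERVER = "10.60.33.60:4255", "10.50.0.42:110"
HANDSHAKE = [(CLIENT, SERVER, "S"), (SERVER, CLIENT, "SA"), (CLIENT, SERVER, "A")]
TEARDOWN = [(CLIENT, SERVER, "FA"), (SERVER, CLIENT, "A"), (SERVER, CLIENT, "FA"), (CLIENT, SERVER, "A")]
HALF_OPEN = [("198.51.100.7:40001", SERVER, "S"), (SERVER, "198.51.100.7:40001", "SA")]
```

Replaying HANDSHAKE + TEARDOWN ends in CLOSED with fin_from equal to [CLIENT, SERVER], i.e. the client initiated the close, which is the detail a firewall exposes as the "from" part of its teardown message. Replaying HALF_OPEN leaves the connection in SYN_RECEIVED: the server answered, the third packet never came, and a stateful device keeps that slot until its embryonic-connection timeout, which is exactly the resource the per-client embryonic limits in the ASA thread above are meant to cap.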

Conclusions:

From the above article we got a basic idea of the ARP, DHCP and TCP protocols and their important fields in Wireshark. For a deep dive, go through the RFC links shared above.

If you have any doubts or queries, please let me know in the comment section or send mail to feedback@wifisharks.com.
