moloch54 / Ddos-TCP-Middlebox-Reflection-Attack

Ddos technique with great amplification factor from using MiddleBox

Why only SYN and ACK+PSH packets? #1

Open happyeverydaylove opened 1 month ago

happyeverydaylove commented 1 month ago

Hello, I would like to ask, I am testing with two direct computers (static IPs on the same subnet). I modified the dst_ip in mra.py to the IP of nginx installed on Kali, and sent it according to the commands in the Readme. Eventually, there was an 11.pcap file. When I opened it with Wireshark, I found only SYN and ACK+PSH from src to dst, nothing else. So how do I know if it reflected?

moloch54 commented 1 month ago

You need a middle box router/filter from a not so libertarian country 😁


moloch54 commented 1 month ago

To understand, you need to read the white paper.


happyeverydaylove commented 1 month ago

I'd like to conduct some tests on the internal network to see how they are performed. Could you recommend any middleware or environments for me?

happyeverydaylove commented 1 month ago

After running the script, a file named 11.pcap will be generated in the folder. When opened with Wireshark, it contains only SYN and ACK+PSH packets from the target to the server. Where can I find the returned RST packets? If I try capturing packets directly with Wireshark, there's nothing there.

moloch54 commented 1 month ago

The RST packet is made by the middlebox. There is no environment for testing; you have to find a VPS/server in a country with middleboxes.


happyeverydaylove commented 1 month ago

I wonder if the TCP reflection amplification can only be tested on the public network, or is it possible to test it on a private network that I have set up myself?

happyeverydaylove commented 1 month ago

Is it possible to set up your own server, like with Apache, Nginx, or Tomcat?

moloch54 commented 1 month ago

You need to emulate a middlebox in your environment. I don't know if such a thing exists.


happyeverydaylove commented 1 month ago

Accessing a webpage on the public internet (the "forbidden web" in your code) using a public IP address is generally not an issue; however, the server prohibits access to the target server. This becomes problematic within an internal network setting.

moloch54 commented 1 month ago

This is how it works! The middlebox sends a reset to the sender, and sometimes a ton of data in a webpage ("this page is forbidden" and so on....), so you can use it to DDOS a server by spoofing the source IP.


happyeverydaylove commented 1 month ago

I understand how it works, but I'm a bit confused. When online, the script you wrote can send packets to the server, which eventually reach the target IP. However, when offline with a static IP set, the target server cannot receive them. No data is received when sniffing packets on a server built on my own computer. It feels like the sent requests are not getting to the network card of this computer.

moloch54 commented 1 month ago

The packets are sent to the "forbidden sites" only.


moloch54 commented 1 month ago

The packets are sent to the "forbidden sites" only, that's how it works.

I've modified the repo.


happyeverydaylove commented 1 month ago

I re-ran the script you compiled, conducting tests on one computer with three virtual machines (NAT). Machine 147 is the pivot (server), and machine 149 is the target, as shown in Figure 1. I would like to ask why the pivot sends a SYN-ACK to the target, and then the target responds with an RST to the pivot?

[image: 1.png (Figure 1)]

moloch54 commented 1 month ago

Be more specific, give me your local IPs of:


happyeverydaylove commented 1 month ago

In NAT mode:

  • Attacker machine IP: 192.168.100.1
  • Server IP: 192.168.100.10
  • Target machine IP: 192.168.100.110

In the code, fill in "forbidden" as 192.168.100.10, and run it as python mra.py 100 192.168.100.110

moloch54 commented 1 month ago

Give me the IP:

Don't care about your machine, the script crafts packets with the forbidden sites and the target to DDOS.


happyeverydaylove commented 1 month ago

  • the server to DDOS (target machine): 192.168.100.10
  • the forbidden site: 192.168.100.110
  • the middlebox: tomcat7

moloch54 commented 1 month ago

The IP of the middlebox?

happyeverydaylove commented 1 month ago

Isn't the middlebox IP the same as the server's IP?

moloch54 commented 1 month ago

no!

The middlebox is an "evil" router/firewall that controls the packets and prevents them from going outside a country. You need to emulate the middlebox, and send a "blocked website blabla" to the source IP (the target to DDOS, because the packet spoofs the IP).


happyeverydaylove commented 1 month ago

I'm starting to get what you mean; so currently, only a simple server has been set up without the intermediary box? Are there any tutorials available for me to simulate the intermediary box?

happyeverydaylove commented 1 month ago

So, for example, if I turn on the firewall in a Windows 10 system, would that be considered an intermediary box?

moloch54 commented 1 month ago

The middlebox is a ROUTER/FIREWALL that can block some packets. When the destination of the packet is forbidden, this ROUTER/FIREWALL sends to the source IP a web page saying "blablabla forbidden". This page can be huge and this data can be used to DDOS someone. So by crafting a spoofed packet, SRC = IP to DDOS, DEST = forbidden site, the ROUTER/FIREWALL will send a shitton of data to the source IP.

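Seen from the defender's side, the pattern moloch54 describes (a SYN and PSH/ACK spoofed with the victim's address toward a blocked destination, answered by the middlebox) shows up on the victim as unsolicited inbound SYN-ACKs, RSTs and HTTP block pages for connections the host never opened. The Python below is an added example, not code from the mra.py repository; the packet records, addresses and block page are constructed sample data, and the `Pkt` record is a stand-in for whatever a pcap parser would yield:

```python
# Added example (not from the mra.py repository): spot a TCP middlebox
# reflection flood from the victim host's side.  All addresses/payloads are
# constructed sample data in RFC 5737 documentation ranges.
from collections import defaultdict
from dataclasses import dataclass

BLOCK_PAGE_MARKERS = (b"403 forbidden", b"access denied", b"blocked")

@dataclass(frozen=True)
class Pkt:
    src: str
    dst: str
    sport: int
    dport: int
    flags: str          # TCP flags as letters (scapy style): S, A, P, R, F
    payload: bytes = b""

def classify_inbound(pkts, local_ip):
    """Per-remote-host stats for inbound segments of connections this host never
    opened: SYN-ACK backscatter from the 'forbidden' server, RSTs and injected
    block pages from the middlebox, all triggered by SYNs spoofed with our IP."""
    opened = set()      # (remote_ip, remote_port, local_port) we sent a SYN to
    stats = defaultdict(lambda: {"segments": 0, "bytes": 0, "synack": 0,
                                 "rst": 0, "block_page": False})
    for p in pkts:
        if p.src == local_ip:
            if "S" in p.flags and "A" not in p.flags:
                opened.add((p.dst, p.dport, p.sport))
            continue
        if p.dst != local_ip or (p.src, p.sport, p.dport) in opened:
            continue    # not for us, or part of a connection we initiated
        s = stats[p.src]
        s["segments"] += 1
        s["bytes"] += len(p.payload)
        if "S" in p.flags and "A" in p.flags:
            s["synack"] += 1        # the real server answering a spoofed SYN
        if "R" in p.flags:
            s["rst"] += 1           # reset injected to tear the flow down
        low = p.payload.lower()
        if low.startswith(b"http/1.") and any(m in low for m in BLOCK_PAGE_MARKERS):
            s["block_page"] = True  # injected censorship page: the amplified bytes
    return dict(stats)

def reflection_suspects(pkts, local_ip, min_bytes=512):
    """Remote hosts whose unsolicited traffic looks like reflection: an injected
    block page, or more than min_bytes of data on connections we never opened."""
    return sorted(ip for ip, s in classify_inbound(pkts, local_ip).items()
                  if s["block_page"] or s["bytes"] >= min_bytes)

VICTIM = "203.0.113.5"
BLOCK_PAGE = (b"HTTP/1.1 403 Forbidden\r\nContent-Type: text/html\r\n\r\n"
              + b"<html><body>Access denied: this site is blocked.</body></html>" * 12)
SAMPLE = [
    # a connection the victim opened itself: not counted
    Pkt(VICTIM, "198.51.100.20", 40000, 80, "S"),
    Pkt("198.51.100.20", VICTIM, 80, 40000, "SA"),
    Pkt("198.51.100.20", VICTIM, 80, 40000, "PA", b"HTTP/1.1 200 OK\r\n\r\nhello"),
    # never opened by the victim: SYN-ACK backscatter, then the middlebox's block page and RST
    Pkt("192.0.2.10", VICTIM, 80, 5555, "SA"),
    Pkt("192.0.2.10", VICTIM, 80, 5555, "PA", BLOCK_PAGE),
    Pkt("192.0.2.10", VICTIM, 80, 5555, "RA"),
    # a lone unsolicited RST (e.g. a scan reply) is noise, not reflection
    Pkt("192.0.2.77", VICTIM, 443, 6000, "R"),
]
```

Running `classify_inbound(SAMPLE, VICTIM)` leaves the self-initiated 198.51.100.20 flow out entirely and flags 192.0.2.10 with one SYN-ACK, one RST and a block page, which is the signature to alert on (and to correlate across many reflectors during a real flood).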

happyeverydaylove commented 1 month ago

Actually, you could simulate the environment with two devices: one as an attacking machine (running Kali Linux) with a firewall configured to block the destination address, and the other as the target machine or victim. Would this setup work?

moloch54 commented 1 month ago

Your firewall needs to act like a middlebox.


happyeverydaylove commented 1 month ago

I'm going to try setting up the firewall and creating rules, but I have a question. Perhaps I didn't explain it clearly enough. If we set a blocked website, such as Facebook, in a connected environment, we can perform a DDoS attack because we're accessing their servers. But in a disconnected environment, can we set any website as blocked, or...? I hope you understand what I mean. I'm a bit confused about setting up the block.

moloch54 commented 1 month ago

You have to emulate a middlebox that sends a webpage to the source IP when it detects a forbidden IP dest.


happyeverydaylove commented 1 month ago

Is enabling a Linux firewall and adding rules considered simulating a middlebox? How exactly can I simulate a middlebox?

moloch54 commented 1 month ago

You have to emulate a middlebox that sends a webpage to the source IP when it detects a forbidden IP dest.

Do it like you want...


happyeverydaylove commented 1 month ago

If I use Kali Linux with Apache to host a website and set access restrictions so that the source IP is blocked, and then set the forbidden website to be Kali's own IP address, would a script-based attack theoretically perform a DDoS on the source IP?

moloch54 commented 1 month ago

You have to emulate a middlebox that sends a webpage to the source IP when it detects a forbidden IP dest in a packet.

I don't know what to add.


happyeverydaylove commented 1 month ago

OK, what is the final result of a DDoS attack on the target drone using the intermediate box? CPU increase? System crash?

moloch54 commented 1 month ago

A regular DDOS attack, but with the middlebox reflection you only need less bandwidth to take down a target.


happyeverydaylove commented 1 month ago

Why, when connected to the internet, sending a forbidden website to the middlebox can trigger interception? It seems like no specific settings are made on the middlebox itself, and I'm not quite understanding the principle behind this.

moloch54 commented 1 month ago

The middlebox is a proxy...


happyeverydaylove commented 1 month ago

The result obtained by using this script is based on the middleware reflection shown in (b) of the image

happyeverydaylove commented 1 month ago

I see that it is necessary to configure the wrong middleware server, then if the set to access the source IP forbidden, then the script to disable the server IP, so can it?

happyeverydaylove commented 1 month ago

Have you tested it on the intranet? If so, how was your intermediary box configured?