Friday, October 03, 2008

How to kill tcp connection in Linux

You cannot kill a TCP connection using netstat utility. netstat is use for

  • Display network connections
  • Routing tables
  • Interface statistics
  • Masquerade connections
  • Multicast memberships
  • And much more

However Linux support two other commands or utility that can be used to kill a TCP connection.

tcpkill command

Use tcpkill command to kill specified in-progress TCP connections. It is useful for libnids-based applications which require a full TCP 3-whs for TCB creation.

Syntax:

tcpkill -i eth0 { expression }

Examples:

(a) Kill all outgoing ftp (port 21) connection:

tcpkill -i eth0 port 21

(b) Kill all all packets arriving at or departing from host 192.168.1.2 (host12.nixcraft.com)

tcpkill host 192.168.1.2

OR

tcpkill host host12.nixcraft.com


(c) To kill all IP packets between 192.168.1.2 and any host except 192.168.1.111, type the following:

tcpkill ip host 192.168.1.2 and not 192.168.1.111

Since tcpkill expressions are based upon tcpdump command's filter expression, it is recommended that you read options with expression and examples.

cutter command

Cutter is an open source program that allows Linux firewall administrators to abort TCP/IP connections routed over Linux based firewall. It works on Linux router only. We have already covered examples of cutter here.

 

Recently I came across very powerful and nifty tool called cutter. Just imagine that people in your private network using peer to peer (P2P) software such as Kazaa, iMesh or others and you want to cut them or just want to cut all ftp connection over your firewall but not all traffic to host. Network security administrators sometimes need to be able to abort TCP/IP connections routed over their firewalls on demand

cutter utility

In the following sample network diagram client workstation 192.168.1.1 sending ftp, http, ssh traffic using 192.168.1.254 (Linux based) router to server outside our network, and you would like to cut ftp traffic without interrupting other connection? So how do you block and cut traffic? Simply, use cutter utility.

client ->    Linux firewall -> Internet --> Servers FTP    ->    192.168.1.254  -> Internet --> FTP Server HTTP   ->    192.168.1.254  -> Internet --> HTTP Server SSH    ->    192.168.1.254  -> Internet --> SSH Server 192.168.1.1 

Cutter is an open source program that allows Linux firewall administrators to abort TCP/IP connections routed over Linux based firewall. This tool is very handy in situation like:

  • To terminate connection such as SSH tunnels or VPNs left by your own users
  • To abort crackers attacks as soon as they detected
  • To kill high bandwidth consuming connection
  • To kill peer-to-peer traffic etc

How do I use cutter command?

Use apt-get to install cutter on a Debian / Ubuntu Linux firewall:
# apt-get install cutter

1) Login to your iptables based firewall router

2) Identify your internal connection (use netstat or tcpdump)

3) Use cutter the command as follows:
cutter {IP-address} {Port}

Examples:
Cut all connections from 192.168.1.5 to server
# cutter 192.168.1.5

Cut all ssh connection from 192.168.1.5 to server
# cutter 192.168.1.5 22

Cut all ssh connection from 192.168.1.5 to ssh server 202.54.1.20
# cutter 202.54.1.20 192.168.1.5 22

Please note that cutter has been designed for use as a administrators tool for Linux firewalls do not use this tool for malicious purpose. For more information about this tool & how actually it works by sending FIN -> ACK -> RST sequence of packets to terminate connection, see the official web site.

Update: As pointed out by Mina Naguib you can also use tcpkill command for same purpose.



Dapatkan nama yang Anda sukai!
Sekarang Anda dapat memiliki email di @ymail.com dan @rocketmail.com.

0 Comments: