
Robert Teminian

Handshake One: Know Your SYN, source of DoS attack, or client IP profiles at least

This article was originally posted on Aug. 9th, 2022 on my old blog:
https://codenested.blogspot.com/2022/08/handshake-one-know-your-syn-source-of.html
The application is still available to download, and the source code is intact. If you need a binary for another Linux distribution, please let me know.


It was a hot summer in the middle of COVID-19, with infections hitting new highs day by day. I watched the managers of a small online community defend their server against a DoS (Denial of Service) attack. They were enthusiastic, but the work was quite inefficient: the only things they could rely on were the web server logs and our good old friend iptables.

Well, being too small to invest in dedicated security products, we know the only viable option we have against those dull and stupid, yet quite effective, attacks is iptables or nftables. But when an attack actually hits, we are usually puzzled and stuck: the log is too long and too complicated to read, so telling attacker IPs apart from legitimate user IPs is hard.

So I developed a small utility named Handshake One to help server engineers find the sources of DoS attacks as early as possible, or at least learn the IP profile of their service. It counts the TCP SYN packets received from each client IP over the past 60 seconds and generates reports, one block per second, like the one below:

Handshake One TCP SYN counter report
(C)Copyright 2022 Robert Teminian.
This application is provided free of charge, and provided AS IS: though the developer hopes that this would help the user in any way, the software does NOT guarantee anything at all.

Stop by the developer's blog and leave a comment! Visit http://codenested.blogspot.com

====================
At 1660000053
IP  Hits
192.168.1.26    14
Total   14

====================
At 1660000054
IP  Hits
192.168.1.26    11
Total   11

====================
At 1660000055
IP  Hits
192.168.1.26    1
Total   1

Binaries are currently provided for three operating systems, but you can contact me for a build for another OS. Click the link below to download the executable binary for each:

They are just compressed archives; decompress the file into any directory you want to run it from.

The usage is as follows:

  • Install: Windows
    • Decompress the ZIP file in any location you want
    • On Windows, Handshake One depends on Npcap (https://npcap.com/) for capturing packets. Install it separately, or install Wireshark (https://www.wireshark.org/), which installs both the packet analysis tool and Npcap.
    • After installing Npcap, copy Packet.dll and wpcap.dll from C:\Windows\System32\Npcap to the executable's directory
  • Install: Linux
    • Decompress the TGZ file in any location you want
    • On Linux, Handshake One depends on libpcap. It is usually installed alongside tcpdump; if it is not, install it with your distribution's package manager (apt, yum, ...)
  • Configuration
    • The only way to configure Handshake One is via its configuration file, HandshakeOne.json. Currently there are three keys:
      • resultpath: the directory in which to save the report. Handshake One automatically generates and overwrites a file named "HandshakeOneReport.txt" in that directory every 30 seconds.
        • On Linux, I recommend pointing this at a RAM-backed filesystem (a tmpfs mount; /tmp is one on many distributions) to spare the server's disks the I/O
      • sniffer: the name of the device to capture packets on. On Linux it is the device name shown by commands like ip link or ifconfig. On Windows it is a bit tricky, since the name Npcap expects is NOT the "human readable name" of the interface but the internal device name, e.g. \Device\NPF_{12345678-9ABC-DEF0-1234-567890ABCDEF}. To list the device names with their human readable descriptions (e.g. Realtek PCIe GbE Family Controller), run Handshake One with the "show" parameter: HandshakeOne show
      • reportsizelimit: a limit, in bytes, on the size of the report file written on each update (which overwrites the previous file). If the report would exceed this size, the application finishes writing the data for the timestamp currently being written and then stops. For example, with a 2MB limit, if the report written at 10:00:00 (covering 09:00:00 to 09:00:59) is 1.5MB it is written in full; if the report written at 10:01:00 (covering 10:00:00 to 10:00:59) would be 2.5MB and the limit is reached while writing the data for 10:00:47, the file contains everything up to and including 10:00:47, and the report is regenerated as usual on the next refresh
  • Run the application
    • In Windows, just run HandshakeOne.exe
      • If you want to run Handshake One as a Windows Service, I think nssm (http://nssm.cc/) will do the job. I have no experience with it myself, but it gets very positive reviews in many places.
    • In Linux, you have two choices
      • Run HandshakeOne directly. Caution: since libpcap needs root privilege to open the capture device, HandshakeOne must be run via sudo or su. Strictly speaking, what libpcap needs is the CAP_NET_RAW and CAP_NET_ADMIN capabilities rather than full root, so on distributions with file capabilities you can instead run sudo setcap cap_net_raw,cap_net_admin=eip HandshakeOne once and then start the binary as an unprivileged user.
      • You can register Handshake One as a systemd service. Edit HandshakeOne.service as needed (at least ExecStart and WorkingDirectory must be changed to the exact path of the binary), then register it with the following commands:
sudo cp HandshakeOne.service /etc/systemd/system/
sudo systemctl daemon-reload
sudo systemctl enable HandshakeOne
sudo systemctl start HandshakeOne
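As an added example, not Handshake One's own code, the Python sketch below shows the two mechanics described in this post: classifying a captured frame as a client SYN (SYN set, ACK clear, so the server's SYN+ACK and the client's final ACK are not counted), bucketing the hits per second and per source IP over a 60-second window, and rendering the report in the layout shown earlier while honouring a reportsizelimit-style byte cap that completes the block for the current timestamp and then stops. The frames are constructed in-line with struct rather than captured, so no capture device or root privilege is needed; the function names, the 203.0.113.9 "ordinary client", the 10.0.0.5 server and the per-second threshold in suspects() are my own assumptions, not anything from the tool.

```python
"""Per-second TCP SYN counter with a size-limited report (added example, not Handshake One's code).

Frames are raw Ethernet/IPv4/TCP bytes, the shape libpcap hands to a capture callback.
All sample frames below are constructed with struct; no capture device is needed.
"""
import struct
from collections import Counter, defaultdict

ETH_P_IP = 0x0800  # EtherType for IPv4
TCP_SYN = 0x02
TCP_ACK = 0x10


def build_frame(src_ip, dst_ip, flags, sport=40000, dport=443):
    """Construct an Ethernet + IPv4 + TCP frame with no payload (test data only; checksums left zero)."""
    eth = b"\x00" * 12 + struct.pack("!H", ETH_P_IP)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                         bytes(int(o) for o in src_ip.split(".")),
                         bytes(int(o) for o in dst_ip.split(".")))
    # data offset 5 (20-byte TCP header) in the high nibble, then the flags byte
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)
    return eth + ip_hdr + tcp_hdr


def client_syn_source(frame):
    """Return the source IP if the frame is a TCP segment with SYN set and ACK clear, else None.

    A SYN+ACK is the server's half of the handshake, and a SYN flood never completes one,
    so only pure SYNs are attributed to the client."""
    if len(frame) < 14 + 20 + 20 or struct.unpack("!H", frame[12:14])[0] != ETH_P_IP:
        return None
    ihl = (frame[14] & 0x0F) * 4           # IPv4 header length, options included
    if frame[14] >> 4 != 4 or frame[14 + 9] != 6 or len(frame) < 14 + ihl + 14:
        return None                        # not IPv4, not TCP, or truncated
    flags = frame[14 + ihl + 13]           # TCP flags byte
    if flags & TCP_SYN and not flags & TCP_ACK:
        return ".".join(str(b) for b in frame[26:30])
    return None


def count_syns(packets, window=60):
    """packets: iterable of (timestamp_seconds, frame). Returns {second: Counter(src_ip -> hits)}
    for the most recent `window` seconds, keyed by integer epoch second."""
    buckets = defaultdict(Counter)
    for ts, frame in packets:
        src = client_syn_source(frame)
        if src is not None:
            buckets[int(ts)][src] += 1
    if not buckets:
        return {}
    latest = max(buckets)
    return {sec: buckets[sec] for sec in sorted(buckets) if sec > latest - window}


def suspects(buckets, per_second_threshold):
    """IPs that exceeded the threshold of SYNs in any single second: a first cut at attacker vs. user.
    The threshold is an assumption to tune per service, not a value from Handshake One."""
    return {ip for counts in buckets.values() for ip, hits in counts.items() if hits > per_second_threshold}


def render_report(buckets, size_limit=None):
    """Render the report in Handshake One's layout. With size_limit (bytes), the block for the
    timestamp being written when the limit is crossed is completed, then writing stops."""
    out, written = [], 0
    for sec in sorted(buckets):
        counts = buckets[sec]
        lines = ["=" * 20, f"At {sec}", "IP\tHits"]
        lines += [f"{ip}\t{hits}" for ip, hits in counts.most_common()]
        lines += [f"Total\t{sum(counts.values())}", ""]
        block = "\n".join(lines) + "\n"
        out.append(block)
        written += len(block.encode())
        if size_limit is not None and written > size_limit:
            break
    return "".join(out)


def sample_packets():
    """Constructed traffic: one host sending many SYNs per second, one ordinary client,
    plus a server SYN+ACK and a client ACK that must not be counted."""
    pkts = []
    for i in range(14):
        pkts.append((1660000053 + i / 20, build_frame("192.168.1.26", "10.0.0.5", TCP_SYN, 40000 + i)))
    pkts.append((1660000053.5, build_frame("10.0.0.5", "192.168.1.26", TCP_SYN | TCP_ACK, 443, 40000)))
    pkts.append((1660000053.7, build_frame("192.168.1.26", "10.0.0.5", TCP_ACK, 40000)))
    for i in range(11):
        pkts.append((1660000054 + i / 20, build_frame("192.168.1.26", "10.0.0.5", TCP_SYN, 41000 + i)))
    pkts.append((1660000054.2, build_frame("203.0.113.9", "10.0.0.5", TCP_SYN)))
    pkts.append((1660000055.0, build_frame("192.168.1.26", "10.0.0.5", TCP_SYN)))
    return pkts


if __name__ == "__main__":
    buckets = count_syns(sample_packets())
    print(render_report(buckets, size_limit=2 * 1024 * 1024))
    print("suspects:", sorted(suspects(buckets, 10)))
```

Running the script prints three per-second blocks in the same shape as the sample report above, with 192.168.1.26 at 14, 11 and 1 hits and the ordinary client appearing once. Feeding the same functions real frames from a libpcap binding (or a pcap file) only changes where `packets` comes from; the classification rule, the per-second bucketing and the size-limited writer stay the same.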

So... that's all, folks! I hope you enjoy the application. If you have any comments, opinions, or questions, please leave a comment.
