Pablo Neira Ayuso, Netfilter summary of changes since last workshop

Pablo Neira Ayuso gave a panorama of the Netfilter changes since the last workshop. On the user-space side, the first main change published after the last workshop is libnetfilter_cttimeout. It allows you to define different timeout policies and to apply them to connections by using the CT target. Another important new “feature” is the possibility to disable the automatic helper assignment. More information in Secure use of iptables and connection tracking helpers. ...

March 11, 2013 · 2 min · Regit

Martin Topholm: DDoS experiences with Linux and Netfilter

Martin is working for one.com, a local ISP, and is facing some DDoS. SYN cookies were implemented, but the performance was too low, below 300kpps, which is not what was expected. In fact SYN handling is on a slow path, with a single spin lock protecting the SYN backlog queue. So the system behaves like a single-core system with respect to SYN attacks. Jesper Dangaard Brouer has proposed a patch to move the SYN cookie handling out of the lock, but it has some downsides and could not be accepted. In particular, the syncookie system needs to check every type of packet to see if it belongs to a previous SYN cookie response, and thus a central point is needed. ...

March 11, 2013 · 2 min · Regit

David Miller: routing cache is dead, now what ?

The routing cache was maintaining a list of routing decisions. It was a hash table which was highly dynamic and was changing with traffic. One of the major problems was the garbage collector. Another severe issue was the possibility of DoS using the increase. The routing cache has been removed in Linux 3.6 after a 2-year effort by David and the other Linux kernel developers. The global cache has been removed and some of the stored information has been moved to more specific resources such as the socket. ...

March 11, 2013 · 1 min · Regit

Fabio Massimo Di Nitto: Kronosnet.org

Kronosnet is an “I conceived it when drunk but it works well” VPN implementation. It uses an Ethernet TAP device to provide a layer 2 VPN. To avoid reinventing the wheel, it delegates most of the work to the kernel. It supports multilink and server redundancy. On the multilink side, 8 links can be configured per host to help redundancy. One of the uses of this project is the creation of private networks in the cloud, as it can easily be set up to provide redundancy and connectivity for a lot of clients (64k simultaneous clients), and because a layer 2 VPN is really useful for this type of usage. ...

March 11, 2013 · 1 min · Regit

Eric Leblond: ulogd2, Netfilter logging reloaded

Introduction: Yesterday I gave a presentation of ulogd2 at Open Source Days in Copenhagen. After a brief history of Netfilter logging, I described the key features of ulogd2 and demonstrated two interfaces, nf3d and djedi. The slides are available: Ulogd2, Netfilter logging reloaded. Screencasts: the first video demonstrates some features of nf3d; the second screencast shows some of the capabilities of djedi. Thanks a lot to the organizers for this cool event.

March 11, 2013 · 1 min · Regit

Jan Engelhardt, Xtables2: Packet Filter Evolved

Introduction: iptables duplicates work for each family and uses a socket protocol which is far too static. Xtables2 is an ongoing effort to evolve the packet filter. It aims at providing finer-grained modifications (instead of replacing the whole ruleset). Capabilities: rule packing to increase cache hits; family independence, so no more IPv4- and IPv6-specific code (only the hooks remain specific, as they depend on the core network stack); xt extension support; atomic replace support. The xtables syntax is quite similar, but not the same. libxtadm is a high-level library for ruleset inspection and manipulation. ...

March 10, 2013 · 1 min · Regit

Daniel Borkmann: Packet Sockets, BPF and Netsniff-NG

PF_PACKET introduction: this is the access to raw packets inside Linux. It is used by libpcap and by other projects like Suricata. PF_PACKET performance can be improved via dedicated features: zero-copy RX/TX, socket clustering, Linux socket filtering (BPF). The BPF architecture looks like a small virtual machine with registers and memory stores. It has different instructions, and the kernel has its own extensions to access the CPU number or the VLAN tag. Netsniff-NG: netsniff-ng is a set of minimal tools: ...

March 10, 2013 · 2 min · Regit

Tomasz Bursztyka, ConnMan usage of Netfilter: a close overview

Introduction: ConnMan is a connection manager which integrates all critical networking components. It provides a smart D-Bus API to develop a user interface. It is plugin oriented, and the different network stacks are implemented in separate modules. Connection sharing (aka tethering) uses Netfilter to set up NAT masquerading, so it is a simple usage. Switching to nftables: application connectivity is a more advanced part involving Netfilter, as it makes use of statistics and differentiated routing. For example, in a car, service data must be sent to the manufacturer's operator and not over the owner's network. ...

March 10, 2013 · 1 min · Regit

Julien Vehent, AFW: Automating host-based firewalls with Chef

The problem: a centralized firewall design does not scale well when dealing with a lot of servers. It begins to collapse after a few thousand rules. Furthermore, allowing an application A to connect to a server B requires a workflow and possibly 3 weeks to get the opening. From Service Oriented Architecture to Service Oriented Security: services are autonomous. They call each other using a standard protocol. The architecture is described by a list of dependencies between services. You can then specify security via statements like ACCEPT Caching TO Frontend ON PORT 80. But this forces you to do provisioning each time a server starts. ...

March 10, 2013 · 2 min · Regit

Jozsef Kadlecsik, Faster firewalling with ipset

Why ipset? iptables is generally sufficient, but in some cases its limits are reached: a high number of rules (iptables lookup is linear) and the need to change the rules often. An independent study available at d(a)emonkeeper’s purgatory has shown that the performance of ipset is almost constant with respect to the number of filtered hosts. History: the originating project was ippool, featuring a basic set; after some time it was taken over by Jozsef and renamed ipset. Many types of sets are now handled. ...

March 10, 2013 · 1 min · Regit

Patrick McHardy: Oops, I did it: IPv6 NAT

Introduction: Harald Welte, when asked about IPv6 NAT, answered: “it will be over my dead body”. It is now available in the official kernel. Reasons for adding IPv6 NAT: dynamic IPv6 prefixes (ISPs assign dynamic IPv6 prefixes, so internal network addresses change; NAT can bring you stability), easier test setups, and users are asking for it while most operating systems have it. To summarize the arguments about NAT, Patrick McHardy used this video: ...

March 10, 2013 · 1 min · Regit

Pablo Neira Ayuso: nftables, a new packet filtering framework for Netfilter

Introduction: nftables is a kernel packet filtering framework that replaces iptables. It brings no changes to the core (conntrack, hooks). The match logic is changed: you fetch keys, and once you have your key set, you perform operations on them. Advanced and specialized matches are built upon this system. nftables vs iptables: in iptables, extensions were coded in separate files and had to be put in the iptables source tree. To act, they must modify a binary array storing the ruleset and inject it back into the kernel, so every update involves a full download and upload of the whole ruleset. ...

March 10, 2013 · 2 min · Regit

Ulogd 2.0.2, my first release as maintainer

Objectives of this release: so this is my first ulogd2 release as maintainer. I’ve been in charge of the project since October 30th, 2012, and this was an opportunity for me to increase my developments on the project. The roadmap was almost empty, so I’ve decided to work on issues that were bothering me as a user of the project. I’ve also included two features, which are connection tracking event filtering and a Graphite output module. Ulogd is available on the Netfilter web site. ...

March 4, 2013 · 3 min · Regit

Visualize Netfilter accounting in Graphite

Ulogd Graphite output plugin: I’ve committed a new output plugin for ulogd. The idea is to send NFACCT accounting data to a Graphite server to be able to display the received data. Graphite is a web application which provides real-time visualization and storage of numeric time-series data. Once data is sent to the Graphite server, it is possible to use the web interface to set up different dashboards and graphs (including combinations and mathematical operations): ...

December 22, 2012 · 2 min · Regit

Some statistics about Suricata 1.4

A huge work: Suricata 1.4 has been released on December 13th, 2012, and it has been a huge work. The number of modifications is just impressive: 390 files changed, 25299 insertions(+), 11982 deletions(-). The following video uses gource to display the evolution of the Suricata IDS/IPS source code between version 1.3 and version 1.4. It only displays the modified files and does not show the files existing at the start. A collaborative work: a total of 11 different authors have participated in this release. The following graph generated by gitstats shows the number of lines of code by author: ...

December 13, 2012 · 4 min · Regit

The defense blues

Mother Nature has been really unfair with me. It has given me two strong interests in life: building things and information security. Once that was done, my doom was sealed and I’ve become an infosec defense guy. Nowadays this is one of the worst fates possible in computer science. Today, this burden is really hard to wear. I know some of you will try to encourage me by saying things like: ...

December 6, 2012 · 3 min · Regit

About Suricata and a kernel oops in AF_PACKET

Introduction: kernel oopses have been reported by some users running Suricata with AF_PACKET multi-threaded capture activated. This is due to a bug I’ve introduced in AF_PACKET when fixing another bug. Which kernel not to use with Suricata in AF_PACKET mode: the following kernel versions will surely crash if Suricata or any other program is used with AF_PACKET capture with multiple capture threads: Linux 3.2.30 to 3.2.33, Linux 3.4.12 to 3.4.18, Linux 3.5.5 to 3.5.7, Linux 3.6.0 to 3.6.6. If only one capture thread is used there is no risk of crash. If you are running a vulnerable kernel, your configuration should look like: ...

December 5, 2012 · 2 min · Regit

Flow reconstruction and normalization in Suricata

The naive approach would consider that an IDS is just taking packets and doing a lot of matching on them. In fact, this is not at all what is happening. An IDS/IPS like Suricata is in fact rebuilding the data stream and, in the case of known protocols, it is even normalizing the data stream and providing keywords which can be used to match on specific fields of a protocol. Let’s say we have a rule to match on an HTTP request where the method is GET and the URL is “/download.php”. ...

November 15, 2012 · 3 min · Regit

Installing Debian sid on a XPS 15

Since this morning, I’m the owner of an XPS 15 end-2012 edition. The model I have comes with a hard drive and an SSD, and it is pre-installed with Windows 8. As it is not a good choice of OS if you want to use the laptop for real work, I’ve installed Debian sid on it. ...

November 8, 2012 · 2 min · Regit

Display Suricata signatures in LaTeX

lstlisting is a convenient way to display code when using LaTeX. It has no definition for the Suricata rules language, so I’ve cooked one:

    \lstdefinelanguage{suricata}
    {morekeywords={alert, tcp, http, tls, ip, ipv4, ipv4, drop, pass, sid, priority, rev,
      classtype, threshold, metadata, reference, tag, msg, content, uricontent, pcre,
      ack, seq, depth, distance, within, offset, replace, nocase, fast\_pattern, rawbytes,
      byte\_test, byte\_jump, sameip, ip\_proto, flow, window, ftpbounce, isdataat, id,
      rpc, dsize, flowvar, flowint, pktvar, noalert, flowbits, stream\_size, ttl, itype,
      icode, tos, icmp\_id, icmp\_seq, detection\_filter, ipopts, flags, fragbits,
      fragoffset, gid, nfq\_set\_mark, tls.version, tls.subject, tls.issuerdn,
      tls.fingerprint, tls.store, http\_cookie, http\_method, urilen, http\_client\_body,
      http\_server\_body, http\_header, http\_raw\_header, http\_uri, http\_raw\_uri,
      http\_stat\_msg, http\_stat\_code, http\_user\_agent, ssh.protoversion,
      ssh.softwareversion, ssl\_version, ssl\_state, byte\_extract, file\_data, dce\_iface,
      dce\_opnum, dce\_stub\_data, asn1, filename, fileext, filestore, filemagic, filemd5,
      filesize, l3\_proto, luajit},
    otherkeywords={ipv4-csum, tcpv4-csum, tcpv6-csum, udpv4-csum, udpv6-csum, icmpv4-csum,
      icmpv6-csum, decode-event, app-layer-event, engine-event, stream-event},
    sensitive=true,
    morecomment=[l]{//},
    morecomment=[s]{/*}{*/},
    morestring=[b]",
    }

To use it, you can simply add this code at the start of your tex file and then use it: ...

October 23, 2012 · 1 min · Regit