Nov 15, 2014

Sometimes in life, the conventional options just won’t do.

Unique circumstances force upon us the urgency and necessity of non-routine responses.

For those rare moments and with the responsibility to use it prudently, we have nuclear options like tcpkill for handling attacks on your server.

Tcpkill – Powerful Tool

Let’s face it.

There are far too many whackos out there who think it’s great sport to deface your web site or blog or even crash your network.

As seasoned Linux administrators are aware, hackers have an endless number of IP addresses at their disposal.

So even if you drop one, two, three or a dozen IP addresses via IP Tables, sometimes the ferocity of attacks won’t let up because the criminals quickly resume their attack from a different IP.

When the attack from a particular IP becomes so overwhelming that it threatens to wreak havoc on your server or computer, you don’t call the hitman but beckon tcpkill to your aid.

Part of the dsniff suite of network auditing and penetration testing tools, tcpkill is a command line tool that kills in-progress TCP connections. It works by sniffing an interface for segments that match a tcpdump-style filter and answering each one with forged RST segments, so it can only kill connections whose packets actually pass the interface it listens on: your own host’s connections, or other hosts’ connections if you sit on their path (a gateway, a mirror port or a shared segment). It needs root privileges to sniff and inject. You can install dsniff via the Software Manager on Linux Mint or through the Ubuntu Software Center if you’re running Ubuntu.

Alternatively on Ubuntu systems, you can get dsniff by running the below command via the terminal:

$ sudo apt-get install dsniff

On RedHat or CentOS servers, dsniff comes from the EPEL repository, so enable that first and then run (as root):

# yum install dsniff

Tcpkill – Commands

The syntax of tcpkill is: tcpkill [-i interface] [-1…9] expression. It must be run as root (or via sudo), since it sniffs and injects raw packets.
-i Interface to listen on. Without it, tcpkill takes the first interface libpcap finds, which on a multi-homed server is often not the one you want.
-1…-9 The degree of brute force used to kill a connection: how many RST segments tcpkill injects for every matching segment it sees, each with its sequence number advanced by one window size so that at least one lands inside the receiver’s window. Fast connections need a higher number. The default is 3, but I usually go straight to 9, the most powerful.
expression – A tcpdump (BPF) filter expression selecting the connection(s) to kill. It must be valid BPF syntax, so join several clauses with and/or.
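What the degree option actually controls is easiest to see in code. The following Python is an added example written for this page, not code from dsniff: it models the RST segments tcpkill injects when it sees one segment of a connection it has been told to kill. tcpkill spoofs the observed destination replying to the observed source and sends `degree` resets whose sequence numbers start at the observed acknowledgement number and step forward by the advertised window, so that even a fast-moving connection gets a reset that lands inside the window; segments that are themselves SYN, FIN or RST are ignored, which keeps it from reacting to its own resets. The sample segment (an attacker talking to our SSH port, using documentation addresses) is constructed, the header builder produces a plain 20-byte TCP header with a valid checksum, and nothing is sent on the wire.

```python
"""Added example, not from dsniff: model the forged RST segments tcpkill
injects for one sniffed TCP segment, to show what -1...-9 (degree) does.
Builds raw TCP headers only; nothing is transmitted."""
import socket
import struct

TH_FIN, TH_SYN, TH_RST = 0x01, 0x02, 0x04


def _ones_complement_sum(data: bytes) -> int:
    """16-bit one's-complement sum used by the IP and TCP checksums."""
    if len(data) % 2:
        data += b"\x00"
    total = sum((data[i] << 8) | data[i + 1] for i in range(0, len(data), 2))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def _pseudo_header(src_ip: str, dst_ip: str, segment: bytes) -> bytes:
    """IPv4 pseudo-header that is prepended to the segment for checksumming."""
    return (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
            + struct.pack("!BBH", 0, socket.IPPROTO_TCP, len(segment)))


def tcp_checksum(src_ip: str, dst_ip: str, segment: bytes) -> int:
    """RFC 793 checksum over pseudo-header plus segment (checksum field zero)."""
    return (~_ones_complement_sum(_pseudo_header(src_ip, dst_ip, segment) + segment)) & 0xFFFF


def verify_checksum(src_ip: str, dst_ip: str, segment: bytes) -> bool:
    """A correctly checksummed segment sums to 0xFFFF with its checksum included."""
    return _ones_complement_sum(_pseudo_header(src_ip, dst_ip, segment) + segment) == 0xFFFF


def build_rst(src_ip: str, dst_ip: str, sport: int, dport: int, seq: int) -> bytes:
    """20-byte TCP header: RST flag set, ack/window/urgent zero, checksum filled in."""
    seq &= 0xFFFFFFFF
    # sport, dport, seq, ack, data offset (5 words), flags, window, checksum, urgent
    hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, TH_RST, 0, 0, 0)
    csum = tcp_checksum(src_ip, dst_ip, hdr)
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:]


def forge_rsts(sniffed: dict, degree: int = 3) -> list:
    """Return the (seq, rst_bytes) pairs tcpkill would inject for one sniffed segment.

    `sniffed` is a constructed dict with keys src, dst, sport, dport, flags, ack, win,
    describing a segment from src to dst.  The resets travel dst -> src, spoofing
    dst, with seq = ack + i*win for i in 0..degree-1.  SYN/FIN/RST segments are
    skipped, as tcpkill skips them."""
    if not 1 <= degree <= 9:
        raise ValueError("degree must be 1..9, as tcpkill's -1...-9")
    if sniffed["flags"] & (TH_SYN | TH_FIN | TH_RST):
        return []
    out = []
    for i in range(degree):
        seq = (sniffed["ack"] + i * sniffed["win"]) & 0xFFFFFFFF
        seg = build_rst(sniffed["dst"], sniffed["src"], sniffed["dport"], sniffed["sport"], seq)
        out.append((seq, seg))
    return out


if __name__ == "__main__":
    # Constructed sample: a PSH/ACK data segment from an attacker to our SSH port.
    sample = {"src": "203.0.113.7", "dst": "192.0.2.10", "sport": 51234,
              "dport": 22, "flags": 0x18, "ack": 1000, "win": 64240}
    for seq, seg in forge_rsts(sample, degree=9):
        print(f"RST {sample['dst']}:{sample['dport']} -> "
              f"{sample['src']}:{sample['sport']} seq={seq} ({len(seg)} bytes)")
```

With -9 the example emits nine resets spaced one window apart; with the default -3 only three, which is why a busy connection whose acknowledgement number has moved on by the time the reset arrives may survive a low degree.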

* The general form is tcpkill -i eth0 [expression]. Here’s an example to kill traffic to port 22:

$ tcpkill -i eth0 port 22

* Sometimes you may suspect a single IP address showing up in your netstat results to be malicious. In such circumstances, instead of killing every connection on a port you can kill only those of the offending IP with the below command:

$ tcpkill -9 host xxx.xxx.xxx.xxx

* If we wish to kill traffic for port 25 from a suspicious IP, we combine the two clauses with and (BPF does not accept them side by side):

$ tcpkill -9 port 25 and host xxx.xxx.xxx.xxx

* You can also kill by domain name like below:

$ tcpkill -9 host example.com

* If you’re a liberal with no sympathy for Republicans, you could run the below command on a box that sees your office traffic (a gateway or a mirror port) and keep your employees off a site you disapprove of: 😉

$ tcpkill -9 host www.foxnews.com

* You may be tempted to take the ID number netstat -p prints next to a connection and hand it to tcpkill like this:

$ tcpkill host 46783

That does not work. The number in netstat’s PID/Program name column is a local process ID, and tcpkill only understands BPF expressions over addresses and ports; it has no notion of processes. Terminating that PID with kill would take down every connection the process holds, not just the malicious one, so to remove a single connection filter on the remote host and port as in the examples above.

* To kill all IP packets between 192.168.1.2 and any host except 192.168.1.111, use below command:

$ tcpkill ip host 192.168.1.2 and not 192.168.1.111

* The below command does not use tcpkill and does not kill traffic: it sends SIGKILL to every process that has a socket on port 80, which on a web server means the web server itself:

$ kill -9 $( lsof -i:80 -t )

To test the above command, I ran it without thinking of the consequences. It killed traffic to all my web sites and I had to restart Apache to restore traffic to the sites.

Related Commands

Closely related to tcpkill is the netstat network monitoring command.

Results from running netstat are what lead you to use the tcpkill command.

A favorite target of hackers is the MySQL database, a backend element of WordPress blogs. Recently, a friend running a WordPress blog was the victim of a DOS attack on his MySQL Server.

There are a gazillion useful options in netstat, including a few pipelines that give you the number of connections from a single IP address (useful in detecting DDOS attacks).

For instance, running the below command displays the current connections counted by remote IP address. The culprit IP is oftentimes the one with a high number of connections. Note that the first two lines of the result come from netstat’s column headers and can be ignored, and that cut -d: -f1 stops at the first colon, so IPv6 peers show up truncated:

$ netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
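The same count, as an added example in Python rather than the post’s own pipeline: it reads pasted netstat -ntu (or ss -ntu) output, ignores the banner and header lines, strips the trailing port correctly for IPv6 peers, folds IPv4-mapped addresses of the form ::ffff:a.b.c.d back onto their IPv4 form so a dual-stack web server counts a client once, skips listening and unconnected sockets, and then lists the peers holding at least a threshold number of sockets. The sample output below is constructed from documentation address ranges.

```python
"""Added example, not from the original post: count connections per remote
peer in netstat/ss output and flag the heavy hitters before reaching for tcpkill."""
import re
from collections import Counter

# Last whitespace field that looks like addr:port; port is '*' for listeners/UDP.
_PEER = re.compile(r"^(.+):(\d+|\*)$")

# Constructed sample of `netstat -ntu` output (documentation addresses).
SAMPLE_NETSTAT = """\
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.0.2.10:3306         203.0.113.7:51234       ESTABLISHED
tcp        0      0 192.0.2.10:3306         203.0.113.7:51240       ESTABLISHED
tcp        0      0 192.0.2.10:3306         203.0.113.7:51251       ESTABLISHED
tcp        0      0 192.0.2.10:3306         203.0.113.7:51260       SYN_RECV
tcp        0      0 192.0.2.10:22           198.51.100.4:40112      ESTABLISHED
tcp6       0      0 ::ffff:192.0.2.10:80    ::ffff:198.51.100.4:40200 ESTABLISHED
tcp6       0      0 2001:db8::10:80         2001:db8::5:40300       ESTABLISHED
tcp6       0      0 2001:db8::10:80         2001:db8::5:40301       TIME_WAIT
udp        0      0 0.0.0.0:123             0.0.0.0:*
"""


def peer_address(line: str):
    """Remote address of one netstat/ss line, or None for headers and unconnected sockets.

    Scans fields from the right so the foreign/peer column is found before the
    local one.  Splitting off only the trailing :port keeps IPv6 addresses such
    as 2001:db8::5 intact, and ::ffff:a.b.c.d is unmapped to a.b.c.d."""
    for field in reversed(line.split()):
        m = _PEER.match(field)
        if m:
            addr, port = m.groups()
            if port == "*":
                return None          # listening / unconnected socket, no peer
            if addr.startswith("::ffff:"):
                addr = addr[len("::ffff:"):]
            return addr
    return None


def connections_per_peer(text: str) -> Counter:
    """Map remote address -> number of sockets, over pasted netstat/ss output."""
    counts = Counter()
    for line in text.splitlines():
        tokens = line.split()
        # netstat prints Proto first, ss prints Netid first; both are tcp*/udp*.
        if not tokens or not tokens[0].startswith(("tcp", "udp")):
            continue
        addr = peer_address(line)
        if addr:
            counts[addr] += 1
    return counts


def suspects(counts: Counter, threshold: int) -> list:
    """Peers holding at least `threshold` sockets, busiest first."""
    return [ip for ip, n in counts.most_common() if n >= threshold]


if __name__ == "__main__":
    counts = connections_per_peer(SAMPLE_NETSTAT)
    for ip, n in counts.most_common():
        print(f"{n:5d} {ip}")
    for ip in suspects(counts, threshold=3):
        print(f"candidate for: tcpkill -9 host {ip}")
```

The threshold is a judgement call: a busy legitimate client (a NAT gateway in front of an office, a monitoring host) can hold many sockets too, so look at the ports and states behind a high count before resetting it.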

By running the following command (as root, so that -p can show the owning process), we could quickly get a look at the ESTABLISHED connections and get the attacking IP:

$ netstat -atnp | grep ESTA

But getting details of the IP and the server under attack was only the first step.

We still needed to stop the attacks, which were seemingly immune to IPTables. That is typical when the INPUT chain begins with a rule accepting ESTABLISHED,RELATED traffic: a DROP for the attacker’s address added below it never sees the packets of the connections they already hold, so those connections stay alive until they are reset or the rule is placed above the accept.

So the next step was to run the following command:

$ tcpkill -9 host xxx.xxx.xx.xx

[where xxx.xxx.xx.xx is the attacking IP Address]

tcpkill does not exit on its own: it keeps sniffing and resets every matching connection it sees, so leave it running until the connections are gone and then stop it with Ctrl-C. If the attack is severe, this will take some time. Be patient.

The attacks stopped on my friend’s server although unfortunately the criminals are resorting to other forms of online harassment.

Here’s another useful netstat command:

$ netstat -ant

Tcpkill Limitations

TCPkill is not a panacea for all attacks.

But it’s a nuke of a tool for handling small attacks; it allows you a breather while you ponder the next move, get to your tech support guys and devise a suitable long-term response to plug the security dikes.

If you’re confronted with a large-scale DDOS attack, just fold your hands and pray. 😉

Related tcpkill content:
dsniff tools – Information and Download
tcpkill on Wikipedia
