hping3 flooding makes a host unreachable permanently in mininet - ddos

I was simulating a DoS attack using "hping3 IP --flood" in mininet with the POX controller. In my scenario, host 2 attacked host one using the mentioned command and made the host unreachable.
The problem is that when I stop everything and try to ping host1, it is unreachable! It seems that the host becomes unreachable permanently for some reason.
I even rebooted my virtual machine and ran the controller and simulator from scratch, but again the same thing happens. Any ping attempt to host1 is unreachable.
I have never seen this before. Can you tell me what happened here?
Thanks

Related

How do 2 devices communicate over an ethernet switch

Before I proceed, I'd like to mention that I did try to research this topic on the internet, but I still need clarification.
Let's say I have two Linux machines connected to a switch (and only to a switch). Machine A has an IP address of 10.0.0.1 and machine B -- 10.0.0.2. I used nmcli command to set the IP address and create an ethernet interface for each machine. Everything works as expected.
Now, the confusing part is how machine A can find machine B and vice versa? I'm using the following command to connect from machine A to machine B:
ssh userB@10.0.0.2
And it works, even if this is the very first data transmission. This surely means that machine A somehow already knew machine B's MAC address; otherwise, the frame wouldn't find its way to machine B. But how? Since the IP address is meaningless to the switch (Level 2), why does it still work when I do ping 10.0.0.2 or ssh 10.0.0.2?
Probably the ARP cache was already populated. Maybe there was a gratuitous ARP broadcast:
Every time an IP interface or link goes up, the driver for that interface will typically send a gratuitous ARP to preload the ARP tables of all other local hosts.
If not, most likely an ARP request/reply was happening right before the first ping. Check the arp command or ip neigh.
In general I suggest you use Wireshark to explore what's going on, or something like tcpdump -n -i eth0 not ssh if you are working remotely (note the -n to prevent name resolution). You can also record traffic with tcpdump -s 9999 -w output.pcap and view it later in Wireshark.
If you sniff network traffic on a third PC, keep in mind that switches will not send traffic to all ports when they have learned where the destination is. Some switches allow you to configure a mirror port to observe all traffic to or from a certain port. Either way you should always be able to observe ARP requests as they are broadcast.
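The ARP traffic this answer points to, as an added example that is not part of the original answer: it builds and parses constructed frames for the 10.0.0.1 / 10.0.0.2 setup and shows how a neighbour cache fills before the first ping or ssh packet. The MAC addresses, function names and the simplified learning rule are assumptions.

```python
import socket
import struct

BROADCAST = b"\xff" * 6

def build_arp(op, smac, sip, tmac, tip, dst=BROADCAST):
    """Build an Ethernet II frame carrying an IPv4-over-Ethernet ARP packet."""
    eth = dst + smac + struct.pack("!H", 0x0806)       # EtherType 0x0806 = ARP
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)   # op 1 = request, 2 = reply
    return eth + arp + smac + socket.inet_aton(sip) + tmac + socket.inet_aton(tip)

def parse_arp(frame):
    """Return a dict describing an ARP frame, or None if it is not ARP."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    smac, sip, tmac, tip = struct.unpack("!6s4s6s4s", frame[22:42])
    sip, tip = socket.inet_ntoa(sip), socket.inet_ntoa(tip)
    # A gratuitous ARP announces the sender's own address: sender IP == target IP.
    kind = "gratuitous" if sip == tip else {1: "request", 2: "reply"}.get(op, "other")
    return {"kind": kind, "broadcast": frame[:6] == BROADCAST,
            "sender_mac": smac.hex(":"), "sender_ip": sip, "target_ip": tip}

def learn(cache, frame):
    """Simplified neighbour cache: record sender IP -> MAC for each ARP frame."""
    info = parse_arp(frame)
    if info:
        cache[info["sender_ip"]] = info["sender_mac"]
    return info

# Constructed sample traffic (locally administered MACs, not from a capture).
MAC_A = bytes.fromhex("020000000001")
MAC_B = bytes.fromhex("020000000002")
ZERO = b"\x00" * 6
SAMPLE = [
    build_arp(1, MAC_B, "10.0.0.2", ZERO, "10.0.0.2"),          # B's link comes up
    build_arp(1, MAC_A, "10.0.0.1", ZERO, "10.0.0.2"),          # A asks who has .2
    build_arp(2, MAC_B, "10.0.0.2", MAC_A, "10.0.0.1", MAC_A),  # B answers unicast
]

def replay(frames):
    """Feed frames through learn() and return (frame kinds, resulting cache)."""
    cache = {}
    kinds = [learn(cache, f)["kind"] for f in frames]
    return kinds, cache

if __name__ == "__main__":
    print(replay(SAMPLE))
```

The first two frames are broadcasts, so they are visible on every switch port; the unicast reply is only visible on the two ports involved or on a mirror port.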
Basically, when the first packet reaches the switch (virtual or physical), the switch will populate an ARP broadcast packet for the sake of getting all devices' MAC and IP addresses. So even though IP addresses seem meaningless to switches (because they're a layer 3 concept but the switch is for layer 2), switches still need that data to process the packets, because this is how we, as human beings, interact with computers for transmitting data: by using IP addresses.
When you ping a device, like 10.0.0.2, the switch will search in its ARP table and find the corresponding MAC address and also the interface for reaching the destination.
The best way to comprehend the whole process is to capture the data using Wireshark or even to implement a simple topology in software like Cisco Packet Tracer.

How to handle ip address change in couchbase cluster?

I have a Couchbase cluster on k8s with operator 1.2. I see the following error continuously today:
IP address seems to have changed. Unable to listen on 'ns_1#couchbase-cluster-couchbase-cluster-0001.couchbase-cluster-couchbase-cluster.default.svc'. (POSIX error code: 'nxdomain') (repeated 3 times)
The “IP address change” message is an alert message generated by Couchbase Server. The server checks for this situation as follows: it tries to listen on a free port on the interface that is the node’s address.
It does this every 3 seconds. If the host name of the node can’t be resolved you get an nxdomain error which is the most common reason that users see this alert message.
However, the alert would also fire if the user stopped the server, renamed the host and restarted - a much more serious configuration error that we would want to alert the user to right away. Because this check runs every three seconds, if you have any flakiness in your DNS you are likely to see this alert message every now and then.
As long as the DNS glitch doesn’t persist for long (a few seconds) there probably won’t be any adverse issues. However, it is an indication that you may want to take a look at your DNS to make sure it’s reliable enough to run a distributed system such as Couchbase Server against. In the worst case, DNS that is unavailable for a significant length of time could result in lack of availability or auto failover.
PS: Thanks to Dave Finlay, who actually answered this question for me.
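A stand-alone approximation of the check described in this answer (resolve the node's name, then try to listen on a free port at that address), added here as an illustration to run on the node or in the pod; it is not Couchbase's code, and the function names and status labels are assumptions.

```python
import socket
import time

def check_node_address(hostname):
    """Resolve hostname, then try to listen on a free port at that address.

    Returns (status, detail) where status is one of:
      "ok"            - name resolved and a listener could be opened
      "unresolved"    - name lookup failed (the nxdomain case in the alert)
      "cannot_listen" - name resolved, but not to an address on this machine
    """
    try:
        infos = socket.getaddrinfo(hostname, None, type=socket.SOCK_STREAM)
    except socket.gaierror as exc:
        return "unresolved", str(exc)
    last_error = "no addresses returned"
    for family, socktype, proto, _canon, sockaddr in infos:
        try:
            with socket.socket(family, socktype, proto) as sock:
                # Port 0 asks the kernel for any free port on that address.
                sock.bind((sockaddr[0], 0) + tuple(sockaddr[2:]))
                sock.listen(1)
                return "ok", sockaddr[0]
        except OSError as exc:
            last_error = f"{sockaddr[0]}: {exc}"
    return "cannot_listen", last_error

def watch(hostname, runs=5, interval=3.0):
    """Repeat the check and count outcomes, to expose intermittent DNS failures."""
    counts = {}
    for i in range(runs):
        status, _detail = check_node_address(hostname)
        counts[status] = counts.get(status, 0) + 1
        if i < runs - 1:
            time.sleep(interval)   # 3 s matches the interval the answer mentions
    return counts

if __name__ == "__main__":
    # Replace with the node name from the alert; the literal here is a placeholder.
    print(watch("127.0.0.1", runs=3, interval=3.0))
```

A mix of "ok" and "unresolved" over a long run points at flaky DNS, while a steady "cannot_listen" matches the renamed-host case.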
If you received the above error "IP address seems to have changed. Unable to listen on 'ns_1#lxcobeccestg1.gcp.xxx.com'. (POSIX error code: 'nxdomain')", then the hostname got changed, but the new hostname was not changed in the ip / ip_start file. To resolve this, go to /opt/couchbase/var/lib/couchbase/ip_start and update the ip_start file with the hostname.
In /opt/couchbase/var/lib/couchbase/, look for ip or ip_start, then run:
vi ip_start
and change the name. In my case it was still showing the wrong hostname, lxcobeccestg1.gcp; I changed it to lxcobeccestg2.gcp.
Execute:
sudo /etc/init.d/couchbase-server start
or systemctl restart couchbase-server

VirtualBox port redirection issues with non standard HTTPS ports

I have set up a CentOS VM to test Hadoop. I set a network interface in NAT mode with a paravirtualized network type interface. Port redirection for SSH (TCP 22) works without issues. However, some other ports do not seem to fully work (9870, 8042, 9864). I can see some "action" happening. Let me give an example for port 9870.
These are my rules (remember I said the SSH rule works without issues):
RulesX TCP 127.0.0.1 59870 10.0.3.15 9870
When I try to access http://127.0.0.1:59870 I get automatically redirected to https://127.0.0.1:59870 but eventually I get an ERR_TIMED_OUT error.
Tracing the traffic on the VM, I can see the traffic coming in but I cannot see any response back (I have one single network interface):
I am not sure what else to look at.
Any idea is highly welcome. Thank you!
More than likely, you need to open the non-standard ports on the CentOS firewall.
Open firewall port on CentOS 7

modbus(watlow F4T) allow to be connected, but does not allow to be read

The Modbus (Watlow F4T) allows a connection. My PC uses a static IP and the Watlow F4T also uses a static IP (192.168.0.222). It works well on another laptop or PC, but it does not work on one Windows 7 laptop.
Modbus uses port 502 and I checked the firewall. Using telnet 192.168.0.222 502 there is no error message; if I use a different port, telnet returns a connection failure, so I assume port 502 is open.
I use ModbusTcpTest130 to test with the same settings. When I try to read something from the Watlow F4T, it always says "unable to do modbus read, please check the port setting". As a different laptop works, I assume there is something special about this laptop. Does anybody have a clue?
Update: I tried another PC. It works when I only use modbusTCP130; however, when I tried Modbus Poll (I forgot to close the modbusTCP130 connection), it fails. Then, after closing both Modbus Poll and modbusTCP130, whichever I use, modbusTCP130 or Modbus Poll, both fail, so it looks like the port is not released?
How are you closing the port? Just closing down the terminal?
When you are not sure that your port is closed, I would suggest rebooting the devices on both ends. Also make sure only one instance of the terminal is running.
It is worth trying to change the communication port on the device to a different one, to make sure that the port is not being used by a different application on the PC.

client is waiting forever for remote server to return a webpage

I have an application with a server written in F# that serves web files using Suave. I remote login using PowerShell into another machine on the network to run the application (the application is also on one of the network drives). I do that because that machine has access to third-party APIs needed for the server. Now when I do [IPAddress_Of_Remote_Machine]/[html_file] or [name_of_pc]/[html_file], Chrome waits forever and never returns the webpage. This wasn't happening before; I ran into this problem recently. I opened a different port and used it instead of the default port 80. This made things work, but the problem keeps showing up after a couple of days. I don't think it's a firewall issue, but I'm clueless as to why this is happening.
When running netstat -an, this is what I get (I hid the IP address):
As you can see, all of the connections are either in CLOSE_WAIT or ESTABLISHED but not LISTENING. All of these TCP connections are probably there because I have PhantomJS and two other APIs running in the application as well. However, the loopback address is also open on the same port 5959:
I'm not sure what the difference between these two is, but when using PortQryUI to query the remote server it returns a success!
I have already made an inbound rule for port 5959 on the server so it should be allowed. The web page is stuck at Waiting for [name_of_pc]. Also, sometimes this problem disappears and everything works fine.
What is the potential problem behind this? Why would this happen all of a sudden?
UPDATE:
I re-ran the application today and it's working correctly. It could be that something is dynamically set within the firewall? Not really sure what is going on. The machine I'm running the server on has a bunch of applications running on it as well so maybe there is an external process that is affecting it?
I made a hello world app with Suave and deployed it on the network drive to test if it's going to work. I opened an inbound rule for port 6001.
Then I ran the app:
However, it's still not working and this time it says the site cannot be reached when I do: http://[name_of_pc]:6001.
Moving this to an answer so that it can be closed:
Could you post the bindings section of your Suave cfg? I'm guessing you know where that is since you are using a non-standard port, but if you don't, search for HttpBinding. I suspect you will find it pointing to 127.0.0.1, which is not good enough for remote access. You could try changing it to 0.0.0.0 or to the server's actual IP address. I would try 0.0.0.0 first for the flexibility it provides.
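One way to confirm the binding this answer suspects, from the netstat -an output the question mentions (added example, not part of the original answer): it reports whether a port is listening on loopback only, on all interfaces, or not at all. The sample lines are constructed with documentation addresses, the Windows column layout is assumed, and the function names are hypothetical.

```python
import ipaddress

# Constructed `netstat -an` excerpt (Windows layout); not taken from the post.
SAMPLE = """\
  Proto  Local Address          Foreign Address        State
  TCP    127.0.0.1:5959         0.0.0.0:0              LISTENING
  TCP    192.0.2.10:49733       192.0.2.44:443         CLOSE_WAIT
  TCP    192.0.2.10:49801       192.0.2.44:443         ESTABLISHED
  TCP    0.0.0.0:6001           0.0.0.0:0              LISTENING
  TCP    [::]:6001              [::]:0                 LISTENING
  UDP    0.0.0.0:5353           *:*
"""

def listeners(netstat_text, port):
    """Return the set of local addresses in LISTENING state for a TCP port."""
    found = set()
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) != 4 or fields[0] != "TCP" or fields[3] != "LISTENING":
            continue
        host, _, local_port = fields[1].rpartition(":")
        if local_port == str(port):
            # Strip IPv6 brackets and any %scope suffix before parsing.
            found.add(ipaddress.ip_address(host.strip("[]").split("%")[0]))
    return found

def exposure(netstat_text, port):
    """Classify who can reach a listening port, judged by its bind address."""
    addrs = listeners(netstat_text, port)
    if not addrs:
        return "not listening"
    if any(a.is_unspecified for a in addrs):      # 0.0.0.0 or [::]
        return "all interfaces"
    if all(a.is_loopback for a in addrs):         # 127.0.0.0/8 or [::1]
        return "loopback only"
    return "specific addresses"

if __name__ == "__main__":
    for p in (5959, 6001, 80):
        print(p, exposure(SAMPLE, p))
```

A result of "loopback only" means remote clients cannot connect whatever the firewall rule says; "all interfaces" means the service is reachable on every network the machine is attached to, so the inbound rule is then the only restriction.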