[Click] problem with FromHost

pradnyesh sawant spradnyesh at gmx.net
Thu Jul 17 09:27:55 EDT 2003


I want to run a genuine client like a web browser, and also an attack tool,
on the same m/c as the router. So I have to get packets from the HOST (using
FromHost). The packets from the browser will be sent to the gateway, through
which it will be able to surf the Internet. The packets from the attack tool
will be forwarded to a web server on my own LAN.
All other packets can be forwarded using a classifier as you have suggested.
My problem is that I am unable to get packets from the kernel (which have
been passed to it (the kernel) by the browser and the attack tool). I tried
using the same config script as given in the FromHost documentation, but it did
not help.
If you could tell me just how to get packets from the kernel, it would be
just great!
Waiting for a reply from you soon.
> Hi Pradnyesh,
> Why do you want to use a fake device? If you want to analyze the traffic
> to a particular address, you can do equally well by using a classifier
> element to get packets for that particular IP address. Furthermore,
> after analysis you
> can pass on the packets to that host without having to discard them. You
> can do the analysis without disrupting the flow.
> This is if you want to do DDoS traffic analysis at the router.
> BTW, Click already has an element called IPRateMonitor for doing bandwidth
> analysis, and you can use it to detect brute-force DDoS attacks based on
> packet rate asymmetry.
> -Puneet
> 
> On Tue, 15 Jul 2003, pradnyesh sawant wrote:
> 
> > Thanks for showing interest in my problem.
> > I am working on my final year engg. project which deals with handling of
> > DoS attacks.
> > The m/c on which I'm working has a single ethernet card. So in the Click
> > router, I'm using the same interface (eth0) for both incoming and outgoing
> > packets.
> > I tried disabling eth0 by using ifconfig, and replaced fake0 by eth0 in the
> > script provided below, but I got the following error msg: "device eth0
> > already exists".
> > I also tried having the client on another m/c, just as you've suggested
> > below, but even then Click did not catch any packets.
> > I also wanted to ask one more question:
> > just as DNS server addrs are stored in /etc/resolv.conf, in which file is
> > the gateway addr stored?
> >
> > I would be very grateful if you could help me out.
> > Thanks for all the help.
> > >
> > > I am just taking a guess here...
> > > Since your client (192.168.0.150) is on the same machine as your router
> > > (192.168.0.150), I believe you would have assigned these addresses to
> > > other interfaces of the machine as well (ethX).
> > > So, on packet input, the Linux kernel routes the packet according to the
> > > first match in the routing table... in this case, that probably means
> > > local delivery to the IP stack on the Linux kernel, bypassing the fake
> > > device...
> > > You could test this out by using a different machine as a web browser
> > > client and put in a fake device with that client's IP address.
> > >
> > > Anyway, what exactly do you want to do?
> > > Capture and analyze DDoS traffic at a router or an end host?
> > > Regards,
> > > Puneet
> > >
> > > > I still haven't got the FromHost thing right.
> > > >
> > > > My first doubt is:
> > > > FromHost documentation says that the kernel passes all packets with
> > > > destination addr as ADDR/MASK to FromHost. I am running a web browser
> > > > client on the same m/c as the router. Hence I want to receive packets
> > > > destined for any IP addr and not just the fixed ADDR in Click. My m/c
> > > > addr is 192.168.0.150 while my gateway addr is 192.168.0.1.
> > > > The script I tried out was:
> > > >
> > > > FromHost(fake0,192.168.0.150/8)->cl::Classifier(12/0806,12/0800);
> > > > cl[0]->ARPResponder(0.0.0.0/0, 1:1:1:1:1:1)->c1::Counter->ToHost;
> > > > cl[1]->c2::Counter->Discard;
> > > >
> > > > I even tried putting 192.168.0.1/8 in FromHost, but to no avail.
> > > >
> > > > I can get a tcpdump output when Click is not installed.
> > > > When the above config for Click is installed, I can still surf sites,
> > > > which shouldn't have been possible since I'm discarding all packets. Also
> > > > the count handlers of both counters remain at zero.
> > > >
> > > > I feel lost and would be very grateful if any one of you could help me
> > > > out.
> > > > Thank you for your help.
> > > >
> > > > --
> > > > +++ GMX - Mail, Messaging & more  http://www.gmx.net +++
> > > >
> > > > Sign up or switch now and secure a USB memory watch as a bonus!
> > > >
> > > > _______________________________________________
> > > > click mailing list
> > > > click at amsterdam.lcs.mit.edu
> > > > https://amsterdam.lcs.mit.edu/mailman/listinfo/click
> > > >
> > >
> >
> 

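For the setup described in the message above (browser and attack tool on the same box as the Click router, a single NIC, browser traffic to the gateway, attack traffic to a web server on the LAN), the following Click configuration is an added example written for this page; it is not code from the poster, from Puneet, or from the Click project. Everything beyond the thread's two addresses (192.168.0.150 for the host, 192.168.0.1 for the gateway) is assumed: the LAN is taken to be 192.168.0.0/24 rather than the /8 used in the thread, the LAN web server is 192.168.0.200, eth0's MAC is 00:11:22:33:44:55, and fake0's MAC is 00:00:00:00:00:01 (read the real one from ifconfig fake0 after the config is installed). The next-hop MAC 1:1:1:1:1:1 handed to the kernel on the fake side follows the FromHost documentation example the poster quoted. It also assumes eth0 is brought up without an IP address while Click drives it, so that the kernel's only route to the LAN prefix and to the default gateway is via fake0.

```click
// Added example for this thread (not from the poster or the Click project).
// Assumed, not from the thread: LAN 192.168.0.0/24, web server 192.168.0.200,
// eth0 MAC 00:11:22:33:44:55, fake0 MAC 00:00:00:00:00:01.
// Assumed host-side steps around installing this config:
//   ifconfig eth0 0.0.0.0 up            # no IP on eth0: Click owns the wire
//   (install config; FromHost creates fake0 as 192.168.0.150/24)
//   route add default gw 192.168.0.1 dev fake0

// Wire side: one output queue for eth0 and an ARP querier for LAN peers.
arpq :: ARPQuerier(192.168.0.150, 00:11:22:33:44:55);
out  :: Queue -> ToDevice(eth0);
arpq -> out;

// Packets the kernel (browser, attack tool) sends toward the LAN or the gateway.
host :: FromHost(fake0, 192.168.0.150/24);
host -> hcl :: Classifier(12/0806 20/0001,   // ARP request from the kernel
                          12/0800,           // IP from the kernel
                          -);

// The kernel ARPs on fake0 for the gateway or the server; answer every
// request with the fake next-hop MAC so its frames come out of FromHost.
hcl[0] -> ARPResponder(0.0.0.0/0 1:1:1:1:1:1) -> ToHost(fake0);

// IP from the kernel: attack-tool traffic goes straight to the LAN server,
// everything else (the browser) goes to the gateway. Counters let you
// confirm via their count handlers that packets really reach Click.
hcl[1] -> Strip(14) -> CheckIPHeader
       -> ipcl :: IPClassifier(dst host 192.168.0.200, -);
ipcl[0] -> attack_cnt  :: Counter -> SetIPAddress(192.168.0.200) -> [0]arpq;
ipcl[1] -> browser_cnt :: Counter -> SetIPAddress(192.168.0.1)   -> [0]arpq;
hcl[2] -> Discard;

// Return path: frames from the wire back into the kernel through fake0.
FromDevice(eth0) -> wcl :: Classifier(12/0806 20/0001,   // ARP request for us
                                      12/0806 20/0002,   // ARP reply to arpq
                                      12/0800,           // IP
                                      -);
wcl[0] -> ARPResponder(192.168.0.150 00:11:22:33:44:55) -> out;
wcl[1] -> [1]arpq;
// Re-encapsulate for the fake device: source is the fake next hop, destination
// is fake0's own MAC, so the kernel accepts the frame as addressed to itself.
wcl[2] -> Strip(14) -> CheckIPHeader
       -> EtherEncap(0x0800, 1:1:1:1:1:1, 00:00:00:00:00:01) -> ToHost(fake0);
wcl[3] -> Discard;
```

The point of the /24 and of leaving eth0 unaddressed is that FromHost only sees what the kernel routes to fake0; if eth0 still carries 192.168.0.150/24, the kernel has an equally good route on the real device and the fake one may never be chosen. If attack_cnt and browser_cnt stay at zero after installing this, check the kernel routing table for which device the LAN and default routes point at before suspecting the Click graph.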


