Wednesday, 6 May 2020

Network is too Slow - UDP and SYN flooding

What is a UDP flood attack:


A UDP flood attack is a volumetric denial-of-service (DoS) attack using the User Datagram Protocol (UDP), a sessionless/connectionless computer networking protocol.

Using UDP for denial-of-service attacks is not as straightforward as with the Transmission Control Protocol (TCP). However, a UDP flood attack can be initiated by sending a large number of UDP packets to random ports on a remote host. As a result, the remote host will:

  • Check for the application listening at that port;
  • See that no application listens at that port;
  • Reply with an ICMP Destination Unreachable packet.

(Figure: DoS UDP flooding)


Thus, for a large number of UDP packets, the victimized system will be forced into sending many ICMP packets, eventually leading it to be unreachable by other clients. The attacker(s) may also spoof the IP address of the UDP packets, ensuring that the excessive ICMP return packets do not reach them, and anonymizing their network location(s). Most operating systems mitigate this part of the attack by limiting the rate at which ICMP responses are sent.
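A token bucket is one way to model the ICMP rate limiting just mentioned. The following is an added example written for this post, not code from the original article or from any operating system; the bucket size (50 replies) and refill rate (10 per second) are illustrative assumptions, not real kernel defaults.

```python
"""Token-bucket model of a host rate-limiting its ICMP Destination Unreachable
replies during a UDP flood. Added example: the bucket size and refill rate are
illustrative assumptions, not the defaults of any real operating system."""

from fractions import Fraction


class TokenBucket:
    """Classic token bucket: `capacity` replies may go out in a burst, after
    which replies are limited to `refill_per_sec` on average."""

    def __init__(self, capacity: int, refill_per_sec: int):
        self.capacity = Fraction(capacity)
        self.refill = Fraction(refill_per_sec)
        self.tokens = Fraction(capacity)   # start full: an idle host answers immediately
        self.last = Fraction(0)

    def allow(self, now: Fraction) -> bool:
        """Return True if an ICMP reply may be sent at time `now` (seconds)."""
        elapsed = max(Fraction(0), now - self.last)
        self.last = now
        self.tokens = min(self.capacity, self.tokens + elapsed * self.refill)
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False   # reply suppressed: the UDP probe is silently dropped


def simulate_flood(pkts_per_sec: int, seconds: int,
                   capacity: int = 50, refill_per_sec: int = 10):
    """Feed a uniform stream of UDP probes to closed ports through the limiter.

    Returns (probes_received, icmp_replies_sent). Exact arithmetic (Fraction)
    keeps the result deterministic regardless of float rounding."""
    bucket = TokenBucket(capacity, refill_per_sec)
    received = sent = 0
    for i in range(pkts_per_sec * seconds):
        now = Fraction(i, pkts_per_sec)
        received += 1
        if bucket.allow(now):
            sent += 1
    return received, sent


if __name__ == "__main__":
    # A 1000 packet/s flood for 5 s: the victim answers the first burst, then
    # only about one probe in a hundred, so the ICMP it generates stays bounded.
    print("flood     :", simulate_flood(1000, 5))
    # Five probes per second is below the refill rate, so nothing is suppressed.
    print("legitimate:", simulate_flood(5, 10))
```

The point of the simulation is the asymmetry: the attacker can keep sending at line rate, but the victim's outgoing ICMP volume is capped by the bucket, which is exactly why the flood cannot turn the victim into an ICMP amplifier.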

UDP Flood Attack Tools:

  • Low Orbit Ion Cannon
  • UDP Unicorn

This attack can be mitigated by deploying firewalls at key points in a network to filter out unwanted traffic. The potential victim never receives and never responds to the malicious UDP packets because the firewall stops them. However, because firewalls are 'stateful', i.e. they can only track a finite number of sessions, firewalls themselves can also be susceptible to flood attacks.



What is a SYN flood attack:

A SYN flood is a form of denial-of-service attack in which an attacker sends a succession of SYN requests to a target's system in an attempt to consume enough server resources to make the system unresponsive to legitimate traffic. A SYN flood is a protocol attack.

When a client attempts to start a TCP connection to a server, the client and server exchange a series of messages which normally runs like this:

  1. The client requests a connection by sending a SYN (synchronize) message to the server.
  2. The server acknowledges this request by sending SYN-ACK back to the client.
  3. The client responds with an ACK, and the connection is established.

(Figure: SYN attack, abnormal traffic)


This is called the TCP three-way handshake and is the foundation for every connection established using the TCP protocol.

A SYN flood attack works by not responding to the server with the expected ACK. The malicious client can either simply not send the expected ACK, or, by spoofing the source IP address in the SYN, cause the server to send the SYN-ACK to a falsified IP address, which will not send an ACK because it "knows" that it never sent a SYN.

The server will wait for the acknowledgment for some time, as simple network congestion could also be the cause of the missing ACK. However, in an attack, the half-open connections created by the malicious client bind resources on the server and may eventually exceed the resources available on the server. At that point, the server cannot connect to any clients, whether legitimate or otherwise. This effectively denies service to legitimate clients. Some systems may also malfunction or crash when other operating system functions are starved of resources in this way.
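To make the two traffic patterns described above (UDP probes to closed ports answered by ICMP unreachables, and SYNs that are answered with SYN-ACK but never completed by the client) concrete from the defender's side, here is an added example that flags both in a packet summary. It is not code from the original post; the line format, the `build_sample()` traffic, all addresses and the thresholds are constructed for illustration.

```python
"""Offline detector for the UDP flood and SYN flood patterns described above,
run over a constructed packet summary. Added example; the line format, the
traffic in build_sample() and every address are made up for illustration."""

import re
from collections import Counter, defaultdict

# One packet per line: "<ts> <proto> <src>[:<sport>] > <dst>[:<dport>] [flags]"
LINE_RE = re.compile(
    r"^(?P<ts>[\d.]+) (?P<proto>UDP|TCP|ICMP) (?P<src>[\d.]+)(?::(?P<sport>\d+))? > "
    r"(?P<dst>[\d.]+)(?::(?P<dport>\d+))?(?: (?P<flags>\S+))?$"
)


def parse(lines):
    """Yield one dict per well-formed line; unparseable lines are skipped."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groupdict()


def detect_udp_flood(pkts, min_pkts=100, min_ports=50):
    """Flag (src, dst) pairs sending many UDP packets across many distinct
    destination ports (the "random ports" signature) and report how many
    ICMP port-unreachable replies the victim returned to that source."""
    count = Counter()
    ports = defaultdict(set)
    icmp_back = Counter()
    for p in pkts:
        if p["proto"] == "UDP":
            key = (p["src"], p["dst"])
            count[key] += 1
            ports[key].add(p["dport"])
        elif p["proto"] == "ICMP" and p["flags"] == "port-unreachable":
            icmp_back[(p["dst"], p["src"])] += 1   # re-keyed as (sender, victim)
    return {key: {"udp_packets": n, "distinct_ports": len(ports[key]),
                  "icmp_unreachable_replies": icmp_back[key]}
            for key, n in count.items()
            if n >= min_pkts and len(ports[key]) >= min_ports}


def detect_syn_flood(pkts, min_half_open=50):
    """Flag listeners with many half-open connections: a SYN that the server
    answered with SYN-ACK but the client never completed with its ACK."""
    state = {}   # (client, cport, server, sport) -> "syn" | "synack" | "established"
    for p in pkts:
        if p["proto"] != "TCP":
            continue
        flags = p["flags"] or ""
        if flags == "S":
            state[(p["src"], p["sport"], p["dst"], p["dport"])] = "syn"
        elif flags == "SA":   # server replying, so the flow key is reversed
            key = (p["dst"], p["dport"], p["src"], p["sport"])
            if state.get(key) == "syn":
                state[key] = "synack"
        elif flags == "A":
            key = (p["src"], p["sport"], p["dst"], p["dport"])
            if state.get(key) == "synack":
                state[key] = "established"
    half_open = Counter((k[2], k[3]) for k, s in state.items() if s == "synack")
    return {listener: n for listener, n in half_open.items() if n >= min_half_open}


def build_sample():
    """Constructed traffic: one UDP port sweep, one SYN flood from spoofed
    sources against port 443, then a handful of normal completed handshakes."""
    lines, t, victim = [], 1588780800.0, "192.0.2.10"
    # UDP flood: 300 packets from one source to scattered closed ports, answered
    # by ICMP port-unreachable only until the victim's rate limit kicks in.
    for i in range(300):
        t += 0.001
        lines.append(f"{t:.3f} UDP 198.51.100.7:4444 > {victim}:{1024 + (i * 7919) % 60000}")
        if i < 100:
            lines.append(f"{t:.3f} ICMP {victim} > 198.51.100.7 port-unreachable")
    # SYN flood: 200 SYNs from spoofed addresses that never send the final ACK.
    for i in range(200):
        t += 0.001
        spoofed, cport = f"203.0.113.{1 + i % 250}", 40000 + i
        lines.append(f"{t:.3f} TCP {spoofed}:{cport} > {victim}:443 S")
        lines.append(f"{t:.3f} TCP {victim}:443 > {spoofed}:{cport} SA")
    # Legitimate clients completing the three-way handshake.
    for i in range(5):
        t += 0.001
        lines.append(f"{t:.3f} TCP 198.51.100.20:{50000 + i} > {victim}:443 S")
        lines.append(f"{t:.3f} TCP {victim}:443 > 198.51.100.20:{50000 + i} SA")
        lines.append(f"{t:.3f} TCP 198.51.100.20:{50000 + i} > {victim}:443 A")
    return lines


def run(lines):
    pkts = list(parse(lines))
    return detect_udp_flood(pkts), detect_syn_flood(pkts)


if __name__ == "__main__":
    udp, syn = run(build_sample())
    print("UDP flood sources:", udp)
    print("SYN flood targets:", syn)
```

Two details matter for real traffic: the UDP detector keys on distinct destination ports rather than raw volume, so a busy but legitimate DNS or VoIP peer talking to one port does not trip it, and the SYN detector counts only flows that reached the SYN-ACK state, which is where the server's half-open resources are actually committed.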



Firewall: In computing, a firewall is a network security system that monitors and controls the incoming and outgoing network traffic based on predetermined security rules. A firewall typically establishes a barrier between a trusted internal network and an untrusted external network, such as the Internet.




Monday, 13 April 2020

How to get Free Antivirus for Home PC and Mobile Devices

Sophos Home Antivirus

Click here to download Software:
https://home.sophos.com/en-us/download-antivirus-pc.aspx


Windows system requirements
Windows 7, Windows 8/8.1, or Windows 10; minimum 1 GB of free disk space, minimum 1 GB of RAM.

Mac system requirements
Mac OS X 10.12, 10.13, 10.14, or 10.15; minimum 4 GB of free disk space, minimum 4 GB of RAM


Step 1: Register your email account to download Sophos Home.
Register for Sophos Home Free below, and you will also receive a free 30-day trial of Sophos Home Premium.

Step 2: Click the Add Device button to download the setup. 😀😀

Sophos Home Dashboard Preview:

Sophos Intercept X for Mobile
Sophos Home customers may use their mobile devices to access the Sophos Home Dashboard and use the "Add new device/Add device" button to reach the appropriate store.
Otherwise, they can download the app directly from the Apple App Store or Google Play store on their devices.
Sophos Intercept X for Mobile provides free device, network, and application security for Android, iOS and Chrome OS (managed only) devices.
It is offered as managed (the device is controlled by a central console and requires a license) and unmanaged (no control from a central console; the free version for individuals).
This document covers the use and support of the unmanaged version of Sophos Intercept X for Mobile.
For Android Mobiles:
https://play.google.com/store/apps/details?id=com.sophos.smsec&hl=en


For iOS Mobiles:

How to configure SSL VPN in Cyberoam Firewall

Overview
SSL (Secure Sockets Layer) VPN provides simple-to-use, secure access for remote users to the corporate network from anywhere, anytime. It enables the creation of point-to-point encrypted tunnels between the remote user and the company’s internal network, requiring a combination of SSL certificates and a username/password for authentication.
Cyberoam allows remote users access to the corporate network in 3 modes:
-   Tunnel Access Mode: the user gains access through a remote SSL VPN client.
-   Web Access Mode: remote users can access SSL VPN using a web browser only, i.e., clientless access.
-   Application Access Mode: users can access web applications as well as certain enterprise applications through a web browser, i.e., clientless access.
Scenario
Configure SSL VPN in Cyberoam such that the remote user shown in the diagram below is able to access the Web and Intranet Servers in the company’s internal network. The user is to have Full Access, i.e., Tunnel, Web and Application Access. The network particulars given below are used as an example throughout this article.
Network Parameters

Cyberoam WAN IP: 203.10.10.100
LAN Network: 172.16.16.0/24
Intranet Server IP: 172.16.16.1
Web Server IP: 172.16.16.2
IP range leased to user after successful connection through SSL VPN: 10.10.10.1 to 10.10.10.254

Configuration
Configure SSL VPN in Cyberoam by following the steps given below. You must be logged on to the Web Admin Console as an administrator with Read-Write permission for relevant feature(s).

Step 1: Generate Default Certificate Authority

To generate the default Certificate Authority, go to System > Certificate > Certificate Authority and click Default CA.
Update the Default CA as shown below.
 
Click OK to generate Default Certificate Authority.
Note:
If you are using an external certificate authority, you can upload the same by following steps mentioned in the article Add an External Certificate Authority (CA) in Cyberoam.

Step 2: Create self-signed Certificate

To create a self-signed Certificate, go to System > Certificate > Certificate and click Add. Generate a Self Signed Certificate as shown below. 
 
Click OK to create the certificate.

Step 3: Configure SSL Global Parameters

To set global parameters for tunnel access, go to VPN > SSL > Tunnel Access and configure the tunnel access settings with the following values:

Protocol: TCP
    Select the default protocol for all the SSL VPN clients.
SSL Server Certificate: SSLVPN_SelfSigned
    Select the SSL server certificate from the dropdown list to be used for authentication.
Per User Certificate: Disabled
    The SSL server uses a certificate to authenticate the remote client. One can use a common certificate for all users or create an individual certificate for each user.
SSL Client Certificate: SSLVPN_SelfSigned
    Select the SSL client certificate from the dropdown list if you want to use a common certificate for authentication.
IP Lease Range: 10.10.10.1 to 10.10.10.45
    Specify the range of IP addresses reserved for the SSL clients.
Subnet Mask: 255.255.255.0
    Specify the subnet mask.
Primary DNS: 4.2.2.2
    Specify the IP address of the primary DNS server.
Secondary DNS: 8.8.8.8
    Specify the IP address of the secondary DNS server.
Enable DPD: Enabled
    Click to enable Dead Peer Detection.
Check Peer after every: 60
    Specify the time interval, in the range of 60 to 3600 seconds, after which the peer should be checked for its status.
Disconnect after: 300
    Specify the time interval, in the range of 300 to 1800 seconds, after which the connection should be disconnected if the peer is not live.
Idle Time Out: 15
    Specify the idle timeout. The connection will be dropped after the configured inactivity time and the user will be forced to log in again.
Data Transfer Threshold: 250
    Once the idle timeout is reached, before dropping the connection, the appliance checks the data transfer. If the data transfer is more than the configured threshold, the connection will be dropped.

To set the global Idle Time for Web Access Mode, go to VPN > SSL > Web Access and set Idle Time as shown below.

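Before typing the tunnel settings above into the Web Admin Console, it helps to check that they are internally consistent: the lease range must sit inside the subnet given by the mask, must not overlap the LAN the tunnel gives access to, and the DPD timers must stay within the documented ranges. The following is an added example, not a Cyberoam tool or anything from the original article; `check_tunnel_params()` and the parameter key names are assumptions chosen for this illustration, while the values and ranges it uses are the ones stated in the tables.

```python
"""Consistency check for the SSL VPN tunnel-access parameters above.
Added example, not a Cyberoam tool: the function and key names are assumptions,
while the values and permitted ranges are the ones stated in this article."""

import ipaddress

# Values from the article's tables (constructed dict; key names are assumptions).
LAN_NETWORK = "172.16.16.0/24"
ARTICLE_PARAMS = {
    "lease_start": "10.10.10.1",
    "lease_end": "10.10.10.45",
    "subnet_mask": "255.255.255.0",
    "primary_dns": "4.2.2.2",
    "secondary_dns": "8.8.8.8",
    "dpd_check_every": 60,        # seconds, documented range 60 to 3600
    "dpd_disconnect_after": 300,  # seconds, documented range 300 to 1800
}


def check_tunnel_params(params, lan_network):
    """Return a list of problems; an empty list means the settings look consistent."""
    problems = []
    start = ipaddress.ip_address(params["lease_start"])
    end = ipaddress.ip_address(params["lease_end"])
    if end < start:
        problems.append("IP Lease Range end is before its start")
    # The subnet mask defines the network every leased address must fall in.
    lease_net = ipaddress.ip_network(f"{start}/{params['subnet_mask']}", strict=False)
    if end not in lease_net:
        problems.append(f"IP Lease Range leaves subnet {lease_net}")
    # Leased addresses must not collide with the LAN the tunnel gives access to,
    # otherwise routing for the Accessible Resources becomes ambiguous.
    lan = ipaddress.ip_network(lan_network)
    if lan.overlaps(lease_net):
        problems.append(f"lease subnet {lease_net} overlaps LAN {lan}")
    for name in ("primary_dns", "secondary_dns"):
        try:
            ipaddress.ip_address(params[name])
        except ValueError:
            problems.append(f"{name} is not a valid IP address")
    # Dead Peer Detection bounds quoted in the parameter table.
    if not 60 <= params["dpd_check_every"] <= 3600:
        problems.append("Check Peer after every must be 60 to 3600 seconds")
    if not 300 <= params["dpd_disconnect_after"] <= 1800:
        problems.append("Disconnect after must be 300 to 1800 seconds")
    return problems


if __name__ == "__main__":
    print(check_tunnel_params(ARTICLE_PARAMS, LAN_NETWORK) or "parameters consistent")
```

The overlap check is the one most often missed in practice: a lease pool carved out of the LAN itself means a connected client's own address and the intranet servers share a subnet, and traffic to the Accessible Resources may never enter the tunnel.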

Step 4: Create Bookmarks (Applicable for Web and Application Access Mode Only)

Bookmarks are the resources whose access is available through SSL VPN Web portal. You can also create a group of bookmarks that can be configured in SSL VPN Policy. These resources are available in Web and Application Access mode only.
To create a Bookmark, go to VPN > SSL > Bookmark and click Add. Create the Bookmark using the following parameters.

Name: Telnet
    Name to identify the Bookmark.
Type: TELNET
    Specify the type of bookmark.
URL: 192.168.1.120
    Specify the URL at which telnet sessions are allowed to remote users.

Click OK to create the Bookmark.
Similarly, create a bookmark named Intranet of type HTTP to allow access to the internal Intranet server.
Note:
Intranet is accessible in Web as well as Application Access Mode, while Telnet is accessible in Application Access Mode.

Step 5: Configure SSL VPN Policy
To configure an SSL VPN policy, go to VPN > SSL > Policy and click Add. Create the policy using the parameters given below.

Add SSL VPN Policy
Name: Full_Access
    Name to identify the SSL VPN policy.
Access Mode: Tunnel Access Mode, Web Access Mode, Application Access Mode
    Select the access mode by clicking the appropriate option.

Tunnel Access Settings
Tunnel Type: Split Tunnel
    Select the tunnel type. The tunnel type determines how the remote user’s traffic will be routed.
Accessible Resources: <As required>
    Select the Hosts or Networks that the remote user can access.
DPD Settings: Use Global Settings
    You can customize and override the global Dead Peer Detection setting.
Idle Time out: Use Global Settings
    You can use the global settings or customize the idle timeout.

Web Access Settings
Enable Arbitrary URL Access: Enabled
    Enable to access custom URLs not defined as Bookmarks.
Accessible Resources: Intranet
    Select the Bookmarks/Bookmark Groups that the remote user can access.
Idle Time out: Use Global Settings
    You can use the global settings or customize the idle timeout.

Application Access Settings
Accessible Resources: Intranet, Telnet
    Select the Bookmarks/Bookmark Groups that the remote user can access.


Step 6: Apply SSL VPN Policy on User

To apply SSL VPN policy on user, follow the steps given below.
Go to Identity > Users > User and select the user to which policy is to be applied. Here we have applied it on user John Smith. Under Policies section, select Full_Access for SSL VPN as shown below. 
 
Click OK to update the user’s SSL VPN Policy.

Note:

Make sure that Firewall Rules allowing traffic from LAN to VPN and vice versa are present. If they are not present, create them manually. They are necessary for the VPN connections to function properly. 

Step 7: Download and Install SSL VPN Client at Remote End

Remote users can log in to the Cyberoam SSL VPN Portal by browsing to https://<WAN IP address of Cyberoam:port>.
Note:
Use the default port 8443 unless it has been customized. Access is available only to those users who have been assigned an SSL VPN policy.

The user is directed to the Main Page, which displays the Tunnel, Web or Application Access Mode section according to the policy applied to the user.

For Tunnel Access, the user needs to access internal resources through an SSL VPN client.
-   Download the SSL VPN client from the Cyberoam website by clicking “Installer”.
-   Download the client configuration from the Portal.
-   Install the client on the remote user’s system. On completion of the installation, the CrSSL Client icon appears in the system tray.
-   Right-click the Client icon and click Import. Import the SSL VPN configuration downloaded from the Portal.
-   Log in to the Client and access the company’s internal network through SSL VPN.

For Web and Application Access, the user can access internal resources using a web browser, i.e., clientless access. In this case, the user needs to browse to https://<WAN IP address of Cyberoam:port> and log in.