Internet Protocol Version 6 (IPv6) is a network layer protocol that enables data communications over a packet switched network.
Packet switching involves the sending and receiving of data in packets between two nodes in a network. The working standard for the IPv6 protocol was published by the Internet Engineering Task Force (IETF) in 1998.
The IETF specification for IPv6 is RFC 2460. IPv6 was intended to replace the widely used Internet Protocol Version 4 (IPv4) that is considered the backbone of the modern Internet.
IPv4 currently supports a maximum of approximately 4.3 billion unique IP addresses. IPv6 supports a theoretical maximum of 2^128 addresses (340,282,366,920,938,463,463,374,607,431,768,211,456, to be exact!).
IPv6 and IPv4 share a similar architecture. The majority of transport layer protocols that function with IPv4 will also function with the IPv6 protocol. Most application layer protocols are expected to be interoperable with IPv6 as well, with the notable exception of File Transfer Protocol (FTP).
An IPv6 address consists of eight groups of four hexadecimal digits. If one or more consecutive groups consist only of zeros, the notation can be shortened by replacing that run with a double colon (::); this may be done only once in an address.
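The shortening rule above, as an added example that is not part of the original page: a parser that expands the "::" shorthand (and omitted leading zeros) back into eight groups and rebuilds the canonical compressed spelling, so that an address seen in a log line can be compared with one in an allow list however either was written. The cross-check function uses Python's standard ipaddress module.

```python
import re
import ipaddress  # stdlib, used only to cross-check the hand-rolled functions

def expand_ipv6(addr):
    """Parse an IPv6 address into eight 16-bit group values. Accepts omitted
    leading zeros and one '::' run; raises ValueError on malformed input."""
    if addr.count("::") > 1:
        raise ValueError("'::' may appear at most once")
    if "::" in addr:
        head, tail = addr.split("::")
        head_groups = head.split(":") if head else []
        tail_groups = tail.split(":") if tail else []
        missing = 8 - len(head_groups) - len(tail_groups)
        if missing < 1:
            raise ValueError("'::' must stand for at least one zero group")
        parts = head_groups + ["0"] * missing + tail_groups
    else:
        parts = addr.split(":")
    if len(parts) != 8:
        raise ValueError("expected 8 groups, got %d" % len(parts))
    if not all(re.fullmatch(r"[0-9A-Fa-f]{1,4}", p) for p in parts):
        raise ValueError("each group must be 1-4 hex digits")
    return [int(p, 16) for p in parts]

def compress_ipv6(addr):
    """RFC 5952 short form: lowercase, no leading zeros, and only the longest
    run of two or more zero groups (first run on a tie) collapsed to '::'."""
    groups = expand_ipv6(addr)
    best_start, best_len, i = -1, 0, 0
    while i < 8:
        j = i
        while j < 8 and groups[j] == 0:
            j += 1
        if j - i > best_len:           # strictly longer: first run wins ties
            best_start, best_len = i, j - i
        i = max(j, i + 1)              # step past the run, or past a non-zero group
    hexs = [format(g, "x") for g in groups]
    if best_len < 2:                   # a lone zero group is written as '0'
        return ":".join(hexs)
    return ":".join(hexs[:best_start]) + "::" + ":".join(hexs[best_start + best_len:])

def full_form(addr):
    """Zero-padded long form: one fixed spelling for log and ACL comparison."""
    return ":".join(format(g, "04x") for g in expand_ipv6(addr))

def matches_stdlib(addr):
    """Cross-check both spellings against Python's ipaddress module."""
    ref = ipaddress.IPv6Address(addr)
    return compress_ipv6(addr) == str(ref) and full_form(addr) == ref.exploded
```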
A main advantage of IPv6 is increased address space. The 128-bit length of IPv6 addresses is a significant gain over the 32-bit length of IPv4 addresses, allowing for an almost limitless number of unique IP addresses.
IPv6 features
-------------
* Supports source and destination addresses that are 128 bits (16 bytes) long.
* Requires IPSec support.
* Uses the Flow Label field to identify packet flows for QoS handling by routers.
* Allows only the sending host to fragment packets; routers do not fragment.
* Doesn’t include a checksum in the header.
* Uses a link-local scope all-nodes multicast address.
* Does not require manual configuration or DHCP.
* Uses host address (AAAA) resource records in DNS to map host names to IPv6 addresses.
* Uses pointer (PTR) resource records in the IP6.ARPA DNS domain to map IPv6 addresses to host names.
* Supports a 1280-byte packet size (without fragmentation).
* Moves optional data to IPv6 extension headers.
* Uses Multicast Neighbor Solicitation messages to resolve IP addresses to link-layer addresses.
* Uses Multicast Listener Discovery (MLD) messages to manage membership in local subnet groups.
* Uses ICMPv6 Router Solicitation and Router Advertisement messages to determine the IP address of the best default gateway.
Adding a Temporary IPv6 Address on Linux
========================================
Using ip
--------
/sbin/ip -6 addr add <ipv6address>/<prefixlength> dev <interface>
e.g.: /sbin/ip -6 addr add 2001:49f0:2920::a2/64 dev eth0
A Distributed Denial-of-Service (DDoS) attack is an attack in which multiple compromised computer systems attack a target, such as a server, website or other network resource, and cause a denial of service for users of the targeted resource. The flood of incoming messages, connection requests or malformed packets to the target system forces it to slow down or even crash and shut down, thereby denying service to legitimate users or systems.
How DDoS Attacks Work
In a DDoS attack, the incoming traffic flooding the victim originates from many different sources – potentially hundreds of thousands or more. This effectively makes it impossible to stop the attack simply by blocking a single IP address; plus, it is very difficult to distinguish legitimate user traffic from attack traffic when spread across so many points of origin.
Types of DDoS Attacks
There are many types of DDoS attacks. Common attacks include the following:
Traffic attacks: Traffic flooding attacks send a huge volume of TCP, UDP and ICMP packets to the target. Legitimate requests get lost, and these attacks may be accompanied by malware exploitation.
Bandwidth attacks: This DDoS attack overloads the target with massive amounts of junk data. This results in a loss of network bandwidth and equipment resources and can lead to a complete denial of service.
Application attacks: Application-layer data messages can deplete resources in the application layer, leaving the target's system services unavailable.
For Linux Servers
1. Find which IP address on the server is targeted by the DDoS attack.
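Step 1 above, as an added example that is not part of the original page: it reads the socket table as printed by `ss -tn` (the sample below is constructed from documentation address ranges, not captured traffic), finds the local address and port holding the most connections, measures how many sockets are stuck half-open, and lists the peers holding the most sockets for rate-limit review.

```python
from collections import Counter

# Constructed sample of `ss -tn` output (documentation address ranges, not real traffic).
SAMPLE_SS = """\
State    Recv-Q Send-Q Local Address:Port      Peer Address:Port
ESTAB    0      0      203.0.113.10:80         198.51.100.7:51234
SYN-RECV 0      0      203.0.113.10:80         198.51.100.7:51235
SYN-RECV 0      0      203.0.113.10:80         198.51.100.7:51236
SYN-RECV 0      0      203.0.113.10:80         198.51.100.8:40001
ESTAB    0      0      203.0.113.10:443        192.0.2.44:55123
ESTAB    0      0      [2001:db8::10]:443      [2001:db8:1::9]:60000
ESTAB    0      0      203.0.113.11:22         192.0.2.5:33000
"""

def split_addr_port(endpoint):
    """Split 'host:port' or '[v6host]:port' into (host, port); rpartition
    keeps the colons of an IPv6 host intact."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), int(port)

def connection_counts(ss_output):
    """Count sockets per local (address, port), per peer address and per state."""
    local, peers, states = Counter(), Counter(), Counter()
    for line in ss_output.splitlines()[1:]:          # skip the header row
        fields = line.split()
        if len(fields) < 5:
            continue
        state, laddr, raddr = fields[0], fields[3], fields[4]
        local[split_addr_port(laddr)] += 1
        peers[split_addr_port(raddr)[0]] += 1
        states[state] += 1
    return local, peers, states

def most_targeted(ss_output):
    """Local (address, port) holding the most sockets: the likely flood target."""
    local, _, _ = connection_counts(ss_output)
    (host, port), count = local.most_common(1)[0]
    return host, port, count

def half_open_ratio(ss_output):
    """Share of sockets stuck in SYN-RECV; a high value points to a SYN flood."""
    _, _, states = connection_counts(ss_output)
    total = sum(states.values())
    return states["SYN-RECV"] / total if total else 0.0

def noisy_peers(ss_output, threshold):
    """Peer addresses holding at least `threshold` sockets, for rate-limit review."""
    _, peers, _ = connection_counts(ss_output)
    return sorted(host for host, n in peers.items() if n >= threshold)
```

On a live host the same functions can be fed the output of `subprocess.run(["ss", "-tn"], capture_output=True, text=True).stdout`.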
Distributed Replicated Block Device (DRBD)
==========================================
DRBD is a distributed replicated storage system for the Linux platform. It is implemented as a kernel driver, several user space management applications, and some shell scripts. DRBD is traditionally used in high availability (HA) computer clusters, but beginning with DRBD version 9, it can also be used to create larger software defined storage pools with a focus on cloud integration.
Comparison to RAID-1
====================
DRBD bears a superficial similarity to RAID-1 in that it involves a copy of data on two storage devices, such that if one fails, the data on the other can be used. However, it operates in a very different way from RAID and even network RAID.
In RAID, the redundancy exists in a layer transparent to the storage-using application. While there are two storage devices, there is only one instance of the application and the application is not aware of multiple copies. When the application reads, the RAID layer chooses the storage device to read. When a storage device fails, the RAID layer chooses to read the other, without the application instance knowing of the failure.
In contrast, with DRBD there are two instances of the application, and each can read only from one of the two storage devices. Should one storage device fail, the application instance tied to that device can no longer read the data. Consequently, in that case that application instance shuts down and the other application instance, tied to the surviving copy of the data, takes over.
Conversely, in RAID, if the single application instance fails, the information on the two storage devices is effectively unusable, but in DRBD, the other application instance can take over.
How it Works
============
The tool is built to facilitate communication between two servers imperceptibly, by minimizing the amount of system resources used; it therefore does not affect system performance and stability.
DRBD facilitates communication by mirroring two separate servers: one server, although passive, is usually a direct copy of the other. Any data written to the primary server is simultaneously copied to the secondary one through a real-time communication system. Any change made to the data is also immediately replicated on the passive server.
The passive server only becomes active when the primary one fails. When such a failure occurs, DRBD immediately recognizes the mishap and shifts to the secondary server. This shifting process, however, is optional: it can be either manual or automatic. With manual failover, an operator must authorize the system to shift to the passive server when the primary one fails. Automatic systems, on the other hand, swiftly recognize problems within the primary server and immediately shift to the secondary one.
DRBD installation
=================
Install the ELRepo repository on both systems:
----------------------------------------------
# rpm -Uvh http://www.elrepo.org/elrepo-release-6-6.el6.elrepo.noarch.rpm
Update both systems:
--------------------
# yum update -y
On the PRIMARY server, run drbdadm:
-----------------------------------
# drbdadm -- --overwrite-data-of-peer primary all
Check that the initial device synchronization has completed (100%) and confirm you are on the primary server:
-------------------------------------------------------------------------------------------------------------
# cat /proc/drbd
Create a filesystem on the DRBD device:
---------------------------------------
# /sbin/mkfs.ext4 /dev/drbd0
mke2fs 1.41.12 (06-June-2017)
OS type: Linux
Block size=4096 (log=2)
Fragment size=4096 (log=2)
Stride=0 blocks, Stripe width=0 blocks
131072 inodes, 524007 blocks
26200 blocks (5.00%) reserved for the super user
First data block=0
Maximum filesystem blocks=536870912
16 block groups
32768 blocks per group, 32768 fragments per group
8192 inodes per group
Superblock backups stored on blocks:
32768, 98304, 163840, 229376, 294912
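The /proc/drbd check that precedes the mkfs step, as an added example that is not from the page or the DRBD project: a small parser for the DRBD 8.4-style /proc/drbd layout (both samples below are constructed) and a gate that refuses to create the filesystem unless this node is Primary, the peer is Connected, both disks are UpToDate and nothing is out of sync.

```python
import re

# Constructed /proc/drbd samples in the DRBD 8.4 layout; not captured from a real host.
SYNCING = """\
version: 8.4.11-1 (api:1/proto:86-101)
 0: cs:SyncSource ro:Primary/Secondary ds:UpToDate/Inconsistent C r-----
    ns:1822976 nr:0 dw:0 dr:1823648 al:0 bm:0 lo:0 pe:0 ua:0 ap:0 ep:1 wo:f oos:273052
\t[=============>......] sync'ed: 87.2% (273052/2096028)K
\tfinish: 0:00:21 speed: 12,836 (12,836) K/sec
"""
SYNCED = """\
version: 8.4.11-1 (api:1/proto:86-101)
 0: cs:Connected ro:Primary/Secondary ds:UpToDate/UpToDate C r-----
    ns:2096028 nr:0 dw:0 dr:2096700 al:0 bm:0 lo:0 pe:0 ua:0 ap:0 ep:1 wo:f oos:0
"""

DEV_RE = re.compile(r"^\s*(\d+): cs:(\S+) ro:([^/\s]+)/([^/\s]+) ds:([^/\s]+)/([^/\s]+)")

def parse_proc_drbd(text):
    """Return {minor: {...}} with connection state, roles, disk states,
    out-of-sync KiB and sync percentage (100.0 when no progress bar is shown)."""
    devices, current = {}, None
    for line in text.splitlines():
        m = DEV_RE.match(line)
        if m:
            current = devices[int(m.group(1))] = {
                "cs": m.group(2), "ro_local": m.group(3), "ro_peer": m.group(4),
                "ds_local": m.group(5), "ds_peer": m.group(6),
                "oos": 0, "percent": 100.0,
            }
        elif current is not None:                 # detail lines belong to the last device
            oos = re.search(r"\boos:(\d+)", line)
            if oos:
                current["oos"] = int(oos.group(1))
            pct = re.search(r"sync'ed:\s*([\d.]+)%", line)
            if pct:
                current["percent"] = float(pct.group(1))
    return devices

def safe_to_mkfs(text, minor=0):
    """True only when this node is Primary, the peer is Connected, both disks
    are UpToDate and nothing is out of sync: the precondition before mkfs."""
    dev = parse_proc_drbd(text).get(minor)
    if dev is None:
        return False
    return (dev["cs"] == "Connected" and dev["ro_local"] == "Primary"
            and dev["ds_local"] == "UpToDate" and dev["ds_peer"] == "UpToDate"
            and dev["oos"] == 0)
```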
When you make a modem connection to your ISP and want to connect to, for instance, www.google.com, all the routers along the way have to know where to send the packets you're sending to that Web server, and the packets from the server have to find their way back to your computer.
For the first few hops, this isn't much of a problem. For instance, your computer only knows the packets don't have a local destination, so they should be sent over the modem connection. This can continue for a while, but at some point the decision where to send the packet next becomes more complex than just "local: keep it" / "not local: send it to a smarter router". The router making this decision will have to know where to send the packet based on the destination IP address contained in it. Since IP addresses are distributed fairly randomly around the globe, there aren't any shortcuts or calculations that make it possible for the router to decide this for itself.
The only way a router can know where to send a packet is when another router tells it "send those packets to me, I know how to deliver them". The Border Gateway Protocol (BGP) is a protocol that is used between routers to convey this information. Since the routers that talk BGP to each other aren't owned by the same organization (that would kind of defeat the purpose of creating global reachability), this is often called "inter-domain" routing.
BGP and Interdomain Routing Terms
AS — Autonomous System.
AS Number — Autonomous System Number. Each AS has a unique number that is used to identify it in BGP processing.
Autonomous System — An Autonomous System is a network that has its own routing policy. In most cases, customers belong to their ISP's Autonomous System, but multihomed customers obviously have their own routing policy that is different from either ISP's, so they must be a separate AS.
BGP — Border Gateway Protocol.
EGP — Exterior Gateway Protocol: a routing protocol used between organizations/networks. BGP is an EGP, but there is also an older EGP called EGP.
Gateway — Older term for router. Sometimes the word "gateway" is used to describe a system that connects two dissimilar networks or protocols.
IGP — Interior Gateway Protocol: a routing protocol used within an organization/network. Examples are RIP, OSPF, IS-IS and EIGRP.
Multihoming — The practice of connecting to two or more ISPs. Most multihomed networks run BGP so the rest of the Internet knows where to send packets for the multihomed network even if one of the connections fails.
Router — 1. Any system that will receive packets over one network connection and then forward them to another by looking at the network address inside the packet. 2. A special-purpose system (like a computer, but usually without a screen, keyboard and hard disks) that forwards packets.
Routing Policy — A policy that defines how a network is connected to other networks and how packets are allowed to flow.
A trojan horse is used to enter a victim's computer, granting the attacker unrestricted access to the data stored on that computer and causing great damage to the victim. A trojan can be a hidden program that runs on your system without your knowledge, or it can be 'wrapped' into a program, meaning that this program may therefore have hidden functions that you are not aware of.
Different types of trojans:
1) FTP trojans: These trojans open an FTP server on the victim's machine that might store and serve illegal software and/or sensitive data, and allow attackers to connect to your machine via FTP.
2) Destructive trojans: The only function of these trojans is to destroy and delete files. This makes them very simple to use. They can automatically delete all the core system files on your machine. The trojan can either be activated by the attacker or can work like a logic bomb that starts on a specific day and time. A destructive trojan is a danger to any computer network. In many ways, it is similar to a virus, but the destructive trojan has been created purposely to attack you, and therefore is unlikely to be detected by your antivirus software.
3) Proxy trojans: These trojans turn the victim's computer into a proxy server, making it available to the whole world or to the attacker alone. It is used for anonymous Telnet, ICQ, etc., to make purchases with stolen credit cards, and for other such illegal activities. This gives the attacker complete anonymity and the opportunity to do everything from YOUR computer, including the possibility to launch attacks from your network.
4) Denial of Service (DoS) attack trojans: These trojans give the attacker the power to start a Distributed Denial of Service attack if there are enough victims. The main idea is that if you have 500 infected ADSL users and you attack the victim simultaneously from each, this will generate HEAVY traffic, causing its access to the Internet to shut down.
5) Security software disablers: These are special trojans, designed to stop/kill programs such as antivirus software, firewalls, etc. Once these programs are disabled, the hacker is able to attack your machine more easily.
6) Data-sending trojans: The purpose of these trojans is to send data back to the hacker with information such as passwords (ICQ, IRC, FTP, HTTP) or confidential information such as chat logs, address lists, etc. The trojan could look for specific information in particular locations or it could install a key-logger and simply send all recorded keystrokes to the hacker.
7) Remote access trojans: These are probably the most publicized trojans, because they provide the attacker with total control of the victim's machine. Example: Back Orifice trojans. The idea behind them is to give the attacker COMPLETE access to someone's machine, and therefore full access to files, private conversations, accounting data, etc. Some trojans can also automatically connect to IRC and can be controlled through IRC commands almost anonymously, without the attacker and the victim ever making a real TCP/IP connection.
Another question: how can I get infected? Generally, attacks are carried out through:
1) Infection via attachment (of course e-mail: the most common way)
2) Infection by downloading files from a website (another common way)
Now the most important thing: how to protect your network from trojans?
Ok, if you think that anti-viruses are really helpful and they'll protect your system and network from trojan attacks, then you are wrong. Anti-viruses just help us to some extent. To effectively protect your network against trojans, you must follow a multi-level security strategy:
1. You need to implement gateway virus scanning and content checking at the perimeter of your network for email, HTTP and FTP; it is no good having email anti-virus protection if a user can download a trojan from a website and infect your network.
2. You need to implement multiple virus engines at the gateway – Although a good virus engine usually detects all known viruses, it is a fact that multiple virus engines jointly recognize many more known trojans than a single engine.
3. You need to quarantine/check executables entering your network via email and web/FTP at the gateway. You have to analyze what the executable might do.
4. Do not open unsolicited attachments in email messages.
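Step 3 of the strategy above (checking executables that enter via e-mail at the gateway), as an added example that is not part of the original page: it parses a message with Python's standard email package, judges each attachment by its content (magic bytes) before its file name, and quarantines anything that is really an executable even when named as a document. The test message is constructed inline; the magic prefixes and extension list are a minimal illustrative set, not a complete catalogue.

```python
import os
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Magic prefixes of common executable containers; checked before the file name,
# so a renamed binary does not slip past an extension-only filter.
EXEC_MAGIC = {
    b"MZ": "Windows PE executable",
    b"\x7fELF": "ELF executable",
    b"\xca\xfe\xba\xbe": "Mach-O fat binary or Java class",
    b"#!": "script with an interpreter line",
}
EXEC_EXTENSIONS = {".exe", ".dll", ".scr", ".com", ".pif", ".bat", ".cmd",
                   ".vbs", ".js", ".jse", ".wsf", ".ps1", ".jar", ".msi"}

def classify_attachment(filename, data):
    """Return ('quarantine' | 'allow', reason) for one attachment."""
    name = filename or "(unnamed)"
    for magic, what in EXEC_MAGIC.items():
        if data.startswith(magic):
            return "quarantine", "%s: content is a %s" % (name, what)
    ext = os.path.splitext(name)[1].lower()
    if ext in EXEC_EXTENSIONS:
        return "quarantine", "%s: executable extension %s" % (name, ext)
    return "allow", "%s: no executable signature" % name

def scan_message(raw_bytes):
    """Parse a raw RFC 822 message and classify every attachment part."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_bytes)
    return [classify_attachment(part.get_filename(), part.get_payload(decode=True))
            for part in msg.iter_attachments()]

def build_sample_message():
    """Constructed test message: a PE header stub named as a PDF, plus a text file."""
    msg = EmailMessage()
    msg["From"] = "sender@example.test"
    msg["To"] = "user@example.test"
    msg["Subject"] = "invoice"
    msg.set_content("Please see the attached invoice.")
    pe_stub = b"MZ\x90\x00" + b"\x00" * 60            # DOS header start only, not a real binary
    msg.add_attachment(pe_stub, maintype="application", subtype="pdf",
                       filename="invoice.pdf")
    msg.add_attachment("meeting notes\n", filename="notes.txt")
    return msg.as_bytes()
```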