Wireshark-users: Re: [Wireshark-users] [LARTC] Problem with ip spoofing load balancing
From: Niccolò Belli <darkbasic@xxxxxxxxxxxxxxx>
Date: Wed, 26 Oct 2011 14:26:49 +0200
I did some dumps with the ulogd pcap target:

http://mail.linuxsystems.it/broken-nospoof-client.pcap
http://mail.linuxsystems.it/broken-nospoof-server.pcap
http://mail.linuxsystems.it/broken-spoofing-client.pcap
http://mail.linuxsystems.it/broken-spoofing-server.pcap
http://mail.linuxsystems.it/working-spoofing-client.pcap
http://mail.linuxsystems.it/working-spoofing-server.pcap

"client" means it is the dump on the client side.
"server" means it is the dump on the server side.
"spoofing" means I sent the output using the ppp0 link (the server IP belongs to the nas0 subnet and so it receives the incoming packets from nas0).
"nospoof" means I did not use ppp0 at all.
"broken" means the client is the one which does not load the page when spoofing is enabled.
"working" means the client is the one which does load the page when spoofing is enabled.
Both clients (broken and working) do load the page when spoofing is disabled.

nas0 is RFC 2684 routed, it has a 16 IP subnet and a 1500 MTU. The provider is Telecom Italia.
ppp0 is pppoatm, it has a single static IP and a 1492 MTU. The provider is Tiscali.

The modem is a Solos multi-port ADSL2+ PCI card.

I opened the dumps with ethereal and it clearly shows a problem:

HTTP [TCP Previous segment lost] Continuation or non-HTTP traffic

and some

TCP [TCP Dup ACK 4#1] 39243 > http [ACK] [...]

both RED, but I don't know how to interpret it. Why doesn't ip spoofing load balancing work for every client?

Thanks,
Niccolò

On 26/10/2011 00:10, Niccolò Belli wrote:
Hi,

My router is a linux box with two adsl lines attached, one with a 16 IP subnet and another with a single static address. Since I need more upload bandwidth and my isp allows me to do ip spoofing, I decided to do an ip spoofing load bal. Unfortunately it doesn't work with every client and I don't know why :(

nas0 is the adsl with the public subnet, ppp0 is the adsl with the single static ip. server_ip is one of the IPs of the subnet.

This is the log with a working client:

SERVER:
Oct 25 22:45:47 firewall kernel: [22098.077637] **NEW** IN NAS0 CONNIN=nas0 OUT=ethWEB SRC=<client_ip> DST=<server_ip> LEN=60 TOS=0x00 PREC=0x00 TTL=58 ID=16271 DF PROTO=TCP SPT=25258 DPT=80 WINDOW=14600 RES=0x00 SYN URGP=0
Oct 25 22:45:47 firewall kernel: [22098.096517] OUT PPP0 CONNIN=ethWEB OUT=ppp0 SRC=<server_ip> DST=<client_ip> LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=80 DPT=25258 WINDOW=5792 RES=0x00 ACK SYN URGP=0 MARK=0x4
Oct 25 22:45:48 firewall kernel: [22098.195139] IN NAS0 CONNIN=nas0 OUT=ethWEB SRC=<client_ip> DST=<server_ip> LEN=52 TOS=0x00 PREC=0x00 TTL=58 ID=16272 DF PROTO=TCP SPT=25258 DPT=80 WINDOW=229 RES=0x00 ACK URGP=0 MARK=0x4
Oct 25 22:45:48 firewall kernel: [22098.214590] IN NAS0 CONNIN=nas0 OUT=ethWEB SRC=<client_ip> DST=<server_ip> LEN=655 TOS=0x00 PREC=0x00 TTL=58 ID=16273 DF PROTO=TCP SPT=25258 DPT=80 WINDOW=229 RES=0x00 ACK PSH URGP=0 MARK=0x4
Oct 25 22:45:48 firewall kernel: [22098.233922] OUT PPP0 CONNIN=ethWEB OUT=ppp0 SRC=<server_ip> DST=<client_ip> LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=51475 DF PROTO=TCP SPT=80 DPT=25258 WINDOW=438 RES=0x00 ACK URGP=0 MARK=0x4
Oct 25 22:45:48 firewall kernel: [22098.315441] OUT PPP0 CONNIN=ethWEB OUT=ppp0 SRC=<server_ip> DST=<client_ip> LEN=1482 TOS=0x00 PREC=0x00 TTL=63 ID=51476 DF PROTO=TCP SPT=80 DPT=25258 WINDOW=438 RES=0x00 ACK URGP=0 MARK=0x4
Oct 25 22:45:48 firewall kernel: [22098.335592] OUT PPP0 CONNIN=ethWEB OUT=ppp0 SRC=<server_ip> DST=<client_ip> LEN=155 TOS=0x00 PREC=0x00 TTL=63 ID=51477 DF PROTO=TCP SPT=80 DPT=25258 WINDOW=438 RES=0x00 ACK PSH URGP=0 MARK=0x4
Oct 25 22:45:48 firewall kernel: [22098.355670] OUT PPP0 CONNIN=ethWEB OUT=ppp0 SRC=<server_ip> DST=<client_ip> LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=51478 DF PROTO=TCP SPT=80 DPT=25258 WINDOW=438 RES=0x00 ACK FIN URGP=0 MARK=0x4
Oct 25 22:45:48 firewall kernel: [22098.434146] IN NAS0 CONNIN=nas0 OUT=ethWEB SRC=<client_ip> DST=<server_ip> LEN=52 TOS=0x00 PREC=0x00 TTL=58 ID=16274 DF PROTO=TCP SPT=25258 DPT=80 WINDOW=273 RES=0x00 ACK URGP=0 MARK=0x4
Oct 25 22:45:48 firewall kernel: [22098.454836] IN NAS0 CONNIN=nas0 OUT=ethWEB SRC=<client_ip> DST=<server_ip> LEN=52 TOS=0x00 PREC=0x00 TTL=58 ID=16275 DF PROTO=TCP SPT=25258 DPT=80 WINDOW=273 RES=0x00 ACK URGP=0 MARK=0x4
Oct 25 22:45:48 firewall kernel: [22098.473351] IN NAS0 CONNIN=nas0 OUT=ethWEB SRC=<client_ip> DST=<server_ip> LEN=52 TOS=0x00 PREC=0x00 TTL=58 ID=16276 DF PROTO=TCP SPT=25258 DPT=80 WINDOW=273 RES=0x00 ACK FIN URGP=0 MARK=0x4
Oct 25 22:45:48 firewall kernel: [22098.492317] IN NAS0 CONNIN=nas0 OUT=ethWEB SRC=<client_ip> DST=<server_ip> LEN=52 TOS=0x00 PREC=0x00 TTL=58 ID=16277 DF PROTO=TCP SPT=25258 DPT=80 WINDOW=273 RES=0x00 ACK URGP=0 MARK=0x4
Oct 25 22:45:48 firewall kernel: [22098.510745] OUT PPP0 CONNIN=ethWEB OUT=ppp0 SRC=<server_ip> DST=<client_ip> LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=51479 DF PROTO=TCP SPT=80 DPT=25258 WINDOW=438 RES=0x00 ACK URGP=0 MARK=0x4

CLIENT:
Oct 25 22:46:27 laptop kernel: [92080.819184] *NEW* OUT CONN IN= OUT=wlan1 SRC=192.168.1.2 DST=<server_ip> LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=16271 DF PROTO=TCP SPT=34877 DPT=80 WINDOW=14600 RES=0x00 SYN URGP=0
Oct 25 22:46:27 laptop kernel: [92080.938028] IN CONN IN=wlan1 OUT= MAC=00:c0:ca:21:8a:e6:f0:7d:68:fb:4f:e3:08:00 SRC=<server_ip> DST=192.168.1.2 LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=0 DF PROTO=TCP SPT=80 DPT=34877 WINDOW=5792 RES=0x00 ACK SYN URGP=0
Oct 25 22:46:27 laptop kernel: [92080.938067] OUT CONN IN= OUT=wlan1 SRC=192.168.1.2 DST=<server_ip> LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=16272 DF PROTO=TCP SPT=34877 DPT=80 WINDOW=229 RES=0x00 ACK URGP=0
Oct 25 22:46:27 laptop kernel: [92080.938565] OUT CONN IN= OUT=wlan1 SRC=192.168.1.2 DST=<server_ip> LEN=655 TOS=0x00 PREC=0x00 TTL=64 ID=16273 DF PROTO=TCP SPT=34877 DPT=80 WINDOW=229 RES=0x00 ACK PSH URGP=0
Oct 25 22:46:27 laptop kernel: [92081.075375] IN CONN IN=wlan1 OUT= MAC=00:c0:ca:21:8a:e6:f0:7d:68:fb:4f:e3:08:00 SRC=<server_ip> DST=192.168.1.2 LEN=52 TOS=0x00 PREC=0x00 TTL=50 ID=51475 DF PROTO=TCP SPT=80 DPT=34877 WINDOW=438 RES=0x00 ACK URGP=0
Oct 25 22:46:27 laptop kernel: [92081.174877] IN CONN IN=wlan1 OUT= MAC=00:c0:ca:21:8a:e6:f0:7d:68:fb:4f:e3:08:00 SRC=<server_ip> DST=192.168.1.2 LEN=1482 TOS=0x00 PREC=0x00 TTL=51 ID=51476 DF PROTO=TCP SPT=80 DPT=34877 WINDOW=438 RES=0x00 ACK URGP=0
Oct 25 22:46:27 laptop kernel: [92081.174903] OUT CONN IN= OUT=wlan1 SRC=192.168.1.2 DST=<server_ip> LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=16274 DF PROTO=TCP SPT=34877 DPT=80 WINDOW=273 RES=0x00 ACK URGP=0
Oct 25 22:46:27 laptop kernel: [92081.178769] IN CONN IN=wlan1 OUT= MAC=00:c0:ca:21:8a:e6:f0:7d:68:fb:4f:e3:08:00 SRC=<server_ip> DST=192.168.1.2 LEN=155 TOS=0x00 PREC=0x00 TTL=50 ID=51477 DF PROTO=TCP SPT=80 DPT=34877 WINDOW=438 RES=0x00 ACK PSH URGP=0
Oct 25 22:46:27 laptop kernel: [92081.178793] OUT CONN IN= OUT=wlan1 SRC=192.168.1.2 DST=<server_ip> LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=16275 DF PROTO=TCP SPT=34877 DPT=80 WINDOW=273 RES=0x00 ACK URGP=0
Oct 25 22:46:27 laptop kernel: [92081.178861] OUT CONN IN= OUT=wlan1 SRC=192.168.1.2 DST=<server_ip> LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=16276 DF PROTO=TCP SPT=34877 DPT=80 WINDOW=273 RES=0x00 ACK FIN URGP=0
Oct 25 22:46:27 laptop kernel: [92081.198553] IN CONN IN=wlan1 OUT= MAC=00:c0:ca:21:8a:e6:f0:7d:68:fb:4f:e3:08:00 SRC=<server_ip> DST=192.168.1.2 LEN=52 TOS=0x00 PREC=0x00 TTL=50 ID=51478 DF PROTO=TCP SPT=80 DPT=34877 WINDOW=438 RES=0x00 ACK FIN URGP=0
Oct 25 22:46:27 laptop kernel: [92081.198590] OUT CONN IN= OUT=wlan1 SRC=192.168.1.2 DST=<server_ip> LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=16277 DF PROTO=TCP SPT=34877 DPT=80 WINDOW=273 RES=0x00 ACK URGP=0
Oct 25 22:46:28 laptop kernel: [92081.351125] IN CONN IN=wlan1 OUT= MAC=00:c0:ca:21:8a:e6:f0:7d:68:fb:4f:e3:08:00 SRC=<server_ip> DST=192.168.1.2 LEN=52 TOS=0x00 PREC=0x00 TTL=50 ID=51479 DF PROTO=TCP SPT=80 DPT=34877 WINDOW=438 RES=0x00 ACK URGP=0

This is the log with a *NOT* working client:

SERVER:
Oct 25 22:32:55 firewall kernel: [21325.121680] **NEW** IN NAS0 CONNIN=nas0 OUT=ethWEB SRC=<client_ip> DST=<server_ip> LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=14919 DF PROTO=TCP SPT=31549 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Oct 25 22:32:55 firewall kernel: [21325.140239] OUT PPP0 CONNIN=ethWEB OUT=ppp0 SRC=<server_ip> DST=<client_ip> LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=80 DPT=31549 WINDOW=5792 RES=0x00 ACK SYN URGP=0 MARK=0x4
Oct 25 22:32:55 firewall kernel: [21325.236986] IN NAS0 CONNIN=nas0 OUT=ethWEB SRC=<client_ip> DST=<server_ip> LEN=52 TOS=0x00 PREC=0x00 TTL=54 ID=14920 DF PROTO=TCP SPT=31549 DPT=80 WINDOW=46 RES=0x00 ACK URGP=0 MARK=0x4
Oct 25 22:32:55 firewall kernel: [21325.267581] IN NAS0 CONNIN=nas0 OUT=ethWEB SRC=<client_ip> DST=<server_ip> LEN=653 TOS=0x00 PREC=0x00 TTL=54 ID=14921 DF PROTO=TCP SPT=31549 DPT=80 WINDOW=46 RES=0x00 ACK PSH URGP=0 MARK=0x4
Oct 25 22:32:55 firewall kernel: [21325.286615] OUT PPP0 CONNIN=ethWEB OUT=ppp0 SRC=<server_ip> DST=<client_ip> LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=55122 DF PROTO=TCP SPT=80 DPT=31549 WINDOW=438 RES=0x00 ACK URGP=0 MARK=0x4
Oct 25 22:32:55 firewall kernel: [21325.385647] OUT PPP0 CONNIN=ethWEB OUT=ppp0 SRC=<server_ip> DST=<client_ip> LEN=137 TOS=0x00 PREC=0x00 TTL=63 ID=55124 DF PROTO=TCP SPT=80 DPT=31549 WINDOW=438 RES=0x00 ACK PSH URGP=0 MARK=0x4
Oct 25 22:32:55 firewall kernel: [21325.405173] OUT PPP0 CONNIN=ethWEB OUT=ppp0 SRC=<server_ip> DST=<client_ip> LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=55125 DF PROTO=TCP SPT=80 DPT=31549 WINDOW=438 RES=0x00 ACK FIN URGP=0 MARK=0x4
Oct 25 22:32:55 firewall kernel: [21325.484020] IN NAS0 CONNIN=nas0 OUT=ethWEB SRC=<client_ip> DST=<server_ip> LEN=64 TOS=0x00 PREC=0x00 TTL=54 ID=14922 DF PROTO=TCP SPT=31549 DPT=80 WINDOW=46 RES=0x00 ACK URGP=0 MARK=0x4
Oct 25 22:32:55 firewall kernel: [21325.504418] IN NAS0 CONNIN=nas0 OUT=ethWEB SRC=<client_ip> DST=<server_ip> LEN=64 TOS=0x00 PREC=0x00 TTL=54 ID=14923 DF PROTO=TCP SPT=31549 DPT=80 WINDOW=46 RES=0x00 ACK URGP=0 MARK=0x4

CLIENT:
Oct 25 22:32:54 shoutcast-server kernel: [180468.541703] *NEW* OUT CONN IN= OUT=eth0 SRC=192.168.203.10 DST=<server_ip> LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=14919 DF PROTO=TCP SPT=49680 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Oct 25 22:32:55 shoutcast-server kernel: [180468.659871] IN CONN IN=eth0 OUT= MAC=00:01:2e:2d:72:e3:00:11:92:95:25:72:08:00 SRC=<server_ip> DST=192.168.203.10 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO=TCP SPT=80 DPT=49680 WINDOW=5792 RES=0x00 ACK SYN URGP=0
Oct 25 22:32:55 shoutcast-server kernel: [180468.659935] OUT CONN IN= OUT=eth0 SRC=192.168.203.10 DST=<server_ip> LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=14920 DF PROTO=TCP SPT=49680 DPT=80 WINDOW=46 RES=0x00 ACK URGP=0
Oct 25 22:32:55 shoutcast-server kernel: [180468.660406] OUT CONN IN= OUT=eth0 SRC=192.168.203.10 DST=<server_ip> LEN=653 TOS=0x00 PREC=0x00 TTL=64 ID=14921 DF PROTO=TCP SPT=49680 DPT=80 WINDOW=46 RES=0x00 ACK PSH URGP=0
Oct 25 22:32:55 shoutcast-server kernel: [180468.805969] IN CONN IN=eth0 OUT= MAC=00:01:2e:2d:72:e3:00:11:92:95:25:72:08:00 SRC=<server_ip> DST=192.168.203.10 LEN=52 TOS=0x00 PREC=0x00 TTL=48 ID=55122 DF PROTO=TCP SPT=80 DPT=49680 WINDOW=438 RES=0x00 ACK URGP=0
Oct 25 22:32:55 shoutcast-server kernel: [180468.908678] IN CONN IN=eth0 OUT= MAC=00:01:2e:2d:72:e3:00:11:92:95:25:72:08:00 SRC=<server_ip> DST=192.168.203.10 LEN=137 TOS=0x00 PREC=0x00 TTL=48 ID=55124 DF PROTO=TCP SPT=80 DPT=49680 WINDOW=438 RES=0x00 ACK PSH URGP=0
Oct 25 22:32:55 shoutcast-server kernel: [180468.908733] OUT CONN IN= OUT=eth0 SRC=192.168.203.10 DST=<server_ip> LEN=64 TOS=0x00 PREC=0x00 TTL=64 ID=14922 DF PROTO=TCP SPT=49680 DPT=80 WINDOW=46 RES=0x00 ACK URGP=0
Oct 25 22:32:55 shoutcast-server kernel: [180468.924857] IN CONN IN=eth0 OUT= MAC=00:01:2e:2d:72:e3:00:11:92:95:25:72:08:00 SRC=<server_ip> DST=192.168.203.10 LEN=52 TOS=0x00 PREC=0x00 TTL=48 ID=55125 DF PROTO=TCP SPT=80 DPT=49680 WINDOW=438 RES=0x00 ACK FIN URGP=0
Oct 25 22:32:55 shoutcast-server kernel: [180468.924914] OUT CONN IN= OUT=eth0 SRC=192.168.203.10 DST=<server_ip> LEN=64 TOS=0x00 PREC=0x00 TTL=64 ID=14923 DF PROTO=TCP SPT=49680 DPT=80 WINDOW=46 RES=0x00 ACK URGP=0

As you can see both clients do receive the spoofed packets, but the second one can't load the page.

Suggestions?

Thanks,
Niccolò
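Logs taken at two vantage points like the ones above can be compared mechanically. The following is an added example, not part of the original post: it parses netfilter LOG lines in the format shown, lists IP IDs skipped within one log (the kind of jump visible between ID=55122 and ID=55124 in the non-working logs), and lists packets the sending side logged that the receiving side did not. The sample lines and addresses are constructed, and it assumes the sender increments the IP ID by one per packet on a flow, as the nonzero IDs in the working-client logs do.

```python
import re

FIELD = re.compile(r"\b([A-Z]+)=(\S*)")  # KEY=value tokens; "IN=" may be empty

# Constructed sample lines in the post's LOG format (documentation addresses).
FIREWALL_LOG = """\
Oct 25 22:32:55 fw kernel: [10.1] OUT PPP0 CONNIN=ethWEB OUT=ppp0 SRC=192.0.2.10 DST=198.51.100.7 LEN=60 TTL=63 ID=0 DF PROTO=TCP SPT=80 DPT=31549 ACK SYN URGP=0 MARK=0x4
Oct 25 22:32:55 fw kernel: [10.2] OUT PPP0 CONNIN=ethWEB OUT=ppp0 SRC=192.0.2.10 DST=198.51.100.7 LEN=52 TTL=63 ID=40001 DF PROTO=TCP SPT=80 DPT=31549 ACK URGP=0 MARK=0x4
Oct 25 22:32:55 fw kernel: [10.3] OUT PPP0 CONNIN=ethWEB OUT=ppp0 SRC=192.0.2.10 DST=198.51.100.7 LEN=1482 TTL=63 ID=40002 DF PROTO=TCP SPT=80 DPT=31549 ACK URGP=0 MARK=0x4
Oct 25 22:32:55 fw kernel: [10.4] OUT PPP0 CONNIN=ethWEB OUT=ppp0 SRC=192.0.2.10 DST=198.51.100.7 LEN=137 TTL=63 ID=40004 DF PROTO=TCP SPT=80 DPT=31549 ACK PSH URGP=0 MARK=0x4
"""
CLIENT_LOG = """\
Oct 25 22:32:55 host kernel: [20.1] IN CONN IN=eth0 OUT= SRC=192.0.2.10 DST=192.168.0.2 LEN=60 TTL=48 ID=0 DF PROTO=TCP SPT=80 DPT=49680 ACK SYN URGP=0
Oct 25 22:32:55 host kernel: [20.2] IN CONN IN=eth0 OUT= SRC=192.0.2.10 DST=192.168.0.2 LEN=52 TTL=48 ID=40001 DF PROTO=TCP SPT=80 DPT=49680 ACK URGP=0
Oct 25 22:32:55 host kernel: [20.3] IN CONN IN=eth0 OUT= SRC=192.0.2.10 DST=192.168.0.2 LEN=137 TTL=48 ID=40004 DF PROTO=TCP SPT=80 DPT=49680 ACK PSH URGP=0
"""

def packets(log_text, src, sport):
    """(IP ID, LEN) of each logged packet sent from src:sport, in log order."""
    out = []
    for line in log_text.splitlines():
        f = dict(FIELD.findall(line))
        if f.get("SRC") == src and f.get("SPT") == str(sport) and "ID" in f and "LEN" in f:
            out.append((int(f["ID"]), int(f["LEN"])))
    return out

def id_gaps(pkts):
    """IP IDs skipped between consecutive packets; ID 0 carries no ordering."""
    missing, prev = [], None
    for ip_id, _ in pkts:
        if ip_id == 0:
            continue
        if prev is not None:
            step = (ip_id - prev) % 65536
            if step >= 32768:  # older than prev: reordered, skip it
                continue
            missing += [(prev + k) % 65536 for k in range(1, step)]
        prev = ip_id
    return missing

def lost_between(sender_pkts, receiver_pkts):
    """Packets the sending side logged that the receiving side never logged."""
    seen = set(receiver_pkts)
    return [p for p in sender_pkts if p not in seen]

if __name__ == "__main__":
    fw = packets(FIREWALL_LOG, "192.0.2.10", 80)
    cl = packets(CLIENT_LOG, "192.0.2.10", 80)
    print("skipped in firewall log:", id_gaps(fw))
    print("logged at firewall, not at client:", lost_between(fw, cl))
```

Matching on source address, source port, IP ID and length works across the client's NAT because those fields of the server's packets are the same in both logs, while the client-side destination address and port differ.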