
I am developing a system which can detect requests in the local network. If a customer requests a certain site, the system sends an HTTP redirect packet. I build the HTTP redirect packet via libnet; the new URI is set in Location, like:

HTTP/1.1 302 Moved Temporarily
Location: http://www.example.com

But it doesn't work: the browser doesn't go to the new site. The customer doesn't send a new GET request to the redirect URL.

Thanks for all answers.

Scott
  • Do you use the proper line endings (it should be carriage return, newline (`"\r\n"`))? Do you terminate the headers properly (with an empty line)? – Some programmer dude Mar 23 '15 at 09:13
  • Yes, my HTTP data is "HTTP/1.1 302 Moved Temporarily\r\nLocation: http://www.example.com\r\n\r\n". However, the client does not jump to the new location. @JoachimPileborg – Scott Mar 23 '15 at 11:04
  • Have you used a packet sniffer, like e.g. [Wireshark](https://www.wireshark.org/) to see that the correct packet and data is sent to the client? – Some programmer dude Mar 23 '15 at 11:33
  • I used libnet_build_tcp, libnet_build_ipv4 and libnet_build_ethernet to build my packet; the HTTP 302 redirect data is the payload of TCP. I don't know why it is wrong. I see in Wireshark that the client doesn't accept my packet. Because I sent RST to the server before, the client retransmits the GET request to the old URI. Of course, it gets nothing. @JoachimPileborg – Scott Mar 23 '15 at 11:58
  • You really need to provide a packet capture (.pcap) which shows the original packets in the connection and the packet you're trying to inject into the connection. You can capture packets using Wireshark as suggested by @Joachim Pileborg. If your client retransmits the GET request, it sounds like the ACK number in your injected response packet is incorrect. And if the client doesn't accept the packet, it sounds like its sequence number is incorrect. – juhist Mar 24 '15 at 12:48
  • Yeah, the client retransmits the request to the old site after receiving my redirect packet. Because I reset the connection to the server before, it gets nothing. However, I think my sequence number and ACK number are right. Assuming that the sequence number, ACK number and payload size of the GET request packet are seq, ack and len, respectively, the sequence and ACK numbers of my HTTP redirect packet are set to (ack) and (seq+len). Is that wrong? @juhist – Scott Mar 24 '15 at 13:52
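The seq/ack arithmetic and the checksum question raised in the comments, worked through as an added example (this is not the poster's libnet code and it does not use libnet): for an observed GET segment with numbers seq, ack and payload length len, a reply spoofed from the server carries seq = ack and ack = seq + len, and its TCP checksum is computed over the IPv4 pseudo-header with the addresses the reply will actually carry (server as source, client as destination). The addresses, ports and sequence numbers are made up; the 302 payload is the one from the question. libnet fills the TCP checksum itself when the checksum argument to libnet_build_tcp is 0, so the hand computation here is mainly a way to check a packet seen in a capture.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not the poster's libnet code: the seq/ack arithmetic from the
 * comments plus a TCP checksum over the IPv4 pseudo-header, so an injected
 * segment seen in a capture can be checked by hand.  All addresses, ports and
 * sequence numbers below are made up. */

struct tcp_numbers { uint32_t seq, ack; };

/* Reply to an observed request segment: the reply's seq is where the server's
 * stream stands (the request's ack) and its ack covers everything the client
 * sent (request seq + payload length). */
static struct tcp_numbers reply_numbers(uint32_t req_seq, uint32_t req_ack, uint32_t req_len) {
    struct tcp_numbers r = { req_ack, req_seq + req_len };
    return r;
}

static void put16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }
static void put32(uint8_t *p, uint32_t v) { put16(p, (uint16_t)(v >> 16)); put16(p + 2, (uint16_t)v); }

/* Accumulate 16-bit big-endian words; an odd trailing byte is zero-padded on the right. */
static uint32_t sum16(uint32_t acc, const uint8_t *d, size_t n) {
    size_t i;
    for (i = 0; i + 1 < n; i += 2) acc += ((uint32_t)d[i] << 8) | d[i + 1];
    if (n & 1) acc += (uint32_t)d[n - 1] << 8;
    return acc;
}

/* TCP checksum (RFC 793 / RFC 1071): one's-complement sum over the 12-byte IPv4
 * pseudo-header (src, dst, zero, protocol 6, TCP length) and the TCP header + payload.
 * src/dst are the IPs the segment will carry: for a spoofed reply, server -> client. */
static uint16_t tcp_checksum(const uint8_t src[4], const uint8_t dst[4], const uint8_t *seg, size_t n) {
    uint8_t pseudo[12] = { 0 };
    uint32_t acc;
    memcpy(pseudo, src, 4);
    memcpy(pseudo + 4, dst, 4);
    pseudo[9] = 6;                                          /* protocol: TCP */
    put16(pseudo + 10, (uint16_t)n);                        /* TCP length (header + data) */
    acc = sum16(sum16(0, pseudo, 12), seg, n);
    while (acc >> 16) acc = (acc & 0xffff) + (acc >> 16);   /* fold carries */
    return (uint16_t)~acc;
}

/* 20-byte TCP header (PSH|ACK, no options) + payload, checksum filled in.  Returns the
 * segment length, or 0 if it does not fit in out[]. */
static size_t build_reply_segment(uint8_t *out, size_t cap, const uint8_t src[4], const uint8_t dst[4],
                                  uint16_t sport, uint16_t dport, struct tcp_numbers nums,
                                  const char *payload) {
    size_t plen = strlen(payload);
    if (20 + plen > cap) return 0;
    memset(out, 0, 20);                       /* checksum field must be 0 while summing */
    put16(out, sport);
    put16(out + 2, dport);
    put32(out + 4, nums.seq);
    put32(out + 8, nums.ack);
    out[12] = 5 << 4;                         /* data offset: 5 words */
    out[13] = 0x18;                           /* PSH | ACK */
    put16(out + 14, 65535);                   /* window */
    memcpy(out + 20, payload, plen);
    put16(out + 16, tcp_checksum(src, dst, out, 20 + plen));
    return 20 + plen;
}

/* A segment whose checksum is correct sums to zero when the checksum field is included. */
static int segment_checksum_ok(const uint8_t src[4], const uint8_t dst[4], const uint8_t *seg, size_t n) {
    return tcp_checksum(src, dst, seg, n) == 0;
}

int main(void) {
    /* Constructed: client 10.0.0.2:40000 sent a 120-byte GET with seq 1000 / ack 5000 to 10.0.0.1:80. */
    const uint8_t server[4] = { 10, 0, 0, 1 }, client[4] = { 10, 0, 0, 2 };
    struct tcp_numbers n = reply_numbers(1000, 5000, 120);
    uint8_t seg[256];
    size_t len = build_reply_segment(seg, sizeof seg, server, client, 80, 40000, n,
                                     "HTTP/1.1 302 Moved Temporarily\r\nLocation: http://www.example.com\r\n\r\n");
    printf("reply seq=%u ack=%u len=%zu checksum=0x%02x%02x ok=%d\n", (unsigned)n.seq, (unsigned)n.ack,
           len, seg[16], seg[17], segment_checksum_ok(server, client, seg, len));
    return 0;
}
```

Running segment_checksum_ok over the TCP payload of a packet copied out of Wireshark, with the IP addresses from the same packet, answers the checksum question directly; note that Wireshark does not validate TCP checksums by default, so a packet that "displays normally" there may still carry a bad one.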

1 Answer


What you really want to do is to implement an in-line deep packet inspection device that inspects the TCP stream and the HTTP headers and sends its own response if it detects access to a certain site.

In general, it is not possible to perform complicated application-level responses using a passive device that simply monitors the traffic, where the traffic does not actually go through the device.

You most likely need to do some Linux kernel-level development using netfilter hooks. It is possible to pass the packets to userspace and back to kernelspace again if you prefer to do userspace coding. My opinion is that it is better to perform complex deep packet inspection in userspace.

For parsing the HTTP headers, you most likely need to create your own parser generator, as none of the existing parser generators fulfill all the needs of deep packet inspection. In particular, you want to PUSH data into the parser, not have the parser PULL data by calling a function that returns a piece of data. And the parser must work incrementally. So yacc or bison won't work. Furthermore, practically none of the network protocols have been designed with two-stage (lexer, parser) parsing in mind, so you'll most likely need a solution that integrates lexer and parser into one and turns lexemes on and off based on the parser context. This is not an easy task. However, not having a parser generator to generate the HTTP header parsing code will be a total maintenance hell. It has been tried before, and the short summary is: don't do it.

Do consider that deep packet inspection devices have to deal with things called evasions. For example, what do you do if, instead of "GET / HTTP/1.1\nHost: badsite.com\n\n", you see "G", "E", "T", " ", "/", " ", "H", "T", "T", "P", "/", "1", ".", "1", "\n", "H", "o", "s", "t", ":", " ", "b", "a", "d", "s", "i", "t", "e", ".", "c", "o", "m", "\n", "\n" in different TCP segments? You are going to have a lot of work ahead of you if you want to handle deep packet inspection evasions in your system.

Disclaimer: I have worked for a major network security device vendor, so I know how these things are implemented.

juhist
  • Thank you for your answer. My server can monitor the traffic. I insert an HTTP 302 redirect packet into the conversation. I am sure my packet is right; however, the client can't jump to the site set in Location. In theory, I think, it can work as long as the client can resolve my redirect packet. If my idea is wrong, can you give me more suggestions about Linux kernel hooks? I am not experienced. – Scott Mar 24 '15 at 12:37
  • Well, it looks like you have a bigger task than what you're capable of. So you are a passive traffic monitor, not an active inline device. If you inject your own data into the connection, how do you prevent the alternative data from the server from reaching the client? It seems you can't do that now. You could try sending an RST packet to the server and the data packet to the client, but the network may have in-flight alternative data packets from the server which can still reach the client. – juhist Mar 24 '15 at 12:43
  • As an aside: if you want a hack that sort of works, you could try using Wireshark to investigate whether the packet you're sending is a valid packet for the TCP connection. Is the ACK number correct, i.e. does it acknowledge the request the client has sent? Is the sequence number correct? But be prepared for your hack to fail someday, and then if you modify it, it may fail again, and so on and on... Really fixing all potential problems would require the hard approach I described in my answer. – juhist Mar 24 '15 at 12:45
  • Thank you again. I send RST to the server and the HTTP redirect packet to the client, and I prevent the data from the server successfully. I am sure the seq and ack of the redirect packet to the client are right. Wireshark displays the HTTP 302 redirect packet normally. I see, using Wireshark, that the client doesn't send a SYN to connect to the new site after receiving my redirect packet. – Scott Mar 24 '15 at 13:43
  • Well, consider attaching a .pcap to your question containing the whole connection from its SYN/SYN+ACK/ACK handshake to the RST and the injected packet. Perhaps there's still something wrong in your packet that people here could help debug. Are you sure your packet's checksum is correct at the IP and at the TCP level? – juhist Mar 24 '15 at 13:46
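The incremental, push-style header parsing and the one-character-per-segment evasion described in the answer, as an added example that is not part of the original thread: a hand-written state machine that is fed bytes in whatever chunks the TCP stream happens to deliver and records the Host header when it completes. The HTTP/1.x grammar it accepts is deliberately minimal (request line, "Name: value" header lines, blank-line terminator; the version token is not validated), the request text is constructed, and badsite.com is the placeholder name from the answer.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
/* Added example, not code from the original thread: a push-style incremental HTTP/1.x
 * request-header parser.  Bytes are pushed in whatever fragmentation the TCP stream
 * delivers (down to one per call) and the state persists between calls, so the
 * per-character split described in the answer parses exactly like one segment. */
enum hp_state { HP_METHOD, HP_TARGET, HP_VERSION,                               /* request line */
                HP_HDR_START, HP_HDR_NAME, HP_HDR_WS, HP_HDR_VALUE, HP_DONE, HP_ERROR };
enum hp_result { HP_BAD = -1, HP_NEED_MORE = 0, HP_COMPLETE = 1 };

struct http_parser {
    enum hp_state st;
    char method[16];  size_t method_len;
    char target[256]; size_t target_len;
    char name[64];    size_t name_len;       /* header line being parsed (scratch) */
    char value[256];  size_t value_len;
    char host[256];   int have_host;         /* Host: value once a Host line completes */
};

static void hp_init(struct http_parser *p) { memset(p, 0, sizeof *p); p->st = HP_METHOD; }
/* Append one byte to a bounded NUL-terminated field; returns 0 if it would overflow. */
static int push_char(char *buf, size_t cap, size_t *len, char c) {
    if (*len + 1 >= cap) return 0;
    buf[(*len)++] = c; buf[*len] = '\0'; return 1;
}
static int ieq(const char *a, const char *b) {                          /* case-insensitive == */
    for (; *a && *b; a++, b++) if (tolower((unsigned char)*a) != tolower((unsigned char)*b)) return 0;
    return *a == *b;
}
/* A full "Name: value" line was seen: record Host (trailing blanks stripped), reset scratch. */
static void hp_header_done(struct http_parser *p) {
    while (p->value_len && (p->value[p->value_len - 1] == ' ' || p->value[p->value_len - 1] == '\t'))
        p->value[--p->value_len] = '\0';
    if (ieq(p->name, "Host")) { memcpy(p->host, p->value, p->value_len + 1); p->have_host = 1; }
    p->name_len = p->value_len = 0; p->name[0] = p->value[0] = '\0';
}

/* Push n bytes.  "\n" and "\r\n" line endings are both accepted (the answer's evasion uses
 * bare "\n"); parsing stops at the blank line that ends the headers. */
static enum hp_result hp_feed(struct http_parser *p, const unsigned char *data, size_t n) {
    if (p->st == HP_DONE) return HP_COMPLETE; if (p->st == HP_ERROR) return HP_BAD;
    for (size_t i = 0; i < n; i++) {
        char c = (char)data[i];
        if (c == '\r') continue;
        switch (p->st) {
        case HP_METHOD:
            if (c == ' ') { if (!p->method_len) goto bad; p->st = HP_TARGET; }
            else if (!push_char(p->method, sizeof p->method, &p->method_len, c)) goto bad;
            break;
        case HP_TARGET:
            if (c == ' ') { if (!p->target_len) goto bad; p->st = HP_VERSION; }
            else if (!push_char(p->target, sizeof p->target, &p->target_len, c)) goto bad;
            break;
        case HP_VERSION:                                  /* version token skipped, not validated */
            if (c == '\n') p->st = HP_HDR_START; break;
        case HP_HDR_START:
            if (c == '\n') { p->st = HP_DONE; return HP_COMPLETE; }   /* blank line: headers end */
            if (c == ':') goto bad;                                    /* header with empty name */
            if (!push_char(p->name, sizeof p->name, &p->name_len, c)) goto bad;
            p->st = HP_HDR_NAME;
            break;
        case HP_HDR_NAME:
            if (c == ':') { p->st = HP_HDR_WS; break; }
            if (c == '\n') goto bad;                                   /* line without a colon */
            if (!push_char(p->name, sizeof p->name, &p->name_len, c)) goto bad;
            break;
        case HP_HDR_WS:                                   /* optional blanks after the colon */
            if (c == ' ' || c == '\t') break;
            p->st = HP_HDR_VALUE;
            /* fall through */
        case HP_HDR_VALUE:
            if (c == '\n') { hp_header_done(p); p->st = HP_HDR_START; }
            else if (!push_char(p->value, sizeof p->value, &p->value_len, c)) goto bad;
            break;
        default: goto bad;
        }
    }
    return HP_NEED_MORE;
bad:
    p->st = HP_ERROR;
    return HP_BAD;
}

/* Feed req to a fresh parser in frag-byte pieces; frag == 1 is one byte per TCP segment. */
static enum hp_result parse_fragmented(struct http_parser *p, const char *req, size_t frag) {
    size_t len = strlen(req), off;
    enum hp_result r = HP_NEED_MORE;
    hp_init(p);
    for (off = 0; off < len && r == HP_NEED_MORE; off += frag)
        r = hp_feed(p, (const unsigned char *)req + off, len - off < frag ? len - off : frag);
    return r;
}

int main(void) {
    const char *req = "GET /index.html HTTP/1.1\nHost: badsite.com\nUser-Agent: demo\n\n";  /* constructed */
    struct http_parser p;
    for (size_t frag = 1; frag <= strlen(req); frag *= 6) {     /* 1-, 6- and 36-byte fragments */
        enum hp_result r = parse_fragmented(&p, req, frag);
        printf("frag=%zu result=%d method=%s target=%s host=%s\n", frag, (int)r, p.method, p.target, p.host);
    }
    return 0;
}
```

The property the answer insists on is visible in hp_feed: the caller pushes data and the parser never asks for more, so the same code handles a request delivered whole, in one byte per segment, or cut at any other boundary. A generated parser of the kind the answer recommends would replace hp_feed and the hand-maintained state enum; everything else (bounded fields, Host extraction, the push interface) stays the same.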