About

On a social engineering level, banning misbehaving users does not always yield results: in the more ambitious cases the users simply come back through VPNs and similar paraphernalia, i.e. you throw them out through the door and they climb back in through the window. Given the same social engineering principles, a far better option is to make the service look so unreliable that they no longer consider it worth soliciting, even if the network administrator's first impulse is to ban them outright.

An example of software doing exactly this is the Drupal Misery module, which makes a website randomly pretend to be broken. Highlights include morbid delays, white screens, random HTTP errors, forms that do not submit and, at the extreme, content replaced with spam.

Unfortunately there is no comprehensive way of extending this great feature to services other than HTTP. Instead, netem, the network emulation queueing discipline of the Linux traffic control subsystem, can be used to inflict a subset of the grievances produced by the Drupal Misery module, at the packet level and for any protocol.

The following guide shows how to build a fast and efficient blacklist, with entries that can be added or removed conveniently, whose members are made to experience simulated network failure and random packet-level errors.

Using IPSet

ipset is a Linux tool that manages sets of IP addresses or networks inside the kernel; iptables can then match a packet against a whole set in a single rule, with a hash lookup whose cost does not grow with the number of entries, instead of one rule per address. To install the ipset tool, issue:

aptitude install ipset

Under Debian, there is no persistent way of storing ipset entries out of the box, so a custom package by Viktor Szépe has to be fetched (if the release in use ships an ipset-persistent package, which apt-cache search ipset-persistent will reveal, that is the simpler choice). The package lives in a subdirectory of a larger repository, and git cannot clone a subdirectory, so the whole repository is cloned:

cd /usr/src
git clone https://github.com/szepeviktor/debian-server-tools

and then installed, following the instructions in its README, by issuing:

cd debian-server-tools/security/myattackers-ipsets/ipset-persistent
cp --parents etc/ipset/README /
cp --parents etc/default/ipset-persistent /
cp --parents etc/init.d/ipset-persistent /

The /etc/default/ipset-persistent configuration file has to be edited so that the IPSET_BIN variable points to the ipset command (on Debian installed at /sbin/ipset; command -v ipset reports the path), and the init script has to be registered with the init system so that it runs at boot (on sysvinit systems, update-rc.d ipset-persistent defaults does that).

Adding and Removing Blacklisted IPs

An IP to blacklist is added by first creating a set, issuing:

ipset create blacklist hash:net

where:

  • blacklist is the name of the IP set
  • hash:net is the set type: a hash of networks in CIDR notation, so that single addresses (stored as /32) and whole ranges can be mixed in the same set and matched with one lookup (the other types are listed by ipset help). Creating a set that already exists is an error, so a boot script should use ipset -exist create, which makes the command safe to repeat.

and then by adding the IP with:

ipset add blacklist 4.150.102.189

where:

  • blacklist is the name of the IP set, and
  • 4.150.102.189 is an example IP to blacklist; a hash:net set accepts whole networks in CIDR notation as well, and ipset list blacklist shows what the set currently holds

Conversely, an IP can be removed by issuing:

ipset del blacklist 4.150.102.189

Note that if ipset-persistent was installed, then the command:

service ipset-persistent save

must be issued so that the entries are written to disk and reloaded on boot; entries added with ipset add alone live only in kernel memory and vanish at reboot.
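The following wrapper around the ipset commands above is an added example, not code from the original page. It assumes the set is called blacklist, as in the guide, and goes a little beyond the text: the set is created with timeout support so that an entry can be given its own expiry, and every entry is validated as an IPv4 address or network before it reaches the ipset command line. Setting IPSET=echo prints the commands instead of running them, which is how the script can be exercised without root.

```shell
#!/bin/sh
# Hypothetical wrapper around the ipset commands of this guide (added example,
# not from the original page). IPSET=echo prints the commands instead of
# running them; the real thing needs root and the ipset kernel modules.
set -eu

IPSET="${IPSET:-ipset}"
SET_NAME="${SET_NAME:-blacklist}"

# valid_cidr ENTRY: accept only an IPv4 address or IPv4/prefix. Whatever feeds
# the blacklist (a log parser, a web form) must not be able to push garbage or
# extra options into the set or the command line.
valid_cidr() {
    entry="$1"
    case "$entry" in
        */*) ip="${entry%%/*}"; pfx="${entry#*/}" ;;
        *)   ip="$entry"; pfx=32 ;;
    esac
    # prefix length: one or two digits, at most 32
    case "$pfx" in ''|*[!0-9]*|???*) return 1 ;; esac
    [ "$pfx" -le 32 ] || return 1
    # address: digits and dots only, then exactly four octets of 0..255
    case "$ip" in ''|*[!0-9.]*) return 1 ;; esac
    oldifs="$IFS"; IFS=.
    set -- $ip
    IFS="$oldifs"
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in ''|????*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# bl_init: create the set once; -exist makes re-running harmless. "timeout 0"
# enables per-entry expiry while keeping "never expires" as the default.
bl_init() {
    "$IPSET" -exist create "$SET_NAME" hash:net timeout 0
}

# bl_add ENTRY [SECONDS]: add an address or network, optionally self-expiring,
# so that a temporary punishment needs no cron job to undo it.
bl_add() {
    valid_cidr "$1" || { echo "bl_add: refusing malformed entry '$1'" >&2; return 2; }
    if [ "$#" -ge 2 ]; then
        case "$2" in ''|*[!0-9]*) echo "bl_add: bad timeout '$2'" >&2; return 2 ;; esac
        "$IPSET" -exist add "$SET_NAME" "$1" timeout "$2"
    else
        "$IPSET" -exist add "$SET_NAME" "$1"
    fi
}

# bl_del ENTRY: remove an entry; -exist keeps this quiet if it was already gone.
bl_del() {
    valid_cidr "$1" || { echo "bl_del: refusing malformed entry '$1'" >&2; return 2; }
    "$IPSET" -exist del "$SET_NAME" "$1"
}

# bl_test ADDRESS: succeed if the address is covered by any entry, including a
# containing network such as 203.0.113.0/24 (the same lookup iptables performs).
bl_test() {
    valid_cidr "$1" || return 2
    "$IPSET" test "$SET_NAME" "$1" >/dev/null 2>&1
}

# bl_save [FILE]: dump the set in "ipset restore" format; a boot script can feed
# it back with "ipset -exist restore < FILE" if ipset-persistent is not used.
bl_save() {
    "$IPSET" save "$SET_NAME" > "${1:-/etc/ipset/${SET_NAME}.save}"
}

# Typical use (as root):
#   bl_init
#   bl_add 4.150.102.189          # permanent, as in the guide
#   bl_add 203.0.113.0/24 3600    # a whole network, expires after an hour
#   bl_del 4.150.102.189
```

The validation is the point of the wrapper: the functions always pass the entry as a single quoted argument, but an address that arrived from a log line or a form field is rejected outright unless it is a well-formed IPv4 address or network, so nothing but addresses ever ends up in the set.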

Traffic Shaping

With the IP set in place, the next step is to create tc rules based on netem that perturb the outgoing traffic to any IP in the set. Either execute the following commands by hand after every boot, or place them in a script that runs on boot:

OUT_IF=eth0
# tc(8) reads "mbit" as megabits and "mbps" as megabytes per second; the class
# rate only has to be at least the link speed, so that HTB never throttles
OUT_RATE=1000mbit
 
PACKET_DELAY="800ms 250ms 25%"
PACKET_LOSS="7%"
DUPLICATE_PACKETS="5%"
CORRUPT_PACKETS="10%"
 
# deleting the root qdisc fails when none has been installed yet, which is harmless
tc qdisc del dev $OUT_IF root 2>/dev/null
tc qdisc add dev $OUT_IF handle 1: root htb
tc class add dev $OUT_IF parent 1: classid 1:15 htb rate $OUT_RATE
tc qdisc add dev $OUT_IF parent 1:15 handle 15 netem \
    delay $PACKET_DELAY \
    loss $PACKET_LOSS \
    duplicate $DUPLICATE_PACKETS \
    corrupt $CORRUPT_PACKETS
tc filter add dev $OUT_IF parent 1:0 prio 1 protocol ip handle 15 fw flowid 1:15

The script roughly performs the following operations:

  • tries to remove any existing shaping (the delete fails harmlessly when no qdisc has been installed yet),
  • installs an HTB root qdisc; traffic that is not classified into one of its classes bypasses the shaper and leaves at full speed,
  • creates a separate class 1:15 with a netem qdisc attached to it that (as configured using the settings):
    • delays every packet by $800ms$ give or take $250ms$ of jitter, where $25\%$ is the correlation between successive random delays (netem's third delay argument is a correlation, not a probability: every packet is delayed),
    • drops $7\%$ of the packets,
    • sends $5\%$ of the packets twice,
    • introduces a random bit error into $10\%$ of the packets
  • specifies, via the fw classifier, that packets numerically marked 15 by iptables are steered into class 1:15 and therefore through netem.

Selecting Packets for Shaping

With the previous traffic shaping rules in place, packets can now be marked via iptables so that they are steered through the shaper. Note that the qdisc sits on the egress side of the interface, so only packets sent back from the server to a blacklisted IP are affected; what the client sends arrives untouched (shaping ingress would require redirecting it through an ifb device, which this guide does not cover). Note also that everything here is IPv4 only: a hash:net set is family inet by default and iptables handles IPv4 only, so clients arriving over IPv6 bypass the whole scheme unless an inet6 set and matching ip6tables rules are added.

For instance, to make life miserable for clients connecting to HTTP or HTTPS, a firewall rule along the following lines is added:

iptables -t mangle -A OUTPUT \
    -p tcp \
    -m set --match-set blacklist dst \
    -m multiport --sport 80,443 \
    -j MARK --set-mark 15

which means:

  • mangle traffic on the OUTPUT chain by,
  • restricting the rule to TCP (the multiport match refuses to load without a protocol, so -p tcp is mandatory here),
  • matching destinations from the IP set named blacklist,
  • when the source port is either 80 (HTTP) or 443 (HTTPS),
  • mark the packets with the numeric identifier 15.

The rule can be simplified when all traffic has to be made miserable:

iptables -t mangle -A OUTPUT \
    -m set --match-set blacklist dst \
    -j MARK --set-mark 15

which will mark all packets bound for any IP on the blacklist set and send them through the shaper.

Adding Extra Random Disconnects

Because HTTP is stateless and clients open new TCP connections all the time (even with keep-alive, browsers reconnect frequently), refusing some of those connection attempts at random produces the intermittent failures the Drupal Misery module is known for. The following can be added to the firewall:

iptables -I INPUT \
    -m set --match-set blacklist src \
    -m statistic --mode random --probability 0.50 \
    -p tcp -m multiport --dport 80,443 \
    -m state --state NEW \
    -j DROP

that will randomly drop new connections to HTTP or HTTPS with a probability of $50\%$. The rule is inserted at the top of the chain (-I rather than -A) because an existing rule accepting ports 80 and 443 further up would otherwise match first and the drop would never be reached. Since the client's TCP stack retransmits a dropped SYN after roughly a second, each of which is again dropped with the same probability, the user mostly sees connections that hang for a while before going through; for an immediate "connection reset" error instead, REJECT --reject-with tcp-reset can be used in place of DROP.
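Putting the three pieces above together (shaping, marking and random disconnects), the following is an added example, not code from the original page, that wraps the same rules in idempotent setup, teardown and status functions. It assumes the blacklist set from the previous sections, the interface name eth0 and the netem parameters of the guide; the rate is written as 1000mbit because tc(8) reads mbps as megabytes per second, and the INPUT rule is inserted rather than appended so that it precedes any existing ACCEPT. TC=echo IPTABLES=echo prints the commands instead of running them, which is how the script can be exercised without root.

```shell
#!/bin/sh
# Added example (not code from the original page): the shaping, marking and
# random-disconnect rules of this guide as one idempotent setup/teardown unit.
# Assumes the "blacklist" ipset already exists. TC=echo IPTABLES=echo prints
# the commands instead of executing them; real use needs root.
set -eu

TC="${TC:-tc}"
IPTABLES="${IPTABLES:-iptables}"
OUT_IF="${OUT_IF:-eth0}"
# tc(8) reads "mbit" as megabits and "mbps" as megabytes per second. The HTB
# class rate only has to be at least the link speed: the class exists to hang
# netem off, not to throttle.
OUT_RATE="${OUT_RATE:-1000mbit}"
SET_NAME="${SET_NAME:-blacklist}"
# The iptables mark and the fw filter handle are decimal and must agree;
# "1:15" and "15:" are tc's own labels that merely tie class, qdisc and filter
# together.
MARK=15
PACKET_DELAY="${PACKET_DELAY:-800ms 250ms 25%}"   # mean, jitter, correlation
PACKET_LOSS="${PACKET_LOSS:-7%}"
DUPLICATE_PACKETS="${DUPLICATE_PACKETS:-5%}"
CORRUPT_PACKETS="${CORRUPT_PACKETS:-10%}"
DROP_PROBABILITY="${DROP_PROBABILITY:-0.50}"

# mark_rule ACTION: ACTION is -I or -A (install) or -D (remove). Keeping the
# rule body in one place guarantees teardown deletes exactly what setup added.
# -p tcp is mandatory: the multiport match refuses to load without a protocol.
mark_rule() {
    "$IPTABLES" -t mangle "$1" OUTPUT -p tcp \
        -m set --match-set "$SET_NAME" dst \
        -m multiport --sport 80,443 \
        -j MARK --set-mark "$MARK"
}

# drop_rule ACTION: randomly refuse new HTTP/HTTPS connections from the set.
drop_rule() {
    "$IPTABLES" "$1" INPUT -p tcp \
        -m set --match-set "$SET_NAME" src \
        -m conntrack --ctstate NEW \
        -m multiport --dport 80,443 \
        -m statistic --mode random --probability "$DROP_PROBABILITY" \
        -j DROP
}

misery_up() {
    # Start from a clean tree; deleting a root qdisc that is not there fails.
    "$TC" qdisc del dev "$OUT_IF" root 2>/dev/null || true
    # HTB root: packets not classified into 1:15 bypass the shaper entirely.
    "$TC" qdisc add dev "$OUT_IF" handle 1: root htb
    "$TC" class add dev "$OUT_IF" parent 1: classid "1:$MARK" htb rate "$OUT_RATE"
    # PACKET_DELAY is deliberately unquoted: it splits into mean/jitter/corr.
    "$TC" qdisc add dev "$OUT_IF" parent "1:$MARK" handle "$MARK:" netem \
        delay $PACKET_DELAY \
        loss "$PACKET_LOSS" \
        duplicate "$DUPLICATE_PACKETS" \
        corrupt "$CORRUPT_PACKETS"
    "$TC" filter add dev "$OUT_IF" parent 1:0 prio 1 protocol ip \
        handle "$MARK" fw flowid "1:$MARK"
    # -I, not -A: an existing ACCEPT for ports 80/443 further up the INPUT
    # chain would otherwise match first and the random drop would never fire.
    mark_rule -I
    drop_rule -I
}

misery_down() {
    mark_rule -D || true
    drop_rule -D || true
    "$TC" qdisc del dev "$OUT_IF" root 2>/dev/null || true
}

# misery_status: the netem qdisc's packet counters and the marking rule's hit
# counter show whether blacklisted traffic is really being steered through.
misery_status() {
    "$TC" -s qdisc show dev "$OUT_IF"
    "$IPTABLES" -t mangle -L OUTPUT -v -n
}

# Invoke as "<script> up", "<script> down" or "<script> status".
case "${1:-}" in
    up)     misery_up ;;
    down)   misery_down ;;
    status) misery_status ;;
esac
```

Because setup and teardown share the two rule functions, misery_down removes exactly the rules misery_up installed, and the qdisc tree is rebuilt from scratch on every run, so the script can be called from a boot hook or by hand without leaving stale rules behind.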

Testing

Using the commands ipset add and ipset del, an IP address under your control can be placed in the set for testing. The values for the rule:

OUT_IF=eth0
 
PACKET_DELAY="800ms 250ms 25%"
PACKET_LOSS="7%"
DUPLICATE_PACKETS="5%"
CORRUPT_PACKETS="10%"
 
tc qdisc add dev $OUT_IF parent 1:15 handle 15 netem \
    delay $PACKET_DELAY \
    loss $PACKET_LOSS \
    duplicate $DUPLICATE_PACKETS \
    corrupt $CORRUPT_PACKETS

can be tweaked to taste; on a live system they can also be changed in place with tc qdisc change instead of deleting and rebuilding the whole tree. Whether marked packets really reach the shaper is confirmed with tc -s qdisc show dev eth0, whose counters for the netem qdisc must increase while the blacklisted host is being served, and with iptables -t mangle -L OUTPUT -v -n, which shows the hit counter of the marking rule. With the catch-all marking rule in place, a plain ping from the blacklisted host against the server shows the added delay, jitter and loss directly.


networking/the_miserable_blacklist.txt · Last modified: 2022/04/19 08:27 by 127.0.0.1
