C++ Developer for Windows Internals (Hybrid TLV) Requirements: 10 years of experience working with C++ in Microsoft Windows environments. Experience in Object-Oriented development. In-depth knowledge of the Microsoft Windows operating system, especially Windows Internals. Experience in Multi-threading development and debugging. Experience in developing System Services under Windows. Knowledge of communication protocols such as TCP, UDP. Advantage: Experience with Microsoft .NET and C#. Expe...

This is not only a H.323 topic, but since H.323 also uses TCP connections, it applies to H.323 as well:

To detect network errors and signaling connection problems, you can enable TCP keep alive feature. It will increase signaling bandwidth used, but as bandwidth utilized by signaling channels is low from its nature, the increase should not be significant. Moreover, you can control it using keep alive timeout.

The problem is that most system use keep alive timeout of 7200 seconds, which means the system is notified about a dead connection after 2 hours. You probably want this time to be shorter, like one minute or so. On each operating system, the adjustment is done in a different way.

After settings all parameters, it's recommended to check whether the feature works correctly - just make a test call and unplug a network cable at either side of the call. Then see if the call terminates after the configured timeout.

Linux systems

Use sysctl -A to get a list of available kernel variables
and grep this list for net.ipv4 settings (sysctl -A | grep net.ipv4).
There should exist the following variables:

net.ipv4.tcp_keepalive_time:   time of connection inactivity after which
                               the first keep alive request is sent
net.ipv4.tcp_keepalive_probes: number of keep alive requests retransmitted
                               before the connection is considered broken
net.ipv4.tcp_keepalive_intvl:  time interval between keep alive probes

You can manipulate with these settings using the following command:

sysctl -w net.ipv4.tcp_keepalive_time=60 net.ipv4.tcp_keepalive_probes=3 

    net.ipv4.tcp_keepalive_intvl=10

This sample command changes TCP keepalive timeout to 60 seconds with 3 probes,
10 seconds gap between each. With this, your application will detect dead TCP
connections after 90 seconds (60 + 10 + 10 + 10).

FreeBSD and MacOS X

For the list of available TCP settings (FreeBSD 4.8 an up and 5.4):

sysctl -A | grep net.inet.tcp

net.inet.tcp.keepidle - Amount of time, in milliseconds, that the (TCP) 
connection must be idle before keepalive probes (if enabled) are sent.

net.inet.tcp.keepintvl - The interval, in milliseconds, between 
keepalive probes sent to remote machines. After TCPTV_KEEPCNT (default 
8) probes are sent, with no response, the (TCP)connection is dropped.

net.inet.tcp.always_keepalive - Assume that SO_KEEPALIVE is set on all 
TCP connections, the kernel will periodically send a packet to the 
remote host to verify the connection is still up.

therefore formula to calculate maximum TCP inactive connection time is 
following:

net.inet.tcp.keepidle + (net.inet.tcp.keepintvl x 8)

the result is in milliseconds.

therefore, by setting
net.inet.tcp.keepidle = 10000
net.inet.tcp.keepintvl = 5000
net.inet.tcp.always_keepalive =1 (must be 1 always)

the system will disconnect a call when TCP connection is dead for:
10000 + (5000 x 8) = 50000 msec (50 sec)

To make system remember these settings at startup, you should add them 
to /etc/sysctl.conf file

Solaris

For the list of available TCP settings:

ndd /dev/tcp ?

Keepalive related variables:
- tcp_keepalive_interval - idle timeout

Example:
ndd -set /dev/tcp tcp_keepalive_interval 60000

Windows 2000 and Windows NT

Search Knowledge Base for article ID 120642:
http://support.microsoft.com/kb/120642/EN-US

Basically, you need to tweak some registry entries under
HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesTcpipParameters

Tcp Client Sever is a useful network utility for testing network programs, network services, firewalls and intrusion detection systems. Tcp Client Sever can also be used for debugging network programs and configuring other network tools. Depending on Client-Server mode the tool can work as a Tcp client or Tcp server, accept multiple network connections, receive and send data over network. The tool is designed with a user-friendly interface and is easy to use.

Tcp Port Forwarding tool allows to capture and redirect TCP traffic that flows through a particular port. Tcp Port Forwarding software also can work as network bridge for redirecting TCP network traffic from one network card to another one. This tool is used for testing some services, firewall and intrusion detection systems. The program can also be used for debugging programs and configuring other network tools.

TCP BBR is one of the most powerful congestion control algorithms. In this article, we provide a comprehensive review of BBR analysis, expanding on existing knowledge across various fronts. Utilising ns3 simulations, we evaluate BBR's performance under diverse conditions, generating graphical representations. Our findings reveal flaws in the probe's RTT phase duration estimation and unequal bandwidth sharing between BBR and CUBIC protocols. Specifically, we demonstrated that the probe's RTT phase duration estimation algorithm is flawed and that BBR and CUBIC generally do not share bandwidth equally. Towards the end of the article, we propose a new improved version of TCP BBR which minimises these problems of inequity in bandwidth sharing and corrects the inaccuracies of the two key parameters RTprop and cwnd. Consequently, the BBR' protocol maintains very good fairness with the Cubic protocol, with an index that is almost equal to 0.98, and an equity index over 0.95.

Posted by Solar Designer on Nov 12

NIST doesn't appear to provide their own CVSS vectors/scores lately.
However, they republish (with attribution) some third-party ones, this
time from CISA-ADP. The CISA-ADP CVSS vector for this vulnerability
specifies that it not only is network-reachable, but also that it has
High impact not only on Availability, but also on Confidentiality and
Integrity. This results in a CVSSv3.1 score of 9.8. Even merely
correcting the vector not to...

Posted by Clemens Lang on Nov 12

Hi,

I think the source for the CISA-ADP data is at [1]. For this specific CVE, the relevant file would be [2]. Their readme
has a section at the bottom, where they encourage feedback:

I’m aware of at last one prior case where a similar case of (IMHO) overblown CVSS scores was discussed in an issue on
this particular GitHub project [3].

Somebody seems to already have opened a ticket for this CVE, too: [4]

[1]:...

Posted by Joel GUITTET on Nov 12

Hello
First thanks to Alexander for reposting because I was not able to do so!
You're right Clemens, I have myself ask the question on this github
(https://github.com/cisagov/vulnrichment/issues/130), but still no information for the moment.
Joel

Netflix has identified several TCP networking vulnerabilities in FreeBSD and Linux kernels. The vulnerabilities specifically relate to the minimum segment size (MSS) and TCP Selective Acknowledgement (SACK) capabilities. The most serious, dubbed _"SACK Panic_," allows a remotely-triggered kernel panic on recent Linux kernels. There are patches that address most of these vulnerabilities. If patches can not be applied, certain mitigations will be effective.

Slackware Security Advisory - New libpcap and tcpdump packages are available for Slackware 14.0, 14.1, 14.2, and -current to fix security issues.

129 bytes small Linux/x86_64 bind (4444/TCP) shell (/bin/sh) + password (pass) shellcode.

120 bytes small Linux/x86_64 reverse (127.0.0.1:4444/TCP) shell (/bin/sh) + password (pass) shellcode.

Linux/x86 TCP reverse shell 127.0.0.1 nullbyte free shellcode.

53 bytes small Linux/x86 bind TCP port 43690 null-free shellcode.

Whitepaper called Covert Channel and Data Hiding in TCP/IP.

188 bytes small Lnux/x64 reverse TCP stager shellcode.

CHIYU BF430 TCP IP Converter suffers from a persistent cross site scripting vulnerability.

Malbait is a honeypot written in perl. It creates fake servers and supports both TCP and UDP protocols, either singly or in combination. It outputs in CSV format as well as giving more detailed text reports. You can serve fake Telnet, FTP, SMTP, POP3, HTTP, TR-69, IMAP, asciitime, systat and echo servers, as well as serving blank or random output.

rdp2tcp is a tunneling tool on top of remote desktop protocol (RDP). It uses RDP virtual channel capabilities to multiplex several TCP ports forwarding over an already established rdesktop session.

tcpdump allows you to dump the traffic on a network. It can be used to print out the headers and/or contents of packets on a network interface that matches a given expression. You can use this tool to track down network problems, to detect many attacks, or to monitor the network activities.