Re: [fw-wiz] help with attack

From: Paul Robertson (proberts@patriot.net)
Date: 10/11/02


From: Paul Robertson <proberts@patriot.net>
To: Mark Ryan <markryan@charter.net>
Date: Fri Oct 11 17:19:02 2002

On Fri, 11 Oct 2002, Mark Ryan wrote:

> Is there a way to prevent the following attack from happening again?
> They icmp type-8 flooded me for hours. My iptables firewall script

The best way to deal with a flood attack is to contact your upstream
provider and have them filter and/or track back and filter the offender.
Since it's an ICMP-based attack, spoofing the source is trivial, so
routing paths are the way to figure out where it's coming from. Most
providers have done this enough these days that they'll be able to handle
it.

> logged and logged but my connection went down for hours. Here is an
> example from the log.
>
> Oct 10 23:15:58 dhcp-16-8 kernel: Netfilter: IN=eth0 OUT=
> MAC=00:e0:29:6f:8c:b8:00:d0:ba:1e:6d:70:08:00 SRC=68.144.164.40
> DST=24.240.225.207 LEN=545 TOS=0x00 PREC=0x00 TTL=115 ID=1273 PROTO=ICMP
> TYPE=8 CODE=0 ID=65039 SEQ=3088

You could try sending back an ICMP network unreachable, but likely the
source is spoofed and the tool used doesn't care.

> I am using redhat 7.2 on a P166 with 2 nic cards as a router. I am
> running an iptables rules script that I found on the internet.

Hopefully you understand the rules you found...

Paul
-----------------------------------------------------------------------------
Paul D. Robertson "My statements in this message are personal opinions
proberts@patriot.net which may have no basis whatsoever in fact."
probertson@trusecure.com Director of Risk Assessment TruSecure Corporation
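
As an added example (not part of the original message): a short Python script that turns Netfilter log lines like the one quoted above into a per-source summary of ICMP echo requests, which can be passed to the upstream provider along with the timestamps. It assumes the `Netfilter: ` log prefix seen in the quoted line; the first sample line is the one from the post and the rest are constructed.

```python
import re
from collections import defaultdict

# First line is the entry quoted in the post; the others are constructed samples.
SAMPLE = """\
Oct 10 23:15:58 dhcp-16-8 kernel: Netfilter: IN=eth0 OUT= MAC=00:e0:29:6f:8c:b8:00:d0:ba:1e:6d:70:08:00 SRC=68.144.164.40 DST=24.240.225.207 LEN=545 TOS=0x00 PREC=0x00 TTL=115 ID=1273 PROTO=ICMP TYPE=8 CODE=0 ID=65039 SEQ=3088
Oct 10 23:15:59 dhcp-16-8 kernel: Netfilter: IN=eth0 OUT= MAC=00:e0:29:6f:8c:b8:00:d0:ba:1e:6d:70:08:00 SRC=68.144.164.40 DST=24.240.225.207 LEN=545 TOS=0x00 PREC=0x00 TTL=115 ID=1274 PROTO=ICMP TYPE=8 CODE=0 ID=65039 SEQ=3089
Oct 10 23:15:59 dhcp-16-8 kernel: Netfilter: IN=eth0 OUT= MAC=00:e0:29:6f:8c:b8:00:d0:ba:1e:6d:70:08:00 SRC=192.0.2.10 DST=24.240.225.207 LEN=84 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=4242 SEQ=1
Oct 10 23:15:59 dhcp-16-8 kernel: Netfilter: IN=eth0 OUT= MAC=00:e0:29:6f:8c:b8:00:d0:ba:1e:6d:70:08:00 SRC=198.51.100.7 DST=24.240.225.207 LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=4021 DF PROTO=TCP SPT=4321 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Oct 10 23:16:00 dhcp-16-8 sshd[812]: Connection closed by 198.51.100.7
"""

FIELD = re.compile(r"(\w+)=(\S*)")  # value may be empty, as in "OUT="

def parse_line(line):
    """Return (timestamp, fields) for a Netfilter log line, or None."""
    head, sep, body = line.partition("kernel: Netfilter: ")
    if not sep:
        return None
    fields = {}
    for key, value in FIELD.findall(body):
        # ID= appears twice: first the IP header ID, then the ICMP echo ID.
        if key == "ID" and "ID" in fields:
            key = "ICMP_ID"
        fields[key] = value
    return head[:15], fields  # syslog timestamp is the first 15 characters

def summarize_echo_requests(text):
    """Per-source totals for ICMP type 8 (echo request) packets."""
    stats = defaultdict(lambda: {"packets": 0, "bytes": 0, "ttls": set(),
                                 "first": None, "last": None})
    for line in text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        stamp, f = parsed
        if f.get("PROTO") != "ICMP" or f.get("TYPE") != "8":
            continue
        s = stats[f["SRC"]]
        s["packets"] += 1
        s["bytes"] += int(f["LEN"])
        s["ttls"].add(int(f["TTL"]))
        s["first"] = s["first"] or stamp
        s["last"] = stamp
    return dict(stats)

if __name__ == "__main__":
    for src, s in summarize_echo_requests(SAMPLE).items():
        print(f"{src}: {s['packets']} pkts, {s['bytes']} bytes, "
              f"TTLs {sorted(s['ttls'])}, {s['first']} .. {s['last']}")
```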


