FW: iptables anti-nimda anyone?
From: Trevor Benson (tbenson@gdxinc.com)
Date: 09/26/01
- Previous message: Mogens Valentin: "Re: Help with hijacked sendmail"
- Maybe in reply to: Konrad Michels: "iptables anti-nimda anyone?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Message-ID: <378253B6F337D411BB0B009027C3F043801A0F@EMAILSERVER>
From: Trevor Benson <tbenson@gdxinc.com>
To: "'focus-linux@securityfocus.com'" <focus-linux@securityfocus.com>
Subject: FW: iptables anti-nimda anyone?
Date: Wed, 26 Sep 2001 14:05:14 -0700
From Eric Mroczka:
I agree with the concept of filtering out the unnecessary traffic at your
border router, but your pipe from your ISP is still going to get the traffic.
The ACLs you are referring to will simply keep the traffic from passing
through your router. They will not keep the traffic from flooding your
Internet connection to begin with. If enough machines are trying to flood
your block of addresses, you're going to suffer unless you can convince your
ISP to filter the packets before they get into your Internet pipe.
You definitely have a point; you would want this on the ISP end as well.
Although the concept was immediate relief from the problems the attacks cause:
dropped connections, lag, DoS. As many people know, ISPs can take quite
some time to adjust something if they are themselves dealing with virus and
traffic issues. You can adjust your router while waiting for them
to answer the phone, though, and give your firewall breathing space to traverse
chains for traffic to legitimate hosts. Not everyone got hit hard by the
virus, although I had some load-balanced firewalls take so much traffic they
ended up with DoS for over an hour on internal use. Immediately
stopping those hits took the load off the rules, and let us browse over
slow to mid-sized pipes without seeing much loss in any location, allowing
business and email and other things to once again function, albeit not at
optimal performance. Slow is better than none, however. You also chopped
the lines from below:
Then you next configure your firewall to do all the rest of the suggestions for
the legitimate web hosts you run. Add all of that together and you
essentially don't even notice the bandwidth loss, and have successfully
blocked out most of the Denial of Service this can cause to the Internet
when a few infected hosts start hitting you simultaneously.
"Essentially don't notice the bandwidth loss": I figured there would be
traffic on the pipe. It won't resolve the loss of bandwidth, just stop the
true problem in most networks: the firewalls bogged down with illegitimate
traffic, not the pipe taking all of the bandwidth. It doesn't take much of
a small to mid-sized pipe to crush your firewall with hits; stopping this in
many locations shows that usage wasn't even all that bad after the ACL went
into place. You are correct, though, that the complete package against
something like this, in quickest-result-oriented order, would be: ACL your
router against inbound illegitimate port traffic, thus reducing firewall loads;
firewall with appropriate rules of state to catch the illegitimate traffic
to legitimate hosts you provide those services through; at the same time as or
shortly after the firewall, get your ISP working on adjusting the ACLs on their
router (another problem is that not every ISP out there has bothered to do the
basic configuration to support ACLs; many but not all).
Thank you for pointing out the other component of defending against this, as
all of it together almost eliminates any problems. Mind you, this has
nothing to do with internal Nimda issues you can experience that might
actually hinder your LAN if it gets out of hand ;).
Trevor
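The two filtering stages the message above describes, a border-router ACL that keeps scanner connections off the firewall and a stateful iptables ruleset that lets only the real web hosts see new HTTP connections, as an added example that is not part of the original thread or of any poster's configuration. Everything concrete in it is an assumption for illustration: the protected block 192.0.2.0/24 behind eth0, the two web hosts 192.0.2.10 and 192.0.2.11, the chain name NIMDA, ACL number 110, and a border router that takes Cisco IOS-style extended access lists. The script only prints the rules; applying them is left to the reader.

```shell
#!/bin/sh
# Added example, not from the thread. Emits the two filtering stages the
# message describes: a border-router ACL that keeps scanner traffic off the
# firewall, and an iptables ruleset that accepts established flows first and
# lets only the real web hosts receive NEW HTTP connections.
# Assumptions (hypothetical, for illustration): the protected block is
# 192.0.2.0/24 behind interface eth0, and the router speaks IOS-style
# extended ACL syntax.

NET=${NET:-192.0.2.0/24}
NET_ADDR=${NET_ADDR:-192.0.2.0}         # same block as NET, in the IOS form
NET_WILDCARD=${NET_WILDCARD:-0.0.0.255} # IOS wildcard mask for a /24
WAN_IF=${WAN_IF:-eth0}

# Stage 1: router ACL. Arguments are the legitimate web hosts. First match
# wins in IOS, so the per-host permits must precede the block-wide deny.
gen_router_acl() {
    printf '%s\n' '! apply inbound on the ISP-facing interface (ip access-group 110 in)'
    for host in "$@"; do
        printf '%s\n' "access-list 110 permit tcp any host $host eq 80"
    done
    printf '%s\n' "access-list 110 deny tcp any $NET_ADDR $NET_WILDCARD eq 80"
    printf '%s\n' 'access-list 110 permit ip any any'
}

# Stage 2: firewall ruleset in iptables-restore format. Arguments are the
# legitimate web hosts that may receive new HTTP connections.
gen_fw_rules() {
    printf '%s\n' '*filter' \
        ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT ACCEPT [0:0]' \
        ':NIMDA - [0:0]'
    # State first, on both chains: packets of already-accepted flows never
    # walk the rest of the chain, which is the "breathing space" the
    # message talks about. Management rules for the firewall itself would
    # follow the INPUT rule; they are omitted here.
    printf '%s\n' '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    printf '%s\n' '-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT'
    # Every NEW inbound connection to port 80 in our block is sent to NIMDA.
    printf '%s\n' "-A FORWARD -i $WAN_IF -d $NET -p tcp --dport 80 -m state --state NEW -j NIMDA"
    # Only the listed hosts actually serve HTTP.
    for host in "$@"; do
        printf '%s\n' "-A NIMDA -d $host -p tcp --dport 80 -j ACCEPT"
    done
    # Anything else aimed at port 80 is scanner noise: log a rate-limited
    # sample so the hit rate is still visible, then drop.
    printf '%s\n' '-A NIMDA -m limit --limit 5/min -j LOG --log-prefix "nimda-scan: "'
    printf '%s\n' '-A NIMDA -j DROP'
    printf '%s\n' 'COMMIT'
}

# Number of rule lines (-A ...) in the firewall ruleset, for sanity checks.
fw_rule_count() { gen_fw_rules "$@" | grep -c '^-A'; }

# Usage: sh nimda-filter.sh 192.0.2.10 192.0.2.11 | iptables-restore
if [ $# -gt 0 ]; then
    gen_fw_rules "$@"
fi
```

The router ACL is what takes the load off the firewall: connections to port 80 on addresses that do not run a web server never reach it. The ESTABLISHED,RELATED rules at the top of each chain are the "rules of state" part, so legitimate flows are accepted on the first match instead of traversing the NIMDA chain. Neither stage changes what the ISP delivers on the pipe, which is the point Eric raises; only an ACL upstream does that.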