Re: How to get rid of spoofed IP-Address responses

From: Seth Arnold (sarnold@wirex.com)
Date: 05/24/02


Date: Fri, 24 May 2002 09:51:42 -0700
From: Seth Arnold <sarnold@wirex.com>
To: focus-linux@securityfocus.com


On Thu, May 23, 2002 at 10:30:22PM +0200, NetWatch wrote:
> For several weeks we have been getting SYN responses from hosts that were
> under a DoS attack. The attacker used our IP addresses as the spoofed
> source IP and port 80 as the source port.
> Everything I can find is about how to survive when I am the attacked network.
> How can I prevent getting these stupid responses to my network? This is
> really annoying.

Without knowing the details of what the attack looks like, it is
difficult to say what exactly will fix the problem. However, I am going
to guess that the incoming packets have both the SYN and ACK flags set,
since the other end point is supposedly replying to an initial SYN
packet.

If this is the case, you can configure your firewall to block all
incoming SYN+ACK packets that are not in response to an outgoing SYN
packet. This would be pretty straightforward in the ipf or pf firewalls;
it might be straightforward with iptables as well. I'm hoping my
response will help you find some appropriate documentation.

(For completeness of archives, the method to block those packets with
ipf or pf involves block in rules with "flags SA/SA", or something very
similar depending upon local preferences.)

Good luck

-- 
http://sardonix.org/
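
The stateful rule described above, as an added example that is not part of the original message or of the ipf/pf/iptables projects: a toy packet classifier in Python that passes an inbound SYN+ACK only when it answers a SYN we sent to that host and port, and treats any other inbound SYN+ACK as backscatter. The network prefix, addresses and ports are constructed assumptions.

```python
# Added example, not from the original post: a toy version of the stateful rule
# described above. Addresses and ports are constructed (RFC 5737 test ranges).
from dataclasses import dataclass
from typing import List, Set, Tuple

OUR_PREFIX = "198.51.100."   # assumption: our own address block (TEST-NET-2)


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str               # TCP flags as letters, e.g. "S", "SA", "RA"


def classify(packets: List[Packet]) -> List[str]:
    """One verdict per packet: 'pass', or 'drop:backscatter' for an inbound
    SYN+ACK that does not answer a SYN we sent to that host and port."""
    pending: Set[Tuple[str, int, str, int]] = set()   # our unanswered SYNs
    verdicts = []
    for p in packets:
        if p.src.startswith(OUR_PREFIX):              # outbound packet
            if p.flags == "S":
                pending.add((p.src, p.sport, p.dst, p.dport))
            verdicts.append("pass")
        elif "S" in p.flags and "A" in p.flags:       # inbound SYN+ACK
            key = (p.dst, p.dport, p.src, p.sport)
            if key in pending:
                pending.discard(key)   # a real firewall now tracks it as ESTABLISHED
                verdicts.append("pass")
            else:
                verdicts.append("drop:backscatter")
        else:
            verdicts.append("pass")                   # outside this rule's scope
    return verdicts


# Constructed sample: our SYN and its genuine reply, then a SYN+ACK nobody here
# asked for (a DoS victim answering a SYN spoofed with our address and port 80).
SAMPLE = [
    Packet("198.51.100.5", 40001, "203.0.113.10", 80, "S"),
    Packet("203.0.113.10", 80, "198.51.100.5", 40001, "SA"),
    Packet("192.0.2.7", 443, "198.51.100.5", 80, "SA"),
]

if __name__ == "__main__":
    for p, v in zip(SAMPLE, classify(SAMPLE)):
        print(f"{p.src}:{p.sport} -> {p.dst}:{p.dport} [{p.flags}] {v}")
```

Note that this only implements the SYN+ACK case the reply discusses; a victim may also answer spoofed SYNs with RST, which this rule leaves alone.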