RE: route add to block IPs

From: Chris Davis (chris.davis@computerjobs.com)
Date: 09/18/02

From: Chris Davis <chris.davis@computerjobs.com>
To: focus-linux@securityfocus.com
Date: Wed, 18 Sep 2002 10:29:57 -0400

>I've been an unfortunate target of various script-kiddies/worms and have
>configured apache to perform something like this on all incoming requests
>containing bad URIs:
>
>route -n add <evil IP> gw <bogus local host>
>
>The only concern I have is: will this cause performance problems? I've got
>about 10 so far and I just put it up about 24 hrs ago.

At the rate mentioned, this should not cause performance problems.

Be aware, though, that this does still allow incoming SYNs from evil IPs.
Your machine will then SYN-ACK to your bogus local host gateway, resulting
in the TCP session never being established.

At a rate of 10 per 24 hours, this doesn't matter too much. At a high rate,
though, this can become a quite serious problem as you consume all of your
incoming ports with half-established TCP sessions faster than those
half-established TCP sessions time out.

Another possible complication is with regard to future troubleshooting of
routing issues, since you are effectively turning your Linux server into a
router.

And yet another possible complication is that if Apache receives packets
that have forged source IP addresses, you will be null routing those forged
(innocent) IP addresses.
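One way to see the half-open-session side effect described above on your own box, as an added example that is not part of the original post: cross-reference the hosts that were null-routed via a bogus gateway (taken from `route -n`) with the SYN_RECV entries in `netstat -tan`. Both inputs here are constructed sample output using documentation address ranges, and the bogus gateway address 192.0.2.254 is an assumption; on a live system you would pipe in the real command output instead.

```shell
#!/bin/sh
# Added example (not from the original post): lists null-routed peers that are
# still holding half-open (SYN_RECV) TCP sessions on this server, i.e. SYNs
# that arrived and whose SYN-ACKs were sent toward the bogus gateway.

BOGUS_GW="192.0.2.254"   # assumed bogus "gateway" used in the route add

# Constructed "route -n" output: two /32 host routes point at the bogus gateway.
ROUTE_TABLE='Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
203.0.113.17    192.0.2.254     255.255.255.255 UGH   0      0        0 eth0
198.51.100.9    192.0.2.254     255.255.255.255 UGH   0      0        0 eth0
192.0.2.0       0.0.0.0         255.255.255.0   U     0      0        0 eth0
0.0.0.0         192.0.2.1       0.0.0.0         UG    0      0        0 eth0'

# Constructed "netstat -tan" output: SYN_RECV entries left by the null-routed
# hosts, plus one legitimate established session from an unrelated peer.
NETSTAT_OUT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 192.0.2.10:80           203.0.113.17:40001      SYN_RECV
tcp        0      0 192.0.2.10:80           203.0.113.17:40002      SYN_RECV
tcp        0      0 192.0.2.10:80           203.0.113.17:40003      SYN_RECV
tcp        0      0 192.0.2.10:80           198.51.100.9:51000      SYN_RECV
tcp        0      0 192.0.2.10:80           198.51.100.50:52000     ESTABLISHED'

# Destinations of host routes (genmask /32) whose gateway is the bogus one.
null_routed_hosts() {
    printf '%s\n' "$ROUTE_TABLE" |
        awk -v gw="$BOGUS_GW" '$2 == gw && $3 == "255.255.255.255" { print $1 }'
}

# Half-open sessions per peer address, as "<ip> <count>" lines (port stripped).
half_open_by_peer() {
    printf '%s\n' "$NETSTAT_OUT" |
        awk '$6 == "SYN_RECV" { sub(/:[0-9]+$/, "", $5); n[$5]++ }
             END { for (ip in n) print ip, n[ip] }' | sort
}

# Join the two views: null-routed peers that still occupy SYN_RECV slots.
null_routed_half_open() {
    half_open_by_peer | while read -r ip count; do
        null_routed_hosts | grep -qx "$ip" && printf '%s %s\n' "$ip" "$count"
    done
}

null_routed_half_open
```

A non-empty result confirms the reply's point: the route entry stops the SYN-ACK from reaching the peer but does nothing to stop the incoming SYN from consuming a slot until the half-open session times out.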