Re: Weird!

From: Kostas K (acezerocool_at_yahoo.com)
Date: 07/13/04

    Date: 13 Jul 2004 13:40:12 -0000
    To: focus-linux@securityfocus.com
    In-Reply-To: <40EC6DD5.9090407@bcgreen.com>

    Stephen,

    I am using the following rules:

    -iptables -t nat -A PREROUTING -i ppp0 -s 192.168.0.0/16 -j DROP
    -iptables -t nat -A POSTROUTING -o ppp0 -d 192.168.0.0/16 -j DROP

    Do you think that these rules meet the requirements? In case they do not, I will apply yours.
    I have also disabled RIP in my router since it's not the gateway to Internet.

    Regards,
    Kostas

    >My reading is that aa.aaa.aaa is probably attempting to send packets
    >to address 192.168.1.100 OVER THE PPP LINK (i.e. out into the
    >wider internet). [[ You should be egress filtering against such things ]]
    >After a couple of hops, the packet hits a (border?) router that filters
    >against such evils and it sends back the ICMP reject.
    >
    >Suggested rule:
    >
    >-A FORWARD -o ppp0 -d 192.168.0.0/16 -j REJECT
    >-A OUTPUT -o ppp0 -d 192.168.0.0/16 -j REJECT
    >
    >(similarly for other non-routable networks).
    >
    >That should get rid of your weird messages.
    >
    >(( The other possibility is that someone else is faking your
    >source address, but that's rarely of any use with TCP unless they're
    >in a position to capture any response en-route. ))
    >
    >--
    >Stephen Samuel +1(604)876-0426 samuel@bcgreen.com
    > http://www.bcgreen.com/~samuel/
    > Powerful committed communication. Transformation touching
    > the jewel within each person and bringing it to light.
    >
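
The egress filter suggested in the quoted reply, extended to the other non-routable networks it mentions, as an added example that is not part of the original thread. The network list `NETS` and the function names are assumptions chosen for illustration; the rules are printed in the same `-A ...` form as the suggested ones and are not applied.

```shell
#!/bin/sh
# Added example: egress filter for non-routable destinations on a WAN link.
# NETS is an assumed list (RFC 1918 plus link-local); adjust it to your site.
NETS="10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 169.254.0.0/16"

# Print filter-table rules for outbound interface $1.
# FORWARD covers routed LAN traffic, OUTPUT covers the firewall host itself.
# Filter-table chains are used because nat-table chains only see the
# first packet of each connection.
egress_rules() {
    for net in $NETS; do
        for chain in FORWARD OUTPUT; do
            echo "-A $chain -o $1 -d $net -j REJECT"
        done
    done
}

# Convert a dotted-quad address ($1) to a 32-bit integer.
# Assumes plain decimal octets without leading zeros.
ip_to_int() {
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Exit status 0 if address $1 falls inside any network in NETS,
# i.e. a packet to it leaving the WAN interface would hit a REJECT rule.
is_nonroutable() {
    addr=$(ip_to_int "$1")
    for net in $NETS; do
        base=$(ip_to_int "${net%/*}")
        bits=${net#*/}
        mask=$(( (0xFFFFFFFF << (32 - $bits)) & 0xFFFFFFFF ))
        [ $(( $addr & $mask )) -eq $(( $base & $mask )) ] && return 0
    done
    return 1
}

# Dry run: print the rules and check the destination seen in the thread.
egress_rules ppp0
is_nonroutable 192.168.1.100 && echo "192.168.1.100: rejected on ppp0"
```

The printed lines can be placed in the `*filter` section of an `iptables-restore` file, or each one prefixed with `iptables` to load it by hand.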

