LinuxQuestions.org
Visit the LQ Articles and Editorials section
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Networking
User Name
Password
Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.

Notices

Reply
 
Search this Thread
Old 06-18-2008, 01:42 PM   #1
SCerovec
Member
 
Registered: Oct 2006
Location: Cp6uja
Distribution: Slackware and Porteus
Posts: 648

Rep: Reputation: 45
Question what to do in case of a port flood? (newbies on broadband)


1. How could a net-newbie distinguish an
accidental flood to a regular service (25,80,443,21+high ports)
from a DOS/DDOS attack?
what's to be looked for?

2. The funny thing is: when I stop the firewall, the traffic goes away
(ports are 'closed' instead of 'filtered'?)
the service does not run in either case?
the firewall in question is "arno's iptables"

3. What does "scanning attempt" in firewall logs stand for?
Doesn't normal operation involve 'scanning' of ports too?

4. Shall a linux user resort to AIDE or shall we "know stuff" and "roll our own"?

5. where does one turn to (homework) to understand this? 8)

I a total lammer and loosing "it" here, please be kind when kicking me :-( for this post...
 
Old 06-18-2008, 01:59 PM   #2
ARC1450
Member
 
Registered: Jun 2005
Location: Odenton, MD
Distribution: Gentoo
Posts: 290

Rep: Reputation: 30
1) The only thing I can think of is look for a very large number of SYN packets. From what I understand, the basic idea of a DoS attack is to open all the network connections allowed and cause the router/server to deny opening any more. Now, those SYN packets would probably come from illegitimate addresses, such as any of the private blocks (10.x.x.x, 172.16.x.x, 192.168.x.x) so as to keep a computer from answering a SYN packet request.

2) When the port is "closed", you're responding back to a request if the port is open or not. The only way to truly "stealth" a port (as in make it seem like nothing exists) is to filter it, and that is basically meaning not responding to anything that hasn't been asked for. The reason you don't see firewall logs grow when the firewall is off is that your computer, even with ports closed, is responding to requests.

3) Normal operation does not include "scanning" for ports. Scanning for ports means sending SYN packets to sequential ports to see what state the port is in. You can randomize what order you hit ports in to find scanning attempts, but I think they're generally still caught, though.

4) For intrusion detection, do as you see fit. Although many good security guys will tailor intrusion detection as they see fit

5) Look in books, on the web, here. . .basically, go anywhere you can to find information, and try to find that information from 3 sources if you want to ensure its legitimacy.
 
Old 06-23-2008, 03:53 AM   #3
SCerovec
Member
 
Registered: Oct 2006
Location: Cp6uja
Distribution: Slackware and Porteus
Posts: 648

Original Poster
Rep: Reputation: 45
Kind thanks, ARC1450,

It does konfirm my guesses.

I meant 'no traffic' was showing zero troughput on gkrellm (I monitor my "exposed one" via gkrellmd+gkrellm.

While the firewal is 'down' there apears to be no traffic? Is aswering to a 'closed' port - no traffic?

I also added a custom rule to "DROP" (and tried "TARPIT" too ?) all traffic originating from the offending ports, then the traffic merely declined but still i was flooded (or is the propper term "congestion"?).

Namely, my 'flooded' host is a DNS server and got hit by mail servers while having no mail service. A week before i had a test-run of postfix on it, but I decided I have no time to learn it and stopped it for the moment. Few days after I noticed the flood?

Am I doing something (what?) wrong?
:-(
 
  


Reply

Tags
admin, attack, flood, internet


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
Copying files from case-sensitive Linux to case-insensitive Windows via CIFS? SlowCoder Linux - General 4 05-07-2008 07:03 PM
Stopping UDP Packtet Flood on Port: 28960 murder Linux - Security 6 09-19-2005 09:42 PM
Stoping UDP Packtet Flood on Port: 28960 murder Linux - Networking 1 09-19-2005 08:43 AM
Sharing broadband between WinXP and MDK 9.2 using Planet ADSL 4 port Modem Router cwchia Linux - Networking 12 05-27-2004 11:01 PM
compusa 4 port 10\100 switch internet cable\dsl broadband router mcslinux Linux - Networking 1 11-22-2003 08:29 PM


All times are GMT -5. The time now is 06:22 PM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration