Review your favorite Linux distribution.
Go Back > Forums > Linux Forums > Linux - Networking
User Name
Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.


  Search this Thread
Old 03-02-2009, 01:43 PM   #1
LQ Newbie
Registered: Mar 2009
Posts: 2

Rep: Reputation: 0
Query: linux tcp/ip stack logging capability used by external devices like a iptables

Dear Network Experts,

I am reasonably new to the Linux networking principles.

I am just wondering if the Linux networking stack records various attacks to the TCP/IP stack by itself. For example does it log errors of misaligned TCP flags (the setting of both syn and rst etc). And where would such error, failed attempt log files be stored? (Ubuntu user)

I am trying to figure out if various errors that arise within the TCP/IP stack could some how be used as guidance when designing for example firewall rules.

Consider if an offending IP address is launching a DoS attack for example a FIN-WAIT-2 flood attack can the server have its TCP/IP stack log this?
if this is the case then I can use various constraint reasoners and other nuts and bolts to automatically infer a set of dynamic firewall rules to mitigate/reduce attacks.

I understand that iptables can protect the network by implementing various best practices but I am keen to know more about the logging facilities that the server TCP/IP stack can perform on its own. After all, its doing deep packet inspection (using this term loosely) as it decouples the packet, so I presume it has the mechanics to record failed attempts and so forth.

Looking forward to your comments. I have just started on my quest today, so I am still just getting my teeth into the issue.

Old 03-02-2009, 02:13 PM   #2
Registered: Aug 2003
Location: Seattle
Distribution: ubuntu, lately
Posts: 182
Blog Entries: 1

Rep: Reputation: 35
the linux kernel does not do deep packet inspection (examination of the payload), but it does necessarily check packet headers for illegal formations, and generally just silently discards such packets (logging them creates its own security problems, such as logging floods). I'm unaware of any log settings within the network stack. There may be a way to turn some logging on for these events but you might have to edit the source and rebuild the kernel to do this.

As far as I know there's nothing out of the box that will do specifically what you want, especially as "attacks" are not categorized as such by the kernel or even by iptables. In general network packets are either well-formed and allowed or malformed and quietly discarded.

iptables has some logging features that will allow you to record some types of activity. you could implement it along the lines of:

iptables --state ESTABLISHED -j ALLOW # this allows pkts from established sessions
iptables -j LOG # this logs anything that wasn't deemed 'established' like NEW tcp sessions or stray FIN pkts

(don't use these verbatim - I've left out a lot of details that will be specific to your situation.)

Last edited by grepmasterd; 03-02-2009 at 02:15 PM.
Old 03-02-2009, 02:38 PM   #3
LQ Newbie
Registered: Mar 2009
Posts: 2

Original Poster
Rep: Reputation: 0
Thanks for the response.

Presumably iptables is also open to log floods as it acts as a proxy logger for its inner systems!

Things are starting to make sense now, in particular as you mention packets getting silently discarded (and not logged). One solution that I already had in mind and you also mention is to have the firewall log packets that have non-compliant headers. Or snort logs.

I could then automatically reason over these logs and auto-configure a new set of firewall rules to mitigate threats to systems it protects.

I'll need to think more about this. I guess I was just hoping that end systems themselves could offer various network facts incurred on their own and then build protective rule sets and so forth to counter them.

Of course if the server was running external TCP stack mechanims for example TCP-Wrapper or snort, I could just interpret its failed log attempts and push the dropping of such packets up stream. Thus bringing about security-in-depth. (I am aware of snort-inline also)

But that was not what I was thinking about as I wanted to know if *vanilla* tcp/ip stacks on servers or even end-client systems could be used in the guidance process. While they themselves would not have the semantic capability to understand the attacks, constructing a reasoner would and thus automatically configure the firewall.

Once again, thanks for your input.
Back the drawing board for me :-)


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off

Similar Threads
Thread Thread Starter Forum Replies Last Post
TCP/IP protocol stack query ?????? raklo Linux - Networking 4 07-31-2007 07:09 AM
Linux TCP/IP Stack: meaning of some fields Mr.Bloom Programming 2 04-11-2006 03:18 PM
DG/UX and RedHat Linux Having TCP/IP Stack Issues TonyBerry Linux - Networking 2 01-25-2006 05:55 PM
getting new tcp/ip stack on linux cdp Linux - Networking 7 06-29-2005 12:50 PM
TCP/IP Stack on Linux? Rossak Linux - Networking 2 07-27-2003 06:20 PM > Forums > Linux Forums > Linux - Networking

All times are GMT -5. The time now is 07:54 PM.

Main Menu
Write for LQ is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration