LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 04-07-2007, 07:36 PM   #16
v00d00101
Member
 
Registered: Jun 2003
Location: UK
Distribution: Devuan Beowulf
Posts: 514
Blog Entries: 1

Rep: Reputation: 37

So many easy ways to fingerprint it.

Nmap is infinitely more powerful than the example given.

Google is your best friend.
 
Old 04-07-2007, 09:39 PM   #17
c00kie
Member
 
Registered: Mar 2007
Location: CORE
Distribution: FC6, FreeBSD, XP?
Posts: 34

Original Poster
Rep: Reputation: 15
Yeah, exactly why I need to know the distro, 'cause it's a firewall that can block the type of DDoS I'm dealing with.

So, if you want it like this, what distro would you suggest I use on a firewall? As I said, I'm dealing with some sort of DDoS.
 
Old 04-07-2007, 10:42 PM   #18
rocket357
Member
 
Registered: Mar 2007
Location: 127.0.0.1
Distribution: OpenBSD-CURRENT
Posts: 485
Blog Entries: 187

Rep: Reputation: 74
If it's the firewall in particular you're trying to ID, then run 'p0f -R' in one terminal and scan it with nmap in another terminal. Unless it's configured to drop packets, trust the p0f findings.

Note: If nmap reports the port as open, then you're ID'ing a server behind the firewall. Only RST packets sent by the firewall itself will give you an accurate ID.

Then again, an RST packet is pretty hard to screw up, so RSTs sent by nearly any major OS out there will probably ID the same (I've seen Linux machines ID as FreeBSD before on ID attempts I've run on my own machines)...and it's likely that if this firewall is doing well against DDoS attacks, it's probably dropping the packets and not wasting time responding.

Good luck ID'ing it...you'd be better off begging and pleading with the admin of the firewall =) Oh, and I'll chime in again: Google is your best friend.

Quote:
Originally Posted by Road_Map
What a secret! After 5 min of Google and DistroWatch:

IPCop Firewall 1.4.15 - 46 MB
Wolverine Firewall and VPN Server 2.01.1008 RC1 - 20.8 MB
m0n0wall 1.23 Stable - 5.76 MB
Coyote Linux 2.24 Stable - 2.58 MB

Anyway, who are "they"?
It would appear that "some 20MB firewall distro" would have already been ID'd by this response...

Last edited by rocket357; 04-07-2007 at 10:45 PM.
 
Old 04-07-2007, 10:48 PM   #19
rocket357
Member
 
Registered: Mar 2007
Location: 127.0.0.1
Distribution: OpenBSD-CURRENT
Posts: 485
Blog Entries: 187

Rep: Reputation: 74
Ehh, if all you want to do is stop a ddos, then roll your own firewall with OpenBSD's pf. Sick stability and speed. Or you could always run pf on FreeBSD with bruteforceblocker installed... =)
 
Old 04-08-2007, 08:01 AM   #20
c00kie
Member
 
Registered: Mar 2007
Location: CORE
Distribution: FC6, FreeBSD, XP?
Posts: 34

Original Poster
Rep: Reputation: 15
@Rocket357: does FreeBSD's pf offer any support against DDoS? If so.. I'll try to install it... firstly, if you have access to an OpenBSD box maybe we'll make some tests.. since I know how they're DDoSing.

Last edited by c00kie; 04-08-2007 at 09:32 AM.
 
Old 04-08-2007, 09:23 AM   #21
ieatsplaydoh
Member
 
Registered: Oct 2006
Location: Denver
Distribution: All of them
Posts: 62

Rep: Reputation: 15
Well... needing the distro makes sense.
Sorry I jumped at you like that.
 
Old 04-08-2007, 09:31 AM   #22
c00kie
Member
 
Registered: Mar 2007
Location: CORE
Distribution: FC6, FreeBSD, XP?
Posts: 34

Original Poster
Rep: Reputation: 15
It's okay, I'm downloading FreeBSD right now.. if someone has any other suggestions, or even better if someone wants to try to help me stop this type of DDoS, it would be great..

Last edited by c00kie; 04-08-2007 at 09:32 AM.
 
Old 04-10-2007, 06:50 PM   #23
rocket357
Member
 
Registered: Mar 2007
Location: 127.0.0.1
Distribution: OpenBSD-CURRENT
Posts: 485
Blog Entries: 187

Rep: Reputation: 74
Quote:
Originally Posted by c00kie
@Rocket357: does FreeBSD's pf offer any support against DDoS? If so.. I'll try to install it... firstly, if you have access to an OpenBSD box maybe we'll make some tests.. since I know how they're DDoSing.
Ehh, only OpenBSD box I have available at the moment is a client's firewall I set up a while back, and that's (for obvious reasons) not a very "ethical" thing to do. I'm a bit short on machines at the moment since my sr. project is taking up my usually free "playground" machine (my school is an M$ house, so I'm working in VS and SQL Server...doh?)

I haven't messed with FreeBSD pf much...but I know bruteforceblocker (in ports) can modify pf rules on the fly to drop packets from IPs that have too many open requests and the like.

I had started writing a similar script a while back, but mine is far from finished, and I don't plan on finishing it since bruteforceblocker is available (I started writing it before I learned of bruteforceblocker). I think bruteforceblocker is intended for sshd attacks, but I'm sure it can be modified to work with whatever you're trying to use it for.

Let me know if this helps any.
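As an added example (not from any poster in this thread, and not bruteforceblocker's own rules), this pf.conf fragment does the same job rocket357 describes, dropping sources that open too many connections, using pf's built-in per-source state limits; the interface name, the port and the numeric limits are assumptions for illustration.

```pf
# Added example, not from the thread: pf.conf fragment that drops sources
# opening too many TCP connections to a web server. Same idea as
# bruteforceblocker, but done with pf's own state tracking, no script needed.
# $ext_if, the port and the numeric limits are assumptions for illustration.
ext_if = "em0"

# Offenders are collected here; 'persist' keeps the table even when empty.
table <ddos_hosts> persist

set block-policy drop        # drop silently, no RST back to the flooder

# Table hits are blocked first; 'quick' stops rule evaluation so they never
# reach the pass rule below.
block in quick on $ext_if from <ddos_hosts>

# Accept new HTTP connections but watch each source address:
#   max-src-conn 50         at most 50 simultaneous states per source
#   max-src-conn-rate 20/5  at most 20 new connections per 5 seconds per source
#   overload <ddos_hosts>   a source exceeding either limit goes into the table
#   flush global            and all of its existing states are killed at once
pass in on $ext_if proto tcp to $ext_if port 80 flags S/SA keep state \
    (max-src-conn 50, max-src-conn-rate 20/5, \
     overload <ddos_hosts> flush global)

# For pure SYN floods, 'synproxy state' can replace 'keep state' above so pf
# completes the three-way handshake itself before the server sees anything.
```

Table entries stay until removed, so age them out from cron with `pfctl -t ddos_hosts -T expire 3600` and inspect the current offenders with `pfctl -t ddos_hosts -T show`.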
 
Old 04-11-2007, 06:31 AM   #24
nx5000
Senior Member
 
Registered: Sep 2005
Location: Out
Posts: 3,307

Rep: Reputation: 57
Nmap is good but an old method; there are new tools now.

Either you find these tools (some are private, so forget about finding them), or use your brains:

Install qemu or vmware or whatever and create an image for all the distros that look like a 20 MB firewall.
Probe them and make tables with network unit tests as input and the results of these probes as output.
Connect to them and do the same.

When you find the minimal set of network probes that can determine the machine, run them on the target.

I don't see what's illegal in this. Systems are open and if they allow you to connect (I said connect, not send bad data..) to them, why would it be illegal to do this... It's the game.

My god you are still on this ddos problem... Good luck..
 