06-24-2005, 07:29 AM | #1 | Member | Registered: Dec 2004 | Location: Nepal | Posts: 86
flooding
What is this? Is this an attack?
17:26:56.282761 143.5.243.22.1035 > 239.255.150.51.29500: udp 4694 (frag 60743:1480@0+)
17:26:56.285758 143.5.243.22 > 239.255.150.51: (frag 60743:1480@1480+)
17:26:56.288769 143.5.243.22 > 239.255.150.51: (frag 60743:1480@2960+)
17:26:56.288772 143.5.243.22 > 239.255.150.51: (frag 60743:262@4440)
17:26:56.294785 143.5.243.22.1034 > 239.255.150.49.29450: udp 4569 (frag 60745:1480@0+)
17:26:56.297795 143.5.243.22 > 239.255.150.49: (frag 60745:1480@1480+)
17:26:56.318851 143.5.243.22 > 239.255.150.49: (frag 60745:1480@2960+)
17:26:56.318855 143.5.243.22 > 239.255.150.49: (frag 60745:137@4440)
17:26:56.324866 143.5.243.22.1034 > 239.255.150.49.29450: udp 4570 (frag 60746:1480@0+)
17:26:56.336903 143.5.243.22 > 239.255.150.49: (frag 60746:1480@1480+)
17:26:56.348936 143.5.243.22 > 239.255.150.49: (frag 60746:1480@2960+)
17:26:56.348939 143.5.243.22 > 239.255.150.49: (frag 60746:138@4440)
17:26:56.385037 143.5.243.22.1035 > 239.255.150.51.29500: udp 4694 (frag 60752:1480@0+)
17:26:56.391060 143.5.243.22 > 239.255.150.51: (frag 60752:1480@1480+)
17:26:56.394067 143.5.243.22 > 239.255.150.51: (frag 60752:1480@2960+)
17:26:56.394070 143.5.243.22 > 239.255.150.51: (frag 60752:262@4440)
17:26:56.424154 143.5.243.22.1034 > 239.255.150.49.29450: udp 4569 (frag 60757:1480@0+)
17:26:56.430175 143.5.243.22 > 239.255.150.49: (frag 60757:1480@1480+)
17:26:56.445210 143.5.243.22 > 239.255.150.49: (frag 60757:1480@2960+)
17:26:56.445213 143.5.243.22 > 239.255.150.49: (frag 60757:137@4440)
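Before treating output like this as an attack it helps to parse it: the destinations 239.255.150.x are multicast group addresses, and the "frag" fields show each roughly 4.6 KB UDP datagram split into 1480-byte fragments. The script below is an added example, not code from the thread; it reads tcpdump lines in exactly the format pasted above (the embedded SAMPLE is a constructed subset of those lines), regroups fragments per IP id, checks that the fragments cover the whole datagram, and flags multicast destinations.

```python
"""Summarise fragmented UDP datagrams from tcpdump-style output.

Added example, not from the thread. Groups fragment lines by (source, IP id),
checks contiguity/completeness and flags multicast destinations, which is
the first thing to look at before calling such traffic an attack.
"""
import ipaddress
import re
from collections import OrderedDict

# Constructed sample: a subset of the lines the original poster pasted.
SAMPLE = """\
17:26:56.282761 143.5.243.22.1035 > 239.255.150.51.29500: udp 4694 (frag 60743:1480@0+)
17:26:56.285758 143.5.243.22 > 239.255.150.51: (frag 60743:1480@1480+)
17:26:56.288769 143.5.243.22 > 239.255.150.51: (frag 60743:1480@2960+)
17:26:56.288772 143.5.243.22 > 239.255.150.51: (frag 60743:262@4440)
17:26:56.294785 143.5.243.22.1034 > 239.255.150.49.29450: udp 4569 (frag 60745:1480@0+)
17:26:56.297795 143.5.243.22 > 239.255.150.49: (frag 60745:1480@1480+)
17:26:56.318851 143.5.243.22 > 239.255.150.49: (frag 60745:1480@2960+)
17:26:56.318855 143.5.243.22 > 239.255.150.49: (frag 60745:137@4440)
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d+:\d+:\d+\.\d+) (?P<src>\S+) > (?P<dst>\S+): "
    r"(?:udp (?P<udplen>\d+) )?\(frag (?P<ipid>\d+):(?P<flen>\d+)@(?P<off>\d+)(?P<more>\+?)\)$"
)


def _split_host_port(field):
    """'1.2.3.4.1035' -> ('1.2.3.4', 1035); '1.2.3.4' -> ('1.2.3.4', None)."""
    parts = field.split(".")
    if len(parts) == 5:
        return ".".join(parts[:4]), int(parts[4])
    return field, None


def _seconds(ts):
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def parse_fragments(text):
    """Group tcpdump fragment lines by (source, IP id) into datagram records."""
    datagrams = OrderedDict()
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a fragment line in the expected format; skip it
        src, sport = _split_host_port(m["src"])
        dst, dport = _split_host_port(m["dst"])
        key = (src, int(m["ipid"]))
        d = datagrams.setdefault(key, {
            "src": src, "dst": dst, "sport": None, "dport": None,
            "udp_len": None, "first_ts": _seconds(m["ts"]), "frags": []})
        if m["udplen"]:  # only the first fragment carries the UDP header
            d["sport"], d["dport"], d["udp_len"] = sport, dport, int(m["udplen"])
        d["frags"].append((int(m["off"]), int(m["flen"]), m["more"] == "+"))
        d["last_ts"] = _seconds(m["ts"])
    return list(datagrams.values())


def summarise(datagram):
    """Check fragment contiguity and completeness; flag multicast destinations."""
    frags = sorted(datagram["frags"])
    expected, contiguous = 0, True
    for off, flen, _more in frags:
        if off != expected:
            contiguous = False
        expected = off + flen
    last_has_more = frags[-1][2] if frags else True
    total = expected  # bytes of IP payload across all fragments
    # The first fragment's "udp N" is the UDP length including its 8-byte
    # header, so a fully captured datagram satisfies total == udp_len + 8.
    complete = (contiguous and not last_has_more
                and datagram["udp_len"] is not None
                and total == datagram["udp_len"] + 8)
    return {
        "src": datagram["src"], "dst": datagram["dst"], "dport": datagram["dport"],
        "fragments": len(frags), "payload_bytes": total, "complete": complete,
        "multicast_dst": ipaddress.ip_address(datagram["dst"]).is_multicast,
    }


def report(text):
    return [summarise(d) for d in parse_fragments(text)]


if __name__ == "__main__":
    for r in report(SAMPLE):
        print(r)
```

Run against the full paste, the report shows every datagram as complete and every destination as multicast, which is what you would expect from a multicast stream arriving on a receive-only interface rather than from a fragment attack; a datagram with missing or overlapping fragments would show up as `complete: False`.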
06-24-2005, 08:10 AM | #2 | Member | Registered: Nov 2004 | Location: BIOS | Distribution: RHEL3.0, FreeBSD 5.x, Debian 3.x, Solaris x86 v10 | Posts: 379
You don't have iptables?
06-24-2005, 12:08 PM | #3 | Member | Registered: Dec 2004 | Location: Nepal | Posts: 86 | Original Poster
I do have iptables. But these packets are coming from the DVB interface. How can I block them?
06-24-2005, 03:13 PM | #4 | Member | Registered: Nov 2004 | Location: BIOS | Distribution: RHEL3.0, FreeBSD 5.x, Debian 3.x, Solaris x86 v10 | Posts: 379
Use iptables to block the traffic; something like the following should help you:
iptables -A INPUT -s IP-ADDRESS -j DROP
iptables -A OUTPUT -d IP-ADDRESS -j DROP
However, iptables is serious business; you should read the man page!
06-25-2005, 03:42 AM | #5 | LQ Guru | Registered: Jul 2003 | Location: Los Angeles | Distribution: Ubuntu | Posts: 9,870
Quote: Originally posted by nixcraft
Use iptables to block the traffic; something like the following should help you:
iptables -A INPUT -s IP-ADDRESS -j DROP
iptables -A OUTPUT -d IP-ADDRESS -j DROP
However, iptables is serious business; you should read the man page!
that is correct, but if you're gonna input those commands into the command line you should use a "-I" instead of an "-A" to make sure the rules go to the top of the chain and hence the packets won't get accepted by any other rules before they hit the DROP...
Code:
iptables -I INPUT -s IP-ADDRESS -j DROP
BTW, you don't really need to add a DROP for the IP to the OUTPUT chain...
06-25-2005, 10:07 AM | #6 | Member | Registered: Nov 2004 | Location: BIOS | Distribution: RHEL3.0, FreeBSD 5.x, Debian 3.x, Solaris x86 v10 | Posts: 379
Quote:
Originally posted by win32sux
that is correct, but if you're gonna input those commands into the command line you should use a "-I" instead of an "-A" to make sure the rules go to the top of the chain and hence the packets won't get accepted by any other rules before they hit the DROP...
Code:
iptables -I INPUT -s IP-ADDRESS -j DROP
|
-A will append the rule to the existing rule set; that is why you need it. I assumed that some other rules already exist, like -P to drop everything.
Quote:
BTW, you don't really need to add a DROP for the IP to the OUTPUT chain...
You need the OUTPUT rule too... that is added security.
06-25-2005, 10:23 AM | #7 | LQ Guru | Registered: Jul 2003 | Location: Los Angeles | Distribution: Ubuntu | Posts: 9,870
Quote: Originally posted by nixcraft
-A will append the rule to the existing rule set; that is why you need it. I assumed that some other rules already exist, like -P to drop everything.
that is precisely why you should use "-I" instead of "-A" if you do this from the CLI... it makes sure that EVERY packet from that IP will go to DROP... if you do "-A" from the CLI it's still possible for a packet from that IP to get sent to ACCEPT because it matches one of the rules above... the policy (-P) has nothing to do with it... look at this example (just a stupid "proof of concept"):
Code:
iptables -P INPUT DROP
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p TCP --dport 22 -m state --state NEW -j ACCEPT
if you have the above ruleset active, and you run this command from the CLI:
Code:
iptables -A INPUT -s IP-ADDRESS -j DROP
then the active ruleset would change to:
Code:
iptables -P INPUT DROP
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p TCP --dport 22 -m state --state NEW -j ACCEPT
iptables -A INPUT -s IP-ADDRESS -j DROP
so as you can see, IP-ADDRESS would STILL be able to connect to port 22/TCP...
but if you use "-I" when you execute the command, like:
Code:
iptables -I INPUT -s IP-ADDRESS -j DROP
you'd end-up with this instead:
Code:
iptables -P INPUT DROP
iptables -A INPUT -s IP-ADDRESS -j DROP
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p TCP --dport 22 -m state --state NEW -j ACCEPT
now IP-ADDRESS would NOT be able to connect AT ALL because the packet would go to DROP as soon as it enters the chain - before it can be accepted by any other rule...
Quote:
You need the OUTPUT rule too... that is added security.
it's a nice option that you have available - but you don't "need" to do it...
Last edited by win32sux; 06-25-2005 at 10:27 AM.
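The ordering argument in the post above, as an added example that is not part of the thread: a small first-match simulation of an INPUT chain in Python. It models only the matches the posts use (-s, -p, --dport, -m state), uses the constructed placeholder 192.0.2.10 for IP-ADDRESS, and its verdict functions return what the chain would do to a new SSH connection after the -A and -I variants of the DROP rule.

```python
"""First-match simulation of an iptables INPUT chain.

Added example, not from the thread. It models only the matches used in the
posts (-s, -p, --dport, -m state) and shows why "iptables -A" (append) and
"iptables -I" (insert) give different results for the same DROP rule.
"""


def rule(target, src=None, proto=None, dport=None, state=None):
    """A rule matches when every field it specifies equals the packet's field."""
    return {"target": target, "src": src, "proto": proto, "dport": dport,
            "state": set(state.split(",")) if state else None}


class Chain:
    def __init__(self, policy):
        self.policy = policy      # iptables -P INPUT <policy>
        self.rules = []

    def append(self, r):          # iptables -A INPUT ...   (end of chain)
        self.rules.append(r)

    def insert(self, r, pos=1):   # iptables -I INPUT [rulenum] ... (1 = top)
        self.rules.insert(pos - 1, r)

    def verdict(self, pkt):
        """Walk the chain top to bottom; the first matching rule decides."""
        for r in self.rules:
            if r["src"] is not None and r["src"] != pkt["src"]:
                continue
            if r["proto"] is not None and r["proto"] != pkt["proto"]:
                continue
            if r["dport"] is not None and r["dport"] != pkt.get("dport"):
                continue
            if r["state"] is not None and pkt["state"] not in r["state"]:
                continue
            return r["target"]
        return self.policy        # nothing matched: the chain policy applies


def base_chain():
    """The three-line example ruleset from the post, as a chain object."""
    c = Chain("DROP")
    c.append(rule("ACCEPT", state="ESTABLISHED,RELATED"))
    c.append(rule("ACCEPT", proto="tcp", dport=22, state="NEW"))
    return c


BAD_IP = "192.0.2.10"   # constructed placeholder for IP-ADDRESS in the post
SSH_SYN = {"src": BAD_IP, "proto": "tcp", "dport": 22, "state": "NEW"}


def verdict_after_append():
    """iptables -A INPUT -s BAD_IP -j DROP: rule 2 still accepts the SYN."""
    c = base_chain()
    c.append(rule("DROP", src=BAD_IP))
    return c.verdict(SSH_SYN)


def verdict_after_insert():
    """iptables -I INPUT -s BAD_IP -j DROP: DROP is now rule 1."""
    c = base_chain()
    c.insert(rule("DROP", src=BAD_IP))
    return c.verdict(SSH_SYN)


def verdict_other_host():
    """A NEW SSH connection from any other address is unaffected by the insert."""
    c = base_chain()
    c.insert(rule("DROP", src=BAD_IP))
    return c.verdict({"src": "198.51.100.7", "proto": "tcp", "dport": 22,
                      "state": "NEW"})


if __name__ == "__main__":
    print("after -A:", verdict_after_append())   # ACCEPT
    print("after -I:", verdict_after_insert())   # DROP
    print("other host after -I:", verdict_other_host())   # ACCEPT
```

The same first-match walk is what `iptables -L INPUT --line-numbers -v` lets you verify on a real box: if the DROP line has a higher number than an ACCEPT line that the packet also matches, the DROP never sees it.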
06-25-2005, 10:33 AM | #8 | Member | Registered: Nov 2004 | Location: BIOS | Distribution: RHEL3.0, FreeBSD 5.x, Debian 3.x, Solaris x86 v10 | Posts: 379
Sure, for flooding:
Code:
#!/bin/sh
iptables -F
# Setting default filter policy: DROP ALL :D
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
# allow unlimited traffic on both lo and venet0
iptables -A INPUT -i lo -s 127.0.0.1 -j ACCEPT
iptables -A OUTPUT -o lo -d 127.0.0.1 -j ACCEPT
# Stop flood .. this is also important :D
iptables -N flood
iptables -A INPUT -p tcp --syn -j flood
iptables -A flood -m limit --limit 1/s --limit-burst 3 -j RETURN
iptables -A flood -j DROP
# Now block all IPs
IPS="Ip1 IP2"
for ip in $IPS
do
    iptables -A INPUT -s $ip -j DROP
    iptables -A OUTPUT -d $ip -j DROP
done
# Now allow the traffic using rules as shown by win32sux
I still prefer to add the OUTPUT rule in DROP to avoid IP spoofing attacks; if you look closely, I'm only blocking the destination (-d) from the FW host!
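The flood chain in the script above depends on the limit match, whose burst semantics are easy to misread. The Python model below is an added example, not part of the thread or of iptables itself. It assumes the limit match behaves as a token bucket holding --limit-burst tokens that refill at --limit per second (a close model of the match's behaviour, not its exact credit arithmetic) and replays constructed SYN arrival times to show which packets RETURN to INPUT and which fall through to the chain's final DROP.

```python
"""Token-bucket model of the "iptables -m limit" match in the flood chain.

Added example, not from the thread. Assumes the limit match is a token bucket
with --limit-burst tokens that refills at --limit tokens per second; the real
match uses its own credit arithmetic, so treat this as an approximation.
"""


class LimitMatch:
    def __init__(self, rate_per_sec, burst):
        self.rate = float(rate_per_sec)   # --limit N/s
        self.burst = float(burst)         # --limit-burst N (bucket size)
        self.tokens = float(burst)        # the bucket starts full
        self.last = None                  # time of the previous packet

    def matches(self, t):
        """True if a packet arriving at time t (seconds) fits within the limit."""
        if self.last is not None:
            # refill for the elapsed time, capped at the burst size
            self.tokens = min(self.burst, self.tokens + (t - self.last) * self.rate)
        self.last = t
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def flood_chain(arrivals, rate_per_sec=1, burst=3):
    """Replay the 'flood' user chain for a list of SYN arrival times.

    Mirrors the two rules from the script:
      -A flood -m limit --limit 1/s --limit-burst 3 -j RETURN
      -A flood -j DROP
    Packets within the limit RETURN to INPUT; the rest hit the DROP rule.
    """
    lim = LimitMatch(rate_per_sec, burst)
    return ["RETURN" if lim.matches(t) else "DROP" for t in arrivals]


# Constructed: six SYNs inside the first 100 ms, then a slower trickle.
SYN_TIMES = [0.00, 0.02, 0.04, 0.06, 0.08, 0.10, 1.10, 2.20, 2.25]


if __name__ == "__main__":
    for t, v in zip(SYN_TIMES, flood_chain(SYN_TIMES)):
        print(f"t={t:5.2f}s  {v}")
```

With these values only the first three SYNs of the burst get through; afterwards roughly one SYN per second is admitted, which is why `--limit-burst` matters as much as `--limit` when tuning such a chain. Note that the chain as written rate-limits all inbound SYNs together, not per source address, so a single noisy host can starve legitimate connection attempts as well.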
06-25-2005, 10:47 AM | #9 | LQ Guru | Registered: Jul 2003 | Location: Los Angeles | Distribution: Ubuntu | Posts: 9,870
Quote:
Originally posted by nixcraft
Code:
# Now block all ips
IPS="Ip1 IP2"
for ip in $IPS
do
iptables -A INPUT -s $ip -j DROP
done
|
you're still just appending (-A) $ip to the END of the chain...
if you really want to block $ip you need to insert (-I) the rule at the START of the chain...
Last edited by win32sux; 06-25-2005 at 10:49 AM.
06-25-2005, 11:05 AM | #10 | LQ Guru | Registered: Jul 2003 | Location: Los Angeles | Distribution: Ubuntu | Posts: 9,870
wait - i see what you're doing... your other iptables rules would come in after that section of your script... either way, i'm talking strictly about the CLI - not about a script... if you do it from the CLI it's simple and effective to use "-I" as it makes sure the rule goes to the top of the chain...
Last edited by win32sux; 06-26-2005 at 11:05 AM.