LinuxQuestions.org
Old 06-24-2005, 07:29 AM   #1
ohcarol
Member
 
Registered: Dec 2004
Location: Nepal
Posts: 86

Rep: Reputation: 15
flooding


What is this? Is this an attack?


17:26:56.282761 143.5.243.22.1035 > 239.255.150.51.29500: udp 4694 (frag 60743:1480@0+)
17:26:56.285758 143.5.243.22 > 239.255.150.51: (frag 60743:1480@1480+)
17:26:56.288769 143.5.243.22 > 239.255.150.51: (frag 60743:1480@2960+)
17:26:56.288772 143.5.243.22 > 239.255.150.51: (frag 60743:262@4440)
17:26:56.294785 143.5.243.22.1034 > 239.255.150.49.29450: udp 4569 (frag 60745:1480@0+)
17:26:56.297795 143.5.243.22 > 239.255.150.49: (frag 60745:1480@1480+)
17:26:56.318851 143.5.243.22 > 239.255.150.49: (frag 60745:1480@2960+)
17:26:56.318855 143.5.243.22 > 239.255.150.49: (frag 60745:137@4440)
17:26:56.324866 143.5.243.22.1034 > 239.255.150.49.29450: udp 4570 (frag 60746:1480@0+)
17:26:56.336903 143.5.243.22 > 239.255.150.49: (frag 60746:1480@1480+)
17:26:56.348936 143.5.243.22 > 239.255.150.49: (frag 60746:1480@2960+)
17:26:56.348939 143.5.243.22 > 239.255.150.49: (frag 60746:138@4440)
17:26:56.385037 143.5.243.22.1035 > 239.255.150.51.29500: udp 4694 (frag 60752:1480@0+)
17:26:56.391060 143.5.243.22 > 239.255.150.51: (frag 60752:1480@1480+)
17:26:56.394067 143.5.243.22 > 239.255.150.51: (frag 60752:1480@2960+)
17:26:56.394070 143.5.243.22 > 239.255.150.51: (frag 60752:262@4440)
17:26:56.424154 143.5.243.22.1034 > 239.255.150.49.29450: udp 4569 (frag 60757:1480@0+)
17:26:56.430175 143.5.243.22 > 239.255.150.49: (frag 60757:1480@1480+)
17:26:56.445210 143.5.243.22 > 239.255.150.49: (frag 60757:1480@2960+)
17:26:56.445213 143.5.243.22 > 239.255.150.49: (frag 60757:137@4440)
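
An added example (not part of the original post): a short Python check over the first two datagrams of the capture above. It groups fragments by IP ID and tests whether each set is contiguous, complete, and addressed to a multicast group. The function and field names are this example's own, and it assumes the tcpdump line format shown in the post.

```python
import ipaddress
import re
from collections import defaultdict

# First two datagrams, copied from the capture in the post above.
CAPTURE = """\
17:26:56.282761 143.5.243.22.1035 > 239.255.150.51.29500: udp 4694 (frag 60743:1480@0+)
17:26:56.285758 143.5.243.22 > 239.255.150.51: (frag 60743:1480@1480+)
17:26:56.288769 143.5.243.22 > 239.255.150.51: (frag 60743:1480@2960+)
17:26:56.288772 143.5.243.22 > 239.255.150.51: (frag 60743:262@4440)
17:26:56.294785 143.5.243.22.1034 > 239.255.150.49.29450: udp 4569 (frag 60745:1480@0+)
17:26:56.297795 143.5.243.22 > 239.255.150.49: (frag 60745:1480@1480+)
17:26:56.318851 143.5.243.22 > 239.255.150.49: (frag 60745:1480@2960+)
17:26:56.318855 143.5.243.22 > 239.255.150.49: (frag 60745:137@4440)
"""

LINE = re.compile(
    r"^\S+ (?P<src>\d+\.\d+\.\d+\.\d+)(?:\.\d+)? > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?:\.\d+)?: (?:udp (?P<udp>\d+) )?"
    r"\(frag (?P<id>\d+):(?P<len>\d+)@(?P<off>\d+)(?P<more>\+?)\)$"
)

def summarize(text):
    """Group fragments by (src, dst, IP ID) and check each set reassembles cleanly."""
    groups = defaultdict(lambda: {"frags": [], "udp": None})
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        g = groups[(m["src"], m["dst"], int(m["id"]))]
        g["frags"].append((int(m["off"]), int(m["len"]), m["more"] == "+"))
        if m["udp"]:
            g["udp"] = int(m["udp"])  # only the first fragment carries the UDP header
    report = []
    for (src, dst, ip_id), g in groups.items():
        frags = sorted(g["frags"])
        expected, contiguous = 0, True
        for off, length, _more in frags:
            contiguous = contiguous and off == expected  # no gap, no overlap
            expected = off + length
        report.append({
            "id": ip_id, "src": src, "dst": dst,
            "multicast_dst": ipaddress.ip_address(dst).is_multicast,
            "fragments": len(frags), "payload_bytes": expected,
            "complete": contiguous and not frags[-1][2],  # last fragment has MF clear
            "matches_udp_len": g["udp"] is not None and expected == g["udp"] + 8,
        })
    return report
```

For both datagrams the fragments reassemble without gaps or overlaps to the printed UDP length plus the 8-byte UDP header, and both destinations are multicast addresses.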
 
Old 06-24-2005, 08:10 AM   #2
nixcraft
Member
 
Registered: Nov 2004
Location: BIOS
Distribution: RHEL3.0, FreeBSD 5.x, Debian 3.x, Solaris x86 v10
Posts: 379

Rep: Reputation: 30
You don't have iptables ?
 
Old 06-24-2005, 12:08 PM   #3
ohcarol
Member
 
Registered: Dec 2004
Location: Nepal
Posts: 86

Original Poster
Rep: Reputation: 15
I do have iptables. But these packets are coming from the DVB interface. How can I block them?
 
Old 06-24-2005, 03:13 PM   #4
nixcraft
Member
 
Registered: Nov 2004
Location: BIOS
Distribution: RHEL3.0, FreeBSD 5.x, Debian 3.x, Solaris x86 v10
Posts: 379

Rep: Reputation: 30
Use iptables to block the traffic; something like the following should help you:

iptables -A INPUT -s IP-ADDRESS -j DROP
iptables -A OUTPUT -d IP-ADDRESS -j DROP

However, iptables is serious business; you should read the man page!
 
Old 06-25-2005, 03:42 AM   #5
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380
Quote:
Originally posted by nixcraft
Use iptables to block the traffic; something like the following should help you:

iptables -A INPUT -s IP-ADDRESS -j DROP
iptables -A OUTPUT -d IP-ADDRESS -j DROP

However, iptables is serious business; you should read the man page!
that is correct, but if you're gonna input those commands into the command line you should use a "-I" instead of an "-A" to make sure the rules go to the top of the chain and hence the packets won't get accepted by any other rules before they hit the DROP...
Code:
iptables -I INPUT -s IP-ADDRESS -j DROP
BTW, you don't really need to add a DROP for the IP to the OUTPUT chain...
 
Old 06-25-2005, 10:07 AM   #6
nixcraft
Member
 
Registered: Nov 2004
Location: BIOS
Distribution: RHEL3.0, FreeBSD 5.x, Debian 3.x, Solaris x86 v10
Posts: 379

Rep: Reputation: 30
Quote:
Originally posted by win32sux
that is correct, but if you're gonna input those commands into the command line you should use a "-I" instead of an "-A" to make sure the rules go to the top of the chain and hence the packets won't get accepted by any other rules before they hit the DROP...
Code:
iptables -I INPUT -s IP-ADDRESS -j DROP
-A will append the rule to the existing rule set; that is why you need it. I assumed that some other rules already exist, like -P to drop everything.
Quote:
BTW, you don't really need to add a DROP for the IP to the OUTPUT chain...
You need the OUTPUT rule too.. that is added security
 
Old 06-25-2005, 10:23 AM   #7
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380
Quote:
Originally posted by nixcraft
-A will append the rule to the existing rule set; that is why you need it. I assumed that some other rules already exist, like -P to drop everything.
that is precisely why you should use "-I" instead of "-A" if you do this from the CLI... it makes sure that EVERY packet from that IP will go to DROP... if you do "-A" from the CLI it's still possible for a packet from that IP to get sent to ACCEPT because it matches one of the rules above... the policy (-P) has nothing to do with it... look at this example (just a stupid "proof of concept"):
Code:
iptables -P INPUT DROP
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p TCP --dport 22 -m state --state NEW -j ACCEPT
if you have the above ruleset active, and you run this command from the CLI:
Code:
iptables -A INPUT -s IP-ADDRESS -j DROP
then the active ruleset would change to:
Code:
iptables -P INPUT DROP
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p TCP --dport 22 -m state --state NEW -j ACCEPT
iptables -A INPUT -s IP-ADDRESS -j DROP
so as you can see, IP-ADDRESS would STILL be able to connect to port 22/TCP...

but if you use "-I" when you execute the command, like:
Code:
iptables -I INPUT -s IP-ADDRESS -j DROP
you'd end-up with this instead:
Code:
iptables -P INPUT DROP
iptables -A INPUT -s IP-ADDRESS -j DROP
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p TCP --dport 22 -m state --state NEW -j ACCEPT
now IP-ADDRESS would NOT be able to connect AT ALL because the packet would go to DROP as soon as it enters the chain - before it can be accepted by any other rule...

Quote:
You need the OUTPUT rule too.. that is added security
it's a nice option that you have available - but you don't "need" to do it...


Last edited by win32sux; 06-25-2005 at 10:27 AM.
 
Old 06-25-2005, 10:33 AM   #8
nixcraft
Member
 
Registered: Nov 2004
Location: BIOS
Distribution: RHEL3.0, FreeBSD 5.x, Debian 3.x, Solaris x86 v10
Posts: 379

Rep: Reputation: 30
Sure, for flooding

Code:
iptables -F

# Setting default filter policy DROP ALL :D
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

# allow unlimited traffic on both lo and venet0
iptables -A INPUT  -i lo -s 127.0.0.1 -j ACCEPT
iptables -A OUTPUT -o lo -d 127.0.0.1 -j ACCEPT

# Stop flood .. this is also important :D
iptables -N flood
iptables -A INPUT -p tcp --syn -j flood
iptables -A flood -m limit --limit 1/s --limit-burst 3 -j RETURN
iptables -A flood -j DROP

# Now block all ips
IPS="Ip1 IP2"
for ip in $IPS
do
    iptables -A INPUT -s "$ip" -j DROP
    iptables -A OUTPUT -d "$ip" -j DROP
done

# Now allow the traffic using rules as shown by win32sux
I still prefer to add the OUTPUT rule in drop to avoid IP spoofing attacks; if you look closely, I'm only blocking the destination (-d) from the FW host!
 
Old 06-25-2005, 10:47 AM   #9
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380
Quote:
Originally posted by nixcraft
Code:
# Now block all ips
IPS="Ip1 IP2"
for ip in $IPS
do
    iptables -A INPUT -s $ip -j DROP
done
you're still just appending (-A) $ip to the END of the chain...

if you really want to block $ip you need to insert (-I) the rule at the START of the chain...


Last edited by win32sux; 06-25-2005 at 10:49 AM.
 
Old 06-25-2005, 11:05 AM   #10
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380
wait - i see what you're doing... your other iptables rules would come-in after that section of your script... either way, i'm talking strictly about the CLI - not about a script... if you do it from the CLI it's simple and effective to use "-I" as it makes sure the rule goes to the top of the chain...


Last edited by win32sux; 06-26-2005 at 11:05 AM.
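
The ordering argument in this thread, as an added example that is not part of any post: a small Python model of first-match chain traversal applied to win32sux's sample ruleset. It compares `-A` and `-I` on a live chain with the script order from post #8, and lists ACCEPT rules that sit above the DROP. The address 192.0.2.10 is a constructed stand-in for IP-ADDRESS, and all function names are this example's own; it models rule order only, not real netfilter state tracking.

```python
BLOCKED = "192.0.2.10"  # constructed stand-in for IP-ADDRESS (documentation range)

# win32sux's sample ruleset; the chain policy is DROP.
BASE = [
    ({"state": {"ESTABLISHED", "RELATED"}}, "ACCEPT"),
    ({"proto": {"tcp"}, "dport": {22}, "state": {"NEW"}}, "ACCEPT"),
]
DROP_RULE = ({"src": {BLOCKED}}, "DROP")

def append(chain, rule):
    """Model of iptables -A: the rule goes to the end of the chain."""
    return chain + [rule]

def insert(chain, rule):
    """Model of iptables -I with no position: the rule becomes rule 1."""
    return [rule] + chain

def first_match(chain, pkt, policy="DROP"):
    """Return (rule number, target) of the first matching rule, else (None, policy)."""
    for idx, (match, target) in enumerate(chain, 1):
        if all(pkt.get(k) in allowed for k, allowed in match.items()):
            return idx, target
    return None, policy

def accepts_before_drop(chain, src):
    """Rule numbers of ACCEPT rules above the DROP for src that could still match it."""
    hits = []
    for idx, (match, target) in enumerate(chain, 1):
        if target == "DROP" and src in match.get("src", ()):
            break
        if target == "ACCEPT" and src in match.get("src", {src}):
            hits.append(idx)
    return hits

# A new SSH connection attempt from the blocked address.
SSH_SYN = {"src": BLOCKED, "proto": "tcp", "dport": 22, "state": "NEW"}

cli_append = append(BASE, DROP_RULE)   # -A typed at the CLI on the live ruleset
cli_insert = insert(BASE, DROP_RULE)   # -I typed at the CLI on the live ruleset
script_order = append(append(append([], DROP_RULE), BASE[0]), BASE[1])  # post #8 order

if __name__ == "__main__":
    for name, chain in [("-A", cli_append), ("-I", cli_insert), ("script", script_order)]:
        print(name, first_match(chain, SSH_SYN), accepts_before_drop(chain, BLOCKED))
```

On a real host, `iptables -L INPUT -n --line-numbers` shows the same ordering that this model reasons about.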
 