LinuxQuestions.org > Linux - Security > Stopping Somethings
(https://www.linuxquestions.org/questions/linux-security-4/stopping-somethings-3500/)

iMPReZa-WRX 06-18-2001 05:37 PM

Hi All ! .. I am a newbie sys manager .. and my first question is .. how can I stop this external stuff?
* PING to my host (and not reply to it)
* SYN FLOOD to my host
* traceroute to my host

I guess that is something about /proc/sys/net/ipv4, but
I dunno which files and which options to set =)

Thanks 4 your help =)
Pablo.

d3funct 06-18-2001 06:05 PM

Go to http://www.linuxdoc.org and do a search on "netfilter" and "iptables", also do some reading up on firewalls etc...

unSpawn 06-18-2001 09:16 PM

Quote:

* PING to my host and don't reply
"ipchains -A input -i (interface) -p icmp --icmp-type echo-request -l -j DENY"
This will deny & log requests; top it off with
"echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all"

Quote:

* SYN FLOOD to my host
SYN flooding is when your box isn't able to complete the 3-way handshake, probably because the source IPs are spoofed; this way the connection won't be closed, consuming resources.
/usr/src/linux/Documentation/ip-sysctl has a few options:
the kernel "SYN COOKIES" feature has to be compiled in and doesn't stop flooding, but lets you log in to your box while under attack. rp_filter will attempt reverse path address validation, and tcp_max_syn_backlog handles the maximum number of incomplete connections before they are dropped.
syncookies is handled in /proc/sys/net/ipv4, the other two in /proc/sys/net/conf/*/
You'll also want to deploy Snort, which can trace DoS attack signatures such as Ping & SYN floods. Then drop the offenders into a chain.
Real protection for flooding is only possible with an upstream shutdown. *Seems iptables got rate limiting caps.

Quote:

* traceroute to my host
Note Unix uses UDP for traces while W32 uses ICMP.
Deny & log requests:
"ipchains -A input -i $(interface) -p udp --source-port 32769:65535 --destination-port 33434:33523 -j DENY -l"
"ipchains -A output -i (interface) -p icmp --icmp-type time-exceeded -l -j DENY"
*Also note some people don't find it necessary to "touch" the host with traceroute, specifying a max hopcount to, say, the closest router.

Btw, if you're a newbie sysadmin, it's time to do some serious RTM'ing :-]

raz 06-19-2001 06:13 AM

UnSpawn has covered most of this with a good answer, but I'm going to add some more examples so you get an idea what we're talking about and see it's not just a simple case of stopping the things you've listed.

Ping stopping:
ICMP is essential for network maintenance used by the OS; there are 18 types of ICMP messages. A ping request is only one of them ("type 8"); you'll also need to stop some others to help hide your system.

Use ipchains or iptables to stop these types too:
type 8 "Icmp request"
type 10 "Icmp route solicitation"
type 11 "Time exceeded error"
type 13 "Icmp timestamp request" dead giveaway of OS type
type 17 "Icmp mask request"
type 15 "Icmp old bootp info" should be obsolete, but not sure what the Linux box would do if it saw this type, so deny it anyway
Allow all the other types, or your network will slowly start to screw up as the MTU size messes up.

SYN FLOOD stopping:
Basically you want to take as many SYNs as allowed; then the SYNs that haven't connected are in a wait state. A resolve is done on the source, then the connection is torn down if it was faked. So you need a buffer space, known as a backlog, for the SYN requests.

Now if someone could use about 100 systems on T3/E3s with under 50 ms latency, no matter what you're protecting, it's going to cause a DoS on the targeted port.

Add these lines to improve the recovery time of Linux from such an attack:

# improve the backlog handling of SYN's
sysctl -w net.ipv4.tcp_max_syn_backlog=256
# use a cryptographic challenge protocol
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
# Does a check on source forging
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter

Someone could also do an RST attack on your box; the above won't help you if this happens.

Don't forget these too:
echo 1 > /proc/sys/net/ipv4/ip_always_defrag
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects

/raz
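Both unSpawn's and raz's posts boil down to a handful of /proc/sys/net/ipv4 knobs set with echo. The script below is an added example, not code from either poster or from the thread: it collects the values exactly as raz gives them, applies them, and audits the live values afterwards so you can see whether a setting actually took. SYSCTL_ROOT is an assumption of this script (default /proc/sys) so the same functions can be exercised against a scratch directory; the values are the thread's 2001 values (tcp_max_syn_backlog=256 is far below what current kernels default to), and ip_always_defrag is reported as MISSING rather than crashing the audit on kernels that no longer expose it.

```shell
#!/bin/sh
# Added example (not from the thread): apply and audit the /proc/sys/net/ipv4
# knobs recommended by unSpawn and raz above. SYSCTL_ROOT is an assumption of
# this script so it can be pointed at a scratch directory for testing.
SYSCTL_ROOT="${SYSCTL_ROOT:-/proc/sys}"

# Values as given in the thread (key=value, paths relative to SYSCTL_ROOT).
KNOBS="net/ipv4/tcp_syncookies=1
net/ipv4/tcp_max_syn_backlog=256
net/ipv4/conf/all/rp_filter=1
net/ipv4/ip_always_defrag=1
net/ipv4/icmp_echo_ignore_broadcasts=1
net/ipv4/icmp_ignore_bogus_error_responses=1
net/ipv4/conf/all/accept_redirects=0
net/ipv4/conf/all/send_redirects=0"

# apply_knobs [root]: write each value; knobs the kernel does not expose
# (ip_always_defrag went away after 2.2) are skipped instead of aborting the run.
apply_knobs() {
  root="${1:-$SYSCTL_ROOT}"
  for kv in $KNOBS; do
    key=${kv%%=*}; want=${kv#*=}
    f="$root/$key"
    if [ -w "$f" ]; then
      printf '%s\n' "$want" > "$f"
    else
      echo "SKIP     $key (not present or not writable)" >&2
    fi
  done
}

# audit_knobs [root]: compare live values with KNOBS, print one line per knob
# and return the number of knobs that are missing or differ (0 = all as expected).
audit_knobs() {
  root="${1:-$SYSCTL_ROOT}"
  bad=0
  for kv in $KNOBS; do
    key=${kv%%=*}; want=${kv#*=}
    f="$root/$key"
    if [ ! -r "$f" ]; then
      echo "MISSING  $key"; bad=$((bad + 1)); continue
    fi
    have=$(cat "$f")
    if [ "$have" = "$want" ]; then
      echo "OK       $key=$have"
    else
      echo "MISMATCH $key have=$have want=$want"; bad=$((bad + 1))
    fi
  done
  return $bad
}

# Usage: sh harden.sh apply   (as root)   /   sh harden.sh audit
case "${1:-}" in
  apply) apply_knobs ;;
  audit) audit_knobs ;;
esac
```

Running the audit before the apply on a fresh box shows which of raz's settings differ from the distribution defaults; running it again after a reboot shows whether the echo lines were made persistent (they are not, on their own).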

jharris 06-19-2001 02:47 PM

:D I was just gonna say search the forum for Raz's posts, but I see he's already been here! LOL

Jamie...