Dailydave mailing list archives
Re: nkiller2
From: <David_Falloon () kaltire com>
Date: Thu, 11 Jun 2009 13:29:06 -0700
Something like this should do it in iptables (assuming I've got the
right bytes in the TCP header ;):
iptables -N ZERO_WINDOW_RECENT
# IPv4 TCP (byte 9 == 6), first fragment only, then jump past the IP header
# (IHL*4) and test the TCP window field (TCP bytes 14-15) for zero.
# The original post omitted the chain name after -A; INPUT is assumed here.
iptables -A INPUT -m u32 --u32 "6&0xFF=0x6 && 4&0x1FFF=0 && 0>>22&0x3C@12&0xFFFF=0x0000" \
    -j ZERO_WINDOW_RECENT
# Record the source, then log and drop once it has sent 2 such packets in 60s
iptables -A ZERO_WINDOW_RECENT -m recent --set --name ZERO_WINDOW
iptables -A ZERO_WINDOW_RECENT -m recent --update --seconds 60 --hitcount 2 --name ZERO_WINDOW \
    -j LOG --log-level info --log-prefix "Zero size Window DoS blocked: "
iptables -A ZERO_WINDOW_RECENT -m recent --update --seconds 60 --hitcount 2 --name ZERO_WINDOW \
    -j DROP
You'll have to tune the hit count and seconds; I haven't played with the
attack enough to determine appropriate numbers, but you'd want to drop
any new ACKs with a zero window size long enough to tombstone and reap
the connection.
--Dave
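To check what those u32 offsets actually select, here is an added Python example (not from the thread) that decodes the same IP/TCP fields from raw packet bytes and approximates the recent module's set/update/hitcount logic; the packet builder, addresses and timestamps are constructed sample input, and the seconds/hitcount values are the ones from the rules above.

```python
import struct
from collections import defaultdict, deque

def u32_zero_window(pkt: bytes) -> bool:
    """Mirror the u32 test: IPv4 TCP, first fragment, TCP window == 0."""
    if len(pkt) < 20:
        return False
    # "6&0xFF=0x6": low byte of IP bytes 6-9 is byte 9, the protocol; 6 == TCP
    if pkt[9] != 6:
        return False
    # "4&0x1FFF=0": low 13 bits of IP bytes 6-7 are the fragment offset
    if struct.unpack("!H", pkt[6:8])[0] & 0x1FFF != 0:
        return False
    # "0>>22&0x3C@": IHL (low nibble of byte 0) * 4 = IP header length,
    # which becomes the base offset for the TCP header
    ihl = (pkt[0] & 0x0F) * 4
    if len(pkt) < ihl + 16:
        return False
    # "12&0xFFFF=0x0000": low 16 bits of TCP bytes 12-15 = window (bytes 14-15)
    return struct.unpack("!H", pkt[ihl + 14:ihl + 16])[0] == 0

class ZeroWindowTracker:
    """Approximates 'recent --set' followed by 'recent --update --seconds S --hitcount N'."""
    def __init__(self, seconds: int = 60, hitcount: int = 2):
        self.seconds = seconds
        self.hitcount = hitcount
        self.seen = defaultdict(deque)  # src address -> timestamps of zero-window hits

    def handle(self, src: str, pkt: bytes, now: float) -> str:
        if not u32_zero_window(pkt):
            return "ACCEPT"             # u32 rule did not match; never reaches the chain
        hits = self.seen[src]
        hits.append(now)                # --set: record this hit for the source
        while hits and now - hits[0] > self.seconds:
            hits.popleft()              # --seconds: entries older than the window do not count
        if len(hits) >= self.hitcount:
            return "DROP"               # --hitcount reached: the LOG rule fires, then DROP
        return "ACCEPT"

def build_packet(window: int, proto: int = 6, frag_off: int = 0) -> bytes:
    """Constructed minimal IPv4 + TCP header (no options, no payload, dummy checksums)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, frag_off, 64, proto, 0,
                     bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 0, 1, 0x50, 0x10, window, 0, 0)
    return ip + tcp
```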
________________________________
From: dailydave-bounces () lists immunitysec com
[mailto:dailydave-bounces () lists immunitysec com] On Behalf Of Michael
Graham
Sent: Thursday, June 11, 2009 11:05 AM
To: dailydave () lists immunityinc com
Subject: Re: [Dailydave] nkiller2
OK, after a few minutes with this I'm not sure you can
efficiently do much about it outside of a complex IPS watching for and
killing connections that send too many "window size 0" in response to
probes from your server, and then hopefully blocking the IP entirely.
On Thu, Jun 11, 2009 at 12:43 PM, Michael Graham
<jmgraham () gmail com> wrote:
Filter on window size = 0 and total connections to a
host from a host through whatever you're using for a stateful firewall.
On Thu, Jun 11, 2009 at 11:39 AM, dave
<dave () immunityinc com> wrote:
http://www.phrack.org/issues.html?issue=66&id=9#article
Is it just me or can pretty much every web site in the world get turned
off now?
I guess you could use iptables to drop the Window Size 0 packets?
-dave
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave