Dailydave mailing list archives
Re: nkiller2
From: <David_Falloon () kaltire com>
Date: Thu, 11 Jun 2009 13:29:06 -0700
Something like this should do it in iptables (assuming I've got the right bytes in the tcp header ;) :

iptables -N ZERO_WINDOW_RECENT
# chain to hook into: INPUT is assumed here, the chain name was missing from the original rule
iptables -A INPUT -m u32 --u32 "6&0xFF=0x6 && 4&0x1FFF=0 && 0>>22&0x3C@12&0xFFFF=0x0000" -j ZERO_WINDOW_RECENT
iptables -A ZERO_WINDOW_RECENT -m recent --set --name ZERO_WINDOW
iptables -A ZERO_WINDOW_RECENT -m recent --update --seconds 60 --hitcount 2 --name ZERO_WINDOW -j LOG --log-level info --log-prefix "Zero size Window DoS blocked: "
iptables -A ZERO_WINDOW_RECENT -m recent --update --seconds 60 --hitcount 2 --name ZERO_WINDOW -j DROP

You'll have to tune the hit count and seconds, I haven't played with the attack enough to determine appropriate numbers, but you'd want to drop any new acks with a zero window size long enough to tombstone and reap the connection.

--Dave

________________________________
From: dailydave-bounces () lists immunitysec com [mailto:dailydave-bounces () lists immunitysec com] On Behalf Of Michael Graham
Sent: Thursday, June 11, 2009 11:05 AM
To: dailydave () lists immunityinc com
Subject: Re: [Dailydave] nkiller2

OK after a few minutes with this I'm not sure you can efficiently do much about it outside of a complex IPS watching for and killing connections that send too many "window size 0" in response to probes from your server, and then hopefully blocking the IP entirely.

On Thu, Jun 11, 2009 at 12:43 PM, Michael Graham <jmgraham () gmail com> wrote:

filter on Window size = 0 and total connections to a host from a host through whatever you're using for a stateful firewall

On Thu, Jun 11, 2009 at 11:39 AM, dave <dave () immunityinc com> wrote:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

http://www.phrack.org/issues.html?issue=66&id=9#article

Is it just me or can pretty much every web site in the world get turned off now?

I guess you could use iptables to drop the Window Size 0 packets?

- -dave
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iEYEARECAAYFAkoxJSgACgkQtehAhL0ghepRSACfUL94jijBDRck2MlOggEKja3e
fbIAn0l6fMpWNlOy9ttVmRYubGDoUqfa
=mGZB
-----END PGP SIGNATURE-----
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave
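The poster was unsure whether the u32 expression reads the right bytes. The following is an added example, not code from the thread: it evaluates that exact expression ("6&0xFF=0x6 && 4&0x1FFF=0 && 0>>22&0x3C@12&0xFFFF=0x0000") over constructed IPv4+TCP packets the same way the iptables u32 match does (4-byte big-endian reads, shift, mask, '@' re-basing), showing it does land on the TCP window field even when the IP header carries options, and pairs it with a small sliding-window counter that approximates the -m recent --seconds/--hitcount behaviour of the posted rules. The packet builder, addresses and timestamps are all constructed test data, and the counter is an approximation of the recent module, not its implementation.

```python
import struct

# Constructed sample packets (not captured traffic): a minimal IPv4 header + TCP header.
SRC = bytes([10, 0, 0, 1])   # constructed addresses
DST = bytes([10, 0, 0, 2])

def build_packet(window, ihl_words=5, proto=6, frag_off=0):
    """Build an IPv4+TCP packet with the given TCP window (constructed test data)."""
    ver_ihl = (4 << 4) | ihl_words
    total_len = ihl_words * 4 + 20
    ip = struct.pack("!BBHHHBBH4s4s", ver_ihl, 0, total_len, 0x1234,
                     frag_off & 0x1FFF, 64, proto, 0, SRC, DST)
    ip += b"\x00" * ((ihl_words - 5) * 4)          # IP options padding when IHL > 5
    # TCP: sport, dport, seq, ack, data offset, flags (ACK), window, checksum, urgent
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 1, 5 << 4, 0x10, window, 0, 0)
    return ip + tcp

def u32_word(pkt, offset):
    """Read 4 bytes at `offset` as a big-endian integer, as the u32 match does."""
    return struct.unpack("!I", pkt[offset:offset + 4])[0]

def matches_zero_window(pkt):
    """Evaluate 6&0xFF=0x6 && 4&0x1FFF=0 && 0>>22&0x3C@12&0xFFFF=0x0000 by hand."""
    # 6&0xFF: bytes 6..9, the low byte is IP byte 9 = protocol; require TCP (6)
    if u32_word(pkt, 6) & 0xFF != 0x6:
        return False
    # 4&0x1FFF: bytes 4..7, low 13 bits are the fragment offset; first fragments only
    if u32_word(pkt, 4) & 0x1FFF != 0:
        return False
    # 0>>22&0x3C: the IHL nibble of byte 0 times 4 = IP header length in bytes;
    # '@' then re-bases all further offsets at the start of the TCP header
    ip_hdr_len = (u32_word(pkt, 0) >> 22) & 0x3C
    # 12&0xFFFF: TCP bytes 12..15, low 16 bits are bytes 14..15 = the window field
    return u32_word(pkt, ip_hdr_len + 12) & 0xFFFF == 0x0000

class RecentCounter:
    """Sliding-window hit counter approximating -m recent --seconds N --hitcount M."""
    def __init__(self, seconds=60, hitcount=2):
        self.seconds = seconds
        self.hitcount = hitcount
        self.hits = {}          # source address -> timestamps of recent hits

    def record(self, src, now):
        """Add a hit for src; True once hitcount hits fall within the last `seconds`."""
        stamps = [t for t in self.hits.get(src, []) if now - t < self.seconds]
        stamps.append(now)
        self.hits[src] = stamps
        return len(stamps) >= self.hitcount

def classify(packets, seconds=60, hitcount=2):
    """Verdict per (timestamp, packet): DROP when the zero-window rate is exceeded."""
    counter = RecentCounter(seconds, hitcount)
    verdicts = []
    for now, pkt in packets:
        src = pkt[12:16]                               # IPv4 source address
        if matches_zero_window(pkt) and counter.record(src, now):
            verdicts.append("DROP")
        else:
            verdicts.append("ACCEPT")
    return verdicts

def demo():
    """Constructed trace: two zero-window ACKs within 60 s trip the rule, old hits expire."""
    t0 = 1000.0
    trace = [
        (t0, build_packet(window=0)),                   # first hit: --set only
        (t0 + 5, build_packet(window=0)),               # second within 60 s: hitcount reached
        (t0 + 6, build_packet(window=65535)),           # normal window: not matched at all
        (t0 + 6, build_packet(window=0, ihl_words=6)),  # IP options present, still matched
        (t0 + 100, build_packet(window=0)),             # earlier hits expired: counted afresh
    ]
    return classify(trace)

if __name__ == "__main__":
    print(demo())
```

The value of walking the expression by hand is that the `@` operator re-bases at the IP header length, so the rule keeps pointing at the window field whether or not IP options are present; the counter shows why the poster's "tune the hit count and seconds" matters, since a single legitimate zero-window ACK from a slow client is accepted and only a repeat within the window is dropped.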
Current thread:
- nkiller2 dave (Jun 11)
- Message not available
- Re: nkiller2 Michael Graham (Jun 11)
- Re: nkiller2 David_Falloon (Jun 11)
- Re: nkiller2 Michael Graham (Jun 11)
- Message not available