Re: help with attack

[Paul Robertson <proberts () patriot net>]

On Fri, 11 Oct 2002, Mark Ryan wrote:

> Is there a way to prevent the following attack from happening again?
> They icmp type-8 flooded me for hours.  My iptables firewall script

The best way to deal with a flood attack is to contact your upstream 
provider and have them filter and/or track back and filter the offender.  
Since it's an ICMP-based attack, spoofing the source is trivial, so 
routing paths are the way to figure out where it's coming from.  Most 
providers have done this enough these days that they'll be able to handle 
it.

> logged and logged but my connection went down for hours.  
Here is an > example from the log.
> Oct 10 23:15:58 dhcp-16-8 kernel: Netfilter: IN=eth0 OUT=
> MAC=00:e0:29:6f:8c:b8:00:d0:ba:1e:6d:70:08:00 SRC=68.144.164.40
> DST=24.240.225.207 LEN=545 TOS=0x00 PREC=0x00 TTL=115 ID=1273 PROTO=ICMP
> TYPE=8 CODE=0 ID=65039 SEQ=3088 

You could try sending back an ICMP network unreachable, but likely the 
source is spoofed and the tool used doesn't care.

> I am using redhat 7.2 on a P166 with 2 nic cards as a router.  I am
> running a iptables rules script that I found on the internet.

Hopefully you understand the rules you found...

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts () patriot net      which may have no basis whatsoever in fact."
probertson () trusecure com Director of Risk Assessment TruSecure Corporation

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards