* ICMP Land Attack
@ 2007-04-09 11:53 Manish Jain
2007-04-09 12:36 ` Cedric Blancher
` (2 more replies)
0 siblings, 3 replies; 4+ messages in thread
From: Manish Jain @ 2007-04-09 11:53 UTC (permalink / raw)
To: netfilter-devel
Hello,
We are experiencing an ICMP Land Attack (ICMP packet with [source ip = dest ip]
&& [source mac == dest mac]).
Do we have any standard mechanism to counter this attack using
iptables/ipsets? Or any other suggestion?
Is it possible to write an iptables rule saying "source ip == dest ip"
instead of specifying hard-coded values?
Any pointers will be appreciated.
Best Regards,
Manish Jain
* Re: ICMP Land Attack
From: Cedric Blancher @ 2007-04-09 12:36 UTC (permalink / raw)
To: Manish Jain; +Cc: netfilter-devel
On Monday 09 April 2007 at 17:23 +0530, Manish Jain wrote:
> We are experiencing an ICMP Land Attack (ICMP packet with [source ip = dest ip]
> && [source mac == dest mac]).
> Do we have any standard mechanism to counter this attack using
> iptables/ipsets? Or any other suggestion?

Activate Reverse Path Filtering, which checks whether the incoming interface is
consistent with the routing table and drops the packet if not:

    for i in /proc/sys/net/ipv4/conf/*/rp_filter; do
        echo 1 > "$i"
    done

Don't forget to activate martians logging to see them in your logs:

    for i in /proc/sys/net/ipv4/conf/*/log_martians; do
        echo 1 > "$i"
    done

In addition to this, when a packet reaching a Linux box comes from one
of its own IP addresses and is received on an external interface, it is
silently dropped.
--
http://sid.rstack.org/
PGP KeyID: 157E98EE FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE
>> Hi! I'm your friendly neighbourhood signature virus.
>> Copy me to your signature file and help me spread!
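
An audit of the two settings from the reply above, as an added example that is not part of the original thread. The names `read_flag`, `audit_rp_filter` and `CONF_ROOT` belong to this example only, and it assumes the current-kernel rule that the value applied to an interface combines `conf/all` with the per-interface file:

```shell
#!/bin/sh
# Added example (not from the thread): audit the sysctls the reply sets.
# Assumption: on current kernels the value applied to an interface is
#   rp_filter    = max(conf/all, conf/<iface>)   (0=off, 1=strict, 2=loose)
#   log_martians = conf/all OR conf/<iface>

# read_flag FILE -> prints the integer stored in FILE, or 0 if unreadable
read_flag() {
    v=$(cat "$1" 2>/dev/null) || v=0
    case $v in ''|*[!0-9]*) v=0 ;; esac
    echo "$v"
}

# audit_rp_filter [CONF_ROOT]
# Prints one line per interface; returns 1 if any interface is not
# strict (rp_filter=1) with martian logging enabled, 0 otherwise.
audit_rp_filter() {
    root=${1:-/proc/sys/net/ipv4/conf}
    all_rp=$(read_flag "$root/all/rp_filter")
    all_lm=$(read_flag "$root/all/log_martians")
    rc=0
    for dir in "$root"/*/; do
        [ -d "$dir" ] || continue
        iface=$(basename "$dir")
        # "all" and "default" are templates, not real interfaces
        case $iface in all|default) continue ;; esac
        rp=$(read_flag "$dir/rp_filter")
        lm=$(read_flag "$dir/log_martians")
        if [ "$all_rp" -gt "$rp" ]; then rp=$all_rp; fi
        if [ "$all_lm" -gt "$lm" ]; then lm=$all_lm; fi
        case $rp in 1) mode=strict ;; 2) mode=loose ;; *) mode=off ;; esac
        if [ "$rp" -eq 1 ] && [ "$lm" -ge 1 ]; then
            verdict=OK
        else
            verdict=FAIL; rc=1
        fi
        echo "$iface rp_filter=$rp($mode) log_martians=$lm $verdict"
    done
    return "$rc"
}

# Report on the live system; a FAIL line never aborts a calling script.
audit_rp_filter "${CONF_ROOT:-/proc/sys/net/ipv4/conf}" || true
```

A `conf/all/rp_filter` value of 2 makes every interface report as loose, even one whose own file holds 1, because the larger value wins.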
* Re: ICMP Land Attack
From: Henrik Nordstrom @ 2007-04-09 14:13 UTC (permalink / raw)
To: Manish Jain; +Cc: netfilter-devel
Mon 2007-04-09 at 17:23 +0530, Manish Jain wrote:
> Is it possible to write an iptables rule saying "source ip == dest ip"
> instead of specifying hard-coded values?
A quite trivial custom match to write if not supported by any of the
existing matches.
The addrtype match is a reasonably complex template to start from.
Regards
Henrik
* Re: ICMP Land Attack
From: Jan Engelhardt @ 2007-04-09 16:46 UTC (permalink / raw)
To: Manish Jain; +Cc: netfilter-devel
On Apr 9 2007 17:23, Manish Jain wrote:
>Hello,
>
>We are experiencing an ICMP Land Attack (ICMP packet with [source ip = dest ip]
>&& [source mac == dest mac]).
If the source mac == the dest mac, then the evil sender is right at your
network, just one hop away. Kill him.
Jan
--