Re: Interesting request. block x.x.0.0

Re: Interesting request. block x.x.0.0

[Raymond Leach]

[-- Attachment #1: Type: text/plain, Size: 2061 bytes --]

What about :
iptable -A FORWARD -s x.x.0.0/0.0.255.255 -j DROP

On Wed, 2003-01-22 at 09:16, Daniel F. Chief Security Engineer - wrote:
> Anybody know of a way to block this traffic. Notice it's comming from just the 
> 0.0 addresses obviously spoofed. But can you block x.x.0.0 with out blocking 
> every thing else in the range with out a rule per IP. 
> 
> This is s snippit of a dDoS we seen recently. 
> 
> 01:19:57.644845 45.208.0.0.1669 > x.x.x.x.53: S 1685323776:1685323776(0) 
> 01:19:57.651441 45.210.0.0.1434 > x.x.x.x.53: S 1296957440:1296957440(0)
> 01:19:57.659812 46.79.0.0.1738 > x.x.x.x.53: S 1536360448:1536360448(0)
> 01:19:57.668782 46.82.0.0.1099 > x.x.x.x.53: S 867631104:867631104(0)
> 01:19:57.693367 46.216.0.0.1627 > x.x.x.x.53: S 1775828992:1775828992(0) 
> 01:19:57.699377 47.86.0.0.1712 > x.x.x.x.53: S 543227904:543227904(0) 
> 01:19:57.717765 47.222.0.0.1109 > x.x.x.x.53: S 1708457984:1708457984(0) 
> 01:19:57.733676 48.93.0.0.1669 > x.x.x.x.53: S 169934848:169934848(0) 
> 
> I ended up just blocking tcp tp port 53 and allowed UDP through which allowed 
> our name servers to work fine. TCP is rarely used on the IPs that were being 
> attacked. 
> 
> Thanks
> 
> --
> Daniel Fairchild - Chief Security Engineer | danielf@supportteam.net
-- 
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
(  Raymond Leach                       )
 ) Knowledge Factory                  (
(                                      )
 ) Tel: +27 11 445 8100               (
(  Fax: +27 11 445 8101                )
 )                                    (
(  http://www.knowledgefactory.co.za/  )
 ) http://www.saptg.co.za/            (
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   o                                o
    o                              o
        .--.                  .--.
       | o_o|                |o_o |
       | \_:|                |:_/ |
      / /   \\              //   \ \
     ( |     |)            (|     | )
     /`\_   _/'\          /'\_   _/`\
     \___)=(___/          \___)=(___/

[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 189 bytes --]

Interesting request. block x.x.0.0

[Daniel F. Chief Security Engineer -]

Anybody know of a way to block this traffic. Notice it's comming from just the 
0.0 addresses obviously spoofed. But can you block x.x.0.0 with out blocking 
every thing else in the range with out a rule per IP. 

This is s snippit of a dDoS we seen recently. 

01:19:57.644845 45.208.0.0.1669 > x.x.x.x.53: S 1685323776:1685323776(0) 
01:19:57.651441 45.210.0.0.1434 > x.x.x.x.53: S 1296957440:1296957440(0)
01:19:57.659812 46.79.0.0.1738 > x.x.x.x.53: S 1536360448:1536360448(0)
01:19:57.668782 46.82.0.0.1099 > x.x.x.x.53: S 867631104:867631104(0)
01:19:57.693367 46.216.0.0.1627 > x.x.x.x.53: S 1775828992:1775828992(0) 
01:19:57.699377 47.86.0.0.1712 > x.x.x.x.53: S 543227904:543227904(0) 
01:19:57.717765 47.222.0.0.1109 > x.x.x.x.53: S 1708457984:1708457984(0) 
01:19:57.733676 48.93.0.0.1669 > x.x.x.x.53: S 169934848:169934848(0) 

I ended up just blocking tcp tp port 53 and allowed UDP through which allowed 
our name servers to work fine. TCP is rarely used on the IPs that were being 
attacked. 

Thanks

--
Daniel Fairchild - Chief Security Engineer | danielf@supportteam.net

Re: Interesting request. block x.x.0.0

[Ilguiz Latypov]

On Thu, 23 Jan 2003, Daniel F. Chief Security Engineer - wrote:

> Anybody know of a way to block this traffic. Notice it's comming from just the
> 0.0 addresses obviously spoofed. But can you block x.x.0.0 with out blocking
> every thing else in the range with out a rule per IP.

Can the CIDR approach to networking be of any help?  I heard that the
traditional imaginary separation of networks into classes A, B, C,... is
not quite useful, so it is now possible to specify network numbers in
format

   X.X.X.X/N

where N is the number of most significant bits.

Based on the above, will the 45.208.0.0/32 notation in an iptables rule
filter the unwanted packets without rejecting any other possible valid
packets coming from 45.208.0.0/16?

--
Ilguiz Latypov
Net Integration Technologies, Inc

tel. +1 (514) 281 9191 x 117

Re: Interesting request. block x.x.0.0

[Ilguiz Latypov]

On Thu, 23 Jan 2003, Daniel F. Chief Security Engineer - wrote:

> Anybody know of a way to block this traffic. Notice it's comming from just the
> 0.0 addresses obviously spoofed. But can you block x.x.0.0 with out blocking
> every thing else in the range with out a rule per IP.

Can the CIDR approach to networking be of any help?  I heard that the
traditional imaginary separation of networks into classes A, B, C,... is
not quite useful, so it is now possible to specify network numbers in
format

   X.X.X.X/N

where N is the number of most significant bits.

Based on the above, will the 45.208.0.0/32 notation in an iptables rule
filter the unwanted packets without rejecting any other possible valid
packets coming from 45.208.0.0/16?

--
Ilguiz Latypov
Net Integration Technologies, Inc

tel. +1 (514) 281 9191 x 117

Re: Interesting request. block x.x.0.0

[Daniel F. Chief Security Engineer -]

Here in lies the problem. 

Im only getting traffic from x.x.0.0

I do not want to block every IP on say 45.208.0.0/16 just the ips ending in 
0.0 as the last two octets.

I can write a tcpdump filter to find the traffic Im just not sure if we have a 
way to craft a netfilter rule to do so. Or maybe the "recent" patch could be 
of use. Although the dDoS included 65000 source IP addresses. all ending in 
0.0 for the ip address. 

the tcdump filter looks like this.

tcpdump -nn -i eth0 'ip[18:2] == 00'

this is pretty a simple match to make, was wondering if anyone has a patch or 
addon that does this or if there is a way to do this with standard rules. 

Thanks

On Thursday 23 January 2003 12:54, Ilguiz Latypov wrote:
> On Thu, 23 Jan 2003, Daniel F. Chief Security Engineer - wrote:
> > Anybody know of a way to block this traffic. Notice it's comming from
> > just the 0.0 addresses obviously spoofed. But can you block x.x.0.0 with
> > out blocking every thing else in the range with out a rule per IP.
>
> Can the CIDR approach to networking be of any help?  I heard that the
> traditional imaginary separation of networks into classes A, B, C,... is
> not quite useful, so it is now possible to specify network numbers in
> format
>
>    X.X.X.X/N
>
> where N is the number of most significant bits.
>
> Based on the above, will the 45.208.0.0/32 notation in an iptables rule
> filter the unwanted packets without rejecting any other possible valid
> packets coming from 45.208.0.0/16?

-- 
Daniel Fairchild - Chief Security Engineer | danielf@supportteam.net
The distance between nothing and infinity is always the same no matter how 
close you get to nothing.