* Interesting request. block x.x.0.0
@ 2003-01-23 18:43 Daniel F. Chief Security Engineer -
2003-01-22 7:43 ` Raymond Leach
2003-01-23 18:54 ` Ilguiz Latypov
0 siblings, 2 replies; 5+ messages in thread
From: Daniel F. Chief Security Engineer - @ 2003-01-23 18:43 UTC (permalink / raw)
To: netfilter
Anybody know of a way to block this traffic. Notice it's comming from just the
0.0 addresses obviously spoofed. But can you block x.x.0.0 with out blocking
every thing else in the range with out a rule per IP.
This is s snippit of a dDoS we seen recently.
01:19:57.644845 45.208.0.0.1669 > x.x.x.x.53: S 1685323776:1685323776(0)
01:19:57.651441 45.210.0.0.1434 > x.x.x.x.53: S 1296957440:1296957440(0)
01:19:57.659812 46.79.0.0.1738 > x.x.x.x.53: S 1536360448:1536360448(0)
01:19:57.668782 46.82.0.0.1099 > x.x.x.x.53: S 867631104:867631104(0)
01:19:57.693367 46.216.0.0.1627 > x.x.x.x.53: S 1775828992:1775828992(0)
01:19:57.699377 47.86.0.0.1712 > x.x.x.x.53: S 543227904:543227904(0)
01:19:57.717765 47.222.0.0.1109 > x.x.x.x.53: S 1708457984:1708457984(0)
01:19:57.733676 48.93.0.0.1669 > x.x.x.x.53: S 169934848:169934848(0)
I ended up just blocking tcp tp port 53 and allowed UDP through which allowed
our name servers to work fine. TCP is rarely used on the IPs that were being
attacked.
Thanks
--
Daniel Fairchild - Chief Security Engineer | danielf@supportteam.net
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: Interesting request. block x.x.0.0
2003-01-23 18:43 Interesting request. block x.x.0.0 Daniel F. Chief Security Engineer -
@ 2003-01-22 7:43 ` Raymond Leach
2003-01-23 18:54 ` Ilguiz Latypov
1 sibling, 0 replies; 5+ messages in thread
From: Raymond Leach @ 2003-01-22 7:43 UTC (permalink / raw)
To: Netfilter Mailing List
[-- Attachment #1: Type: text/plain, Size: 2061 bytes --]
What about :
iptable -A FORWARD -s x.x.0.0/0.0.255.255 -j DROP
On Wed, 2003-01-22 at 09:16, Daniel F. Chief Security Engineer - wrote:
> Anybody know of a way to block this traffic. Notice it's comming from just the
> 0.0 addresses obviously spoofed. But can you block x.x.0.0 with out blocking
> every thing else in the range with out a rule per IP.
>
> This is s snippit of a dDoS we seen recently.
>
> 01:19:57.644845 45.208.0.0.1669 > x.x.x.x.53: S 1685323776:1685323776(0)
> 01:19:57.651441 45.210.0.0.1434 > x.x.x.x.53: S 1296957440:1296957440(0)
> 01:19:57.659812 46.79.0.0.1738 > x.x.x.x.53: S 1536360448:1536360448(0)
> 01:19:57.668782 46.82.0.0.1099 > x.x.x.x.53: S 867631104:867631104(0)
> 01:19:57.693367 46.216.0.0.1627 > x.x.x.x.53: S 1775828992:1775828992(0)
> 01:19:57.699377 47.86.0.0.1712 > x.x.x.x.53: S 543227904:543227904(0)
> 01:19:57.717765 47.222.0.0.1109 > x.x.x.x.53: S 1708457984:1708457984(0)
> 01:19:57.733676 48.93.0.0.1669 > x.x.x.x.53: S 169934848:169934848(0)
>
> I ended up just blocking tcp tp port 53 and allowed UDP through which allowed
> our name servers to work fine. TCP is rarely used on the IPs that were being
> attacked.
>
> Thanks
>
> --
> Daniel Fairchild - Chief Security Engineer | danielf@supportteam.net
--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
( Raymond Leach )
) Knowledge Factory (
( )
) Tel: +27 11 445 8100 (
( Fax: +27 11 445 8101 )
) (
( http://www.knowledgefactory.co.za/ )
) http://www.saptg.co.za/ (
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
o o
o o
.--. .--.
| o_o| |o_o |
| \_:| |:_/ |
/ / \\ // \ \
( | |) (| | )
/`\_ _/'\ /'\_ _/`\
\___)=(___/ \___)=(___/
[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 189 bytes --]
^ permalink raw reply [flat|nested] 5+ messages in thread* Re: Interesting request. block x.x.0.0
2003-01-23 18:43 Interesting request. block x.x.0.0 Daniel F. Chief Security Engineer -
2003-01-22 7:43 ` Raymond Leach
@ 2003-01-23 18:54 ` Ilguiz Latypov
2003-01-23 19:57 ` Daniel F. Chief Security Engineer -
1 sibling, 1 reply; 5+ messages in thread
From: Ilguiz Latypov @ 2003-01-23 18:54 UTC (permalink / raw)
To: Daniel F. Chief Security Engineer -; +Cc: netfilter
On Thu, 23 Jan 2003, Daniel F. Chief Security Engineer - wrote:
> Anybody know of a way to block this traffic. Notice it's comming from just the
> 0.0 addresses obviously spoofed. But can you block x.x.0.0 with out blocking
> every thing else in the range with out a rule per IP.
Can the CIDR approach to networking be of any help? I heard that the
traditional imaginary separation of networks into classes A, B, C,... is
not quite useful, so it is now possible to specify network numbers in
format
X.X.X.X/N
where N is the number of most significant bits.
Based on the above, will the 45.208.0.0/32 notation in an iptables rule
filter the unwanted packets without rejecting any other possible valid
packets coming from 45.208.0.0/16?
--
Ilguiz Latypov
Net Integration Technologies, Inc
tel. +1 (514) 281 9191 x 117
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: Interesting request. block x.x.0.0
2003-01-23 18:54 ` Ilguiz Latypov
@ 2003-01-23 19:57 ` Daniel F. Chief Security Engineer -
0 siblings, 0 replies; 5+ messages in thread
From: Daniel F. Chief Security Engineer - @ 2003-01-23 19:57 UTC (permalink / raw)
To: Ilguiz Latypov; +Cc: netfilter
Here in lies the problem.
Im only getting traffic from x.x.0.0
I do not want to block every IP on say 45.208.0.0/16 just the ips ending in
0.0 as the last two octets.
I can write a tcpdump filter to find the traffic Im just not sure if we have a
way to craft a netfilter rule to do so. Or maybe the "recent" patch could be
of use. Although the dDoS included 65000 source IP addresses. all ending in
0.0 for the ip address.
the tcdump filter looks like this.
tcpdump -nn -i eth0 'ip[18:2] == 00'
this is pretty a simple match to make, was wondering if anyone has a patch or
addon that does this or if there is a way to do this with standard rules.
Thanks
On Thursday 23 January 2003 12:54, Ilguiz Latypov wrote:
> On Thu, 23 Jan 2003, Daniel F. Chief Security Engineer - wrote:
> > Anybody know of a way to block this traffic. Notice it's comming from
> > just the 0.0 addresses obviously spoofed. But can you block x.x.0.0 with
> > out blocking every thing else in the range with out a rule per IP.
>
> Can the CIDR approach to networking be of any help? I heard that the
> traditional imaginary separation of networks into classes A, B, C,... is
> not quite useful, so it is now possible to specify network numbers in
> format
>
> X.X.X.X/N
>
> where N is the number of most significant bits.
>
> Based on the above, will the 45.208.0.0/32 notation in an iptables rule
> filter the unwanted packets without rejecting any other possible valid
> packets coming from 45.208.0.0/16?
--
Daniel Fairchild - Chief Security Engineer | danielf@supportteam.net
The distance between nothing and infinity is always the same no matter how
close you get to nothing.
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: Interesting request. block x.x.0.0
@ 2003-01-23 18:54 Ilguiz Latypov
0 siblings, 0 replies; 5+ messages in thread
From: Ilguiz Latypov @ 2003-01-23 18:54 UTC (permalink / raw)
To: netfilter
On Thu, 23 Jan 2003, Daniel F. Chief Security Engineer - wrote:
> Anybody know of a way to block this traffic. Notice it's comming from just the
> 0.0 addresses obviously spoofed. But can you block x.x.0.0 with out blocking
> every thing else in the range with out a rule per IP.
Can the CIDR approach to networking be of any help? I heard that the
traditional imaginary separation of networks into classes A, B, C,... is
not quite useful, so it is now possible to specify network numbers in
format
X.X.X.X/N
where N is the number of most significant bits.
Based on the above, will the 45.208.0.0/32 notation in an iptables rule
filter the unwanted packets without rejecting any other possible valid
packets coming from 45.208.0.0/16?
--
Ilguiz Latypov
Net Integration Technologies, Inc
tel. +1 (514) 281 9191 x 117
^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2003-01-23 19:57 UTC | newest]
Thread overview: 5+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2003-01-23 18:43 Interesting request. block x.x.0.0 Daniel F. Chief Security Engineer -
2003-01-22 7:43 ` Raymond Leach
2003-01-23 18:54 ` Ilguiz Latypov
2003-01-23 19:57 ` Daniel F. Chief Security Engineer -
-- strict thread matches above, loose matches on Subject: below --
2003-01-23 18:54 Ilguiz Latypov
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.