From: "Daniel F. Chief Security Engineer -" <danielf@supportteam.net>
To: netfilter-devel@lists.netfilter.org
Subject: Fwd: Re: Interesting request. block x.x.0.0
Date: Thu, 23 Jan 2003 16:42:40 -0600 [thread overview]
Message-ID: <200301231642.40937.danielf@supportteam.net> (raw)
anyone on devel that can help me here.
---------- Forwarded Message ----------
Subject: Re: Interesting request. block x.x.0.0
Date: Thu, 23 Jan 2003 13:57:01 -0600
From: "Daniel F. Chief Security Engineer -" <danielf@supportteam.net>
To: Ilguiz Latypov <ilguiz@nit.ca>
Cc: netfilter <netfilter@lists.netfilter.org>
Here in lies the problem.
Im only getting traffic from x.x.0.0
I do not want to block every IP on say 45.208.0.0/16 just the ips ending in
0.0 as the last two octets.
I can write a tcpdump filter to find the traffic Im just not sure if we have
a way to craft a netfilter rule to do so. Or maybe the "recent" patch could
be of use. Although the dDoS included 65000 source IP addresses. all ending
in 0.0 for the ip address.
the tcdump filter looks like this.
tcpdump -nn -i eth0 'ip[18:2] == 00'
this is pretty a simple match to make, was wondering if anyone has a patch or
addon that does this or if there is a way to do this with standard rules.
Thanks
On Thursday 23 January 2003 12:54, Ilguiz Latypov wrote:
> On Thu, 23 Jan 2003, Daniel F. Chief Security Engineer - wrote:
> > Anybody know of a way to block this traffic. Notice it's comming from
> > just the 0.0 addresses obviously spoofed. But can you block x.x.0.0 with
> > out blocking every thing else in the range with out a rule per IP.
>
> Can the CIDR approach to networking be of any help? I heard that the
> traditional imaginary separation of networks into classes A, B, C,... is
> not quite useful, so it is now possible to specify network numbers in
> format
>
> X.X.X.X/N
>
> where N is the number of most significant bits.
>
> Based on the above, will the 45.208.0.0/32 notation in an iptables rule
> filter the unwanted packets without rejecting any other possible valid
> packets coming from 45.208.0.0/16?
--
Daniel Fairchild - Chief Security Engineer | danielf@supportteam.net
The distance between nothing and infinity is always the same no matter how
close you get to nothing.
-------------------------------------------------------
--
Daniel Fairchild - Chief Security Engineer | danielf@supportteam.net
The distance between nothing and infinity is always the same no matter how
close you get to nothing.
next reply other threads:[~2003-01-23 22:42 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2003-01-23 22:42 Daniel F. Chief Security Engineer - [this message]
2003-01-23 23:17 ` Fwd: Re: Interesting request. block x.x.0.0 Patrick Schaaf
[not found] <20030123232639.14408.11687.Mailman@kashyyyk>
2003-01-24 1:04 ` Don Cohen
2003-01-24 14:53 ` Daniel F. Chief Security Engineer -
2003-01-24 14:53 ` Daniel F. Chief Security Engineer -
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=200301231642.40937.danielf@supportteam.net \
--to=danielf@supportteam.net \
--cc=netfilter-devel@lists.netfilter.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.