From: "Daniel F. Chief Security Engineer -" <danielf@supportteam.net>
To: Don Cohen <don-netf@isis.cs3-inc.com>,
netfilter <netfilter@lists.netfilter.org>,
netfilter-devel@lists.netfilter.org
Subject: Re: Fwd: Re: Interesting request. block x.x.0.0
Date: Fri, 24 Jan 2003 08:53:13 -0600
Message-ID: <200301240853.13635.danielf@supportteam.net>
In-Reply-To: <15920.37125.743591.125495@isis.cs3-inc.com>

Patrick Schaaf kindly pointed out that I could do this.

iptables -I INPUT -s 0.0.0.0/0.0.255.255 -j DROP

That will drop any IP that ends in 0.0

Thanks for everyone's help.
I will also look into the u32 patch. Thanks again.

On Thursday 23 January 2003 19:04, you wrote:
> > I do not want to block every IP on say 45.208.0.0/16, just the IPs ending
> > in 0.0 as the last two octets.
> >
> > I can write a tcpdump filter to find the traffic, I'm just not sure if we
> > have a way to craft a netfilter rule to do so. Or maybe the "recent"
> > patch could be of use. Although the DDoS included 65000 source IP
> > addresses, all ending in 0.0 for the IP address.
> >
> > The tcpdump filter looks like this.
> >
> > tcpdump -nn -i eth0 'ip[18:2] == 00'
>
> The u32 match I recently posted can do this.
--
Daniel Fairchild - Chief Security Engineer | danielf@supportteam.net
The distance between nothing and infinity is always the same no matter how
close you get to nothing.
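
Added example (not part of the original message, and not netfilter code): a Python model of the address/mask comparison behind -s 0.0.0.0/0.0.255.255, run over constructed IPv4 headers to show which sources the rule drops. The function names and sample addresses are assumptions made for illustration.

```python
import ipaddress
import struct

# Rule from the message: -s 0.0.0.0/0.0.255.255 (address, mask)
RULE_ADDR, RULE_MASK = "0.0.0.0", "0.0.255.255"


def mask_match(src, addr=RULE_ADDR, mask=RULE_MASK):
    """Address/mask comparison: (src & mask) == (addr & mask).

    The mask need not be a contiguous prefix; only bits set in it are compared.
    """
    s, a, m = (int(ipaddress.IPv4Address(x)) for x in (src, addr, mask))
    return (s & m) == (a & m)


def build_header(src, dst):
    """Constructed minimal 20-byte IPv4 header (TCP, checksum left at 0)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0,
                       ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed)


def source_of(header):
    """Source address is header bytes 12..15; destination is bytes 16..19."""
    if len(header) < 20 or header[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    return str(ipaddress.IPv4Address(header[12:16]))


# Constructed (source, destination) pairs, not traffic from the incident.
SAMPLES = [
    ("45.208.0.0", "192.0.2.10"),    # last two octets 0.0 -> dropped
    ("45.208.0.1", "192.0.2.10"),    # last octet differs -> passes
    ("45.208.1.0", "192.0.2.10"),    # third octet differs -> passes
    ("10.7.0.0", "192.0.2.10"),      # usable host inside 10.0.0.0/8, still dropped
    ("198.51.100.7", "10.1.0.0"),    # only the destination ends in 0.0 -> passes
]


def dropped_sources(samples=SAMPLES):
    """Return the sources the rule would drop, read from the header bytes."""
    hits = []
    for src, dst in samples:
        if mask_match(source_of(build_header(src, dst))):
            hits.append(src)
    return hits


if __name__ == "__main__":
    print(dropped_sources())
```

The 10.7.0.0 case is the trade-off to weigh before deploying the rule: the mask ignores the first two octets entirely, so any legitimate host whose address ends in 0.0 is dropped along with the flood sources.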