From: Chris Brenton <cbrenton@chrisbrenton.org>
To: Ramin Dousti <ramin@cannon.eng.us.uu.net>
Cc: "I.S.Kuten" <i.kuten@sam-solutions.net>, netfilter@lists.netfilter.org
Subject: Re: fake ping reply
Date: Thu, 04 Sep 2003 15:32:46 -0400
Message-ID: <3F57935E.9060305@chrisbrenton.org>
In-Reply-To: 20030904162444.GB31513@cannon.eng.us.uu.net
Ramin Dousti wrote:
> On Tue, Sep 02, 2003 at 04:50:26PM +0300, I.S.Kuten wrote:
>>
>>i wanted to setup iptables , when someone pings my box , echo-reply
>>would come from other machine than mine .
>
> A very strange question. When the client sends you an echo-request, it
> expects to receive echo-reply from the same IP address. If some other
> IP address sends the echo-reply, it will simply get dropped by the OS
> on the client, as there is no match for this bogus packet...
I don't think that's where he's going with this. This used to be a very
cool feature that was removed about 2 years ago. :( :( :(
Here's the concept, let's say you've been allocated a class C legal
address space and have 10 or so IP addresses that are not in use. What I
used to do was reject echo-request packets going to those addresses with
echo-replies, and reject all other echo-requests with a host-unreachable.
Now, "annoying script kiddie that could not hack their way out of a
paper bag" comes along and ping sweeps your network. Only those 10 IP
addresses respond, so they start attacking them.
Now, one of the things you need to do when reading your logs is filter
out the script kiddies from the people you really need to worry about.
Obviously someone who persists in attacking non-existent systems and
can't tell the difference can be stopped with a simple ban rule.
Also, increasing the number of packets that an attacker throws at your
network also increases your chances of identifying them. Again, this
rule was a good fit for that as well.
I have to say I'm a major iptables bigot. I've contributed to the
project and talk it up big time in the SANS perimeter training. __The
only thing__ that has ever really bummed me about the project was
the removal of the echo-reply reject option.
</dismounting soap box>
;-)
C
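The log-reading step Chris describes (separating the script kiddie who ping sweeps the whole block and then hammers non-existent hosts from traffic that actually deserves attention) can be automated. The following is an added example, not code from the original thread or from the netfilter project. It assumes an iptables LOG rule with an assumed `--log-prefix "DECOY:"` that records inbound echo-requests to the block, assumes 192.0.2.10-19 are the unused "decoy" addresses, and works over constructed sample lines in the kernel-log format the LOG target produces. A source that probes several distinct unused addresses is reported as a sweeper; a single stray ping at one decoy is left alone.

```python
import re
from collections import defaultdict

# Constructed sample output from an iptables LOG rule (kernel log format).
# "DECOY:" is an assumed --log-prefix; the fifth line is a TCP probe and
# the last line is a ping at a real host, both of which must be ignored.
SAMPLE_LOG = """\
Sep  4 15:30:01 gw kernel: DECOY: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=84 TOS=0x00 PREC=0x00 TTL=52 ID=1001 PROTO=ICMP TYPE=8 CODE=0 ID=4321 SEQ=1
Sep  4 15:30:01 gw kernel: DECOY: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.11 LEN=84 TOS=0x00 PREC=0x00 TTL=52 ID=1002 PROTO=ICMP TYPE=8 CODE=0 ID=4321 SEQ=2
Sep  4 15:30:02 gw kernel: DECOY: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.12 LEN=84 TOS=0x00 PREC=0x00 TTL=52 ID=1003 PROTO=ICMP TYPE=8 CODE=0 ID=4321 SEQ=3
Sep  4 15:30:02 gw kernel: DECOY: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.13 LEN=84 TOS=0x00 PREC=0x00 TTL=52 ID=1004 PROTO=ICMP TYPE=8 CODE=0 ID=4321 SEQ=4
Sep  4 15:31:10 gw kernel: DECOY: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.11 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1005 DF PROTO=TCP SPT=40122 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Sep  4 15:45:33 gw kernel: DECOY: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=84 TOS=0x00 PREC=0x00 TTL=61 ID=2001 PROTO=ICMP TYPE=8 CODE=0 ID=777 SEQ=1
Sep  4 15:45:34 gw kernel: DECOY: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.1 LEN=84 TOS=0x00 PREC=0x00 TTL=61 ID=2002 PROTO=ICMP TYPE=8 CODE=0 ID=777 SEQ=2
"""

# Assumed set of unused addresses in the block that the rule set answers for.
DECOY_ADDRS = {f"192.0.2.{n}" for n in range(10, 20)}

# iptables LOG lines always carry SRC= then DST=, later PROTO=, and for ICMP a
# TYPE= field right after the protocol (ICMP type 8 is echo-request).
LOG_RE = re.compile(
    r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) .*?PROTO=(?P<proto>\w+)"
    r"(?: TYPE=(?P<type>\d+))?"
)


def parse_line(line):
    """Pull source, destination, protocol and ICMP type out of one LOG line."""
    m = LOG_RE.search(line)
    if not m:
        return None
    return {
        "src": m.group("src"),
        "dst": m.group("dst"),
        "proto": m.group("proto"),
        "icmp_type": int(m.group("type")) if m.group("type") else None,
    }


def tally_decoy_hits(lines, decoys):
    """Map each source to (distinct decoy addresses it echo-requested,
    total echo-requests sent to decoys). Non-ICMP and non-echo-request
    lines and pings at real hosts are ignored."""
    distinct = defaultdict(set)
    total = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["proto"] != "ICMP" or rec["icmp_type"] != 8:
            continue
        if rec["dst"] in decoys:
            distinct[rec["src"]].add(rec["dst"])
            total[rec["src"]] += 1
    return {src: (distinct[src], total[src]) for src in distinct}


def find_sweepers(hits, min_decoys=3):
    """Sources that echo-requested at least `min_decoys` distinct unused
    addresses, widest sweep first. Returns (src, decoys_probed, packets)."""
    return sorted(
        ((src, len(d), n) for src, (d, n) in hits.items() if len(d) >= min_decoys),
        key=lambda t: (-t[1], -t[2], t[0]),
    )


if __name__ == "__main__":
    hits = tally_decoy_hits(SAMPLE_LOG.splitlines(), DECOY_ADDRS)
    for src, n_decoys, n_pkts in find_sweepers(hits):
        print(f"{src}: {n_decoys} unused addresses probed, {n_pkts} echo-requests")
```

The threshold on distinct decoy addresses, rather than on packet count, is what separates a sweep from a mistyped address: nobody has a legitimate reason to touch several addresses that were never assigned, and a source that keeps coming back to them after the sweep is the "persists in attacking non-existent systems" case that a simple ban rule handles.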
Thread overview:
2003-09-02 13:50 fake ping reply I.S.Kuten
2003-09-04 16:24 ` Ramin Dousti
2003-09-04 17:10 ` I.S.Kuten
2003-09-04 19:32 ` Chris Brenton [this message]
2003-09-04 20:04 ` Ramin Dousti