* [LARTC] syn flood protection - inside initiated attacks
@ 2005-03-23 8:45 Ming-Ching Tiew
2005-03-23 10:02 ` Nguyen Dinh Nam
0 siblings, 1 reply; 2+ messages in thread
From: Ming-Ching Tiew @ 2005-03-23 8:45 UTC (permalink / raw)
To: lartc
Perhaps someone will help me on this :-
I have read a lot of examples of syn flood protect on the INPUT chain.
That I have no question at all.
I wonder if it make sense to perform syn flood protection
at the FORWARD chain ? If packets are originated from a
LAN worm, and are not targetted at the firewall itself, but
rather at hosts in the internet, will it cause problem with
the firewall itself, such as iptables connection table full etc ?
I tried to do it, to be specific, I tried this :-
iptables -N lan-syn-flood
iptables -A lan-syn-flood -m limit --limit 1/s --limit-burst 4 -j RETURN
iptables -A lan-syn-flood -j DROP
Hook it to FORWARD chain,
iptables -I FORWARD -p tcp --syn -j lan-syn-flood
But this will result in denial of service of a lot of "legitimate" traffic.
I try to increate the limits to bigger values it still does not work,
primarily my firewall is also doubling as a router across subnet
and there are a lot of traffic.
Any advise or comments ?
_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
^ permalink raw reply [flat|nested] 2+ messages in thread* Re: [LARTC] syn flood protection - inside initiated attacks
2005-03-23 8:45 [LARTC] syn flood protection - inside initiated attacks Ming-Ching Tiew
@ 2005-03-23 10:02 ` Nguyen Dinh Nam
0 siblings, 0 replies; 2+ messages in thread
From: Nguyen Dinh Nam @ 2005-03-23 10:02 UTC (permalink / raw)
To: lartc
IMO, you have to --limit for each of the computer separately (1 chain
for each IP address), otherwise you will block both the instruder and
the legitimate users.
Perhaps the better solution is to install an IDS and completely block
instruder, wait until he/she contacts you and ask for worm removal
before removing the blockage.
Ming-Ching Tiew wrote:
>Perhaps someone will help me on this :-
>
>I have read a lot of examples of syn flood protect on the INPUT chain.
>That I have no question at all.
>
>I wonder if it make sense to perform syn flood protection
>at the FORWARD chain ? If packets are originated from a
>LAN worm, and are not targetted at the firewall itself, but
>rather at hosts in the internet, will it cause problem with
>the firewall itself, such as iptables connection table full etc ?
>
>I tried to do it, to be specific, I tried this :-
>
> iptables -N lan-syn-flood
> iptables -A lan-syn-flood -m limit --limit 1/s --limit-burst 4 -j RETURN
> iptables -A lan-syn-flood -j DROP
>
>Hook it to FORWARD chain,
>
> iptables -I FORWARD -p tcp --syn -j lan-syn-flood
>
>But this will result in denial of service of a lot of "legitimate" traffic.
>I try to increate the limits to bigger values it still does not work,
>primarily my firewall is also doubling as a router across subnet
>and there are a lot of traffic.
>
>Any advise or comments ?
>
>
_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2005-03-23 10:02 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2005-03-23 8:45 [LARTC] syn flood protection - inside initiated attacks Ming-Ching Tiew
2005-03-23 10:02 ` Nguyen Dinh Nam
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.