From: Mogens Valentin <monz@danbbs.dk>
To: "Taylor, Grant" <gtaylor@riverviewtech.net>
Cc: netfilter@lists.netfilter.org
Subject: Re: How to stop the flood?
Date: Sun, 01 May 2005 02:59:56 +0200
Message-ID: <42742A0C.5040808@danbbs.dk>
In-Reply-To: <4271A606.9090504@riverviewtech.net>
Taylor, Grant wrote:
> Rikunj wrote:
>
>> Moreover they change the attacking src and dst ports making it hard to
>> pinpoint them.
>
> Do they change the source and / or destination ports or IP addresses?
> Either way, you should be able to get the DHCP server to log what MAC
> has what IP address. As this would be an ongoing log you could look
> back and see who had what IP at what time to find the MAC. With the
> known MAC of the attacker at any given time you could then look in your
> log to see what IP is associated with that MAC at present. Thus you
> know what IP an attacker has presently, if it has changed from the prior
> IP. You could even temporarily block this IP from being able to do
> anything on the internet, thus provoking a call from them and making
> them stand out in the crowd.
If clients can change IPs on the fly, they can change MACs all the
same. Of course, arranging DHCP on a per-client-based-on-MAC scheme will
catch this behavior (which you more or less pointed out).
> ...One tip that I can give you would be to have rule like
> the following:
>
> iptables -t filter -A FORWARD -p tcp --dport 143
>
> You would want this rule, without a jump target (-j...), to act as a
> counter to see if you do have any traffic like this at all without
> interfering with the rest of your firewall. If you put such rules above
> any other rules that would affect the FORWARD chain you will get a
> decent counter. I would be tempted to modify the rule slightly, as such:
>
> iptables -t filter -A FORWARD -i $Client_1 -s $Client_1_Subnet -p tcp
> --dport 143
>
> This will let you know how much traffic to port 143 (IMAP) Client #1 is
> sending.
So you chose IMAP merely as an example... Meaning you'd do similarly for
other services of interest, right? Good idea, tnx.
--
Kind regards,
Mogens Valentin
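Reading those counters back is the other half of the technique. As an added example (not code from the thread), the Python below parses `iptables -t filter -L FORWARD -v -n -x` output, keeps only the target-less counter rules, and flags the client whose port-143 counter jumped between two snapshots; the interface names, subnets and counts are constructed, and the blank target column that such rules print is the edge case it handles.

```python
"""Read back target-less "counter" rules from `iptables -L FORWARD -v -n -x` output.
Added example, not from the thread; interfaces, subnets and counts are constructed.
Edge case: a rule with no jump target prints a blank target column, shifting fields."""

PROTOCOLS = {"tcp", "udp", "udplite", "icmp", "esp", "ah", "sctp", "all"}
# Constructed snapshots of the FORWARD chain with the counter rules on top.
SNAPSHOT_T0 = """\
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
     120     96000            tcp  --  eth1   *       192.168.1.0/24       0.0.0.0/0            tcp dpt:143
      30     24000            tcp  --  eth2   *       192.168.2.0/24       0.0.0.0/0            tcp dpt:143
    5000   4000000 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
"""
SNAPSHOT_T1 = """\
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
   90120  72096000            tcp  --  eth1   *       192.168.1.0/24       0.0.0.0/0            tcp dpt:143
      45     36000            tcp  --  eth2   *       192.168.2.0/24       0.0.0.0/0            tcp dpt:143
    5400   4300000 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
"""

def parse_counter_rules(listing):
    """Map (in_iface, source, match) -> (pkts, bytes) for rules without a jump target."""
    rules = {}
    for line in listing.splitlines():
        fields = line.split()
        if len(fields) < 8 or not fields[0].isdigit():
            continue  # chain header or column header line
        pkts, nbytes = int(fields[0]), int(fields[1])
        if fields[2] not in PROTOCOLS:
            continue  # fields[2] is a real target (ACCEPT, DROP, ...), not a counter rule
        prot, _opt, in_if, _out_if, src, _dst = fields[2:8]  # blank target: prot is fields[2]
        match = " ".join(fields[8:])  # e.g. "tcp dpt:143"
        rules[(in_if, src, match)] = (pkts, nbytes)
    return rules

def flag_bursts(before, after, pkt_threshold):
    """Return [(key, pkt_delta, byte_delta)] for counters that grew past the threshold."""
    flagged = []
    for key, (p1, b1) in after.items():
        p0, b0 = before.get(key, (0, 0))
        if p1 - p0 > pkt_threshold:
            flagged.append((key, p1 - p0, b1 - b0))
    return flagged

if __name__ == "__main__":
    t0, t1 = parse_counter_rules(SNAPSHOT_T0), parse_counter_rules(SNAPSHOT_T1)
    for (in_if, src, match), dp, db in flag_bursts(t0, t1, 1000):
        print(f"{in_if} {src} ({match}): +{dp} pkts, +{db} bytes between snapshots")
```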