From: Sorin Panca <sorin.panca@gmail.com>
Cc: netfilter@lists.netfilter.org
Subject: Re: network flood imunity
Date: Wed, 21 Dec 2005 15:09:12 +0200
Message-ID: <43A953F8.2040907@gmail.com>
In-Reply-To: <43A94A49.60506@vip.cybercity.dk>
Mogens Valentin wrote:
> Sorin Panca wrote:
>
>> Hi!
>> I have a network with no natting and I would like to develop a rule set
>> for flood protection of some windows stations. Recently one station was
>> flooded while it was powered off (for me this is an incomprehensible
>> situation / act).
>
> Ehh? Flooded while powered off? Says who? Your ISP? If they can see
> YOUR IP getting spoofed (while powered off), they -may- have a
> problem with overlapping customer IPs; I've seen that before :)
Tell that to my boss! :) As far as he is concerned that flood is my
fault and the ISP is always right... And I should do something for that
matter. (That is why I asked you guys.)
>
>> My ISP added a filter against my station and I can't
>> access the internet on it now. The server is running kernel 2.4.22-10mdk
>> with mandrake-<some.version> and iptables-1.2.8. I tried to replace it
>> (the server) but due to unknown reasons, I failed three times. And I
>> gave up.
>> If someone has an idea of how I can protect the server in this
>> configuration against floods, I would be very happy to learn.
>
> I haven't got time for rule examples, but you may find the following
> /proc settings quite helpful:
>
> # Disable ICMP echo-request to broadcast addresses (Smurf amplifier):
> echo "1" >/proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
>
> # Enable syn-cookies (prevent syn-flood attacks):
> echo "1" >/proc/sys/net/ipv4/tcp_syncookies
>
> # Reduce number of possible SYN Floods:
> echo "1024" >/proc/sys/net/ipv4/tcp_max_syn_backlog
>
> # Enable defrag error protection:
> echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
>
> # Enable time-wait assassination hazards in tcp (RFC 1337):
> echo "1" >/proc/sys/net/ipv4/tcp_rfc1337
>
> # Prevent remote digging of OS-type and uptime (RFC1323):
> #echo "1" >/proc/sys/net/ipv4/tcp_timestamps # enable timestamps
> echo "0" >/proc/sys/net/ipv4/tcp_timestamps # disable timestamps
>
> # Disable RFC2018 TCP Selective Acknowledgements:
> echo 0 > /proc/sys/net/ipv4/tcp_sack
>
> # Sourcerouting and spoofing:
> for i in /proc/sys/net/ipv4/conf/*; do
>     # Drop all source-routed packets:
>     echo "0" >$i/accept_source_route
>
>     # Deactivate normal ICMP redirect accept/send:
>     echo "0" >$i/accept_redirects
>     echo "0" >$i/send_redirects
>
>     # Activate secure ICMP redirects (send only?) (on by default):
>     echo "1" >$i/secure_redirects
>
>     # Enable ingress + egress source-address verification (prevent spoofing):
>     #echo "0" >$i/rp_filter # disable
>     echo "1" >$i/rp_filter # enable
> done
>
> # Log spoofed, source routed and redirect packets:
> #echo 1 >/proc/sys/net/ipv4/conf/all/log_martians
> echo 0 >/proc/sys/net/ipv4/conf/all/log_martians
>
I'll try these. Thank you!
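The sysctl list above is a set of blind writes with no way to see whether the box actually holds those values afterwards. As an added example (not code from the thread or from the netfilter project), here is a POSIX sh audit that compares a /proc/sys tree against the flood-related values Mogens listed and reports drift instead of writing. The function name audit_tree and the parameterised tree root are my own choices; tcp_timestamps and tcp_sack are left out because switching them off is a performance trade-off rather than flood protection.

```shell
#!/bin/sh
# Added example, not code from the thread: audit a /proc/sys tree against the
# flood-hardening values Mogens listed, reporting drift instead of writing
# blindly. The tree root is a parameter so the check can run against the live
# /proc/sys or a copied/constructed tree (useful for testing off-box).

# Expected settings as "relative-path value" pairs (values from the thread).
expected_settings() {
    cat <<'EOF'
net/ipv4/icmp_echo_ignore_broadcasts 1
net/ipv4/tcp_syncookies 1
net/ipv4/tcp_max_syn_backlog 1024
net/ipv4/icmp_ignore_bogus_error_responses 1
net/ipv4/tcp_rfc1337 1
net/ipv4/conf/all/accept_source_route 0
net/ipv4/conf/all/accept_redirects 0
net/ipv4/conf/all/send_redirects 0
net/ipv4/conf/all/rp_filter 1
EOF
}

# audit_tree ROOT: print one line per deviation and return the number of
# deviations (0 means every key matches). A missing key counts as a
# deviation too: an absent file means the kernel does not offer that knob,
# so the protection is silently not there.
audit_tree() {
    root=$1
    count=0
    while read -r rel want; do
        f="$root/$rel"
        if [ -r "$f" ]; then
            have=$(cat "$f")
        else
            have=missing
        fi
        if [ "$have" != "$want" ]; then
            printf '%s current=%s expected=%s\n' "$rel" "$have" "$want"
            count=$((count + 1))
        fi
    done <<EOF
$(expected_settings)
EOF
    return "$count"
}

# Usage: sh audit.sh /proc/sys   (exit status = number of deviations)
if [ $# -gt 0 ]; then
    audit_tree "$1"
fi
```

On modern kernels rp_filter may legitimately read 2 (loose mode), which this audit reports as drift; treat the output as a list to review, not a list to blindly fix.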
Thread overview:
2005-12-20 11:57 network flood imunity Sorin Panca
2005-12-21 2:09 ` ludi
2005-12-21 13:04 ` Sorin Panca
2005-12-21 12:27 ` Mogens Valentin
2005-12-21 13:09 ` Sorin Panca [this message]
2005-12-21 15:33 ` TheGesus