From: "Jon Anderson" <jon-anderson@rogers.com>
To: Netfilter Mailing List <netfilter@lists.netfilter.org>
Subject: Blocking hosts on the fly...?
Date: Wed, 30 Oct 2002 20:35:16 -0500
Message-ID: <002c01c2807d$c4d5abc0$0300000a@hypnos>
In-Reply-To: 878z0qjelg.fsf@ataraxia.vodkafone.de
I was playing around with my firewall yesterday, and I had a thought...Would
it be possible to block portscans on the fly (i.e. as they happen, block the
offending host)?
It's easy enough to foil invalid packet portscans (i.e. invalid state), but
syn and connect() scans are a little more annoying...They can be blocked (in
an unusable way) with the following:
# iptables -A INPUT -p tcp --syn -m limit --limit 1/s -j ACCEPT
# iptables -A INPUT -p tcp --syn -j REJECT --reject-with tcp-reset
That of course would allow one syn packet per second (plus burst, but I'll
ignore that for now), and packets beyond that would be sent a tcp-rst -
making open or closed ports look closed after a burst of syn packets is
detected. This effectively blocks the port scan (because everything after
1/s + burst looks closed). I tested this with nmap -sS, and it does in fact
trick it into thinking all ports are closed.
Doing it this way obviously doesn't work though, because this makes DoS
attacks real easy, and prevents more than one connection a second, even from
legitimate users. This obviously isn't a working solution.
This leads me to wonder if it's possible to block hosts on the fly - is
there a way to say something like allow one syn packet per second, per host,
and if more than 1/s block that host?
Hope that question makes some sense...And I hope there's an iptables based
solution to this!
Cheers,
jon anderson
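What the post asks for, a SYN budget tracked per source address rather than one global `-m limit` bucket, can be built with the iptables `recent` match. The script below is an added example, not part of the original message or of the netfilter project; it assumes a kernel and iptables build that provide the `recent` match, and the chain name SYNGUARD, the list names synrate and synblock, and the thresholds are illustrative choices, not values from the thread.

```bash
#!/bin/sh
# Per-source SYN rate limiting with the iptables "recent" match.
# Added example, not from the original thread. Assumes a kernel and
# iptables build that provide the "recent" match (ipt_recent).
#
# Unlike the global "-m limit" rule in the post, the state here is keyed
# by source address: a scanner that burns its own budget gets dropped,
# while other clients keep connecting normally.

# Tunables (constructed defaults; tune for the site's real traffic).
SYN_WINDOW=${SYN_WINDOW:-1}            # seconds over which SYNs per source are counted
SYN_HITS=${SYN_HITS:-4}                # SYNs from one source inside the window that trigger a block
BLOCK_SECONDS=${BLOCK_SECONDS:-600}    # idle time before a blocked source is let back in
TRUSTED_NET=${TRUSTED_NET:-}           # optional CIDR that is never rate limited
IPTABLES=${IPTABLES:-iptables}

# gen_rules: print the rule set, one iptables invocation per line.
# Rule order inside SYNGUARD matters:
#   1. already-blocked sources are dropped, and --update refreshes their
#      timestamp, so a host that keeps scanning stays blocked;
#   2. --set records this SYN for the source;
#   3. --rcheck then counts SYNs (this one included) in the last
#      SYN_WINDOW seconds; reaching SYN_HITS puts the source on the
#      synblock list and drops the packet.
gen_rules() {
    echo "$IPTABLES -N SYNGUARD"
    echo "$IPTABLES -A INPUT -p tcp --syn -j SYNGUARD"
    if [ -n "$TRUSTED_NET" ]; then
        echo "$IPTABLES -A SYNGUARD -s $TRUSTED_NET -j RETURN"
    fi
    echo "$IPTABLES -A SYNGUARD -m recent --name synblock --update --seconds $BLOCK_SECONDS -j DROP"
    echo "$IPTABLES -A SYNGUARD -m recent --name synrate --set"
    echo "$IPTABLES -A SYNGUARD -m recent --name synrate --rcheck --seconds $SYN_WINDOW --hitcount $SYN_HITS -m recent --name synblock --set -j DROP"
    echo "$IPTABLES -A SYNGUARD -j RETURN"
}

# apply_rules: execute the generated rules (needs root and the modules).
apply_rules() {
    gen_rules | sh -e
}

# With no argument the script only prints the rules for review;
# "apply" installs them.
case "${1:-print}" in
    apply) apply_rules ;;
    *)     gen_rules ;;
esac
```

Run it without arguments to review the rules, then `sh syn_guard.sh apply` as root. Two caveats worth keeping in mind: the `recent` match keys on the source address it sees, so an attacker who spoofs SYNs from a third party's address can get that address blocked (hence the TRUSTED_NET exemption for hosts you cannot afford to lock out), and the per-list entry count is bounded by the module's `ip_list_tot` parameter, so a flood from many sources will cycle entries out of the table. The thresholds are deliberately easy to change: a browser opening several parallel connections can legitimately send more than a few SYNs in one second, so measure real traffic before settling on SYN_HITS and SYN_WINDOW. DROP is used rather than the post's `REJECT --reject-with tcp-reset`; swap the target if you prefer scanned ports to look closed rather than filtered.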
Thread overview: 2+ messages
2002-10-30 22:31 Found weird packets using ULOG accounting Hilko Bengen
2002-10-31 1:35 ` Jon Anderson [this message]