From: Mogens Valentin <monz@danbbs.dk>
To: "Taylor, Grant" <gtaylor@riverviewtech.net>
Cc: netfilter@lists.netfilter.org
Subject: Re: How to stop the flood?
Date: Sun, 01 May 2005 02:59:56 +0200 [thread overview]
Message-ID: <42742A0C.5040808@danbbs.dk> (raw)
In-Reply-To: <4271A606.9090504@riverviewtech.net>
Taylor, Grant wrote:
> Rikunj wrote:
>
>> Moreover they change the attacking src and dst ports making it hard to
>> pinpoint them.
>
> Do they change the source and / destination ports or IP addresses?
> Either way, you should be able to get the DHCP server to log what MAC
> has what IP address. As this would be an on going log you could look
> back and see who had what IP at what time to find the MAC. With the
> known MAC of the attacker at any give time you could then look in your
> log to see what IP is associated with that MAC at present. Thus you
> know what IP an attacker has presently, if it has changed from the prior
> IP. You could even temporarily block this IP from being able to do any
> thing on the internet and thus provoking a call from them thus making
> them stand out in the crowd.
If clients can change IP's on the fly, they can change MAC's all the
same. Of cause, arranging DHCP on a per-client-based-on-MAC scheme will
catch this behavior (which you more or less pointed out).
> ...One tip that I can give you would be to have rule like
> the following:
>
> iptables -t filter -A FORWARD -p tcp --dport 143
>
> You would want this rule, with out a jump target (-j...), to act as a
> counter to see if you do have any traffic like this at all with out
> interfering with the rest of your firewall. If you put such rules above
> any other rules that would effect the FORWARD chain you will get a
> decent counter. I would be tempted to modify the rule slightly, as such:
>
> iptables -t filter -A FORWARD -i $Client_1 -s $Client_1_Subnet -p tcp
> --dport 143
>
> This will let you know how much traffic to port 143 (IMAP) Client #1 is
> sending.
So you chose IMAP merely as an example.. Meaning you'd do similarly for
other services if interest, right? Good idea, tnx.
--
Kind regards,
Mogens Valentin
next prev parent reply other threads:[~2005-05-01 0:59 UTC|newest]
Thread overview: 16+ messages / expand[flat|nested] mbox.gz Atom feed top
2005-04-28 13:35 How to stop the flood? Rikunj
2005-04-28 14:16 ` Jason Opperisano
2005-04-28 14:47 ` Rikunj
2005-04-28 15:47 ` Rob Sterenborg
2005-04-28 15:54 ` Dwayne Hottinger
2005-04-28 17:10 ` Rikunj
2005-04-29 3:12 ` Taylor, Grant
2005-04-29 13:17 ` Rikunj
2005-05-01 0:59 ` Mogens Valentin [this message]
2005-05-01 19:19 ` Taylor, Grant
2005-04-28 21:50 ` R. DuFresne
2005-04-28 21:58 ` wkc
2005-04-28 22:04 ` Dwayne Hottinger
2005-04-28 17:54 ` Rikunj
2005-04-28 16:35 ` Jason Opperisano
2005-04-28 20:16 ` Taylor, Grant
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=42742A0C.5040808@danbbs.dk \
--to=monz@danbbs.dk \
--cc=gtaylor@riverviewtech.net \
--cc=netfilter@lists.netfilter.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox