From: Nemeth Denes <nemeth.denes@iit.bme.hu>
To: netfilter@vger.kernel.org
Subject: Re: Howto match the 3rd packet in the 3way handshake
Date: Sun, 28 Feb 2010 12:03:36 +0100 [thread overview]
Message-ID: <4B8A4D88.5060901@iit.bme.hu> (raw)
In-Reply-To: <4B8A44FE.7010202@chello.at>
Dear All
This is a good idea,
"But I think you could construct something that matches those hosts which
sent a SYN and continue with INVALID state traffic.
1: put tcp syn into a recent set.
2: match for hosts in the set with state INVALID."
, but the real question is what does INVALID mean, because if it will
also match case where Y!=A+1, than it will allow an attacker to
perform a DoS by easily spoofing valid IP addresses, which will get
dropped (sitewide)
Best wishes,
Denes
Mart Frauenlob wrote:
> On 28.02.2010 10:58, netfilter-owner@vger.kernel.org wrote:
>
>> Dear All,
>>
>> The situation is the following: We have two host A and B, A sends B a
>> SYN packet with a spoofed IP address,
>> since the source IP is spoofed B will not receive the 2. packet of the
>> handshake, but is able
>>
>
> it think you mean A?
>
yes sorry typo
>> to send back the 3rd: an ACK packet with an invalid acknowledgement
>> number. How is it
>> possible distinguish connections in which the source IP is spoofed in
>> this way.
>>
>> 1. A ->B : SYN(IP_X, seq(A))
>> 2. B ->A : SYN_ACK(IP_X, ack(A), seq(B))
>> 3. A ->B : ACK(IP_X. seq(A+1), ack(Y))
>>
>> How is it possible to match the 3rd packet if Y=A+1, and Y!=A+1?
>>
>> I would like to use this for the following. Let us assume that port 222
>> is a normally closed port, and
>> B executed a port scan on that port.
>>
>> iptables -A INPUT -p tcp --dport 222 -match <connections in which source
>> IP can be spoofed> -g DROP
>> iptables -A INPUT -p tcp --dport 222 <execute site wide preventive
>> actions against the IP address: iptables -I INPUT -src THISSRC -j DROP>
>>
>> Thanks Denes
>>
>
>
> I do not think it is possible to match on spoofed IP addresses.
> But I think you could construct something that matches those hosts which
> sent a SYN and continue with INVALID state traffic.
>
> 1: put tcp syn into a recent set.
> 2: match for hosts in the set with state INVALID.
>
> Questioning it all:
> A simple -m state --state INVALID -j DROP should silently discard all those.
>
> Best regards
>
> Mart
>
> --
> To unsubscribe from this list: send the line "unsubscribe netfilter" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at http://vger.kernel.org/majordomo-info.html
>
next prev parent reply other threads:[~2010-02-28 11:03 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2010-02-28 9:57 Howto match the 3rd packet in the 3way handshake Nemeth Denes
2010-02-28 10:27 ` Mart Frauenlob
2010-02-28 11:03 ` Nemeth Denes [this message]
2010-02-28 11:36 ` Mart Frauenlob
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4B8A4D88.5060901@iit.bme.hu \
--to=nemeth.denes@iit.bme.hu \
--cc=netfilter@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox