
Re: Fwd: iptables and networking



On Sun, Jun 30, 2013 at 08:20:48PM +0200, Pascal Hambourg wrote:
> staticsafe wrote:
> > On Sun, Jun 30, 2013 at 03:15:47PM +0200, Pascal Hambourg wrote:
> >> Redalert Commander wrote:
> >>> ---------- Forwarded message ----------
> >>> From: Igor Cicimov
> >>>
> >>>> You can block repeated attempts to log in with iptables using the
> >>>> 'recent' module, an alternative is 'fail2ban', which monitors your
> >>>> server logs (ssh, apache, and others) for failed login attempts and then
> >>>> adds an iptables rule for the offending IP.
> >>
> >> The 'recent' match is vulnerable to source IP address spoofing and can
> >> be abused to cause a DoS for the spoofed address. fail2ban is much less
> >> vulnerable to such attacks.
> 
> Jerry Stuckle wrote:
> > I don't understand this statement. How is 'recent' more vulnerable to
> > source IP address spoofing than fail2ban? Both depend only on the
> > supplied address.
> 
> The ruleset using the 'recent' match is based only on TCP packets with
> the NEW state, i.e. the initial SYN. A single SYN packet can be easily
> forged with a spoofed source address. Fail2ban is based on
> authentication failures, which first requires a TCP connection to be
> established with the 3-way handshake. As it involves a positive reply
> from the spoofed address, this is much harder to achieve, unless the
> attacker is in a special position on the network.
> 
> > And how can recent 'be abused to cause a DoS...' any more than fail2ban?
> 
> This is just the consequence of the above.
> 
> > IP address spoofing with TCP, what?
> 
> Yes.
> 
> > That only works with UDP.
> 
> No. It works with any mechanism which is based on a simple packet
> instead of a real "stateful" connection (including a positive reply).
> Which is the case here, see below.
> 
> > (Hint - three way handshake for TCP).
> 
> As I wrote above, the proposed rulesets using the 'recent' and 'limit'
> matches are only based on the initial SYN packets. They do not care
> about the 3-way handshake.
> 

Ah, that clarifies quite a bit, thanks.

On that topic, if you are getting flooded with SYNs, it is a good idea
to enable syncookies (kernel option).
-- 
staticsafe
O< ascii ribbon campaign - stop html mail - www.asciiribbon.org
Please don't top post.
Please don't CC! I'm subscribed to whatever list I just posted on.
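The kind of 'recent'-based SSH rate limit the thread is discussing, together with the syncookies setting mentioned at the end, as an added example: this is not code from the thread or from any of its participants. The chain, port, list name, thresholds and the IPT/SSH_PORT/APPLY variable names are my assumptions; by default the script only prints the commands it would run.

```shell
#!/bin/sh
# Added example, not from the thread. Dry-run by default: commands are
# printed rather than executed unless APPLY=1 is set in the environment.
IPT=${IPT:-iptables}        # assumed binary name
SSH_PORT=${SSH_PORT:-22}    # assumed port

run() {
    if [ "${APPLY:-0}" = "1" ]; then "$@"; else printf '%s\n' "$*"; fi
}

ssh_recent_rules() {
    # Both rules match only a connection's first packet (conntrack state NEW,
    # i.e. the initial SYN). No handshake has to complete for a packet to hit
    # them, so a forged SYN carrying another host's source address is counted
    # against that address; this is the weakness Pascal describes above.
    # 1) record the source address in the 'sshbf' list
    run "$IPT" -A INPUT -p tcp --dport "$SSH_PORT" -m conntrack --ctstate NEW \
        -m recent --name sshbf --set
    # 2) drop the 4th new connection from that address within 60 seconds;
    #    --update also refreshes the timestamp, so continued SYNs keep
    #    the address blocked
    run "$IPT" -A INPUT -p tcp --dport "$SSH_PORT" -m conntrack --ctstate NEW \
        -m recent --name sshbf --update --seconds 60 --hitcount 4 -j DROP
}

syn_flood_hardening() {
    # The kernel option from the end of the thread: answer a SYN flood with
    # SYN cookies instead of letting the half-open backlog fill up.
    run sysctl -w net.ipv4.tcp_syncookies=1
}

ssh_recent_rules
syn_flood_hardening
```

Note that fail2ban does not replace these rules' logic; it only inserts a DROP rule after an authentication failure has been logged, which needs a completed handshake first.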

