Re: counteracting an attack?

To: Pierfrancesco Caci <p.caci@tin.it>
Cc: debian-firewall@lists.debian.org
Subject: Re: counteracting an attack?
From: Erich Schubert <erich.schubert@mucl.de>
Date: 17 Feb 2001 20:34:25 +0100
Message-id: <[🔎] 20010217193425.E9728479FA@erich>
In-reply-to: <[🔎] 87lmr5cfuq.fsf@penny.ik5pvx.ampr.org>

> Hello, is there a way to have iptables call a script if a particular
> rule gets hit too often? 
> I'm thinking of a script that automatically executes a
> whois/traceroute, to help track down dialup offenders.

I would consider this kind of "counteracting" als not good.
Any offensive countermeasures should be manually triggered, in order to
prevent DoS attacks and abuse of your countermeasures.
(p.e. triggering your rules with a wrong ip etc.)

A nice tool for such things is "portsentry".
I use it on one server of mine: if someone does a portscan on the
machine, the firewall goes up for that IP and blocks anything except
ssh.
(and i get a sms notfication)
Of course this could be abused as well: send packets with wrong source
IPs in order to trigger the firewall block for other's.
Or try to cause a buffer overflow in ipchains / portsentry by triggering
it too often with lots of differents IPs.
So this needs to be monitored, too.

Greetings,
Erich

Reply to:

Follow-Ups:
- Re: counteracting an attack?
  - From: Casper <casper@huiscomputer.homeip.net>

References:
- counteracting an attack?
  - From: Pierfrancesco Caci <ik5pvx@penny.ik5pvx.ampr.org>

Prev by Date: counteracting an attack?
Next by Date: Re: NFS mounts: security hole on firewall?
Previous by thread: counteracting an attack?
Next by thread: Re: counteracting an attack?
Index(es):
- Date
- Thread