RE: attacks

To: <firewall38@lycos.com>, "'debian'" <debian-firewall@lists.debian.org>
Subject: RE: attacks
From: "Jeff Bonner" <jeff@integralogic.com>
Date: Tue, 4 Jun 2002 12:23:47 -0400
Message-id: <[🔎] 000e01c20be4$39839950$0200a8c0@JEFF>
In-reply-to: <[🔎] HAANBBFNJICMMAAA@mailcity.com>

> -----Original Message-----
> From: sim ton [mailto:firewall38@lycos.com] 
> Sent: Tuesday, June 04, 2002 11:09 AM
> To: debian
> Subject: attacks

A couple of opinions here; I'm no expert on any of this, so take
these with a grain of salt:

> * to protect against ping of DEATH :
> $IPTABLES --append FORWARD -p icmp --icmp-type echo-request 
> --match limit --limit 1/s --jump ACCEPT

That's how it's shown in the documentation for iptables, so I
hope it works.  ;)  You've got the options spelled out in full
(--append instead of -A, --jump instead of -j) but otherwise it
looks okay to me.

You probably want to add some route verification too:

  for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
      echo 1 > $f
  done

> * to protect against UDP flooding :
> i don't know yet, i heard about udp flood with chargen(19) 
> and echo(7), must i forbid these ports ??

These (along with discard[9]) are diagnostic ports that I would
venture to say, nobody uses anymore; for example, ICMP is used
now instead of echo.  In fact, they've been removed from NT due
to the DoS aspects.  I would make sure they are turned off in
your inetd/xinetd, because I *have* seen them pop up as enabled
in a default installation.

If you want to know how they could be exploited, have a look at:

   http://www.iss.net/security_center/static/36.php
   http://www.cert.org/advisories/CA-1996-01.html

That having been said, see the last comment at bottom...

> * to protect against tiny fragments and frangment overlapping 
> nothing yet... the only thing i know is that i can't forbid 
> incoming fragment packet... 

I guess you could have -f in a rule.  However, there may be some
implications when using NAT, since all the packets get reassembled
first anyway.  But my understanding of this is limited.  To quote
the docs:

  "If you are doing connection tracking or NAT, then all
   fragments will get merged back together before they reach
   the packet filtering code, so you need never worry about
   fragments."

> last thing i heard an attack on port 0 with UDP
> can i forbid this port ? what is port 0 ?
> is true ?

I'm not really sure what port 0 is used for; one site referred
to ICMP Click as a possible exploit, but IANA just shows it as
simply "reserved".  I hope someone else can clarify what it's
for.

Anyway, what I would do is block TCP & UDP 0-19.  This tosses
"port 0", as well as tcpmux, compressnet, rje, echo, discard,
systat, daytime, netstat, qotd, msp, and chargen all at once:

  $IPTABLES -A INPUT -i eth0 -p tcp --dport 0:19 -j DROP
  $IPTABLES -A INPUT -i eth0 -p udp --dport 0:19 -j DROP

I specified the interface, just in case netstat somehow may
get blocked on the internal machines or the localhost... this
may not be necessary and you can experiment accordingly.

HTH,

Jeff Bonner



-- 
To UNSUBSCRIBE, email to debian-firewall-request@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

Reply to:

Follow-Ups:
- Re: attacks
  - From: Mark Ferlatte <ferlatte@cryptio.net>

References:
- attacks
  - From: "sim ton" <firewall38@lycos.com>

Prev by Date: attacks
Next by Date: Re: attacks
Previous by thread: attacks
Next by thread: Re: attacks
Index(es):
- Date
- Thread