
What is this? A DOS attack?



I noticed it today with a tail -f syslog. Since 7 October my log has been
full of these messages generated by iptables:

...
Dropping: IN=ppp0 OUT= MAC= SRC=80.186.168.191 DST=80.183.122.125 LEN=92
TOS=0x00 PREC=0x00 TTL=113 ID=55768 PROTO=ICMP TYPE=8 CODE=0 ID=512
SEQ=29289
...

About one per second. I was wondering what they are. I tried a whois,
but the information I get is not much use to me.

Anyway, this is the script I use for iptables (from the Security
Quickstart HOWTO):

#!/bin/sh
IPTABLES=/sbin/iptables
WAN_IFACE="ppp0"
ANYWHERE="0/0"
modprobe ip_conntrack_ftp
# Let's start clean and flush all chains to an empty state.
$IPTABLES -F  
# Set the default policies of the built-in chains. If no match for any 
# of the rules below, these will be the defaults that IPTABLES uses.
$IPTABLES -P FORWARD DROP
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P INPUT DROP
# Accept localhost/loopback traffic.
$IPTABLES -A INPUT -i lo -j ACCEPT
# ICMP rules, allow the bare essential types of ICMP only. Ping
# request is blocked, ie we won't respond to someone else's pings,
# but can still ping out.
$IPTABLES -A INPUT  -p icmp  --icmp-type echo-reply \
   -s $ANYWHERE -i $WAN_IFACE -j ACCEPT
$IPTABLES -A INPUT  -p icmp  --icmp-type destination-unreachable \
   -s $ANYWHERE -i $WAN_IFACE -j ACCEPT
$IPTABLES -A INPUT  -p icmp  --icmp-type time-exceeded \
   -s $ANYWHERE -i $WAN_IFACE -j ACCEPT
###################################################################
# Set the catchall, default rule to DENY, and log it all. All other
# traffic not allowed by the rules above, winds up here, where it is
# blocked and logged. This is the default policy for this chain
# anyway, so we are just adding the logging ability here with '-j
# LOG'. Outgoing traffic is allowed as the default policy for the
# 'output' chain. There are no restrictions on that.
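# Accept packets that belong to, or are related to, existing connections.
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Accept new connections on any interface except the WAN one. The "!"
# goes before -i; the older "-i ! iface" form is deprecated.
$IPTABLES -A INPUT -m state --state NEW ! -i $WAN_IFACE -j ACCEPT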
$IPTABLES -A INPUT -j LOG -m limit --limit 30/minute --log-prefix "Dropping: "


The script should be fine.
What do you think? Does this happen to you too? Should I worry?

Bye
-- 
Leonardo Canducci - lcanducci@libero.it
GPG Key ID: 429683DA
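
An added example, not part of the original post: one way to see what the "Dropping: " entries consist of is to tally them by source address, protocol and ICMP type, using the field layout shown in the log excerpt above. The function names `summarize_drops` and `sample_log` and the sample lines (documentation-range addresses) are constructed for illustration.

```shell
#!/bin/sh
# Tally iptables LOG lines carrying the "Dropping: " prefix by source,
# protocol and ICMP type/code (or destination port for TCP/UDP).
# Reads syslog lines on stdin, prints "count src proto detail".
summarize_drops() {
    awk '
    /Dropping: / {
        split("", f)                      # reset the per-line field table
        for (i = 1; i <= NF; i++) {
            n = index($i, "=")
            if (n == 0) continue          # flags such as DF or SYN
            key = substr($i, 1, n - 1)
            # Keep the first value only: ICMP errors log the embedded
            # packet in [...] after the outer header.
            if (!(key in f)) f[key] = substr($i, n + 1)
        }
        if (!("SRC" in f) || !("PROTO" in f)) next   # truncated line
        if (f["PROTO"] == "ICMP") detail = "type=" f["TYPE"] "/code=" f["CODE"]
        else detail = "dpt=" f["DPT"]
        count[f["SRC"] " " f["PROTO"] " " detail]++
    }
    END { for (k in count) print count[k], k }
    ' | sort -k1,1nr -k2
}

# Constructed sample lines (documentation-range addresses), not real logs.
sample_log() {
    cat <<'EOF'
Oct  7 10:00:01 gw kernel: Dropping: IN=ppp0 OUT= MAC= SRC=192.0.2.10 DST=198.51.100.5 LEN=92 TOS=0x00 PREC=0x00 TTL=113 ID=55768 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=29289
Oct  7 10:00:02 gw kernel: Dropping: IN=ppp0 OUT= MAC= SRC=192.0.2.10 DST=198.51.100.5 LEN=92 TOS=0x00 PREC=0x00 TTL=113 ID=55769 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=29545
Oct  7 10:00:03 gw pppd[412]: rcvd [LCP EchoRep id=0x1 magic=0x0]
Oct  7 10:00:04 gw kernel: Dropping: IN=ppp0 OUT= MAC= SRC=192.0.2.77 DST=198.51.100.5 LEN=48 TOS=0x00 PREC=0x00 TTL=110 ID=4242 DF PROTO=TCP SPT=3012 DPT=135 WINDOW=8760 RES=0x00 SYN URGP=0
Oct  7 10:00:05 gw kernel: Dropping: IN=ppp0 OUT= MAC= SRC=192.0.2.10 DST=198.51.100.5 LEN=92 TOS=0x00 PREC=0x00 TTL=113 ID=55770 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=29801
Oct  7 10:00:06 gw kernel: Dropping: IN=ppp0 OUT= MAC= SRC=192.0.2.77 DST=198.51.100.5 LEN=48 TOS=0x00 PREC=0x00 TTL=110 ID=4243 DF PROTO=TCP SPT=3013 DPT=135 WINDOW=8760 RES=0x00 SYN URGP=0
Oct  7 10:00:07 gw kernel: Dropping: IN=ppp0 OUT= MAC= SRC=192.0.2.99 DST=198.51.100.5 LEN=56 TOS=0x00 PREC=0x00 TTL=240 ID=1 PROTO=ICMP TYPE=5 CODE=1 [SRC=198.51.100.5 DST=203.0.113.9 LEN=40 TOS=0x00 PREC=0x00 TTL=63 ID=7 PROTO=TCP SPT=1025 DPT=80 WINDOW=0 RES=0x00 RST URGP=0 ]
EOF
}

sample_log | summarize_drops
```

Because the LOG rule in the script is rate-limited with `--limit 30/minute`, the counts describe what was logged, not every packet that was dropped.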


