
Re: 'mirror' with iptables



thomas lakofski <thomas@88.net> writes:

> On Tue, 13 Nov 2001, phadell wrote:
> 
> > I would like to do a rule that mirrors the packets that come in from a
> > portscanner. The rule must return the packets to the source. If anyone
> > scans my machine's ports, the result will be the list of the source
> > address's open ports.
> 
> this will enable an attacker to bounce arbitrary packets off your machine
> to any target by spoofing source address -- probably not what you would
> want to happen...

Frying pan:

If done properly... it's a risk, but one that's assessable.

> if you want to stop portscans maybe portsentry would help you?

Fire:

If you use portsentry in dynamic mode, you're open to spoofed IP#s just as
much - someone making you block your nameserver or default route would be
favourite. (Not to mention, how do you get it to "protect" a server that's
already on a port...?)

If you want to stop port-scans, use a proper firewall with DENY (ipchains)
or DROP (iptables) by default. 

Use either snort or, at a push, portsentry, to spot incoming packets
matching signatures of known exploits, for `cool, I dropped the packet
anyway' factor.

~Tim
-- 
Move a mountain / Fill the ground           |piglet@stirfried.vegetable.org.uk
Take death on wheels / Re-create the land   |http://spodzone.org.uk/
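As an added illustration of the default-DROP firewall Tim recommends (example code written for this page, not from the thread, from Debian, or from iptables/portsentry/snort themselves): a POSIX shell script that emits an iptables-restore(8) ruleset whose INPUT and FORWARD policy is DROP, admits only the TCP ports you list, and logs, rate-limited, what it drops. The interface name eth0 and ports 22 and 80 are assumed placeholders, and the `-m state` match assumes the connection-tracking modules are loaded. It deliberately contains no `-j MIRROR`: a mirrored rule would answer to whatever source address a scanner wrote into the packet, which is exactly the bounce problem Thomas describes.

```shell
#!/bin/sh
# Added example, not from the original thread: build a default-DROP iptables
# ruleset in iptables-restore(8) format. Review it on stdout first, then load:
#     sh firewall.sh | iptables-restore
# iptables-restore applies the whole table atomically, so a typo cannot leave
# the host half-filtered. Interface "eth0" and ports 22/80 are assumptions.
#
# Absent on purpose: "-j MIRROR". Mirroring an incoming packet sends a reply to
# its *source address*, so a spoofed scan would make this host bounce packets
# at a third party. Policy DROP gives the scanner nothing instead.

default_drop_ruleset() {
    # $1 = Internet-facing interface; remaining args = TCP ports to open.
    iface=$1
    shift
    # Refuse anything that is not a plain port number before emitting rules;
    # a stray word here would otherwise be spliced into the ruleset verbatim.
    for p in "$@"; do
        case $p in
            ''|*[!0-9]*) echo "bad port: '$p'" >&2; return 1 ;;
        esac
    done

    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
EOF
    # One ACCEPT per published service; everything else falls to the DROP policy.
    for p in "$@"; do
        echo "-A INPUT -i $iface -p tcp --dport $p -m state --state NEW -j ACCEPT"
    done
    cat <<EOF
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT
-A INPUT -m limit --limit 10/min -j LOG --log-prefix "DROP: "
COMMIT
EOF
}

# Emit the ruleset when run directly; IFACE and PORTS may be overridden.
default_drop_ruleset "${IFACE:-eth0}" ${PORTS:-22 80}
```

The LOG rule is what gives the "cool, I dropped the packet anyway" view: the scanner's probes show up in the kernel log with the DROP: prefix while the DROP policy, not a reply, is what the scanner sees. Keep the limit match on it, or a fast scan fills the log instead of the screen.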


