sslug-teknik team mailing list archive
Message #01595
Re: SYN flood
Hi,
You also need to turn on Source Address Verification.
>>FROM IP_CHAINS_HOWTO:<<
5.7 How do I set up IP spoof protection?

IP spoofing is a technique where a host sends out packets which claim
to be from another host. Since packet filtering makes decisions based
on this source address, IP spoofing is used to fool packet filters. It
is also used to hide the identity of attackers using SYN attacks,
Teardrop, Ping of Death and the like (don't worry if you don't know
what they are).

The best way to protect from IP spoofing is called Source Address
Verification, and it is done by the routing code, and not firewalling
at all. Look for a file called /proc/sys/net/ipv4/conf/all/rp_filter.
If this exists, then turning on Source Address Verification at every
boot is the right solution for you. To do that, insert the following
lines somewhere in your init scripts, before any network interfaces are
initialized (e.g. Debian users would put them in /etc/init.d/netbase if
they are not already there):

# This is the best method: turn on Source Address Verification and get
# spoof protection on all current and future interfaces.
if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ]; then
    echo -n "Setting up IP spoofing protection..."
    # Enable reverse-path filtering for every entry, including all/ and default/
    for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
        echo 1 > "$f"
    done
    echo "done."
else
    echo "PROBLEMS SETTING UP IP SPOOFING PROTECTION. BE WORRIED."
    echo "CONTROL-D will exit from this shell and continue system startup."
    echo
    # Start a single user shell on the console
    /sbin/sulogin $CONSOLE
fi
>>FROM IP_CHAINS_HOWTO:<<
>In <Pine.OSF.3.95.990203092951.46R-100000@xxxxxxxxxx> Nikolaj Berntsen
><berntsen@xxxxxxxxxx> writes:
>
>>I seem to have a lot to distract me at the moment. My log files
>>contain the following:
>
>>Warning: possible SYN flood from 207.67.22.172 on 130.225.93.88:111.
>>Sending cookies.
>
>>I check the IP:
>
>It is rarely worth the effort. The address you get in the log is with
>99% certainty fake - SYN flooding can easily be carried out without
>using the real sender address.
>
>>I believe I asked for protection against some SYN thing in the kernel;
>>is that what saved me?
>
>Yes, the kernel can handle SYN flooding if it is configured for it.
>
>--
>Henrik Storner | "Software engineering is a race between engineers
><storner@xxxxxxxx> | who try to create foolproof software and the
> | universe which is trying to create bigger fools.
> | So far, the universe is winning..."
Best regards
Juri
Juri Jensen
--------------------------------------------------------
Macintosh/Linux installation & administration
Member of the world's largest Linux User Group: SSLUG (www.sslug.dk)
email: juri_j@xxxxxxxxxx/juri_j@xxxxxxxxx/lsys@xxxxxxxxxxxx
--------------------------------------------------------
"Open Source: It's all about making software that doesn't suck!!"
--- Eric Raymond
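
An audit counterpart to the init-script snippet quoted in the message above, as an added example that is not part of the original post or the HOWTO: it reports the effective rp_filter mode for each interface. It assumes current kernel semantics (the effective value is the larger of conf/all and the per-interface value; 0 is off, 1 strict, 2 loose); the function name rp_filter_audit and its optional directory argument are hypothetical.

```shell
#!/bin/sh
# Added example: audit Source Address Verification (rp_filter) per interface.
# Assumption: current-kernel semantics, where the effective value for an
# interface is max(conf/all/rp_filter, conf/<iface>/rp_filter) and
# 0 = off, 1 = strict, 2 = loose.

# rp_filter_audit [CONF_DIR]   (hypothetical helper name)
# Prints "<iface> <effective value> <mode>" for every interface.
# Returns 0 if all are strict, 1 if any is off or loose, 2 if unsupported.
rp_filter_audit() {
    conf_dir=${1:-/proc/sys/net/ipv4/conf}
    if [ ! -r "$conf_dir/all/rp_filter" ]; then
        echo "rp_filter not available under $conf_dir" >&2
        return 2
    fi
    all=$(cat "$conf_dir/all/rp_filter")
    bad=0
    for f in "$conf_dir"/*/rp_filter; do
        iface=$(basename "$(dirname "$f")")
        # all/ is folded into every result below; default/ only seeds the
        # value given to interfaces created later.
        case $iface in all|default) continue ;; esac
        val=$(cat "$f")
        # Effective setting is the larger of the global and per-interface value.
        if [ "$all" -gt "$val" ]; then eff=$all; else eff=$val; fi
        case $eff in
            1) mode=strict ;;
            2) mode=loose; bad=1 ;;
            *) mode=off; bad=1 ;;
        esac
        echo "$iface $eff $mode"
    done
    return $bad
}
```

Call rp_filter_audit with no argument to check the live system; pass a directory to check a copied or constructed conf tree.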