On Fri, 11 Oct 2002, Mark Ryan wrote: > Is there a way to prevent the following attack from happening again? > They icmp type-8 flooded me for hours. My iptables firewall script The best way to deal with a flood attack is to contact your upstream provider and have them filter and/or track back and filter the offender. Since it's an ICMP-based attack, spoofing the source is trivial, so routing paths are the way to figure out where it's coming from. Most providers have done this enough these days that they'll be able to handle it. > logged and logged but my connection went down for hours. Here is an > example from the log. > > Oct 10 23:15:58 dhcp-16-8 kernel: Netfilter: IN=eth0 OUT= > MAC=00:e0:29:6f:8c:b8:00:d0:ba:1e:6d:70:08:00 SRC=68.144.164.40 > DST=24.240.225.207 LEN=545 TOS=0x00 PREC=0x00 TTL=115 ID=1273 PROTO=ICMP > TYPE=8 CODE=0 ID=65039 SEQ=3088 You could try sending back an ICMP network unreachable, but likely the source is spoofed and the tool used doesn't care. > I am using redhat 7.2 on a P166 with 2 nic cards as a router. I am > running a iptables rules script that I found on the internet. Hopefully you understand the rules you found... Paul ----------------------------------------------------------------------------- Paul D. Robertson "My statements in this message are personal opinions probertsat_private which may have no basis whatsoever in fact." probertsonat_private Director of Risk Assessment TruSecure Corporation _______________________________________________ firewall-wizards mailing list firewall-wizardsat_private http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
This archive was generated by hypermail 2b30 : Fri Oct 11 2002 - 14:34:29 PDT