Re: fake ping reply

Ramin Dousti wrote:
On Tue, Sep 02, 2003 at 04:50:26PM +0300, I.S.Kuten wrote:

I wanted to set up iptables so that when someone pings my box, the echo-reply would come from a machine other than mine.

A very strange question. When the client sends you an echo-request, it expects to receive the echo-reply from the same IP address. If some other IP address sends the echo-reply, it will simply get dropped by the OS on the client, as there is no match for this bogus packet...

I don't think that's where he's going with this. This used to be a very cool feature that was removed about 2 years ago. :( :( :(


Here's the concept: let's say you've been allocated a class C legal address space and have 10 or so IP addresses that are not in use. What I used to do was reject echo-request packets going to those addresses with echo-replies, and reject all other echo-requests with a host-unreachable.

Now, "annoying script kiddie that could not hack their way out of a paper bag" comes along and ping sweeps your network. Only those 10 IP addresses respond, so they start attacking them.

Now, one of the things you need to do when reading your logs is filter out the script kiddies from the people you really need to worry about. Obviously someone who persists in attacking non-existent systems and can't tell the difference can be stopped with a simple ban rule.

Also, increasing the number of packets that an attacker throws at your network increases your chances of identifying them. Again, this rule was a good fit for that as well.

I have to say I'm a major iptables bigot. I've contributed to the project and talk it up big time in the SANS perimeter training. __The only thing__ that has ever really bummed me about the project was the removal of the echo-reply reject option.

</dismounting soap box>

;-)
C
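The decoy scheme described above, as an added example that is not code from this thread or from the netfilter project. Because the echo-reply reject option is gone, the decoys are instead bound to the firewall so the kernel answers them itself; the addresses (192.0.2.x, 203.0.113.x, 198.51.100.x), the interface eth0, the log prefix DECOY_PING and the function names gen_rules/decoy_hits are all constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread). Assumptions, all constructed: the
# firewall owns 192.0.2.0/24, 192.0.2.201-203 are unused decoys, eth0 is the
# outside interface. Echo-requests to a decoy are logged and answered; every
# other inbound echo-request is refused with host-unreachable, as in the post.

DECOYS="192.0.2.201 192.0.2.202 192.0.2.203"   # constructed sample decoys
IFACE="eth0"
DRY_RUN="${DRY_RUN:-1}"   # 1 = print the commands, 0 = run them (needs root)

run() {
  if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Build (or apply) the rule set. Decoy pings are rate-limited into the
# kernel log and accepted, so the kernel sends the echo-reply from that IP.
gen_rules() {
  for ip in $DECOYS; do
    run ip addr add "$ip/32" dev "$IFACE"
    run iptables -A INPUT -i "$IFACE" -p icmp --icmp-type echo-request -d "$ip" \
      -m limit --limit 5/min -j LOG --log-prefix "DECOY_PING: "
    run iptables -A INPUT -i "$IFACE" -p icmp --icmp-type echo-request -d "$ip" \
      -j ACCEPT
  done
  run iptables -A INPUT -i "$IFACE" -p icmp --icmp-type echo-request \
    -j REJECT --reject-with icmp-host-unreachable
}

# Read kernel log lines on stdin and list sources that pinged a decoy, most
# hits first: anyone persisting against non-existent hosts is a ban candidate.
decoy_hits() {
  grep 'DECOY_PING:' | sed -n 's/.*SRC=\([0-9.]*\).*/\1/p' | sort | uniq -c | sort -rn
}

# Constructed sample log lines in the layout the LOG target produces.
SAMPLE_LOG='kernel: DECOY_PING: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.201 PROTO=ICMP TYPE=8
kernel: DECOY_PING: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.202 PROTO=ICMP TYPE=8
kernel: DECOY_PING: IN=eth0 OUT= SRC=198.51.100.4 DST=192.0.2.203 PROTO=ICMP TYPE=8
kernel: ACCEPT: IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.10 PROTO=TCP DPT=22'

gen_rules
printf '%s\n' "$SAMPLE_LOG" | decoy_hits
```

With DRY_RUN=1 (the default) the script only prints the commands, so the rule set can be reviewed before it is applied.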