Re: How to stop the flood?


 



I really don't want them to do this and they are blocked as soon as
discovered.

All the clients are on DHCP IPs from 4 subnets of /24. Blocking them one by
one will eat up IPs.

Moreover they change the attacking src and dst ports, making it hard to
pinpoint them.

My real problem is to identify the culprits.
How can I differentiate genuine traffic from an infected attack? What should
I look for?

Regards,
Rikunj Patel


----- Original Message -----
From: "Dwayne Hottinger" <dhottinger@xxxxxxxxxxxxxxxxxxxxxx>
To: <netfilter@xxxxxxxxxxxxxxxxxxx>
Sent: Thursday, April 28, 2005 6:54 PM
Subject: RE: How to stop the flood?


> I'm confused.  Why would you allow someone on your network (subnet or net)
> to do such a thing?  Can't you just not give them access, either via dhcp or
> some other way.  Sounds almost like an issue for management, i.e. someone
> needs to start looking for employment elsewhere.
>
> ddh
>
> Quoting Rob Sterenborg <rob@xxxxxxxxxxxxxxx>:
>
> > netfilter-bounces@xxxxxxxxxxxxxxxxxxx <> scribbled on Thursday, 28 April
> > 2005 16:48:
> >
> > > Thank you for the reply.
> > >
> > > This was the log from one of my clients who was attacked from a client
> > > on another subnet.
> > >
> > > My network consists of clients from different subnets of /24.
> > >
> > > The attacks from one subnet travel through my linux router
> > > and hit the client on the other subnet.
> > >
> > > I tried a few rules as below but they seem not to be working.
> >
> > The script doesn't block any packets from 192.168.25.208.
> > If 192.168.25.208 isn't allowed passing your router, you should block it:
> >
> > $IPT -A FORWARD -s 192.168.25.208 [-d <destination_ip>] \
> >   -j [DROP|REJECT --reject-with-tcp-reset]
> >
> > Or something like that.
> >
> > The real solution is like Jason said : track down the person at
> > 192.168.25.208 and kick his/her ass !
> >
> >
> > Gr,
> > Rob
> >
> >
>
>
> --
> Dwayne Hottinger
> Network Administrator
> Harrisonburg City Public Schools
>

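Rikunj's open question above is how to tell a flooding client apart from a normal one when the source and destination ports keep changing. The following is an added example, not code from anyone in this thread: it profiles the per-source output of a netfilter LOG rule in the FORWARD chain (the "FWD:" prefix, the 192.168.26.x/192.168.27.x destinations and the thresholds are assumptions; the log lines are constructed to mimic the LOG target's format). A host that sprays many packets across many distinct destination ports stands out, whereas an ordinary client keeps hitting the same few service ports regardless of its ephemeral source port.

```python
import re
from collections import defaultdict

# key=value fields as written by the netfilter LOG target, e.g.
# "... SRC=192.168.25.208 DST=192.168.26.10 PROTO=TCP SPT=40003 DPT=135 ... SYN URGP=0"
FIELD_RE = re.compile(r"\b(SRC|DST|PROTO|SPT|DPT)=(\S+)")

def parse_log_line(line):
    """Return the fields of interest from one LOG line, or None if it is not one."""
    fields = dict(FIELD_RE.findall(line))
    if "SRC" not in fields or "DST" not in fields:
        return None
    return fields

def profile_sources(lines):
    """Aggregate packet count and distinct destinations/ports per source IP."""
    stats = defaultdict(lambda: {"packets": 0, "dsts": set(), "dpts": set(), "spts": set()})
    for line in lines:
        f = parse_log_line(line)
        if f is None:
            continue
        s = stats[f["SRC"]]
        s["packets"] += 1
        s["dsts"].add(f["DST"])
        s["dpts"].add(f.get("DPT"))
        s["spts"].add(f.get("SPT"))
    return stats

def flag_flooders(stats, min_packets=20, min_distinct_dports=10):
    """Sources that send many packets to many different destination ports.
    Rotating source ports does not hide this; the destination-port spread does it."""
    return sorted(src for src, s in stats.items()
                  if s["packets"] >= min_packets and len(s["dpts"]) >= min_distinct_dports)

def build_sample_lines():
    """Constructed sample in the LOG target's layout (not real router logs)."""
    tmpl = ("Apr 28 16:48:{sec:02d} router kernel: FWD: IN=eth0 OUT=eth1 "
            "SRC={src} DST={dst} LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF "
            "PROTO=TCP SPT={spt} DPT={dpt} WINDOW=5840 RES=0x00 SYN URGP=0")
    lines = []
    # Suspect host: 40 SYNs in one second, each to a new port from a new source port.
    for i in range(40):
        lines.append(tmpl.format(sec=1, src="192.168.25.208", dst="192.168.26.10",
                                 spt=40000 + i, dpt=1 + i))
    # Ordinary client: a handful of web connections spread over a minute.
    for i, dpt in enumerate([80, 443, 80, 443, 80]):
        lines.append(tmpl.format(sec=i * 10, src="192.168.25.50", dst="192.168.27.5",
                                 spt=3000 + i, dpt=dpt))
    return lines

if __name__ == "__main__":
    stats = profile_sources(build_sample_lines())
    for src in flag_flooders(stats):
        print(src, stats[src]["packets"], "packets,", len(stats[src]["dpts"]), "distinct dports")
```

Feed it the kernel log lines produced by a `-j LOG` rule on the FORWARD chain (before the DROP) and the flagged sources are the ones worth tracing back through the DHCP leases.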

