Re: How to stop the flood?

Taylor, Grant wrote:
Rikunj wrote:

Moreover they change the attacking src and dst ports making it hard to
pinpoint them.

Do they change the source and / or destination ports or IP addresses? Either way, you should be able to get the DHCP server to log what MAC has what IP address. As this would be an ongoing log, you could look back and see who had what IP at what time to find the MAC. With the known MAC of the attacker at any given time, you could then look in your log to see what IP is associated with that MAC at present. Thus you know what IP an attacker has presently, if it has changed from the prior IP. You could even temporarily block this IP from being able to do anything on the internet, thus provoking a call from them and making them stand out in the crowd.

If clients can change IPs on the fly, they can change MACs all the same. Of course, arranging DHCP on a per-client-based-on-MAC scheme will catch this behavior (which you more or less pointed out).


...One tip that I can give you would be to have rule like the following:

iptables -t filter -A FORWARD -p tcp --dport 143

You would want this rule, without a jump target (-j ...), to act as a counter to see if you have any traffic like this at all without interfering with the rest of your firewall. If you put such rules above any other rules that would affect the FORWARD chain, you will get a decent counter. I would be tempted to modify the rule slightly, as such:

iptables -t filter -A FORWARD -i $Client_1 -s $Client_1_Subnet -p tcp --dport 143

This will let you know how much traffic to port 143 (IMAP) Client #1 is sending.

So you chose IMAP merely as an example, meaning you'd do similarly for other services of interest, right? Good idea, thanks.


--
Kind regards,
Mogens Valentin
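The two checks discussed in this thread, the DHCP MAC/IP history and the target-less counter rules at the top of FORWARD, are easy to turn into a small script. The following is an added example, not code from the thread or from the netfilter project. It assumes ISC dhcpd-style DHCPACK syslog lines and the column layout of `iptables -t filter -vnxL FORWARD`; both sample inputs below are constructed, as are the interface names, subnets and counts.

```python
import re
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Constructed ISC dhcpd syslog lines (assumed format; syslog timestamps carry no year).
DHCP_LOG = """\
Mar  3 10:01:12 gw dhcpd: DHCPACK on 192.168.10.21 to 00:11:22:33:44:55 via eth1
Mar  3 10:05:40 gw dhcpd: DHCPACK on 192.168.10.22 to 00:11:22:33:44:55 via eth1
Mar  3 10:06:02 gw dhcpd: DHCPACK on 192.168.10.21 to aa:bb:cc:dd:ee:ff via eth1
"""

# Constructed output of `iptables -t filter -vnxL FORWARD`: two target-less counter
# rules (one per client interface/subnet, as suggested in the thread) above an
# ordinary ACCEPT rule, which the parser ignores.
COUNTERS = """\
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
    4821   289260            tcp  --  eth1   *       192.168.10.0/24      0.0.0.0/0            tcp dpt:143
      12      720            tcp  --  eth2   *       192.168.20.0/24      0.0.0.0/0            tcp dpt:143
      99     6000 ACCEPT     tcp  --  eth1   *       192.168.10.0/24      0.0.0.0/0            tcp dpt:443
"""

YEAR = 2024  # assumed year for the year-less syslog timestamps

_ACK_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d+ \d\d:\d\d:\d\d) \S+ dhcpd: "
    r"DHCPACK on (?P<ip>\d+\.\d+\.\d+\.\d+) to (?P<mac>(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2})"
)

def parse_dhcp_acks(log: str) -> List[Tuple[datetime, str, str]]:
    """Return (time, ip, mac) events, oldest first: the ongoing MAC<->IP history."""
    events = []
    for line in log.splitlines():
        m = _ACK_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{YEAR} {' '.join(m['ts'].split())}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["ip"], m["mac"].lower()))
    events.sort(key=lambda e: e[0])
    return events

def mac_for_ip_at(events, ip: str, when: datetime) -> Optional[str]:
    """Who had `ip` at time `when`: the latest DHCPACK for that IP at or before `when`."""
    mac = None
    for ts, ev_ip, ev_mac in events:
        if ts > when:
            break
        if ev_ip == ip:
            mac = ev_mac
    return mac

def current_ip_for_mac(events, mac: str) -> Optional[str]:
    """The IP most recently acknowledged to `mac`, i.e. where that client is now."""
    ip = None
    for _, ev_ip, ev_mac in events:
        if ev_mac == mac.lower():
            ip = ev_ip
    return ip

_PROTOS = {"all", "tcp", "udp", "udplite", "icmp", "icmpv6", "esp", "ah", "sctp"}

def parse_counter_rules(listing: str) -> List[Dict]:
    """Parse `iptables -vnxL` output and keep only the target-less counter rules."""
    rules = []
    for line in listing.splitlines():
        tok = line.split()
        if len(tok) < 8 or not tok[0].isdigit():
            continue  # chain header or column header
        # A rule with a jump target shows it in the third column; a counter rule has
        # no target there, so the protocol appears in that column instead.
        if tok[2] in _PROTOS or tok[2].isdigit():
            target, rest = None, tok[2:]
        else:
            target, rest = tok[2], tok[3:]
        if target is not None:
            continue
        prot, _opt, in_if, _out_if, src, _dst = rest[:6]
        dport = re.search(r"dpt:(\d+)", " ".join(rest[6:]))
        rules.append({"pkts": int(tok[0]), "bytes": int(tok[1]), "prot": prot,
                      "in": in_if, "src": src,
                      "dport": int(dport.group(1)) if dport else None})
    return rules

def noisy_clients(rules: List[Dict], min_pkts: int) -> List[Tuple[str, str, int, int]]:
    """(interface, subnet, dport, pkts) for every counter rule above the threshold."""
    return [(r["in"], r["src"], r["dport"], r["pkts"]) for r in rules if r["pkts"] >= min_pkts]

if __name__ == "__main__":
    events = parse_dhcp_acks(DHCP_LOG)
    seen_at = datetime(YEAR, 3, 3, 10, 3, 0)
    mac = mac_for_ip_at(events, "192.168.10.21", seen_at)
    print("192.168.10.21 at", seen_at, "was", mac, "-> now at", current_ip_for_mac(events, mac))
    for in_if, src, dport, pkts in noisy_clients(parse_counter_rules(COUNTERS), 1000):
        print(f"{src} via {in_if} sent {pkts} packets to port {dport}")
```

In practice the counter listing comes from `iptables -t filter -vnxL FORWARD` on the gateway (`-x` keeps exact packet counts instead of abbreviated ones), and the DHCP lines from the server's syslog; the rest is the same lookup the thread describes, taking the IP seen at the time of the flood back to a MAC and forward again to that client's present IP.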


