[...]
> > -----Original Message-----
> > From: netfilter-bounces@xxxxxxxxxxxxxxxxxxx
> > [mailto:netfilter-bounces@xxxxxxxxxxxxxxxxxxx] On Behalf Of
> > Michael D. Berger
> > Sent: Friday, December 23, 2005 3:50 PM
> > To: netfilter
> > Subject: DROP TCP output to HTTP attackers?
> >
> > Using -j QUEUE, I DROP http packets that I don't like, and I
> > DROP all subsequent packets from the offending ipAddress.
> > Using ethereal, I note that when I DROP, I send tcp FIN
> > packets. Therefore, I added -j QUEUE to the OUTPUT filter,
> > and I block all OUTPUT to the offending ipAddress, including
> > the tcp FIN packets, as confirmed with ethereal. I just
> > deployed this in the last 30 minutes. My preliminary
> > observation, thanks to an obliging attacker, is that I get
> > less follow-up junk with the OUTPUT filter blocked, although
> > there did appear to be a few anomalies, that I assume are due
> > to timing issues.
> > [...]
>
> My only comment would be that for proxy users (AOL, for instance) you
> may end up dropping legitimate traffic. The risk/reward of that is
> something you'll have to determine for yourself.
>
> Derick Anderson

I must admit that I have little knowledge of these proxies. I infer from what you say that different users might present the same peer IP address. Is this true? If so, perhaps I should set a time limit on the block.

With regard to blocking output in response to attacks, thereby blocking TCP FIN, are there any opinions on this?

Thanks for your help.

Mike.

--
Michael D. Berger
m.d.berger@xxxxxxxx
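The verdict logic the thread describes, with the time limit Mike is considering, as an added example that is not code from the thread or from netfilter: a userspace handler of the kind a -j QUEUE rule feeds decides ACCEPT or DROP per packet, blocks the peer address on INPUT and OUTPUT alike (so the host's own FIN toward the attacker is dropped too), and lets the block lapse after a TTL so a shared proxy address is not blocked forever. The packet layout, the `looks_hostile()` request-line check, the addresses and the sample traffic are all constructed here; the thread does not say what Mike actually matches on.

```python
# Added example, not code from the thread: verdict logic of the sort a
# -j QUEUE userspace handler would run, plus a time-limited block list.
# Packet layout, detector and sample traffic are all constructed.

ACCEPT = "ACCEPT"
DROP = "DROP"


class TimedBlockList:
    """Peer addresses blocked until a per-entry expiry time."""

    def __init__(self, ttl_seconds):
        self.ttl = ttl_seconds
        self._expiry = {}  # ip -> time at which the block lapses

    def block(self, ip, now):
        self._expiry[ip] = now + self.ttl

    def is_blocked(self, ip, now):
        exp = self._expiry.get(ip)
        if exp is None:
            return False
        if now >= exp:
            del self._expiry[ip]  # lapsed: a later proxy user gets through
            return False
        return True


def looks_hostile(payload):
    """Hypothetical request-line check (the thread does not say what is matched)."""
    request_line = payload.split(b"\r\n", 1)[0]
    return b"../" in request_line or b"cmd.exe" in request_line


def verdict(pkt, chain, blocklist, now):
    """Decide ACCEPT/DROP for one queued packet on INPUT or OUTPUT.

    pkt is a dict: src, dst, dport, flags (set of str), payload (bytes).
    On INPUT the peer is the source; on OUTPUT it is the destination, so
    the host's own FIN/RST toward a blocked peer is dropped as well.
    """
    peer = pkt["src"] if chain == "INPUT" else pkt["dst"]
    if blocklist.is_blocked(peer, now):
        return DROP
    if chain == "INPUT" and pkt["dport"] == 80 and looks_hostile(pkt["payload"]):
        blocklist.block(pkt["src"], now)  # block every later packet from this peer
        return DROP
    return ACCEPT


def run_sample(ttl=600):
    """Replay constructed traffic and return the verdict for each packet."""
    attacker = "198.51.100.7"  # documentation-range addresses, constructed
    other = "203.0.113.5"
    me = "192.0.2.10"
    hostile = b"GET /scripts/..%255c../winnt/system32/cmd.exe HTTP/1.0\r\n\r\n"
    benign = b"GET /index.html HTTP/1.1\r\nHost: example\r\n\r\n"
    trace = [
        # (time in seconds, chain, packet)
        (0, "INPUT", dict(src=attacker, dst=me, dport=80, flags={"PSH", "ACK"}, payload=hostile)),
        (0, "OUTPUT", dict(src=me, dst=attacker, dport=4242, flags={"FIN", "ACK"}, payload=b"")),
        (10, "INPUT", dict(src=attacker, dst=me, dport=80, flags={"PSH", "ACK"}, payload=benign)),
        (10, "INPUT", dict(src=other, dst=me, dport=80, flags={"PSH", "ACK"}, payload=benign)),
        (ttl + 1, "INPUT", dict(src=attacker, dst=me, dport=80, flags={"PSH", "ACK"}, payload=benign)),
    ]
    bl = TimedBlockList(ttl)
    return [verdict(pkt, chain, bl, t) for t, chain, pkt in trace]


if __name__ == "__main__":
    for v in run_sample():
        print(v)
```

Two practical notes. The time-limited part can also be done in-kernel without a userspace handler, with netfilter's `recent` match: `-m recent --name attackers --set` on the rule that catches the bad request, then `-m recent --name attackers --rcheck --seconds 600 -j DROP` on INPUT (and the same with `--rdest` on OUTPUT, so the destination address is checked there). And dropping the outbound FIN rather than letting a close or reset reach the peer means the remote stack never learns the connection is gone; it keeps it half-open and retransmits until its own timers expire, which is the sort of follow-up traffic a silent drop trades for.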