RE: DROP TCP output to HTTP attackers?

> -----Original Message-----
> From: netfilter-bounces@xxxxxxxxxxxxxxxxxxx
> [mailto:netfilter-bounces@xxxxxxxxxxxxxxxxxxx] On Behalf Of
> Michael D. Berger
> Sent: Friday, December 23, 2005 3:50 PM
> To: netfilter
> Subject: DROP TCP output to HTTP attackers?
>
> Using -j QUEUE, I DROP http packets that I don't like, and I
> DROP all subsequent packets from the offending ipAddress.
> Using ethereal, I note that when I DROP, I send tcp FIN
> packets.  Therefore, I added -j QUEUE to the OUTPUT filter,
> and I block all OUTPUT to the offending ipAddress, including
> the tcp FIN packets, as confirmed with ethereal.  I just
> deployed this in the last 30 minutes.  My preliminary
> observation, thanks to an obliging attacker, is that I get
> less follow-up junk with the OUTPUT filter blocked, although
> there did appear to be a few anomalies, that I assume are due
> to timing issues.
>
> Any opinions on this procedure?

Hmmmm. I DROP everything that is suspicious and follow up with a block
on that IP afterward and have never noticed any packets going out with
the DROP.
