Howto match the 3rd packet in the 3way handshake

Dear All,

The situation is the following: We have two hosts A and B. A sends B a SYN packet with a spoofed IP address; since the source IP is spoofed, B will not receive the 2nd packet of the handshake, but is able to send back the 3rd: an ACK packet with an invalid acknowledgement number. How is it possible to distinguish connections in which the source IP is spoofed in this way?

1. A ->B : SYN(IP_X, seq(A))
2. B ->A : SYN_ACK(IP_X, ack(A), seq(B))
3. A ->B : ACK(IP_X, seq(A+1), ack(Y))

How is it possible to match the 3rd packet if Y=A+1, and Y!=A+1?

I would like to use this for the following. Let us assume that port 222 is a normally closed port, and B executed a port scan on that port.

iptables -A INPUT -p tcp --dport 222 -m <connections in which source IP can be spoofed> -j DROP
iptables -A INPUT -p tcp --dport 222 <execute site wide preventive actions against the IP address: iptables -I INPUT -s THISSRC -j DROP>

Thanks Denes

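The check the post is asking for, as an added example that is not part of the original message or of netfilter itself: a small userspace tracker that follows the three-way handshake per flow and classifies the 3rd packet by whether its acknowledgement number equals the server's ISN + 1 (modulo 2^32). A sender whose source address was spoofed never received the SYN-ACK, so it cannot know seq(B) and its ACK carries a bogus number. Packet fields are plain records constructed inline (not a real capture); the class and function names are this example's own, and the addresses and sequence numbers are assumptions.

```python
"""Classify the third packet of a TCP handshake by its ack number.

Added example, not code from the original post.  Segments are constructed
records; with a pcap reader or scapy they would be filled from real traffic.
"""
from dataclasses import dataclass

SYN = 0x02
ACK = 0x10
MOD = 1 << 32  # TCP sequence space wraps at 2^32


@dataclass(frozen=True)
class Seg:
    src: str
    sport: int
    dst: str
    dport: int
    flags: int
    seq: int
    ack: int


class HandshakeTracker:
    """Per-flow handshake state, keyed on the client's 4-tuple (A -> B)."""

    def __init__(self):
        self.flows = {}  # (client, cport, server, sport) -> state dict

    def observe(self, s: Seg) -> str:
        fwd = (s.src, s.sport, s.dst, s.dport)
        rev = (s.dst, s.dport, s.src, s.sport)
        is_syn = bool(s.flags & SYN)
        is_ack = bool(s.flags & ACK)

        if is_syn and not is_ack:  # 1. A -> B : SYN(seq(A))
            self.flows[fwd] = {"state": "SYN_SENT", "isn_a": s.seq}
            return "SYN"

        if is_syn and is_ack:  # 2. B -> A : SYN-ACK(ack(A+1), seq(B))
            f = self.flows.get(rev)
            if f and f["state"] == "SYN_SENT" and s.ack == (f["isn_a"] + 1) % MOD:
                f.update(state="SYN_RECV", isn_b=s.seq)
                return "SYN_ACK"
            return "INVALID"

        if is_ack and not is_syn:  # 3. A -> B : ACK(seq(A+1), ack(Y))
            f = self.flows.get(fwd)
            if not f or f["state"] != "SYN_RECV":
                return "UNTRACKED"
            want_ack = (f["isn_b"] + 1) % MOD
            want_seq = (f["isn_a"] + 1) % MOD
            if s.ack == want_ack and s.seq == want_seq:
                f["state"] = "ESTABLISHED"
                return "ESTABLISHED"
            # Y != seq(B)+1: the sender never saw the SYN-ACK, which is
            # exactly what a spoofed source address looks like from B.
            f["state"] = "BOGUS_ACK"
            return "SPOOFED_ACK"
        return "IGNORED"


def classify(segments):
    """Run all segments through one tracker and return one verdict per segment."""
    t = HandshakeTracker()
    return [t.observe(s) for s in segments]


# Constructed sample traffic (assumed addresses).  Server B = 10.0.0.2:222.
ISN_A, ISN_B = 1000, 5000
LEGIT = [
    Seg("10.0.0.1", 40000, "10.0.0.2", 222, SYN, ISN_A, 0),
    Seg("10.0.0.2", 222, "10.0.0.1", 40000, SYN | ACK, ISN_B, ISN_A + 1),
    Seg("10.0.0.1", 40000, "10.0.0.2", 222, ACK, ISN_A + 1, ISN_B + 1),
]
# Same exchange, but the "client" never received the SYN-ACK and guesses Y.
SPOOFED = [
    Seg("192.0.2.7", 40001, "10.0.0.2", 222, SYN, ISN_A, 0),
    Seg("10.0.0.2", 222, "192.0.2.7", 40001, SYN | ACK, ISN_B, ISN_A + 1),
    Seg("192.0.2.7", 40001, "10.0.0.2", 222, ACK, ISN_A + 1, 12345),
]

if __name__ == "__main__":
    print("legit  :", classify(LEGIT))
    print("spoofed:", classify(SPOOFED))
```

The comparison is done modulo 2^32 so a server ISN near the top of the sequence space does not produce a false "spoofed" verdict. Plain iptables match extensions cannot compare sequence numbers across packets; the kernel's conntrack TCP window tracking performs a related (window-tolerant rather than exact) check and, with the default nf_conntrack_tcp_be_liberal=0, marks segments that fail it as INVALID, which is what a -m conntrack --ctstate INVALID rule would see.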