On 28.02.2010 12:03, netfilter-owner@xxxxxxxxxxxxxxx wrote: > Mart Frauenlob wrote: >> On 28.02.2010 10:58, netfilter-owner@xxxxxxxxxxxxxxx wrote: >> >>> Dear All, >>> >>> The situation is the following: We have two host A and B, A sends B a >>> SYN packet with a spoofed IP address, >>> since the source IP is spoofed B will not receive the 2. packet of the >>> handshake, but is able >>> >> >> it think you mean A? >> > yes sorry typo >>> to send back the 3rd: an ACK packet with an invalid acknowledgement >>> number. How is it >>> possible distinguish connections in which the source IP is spoofed in >>> this way. >>> >>> 1. A ->B : SYN(IP_X, seq(A)) >>> 2. B ->A : SYN_ACK(IP_X, ack(A), seq(B)) >>> 3. A ->B : ACK(IP_X. seq(A+1), ack(Y)) >>> >>> How is it possible to match the 3rd packet if Y=A+1, and Y!=A+1? >>> >>> I would like to use this for the following. Let us assume that port 222 >>> is a normally closed port, and >>> B executed a port scan on that port. >>> >>> iptables -A INPUT -p tcp --dport 222 -match <connections in which source >>> IP can be spoofed> -g DROP >>> iptables -A INPUT -p tcp --dport 222 <execute site wide preventive >>> actions against the IP address: iptables -I INPUT -src THISSRC -j DROP> >>> >>> Thanks Denes >>> >> >> >> I do not think it is possible to match on spoofed IP addresses. >> But I think you could construct something that matches those hosts which >> sent a SYN and continue with INVALID state traffic. >> >> 1: put tcp syn into a recent set. >> 2: match for hosts in the set with state INVALID. >> >> Questioning it all: >> A simple -m state --state INVALID -j DROP should silently discard all >> those. > Dear All > > This is a good idea, > > "But I think you could construct something that matches those hosts which > sent a SYN and continue with INVALID state traffic. > > 1: put tcp syn into a recent set. > 2: match for hosts in the set with state INVALID." > > , but the real question is what does INVALID mean, because if it will > also match case where Y!=A+1, than it will allow an attacker to > perform a DoS by easily spoofing valid IP addresses, which will get > dropped (sitewide) > Without being an expert here, imho: If there's no existing valid connection from the spoofed ip, what does it matter? If there is, only those packets will be recognized as INVALID and therefor dropped. It does not mean an existing connection marked as ESTABLISHED would be closed from the conntrack side. Anyone please correct me if I'm wrong. But yes good question, 'what does state INVALID exactly mean?' There's not much documentation about it afaik. But i think you could say: Everything that is not state NEW, ESTABLISHED, RELATED (those last 2 must be valid traffic (i.e. tcp with no anomalies)), or UNTRACKED (set by the NOTRACK target in the raw table). Best regards Mart -- To unsubscribe from this list: send the line "unsubscribe netfilter" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
