"Reinder P. Gerritsen" wrote:
> I've been trying to get around this problem for quite some time. Still
> though I cannot figure out what to do:
>
> The following is happening:
>
> Some unknown source is sending SYN packets to port 80 on my Linux box.
> These SYN packets have their sender address altered.
<..snip..>
If it can help here or in other situations, here are my /proc settings. Among others, tcp_max_syn_backlog might be useful...
------------
LOCALPORTRANGE="56000:65096"

# Disable forwarding while setting up rules (needed for masquerading):
echo "0" >/proc/sys/net/ipv4/ip_forward
# echo "1" >/proc/sys/net/ipv4/ip_forward

# Enable SYN cookies (prevent SYN-flood attacks from exhausting the backlog):
echo "1" >/proc/sys/net/ipv4/tcp_syncookies

# Enlarge the SYN backlog (queue of half-open connections) so it absorbs more of a SYN flood:
echo "1024" >/proc/sys/net/ipv4/tcp_max_syn_backlog

# Disable ICMP echo-request to broadcast addresses (Smurf amplifier):
echo "1" >/proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

# Disable ICMP echo-request altogether (use only if DOS'ed):
#echo "1" >/proc/sys/net/ipv4/icmp_echo_ignore_all

# Ignore bogus ICMP error responses (avoids log noise from broken routers):
echo "1" >/proc/sys/net/ipv4/icmp_ignore_bogus_error_responses

# Protect against TIME-WAIT assassination hazards in TCP (RFC 1337):
echo "1" >/proc/sys/net/ipv4/tcp_rfc1337

# Source routing and spoofing, applied to every interface entry under conf/:
for i in /proc/sys/net/ipv4/conf/*; do
    # Drop all source-routed packets:
    echo "0" >"$i/accept_source_route"
    # Deactivate ICMP redirect accept/send:
    echo "0" >"$i/accept_redirects"
    echo "0" >"$i/send_redirects"
    # Accept ICMP redirects only from gateways in the default gateway list (on by default;
    # moot while accept_redirects is 0):
    echo "1" >"$i/secure_redirects"
    # Enable source-address verification / reverse-path filtering (prevent spoofing):
    echo "1" >"$i/rp_filter"
done

# Log spoofed, source-routed and redirect packets:
echo "1" >/proc/sys/net/ipv4/conf/all/log_martians

# Set local port range for listeners (ftp et al...)
# Connections initiated from the firewall: Range 56000-60999
# Masqueraded connections: Range 61000-65096.
# So, we combine these two ranges into one:
#echo "56000 65096" >/proc/sys/net/ipv4/ip_local_port_range
echo "$LOCALPORTRANGE" | sed 's/:/ /' >/proc/sys/net/ipv4/ip_local_port_range
------------
Note: Using the var LOCALPORTRANGE throughout my script is more practical than hardcoding the range, which could be subject to change.
--
Kind regards / venlig hilsen,
Mogens Valentin, Mr Dev IT
Networking, Security, Server Setup
http://www.mrdev.com
[EMAIL PROTECTED]
Phone +45 32 525 878
Cell 51 227 668
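A way to verify that the settings from the message above actually took effect, as an added example that is not part of the original thread: a small audit script that reads the /proc/sys/net/ipv4 files and reports any that differ from the values the posted script writes. The expected values are taken from that script; the `root` parameter, the `build_fake_proc` helper and the fake /proc tree it creates are my own additions so the check can be exercised offline against a constructed directory instead of a live kernel. Note that the comparison is exact, so a host using loose reverse-path filtering (rp_filter=2) would be flagged as well.

```python
"""Audit Linux /proc/sys/net/ipv4 hardening values (added example, not from the mail)."""
import glob
import os
import tempfile

# Expected values, mirroring the settings in the posted script.
EXPECTED_GLOBAL = {
    "tcp_syncookies": "1",
    "tcp_max_syn_backlog": "1024",
    "icmp_echo_ignore_broadcasts": "1",
    "icmp_ignore_bogus_error_responses": "1",
    "tcp_rfc1337": "1",
    "conf/all/log_martians": "1",
}
# Per-interface values the script writes under conf/<iface>/.
EXPECTED_PER_IFACE = {
    "accept_source_route": "0",
    "accept_redirects": "0",
    "send_redirects": "0",
    "secure_redirects": "1",
    "rp_filter": "1",
}


def read_setting(root, rel):
    """Return the trimmed contents of <root>/proc/sys/net/ipv4/<rel>, or None if unreadable."""
    path = os.path.join(root, "proc/sys/net/ipv4", rel)
    try:
        with open(path) as fh:
            return fh.read().strip()
    except OSError:
        return None


def audit(root="/"):
    """Return a list of (setting, expected, actual) mismatches; a missing file shows actual=None."""
    findings = []
    for rel, want in EXPECTED_GLOBAL.items():
        got = read_setting(root, rel)
        if got != want:
            findings.append((rel, want, got))
    conf_dir = os.path.join(root, "proc/sys/net/ipv4/conf")
    # Walk every interface entry, just as the script's for-loop does.
    for iface in sorted(glob.glob(os.path.join(conf_dir, "*"))):
        name = os.path.basename(iface)
        for key, want in EXPECTED_PER_IFACE.items():
            rel = "conf/%s/%s" % (name, key)
            got = read_setting(root, rel)
            if got != want:
                findings.append((rel, want, got))
    return findings


def port_range_ok(root="/", low=56000, high=65096):
    """True if ip_local_port_range holds exactly the two-number range the script sets."""
    got = read_setting(root, "ip_local_port_range")
    if got is None:
        return False
    return got.split() == [str(low), str(high)]


def build_fake_proc(settings):
    """Create a constructed, throwaway /proc tree (for testing only) and return its root."""
    root = tempfile.mkdtemp(prefix="fakeproc-")
    for rel, val in settings.items():
        path = os.path.join(root, "proc/sys/net/ipv4", rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(val + "\n")
    return root


if __name__ == "__main__":
    # On a real host run as root: python3 audit_ipv4.py
    for setting, want, got in audit("/"):
        print("MISMATCH %-40s expected %s got %s" % (setting, want, got))
    print("port range ok:", port_range_ok("/"))
```

Run it after the script has been applied (or from cron) and treat any printed MISMATCH line as drift to investigate; an empty report means every value the script writes is still in place.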