On Sun, Jan 01, 2006 at 11:06:18AM -0500, Michael Starks wrote:

> If the attacker uses a spoofed source IP of localhost, the server's IP,
> a configured DNS server, the Zap2it web site(s) or some other needed IP,
> that would be an effective DoS. If the intent is a DoS of some sort
> rather than an interactive login, the reply to the SSH SYN is not
> necessary. Are there any provisions in these tools to protect against
> these types of spoofing attacks?
Protection from martians is built into the Linux TCP/IP stack. This would protect you from someone trying to spoof localhost or a private network address. The localhost packets are dropped if they arrive on *any* interface other than lo, and packets claiming to be from a private address are filtered by input interface and then MAC validated.

The box is still vulnerable if the private address spoofing is done on a valid remote subnet and passed by a deficient router, but that's an organizational or procurement problem. Any commercial device should block private source addresses arriving on the WAN port, so if you have a Linksys-type device between your Linux box and the internet you should be safe from local address spoofing.

Most remote address spoofing won't work because the reply packets would go to the wrong address and would be dropped because there is no established connection.

Having said all that, I would point out that the tools we are discussing are designed to block repeated attempts to validate a name/password combo. They won't pay any attention to connections that are aborted prior to the validation attempt. If you're the victim of a syn-flood then there are other (more appropriate) solutions.

The fail2ban rules also apply on a port-by-port basis, so if your DNS server started making login attempts on your box then those login ports would be blocked but the DNS packets would still get through. Of course, if someone hacks your up-stream DNS then you have bigger problems than blocking ssh access as they could send you false DNS replies for your internet banking site, for example.... That's *way* off-topic. :-)

-- 
"When fascism comes to America, it will be wrapped in the flag and carrying the cross." - Sinclair Lewis (1935)
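The two properties the reply describes (only failed name/password validations count, and a ban applies to the service port rather than the whole host) can be illustrated with a small fail2ban-style scanner. This is an added example, not fail2ban's own code or filter; the log lines are constructed in the OpenSSH message format, and the regex and the maxretry of 3 are assumptions.

```python
import re
from collections import Counter

# Constructed sample auth log (not from the original message). 198.51.100.7
# fails password validation three times, 203.0.113.9 only opens and aborts
# connections before validation, 192.0.2.53 fails once.
SAMPLE_LOG = """\
Jan  1 11:00:01 myth sshd[1201]: Failed password for root from 198.51.100.7 port 51001 ssh2
Jan  1 11:00:03 myth sshd[1202]: Failed password for invalid user admin from 198.51.100.7 port 51002 ssh2
Jan  1 11:00:05 myth sshd[1203]: Failed password for root from 198.51.100.7 port 51003 ssh2
Jan  1 11:00:07 myth sshd[1204]: Connection closed by 203.0.113.9 port 40001
Jan  1 11:00:08 myth sshd[1205]: Connection closed by 203.0.113.9 port 40002
Jan  1 11:00:09 myth sshd[1206]: Connection closed by 203.0.113.9 port 40003
Jan  1 11:00:10 myth sshd[1207]: Failed password for root from 192.0.2.53 port 33001 ssh2
"""

# Assumed pattern: only a failed password validation is a "failure"; a
# connection that is opened and dropped before validation never matches.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for .* from (\d+\.\d+\.\d+\.\d+) port \d+"
)


def failed_attempts(log_text):
    """Count password-validation failures per source address."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            counts[m.group(1)] += 1
    return counts


def banned_sources(log_text, maxretry=3):
    """Addresses that reached maxretry failed validations."""
    return {ip for ip, n in failed_attempts(log_text).items() if n >= maxretry}


def ban_rules(log_text, maxretry=3, port=22):
    """iptables-style DROP rules, restricted to the login port only."""
    return [f"iptables -I INPUT -s {ip} -p tcp --dport {port} -j DROP"
            for ip in sorted(banned_sources(log_text, maxretry))]


def would_drop(ip, dport, banned, banned_port=22):
    """A banned source is blocked on the login port but still reaches other ports (e.g. DNS on 53)."""
    return ip in banned and dport == banned_port
```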
_______________________________________________ mythtv-users mailing list [email protected] http://mythtv.org/cgi-bin/mailman/listinfo/mythtv-users
