[ale] protection from TCP DOS attacks

Ryan Bridges reb at techie.com
Mon Jun 7 09:02:44 EDT 1999


You may also want to try putting a line in your /etc/hosts.deny file.  I
believe you can use this to block any connection from a specific host or
domain.  On second thought, I don't think that would apply to pings...
Let me think of something else...  You could make ipchains drop all
packets from that host...  That would work.

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
RyanBridges                            If you produce a more idiot-proof     
ryan at linuxgeneralstore.com             piece of software, the gene-pool
				       Will produce a better idiot.  --
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

On Sat, 5 Jun 1999, Nick Lucent wrote:

> On Sat, 5 Jun 1999, Joe Bayes wrote:
> 
> > 
> > 
> > I have five machines connected directly to an ISP (no firewall)
> > through a DSL line. I suspect that I'm being attacked, probably by
> > ping flood or something, from a specific site from time to time, but I
> > haven't been able to get any concrete evidence. I am running RH6, with
> > tcp wrappers installed and tcp syncookies enabled.
> > 
> > 1) Is there any attack other than a ping flood which would cause this,
> >    but would leave no trace in /var/log/messages?
> 
> there is a bunch of them depending on what kernel version you are running.
> go to www.rootshell.com
> 
> > 2) Is it possible to turn off a specific site's ability to ping my
> >    machine, short of my calling up my ISP and having them reconfigure
> >    their router? I can't seem to find a daemon or an entry in
> >    inetd.conf...what is it that takes care of responding to pings?
> >    Rootshell.com simply suggests reconfiguring your router to drop all
> >    packets from that address, but I would rather take care of it on my
> >    own if possible. 
> 
> you can drop the route with ipchains or ipfwadm.
> 
> > 3) Failing the above, is there some way to log these attacks, so I can
> >    be sure that they're actually happening and aren't just somebody
> >    ftping a large file somewhere?
> 
> you can get the tcp daemons, they log everything by IP, but if they are
> locking up your machine it probably won't get logged (because the machine's
> locked up =)
> 
> Nick
> 
> > 
> > Information or pointers to information would be welcome. Thanks.
> > 
> > --joe
> > 
> 
> 
> ...Buzz Lukens took that fateful step...
>                 -- Vice President Dan Quayle confusing the sexual
>                    assaulter/congressman with Astronaut Buzz Aldren.
>  
> Ok, I won't open it until then
>                 -- Vice President Dan Quayle after having been 
>                    presented with an empty box that was to contain 
>                    a gift from a sailing team in South America. 
>                    He was told that the gift was not ready yet, 
>                    but that it would be presented to him when they 
>                    arrived in the United States. 
> 
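
Added example, not part of the thread: question 3 asks how to confirm a suspected ping flood, and an ipchains rule given the -l flag logs each packet it matches. The sketch below assumes such a rule is already logging ICMP and that the kernel lines follow the "Packet log:" layout shown in the IPCHAINS-HOWTO; the sample lines, addresses and per-second threshold are constructed.

```python
import re
from collections import Counter

# Constructed sample of kernel lines as written for ipchains rules with -l.
# Addresses are documentation ranges, not taken from the thread.
SAMPLE_LOG = """\
Jun  7 09:01:10 host kernel: Packet log: input DENY eth0 PROTO=1 192.0.2.10:8 198.51.100.5:0 L=84 S=0x00 I=4101 F=0x0000 T=52
Jun  7 09:01:10 host kernel: Packet log: input DENY eth0 PROTO=1 192.0.2.10:8 198.51.100.5:0 L=84 S=0x00 I=4102 F=0x0000 T=52
Jun  7 09:01:10 host kernel: Packet log: input DENY eth0 PROTO=1 192.0.2.10:8 198.51.100.5:0 L=84 S=0x00 I=4103 F=0x0000 T=52
Jun  7 09:01:10 host kernel: Packet log: input DENY eth0 PROTO=1 192.0.2.10:8 198.51.100.5:0 L=84 S=0x00 I=4104 F=0x0000 T=52
Jun  7 09:01:10 host kernel: Packet log: input DENY eth0 PROTO=1 203.0.113.7:8 198.51.100.5:0 L=84 S=0x00 I=77 F=0x0000 T=60
Jun  7 09:01:10 host kernel: Packet log: input ACCEPT eth0 PROTO=6 192.0.2.10:20 198.51.100.5:1025 L=1500 S=0x08 I=900 F=0x4000 T=52
Jun  7 09:01:11 host kernel: Packet log: input DENY eth0 PROTO=1 192.0.2.10:8 198.51.100.5:0 L=84 S=0x00 I=4105 F=0x0000 T=52
Jun  7 09:01:11 host kernel: Packet log: input ACCEPT eth0 PROTO=1 203.0.113.7:0 198.51.100.5:0 L=84 S=0x00 I=78 F=0x0000 T=60
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ kernel: Packet log: "
    r"(?P<chain>\S+) (?P<action>\S+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) L=(?P<len>\d+)"
)


def echo_requests(lines):
    """Yield (timestamp, source, length) for each logged ICMP echo request."""
    for line in lines:
        m = LINE_RE.match(line)
        # PROTO=1 is ICMP; on ICMP lines the two "port" fields hold the
        # ICMP type and code, and type 8 is an echo request (a ping).
        if m and m["proto"] == "1" and m["sport"] == "8":
            yield m["ts"], m["src"], int(m["len"])


def flood_suspects(lines, per_second=3):
    """Return {source: peak echo requests seen in one second} at or above the threshold."""
    buckets = Counter((src, ts) for ts, src, _ in echo_requests(lines))
    peaks = {}
    for (src, _), count in buckets.items():
        peaks[src] = max(peaks.get(src, 0), count)
    return {src: n for src, n in peaks.items() if n >= per_second}


if __name__ == "__main__":
    for src, peak in flood_suspects(SAMPLE_LOG.splitlines()).items():
        print(f"{src}: up to {peak} echo requests per second")
```

The TCP line (PROTO=6, source port 20) stands in for the large FTP transfer mentioned in the question; it is ignored because only ICMP type 8 is counted.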





