Hi,

Thanks to Boris I have the return-rst for the blockage of the IP block. Can this be used to lower the tcpspam caused by CodeRED since I am _not_ _running_ a publicly available http server and thought of applying this concept to the port 80 requests

-- Togan Muftuoglu
Hi,

On 07-Aug-01 Togan Muftuoglu wrote:
> Hi,
>
> Thanks to Boris I have the return-rst for the blockage of the IP block. Can this be used to lower the tcpspam caused by CodeRED since I am _not_ _running_ a publicly available http server and thought of applying this concept to the port 80 requests

Of course you could. If you do not run a public web server you just have to block access from the entire outside world (read: connections which are flowing in on the "world device" of your firewall/webserver), thus eliminating any way for an attacker to flood your httpd log files with requests for default.ida's. return-rst would then lower the impact of such attacks on your bandwidth if used together with the block of port 80. However, make sure you insert some ipchains input-accept lines for your internal network before blocking the outside world if you want your internal clients to be able to use our internal web server.

> -- Togan Muftuoglu
---
Boris Lorenz
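
The reply above mentions httpd log files being flooded with requests for default.ida. As an added example that is not part of the original thread, this Python script counts those requests per source in an access log and separates outside sources from internal ones. It assumes Common Log Format and a hypothetical internal network of 192.168.1.0/24; the log lines are constructed.

```python
import ipaddress
import re
from collections import Counter

# Common Log Format: host ident user [time] "METHOD target PROTO" status size
CLF = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "\S+ (\S+)[^"]*" \d{3} \S+')

# Assumption: the internal network; adjust to your own addressing.
INTERNAL_NET = ipaddress.ip_network("192.168.1.0/24")

# Constructed sample lines (documentation addresses, placeholder query string).
SAMPLE_LOG = """\
192.0.2.10 - - [07/Aug/2001:10:01:02 +0200] "GET /default.ida?XXXX HTTP/1.0" 404 276
192.0.2.10 - - [07/Aug/2001:10:04:40 +0200] "GET /default.ida?XXXX HTTP/1.0" 404 276
198.51.100.7 - - [07/Aug/2001:10:05:13 +0200] "GET /DEFAULT.IDA?XXXX HTTP/1.0" 404 276
192.168.1.20 - - [07/Aug/2001:10:06:00 +0200] "GET /index.html HTTP/1.0" 200 1043
192.168.1.30 - - [07/Aug/2001:10:06:45 +0200] "GET /default.ida?XXXX HTTP/1.0" 404 276
203.0.113.5 - - [07/Aug/2001:10:07:31 +0200] "GET /docs/default.ida.html HTTP/1.0" 404 280
this line is not in Common Log Format
"""

def ida_probes(lines):
    """Count requests whose path is default.ida, per source host."""
    hits = Counter()
    for line in lines:
        m = CLF.match(line)
        if not m:
            continue  # skip lines that do not parse
        host, target = m.groups()
        path = target.split("?", 1)[0].lower()
        if path.endswith("/default.ida"):
            hits[host] += 1
    return hits

def split_by_network(hits, internal=INTERNAL_NET):
    """Split probing hosts into (outside, inside), busiest first."""
    outside, inside = [], []
    for host, count in hits.most_common():
        try:
            is_inside = ipaddress.ip_address(host) in internal
        except ValueError:
            is_inside = False  # resolved hostname: treat as outside
        (inside if is_inside else outside).append((host, count))
    return outside, inside

if __name__ == "__main__":
    outside, inside = split_by_network(ida_probes(SAMPLE_LOG.splitlines()))
    print("outside sources (stopped by a port 80 block on the world device):", outside)
    print("inside sources (not affected by that block):", inside)
```
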
Check out hogwash:

http://sourceforge.net/projects/hogwash/
http://hogwash.sourceforge.net/

It uses snort's intrusion detection to decide what packets to scrub out of your traffic. These guys took an unpatched stock roothat 6.2 install and put hogwash on it, dropped it in the capture the flag network at defcon, and it came back untouched.

Robert Simmons
Systems Administrator
http://www.wlcg.com/

On Tue, 7 Aug 2001, Togan Muftuoglu wrote:
> Hi,
>
> Thanks to Boris I have the return-rst for the blockage of the IP block. Can this be used to lower the tcpspam caused by CodeRED since I am _not_ _running_ a publicly available http server and thought of applying this concept to the port 80 requests
>
> -- Togan Muftuoglu
* Rob Simmons;
> Check out hogwash:
>
> http://sourceforge.net/projects/hogwash/
> http://hogwash.sourceforge.net/

I just found that while reading the snort-users maillist, and after reading the webpage it looks very promising I must say. I will have a go with it and see how it is behaving.

Thanks for the pointer to confirm my finding (looks like slowly slowly I am learning with all the help I am getting from SuSE maillists)

off to go for a codered wash

-- Togan Muftuoglu