Christopher D. Reimer said:
Greetings!
Out of all the recent articles about DOS attacks on some of the big websites, the one thing that sticks out to me is the fact that a lot of unsuspecting computers on the internet were used to launch the attacks, and the sysads of those computers may never know it. I have a SuSE Linux 6.3 box with ipchains enabled to route network traffic through a PPP connection to the internet that's on between 8:30am and 1:30am. (This is to avoid being charged by my ISP for having a 24/7 connection.) I'm using a rather simple three-line configuration file to make this stuff happen. I don't have a firewall or anything else to make it difficult for hackers. I have a few questions about this configuration...
1. Does my current configuration prevent someone from using me as a launch pad for DOS attacks?
I don't think so. Apparently the traffic is being generated by a program that has been installed by the vandal(s) to connect to servers and make bogus requests at their command. Obviously, if your PPP connection isn't up then this program wouldn't be able to listen for the control commands or make its requests, but if you're connected then there's nothing stopping it.
2. How can I tell if my system is being used in this way?
I don't know. Is your link slow? If you're using a modem, are the tx/rx lights flashing when you're not doing anything? Maybe check the output of lsof -li for suspicious processes/connections? (also see below)
I'm looking into the possibility of setting up a firewall (more for the learning potential rather than a specific security threat) and/or adding some additional rules to ipchains. Any help is greatly appreciated!
Thanks!
Ipchains is a useful tool. I was messing around with it a couple weeks ago on my box, trying to figure out why my DSL modem light was flashing in the middle of the night when I wasn't doing anything[*]. Since I didn't want to disturb the rest of my setup I added a "logger" chain like so:

    ipchains -N logger
    ipchains -A logger -j RETURN -l

... and then routed everything coming in from my "external" NIC connected to my DSL modem to it:

    ipchains -I input -i eth1 -j logger

This logged _every_ packet that came in, so at this point my log began to expand rapidly with all sorts of junk. :) To cut down on the volume I started adding rules at the head of the list to RETURN before hitting the logging rule at the end. A couple good ones to start with are:

    ipchains -I logger -p tcp ! -y -j RETURN
    ipchains -I logger -s 0/0 53 -d 0/0 1024: -p udp -j RETURN

The first one stops logging for any packet using the tcp protocol that isn't trying to create a new connection, and the second stops logging for udp packets coming back with DNS lookups. By adding similar rules for other connections as I recognised them I eventually slowed the flood to a trickle, and learned a few things in the process.

Now, I was more interested in stuff coming in than going out, but you could do the same sort of thing on your "output" chain if you wanted to see what kind of stuff you're sending out.

BTW, a good list of "well known" port numbers is available at: http://www.freesoft.org/CIE/RFC/1700/4.htm

-John

* As it turned out my brother had connected his laptop to the LAN to check usenet, but had forgotten to quit his newsreader when he went to bed. It was checking every so often for new messages, and that traffic was blinking the modem light. It was an interesting exercise trying to track that down. At least now I'll always remember that port 119 is the nntp port.
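Added example, not code from John's or Christopher's posts: once a "logger" chain like the one above is writing packet lines to syslog, the next question ("how can I tell if my system is being used this way?") is answered by summarising that log rather than reading it line by line. The POSIX shell script below counts logged packets per destination port and, for the busiest port, lists which addresses were sending to it, which is exactly the kind of tally that points at a runaway newsreader on port 119 or at a process you did not start. The sample log lines are constructed for this example; their layout follows what the kernel prints for an ipchains rule with -l (`Packet log: <chain> <target> <iface> PROTO=<n> <src>:<sport> <dst>:<dport> ...`), and the syslog prefix in front of it is assumed, so fields are located relative to the `log:` token rather than by absolute column.

```shell
#!/bin/sh
# Added example (not from the thread): summarise ipchains packet-log lines so an
# unexplained burst of traffic can be traced to a port and a host.
# Assumed line layout, as written by syslog for an ipchains rule with -l:
#   <syslog prefix> Packet log: <chain> <target> <iface> PROTO=<n> <src>:<sport> <dst>:<dport> L=... (#<rule>)
# The log below is constructed sample data, not a real capture.

LOGFILE="${TMPDIR:-/tmp}/ipchains-sample.$$"
trap 'rm -f "$LOGFILE"' EXIT

cat > "$LOGFILE" <<'EOF'
Mar  1 02:11:03 gw kernel: Packet log: logger RETURN eth1 PROTO=6 10.0.0.2:1025 192.0.2.10:119 L=60 S=0x00 I=4 F=0x4000 T=64 SYN (#3)
Mar  1 02:11:04 gw kernel: eth1: link is up
Mar  1 02:11:09 gw kernel: Packet log: logger RETURN eth1 PROTO=17 192.0.2.53:53 10.0.0.2:1028 L=80 S=0x00 I=5 F=0x0000 T=57 (#3)
Mar  1 02:16:03 gw kernel: Packet log: logger RETURN eth1 PROTO=6 10.0.0.2:1026 192.0.2.10:119 L=60 S=0x00 I=6 F=0x4000 T=64 SYN (#3)
Mar  1 02:17:40 gw kernel: Packet log: logger RETURN eth1 PROTO=6 10.0.0.3:1030 192.0.2.20:80 L=60 S=0x00 I=7 F=0x4000 T=64 SYN (#3)
Mar  1 02:21:03 gw kernel: Packet log: logger RETURN eth1 PROTO=6 10.0.0.2:1027 192.0.2.10:119 L=60 S=0x00 I=8 F=0x4000 T=64 SYN (#3)
Mar  1 02:21:09 gw kernel: Packet log: logger RETURN eth1 PROTO=17 192.0.2.53:53 10.0.0.3:1031 L=80 S=0x00 I=9 F=0x0000 T=57 (#3)
EOF

# by_port LOGFILE PROTO -> "<dport> <count>" per destination port, busiest first.
# PROTO is the IP protocol number as it appears after PROTO= (6 = tcp, 17 = udp).
by_port() {
    awk -v want="PROTO=$2" '
        {
            # locate the "log:" token; everything we need is at a fixed offset from it
            for (i = 1; i <= NF; i++) if ($i == "log:") break
            if (i > NF || $(i + 4) != want) next   # not a packet line, or wrong protocol
            split($(i + 6), dst, ":")              # <dst>:<dport>
            hits[dst[2]]++
        }
        END { for (p in hits) print p, hits[p] }
    ' "$1" | sort -k2,2nr -k1,1n
}

# busiest_port LOGFILE PROTO -> the single most frequently hit destination port.
busiest_port() {
    by_port "$1" "$2" | head -n 1 | cut -d' ' -f1
}

# talkers LOGFILE PROTO DPORT -> "<src-address> <count>" for packets aimed at DPORT.
talkers() {
    awk -v want="PROTO=$2" -v port="$3" '
        {
            for (i = 1; i <= NF; i++) if ($i == "log:") break
            if (i > NF || $(i + 4) != want) next
            split($(i + 5), src, ":")              # <src>:<sport>
            split($(i + 6), dst, ":")              # <dst>:<dport>
            if (dst[2] == port) hits[src[1]]++
        }
        END { for (h in hits) print h, hits[h] }
    ' "$1" | sort -k2,2nr -k1,1
}

# Usage: tally tcp destination ports, then see who is talking to the busiest one.
echo "tcp destination ports logged:"
by_port "$LOGFILE" 6
top=$(busiest_port "$LOGFILE" 6)
echo "hosts sending to tcp port $top:"
talkers "$LOGFILE" 6 "$top"
```

On a real box, point LOGFILE at wherever syslog sends kernel messages (for example /var/log/messages) and drop the constructed heredoc; the RETURN rules John describes keep the volume low enough that the counts stay readable. A port that keeps climbing while nobody is at the keyboard is the thing to look up in the well-known port list and then match against `lsof -li`, as suggested earlier in the thread.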