> where an attacker can hurt me too?

Boris Lorenz wrote:
> Denial of Service, Distributed Denial of Service, illicit traffic redirections via routing, and DNS spoofing. DoS/DDoS wouldn't allow an attacker to "own" your host, but to render it useless. Make sure you use syn-cookie protection, and maybe ask your upstream provider about their anti-DoS facilities. Don't expect too much, tho...

OK - DoS is DoS - shit happens. But it doesn't seem insecure (except syn-cookies maybe :O) - but this is now a remote vulnerability. What does "illicit traffic redirections via routing" mean? Do you mean ICMP redirects? OK - such packets should be filtered by the packet filter. If not - how to prevent it?

DNS spoofing means that the attacker masks his packets with the source IP of a trusted DNS server whose responses my packet filter accepts. So if I check the MAC of the original DNS server with my filter too (I guess iptables --mac), the attacker can spoof it too. So the packet will go through to get processed by the IP stack.

Is it enough to ensure that no service is bound to the external interface?

Michael
Yup.

On 10-Nov-01 Michael Appeldorn wrote:
> > where an attacker can hurt me too?
>
> Boris Lorenz wrote:
> > Denial of Service, Distributed Denial of Service, illicit traffic redirections via routing, and DNS spoofing. DoS/DDoS wouldn't allow an attacker to "own" your host, but to render it useless. Make sure you use syn-cookie protection, and maybe ask your upstream provider about their anti-DoS facilities. Don't expect too much, tho...
>
> OK - DoS is DoS - shit happens. But it doesn't seem insecure (except syn-cookies maybe :O) - but this is now a remote vulnerability.

DoS is just another way to disrupt a system, regardless of most security precautions. You can't really prevent a DoS attack, only lower its impact. That's what I meant. (D)DoS is a problem caused by TCP/IP protocol issues, and can consist of SYN flooding, ICMP storms, etc.

> What does "illicit traffic redirections via routing" mean? Do you mean ICMP redirects? OK - such packets should be filtered by the packet filter. If not - how to prevent it?
Yep, redirects. Filter certain ICMP types. Kurt has assembled a very good list about that, which is attached to this posting. Redirects should not happen in any case.
> DNS spoofing means that the attacker masks his packets with the source IP of a trusted DNS server whose responses my packet filter accepts. So if I check the MAC of the original DNS server with my filter too (I guess iptables --mac), the attacker can spoof it too. So the packet will go through to get processed by the IP stack.
>
> Is it enough to ensure that no service is bound to the external interface?
Yes it is, provided you don't do forwarding between external and internal. If you do, narrow it down.
> Michael
Boris Lorenz
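The three practical points raised in Michael's questions and Boris's answers above (SYN cookies and kernel handling of ICMP redirects, filtering redirects and DNS replies with iptables, and making sure nothing listens on the external interface) as one added example. This is a POSIX sh script written for this page, not code from either poster or from Kurt's attached list. It assumes the Linux /proc/sys layout (the root directory is a parameter so the audit can run against a constructed tree; pass /proc on a live host), and the interface name eth0, the DNS server 192.0.2.53 and the sample ss output are placeholders. The DNS rule uses connection tracking rather than a MAC match: a reply is accepted only if it answers a query this host actually sent, and on traffic routed in from outside the frame's source MAC is that of the upstream router in any case, so `-m mac` would not distinguish a spoofed reply there.

```shell
#!/bin/sh
# Added example (not from the thread). Audits the kernel settings discussed
# above, prints iptables rules for the ICMP-redirect and DNS points, and lists
# sockets bound to every address. Assumes the Linux /proc/sys layout.

# Dotted sysctl name and the value it should have (real Linux sysctl names):
#   tcp_syncookies=1      SYN cookies against SYN floods
#   accept_redirects=0    ignore ICMP redirects ("illicit redirection via routing")
#   send_redirects=0      never emit redirects ourselves
#   rp_filter=1           drop packets whose source address is not routable back
#                         through the interface they arrived on (spoofed sources)
#   ip_forward=0          no forwarding between external and internal at all
WANTED='net.ipv4.tcp_syncookies 1
net.ipv4.conf.all.accept_redirects 0
net.ipv4.conf.all.send_redirects 0
net.ipv4.conf.all.rp_filter 1
net.ipv4.ip_forward 0'

# audit_sysctl ROOT: prints "key current wanted" for every setting that is
# missing or not at the wanted value; prints nothing when all are fine.
audit_sysctl() {
    root=$1
    printf '%s\n' "$WANTED" | while read -r key want desc; do
        file="$root/sys/$(printf '%s' "$key" | tr . /)"
        if [ -r "$file" ]; then cur=$(cat "$file"); else cur=missing; fi
        [ "$cur" = "$want" ] || printf '%s %s %s\n' "$key" "$cur" "$want"
    done
}

# make_sample_proc ROOT: builds a constructed /proc/sys tree (not a real host's
# values) with two weak settings: SYN cookies off and ICMP redirects accepted.
make_sample_proc() {
    d="$1/sys/net/ipv4/conf/all"
    mkdir -p "$d"
    echo 0 > "$1/sys/net/ipv4/tcp_syncookies"
    echo 0 > "$1/sys/net/ipv4/ip_forward"
    echo 1 > "$d/accept_redirects"
    echo 0 > "$d/send_redirects"
    echo 1 > "$d/rp_filter"
}

# firewall_rules EXT_IF DNS_SERVER: prints the iptables commands for the two
# packet-filter points. Redirects (ICMP type 5) are dropped outright; a DNS
# reply is accepted only from the trusted server and only when conntrack has
# seen the matching outgoing query; every other "reply" from port 53 is dropped.
firewall_rules() {
    ext=$1; dns=$2
    cat <<EOF
iptables -A INPUT -i $ext -p icmp --icmp-type redirect -j DROP
iptables -A INPUT -i $ext -p udp -s $dns --sport 53 -m conntrack --ctstate ESTABLISHED -j ACCEPT
iptables -A INPUT -i $ext -p udp --sport 53 -j DROP
EOF
}

# exposed_listeners: reads `ss -Hlntu` output on stdin and prints the sockets
# bound to every address (0.0.0.0, * or [::]), i.e. the ones that are reachable
# on the external interface as well. Bind such daemons to the internal address.
exposed_listeners() {
    awk '$5 ~ /^(0\.0\.0\.0|\*|\[::\]):/ { print $1, $5 }'
}

# Stand-alone run: audit a constructed tree (or the live host with --live),
# print the rules, and check a constructed ss listing.
if [ "${1:-}" = "--live" ]; then
    audit_sysctl /proc
else
    tmp=$(mktemp -d)
    make_sample_proc "$tmp"
    audit_sysctl "$tmp"
    rm -rf "$tmp"
fi
firewall_rules eth0 192.0.2.53
printf 'tcp LISTEN 0 128 0.0.0.0:22 0.0.0.0:*\nudp UNCONN 0 0 10.0.0.2:53 0.0.0.0:*\n' \
    | exposed_listeners
```

On the constructed tree the audit reports exactly the two weak knobs (tcp_syncookies and accept_redirects). The rp_filter and ip_forward checks are what makes "no service bound to the external interface" hold as Boris qualified it: with forwarding off, a spoofed packet that does get past the filter reaches only the local stack, where nothing is listening on that address.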