where an attacker can hurt me too?
Denial of Service, Distributed Denial of Service, illicit traffic redirection via routing, and DNS spoofing. DoS/DDoS wouldn't allow an attacker to "own" your host, but to render it useless. Make sure you use syn-cookies and maybe ask your upstream provider about their anti-DoS facilities. Don't expect too much, though...

Boris Lorenz
OK - DoS is DoS - shit happens. But it seems not insecure (except syn-cookies maybe :O) - but this is now a remote vuln). What does "illicit traffic redirection via routing" mean? Do you mean ICMP redirects? OK - the packet filter should filter such packets. If not - how to prevent it?

DNS spoofing means that the attacker masks his packets with the source IP of a trusted DNS server whose responses my packet filter accepts. So if I check the MAC of the original DNS server with my filter too (guess iptables --mac), the attacker can spoof it too. So the packet will go through to get processed by the IP stack. Is it enough to ensure that no service is bound to the external interface?

Michael
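The three host-side checks the thread keeps circling back to (syn-cookies on, ICMP redirects not accepted or sent, and no service listening on every address so that the external interface carries nothing) can be audited with a small script. The following is an added example, not code from either poster; it assumes a Linux host (the `net.ipv4.*` sysctl names and the column layout of `ss -H -tuln`), and the two data files it reads are constructed samples embedded inline so that it runs offline. On a real host you would feed it `sysctl -a` and `ss -H -tuln` output instead.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes Linux sysctl key names and
# `ss -H -tuln` column order: Netid State Recv-Q Send-Q Local:Port Peer:Port.

# Hardened values for the points raised in the thread: syn-cookies against
# SYN floods, no ICMP redirects in either direction, strict reverse-path
# filtering so spoofed "trusted DNS server" source addresses arriving on the
# wrong interface are dropped before the packet filter even sees them.
WANTED_SYSCTLS='
net.ipv4.tcp_syncookies=1
net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.all.send_redirects=0
net.ipv4.conf.all.rp_filter=1
'

# check_sysctls FILE: FILE holds "key = value" lines (the `sysctl -a` format).
# Prints every wanted key whose current value differs; returns 1 if any do.
check_sysctls() {
    bad=0
    for want in $WANTED_SYSCTLS; do
        key=${want%%=*}
        val=${want#*=}
        cur=$(sed -n "s/^$key *= *//p" "$1" | head -n 1)
        if [ "$cur" != "$val" ]; then
            echo "$key is '${cur:-unset}', want $val"
            bad=1
        fi
    done
    return $bad
}

# wildcard_listeners FILE: FILE holds `ss -H -tuln` style lines. Prints the
# sockets bound to every address (0.0.0.0, [::] or *): these are reachable on
# the external interface unless the packet filter blocks them, which is the
# "is no service bound to the external interface" question from the thread.
wildcard_listeners() {
    awk '$1 ~ /^(tcp|udp)$/ {
        addr = $5
        sub(/:[^:]*$/, "", addr)          # strip the trailing :port
        if (addr == "0.0.0.0" || addr == "[::]" || addr == "*")
            print $1, $5
    }' "$1"
}

# Constructed sample data (not captured from a real host) so the helpers run
# stand-alone: two sysctls are wrong, two sockets listen on every address.
SAMPLE_SYSCTL=$(mktemp)
cat >"$SAMPLE_SYSCTL" <<'EOF'
net.ipv4.tcp_syncookies = 0
net.ipv4.conf.all.accept_redirects = 1
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.all.rp_filter = 1
EOF

SAMPLE_SS=$(mktemp)
cat >"$SAMPLE_SS" <<'EOF'
udp   UNCONN 0      0        127.0.0.1:53       0.0.0.0:*
udp   UNCONN 0      0          0.0.0.0:123      0.0.0.0:*
tcp   LISTEN 0      128    192.168.1.1:22       0.0.0.0:*
tcp   LISTEN 0      128           [::]:80          [::]:*
EOF
trap 'rm -f "$SAMPLE_SYSCTL" "$SAMPLE_SS"' EXIT

echo "== sysctls that differ from the hardened values"
check_sysctls "$SAMPLE_SYSCTL" || echo "(fix the above before exposing the host)"
echo "== sockets listening on every address"
wildcard_listeners "$SAMPLE_SS"
```

Note that `rp_filter` only helps against spoofed source addresses that arrive on an interface they could not legitimately come from; a forged DNS reply arriving on the external interface with an external source address passes it, so the script reports wildcard-bound sockets separately rather than treating the sysctls as sufficient.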