[plug] Spoofed packets
Leon Brooks
leon at brooks.smileys.net
Thu Jun 1 15:32:30 WST 2000
"Earnshaw, Mike" wrote:
> Monitoring the logs recently I see lots of attempts from 192.168.1.6:80
> to weird ports (>62k) on our ISP permanent assigned IP. Showing my
> ignorance, I assume these are spoofed packets since they are the private
> C which should be dropped?
Yes...
> I traceroute the number and it goes back to somewhere in Melbourne
> before I loose it.
...in fact, they should be dropped by *every*single*one* of the nodes on
that traceroute. You should lose it at step 1.
ipchains -A input -s 192.168.0.0/16 -j DENY -i $GATEWAY_DEVICE
ipchains -A input -s 172.16.0.0/12 -j DENY -i $GATEWAY_DEVICE
ipchains -A input -s 10.0.0.0/8 -j DENY -i $GATEWAY_DEVICE
ipchains -A input -s 127.0.0.0/8 -j DENY -i $GATEWAY_DEVICE
Also recommend adding -l and sending any hits to probe at auscert.org.au,
as this might lead to someone becoming aware that they're cracked.
BTW:
loose (luws) == rattling/sleeps around
lose (luwz) == misplace/finish last
If in doubt, don't use an apostrophe. (-:
--
If at first you don't succeed, try a shorter bungee.
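
Added example, not part of the original message: a log triage script that picks out packets logged on the external interface whose source address falls in one of the four ranges denied above. It assumes the kernel "Packet log:" line layout written when -l is set and that eth0 is the gateway device; the sample log lines and the 203.0.113.10 address are constructed.

```python
import ipaddress
import re
from collections import Counter

# The four source ranges denied on the gateway device in the rules above.
BOGON_NETS = [ipaddress.ip_network(n) for n in
              ("192.168.0.0/16", "172.16.0.0/12", "10.0.0.0/8", "127.0.0.0/8")]

# Assumed ipchains -l layout: "Packet log: chain action iface PROTO=n src:port dst:port ..."
LOG_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<action>\S+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+)")

def is_bogon(addr):
    """True if addr is in a private or loopback range that must never arrive from outside."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in BOGON_NETS)

def spoofed_hits(lines, external_iface):
    """Return (src, sport, dst, dport) for bogon-sourced packets seen on the external interface."""
    hits = []
    for line in lines:
        m = LOG_RE.search(line)
        if m is None or m["iface"] != external_iface:
            continue  # not a packet log line, or traffic on the inside interface
        try:
            if is_bogon(m["src"]):
                hits.append((m["src"], int(m["sport"]), m["dst"], int(m["dport"])))
        except ValueError:
            continue  # malformed address in the log line
    return hits

def count_by_source(hits):
    """Tally hits per source address, for a report."""
    return Counter(src for src, _sport, _dst, _dport in hits)

# Constructed sample lines (not from the original post); eth0 is the assumed external device.
SAMPLE_LOG = """\
Jun  1 15:01:12 gw kernel: Packet log: input DENY eth0 PROTO=6 192.168.1.6:80 203.0.113.10:62114 L=40 S=0x00 I=0 F=0x0000 T=240 (#1)
Jun  1 15:01:15 gw kernel: Packet log: input DENY eth0 PROTO=6 192.168.1.6:80 203.0.113.10:62377 L=40 S=0x00 I=0 F=0x0000 T=240 (#1)
Jun  1 15:02:40 gw kernel: Packet log: input ACCEPT eth1 PROTO=6 192.168.1.20:1042 203.0.113.10:25 L=60 S=0x00 I=91 F=0x0000 T=64 (#5)
Jun  1 15:03:02 gw kernel: Packet log: input ACCEPT eth0 PROTO=17 172.32.0.9:53 203.0.113.10:1030 L=76 S=0x00 I=7 F=0x0000 T=52 (#6)
Jun  1 15:03:09 gw kernel: Packet log: input DENY eth0 PROTO=17 172.31.255.1:53 203.0.113.10:1031 L=76 S=0x00 I=8 F=0x0000 T=52 (#2)
"""

if __name__ == "__main__":
    for src, n in count_by_source(spoofed_hits(SAMPLE_LOG.splitlines(), "eth0")).items():
        print(f"{src}: {n} spoofed packet(s) on eth0")
```

The 172.32.0.9 line is left alone because it lies just outside 172.16.0.0/12, and the 192.168.1.20 line is left alone because it arrived on the inside interface.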