[plug] Spoofed packets

Earnshaw, Mike earnshawm at wa.switch.aust.com
Thu Jun 1 15:30:39 WST 2000


This is truly a multi talented list ... proper righting lessons as well
as nix stuff ... g8t  ..
can you help with my uni assignment too? :-)

> -----Original Message-----
> From: Leon Brooks [mailto:leon at brooks.smileys.net]
> Sent: Thursday, June 01, 2000 3:18 PM
> To: plug at plug.linux.org.au
> Subject: Re: [plug] Spoofed packets
> 
> 
> "Earnshaw, Mike" wrote:
> > Monitoring the logs recently I see lots of attempts from 192.168.1.6:80
> > to weird ports (>62k) on our ISP permanent assigned IP. Showing my
> > ignorance, I assume these are spoofed packets since they are the private
> > C which should be dropped?
> 
> Yes...
> 
> > I traceroute the number and it goes back to somewhere in Melbourne
> > before I loose it.
> 
> ...in fact, they should be dropped by *every*single*one* of the nodes on
> that traceroute. You should lose it at step 1.
> 
> ipchains -A input -s 192.168.0.0/16 -j DENY -i $GATEWAY_DEVICE
> ipchains -A input -s 172.16.0.0/12 -j DENY -i $GATEWAY_DEVICE
> ipchains -A input -s 10.0.0.0/8 -j DENY -i $GATEWAY_DEVICE
> ipchains -A input -s 127.0.0.0/8 -j DENY -i $GATEWAY_DEVICE
> 
> Also recommend adding -l and sending any hits to probe at auscert.org.au,
> as this might lead to someone becoming aware that they're cracked.
> 
> BTW:
> 
>     loose (luws) == rattling/sleeps around
>     lose (luwz) == misplace/finish last
> 
> If in doubt, don't use an apostrophe. (-:
> 
> -- 
> If at first you don't succeed, try a shorter bungee.
> 
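Added example, not part of the original thread: a log check that flags packets whose source falls in the four ranges denied above when they arrive on the gateway interface. The log-line layout (modelled on `ipchains -l` kernel output), the interface names `ppp0`/`eth0` and all sample lines are assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# The four source ranges the ipchains rules above deny on the gateway device.
DENIED_NETS = [ipaddress.ip_network(n) for n in
               ("192.168.0.0/16", "172.16.0.0/12", "10.0.0.0/8", "127.0.0.0/8")]

# Assumed log layout:
#   Packet log: <chain> <action> <iface> PROTO=<n> <src>:<sport> <dst>:<dport> ...
LOG_RE = re.compile(
    r"Packet log: \S+ \S+ (?P<iface>\S+) PROTO=\d+ "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+)")

def denied_net(addr):
    """Return the denied network containing addr, or None if it is outside all four."""
    ip = ipaddress.ip_address(addr)
    return next((n for n in DENIED_NETS if ip in n), None)

def spoof_hits(lines, gateway_iface):
    """Yield (src, dst, dport, net) for denied-range sources seen on gateway_iface."""
    for line in lines:
        m = LOG_RE.search(line)
        if not m or m["iface"] != gateway_iface:
            continue  # unparseable, or arrived on an internal interface
        net = denied_net(m["src"])
        if net is not None:
            yield m["src"], m["dst"], int(m["dport"]), net

def summarise(lines, gateway_iface):
    """Count hits per (source address, denied network) for a report."""
    return Counter((src, str(net)) for src, _, _, net in spoof_hits(lines, gateway_iface))

# Constructed sample lines; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
SAMPLE = [
    "kernel: Packet log: input DENY ppp0 PROTO=6 192.168.1.6:80 203.0.113.9:62144 L=40 (#1)",
    "kernel: Packet log: input DENY ppp0 PROTO=6 192.168.1.6:80 203.0.113.9:62950 L=40 (#1)",
    "kernel: Packet log: input DENY ppp0 PROTO=6 172.31.255.1:1025 203.0.113.9:25 L=44 (#2)",
    "kernel: Packet log: input ACCEPT ppp0 PROTO=6 172.32.0.1:1025 203.0.113.9:25 L=44 (#9)",
    "kernel: Packet log: input ACCEPT eth0 PROTO=6 192.168.1.20:1030 198.51.100.7:80 L=60 (#8)",
    "kernel: Packet log: input DENY ppp0 PROTO=17 127.0.0.1:53 203.0.113.9:1040 L=72 (#4)",
]

if __name__ == "__main__":
    for (src, net), count in summarise(SAMPLE, "ppp0").most_common():
        print(f"{count:3d}  {src:<15} in {net}")
```

The `172.32.0.1` line shows the /12 boundary: it sits just outside `172.16.0.0/12` and is not flagged, and the `eth0` line is skipped because private sources are expected on the internal interface.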


