[svlug] Re: iptables syn flood etc
georgw at galis.org
Tue Jan 14 08:26:00 PST 2003
On Mon, Jan 13, 2003 at 10:20:27PM -0800, Vince Hoang wrote:
>On Mon, Jan 13, 2003 at 12:47:23PM -0500, George Georgalis wrote:
>> # high rate for stealth scans, since they could be legitimate connection
>> # attempts as well
>I would consult the Stevens book and simply drop the scans that
>cannot be legitimate.
>> # we are nice and allow traceroute, though it is not required
>> $IPTABLES -A in_icmp -p icmp --icmp-type 11 -j ACCEPT
>> $IPTABLES -A in_icmp -p icmp --icmp-type 30 -j ACCEPT
>Which version of traceroute uses icmp/11 and icmp/30?
Thanks for your comments Vince. I cannot answer your question, I have
only reformatted the code and am looking for documentation. There is a
nice ps file on the author's site.
Network Intrusion Detection. An Analyst's handbook, 2nd ed. by Stephen
Northcutt and Judy Novak; and Network Intrusion Detection 3rd edition,
by Stephen Northcutt and Judy Novak (I think they are companion books)
both look interesting too, but I wasn't able to find so much as an table
of content from the internet on those.
GEORGE GEORGALIS, System Admin/Architect cell: 347-451-8229
Security Services, Web, Mail, mailto:george at galis.org
Multimedia, DB, DNS and Metrics. http://www.galis.org/george
More information about the svlug