[svlug] Re: iptables syn flood etc

George Georgalis georgw at galis.org
Tue Jan 14 08:26:00 PST 2003

On Mon, Jan 13, 2003 at 10:20:27PM -0800, Vince Hoang wrote:
>On Mon, Jan 13, 2003 at 12:47:23PM -0500, George Georgalis wrote:

>>     # high rate for stealth scans, since they could be legitimate connection
>>     # attempts as well
>I would consult the Stevens book and simply drop the scans that
>cannot be legitimate.
>>     # we are nice and allow traceroute, though it is not required
>>     $IPTABLES -A in_icmp -p icmp --icmp-type 11 -j ACCEPT
>>     $IPTABLES -A in_icmp -p icmp --icmp-type 30 -j ACCEPT
>Which version of traceroute uses icmp/11 and icmp/30?

Thanks for your comments Vince. I cannot answer your question, I have
only reformatted the code and am looking for documentation.  There is a
nice ps file on the author's site.


Network Intrusion Detection. An Analyst's handbook, 2nd ed. by Stephen
Northcutt and Judy Novak; and Network Intrusion Detection 3rd edition,
by Stephen Northcutt and Judy Novak (I think they are companion books)
both look interesting too, but I wasn't able to find so much as an table
of content from the internet on those.

// George

GEORGE GEORGALIS, System Admin/Architect    cell: 347-451-8229 
Security Services, Web, Mail,            mailto:george at galis.org 
Multimedia, DB, DNS and Metrics.       http://www.galis.org/george 

More information about the svlug mailing list