Very Computer

Thanxs

--
$>cd /pub
$>more beer

Tutor at D.S.I. - University of Milan
I'm Linux zion 2.4.0-test9 #2 Fri Oct 27 10:51:12 CEST 2000 i586 unknown

Quote:> Hi guys, I'm writing a module for my computer science thesis work.
> I've to catch the smurf attack using netfilter firewalling scheme
> ( so we are in 2.4.0 kernel series ).
> How is filled the broadcast field in the sock structure, and when?

if the former, it should be a simply matter of adding a firewall rule (I
don't know netfilter yet), that logs any packets arriving on your internet
interface destined for your broadcast address. for IPChains, it would be
something like

ipchains -I input 1 -j REJECT -i ppp0 -d 1.2.3.255 -l

where ppp0 is your link to the internet, and 255 is your broadcast address
(mine is 192 since I have a subnet not a whole net, so make sure you know
what it is).

if you get a lot of packets logged for this, it could be indicative of an
attack. a small number may just be a portscan.

                Ciao :)

--
$>cd /pub
$>more beer

Tutor at D.S.I. - University of Milan
I'm Linux zion 2.4.0-test9 #1 Fri Oct 20 14:09:56 CEST 2000 i586 unknown

Quote:> that I can't understand how the "broadcast" field, in sk_buff structure

it doesn't matter anyway, like I said - the broadcast address of the remote
could be anything. I have no idea how to get it without using my provider's
whois server either. i suspect not all networks have functional whois
servers, so you can't rely on that.

what you will need to do is check the source IP's of the outgoing packets -
if they are not one of your own, it's spoofed - and that is bad even if it's
not being used in a smurf attack.

ipchains -A output -i eth0 ! -s $MYIP -d 0/0 -j REJECT -l