Quote:> Hi guys, I'm writing a module for my computer science thesis work.
> I've to catch the smurf attack using netfilter firewalling scheme
> ( so we are in 2.4.0 kernel series ).
> How is filled the broadcast field in the sock structure, and when?
do you mean you want to detect if you are:
- the source amplifier in a smurf attack, or
- the target in a smurf attack?
if the former, it should be a simply matter of adding a firewall rule (I
don't know netfilter yet), that logs any packets arriving on your internet
interface destined for your broadcast address. for IPChains, it would be
ipchains -I input 1 -j REJECT -i ppp0 -d 18.104.22.168 -l
where ppp0 is your link to the internet, and 255 is your broadcast address
(mine is 192 since I have a subnet not a whole net, so make sure you know
what it is).
if you get a lot of packets logged for this, it could be indicative of an
attack. a small number may just be a portscan.