How to stop the flood?
Rikunj at raha.com
Thu Apr 28 19:10:26 CEST 2005
I really don't want them to do this and they are blocked as soon as
All the clients are from DHCP IPs of 4 subnets of /24. Blocking them one by
one will eat up IPs.
Moreover they change the attacking src and dst ports making it hard to
My real problem is to identify the culprits.
How can I differentiate genuine traffic from an infected attack? What should
I look for?
----- Original Message -----
From: "Dwayne Hottinger" <dhottinger at harrisonburg.k12.va.us>
To: <netfilter at lists.netfilter.org>
Sent: Thursday, April 28, 2005 6:54 PM
Subject: RE: How to stop the flood?
> I'm confused. Why would you allow someone on your network (subnet or net)
> such a thing. Can't you just not give them access, either via DHCP or some
> other way. Sounds almost like an issue for management, i.e. someone needs to
> start looking for employment elsewhere.
> Quoting Rob Sterenborg <rob at sterenborg.info>:
> > netfilter-bounces at lists.netfilter.org <> scribbled on Thursday, 28 April
> > 2005 16:48:
> > > Thank you for the reply.
> > >
> > > This was the log from one of my clients who was attacked from a client
> > > on another subnet.
> > >
> > > My network consists of clients from different subnets of /24.
> > >
> > > The attacks from one subnet travel through my Linux router
> > > and hit the client on the other subnet.
> > >
> > > I tried a few rules as below, but they seem not to be working.
> > The script doesn't block any packets from 192.168.25.208.
> > If 192.168.25.208 isn't allowed passing your router, you should block it:
> > $IPT -A FORWARD -s 192.168.25.208 [-d <destination_ip>] \
> > -j [DROP|REJECT --reject-with tcp-reset]
> > Or something like that.
> > The real solution is like Jason said : track down the person at
> > 192.168.25.208 and kick his/her ass !
> > Gr,
> > Rob
> Dwayne Hottinger
> Network Administrator
> Harrisonburg City Public Schools
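
An added example, not part of the original thread: one way to approach the question of identifying the culprits is to log forwarded packets with the iptables LOG target and count, per source address, how many distinct destinations it contacts, a measure that does not depend on the changing ports. The log lines, the second client address and the threshold of 20 hosts are constructed assumptions.

```python
import re
from collections import defaultdict

# Fields written by the iptables LOG target, e.g.
#   ... SRC=192.168.25.208 DST=192.168.26.11 ... PROTO=TCP SPT=3051 DPT=445 ...
LOG_RE = re.compile(r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?PROTO=(?P<proto>\S+)"
                    r"(?: SPT=\d+ DPT=(?P<dpt>\d+))?")

def fan_out(lines):
    """Per source: (distinct destination hosts, distinct (dst, proto, port) targets)."""
    hosts, targets = defaultdict(set), defaultdict(set)
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue  # not a netfilter LOG line
        hosts[m["src"]].add(m["dst"])
        targets[m["src"]].add((m["dst"], m["proto"], m["dpt"]))
    return {s: (len(hosts[s]), len(targets[s])) for s in hosts}

def suspects(lines, max_hosts=20):
    """Sources that contacted more than max_hosts destinations (assumed threshold)."""
    return sorted(s for s, (h, _) in fan_out(lines).items() if h > max_hosts)

def sample_log():
    """Constructed log lines: one source sweeping a /24, one ordinary client."""
    fmt = ("Apr 28 16:40:{sec:02d} router kernel: FWD IN=eth1 OUT=eth2 "
           "SRC={src} DST={dst} LEN=48 TTL=127 PROTO=TCP SPT={spt} DPT={dpt} SYN")
    lines = [fmt.format(sec=i % 60, src="192.168.25.208", dst=f"192.168.26.{i}",
                        spt=3000 + i, dpt=445) for i in range(1, 41)]
    lines += [fmt.format(sec=i, src="192.168.25.17", dst="192.168.26.5",
                         spt=4000 + i, dpt=80) for i in range(10)]
    lines.append("Apr 28 16:41:00 router dhcpd: DHCPACK on 192.168.25.17")  # unrelated
    return lines

if __name__ == "__main__":
    for src, (h, t) in sorted(fan_out(sample_log()).items()):
        print(f"{src}: {h} destination hosts, {t} distinct targets")
    print("suspects:", suspects(sample_log()))
```

A genuine client typically talks to a handful of hosts, so the threshold should be tuned against a baseline taken from the same router's logs.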