JP Vossen on 3 Feb 2012 12:26:59 -0800


[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

Re: [PLUG] Quick& dirty IP blocking


Date: Fri, 3 Feb 2012 09:09:35 -0500
From: "Paul W. Roach III"<paul@isaroach.com>

Definitely a cool tool!  Something to consider:

Nullroutes don't affect incoming traffic, they affect outgoing traffic.
This means that their packets will still hit you (and whatever service is
on the other end of the port in question), but your replies will be
nullrouted into the bit bucket.

I was thinking that they'd be routed into the bit bucket on the way in too. But I have no real evidence for that, and when I think about it, your way makes more sense. I dunno, didn't really look.

All the stuff *I* care about is TCP, so this'll break that.


If you have an exposed service that's vulnerable to a UDP attack, you're
still exposed.  Or if you had a vulnerability that could be triggered by
any single packet or a stream that required no handshake or reply, TCP or
otherwise.

If you are right about when it routes to the bit bucket, which you probably are, I agree. UDP could still kill you.


This doesn't limit you from locking yourself out either, if you're in that
subnet.

I agree. Sure, you can shoot yourself in the foot either way, but I still say that a trivial 1 line 'ip route add blackhole ...' command is harder to screw up than an iptables config. (But that assumes the iptables config is >1 line.)


The iptables equivalent would be:

iptables -A INPUT -s 192.168.192.0/24 -j DROP

OK, I have to admit I haven't played with iptables in a long time, and it and distros change. Having said that, are you sure? I thought there would be some defaults you'd need to make sure you don't run afoul of. Like a default allow a couple of things the a "deny all". So if you don't allow all the right things before you turn it on...

Am I assuming wrong? If, on a stock Debian Lenny or Ubuntu 10.04 or newer system it's really just that 1 line, then that is much simpler than I recall it being.

And that makes this pretty compelling:
http://www.digitalsanctuary.com/tech-blog/debian/using-iptables-to-prevent-ssh-brute-force-attacks.html

See also: http://www.digitalsanctuary.com/tech-blog/debian/how-to-block-an-ip-in-linux.html


Do you have any data to suggest that routing is any more or less overhead
than iptables?

That was based on the stuff I was reading on the web, but when I looked for that detail in the URLs in my notes, I didn't find it, except for an out-of-context performance note in http://en.wikipedia.org/wiki/Null_route. So this may be me overgeneralizing... Or I saw it in "supporting" URLs I didn't bother to note down.


Both happen in the kernel, and netfilter is, in my
experience, VERY efficient -- and is always running, whether you think it
is or not.

I was going to say it's not running if it's not installed, which it isn't on that server. But I'm wrong. I thought it wasn't installed because I can't find any /etc/init.d/ip* script. But /sbin/iptables is there... And anyway, you'd have said it was still in the kernel, which is true. Traversing an empty/unconfigured path is still faster than traversing one that makes choices, but I'll admit the difference is probably infinitesimal. :-)

Thanks for the feedback,
JP
----------------------------|:::======|-------------------------------
JP Vossen, CISSP            |:::======|      http://bashcookbook.com/
My Account, My Opinions     |=========|      http://www.jpsdomain.org/
----------------------------|=========|-------------------------------
"Microsoft Tax" = the additional hardware & yearly fees for the add-on
software required to protect Windows from its own poorly designed and
implemented self, while the overhead incidentally flattens Moore's Law.
___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug