<!doctype html public "-//w3c//dtd html 4.0 transitional//en">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<meta name="Author" content="JC Pollman">
<meta name="GENERATOR" content="Mozilla/4.61 [en] (X11; I; Linux 2.2.11 i686) [Netscape]">
</head>
<body bgcolor="#ffffff">

<center><b><font size=+1>IP Spoofing</font></b></center>
<p>The best information comes straight from the <a href="http://metalab.unc.edu/pub/Linux/docs/howto/IPCHAINS-HOWTO">IP Chains How To</a>:

<p>IP spoofing is a technique where a host sends out packets which claim
to be from another host. Since packet filtering makes decisions based
on this source address, IP spoofing is used to fool packet filters. It
is also used to hide the identity of attackers using SYN attacks, Teardrop,
Ping of Death and the like (don't worry if you don't know what they are).

<p>The best way to protect from IP spoofing is called Source Address Verification,
and it is done by the routing code, and not firewalling at all. Look
for a file called rp_filter by doing this:
|
<p><i><font color="#330000">ls -l /proc/sys/net/ipv4/conf/all/rp_filter [Enter]</font></i>

<p>If this exists, then turning on Source Address Verification at every
boot is the right solution for you. To do that, insert the following
lines in your <font color="#330000">init script (for Redhat based distributions
use /etc/rc.d/rc.sysinit script)</font> <font color="#330000">immediately</font>
after /proc is mounted:
<br>
<p><tt># This is the best method: turn on Source Address Verification and get</tt>
<br><tt># spoof protection on all current and future interfaces.</tt>
<br><tt>if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ]; then</tt>
<br><tt>&nbsp;&nbsp;&nbsp;&nbsp;echo -n "Setting up IP spoofing protection..."</tt>
<br><tt>&nbsp;&nbsp;&nbsp;&nbsp;for f in /proc/sys/net/ipv4/conf/*/rp_filter; do</tt>
<br><tt>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;echo 1 > $f</tt>
<br><tt>&nbsp;&nbsp;&nbsp;&nbsp;done</tt>
<br><tt>&nbsp;&nbsp;&nbsp;&nbsp;echo "done."</tt>
<br><tt>else</tt>
<br><tt>&nbsp;&nbsp;&nbsp;&nbsp;echo PROBLEMS SETTING UP IP SPOOFING PROTECTION. BE WORRIED.</tt>
<br><tt>&nbsp;&nbsp;&nbsp;&nbsp;echo "CONTROL-D will exit from this shell and continue system startup."</tt>
<br><tt>&nbsp;&nbsp;&nbsp;&nbsp;echo</tt>
<br><tt>&nbsp;&nbsp;&nbsp;&nbsp;# Start a single user shell on the console</tt>
<br><tt>&nbsp;&nbsp;&nbsp;&nbsp;/sbin/sulogin $CONSOLE</tt>
<br><tt>fi</tt>
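<p>An added example, not taken from this page or from the IPCHAINS-HOWTO: a POSIX shell script that audits the rp_filter setting of every interface directory under a conf tree and turns it on where it is off, the same loop the HOWTO runs at boot but with a result you can check afterwards. The conf directory is a parameter (an assumption introduced here, not part of the HOWTO script) so the functions can be exercised against a constructed stand-in tree without root; on a live system pass /proc/sys/net/ipv4/conf and run as root.</p>

```shell
#!/bin/sh
# Added example (not the page's or the HOWTO's own code): audit and enable
# Source Address Verification (rp_filter) for every interface directory
# under a /proc/sys/net/ipv4/conf-style tree.
# The tree path is a parameter so the functions can be run against a
# constructed copy instead of the live kernel interface (assumption).

# List interfaces whose rp_filter is not 1 (strict reverse-path check).
# Returns 0 when every interface is protected, 1 when at least one is not.
check_rp_filter() {
    conf_dir=$1
    unprotected=""
    for f in "$conf_dir"/*/rp_filter; do
        [ -e "$f" ] || continue            # no match: the glob is returned literally
        iface=$(basename "$(dirname "$f")")
        val=$(cat "$f")
        case "$val" in
            1) ;;                          # strict mode: protected
            *) unprotected="$unprotected $iface" ;;
        esac
    done
    if [ -n "$unprotected" ]; then
        echo "rp_filter not enabled on:$unprotected"
        return 1
    fi
    echo "rp_filter enabled on all interfaces"
    return 0
}

# Turn on strict reverse-path filtering for every current interface,
# mirroring the HOWTO's boot-time loop. Fails if the tree lacks all/rp_filter,
# which is the HOWTO's "BE WORRIED" case.
enable_rp_filter() {
    conf_dir=$1
    [ -e "$conf_dir/all/rp_filter" ] || return 1
    for f in "$conf_dir"/*/rp_filter; do
        echo 1 > "$f"
    done
}

# Read the rp_filter value of one interface directory.
rp_filter_value() {
    cat "$1/$2/rp_filter"
}

# Build a constructed stand-in for /proc/sys/net/ipv4/conf with rp_filter
# off on every interface (sample data, not a real kernel tree).
make_sample_conf() {
    dir=$(mktemp -d)
    for iface in all default lo eth0; do
        mkdir -p "$dir/$iface"
        echo 0 > "$dir/$iface/rp_filter"
    done
    echo "$dir"
}

# Stand-alone demonstration: audit the constructed tree, enable, audit again.
demo() {
    sample=$(make_sample_conf)
    check_rp_filter "$sample" || true
    enable_rp_filter "$sample"
    check_rp_filter "$sample"
    rm -rf "$sample"
}

demo
```

<p>Two things worth knowing when you use this on a current kernel rather than the 2.2 series the page was written for: the kernel applies the larger of the values in <tt>conf/all/rp_filter</tt> and <tt>conf/&lt;interface&gt;/rp_filter</tt>, and since 2.6.31 the file also accepts 2 (loose mode, which only requires that the source address be reachable by some route). The check above deliberately counts anything but 1 as unprotected, because 1 is the strict setting the HOWTO asks for. On distributions with sysctl support, setting <tt>net.ipv4.conf.all.rp_filter = 1</tt> in /etc/sysctl.conf is the persistent equivalent of editing rc.sysinit.</p>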
<p>If you cannot do this, you can manually insert rules to protect every
interface. This requires knowledge of each interface. The 2.1
kernels automatically reject packets claiming to come from the 127.* addresses
(reserved for the local loopback interface, lo).

</body>
</html>