Re: 2.0.32-pre5

Jon Lewis (jlewis@inorganic5.fdt.net)
Sun, 16 Nov 1997 11:25:29 -0500 (EST)


On Sun, 16 Nov 1997, Dan Merillat wrote:

> Hmm... I installed pre5 on all my boxes (I was getting targeted for
> that nice ip_fragment attack). One problem I have with it is that
> it doesn't tell you which forged source address sent it. Only useful
> if you have multiple ingress routes, and want to tcpdump to find the
> mac address it's coming from... or find if it's a local machine!

I thought about that when I saw Alan's one line patch, and quickly
realized why I think he didn't bother logging anything. Unlike the
oversized ping problem where the first sources of that were actual win95
boxes not forging saddr, teardrop will almost always be used with forged
saddr...so knowing the source does little good. Since it only takes one
hit with teardrop to kill a linux box (at least the ones I tested), it's
unlikely anyone would send streams of overlapping frags long enough for
you to trace it back to them router by router.

------------------------------------------------------------------
Jon Lewis <jlewis@fdt.net> | Unsolicited commercial e-mail will
Network Administrator | be proof-read for $199/message.
Florida Digital Turnpike |
______http://inorganic5.fdt.net/~jlewis/pgp for PGP public key____
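
An added example, not part of either message and not kernel code: a monitor-side check that flags overlapping IPv4 fragments and reports the Ethernet source MAC, since the thread notes the IP source is usually forged. `check_frame`, `make_frag`, the fixed-size table and the sample frames are all hypothetical and constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct span { uint8_t key[11]; uint32_t start, end; };
static struct span seen[64];          /* fixed table, enough for a demo */
static int nseen;

/* Returns 1 and writes the Ethernet source MAC into mac_out (>= 18 bytes) when
 * the frame is an IPv4 fragment that is malformed or overlaps an earlier
 * fragment of the same datagram (exact retransmits count too); else 0. */
int check_frame(const uint8_t *f, size_t len, char *mac_out)
{
    if (len < 34 || f[12] != 0x08 || f[13] != 0x00) return 0;   /* not IPv4 */
    const uint8_t *ip = f + 14;
    uint32_t ihl = (uint32_t)(ip[0] & 0x0f) * 4;
    uint32_t tot = (uint32_t)ip[2] << 8 | ip[3];
    uint32_t fo  = (uint32_t)ip[6] << 8 | ip[7];
    if (!(fo & 0x3fff)) return 0;       /* MF clear, offset 0: not a fragment */
    int bad = ihl < 20 || tot <= ihl;   /* bogus header or empty fragment */
    uint32_t start = (fo & 0x1fff) * 8, end = bad ? start : start + tot - ihl;
    uint8_t key[11];                    /* id, protocol, saddr, daddr */
    memcpy(key, ip + 4, 2); key[2] = ip[9]; memcpy(key + 3, ip + 12, 8);
    for (int i = 0; i < nseen && !bad; i++)
        bad = !memcmp(seen[i].key, key, 11) &&
              start < seen[i].end && seen[i].start < end;
    if (!bad && nseen < 64) {
        memcpy(seen[nseen].key, key, 11);
        seen[nseen].start = start; seen[nseen++].end = end;
    }
    if (bad)   /* saddr may be forged; the MAC shows the ingress hop */
        snprintf(mac_out, 18, "%02x:%02x:%02x:%02x:%02x:%02x",
                 f[6], f[7], f[8], f[9], f[10], f[11]);
    return bad;
}
/* Constructed sample input: header-only frame, source MAC 02:00:00:00:00:<last>. */
void make_frag(uint8_t f[34], uint8_t last, uint16_t id, uint16_t fo, uint16_t paylen)
{
    memset(f, 0, 34);
    f[6] = 0x02; f[11] = last; f[12] = 0x08; f[14] = 0x45; f[23] = 17;
    f[16] = (uint8_t)((20 + paylen) >> 8); f[17] = (uint8_t)(20 + paylen);
    f[18] = (uint8_t)(id >> 8); f[19] = (uint8_t)id;
    f[20] = (uint8_t)(fo >> 8); f[21] = (uint8_t)fo;
}
int main(void)
{
    uint8_t f[34]; char mac[18];
    make_frag(f, 0x01, 0x1234, 0x2000, 32); check_frame(f, 34, mac);
    make_frag(f, 0x07, 0x1234, 0x0003, 4);
    if (check_frame(f, 34, mac)) printf("overlapping fragment via %s\n", mac);
    return 0;
}
```

The reported MAC identifies only the last layer-2 hop, which is enough to tell a local machine from an upstream router on a given ingress.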