[Dshield] Spoofs

security@admin.fulgan.com security at admin.fulgan.com
Thu Nov 8 10:02:59 GMT 2001

LF> Stephane,

LF> RE:  In any case, you should try to catch the outgoing
>> SYN packet: it will
>> tell you what protocol is concerned and you'll be
>> able to act on that.
LF> Could you tell how I can act once I know the protocol?

Well, it really depends on what the SYN will tell you. Basically, you
have two choices: Ban the guilty application by closing its outgoing
port (the target port in the SYN packet) or try to work out a behavior
rule for the application, if it can be applied (Some applications
allow you to specify that you're behind a NAT router and will stop
sending internal addresses).

Another thing you can do is to filter packets to private IP ranges at
your router: that way, they won't be reaching the external network.
Depending on how your router's filter behaves, you might still get the
network unreachable packets, but only from your own router.

Good luck,
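As an added example that is not part of the original thread: a small Python script doing the triage described above over constructed log lines of outgoing SYN packets seen at the router's external interface. It flags those aimed at private (RFC 1918) ranges, which an egress filter at the router should drop, and reports the destination port so the responsible application can be identified. The log line format and the sample addresses are assumptions.

```python
import ipaddress
import re

# Constructed sample: outgoing packets as a simple router log might record them
# before NAT, just prior to forwarding on the external interface (format assumed).
# Fields: timestamp, direction, source ip:port, destination ip:port, TCP flags.
SAMPLE_LOG = """\
2001-11-08 09:58:01 OUT 192.168.1.10:1043 -> 192.168.2.5:139 S
2001-11-08 09:58:03 OUT 192.168.1.10:1044 -> 10.0.0.21:445 S
2001-11-08 09:58:07 OUT 192.168.1.10:1045 -> 198.51.100.7:80 S
2001-11-08 09:58:09 OUT 192.168.1.10:1046 -> 172.16.4.2:1900 S
2001-11-08 09:58:11 OUT 192.168.1.10:1047 -> 203.0.113.9:25 SA
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) OUT (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) (?P<flags>[A-Z]+)$"
)

# Destinations that should never leave the router toward the Internet (RFC 1918).
PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_private(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in PRIVATE_NETS)


def triage(log_text):
    """Return (dst, dport) for every outgoing SYN (flags exactly 'S') aimed at a
    private range. The destination port is what identifies the application to act on."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("flags") != "S":
            continue  # skip malformed lines and non-SYN packets (e.g. SYN/ACK)
        if is_private(m.group("dst")):
            findings.append((m.group("dst"), int(m.group("dport"))))
    return findings


def ports_to_review(findings):
    """Distinct destination ports of the leaking SYNs: candidates for closing
    at the router or for a per-application behaviour rule."""
    return sorted({dport for _, dport in findings})


if __name__ == "__main__":
    hits = triage(SAMPLE_LOG)
    for dst, dport in hits:
        print(f"SYN to private address {dst} port {dport}: drop at router, "
              f"check which application uses port {dport}")
    print("ports to review:", ports_to_review(hits))
```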

