Responses can be combined across layers, just as attacks can be. For example, a firewall rule could be instantiated against an attacker at the same time that a TCP RST is sent using a combination of tools like fwsnort and psad (see Chapter 11).
One way to knock down a malicious TCP connection would be to use the iptables REJECT target and then instantiate a persistent blocking rule against the source address of the attack. The persistent blocking rule is the network layer response, which prevents any further communication from the attacker's current IP address with the target of the initial attack.
Although this may sound effective, note that a blocking rule in a firewall can frequently be circumvented by an attacker routing attacks over the The Onion Router (Tor) network.10 By sending an attack over Tor, the source address of the attack is not predictable by the target.
iptables -I INPUT 1 -m limit --limit 10/sec -s 144.202.X.X -j ACCEPT iptables -I INPUT 2 -s 144.202.X.X -j DROP
iptables -I OUTPUT 1 -m limit --limit 10/sec -d 144.202.X.X -j ACCEPT iptables -I OUTPUT 2 -d 144.202.X.X -j DROP
iptables -I FORWARD 1 -m limit --limit 10/sec -s 144.202.X.X -j ACCEPT iptables -I FORWARD 2 -s 144.202.X.X -j DROP
iptables -I FORWARD 1 -m limit --limit 10/sec -d 144.202.X.X -j ACCEPT iptables -I FORWARD 2 -d 144.202.X.X -j DROP
10 Tor anonymizes network communications by sending packets through a cloud of nodes called onion routers in an encrypted and randomized fashion. Tor only supports TCP, so it cannot be used to anonymize attacks over other protocols such as UDP.
The same is true for attacks where the source IP address is spoofed by the attacker. Spoofed attacks do not require bidirectional communication, and so it is risky to respond to them; doing so essentially gives control to the attacker over who gets blocked in your firewall! It is unlikely that all important IP addresses (such as DNS servers, upstream routers, remote VPN tunnel terminations, and so on) are whitelisted in your firewall policy, and so giving this control to an attacker is risky. Some of the suspicious traffic examples earlier in this chapter, such as spoofed UDP strings, packets with low TTL values, and Nmap ICMP Echo Requests, are perfect examples of traffic that it is not a good idea to actively respond to.
As we will see in later chapters, there are only a few classes of traffic that are best met with automated responses.
Was this article helpful?