serious flaw exposed via filters

Kai (kai@www.abest.com)
Mon, 16 Sep 1996 02:46:21 -0400

I sent the following off to support@livingston.com, but feel like sharing
this is a good idea:
-----------------------

Hi there,

given the recent widespread attacks on the infrastructure of the Internet via
the SYN Flood tool published in 2600 and Phrack magazine, I decided to
install outgoing filters on the ethernet ports of our portmasters.
I opted for the 'log' option in the final 'deny' line.

To my big surprise, the log started reporting denied packets that should
NEVER have traversed the interface in outbound direction.

After some detailed analysis, it looks like IP traffic that is directed
by far away hosts at a local PPP dialup user who has JUST DISCONNECTED
makes the PM (ComOS 3.3.2 release) feel like putting those packets BACK
on the ethernet. And it's doing this for quite some time: an extreme
case in the logs after a user disconnected shows about 200 logged denies
over a period of 3 minutes and 40 seconds!

Obviously, this is a bad situation: it makes use of the log statement for
the purpose of detecting spoofed IP packets useless, just at a time when
we need it most: early detection of SYN flood attempts by
15-year-old-hormone-laden-king-of-the-hill-linux-wielding-IRC-warrior-warez-trading
"users", causing thousands of dollars of damages by executing a small
C program....

bye, Kai
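As an added illustration (not part of Kai's post or Livingston's software), the following Python triages egress deny logs by correlating each logged packet with recent PPP disconnects, so the bounced-back traffic the post describes can be separated from genuine spoof candidates. The log format, the addresses and the 5-minute window are constructed assumptions, not ComOS syntax.

```python
import ipaddress
import re
from datetime import datetime, timedelta

# Constructed, simplified log format (hypothetical, not ComOS syntax):
#   "<date> <time> disconnect user=<name> ip=<peer ip>"
#   "<date> <time> deny if=<port> src=<ip> dst=<ip> proto=<proto>"
LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) (?P<kind>disconnect|deny) (?P<rest>.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")

LOCAL_NETS = [ipaddress.ip_network("192.0.2.0/24")]  # assumed dialup pool
ECHO_WINDOW = timedelta(minutes=5)  # generous cover for the 3m40s tail seen in the post


def classify(lines, local_nets=LOCAL_NETS, window=ECHO_WINDOW):
    """Label each logged deny as 'bounced' (addressed to a PPP peer that
    disconnected within `window`, i.e. the artifact from the post),
    'spoofed' (source outside local space, what the egress log is for),
    or 'other'. Returns a list of (timestamp, label, src, dst)."""
    last_disconnect = {}
    result = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore lines in any other format
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        kv = dict(KV_RE.findall(m["rest"]))
        if m["kind"] == "disconnect":
            last_disconnect[kv["ip"]] = ts  # remember when each peer address went away
            continue
        src, dst = kv["src"], kv["dst"]
        gone = last_disconnect.get(dst)
        if gone is not None and timedelta(0) <= ts - gone <= window:
            label = "bounced"
        elif not any(ipaddress.ip_address(src) in n for n in local_nets):
            label = "spoofed"
        else:
            label = "other"
        result.append((ts, label, src, dst))
    return result


# Constructed sample: two echoes of traffic for a just-disconnected peer,
# then one packet with a source the PortMaster should never emit.
SAMPLE_LOG = """\
1996-09-16 02:10:05 disconnect user=alice ip=192.0.2.45
1996-09-16 02:10:20 deny if=ether0 src=203.0.113.7 dst=192.0.2.45 proto=tcp
1996-09-16 02:13:45 deny if=ether0 src=203.0.113.9 dst=192.0.2.45 proto=tcp
1996-09-16 02:21:00 deny if=ether0 src=10.9.8.7 dst=198.51.100.20 proto=tcp
""".splitlines()


def summarize(lines=SAMPLE_LOG):
    counts = {"bounced": 0, "spoofed": 0, "other": 0}
    for _, label, _, _ in classify(lines):
        counts[label] += 1
    return counts
```

Only the 'spoofed' entries deserve an alert; the 'bounced' ones are the disconnect echo and can be dropped from the spoof-detection view.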