[Dailydave] nkiller2

David_Falloon at kaltire.com
Thu Jun 11 16:29:06 EDT 2009


Something like this should do it in iptables ( assuming I've got the
right bytes in the tcp header ;) :

# u32: protocol byte == 6 (TCP), fragment offset == 0, then jump IHL*4 bytes
# to the TCP header and test the 16-bit window field (bytes 14-15) for zero.
# The chain name after -A was missing in the original; INPUT is assumed here.
iptables -N ZERO_WINDOW_RECENT
iptables -A INPUT -m u32 \
  --u32 "6&0xFF=0x6 && 4&0x1FFF=0 && 0>>22&0x3C@12&0xFFFF=0x0000" \
  -j ZERO_WINDOW_RECENT
iptables -A ZERO_WINDOW_RECENT -m recent --set --name ZERO_WINDOW
iptables -A ZERO_WINDOW_RECENT -m recent --update --seconds 60 \
  --hitcount 2 --name ZERO_WINDOW -j LOG --log-level info \
  --log-prefix "Zero size Window DoS blocked: "
iptables -A ZERO_WINDOW_RECENT -m recent --update --seconds 60 \
  --hitcount 2 --name ZERO_WINDOW -j DROP

You'll have to tune the hit count and seconds, I haven't played with the
attack enough to determine appropriate numbers, but you'd want to drop
any new acks with a zero window size long enough to tombstone and reap
the connection.

--Dave
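An added example, not from this post or from the thread: it evaluates the three u32 tests in the rule above against a constructed IPv4/TCP header pair, so the byte offsets can be checked offline before loading the rules, and models the `-m recent --set` / `--update --seconds 60 --hitcount 2` verdict in a simplified form (the addresses, ports and timestamps are constructed; the tracker is an approximation of xt_recent, not its code).

```python
import struct


def u32_load(pkt: bytes, off: int) -> int:
    """Load 4 bytes big-endian at byte offset off, as -m u32 does."""
    if off < 0 or off + 4 > len(pkt):
        raise ValueError("read past end of packet")  # -m u32 treats this as no match
    return struct.unpack_from("!I", pkt, off)[0]


def matches_zero_window(pkt: bytes) -> bool:
    """Evaluate "6&0xFF=0x6 && 4&0x1FFF=0 && 0>>22&0x3C@12&0xFFFF=0x0000"."""
    try:
        # 6&0xFF=0x6: bytes 6..9, low byte is the IPv4 protocol field (6 == TCP)
        if u32_load(pkt, 6) & 0xFF != 0x6:
            return False
        # 4&0x1FFF=0: low 13 bits of bytes 4..7 are the fragment offset;
        # only the first fragment carries the TCP header
        if u32_load(pkt, 4) & 0x1FFF != 0:
            return False
        # 0>>22&0x3C: IHL field shifted so the result is the IP header length in bytes
        ihl_bytes = (u32_load(pkt, 0) >> 22) & 0x3C
        # @12&0xFFFF=0: jump to the TCP header, bytes 12..15, low 16 bits are the window
        return u32_load(pkt, ihl_bytes + 12) & 0xFFFF == 0
    except ValueError:
        return False


def build_ipv4_tcp(window: int, proto: int = 6, ihl: int = 5, frag_off: int = 0) -> bytes:
    """Constructed IPv4+TCP headers (checksums zero) carrying the fields the rule reads."""
    ip = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, ihl * 4 + 20, 0, frag_off,
                     64, proto, 0, b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02")
    ip += b"\x00" * ((ihl - 5) * 4)  # IP options, so the @ jump is exercised
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 1, 5 << 4, 0x10, window, 0, 0)
    return ip + tcp


class RecentTracker:
    """Simplified model of -m recent --set then --update --seconds N --hitcount K."""

    def __init__(self, seconds: int = 60, hitcount: int = 2):
        self.seconds, self.hitcount, self.hits = seconds, hitcount, {}

    def observe(self, src: str, now: float) -> str:
        """Record a zero-window hit from src; return the verdict for this packet."""
        recent = [t for t in self.hits.get(src, []) if now - t <= self.seconds]
        recent.append(now)  # --set stores this hit before --update counts
        self.hits[src] = recent
        return "drop" if len(recent) >= self.hitcount else "pass"
```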


________________________________

	From: dailydave-bounces at lists.immunitysec.com [mailto:dailydave-bounces at lists.immunitysec.com] On Behalf Of Michael Graham
	Sent: Thursday, June 11, 2009 11:05 AM
	To: dailydave at lists.immunityinc.com
	Subject: Re: [Dailydave] nkiller2
	
	
	OK after a few minutes with this I'm not sure you can
efficiently do much about it outside of a complex IPS watching for and
killing connections that send too many "window size 0" in response to
probes from your server, and then hopefully blocking the IP entirely.
	
	
	On Thu, Jun 11, 2009 at 12:43 PM, Michael Graham
<jmgraham at gmail.com> wrote:
	

		filter on window size = 0 and total connections to a
host from a host through whatever you're using for a stateful firewall 


		On Thu, Jun 11, 2009 at 11:39 AM, dave
<dave at immunityinc.com> wrote:
		

	
http://www.phrack.org/issues.html?issue=66&id=9#article
			
			Is it just me or can pretty much every web site in the world get
			turned off now?
			
			I guess you could use iptables to drop the Window Size 0 packets?
			
			- -dave
			_______________________________________________
			Dailydave mailing list
			Dailydave at lists.immunitysec.com
	
http://lists.immunitysec.com/mailman/listinfo/dailydave
			