2006/10/19

Found DoS attack on web server

My web server logged the following attack a couple of days ago:

TCP: Treason uncloaked! Peer 195.166.234.202:1473/80 shrinks window 3626183180:3626183181. Repaired.
TCP: Treason uncloaked! Peer 195.166.234.202:1474/80 shrinks window 3637349364:3637349365. Repaired.
TCP: Treason uncloaked! Peer 195.166.234.202:1478/80 shrinks window 3636828911:3636828912. Repaired.
TCP: Treason uncloaked! Peer 195.166.234.202:1480/80 shrinks window 3633561645:3633561646. Repaired.

The attacker was using a spoofed IP address, 195.166.234.202, which is unallocated. In this attack, the remote host was trying to shrink the TCP window size for some malicious purpose.

To avoid any attacks involving internal IP addresses, or spoofing of IP addresses using unallocated ones or Class D addresses, I decided to feed these lists into iptables to screen them out.
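As an added example (not code from the original post), the Python script below does the two things described above: it parses the kernel's "Treason uncloaked!" lines to pull out the peer address, checks that address against the fixed reserved ranges (RFC 1918 private space, loopback, link-local, documentation, Class D multicast and Class E), and emits the matching iptables DROP rules for an assumed external interface `eth0`. The list of unallocated (bogon) space changes over time and is deliberately left out; it would come from a current bogon feed, so 195.166.234.202 is not flagged by the static list.

```python
import ipaddress
import re

# Ranges that must never be a source address on a public-facing interface.
# Unallocated (bogon) space is NOT listed: it changes and needs a live feed.
MARTIAN_RANGES = [
    (ipaddress.ip_network("0.0.0.0/8"), "this network"),
    (ipaddress.ip_network("10.0.0.0/8"), "RFC 1918 private"),
    (ipaddress.ip_network("127.0.0.0/8"), "loopback"),
    (ipaddress.ip_network("169.254.0.0/16"), "link-local"),
    (ipaddress.ip_network("172.16.0.0/12"), "RFC 1918 private"),
    (ipaddress.ip_network("192.0.2.0/24"), "documentation (TEST-NET-1)"),
    (ipaddress.ip_network("192.168.0.0/16"), "RFC 1918 private"),
    (ipaddress.ip_network("224.0.0.0/4"), "Class D multicast"),
    (ipaddress.ip_network("240.0.0.0/4"), "Class E reserved"),
]

# Matches the Linux kernel warning logged when a peer shrinks its window, e.g.
# "TCP: Treason uncloaked! Peer 195.166.234.202:1473/80 shrinks window ..."
TREASON_RE = re.compile(r"Treason uncloaked! Peer (\d+\.\d+\.\d+\.\d+):(\d+)/(\d+)")

def martian_reason(ip):
    """Return why `ip` must not be a public source, or None if it is plausible."""
    addr = ipaddress.ip_address(ip)
    for net, reason in MARTIAN_RANGES:
        if addr in net:
            return reason
    return None

def iptables_rules(iface="eth0"):
    """Build one DROP rule per reserved range for traffic arriving on `iface`."""
    return ["iptables -A INPUT -i %s -s %s -j DROP" % (iface, net)
            for net, _ in MARTIAN_RANGES]

def triage_log(lines):
    """Return (peer_ip, peer_port, local_port, reason) for each matching line."""
    rows = []
    for line in lines:
        m = TREASON_RE.search(line)
        if m:
            ip, sport, dport = m.group(1), int(m.group(2)), int(m.group(3))
            rows.append((ip, sport, dport, martian_reason(ip)))
    return rows

# Constructed sample: one line from the post plus a made-up private-source line.
SAMPLE_LOG = [
    "TCP: Treason uncloaked! Peer 195.166.234.202:1473/80 shrinks window 3626183180:3626183181. Repaired.",
    "TCP: Treason uncloaked! Peer 10.1.2.3:4321/80 shrinks window 1:2. Repaired.",
]

if __name__ == "__main__":
    for row in triage_log(SAMPLE_LOG):
        print(row)
    print("\n".join(iptables_rules("eth0")))
```

Run the printed rules only on the interface that faces the Internet; applying them to an internal interface would drop legitimate RFC 1918 traffic.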
