Linux IP Masq is vulnerable to this internal attack as well. One
program that does this VERY well is a few repeated GameSpy scans.
But, once the first packets time out, the MASQ box will be ok.
Though it's not in there now, there might be a way to throttle the
number of MASQ setups per IP.
Your #2 option is true NAT which Linux also does but not with
IP Masquerade. Normal NAT will use a pool of IP addresses
(say 4 IPs) and translate it to the first FOUR requesting internal
IPs. IPRoute2 is really meant to route something like internal
subnet A through public IP #1 and subnet B through public IP #2, etc.
--David
>I'm running two different Linux IP Masq servers at two locations. I also
>administrate a Solaris Checkpoint Firewall-1 Server doing NAT on a 500-user
>internal network. Recently, the Firewall-1 server was brought down by a
>Trojan which was initiating connections to different IPs on the internet as
>fast as it could. Apparently, the Firewall-1 software was translating each
>packet and filling up its Kernel NAT table until eventually it crashed.
>
>I would like to recommend that they install a Linux IP Masq server to
>replace the Firewall-1 software. However, there are two things it must be
>able to do:
>1) The firewall should not be vulnerable to this type of flooding attack.
>Is there some sort of 'masq quota' implementation where each IP Address is
>limited to a fixed number of concurrent connections (i.e. 1000)? This would
>stop the server from crashing or allowing that single computer to affect the
>other users.
>2) Is it possible to do NAT with more than one IP Address? A number of the
>servers are behind the Firewall and currently are assigned static IP
>Addresses on a different subnet. The firewall translates the incoming IP
>and forwards the packet to the internal computer.
>
>I read an article describing half of #2 - it explained how to use iproute2
>to masquerade different internal subnets to different external IP
>Addresses (I think the addresses were aliased on the firewall's external
>interface). I can use this to route individual computers or entire subnets
>through a particular IP Address. Perhaps if I used 'ipmasqadm -L <addr>
>80 -R <internaladdr> 80' this would forward packets coming into the aliased
>external interface <addr> to the correct internal computer - but would it
>distinguish between the aliased addresses? Guess I'll have to look at the
>source...
.----------------------------------------------------------------------------.
| David A. Ranch - Linux/Networking/PC hardware [EMAIL PROTECTED] |
!---- ----!
`----- For more detailed info, see http://www.ecst.csuchico.edu/~dranch -----'
_______________________________________________
Masq maillist - [EMAIL PROTECTED]
http://tiffany.indyramp.com/mailman/listinfo/masq
Admin requests can be handled by web (above) or [EMAIL PROTECTED]
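The table-exhaustion problem in this exchange, as an added example that is not part of the original post or of the Linux IP Masquerade code: a simulated masquerading connection table that implements the per-internal-address "masq quota" the original poster asks about and the idle timeout the reply says lets the MASQ box recover. The class and function names (`MasqTable`, `flood_scenario`, `recovery_after_timeout`), the table capacity, the addresses and the timeout value are all constructed for the illustration; real kernel tables are keyed and sized differently.

```python
"""Constructed simulation of a masq/NAT connection table.

It models the failure mode described in the thread (one internal host
opening connections as fast as it can until the shared table is full,
so every other user is denied) next to two mitigations: a per-source
quota on concurrent entries, and the idle timeout that eventually frees
the entries anyway.  Not the real Linux IP Masquerade data structure.
"""

from collections import Counter


class MasqTable:
    """Connection table keyed by (src_ip, src_port, dst_ip, dst_port).

    capacity     -- total entries the box can hold (the shared resource)
    per_src_max  -- quota of concurrent entries per internal address,
                    or None for no quota (the behaviour the thread describes)
    idle_timeout -- seconds after which an unused entry is expired
    """

    def __init__(self, capacity, per_src_max, idle_timeout):
        self.capacity = capacity
        self.per_src_max = per_src_max
        self.idle_timeout = idle_timeout
        self.entries = {}          # key -> timestamp of last packet seen
        self.per_src = Counter()   # src_ip -> number of live entries
        self.rejected = Counter()  # rejection reason -> count

    def expire(self, now):
        """Drop entries idle longer than idle_timeout; returns how many."""
        dead = [k for k, seen in self.entries.items()
                if now - seen > self.idle_timeout]
        for key in dead:
            self.per_src[key[0]] -= 1
            del self.entries[key]
        return len(dead)

    def setup(self, now, src_ip, src_port, dst_ip, dst_port):
        """Try to create (or refresh) a masq entry; returns True if allowed."""
        self.expire(now)
        key = (src_ip, src_port, dst_ip, dst_port)
        if key in self.entries:            # existing flow: just refresh it
            self.entries[key] = now
            return True
        # Quota check comes first, so a flooder is refused before it can
        # consume the shared capacity that everyone else depends on.
        if self.per_src_max is not None and self.per_src[src_ip] >= self.per_src_max:
            self.rejected["quota"] += 1
            return False
        if len(self.entries) >= self.capacity:
            self.rejected["table_full"] += 1
            return False
        self.entries[key] = now
        self.per_src[src_ip] += 1
        return True


FLOODER = "10.0.0.66"   # constructed: the misbehaving internal host
USER = "10.0.0.7"       # constructed: an ordinary internal user


def flood(table, now):
    """Constructed flood: 5000 distinct outbound flows from one host."""
    for i in range(5000):
        table.setup(now, FLOODER, 1024 + i, f"198.51.100.{i % 254 + 1}", 80)


def flood_scenario(per_src_max):
    """Flood the table, then let a normal user try one connection.

    Returns a dict with the flooder's live entries, whether the user's
    connection was allowed, and the rejection counts by reason.
    """
    table = MasqTable(capacity=4096, per_src_max=per_src_max, idle_timeout=60)
    flood(table, now=0)
    user_ok = table.setup(1, USER, 40000, "203.0.113.10", 443)
    return {"flooder_entries": table.per_src[FLOODER],
            "user_ok": user_ok,
            "rejected": dict(table.rejected)}


def recovery_after_timeout():
    """Without a quota the user is locked out until the flood's entries
    idle out; returns (entries expired, whether the user then succeeds)."""
    table = MasqTable(capacity=4096, per_src_max=None, idle_timeout=60)
    flood(table, now=0)
    expired = table.expire(now=100)        # well past the 60 s idle timeout
    return expired, table.setup(100, USER, 40000, "203.0.113.10", 443)


if __name__ == "__main__":
    print("no quota:  ", flood_scenario(None))
    print("quota 1000:", flood_scenario(1000))
    print("recovery:  ", recovery_after_timeout())
```

Running it shows the two regimes side by side: with no quota the flooder takes all 4096 slots and the other user is refused with `table_full`; with a quota of 1000 per address the flooder is capped, the remaining 4000 attempts are counted as `quota` rejections, and the user's connection goes through. `recovery_after_timeout` shows the point made in the reply, that even without a quota the box is usable again once the flood's entries have idled out.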