[tech] hydra

Duncan Sargeant dunc-mail-131574E at rcpt.to
Thu Aug 30 18:10:17 WST 2001


Grahame Bowland wrote on Thu August 30, at 17:46 +0800:
> On Thu, Aug 30, 2001 at 05:26:05PM +0800, Duncan Sargeant wrote:
> > Bryden was running a DNS bomb.
> > 
> > Bryden - stop it or we will tell on you.
> 
> access-list 144 deny   ip any host 130.95.3.3
> access-list 144 deny   ip any host 130.95.3.87
> access-list 144 deny   ip any host 130.95.3.144
> access-list 144 deny   ip host 130.95.3.3 any
> access-list 144 deny   ip host 130.95.3.87 any
> access-list 144 deny   ip host 130.95.3.144 any
> access-list 144 permit ip any any
> 
> int fa 0/0/0.1
> ip access-group 144 out

I took a snapshot of /proc/net/ip_conntrack ... 

hydra:/tmp# wc -l /tmp/ip_conntrack 
   7138 /tmp/ip_conntrack
hydra:/tmp# egrep -c 'src=130\.95\.13\.18 dst=130\.95\.128\.[0-9]+ [^ ]+ dport=53' /tmp/ip_conntrack 
7018

It seems stupid to me that ip_conntrack keeps track of /every/
connection ...  it would be useful if you could specify a chain which
determined which connections are tracked.  In this example, we don't
need to track these connections because we don't need to masquerade
them.

Anyway, I've only learnt about it in the last 20 minutes ... anyone
with more experience with it know any better?

,dunc
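The counting the post does with wc and egrep, as an added example written for this archive page rather than code from the post: a small Python parser for the 2.4-era /proc/net/ip_conntrack layout that attributes each entry to its originating source and flags any host whose UDP/53 entries towards a target /24 make up most of the table. The sample lines are constructed, and the target network and the 50% threshold are assumptions.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample of /proc/net/ip_conntrack lines (2.4-era layout) mimicking
# the situation in the post: one host spraying DNS queries across 130.95.128.0/24.
SAMPLE_CONNTRACK = """\
tcp      6 431999 ESTABLISHED src=130.95.3.10 dst=130.95.128.7 sport=34567 dport=22 src=130.95.128.7 dst=130.95.3.10 sport=22 dport=34567 [ASSURED] use=1
udp      17 29 src=130.95.13.18 dst=130.95.128.1 sport=1025 dport=53 [UNREPLIED] src=130.95.128.1 dst=130.95.13.18 sport=53 dport=1025 use=1
udp      17 28 src=130.95.13.18 dst=130.95.128.2 sport=1026 dport=53 [UNREPLIED] src=130.95.128.2 dst=130.95.13.18 sport=53 dport=1026 use=1
udp      17 27 src=130.95.13.18 dst=130.95.128.3 sport=1027 dport=53 [UNREPLIED] src=130.95.128.3 dst=130.95.13.18 sport=53 dport=1027 use=1
udp      17 26 src=130.95.13.18 dst=130.95.128.4 sport=1028 dport=53 [UNREPLIED] src=130.95.128.4 dst=130.95.13.18 sport=53 dport=1028 use=1
udp      17 30 src=130.95.3.20 dst=130.95.128.9 sport=2000 dport=53 src=130.95.128.9 dst=130.95.3.20 sport=53 dport=2000 use=1
"""

# Original-direction tuple: proto, L4 number, timeout, optional TCP state, then
# the first src=/dst=/sport=/dport= group (the reply tuple follows and is ignored).
ORIG_TUPLE = re.compile(
    r"^(\w+)\s+\d+\s+\d+\s+(?:\w+\s+)?src=(\S+) dst=(\S+) sport=(\d+) dport=(\d+)"
)


def parse_entries(text):
    """Return (proto, src, dst, dport) for the original direction of each entry."""
    entries = []
    for line in text.splitlines():
        m = ORIG_TUPLE.match(line)
        if m:
            proto, src, dst, _sport, dport = m.groups()
            entries.append((proto, src, dst, int(dport)))
    return entries


def dns_flood_sources(text, target_net, threshold=0.5):
    """Map source -> (count, share of table) for sources whose UDP/53 entries
    towards target_net account for at least `threshold` of all entries."""
    net = ipaddress.ip_network(target_net)
    entries = parse_entries(text)
    total = len(entries)
    per_src = Counter(
        src for proto, src, dst, dport in entries
        if proto == "udp" and dport == 53 and ipaddress.ip_address(dst) in net
    )
    return {s: (n, n / total) for s, n in per_src.items() if n / total >= threshold}


if __name__ == "__main__":
    for src, (n, share) in dns_flood_sources(SAMPLE_CONNTRACK, "130.95.128.0/24").items():
        print(f"{src}: {n} DNS entries, {share:.0%} of the conntrack table")
```

Later kernels expose the same table through /proc/net/nf_conntrack or `conntrack -L` with a slightly different prefix, so the regex needs adjusting there; the selective-tracking facility the author wishes for arrived afterwards as the iptables raw table with the NOTRACK target.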
