
Solved

Does IPTables do port randomization?

Posted on 2012-12-30
Last Modified: 2013-01-04
Simple question, does IPTables do port randomization? If so, does it do this by default?

Thanks.
Question by: NYGiantsFan
11 Comments
 
LVL 80

Expert Comment

by: arnold
ID: 38731955
Port Randomization? Usually when you have multiple IPs, you would do IP randomization. It does not do it automatically; it has to be configured by altering the postrouting table.
http://www.linuxhomenetworking.com/wiki/index.php/Quick_HOWTO_:_Ch14_:_Linux_Firewalls_Using_iptables#.UOEiZKzNnTo

http://www.experts-exchange.com/OS/Linux/Q_26775594.html
 
LVL 12

Expert Comment

by: DarinTCH
ID: 38733900
probably need to clarify what you're doing

in other words I can set a rule in IPTables to accept ALL SOURCE traffic using an IP address or port 1024:65535
going to DEST location x

or I could be discussing NAT
and I only have a few IP addresses so I am going to use ports in addition to this one... or these few addresses so I can have a large address range
and those ports can be assigned randomly

plus some ALGs use random ports

so simple answer YES - IPTables can work with ports
 

Author Comment

by: NYGiantsFan
ID: 38733941
Thanks for your follow up!!!!!

I ask, because it appears people are punching holes through the IPTables firewall using UDP packets.

I can find no information on how this was fixed in IP tables. All the articles are years old and each of them says it cannot be solved, except through port randomization.

Your thoughts?
 
LVL 80

Expert Comment

by: arnold
ID: 38733945
Are there no originating UDP packets to which these are responses?

You do not have an open UDP port? Is the destination the same port?
 

Author Comment

by: NYGiantsFan
ID: 38733950
The originating IP address is an unknown external. The UDP packet (which IDS is detecting as a form of attack) is hitting a server internal to the network with a private IP address (10.16.0.55).

The source IP address port was 25033 and the destination IP address is 2877.
 
LVL 80

Expert Comment

by: arnold
ID: 38733959
What does the UDP packet contain?
Do you have a UDP port redirect, or is the system with IP 10.16.0.55 set up in a DMZ, or has a rule that directs all traffic to the WAN IP to this LAN IP? I.e. you have a NAT rule x.x.x.x -> 10.16.0.55?
 
LVL 12

Expert Comment

by: DarinTCH
ID: 38733968
same line of thinking
NAT often redirects and uses random ports
depending on how it was setup
some firewalls allow NAT with and without Ports
depending on the IP address pool
 

Author Comment

by: NYGiantsFan
ID: 38734737
It appears to be some type of SQL server attack. The server is not in the DMZ.

According to the IDS, the packet attempts to execute an old SQL vulnerability.

What I think is happening is that the attacker knows the location of the boxes (or IP ranges) and is using a UDP penetration technique and punching a hole in the firewall. From what I have read, this type of attack was a vulnerability in the IPTables firewall solution (and many others).

The
 

Author Comment

by: NYGiantsFan
ID: 38734741
Is it true that the only way to prevent this type of attack is using IP port randomization? I think if the IP port is constantly assigned to a different server or device, a UDP packet cannot be sent in the exhaust port (sorry, firewall).

Thanks.
 
LVL 80

Accepted Solution

by: arnold (earned 1500 total points)
ID: 38734798
I think you are looking for a block as referenced
http://www.cyberciti.biz/tips/linux-iptables-10-how-to-block-common-attack.html

I think your issue seems to be that your iptables accepts the packet and unnecessarily routes it. Double check to make sure it is not a packet that originates from your internal system and is returning.

Not sure how you envision port randomization.
Ports are usually randomly selected by the system and then remapped by the NAT on the router before letting the packet flow out to its destination.
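As an added illustration of the accepted answer's point (this is example code, not from the thread): a minimal Python model of the stateful UDP filtering that conntrack gives iptables, where an inbound datagram is admitted only if it is the reply to a flow the inside host opened, and the thread's unsolicited packet to 10.16.0.55:2877 is dropped and logged. The external addresses, the DNS flow, and the class and function names are constructed for this example.

```python
# Added example: a model of stateful UDP filtering as conntrack does it for iptables.
# The equivalent iptables rules on the gateway would be:
#   -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
#   -A FORWARD -p udp -j DROP
# An inbound UDP datagram passes only if it reverses a flow already seen leaving
# the inside network (or targets a port deliberately published).
from dataclasses import dataclass


@dataclass(frozen=True)
class Datagram:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class StatefulUdpFilter:
    def __init__(self, published_ports=()):
        self.flows = set()                      # (in_ip, in_port, out_ip, out_port) seen outbound
        self.published_ports = set(published_ports)
        self.log = []                           # dropped packets, for the IDS/firewall log

    def outbound(self, pkt):
        # Like a conntrack NEW entry: remember the 4-tuple of a datagram leaving the LAN.
        self.flows.add((pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))

    def inbound(self, pkt):
        # ESTABLISHED: the datagram is the exact reverse of a flow the inside host opened.
        if (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port) in self.flows:
            return "ACCEPT"
        if pkt.dst_port in self.published_ports:
            return "ACCEPT"                     # a service intentionally exposed
        self.log.append(f"DROP unsolicited udp {pkt.src_ip}:{pkt.src_port} "
                        f"-> {pkt.dst_ip}:{pkt.dst_port}")
        return "DROP"


def demo():
    fw = StatefulUdpFilter()
    # Constructed: the inside host (from the thread) does a DNS lookup, so the reply is a match.
    fw.outbound(Datagram("10.16.0.55", 40123, "198.51.100.10", 53))
    reply = fw.inbound(Datagram("198.51.100.10", 53, "10.16.0.55", 40123))
    # Same resolver, wrong source port: not the reverse of any tracked flow.
    wrong_port = fw.inbound(Datagram("198.51.100.10", 54, "10.16.0.55", 40123))
    # Constructed external source sending the thread's 25033 -> 2877 packet with no prior flow.
    unsolicited = fw.inbound(Datagram("203.0.113.7", 25033, "10.16.0.55", 2877))
    return reply, wrong_port, unsolicited, fw.log


if __name__ == "__main__":
    print(demo())
```

If a datagram like the one in the thread still reaches the inside host under such rules, the arnold's questions above are the ones to answer: a DNAT rule, a DMZ host setting, or an earlier ACCEPT is letting it through before the stateful check.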
 

Author Closing Comment

by: NYGiantsFan
ID: 38744751
This question was too vague on my part.