Home page logo

fulldisclosure logo Full Disclosure mailing list archives

Re: heartbleed OpenSSL bug CVE-2014-0160
From: Reindl Harald <h.reindl () thelounge net>
Date: Wed, 09 Apr 2014 21:24:25 +0200

you are opening the doors for a DOS attack with the log-rule!

iptables logging needs to be rate-limit always because how it works
otherwise you have a problem the first time it really happens seriously

 -m limit --limit 1/m

Am 09.04.2014 12:39, schrieb Fabien Bourdaire:
We've created some iptables rules to block all heartbeat queries using
the very powerful u32 module.

The rules allow you to mitigate systems that can't yet be patched by
blocking ALL the heartbeat handshakes. We also like the capability to
log external scanners ;)

The rules have been specifically created for HTTPS traffic and may be
adapted for other protocols; SMTPS/IMAPS/...

# Log rules
iptables -t filter -A INPUT  -p tcp --dport 443  -m u32 --u32 \
"52=0x18030000:0x1803FFFF" -j LOG --log-prefix "BLOCKED: HEARTBEAT"

# Block rules
iptables -t filter -A INPUT  -p tcp --dport 443  -m u32 --u32 \
"52=0x18030000:0x1803FFFF" -j DROP

# Wireshark rules
$ tshark  -i interface port 443 -R 'frame[68:1] == 18'
$ tshark  -i interface port 443 -R 'ssl.record.content_type == 24'

We believe that this should only be used as a temporary fix to decrease
the exposure window. The log rule should allow you to test the firewall
rules before being used in production. It goes without saying that if
you have any suggested improvements to these rules we would be grateful
if you could share them with the security community.

Clearly, use of these rules is at your own risk :)

Attachment: signature.asc
Description: OpenPGP digital signature

Sent through the Full Disclosure mailing list
Web Archives & RSS: http://seclists.org/fulldisclosure/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]