From: "Richard A. Steenbergen"
To: Bosko Milekic
Cc: freebsd-net@freebsd.org, green@freebsd.org
Date: Wed, 13 Dec 2000 14:16:53 -0500 (EST)
Subject: Re: Ratelimint Enhancement patch (Please Review One Last Time!)

On Wed, 13 Dec 2000, Bosko Milekic wrote:

> Suppressing udp flood/scan: 212/200 pps
> Suppressing outgoing RST due to port scan: 202/200 pps
> Suppressing outgoing RST due to ACK flood: 19725/200 pps
> Suppressing ping flood: 230/200 pps
> Suppressing icmp tstamp flood: 210/200 pps
>
> While the descriptions for the two RST cases can be accused
> of oversimplification, they should cut down on questions by
> users confused with the current terminology. Experienced
> users can always run a packet sniffer if they need more
> exact knowledge of what's occurring.

I would be extremely careful with those descriptions... When you tell people directly that something is an attack, even if it's not, there are enough who will jump to immediate conclusions and begin making false accusations. While it may be highly likely that the reason for those rate limits is some kind of attack, it is not guaranteed, and I would be very reluctant to so blatantly tell people that it is...
Personally I'd recommend straightforward descriptions like "RST due to no listening socket". I also see no compelling reason to put ICMP Timestamp in a separate queue, but what I would recommend is separate queues for ICMP messages which would be defined as "query/response" and those which would be called "error" messages. If someone needs more specific protection they can use dummynet. Just a thought...

-- 
Richard A Steenbergen http://www.e-gerbil.net/humble
PGP Key ID: 0x138EA177 (67 29 D7 BC E8 18 3E DA B2 46 B3 D8 14 36 FE B6)
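The two points raised in this message, neutral log wording and separate queues for ICMP query/response versus error messages, as an added example that is not code from this thread or from the patch under review: a small per-class limiter in C that classifies ICMPv4 types, counts per whole second, and reports only the numbers (the 200 pps figure, the class names and the whole-second counter are assumptions made here for illustration).

```c
/* Added example, not code from this thread or the patch under review: a per-class
 * ICMP response limiter in the spirit of Richard's suggestion (one bucket for
 * query/response messages, one for error messages) with a neutral log line. The
 * class split, the 200 pps figure and the whole-second counter are assumptions. */
#include <stdint.h>
#include <stdio.h>
enum icmp_class { ICMP_CLASS_QUERY, ICMP_CLASS_ERROR, ICMP_CLASS_COUNT };
static const char *class_name[ICMP_CLASS_COUNT] = { "icmp query/response", "icmp error" };

/* ICMPv4 type numbers: query/response pairs vs. everything else (error messages). */
enum icmp_class icmp_classify(uint8_t type)
{
    switch (type) {
    case 0:  case 8:   /* echo reply / echo request */
    case 9:  case 10:  /* router advertisement / solicitation */
    case 13: case 14:  /* timestamp / timestamp reply */
    case 15: case 16:  /* information request / reply */
    case 17: case 18:  /* address mask request / reply */
        return ICMP_CLASS_QUERY;
    default:           /* unreachable, source quench, redirect, time exceeded, ... */
        return ICMP_CLASS_ERROR;
    }
}
/* Per-class counters for the current whole second; limit_pps 0 means unlimited. */
struct bandlim { unsigned limit_pps, sent, suppressed; long second; };

/* Returns 1 if the response may be sent, 0 if it is suppressed. The first packet
 * of a new second summarises the previous one in a log line, then resets. */
int bandlim_allow(struct bandlim *b, enum icmp_class cls, long now_sec)
{
    if (b->second != now_sec) {
        if (b->suppressed)
            printf("Limiting %s from %u to %u packets/sec\n",
                   class_name[cls], b->sent + b->suppressed, b->limit_pps);
        b->second = now_sec; b->sent = b->suppressed = 0;
    }
    if (b->limit_pps && b->sent >= b->limit_pps) { b->suppressed++; return 0; }
    b->sent++;
    return 1;
}

/* Push n responses of one ICMP type in second sec through the limiters; returns how many were allowed. */
unsigned run_burst(struct bandlim lim[ICMP_CLASS_COUNT], long sec, uint8_t type, unsigned n)
{
    enum icmp_class cls = icmp_classify(type);
    unsigned allowed = 0;
    while (n--)
        allowed += (unsigned)bandlim_allow(&lim[cls], cls, sec);
    return allowed;
}
```

With a 200 pps limit, a burst of 230 timestamp requests in one second yields 200 replies and one "Limiting icmp query/response from 230 to 200 packets/sec" line at the next second, while error messages in the same second are counted in their own bucket.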