Date: Fri, 6 Jun 2003 11:49:47 -0400
From: Barney Wolff <barney@databus.com>
To: Kristian Rask <krask@isupport.dk>
Cc: FreeBSD-net@freebsd.org
Subject: Re: Choices for security
Message-ID: <20030606154947.GA72695@pit.databus.com>
In-Reply-To: <007601c32c06$9e242260$0a01a8c0@example.lan>
References: <007601c32c06$9e242260$0a01a8c0@example.lan>
On Fri, Jun 06, 2003 at 10:34:19AM +0200, Kristian Rask wrote:
>
> snort is listening for 80,443 setups on DMZ and logging to a MySQL server

Since the database is deliberately ephemeral, I would keep it in an in-core hash table.

> Another thing that has me wondering is something that would look kinda like route aggregation...
> like... if I have more than X registrations of certified bad boys per Y bits of network.. I would like
> to detect this and recreate a network rule instead of a handful of host rules.. e.g.:
> If I detect say 16+ rules belonging to the same /24 then I would like to detect this and replace the 16+ rules with 1 rule for the entire /26. The basic idea is to reduce the number of rules in the firewall for performance reasons.
> Reviewing the last 3 days' log files of ipfw rules shows a lot of cases where 10 - 20 machines came from a very narrow range of IPs.
> I'm not asking anyone to invent the above... but if somebody has pointers to algorithms that will work well in the above scenario, I would be grateful to know about them.

If performance is good without this added complexity, there is no reason to add it. If not, I would look at doing a binary search with skipto rules, rather than trying to discern aggregates. Or just block a /26 or /27 automatically when you detect abuse from any host in it. How often do you get abuse and legitimate requests from adjacent hosts?

Finally, if the problem is strictly http(s) requests, you can put an allow tcp established rule before the blocking rules, and take the hit only on setup packets. That doesn't stop an attacker using hping or equivalent, but does stop request bots.

-- 
Barney Wolff http://www.databus.com/bwresume.pdf
I'm available by contract or FT, in the NYC metro area or via the 'Net.
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20030606154947.GA72695>
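The aggregation Kristian asks about, together with the rule ordering Barney suggests, as an added example (not code from either poster or from the FreeBSD project): offending hosts are grouped by an assumed prefix length, any group that reaches an assumed threshold collapses into a single network rule, and the result is rendered as ipfw rules with an `allow tcp ... established` rule ahead of the deny list so only connection-setup packets walk it. The sample addresses are constructed from the TEST-NET documentation ranges; the prefix length (/26), threshold (16) and rule numbering are assumptions, not values from the thread.

```python
"""Collapse per-host firewall block entries into network rules.

Added example, not from the mailing-list thread. Groups offending
hosts by an assumed prefix length, replaces any group that reaches an
assumed threshold with one network rule, and emits ipfw rule text in
the order suggested in the thread (an `established` allow rule first).
"""
from collections import defaultdict
import ipaddress

# Constructed sample data (TEST-NET-3 and TEST-NET-2, RFC 5737):
# 17 hosts packed into 203.0.113.0/26 plus two stray hosts elsewhere.
SAMPLE_HOSTS = [f"203.0.113.{i}" for i in range(1, 18)] + [
    "198.51.100.7",
    "198.51.100.200",
]


def aggregate_hosts(hosts, prefix_len=26, threshold=16):
    """Return the list of networks to block, deterministically sorted.

    Hosts sharing a /prefix_len that holds at least `threshold` offenders
    are collapsed into that network; everything else stays a /32 entry.
    `prefix_len` and `threshold` are assumed tuning knobs.
    """
    groups = defaultdict(set)
    for host in hosts:
        addr = ipaddress.ip_address(host)
        # strict=False lets a host address stand in for its containing network.
        net = ipaddress.ip_network(f"{addr}/{prefix_len}", strict=False)
        groups[net].add(addr)

    result = []
    for net, members in groups.items():
        if len(members) >= threshold:
            result.append(net)
        else:
            result.extend(ipaddress.ip_network(a) for a in members)
    # Sort by address then prefix so repeated runs yield the same rule order.
    return sorted(result, key=lambda n: (int(n.network_address), n.prefixlen))


def ipfw_rules(networks, first_rule=1000, step=10, allow_established=True):
    """Render ipfw rule lines for `networks`.

    With allow_established set, a single `allow tcp from any to any
    established` rule precedes the deny rules, so established flows never
    traverse the block list and only setup packets pay for it.
    Rule numbers are assumed; pick ones that fit the live ruleset.
    """
    rules = []
    num = first_rule
    if allow_established:
        rules.append(f"add {num} allow tcp from any to any established")
        num += step
    for net in networks:
        rules.append(f"add {num} deny ip from {net.with_prefixlen} to any")
        num += step
    return rules


def build_ruleset(hosts=SAMPLE_HOSTS, prefix_len=26, threshold=16):
    """Convenience wrapper: hosts -> aggregated networks -> ipfw rule lines."""
    return ipfw_rules(aggregate_hosts(hosts, prefix_len, threshold))


if __name__ == "__main__":
    # Feed the output to `ipfw` via stdin, e.g. `python3 this.py | ipfw -q /dev/stdin`
    # (command form is an assumption; check ipfw(8) on the target release).
    for line in build_ruleset():
        print(line)
```

With the constructed input the 17 hosts in 203.0.113.0/26 become one network rule while the two stray hosts remain /32 entries, so the block list drops from 19 rules to 3. Raising the threshold above 17 leaves all 19 hosts as individual rules, which is the knob to turn if adjacent hosts in a range are known to carry legitimate traffic.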