From: Barney Wolff
To: Kristian Rask
Cc: FreeBSD-net@freebsd.org
Date: Fri, 6 Jun 2003 11:49:47 -0400
Subject: Re: Choices for security
Message-ID: <20030606154947.GA72695@pit.databus.com>
In-Reply-To: <007601c32c06$9e242260$0a01a8c0@example.lan>
List-Id: Networking and TCP/IP with FreeBSD

On Fri, Jun 06, 2003 at 10:34:19AM +0200, Kristian Rask wrote:
>
> snort is listening for 80,443 setups on DMZ and logging to a MySQL server

Since the database is deliberately ephemeral, I would keep it in an
in-core hash table.

> Another thing that has me wondering is something that would look kinda
> like route aggregation... like... if I have more than X registrations of
> certified bad boys per Y bits of network... I would like to detect this
> and recreate a network rule instead of a handful of host rules, e.g.:
> If I detect say 16+ rules belonging to the same /24 then I would like to
> detect this and replace the 16+ rules with 1 rule for the entire /26.
> The basic idea is to reduce the number of rules in the firewall for
> performance reasons.
> Reviewing the last 3 days' log files of ipfw rules shows a lot of cases
> where 10 - 20 machines came from a very narrow range of IPs.
> I'm not asking anyone to invent the above... but if somebody has pointers
> to algorithms that will work well in the above scenario, I would be
> grateful to know about them.

If performance is good without this added complexity, there is no reason
to add it. If not, I would look at doing a binary search with skipto
rules, rather than trying to discern aggregates. Or just block a /26 or
/27 automatically when you detect abuse from any host in it. How often do
you get abuse and legitimate requests from adjacent hosts?

Finally, if the problem is strictly http(s) requests, you can put an
allow tcp established rule before the blocking rules, and take the hit
only on setup packets. That doesn't stop an attacker using hping or
equivalent, but does stop request bots.

-- 
Barney Wolff http://www.databus.com/bwresume.pdf
I'm available by contract or FT, in the NYC metro area or via the 'Net.
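The aggregation Kristian asks about (collapse N or more offending hosts in the same prefix into one network rule) and Barney's suggestion of an "allow tcp established" rule ahead of the blocking rules can both be illustrated with a small script. This is an added example, not code from either poster or from FreeBSD: the offender list is constructed sample data, the prefix length and threshold are assumed parameters (the thread mentions both /24 and /26, so the prefix is configurable), and the ipfw rule numbers are arbitrary.

```python
import ipaddress
from collections import defaultdict

# Constructed sample of offending hosts as an IDS might have logged them
# (documentation ranges only, not real addresses). 17 hosts fall inside
# 192.0.2.0/24; the other three are isolated.
SAMPLE_OFFENDERS = ["192.0.2.%d" % i for i in range(1, 18)] + [
    "198.51.100.7", "198.51.100.9", "203.0.113.200", "192.0.2.5",  # duplicate on purpose
]


def aggregate(hosts, prefixlen=24, threshold=16):
    """Bucket offending hosts by their enclosing /prefixlen network.

    Any bucket holding at least `threshold` distinct hosts is replaced by a
    single network entry; the remaining hosts stay as individual entries.
    Returns (networks, singletons) as sorted lists of strings.
    """
    buckets = defaultdict(set)
    for h in hosts:
        addr = ipaddress.ip_address(h)
        # strict=False zeroes the host bits so every member maps to the same key
        net = ipaddress.ip_network(f"{addr}/{prefixlen}", strict=False)
        buckets[net].add(addr)

    networks, singletons = [], []
    for net, members in buckets.items():
        if len(members) >= threshold:
            networks.append(net)
        else:
            singletons.extend(members)
    # Sort on the address objects (numeric order), then render as strings.
    return [str(n) for n in sorted(networks)], [str(a) for a in sorted(singletons)]


def ipfw_rules(networks, singletons, base=1000, ports="80,443"):
    """Render an ipfw rule list for the aggregated result.

    The first rule lets established TCP flows through so only SYN (setup)
    packets pay the cost of walking the deny rules, as suggested in the
    thread. Rule numbers starting at `base` are assumed free in the ruleset.
    """
    rules = [f"ipfw add {base} allow tcp from any to any established"]
    num = base + 10
    for src in list(networks) + list(singletons):
        rules.append(
            f"ipfw add {num} deny tcp from {src} to any dst-port {ports} setup"
        )
        num += 10
    return rules


if __name__ == "__main__":
    nets, hosts = aggregate(SAMPLE_OFFENDERS)
    for rule in ipfw_rules(nets, hosts):
        print(rule)
```

Run against the sample, the 17 hosts in 192.0.2.0/24 collapse into one deny rule and the three isolated hosts keep their own, so five rules replace twenty-one. Lowering `prefixlen` to 26 with the same threshold would require 16 hits inside a 64-address block before aggregating, which matches the /26 wording in the quoted message.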