From: The Anarcat
Date: Mon, 15 Apr 2002 11:14:22 -0400
To: Sheldon Hearn
Cc: Andrew Johns, Christoph Kukulies, freebsd-security@FreeBSD.ORG
Subject: General Rate-limiting in syslog(3) (was: Limiting closed port RST response from 381 to 200 p)
Message-ID: <20020415151422.GA302@lenny.anarcat.dyndns.org>
In-Reply-To: <13814.1018882311@axl.seasidesoftware.co.za>
References: <3CBAE191.9010200@kpi.com.au> <13814.1018882311@axl.seasidesoftware.co.za>

Branching off the topic here...
On Mon Apr 15, 2002 at 04:51:51PM +0200, Sheldon Hearn wrote:
> 
> On Tue, 16 Apr 2002 00:20:01 +1000, Andrew Johns wrote:
> 
> > Actually Sheldon I think that's a great idea - helps with
> > syslog DoS somewhat as well. Anybody else care to contemplate
> > making it either a default or sysctl (ICMP_BANDLIMIT_DOSLIMIT?)
> 
> In CURRENT, logging is conditional on a sysctl value; the message
> format is unchanged from that of STABLE, but logging can be turned off
> completely if desired. This seems to keep most people happy.
> 
> I don't think my preference (always seeing the messages, but having
> syslog coalesce them) is representative of the majority of folks to whom
> this matters.

Actually, what I would like would be a generic rate-limiting facility in
syslog(3) itself. That would make DoS much harder.

In particular, I got this idea from Linux's ipchains (or another fw
product, I don't remember which) which allows rule logging to be
explicitly rate-limited. That, IMHO, is much better than our logamount
facility, which is DoS-able easily, somehow. Just pour enough packets in
and ipfw doesn't log anything anymore. If we rate-limit this, with
logamount=0, we have a much better control.

A.

-- 
From the age of uniformity, from the age of solitude, from the age of
Big Brother, from the age of doublethink - greetings!
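The distinction the post draws, a fixed cap that an attacker can exhaust versus a rate limit that keeps a bounded trickle of messages flowing, is easy to see in a small simulation. The following C is an added example written for this page; it is not code from the poster, from FreeBSD's syslog(3) or from ipfw. It models ipfw's "logamount N" as a plain counter that stops logging once N messages have been emitted (the behaviour the post complains about), and a token bucket as the alternative. The limiter parameters (5 messages/s with a burst of 10, a cap of 100) and the traffic pattern (a 1000 packet/s flood lasting one second, then one legitimate event a second later) are made up for the demonstration; time is passed in explicitly in milliseconds so the run is deterministic, where a real syslog(3) wrapper would read clock_gettime(2).

```c
#include <stdio.h>
#include <stdint.h>
#include <stdbool.h>

/*
 * Fixed cap, modelling "logamount N": after N messages, log nothing more.
 * An attacker who pushes N junk packets past the rule silences it.
 */
struct cap_limiter {
    unsigned limit;   /* 0 means unlimited, like logamount 0 */
    unsigned logged;
};

static bool cap_allow(struct cap_limiter *c)
{
    if (c->limit != 0 && c->logged >= c->limit)
        return false;
    c->logged++;
    return true;
}

/*
 * Token bucket: at most `burst` messages at once, refilled at `rate_per_s`.
 * Tokens are kept in thousandths so the arithmetic stays in integers.
 */
#define TOKEN_SCALE 1000u

struct token_bucket {
    uint64_t tokens;         /* budget, in 1/TOKEN_SCALE of a message */
    uint64_t burst;          /* maximum budget, same units */
    uint64_t refill_per_ms;  /* rate_per_s tokens/s == rate_per_s units/ms */
    uint64_t last_ms;        /* time of last refill */
};

static void bucket_init(struct token_bucket *b, unsigned rate_per_s,
                        unsigned burst, uint64_t now_ms)
{
    b->burst = (uint64_t)burst * TOKEN_SCALE;
    b->tokens = b->burst;            /* start full: the first burst is free */
    b->refill_per_ms = rate_per_s;   /* rate_per_s * TOKEN_SCALE / 1000 ms */
    b->last_ms = now_ms;
}

static bool bucket_allow(struct token_bucket *b, uint64_t now_ms)
{
    if (now_ms > b->last_ms) {
        b->tokens += (now_ms - b->last_ms) * b->refill_per_ms;
        if (b->tokens > b->burst)
            b->tokens = b->burst;    /* idle time never banks more than a burst */
        b->last_ms = now_ms;
    }
    if (b->tokens < TOKEN_SCALE)
        return false;
    b->tokens -= TOKEN_SCALE;
    return true;
}

struct sim_result {
    unsigned flood_logged;  /* logged during the 1 s, 1000 pkt/s flood */
    unsigned suppressed;    /* dropped during the flood */
    bool late_logged;       /* was the single event at t = 2 s logged? */
};

/* Constructed traffic: one packet per ms for a second, then one at t = 2000 ms. */
struct sim_result simulate_cap(unsigned limit)
{
    struct cap_limiter c = { limit, 0 };
    struct sim_result r = { 0, 0, false };
    for (uint64_t t = 0; t < 1000; t++) {
        if (cap_allow(&c)) r.flood_logged++; else r.suppressed++;
    }
    r.late_logged = cap_allow(&c);   /* the attacker-independent event */
    return r;
}

struct sim_result simulate_bucket(unsigned rate_per_s, unsigned burst)
{
    struct token_bucket b;
    struct sim_result r = { 0, 0, false };
    bucket_init(&b, rate_per_s, burst, 0);
    for (uint64_t t = 0; t < 1000; t++) {
        if (bucket_allow(&b, t)) r.flood_logged++; else r.suppressed++;
    }
    r.late_logged = bucket_allow(&b, 2000);
    return r;
}

static void report(const char *name, struct sim_result r)
{
    printf("%-12s flood: %3u logged, %3u suppressed; event after flood %s\n",
           name, r.flood_logged, r.suppressed,
           r.late_logged ? "LOGGED" : "LOST");
}

int main(void)
{
    report("logamount", simulate_cap(100));       /* cap of 100 messages */
    report("token bucket", simulate_bucket(5, 10)); /* 5/s, burst 10 */
    return 0;
}
```

With these parameters the cap logs the first 100 flood packets and then nothing, including the legitimate event that arrives after the flood has stopped; the bucket logs the initial burst of 10, four more as it refills during the flood, and still has budget for the late event. The cost of the rate limiter is that a flood hides other messages for the duration of the flood, which is why a "N messages suppressed" line on the next allowed message is the usual companion to this scheme.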