Date: Tue, 22 Aug 2000 01:39:56 -0700 (PDT)
From: Kris Kennaway <kris@FreeBSD.org>
To: Domas Mituzas <midom@dammit.lt>
Cc: noor@comrax.com, freebsd-stable@FreeBSD.ORG
Subject: Re: DoS attacks and FreeBSD.
Message-ID: <Pine.BSF.4.21.0008220138040.89720-100000@freefall.freebsd.org>
In-Reply-To: <Pine.BSF.4.21.0008220757070.26964-100000@mx.nkm.lt>
On Tue, 22 Aug 2000, Domas Mituzas wrote:

> > I have ipfw running on the server, and managed to block the IP's in
> > question in time. My question is: suppose I was not near the PC at the
> > time of the incident, how can I configure ipfw to automatically block
> > connections originating from any IP and that is continuous in a suspicious
> > manner? (let's say 50 concurrent connections to port 80 every second.)
>
> Hi, it is possible to set up your ipfw firewall so it logs all setup
> connections to any socket you specify. Therefore, your program or simple
> perl script may listen on that socket and make decisions by calling
> external program, e.g. ipfw again.

Trivial DoS attack of another kind by simply spoofing connection attempts
from a valid host and therefore tricking the script into blackholing
it. Same may well go for portsentry depending on how it works (I don't
know).

A much better idea would be to do some kind of application-level rate
limiting so that apache doesn't accept more connections from a source than
it can handle. I don't know how or if it can do that, though.

Kris

--
In God we Trust -- all others must submit an X.509 certificate.
    -- Charles Forsythe <forsythe@alum.mit.edu>

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-stable" in the body of the message
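The application-level limiting suggested in the reply above, sketched as an added example (it is not code from the thread, from Apache or from ipfw; `SourceLimiter` and its parameters are hypothetical names). It assumes `admit()` is called with the peer address returned by `accept()`, so a forged SYN that never completes the handshake never reaches it, and a source that goes over budget is refused only temporarily instead of being written into a firewall rule.

```python
import time


class SourceLimiter:
    """Per-source admission control for an accept() loop (hypothetical helper)."""

    def __init__(self, max_concurrent=50, rate=50.0, burst=50, clock=time.monotonic):
        self.max_concurrent = max_concurrent  # open connections allowed per source
        self.rate = rate                      # tokens refilled per second
        self.burst = burst                    # token bucket capacity
        self.clock = clock                    # injectable so tests control time
        self.active = {}                      # addr -> open connection count
        self.buckets = {}                     # addr -> (tokens, last_refill_time)

    def _refilled(self, addr, now):
        tokens, last = self.buckets.get(addr, (float(self.burst), now))
        return min(float(self.burst), tokens + (now - last) * self.rate)

    def admit(self, addr):
        """Call right after accept(); on False, close the socket and move on."""
        now = self.clock()
        tokens = self._refilled(addr, now)
        if tokens < 1.0 or self.active.get(addr, 0) >= self.max_concurrent:
            self.buckets[addr] = (tokens, now)   # refusals do not spend tokens
            return False
        self.buckets[addr] = (tokens - 1.0, now)
        self.active[addr] = self.active.get(addr, 0) + 1
        return True

    def release(self, addr):
        """Call when an admitted connection closes."""
        count = self.active.get(addr, 0)
        if count <= 1:
            self.active.pop(addr, None)
        else:
            self.active[addr] = count - 1

    def prune(self):
        """Forget idle sources so the tables cannot grow without bound."""
        now = self.clock()
        for addr in list(self.buckets):
            if addr not in self.active and self._refilled(addr, now) >= self.burst:
                del self.buckets[addr]
```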