Date:      Tue, 22 Aug 2000 11:43:53 +0200
From:      "Noor Dawod" <noor@comrax.com>
To:        "Kris Kennaway" <kris@FreeBSD.org>, "Domas Mituzas" <midom@dammit.lt>
Cc:        <freebsd-stable@FreeBSD.ORG>
Subject:   RE: DoS attacks and FreeBSD.
Message-ID:  <PHEBIOJOBJJLIIJCOINKEEFACHAA.noor@comrax.com>
In-Reply-To: <Pine.BSF.4.21.0008220138040.89720-100000@freefall.freebsd.org>

Yes, it can, and I've already done just that. But then again, all other
legitimate visitors will be locked out...

Noor

-----Original Message-----
From: Kris Kennaway [mailto:kris@FreeBSD.org]
Sent: Tuesday, August 22, 2000 10:40 AM
To: Domas Mituzas
Cc: noor@comrax.com; freebsd-stable@FreeBSD.ORG
Subject: Re: DoS attacks and FreeBSD.


On Tue, 22 Aug 2000, Domas Mituzas wrote:

> > I have ipfw running on the server, and managed to block the IP's in
> > question in time. My question is: suppose I was not near the PC at the
> > time of the incident, how can I configure ipfw to automatically block
> > connections originating from any IP and that is continuous in a suspicious
> > manner? (let's say 50 concurrent connections to port 80 every second.)
>
> Hi, it is possible to set up your ipfw firewall so it logs all setup
> connections to any socket you specify. Therefore, your program or simple
> perl script may listen on that socket and make decisions by calling
> external program, e.g. ipfw again.

Trivial DoS attack of another kind by simply spoofing connection attempts
from a valid host and therefore tricking the script into blackholing
it. Same may well go for portsentry depending on how it works (I don't
know).

A much better idea would be to do some kind of application-level rate
limiting so that apache doesn't accept more connections from a source than
it can handle. I don't know how or if it can do that, though.

Kris

--
In God we Trust -- all others must submit an X.509 certificate.
    -- Charles Forsythe <forsythe@alum.mit.edu>
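
The application-level limiting suggested in this thread, as an added example that is not part of the original messages: a per-source limiter that counts only connections the server has already accepted (so the handshake completed and the address was not merely spoofed in a SYN) and refuses the excess instead of installing a firewall block, which lets the throttle lift on its own. The class and function names, the limits and the sample events are assumptions made for illustration.

```python
import time
from collections import defaultdict, deque

class SourceLimiter:
    """Throttle per source address; call admit() only after accept() returns,
    i.e. after the TCP handshake completed, so spoofed SYNs are never counted."""

    def __init__(self, max_concurrent=50, max_per_window=50, window=1.0,
                 clock=time.monotonic):
        self.max_concurrent, self.max_per_window = max_concurrent, max_per_window
        self.window, self.clock = window, clock
        self.open = defaultdict(int)      # connections currently open per source
        self.recent = defaultdict(deque)  # admit timestamps inside the window

    def admit(self, src):
        now = self.clock()
        stamps = self.recent[src]
        while stamps and now - stamps[0] >= self.window:
            stamps.popleft()              # old admits expire on their own
        if self.open[src] >= self.max_concurrent or len(stamps) >= self.max_per_window:
            return False                  # refuse this connection, no firewall rule
        stamps.append(now)
        self.open[src] += 1
        return True

    def release(self, src):
        if self.open[src] > 0:
            self.open[src] -= 1

def replay(events, **limits):
    """Replay (time, action, source) events; return refusals per source."""
    now = [0.0]
    limiter = SourceLimiter(clock=lambda: now[0], **limits)
    refused = defaultdict(int)
    for t, action, src in events:
        now[0] = t
        if action == "open":
            if not limiter.admit(src):
                refused[src] += 1
        else:
            limiter.release(src)
    return dict(refused)

# Constructed sample: one source opens 8 connections in under 0.1 s, another opens 2,
# then the busy source closes its connections and returns two seconds later.
SAMPLE = sorted([(0.01 * i, "open", "192.0.2.10") for i in range(8)]
                + [(0.035, "open", "198.51.100.7"), (0.055, "open", "198.51.100.7")])
SAMPLE += [(2.0, "close", "192.0.2.10")] * 5 + [(2.1, "open", "192.0.2.10")]

if __name__ == "__main__":
    print(replay(SAMPLE, max_concurrent=5, max_per_window=5))
```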







