From owner-freebsd-stable Tue Aug 22 1:46:15 2000
Delivered-To: freebsd-stable@freebsd.org
Received: from dns.comrax.com (dns.comrax.com [194.90.246.124]) by hub.freebsd.org (Postfix) with ESMTP id 0881337B424; Tue, 22 Aug 2000 01:46:12 -0700 (PDT)
Received: from NOOR (unknown [156.27.243.27]) by dns.comrax.com (Postfix) with SMTP id 1573E1C99E; Tue, 22 Aug 2000 11:46:06 +0300 (IDT)
From: "Noor Dawod"
To: "Kris Kennaway", "Domas Mituzas"
Cc:
Subject: RE: DoS attacks and FreeBSD.
Date: Tue, 22 Aug 2000 11:43:53 +0200
Message-ID:
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2910.0)
X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2919.6700
Importance: Normal
In-Reply-To:
Sender: owner-freebsd-stable@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

Yes, it can, and I've already done just that. But then again, all other
legitimate visitors will be locked out...

Noor

-----Original Message-----
From: Kris Kennaway [mailto:kris@FreeBSD.org]
Sent: Tuesday, August 22, 2000 10:40 AM
To: Domas Mituzas
Cc: noor@comrax.com; freebsd-stable@FreeBSD.ORG
Subject: Re: DoS attacks and FreeBSD.

On Tue, 22 Aug 2000, Domas Mituzas wrote:

> > I have ipfw running on the server, and managed to block the IP's in
> > question in time. My question is: suppose I was not near the PC at the
> > time of the incident, how can I configure ipfw to automatically block
> > connections originating from any IP and that is continuous in a suspicious
> > manner? (let's say 50 concurrent connections to port 80 every second.)
>
> Hi, it is possible to set up your ipfw firewall so it logs all setup
> connections to any socket, you specify. Therefore, your program or simple
> perl script may listen on that socket and make decisions by calling
> external program, e.g. ipfw again.
Trivial DoS attack of another kind by simply spoofing connection attempts
from a valid host and therefore tricking the script into blackholing it.
Same may well go for portsentry depending on how it works (I don't know).

A much better idea would be to do some kind of application-level rate
limiting so that apache doesn't accept more connections from a source than
it can handle. I don't know how or if it can do that, though.

Kris

--
In God we Trust -- all others must submit an X.509 certificate.
    -- Charles Forsythe
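An added example, not from any message in this thread, contrasting the two approaches discussed: the SYN-counting script Domas describes, which a forged source address can turn against a legitimate host as Kris notes, and an application-level count that only sees connections which completed the handshake. The ipfw log layout, rule number 100, the Apache common-log lines and all addresses are constructed sample data.

```python
import re
from collections import Counter

# Constructed sample lines: ipfw syslog output in the general ipfw log layout (assumed
# rule 100 logs TCP setup packets) and Apache common-log requests. All values are made up.
IPFW_LINE = "Aug 22 11:40:05 host /kernel: ipfw: 100 Accept TCP %s:%d 203.0.113.5:80 in via fxp0"
ACCESS_LINE = '%s - - [22/Aug/2000:11:40:05 +0200] "GET / HTTP/1.0" 200 1234'
IPFW_RE = re.compile(r"^(.{15}) .*ipfw: \d+ \w+ TCP (\d+\.\d+\.\d+\.\d+):\d+ [\d.]+:80 in")
ACCESS_RE = re.compile(r"^(\d+\.\d+\.\d+\.\d+) \S+ \S+ \[([^ \]]+)")
THRESHOLD = 50  # connections per source per second, the figure used in the thread


def build_sample_logs():
    """One second of traffic: a real abuser, a spoofed SYN flood, an ordinary visitor."""
    ipfw, access = [], []
    for i in range(60):  # abuser really opens 60 connections and sends 60 requests
        ipfw.append(IPFW_LINE % ("192.0.2.10", 40000 + i))
        access.append(ACCESS_LINE % "192.0.2.10")
    for i in range(60):  # SYNs forged with 198.51.100.7 as source: no handshake, no request
        ipfw.append(IPFW_LINE % ("198.51.100.7", 50000 + i))
    ipfw.append(IPFW_LINE % ("192.0.2.22", 33000))  # ordinary visitor, one request
    access.append(ACCESS_LINE % "192.0.2.22")
    return ipfw, access


def per_second_counts(lines, regex, ts_group, src_group):
    """Count matching lines per (timestamp-second, source address)."""
    counts = Counter()
    for line in lines:
        m = regex.match(line)
        if m:
            counts[(m.group(ts_group), m.group(src_group))] += 1
    return counts


def naive_offenders(ipfw_lines):
    """Decide on ipfw setup (SYN) counts alone: forged SYNs get a real host blackholed."""
    counts = per_second_counts(ipfw_lines, IPFW_RE, 1, 2)
    return {src for (_, src), n in counts.items() if n > THRESHOLD}


def application_offenders(access_lines):
    """Decide on served requests: a request is only logged after the TCP handshake
    completed, which a forged source address cannot do, so the flood never appears."""
    counts = per_second_counts(access_lines, ACCESS_RE, 2, 1)
    return {src for (_, src), n in counts.items() if n > THRESHOLD}
```

The forged SYNs still reach the kernel; the point is only that the application-level count never blocks 198.51.100.7, whose owner sent nothing.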