From owner-freebsd-questions@FreeBSD.ORG Fri Jun 20 09:53:42 2003 Return-Path: Delivered-To: freebsd-questions@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id C5D1A37B437 for ; Fri, 20 Jun 2003 09:53:40 -0700 (PDT) Received: from out003.verizon.net (out003pub.verizon.net [206.46.170.103]) by mx1.FreeBSD.org (Postfix) with ESMTP id 9142043F85 for ; Fri, 20 Jun 2003 09:53:39 -0700 (PDT) (envelope-from cswiger@mac.com) Received: from mac.com ([141.149.47.46]) by out003.verizon.net (InterMail vM.5.01.05.33 201-253-122-126-133-20030313) with ESMTP id <20030620165338.TLUQ4805.out003.verizon.net@mac.com>; Fri, 20 Jun 2003 11:53:38 -0500 Message-ID: <3EF33C13.8050108@mac.com> Date: Fri, 20 Jun 2003 12:53:39 -0400 From: Chuck Swiger Organization: The Courts of Chaos User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.4) Gecko/20030612 X-Accept-Language: en-us, en MIME-Version: 1.0 To: Matthew Ryan References: In-Reply-To: X-Enigmail-Version: 0.76.0.0 X-Enigmail-Supports: pgp-inline, pgp-mime Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit X-Authentication-Info: Submitted using SMTP AUTH at out003.verizon.net from [141.149.47.46] at Fri, 20 Jun 2003 11:53:38 -0500 cc: freebsd-questions@FreeBSD.ORG Subject: Re: Limiting closed port RST response X-BeenThere: freebsd-questions@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: User questions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 20 Jun 2003 16:53:43 -0000 Matthew Ryan wrote: [ ... ] > I'm getting a lot of these in my security output. > >> Limiting closed port RST response from 220 to 200 packets per second > > They are always on ports between 200- 300. > > Could this be a DOS atttack? > Where do I find a more detailed log? Typically, this indicates that someone is port-scanning you. If they do it very often, and it noticably affects your network performance, sure, call it a DoS, but that is probably not the intention. If you want to see what ports they're hitting, do a: sysctl net.inet.tcp.log_in_vain=1 -- -Chuck