From owner-freebsd-questions@FreeBSD.ORG  Fri Jun 20 09:53:42 2003
Return-Path: <owner-freebsd-questions@FreeBSD.ORG>
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id C5D1A37B437
	for <freebsd-questions@FreeBSD.ORG>;
	Fri, 20 Jun 2003 09:53:40 -0700 (PDT)
Received: from out003.verizon.net (out003pub.verizon.net [206.46.170.103])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 9142043F85
	for <freebsd-questions@FreeBSD.ORG>;
	Fri, 20 Jun 2003 09:53:39 -0700 (PDT)	(envelope-from cswiger@mac.com)
Received: from mac.com ([141.149.47.46]) by out003.verizon.net
          (InterMail vM.5.01.05.33 201-253-122-126-133-20030313) with ESMTP
          id <20030620165338.TLUQ4805.out003.verizon.net@mac.com>;
          Fri, 20 Jun 2003 11:53:38 -0500
Message-ID: <3EF33C13.8050108@mac.com>
Date: Fri, 20 Jun 2003 12:53:39 -0400
From: Chuck Swiger <cswiger@mac.com>
Organization: The Courts of Chaos
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US;
	rv:1.4) Gecko/20030612
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: Matthew Ryan <matt@overdose.com>
References: <EB2C8534-A2FC-11D7-B634-0030654886A6@overdose.com>
In-Reply-To: <EB2C8534-A2FC-11D7-B634-0030654886A6@overdose.com>
X-Enigmail-Version: 0.76.0.0
X-Enigmail-Supports: pgp-inline, pgp-mime
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
X-Authentication-Info: Submitted using SMTP AUTH at out003.verizon.net from
	[141.149.47.46] at Fri, 20 Jun 2003 11:53:38 -0500
cc: freebsd-questions@FreeBSD.ORG
Subject: Re: Limiting closed port RST response
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: User questions <freebsd-questions.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-questions>,
	<mailto:freebsd-questions-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-questions>
List-Post: <mailto:freebsd-questions@freebsd.org>
List-Help: <mailto:freebsd-questions-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-questions>,
	<mailto:freebsd-questions-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Fri, 20 Jun 2003 16:53:43 -0000

Matthew Ryan wrote:
[ ... ]
> I'm getting a lot of these in my security output.
> 
>> Limiting closed port RST response from 220 to 200 packets per second
> 
> They are always on ports between 200- 300.
> 
> Could this be a DOS atttack?
> Where do I find a more detailed log?

Typically, this indicates that someone is port-scanning you.  If they do it very 
often, and it noticably affects your network performance, sure, call it a DoS, 
but that is probably not the intention.

If you want to see what ports they're hitting, do a:

	sysctl net.inet.tcp.log_in_vain=1

-- 
-Chuck