Date:      Thu, 27 Sep 2001 09:19:14 -0500 (CDT)
From:      Mike Silbersack <silby@silby.com>
To:        Ronan Lucio <ronan@melim.com.br>
Cc:        <freebsd-security@freebsd.org>
Subject:   Re: flood attacks
Message-ID:  <20010927091553.N78196-100000@achilles.silby.com>
In-Reply-To: <01eb01c14757$f699b580$2aa8a8c0@melim.com.br>


On Thu, 27 Sep 2001, Ronan Lucio wrote:

> Hi All,
>
> Sometimes I'm having troubles with somebody attacking
> my network by RST flood
>
> I have two questions:
>
> 1. My FreeBSD-4.3 only shows the message
>     Limiting closed port RST response from 1800 to 200 packets per second.
>     But it doesn't show the source IP of the attack. I already looked at
>     /var/log/messages, security and ipfw files and I saw nothing about this.
>     Does anybody know what option I should configure so that FreeBSD shows
>     me such IP?

When it says "Limiting closed port RST response", what this means is that
*your* response is being limited.  They could be throwing almost any type
of packet at you.  In order to detect what's happening, you could install
a network IDS such as snort, or take captures with tcpdump.

Note that if the attack is spoofed, tracing it back to its source may be
a lot of effort, and not worth it in this case.  Others on this list can
probably tell you more info about how to go about this.

Mike "Silby" Silbersack
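
The tcpdump approach suggested in the reply above can be turned into a per-source tally. The following is an added example, not part of the original message: it assumes the one-line text format printed by current `tcpdump -n`, the function names are hypothetical, and the sample lines are constructed with documentation-range addresses.

```shell
#!/bin/sh
# Added example. Assumes the one-line text format of `tcpdump -n`:
#   TIME IP SRC.PORT > DST.PORT: Flags [S], ...
# Typical use: tcpdump -n -r capture.pcap | inbound_by_source YOUR_IP

# awk helper: drop a trailing ":" and the ".PORT" suffix of an IPv4 endpoint.
ADDR_FN='function addr(ep,   n, p) {
    sub(/:$/, "", ep)
    n = split(ep, p, ".")
    return (n >= 5) ? (p[1] "." p[2] "." p[3] "." p[4]) : ep
}'

# Print "COUNT SRC_IP" for every packet addressed to $1, busiest source first.
inbound_by_source() {
    awk -v me="$1" "$ADDR_FN"'
    $2 == "IP" && $4 == ">" && addr($5) == me { seen[addr($3)]++ }
    END { for (s in seen) print seen[s], s }' | sort -k1,1nr -k2,2
}

# Count the RST segments $1 itself sent: the replies the kernel rate-limits.
rst_replies() {
    awk -v me="$1" "$ADDR_FN"'
    $2 == "IP" && addr($3) == me && $6 == "Flags" && $7 ~ /R/ { n++ }
    END { print n + 0 }'
}

# Constructed sample capture (documentation-range addresses, not real traffic).
sample_capture() {
    cat <<'EOF'
09:19:14.000100 IP 192.0.2.10.40001 > 198.51.100.5.81: Flags [S], seq 1, win 512, length 0
09:19:14.000150 IP 198.51.100.5.81 > 192.0.2.10.40001: Flags [R.], seq 0, ack 2, win 0, length 0
09:19:14.000200 IP 192.0.2.10.40002 > 198.51.100.5.82: Flags [S], seq 1, win 512, length 0
09:19:14.000250 IP 198.51.100.5.82 > 192.0.2.10.40002: Flags [R.], seq 0, ack 2, win 0, length 0
09:19:14.000300 IP 203.0.113.7.5353 > 198.51.100.5.83: Flags [S], seq 1, win 512, length 0
09:19:14.000400 IP 192.0.2.10.40003 > 198.51.100.5.84: Flags [S], seq 1, win 512, length 0
09:19:14.000500 IP 203.0.113.7 > 198.51.100.5: ICMP echo request, id 1, seq 1, length 64
EOF
}

echo "inbound packets per source:"
sample_capture | inbound_by_source 198.51.100.5
echo "RST replies sent: $(sample_capture | rst_replies 198.51.100.5)"
```

The addresses in the tally are only what the packets claim as their source, so a spoofed flood will not be identified by it.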

