From: Mike Silbersack
To: Ronan Lucio
Date: Thu, 27 Sep 2001 09:19:14 -0500 (CDT)
Subject: Re: flood attacks
In-Reply-To: <01eb01c14757$f699b580$2aa8a8c0@melim.com.br>
Message-ID: <20010927091553.N78196-100000@achilles.silby.com>
List: freebsd-security@freebsd.org

On Thu, 27 Sep 2001, Ronan Lucio wrote:

> Hi All,
>
> Sometimes I'm having trouble with somebody attacking
> my network by RST flood.
>
> I have two questions:
>
> 1. My FreeBSD-4.3 only shows the message
>    Limiting closed port RST response from 1800 to 200 packets per second.
> But it doesn't show the source IP of the attack. I already looked at
> /var/log/messages, security and ipfw files and I saw nothing about this.
> Does anybody know what option I should configure for FreeBSD to show
> me such IP?

When it says "Limiting closed port RST response", what this means is that
*your* response is being limited. They could be throwing almost any type
of packet at you. In order to detect what's happening, you could install
a network IDS such as snort, or take captures with tcpdump. Note that if
the attack is spoofed, tracing it back to its source may be a lot of
effort, and not worth it in this case. Others on this list can probably
tell you more about how to go about this.
Mike "Silby" Silbersacks
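One concrete way to do the tcpdump capture Mike suggests, as an added example that is not part of his reply or of any FreeBSD tool: the kernel message only says that the host is rate-limiting its own RSTs, so the useful trick is to capture the RSTs the host sends and tally where they are going. The destination of each outbound RST is the source address of the packet that provoked it, which is the (possibly spoofed) address the original question asks for. The interface name `fxp0`, the host address `192.0.2.10` and the sample tcpdump lines are all constructed for the example; only the `top_rst_targets` function below is meant to be reused.

```shell
#!/bin/sh
# Added example, not from the original thread. Tally the destinations of the
# RSTs this host sends; each one is the source of a packet that hit a closed
# port. Live use (interface and address are assumptions for the example):
#
#   tcpdump -n -l -i fxp0 'src host 192.0.2.10 and tcp[13] & 4 != 0' | top_rst_targets
#
# tcp[13] is the TCP flags byte and bit 2 (value 4) is RST. With -n, tcpdump
# prints RSTs in a form like:
#   14:19:14.100001 192.0.2.10.80 > 203.0.113.7.4444: R 0:0(0) ack 1 win 0
# and newer versions print "Flags [R]," instead of a bare "R"; both are handled.

# top_rst_targets: read tcpdump text lines on stdin, print "count ip" for the
# destination IPv4 address of every RST, most frequent first.
top_rst_targets() {
    awk '{
            dst = ""; flags = ""
            # locate the "src > dst:" arrow; the flags follow the destination
            for (i = 1; i < NF; i++) {
                if ($i == ">") {
                    dst = $(i + 1)
                    flags = $(i + 2)
                    if (flags == "Flags") flags = $(i + 3)   # "Flags [R]," form
                    break
                }
            }
            if (flags !~ /R/) next            # not an RST, ignore
            sub(/:$/, "", dst)                # "203.0.113.7.4444:" -> "203.0.113.7.4444"
            n = split(dst, p, ".")
            if (n < 5) next                   # expect IPv4 address plus port
            ip = p[1] "." p[2] "." p[3] "." p[4]
            count[ip]++
         }
         END { for (ip in count) print count[ip], ip }' |
    sort -rn
}

# Constructed sample capture: three RSTs to 203.0.113.7, one to 198.51.100.9,
# and one inbound SYN that must be ignored because it is not an RST.
SAMPLE='14:19:14.100001 192.0.2.10.80 > 203.0.113.7.4444: R 0:0(0) ack 1 win 0
14:19:14.100002 192.0.2.10.81 > 203.0.113.7.4445: R 0:0(0) ack 1 win 0
14:19:14.100003 192.0.2.10.22 > 198.51.100.9.1025: R 0:0(0) ack 1 win 0
14:19:14.100004 192.0.2.10.80 > 203.0.113.7.4446: R 0:0(0) ack 1 win 0
14:19:14.100005 198.51.100.9.1025 > 192.0.2.10.22: S 1:1(0) win 8192
'

# Run the tally over the constructed sample when executed directly.
printf '%s' "$SAMPLE" | top_rst_targets
```

Because the kernel's limiter drops RSTs beyond the configured rate (the 200 per second in the log line is FreeBSD's net.inet.icmp.icmplim sysctl, which in 4.x caps both ICMP unreachables and closed-port RSTs), the counts above undercount the flood; they still rank the addresses correctly. As Mike notes, a spoofed source will show up here just as readily as a real one, so treat the top address as where the packets claim to come from, not proof of who sent them.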