Date:      Thu, 27 Sep 2001 12:57:48 -0400
From:      Mike Tancsa <mike@sentex.net>
To:        "Ronan Lucio" <ronan@melim.com.br>
Cc:        <freebsd-security@FreeBSD.ORG>
Subject:   Re: flood attacks
Message-ID:  <5.1.0.14.0.20010927125302.048abb10@marble.sentex.ca>
In-Reply-To: <037601c14773$52a23da0$2aa8a8c0@melim.com.br>
References:  <Pine.BSF.4.33.0109270907350.1695-100000@R181172.resnet.ucsb.edu>


The problem is that once it's in your network, it's too late so to speak. You
want to involve your ISP to get them to limit it before it traverses your
link.  If you are lucky the packets are not random junk and you can block
on the source IP.   Are they hitting the same port? Are they coming from
random IPs?  As someone said,
sysctl -w net.inet.tcp.log_in_vain=1
sysctl -w net.inet.udp.log_in_vain=1

If they are not hitting random ports and hitting say your web server,
ipfw add 10 count log tcp from any to me 80;sleep 10;ipfw delete 10
and look at /var/log/security and see where the junk is coming from.

         ---Mike

At 01:41 PM 9/27/01 -0300, Ronan Lucio wrote:
>Hi Dave,
>
>But, in my case, I looked at mrtg graphics and saw that
>it had big flow during 1 hour.
>So, I supposed to prevent such situation.
>
>[ ]´s
>
>Ronan Lucio
>
> > >     Limiting closed port RST response from 1800 to 200 packets per second.
> >
> > Awhile back, I managed to reproduce this by portscanning myself with a
> > very fast scanner which doesn't wait for any kind of response from the
> > server before testing the next port.  The 1800 to 200 message thing sounds
> > quite general, so you could be getting flooded with lots of different
> > kinds of data.  If the messages come in briefly and then stop for awhile
> > (rather than a continuous flow) you could just be getting a fast port scan.


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
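
Added example, not part of the original message: a small sh/awk tally of the source addresses logged by the temporary `ipfw add 10 count log` rule, showing whether the traffic comes from a few addresses or from many. The log line layout, the sample lines and the more-than-half threshold are assumptions; pipe /var/log/security into the functions in place of the constructed sample.

```sh
#!/bin/sh
# Tally source addresses from ipfw "count log" entries for one rule (stdin).
# Assumed log layout (an assumption, check it against your own file):
#   <date> <host> /kernel: ipfw: <rule> Count TCP <src>:<port> <dst>:<port> in via <if>

# ipfw_sources RULE -> lines of "<packets> <source-ip>", busiest first
ipfw_sources() {
    awk -v rule="$1" '
        {
            # find the "ipfw:" token so the syslog prefix length does not matter
            for (i = 1; i <= NF; i++) if ($i == "ipfw:") break
            if (i > NF || $(i + 1) != rule) next
            src = $(i + 4)
            sub(/:[0-9]+$/, "", src)   # drop the source port
            hits[src]++
        }
        END { for (s in hits) print hits[s], s }
    ' | sort -k1,1nr -k2,2
}

# ipfw_verdict RULE -> "concentrated" if one source sent more than half of
# the logged packets (illustrative threshold), "spread" otherwise, "none" if empty
ipfw_verdict() {
    ipfw_sources "$1" | awk '
        { total += $1; if ($1 > max) max = $1 }
        END {
            if (total == 0) print "none"
            else if (max * 2 > total) print "concentrated"
            else print "spread"
        }'
}

# Constructed sample lines using documentation addresses, not real traffic
SAMPLE='Sep 27 12:58:01 gw /kernel: ipfw: 10 Count TCP 198.51.100.7:4021 192.0.2.10:80 in via fxp0
Sep 27 12:58:01 gw /kernel: ipfw: 10 Count TCP 198.51.100.7:4022 192.0.2.10:80 in via fxp0
Sep 27 12:58:02 gw /kernel: ipfw: 10 Count TCP 203.0.113.9:1337 192.0.2.10:80 in via fxp0
Sep 27 12:58:02 gw /kernel: ipfw: 20 Deny UDP 203.0.113.50:53 192.0.2.10:53 in via fxp0
Sep 27 12:58:03 gw /kernel: ipfw: 10 Count TCP 198.51.100.7:4023 192.0.2.10:80 in via fxp0
Sep 27 12:58:03 gw last message repeated 2 times
Sep 27 12:58:04 gw /kernel: ipfw: 10 Count TCP 203.0.113.20:2200 192.0.2.10:80 in via fxp0
Sep 27 12:58:04 gw /kernel: ipfw: 10 Count TCP 198.51.100.7:4024 192.0.2.10:80 in via fxp0'

printf '%s\n' "$SAMPLE" | ipfw_sources 10
printf 'verdict: %s\n' "$(printf '%s\n' "$SAMPLE" | ipfw_verdict 10)"
```

A "concentrated" result is the lucky case from the message, where a block on the source IP can work; "spread" points toward asking the ISP to limit the traffic upstream.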



