Skip site navigation (1)Skip section navigation (2) 
Date:      Thu, 27 Sep 2001 12:57:48 -0400
From:      Mike Tancsa <mike@sentex.net>
To:        "Ronan Lucio" <ronan@melim.com.br>
Cc:        <freebsd-security@FreeBSD.ORG>
Subject:   Re: flood attacks
Message-ID:  <5.1.0.14.0.20010927125302.048abb10@marble.sentex.ca>
In-Reply-To: <037601c14773$52a23da0$2aa8a8c0@melim.com.br>
References:  <Pine.BSF.4.33.0109270907350.1695-100000@R181172.resnet.ucsb.edu>
next in thread | previous in thread | raw e-mail | index | archive | help 


The problem is that once its in your network, its too late so to speak. You 
want to involve your ISP to get them to limit it before it traverses your 
link.  If you are lucky the packets are not random junk and you can block 
on the source IP.   Are they hitting the same port ? are they coming from 
random IPs ?  As someone said,
sysctl -w net.inet.tcp.log_in_vain=1
sysctl -w net.inet.ud.log_in_vain=1

If they are not hitting random ports and hitting say your web server,
ipfw add 10 count log tcp from any to me 80;sleep 10;ipfw delete 10
and look at /var/log/security and see where the junk is coming from.

         ---Mike

At 01:41 PM 9/27/01 -0300, Ronan Lucio wrote:
>Hi Dave,
>
>But, in my case, I looked at mrtg graphics and saw that
>it had big flow during 1 hour.
>So, I supposed to prevent such situation.
>
>[ ]īs
>
>Ronan Lucio
>
> > >     Limiting closed port RST response from 1800 to 200 packets per
>second.
> >
> > Awhile back, I managed to reproduce this by portscanning myself with a
> > very fast scanner which doesn't wait for any kind of response from the
> > server before testing the next port.  The 1800 to 200 message thing sounds
> > quite general, so you could be getting flooded with lots of different
> > kinds of data.  If the messages come in briefly and then stop for awhile
> > (rather than a continus flow) you could just be getting a fast port scan.
> >
> >
> > To Unsubscribe: send mail to majordomo@FreeBSD.org
> > with "unsubscribe freebsd-security" in the body of the message
> >
> >
>
>
>To Unsubscribe: send mail to majordomo@FreeBSD.org
>with "unsubscribe freebsd-security" in the body of the message


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?5.1.0.14.0.20010927125302.048abb10>