From owner-freebsd-security Thu Sep 27 10:03:45 2001
Delivered-To: freebsd-security@freebsd.org
Received: from smtp1.sentex.ca (smtp1.sentex.ca [199.212.134.4]) by hub.freebsd.org (Postfix) with ESMTP id B7D6937B434 for ; Thu, 27 Sep 2001 10:03:39 -0700 (PDT)
Received: from simoeon.sentex.net (pyroxene.sentex.ca [199.212.134.18]) by smtp1.sentex.ca (8.11.6/8.11.6) with ESMTP id f8RH3Pq15136; Thu, 27 Sep 2001 13:03:25 -0400 (EDT) (envelope-from mike@sentex.net)
Message-Id: <5.1.0.14.0.20010927125302.048abb10@marble.sentex.ca>
X-Sender: mdtpop@marble.sentex.ca
X-Mailer: QUALCOMM Windows Eudora Version 5.1
Date: Thu, 27 Sep 2001 12:57:48 -0400
To: "Ronan Lucio"
From: Mike Tancsa
Subject: Re: flood attacks
In-Reply-To: <037601c14773$52a23da0$2aa8a8c0@melim.com.br>
Mime-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"; format=flowed
Content-Transfer-Encoding: quoted-printable
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

The problem is that once it's in your network, it's too late, so to speak. You want to involve your ISP to get them to limit it before it traverses your link. If you are lucky the packets are not random junk and you can block on the source IP. Are they hitting the same port? Are they coming from random IPs?

As someone said,

sysctl -w net.inet.tcp.log_in_vain=1
sysctl -w net.inet.udp.log_in_vain=1

If they are not hitting random ports and hitting, say, your web server,

ipfw add 10 count log tcp from any to me 80;sleep 10;ipfw delete 10

and look at /var/log/security and see where the junk is coming from.

---Mike

At 01:41 PM 9/27/01 -0300, Ronan Lucio wrote:
>Hi Dave,
>
>But, in my case, I looked at mrtg graphics and saw that
>it had big flow during 1 hour.
>So, I supposed to prevent such situation.
>
>[ ]´s
>
>Ronan Lucio
>
> > > Limiting closed port RST response from 1800 to 200 packets per
> > > second.
> >
> > Awhile back, I managed to reproduce this by portscanning myself with a
> > very fast scanner which doesn't wait for any kind of response from the
> > server before testing the next port. The 1800 to 200 message thing sounds
> > quite general, so you could be getting flooded with lots of different
> > kinds of data. If the messages come in briefly and then stop for awhile
> > (rather than a continuous flow) you could just be getting a fast port scan.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
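Both checks Mike suggests (the log_in_vain sysctls and the temporary ipfw "count log" rule) leave one syslog line per packet, which is hard to read by eye during a flood. The following shell script is an added example, not code from the original mail, that tallies those lines by source address so the origin of the junk stands out. It assumes the FreeBSD 4.x message shapes "ipfw: RULE Count PROTO SRC:PORT DST:PORT in via IFACE" and "Connection attempt to PROTO DST:PORT from SRC:PORT"; the log lines embedded below are constructed samples, not a real capture.

```shell
#!/bin/sh
# Added example: summarize flood-related syslog lines by source IP.
# Assumed line shapes (FreeBSD 4.x era):
#   ... /kernel: ipfw: 10 Count TCP 198.51.100.7:40112 192.0.2.10:80 in via fxp0
#   ... /kernel: Connection attempt to TCP 192.0.2.10:81 from 198.51.100.7:40116
# The sample below is constructed for the demo; it is not a real log.
SAMPLE_LOG='Sep 27 12:57:48 www /kernel: ipfw: 10 Count TCP 198.51.100.7:40112 192.0.2.10:80 in via fxp0
Sep 27 12:57:48 www /kernel: ipfw: 10 Count TCP 198.51.100.7:40113 192.0.2.10:80 in via fxp0
Sep 27 12:57:48 www /kernel: ipfw: 10 Count TCP 203.0.113.9:1025 192.0.2.10:80 in via fxp0
Sep 27 12:57:49 www /kernel: ipfw: 10 Count TCP 198.51.100.7:40114 192.0.2.10:80 in via fxp0
Sep 27 12:57:49 www /kernel: Connection attempt to TCP 192.0.2.10:81 from 198.51.100.7:40116
Sep 27 12:57:49 www /kernel: ipfw: 10 Count TCP 198.51.100.7:40115 192.0.2.10:80 in via fxp0
Sep 27 12:57:49 www /kernel: ipfw: 10 Count TCP 192.0.2.77:5000 192.0.2.10:80 in via fxp0'

# top_sources RULE [MIN_HITS]
#   Reads syslog lines on stdin. Counts ipfw lines logged by rule RULE and
#   every log_in_vain "Connection attempt" line, keyed by source IP with the
#   port stripped. Prints "hits ip" for sources with at least MIN_HITS hits,
#   busiest first.
top_sources() {
    rule=$1
    min=${2:-1}
    awk -v rule="$rule" -v min="$min" '
        /Connection attempt to/ {
            # log_in_vain line: source is the token after "from"
            for (i = 1; i <= NF; i++) if ($i == "from") break
            src = $(i + 1); sub(/:[0-9]+$/, "", src)
            hits[src]++
            next
        }
        {
            # ipfw line: tokens after "ipfw:" are rule, action, proto, src, dst
            for (i = 1; i <= NF; i++) if ($i == "ipfw:") break
            if (i > NF || $(i + 1) != rule) next
            src = $(i + 4); sub(/:[0-9]+$/, "", src)
            hits[src]++
        }
        END { for (s in hits) if (hits[s] >= min) print hits[s], s }
    ' | sort -rn
}

# busiest_source RULE: the single heaviest source IP, handy for a follow-up
# filter rule or for the report you send to your ISP.
busiest_source() {
    top_sources "$1" 1 | head -n 1 | awk '{ print $2 }'
}

# Real use, after the 10-second count rule from the mail has run:
#   top_sources 10 50 < /var/log/security
# Demo on the constructed sample (sources with two or more hits):
printf '%s\n' "$SAMPLE_LOG" | top_sources 10 2
```

The threshold matters in practice: during a flood the real attacker sources sit far above the ordinary clients, so start with a high MIN_HITS and lower it only if nothing shows. Lines from a different ipfw rule number are ignored, so the summary is not polluted by other logging rules you may already have.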