Date:      Sat, 29 Sep 2001 01:39:25 +0200
From:      "Karsten W. Rohrbach" <karsten@rohrbach.de>
To:        Mike Tancsa <mike@sentex.net>
Cc:        Ronan Lucio <ronan@melim.com.br>, freebsd-security@FreeBSD.ORG
Subject:   Re: flood attacks
Message-ID:  <20010929013925.C37579@mail.webmonster.de>
In-Reply-To: <5.1.0.14.0.20010927125302.048abb10@marble.sentex.ca>; from mike@sentex.net on Thu, Sep 27, 2001 at 12:57:48PM -0400
References:  <Pine.BSF.4.33.0109270907350.1695-100000@R181172.resnet.ucsb.edu> <037601c14773$52a23da0$2aa8a8c0@melim.com.br> <5.1.0.14.0.20010927125302.048abb10@marble.sentex.ca>


just as a sidenote: some people from the net.community and prelude nids
projects and I are currently thinking about implementing a real network
intrusion management system, which means that in the future we hopefully
will be able to do active countermeasure stuff concerning dos/ddos
and other network attacks.

there is no single line of code written yet, it's brainstorm and discussion
time at the moment. if you want to join the discussion check the archive
of the list [http://defender.webmonster.de/lists.html] and subscribe ;-)

cheers,
/k

Mike Tancsa(mike@sentex.net)@2001.09.27 12:57:48 +0000:
> 
> The problem is that once it's in your network, it's too late, so to speak. You
> want to involve your ISP to get them to limit it before it traverses your
> link.  If you are lucky the packets are not random junk and you can block
> on the source IP.  Are they hitting the same port? Are they coming from
> random IPs?  As someone said,
> sysctl -w net.inet.tcp.log_in_vain=1
> sysctl -w net.inet.udp.log_in_vain=1
> 
> If they are not hitting random ports and hitting say your web server,
> ipfw add 10 count log tcp from any to me 80;sleep 10;ipfw delete 10
> and look at /var/log/security and see where the junk is coming from.
> 
>          ---Mike
> 
> At 01:41 PM 9/27/01 -0300, Ronan Lucio wrote:
> >Hi Dave,
> >
> >But, in my case, I looked at the mrtg graphs and saw that
> >it had a big flow during 1 hour.
> >So, I am supposed to prevent such a situation.
> >
> >[ ]'s
> >
> >Ronan Lucio
> >
> > >     Limiting closed port RST response from 1800 to 200 packets per second.
> > >
> > > A while back, I managed to reproduce this by portscanning myself with a
> > > very fast scanner which doesn't wait for any kind of response from the
> > > server before testing the next port.  The 1800 to 200 message thing sounds
> > > quite general, so you could be getting flooded with lots of different
> > > kinds of data.  If the messages come in briefly and then stop for a while
> > > (rather than a continuous flow) you could just be getting a fast port scan.
> > >
> > >
> > > To Unsubscribe: send mail to majordomo@FreeBSD.org
> > > with "unsubscribe freebsd-security" in the body of the message
> > >
> > >
> >
> >
> 
> 

-- 
> Nuclear war can ruin your whole compile. --Karl Lehenbauer
KR433/KR11-RIPE -- WebMonster Community Founder -- nGENn GmbH Senior Techie
http://www.webmonster.de/ -- ftp://ftp.webmonster.de/ -- http://www.ngenn.net/
karsten&rohrbach.de -- alpha&ngenn.net -- alpha&scene.org -- catch@spam.de
GnuPG 0x2964BF46 2001-03-15 42F9 9FFF 50D4 2F38 DBEE  DF22 3340 4F4E 2964 BF46
Please do not remove my address from To: and Cc: fields in mailing lists. 10x

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (FreeBSD)
Comment: For info see http://www.gnupg.org

iD8DBQE7tQotM0BPTilkv0YRAgY8AJ0b41pdhJxY7LdGn6eNIkZOM/0pTACgl3VX
ShrRcYWZYU34mVVZ0HcxoP0=
=N/3P
-----END PGP SIGNATURE-----
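The recipe Mike gives in this thread (turn on the log_in_vain sysctls, add a temporary ipfw count/log rule, then read /var/log/security to see where the junk comes from) can be reduced to a small log parser. The following is an added example, not code from anyone in the thread and not part of FreeBSD or ipfw: it reads constructed sample lines in the two kernel log layouts assumed here (log_in_vain's "Connection attempt to ..." messages and the "ipfw: <rule> Count ..." output of a logged count rule), aggregates per source address, counts the "Limiting closed port RST response" limiter messages, and labels each source as a single-port flood (many packets at one service) or a fast port scan of the kind Dave describes (many distinct closed ports from one source). The addresses, the thresholds and the exact log formats are assumptions for the sample.

```python
import re
from collections import defaultdict

# Constructed sample of /var/log/security content. The line layouts are
# assumed to match FreeBSD's log_in_vain messages and ipfw's log output for
# a "count" rule such as "ipfw add 10 count log tcp from any to me 80".
# Nothing here was captured from a real host; addresses are documentation ranges.
SAMPLE_LOG = """\
Sep 27 12:40:01 gw kernel: ipfw: 10 Count TCP 198.51.100.7:40001 10.0.0.1:80 in via fxp0
Sep 27 12:40:01 gw kernel: ipfw: 10 Count TCP 198.51.100.7:40002 10.0.0.1:80 in via fxp0
Sep 27 12:40:02 gw kernel: ipfw: 10 Count TCP 198.51.100.7:40003 10.0.0.1:80 in via fxp0
Sep 27 12:40:02 gw kernel: ipfw: 10 Count TCP 198.51.100.7:40004 10.0.0.1:80 in via fxp0
Sep 27 12:40:02 gw kernel: ipfw: 10 Count TCP 198.51.100.7:40005 10.0.0.1:80 in via fxp0
Sep 27 12:40:02 gw kernel: Connection attempt to TCP 10.0.0.1:22 from 203.0.113.9:1025
Sep 27 12:40:02 gw kernel: Connection attempt to TCP 10.0.0.1:23 from 203.0.113.9:1026
Sep 27 12:40:02 gw kernel: Connection attempt to TCP 10.0.0.1:25 from 203.0.113.9:1027
Sep 27 12:40:03 gw kernel: Connection attempt to UDP 10.0.0.1:53 from 203.0.113.9:1028
Sep 27 12:40:03 gw kernel: Connection attempt to TCP 10.0.0.1:110 from 203.0.113.9:1029
Sep 27 12:40:03 gw kernel: Limiting closed port RST response from 1800 to 200 packets per second
Sep 27 12:40:04 gw kernel: Connection attempt to TCP 10.0.0.1:443 from 192.0.2.44:3000
"""

# log_in_vain: "Connection attempt to TCP <dst>:<dport> from <src>:<sport>"
LOG_IN_VAIN = re.compile(
    r"Connection attempt to (TCP|UDP) (\S+):(\d+) from (\S+):(\d+)")
# ipfw log: "ipfw: <rule> <Action> <PROTO> <src>:<sport> <dst>:<dport> in via <if>"
IPFW_LOG = re.compile(r"ipfw: \d+ \w+ (TCP|UDP) (\S+):(\d+) (\S+):(\d+)")
# Kernel message emitted when the closed-port RST/ICMP rate limiter kicks in.
RST_LIMIT = "Limiting closed port RST response"


def parse_line(line):
    """Return (proto, src, dst, dport) for a recognised packet line, else None."""
    m = LOG_IN_VAIN.search(line)
    if m:
        proto, dst, dport, src, _sport = m.groups()
        return proto, src, dst, int(dport)
    m = IPFW_LOG.search(line)
    if m:
        proto, src, _sport, dst, dport = m.groups()
        return proto, src, dst, int(dport)
    return None


def summarize(log_text, scan_ports=4, flood_packets=5):
    """Aggregate packets per source and label each source.

    Returns (report, rst_limit_events). report maps a source IP to its packet
    count, its number of distinct (proto, dport) targets and a verdict. The
    two thresholds are assumptions chosen for the sample, not system defaults.
    """
    per_src = defaultdict(lambda: {"packets": 0, "dports": set()})
    rst_limit_events = 0
    for line in log_text.splitlines():
        if RST_LIMIT in line:
            rst_limit_events += 1   # closed ports hit faster than we answer
            continue
        rec = parse_line(line)
        if rec is None:
            continue                # unrelated syslog line
        proto, src, _dst, dport = rec
        per_src[src]["packets"] += 1
        per_src[src]["dports"].add((proto, dport))

    report = {}
    for src, entry in per_src.items():
        distinct = len(entry["dports"])
        if distinct >= scan_ports:
            verdict = "port scan"          # many closed ports, one source
        elif entry["packets"] >= flood_packets and distinct == 1:
            verdict = "single-port flood"  # hammering one service
        else:
            verdict = "low volume"
        report[src] = {"packets": entry["packets"],
                       "distinct_ports": distinct, "verdict": verdict}
    return report, rst_limit_events


def blockable_sources(report):
    """Sources worth handing to the ISP or filtering on, busiest first."""
    noisy = [s for s, e in report.items() if e["verdict"] != "low volume"]
    return sorted(noisy, key=lambda s: report[s]["packets"], reverse=True)


if __name__ == "__main__":
    rep, limits = summarize(SAMPLE_LOG)
    for src in sorted(rep):
        print(f"{src:16} {rep[src]['packets']:4} pkts "
              f"{rep[src]['distinct_ports']:3} ports  {rep[src]['verdict']}")
    print("RST rate-limit events:", limits)
    print("sources to report upstream:", blockable_sources(rep))
```

On a real box the script would be fed `grep kernel /var/log/security` taken during the ten seconds the count rule is in place; a source that shows up with one destination port and a high packet count is the case where blocking on the source IP (or asking the ISP to) is worthwhile, while a source spread over many closed ports is the fast-scan pattern that sets off the RST limiter rather than a flood aimed at a service.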
