Date: Sat, 29 Sep 2001 01:39:25 +0200 From: "Karsten W. Rohrbach" <karsten@rohrbach.de> To: Mike Tancsa <mike@sentex.net> Cc: Ronan Lucio <ronan@melim.com.br>, freebsd-security@FreeBSD.ORG Subject: Re: flood attacks Message-ID: <20010929013925.C37579@mail.webmonster.de> In-Reply-To: <5.1.0.14.0.20010927125302.048abb10@marble.sentex.ca>; from mike@sentex.net on Thu, Sep 27, 2001 at 12:57:48PM -0400 References: <Pine.BSF.4.33.0109270907350.1695-100000@R181172.resnet.ucsb.edu> <037601c14773$52a23da0$2aa8a8c0@melim.com.br> <5.1.0.14.0.20010927125302.048abb10@marble.sentex.ca>
next in thread | previous in thread | raw e-mail | index | archive | help
--wxDdMuZNg1r63Hyj Content-Type: text/plain; charset=iso-8859-1 Content-Disposition: inline Content-Transfer-Encoding: quoted-printable just as a sidenote: some people from the net.community, prelude nids projects and me are currently thinking about implementing a real network intrusion management system which means that in the future we hopefully will be able to do active countermeasure stuff concerning dos/ddos and other network attacks.=20 there is no single line of code written yet, it's brainstorm and discussion time at the moment. if you want to join the discussion check the archive of the list [http://defender.webmonster.de/lists.html] and subscribe ;-) cheers, /k Mike Tancsa(mike@sentex.net)@2001.09.27 12:57:48 +0000: >=20 > The problem is that once its in your network, its too late so to speak. Y= ou=20 > want to involve your ISP to get them to limit it before it traverses your= =20 > link. If you are lucky the packets are not random junk and you can block= =20 > on the source IP. Are they hitting the same port ? are they coming from= =20 > random IPs ? As someone said, > sysctl -w net.inet.tcp.log_in_vain=3D1 > sysctl -w net.inet.ud.log_in_vain=3D1 >=20 > If they are not hitting random ports and hitting say your web server, > ipfw add 10 count log tcp from any to me 80;sleep 10;ipfw delete 10 > and look at /var/log/security and see where the junk is coming from. >=20 > ---Mike >=20 > At 01:41 PM 9/27/01 -0300, Ronan Lucio wrote: > >Hi Dave, > > > >But, in my case, I looked at mrtg graphics and saw that > >it had big flow during 1 hour. > >So, I supposed to prevent such situation. > > > >[ ]=B4s > > > >Ronan Lucio > > > > > > Limiting closed port RST response from 1800 to 200 packets per > >second. > > > > > > Awhile back, I managed to reproduce this by portscanning myself with a > > > very fast scanner which doesn't wait for any kind of response from the > > > server before testing the next port. The 1800 to 200 message thing s= ounds > > > quite general, so you could be getting flooded with lots of different > > > kinds of data. If the messages come in briefly and then stop for awh= ile > > > (rather than a continus flow) you could just be getting a fast port s= can. > > > > > > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > > > with "unsubscribe freebsd-security" in the body of the message > > > > > > > > > > > >To Unsubscribe: send mail to majordomo@FreeBSD.org > >with "unsubscribe freebsd-security" in the body of the message >=20 >=20 > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message --=20 > Nuclear war can ruin your whole compile. --Karl Lehenbauer KR433/KR11-RIPE -- WebMonster Community Founder -- nGENn GmbH Senior Techie http://www.webmonster.de/ -- ftp://ftp.webmonster.de/ -- http://www.ngenn.n= et/ karsten&rohrbach.de -- alpha&ngenn.net -- alpha&scene.org -- catch@spam.de GnuPG 0x2964BF46 2001-03-15 42F9 9FFF 50D4 2F38 DBEE DF22 3340 4F4E 2964 B= F46 Please do not remove my address from To: and Cc: fields in mailing lists. 1= 0x --wxDdMuZNg1r63Hyj Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (FreeBSD) Comment: For info see http://www.gnupg.org iD8DBQE7tQotM0BPTilkv0YRAgY8AJ0b41pdhJxY7LdGn6eNIkZOM/0pTACgl3VX ShrRcYWZYU34mVVZ0HcxoP0= =N/3P -----END PGP SIGNATURE----- --wxDdMuZNg1r63Hyj-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20010929013925.C37579>