From: "Travis H." (solinym@gmail.com), via owner-freebsd-pf@FreeBSD.ORG
Date: Tue, 16 May 2006 00:01:05 -0500
To: "Max Laier"
Cc: freebsd-pf@freebsd.org
Subject: Re: promt solution with max-src-conn-rate
In-Reply-To: <55278.192.168.4.1.1147735542.squirrel@mail.abi01.homeunix.org>
References: <44680266.2090007@azimut-tour.ru> <446873D3.7090703@azimut-tour.ru> <55e8a96c0605150907k49af4454t5d0431ea036e11bc@mail.gmail.com> <200605151823.17265.viktor.vasilev@stud.tu-darmstadt.de> <55278.192.168.4.1.1147735542.squirrel@mail.abi01.homeunix.org>
List-Id: "Technical discussion and general questions about packet filter (pf)"

> You have to be aware that this otoh might open you to DoS attacks. People
> spoofing connections from your address will lock you out from your own
> server.

It requires spoofing a full TCP connect, which is more difficult than most
DoS types are willing to do. Even harder if you're doing "reassemble tcp"
to protect the weak hosts' SYN packets. I've never heard a report of this
kind of DoS in practice.

-- 
"Curiosity killed the cat, but for a while I was a suspect" -- Steven Wright
Security Guru for Hire http://www.lightconsulting.com/~travis/ -><-
GPG fingerprint: 9D3F 395A DAC5 5CCC 9066 151D 0A6B 4098 0C55 1484
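The lock-out risk raised above is easy to bound in the ruleset itself. The pf.conf fragment below is an added example, not configuration posted by anyone in this thread, and it assumes an interface macro `em0`, a trusted admin host `192.0.2.10` (documentation range) and table names `<trusted>` and `<bruteforce>` chosen for illustration. The idea is that `max-src-conn-rate` only counts connections that completed the 3-way handshake, so an attacker must actually spoof a full connect; a `quick` pass rule for your own addresses, evaluated before the rate-limited rule, means that even a successful spoof never puts your address in the overload table and never blocks you.

```pf
# Added example pf.conf (hypothetical names and addresses, not from the thread)
ext_if = "em0"

# Addresses that must never be rate-limited or blocked (assumed admin hosts).
table <trusted> persist { 192.0.2.10, 203.0.113.0/24 }
# Filled automatically by the overload clause below.
table <bruteforce> persist

# Normalize traffic; "reassemble tcp" is what the reply above refers to.
scrub in on $ext_if all reassemble tcp

# Drop packets that claim a source address from our own networks on the
# outside interface, which defeats the simplest spoofing attempts.
antispoof quick for $ext_if

# 1. Trusted hosts pass first and with "quick", so they are never evaluated
#    against the rate limit and cannot be locked out by a spoofed flood.
pass in quick on $ext_if proto tcp from <trusted> to ($ext_if) port ssh \
    flags S/SA keep state

# 2. Anything already in the overload table is dropped.
block in quick on $ext_if from <bruteforce>

# 3. Everyone else: at most 10 completed connections at once, and no more than
#    5 new completed handshakes per 30 seconds; offenders go to <bruteforce>
#    and all their existing states are killed ("flush global").
pass in on $ext_if proto tcp from any to ($ext_if) port ssh \
    flags S/SA keep state \
    (max-src-conn 10, max-src-conn-rate 5/30, overload <bruteforce> flush global)
```

To check what the overload rule has caught, and to recover a host that was added by mistake, use `pfctl -t bruteforce -T show` and `pfctl -t bruteforce -T delete 198.51.100.7` (address chosen for illustration). Note that rule 1 only protects addresses you list in `<trusted>`; a roaming admin connecting from an unknown address is still subject to rule 3, so size the rate against your real login patterns rather than guessing.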