Date: Sat, 27 Jan 2001 21:16:11 +0100
From: Thomas Seck <tmseck@web.de>
To: David <habeeb@cfl.rr.com>
Cc: freebsd-security@freebsd.org
Subject: Re: Re: ICMP attacks
Message-ID: <20010127211611.A6334@basildon.homerun>
In-Reply-To: <01012714534001.22722@fortress>; from habeeb@cfl.rr.com on Sa , Jan 27, 2001 at 02:53:40pm -0500
References: <NEBBIEGPMLMKDBMMICFNOEHBECAA.mit@mitayai.net> <20010127170042.A737@basildon.homerun> <01012714534001.22722@fortress>

Hello David,

On Sa , Jan 27, 2001 at 02:53:40pm -0500, David wrote:
...
>
> I would suggest you set up some sort of local firewall. Using ipfw(8) with a
> dummynet(4) to help limit ICMP and SYN. Also I find it useful to use the
> following sysctl options so when a UDP or TCP packet is sent to a closed port
> on your box or there is no connection the kernel will discard the packet
> instead of sending back a reply (usually an RST):
> net.inet.udp.blackhole=1
> net.inet.tcp.blackhole=2

Beware that this is not what I would call "well behaved" -- imho there
is no need to let others run into timeouts. This is especially nasty
when you blackhole the ident service.

I do a reset via ipfw (like the kernel defaults to do anyway if the
probed ports were closed) and use the bandlim_exceeded warning as an
indicator for portscan activity out there, but YMMV of course.

Cheers,
Thomas Seck
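
The indicator mentioned in the message above, the kernel's response rate-limit warning, can be counted from syslog. This is an added example and not part of the original e-mail; the two message formats, the function names and the sample log lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: summarise kernel response rate-limit ("bandlim") messages.
# Assumed message formats (check against your own kernel log):
#   icmp-response bandwidth limit 312/200 pps
#   Limiting closed port RST response from 250 to 200 packets per second

# bandlim_summary: read syslog lines on stdin, print "events=N peak=P limit=L".
bandlim_summary() {
    awk '
        function record(s, l) {
            events++
            if (s + 0 > peak) peak = s + 0   # highest observed reply rate
            limit = l + 0                    # configured limit from last event
        }
        /icmp-response bandwidth limit [0-9]+\/[0-9]+ pps/ {
            # the "<seen>/<limit>" token carries both numbers
            for (i = 1; i <= NF; i++)
                if ($i ~ /^[0-9]+\/[0-9]+$/) { split($i, r, "/"); seen = r[1]; lim = r[2] }
            record(seen, lim); next
        }
        /Limiting .* response from [0-9]+ to [0-9]+ packets/ {
            for (i = 1; i < NF; i++) {
                if ($i == "from") seen = $(i + 1)
                if ($i == "to")   lim  = $(i + 1)
            }
            record(seen, lim); next
        }
        END { printf "events=%d peak=%d limit=%d\n", events, peak, limit }
    '
}

# scan_suspected THRESHOLD: exit 0 when at least THRESHOLD events were logged.
scan_suspected() {
    events=$(bandlim_summary | sed 's/^events=\([0-9]*\).*/\1/')
    [ "$events" -ge "$1" ]
}

# Constructed sample log lines (not taken from a real host).
SAMPLE_LOG='Jan 27 21:10:03 myhost /kernel: icmp-response bandwidth limit 312/200 pps
Jan 27 21:10:04 myhost /kernel: icmp-response bandwidth limit 540/200 pps
Jan 27 21:10:09 myhost sshd[211]: Connection from 192.0.2.7 port 1022
Jan 27 21:10:11 myhost kernel: Limiting closed port RST response from 250 to 200 packets per second'

printf '%s\n' "$SAMPLE_LOG" | bandlim_summary
```

These warnings are only logged while the host is still answering probes of closed ports, so a host with the blackhole sysctls enabled will not produce them.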