Date:      Fri, 18 Jun 1999 12:28:02 -0600 (MDT)
From:      Brendan Conoboy <synk@swcp.com>
To:        avalon@coombs.anu.edu.au, jwyatt@RWSystems.net
Cc:        freebsd-security@FreeBSD.ORG
Subject:   Re: ipf howto, tada
Message-ID:  <199906181828.MAA04041@kitsune.swcp.com>

> > FWIW, you might like to mention the "log-or-block" option where it will
> > block a packet to be pass'd and logged if it cannot log it due to the
> > log buffer being too full.
> > 
> > i.e.
> > pass in log first or-block on vx0 proto tcp from any to any port = 80 flags S/SA keep state
> > 
> > Here we say only log the first packet for this connection as recorded by
> > "keep state", but if it can't be logged, then block it.
> 
> Neat trick! Could this easily be used for DOS? I like this idea, but want
> to understand it. If you filled the syslogs with dummy attempts, would it
> block access, preventing you from cycling syslog files?

I suspect the idea is to thwart the attack method where the attacker
first fills the log drive, then proceeds with the attack, knowing their
actions won't be logged.  That's what I'm putting in the howto, anyway :-)

I'll add the obvious caveat (network can be shut down by causing log
failure), too.

-Brendan (synk@swcp.com)
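The two rule forms discussed in the thread, side by side in a small ruleset. This is an added, constructed example and is not part of the original message or the howto; the interface name vx0 comes from the quoted rule, while the port numbers and the surrounding rules are assumptions chosen for illustration.

```text
# Constructed ipf ruleset (example only; vx0 taken from the quoted rule,
# ports and the block-all rule are assumptions).

# Default deny on the external interface, logging what is dropped.
block in log on vx0 all

# Fail-open logging: only the first packet of each stateful session is
# logged. If the kernel log buffer is full, the packet is passed anyway
# and the connection start is never recorded.
pass in log first on vx0 proto tcp from any to any port = 22 flags S/SA keep state

# Fail-closed logging, as described in the thread: the first packet of each
# new session must be logged; if it cannot be logged because the log buffer
# is full, the packet is blocked instead of passed.
pass in log first or-block on vx0 proto tcp from any to any port = 80 flags S/SA keep state
```

The difference only matters when logging fails, which is exactly the case the or-block form is meant to cover: an attacker who can saturate the log buffer before acting would otherwise get unlogged connections. The trade-off is the caveat from the message above: with or-block, the same saturation denies new connections on that rule, so the log reader (ipmon) and the disk it writes to need to be watched for backlog or exhaustion, and a rule like this belongs on services where an unlogged session is worse than a refused one.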
