Date:      Tue, 16 Apr 2002 11:22:29 -0500 (CDT)
From:      admin <admin@crimelords.org>
To:        Mike Silbersack <silby@silby.com>
Cc:        freebsd-security@FreeBSD.ORG
Subject:   Re: Limiting closed port RST response from 381 to 200 p
Message-ID:  <Pine.BSF.4.44.0204161118120.33917-100000@crimelords.org>
In-Reply-To: <20020415201908.O5071-100000@patrocles.silby.com>



On Mon, 15 Apr 2002, Mike Silbersack wrote:

>
> On Tue, 16 Apr 2002, Andrew Johns wrote:
>
> > Actually Sheldon I think that's a great idea - helps with
> > syslog DoS somewhat as well.  Anybody else care to contemplate
> > making it either a default or sysctl (ICMP_BANDLIMIT_DOSLIMIT?)
> >
> > AJ
>
> As the messages are limited to once per second, it's not really a syslog
> DoS.  Just an annoyance, as Sheldon mentions.  I think that seeing the
> rate is useful, although having a sysctl which allows one to switch over
> to the format Sheldon uses could be useful.  I have considered MFCing the
> sysctl which disables the display of these messages and making off the
> default, given that many people seem to panic when seeing "limiting blah".
>
> As the rate of incoming packets seems pretty steady, I'd wager that
> Christoph is being scanned by nmap or some similar tool.  A true DoS would
> probably involve a much higher packet rate.
>
> Mike "Silby" Silbersack

Higher rate like what I see on a few of my irc shell servers:
Limiting icmp unreach response from 5263 to 200 packets per second
Limiting icmp unreach response from 5202 to 200 packets per second
Limiting icmp unreach response from 5233 to 200 packets per second
Limiting icmp unreach response from 5216 to 200 packets per second
Limiting icmp unreach response from 5228 to 200 packets per second

This fills dmesg and messages constantly and the coalescing is a God-send
when you have a few hours of DoS.  I agree with having a sysctl to switch
so that I can decide myself and also differentiate between scans and attacks.

-emac
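
The coalescing and scan-versus-attack distinction discussed in this message can also be done after the fact on the log itself. The following is an added example, not code from the thread or from FreeBSD: it parses the "Limiting ... response" lines, collapses consecutive ones into a single summary, and labels each run. The `FLOOD_FACTOR` cut-off, the syslog prefix, the host name `shell1` and the 379 rate are assumptions made for illustration.

```python
import re
from itertools import groupby

# Message format as quoted in the thread; the text before "Limiting" is ignored.
BANDLIMIT_RE = re.compile(
    r"Limiting (?P<kind>.+?) response from (?P<seen>\d+) "
    r"to (?P<limit>\d+) packets per second"
)

# Assumption, not a FreeBSD value: a rate of at least 10x the limit is
# labelled flood-like, anything lower scan-like. Tune per host.
FLOOD_FACTOR = 10


def parse(lines):
    """Yield (kind, seen, limit) for each bandlimit message, skipping other lines."""
    for line in lines:
        m = BANDLIMIT_RE.search(line)
        if m:
            yield m["kind"], int(m["seen"]), int(m["limit"])


def classify(seen, limit):
    return "flood-like" if seen >= FLOOD_FACTOR * limit else "scan-like"


def coalesce(lines):
    """Collapse consecutive messages of the same kind and class into one summary."""
    events = [(kind, classify(seen, limit), seen) for kind, seen, limit in parse(lines)]
    summaries = []
    for (kind, label), run in groupby(events, key=lambda e: e[:2]):
        rates = [seen for _, _, seen in run]
        summaries.append({"kind": kind, "class": label, "messages": len(rates),
                          "min": min(rates), "peak": max(rates)})
    return summaries


# Constructed sample log: rates 381, 5263, 5202 and 5233 are taken from the thread.
SAMPLE = [
    "Apr 16 11:20:01 shell1 /kernel: Limiting closed port RST response from 381 to 200 packets per second",
    "Apr 16 11:20:02 shell1 /kernel: Limiting closed port RST response from 379 to 200 packets per second",
    "Apr 16 11:20:02 shell1 sshd[411]: Connection closed by 192.0.2.7",
    "Apr 16 11:21:10 shell1 /kernel: Limiting icmp unreach response from 5263 to 200 packets per second",
    "Apr 16 11:21:11 shell1 /kernel: Limiting icmp unreach response from 5202 to 200 packets per second",
    "Apr 16 11:21:12 shell1 /kernel: Limiting icmp unreach response from 5233 to 200 packets per second",
]

if __name__ == "__main__":
    for ep in coalesce(SAMPLE):
        print("{kind}: {class} x{messages} (min {min}, peak {peak} pps)".format(**ep))
```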




To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message



