Date: Tue, 21 Mar 2000 15:38:42 +0000 (GMT)
From: Paul Robinson <wigstah@akitanet.co.uk>
To: Mikel <mikel@upan.org>
Cc: Alexander Langer <alex@big.endian.de>, freebsd-net@FreeBSD.ORG
Subject: Re: ipfw fwd to requester's ip
Message-ID: <Pine.BSF.4.21.0003211534220.59528-100000@jake.akitanet.co.uk>
In-Reply-To: <38D76AE9.3375FE3B@upan.org>
On Tue, 21 Mar 2000, Mikel wrote:

> On a side note, you can run ipfw/divert/stealth in combination with
> tcpwrappers to accomplish any of these tasks. Whether it be recording the time
> stamp et cetera, or altering your ruleset to reroute the scanner's scans back
> at them...personally, as much of a nuisance as it is, I prefer to let them
> scan and I still contact the offender's ISP and go all through the motions...I
> just don't hold my breath any more...;|

Again, there is a DoS problem inherent in dynamically updating rulesets. First of all, it requires additional processing to add the ruleset and secondly it requires additional processing of incoming traffic. Distributed Denial-of-Service tools would be able to get your box down to a grind far quicker than if you just let them flood you with traffic. The solution here is, rather than update the rulesets on the box itself, update them one hop up at the router. This way, your box stays alive, you're protected against the DoS and you're going to be adding additional load to your server (which is what the attackers want).

I have to say at the moment I let most of the scans go un-noticed unless it's one of my own users. I will however retain all the packets and try and do a little bit of pattern matching - same host scans every night etc., and try and inform in those situations as it could be a signature of a compromised host.

-- 
Paul Robinson - Developer/Systems Administrator @ Akitanet Internet

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-net" in the body of the message
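The offline pattern matching Paul describes (retain the logged packets, look for the same host scanning every night) as an added example; this is not code from the thread. It assumes ipfw rules with the `log` option writing to syslog, and the log lines, hosts and dates below are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample in the shape ipfw writes to syslog when a rule has the
# "log" option; addresses and timestamps are made up for this example.
SAMPLE_LOG = """\
Mar 19 02:11:07 jake /kernel: ipfw: 1000 Deny TCP 192.0.2.10:40123 198.51.100.5:22 in via fxp0
Mar 19 02:11:08 jake /kernel: ipfw: 1000 Deny TCP 192.0.2.10:40124 198.51.100.5:23 in via fxp0
Mar 19 14:30:00 jake /kernel: ipfw: 1000 Deny TCP 203.0.113.7:3312 198.51.100.5:80 in via fxp0
Mar 20 02:13:41 jake /kernel: ipfw: 1000 Deny TCP 192.0.2.10:40555 198.51.100.5:22 in via fxp0
Mar 20 02:13:42 jake /kernel: ipfw: 1000 Deny TCP 192.0.2.10:40556 198.51.100.5:25 in via fxp0
Mar 21 02:09:15 jake /kernel: ipfw: 1000 Deny TCP 192.0.2.10:41002 198.51.100.5:22 in via fxp0
Mar 21 09:45:10 jake /kernel: ipfw: 1000 Deny UDP 203.0.113.7:5353 198.51.100.5:53 in via fxp0
"""

# syslog prefix, then "ipfw: <rule> <action> <proto> <src>:<sport> <dst>:<dport> ..."
LINE_RE = re.compile(
    r"^(?P<mon>\w{3}) +(?P<day>\d+) (?P<hour>\d\d):\d\d:\d\d \S+ \S+ ipfw: "
    r"(?P<rule>\d+) (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
)

def parse_ipfw_log(text):
    """Return one dict per parseable ipfw log line; other lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events

def recurring_scanners(events, min_nights=2, min_ports=2, night=(0, 6)):
    """Sources seen on at least min_nights distinct days, probing at least
    min_ports distinct destination ports, during hours [night[0], night[1])."""
    nights = defaultdict(set)   # src -> set of (month, day) it was seen
    ports = defaultdict(set)    # src -> set of destination ports it touched
    for e in events:
        hour = int(e["hour"])
        if night[0] <= hour < night[1]:
            nights[e["src"]].add((e["mon"], e["day"]))
            ports[e["src"]].add(e["dport"])
    return sorted(src for src in nights
                  if len(nights[src]) >= min_nights and len(ports[src]) >= min_ports)

if __name__ == "__main__":
    for src in recurring_scanners(parse_ipfw_log(SAMPLE_LOG)):
        print("recurring night-time scanner (candidate compromised host):", src)
```

The matching runs over retained logs after the fact, so it adds no per-packet work to the firewall host, which is the point of Paul's objection to rewriting rulesets on the box under attack.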