From owner-freebsd-security  Mon May 24  9: 9:23 1999
Delivered-To: freebsd-security@freebsd.org
Received: from lariat.lariat.org (lariat.lariat.org [206.100.185.2])
	by hub.freebsd.org (Postfix) with ESMTP id 7877115469
	for <freebsd-security@FreeBSD.ORG>; Mon, 24 May 1999 09:09:20 -0700 (PDT)
	(envelope-from brett@lariat.org)
Received: from mustang.lariat.org (IDENT:ppp0.lariat.org@lariat.lariat.org [206.100.185.2])
	by lariat.lariat.org (8.9.3/8.9.3) with ESMTP id KAA04281;
	Mon, 24 May 1999 10:03:42 -0600 (MDT)
Message-Id: <4.2.0.37.19990524100208.04727460@localhost>
X-Sender: brett@localhost
X-Mailer: QUALCOMM Windows Eudora Pro Version 4.2.0.37 (Beta)
Date: Mon, 24 May 1999 10:03:38 -0600
To: Poul-Henning Kamp <phk@critter.freebsd.dk>,
	Michael Richards <026809r@dragon.acadiau.ca>
From: Brett Glass <brett@lariat.org>
Subject: Re: Denial of service attack from "imagelock.com" 
Cc: freebsd-security@FreeBSD.ORG
In-Reply-To: <11146.927527966@critter.freebsd.dk>
References: <Your message of "Mon, 24 May 1999 02:00:12 -0300." <Pine.GSO.4.05.9905240157240.20631-100000@dragon>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

I like this idea. BUT.... You'll still get their SYNs and use up kernel
memory. (Only the OUTBOUND packets will disappear into a black hole.)
memory for awhile. Any way to filter the incoming ones without installing 
a full-up firewall?

--Brett

At 08:39 AM 5/24/99 +0200, Poul-Henning Kamp wrote:
>In message <Pine.GSO.4.05.9905240157240.20631-100000@dragon>, Michael Richards 
>writes:
> >On Sun, 23 May 1999, Brett Glass wrote:
> >
> >> The Webmasters on this list may want to look over their logs to see
> >> if they've been hit and not known it. grep your logs for imagelock.com;
> >> if you find that they're abusing your server, you may want to firewall 
> >I noticed we were hit by them this evening. 1250 requests in a few
> >minutes. Since we're not running a firewall, is there a recommended method
> >of filtering such people out? I think I did it with apache, but I'm
> >wondering if there is a better method.
>
>Add a blackhole route to them:
>
>         route add -net <IP> -netmask <MASK> 127.0.0.1 -blackhole
>
>--
>Poul-Henning Kamp             FreeBSD coreteam member
>phk@FreeBSD.ORG               "Real hackers run -current on their laptop."
>FreeBSD -- It will take a long time before progress goes too far!
>
>
>To Unsubscribe: send mail to majordomo@FreeBSD.org
>with "unsubscribe freebsd-security" in the body of the message



To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message