From owner-freebsd-security Sun Sep 23 18:01:25 2001
Delivered-To: freebsd-security@freebsd.org
Received: from cage.simianscience.com (cage.simianscience.com [64.7.134.1]) by hub.freebsd.org (Postfix) with ESMTP id 2968837B428 for ; Sun, 23 Sep 2001 18:01:21 -0700 (PDT)
Received: from chimp.sentex.net (fcage [192.168.0.2]) by cage.simianscience.com (8.11.6/8.11.6) with ESMTP id f8O11HS00711; Sun, 23 Sep 2001 21:01:17 -0400 (EDT) (envelope-from mike@sentex.net)
Message-Id: <5.1.0.14.0.20010923205904.03bb7bb8@192.168.0.12>
X-Sender: mdtancsa@192.168.0.12
X-Mailer: QUALCOMM Windows Eudora Version 5.1
Date: Sun, 23 Sep 2001 21:01:16 -0400
To: Chris BeHanna
From: Mike Tancsa
Subject: Re: New worm protection
Cc: security@FreeBSD.ORG
In-Reply-To: <20010923205118.Y52704-100000@topperwein.dyndns.org>
References: <200109230836.f8N8akx29012@faith.cs.utah.edu>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

At 08:57 PM 9/23/2001 -0400, Chris BeHanna wrote:
>     The trouble with triggering ipfw/ipchain rules is that as the
> ruleset gets large, network performance gets slow (rulesets are
> searched linearly).  A nice compromise would be to gather statistics
> on the attackers and just firewall out the top 10 or 20 or so.

Another option is to null route the IP address -- e.g. add a /32 route to ds0. One problem with this and blocking in general is that in some cases, the infected machines are from dynamic IP addresses. You would be punishing innocent users.
---Mike

--------------------------------------------------------------------
Mike Tancsa, tel +1 519 651 3400
Sentex Communications, mike@sentex.net
Providing Internet since 1994 www.sentex.net
Cambridge, Ontario Canada www.sentex.net/mike

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
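The two ideas in this exchange, ranking attackers from firewall logs and null-routing the worst of them to the discard interface, combined into one small script. This is an added example, not code from either poster; the ipfw log lines are constructed, the log field layout and the `route add -host ... -interface ds0` form are assumptions, and the route commands are printed for review rather than executed so that dynamic addresses are not blocked blindly.

```sh
#!/bin/sh
# Added example: rank sources seen in ipfw "Deny ... log" lines and
# emit null-route commands (to ds0, the discard interface) for the top
# N sources that exceed a minimum hit count.  Commands are printed, not
# run, so an operator can review them first.

# Constructed sample log lines (not real traffic); field layout assumed.
SAMPLE_LOG='Sep 23 20:51:01 gw /kernel: ipfw: 100 Deny TCP 10.0.0.5:3421 192.0.2.10:80 in via fxp0
Sep 23 20:51:02 gw /kernel: ipfw: 100 Deny TCP 10.0.0.5:3422 192.0.2.10:80 in via fxp0
Sep 23 20:51:02 gw /kernel: ipfw: 100 Deny TCP 10.0.0.7:1044 192.0.2.10:80 in via fxp0
Sep 23 20:51:03 gw /kernel: ipfw: 100 Deny TCP 10.0.0.5:3423 192.0.2.10:80 in via fxp0
Sep 23 20:51:04 gw /kernel: ipfw: 100 Deny TCP 10.0.0.9:2201 192.0.2.10:80 in via fxp0
Sep 23 20:51:05 gw /kernel: ipfw: 100 Deny TCP 10.0.0.7:1045 192.0.2.10:80 in via fxp0'

# top_sources N MIN: read log lines on stdin, print "hits ip" for at most
# N source addresses with at least MIN hits, busiest first.
top_sources() {
    awk -v min="$2" '
        /ipfw:/ {
            # source is the 4th field after "ipfw:" (rule, action, proto, src)
            for (j = 1; j <= NF; j++) if ($j == "ipfw:") { src = $(j + 4); break }
            sub(/:[0-9]+$/, "", src)      # strip the source port
            hits[src]++
        }
        END { for (s in hits) if (hits[s] >= min) print hits[s], s }
    ' | sort -rn | head -n "$1"
}

# null_route_cmds: turn "hits ip" lines into reviewable /32 null routes.
# Keeping the hit count in a comment helps decide whether a source is a
# persistent attacker or a dynamic address that will move on by itself.
null_route_cmds() {
    while read -r count ip; do
        echo "route add -host $ip -interface ds0   # $count hits"
    done
}

# Usage: the 10 worst sources with at least 2 hits, as route commands.
printf '%s\n' "$SAMPLE_LOG" | top_sources 10 2 | null_route_cmds
```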