Date: Tue, 16 Apr 2002 11:29:10 -0700
From: faSty <fasty@i-sphere.com>
To: admin <admin@crimelords.org>
Cc: freebsd-security@freebsd.org
Subject: Re: Limiting closed port RST response from 381 to 200 p
Message-ID: <20020416112910.A59668@i-sphere.com>
In-Reply-To: <Pine.BSF.4.44.0204161118120.33917-100000@crimelords.org>; from admin@crimelords.org on Tue, Apr 16, 2002 at 11:22:29AM -0500
References: <20020415201908.O5071-100000@patrocles.silby.com> <Pine.BSF.4.44.0204161118120.33917-100000@crimelords.org>
Just install snort with guardian. It helps stop the abusers attacking your server. Snort monitors the packets; when it detects a DoS it sends an alert to syslog, so guardian finds snort's alert in syslog and places a deny firewall rule on that host, with a timer to remove the deny rule. I received a lot of DoS pretty often. I was fed up, and putting in snort/guardian helped a lot.

-trev

On Tue, Apr 16, 2002 at 11:22:29AM -0500, admin wrote:
>
>
> On Mon, 15 Apr 2002, Mike Silbersack wrote:
>
> > On Tue, 16 Apr 2002, Andrew Johns wrote:
> >
> > > Actually Sheldon I think that's a great idea - helps with
> > > syslog DoS somewhat as well. Anybody else care to contemplate
> > > making it either a default or sysctl (ICMP_BANDLIMIT_DOSLIMIT?)
> > >
> > > AJ
> >
> > As the messages are limited to once per second, it's not really a syslog
> > DoS. Just an annoyance, as Sheldon mentions. I think that seeing the
> > rate is useful, although having a sysctl which allows one to switch over
> > to the format Sheldon uses could be useful. I have considered MFCing the
> > sysctl which disables the display of these messages and making off the
> > default, given that many people seem to panic when seeing "limiting blah".
> >
> > As the rate of incoming packets seems pretty steady, I'd wager that
> > Christoph is being scanned by nmap or some similar tool. A true DoS would
> > probably involve a much higher packet rate.
> >
> > Mike "Silby" Silbersack
>
> Higher rate like what I see on a few of my irc shell servers:
> Limiting icmp unreach response from 5263 to 200 packets per second
> Limiting icmp unreach response from 5202 to 200 packets per second
> Limiting icmp unreach response from 5233 to 200 packets per second
> Limiting icmp unreach response from 5216 to 200 packets per second
> Limiting icmp unreach response from 5228 to 200 packets per second
>
> This fills dmesg and messages constantly and the coalescing is a God-send
> when you have a few hours of DoS. I agree with having a sysctl to switch
> so that I can decide myself and also differentiate between scans and attacks.
>
> -emac
>
> > To Unsubscribe: send mail to majordomo@FreeBSD.org
> > with "unsubscribe freebsd-security" in the body of the message

--
Heuristics are bug ridden by definition. If they didn't have bugs, then they'd be algorithms.
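Added example, not code from the thread or from FreeBSD: a small Python parser for the "Limiting ... response from N to 200 packets per second" kernel lines quoted above, grouping them by response type and labelling a steady low rate as scan-like and a high rate as flood-like, which is the distinction Silby and emac draw. The sample lines are constructed from the numbers in the thread, and the 2000 pps cut-off is an assumed threshold, not a FreeBSD value.

```python
import re
from statistics import mean, pstdev

# Constructed sample dmesg lines in the format quoted in the thread:
# a steady ~381 pps burst (scan-like) and a ~5200 pps burst (flood-like).
SAMPLE_DMESG = """\
Limiting closed port RST response from 381 to 200 packets per second
Limiting closed port RST response from 379 to 200 packets per second
Limiting closed port RST response from 383 to 200 packets per second
Limiting icmp unreach response from 5263 to 200 packets per second
Limiting icmp unreach response from 5202 to 200 packets per second
Limiting icmp unreach response from 5233 to 200 packets per second
Limiting icmp unreach response from 5216 to 200 packets per second
"""

LIMIT_RE = re.compile(
    r"Limiting (?P<kind>.+?) response from (?P<seen>\d+) "
    r"to (?P<cap>\d+) packets per second"
)


def parse_limit_lines(text):
    """Map each response kind (e.g. 'icmp unreach') to its observed rates."""
    rates = {}
    for line in text.splitlines():
        m = LIMIT_RE.search(line)
        if m:
            rates.setdefault(m.group("kind"), []).append(int(m.group("seen")))
    return rates


def classify(rates, dos_threshold=2000):
    """Label each kind 'scan-like' or 'flood-like' from its average rate.

    dos_threshold (pps) is an assumed cut-off between the ~381 pps the
    thread attributes to a scanner and the 5000+ pps it calls a DoS.
    """
    out = {}
    for kind, seen in rates.items():
        avg = mean(seen)
        steady = bool(avg) and pstdev(seen) / avg < 0.05  # low spread
        label = "flood-like" if avg >= dos_threshold else "scan-like"
        out[kind] = {"samples": len(seen), "avg_pps": int(avg),
                     "steady": steady, "label": label}
    return out


if __name__ == "__main__":
    for kind, info in classify(parse_limit_lines(SAMPLE_DMESG)).items():
        print(f"{kind}: {info}")
```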