Re: flood attacks

From: Mike Tancsa (mike@sentex.net)
Date: 09/27/01


Date: Thu, 27 Sep 2001 12:57:48 -0400
To: "Ronan Lucio" <ronan@melim.com.br>
From: Mike Tancsa <mike@sentex.net>


The problem is that once it's in your network, it's too late so to speak. You
want to involve your ISP to get them to limit it before it traverses your
link. If you are lucky the packets are not random junk and you can block
on the source IP. Are they hitting the same port? Are they coming from
random IPs? As someone said,
sysctl -w net.inet.tcp.log_in_vain=1
sysctl -w net.inet.udp.log_in_vain=1

If they are not hitting random ports and hitting say your web server,
ipfw add 10 count log tcp from any to me 80;sleep 10;ipfw delete 10
and look at /var/log/security and see where the junk is coming from.

         ---Mike

At 01:41 PM 9/27/01 -0300, Ronan Lucio wrote:
>Hi Dave,
>
>But, in my case, I looked at mrtg graphics and saw that
>it had big flow during 1 hour.
>So, I supposed to prevent such situation.
>
>[ ]'s
>
>Ronan Lucio
>
> > > Limiting closed port RST response from 1800 to 200 packets per
>second.
> >
> > Awhile back, I managed to reproduce this by portscanning myself with a
> > very fast scanner which doesn't wait for any kind of response from the
> > server before testing the next port. The 1800 to 200 message thing sounds
> > quite general, so you could be getting flooded with lots of different
> > kinds of data. If the messages come in briefly and then stop for awhile
> > (rather than a continuous flow) you could just be getting a fast port scan.
> >
> >
> > To Unsubscribe: send mail to majordomo@FreeBSD.org
> > with "unsubscribe freebsd-security" in the body of the message
> >
> >
>
>
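One way to read the /var/log/security output that the temporary `ipfw add 10 count log ...` rule in the reply above produces, answering its two questions (same port? random source IPs?). This is an added example, not part of the original message; the function names are hypothetical, the log line layout (`ipfw: <rule> Count TCP SRC:PORT DST:PORT in via IF`) is an assumption about the kernel's log format, and the sample lines are constructed from documentation address ranges.

```shell
#!/bin/sh
# Added example: tally ipfw "count log" hits by source IP or destination port.
RULE=10   # rule number used in the message above

# Constructed sample of /var/log/security lines (assumed layout).
sample_log() {
cat <<'EOF'
Sep 27 12:40:01 gw /kernel: ipfw: 10 Count TCP 198.51.100.7:4021 192.0.2.10:80 in via fxp0
Sep 27 12:40:01 gw /kernel: ipfw: 10 Count TCP 198.51.100.7:4022 192.0.2.10:80 in via fxp0
Sep 27 12:40:02 gw /kernel: ipfw: 10 Count TCP 198.51.100.7:4023 192.0.2.10:80 in via fxp0
Sep 27 12:40:02 gw /kernel: ipfw: 10 Count TCP 203.0.113.44:1500 192.0.2.10:80 in via fxp0
Sep 27 12:40:03 gw /kernel: ipfw: 600 Deny UDP 203.0.113.9:53 192.0.2.10:1025 in via fxp0
EOF
}

# Read log lines on stdin; print "<hits> <value>" sorted by hits, where
# <value> is the source IP ($1 = src) or the destination port ($1 = dport).
ipfw_tally() {
    awk -v rule="$RULE" -v field="$1" '
        {
            # Find the "ipfw:" token so the syslog prefix width does not matter.
            for (i = 1; i <= NF; i++) if ($i == "ipfw:") break
            if (i > NF || $(i+1) != rule) next   # other rules, other daemons
            src = $(i+4); dst = $(i+5)
            sub(/:[0-9]+$/, "", src)             # drop the source port
            n = split(dst, d, ":")
            seen[(field == "src") ? src : d[n]]++
        }
        END { for (k in seen) print seen[k], k }
    ' | sort -k1,1nr -k2,2
}

# Print "<percent> <ip>" for the busiest source. A high share means a
# source-IP block can help; a low share points to spread or spoofed sources.
top_source_share() {
    ipfw_tally src | awk '
        { total += $1; if (NR == 1) { top = $1; ip = $2 } }
        END { if (total) printf "%d %s\n", top * 100 / total, ip }'
}

sample_log | ipfw_tally src
sample_log | ipfw_tally dport
sample_log | top_source_share
```

On a live host, feed the functions from the log file instead of the sample, for example `ipfw_tally src < /var/log/security`.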


