From owner-freebsd-security Sat Jan 27 12:14:28 2001
Delivered-To: freebsd-security@freebsd.org
Received: from public.ndh.com (public.ndh.net [195.94.90.21])
	by hub.freebsd.org (Postfix) with ESMTP id 2343A37B400
	for ; Sat, 27 Jan 2001 12:14:10 -0800 (PST)
Received: from localhost (port1093.duesseldorf.ndh.net [62.40.8.93])
	by public.ndh.com (8.9.3/8.8.0) with ESMTP id VAA05244;
	Sat, 27 Jan 2001 21:13:24 +0100 (MET)
Received: from tmseck by localhost with local (Exim 3.20 #1)
	id 14Mblb-0001f6-00; Sat, 27 Jan 2001 21:16:11 +0100
Date: Sat, 27 Jan 2001 21:16:11 +0100
From: Thomas Seck
To: David
Cc: freebsd-security@freebsd.org
Subject: Re: Re: ICMP attacks
Message-ID: <20010127211611.A6334@basildon.homerun>
Mail-Followup-To: Thomas Seck , David , freebsd-security@freebsd.org
References: <20010127170042.A737@basildon.homerun> <01012714534001.22722@fortress>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <01012714534001.22722@fortress>; from habeeb@cfl.rr.com on Sa , Jan 27, 2001 at 02:53:40pm -0500
Organization: Die Teilchenbeschleuniger
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Hello David,

On Sa , Jan 27, 2001 at 02:53:40pm -0500, David wrote:
...
>
> I would suggest you set up some sort of local firewall. Using ipfw(8) with a
> dummynet(4) to help limit ICMP and SYN. Also I find it useful to use the
> following sysctl options so when a UDP or TCP packet is sent to a closed port
> on your box or there is no connection the kernel will discard the packet
> instead of sending back a reply (usually an RST):
> net.inet.udp.blackhole=1
> net.inet.tcp.blackhole=2

Beware that this is not what I would call "well behaved" -- imho there is no
need to let others run into timeouts. This is especially nasty when you
blackhole the ident service.

I do a reset via ipfw (like the kernel defaults to do anyway if the probed
ports were closed) and use the bandlim_exceeded warning as an indicator for
portscan activity out there, but YMMV of course.

Cheers,
Thomas Seck
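
An added example, not part of the original thread: a shell filter for the approach in the reply above, which treats the kernel's response rate-limit warnings as a portscan indicator. The two message wordings it matches and the sample log lines are assumptions (the wording varies by FreeBSD release), so adjust the patterns to what your own /var/log/messages shows.

```shell
#!/bin/sh
# Constructed sample of /var/log/messages lines (hostname and values are made up).
sample_log() {
cat <<'EOF'
Jan 27 21:10:03 host1 /kernel: Limiting closed port RST response from 412 to 200 packets per second
Jan 27 21:10:04 host1 /kernel: Limiting closed port RST response from 388 to 200 packets per second
Jan 27 21:10:05 host1 /kernel: Limiting closed port RST response from 530 to 200 packets per second
Jan 27 21:10:07 host1 /kernel: icmp-response bandwidth limit 231/200 pps
Jan 27 21:14:40 host1 /kernel: Limiting icmp unreach response from 205 to 200 packets per second
Jan 27 21:15:00 host1 ntpd[88]: time reset 0.2 s
EOF
}

# Print one line per (minute, response kind) that logged at least MIN_EVENTS
# rate-limit warnings (default 2). Reads syslog text on stdin.
bandlim_scan() {
    awk -v min="${1:-2}" '
    function record(kind, seen, limit,   key) {
        key = $1 " " $2 " " substr($3, 1, 5) " " kind   # bucket by minute
        if (!(key in events)) order[++n] = key
        events[key]++
        if (seen > peak[key]) peak[key] = seen
        lim[key] = limit
    }
    # Assumed newer wording: "Limiting <kind> from <seen> to <limit> packets per second"
    /Limiting .* from [0-9]+ to [0-9]+ packets per second/ {
        msg = $0; sub(/^.*Limiting /, "", msg)
        kind = msg; sub(/ from [0-9]+ to .*$/, "", kind)
        sub(/^.* from /, "", msg); split(msg, f, " ")
        record(kind, f[1] + 0, f[3] + 0); next
    }
    # Assumed older wording: "icmp-response bandwidth limit <seen>/<limit> pps"
    /icmp-response bandwidth limit [0-9]+\/[0-9]+ pps/ {
        msg = $0; sub(/^.*bandwidth limit /, "", msg); split(msg, f, "[/ ]")
        record("icmp-response", f[1] + 0, f[2] + 0); next
    }
    END {
        for (i = 1; i <= n; i++) {
            k = order[i]
            if (events[k] >= min)
                printf "%s events=%d peak=%d limit=%d\n", k, events[k], peak[k], lim[k]
        }
    }'
}

sample_log | bandlim_scan 2
```

A single warning in a minute is often ordinary noise; several in the same minute for closed-port RSTs is the pattern worth a look. With net.inet.tcp.blackhole or net.inet.udp.blackhole enabled the kernel sends no such responses, so there may be nothing for this filter to see.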