Date:      Wed, 13 Dec 2000 14:16:53 -0500 (EST)
From:      "Richard A. Steenbergen" <ras@e-gerbil.net>
To:        Bosko Milekic <bmilekic@technokratis.com>
Cc:        freebsd-net@freebsd.org, green@freebsd.org
Subject:   Re: Ratelimint Enhancement patch (Please Review One Last Time!)
Message-ID:  <Pine.BSF.4.21.0012131408570.816-100000@overlord.e-gerbil.net>
In-Reply-To: <Pine.BSF.4.21.0012131150310.24654-100000@jehovah.technokratis.com>

On Wed, 13 Dec 2000, Bosko Milekic wrote:

>        Suppressing udp flood/scan: 212/200 pps
>        Suppressing outgoing RST due to port scan: 202/200 pps
>        Suppressing outgoing RST due to ACK flood: 19725/200 pps
>        Suppressing ping flood: 230/200 pps
>        Suppressing icmp tstamp flood: 210/200 pps
> 
>   While the descriptions for the two RST cases can be accused
>   of oversimplification, they should cut down on questions by
>   users confused with the current terminology.  Experienced
>   users can always run a packet sniffer if they need more
>   exact knowledge of what's occurring.

I would be extremely careful with those descriptions... When you tell
people directly that something is an attack, even if it's not, there are
enough who will jump to immediate conclusions and begin making false
accusations. While it may be highly likely that the reason for those rate
limits is some kind of attack, it is not guaranteed, and I would be very
reluctant to so blatantly tell people that it is...

Personally I'd recommend straightforward descriptions like "RST due to no
listening socket". I also see no compelling reason to put ICMP Timestamp
in a separate queue, but what I would recommend is separate queues for
ICMP messages which would be defined as "query/response" and those which
would be called "error" messages. If someone needs more specific
protection they can use dummynet.

Just a thought...

-- 
Richard A Steenbergen <ras@e-gerbil.net>   http://www.e-gerbil.net/humble
PGP Key ID: 0x138EA177  (67 29 D7 BC E8 18 3E DA  B2 46 B3 D8 14 36 FE B6)
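
An added illustration of the queue split proposed in the message above (not part of the original e-mail and not FreeBSD's code): ICMP types are sorted into a query/response queue and an error queue, each rate-limited on its own and logged with a neutral description. The enum names, function names and limits are assumptions made for this example.

```c
#include <stdio.h>

/* Hypothetical queue classes; the names are illustrative only. */
enum rl_class { RL_ICMP_QUERY, RL_ICMP_ERROR, RL_TCP_RST_NOSOCK, RL_NCLASS };

/* Neutral descriptions: they state what is limited, not why. */
static const char *rl_desc[RL_NCLASS] = {
    "ICMP query/response",
    "ICMP error",
    "RST due to no listening socket",
};

struct rl_bucket { long sec; unsigned count; };
static struct rl_bucket buckets[RL_NCLASS];

/* Map an ICMP type to its queue; -1 means "not classified here". */
int icmp_class(unsigned type)
{
    switch (type) {
    case 0:  case 8:    /* echo reply / echo request */
    case 9:  case 10:   /* router advertisement / solicitation */
    case 13: case 14:   /* timestamp request / reply */
    case 15: case 16:   /* information request / reply */
    case 17: case 18:   /* address mask request / reply */
        return RL_ICMP_QUERY;
    case 3: case 4: case 5: case 11: case 12:
        /* unreachable, source quench, redirect, time exceeded, param problem */
        return RL_ICMP_ERROR;
    default:
        return -1;
    }
}

/* Per-second limiter: returns 1 if the packet may be sent, 0 if suppressed. */
int rl_allow(int cls, long now, unsigned limit)
{
    struct rl_bucket *b = &buckets[cls];
    if (b->sec != now) {            /* new second: report, then reset */
        if (b->count > limit)
            printf("Limiting %s: %u/%u pps\n", rl_desc[cls], b->count, limit);
        b->sec = now;
        b->count = 0;
    }
    return ++b->count <= limit;
}

int main(void)
{
    /* Constructed input: five timestamp requests in one second, limit 3. */
    for (int i = 0; i < 5; i++)
        rl_allow(icmp_class(13), 1, 3);
    rl_allow(icmp_class(13), 2, 3);  /* next second triggers the log line */
    return 0;
}
```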