Date:      Wed, 13 Dec 2000 14:42:53 -0500 (EST)
From:      "Richard A. Steenbergen" <ras@e-gerbil.net>
To:        Alfred Perlstein <bright@wintelcom.net>
Cc:        Bosko Milekic <bmilekic@technokratis.com>, freebsd-net@FreeBSD.ORG, green@FreeBSD.ORG
Subject:   Re: Ratelimint Enhancement patch (Please Review One Last Time!)
Message-ID:  <Pine.BSF.4.21.0012131432530.816-100000@overlord.e-gerbil.net>
In-Reply-To: <20001213112935.K16205@fw.wintelcom.net>

On Wed, 13 Dec 2000, Alfred Perlstein wrote:

> I think the word "possible" should be prepended to all of these messages.
> 
> Now I have a weird question, I've seen the ICMP response limit when
> getting pegged by a couple hundred hits per second on a port that isn't
> open by legitimate connections.
> 
> This would probably fall under:
>   > >        Suppressing outgoing RST due to port scan: 202/200 pps
> 
> Which is untrue, it should read something like:
> Suppressing outgoing RST due to high rate of connections on an unopen
> port (possible portscan): 202/200 pps

It could just as easily be a SYN flood against a single port... or a large
number of clients trying to connect to your crashed web server... :P Or
it could just as easily be an ack flood against a port without a listener
and be showing up in the "not the ack flood" counter.

Attaching motives and trying to play intrusion detection pattern analysis
games without complete information is dangerous, and none of these
routines qualify as advanced enough to make any such determination. IMHO
break it down by "RST from ports with or without a listener" (or open
port, whatever floats the boat) and be done with it. The major goal of
this code would seem to be to provide simple but fairly useful protection
against common attacks out of the box, not to provide analysis of the
attacks (since no useful analysis can be performed without looking further
anyways).

-- 
Richard A Steenbergen <ras@e-gerbil.net>   http://www.e-gerbil.net/humble
PGP Key ID: 0x138EA177  (67 29 D7 BC E8 18 3E DA  B2 46 B3 D8 14 36 FE B6)
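Added example, not code from the patch under discussion or from FreeBSD: a small C model of the split Richard proposes, one rate counter for RSTs answering segments to ports with a listener and one for ports without, reported in the neutral "count/limit pps" form without guessing at motive. The names rst_limiter, rst_ratecheck and the two classes are hypothetical; the counting follows the ppsratecheck() convention of counting every attempt, so the reported rate is the offered rate.

```c
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical names, not the patch's own: one counter per RST class. */
enum rst_class { RST_LISTENER = 0, RST_NO_LISTENER = 1, RST_NCLASS };

static const char *rst_class_name[RST_NCLASS] = {
    "ports with a listener", "ports without a listener"
};

struct rst_limiter {
    unsigned limit;                  /* RSTs per second allowed per class */
    unsigned count[RST_NCLASS];      /* attempts seen in the current second */
    unsigned window[RST_NCLASS];     /* the second count[] refers to */
    unsigned suppressed[RST_NCLASS]; /* running total of dropped RSTs */
};

/* Record one outgoing RST of class c at now_sec (whole seconds, supplied by
 * the caller so the example is deterministic). Returns true if it may be
 * sent. Every attempt is counted, ppsratecheck()-style, so the report shows
 * the offered rate ("202/200 pps"); it is printed on rollover to a new second. */
bool rst_ratecheck(struct rst_limiter *rl, enum rst_class c, unsigned now_sec)
{
    if (now_sec != rl->window[c]) {
        if (rl->count[c] > rl->limit)
            printf("Limiting outgoing RST from %s: %u/%u pps\n",
                   rst_class_name[c], rl->count[c], rl->limit);
        rl->window[c] = now_sec;
        rl->count[c] = 0;
    }
    rl->count[c]++;
    if (rl->count[c] > rl->limit) {
        rl->suppressed[c]++;
        return false;
    }
    return true;
}

int main(void)
{
    struct rst_limiter rl = { .limit = 200 };
    /* constructed input: 202 RSTs toward closed ports in second 1, one toward a
     * listening port; only the closed-port class is limited and reported */
    for (int i = 0; i < 202; i++)
        rst_ratecheck(&rl, RST_NO_LISTENER, 1);
    rst_ratecheck(&rl, RST_LISTENER, 1);
    return rst_ratecheck(&rl, RST_NO_LISTENER, 2) ? 0 : 1; /* prints 202/200 */
}
```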
