From: "Richard A. Steenbergen"
To: Alfred Perlstein
Cc: Bosko Milekic, freebsd-net@FreeBSD.ORG, green@FreeBSD.ORG
Date: Wed, 13 Dec 2000 14:42:53 -0500 (EST)
Subject: Re: Ratelimint Enhancement patch (Please Review One Last Time!)
In-Reply-To: <20001213112935.K16205@fw.wintelcom.net>

On Wed, 13 Dec 2000, Alfred Perlstein wrote:

> I think the word "possible" should be prepended to all of these messages.
>
> Now I have a weird question. I've seen the ICMP response limit when
> getting pegged by a couple hundred hits per second on a port that isn't
> open by legitimate connections.
>
> This would probably fall under:
>
> > Suppressing outgoing RST due to port scan: 202/200 pps
>
> Which is untrue; it should read something like:
> Suppressing outgoing RST due to high rate of connections on an unopen
> port (possible portscan): 202/200 pps

It could just as easily be a SYN flood against a single port... or a large
number of clients trying to connect to your crashed web server... :P

Or it could just as easily be an ack flood against a port without a
listener and be showing up in the "not the ack flood" counter.

Attaching motives and trying to play intrusion detection pattern analysis
games without complete information is dangerous, and none of these routines
qualify as advanced enough to make any such determination. IMHO, break it
down by "RST from ports with or without a listener" (or open port, whatever
floats the boat) and be done with it. The major goal of this code would seem
to be to provide simple but fairly useful protection against common attacks
out of the box, not to provide analysis of the attacks (since no useful
analysis can be performed without looking further anyways).

-- 
Richard A Steenbergen           http://www.e-gerbil.net/humble
PGP Key ID: 0x138EA177 (67 29 D7 BC E8 18 3E DA B2 46 B3 D8 14 36 FE B6)
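A per-second limiter of the kind the thread is arguing over, split by the "with or without a listener" distinction proposed above and logging a neutral "seen/limit pps" line instead of a guessed motive. This is an added illustration, not the FreeBSD patch under review; the category names, the 200 pps limit, the message wording and the constructed burst are assumptions.

```c
#include <stdio.h>
#include <string.h>
/* Assumed category split, following the thread's "with or without a listener"
 * suggestion instead of a guessed motive such as "port scan". */
enum rst_cat { RST_NO_LISTENER = 0, RST_LISTENER, RST_NCAT };

struct bandlim {
    const char *label;   /* neutral wording for the log line */
    int limit, count;    /* packets allowed per second / seen this second */
    long window;         /* which second the current count belongs to */
    char msg[128];       /* summary line for the last second that overflowed */
};

/* Assumed limit of 200 pps, matching the "202/200 pps" figure in the thread. */
static struct bandlim limits[RST_NCAT] = {
    { "RST from ports without a listener", 200, 0, 0, "" },
    { "RST from ports with a listener",    200, 0, 0, "" },
};

/* Returns 1 if this RST may be sent, 0 if it is suppressed.  When the second
 * changes and the previous one overflowed, one "seen/limit pps" line is kept. */
int bandlim_check(struct bandlim *b, long now)
{
    if (now != b->window) {
        if (b->count > b->limit)
            snprintf(b->msg, sizeof b->msg, "Suppressing outgoing %s: %d/%d pps",
                     b->label, b->count, b->limit);
        b->window = now;
        b->count = 0;
    }
    return ++b->count <= b->limit;
}

/* Offers `pkts` RSTs of one category during second `now`; returns how many passed. */
int simulate(enum rst_cat cat, int pkts, long now)
{
    int sent = 0;
    for (int i = 0; i < pkts; i++)
        sent += bandlim_check(&limits[cat], now);
    return sent;
}

const char *last_message(enum rst_cat cat) { return limits[cat].msg; }

int main(void)
{
    simulate(RST_NO_LISTENER, 202, 1000);   /* constructed burst: 202 RSTs in one second */
    simulate(RST_NO_LISTENER, 1, 1001);     /* one more a second later rolls the window */
    puts(last_message(RST_NO_LISTENER));    /* prints the 202/200 pps summary line */
}
```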