Date: Mon, 15 Apr 2002 11:14:22 -0400
From: The Anarcat <anarcat@anarcat.dyndns.org>
To: Sheldon Hearn <sheldonh@starjuice.net>
Cc: Andrew Johns <johnsa@kpi.com.au>, Christoph Kukulies <kuku@gilberto.physik.rwth-aachen.de>, freebsd-security@FreeBSD.ORG
Subject: General Rate-limiting in syslog(3) (was: Limiting closed port RST response from 381 to 200 p)
Message-ID: <20020415151422.GA302@lenny.anarcat.dyndns.org>
In-Reply-To: <13814.1018882311@axl.seasidesoftware.co.za>
References: <3CBAE191.9010200@kpi.com.au> <13814.1018882311@axl.seasidesoftware.co.za>
Branching off the topic here...

On Mon Apr 15, 2002 at 04:51:51PM +0200, Sheldon Hearn wrote:
> 
> On Tue, 16 Apr 2002 00:20:01 +1000, Andrew Johns wrote:
> 
> > Actually Sheldon I think that's a great idea - helps with
> > syslog DoS somewhat as well. Anybody else care to contemplate
> > making it either a default or sysctl (ICMP_BANDLIMIT_DOSLIMIT?)
> 
> In CURRENT, logging is conditional on a sysctl value; the message
> format is unchanged from that of STABLE, but logging can be turned off
> completely if desired. This seems to keep most people happy.
> 
> I don't think my preference (always seeing the messages, but having
> syslog coalesce them) is representative of the majority of folks to whom
> this matters.

Actually, what I would like would be a generic rate-limiting facility in
syslog(3) itself. That would make DoS much harder.

In particular, I got this idea from Linux's ipchains (or another fw
product, I don't remember which) which allows rule logging to be
explicitly rate-limited. That, IMHO, is much better than our logamount
facility, which is DoS-able easily, somehow. Just pour enough packets in
and ipfw doesn't log anything anymore. If we rate-limit this, with
logamount=0, we have much better control.

A.

-- 
From the age of uniformity, from the age of solitude, from the age of Big
Brother, from the age of doublethink - greetings!
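The contrast Anarcat draws, a fixed logamount cap that falls silent once exhausted versus a generic limiter that keeps reporting at a bounded rate, as an added example in C. This is not code from the thread or from FreeBSD's syslogd or ipfw; the `ratelimit_*` token bucket, the `logamount_*` model, the simulation functions and every parameter value are constructed here for illustration.

```c
#include <stdio.h>

/* Hypothetical token-bucket limiter for a syslog(3)-style facility
 * (constructed example). Time is in milliseconds and tokens are scaled
 * by 1000 so that refill and consumption are exact integer arithmetic. */
struct ratelimit {
    unsigned long rate;        /* average messages per second allowed   */
    unsigned long capacity;    /* burst size in millitokens (burst*1000) */
    unsigned long tokens;      /* millitokens currently available        */
    unsigned long last_ms;     /* time of the last refill                */
    unsigned long suppressed;  /* messages dropped since last accepted   */
};

void ratelimit_init(struct ratelimit *rl, unsigned long rate,
                    unsigned long burst, unsigned long now_ms)
{
    rl->rate = rate;
    rl->capacity = burst * 1000UL;
    rl->tokens = rl->capacity;
    rl->last_ms = now_ms;
    rl->suppressed = 0;
}

/* Returns 1 if a message may be logged at now_ms, 0 if it is suppressed.
 * On 1, *summary receives the number of messages suppressed since the
 * previous accepted one, so the caller can emit a "suppressed N messages"
 * line rather than losing the information silently. */
int ratelimit_allow(struct ratelimit *rl, unsigned long now_ms,
                    unsigned long *summary)
{
    if (now_ms > rl->last_ms) {
        /* rate tokens per second == rate millitokens per millisecond */
        unsigned long refill = (now_ms - rl->last_ms) * rl->rate;
        rl->tokens = (rl->capacity - rl->tokens < refill)
                         ? rl->capacity : rl->tokens + refill;
        rl->last_ms = now_ms;
    }
    if (rl->tokens >= 1000UL) {
        rl->tokens -= 1000UL;
        *summary = rl->suppressed;
        rl->suppressed = 0;
        return 1;
    }
    rl->suppressed++;
    return 0;
}

/* Model of a per-rule cap in the spirit of ipfw's logamount: once `limit`
 * messages have been logged the rule stays silent until the counter is
 * reset by an operator. A limit of 0 means unlimited. */
struct logamount { unsigned long limit; unsigned long logged; };

int logamount_allow(struct logamount *la)
{
    if (la->limit != 0 && la->logged >= la->limit)
        return 0;
    la->logged++;
    return 1;
}

struct sim_result {
    unsigned long flood_logged;  /* events logged during the flood         */
    int late_logged;             /* was the event after the quiet period logged */
    unsigned long late_summary;  /* suppressed count reported with it      */
};

/* Flood of n events, interval_ms apart, then one event after quiet_ms. */
struct sim_result simulate_ratelimit(unsigned long rate, unsigned long burst,
                                     unsigned long n, unsigned long interval_ms,
                                     unsigned long quiet_ms)
{
    struct ratelimit rl;
    struct sim_result r = {0, 0, 0};
    unsigned long i, summary = 0, t = 0;
    ratelimit_init(&rl, rate, burst, 0);
    for (i = 0; i < n; i++) {
        t = i * interval_ms;
        if (ratelimit_allow(&rl, t, &summary))
            r.flood_logged++;
    }
    t += quiet_ms;
    r.late_logged = ratelimit_allow(&rl, t, &summary);
    r.late_summary = r.late_logged ? summary : 0;
    return r;
}

struct sim_result simulate_logamount(unsigned long limit, unsigned long n)
{
    struct logamount la = { limit, 0 };
    struct sim_result r = {0, 0, 0};
    unsigned long i;
    for (i = 0; i < n; i++)
        if (logamount_allow(&la))
            r.flood_logged++;
    r.late_logged = logamount_allow(&la);   /* the attacker has gone quiet */
    return r;
}

int main(void)
{
    /* Constructed scenario: 1000 events in one second, then silence. */
    struct sim_result a = simulate_ratelimit(10, 5, 1000, 1, 2000);
    struct sim_result b = simulate_logamount(100, 1000);
    printf("token bucket: %lu/1000 flood events logged, late event logged=%d"
           " (%lu suppressed before it)\n",
           a.flood_logged, a.late_logged, a.late_summary);
    printf("logamount=100: %lu/1000 flood events logged, late event logged=%d\n",
           b.flood_logged, b.late_logged);
    return 0;
}
```

With a burst of 5 and 10 messages per second, the bucket logs 14 of the 1000 flood events and still logs the event that arrives after the flood, together with a count of what was dropped; the capped model logs its first 100 and then nothing at all, which is exactly the "pour enough packets in" failure described above.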