Date:      Fri, 28 Nov 2003 19:28:53 -0600
From:      Tillman Hodgson <tillman@seekingfire.com>
To:        FreeBSD questions List <freebsd-questions@freebsd.org>
Subject:   Re: security issue.
Message-ID:  <20031129012853.GK39368@seekingfire.com>
In-Reply-To: <5.2.0.9.2.20031128200802.0210dc40@pop.voyager.net>
References:  <20031128202947.M29020@kifco.net> <5.2.0.9.2.20031128200802.0210dc40@pop.voyager.net>

On Fri, Nov 28, 2003 at 08:11:23PM -0500, Dragoncrest wrote:
> >Limiting closed port RST response from 272 to 200 packets per second
<snip>
> > Can you disable all PINGS from router to my server?
<snip>
>         It may be best to do two things.  1st would be to disable pings to 
> and from the server at the router by putting in an ACL on the router.

No. The problem is clearly TCP related, not ICMP. Disabling pings won't
help and it can make future network troubleshooting more difficult.

The clue is that it said "port" and "RST". TCP reset packets are sent in
response to TCP connections, not in response to ICMP packets.

> The second thing you'll want to do is block access to that machine via
> the router from any suspect IP's or IP blocks that you suspect might
> be attacking your machine.  They already know it's there, so they're
> going to begin or continue to try to attack it now, so you'll want to
> block them from being able to access it now. Once you've done that,
> keep an eye on your machine for a while for any other possible
> attacks.  Once they stop and nothing shows up for about 2 weeks it
> should be safe to remove the ACL's from the router, but continue to
> monitor it for a while longer just to be sure and add them back if
> necessary.

This is a much better idea. Though the rate of 272 packets per second is
not terribly high - you could probably just put the ACL on the server
itself (via IPFW or IPF) if the hardware and bandwidth aren't horribly
undersized.

-T


-- 
"The secret to creativity is knowing how to hide your sources."
    - Albert Einstein
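
Added example, not part of the original message: a small Python parser that reads FreeBSD kernel rate-limit lines like the one quoted above and reports which kind of inbound traffic caused each, so a "closed port RST" message is attributed to TCP rather than ping. The sample log lines, hostname and timestamps are constructed; the message kinds other than "closed port RST" are other strings the FreeBSD kernel logs through the same response limiter.

```python
import re
from collections import defaultdict

# Which inbound traffic makes the FreeBSD kernel emit each rate-limited response.
TRIGGER = {
    "closed port RST": "TCP segments to closed ports",
    "open port RST": "TCP segments to open ports that draw a reset",
    "icmp unreach": "UDP datagrams to closed ports",
    "icmp ping": "ICMP echo requests",
    "icmp tstamp": "ICMP timestamp requests",
}

BANDLIM = re.compile(
    r"Limiting (?P<kind>.+?) response from (?P<seen>\d+) to (?P<limit>\d+) packets per second"
)

def parse_bandlim(lines):
    """Yield (kind, seen_pps, limit_pps) for each kernel rate-limit message."""
    for line in lines:
        m = BANDLIM.search(line)
        if m:
            yield m["kind"], int(m["seen"]), int(m["limit"])

def summarize(lines):
    """Per message kind: number of events, peak rate, and the traffic that caused it."""
    stats = defaultdict(lambda: {"events": 0, "peak_pps": 0})
    for kind, seen, _limit in parse_bandlim(lines):
        stats[kind]["events"] += 1
        stats[kind]["peak_pps"] = max(stats[kind]["peak_pps"], seen)
    return {
        kind: {**s, "trigger": TRIGGER.get(kind, "unknown")}
        for kind, s in stats.items()
    }

# Constructed sample log lines (hostname and timestamps are made up).
SAMPLE = """\
Nov 28 18:59:40 host /kernel: Limiting closed port RST response from 272 to 200 packets per second
Nov 28 18:59:41 host /kernel: Limiting closed port RST response from 251 to 200 packets per second
Nov 28 19:02:10 host /kernel: Limiting icmp unreach response from 310 to 200 packets per second
Nov 28 19:02:11 host sshd[412]: Accepted publickey for admin
""".splitlines()

if __name__ == "__main__":
    for kind, s in summarize(SAMPLE).items():
        print(f"{kind}: {s['events']} events, peak {s['peak_pps']} pps, caused by {s['trigger']}")
```
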


