From: "Rodney W. Grimes"
Message-Id: <199905250424.VAA08832@gndrsh.aac.dev.com>
Subject: Re: Denial of service attack from "imagelock.com"
In-Reply-To: <4.2.0.37.19990524100208.04727460@localhost> from Brett Glass at "May 24, 1999 10:03:38 am"
To: brett@lariat.org (Brett Glass)
Date: Mon, 24 May 1999 21:24:16 -0700 (PDT)
Cc: phk@critter.freebsd.dk (Poul-Henning Kamp), 026809r@dragon.acadiau.ca (Michael Richards), freebsd-security@FreeBSD.ORG

> I like this idea. BUT.... You'll still get their SYNs and use up kernel
> memory. (Only the OUTBOUND packets will disappear into a black hole.)
> memory for awhile. Any way to filter the incoming ones without installing
> a full-up firewall?

Yea, but they aren't going to crawl very far around your website when
it looks like you're not responding. Also it should consume their resources
at least a little bit, and I LIKE THAT IDEA!!!

Hummm... let's see.. how can I consume more of their resources and less
of mine.... ahhh. got it...

ipdivert 209.133.111.0/24 www.imagelock.com.

Yea, that oughta confuse the snot out of them.......
and if they change IPs it'll still get em :-)

> --Brett
>
> At 08:39 AM 5/24/99 +0200, Poul-Henning Kamp wrote:
> >In message , Michael Richards
> >writes:
> > >On Sun, 23 May 1999, Brett Glass wrote:
> > >
> > >> The Webmasters on this list may want to look over their logs to see
> > >> if they've been hit and not known it. grep your logs for imagelock.com;
> > >> if you find that they're abusing your server, you may want to firewall
> > >I noticed we were hit by them this evening. 1250 requests in a few
> > >minutes. Since we're not running a firewall, is there a recommended method
> > >of filtering such people out? I think I did it with apache, but I'm
> > >wondering if there is a better method.
> >
> >Add a blackhole route to them:
> >
> > route add -net -netmask 127.0.0.1 -blackhole
> >
> >--
> >Poul-Henning Kamp FreeBSD coreteam member
> >phk@FreeBSD.ORG "Real hackers run -current on their laptop."
> >FreeBSD -- It will take a long time before progress goes too far!

--
Rod Grimes - KD7CAX - (RWG25) rgrimes@gndrsh.aac.dev.com
Accurate Automation, Inc. Reliable computers for FreeBSD
http://www.aai.dnsmgr.com
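
Added example, not part of the original message or thread: a way to do the "look over your logs" step from the quoted posts by flagging clients that send a burst of requests, then listing the networks that cover them as candidates for a blackhole route or filter rule. It assumes time-ordered Apache Common Log Format input; the function names, the threshold of 30 requests per 5 minutes, and the sample lines (documentation addresses) are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from ipaddress import ip_network

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "')

def find_bursts(lines, max_requests=30, window=timedelta(minutes=5)):
    """Return {client: peak count} for clients that exceed max_requests
    inside any sliding window of the given length (assumed thresholds)."""
    recent = defaultdict(deque)   # client -> timestamps still inside the window
    peak = {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue              # skip malformed lines rather than guessing
        client, stamp = m.groups()
        try:
            when = datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z")
        except ValueError:
            continue
        q = recent[client]
        q.append(when)
        while when - q[0] > window:
            q.popleft()           # drop requests that fell out of the window
        if len(q) > max_requests:
            peak[client] = max(peak.get(client, 0), len(q))
    return peak

def covering_networks(clients, prefix=24):
    """Collapse flagged addresses into covering networks. Entries logged as
    hostnames (HostnameLookups on) are skipped; resolve them separately."""
    nets = set()
    for c in clients:
        try:
            nets.add(str(ip_network(f"{c}/{prefix}", strict=False)))
        except ValueError:
            pass
    return sorted(nets)

def _line(ip, when, path):        # builds one constructed log line
    stamp = when.strftime("%d/%b/%Y:%H:%M:%S -0700")
    return f'{ip} - - [{stamp}] "GET {path} HTTP/1.0" 200 512'

T0 = datetime(1999, 5, 23, 20, 0, 0)
# Constructed sample: one client bursting, one browsing normally, one bad line.
SAMPLE = [_line("203.0.113.7", T0 + timedelta(seconds=i), f"/img/{i}.gif") for i in range(40)]
SAMPLE += [_line("198.51.100.20", T0 + timedelta(minutes=10 * i), "/index.html") for i in range(5)]
SAMPLE.append("truncated or malformed line")

if __name__ == "__main__":
    flagged = find_bursts(SAMPLE)
    print(flagged, covering_networks(flagged))
```

Review the flagged networks by hand before blocking them, since a shared proxy can produce the same burst pattern as a crawler.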