Date:      Mon, 15 Apr 2002 15:41:15 +0200
From:      Sheldon Hearn <sheldonh@starjuice.net>
To:        Christoph Kukulies <kuku@gilberto.physik.rwth-aachen.de>
Cc:        freebsd-security@freebsd.org
Subject:   Re: Limiting closed port RST response from 381 to 200 p 
Message-ID:  <12776.1018878075@axl.seasidesoftware.co.za>
In-Reply-To: Your message of "Mon, 15 Apr 2002 09:03:01 +0200." <200204150703.g3F731k18347@gil.physik.rwth-aachen.de>

On Mon, 15 Apr 2002 09:03:01 +0200, Christoph Kukulies wrote:

> It looks like the machine is being attacked. Is there a way to trap
> the attacker?
> 
> Apr 12 10:32:24 host /kernel: Limiting closed port RST response from 336 to 200 packets per second

Unlikely, as the source addresses are almost certainly forged.

I use the following RELENG_4-relative patch to allow syslog message
coalescing, e.g.:

[time] fwadmin3 /kernel: Limiting icmp ping response to 200 packets per second
[time] fwadmin3 last message repeated 29 times
[time] fwadmin3 last message repeated 17 times

You lose the "severity at a glance" value of the messages this way, but
I don't find them useful enough to warrant the mess in
/var/log/messages.

Ciao,
Sheldon.

Index: ip_icmp.c
===================================================================
RCS file: /home/ncvs/src/sys/netinet/ip_icmp.c,v
retrieving revision 1.39.2.16
diff -u -d -r1.39.2.16 ip_icmp.c
--- ip_icmp.c	22 Mar 2002 16:54:18 -0000	1.39.2.16
+++ ip_icmp.c	15 Apr 2002 13:39:53 -0000
@@ -862,9 +862,8 @@
 
 	if ((unsigned int)dticks > hz) {
 		if (lpackets[which] > icmplim) {
-			printf("%s from %d to %d packets per second\n",
+			printf("%s to %d packets per second\n",
 				bandlimittype[which],
-				lpackets[which],
 				icmplim
 			);
 		}
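Review bot: removing `lpackets[which]` keeps the format string and argument list consistent (one `%s`, one `%d` for `bandlimittype[which]` and `icmplim`), but it also removes the only place the observed packet rate was recorded; the value is still in hand inside the enclosing `if (lpackets[which] > icmplim)` test, so consider keeping a running peak in a counter there rather than in the message text, which lets syslogd coalesce the now-identical lines while the rate stays recoverable for incident review.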

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
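As an added illustration (not part of Sheldon's mail or the FreeBSD source), the Python below runs a simplified model of syslogd's "last message repeated N times" coalescing over constructed kernel log lines, showing why the unpatched messages never collapse (the observed count differs each second) while the patched ones do, and which piece of information is lost in the trade. The coalescing rule is an assumption: it ignores syslogd's flush timing and only collapses consecutive identical lines.

```python
"""Model syslogd repeat-coalescing on kernel rate-limit messages.

Added example, not code from the original mail or from FreeBSD. The
log lines are constructed; the coalescing rule is a simplification of
syslogd's behaviour (consecutive identical lines only, no timers).
"""
import re

# Constructed sample: what the unpatched kernel logs over three seconds.
UNPATCHED = [
    "host /kernel: Limiting closed port RST response from 336 to 200 packets per second",
    "host /kernel: Limiting closed port RST response from 381 to 200 packets per second",
    "host /kernel: Limiting closed port RST response from 290 to 200 packets per second",
]

# The same three events with the "from %d" field dropped, as the patch does.
PATCHED = [
    "host /kernel: Limiting closed port RST response to 200 packets per second",
] * 3

# Matches only the unpatched wording, which still carries the observed rate.
RATE_RE = re.compile(
    r"Limiting (?P<what>.+?) response from (?P<seen>\d+) to (?P<limit>\d+) packets per second"
)


def coalesce(lines):
    """Collapse runs of identical consecutive lines the way syslogd does."""
    out, prev, repeats = [], None, 0
    for line in lines:
        if line == prev:
            repeats += 1
            continue
        if repeats:
            out.append(f"last message repeated {repeats} times")
        out.append(line)
        prev, repeats = line, 0
    if repeats:
        out.append(f"last message repeated {repeats} times")
    return out


def peak_rates(lines):
    """Recover the highest observed rate per message type.

    This is exactly the information the patch removes from the log, so
    on patched output the result is empty.
    """
    peaks = {}
    for line in lines:
        m = RATE_RE.search(line)
        if m:
            peaks[m["what"]] = max(peaks.get(m["what"], 0), int(m["seen"]))
    return peaks
```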