Date: Mon, 15 Apr 2002 15:41:15 +0200
From: Sheldon Hearn <sheldonh@starjuice.net>
To: Christoph Kukulies <kuku@gilberto.physik.rwth-aachen.de>
Cc: freebsd-security@freebsd.org
Subject: Re: Limiting closed port RST response from 381 to 200 p
Message-ID: <12776.1018878075@axl.seasidesoftware.co.za>
In-Reply-To: Your message of "Mon, 15 Apr 2002 09:03:01 +0200." <200204150703.g3F731k18347@gil.physik.rwth-aachen.de>
On Mon, 15 Apr 2002 09:03:01 +0200, Christoph Kukulies wrote:

> It looks like the machine is being attacked. Is there a way to trap
> the attacker?
>
> Apr 12 10:32:24 host /kernel: Limiting closed port RST response from 336 to 200 packets per second

Unlikely, as the source addresses are almost certainly forged.

I use the following RELENG_4-relative patch to allow syslog message
coalescing, e.g.:

[time] fwadmin3 /kernel: Limiting icmp ping response to 200 packets per second
[time] fwadmin3 last message repeated 29 times
[time] fwadmin3 last message repeated 17 times

You lose the "severity at a glance" value of the messages this way, but
I don't find them useful enough to warrant the mess in /var/log/messages.

Ciao,
Sheldon.

Index: ip_icmp.c
===================================================================
RCS file: /home/ncvs/src/sys/netinet/ip_icmp.c,v
retrieving revision 1.39.2.16
diff -u -d -r1.39.2.16 ip_icmp.c
--- ip_icmp.c	22 Mar 2002 16:54:18 -0000	1.39.2.16
+++ ip_icmp.c	15 Apr 2002 13:39:53 -0000
@@ -862,9 +862,8 @@
 	if ((unsigned int)dticks > hz) {
 		if (lpackets[which] > icmplim) {
-			printf("%s from %d to %d packets per second\n",
+			printf("%s to %d packets per second\n",
 				bandlimittype[which],
-				lpackets[which],
 				icmplim
 			);
 		}
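Review bot: The hunk header says 9 old / 8 new lines, but only 8 old and 7 new lines are present as quoted, so one trailing context line after the closing `}` was lost between `cvs diff` and the list; patch(1) may reject the hunk as malformed until it is regenerated. Separately, dropping `lpackets[which]` from the printf turns "%s from %d to %d packets per second" into "%s to %d packets per second", which is exactly what lets syslogd coalesce the line into "last message repeated N times", but it also removes the only place the kernel reports how far over `icmplim` the flood went and breaks anything that greps /var/log/messages for the old wording; both consequences deserve a sentence in the commit message.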
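The trade-off discussed in the message, the stock line carries the observed rate but never repeats verbatim, the patched line coalesces but loses that number, can be seen by summarising both log formats. The following is an added example, not code from the thread or from FreeBSD: it parses a constructed /var/log/messages excerpt in both formats, attributes syslogd's "last message repeated N times" lines to the preceding kernel message from the same host, and reports how many seconds each limiter fired for and the peak observed rate where the log still carries one. The regexes assume the classic BSD syslog timestamp/host prefix shown in the thread.

```python
import re
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed sample (not a real log): three stock RELENG_4 lines, which differ
# in the "from N" value and so never coalesce, followed by the patched format,
# which syslogd collapses into "last message repeated N times".
SAMPLE_LOG = """\
Apr 12 10:32:24 host /kernel: Limiting closed port RST response from 336 to 200 packets per second
Apr 12 10:32:25 host /kernel: Limiting closed port RST response from 381 to 200 packets per second
Apr 12 10:32:26 host /kernel: Limiting closed port RST response from 290 to 200 packets per second
Apr 12 11:00:01 fwadmin3 /kernel: Limiting icmp ping response to 200 packets per second
Apr 12 11:00:31 fwadmin3 last message repeated 29 times
Apr 12 11:01:02 fwadmin3 last message repeated 17 times
Apr 12 11:05:00 fwadmin3 sshd[123]: Accepted publickey for admin from 10.0.0.5
"""

# Classic BSD syslog prefix: "Mon DD HH:MM:SS host ".
PREFIX = r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
# Matches both "... from 336 to 200 ..." (stock) and "... to 200 ..." (patched).
LIMIT_RE = re.compile(
    PREFIX + r"/kernel: Limiting (?P<kind>.+?) "
    r"(?:from (?P<observed>\d+) )?to (?P<limit>\d+) packets per second$"
)
REPEAT_RE = re.compile(PREFIX + r"last message repeated (?P<n>\d+) times$")
ANY_RE = re.compile(PREFIX)


@dataclass
class LimitSummary:
    host: str
    kind: str
    limit: int
    seconds: int = 0                     # the limiter logs at most once per second
    peak_observed: Optional[int] = None  # None when the log format no longer carries it


def summarize(log_text: str) -> Dict[Tuple[str, str], LimitSummary]:
    """Aggregate rate-limit messages per (host, limiter kind).

    A "last message repeated N times" line is credited to the most recent
    Limiting line from the same host, which is how syslogd produces it; any
    other message from that host ends the chain.
    """
    summaries: Dict[Tuple[str, str], LimitSummary] = {}
    last_limit: Dict[str, Tuple[str, str]] = {}

    for line in log_text.splitlines():
        m = LIMIT_RE.match(line)
        if m:
            key = (m["host"], m["kind"])
            s = summaries.setdefault(key, LimitSummary(m["host"], m["kind"], int(m["limit"])))
            s.seconds += 1
            if m["observed"] is not None:
                obs = int(m["observed"])
                s.peak_observed = obs if s.peak_observed is None else max(s.peak_observed, obs)
            last_limit[m["host"]] = key
            continue

        m = REPEAT_RE.match(line)
        if m and m["host"] in last_limit:
            summaries[last_limit[m["host"]]].seconds += int(m["n"])
            continue

        m = ANY_RE.match(line)
        if m:
            last_limit.pop(m["host"], None)

    return summaries


def report(log_text: str) -> str:
    lines = []
    for s in summarize(log_text).values():
        peak = "unknown (coalesced format)" if s.peak_observed is None else f"{s.peak_observed} pps"
        lines.append(f"{s.host}: {s.kind} limited to {s.limit} pps for {s.seconds}s, peak {peak}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

Run against the sample, the stock lines yield a peak of 381 packets per second over three seconds, while the patched host shows 47 seconds of limiting (1 + 29 + 17) with no peak at all, which is the information the patch gives up in exchange for a tidier log.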