* Richard A. Steenbergen <[EMAIL PROTECTED]> [001213 11:17] wrote:
> On Wed, 13 Dec 2000, Bosko Milekic wrote:
>
> > Suppressing udp flood/scan: 212/200 pps
> > Suppressing outgoing RST due to port scan: 202/200 pps
> > Suppressing outgoing RST due to ACK flood: 19725/200 pps
> > Suppressing ping flood: 230/200 pps
> > Suppressing icmp tstamp flood: 210/200 pps
> >
> > While the descriptions for the two RST cases can be accused
> > of oversimplification, they should cut down on questions by
> > users confused with the current terminology. Experienced
> > users can always run a packet sniffer if they need more
> > exact knowledge of what's occurring.
>
> I would be extremely careful with those descriptions... When you tell
> people directly that something is an attack, even if its not, there are
> enough who will jump to immediate conclusions and begin making false
> accusations. While it may be highly likely that the reasons for those rate
> limits is some kind of attack, it is not guaranteed, and I would be very
> reluctant to so blatantly tell people that it is...
>
> Personally I'd recommend straightforward descriptions like "RST due to no
> listening socket". I also see no compelling reason to put ICMP Timestamp
> in a separate queue, but what I would recommend is separate queues for
> ICMP messages which would be defined as "query/response" and those which
> would be called "error" messages. If someone needs more specific
> protection they can use dummynet.
>
> Just a thought...

I think the word "possible" should be prepended to all of these messages.

Now I have a weird question: I've seen the ICMP response limit when
getting pegged by a couple hundred hits per second on a port that isn't
open by legitimate connections.
This would probably fall under:
> > Suppressing outgoing RST due to port scan: 202/200 pps
Which is untrue; it should read something like:

Suppressing outgoing RST due to high rate of connections on an unopen port (possible portscan): 202/200 pps
--
-Alfred Perlstein - [[EMAIL PROTECTED]|[EMAIL PROTECTED]]
"I have the heart of a child; I keep it in a jar on my desk."
To Unsubscribe: send mail to [EMAIL PROTECTED]
with "unsubscribe freebsd-net" in the body of the message
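For readers who want to see what a response limiter of the kind discussed in this thread actually does, here is an added illustrative model. It is not the FreeBSD kernel's own code and uses none of its identifiers; the class names, the one-second window, the query/error ICMP split Richard suggests and the "possible ..." wording Alfred suggests are all this example's own assumptions. Each response class gets a per-second counter; responses beyond the limit are dropped, and when the window rolls over a single "Suppressing ...: seen/limit pps" line is produced, so 212 attempts against a limit of 200 yield the "212/200 pps" form seen in the quoted output.

```c
#include <stdio.h>
#include <stdint.h>
#include <string.h>

/* Response classes for this model (names are this example's own, not the
 * kernel's). ICMP is split into query/response and error queues rather than
 * giving each ICMP type its own queue. */
enum bandlim_class {
    BANDLIM_RST_CLOSED,  /* TCP RST because no socket is listening */
    BANDLIM_RST_ACK,     /* TCP RST in reply to an ACK no connection expects */
    BANDLIM_ICMP_QUERY,  /* replies to ICMP queries: echo, timestamp, ... */
    BANDLIM_ICMP_ERROR,  /* ICMP error messages, e.g. port unreachable */
    BANDLIM_MAX
};

/* Log wording with "possible" attached, as proposed in the thread. */
static const char *bandlim_desc[BANDLIM_MAX] = {
    "Suppressing outgoing RST due to no listening socket (possible port scan)",
    "Suppressing outgoing RST in reply to unexpected ACKs (possible ACK flood)",
    "Suppressing ICMP query responses (possible ping/timestamp flood)",
    "Suppressing ICMP error messages (possible UDP flood/scan)",
};

struct bandlim_bucket {
    uint32_t count;     /* responses attempted in the current 1-second window */
    uint32_t lasttime;  /* second in which the current window started */
};

struct bandlim_state {
    uint32_t limit;                         /* per-class responses/second, 0 = unlimited */
    struct bandlim_bucket bucket[BANDLIM_MAX];
    char lastlog[256];                      /* most recent log line, kept for inspection */
    int  nlog;                              /* number of log lines emitted */
};

void bandlim_init(struct bandlim_state *st, uint32_t limit)
{
    memset(st, 0, sizeof *st);
    st->limit = limit;
}

/* Map an ICMP type (RFC 792 / RFC 950 numbering) onto the query or error queue. */
enum bandlim_class icmp_class(uint8_t icmp_type)
{
    switch (icmp_type) {
    case 0:  case 8:    /* echo reply / echo request */
    case 13: case 14:   /* timestamp / timestamp reply */
    case 15: case 16:   /* information request / reply */
    case 17: case 18:   /* address mask request / reply */
        return BANDLIM_ICMP_QUERY;
    default:            /* unreachable (3), source quench (4), redirect (5),
                           time exceeded (11), parameter problem (12), ... */
        return BANDLIM_ICMP_ERROR;
    }
}

/* Decide whether one response of class `cls` may be sent at second `now`.
 * Returns 1 to send, 0 to drop. The log line for an over-limit window is
 * emitted lazily, on the first attempt after that window has ended. */
int bandlim_allow(struct bandlim_state *st, enum bandlim_class cls, uint32_t now)
{
    struct bandlim_bucket *b = &st->bucket[cls];

    if (st->limit == 0)
        return 1;
    if (now != b->lasttime) {
        if (b->count > st->limit) {
            snprintf(st->lastlog, sizeof st->lastlog, "%s: %u/%u pps",
                     bandlim_desc[cls], (unsigned)b->count, (unsigned)st->limit);
            st->nlog++;
            puts(st->lastlog);
        }
        b->lasttime = now;
        b->count = 0;
    }
    b->count++;
    return b->count <= st->limit;
}

/* Offer `n` responses of class `cls` at second `now`; return how many were sent. */
unsigned bandlim_burst(struct bandlim_state *st, enum bandlim_class cls,
                       uint32_t now, unsigned n)
{
    unsigned sent = 0;
    for (unsigned i = 0; i < n; i++)
        sent += bandlim_allow(st, cls, now);
    return sent;
}

int main(void)
{
    struct bandlim_state st;
    bandlim_init(&st, 200);
    /* Constructed traffic: 212 SYNs/s to a closed port, then 230 pings/s. */
    printf("RSTs sent: %u of 212\n", bandlim_burst(&st, BANDLIM_RST_CLOSED, 1, 212));
    printf("echo replies sent: %u of 230\n", bandlim_burst(&st, icmp_class(8), 1, 230));
    /* The next second's first packets trigger the log lines for second 1. */
    bandlim_allow(&st, BANDLIM_RST_CLOSED, 2);
    bandlim_allow(&st, BANDLIM_ICMP_QUERY, 2);
    return 0;
}
```

Because the log line is produced when the next window opens, a burst that stops and never resumes is counted but never reported; a real implementation would want a timer or a check on the next call for any class, which is left out here to keep the model small.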