On Wed, 13 Dec 2000, Alfred Perlstein wrote:
> I think the word "possible" should be prepended to all of these messages.
>
> Now I have a weird question, I've seen the ICMP response limit when
> getting pegged by a couple hundred hits per second on a port that isn't
> open by legitimate connections.
>
> This would probably fall under:
> > > Suppressing outgoing RST due to port scan: 202/200 pps
>
> Which is untrue, it should read something like:
> Suppressing outgoing RST due to high rate of connections on an unopen
> port (possible portscan): 202/200 pps
It could just as easily be a SYN flood against a single port... or a large
number of clients trying to connect to your crashed web server... :P Or
it could just as easily be an ack flood against a port without a listener
and be showing up in the "not the ack flood" counter.
Attaching motives and trying to play intrusion detection pattern analysis
games without complete information is dangerous, and none of these
routines qualify as advanced enough to make any such determination. IMHO
break it down by "RST from ports with or without a listener" (or open
port, whatever floats the boat) and be done with it. The major goal of
this code would seem to be to provide simple but fairly useful protection
against common attacks out of the box, not to provide analysis of the
attacks (since no useful analysis can be performed without looking further
anyways).
--
Richard A Steenbergen <[EMAIL PROTECTED]> http://www.e-gerbil.net/humble
PGP Key ID: 0x138EA177 (67 29 D7 BC E8 18 3E DA B2 46 B3 D8 14 36 FE B6)
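The breakdown Richard proposes above, counting RSTs separately for ports with and without a listener and logging only what was counted rather than a guessed motive, as an added example in C. This is not code from the thread or from FreeBSD: the struct, function and message names are this example's own, the per-second window is a simplified model of a response limiter rather than the kernel's implementation, and the 200 pps limit and 202-packet burst are constructed to mirror the figures quoted in the thread.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Two RST categories, split by whether the destination port had a listener
 * (the breakdown suggested in the thread), instead of an attributed motive. */
enum rst_reason { RST_NO_LISTENER = 0, RST_LISTENER = 1, RST_NREASONS = 2 };

static const char *const reason_name[RST_NREASONS] = {
    "port without listener",
    "port with listener",
};

/* Per-category one-second window. This is a simplified model for the
 * example, not the kernel's limiter; all names here are hypothetical. */
struct rst_limiter {
    int     limit;                         /* max RSTs/sec per category */
    int64_t window_start[RST_NREASONS];    /* second the current window began */
    int     count[RST_NREASONS];           /* RSTs requested in this window */
    int     suppressed[RST_NREASONS];      /* RSTs dropped in this window */
};

void rst_limiter_init(struct rst_limiter *l, int limit)
{
    memset(l, 0, sizeof *l);
    l->limit = limit;
    for (int i = 0; i < RST_NREASONS; i++)
        l->window_start[i] = -1;           /* no window open yet */
}

/* Decide whether one outgoing RST in category r may be sent at time now_sec.
 * Returns 1 to send, 0 to suppress. When the window rolls over and the
 * previous one had suppressed RSTs, a report is written to msgbuf; otherwise
 * msgbuf is left empty. The report states only what was counted. */
int rst_limiter_check(struct rst_limiter *l, enum rst_reason r, int64_t now_sec,
                      char *msgbuf, size_t msglen)
{
    if (msgbuf != NULL && msglen > 0)
        msgbuf[0] = '\0';

    if (l->window_start[r] != now_sec) {
        if (l->suppressed[r] > 0 && msgbuf != NULL)
            snprintf(msgbuf, msglen,
                     "Limiting outgoing RST (%s): %d/%d pps",
                     reason_name[r], l->count[r], l->limit);
        l->window_start[r] = now_sec;
        l->count[r] = 0;
        l->suppressed[r] = 0;
    }

    l->count[r]++;
    if (l->count[r] > l->limit) {
        l->suppressed[r]++;
        return 0;
    }
    return 1;
}

int main(void)
{
    struct rst_limiter l;
    char msg[128];
    int sent = 0;

    rst_limiter_init(&l, 200);
    /* Constructed burst: 202 segments to a closed port within one second. */
    for (int i = 0; i < 202; i++)
        sent += rst_limiter_check(&l, RST_NO_LISTENER, 0, msg, sizeof msg);
    printf("sent %d of 202\n", sent);
    /* Next second: the rolled-over window yields one neutral report. */
    rst_limiter_check(&l, RST_NO_LISTENER, 1, msg, sizeof msg);
    printf("%s\n", msg);
    return 0;
}
```

The listener and no-listener categories never share a counter, so a burst against a closed port does not throttle RSTs for a busy listening port, and the report says nothing beyond the count and the category.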