Joachim Schipper wrote:
However, *if* he did, you might have some interesting tricks to play on
him. Many scanners [1], for instance, will not send a SYN twice - and
(almost?) all TCP/IP stacks will. Dropping the first SYN from a new IP
can be done easily with pf, and while the impact on legitimate users
would be significant with interactive services (it adds ~ 1 sec to the
loading time of your front page), it might be worth the trade-off.
Might be interesting to test just to see the results.
Hmm, greylisting IP connections...
That was one of my ideas in a previous email. Not sure what gain it could
have. But here, as the attack looks more interested in draining
more traffic than in blocking access to it, I thought that in a case like
this, using "greylisting IP connections" to slow down the access of these
webbots (assuming it is a webbot anyway) might have a positive impact.
Again, I don't know if the same computer, part of the webbot network,
could initiate more than one connection, but if they all get trapped
somehow, I guess it makes the webbot useless, maybe. So it might send
the attack elsewhere in the end.
I don't really know if the idea was any good however, but there might be
some merit to it. I already started to look at how spamd works to see if
something like that might be any good. Obviously spamd talks SMTP, so
this can't be used, but an httpspamd or whatnot talking HTTP might be useful.
Anyway, so far my fingerprinting shows:
src OS: Windows XP SP1, Windows 2000 SP4
src OS: Windows XP SP1, Windows 2000 SP3
src OS: Windows XP SP1, Windows 2000 SP2+
src OS: Windows 2000, Windows XP
src OS: short-pkt
src OS: unknown
and
1 from src OS: Linux 2.4 ts
1 from src OS: Cisco Content Engine
1 from src OS: Windows 98
1 from src OS: Windows 2000 RFC1323, Windows XP RFC1323
where almost all are only from the first three above, 85% so far.
One interesting finding so far, however, is that every single bad source
from the Windows OS variations ALL have the (len 48). Most likely useless
regardless, but interesting to see.
This exercise is good learning however. (;>
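The "drop the first SYN, pass the retransmit" idea discussed in this thread, written out as a small userland model so the decision logic can be read and tested. This is an added example, not anything from the thread's participants and not a pf ruleset: the class below is a hypothetical greylist keeper, the timings (a 30 s retransmit window, an hour of memory for sources that got through) are assumed defaults, and the SYN arrivals are constructed sample data using RFC 5737 documentation addresses.

```python
"""Userland model of SYN greylisting for TCP connection attempts.

Idea from the thread: a real TCP/IP stack retransmits a SYN that gets no
answer (typically after ~3 s), while a single-shot scanner or bot does not.
Dropping the *first* SYN from a never-seen source and passing only the
retransmission therefore costs legitimate clients one retransmit delay and
costs single-shot sources the whole connection.  Constructed example; the
class and its defaults are assumptions, not a pf configuration.
"""
from typing import Dict, List, Tuple

# Constructed sample arrivals: (seconds since start, source address).
SAMPLE_SYNS: List[Tuple[float, str]] = [
    (0.0, "198.51.100.7"),    # legitimate client, first SYN
    (0.1, "203.0.113.42"),    # single-shot source, never retries
    (3.0, "198.51.100.7"),    # the client's stack retransmits after ~3 s
    (3.2, "198.51.100.7"),    # a second connection from the same client
    (100.0, "203.0.113.99"),  # another never-seen source
    (131.0, "203.0.113.99"),  # "retry" outside the retransmit window
]


class SynGreylist:
    """Decide pass/drop for each incoming SYN based on per-source history."""

    def __init__(self, retry_window: float = 30.0, remember: float = 3600.0) -> None:
        # How long after a dropped SYN a second SYN still counts as the
        # retransmission of the first (covers the usual 3 s / 9 s / 21 s
        # retransmit schedule of common stacks).  Assumed default.
        self.retry_window = retry_window
        # How long a source that once got through stays on the pass list
        # without being greylisted again.  Assumed default.
        self.remember = remember
        self.pending: Dict[str, float] = {}  # src -> time of its dropped SYN
        self.passed: Dict[str, float] = {}   # src -> last time it was passed

    def decide(self, now: float, src: str) -> str:
        # Known-good source: let it straight through and refresh its entry.
        last = self.passed.get(src)
        if last is not None and now - last < self.remember:
            self.passed[src] = now
            return "pass"

        first = self.pending.get(src)
        if first is None:
            # Never seen (or forgotten): drop this SYN and remember when.
            self.pending[src] = now
            return "drop"

        if now - first <= self.retry_window:
            # Second SYN inside the window: this is the retransmit a real
            # stack sends, so promote the source and pass it.
            del self.pending[src]
            self.passed[src] = now
            return "pass"

        # Too late to be a retransmit of the dropped SYN; start over.
        self.pending[src] = now
        return "drop"


def run_sample() -> List[Tuple[float, str, str]]:
    """Apply the greylist to SAMPLE_SYNS; returns (time, src, decision)."""
    gl = SynGreylist()
    return [(t, src, gl.decide(t, src)) for t, src in SAMPLE_SYNS]


def never_passed(decisions: List[Tuple[float, str, str]]) -> List[str]:
    """Sources that were only ever dropped, i.e. the single-shot ones."""
    passed = {src for _, src, d in decisions if d == "pass"}
    return sorted({src for _, src, _ in decisions} - passed)


if __name__ == "__main__":
    results = run_sample()
    for t, src, d in results:
        print(f"t={t:6.1f}  {src:15}  {d}")
    print("never got through:", never_passed(results))
```

Running it shows the trade-off the thread mentions in numbers: the legitimate client loses one SYN and gets in on the ~3 s retransmit, after which its later connections pass immediately, while the two sources that never retransmit within the window never complete a handshake at all.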