On Sat, Nov 12, 2005 at 01:14:08AM +0000, Stuart Henderson wrote:
> On 2005/11/12 01:11:02, Joachim Schipper wrote:
> > > pass in quick on $ext_if proto tcp from any to ($ext_if) port 22 keep
> > > state
> > > (max-src-conn-rate 3/10, overload <attackers> flush)
> >
> > This sort of thing is really popular, but I don't see the point.
>
> See pf.conf(5) about max-src-conn, and compare it with max-src-states.
That's true. Sorry, should have RTFMP.

Regardless, while this makes the attack more difficult, the added difficulty doesn't amount to much. Hubs will allow sniffing easily, and switches can usually be degraded to hubs. Methinks a combination of sniffing the return traffic (SYN/ACK) and forging the response is enough (this is assuming the spoofed host does not return a RST for nonsense SYN/ACKs - I'm fairly certain that there's a way around that too, most likely just racing the gateway, but that would complicate matters unnecessarily). I'm thinking of a couple of hosts, attached to a hub (or 'hubbable' switch).

If this attack really doesn't work, well, I'll be happy to learn something new and/or Read Some More FMP... but in the meanwhile, I can live with the log entries.

(Of course, the real Braindead Error above was me seemingly thinking that dropping the default gateway would help. Instead, drop some other, more interesting host.)

Joachim
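For reference, the distinction Stuart points at, written out as a pf.conf fragment. This is an added example, not part of the thread: only `$ext_if`, the `<attackers>` table and `max-src-conn-rate 3/10` come from the quoted rule; the interface name `em0`, the other limit values and the block rule are assumed.

```pf
# Added example, not from the thread. $ext_if, <attackers> and
# max-src-conn-rate 3/10 come from the quoted rule; everything else is assumed.
ext_if = "em0"
table <attackers> persist

# Weak variant: max-src-states counts state-table entries. pf creates the
# state on the first SYN, before the 3-way handshake has confirmed the
# source address, so SYNs carrying a forged source can push a third party's
# address into <attackers> and get it blocked. pf.conf(5) notes that no
# spoofing guarantee is available with max-src-states.
#pass in quick on $ext_if proto tcp from any to ($ext_if) port 22 \
#    keep state (max-src-states 10, overload <attackers> flush)

# Corrected variant: max-src-conn and max-src-conn-rate only count TCP
# connections that completed the handshake, so the source is genuine and
# the aggressive overload/flush action is safe. "flags S/SA" makes sure
# only initial SYNs create state; "flush global" also drops states that
# host created via other rules.
block in quick on $ext_if from <attackers> to any
pass in quick on $ext_if proto tcp from any to ($ext_if) port 22 \
    flags S/SA keep state \
    (max-src-conn 10, max-src-conn-rate 3/10, overload <attackers> flush global)

# Checks from the shell (not part of pf.conf):
#   pfctl -t attackers -T show          list addresses currently in the table
#   pfctl -t attackers -T expire 86400  drop entries older than a day
```

Because the table is `persist`, entries survive rule reloads, so the periodic `expire` (from cron, for instance) is what keeps a legitimate host from staying blocked indefinitely.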