On Sat, 22 Nov 2014 07:17:49 -0700
Andy Ruhl <[email protected]> wrote:
> > So why would packets continue to come in for 2.5 hours? My guess is
> > that the hacker is keeping the connection open and attacking over it
> > for 2.5 hours. Does the packet filter not apply to existing
> > connections? Is there some way to change that behaviour?
> >
>
> Are you sure that the connection stays open? Have you been watching
> it in netstat?

No, I only see it the next day when I notice how big my log file was
yesterday. I am reasonably sure that it is the same connection though
because the sending port remains the same. Unless someone is writing
code at an extremely low level, that suggests to me that it is the same
connection.

> Restarting the application would close connections, or rebooting of
> course but I'm guessing you knew that...

Of course, but it's a phone switch and users might get a bit pissed off
if I did that in the middle of their conversations.

I am also going to ask on the Asterisk list if there is a config option
to close connections on failure.

-- 
D'Arcy J.M. Cain <[email protected]>
http://www.NetBSD.org/ IM:[email protected]
