Re: dDoS attacks

2002-11-06 Thread Michiel van Baak
On Tue, 5 Nov 2002 17:28:18 -0500 jolan <[EMAIL PROTECTED]> wrote:
> On Tue, Nov 05, 2002 at 02:49:42PM +0100, Michiel van Baak wrote:
> > Anyone who can enlighten me ?
>
> ddos attacks need to be blocked at the router and even then it doesn't
> mean you're going to come away from one unscathed.

Re: dDoS attacks

2002-11-06 Thread Camiel Dobbelaar
On Wed, 6 Nov 2002, Michiel van Baak wrote:
> I know they have to block it in the router.
> But that's not the case with my network and now I want to block them in the router
> here.
> It's a box that does NAT for our internal net and runs smtp,pop3,www,https and ssh
>
> Is there a way to do it w

Re: dDoS attacks

2002-11-06 Thread Daniel Hartmeier
On Wed, Nov 06, 2002 at 12:02:42PM +0100, Michiel van Baak wrote:
> I know they have to block it in the router.
> But that's not the case with my network and now I want to block them in the router
> here.
> It's a box that does NAT for our internal net and runs smtp,pop3,www,https and ssh
>
> Is

RE: dDoS attacks

2002-11-06 Thread Sacha Ligthert
Hi List,

The host that is being attacked, there isn't much you can do about a dDos.

I wonder on the other side what can be done (by pf) to prevent the host being used as a zombie spawning (spoofed) packets like mad. Anybody a clue?

Sacha

Re: dDoS attacks

2002-11-06 Thread jolan
On Wed, Nov 06, 2002 at 12:02:42PM +0100, Michiel van Baak wrote:
> I know they have to block it in the router.
> But that's not the case with my network and now I want to block them
> in the router here.
> It's a box that does NAT for our internal net and runs smtp, pop3,
> www,https and ssh
>
>

Re: dDoS attacks

2002-11-06 Thread jolan
On Wed, Nov 06, 2002 at 12:44:38PM +0100, Sacha Ligthert wrote:
> I wonder on the other side what can be done (by pf) to prevent the host
> being used as a zombie spawning (spoofed) packets like mad. Anybody a clue?

you can stop spoofed packets from going out by only passing things out which have

Re: dDoS attacks

2002-11-06 Thread Daniel Hartmeier
On Wed, Nov 06, 2002 at 12:44:38PM +0100, Sacha Ligthert wrote:
> I wonder on the other side what can be done (by pf) to prevent the host
> being used as a zombie spawning (spoofed) packets like mad. Anybody a clue?

There are some articles about that on http://www.honeynet.org/papers/honeynet/ as

Re: dDoS attacks

2002-11-06 Thread Jason Dixon
On Wed, 2002-11-06 at 07:13, Daniel Hartmeier wrote:
> There's a link to a patch for pf that allows further session limiting on
> honeynet.org.

Thanks for the tip. Any plans to include this patch in future releases?

-J.

Re: dDoS attacks

2002-11-06 Thread Michiel van Baak
Thnx all. The trick with the max states and timeouts works fine.

Michiel

RE: dDoS attacks

2002-11-06 Thread Sacha Ligthert
> On Wed, 2002-11-06 at 07:13, Daniel Hartmeier wrote:
> > There's a link to a patch for pf that allows further
> session limiting on
> > honeynet.org.
>
> Thanks for the tip. Any plans to include this patch in
> future releases?
>
> -J.

To answer Jason Dixon's question:

> -Original Mess

RE: dDoS attacks

2002-11-06 Thread Jason Dixon
On Wed, 2002-11-06 at 07:57, Sacha Ligthert wrote:
> To answer Jason Dixon's question:
>
> > On Wed, Nov 06, 2002 at 01:19:53PM +0100, Sacha Ligthert wrote:
> > > Will this patch be added to the main pf devel repository one day?
> >
> > Have you read it and understand what it does? The tarball li

Re: dDoS attacks

2002-11-06 Thread Daniel Hartmeier
On Wed, Nov 06, 2002 at 08:11:04AM -0500, Jason Dixon wrote:
> Ok, I'll refine my question (after reviewing the tarball). Any chance
> that the related functionality provided by netfilter (--limit) will be
> built into PF in future releases. Obviously, this type of feature still
> has its limita

Re: dDoS attacks

2002-11-06 Thread Jason Dixon
On Wed, 2002-11-06 at 08:32, Daniel Hartmeier wrote:
> If I understand it correctly, netfilter's --limit is used to limit the
> number of concurrent connections per source (or destination) address.

Yup, per the iptables manpage (sorry jolan, here it comes again):

limit
This module matc

Re: dDoS attacks

2002-11-06 Thread Han Boetes
Michiel van Baak ([EMAIL PROTECTED]) wrote:
> I've been spending 3 days searching on google and reading docs/howto's
> about pf. But I didn't find any information about how to protect your
> server/network against dos and ddos attacks. Anyone who can enlighten
> me ?
>
> I'm pretty new to OpenBS

Re: dDoS attacks

2002-11-06 Thread Jason Dixon
On Wed, 2002-11-06 at 08:57, Han Boetes wrote:
> firewall stuffed the upload. After that I disabled return-rst I got a
> continuous stream of 50kb/s and I barely noticed I was ddossed.
>
> So my suggestion would be to put in triggers in pf that would go off at
> certain levels that would indic

Re: dDoS attacks

2002-11-06 Thread francisco
> So my suggestion would be to put in triggers in pf that would go off at
> certain levels that would indicate a ddos, after which logging and
> return-rst is disabled. Perhaps pflog could go in another mode that
> gathers much less detailed info.

this may lead to an attacker DDoS'ing

Re: dDoS attacks

2002-11-06 Thread Han Boetes
francisco ([EMAIL PROTECTED]) wrote:
> Han wrote:
>
> > So my suggestion would be to put in triggers in pf that would go off
> > at certain levels that would indicate a ddos, after which logging
> > and return-rst is disabled. Perhaps pflog could go in another mode
> > that gathers much less

Re: dDoS attacks

2002-11-06 Thread Henning Brauer
On Wed, Nov 06, 2002 at 12:38:33PM +0100, Daniel Hartmeier wrote:
> Well, a real distributed DoS attack involves many hosts fully
> establishing connections to a service you provide to the public, which
> either saturates your uplink or the resources on your server so that
> legitimate connections

Re: dDoS attacks

2002-11-06 Thread Henning Brauer
On Thu, Nov 07, 2002 at 12:38:56AM +0100, Henning Brauer wrote:
> real life example: we were target to a DDoS about a year ago - sucked a
> total incoming bandwidth of over 1 TByte/s - of course that's far beyond our

gack, I need sleep. It was over 1 GBit/s of course. a TBytes/s would be a bit muc