From: Sheldon Hearn (sheldonh@starjuice.net)
Date: Mon Apr 15 2002 - 08:41:15 CDT

On Mon, 15 Apr 2002 09:03:01 +0200, Christoph Kukulies wrote:
> It looks like the machine is being attacked. Is there a way to trap
> the attacker?
>
> Apr 12 10:32:24 host /kernel: Limiting closed port RST response from 336 to 200 packets per second

Unlikely, as the source addresses are almost certainly forged.

I use the following RELENG_4-relative patch to allow syslog message
coalescing, e.g.:

[time] fwadmin3 /kernel: Limiting icmp ping response to 200 packets per second
[time] fwadmin3 last message repeated 29 times
[time] fwadmin3 last message repeated 17 times

You lose the "severity at a glance" value of the messages this way, but
I don't find them useful enough to warrant the mess in
/var/log/messages.

Ciao,
Sheldon.

Index: ip_icmp.c
===================================================================
RCS file: /home/ncvs/src/sys/netinet/ip_icmp.c,v
retrieving revision 1.39.2.16
diff -u -d -r1.39.2.16 ip_icmp.c
--- ip_icmp.c 22 Mar 2002 16:54:18 -0000 1.39.2.16
+++ ip_icmp.c 15 Apr 2002 13:39:53 -0000

-862,9 +862,8 
if ((unsigned int)dticks > hz) {
if (lpackets[which] > icmplim) {
- printf("%s from %d to %d packets per second\n",
+ printf("%s to %d packets per second\n",
bandlimittype[which],
- lpackets[which],
icmplim
);
}
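
Review bot: in the lpackets[which] > icmplim branch, dropping lpackets[which] from the printf arguments removes the only record of the observed packet rate, so the log no longer distinguishes a burst slightly above icmplim from one far above it. Since the aim is to keep the message text constant so syslog can coalesce it, consider making the short form selectable rather than unconditional, and add a comment above the printf stating that the count is left out deliberately.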
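
An added example, not part of the original post or of FreeBSD: a small Python summarizer for the kernel's rate-limit messages that accepts both the stock format and the patched, coalescing-friendly format, and folds syslogd's "last message repeated" lines back into per-type counts. The name summarize is hypothetical, and every sample line except the first (quoted in the thread) is constructed, including the fwadmin3 timestamps.

```python
import re
from collections import defaultdict

# The stock format carries the observed rate ("from N"); the patched format omits it.
LIMIT_RE = re.compile(
    r"/kernel: Limiting (?P<kind>.+?)(?: from (?P<seen>\d+))?"
    r" to (?P<limit>\d+) packets per second"
)
REPEAT_RE = re.compile(r"last message repeated (?P<n>\d+) times?")

# Constructed sample input, apart from the first line, which is quoted in the thread.
SAMPLE = """\
Apr 12 10:32:24 host /kernel: Limiting closed port RST response from 336 to 200 packets per second
Apr 12 10:32:25 host /kernel: Limiting closed port RST response from 412 to 200 packets per second
Apr 15 08:00:01 fwadmin3 /kernel: Limiting icmp ping response to 200 packets per second
Apr 15 08:00:31 fwadmin3 last message repeated 29 times
Apr 15 08:00:49 fwadmin3 last message repeated 17 times
""".splitlines()


def summarize(lines):
    """Return {kind: {"events": int, "peak": int or None, "limit": int}}."""
    stats = defaultdict(lambda: {"events": 0, "peak": None, "limit": None})
    last_kind = None  # kind of the preceding line, used by syslogd repeat lines
    for line in lines:
        m = LIMIT_RE.search(line)
        if m:
            last_kind = m["kind"]
            entry = stats[last_kind]
            entry["events"] += 1
            entry["limit"] = int(m["limit"])
            if m["seen"] is not None:  # only the stock format reports the rate
                entry["peak"] = max(entry["peak"] or 0, int(m["seen"]))
            continue
        r = REPEAT_RE.search(line)
        if r and last_kind is not None:
            # A coalesced line stands for n more copies of the previous message.
            stats[last_kind]["events"] += int(r["n"])
        elif not r:
            last_kind = None  # an unrelated line breaks the repeat chain
    return dict(stats)


if __name__ == "__main__":
    for kind, entry in summarize(SAMPLE).items():
        print(kind, entry)
```

With the patched format the event count is still recoverable from the repeat lines, but peak stays None because the observed rate is no longer logged.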