
Re: TCP SYN packets which have the FIN flag set.



On Mon, Nov 08, 2004 at 09:36:43AM +0100, Giacomo Mulas wrote:
>On Fri, 5 Nov 2004, George Georgalis wrote:
>
>>and for anybody who is interested, I've found the limit function works
>>well to manage logging and types of deny.
>>
>> -m limit --limit-burst 50 --limit 1/s
>>
>>At the end of my "NEW ACCEPT" set, I call a chain that, within the
>>limit, logs and rejects remaining connections; beyond the limit it
>>returns. The next two rules log some (with limit again) of the remaining
>>connections and drop them all. The setup gives a balance between the
>>problems of logging and rejecting everything bad and just dropping
>>everything bad.
>
>Doesn't that open the possibility for a DoS, simply by sending a stream of
>new attempted connections to your computers? Then this would continuously
>saturate the rate of new attempted connections, and your legitimate
>connections would be virtually impossible. Or is the netfilter limit code
>as smart as to use separate limits for separate source IP numbers?

Unfortunately the limit function doesn't easily apply
to specific IP addresses (I think there is a way to do
it, but it's not easy and I don't know how).

And a "stream" of new connections will DoS me. :)

Maybe I wasn't clear: I don't limit good connections.
(Though it might be a good idea to limit port 80 to
a rate my Apache can sustain, and otherwise route to a
lightweight httpd that responds with "try again later".)

I'm using limit for REJECT of bad connections when
they connect; when the limit is reached I stop
rejecting the bad ones and just DROP them.

For logging, I log the rejected ones but only some
of the dropped ones.

REJECT means I respond; DROP means the client may
continue to try until it times out. So generally
there is less bandwidth with REJECT, unless you
are being attacked, and then there is less with DROP.

And for certain abusive subnets I request that
they be dropped (or whatever) at my ISP's router.

// George


-- 
George Georgalis, systems architect, administrator Linux BSD IXOYE
http://galis.org/george/ cell:646-331-2027 mailto:george@galis.org
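An added illustration, not George's actual ruleset, of the chain layout his mail describes: within the limit, log and REJECT; beyond it, RETURN so the caller's rate-limited LOG and unconditional DROP take over. The chain names (BAD, BAD_REJECT), the log prefixes and the IPT dry-run variable are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original post: a rate-limited REJECT chain
# in the shape described in the mail.
# IPT defaults to iptables; run with IPT=echo to print the rules instead
# of loading them. Nothing is loaded unless the script is run with "apply".
IPT="${IPT:-iptables}"

# Parameters quoted in the mail: a burst of 50, then 1 match per second.
RATE="1/s"
BURST="50"

# BAD: within the limit, jump to BAD_REJECT (log + reject); beyond it, RETURN.
# One -m limit rule decides both the log and the reject, so they stay in
# step (two separate -m limit rules would each keep their own bucket).
build_bad_chains() {
    "$IPT" -N BAD_REJECT
    "$IPT" -A BAD_REJECT -j LOG --log-prefix "bad-reject: "
    "$IPT" -A BAD_REJECT -j REJECT

    "$IPT" -N BAD
    "$IPT" -A BAD -m limit --limit-burst "$BURST" --limit "$RATE" -j BAD_REJECT
    "$IPT" -A BAD -j RETURN
}

# Caller: sits after the "NEW ACCEPT" rules on INPUT, so only connections
# that were not accepted reach it. Whatever returns from BAD is logged under
# a second limit and then dropped unconditionally.
# Caveat: -m limit keeps one global token bucket, not one per source, so a
# flood of bad connections exhausts the REJECT/LOG budget for all sources;
# per-source budgets need -m hashlimit --hashlimit-mode srcip instead.
install_input_rules() {
    "$IPT" -A INPUT -m state --state NEW -j BAD
    "$IPT" -A INPUT -m state --state NEW \
        -m limit --limit-burst "$BURST" --limit "$RATE" \
        -j LOG --log-prefix "bad-drop: "
    "$IPT" -A INPUT -m state --state NEW -j DROP
}

# Load the rules only when explicitly asked for.
if [ "${1:-}" = apply ]; then
    build_bad_chains
    install_input_rules
fi
```

Run it as `IPT=echo sh bad-chain.sh apply` to review the generated rules before loading them for real.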