Re: any middlemen seeing DoS currently?
- To: or-talk@xxxxxxxxxxxxx
- Subject: Re: any middlemen seeing DoS currently?
- From: Hans Schnehl <torvallenator@xxxxxxxxx>
- Date: Fri, 7 Nov 2008 17:02:16 +0100
- Delivery-date: Fri, 07 Nov 2008 11:02:47 -0500
- In-reply-to: <20081107134947.GM11544@xxxxxxxxx>
- References: <20081107123828.GK11544@xxxxxxxxx> <49143E48.3060700@xxxxxxxxxxxx> <20081107134947.GM11544@xxxxxxxxx>
- Reply-to: or-talk@xxxxxxxxxxxxx
- Sender: owner-or-talk@xxxxxxxxxxxxx
- User-agent: Mutt/1.5.18 (2008-05-17)
On Fri, Nov 07, 2008 at 02:49:47PM +0100, Eugen Leitl wrote:
> On Fri, Nov 07, 2008 at 02:10:32PM +0100, Olaf Selke wrote:
> > Eugen Leitl wrote:
> > > I've seen continuous table state increase since about >3.5 hours.
> > > It went up from 1 k baseline to 5 k.
> > >
> > > Anyone else seeing this?
> >
> > yes, the same here
>
> Anyone know which kind of attack that is? Any suggestions
> how to block it (pf here) yet?
You may set the timeout values in pf.conf to rather low values.
Actually, I am starting to wonder whether larger values are of any use anyway.
Maybe like:
-----------------------------
set timeout interval 2
set timeout frag 5
set timeout tcp.first 5
set timeout tcp.opening 5
set timeout tcp.established 600
set timeout tcp.closing 5
set timeout tcp.finwait 3
set timeout tcp.closed 5
------------------------------
besides the default.
This will kick you too if the line is idle for too long.
Hans
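
Added example, not part of the message above: before lowering the timeouts it helps to see which kind of state is filling the table, so this sketch groups `pfctl -ss` output by protocol and state pair and lists the busiest inbound TCP sources. The function names and the sample lines are constructed for illustration, and the line layout (interface, protocol, address, direction, address, state pair, IPv4 `addr:port`) is an assumption to check against your own pfctl output.

```shell
#!/bin/sh
# Added example. On a live relay (as root): pfctl -ss | summarize_states
LC_ALL=C; export LC_ALL

# Count state-table entries per "protocol state-pair", largest first.
summarize_states() {
    awk 'NF >= 5 { n[$2 " " $NF]++ }
         END { for (k in n) print n[k], k }' | sort -k1,1nr -k2
}

# Number of TCP entries that are not fully established. These are the ones
# governed by the short tcp.first/opening/closing/finwait/closed timers.
count_not_established() {
    awk '$2 == "tcp" && $NF != "ESTABLISHED:ESTABLISHED" { c++ }
         END { print c + 0 }'
}

# Inbound TCP states per remote address: a few heavy sources and many
# light ones call for different handling.
top_inbound_sources() {
    awk '$2 == "tcp" && $4 == "<-" { src = $5; sub(/:[0-9]+$/, "", src); n[src]++ }
         END { for (k in n) print n[k], k }' | sort -k1,1nr -k2
}

# Constructed sample in the assumed pfctl -ss layout (documentation addresses).
sample_states() {
cat <<'EOF'
all tcp 192.0.2.10:9001 <- 203.0.113.5:40001       CLOSED:SYN_SENT
all tcp 192.0.2.10:9001 <- 203.0.113.5:40002       CLOSED:SYN_SENT
all tcp 192.0.2.10:9001 <- 203.0.113.5:40003       CLOSED:SYN_SENT
all tcp 192.0.2.10:9001 <- 198.51.100.7:51234       ESTABLISHED:ESTABLISHED
all tcp 192.0.2.10:9001 <- 198.51.100.8:51800       ESTABLISHED:ESTABLISHED
all tcp 192.0.2.10:44321 -> 198.51.100.20:443       FIN_WAIT_2:FIN_WAIT_2
all udp 192.0.2.10:53 <- 198.51.100.9:33000       MULTIPLE:MULTIPLE
EOF
}

sample_states | summarize_states
```

If most entries are fully established, only `tcp.established` among the values above affects them; a table dominated by half-open or closing states is where the short timers pay off.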