[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: another seeming attack on my server's DirPort

To: or-talk@xxxxxxxxxxxxx
Subject: Re: another seeming attack on my server's DirPort
From: Michael Holstein <michael.holstein@xxxxxxxxxxx>
Date: Wed, 19 Dec 2007 09:11:02 -0500
Delivered-to: archiver@xxxxxxxx
Delivered-to: or-talk-outgoing@xxxxxxxx
Delivered-to: or-talk@xxxxxxxx
Delivery-date: Wed, 19 Dec 2007 09:15:47 -0500
In-reply-to: <200712190846.lBJ8k4ql008543@xxxxxxxxxxxxx>
References: <200712190846.lBJ8k4ql008543@xxxxxxxxxxxxx>
Reply-to: or-talk@xxxxxxxxxxxxx
Sender: owner-or-talk@xxxxxxxxxxxxx
User-agent: Thunderbird 2.0.0.6 (X11/20071022)

The symptom, like the last time, was that output rate on my
machine's main Ethernet interface was running steadily around the transmit
rate limit imposed by my ADSL line.

tweak as desired ... this would permit 1 connection per minute from agiven IP. Replace (torDirPort) with whatever TCP port you're serving theDIR on.


iptables -A INPUT -p tcp --dport (torDirPort) -m state --state NEW -m recent --set --name TORdir -j ACCEPT
iptables -A INPUT -p tcp --dport (torDirPort) -m recent --update --seconds 60 --hitcount 1 --rttl --name TORdir -j LOG --log-prefix "TORdir flood"
iptables -A INPUT -p tcp --dport (torDirPort) -m recent --update --seconds 60 --hitcount 1 --rttl --name TORdir -j DROP

(adapted from a SSH bruteforce mitigation rule to do a similar thing..)

Cheers,

Michael Holstein CISSP GCIA
Cleveland State University

References:
- another seeming attack on my server's DirPort
  - From: Scott Bennett

Prev by Author: Re: Encrypted Web Pages?
Next by Author: Re: another seeming attack on my server's DirPort
Previous by thread: Re: another seeming attack on my server's DirPort
Next by thread: Re: another seeming attack on my server's DirPort
Index(es):
- Author
- Thread