I've blocked a dozen or so addresses using ipfilter:

block in quick on fxp0 from to any
block in quick on fxp0 from to any


but I still see a lot of traffic those hosts in trafshow, snort and
other packet capturing utils.  Why is this?

Is there any alternative method of blocking access from certain hosts
so that this traffic is not 'seen' by higher level /userland apps?

As background, the blocked hosts were part of a denial of service attack
which has been going on for a few hours now.  The attack was aimed at
port 80, although an odd artifact is that no httpd log entries were made
for any of the hosts attempting to connect on port 80.

A cursory nmap scan of a few of the hosts shows that all hosts had both
port 25 and 80 open, but none of the hosts accepted connections on
either of those ports.  Any idea what kind of attack this could be?

Jez Hancock
 - System Administrator / PHP Developer

[EMAIL PROTECTED] mailing list
To unsubscribe, send any mail to "[EMAIL PROTECTED]"

Reply via email to