On Mon, Feb 27, 2006 at 10:21:22AM -0500, Chris Smith wrote:
> On Saturday 25 February 2006 19:34, Morten Larsen wrote:
> > It would be nice if you could do something like:
> >
> > block in on $ext_if proto {tcp, udp} from any to any port 135:139
> > overload <infected> flush global
>
> That would sure clean up the Internet! Quite funny.
>
> But it would really be nice to load a table during blocks, maybe with
> something like a max-conn-attempts-rate.
This would also mean allocating memory for addresses you don't want to
accept connections from. Think of how someone might exhaust your memory
with a flood of spoofed SYNs. It might pay off for non-spoofed floods,
but it certainly makes you more vulnerable to spoofed ones.
Right now, we only keep track (allocate memory) of addresses when you
actually want to accept at least a few connections from someone. The
idea is that if you're willing to allocate a state entry, keeping track
of how many connection attempts that address made recently is ok.
Daniel
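For readers who want to see the form pf actually supports, the following is an added pf.conf fragment (not from this thread): the overload table is attached to a pass rule that creates state, which is the design Daniel describes, and the connection-rate limit is the existing max-src-conn-rate option rather than the suggested "max-conn-attempts-rate". The interface name $ext_if, the table name <bruteforce> and the thresholds are assumptions chosen for the example.

```pf
# Table that collects offending source addresses; persist keeps it
# around even when no rule currently references an entry.
table <bruteforce> persist

# Addresses already in the table are dropped before any state is created,
# so a flood from a listed source costs no per-address memory.
block in quick on $ext_if from <bruteforce> to any

# Stateless block for the NetBIOS/RPC ports from the original post:
# nothing is recorded per source, so spoofed SYNs cannot fill memory.
block in on $ext_if proto { tcp, udp } from any to any port 135:139

# Tracking happens only where we are willing to allocate state anyway.
# A source that exceeds 15 new connections in 5 seconds, or holds more
# than 100 states, is added to <bruteforce> and its existing states are
# flushed (global: states from every rule, not just this one).
pass in on $ext_if proto tcp from any to any port ssh \
    flags S/SA keep state \
    (max-src-conn 100, max-src-conn-rate 15/5, \
     overload <bruteforce> flush global)
```

Entries added this way stay in the table until removed, so pairing this with a periodic `pfctl -t bruteforce -T expire <seconds>` from cron keeps the table from growing without bound.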