Daniel Hartmeier wrote:
> On Mon, Feb 27, 2006 at 10:21:22AM -0500, Chris Smith wrote:
> 
>> On Saturday 25 February 2006 19:34, Morten Larsen wrote:
>>> It would be nice if you could do something like:
>>>
>>> block in on $ext_if proto {tcp, udp} from any to any port 135:139
>>> overload <infected> flush global
>> That would sure clean up the Internet! Quite funny.
>>
>> But it would really be nice to load a table during blocks, maybe with 
>> something like a max-conn-attempts-rate.
> 
> This would also mean allocating memory for addresses you don't want to
> accept connections from. Think of how someone might exhaust your memory
> with a flood of spoofed SYNs. It might pay off for non-spoofed floods,
> but it certainly makes you more vulnerable to spoofed ones.
> 
> Right now, we only keep track (allocate memory) of addresses when you
> actually want to accept at least a few connections from someone. The
> idea is that if you're willing to allocate a state entry, keeping track
> of how many connection attempts that address made recently is ok.
> 
> Daniel

Yes, you are right of course. It would be a stupid way of doing it.

You would need to use tcp, and wait for the 3-way handshake to complete,
to make sure it was not spoofed.
Maybe with some sort of tarpit daemon running on the loopback interface.

# redirect SMB/NetBIOS ports on the external interface to the local tarpit
rdr pass on $ext_if proto tcp from any to ($ext_if) port {135:139, 445} \
    -> 127.0.0.1 port $tarpit_port

# filter rules see the translated destination, so match the tarpit port here
pass in on lo0 proto tcp from any to 127.0.0.1 \
    port $tarpit_port flags S/SA synproxy state \
    (max-src-conn 0, max-src-conn-rate 0/1, \
    overload <infected> flush)

But then it would probably be better to have the tarpit daemon add the
host to the table.
