reducing the scan rate of worms?

[Jörn Nettingsmeier]

hi netfilter folks!


i would like to reduce the amount of damage that scanning worms such 
as slammer can do by limiting the number of destination ips per 
second that a host in my network can connect to.
ideally, the host would be blackholed after repeatedly hitting this 
limit, and a LOG message would trigger an alert to the admin.

the way i understand the _limit_ match, it can only be used to 
reduce throughput to or from particular address, but does not have 
enough state information that would allow to correlate different 
connections from the same host.

now i have googled up 
http://www.ukuug.org/events/linux2004/programme/paper-AStone-2/Firewalls.pdf, 
which mentions the _dstlimit_ match, but i'm not sure how it works. 
i found the source file in netfilter cvs, but did not really 
understand it. might it be what i'm looking for?


if this has been discussed before, please point me to the relevant 
threads - i searched far and wide, but nothing.

i would appreciate a cc: on replies, since i'm not subscribed to the 
list.


best regards,

jörn

-- 
"Some universities are dead set against giving [software code] away.
But I don't think universities should be in the moneymaking
business. They ought to be in the changing-the-world business, and
open source is a great vehicle for changing the world."
	- Larry Smarr, supercomputing expert and
	  professor of computer science at UCSD

Jörn Nettingsmeier, EDV-Administrator
Institut für Politikwissenschaft
Universität Duisburg-Essen, Campus Duisburg
Tel.: 0203/379-1419, Fax: 0203/379-2318