reducing the scan rate of worms?
pol-admin at uni-duisburg.de
Wed Sep 29 13:57:00 CEST 2004
hi netfilter folks!
i would like to reduce the amount of damage that scanning worms such
as slammer can do by limiting the number of destination ips per
second that a host in my network can connect to.
ideally, the host would be blackholed after repeatedly hitting this
limit, and a LOG message would trigger an alert to the admin.
the way i understand the _limit_ match, it can only be used to
reduce throughput to or from a particular address, but does not have
enough state information that would allow it to correlate different
connections from the same host.
now i have googled up
which mentions the _dstlimit_ match, but i'm not sure how it works.
i found the source file in netfilter cvs, but did not really
understand it. might it be what i'm looking for?
if this has been discussed before, please point me to the relevant
threads - i searched far and wide, but nothing.
i would appreciate a cc: on replies, since i'm not subscribed to the
"Some universities are dead set against giving [software code] away.
But I don't think universities should be in the moneymaking
business. They ought to be in the changing-the-world business, and
open source is a great vehicle for changing the world."
- Larry Smarr, supercomputing expert and
professor of computer science at UCSD
Jörn Nettingsmeier, EDV-Administrator
Institut für Politikwissenschaft
Universität Duisburg-Essen, Campus Duisburg
Tel.: 0203/379-1419, Fax: 0203/379-2318
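
Added example, not part of the original post and not netfilter code: a user-space sketch of the per-source state the post asks for, counting distinct destination IPs per source per second, alerting on each over-limit second and blackholing after repeated strikes. The thresholds, the function names and the event tuples are assumptions constructed for illustration.

```python
# Assumed policy values (not from the post); tune them to the network.
MAX_DSTS_PER_SEC = 20   # distinct destination IPs allowed per source per second
MAX_STRIKES = 3         # over-limit seconds tolerated before blackholing


def sample_events():
    """Constructed sample data: (unix_second, src_ip, dst_ip) tuples."""
    events = []
    for sec in range(4):
        # 10.0.0.5 scans: 50 previously unseen destinations every second.
        for i in range(50):
            events.append((1000 + sec, "10.0.0.5", f"192.0.2.{sec * 50 + i + 1}"))
        # 10.0.0.9 is busy but only talks to 3 hosts, so it must not trip.
        for i in range(200):
            events.append((1000 + sec, "10.0.0.9", f"198.51.100.{i % 3 + 1}"))
    return sorted(events)


def detect(events, max_dsts=MAX_DSTS_PER_SEC, max_strikes=MAX_STRIKES):
    """Return (alerts, blackholed) for events sorted by time."""
    current = {}      # src -> (second, set of distinct dsts seen in that second)
    strikes = {}      # src -> number of seconds in which the limit was exceeded
    blackholed = {}   # src -> second at which the source was blackholed
    alerts = []
    for sec, src, dst in events:
        if src in blackholed:
            continue  # traffic from a blackholed source is dropped
        window = current.get(src)
        if window is None or window[0] != sec:
            window = current[src] = (sec, set())  # new one-second window
        dsts = window[1]
        if dst in dsts:
            continue  # repeat traffic to a known destination is not counted
        dsts.add(dst)
        if len(dsts) == max_dsts + 1:  # limit crossed: one strike per second
            strikes[src] = strikes.get(src, 0) + 1
            alerts.append(f"t={sec} src={src} over {max_dsts} dsts/s "
                          f"(strike {strikes[src]})")
            if strikes[src] >= max_strikes:
                blackholed[src] = sec
                alerts.append(f"t={sec} src={src} BLACKHOLED")
    return alerts, blackholed


if __name__ == "__main__":
    for line in detect(sample_events())[0]:
        print(line)
```

The counter keys on distinct destinations rather than packets, so a host sending heavy traffic to a few peers stays under the limit while a scanner does not.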