* Modification to iptables (block IP addresses)
[not found] <Pine.LNX.4.21.1010221832550.715-100000@hybel173.grm.hia.no>
@ 2002-10-28 16:31 ` rwc
2002-10-28 18:13 ` Antony Stone
0 siblings, 1 reply; 4+ messages in thread
From: rwc @ 2002-10-28 16:31 UTC (permalink / raw)
Cc: netfilter
Is anyone working on the following modification to iptables? Dynamically
watch for connections coming from any source IP addresses that exceed a
predefined number of connections per unit time. When seen, block all
subsequent connections from that source for a predefined period of time or
indefinitely. Currently, one can do this for specific predefined source IP
addresses, but it would be good to have the ability to do this without
having prior knowledge of the offending IP source.
Roger
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: Modification to iptables (block IP addresses)
2002-10-28 16:31 ` rwc
@ 2002-10-28 18:13 ` Antony Stone
0 siblings, 0 replies; 4+ messages in thread
From: Antony Stone @ 2002-10-28 18:13 UTC (permalink / raw)
To: netfilter
On Monday 28 October 2002 4:31 pm, rwc@lanl.gov wrote:
> Is anyone working on the following modification to iptables? Dynamically
> watch for connections coming from any source IP addresses that exceed a
> predefined number of connections per unit time. When seen, block all
> subsequent connections from that source for a predefined period of time or
> indefinitely. Currently, one can do this for specific predefined source IP
> addresses, but it would be good to have the ability to do this without
> having prior knowledge of the offending IP source.
You might want to investigate the "recent" match in p-o-m.
Antony.
--
Software development can be quick, high-quality, or low-cost.
The customer gets to pick any two out of three.
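One way to build what Roger asks for with the "recent" match Antony points to, as an added example that is not from this thread: the RATELIMIT chain, the WATCH/BANNED list names and the parameter values are assumed, and the options shown are those of the current xt_recent module rather than the 2002 patch-o-matic version.

```shell
#!/bin/sh
# Added example (not from the thread): dynamic per-source blocking with the
# iptables "recent" match. Chain/list names and parameter values are assumed.
set -eu

# rate_rules PORT HITS WINDOW BAN  -- prints the iptables commands, does not run them
#   PORT    TCP port whose new connections are watched
#   HITS    attempts per WINDOW seconds that trigger a block (must not exceed the
#           recent module's ip_pkt_list_tot, default 20)
#   WINDOW  counting window in seconds
#   BAN     seconds a source stays blocked once triggered; 0 = indefinitely
rate_rules() {
    port=$1; hits=$2; window=$3; ban=$4
    if [ "$ban" -gt 0 ]; then
        # --rcheck never refreshes the timestamp, so the entry ages out BAN seconds after it was added
        ban_check="--rcheck --seconds $ban"
    else
        # no --seconds: a listed address stays blocked until evicted from the
        # list (ip_list_tot entries, default 100); use --update instead of
        # --rcheck if the ban should be extended on every new attempt
        ban_check="--rcheck"
    fi
    cat <<EOF
iptables -N RATELIMIT 2>/dev/null || true
iptables -F RATELIMIT
# 1. sources already on BANNED are dropped without further counting
iptables -A RATELIMIT -m recent --name BANNED $ban_check -j DROP
# 2. record this attempt in WATCH (one timestamp per packet, this one included)
iptables -A RATELIMIT -m recent --name WATCH --set
# 3. HITS or more attempts within WINDOW: add the source to BANNED and drop
iptables -A RATELIMIT -m recent --name WATCH --rcheck --seconds $window --hitcount $hits -m recent --name BANNED --set -j DROP
# 4. below the threshold: continue with the normal INPUT rules
iptables -A RATELIMIT -j RETURN
# only new TCP connections (SYN) to PORT enter the chain
iptables -I INPUT -p tcp --syn --dport $port -j RATELIMIT
EOF
}

# rule_count PORT HITS WINDOW BAN -- number of iptables commands generated
rule_count() { rate_rules "$@" | grep -c '^iptables'; }

# Print the rules for 10 SYNs per 60 s with a 10-minute ban on port 22; run them
# only when APPLY=1 is set and iptables is installed.
if [ "${APPLY:-0}" = 1 ] && command -v iptables >/dev/null 2>&1; then
    rate_rules "${PORT:-22}" "${HITS:-10}" "${WINDOW:-60}" "${BAN:-600}" | sh
else
    rate_rules "${PORT:-22}" "${HITS:-10}" "${WINDOW:-60}" "${BAN:-600}"
fi
```

The lists can be inspected and cleared at runtime through /proc/net/xt_recent/WATCH and /proc/net/xt_recent/BANNED, which is useful when tuning HITS and WINDOW against real traffic.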
* Modification to iptables (block IP addresses)
@ 2002-10-28 19:49 rwc
2002-10-28 20:11 ` Michael Atighetchi
0 siblings, 1 reply; 4+ messages in thread
From: rwc @ 2002-10-28 19:49 UTC (permalink / raw)
To: netfilter
Is anyone working on the following modification to iptables?
Dynamically watch for connections coming from any source IP addresses
that exceed a predefined number of connections per unit time. When seen,
block all subsequent connections from that source for a predefined period
of time or indefinitely. Currently, one can do this for specific
predefined source IP addresses, but it would be good to have the ability
to do this without having prior knowledge of the offending IP source.
* Re: Modification to iptables (block IP addresses)
2002-10-28 19:49 Modification to iptables (block IP addresses) rwc
@ 2002-10-28 20:11 ` Michael Atighetchi
0 siblings, 0 replies; 4+ messages in thread
From: Michael Atighetchi @ 2002-10-28 20:11 UTC (permalink / raw)
To: rwc; +Cc: netfilter
We have implemented and Red Team tested such a defense against TCP
connection floods. The software is available open-source at
http://apod.bbn.com/release/latest
and documented at
http://apod.bbn.com/release/latest/docs/quo/apod/docs/manual/pdf/ApodToolkit.pdf
in section 3.9
Michael
On Mon, Oct 28, 2002 at 12:49:35PM -0700, rwc@lanl.gov wrote:
> Is anyone working on the following modification to iptables?
>
> Dynamically watch for connections coming from any source IP addresses
> that exceed a predefined number of connections per unit time. When seen,
> block all subsequent connections from that source for a predefined period
> of time or indefinitely. Currently, one can do this for specific
> predefined source IP addresses, but it would be good to have the ability
> to do this without having prior knowledge of the offending IP source.
--
matighet@bbn.com BBN Technologies