
Re: source limit

The ipfw limit option is easy to DoS.
For example: ipfw add tcp from any to 80 limit 1000
It limits connections from any to 1000, but an attacker can generate TCP spoofing
packets to make the rule's limit counter exceed 1000.
Therefore, for pf, it is also possible to be DoSed if you limit the states
that are created from some rule.
Of course, if you don't limit the states, the DoS is also possible.
Therefore, my suggestion is to limit the states according to protocol.
For ICMP, limit the states created by the ICMP protocol to 1000 states. (It is
not possible to have a lot of ICMP packet sessions in a normal environment.)
For UDP, limit to 5000 states or less according to your service. If you
don't provide any UDP service, 5000 is enough for outgoing DNS packets.
For TCP, limit to a high value according to your memory capacity, but the
limit implementation is a little bit different:
the limit counter is increased by one only after the state becomes ESTABLISHED and
decreased by one only after the state expires.
----- Original Message -----
From: "Niki Denev" <[email protected]>
To: <[email protected]>
Sent: Friday, March 14, 2003 6:48 PM
Subject: source limit
> Currently, with the option to limit the states that are created from some
> rule, I can limit the total connections to some machine/service.
> But it would be very nice if it were possible to limit the connections from a
> single IP (I mean not a specific IP, but from 'any'), much like the effect that
> can be achieved with ipfw on fbsd with 'limit src-addr'.
> Something like counting not only the states created by a given rule number,
> but the states created by a given IP address and rule number.
> What do you think?
> --
> Cheers,
> Niki
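As an added example, not from either poster, here is how the reply's per-protocol caps and Niki's per-source limit look in current pf.conf syntax. The interface name, port and cap values are assumptions, and the source-tracking options (max-src-states, max-src-conn) were added to pf after this 2003 thread.

```pf
# Added example, not from the thread. Assumed: external interface em0,
# a web service on port 80, and illustrative cap values.
ext_if = "em0"

# Weak form: one cap shared by every protocol. A flood of spoofed packets
# matching any protocol can fill it and starve legitimate TCP connections.
# pass in on $ext_if all keep state (max 10000)

# Per-protocol caps, as the reply suggests: ICMP and UDP get small fixed
# caps so they cannot consume the state memory meant for TCP.
pass in  on $ext_if inet proto icmp all keep state (max 1000)
pass out on $ext_if inet proto udp to any port 53 keep state (max 5000)

# TCP: a high overall cap sized to memory, plus per-source limits (Niki's
# request). max-src-states counts every state one address holds, including
# half-open ones, so spoofed SYNs still consume it; max-src-conn counts only
# connections that completed the handshake, which is the reply's "count
# after ESTABLISHED" behaviour. synproxy makes pf answer the SYN itself, so
# a spoofed source never gets a state past the handshake. The rule-wide
# max still bounds the total when sources are randomly spoofed.
pass in on $ext_if inet proto tcp to ($ext_if) port 80 \
    flags S/SA synproxy state (max 100000, source-track rule, \
    max-src-states 100, max-src-conn 50)
```

Check the resulting state usage with `pfctl -si` (state table entries) and `pfctl -sS` (source-tracking nodes) while the rules are loaded.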