Re: SYN flooding....

Jon Lewis (jlewis@inorganic5.fdt.net)
Mon, 26 May 1997 12:22:50 -0400 (EDT)


On Mon, 26 May 1997, Rogier Wolff wrote:

> My personal opinion is that logging useless information is less
> harmful than throwing information away. If the stupid fools didn't
> forge their source address, or are behind a router that correctly only
> allows "internal IP addresses" to go out, you would at least have
> the ISP that they operate from....

I wonder how many ISPs and NSPs enforce that kind of filtering? I do
that on our internet gateway router in our Gainesville POP, but in
Tallahassee, Sprint provides our T1 and router and gives me 0 access to
it. They were doing no such filtering until I emailed their NOC a few
times and then started sending unusual packets to their NOC.

Recently, I made some holes in the filter in GNV, so I could send presents
to/from certain netblocks, and it appears UUNet (our provider in GNV)
doesn't do such filtering either.

Do any of the NSPs do such sensible filtering, or do they all leave it up
to the customer, which in most cases means no filtering?

Back to the point...I've patched my kernel to display the synflood info
like this:
Warning: possible SYN flood from 199.185.131.45 on port 25. Sending cookies.
validated probe(199.185.131.45:2285, 205.229.48.20:25, -149058382)

figuring, some info, even if it's forged, is better than not having a clue
where it came from if I wasn't able to do a netstat at the time. Note
that the default behavior is to not log any source addresses if a possible
SYN flood failed to be validated. This way, if there is a real one, I'll
know the source address used.

------------------------------------------------------------------
Jon Lewis <jlewis@fdt.net> | Unsolicited commercial e-mail will
Network Administrator | be proof-read for $199/message.
Florida Digital Turnpike |
________Finger jlewis@inorganic5.fdt.net for PGP public key_______
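An added example, not part of Jon's post or his kernel patch: detection logic run over log lines in the two shapes his patched kernel prints. The sample lines are constructed (documentation-range addresses) and the heuristic is an assumption: a source that keeps tripping the warning but never appears in a "validated probe" line never completed the cookie exchange, which is what a forged source address looks like from the server's side.

```python
import re
from collections import Counter, defaultdict

# Constructed sample syslog excerpt in the format the patched kernel prints.
# Addresses and ports are made up for the example.
SAMPLE_LOG = """\
Warning: possible SYN flood from 10.0.0.7 on port 25. Sending cookies.
validated probe(10.0.0.7:2285, 192.0.2.20:25, -149058382)
Warning: possible SYN flood from 10.0.0.7 on port 25. Sending cookies.
Warning: possible SYN flood from 198.51.100.9 on port 80. Sending cookies.
Warning: possible SYN flood from 198.51.100.9 on port 80. Sending cookies.
Warning: possible SYN flood from 198.51.100.9 on port 80. Sending cookies.
validated probe(10.0.0.7:2290, 192.0.2.20:25, 7731)
unrelated kernel message
"""

FLOOD_RE = re.compile(r"possible SYN flood from ([0-9.]+) on port (\d+)\. Sending cookies\.")
PROBE_RE = re.compile(r"validated probe\(([0-9.]+):(\d+), ([0-9.]+):(\d+), (-?\d+)\)")

def summarize(log_text):
    """Per-source counts of flood warnings, validated probes and the ports hit."""
    warnings = Counter()
    validated = Counter()
    ports = defaultdict(set)
    for line in log_text.splitlines():
        m = FLOOD_RE.search(line)
        if m:
            warnings[m.group(1)] += 1
            ports[m.group(1)].add(int(m.group(2)))
            continue
        m = PROBE_RE.search(line)
        if m:
            # A validated probe means the cookie came back, so the source is reachable.
            validated[m.group(1)] += 1
    return {src: {"warnings": warnings[src],
                  "validated": validated[src],
                  "ports": sorted(ports[src])}
            for src in warnings}

def likely_spoofed(summary):
    """Sources that were flagged but never completed a validated handshake."""
    return sorted(src for src, v in summary.items() if v["validated"] == 0)

if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    for src, v in s.items():
        print(src, v)
    print("candidate forged sources:", likely_spoofed(s))
```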