Subject: Re: net.inet.tcp.log_refused??
To: Manuel Bouyer <bouyer@antioche.lip6.fr>
From: Ignatios Souvatzis <ignatios@cs.uni-bonn.de>
List: tech-net
Date: 05/27/1999 13:54:51
On Thu, May 27, 1999 at 10:47:45AM +0200, Manuel Bouyer wrote:
> On Wed, May 26, 1999 at 06:44:22PM -0700, Wolfgang Rupprecht wrote:
> > While the source address/port can't be trusted, the destination
> > port/address can be.  That does show interesting patterns.  I use IP
> > filter to log all refused connections.  Running an interpreted filter
> > just to get a log of outgoing reject packets it's kind of a big hammer
> > for what should be a simple task.
> > 
> > Until you start logging outgoing rejects you don't know what you are
> > missing. ;-) There are lots of turkeys are out there trying regular
> > probes of all sorts of off-the-wall ports.  If I had a penny for each
> > scan on tcp port 123435, I'd have quite a pile of pennies.
> 
> Really? I thought ports were 16 bits :)
> 
> Really, I can see some use for this: automatic blacklist, with an
> IP filter automatically updated from a log analyzer ... Well, the same could

Given that the source destination still can't be trusted: an even better
DoS attack hole.

	-is
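The exchange above (a log analyzer that feeds an automatic blacklist, and the objection that a forged source address turns it into a denial-of-service hole) as an added example, not code from the thread or from IP Filter. The log lines are constructed, only loosely modelled on ipmon-style block records; the exact field layout, the threshold, and the "protected" list are assumptions made for illustration.

```python
"""Auto-blacklist built from refused-connection logs, and the spoofing hole it opens.

Added example. The log format is an assumption (roughly ipmon-like block
records); the sample lines are constructed, not captured traffic.
"""
import re
from collections import Counter

# Constructed sample log: one real probe source (10.9.8.7) hitting several
# ports, plus unrelated refused packets from two other hosts.
SAMPLE_LOG = """\
27/05/1999 13:50:01.123456 le0 @0:1 b 10.9.8.7,1234 -> 192.0.2.10,111 PR tcp len 20 44 -S IN
27/05/1999 13:50:02.223456 le0 @0:1 b 10.9.8.7,1235 -> 192.0.2.10,137 PR tcp len 20 44 -S IN
27/05/1999 13:50:03.323456 le0 @0:1 b 10.9.8.7,1236 -> 192.0.2.10,23 PR tcp len 20 44 -S IN
27/05/1999 13:50:04.423456 le0 @0:1 b 198.51.100.2,53 -> 192.0.2.10,12345 PR udp len 20 44 IN
27/05/1999 13:50:05.523456 le0 @0:1 b 203.0.113.5,40000 -> 192.0.2.10,80 PR tcp len 20 44 -S IN
"""

# Assumed record shape: "... b SRC,SPORT -> DST,DPORT PR PROTO ..."
LINE_RE = re.compile(
    r"\bb (?P<src>\d+\.\d+\.\d+\.\d+),(?P<sport>\d+) -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+),(?P<dport>\d+) PR (?P<proto>\w+)"
)


def parse_refused(log_text):
    """Yield (src, dst, dport, proto) for every blocked ('b') record."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group("src"), m.group("dst"), int(m.group("dport")), m.group("proto")


def naive_blacklist(log_text, threshold=3):
    """Block any source seen refused >= threshold times.

    This trusts the source address of an unanswered SYN, which is exactly
    what the thread says cannot be trusted.
    """
    hits = Counter(src for src, _, _, _ in parse_refused(log_text))
    return {src for src, n in hits.items() if n >= threshold}


def spoofed_probe_lines(spoofed_src, dst, dports):
    """Constructed attacker traffic: SYNs with a forged source address.

    The attacker picks a host the defender depends on (here: a DNS server).
    No reply is needed, so spoofing costs nothing and the log looks identical
    to a real scan from that host.
    """
    return "".join(
        f"27/05/1999 13:55:0{i} le0 @0:1 b {spoofed_src},{40000 + i} -> {dst},{p} "
        f"PR tcp len 20 44 -S IN\n"
        for i, p in enumerate(dports)
    )


def safer_blacklist(log_text, protected, threshold=3):
    """Same counting, but never auto-blocks addresses on a protected list.

    A refused SYN proves nothing about who sent it, so hosts whose loss would
    hurt (resolvers, gateways, peers) must be exempt from log-driven blocking.
    """
    return {src for src in naive_blacklist(log_text, threshold) if src not in protected}


if __name__ == "__main__":
    print("naive, clean log:", naive_blacklist(SAMPLE_LOG))
    poisoned = SAMPLE_LOG + spoofed_probe_lines("198.51.100.2", "192.0.2.10", [22, 23, 25])
    print("naive, after spoofed SYNs:", naive_blacklist(poisoned))
    print("protected resolver:", safer_blacklist(poisoned, {"198.51.100.2"}))
```

Run it and the naive analyzer blacklists the real prober on the clean log, but three forged SYNs are enough to make it blacklist the resolver at 198.51.100.2 as well; the exempt list is the minimum guard, and the general rule is that a rule generator should only act on evidence the sender had to be reachable to produce (a completed handshake), never on a bare SYN.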