This is part of The Pile, a partial archive of some open source mailing lists and newsgroups.
Subject: Re: inetd should provide a way to better prevent DOS attacks ( "connection refused" IP based)
From: Alan Cox <alan@lxorguk.ukuu.org.uk>
Date: Mon, 13 Sep 1999 10:37:57 +0100 (BST)

> It's easy to make an inetd service unusable on Redhat Linux, by simple
> flooding the port with connections.

It's easy to set it up in inetd.conf to change the time limits if you wish.

> You should add a feature in inetd which limits the number of connections per
> minute based on the source IP addr.
> With this addition we can easily block the attacker, while keeping the services
> enabled for regular users.

You can't do that. Then you have a denial of service attack. I can force you to remember 2^32 IP addresses who tried to connect. That takes, oh, 16Gb of memory. Whoops bang.

If you do it by class C then you only need 64Mb for the table worst case, but you now have another problem. A single host can take out a whole class C, so typically one problem on a local network takes out everything on that network.

There are some alternative schemes. They require tracking the current number of sessions and maintaining a connections/period limit as well. The best you can do is increase the bandwidth an attacker needs, which also conveniently reduces the potential dead time.

Take a look at xinetd. It handles some of this better than inetd.
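The two points above, the memory cost of a per-address table and the collateral damage of bucketing by class C, can be seen in a small simulation. The following is an added example, not code from the thread or from inetd/xinetd: a per-source connections-per-period limiter whose state table is capped at a fixed number of entries (the cap and the 4-byte counter size used for the memory arithmetic are assumptions made here for illustration).

```python
"""Bounded per-source connection rate limiting (illustrative, not inetd/xinetd code)."""
import ipaddress
from collections import OrderedDict, deque


def table_bytes(prefix_len: int, bytes_per_entry: int = 4) -> int:
    """Size of a flat counter table indexed by the first prefix_len bits of an IPv4 address.

    With one 4-byte counter per entry (assumed), a full /32 table is 2^32 * 4 = 16 GiB and a
    class C (/24) table is 2^24 * 4 = 64 MiB, the figures quoted in the reply above.
    """
    return (1 << prefix_len) * bytes_per_entry


class BoundedRateLimiter:
    """Allow at most `limit` connections per `period` seconds from each source bucket.

    Sources are bucketed by `prefix_len` (32 = per host, 24 = per class C). The table never
    grows beyond `max_tracked` buckets; the least recently seen bucket is evicted when full,
    so memory is bounded regardless of how many distinct sources an attacker uses.
    """

    def __init__(self, limit: int, period: float, prefix_len: int = 32, max_tracked: int = 4096):
        self.limit = limit
        self.period = period
        self.prefix_len = prefix_len
        self.max_tracked = max_tracked
        self._table: "OrderedDict[str, deque]" = OrderedDict()

    def _key(self, ip: str) -> str:
        # Collapse the address to its bucket, e.g. "10.0.0.7" -> "10.0.0.0/24" for prefix_len=24.
        return str(ipaddress.ip_network(f"{ip}/{self.prefix_len}", strict=False))

    def allow(self, ip: str, now: float) -> bool:
        key = self._key(ip)
        stamps = self._table.get(key)
        if stamps is None:
            if len(self._table) >= self.max_tracked:
                self._table.popitem(last=False)  # evict the least recently seen bucket
            stamps = deque()
            self._table[key] = stamps
        else:
            self._table.move_to_end(key)  # mark as most recently seen
        # Drop timestamps that have aged out of the window.
        while stamps and now - stamps[0] >= self.period:
            stamps.popleft()
        if len(stamps) >= self.limit:
            return False  # over the connections/period limit for this bucket
        stamps.append(now)
        return True

    def tracked(self) -> int:
        """Number of buckets currently held; never exceeds max_tracked."""
        return len(self._table)


def demo() -> None:
    print(f"/32 table: {table_bytes(32) // 2**30} GiB, /24 table: {table_bytes(24) // 2**20} MiB")
    per_host = BoundedRateLimiter(limit=3, period=60, prefix_len=32)
    print([per_host.allow("10.0.0.1", t) for t in (0, 1, 2, 3)])   # [True, True, True, False]
    per_net = BoundedRateLimiter(limit=3, period=60, prefix_len=24)
    [per_net.allow("10.0.0.1", t) for t in (0, 1, 2)]
    print(per_net.allow("10.0.0.2", 3))   # False: a neighbour in the same /24 is locked out too


if __name__ == "__main__":
    demo()
```

The bounded table is what turns an unbounded memory exhaustion into a bandwidth problem: an attacker must keep cycling through more than `max_tracked` distinct sources within one period to evict legitimate buckets, which is the "increase the bandwidth an attacker needs" trade-off described above. The `prefix_len=24` case shows the class C problem in the same code path: one noisy host exhausts the budget for every address in its /24.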