On Mon, Jul 07, 2003 at 01:47:51AM +0200, Arnt Karlsen scribbled:

[snip]

> > clogged (it's configured to accept 50k connections, keep alives are at
> > 1000 since setting
>
> ..1000 seconds??? Shave off a zero or two, you should be able to serve
> any valid traffic within 5 seconds.

They are not 1000 seconds - 1000 keepalive slots tux keeps active around.
After there are more than that, it starts killing connections in the LRU
order.

> > them to 0 makes tux close any connection immediately, no logging
> > etc,). Apache sits on port 81 and when accessed directly it works
> > fine, that's good enough, but I'd like to do more. And here I come to
> > the real question I want to ask to the list. Is it possible and if
> > yes, then how, to redirect the offending packets from within tux to
> > the TARPIT chain?
>
> ..does your TARPIT traffic cost _you_ anything?

A little bit, a tiny bit. Works better than a DROP, actually. And it has
the added advantage that it ties resources of the attacker somewhat.

> > net/ipv4/icmp_echo_ignore_broadcasts=1
>
> ..also possible to lie and say the box is a crashing,
> or hung dead wintendo.
>
> > fs/file-max=70000
> > fs/dir-notify-enable=0
> > net/ipv4/tcp_keepalive_time=30
> > net/core/rmem_max=262143
> > net/core/rmem_default=262143
> > net/core/wmem_max=262143
> > net/core/wmem_default=262143
> > net/ipv4/tcp_sack=0
> > net/ipv4/tcp_timestamps=0
> > net/ipv4/tcp_syncookies=1
> > net/ipv4/icmp_echo_ignore_all =1
> > net/ipv4/icmp_ignore_bogus_error_responses = 1
> > net/ipv4/tcp_syn_retries = 1
> > net/ipv4/tcp_synack_retries = 1
> > net/ipv4/tcp_keepalive_probes = 1
> > net/ipv4/tcp_keepalive_intvl = 10
> > net/ipv4/tcp_max_syn_backlog = 64
> > net/ipv4/tcp_low_latency = 1
> > net/ipv4/tcp_abort_on_overflow = 1
> > net/ipv4/ipfrag_time = 30
> > net/ipv4/tcp_fin_timeout = 10
> > net/ipv4/tcp_max_orphans = 2048
>
> ..why so many? Most of these would come from "google", no? That's not a lot...

Well, the ones that come from "google" constitute perhaps 1/3 of the total.
And I still have to think about the legit clients.

regards, marek
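An added check, not part of the thread: a small Python audit that parses a sysctl list written the way the mail quotes it (tolerating the uneven spacing around `=`) and compares it against a snapshot of the running values, reporting every key that drifted or is missing. Both the desired list and the snapshot are constructed inline; on a real host the snapshot would be built by reading /proc/sys/<key> for each key.

```python
import re

# Constructed sample: a subset of the sysctl list quoted in the mail, with its
# uneven spacing around '=' kept on purpose so the parser must cope with it.
DESIRED_TEXT = """\
fs/file-max=70000
net/ipv4/tcp_syncookies=1
net/ipv4/icmp_echo_ignore_all =1
net/ipv4/icmp_ignore_bogus_error_responses = 1
net/ipv4/tcp_max_syn_backlog = 64
net/ipv4/tcp_max_orphans = 2048
"""

# Constructed snapshot standing in for values read from /proc/sys/<key>.
# Two keys drift (syncookies off, bigger SYN backlog) and one is absent.
RUNNING_SNAPSHOT = {
    "fs/file-max": "70000",
    "net/ipv4/tcp_syncookies": "0",
    "net/ipv4/icmp_echo_ignore_all": "1",
    "net/ipv4/icmp_ignore_bogus_error_responses": "1",
    "net/ipv4/tcp_max_syn_backlog": "1024",
}

LINE_RE = re.compile(r"^([\w./-]+)\s*=\s*(\S+)$")

def parse_sysctl_list(text):
    """Parse 'key = value' lines with any spacing; skip blanks and '#' comments."""
    desired = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable sysctl line: {raw!r}")
        desired[m.group(1)] = m.group(2)
    return desired

def audit(desired, running):
    """Return sorted (key, wanted, actual) triples for every desired key whose
    running value differs; actual is None when the key is missing."""
    return [(k, v, running.get(k)) for k, v in sorted(desired.items())
            if running.get(k) != v]

if __name__ == "__main__":
    # On a real host, build `running` by reading /proc/sys/<key> for each key.
    for key, wanted, actual in audit(parse_sysctl_list(DESIRED_TEXT), RUNNING_SNAPSHOT):
        print(f"{key}: want {wanted}, running {actual}")
```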