Hello,

You could try using a rate limit -- you could allow a machine to make, let's say, 10 outbound connections a second and then ... Depending on your network policy you could drop or log all other outbound requests.

Michael.

On Tue, 9 Dec 2003 18:51:46 +0200 Pasi Kärkkäinen <pasik@xxxxxx> wrote:

> On Tue, Dec 09, 2003 at 09:40:47AM -0700, Michael Gale wrote:
> > Hello,
> >
> > Can you provide more detail on the type of traffic that caused the DOS -- this may help people in the list with suggestions on how to block it :)
> >
>
> Yep. It was tcp-connections from the windows box (infected by the worm) to
> some network-ranges on the internet. source-port was pretty much random, but
> the destination was always 80. So the normal 'allow web browsing' rules
> allowed the worm to DoS the linux-firewall.
>
> It just opened the connections all the time, but didn't close them.
>
> > Michael.
> >
>
> -- Pasi Kärkkäinen
>
> ^
> . .
> Linux
> / - \
> Choice.of.the
> .Next.Generation.

--
Michael Gale
Network Administrator
Utilitran Corporation
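One way to express the per-machine rate limit Michael describes as netfilter rules, as an added example that is not code from the thread: NEW outbound TCP/80 connections from each internal host are limited to a rate, the excess is logged and dropped, and, because the worm left its connections open, a cap on concurrent connections per host is added as well. It assumes a forwarding firewall with internal interface eth1 and an iptables that has the hashlimit, connlimit and conntrack matches (all assumptions, not stated in the thread).

```shell
#!/bin/sh
# Added example, not from the mailing-list thread. Assumed interface name and
# assumed availability of the hashlimit/connlimit/conntrack matches.
LAN_IF="${LAN_IF:-eth1}"        # internal interface (assumption)
RATE="${RATE:-10/second}"       # new connections per second, per internal host
BURST="${BURST:-20}"            # short burst tolerated before the limit bites
MAX_OPEN="${MAX_OPEN:-100}"     # concurrent connections allowed per internal host

# Emit the rules as text so they can be reviewed before they are applied.
build_rules() {
    cat <<EOF
iptables -N OUT_WEB_RATE
iptables -A FORWARD -i $LAN_IF -p tcp --dport 80 --syn -m conntrack --ctstate NEW -j OUT_WEB_RATE
iptables -A OUT_WEB_RATE -m connlimit --connlimit-above $MAX_OPEN --connlimit-mask 32 -m limit --limit 5/minute -j LOG --log-prefix "OUTWEB_CONNLIMIT: "
iptables -A OUT_WEB_RATE -m connlimit --connlimit-above $MAX_OPEN --connlimit-mask 32 -j DROP
iptables -A OUT_WEB_RATE -m hashlimit --hashlimit-upto $RATE --hashlimit-burst $BURST --hashlimit-mode srcip --hashlimit-name outweb -j RETURN
iptables -A OUT_WEB_RATE -m limit --limit 5/minute -j LOG --log-prefix "OUTWEB_RATE: "
iptables -A OUT_WEB_RATE -j DROP
EOF
}

# Print the rules by default; apply them only when run as root with --apply.
if [ "${1:-}" = "--apply" ]; then
    build_rules | sh -e
else
    build_rules
fi
```

Hosts under the limit hit the RETURN rule and fall through to the normal 'allow web browsing' rules; a host opening connections faster than the rate, or holding more than MAX_OPEN open at once, shows up in the log with its source address and gets its further SYNs dropped.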