hi netfilter folks!
i would like to reduce the amount of damage that scanning worms such as slammer can do by limiting the number of destination ips per second that a host in my network can connect to.
ideally, the host would be blackholed after repeatedly hitting this limit, and a LOG message would trigger an alert to the admin.
the way i understand the _limit_ match, it can only be used to reduce throughput to or from a particular address, but does not have enough state information that would allow it to correlate different connections from the same host.
now i have googled up http://www.ukuug.org/events/linux2004/programme/paper-AStone-2/Firewalls.pdf, which mentions the _dstlimit_ match, but i'm not sure how it works. i found the source file in netfilter cvs, but did not really understand it. might it be what i'm looking for?
if this has been discussed before, please point me to the relevant threads - i searched far and wide, but nothing.
i would appreciate a cc: on replies, since i'm not subscribed to the list.
best regards,
jörn
-- "Some universities are dead set against giving [software code] away. But I don't think universities should be in the moneymaking business. They ought to be in the changing-the-world business, and open source is a great vehicle for changing the world." - Larry Smarr, supercomputing expert and professor of computer science at UCSD
Jörn Nettingsmeier, EDV-Administrator Institut für Politikwissenschaft Universität Duisburg-Essen, Campus Duisburg Tel.: 0203/379-1419, Fax: 0203/379-2318
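As an added illustration, not part of jörn's message nor of any netfilter code: the per-source correlation he is asking for, done in userspace over LOG-style records. It counts distinct destination IPs per source per second and only flags a host after repeated over-limit seconds, so a busy host talking to one peer is not confused with a scanner. The record format, addresses and thresholds are constructed for the example.

```python
import re
from collections import defaultdict

# Epoch second, then an iptables LOG-style record (line format constructed for this example)
LOG_RE = re.compile(r"^(?P<ts>\d+) .*SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+)")

# Constructed sample: 10.0.0.5 behaves like a scanning worm (new destinations every
# second); 10.0.0.9 bursts once, then hammers a single destination, which a plain
# packet-rate limit would flag but a distinct-destination limit should not.
SAMPLE_LOG = """\
1000 kernel: IN=eth0 SRC=10.0.0.5 DST=198.51.100.1 PROTO=UDP DPT=1434
1000 kernel: IN=eth0 SRC=10.0.0.5 DST=198.51.100.2 PROTO=UDP DPT=1434
1000 kernel: IN=eth0 SRC=10.0.0.5 DST=198.51.100.3 PROTO=UDP DPT=1434
1000 kernel: IN=eth0 SRC=10.0.0.9 DST=203.0.113.10 PROTO=TCP DPT=80
1000 kernel: IN=eth0 SRC=10.0.0.9 DST=203.0.113.11 PROTO=TCP DPT=80
1000 kernel: IN=eth0 SRC=10.0.0.9 DST=203.0.113.12 PROTO=TCP DPT=80
1001 kernel: IN=eth0 SRC=10.0.0.5 DST=198.51.100.4 PROTO=UDP DPT=1434
1001 kernel: IN=eth0 SRC=10.0.0.5 DST=198.51.100.5 PROTO=UDP DPT=1434
1001 kernel: IN=eth0 SRC=10.0.0.5 DST=198.51.100.6 PROTO=UDP DPT=1434
1001 kernel: IN=eth0 SRC=10.0.0.9 DST=203.0.113.10 PROTO=TCP DPT=80
1001 kernel: IN=eth0 SRC=10.0.0.9 DST=203.0.113.10 PROTO=TCP DPT=80
1001 kernel: IN=eth0 SRC=10.0.0.9 DST=203.0.113.10 PROTO=TCP DPT=80
"""

def distinct_dsts_per_second(text):
    """src -> {second: number of distinct destination IPs seen in that second}."""
    seen = defaultdict(lambda: defaultdict(set))
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            seen[m.group("src")][int(m.group("ts"))].add(m.group("dst"))
    return {src: {ts: len(d) for ts, d in secs.items()} for src, secs in seen.items()}

def find_scanners(text, max_dsts_per_sec=2, strikes=2):
    """Sources that exceeded the limit in `strikes` consecutive seconds, mapped to
    the second at which the admin alert / blackhole would fire."""
    flagged = {}
    for src, counts in distinct_dsts_per_second(text).items():
        run, prev = 0, None
        for ts in sorted(counts):
            over = counts[ts] > max_dsts_per_sec
            # a strike run only continues across adjacent over-limit seconds
            run = run + 1 if over and prev == ts - 1 else (1 if over else 0)
            prev = ts
            if run >= strikes:
                flagged[src] = ts
                break
    return flagged
```

With the defaults, only 10.0.0.5 is flagged (at second 1001); 10.0.0.9's single burst and its repeated packets to one destination stay below the bar.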