List: bugtraq
Subject: Re: Simple DOS attack on FW-1
From: "Jason R. Rhoads" <jason.rhoads () SABERNET ! NET>
Date: 1999-07-31 1:48:00

I have written a small Perl script, fwconwatch.pl, to monitor the status
of the FW-1 connection table. When the table reaches a predefined
limit, the script sends an alert and emails a listing of the top
connection source addresses. The script also monitors CPU utilization,
as I have found this to be another good indicator of abnormal activity.

Once the script has been configured and tested, it can be added to the
/etc/init.d/firewall1 script:

    #!/bin/sh
    # FW-1 Start
    if [ -f /etc/fw/bin/fwstart ]; then
        FWDIR=/etc/fw
        export FWDIR
        /etc/fw/bin/fwstart
        /etc/fw/bin/fwconwatch.pl &
    fi
    # FW-1 END

fwconwatch can be found here: http://www.sabernet.net/software/

Lance Spitzner's fwtable.pl script is used to list the top connection
sources which can be found here:
http://www.enteract.com/~lspitz/fwtable.html

Regards,
Jason
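
Added example, not part of the original message and not the code of fwconwatch.pl or fwtable.pl: a sketch of the check the message describes, counting connection-table entries against a limit and ranking the top source addresses. The entry layout (hex fields `<src, sport, dst, dport, proto; ...>`), the function names, the limit and the sample snapshot are assumptions constructed for illustration.

```python
import re
from collections import Counter
from ipaddress import IPv4Address

# Assumed entry layout, all fields 8 hex digits:
#   <src, sport, dst, dport, proto; ...>
HEX = r"\s*([0-9a-fA-F]{8})\s*"
ENTRY = re.compile("<" + ",".join([HEX] * 5) + "[;>]")

def parse_sources(dump):
    """Return the dotted-quad source address of every well-formed entry."""
    return [str(IPv4Address(int(m.group(1), 16))) for m in ENTRY.finditer(dump)]

def check_table(dump, limit, top_n=3):
    """Return (alert, entry_count, top_sources) for one table snapshot.

    alert is True once the number of entries reaches the limit; top_sources
    is the list a monitor would put in its notification mail.
    """
    sources = parse_sources(dump)
    top = Counter(sources).most_common(top_n)
    return len(sources) >= limit, len(sources), top

# Constructed sample snapshot: header lines, seven valid entries and one
# truncated entry that must be ignored rather than counted.
SAMPLE = """\
localhost:
-------- connections --------
<0a000005, 00000401, c0a80132, 00000050, 00000006; 00000000, 00000e10>
<0a000005, 00000402, c0a80132, 00000050, 00000006; 00000000, 00000e10>
<c0a80114, 00000c01, c0a80132, 00000019, 00000006; 00000000, 00000e10>
<0a000005, 00000403, c0a80132, 00000050, 00000006; 00000000, 00000e10>
<0a000009, 00000777, c0a80132, 00000035, 00000011; 00000000, 00000028>
<c0a80114, 00000c02, c0a80132, 00000019, 00000006; 00000000, 00000e10>
<0a000005, 00000404, c0a80132, 00000050, 00000006; 00000000, 00000e10>
<0a000005, 00000405
"""

if __name__ == "__main__":
    alert, count, top = check_table(SAMPLE, limit=5)
    print("entries=%d alert=%s" % (count, alert))
    for addr, n in top:
        print("%-15s %d" % (addr, n))
```

In practice the limit would be set below the firewall's configured connection-table size so the alert fires before the table is full.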