Bugtraq mailing list archives

Re: Simple DOS attack on FW-1
From: jason.rhoads () SABERNET NET (Jason R. Rhoads)
Date: Fri, 30 Jul 1999 18:48:00 -0700


I have written a small Perl script, fwconwatch.pl, to monitor the status
of the FW-1 connection table.  When the table reaches a predefined
limit, the script sends an alert and emails a listing of the top
connection source addresses.  The script also monitors CPU utilization
as I have found this to be another good indicator of abnormal activity.

Once the script has been configured and tested, it can be added to the
/etc/init.d/firewall1 script:

  #!/bin/sh
  # FW-1 Start
  if [ -f /etc/fw/bin/fwstart ]; then
    FWDIR=/etc/fw
    export FWDIR
    /etc/fw/bin/fwstart
    /etc/fw/bin/fwconwatch.pl&
  fi
  # FW-1 END

fwconwatch can be found here: http://www.sabernet.net/software/

Lance Spitzner's fwtable.pl script is used to list the top connection
sources which can be found here:
http://www.enteract.com/~lspitz/fwtable.html

Regards,
Jason
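
The check described in the post (count connection-table entries and, once a predefined limit is reached, report the top connection sources), as an added example in Python; it is not fwconwatch.pl or fwtable.pl. The entry layout (comma-separated 8-digit hex fields with the source address first), the sample snapshot, the limit and all function names are assumptions made for illustration.

```python
import re
import socket
import struct
from collections import Counter

# Assumed entry layout (not taken from the post): one connection per line,
# "<src_ip, src_port, dst_ip, dst_port, proto; ...>" with 8-digit hex fields.
ENTRY_RE = re.compile(r"^<([0-9a-f]{8}), ([0-9a-f]{8}), ([0-9a-f]{8}), "
                      r"([0-9a-f]{8}), ([0-9a-f]{8})", re.IGNORECASE)


def hex_to_ip(field):
    """Convert an 8-digit hex field such as 'c0a80114' to dotted-quad form."""
    return socket.inet_ntoa(struct.pack("!I", int(field, 16)))


def parse_sources(table_text):
    """Return the source address of each well-formed entry; skip other lines."""
    sources = []
    for line in table_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            sources.append(hex_to_ip(m.group(1)))
    return sources


def check_table(table_text, limit, top_n=3):
    """Return (alert, total, top_sources) for one snapshot of the table."""
    sources = parse_sources(table_text)
    total = len(sources)
    top = Counter(sources).most_common(top_n)
    return total >= limit, total, top


# Constructed sample snapshot: header lines, one source holding most of the
# entries, one other source, and a damaged line that must be ignored.
SAMPLE = "\n".join(
    ["localhost:", "-------- connections --------"]
    + ["<0a000063, %08x, c0a80114, 00000050, 00000006; 00000e10>" % p
       for p in range(1024, 1030)]
    + ["<0a000007, 00000401, c0a80114, 00000019, 00000006; 00000e10>",
       "<truncated entry"]
)

if __name__ == "__main__":
    alert, total, top = check_table(SAMPLE, limit=5)
    if alert:
        print("ALERT: %d connections (limit 5)" % total)
        for ip, count in top:
            print("  %-15s %d" % (ip, count))
```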

