 From:  "Chris Buechler" <cbuechler at gmail dot com>
 Cc:  "m0n0wall at lists dot m0n0 dot ch" <m0n0wall at lists dot m0n0 dot ch>
 Subject:  Re: [m0n0wall] Latest virus kills m0n0wall
 Date:  Sat, 11 Aug 2007 01:48:50 -0400
On 8/11/07, Lee Sharp <leesharp at hal dash pc dot org> wrote:
> I use m0n0wall in a lot of hotels.  This means that insecure computers
> are on the network.  This latest virus spawns several hundred states,
> fills the outbound pipe, and makes the connection slow to the point of
> unusable.  If two infected machines get on, it can lock m0n0wall
> totally.  Any thought on a quick bandage?

Yeah, that's the state table filling up. Depends on what kind of
traffic the particular thing you're seeing is generating. If it's
something you can block, block it. If not, the best you can do is
detect it (syslog analysis is the best way I can think of offhand).

IPFilter doesn't have the ability to limit states by host like pf and
ipfw in 6.x do, which would be a solution to at least keep it from
effectively DoS'ing you. If you're using a 6.x version you can
probably load ipfw and manually add rules using its "limit" directive
(see the man page).
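
The syslog analysis suggested in the reply above, as an added example that is not part of the original message or of m0n0wall itself. It assumes ipmon-style firewall log lines (`src,sport -> dst,dport PR proto`) delivered via syslog and reports sources that open many distinct flows within one minute; the function names, threshold and sample lines are constructed for illustration.

```python
import re
from collections import defaultdict

# Assumed line layout: "<Mon DD HH:MM:SS> host ipmon[pid]: ... src,sport -> dst,dport PR proto ..."
FLOW_RE = re.compile(
    r"^(?P<minute>\w{3}\s+\d+\s+\d{2}:\d{2}):\d{2}\s.*?"
    r"(?P<src>\d+\.\d+\.\d+\.\d+),(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+),(?P<dport>\d+)\s+PR\s+(?P<proto>\w+)"
)

def noisy_hosts(lines, threshold):
    """Return {src: peak distinct flows in any one minute} for sources >= threshold."""
    flows = defaultdict(set)  # (minute, src) -> set of flow tuples
    for line in lines:
        m = FLOW_RE.search(line)
        if m is None:
            continue  # not a firewall line, or a protocol logged without ports
        # Each distinct tuple approximates one state table entry.
        flows[(m["minute"], m["src"])].add(
            (m["sport"], m["dst"], m["dport"], m["proto"]))
    peaks = defaultdict(int)
    for (_, src), seen in flows.items():
        peaks[src] = max(peaks[src], len(seen))
    return {src: n for src, n in peaks.items() if n >= threshold}

def sample_lines():
    """Constructed log lines: one quiet guest, one guest opening 300 flows in a minute."""
    fmt = ("Aug 11 01:40:{s:02d} m0n0wall ipmon[85]: 01:40:{s:02d}.000000 sis1 "
           "@0:12 p {src},{sp} -> {dst},{dp} PR tcp len 20 48 -S K-S IN")
    quiet = [fmt.format(s=i, src="192.168.1.20", sp=40000 + i,
                        dst="198.51.100.10", dp=80) for i in range(5)]
    noisy = [fmt.format(s=i % 60, src="192.168.1.57", sp=1024 + i,
                        dst=f"203.0.113.{i % 250 + 1}", dp=9999)
             for i in range(300)]
    return quiet + noisy + ["Aug 11 01:40:59 m0n0wall dhcpd: unrelated line"]

if __name__ == "__main__":
    # Threshold of 100 flows per minute is an arbitrary illustration value.
    for src, peak in sorted(noisy_hosts(sample_lines(), 100).items()):
        print(f"{src} peaked at {peak} distinct flows in one minute")
```

This only sees traffic the firewall rules actually log, so the pass rule for guest traffic needs logging enabled for the counts to mean anything.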