We had an incident this morning where a user was flooding us with pop3
connections. Inetd tripped the 500 requests/minute circuit breaker and
stopped accepting any more connections.
The problem is, it didn't provide any useful information about *where* the
attack was coming from. I would have hoped there would be a log message
somewhere at least giving the IP address of the client, but as far as I can
tell, there isn't. Even turning on debugging (inetd -d) doesn't help; all
it logs is:
> Jun 1 12:07:30 endeavor inetd[20398]: someone wants pop3 fd 19
which isn't particularly useful. Is there any way to get more information?
PS -- a packet sniffer wasn't practical, for a variety of reasons.
Roy Smith <roy_at_popmail.med.nyu.edu>
New York University School of Medicine
550 First Avenue, New York, NY 10016
Received on Tue Jun 01 1999 - 16:33:27 NZST