On Wed, 2006-08-16 at 12:13 +0100, Tom Brown wrote: > >> I wonder if there is a way that a firewall rule could be written, that > >> would let a trickle of the connection from Joe through, so as his > >> dictionary attack gets backed up with a huge number of connections which > >> are trickling through at such a slow rate, with maybe just enough delay > >> built in to make it keep trying.... Basically making Joe's compromised > >> computer useless.. and maybe he'd at least turn it off if it didn't lock > >> up all by itself.... > > i knew someone once that wrote a countermeasures script that basically > kept a look out for script kiddie type attacks. It was pretty good and > he showed me once where he pointed a win2k box at his firewall and > launched an 'attack' at which point the firewall did its thing and the > win2k workstation bluescreened - was pretty funny to watch but not > entirely sure about the legality of counterattacks. A very bad idea because it could be used to convert your system into an attack zombie by spoofing the source address. Your system then could be used to send attacks to .mil & .gov systems and you might end up being asked some questions by men wearing black. Any active response is a BAD IDEA (tm) The original idea is not quite so back since it's passive, though I don't know how practical it is. Now with XP SP 2 MS does limit the maximum number of outgoing concurrent TCP/IP connections, so it might be effective against newer systems, but totally ineffective against older OSes and unpatched XP systems. Regards, Paul Berger