I'm looking to adjust the timeouts of softflowd so that I can get "closer to real-time" detection of port scans, etc. 99.99% of my flows on this web server farm are short-lived, so it appears that the TCP timeout of 3600s is a little high.

What sort of negative effects could I expect if I set the TCP timeout to, say, 300s? Surely something drove setting the TCP timeout to 1 hour?

==ml

-- 
Michael W. Lucas
mwlucas at FreeBSD.org, mwlucas at BlackHelicopters.org
http://www.BlackHelicopters.org/~mwlucas/
Latest book: Cisco Routers for the Desperate
http://www.CiscoRoutersForTheDesperate.com
Michael W. Lucas wrote:
> I'm looking to adjust the timeouts of softflowd so that I can get
> "closer to real-time" detection of port scans, etc. 99.99% of my
> flows on this web server farm are short-lived, so it appears that the
> TCP timeout of 3600s is a little high.
>
> What sort of negative effects could I expect if I set the TCP timeout
> to, say, 300s? Surely something drove setting the TCP timeout to 1
> hour?

The 1 hour timeout is for established TCP connections and should be long so it doesn't time out quiescent sessions (e.g. long lived FTP or ssh sessions).

For portscan detection, you should probably adjust the TCP FIN and RST timeouts.

I should add a timeout for "unanswered" connections, which would be useful for hosts that are packet filtered - this is already in the TODO.

-d
On Mon, May 02, 2005 at 08:43:43AM -0400, Michael W. Lucas wrote:
> I'm looking to adjust the timeouts of softflowd so that I can get
> "closer to real-time" detection of port scans, etc. 99.99% of my
> flows on this web server farm are short-lived, so it appears that the
> TCP timeout of 3600s is a little high.
>
> What sort of negative effects could I expect if I set the TCP timeout
> to, say, 300s? Surely something drove setting the TCP timeout to 1
> hour?

And sorry to follow up on myself: Damien said the timeouts are 30min, but on a default install on FreeBSD I see:

    # softflowctl timeouts
    softflowd[57604]: Printing timeouts:
    TCP timeout: 3600s
    TCP post-RST timeout: 120s
    TCP post-FIN timeout: 300s
    UDP timeout: 300s
    ICMP timeout: 300s
    General timeout: 3600s
    Maximum lifetime: 604800s
    Expiry interval: 60s

-- 
Michael W. Lucas
mwlucas at FreeBSD.org, mwlucas at BlackHelicopters.org
http://www.BlackHelicopters.org/~mwlucas/
Latest book: Cisco Routers for the Desperate
http://www.CiscoRoutersForTheDesperate.com
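A worked illustration of Damien's point, added here and not part of the thread or of softflowd itself: it parses the `softflowctl timeouts` output Michael posted and works out, for each way a scan probe can end, how long the resulting flow lingers before the record can be exported. Mapping the unanswered-SYN case to the full TCP timeout is my assumption based on Damien's remark that no dedicated "unanswered connection" timeout exists yet.

```python
import re
# Constructed sample input: the default timeouts exactly as `softflowctl timeouts`
# printed them on the FreeBSD install quoted in the thread above.
SAMPLE_OUTPUT = """\
softflowd[57604]: Printing timeouts:
TCP timeout: 3600s
TCP post-RST timeout: 120s
TCP post-FIN timeout: 300s
UDP timeout: 300s
ICMP timeout: 300s
General timeout: 3600s
Maximum lifetime: 604800s
Expiry interval: 60s
"""

TIMEOUT_LINE = re.compile(r"^(?P<name>[A-Za-z][A-Za-z -]*?):\s*(?P<secs>\d+)s$")

# Which softflowd timeout governs the flow left behind by each kind of scan probe.
# The last entry is an assumption drawn from Damien's reply: with no dedicated
# "unanswered connection" timeout yet, a SYN that gets no reply (packet-filtered
# host) stays in the flow table until the full TCP timeout expires.
PROBE_OUTCOMES = {
    "closed port, RST returned": "TCP post-RST timeout",
    "open port, connect scan, FIN exchanged": "TCP post-FIN timeout",
    "filtered port, no answer": "TCP timeout",
}

def parse_timeouts(text):
    """Parse `softflowctl timeouts` output into {timeout name: seconds}."""
    timeouts = {}
    for line in text.splitlines():
        m = TIMEOUT_LINE.match(line.strip())
        if m:
            timeouts[m.group("name")] = int(m.group("secs"))
    return timeouts

def worst_case_export_delay(timeouts):
    """Seconds from a probe's last packet until its flow record is exported.
    Flows are only expired on the periodic expiry pass, so the worst case is
    the governing timeout plus one full expiry interval."""
    expint = timeouts["Expiry interval"]
    return {probe: timeouts[key] + expint for probe, key in PROBE_OUTCOMES.items()}

def with_overrides(timeouts, **changes):
    """Copy with some timeouts replaced, to compare tuning options."""
    return {**timeouts, **changes}

if __name__ == "__main__":
    print(worst_case_export_delay(parse_timeouts(SAMPLE_OUTPUT)))
```

With the defaults, a RST-answered probe is exportable within 180s and a FIN-closed one within 360s, while an unanswered probe against a filtered host waits 3660s; cutting only the post-FIN and post-RST timeouts, as Damien suggests, shortens the first two without touching established sessions.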