Sessionlimit is a tool designed to interact with OpenBSD's PF in order to contain the intruders activities after a compromise of a honeypot. It can detect when a scan or DoS is initiated from a honeypot -- once the activity is detected a rule is inserted to PF in order to block the outgoing traffic. This rule is removed after specified time.
The sessionlimit program works by monitoring the state table for the outgoing sessions. It blocks source IPs according to one of the following criterias:
1. When the number of states associated with a source IP is increasing too fast;
2. When the source IP has reached a predefined limit of outgoing connections. The default is 20 connections.
3. When the number of bytes associated with an ICMP state has reached a predefined limit. The default is 65k. This was developed to block stupid DoS attacks, like ping -f victim;
If any of the above conditions is true sessionlimit inserts a new rule at the top of the active ruleset, blocking all traffic from the offending IP to the outside. The offending outgoing traffic will be blocked, but it is important to note that the intruder's interactive session won't be affected, since he is using an incoming keep state rule.
After some time (the default is 30 minutes), the rule will expire and will be removed from the active ruleset.
It is important to note that the original intruder's incoming session is not affected by the new rule. This means that the intruder can still interact with the honeupot, but any new outgoing connection he tries to initiate will be blocked.
