> > Ok, I am now armed with quite a bit more info regarding these attacks. > > First off, the target looks like this: > > Port State Service > 21/tcp open ftp > 22/tcp open ssh > 25/tcp open smtp > 53/tcp open domain > 80/tcp open http > 110/tcp open pop-3 > 3333/tcp open dec-notes > 10000/tcp open snet-sensor-mgmt > 31337/tcp open Elite > > (and yes, port 31337 is legit - this is a linux server and that is not a > trojan running) > > OK, so during the attack, an upstream router captured the packets. I see > two interesting things: > > 1. a ton of TCP SYN, [1658] -> [106] 3COM-TSMUX to ports that do > not exist on the target. See how this one goes to destination 106, but > the target is not running anything on 106 ? Once in a while the SYN > packets go to an existing port, but most of them go to nonexistent > (seemingly random) ports on the target. > > 2. a noticable amount of christmas tree packets aimed at the target: > > TCP FIN SYN RST PSH ACK, [1400] -> [98] TAC-news > > again, to ports not actually open on the target. I guess a xmas tree > packet technically has a URG flag as well, which these do not - but even > still I suspect these are bad news to be seeing. > > Also some of them are not quite as xmas as other: > > TCP SYN RST PSH ACK, [1230] -> [118] SQL-service > > again, directed at a service that does not exist. > > > 3. These seem less frequent, but I am seeing: > > UDP, [21397] -> [2284] ^M > Source port: [21397] ^M > Destination port: [2284] ^M > UDP length: 908^M > Checksum: 0x0000 (data fragment - not able to check)^M > > So .. a UDP fragment sent to a port not open on the target. This also > seems like bad news. > > ----- > > So that's that - I see this for all three IPs that were being targeted. > > So now there are two things I need to know (and ask cordially for your > help with) > > 1. what can I put into place on a 4.4-RELEASE ipfw firewall to combat > these items ipfw add 1 allow tcp from any to server_IP 21,22,25,53,80,110,3333,10000,31337 ipfw add 1 allow udp from any to server_IP 53 ipfw add 2 deny ip from any to server_IP ipfw add 2 allow ip from any to any out
If you do not separate in and out in rules and have a lot of count rules. This is very aggresive for your server, but save your router. may be you have to tweak this rules (it depends) More detailed description of router/net and original ruleset can help. Also sysctl: net.inet.ip.fastforwarding net.inet.ip.fw.one_pass net.link.ether.inet.proxyall net.inet.ip.redirect net.link.ether.ipfw net.inet.ip.fw.enable net.inet.ip.check_interface Substitute userland traffic counter for count rules helps to low CPU usage > 2. What are 1 2 and 3 called ? For instance, is #1 a "syn flood" ? > > 3. will the solutions given to me actually help ? I mean, the packets > will still hit my firewall, and given the cpu utilization and config I > showed you earlier, will the fixes nullify the effect of these attacks, or > am I so underpowered that getting hit with these in any way, no matter > what precautions I have in place will disable me ? > > thanks a LOT. > > On Sun, 5 Jan 2003, Lars Eggert wrote: > > > On 1/5/2003 1:05 PM, Josh Brooks wrote: > > > > > > I am running this as my firewall/router: > > > > > > 4.4-RELEASE FreeBSD 4.4-RELEASE #0 > > > > > > And I have no ability to change that anytime soon. Recently I have been > > > having a lot of trouble with floods/ddos/etc. When these attacks occur, > > > my firewall is totally unresponsive, I cannot ssh in to type a single > > > command (and thus cannot tcpdump anything) and clients of systems on the > > > inside either get no response, or get: > > > > What processor and NICs do you use? This sounds like your machine is > > being pushed into livelock, which shouldn't happen at the traffic load > > you described (when you say "megs", do you mean Mb/s or MB/s?) > > Complicated firewall rule sets also eat CPU time. > > > > Lars > > -- > > Lars Eggert <[EMAIL PROTECTED]> USC Information Sciences Institute > > > > > To Unsubscribe: send mail to [EMAIL PROTECTED] > with "unsubscribe freebsd-net" in the body of the message > -- @BABOLO http://links.ru/ To Unsubscribe: send mail to [EMAIL PROTECTED] with "unsubscribe freebsd-net" in the body of the message
