[SAtalk] DOS Attack?

Mike Vanecek Wed, 09 Jul 2003 07:59:59 -0700

I think I am under a DOS attack on port 25. I have received 2172 smtp packets
from the same location yesterday. Due to this activity I have set my firewall
to reject all incoming packets from Japan. I notified [EMAIL PROTECTED],
[EMAIL PROTECTED], and [EMAIL PROTECTED] of the problem.


Is there anything else I should do?

Sample from iptables log (all packets dropped):

Jul  8 00:00:07 www kernel: Asia1 IN=eth0 OUT=
MAC=00:d0:09:3d:69:81:00:04:5a:ef:5e:1d:08:00 SRC=61.121.253.8
DST=192.168.1.95 LEN=60 TOS=0x00 PREC=0x00 TTL=46 ID=45087 DF PROTO=TCP
SPT=43869 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0
Jul  8 00:00:31 www kernel: Asia1 IN=eth0 OUT=
MAC=00:d0:09:3d:69:81:00:04:5a:ef:5e:1d:08:00 SRC=61.121.253.8
DST=192.168.1.95 LEN=60 TOS=0x00 PREC=0x00 TTL=46 ID=45088 DF PROTO=TCP
SPT=43869 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0
Jul  8 00:01:19 www kernel: Asia1 IN=eth0 OUT=
MAC=00:d0:09:3d:69:81:00:04:5a:ef:5e:1d:08:00 SRC=61.121.253.8
DST=192.168.1.95 LEN=60 TOS=0x00 PREC=0x00 TTL=46 ID=45089 DF PROTO=TCP
SPT=43869 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0
Jul  8 00:03:46 www kernel: Asia1 IN=eth0 OUT=
MAC=00:d0:09:3d:69:81:00:04:5a:ef:5e:1d:08:00 SRC=61.121.253.8
DST=192.168.1.95 LEN=60 TOS=0x00 PREC=0x00 TTL=46 ID=18487 DF PROTO=TCP
SPT=43872 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0
Jul  8 00:03:49 www kernel: Asia1 IN=eth0 OUT=
MAC=00:d0:09:3d:69:81:00:04:5a:ef:5e:1d:08:00 SRC=61.121.253.8
DST=192.168.1.95 LEN=60 TOS=0x00 PREC=0x00 TTL=46 ID=18488 DF PROTO=TCP
SPT=43872 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0
Jul  8 00:03:55 www kernel: Asia1 IN=eth0 OUT=
MAC=00:d0:09:3d:69:81:00:04:5a:ef:5e:1d:08:00 SRC=61.121.253.8
DST=192.168.1.95 LEN=60 TOS=0x00 PREC=0x00 TTL=46 ID=18489 DF PROTO=TCP
SPT=43872 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0
Jul  8 00:04:07 www kernel: Asia1 IN=eth0 OUT=
MAC=00:d0:09:3d:69:81:00:04:5a:ef:5e:1d:08:00 SRC=61.121.253.8
DST=192.168.1.95 LEN=60 TOS=0x00 PREC=0x00 TTL=46 ID=18490 DF PROTO=TCP
SPT=43872 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0
Jul  8 00:04:31 www kernel: Asia1 IN=eth0 OUT=
MAC=00:d0:09:3d:69:81:00:04:5a:ef:5e:1d:08:00 SRC=61.121.253.8
DST=192.168.1.95 LEN=60 TOS=0x00 PREC=0x00 TTL=46 ID=18491 DF PROTO=TCP
SPT=43872 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0
Jul  8 00:05:19 www kernel: Asia1 IN=eth0 OUT=
MAC=00:d0:09:3d:69:81:00:04:5a:ef:5e:1d:08:00 SRC=61.121.253.8
DST=192.168.1.95 LEN=60 TOS=0x00 PREC=0x00 TTL=46 ID=18492 DF PROTO=TCP
SPT=43872 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0
Jul  8 00:07:46 www kernel: Asia1 IN=eth0 OUT=
MAC=00:d0:09:3d:69:81:00:04:5a:ef:5e:1d:08:00 SRC=61.121.253.8
DST=192.168.1.95 LEN=60 TOS=0x00 PREC=0x00 TTL=46 ID=65339 DF PROTO=TCP
SPT=43880 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0
.....
Jul  8 23:47:49 www kernel: Asia1 IN=eth0 OUT=
MAC=00:d0:09:3d:69:81:00:04:5a:ef:5e:1d:08:00 SRC=61.121.253.8
DST=192.168.1.95 LEN=60 TOS=0x00 PREC=0x00 TTL=46 ID=13116 DF PROTO=TCP
SPT=50658 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0
Jul  8 23:47:55 www kernel: Asia1 IN=eth0 OUT=
MAC=00:d0:09:3d:69:81:00:04:5a:ef:5e:1d:08:00 SRC=61.121.253.8
DST=192.168.1.95 LEN=60 TOS=0x00 PREC=0x00 TTL=46 ID=13117 DF PROTO=TCP
SPT=50658 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0
Jul  8 23:48:07 www kernel: Asia1 IN=eth0 OUT=
MAC=00:d0:09:3d:69:81:00:04:5a:ef:5e:1d:08:00 SRC=61.121.253.8
DST=192.168.1.95 LEN=60 TOS=0x00 PREC=0x00 TTL=46 ID=13118 DF PROTO=TCP
SPT=50658 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0
Jul  8 23:48:31 www kernel: Asia1 IN=eth0 OUT=
MAC=00:d0:09:3d:69:81:00:04:5a:ef:5e:1d:08:00 SRC=61.121.253.8
DST=192.168.1.95 LEN=60 TOS=0x00 PREC=0x00 TTL=46 ID=13119 DF PROTO=TCP
SPT=50658 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0
Jul  8 23:49:19 www kernel: Asia1 IN=eth0 OUT=
MAC=00:d0:09:3d:69:81:00:04:5a:ef:5e:1d:08:00 SRC=61.121.253.8
DST=192.168.1.95 LEN=60 TOS=0x00 PREC=0x00 TTL=46 ID=13120 DF PROTO=TCP
SPT=50658 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0



-------------------------------------------------------
This SF.Net email sponsored by: Parasoft
Error proof Web apps, automate testing & more.
Download & eval WebKing and get a free book.
www.parasoft.com/bulletproofapps
_______________________________________________
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk

[SAtalk] DOS Attack?

Reply via email to