Date: Wed, 22 Jun 2005 10:30:57 +0700 (ICT)
From: Olivier Nicole <on@cs.ait.ac.th>
To: troyg@digitek-solutions.com
Cc: freebsd-questions@freebsd.org
Subject: Re: Possible Attack?
Message-ID: <200506220330.j5M3UvuT087574@banyan.cs.ait.ac.th>
In-Reply-To: <42B8D72C.1080609@digitek-solutions.com> (troyg@digitek-solutions.com)
References: <42B8D72C.1080609@digitek-solutions.com>

> Jun 21 21:50:55 mx1 /kernel: Limiting closed port RST response from 230
> to 200 packets per second
> Jun 21 21:51:23 mx1 /kernel: Limiting closed port RST response from 222
> to 200 packets per second
> Jun 21 21:53:02 mx1 /kernel: Limiting closed port RST response from 230
> to 200 packets per second

That is a guy scanning your machine a bit too fast, or an attempted DoS.

If the problem persists, run tcpdump on that machine to try to locate the
source.

An attempted connection to a nonexistent service should return such an RST
packet. From host amanda I tried to connect to TCP 27 on the host sysl; on
the host sysl I can see:

sysl<root>44: tcpdump host amanda
tcpdump: listening on fxp0
10:27:39.891050 amanda.xx.yy.net.1758 > sysl.xx.yy.net.nsw-fe: S 3520569314:3520569314(0) win 57344 <mss 1460,nop,wscale 0,nop,nop,timestamp 68799367 0> (DF) [tos 0x10]
10:27:39.891122 sysl.xx.yy.net.nsw-fe > amanda.xx.yy.net.1758: R 0:0(0) ack 3520569315 win 0

The second packet is the RST.

Olivier
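
One way to triage these kernel messages before starting a capture, as an added example that is not part of the original message: it parses the rate-limit lines quoted above and reports per host how many events occurred, the peak packet rate, and whether they cluster in time. The year argument, the 5-minute window and the burst threshold of 3 are assumptions chosen for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# The three lines quoted in the message above, unwrapped to one event per line.
SAMPLE = """\
Jun 21 21:50:55 mx1 /kernel: Limiting closed port RST response from 230 to 200 packets per second
Jun 21 21:51:23 mx1 /kernel: Limiting closed port RST response from 222 to 200 packets per second
Jun 21 21:53:02 mx1 /kernel: Limiting closed port RST response from 230 to 200 packets per second
"""

LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) /?kernel: "
    r"Limiting (?P<kind>.+?) response from (?P<seen>\d+) to (?P<limit>\d+) "
    r"packets per second")

def parse_events(text, year):
    """Yield (time, host, kind, seen_pps, limit_pps); syslog omits the year."""
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["host"], m["kind"], int(m["seen"]), int(m["limit"])

def summarize(text, year, window=timedelta(minutes=5), burst=3):
    """Group events per (host, kind); flag `burst` or more events inside `window`."""
    groups = defaultdict(list)
    for ts, host, kind, seen, limit in parse_events(text, year):
        groups[(host, kind)].append((ts, seen, limit))
    report = {}
    for key, evs in groups.items():
        evs.sort()
        times = [e[0] for e in evs]
        # Sliding check: do any `burst` consecutive events fit inside `window`?
        sustained = any(times[i + burst - 1] - times[i] <= window
                        for i in range(len(times) - burst + 1))
        report[key] = {
            "events": len(evs),
            "peak_pps": max(e[1] for e in evs),
            "limit_pps": evs[0][2],
            "span": times[-1] - times[0],
            "sustained": sustained,
        }
    return report

if __name__ == "__main__":
    for (host, kind), r in summarize(SAMPLE, 2005).items():
        print(host, kind, r)
```

The kernel message carries no source address, so this only shows when and how hard the host was hit; locating the sender still needs the tcpdump capture described above.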