From: soralx@cydem.zp.ua
To: freebsd-hackers@freebsd.org
Subject: Re: DDoS attacks, packets captured ... not sure what to do.
Date: Sun, 5 Jan 2003 23:33:39 -0700
X-Mailer: KMail [version 1.4]
References: <20030105145150.N80512-100000@mail.econolodgetulsa.com>
In-Reply-To: <20030105145150.N80512-100000@mail.econolodgetulsa.com>
Message-Id: <200301052332.59925.soralx@cydem.zp.ua>
Sender: owner-freebsd-hackers@FreeBSD.ORG
List-ID: freebsd-hackers

> 1. a ton of TCP SYN, [1658] -> [106] 3COM-TSMUX to ports that do
> not exist on the target.

This is not a 'SYN flood'; 'SYN flood' = TCP SYN+FIN.
Seems like someone is continuously using a TCP SYN "half-open" scan to get
your open ports, or just sends random SYN packets.

> 2. a noticeable amount of christmas tree packets aimed at the target:
> TCP FIN SYN RST PSH ACK, [1400] -> [98] TAC-news
> again, to ports not actually open on the target.
> Also some of them are not quite as xmas as others:
> TCP SYN RST PSH ACK, [1230] -> [118] SQL-service
> again, directed at a service that does not exist.

Try using the 'ipfw' option 'tcpflags' to ignore such packets, or dummynet.

> 3. These seem less frequent, but I am seeing:
> UDP, [21397] -> [2284]
> Source port: [21397]
> Destination port: [2284]
> UDP length: 908
> Checksum: 0x0000 (data fragment - not able to check)
> So .. a UDP fragment sent to a port not open on the target. This also
> seems like bad news.

UDP scan? Try "options ICMP_BANDLIM", if not already enabled.

> 3. will the solutions given to me actually help? I mean, the packets
> will still hit my firewall, and given the cpu utilization and config I
> showed you earlier, will the fixes nullify the effect of these attacks, or

Limiting ICMP pps may help. If you configure 'ipfw' to ignore such packets
(and also other trash packets that are useless), the target will not send
RST for closed ports, which may also help. I don't know for certain - you
need to experiment.

05.01.2003; 23:25:10 [SorAlx] http://cydem.zp.ua/
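The reply above points at TCP flag combinations as the thing to filter on. The script below is an added example, not code from either poster: it parses capture lines laid out the way the original poster quoted them ("PROTO FLAGS, [src port] -> [dst port]"), labels each packet by whether its flag combination can occur in a legitimate TCP exchange, and emits the ipfw 'tcpflags' rule that would drop each bad class. The capture lines, verdict names and rule numbers are constructed for the example; the ipfw syntax is the documented 'tcpflags' keyword, where a comma-separated list names flags that must be set and a leading '!' names flags that must be clear.

```python
import re
from collections import Counter

# Constructed capture lines in the layout quoted in the thread
# ("PROTO FLAGS, [src port] -> [dst port] service"); sample data, not the
# original poster's actual capture.
SAMPLE_CAPTURE = """\
TCP SYN, [1658] -> [106] 3COM-TSMUX
TCP FIN SYN RST PSH ACK, [1400] -> [98] TAC-news
TCP SYN RST PSH ACK, [1230] -> [118] SQL-service
TCP SYN ACK, [80] -> [49152]
TCP FIN ACK, [443] -> [49153]
TCP, [40000] -> [22]
UDP, [21397] -> [2284]
"""

LINE_RE = re.compile(r"^(TCP|UDP)((?: [A-Z]+)*), \[(\d+)\] -> \[(\d+)\]")
TCP_FLAGS = {"FIN", "SYN", "RST", "PSH", "ACK", "URG"}


def parse_line(line):
    """Return (proto, flag set, sport, dport) for one capture line, or None
    when the line does not follow the layout."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    proto, flag_str, sport, dport = m.groups()
    flags = frozenset(flag_str.split())
    unknown = flags - TCP_FLAGS
    if unknown:
        raise ValueError("unknown TCP flag(s): %s" % sorted(unknown))
    return proto, flags, int(sport), int(dport)


def classify(proto, flags):
    """Label a packet by its flag combination. Combinations a conforming TCP
    stack never sends (SYN with FIN or RST, no flags at all, FIN without ACK)
    are safe to drop at the firewall; a lone SYN is a normal connection
    attempt and only stands out by volume or by targeting closed ports."""
    if proto != "TCP":
        return "udp"
    f = set(flags)
    if {"FIN", "SYN", "RST", "PSH", "ACK"} <= f:
        return "xmas-tree"          # every flag lit, as in the quoted capture
    if {"SYN", "FIN"} <= f:
        return "invalid SYN+FIN"
    if {"SYN", "RST"} <= f:
        return "invalid SYN+RST"
    if not f:
        return "null"
    if "FIN" in f and "ACK" not in f:
        return "bare FIN"
    if f == {"SYN"}:
        return "syn"
    return "ok"


def summarize(capture_text):
    """Count verdicts over a whole capture; unparseable lines are skipped."""
    counts = Counter()
    for line in capture_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        proto, flags, _sport, _dport = parsed
        counts[classify(proto, flags)] += 1
    return counts


# One ipfw rule per bad class. Rule numbers are placeholders chosen for this
# example; an xmas-tree packet already carries SYN+FIN, so it shares that rule.
IPFW_RULE_FOR = {
    "xmas-tree":       "ipfw add 1001 deny log tcp from any to any tcpflags syn,fin",
    "invalid SYN+FIN": "ipfw add 1001 deny log tcp from any to any tcpflags syn,fin",
    "invalid SYN+RST": "ipfw add 1002 deny log tcp from any to any tcpflags syn,rst",
    "null":            "ipfw add 1003 deny log tcp from any to any tcpflags !fin,!syn,!rst,!psh,!ack,!urg",
    "bare FIN":        "ipfw add 1004 deny log tcp from any to any tcpflags fin,!ack",
}


def ipfw_rules(counts):
    """Distinct ipfw rules covering the bad verdicts seen, in rule-number order."""
    return sorted({IPFW_RULE_FOR[v] for v in counts if v in IPFW_RULE_FOR})


if __name__ == "__main__":
    verdicts = summarize(SAMPLE_CAPTURE)
    for verdict, n in verdicts.most_common():
        print("%-16s %d" % (verdict, n))
    print()
    for rule in ipfw_rules(verdicts):
        print(rule)
```

Run it as-is to see the verdict counts for the constructed capture and the three rules they call for. The "syn" and "udp" classes deliberately get no rule: a plain SYN or a UDP datagram is valid traffic, and for those the thread's other suggestions (ICMP rate limiting, dummynet) apply rather than a flag-based drop.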