From owner-freebsd-security  Sun Jun 13 10:33:28 1999
Delivered-To: freebsd-security@freebsd.org
Received: from flood.ping.uio.no (flood.ping.uio.no [129.240.78.31])
	by hub.freebsd.org (Postfix) with ESMTP id E712514FA4
	for <security@FreeBSD.ORG>; Sun, 13 Jun 1999 10:33:26 -0700 (PDT)
	(envelope-from des@flood.ping.uio.no)
Received: (from des@localhost)
	by flood.ping.uio.no (8.9.3/8.9.1) id TAA30798;
	Sun, 13 Jun 1999 19:33:21 +0200 (CEST)
	(envelope-from des)
To: Jay Nelson <jdn@acp.qiv.com>
Cc: security@FreeBSD.ORG
Subject: Re: Connection attempts to port 7
References: <Pine.BSF.4.05.9906131218430.678-100000@acp.qiv.com>
From: Dag-Erling Smorgrav <des@flood.ping.uio.no>
Date: 13 Jun 1999 19:33:21 +0200
In-Reply-To: Jay Nelson's message of "Sun, 13 Jun 1999 12:25:47 -0500 (CDT)"
Message-ID: <xzpzp24rony.fsf@flood.ping.uio.no>
Lines: 19
X-Mailer: Gnus v5.5/Emacs 19.34
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Jay Nelson <jdn@acp.qiv.com> writes:
> Recently, I've been getting _many_ attempts to connect to the echo
> service (which I have disabled) -- mostly non-resolvable addresses
> that disappear somewhere behind doubleclick.net.

If the source address is spoofed, it's not a connection attempt, but a
syn flood. Set up a firewall to drop connection attempts to all ports
except those you want to keep open. This won't help if the attacker
finds out and switches to a port you want to keep open; if that
happens, install the SYN rate limiting patch which was posted here a
while ago (search the BUGTRAQ archives on www.geek-girl.com).

> Does anyone know of a legitimate reason why they would do this?

No.

DES
-- 
Dag-Erling Smorgrav - des@flood.ping.uio.no


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message