Date: Mon, 19 Feb 2001 16:26:27 -0600 (CST)
From: Bryan Bradsby <Bryan.Bradsby@capnet.state.tx.us>
To: Thomas Cannon <tcannon@noops.org>
Cc: Andy Kim <andy@internetesl.com>, <freebsd-security@FreeBSD.ORG>
Subject: Re: ICMP floods
Message-ID: <Pine.BSF.4.32.0102191600590.7543-100000@localhost>
In-Reply-To: <Pine.BSF.4.21.0102191326050.1468-100000@sonar.noops.org>
One of our Certified NT techs installed a personal firewall at home that was reporting an ICMP "DOS flood" from one of our DNS servers. So he sent an e-mail to my boss saying he was sure the server was hacked, including 10 Megabytes of bitmaps to "prove" it.

I checked the logs and saw 9 packets per second from his box from port 137 to port 137 on the FreeBSD DNS server. Of course the FreeBSD server was sending back ICMP port unreach, just as it should, for each of these Netbios queries.

It seems to me these personal firewalls are (by default) set too sensitive and lump together dangerous and innocuous packet types, resulting in the customer being very surprised to see all those "people hacking my computer". The vendor looks "good" because their product reports "attacks", the customer feels comfortable that "he is now protected", and legitimate infrastructure operators repeatedly explain to very skeptical consumers that one ICMP echo return (per day) is not an attack on their computer.

-bryan bradsby
================================

On Mon, 19 Feb 2001, Thomas Cannon wrote:

> * Andy Kim <andy@internetesl.com> [010219 13:18] wrote:
> > Some of the servers have been getting hit several times with ICMP
> > floods from our FreeBSD server and we can't figure out why. They
> > believe that someone had hacked in and put a trojan on our box.
> > Is there any way of finding out what's going on and more importantly,
> > how to fix the problem? Any help would be greatly appreciated as
> > I am rather new to FreeBSD.
>
> Hi Andy.
>
> What is being used to detect these ICMP floods? What version of FreeBSD do
> you have? Also, do you see anything in the FBSD machine's logs about icmp
> source-quench or bandwidth-limit icmp packets being issued?
>
> It's possible that the machine is broken, yes, but it's also possible that
> the measuring device is broken, or that something is misconfigured, or god
> only knows what.
>
> Cheers,
>
> tcannon
>
> Richard Feynman was a hacker; read any of his books.
> -Bruce Schneier
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
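The case Bryan describes, nine NetBIOS queries a second to a DNS server answered by nine ICMP port-unreachables a second, is only a "flood" to a firewall that judges each inbound ICMP message on its own. An ICMP destination-unreachable carries the IP header and first eight bytes of the datagram that provoked it, so a firewall can pair every unreachable with the outbound packet it answers and alert only on the ones nothing on the host asked for. The script below is an added example written for this page, not code from the thread or from any firewall product; the log line format is constructed for the example (real firewall logs differ), the 5-second correlation window is an assumption, and the addresses are documentation ranges.

```python
"""Correlate inbound ICMP destination-unreachable messages with the outbound
UDP datagrams that provoked them, so that replies to the host's own traffic
are not reported as an attack.  Added example; log format is constructed."""
import re
from collections import defaultdict, deque

# Seconds an outbound datagram stays eligible to explain a later reply (assumption).
WINDOW = 5.0

OUT_RE = re.compile(
    r"t=(?P<t>[\d.]+) out udp (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$")
IN_RE = re.compile(
    r"t=(?P<t>[\d.]+) in icmp (?P<src>[\d.]+) -> (?P<dst>[\d.]+) type=(?P<type>\d+) code=(?P<code>\d+)"
    r"(?: orig=(?P<osrc>[\d.]+):(?P<osport>\d+)->(?P<odst>[\d.]+):(?P<odport>\d+))?$")


def parse(line):
    """Turn one constructed log line into an event dict.  For inbound ICMP the
    'orig=' field is the quoted original datagram's 4-tuple (src, sport, dst, dport)."""
    m = OUT_RE.match(line)
    if m:
        d = m.groupdict()
        return {"t": float(d["t"]), "dir": "out",
                "flow": (d["src"], int(d["sport"]), d["dst"], int(d["dport"]))}
    m = IN_RE.match(line)
    if m:
        d = m.groupdict()
        flow = None
        if d["osrc"]:
            flow = (d["osrc"], int(d["osport"]), d["odst"], int(d["odport"]))
        return {"t": float(d["t"]), "dir": "in", "src": d["src"],
                "type": int(d["type"]), "code": int(d["code"]), "flow": flow}
    raise ValueError(f"unparsed line: {line!r}")


def classify(lines, window=WINDOW):
    """Return counts of solicited vs. unsolicited ICMP unreachables, other ICMP,
    and the peak inbound ICMP rate per one-second bucket."""
    pending = defaultdict(deque)      # flow 4-tuple -> timestamps of unanswered outbound datagrams
    per_second = defaultdict(int)     # int(t) -> inbound ICMP messages in that second
    solicited = unsolicited = other_icmp = 0
    for ev in map(parse, lines):
        if ev["dir"] == "out":
            pending[ev["flow"]].append(ev["t"])
            continue
        per_second[int(ev["t"])] += 1
        if ev["type"] != 3:           # only destination-unreachable (type 3) is correlated here
            other_icmp += 1
            continue
        q = pending.get(ev["flow"])   # flow is None when no original datagram was quoted
        while q and ev["t"] - q[0] > window:
            q.popleft()               # discard outbound datagrams too old to explain this reply
        if q:
            q.popleft()               # one reply consumes one outbound datagram
            solicited += 1
        else:
            unsolicited += 1
    return {"solicited": solicited, "unsolicited": unsolicited,
            "other_icmp": other_icmp,
            "peak_icmp_per_second": max(per_second.values(), default=0)}


def constructed_log():
    """Constructed sample: a home box sends NetBIOS name queries (udp/137) to a DNS
    server at 9/s for two seconds and gets a port-unreachable for each, plus one
    echo request and one unreachable that answer nothing the box sent."""
    home, dns, other = "192.0.2.10", "198.51.100.53", "203.0.113.7"
    lines = []
    for i in range(18):
        t = i / 9
        lines.append(f"t={t:.3f} out udp {home}:137 -> {dns}:137")
        lines.append(f"t={t + 0.002:.3f} in icmp {dns} -> {home} type=3 code=3 "
                     f"orig={home}:137->{dns}:137")
    lines.append(f"t=2.500 in icmp {other} -> {home} type=8 code=0")
    lines.append(f"t=3.500 in icmp {other} -> {home} type=3 code=3 orig={home}:53->{other}:53")
    return lines


if __name__ == "__main__":
    summary = classify(constructed_log())
    print(summary)
    if summary["unsolicited"]:
        print(f"{summary['unsolicited']} unreachable(s) answered nothing this host sent; worth a look")
    else:
        print("every unreachable was a reply to this host's own traffic")
```

Run on the constructed log, the 18 unreachables from the DNS server come out as solicited and the peak rate is the 9 per second Bryan saw in his logs; only the single unreachable that quotes a datagram the home box never sent is left to report. A detector that counts inbound ICMP without this pairing would instead alarm on the 9/s and point at the DNS server, which is exactly the complaint that started the thread.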
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Pine.BSF.4.32.0102191600590.7543-100000>