Date:      Tue, 24 Oct 2000 19:03:15 -0700
From:      "Crist J . Clark" <cjclark@reflexnet.net>
To:        Craig Beasland <craig@hotmix.com.au>
Cc:        questions@FreeBSD.ORG
Subject:   Re: Possible network attack
Message-ID:  <20001024190315.U75251@149.211.6.64.reflexcom.com>
In-Reply-To: <B1471D5DCC74D4119444004005E23A2001CEA5@CORONA>; from craig@hotmix.com.au on Wed, Oct 25, 2000 at 09:08:54AM +0800
References:  <B1471D5DCC74D4119444004005E23A2001CEA5@CORONA>

On Wed, Oct 25, 2000 at 09:08:54AM +0800, Craig Beasland wrote:
> Hi there,
> 
> This morning I received an email from someone in NZ suggesting that my
> system may have been breached, based on some entries in his firewall log.
> There are about 100 of these messages he sent back to me, but I have no idea
> what the problem may be.  The system is running
> 
> This machine runs userland ppp -ddial -alias for its internet connection and
> ipfw with an open policy.
> 
> cheers
> craig
> 
> 8:02:44 drop   trex-public >qfe0 proto icmp src kipco.mydomain.com.au dst
> 95-127.team.xtra.co.nz rule 64 icmp-type 8 icmp-code 0
>  8:02:44 drop   trex-public >qfe0 proto icmp src kipco.mydomain.com.au dst
> 95-126.team.xtra.co.nz rule 64 icmp-type 8 icmp-code 0
>  8:02:44 drop   trex-public >qfe0 proto icmp src kipco.mydomain.com.au dst
> 95-125.team.xtra.co.nz rule 64 icmp-type 8 icmp-code 0
>  8:02:44 drop   trex-public >qfe0 proto icmp src kipco.mydomain.com.au dst
> 95-124.team.xtra.co.nz rule 64 icmp-type 8 icmp-code 0
>  8:02:44 drop   trex-public >qfe0 proto icmp src kipco.mydomain.com.au dst
> 95-123.team.xtra.co.nz rule 64 icmp-type 8 icmp-code 0
>  8:02:44 drop   trex-public >qfe0 proto icmp src kipco.mydomain.com.au dst
> 95-122.team.xtra.co.nz rule 64 icmp-type 8 icmp-code 0
>  8:02:44 drop   trex-public >qfe0 proto icmp src kipco.mydomain.com.au dst
> 95-121.team.xtra.co.nz rule 64 icmp-type 8 icmp-code 0

It looks like a bunch of echo requests. Really hard to say if anything
funny is going on. Would you be pinging them multiple times per
second? Is the destination address a broadcast address? Maybe someone
is trying to smurf you?
-- 
Crist J. Clark                           cjclark@alum.mit.edu
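
Added example, not part of the original message or thread: a small Python triage script that reads the quoted firewall entries (mail quoting and line wrapping included) and reports, per second and source, how many echo requests were dropped and whether they went to one host repeatedly or to many hosts once each. The field layout in the regular expression is assumed from the quoted entries, and the pattern labels are this example's own.

```python
import re
from collections import Counter, defaultdict

# Field layout assumed from the entries quoted in the message; \s+ between
# fields lets one pattern match entries that the mail client wrapped.
ENTRY = re.compile(
    r"(?P<time>\d{1,2}:\d{2}:\d{2})\s+drop\s+\S+\s+>\S+\s+proto\s+icmp\s+"
    r"src\s+(?P<src>\S+)\s+dst\s+(?P<dst>\S+)\s+rule\s+\d+\s+"
    r"icmp-type\s+(?P<type>\d+)\s+icmp-code\s+\d+"
)

# Sample input: the first three quoted entries as they appear in the mail
# (quote markers and wrapping included).
SAMPLE = """\
> 8:02:44 drop   trex-public >qfe0 proto icmp src kipco.mydomain.com.au dst
> 95-127.team.xtra.co.nz rule 64 icmp-type 8 icmp-code 0
>  8:02:44 drop   trex-public >qfe0 proto icmp src kipco.mydomain.com.au dst
> 95-126.team.xtra.co.nz rule 64 icmp-type 8 icmp-code 0
>  8:02:44 drop   trex-public >qfe0 proto icmp src kipco.mydomain.com.au dst
> 95-125.team.xtra.co.nz rule 64 icmp-type 8 icmp-code 0
"""


def echo_requests(text):
    """Yield (time, src, dst) for every dropped ICMP echo request (type 8)."""
    unquoted = "\n".join(line.lstrip("> ") for line in text.splitlines())
    for m in ENTRY.finditer(unquoted):
        if m["type"] == "8":
            yield m["time"], m["src"], m["dst"]


def summarize(text):
    """Per (second, source): request count, distinct targets, worst repeat."""
    per_key = defaultdict(Counter)
    for time, src, dst in echo_requests(text):
        per_key[(time, src)][dst] += 1
    return {
        key: {"requests": sum(c.values()), "targets": len(c),
              "max_per_target": max(c.values())}
        for key, c in per_key.items()
    }


def pattern(stats):
    """Label one (second, source) bucket; labels are this example's own."""
    if stats["max_per_target"] > 1:
        return "repeated pings to one host"
    return "sweep across hosts" if stats["targets"] > 1 else "single ping"
```

The log records hostnames only, so it cannot show whether a destination is a broadcast address; that check needs the destination IP addresses and the netmask of the receiving network.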

