Date: Mon, 1 Jul 2002 15:32:34 +0300
From: Peter Pentchev
To: Tilo Kremer
Cc: freebsd-security@freebsd.org
Subject: Re: other DoSes
Message-ID: <20020701123233.GC376@straylight.oblivion.bg>
In-Reply-To: <20020701132845.A88200@public.uni-hamburg.de>
References: <20020701132845.A88200@public.uni-hamburg.de>
User-Agent: Mutt/1.5.1i

On Mon, Jul 01, 2002 at 01:28:45PM +0200, Tilo Kremer wrote:
> hi,
> apart from the apache worm, on friday i saw some other weird things going on on my freebsd machines:
> my dns was flooding my mx.
> resolver:53 -> mx:1032

This is most probably in reverse: I would guess that, in fact, it was your mail exchanger sending lots of requests to your DNS server. The value of the port number at the MX's side - 1032 - seems like an ephemeral port, one that is allocated dynamically for each outgoing connection. Thus, my guess would be that something is actually flooding your MX server (or, to be a bit more pedantic, some service running on that server) with some kind of application requests, and the server is trying to resolve the flooder's IP addresses to hostnames so it can log them properly.

Take a look at the logs of all the services running on your mail exchanger at the time; it does not have to be mail-related (web, SSH, FTP come to mind), and even if it is, you still have a choice between SMTP, POP3, IMAP, or some other e-mail related service. Try to find out which service was generating the name resolution requests, then try to find out whether they were indeed a result of an attack or just normal high traffic.

G'luck,
Peter

-- 
Peter Pentchev	roam@ringlet.net	roam@FreeBSD.org
PGP key:	http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint	FDBA FD79 C26F 3C51 C95E DF9E ED18 B68D 1619 4553
I am the meaning of this sentence.
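The port-based reasoning in the reply above (the side on an ephemeral port is the one that initiated the exchange, so "resolver:53 -> mx:1032" is really the MX querying its resolver) can be applied mechanically to a batch of observed flows. The following is an added example written for this archive page, not code from the thread; it assumes the classic FreeBSD default ephemeral range 1024-5000 (net.inet.ip.portrange.first/last) and uses constructed flow lines modelled on the one quoted.

```python
"""Infer the initiating side of observed flows from port classes and count
who is really sending requests to whom.  Added example, not from the thread.
Ephemeral range is assumed to be the old FreeBSD default 1024..5000; on other
systems use the IANA range 49152..65535 or the host's configured range.
"""
from collections import Counter
from typing import Dict, Optional, Tuple

EPHEMERAL = range(1024, 5001)   # assumed FreeBSD default (inclusive 1024..5000)
WELL_KNOWN = range(0, 1024)     # service ports such as 53 (DNS) or 25 (SMTP)


def parse_flow(line: str) -> Tuple[str, int, str, int]:
    """Parse 'host:port -> host:port' into (src_host, src_port, dst_host, dst_port)."""
    src, dst = (part.strip() for part in line.split("->"))
    src_host, src_port = src.rsplit(":", 1)
    dst_host, dst_port = dst.rsplit(":", 1)
    return src_host, int(src_port), dst_host, int(dst_port)


def infer_client(sh: str, sp: int, dh: str, dp: int) -> Optional[Tuple[str, str]]:
    """Return (client, server): the ephemeral-port side is the client.
    None when both ports fall in the same class, so direction is ambiguous."""
    if sp in EPHEMERAL and dp in WELL_KNOWN:
        return sh, dh
    if dp in EPHEMERAL and sp in WELL_KNOWN:
        return dh, sh
    return None


def requesters(lines) -> Dict[Tuple[str, Optional[str]], int]:
    """Count flows per (inferred client, 'server:port'); ambiguous flows are
    tallied under ('undetermined', None) instead of being guessed."""
    counts: Counter = Counter()
    for line in lines:
        sh, sp, dh, dp = parse_flow(line)
        role = infer_client(sh, sp, dh, dp)
        if role is None:
            counts[("undetermined", None)] += 1
            continue
        client, server = role
        server_port = dp if client == sh else sp
        counts[(client, f"{server}:{server_port}")] += 1
    return dict(counts)


# Constructed sample flows: the quoted line plus a few variations.
SAMPLE_FLOWS = [
    "resolver:53 -> mx:1032",   # DNS reply back to the MX's ephemeral port
    "resolver:53 -> mx:1033",
    "mx:1032 -> resolver:53",   # the MX's query itself
    "mx:1034 -> resolver:53",
    "client-a:2048 -> mx:25",   # an SMTP client talking to the MX
    "mx:25 -> resolver:53",     # both well-known: cannot tell who initiated
]

if __name__ == "__main__":
    for key, n in sorted(requesters(SAMPLE_FLOWS).items(), key=lambda kv: -kv[1]):
        print(key, n)
```

Run over the sample, the MX shows up as the party initiating four flows toward resolver:53, which is the reading the reply argues for; feed it the real packet capture or firewall log lines instead to see which host is actually generating the lookups.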