From owner-freebsd-security@FreeBSD.ORG  Fri Aug 13 22:08:10 2004
Return-Path: <owner-freebsd-security@FreeBSD.ORG>
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 1AEC716A4CE
	for <freebsd-security@freebsd.org>;
	Fri, 13 Aug 2004 22:08:10 +0000 (GMT)
Received: from www.beco.hu (mail.beco.hu [212.108.197.18])
	by mx1.FreeBSD.org (Postfix) with ESMTP id A986743D1F
	for <freebsd-security@freebsd.org>;
	Fri, 13 Aug 2004 22:08:08 +0000 (GMT)	(envelope-from berta@beco.hu)
Received: from [127.0.0.1] (apache.beco.hu [82.131.147.112])
	by www.beco.hu (8.12.11/8.12.11) with ESMTP id i7DM1Z2A031882
	for <freebsd-security@freebsd.org>;
	Sat, 14 Aug 2004 00:01:37 +0200 (CEST)	(envelope-from berta@beco.hu)
Message-ID: <411D3BC3.6050402@beco.hu>
Date: Sat, 14 Aug 2004 00:08:03 +0200
From: Sandor Berta <berta@beco.hu>
User-Agent: Mozilla Thunderbird 0.7.1 (Windows/20040626)
X-Accept-Language: hu-hu, hu
MIME-Version: 1.0
To: freebsd-security@freebsd.org
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
Subject: heavy load on port 443
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Security issues [members-only posting]
	<freebsd-security.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-security>,
	<mailto:freebsd-security-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-security>
List-Post: <mailto:freebsd-security@freebsd.org>
List-Help: <mailto:freebsd-security-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-security>,
	<mailto:freebsd-security-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Fri, 13 Aug 2004 22:08:10 -0000

Hi,

While I was working, the follwing message flud the screen.

Aug 13 23:32:28 www /kernel: Limiting closed port RST response from 213 
to 200 packets per second

The /var/log/apache_ssl_engine.log started
to grow with similar messages:

[13/Aug/2004 23:43:49 66440] [error] SSL handshake failed (server 
www.beco.hu:443, client 217.102.90.240) (OpenSSL library error follows)
[13/Aug/2004 23:43:49 66440] [error] OpenSSL: error:1406908F:SSL 
routines:GET_CLIENT_FINISHED:connection id is different
[13/Aug/2004 23:43:50 31633] [info]  Connection to child 38 established 
(server www.beco.hu:443, client 217.102.90.240)
[13/Aug/2004 23:43:50 31633] [info]  Seeding PRNG with 1160 bytes of entropy
[13/Aug/2004 23:43:51 31633] [error] SSL handshake failed (server 
www.beco.hu:443, client 217.102.90.240) (OpenSSL library error follows)
[13/Aug/2004 23:43:51 31633] [error] OpenSSL: error:1406908F:SSL 
routines:GET_CLIENT_FINISHED:connection id is different

I don't have the output of the following command:
netstat -anfinet
but it showed a lot of connection from the above IP. on port 443.

Has any other effect of such attacks beside
filling the /var/log?

bye
Sandor Berta