From owner-freebsd-isp@FreeBSD.ORG Fri May 16 13:50:46 2003
Return-Path:
Delivered-To: freebsd-isp@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 14AAB37B401 for ; Fri, 16 May 2003 13:50:46 -0700 (PDT)
Received: from nemesis.webmatic.de (nemesis.webmatic.de [212.78.99.30]) by mx1.FreeBSD.org (Postfix) with ESMTP id 0C16F43F3F for ; Fri, 16 May 2003 13:50:45 -0700 (PDT) (envelope-from freebsd-isp@chef-ingenieur.de)
Received: from gateway.private.lan (hll9-d9ba107a.pool.mediaWays.net [217.186.16.122]) by nemesis.webmatic.de (Postfix) with ESMTP id D5B1E40E2A for ; Fri, 16 May 2003 22:50:36 +0200 (CEST)
Received: from chef-ingenieur.de (pc-254.private.lan [192.168.1.254]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by gateway.private.lan (Postfix) with ESMTP id C875234D91 for ; Fri, 16 May 2003 22:50:40 +0200 (CEST)
Message-ID: <3EC54FC1.3090104@chef-ingenieur.de>
Date: Fri, 16 May 2003 22:53:21 +0200
From: Thomas Krause -CI-
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; de-AT; rv:1.3) Gecko/20030312
X-Accept-Language: de-at, de, en-us, en
MIME-Version: 1.0
To: freebsd-isp@freebsd.org
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
Subject: router stops working because of udp packets
X-BeenThere: freebsd-isp@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Internet Services Providers
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Fri, 16 May 2003 20:50:46 -0000

Hello,

today, Friday after work finished, our Ethernet-Ethernet router stopped forwarding packets. I was not able to log in over the network. At the console I found that networking was not working.
A tcpdump displayed massive udp packets from one of our customers, src port 1713 dst port 1434:

05/16/2003 19:00:14.781385 x.y.z.170.1713 > 79.122.10.21.1434: udp 376
05/16/2003 19:00:14.782150 x.y.z.170.1713 > 16.137.137.128.1434: udp 376
05/16/2003 19:00:14.783416 x.y.z.170.1713 > 150.141.172.126.1434: udp 376
05/16/2003 19:00:14.783844 x.y.z.170.1713 > 205.160.58.42.1434: udp 376
05/16/2003 19:00:14.784187 x.y.z.170.1713 > 59.43.151.138.1434: udp 376
05/16/2003 19:00:14.784714 x.y.z.170.1713 > 76.38.166.145.1434: udp 376
05/16/2003 19:00:14.785305 x.y.z.170.1713 > 25.185.92.104.1434: udp 376
05/16/2003 19:00:14.786015 x.y.z.170.1713 > 178.116.158.27.1434: udp 376
05/16/2003 19:00:14.787341 x.y.z.170.1713 > 72.166.154.87.1434: udp 376
05/16/2003 19:00:14.787930 x.y.z.170.1713 > 37.41.114.136.1434: udp 376
05/16/2003 19:00:14.788581 x.y.z.170.1713 > 142.84.69.189.1434: udp 376
05/16/2003 19:00:14.789169 x.y.z.170.1713 > 83.182.142.184.1434: udp 376
05/16/2003 19:00:14.789880 x.y.z.170.1713 > 4.229.249.105.1434: udp 376
05/16/2003 19:00:14.790531 x.y.z.170.1713 > 42.233.42.241.1434: udp 376
05/16/2003 19:00:14.791304 x.y.z.170.1713 > 128.126.251.198.1434: udp 376
05/16/2003 19:00:14.792017 x.y.z.170.1713 > 125.128.102.124.1434: udp 376
05/16/2003 19:00:14.792602 x.y.z.170.1713 > 134.174.163.206.1434: udp 376
05/16/2003 19:00:14.793251 x.y.z.170.1713 > 107.136.65.162.1434: udp 376
05/16/2003 19:00:14.793901 x.y.z.170.1713 > 188.206.247.162.1434: udp 376

After blocking port 1713, the bsd box routing is working normally. (I've no access to the customer's PC.) I believe the host of the customer was hacked. Does anybody know what's running on the host? How can I prevent such attacks? Are there any kernel options? Or should I limit the udp traffic?

BTW: 4.6.2-RELEASE-p9 is running on the router.

Regards,
Thomas.
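The tcpdump excerpt above shows one source address sending same-size UDP datagrams to many unrelated destinations on a single port within a few milliseconds, the fan-out pattern of a compromised host scanning outward, which is what saturated the router. The script below is an added example, not code from the post or from FreeBSD; it parses lines in the tcpdump text format quoted in the post and reports any (source, destination port) pair that reaches a threshold of distinct destinations within a short time window, so an operator can spot the offending customer host from a capture before the box falls over. The threshold values (10 destinations within 1 second), the function names, and the one benign DNS line appended to the sample input are assumptions chosen for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# One tcpdump line in the format shown in the post:
#   05/16/2003 19:00:14.781385 x.y.z.170.1713 > 79.122.10.21.1434: udp 376
LINE_RE = re.compile(
    r"^(?P<date>\d{2}/\d{2}/\d{4}) (?P<time>\d{2}:\d{2}:\d{2}\.\d+) "
    r"(?P<src>\S+)\.(?P<sport>\d+) > (?P<dst>\S+)\.(?P<dport>\d+): udp (?P<length>\d+)$"
)


def parse_line(line):
    """Parse one tcpdump UDP line; return a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    ts = datetime.strptime(f"{m['date']} {m['time']}", "%m/%d/%Y %H:%M:%S.%f")
    return {
        "ts": ts,
        "src": m["src"],
        "sport": int(m["sport"]),
        "dst": m["dst"],
        "dport": int(m["dport"]),
        "length": int(m["length"]),
    }


def find_fanout(lines, min_dsts=10, window_s=1.0):
    """Report (src, dport) pairs that reach at least min_dsts distinct
    destinations inside any window_s-second window. Thresholds are assumed
    values for illustration; returns a list of alert dicts."""
    by_key = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            by_key[(rec["src"], rec["dport"])].append(rec)

    alerts = []
    for (src, dport), recs in by_key.items():
        recs.sort(key=lambda r: r["ts"])
        best = 0            # most distinct destinations seen in one window
        best_lengths = set()
        j = 0
        for i in range(len(recs)):
            # slide the window end forward while it stays within window_s of recs[i]
            while j < len(recs) and (recs[j]["ts"] - recs[i]["ts"]).total_seconds() <= window_s:
                j += 1
            window = recs[i:j]
            n = len({r["dst"] for r in window})
            if n > best:
                best = n
                best_lengths = {r["length"] for r in window}
        if best >= min_dsts:
            alerts.append({"src": src, "dport": dport,
                           "distinct_dsts": best, "lengths": sorted(best_lengths)})
    return alerts


# Sample input: 12 of the lines quoted in the post, plus one constructed
# benign DNS query from another host (198.51.100.1 is documentation address space).
SAMPLE = """\
05/16/2003 19:00:14.781385 x.y.z.170.1713 > 79.122.10.21.1434: udp 376
05/16/2003 19:00:14.782150 x.y.z.170.1713 > 16.137.137.128.1434: udp 376
05/16/2003 19:00:14.783416 x.y.z.170.1713 > 150.141.172.126.1434: udp 376
05/16/2003 19:00:14.783844 x.y.z.170.1713 > 205.160.58.42.1434: udp 376
05/16/2003 19:00:14.784187 x.y.z.170.1713 > 59.43.151.138.1434: udp 376
05/16/2003 19:00:14.784714 x.y.z.170.1713 > 76.38.166.145.1434: udp 376
05/16/2003 19:00:14.785305 x.y.z.170.1713 > 25.185.92.104.1434: udp 376
05/16/2003 19:00:14.786015 x.y.z.170.1713 > 178.116.158.27.1434: udp 376
05/16/2003 19:00:14.787341 x.y.z.170.1713 > 72.166.154.87.1434: udp 376
05/16/2003 19:00:14.787930 x.y.z.170.1713 > 37.41.114.136.1434: udp 376
05/16/2003 19:00:14.788581 x.y.z.170.1713 > 142.84.69.189.1434: udp 376
05/16/2003 19:00:14.789169 x.y.z.170.1713 > 83.182.142.184.1434: udp 376
05/16/2003 19:00:14.790000 x.y.z.7.51234 > 198.51.100.1.53: udp 41
"""

if __name__ == "__main__":
    for a in find_fanout(SAMPLE.splitlines()):
        print(f"{a['src']} -> udp/{a['dport']}: {a['distinct_dsts']} destinations "
              f"within 1s, payload sizes {a['lengths']}")
```

Run against a saved `tcpdump -n udp` text capture (`find_fanout(open(path))`), the single DNS query is ignored while the customer host reaches 12 distinct destinations on udp/1434 inside ten milliseconds and is reported with its constant 376-byte payload size; the reported source is the host to filter or rate-limit at the router, which is the step the post describes taking.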