From owner-freebsd-security Tue Nov 16 20:13:06 1999
Delivered-To: freebsd-security@freebsd.org
Received: from gndrsh.dnsmgr.net (GndRsh.dnsmgr.net [198.145.92.4]) by hub.freebsd.org (Postfix) with ESMTP id 8C2A914FBE for ; Tue, 16 Nov 1999 20:13:02 -0800 (PST) (envelope-from freebsd@gndrsh.dnsmgr.net)
Received: (from freebsd@localhost) by gndrsh.dnsmgr.net (8.9.3/8.9.3) id UAA20102; Tue, 16 Nov 1999 20:12:44 -0800 (PST) (envelope-from freebsd)
From: "Rodney W. Grimes"
Message-Id: <199911170412.UAA20102@gndrsh.dnsmgr.net>
Subject: Re: Tracing Spoofed Packets
In-Reply-To: <4.1.19991116215418.03da5a60@granite.sentex.ca> from Mike Tancsa at "Nov 16, 1999 10:09:27 pm"
To: mike@sentex.net (Mike Tancsa)
Date: Tue, 16 Nov 1999 20:12:44 -0800 (PST)
Cc: madscientist@thegrid.net (The Mad Scientist), freebsd-security@FreeBSD.ORG
X-Mailer: ELM [version 2.4ME+ PL54 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> At 09:47 PM 11/16/99 , The Mad Scientist wrote:
> >I doubt it, but is there ANY way to trace spoofed packets coming in from
> >the Internet? I've been getting these packets showing up at my border
> >router pretty regularly for the past few days now:
>
> Not really... You would probably have to get on the phone with each of your
> upstreams, and they in turn with their upstreams and so on and so on until
> you found where the cruft was coming from. How regular is it? It might
> not be your case, but lately, I have seen SPAM coming from rogue sites that
> have reserved addresses for MX records and such, or are pointing the
> domains back to various core routers. If a mailer on your system wants to

That reminds me of a hack I started working on that someone really should do.
In gated for routing we have the ``martians list'' of IP addresses that it
won't listen to nobody nohow about routing for; well, it would be really sweet
if bind/named could also have this, so that these bogus NS records with RFC1918
addresses in them (mostly due to misconfigured internal nameservers leaking info
to the Internet) could be easily ignored by those of us who know how to do it
correctly. Just to see how bad it is, go do an ndc dump on a nameserver handling
any large mailing list and search for RFC1918 addresses, or turn on filter
logging for RFC1918 space and watch how often your mail server hits on them...

> bounce back the message to them, and your upstream is actually routing
> those reserved IPs, you might get ICMP messages about them other than host
> unreachables... Or if it's pointed to a router somewhere, and you have a lot
> in your queue, you will see a whack of 3.3 ICMP unreachable messages...
>
> >Nov 15 19:47:43 wormhole /kernel: icmp-response bandwidth limit 284/100
> >pps
> >Nov 15 19:57:06 wormhole /kernel: ipfw: 400 Deny ICMP:3.13 10.1.6.6
> >10.0.1.2 in
> >via ed0
>
> Is this your ipfw rule blocking the incoming ICMP packet? Or your ipfw
> rule saying block said IP packets from 10.1.6.6? If so, what is 10.1.6.6
> sending you? Try something like
> ipfw add 398 count log ip from 10.0.0.0/12 to any
> ipfw add 399 count log icmp from 10.0.0.0/12 to any
> and then your
> ipfw add 400 deny log ip from 10.0.0.0/12 ....
>
> ---Mike
> **********************************************************************
> Mike Tancsa, Network Admin * mike@sentex.net
> Sentex Communications Corp, * http://www.sentex.net/mike
> Cambridge, Ontario * 519 651 3400
> Canada *
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
>

--
Rod Grimes - KD7CAX @ CN85sl - (RWG25) rgrimes@gndrsh.dnsmgr.net

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
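The two checks the thread suggests, counting how often packets from RFC1918 space hit the border router's ipfw log and searching an ndc dump for NS/A glue that points into RFC1918 space, as one added example (editor's code, not from Rod, Mike or the FreeBSD project). It assumes the ipfw(8) syslog layout shown in the quoted log line ("ipfw: RULE ACTION PROTO SRC DST in|out via IFACE") and a zone-file style named dump ("$ORIGIN" lines, relative owner names, "owner TTL IN TYPE RDATA ;comment"). All sample log and dump lines are constructed, and treating loopback, link-local and 0/8 as martians alongside the three RFC1918 blocks is an assumption beyond what the thread discusses.

```python
"""Find RFC1918 ("martian") addresses in ipfw log lines and in a BIND
cache dump.  Added example; all sample lines below are constructed."""
import ipaddress
import re
from collections import Counter

# RFC1918 space is what the thread is about.  The other three prefixes are
# an assumption: gated's martian list drops them too, and no legitimate
# Internet host sources packets from them.
MARTIANS = [ipaddress.ip_network(p) for p in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC1918
    "0.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",      # assumed extras
)]


def martian_net(addr):
    """Return the martian prefix containing addr, or None if it is routable."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return None
    return next((net for net in MARTIANS if ip in net), None)


# ipfw(8) syslog lines of the form seen in the thread, e.g.
#   ipfw: 400 Deny ICMP:3.13 10.1.6.6 10.0.1.2 in via ed0
#   ipfw: 398 Count TCP 10.1.6.6:2049 192.0.2.25:25 in via ed0
IPFW_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>\w+) (?P<proto>\S+) "
    r"(?P<src>\S+) (?P<dst>\S+) (?P<dir>in|out) via (?P<iface>\S+)"
)


def parse_ipfw_line(line):
    """Parse one ipfw log line into a dict, or return None if it is not one."""
    m = IPFW_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    # TCP/UDP show host:port; ICMP puts type.code on the proto token instead.
    rec["src"] = rec["src"].split(":")[0]
    rec["dst"] = rec["dst"].split(":")[0]
    rec["proto"] = rec["proto"].split(":")[0]
    return rec


def count_martian_sources(lines):
    """Counter keyed by (martian prefix, source address, proto) for inbound
    hits: what Mike's 'count log' rules would show, for all of RFC1918."""
    hits = Counter()
    for line in lines:
        rec = parse_ipfw_line(line)
        if rec is None or rec["dir"] != "in":
            continue
        net = martian_net(rec["src"])
        if net is not None:
            hits[(str(net), rec["src"], rec["proto"])] += 1
    return hits


def find_martian_records(dump_lines):
    """Return (owner, address) for A records in a named dump that point
    into martian space.  Assumes 'owner TTL IN TYPE RDATA ;comment' lines."""
    origin = "."
    found = []
    for raw in dump_lines:
        line = raw.split(";", 1)[0].strip()     # drop ';Cr=...' comments
        if not line:
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
            continue
        fields = line.split()
        if len(fields) < 5 or fields[2] != "IN" or fields[3] != "A":
            continue
        owner = fields[0]
        if owner == "@":
            owner = origin
        elif not owner.endswith("."):
            owner = owner + "." + origin
        if martian_net(fields[4]) is not None:
            found.append((owner, fields[4]))
    return found


# Constructed sample input (not from the post), in the two formats above.
SAMPLE_LOG = [
    "Nov 15 19:57:06 wormhole /kernel: ipfw: 400 Deny ICMP:3.13 10.1.6.6 10.0.1.2 in via ed0",
    "Nov 15 19:57:07 wormhole /kernel: ipfw: 398 Count TCP 10.1.6.6:2049 192.0.2.25:25 in via ed0",
    "Nov 15 19:57:08 wormhole /kernel: ipfw: 398 Count TCP 192.168.3.4:1025 192.0.2.25:25 in via ed0",
    "Nov 15 19:57:09 wormhole /kernel: ipfw: 500 Accept TCP 203.0.113.9:1025 192.0.2.25:25 in via ed0",
    "Nov 15 19:57:10 wormhole /kernel: ipfw: 398 Count TCP 10.1.6.6:2050 192.0.2.25:25 in via ed0",
    "Nov 15 19:57:11 wormhole /kernel: ipfw: 600 Deny TCP 192.0.2.25:25 10.1.6.6:2050 out via ed0",
]
SAMPLE_DUMP = [
    "; Dumped at Tue Nov 16 20:12:44 1999",
    "$ORIGIN example.net.",
    "ns1\t86400\tIN\tA\t10.1.6.6\t;Cr=addtnl",
    "ns2\t86400\tIN\tA\t192.0.2.2\t;Cr=auth",
    "mail.example.org.\t3600\tIN\tA\t172.20.1.5\t;Cr=answer",
    "$ORIGIN example.org.",
    "@\t3600\tIN\tMX\t10 mail\t;Cr=auth",
]

if __name__ == "__main__":
    for key, n in sorted(count_martian_sources(SAMPLE_LOG).items()):
        print("%-16s %-15s %-5s %d" % (key + (n,)))
    for owner, addr in find_martian_records(SAMPLE_DUMP):
        print("martian glue: %s A %s" % (owner, addr))
```

Run it against /var/log/security (or wherever ipfw logging lands) and against the named_dump.db that ndc dump writes; the outbound "Deny" line in the sample is deliberately skipped, since the question is who is sending you RFC1918-sourced traffic, not what your own queue is bouncing back.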