From: Terry Lambert
Date: Mon, 06 Jan 2003 11:16:35 -0800
To: soralx@cydem.zp.ua
Cc: freebsd-hackers@FreeBSD.ORG
Subject: Re: DDoS attacks, packets captured ... not sure what to do.
Message-ID: <3E19D613.84622ADE@mindspring.com>

soralx@cydem.zp.ua wrote:
> I doubt that all the packets are sent from one real IP. But, I think,
> it may be possible to determine the IP of an attacker, because it's
> not just a DoS attack. He may use other methods later. I am almost
> sure he tried to scan ports earlier, probably with `nmap -v -O` to
> determine the OS, and now he knows what packets to send.
Knowing his IP address is useless, if it's a denial of service, unless
you have a peering agreement with his NSP/ISP, and/or are within driving
distance, and own a shotgun.

> BTW, what were the UDP packets for? Scanning?

I don't know. You didn't characterize them well enough for anyone to
make a guess.

If they were all frags, with one frag missing, then they were an
intentional denial of service on your UDP packet reassembly buffer,
which is relatively sucky in FreeBSD. Otherwise, they might have been
a Linux NFS over UDP client (same thing, really), or some other attack
(e.g. attempted DNS poisoning, etc.).

-- Terry
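An added example (not part of this thread) of the check Terry's reply calls for, in Python: group captured IP fragments by (source, destination, IP ID, protocol) and report which datagrams can never be reassembled, either because a middle piece is missing (a hole) or because the final fragment never arrived, then count such incomplete datagrams per source address. The addresses, the fragment layout and the helper nfs_like are constructed for the example; a whole NFS-over-UDP sized datagram reassembles cleanly, while the sets with a piece missing are what tie up the reassembly buffer.

```python
from collections import defaultdict, namedtuple

# offset is in bytes (IP fragment offset field * 8); more is the MF bit.
Frag = namedtuple("Frag", "src dst ip_id proto offset length more")

def reassembly_status(frags):
    """Per (src, dst, ip_id, proto) datagram: ('complete'|'hole'|'no-last-fragment', total_len)."""
    groups = defaultdict(list)
    for f in frags:
        groups[(f.src, f.dst, f.ip_id, f.proto)].append(f)
    result = {}
    for key, parts in groups.items():
        last = [p for p in parts if not p.more]
        if not last:                       # final piece never arrived
            result[key] = ("no-last-fragment", None)
            continue
        total = last[0].offset + last[0].length
        covered = 0
        for p in sorted(parts, key=lambda p: p.offset):
            if p.offset > covered:         # gap before this piece: a hole
                break
            covered = max(covered, p.offset + p.length)
        result[key] = ("complete" if covered >= total else "hole", total)
    return result

def incomplete_per_source(frags):
    """Count datagrams that never complete, per source; many from one address is the DoS pattern."""
    counts = defaultdict(int)
    for (src, _, _, _), (status, _) in reassembly_status(frags).items():
        if status != "complete":
            counts[src] += 1
    return dict(counts)

def nfs_like(src, dst, ip_id, total=8192, mtu_payload=1480, drop=None):
    """Constructed helper: fragment a total-byte UDP datagram, optionally omitting piece number drop."""
    out, off = [], 0
    while off < total:
        ln = min(mtu_payload, total - off)
        if off // mtu_payload != drop:
            out.append(Frag(src, dst, ip_id, 17, off, ln, off + ln < total))
        off += ln
    return out

# Constructed sample: one clean 8 KB datagram, then three from one address each lacking a piece.
SAMPLE = (nfs_like("10.0.0.5", "10.0.0.1", 100)
          + nfs_like("192.0.2.77", "10.0.0.1", 5001, drop=2)
          + nfs_like("192.0.2.77", "10.0.0.1", 5002, drop=5)
          + nfs_like("192.0.2.77", "10.0.0.1", 5003, drop=1))
```

Feeding real captures in requires only decoding each packet's IP header into a Frag; the grouping and hole check do not depend on the UDP payload.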