Date: Tue, 16 Nov 1999 20:15:03 -0800
From: The Mad Scientist <madscientist@thegrid.net>
To: freebsd-security@freebsd.org
Subject: Re: Tracing Spoofed Packets
Message-ID: <4.1.19991116200004.0094ded0@mail.thegrid.net>
In-Reply-To: <4.1.19991116215418.03da5a60@granite.sentex.ca>
References: <4.1.19991116182120.0094d280@mail.thegrid.net>
At 10:09 PM 11/16/99 -0500, you wrote:
>At 09:47 PM 11/16/99 , The Mad Scientist wrote:
>>I doubt it, but is there ANY way to trace spoofed packets coming in from
>>the Internet? I've been getting these packets showing up at my border
>>router pretty regularly for the past few days now:
>
>Not really... You would probably have to get on the phone with each of your
>upstreams, and they in turn with their upstreams and so on and so on until
>you found where the cruft was coming from. How regular is it ?

That's what I was afraid of. My most immediate upstream is Pac Bell and their oh-so-intelligent customer service department, so I'm not even going to try.... Maybe I'll send an email complaining that they should be dropping these sorts of packets.

>It might
>not be your case, but lately, I have seen SPAM coming from rogue sites that
>have reserved addresses for MX records and such, or are pointing the
>domains back to various core routers. If a mailer on your system wants to
>bounce back the message to them, and your upstream is actually routing
>those reserved IPs, you might get ICMP messages about them other than host
>unreachables... Or if it's pointed to a router somewhere, and you have a lot
>in your queue, you will see a whack of 3.3 ICMP unreachable messages...

Very clever. I get my incoming mail from my ISP's POP server and block SMTP connections at the border, so it doesn't sound like that. I wonder if one of my applications is trying to connect to some reserved IP.

>>Nov 15 19:47:43 wormhole /kernel: icmp-response bandwidth limit 284/100 pps
>>Nov 15 19:57:06 wormhole /kernel: ipfw: 400 Deny ICMP:3.13 10.1.6.6 10.0.1.2 in via ed0
>
>Is this your ipfw rule blocking the incoming icmp packet ? or your ipfw
>rule saying block said ip packets from 10.1.6.6. If so, what is 10.1.6.6
>sending you ? try something like

This is my border filter reporting that it dropped a packet from 10.1.6.6 destined for 10.0.1.2 of type 3.13. I don't use 10.1.6.6 in my internal networks, but 10.0.1.2 is one of my workstations. If I notice the packets again, I'll set up a sniffer and dump the packets.

>ipfw add 398 count log ip from 10.0.0.0/12 to any
>ipfw add 399 count log icmp from 10.0.0.0/12 to any
>and then your
>ipfw add 400 deny log ip from 10.0.0.0/12 ....
>
> ---Mike
>**********************************************************************
>Mike Tancsa, Network Admin * mike@sentex.net
>Sentex Communications Corp, * http://www.sentex.net/mike
>Cambridge, Ontario * 519 651 3400
>Canada *
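Added example, not part of the thread: a small Python script that parses ipfw log lines in the format quoted above and flags inbound packets on the Internet-facing interface whose source address falls in private or reserved space, which is what the suggested count/log rules are meant to surface. The sample log lines, the external interface name ed0 and the bogon list are constructed assumptions.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines modelled on the ipfw log entry quoted in the thread.
SAMPLE_LOG = """\
Nov 15 19:57:06 wormhole /kernel: ipfw: 400 Deny ICMP:3.13 10.1.6.6 10.0.1.2 in via ed0
Nov 15 19:57:08 wormhole /kernel: ipfw: 400 Deny ICMP:3.13 10.1.6.6 10.0.1.2 in via ed0
Nov 15 19:58:01 wormhole /kernel: ipfw: 399 Count ICMP:3.3 192.168.7.9 10.0.1.2 in via ed0
Nov 15 19:58:30 wormhole /kernel: ipfw: 500 Accept TCP 203.0.113.5:4321 10.0.1.2:80 in via ed0
Nov 15 19:59:12 wormhole /kernel: ipfw: 400 Deny ICMP:3.13 10.1.6.6 10.0.1.2 out via ed1
"""

# Source ranges that should never arrive from the Internet (assumed list: RFC 1918
# private space, loopback and "this network"); extend to taste.
BOGON_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "0.0.0.0/8")]

# Fields of the old ipfw log format: rule, action, proto[:type.code], src[:port], dst[:port], dir, iface.
LINE_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>\w+) (?P<proto>[A-Z]+)(?::(?P<icmp>\d+\.\d+))? "
    r"(?P<src>[\d.]+)(?::\d+)? (?P<dst>[\d.]+)(?::\d+)? (?P<dir>in|out) via (?P<iface>\S+)")

def parse_line(line):
    """Return a dict of the ipfw fields, or None if the line is not an ipfw log entry."""
    m = LINE_RE.search(line)
    return m.groupdict() if m else None

def is_bogon(addr):
    """True if addr lies in one of the reserved ranges above."""
    return any(ipaddress.ip_address(addr) in net for net in BOGON_NETS)

def find_spoofed(log_text, external_iface="ed0"):
    """Count inbound packets on the external interface with a bogon source.
    Keyed by (src, proto[:type.code]) so repeat offenders stand out."""
    hits = Counter()
    for line in log_text.splitlines():
        f = parse_line(line)
        if not f or f["dir"] != "in" or f["iface"] != external_iface:
            continue  # not ipfw, outbound, or seen on an internal interface
        if is_bogon(f["src"]):
            proto = f["proto"] + (":" + f["icmp"] if f["icmp"] else "")
            hits[(f["src"], proto)] += 1
    return hits

if __name__ == "__main__":
    for (src, proto), n in find_spoofed(SAMPLE_LOG).most_common():
        print(f"{n:4d}  {src:15s}  {proto}")
```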