From owner-freebsd-security Tue Nov 16 20:25:16 1999
Delivered-To: freebsd-security@freebsd.org
Received: from mta2.snfc21.pbi.net (mta2.snfc21.pbi.net [206.13.28.123]) by hub.freebsd.org (Postfix) with ESMTP id 62D32150A9 for ; Tue, 16 Nov 1999 20:25:11 -0800 (PST) (envelope-from madscientist@thegrid.net)
Received: from remus ([63.193.246.169]) by mta2.snfc21.pbi.net (Sun Internet Mail Server sims.3.5.1999.09.16.21.57.p8) with SMTP id <0FLB009EDQP1KC@mta2.snfc21.pbi.net> for freebsd-security@freebsd.org; Tue, 16 Nov 1999 20:19:51 -0800 (PST)
Date: Tue, 16 Nov 1999 20:15:03 -0800
From: The Mad Scientist
Subject: Re: Tracing Spoofed Packets
In-reply-to: <4.1.19991116215418.03da5a60@granite.sentex.ca>
X-Sender: i289861@mail.thegrid.net
To: freebsd-security@freebsd.org
Message-id: <4.1.19991116200004.0094ded0@mail.thegrid.net>
MIME-version: 1.0
X-Mailer: QUALCOMM Windows Eudora Pro Version 4.1
Content-type: text/plain; charset="us-ascii"
References: <4.1.19991116182120.0094d280@mail.thegrid.net>
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

At 10:09 PM 11/16/99 -0500, you wrote:
>At 09:47 PM 11/16/99 , The Mad Scientist wrote:
>>I doubt it, but is there ANY way to trace spoofed packets coming in from
>>the Internet? I've been getting these packets showing up at my border
>>router pretty regularly for the past few days now:
>
>Not really... You would probably have to get on the phone with each of your
>upstreams, and they in turn with their upstreams and so on and so on until
>you found where the cruft was coming from. How regular is it?

That's what I was afraid of. My most immediate upstream is Pac Bell and
their oh-so-intelligent customer service department, so I'm not even going
to try.... Maybe I'll send an email complaining that they should be
dropping these sorts of packets.

>It might not be your case, but lately, I have seen SPAM coming from rogue
>sites that have reserved addresses for MX records and such, or are pointing
>the domains back to various core routers. If a mailer on your system wants
>to bounce back the message to them, and your upstream is actually routing
>those reserved IPs, you might get ICMP messages about them other than host
>unreachables... Or if it's pointed to a router somewhere, and you have a lot
>in your queue, you will see a whack of 3.3 ICMP unreachable messages...

Very clever. I get my incoming mail from my ISP's POP server and block SMTP
connections at the borders, so it doesn't sound like that. I wonder if one
of my applications is trying to connect to some reserved IP.

>>Nov 15 19:47:43 wormhole /kernel: icmp-response bandwidth limit 284/100 pps
>>Nov 15 19:57:06 wormhole /kernel: ipfw: 400 Deny ICMP:3.13 10.1.6.6 10.0.1.2 in via ed0
>
>Is this your ipfw rule blocking the incoming ICMP packet? Or your ipfw
>rule saying block said IP packets from 10.1.6.6? If so, what is 10.1.6.6
>sending you? Try something like

This is my border filter reporting that it dropped a packet from 10.1.6.6
destined for 10.0.1.2 of type 3.13. I don't use 10.1.6.6 in my internal
networks, but 10.0.1.2 is one of my workstations. If I notice the packets
again, I'll set up a sniffer and dump the packets.

>ipfw add 398 count log ip from 10.0.0.0/12 to any
>ipfw add 399 count log icmp from 10.0.0.0/12 to any
>
>and then your
>
>ipfw add 400 deny log ip from 10.0.0.0/12 ....
>
> ---Mike
>**********************************************************************
>Mike Tancsa, Network Admin * mike@sentex.net
>Sentex Communications Corp, * http://www.sentex.net/mike
>Cambridge, Ontario * 519 651 3400
>Canada *
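The thread above leaves two practical questions open: what the "ICMP:3.13" in the ipfw log line means, and how to tell quickly whether the denied packets are a steady trickle from one source (a misconfigured upstream or bounced mail, as Mike suggests) or something broader. The script below is an added example, not code from the thread or from FreeBSD; it decodes the ICMP type.code tokens ipfw logs, summarizes deny lines by rule, protocol, source and destination, and prints a count/deny ruleset covering all three RFC 1918 blocks rather than only 10.0.0.0/12. The sample log lines are constructed in the format quoted above, and the external interface name ed0 is taken from the post; both are assumptions for the example.

```sh
#!/bin/sh
# Added example: triage ipfw "Deny" log lines and emit an RFC 1918 ingress
# filter. Not part of the original message; the log format is assumed to be
# the syslog format quoted in the thread and the outside interface is ed0.

# Constructed sample log lines (assumption: same format as in the post).
sample_log() {
cat <<'EOF'
Nov 15 19:57:06 wormhole /kernel: ipfw: 400 Deny ICMP:3.13 10.1.6.6 10.0.1.2 in via ed0
Nov 15 19:57:07 wormhole /kernel: ipfw: 400 Deny ICMP:3.13 10.1.6.6 10.0.1.2 in via ed0
Nov 15 19:58:11 wormhole /kernel: ipfw: 400 Deny TCP 10.3.2.1:1234 10.0.1.2:25 in via ed0
Nov 15 19:59:00 wormhole /kernel: ipfw: 400 Deny ICMP:3.3 10.1.6.6 10.0.1.5 in via ed0
Nov 15 20:01:00 wormhole /kernel: icmp-response bandwidth limit 284/100 pps
EOF
}

# Decode ipfw's ICMP "type.code" token for the common unreachable codes
# (RFC 792 / RFC 1812). 3.13 is the one seen in the thread.
icmp_name() {
  case "$1" in
    3.0)  echo "net unreachable" ;;
    3.1)  echo "host unreachable" ;;
    3.3)  echo "port unreachable" ;;
    3.13) echo "communication administratively prohibited" ;;
    *)    echo "icmp $1" ;;
  esac
}

# Read ipfw log lines on stdin; print "count rule proto src dst" per
# distinct (rule, proto, src, dst), most frequent first. Non-deny lines
# such as the bandwidth-limit notice are ignored.
summarize_denies() {
  awk '
    /ipfw: [0-9]+ Deny/ {
      for (i = 1; i <= NF; i++) if ($i == "ipfw:") break
      key = $(i+1) " " $(i+3) " " $(i+4) " " $(i+5)
      n[key]++
    }
    END { for (k in n) print n[k], k }
  ' | sort -rn
}

# Total deny events from one source address (ICMP sources carry no port,
# so the match is on the bare address). Reads log lines on stdin.
count_from_src() {
  summarize_denies | awk -v s="$1" '$4 == s { t += $1 } END { print t + 0 }'
}

# Print the ipfw rules that count, log and drop anything arriving on the
# outside interface from any RFC 1918 block. Printed, not installed, so the
# reader can review the numbering against an existing ruleset first.
rfc1918_ingress_rules() {
  iface="${1:-ed0}"
  n=390
  for net in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16; do
    echo "ipfw add $n count log ip from $net to any in via $iface"
    n=$((n + 1))
    echo "ipfw add $n deny log ip from $net to any in via $iface"
    n=$((n + 1))
  done
}

# Stand-alone run: summarize the sample and show the ruleset.
sample_log | summarize_denies
echo "10.1.6.6 denies: $(sample_log | count_from_src 10.1.6.6)"
echo "3.13 is: $(icmp_name 3.13)"
rfc1918_ingress_rules ed0
```

The count rules are placed before the deny rules on purpose: `ipfw show` then gives a running total per block without having to grep the log, and the deny rule's `log` keyword still records each packet (subject to `net.inet.ip.fw.verbose_limit`), which is what produced the line quoted in the thread.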