Date:      Thu, 11 Oct 2001 02:06:49 +1000 (EST)
From:      Ian Smith <smithi@nimnet.asn.au>
To:        Randy Lee <bl33z@yahoo.com>
Cc:        questions@FreeBSD.ORG, freebsd-security@FreeBSD.ORG
Subject:   Re: ipfw - DoS ?
Message-ID:  <Pine.BSF.3.96.1011011014500.9941A-100000@gaia.nimnet.asn.au>
In-Reply-To: <20011009233730.11902.qmail@web20907.mail.yahoo.com>

On Tue, 9 Oct 2001, Randy Lee wrote:

 > Oct  9 12:00:02 MY /kernel: Connection attempt to TCP
 > 216.8.77.2:0 from 202.228.131.2:3072
[..]
 > Oct  9 12:00:05 MY /kernel: Connection attempt to TCP
 > 216.8.77.2:0 from 202.253.21.75:3072

This source port 3072 was arbitrarily chosen.  It could be any port 1024
and above.  It's not significant.  The varying source addresses are more
likely than not spoofed, or relays, and likely not worth chasing up
either. Hopefully you have no TCP server bound to port 0  :-) 

 > Oct  9 12:00:06 MY /kernel: Connection attempt to TCP
 > 216.8.77.2:0 from 202.204.219.111:1024
[..]
 > Oct  9 12:00:10 MY /kernel: Connection attempt to TCP
 > 216.8.77.2:0 from 209.5.171.39:1024
[..]

Likely a freshly rebooted win box using the first port allocated, 1024.

 > Oct  9 12:00:11 MY /kernel: Connection attempt to TCP
 > 216.8.77.2:0 from 216.138.54.79:3072

Either 2 kiddies hit you at once, or the scan was distributed via a
couple of other hosts.  Again, most often not worth hotly pursuing.

 > Is someone DoS'ing my server?

Running some script looking for a port 0 server, more likely.  If there
were thousands of these you might consider it a try at a DoS attack.

 > How can I deny all connections from port :3072 and
 > :1024 using ipfw?

Never mind about the 'from' unless you do want to block some particular
site/s sometime; you want (in a nutshell) to allow connections (setup)
to services you are providing (mail, web, whatever), allow established
connections, and then deny everything else.  Use rc.firewall as a guide. 

Cheers, Ian
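An added example, not part of the thread above: a small sh/awk summariser for the "Connection attempt to TCP" kernel messages quoted in this exchange (the output of net.inet.tcp.log_in_vain). It groups the messages by target port, counts attempts and distinct sources, and applies the rule of thumb Ian gives, a handful of probes is a script looking for a port 0 server, thousands would look more like a DoS attempt. The sample log is the five lines quoted in the thread plus one constructed entry on port 25; the 1000-attempt threshold is an assumption, not anything from the thread.

```sh
#!/bin/sh
# Added example (not from the original thread): summarise log_in_vain
# kernel messages by target port and decide scan vs flood by volume.

# Sample input: the five lines quoted in the thread plus one constructed
# entry on port 25, so a legitimate-looking target is reported separately.
sample_log() {
    cat <<'EOF'
Oct  9 12:00:02 MY /kernel: Connection attempt to TCP 216.8.77.2:0 from 202.228.131.2:3072
Oct  9 12:00:05 MY /kernel: Connection attempt to TCP 216.8.77.2:0 from 202.253.21.75:3072
Oct  9 12:00:06 MY /kernel: Connection attempt to TCP 216.8.77.2:0 from 202.204.219.111:1024
Oct  9 12:00:10 MY /kernel: Connection attempt to TCP 216.8.77.2:0 from 209.5.171.39:1024
Oct  9 12:00:11 MY /kernel: Connection attempt to TCP 216.8.77.2:0 from 216.138.54.79:3072
Oct  9 12:00:12 MY /kernel: Connection attempt to TCP 216.8.77.2:25 from 10.0.0.5:40000
EOF
}

# Read log lines on stdin; print "<dstport> <attempts> <distinct sources>"
# per target port, busiest port first.  The message format puts the
# target "addr:port" two fields from the end and the source "addr:port" last.
summarise() {
    awk '/Connection attempt to TCP/ {
        split($(NF-2), d, ":"); split($NF, s, ":")
        port = d[2]
        n[port]++
        if (!((port, s[1]) in seen)) { seen[port, s[1]] = 1; src[port]++ }
    }
    END { for (p in n) printf "%s %d %d\n", p, n[p], src[p] }' | sort -k2,2nr
}

# Attempts against one target port (empty if none were logged).
count_port() { summarise | awk -v p="$1" '$1 == p { print $2 }'; }

# Distinct source addresses that hit one target port.
distinct_sources() { summarise | awk -v p="$1" '$1 == p { print $3 }'; }

# "scan" below the threshold (assumed default 1000 attempts), "flood" at or above it.
classify() {
    n=$(count_port "$1")
    if [ "${n:-0}" -ge "${2:-1000}" ]; then echo flood; else echo scan; fi
}

# Usage: sample_log | summarise        (or: summarise < /var/log/messages)
#        sample_log | classify 0
```

Run it against the real log with `summarise < /var/log/messages`; the per-port line for port 0 with five sources and five attempts is what the thread is looking at, and nothing about the source ports (3072, 1024) enters the decision.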
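An added example of the ruleset design Ian describes (allow setup to the services you provide, allow established connections, deny everything else); it is not from the thread or from FreeBSD's rc.firewall, only written in that script's `${fwcmd} add ...` style. Everything site-specific is an assumption: the outside interface fxp0, the host address 216.8.77.2 from the log, SMTP and HTTP as the only services offered, and outbound DNS. Set `FWCMD=echo` to print the rules instead of loading them.

```sh
#!/bin/sh
# Added example (not from the thread, not rc.firewall itself): an
# rc.firewall-style ruleset for "allow what you serve, allow established,
# deny the rest".  Interface, address and services are assumptions.

fwcmd="${FWCMD:-/sbin/ipfw}"   # FWCMD=echo for a dry run
oif="${OIF:-fxp0}"             # assumed outside interface
myip="${MYIP:-216.8.77.2}"     # assumed host address (from the quoted log)

load_rules() {
    ${fwcmd} -f flush

    # Loopback traffic is fine; 127/8 on any other interface is spoofed.
    ${fwcmd} add 100 allow ip from any to any via lo0
    ${fwcmd} add 200 deny ip from any to 127.0.0.0/8
    ${fwcmd} add 300 deny ip from 127.0.0.0/8 to any

    # Packets of TCP connections that already passed a setup rule.
    ${fwcmd} add 1000 allow tcp from any to any established

    # Setup (SYN) only to the services actually provided.  Port 0 is not
    # listed, so the probes in the thread fall through to the final deny.
    ${fwcmd} add 2000 allow tcp from any to ${myip} 25 setup in via ${oif}
    ${fwcmd} add 2100 allow tcp from any to ${myip} 80 setup in via ${oif}

    # Setup of this host's own outbound connections.
    ${fwcmd} add 3000 allow tcp from ${myip} to any setup out via ${oif}

    # UDP has no setup/established; allow our own DNS queries and replies.
    ${fwcmd} add 4000 allow udp from ${myip} to any 53 out via ${oif}
    ${fwcmd} add 4100 allow udp from any 53 to ${myip} in via ${oif}

    # Everything else is logged and dropped.  No per-source rules needed:
    # the "from" addresses in the thread were likely spoofed anyway.
    ${fwcmd} add 65000 deny log ip from any to any
}

# Usage: sh this_script load     (install rules)
#        sh this_script dry      (print rules)
case "${1:-}" in
    load) load_rules ;;
    dry)  fwcmd=echo; load_rules ;;
esac
```

The order matters: the `established` rule comes before the `setup` rules so that only the first packet of a connection is judged against the service list, and the closing `deny log` replaces blocking individual source ports, which (as noted above) a scanner chooses arbitrarily.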