From owner-freebsd-questions Wed Oct 10 9: 7:11 2001
Delivered-To: freebsd-questions@freebsd.org
Received: from gaia.nimnet.asn.au (nimbin.lnk.telstra.net [139.130.45.143]) by hub.freebsd.org (Postfix) with ESMTP id 1B01B37B405; Wed, 10 Oct 2001 09:07:01 -0700 (PDT)
Received: from localhost (smithi@localhost) by gaia.nimnet.asn.au (8.8.8/8.8.8R1.2) with SMTP id CAA10568; Thu, 11 Oct 2001 02:06:50 +1000 (EST) (envelope-from smithi@nimnet.asn.au)
Date: Thu, 11 Oct 2001 02:06:49 +1000 (EST)
From: Ian Smith
To: Randy Lee
Cc: questions@FreeBSD.ORG, freebsd-security@FreeBSD.ORG
Subject: Re: ipfw - DoS ?
In-Reply-To: <20011009233730.11902.qmail@web20907.mail.yahoo.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On Tue, 9 Oct 2001, Randy Lee wrote:

> Oct 9 12:00:02 MY /kernel: Connection attempt to TCP
> 216.8.77.2:0 from 202.228.131.2:3072
[..]
> Oct 9 12:00:05 MY /kernel: Connection attempt to TCP
> 216.8.77.2:0 from 202.253.21.75:3072

This source port 3072 was arbitrarily chosen. It could be any port 1024 and above. It's not significant. The varying source addresses are more likely than not spoofed, or relays, and likely not worth chasing up either. Hopefully you have no TCP server bound to port 0 :-)

> Oct 9 12:00:06 MY /kernel: Connection attempt to TCP
> 216.8.77.2:0 from 202.204.219.111:1024
[..]
> Oct 9 12:00:10 MY /kernel: Connection attempt to TCP
> 216.8.77.2:0 from 209.5.171.39:1024
[..]

Likely a freshly rebooted win box using the first port allocated, 1024.

> Oct 9 12:00:11 MY /kernel: Connection attempt to TCP
> 216.8.77.2:0 from 216.138.54.79:3072

Either 2 kiddies hit you at once, or the scan was distributed via a couple of other hosts. Again, most often not worth hotly pursuing.

> Is someone DoS'ing my server?
Running some script looking for a port 0 server, more likely. If there were thousands of these you might consider it a try at a DoS attack.

> How can I deny all connections from port :3072 and
> :1024 using ipfw?

Never mind about the 'from' unless you do want to block some particular site/s sometime; you want (in a nutshell) to allow connections (setup) to services you are providing (mail, web, whatever), allow established connections, and then deny everything else. Use rc.firewall as a guide.

Cheers, Ian

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-questions" in the body of the message
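As an added example (not part of Ian's post, and not FreeBSD's own rc.firewall), the following POSIX shell script does the two things the reply describes: it tallies the kernel's "Connection attempt" log lines by destination port, so you can see whether the port-0 probes number five or thousands, and it prints a minimal ipfw ruleset of the shape recommended above (allow setup to the services you offer, allow established connections, deny everything else). The log sample is constructed from the lines quoted in the thread plus one invented line to a different port; the interface name ed0, the host address 216.8.77.2 and the service ports are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example for this thread; not Ian's code and not FreeBSD's rc.firewall.
# Part 1 triages "Connection attempt" kernel log lines; part 2 prints an ipfw
# ruleset of the shape the reply describes. Interface name, host address and
# service ports below are assumptions chosen for illustration.

# Constructed sample: the lines Randy quoted plus one invented line aimed at a
# different destination port, so the per-port summary has something to compare.
SAMPLE_LOG='Oct 9 12:00:02 MY /kernel: Connection attempt to TCP 216.8.77.2:0 from 202.228.131.2:3072
Oct 9 12:00:05 MY /kernel: Connection attempt to TCP 216.8.77.2:0 from 202.253.21.75:3072
Oct 9 12:00:06 MY /kernel: Connection attempt to TCP 216.8.77.2:0 from 202.204.219.111:1024
Oct 9 12:00:10 MY /kernel: Connection attempt to TCP 216.8.77.2:0 from 209.5.171.39:1024
Oct 9 12:00:11 MY /kernel: Connection attempt to TCP 216.8.77.2:0 from 216.138.54.79:3072
Oct 9 12:01:00 MY /kernel: Connection attempt to TCP 216.8.77.2:23 from 10.0.0.5:40000'

# Read log lines on stdin; print "<dst-port> <count>" per destination port,
# busiest first. Field 10 is the destination "addr:port" in these messages.
count_attempts_by_dport() {
    awk '/Connection attempt to TCP/ {
            split($10, dst, ":"); n[dst[2]]++
         }
         END { for (p in n) printf "%s %d\n", p, n[p] }' | sort -k2,2nr -k1,1n
}

# Read log lines on stdin; print the number of attempts aimed at TCP port 0 and
# return success only when that number exceeds the threshold given in $1.
# A handful is a scan; thousands is when the reply says to think about a DoS.
port0_flood_check() {
    count=$(awk '/Connection attempt to TCP/ {
                    split($10, dst, ":"); if (dst[2] == "0") c++
                 }
                 END { print c + 0 }')
    echo "$count"
    [ "$count" -gt "$1" ]
}

# Print an ipfw ruleset: $1 = outside interface, $2 = this host's address,
# remaining arguments = TCP ports of services this host offers. The shape
# follows the reply: allow setup to offered services, allow established,
# deny the rest. Rule numbers are arbitrary. The rules are printed rather than
# executed so they can be compared with /etc/rc.firewall before use.
ipfw_ruleset() {
    oif=$1; me=$2; shift 2
    echo "ipfw -f flush"
    echo "ipfw add 100 allow ip from any to any via lo0"
    echo "ipfw add 200 deny ip from any to 127.0.0.0/8"
    echo "ipfw add 300 deny ip from 127.0.0.0/8 to any"
    # Packets arriving from outside that claim our own address are spoofed.
    echo "ipfw add 400 deny ip from $me to any in via $oif"
    # Traffic belonging to connections already set up, in either direction.
    echo "ipfw add 500 allow tcp from any to any established"
    n=1000
    for port in "$@"; do
        echo "ipfw add $n allow tcp from any to $me $port setup in via $oif"
        n=$((n + 10))
    done
    # Connections this host initiates outwards.
    echo "ipfw add 2000 allow tcp from $me to any setup out via $oif"
    # Everything else, the port-0 probes included, is dropped and logged.
    echo "ipfw add 65000 deny log ip from any to any"
}

# Stand-alone demonstration.
echo "Attempts per destination port:"
printf '%s\n' "$SAMPLE_LOG" | count_attempts_by_dport
echo "Port-0 attempts (threshold 1000):"
printf '%s\n' "$SAMPLE_LOG" | port0_flood_check 1000 || echo "below threshold: a scan, not a flood"
echo "Ruleset for a host offering SMTP and HTTP:"
ipfw_ruleset ed0 216.8.77.2 25 80
```

Note that no rule mentions the source addresses or the source ports 3072 and 1024 at all: as the reply says, the 'from' side is not the point. The probes to port 0 never match an allow rule and fall through to the final deny, which also logs them so the per-port tally above can be re-run on the firewall log later.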