From owner-freebsd-security Thu Mar 22 6:43:18 2001
Date: Thu, 22 Mar 2001 14:46:34 +0000
From: Marc Rogers <marcr@closed-networks.com>
To: freebsd-security@freebsd.org
Subject: Re: DoS attack - advice needed
Message-ID: <20010322144634.V10016@shady.org>
References: <3ABA09E0.141711C9@ukrpost.net>
In-Reply-To: <3ABA09E0.141711C9@ukrpost.net>; from ostap@ukrpost.net on Thu, Mar 22, 2001 at 04:19:12PM +0200
User-Agent: Mutt/1.2.4i

Hiya

First thing you need to do is work out what they are throwing at you. You need to find out if the icmp was inward bound or outward. Outward bound (which to be honest is much more likely) is often a symptom of something that involves a large number of source addresses. A DDOS attack will generate a huge amount of outward bound icmp, as will something that involves spoofed source addresses.

Blocking icmp in cases such as these will only cure the symptom, not the disease. In addition you score an own goal, as by blocking that kind of traffic within your own network, the attackers still get to saturate your line(s) and you are less likely to see some of the "clues" that can help you identify the perpetrator.

Take a snapshot of your network traffic (just tcpdump on some of the affected machines will do) and either mail it to me or send it to this list, and I and various others will look at it for you. Each different attack family will require a different countermeasure.
By the comment you have made that this attack has caused FreeBSD machines to hang, I would suggest you are looking at something along the lines of a fragmented packet attack, (which if they were using an often changing spoofed source address, would explain the large amounts of icmp).

Something I have noticed recently (and I will be making a separate post to this list on this matter) is that although our beloved OS has been hardened against attacks such as this, there are a number of well known software packages that are affected dramatically by these attacks, and more often than not it is their behaviour that causes up to date boxes to hang.

Hope this helps,

Marc Rogers
Head of Network Operations & Security
EDC Group
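As an added example (not part of Marc's post), a small triage script in the spirit of the advice above: given tcpdump text and your own prefix, it tells inbound ICMP from outbound ICMP, counts how many distinct remote source addresses are involved, and counts fragments aimed at your hosts. The capture below is constructed in the general shape of tcpdump's default text output using documentation address ranges, and 192.0.2.0/24 is assumed to be the local network.

```python
import ipaddress
import re

# Constructed sample in the general shape of tcpdump's default text output
# (not a real capture; addresses come from the documentation ranges).
SAMPLE_CAPTURE = """\
14:46:01.000001 IP 203.0.113.7 > 192.0.2.10: (frag 4521:1480@1480+)
14:46:01.000102 IP 192.0.2.10 > 203.0.113.7: ICMP ip reassembly time exceeded, length 36
14:46:01.000203 IP 198.51.100.22 > 192.0.2.10: (frag 9910:1480@1480+)
14:46:01.000304 IP 192.0.2.10 > 198.51.100.22: ICMP ip reassembly time exceeded, length 36
14:46:01.000405 IP 198.51.100.23 > 192.0.2.10: (frag 9911:1480@1480+)
14:46:01.000506 IP 192.0.2.10 > 198.51.100.23: ICMP ip reassembly time exceeded, length 36
14:46:01.000607 IP 192.0.2.44 > 192.0.2.10: ICMP echo request, id 7, seq 1, length 64
14:46:01.000708 IP 192.0.2.10 > 192.0.2.44: ICMP echo reply, id 7, seq 1, length 64
"""

# timestamp, "IP", source, ">", destination, ":", decoded remainder
LINE_RE = re.compile(r"^\S+ IP (\S+) > (\S+): (.*)$")

def _host(token):
    """Strip the '.port' suffix tcpdump appends to addresses carrying a port."""
    return ".".join(token.split(".")[:4])

def triage(capture_text, local_net):
    """Count inbound vs outbound ICMP, inbound fragments and distinct remote
    sources (many sources suggests spoofing or a distributed attack)."""
    net = ipaddress.ip_network(local_net)
    stats = {"icmp_in": 0, "icmp_out": 0, "icmp_internal": 0, "frag_in": 0, "other": 0}
    remote_sources = set()
    for line in capture_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # non-packet lines (tcpdump summaries, truncation)
        src, dst = (ipaddress.ip_address(_host(g)) for g in m.groups()[:2])
        rest = m.group(3)
        if src not in net:
            remote_sources.add(str(src))
        if rest.startswith("ICMP"):
            if src in net and dst not in net:
                stats["icmp_out"] += 1  # we generate the ICMP: symptom, not cause
            elif dst in net and src not in net:
                stats["icmp_in"] += 1   # ICMP is being sent at us
            else:
                stats["icmp_internal"] += 1
        elif "frag" in rest and dst in net:
            stats["frag_in"] += 1       # fragments aimed at our hosts
        else:
            stats["other"] += 1
    stats["distinct_remote_sources"] = len(remote_sources)
    return stats
```

On the sample, all the ICMP is outbound and every inbound packet is a fragment from a different remote address, which is the pattern the post describes: filtering the ICMP would hide the evidence while the fragments keep arriving.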