Date:      Sat, 8 Sep 2001 11:27:22 -0500
From:      Alfred Perlstein <bright@mu.org>
To:        Len Conrad <LConrad@Go2France.com>
Cc:        Freebsd-net@freebsd.org
Subject:   Re: tracing an attack using spoofed ip's
Message-ID:  <20010908112722.G2965@elvis.mu.org>
In-Reply-To: <5.1.0.14.0.20010908090440.06337828@mail.Go2France.com>; from LConrad@Go2France.com on Sat, Sep 08, 2001 at 09:09:42AM -0500
References:  <5.1.0.14.0.20010908090440.06337828@mail.Go2France.com>

* Len Conrad <LConrad@Go2France.com> [010908 09:10] wrote:
> A client has been receiving an attack on this mail gateway's port 25 for 3 
> weeks.  We increased the postfix SMTPD processes from 50 to 150, and the 
> hourly msg rejects jumped from 5000 to 15000, roughly. The source addresses 
> used by the attacker(s) are mostly in the various RBL bases, 100's of them.
> 
> The pb is that the attack is consuming so many SMTPD processes that valid 
> incoming mail is taking several hours to arrive, as the sender MTA can't 
> get an answer when it connects to port 25.  The definition of DoS.
> 
> Is there anyway to trace the real source of the spoofed packets?

The packets are most likely not spoofed; one cannot have a 3-way
handshake and still spoof without:
a) being on the same local LAN (so you can sniff packets)
b) being able to predict the next sequence number.

Even with 'b' it'd be quite difficult to get right because not only
does one have to predict the sequence number, it has to keep 
predicting them to actually send data.

My suggestion is to start using firewall rules or perhaps hook
tcpwrappers such that it looks up incoming connections and
checks them against RBL.  Another suggestion is to call the
ISPs or law enforcement officials to report this continued
harassment.

best of luck,
-- 
-Alfred Perlstein [alfred@freebsd.org]
'Instead of asking why a piece of software is using "1970s technology,"
start asking why software is ignoring 30 years of accumulated wisdom.'
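A concrete form of the RBL lookup suggested above, added here as an example (it is not code from this thread, from Postfix or from FreeBSD's tcp_wrappers): reverse the connecting client's IPv4 octets, query that name under the list's zone, and treat an A record in 127.0.0.0/8 as "listed". The zone name `dnsbl.example.invalid`, the sample addresses and the hosts.allow hand-off are assumptions; the `resolve` parameter exists so the logic can be exercised without network access.

```python
"""DNSBL (RBL) check for a connecting client's IPv4 address.
Query name = octets reversed + list zone (203.0.113.7 -> 7.113.0.203.<zone>);
an A record in 127.0.0.0/8 means "listed", NXDOMAIN means "not listed".
"""
import ipaddress
import socket
from typing import Callable, Optional

DEFAULT_ZONE = "dnsbl.example.invalid"  # constructed placeholder, not a real list
# Loopback and RFC 1918 clients are never sent to the list.
LOCAL_NETS = [ipaddress.IPv4Network(n) for n in
              ("127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
LISTED_NET = ipaddress.IPv4Network("127.0.0.0/8")

def dnsbl_query_name(ip: str, zone: str = DEFAULT_ZONE) -> str:
    """Build the DNSBL query name: octets reversed, zone appended."""
    addr = ipaddress.IPv4Address(ip)  # ValueError for non-IPv4 input
    return ".".join(reversed(str(addr).split("."))) + "." + zone

def _system_resolver(name: str) -> Optional[str]:
    """Resolve an A record with the system resolver; None on NXDOMAIN."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None

def is_listed(ip: str, zone: str = DEFAULT_ZONE,
              resolve: Callable[[str], Optional[str]] = _system_resolver) -> bool:
    """True only if the list answers with an address in 127.0.0.0/8.
    An answer outside that range (wildcard or hijacked zone) counts as
    "not listed", so a broken list fails open instead of blocking all mail.
    """
    addr = ipaddress.IPv4Address(ip)
    if any(addr in net for net in LOCAL_NETS):
        return False
    answer = resolve(dnsbl_query_name(ip, zone))
    return answer is not None and ipaddress.IPv4Address(answer) in LISTED_NET

def decide(ip: str, **kw) -> str:
    """tcp_wrappers-style verdict for a connecting client address."""
    return "deny" if is_listed(ip, **kw) else "allow"

if __name__ == "__main__":
    import sys
    # Assumed hook: hosts.allow would hand the client address (%a) to this
    # script; stand-alone, the address comes from argv.
    print(decide(sys.argv[1] if len(sys.argv) > 1 else "203.0.113.7"))
```

Run with the system resolver, each lookup costs one DNS round trip per new connection, so in practice the verdicts would be cached or the check moved into the firewall rule set rather than repeated for every SMTP connection.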

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20010908112722.G2965>