From: Alfred Perlstein <alfred@freebsd.org>
To: Len Conrad
Cc: Freebsd-net@freebsd.org
Date: Sat, 8 Sep 2001 11:27:22 -0500
Subject: Re: tracing an attack using spoofed ip's
Message-ID: <20010908112722.G2965@elvis.mu.org>

* Len Conrad [010908 09:10] wrote:
> A client has been receiving an attack on this mail gateway's port 25 for 3
> weeks. We increased the postfix SMTPD processes from 50 to 150, and the
> hourly msg rejects jumped from 5000 to 15000, roughly. The source addresses
> used by the attacker(s) are mostly in the various RBL bases, 100's of them.
>
> The pb is that the attack is consuming so many SMTPD processes that valid
> incoming mail is taking several hours to arrive, as the sender MTA can't
> get an answer when it connects to port 25. The definition of DoS.
>
> Is there any way to trace the real source of the spoofed packets?

The packets are most likely not spoofed; one can not have a 3-way handshake
and still spoof without:

a) being on the same local LAN (so you can sniff packets)
b) being able to predict the next sequence number.

Even with 'b' it'd be quite difficult to get right, because not only does one
have to predict the sequence number, it has to keep predicting them to
actually send data.

My suggestion is to start using firewall rules, or perhaps hook tcpwrappers
such that it looks up incoming connections and checks them against RBL.

Another suggestion is to call the ISPs or law enforcement officials to report
this continued harassment.

best of luck,

--
-Alfred Perlstein [alfred@freebsd.org]
'Instead of asking why a piece of software is using "1970s technology,"
start asking why software is ignoring 30 years of accumulated wisdom.'
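The RBL lookup Alfred suggests hooking into tcpwrappers, as an added example that is not part of this thread: it reverses the connecting client's IPv4 octets under a blocklist zone, treats only a 127.0.0.0/8 answer as a listing (any other answer is ignored, so a dead or wildcarded list never blocks everyone), and exits nonzero for listed addresses so a wrapper script can deny the connection. The zone name `rbl.example`, the skip list of private ranges, and the injectable resolver are assumptions made so the check can be tested offline.

```python
import ipaddress
import socket
import sys
from typing import Callable, Optional

# Placeholder zone (assumption); a real deployment names the operator's chosen RBL.
DEFAULT_ZONE = "rbl.example"

# RFC1918 and loopback ranges can never be listed; skip the lookup for them.
SKIP_NETWORKS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# DNSBLs signal a listing with an A record inside 127.0.0.0/8.
LISTED_RANGE = ipaddress.ip_network("127.0.0.0/8")


def dnsbl_query_name(ip: str, zone: str = DEFAULT_ZONE) -> str:
    """Build the DNSBL lookup name: IPv4 octets reversed, then the list zone."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("this check handles IPv4 addresses only")
    return ".".join(reversed(ip.split("."))) + "." + zone


def system_resolver(name: str) -> Optional[str]:
    """Resolve name to an A record string; None means no answer (not listed)."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def is_listed(ip: str, zone: str = DEFAULT_ZONE,
              resolve: Callable[[str], Optional[str]] = system_resolver) -> bool:
    """True only when the RBL answers with a 127/8 address for the client."""
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in SKIP_NETWORKS):
        return False                      # private/loopback: never query the list
    answer = resolve(dnsbl_query_name(ip, zone))
    if answer is None:
        return False
    return ipaddress.ip_address(answer) in LISTED_RANGE


if __name__ == "__main__":
    # Usage: rblcheck.py CLIENT_IP [ZONE]; exit 1 = listed (deny), 0 = allow.
    client = sys.argv[1]
    zone = sys.argv[2] if len(sys.argv) > 2 else DEFAULT_ZONE
    sys.exit(1 if is_listed(client, zone) else 0)
```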