Date: Sat, 08 Sep 2001 12:53:05 -0500 From: Len Conrad <LConrad@Go2France.com> To: Freebsd-net@freebsd.org Subject: Re: tracing an attack using spoofed ip's Message-ID: <5.1.0.14.0.20010908114909.02a00920@mail.Go2France.com> In-Reply-To: <20010908112722.G2965@elvis.mu.org> References: <5.1.0.14.0.20010908090440.06337828@mail.Go2France.com> <5.1.0.14.0.20010908090440.06337828@mail.Go2France.com>
>My suggestion is to start using firewall rules or perhaps hook
>tcpwrappers such that it looks up incoming connections and
>checks them against RBL.
Good idea, but I'm not a C programmer.
> Another suggestion is to call the
>ISPs or law enforcement officials to report this continued
>harassment.
Postfix's RBL_domains is already doing the rejects, sample:
RCPT blocked using or.orbl.org
2362 pat-app.lil.completel.fr
1665 210.220.162.100
1270 62.81.157.15
1086 216.122.113.44
1028 mirapoint2.brutele.be
715 pacific.net.sg
438 esat.net
410 ada.net.tr
405 202.47.250.4
357 203.181.53.2
310 optusnet.com.au
286 211.94.65.199
265 dialup.ptt.ru
215 210.102.127.253
193 202.122.64.129
192 hinet.net
182 deviet-f.a2000.nl
172 211.58.91.125
158 202.183.230.254
141 62.159.145.94
137 mail.nsu.ru
130 216.18.85.4
128 212.49.90.182
117 210.192.246.201
113 xidian.edu.cn
113 211.55.167.44
etc
and
blocked using relays.ordb.org
2547 202.71.144.104
1863 211.100.6.104
1733 62.110.249.67
1732 tne.net.au
1724 mymap.net
1615 delta.sote.poznan.pl
1594 194.206.55.241
1514 203.121.10.198
1506 kingston-internet.net
1485 ntgroup.com.pe
1450 211.116.17.240
1443 server.szfkszi.sulinet.hu
1419 203.239.165.42
1404 195.211.46.82
1369 202.54.124.25
1363 202.104.84.88
1355 202.157.191.22
1290 128.134.193.246
1285 202.94.1.201
1271 202.108.249.73
1183 202.43.71.123
1148 195.224.253.56
1138 202.186.154.1
1125 seeder.net
1120 213.219.55.156
1054 controller.com.ua
1045 203.239.1.125
etc
The above section of the maillog report is about 3600 lines, so are you
saying that 3600 unspoofed, different IPs are doing the attack? That's
"distributed" if I ever saw one.
I suppose one "master" PC could be relaying through all those open relays
against this one MX host.
thanks
Len
http://MenAndMice.com/DNS-training
http://BIND8NT.MEIway.com : ISC BIND 8.2.4 for NT4 & W2K
http://IMGate.MEIway.com : Build free, hi-perf, anti-abuse mail gateways
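The two mechanisms discussed in this exchange, as an added example that is not code from the original mail, from Postfix or from tcpwrappers: the per-connection RBL lookup the quoted suggestion describes (reverse the client's octets, append the zone, resolve; an answer in 127.0.0.0/8 means listed), and the per-zone "count client" tally the author pulled out of the maillog. The zone names, client hosts, addresses and log lines below are constructed sample data, the `resolve` parameter is an assumption so the lookup can be exercised offline, and the log line shape only approximates Postfix's reject format. Hooking the check into a firewall or tcpwrappers is not shown.

```python
"""DNSBL lookup and reject-log tally (added example; constructed data).

dnsbl_query_name / is_listed implement the lookup the quoted suggestion
describes. tally_rejects rebuilds the "count  client" report per RBL zone
from Postfix-style reject lines.
"""
import ipaddress
import re
import socket
from collections import Counter, defaultdict

LISTED_RANGE = ipaddress.IPv4Network("127.0.0.0/8")  # RBL "listed" answers live here


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Build the query name: octets of ip reversed, then the zone.
    1.2.3.4 under relays.example.test -> 4.3.2.1.relays.example.test"""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError on a malformed address
    reversed_octets = ".".join(reversed(str(addr).split(".")))
    return f"{reversed_octets}.{zone.rstrip('.')}"


def _system_resolve(name: str):
    """Default resolver: the A record for name, or None on NXDOMAIN."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def is_listed(ip: str, zone: str, resolve=_system_resolve) -> bool:
    """True when the zone answers with an address in 127.0.0.0/8.

    resolve(name) -> str|None is injectable (assumption for this example) so
    the logic can be tested without network access. Answers outside
    127.0.0.0/8 are ignored: some zones use them for error conditions."""
    answer = resolve(dnsbl_query_name(ip, zone))
    if answer is None:
        return False
    return ipaddress.IPv4Address(answer) in LISTED_RANGE


# Constructed sample reject lines approximating Postfix's "RCPT from
# host[ip]: ... blocked using <zone>" format; hosts and addresses are
# documentation ranges, not real clients.
SAMPLE_LOG = """\
Sep  8 11:01:02 mx postfix/smtpd[1]: reject: RCPT from pacific.example.test[203.0.113.10]: 554 Service unavailable; [203.0.113.10] blocked using or.orbl.org; from=<a@example.test> to=<b@example.test>
Sep  8 11:01:03 mx postfix/smtpd[1]: reject: RCPT from pacific.example.test[203.0.113.10]: 554 Service unavailable; [203.0.113.10] blocked using or.orbl.org; from=<a@example.test> to=<c@example.test>
Sep  8 11:01:05 mx postfix/smtpd[2]: reject: RCPT from unknown[198.51.100.7]: 554 Service unavailable; [198.51.100.7] blocked using relays.ordb.org; from=<x@example.test> to=<b@example.test>
Sep  8 11:01:06 mx postfix/smtpd[2]: reject: RCPT from unknown[198.51.100.7]: 554 Service unavailable; [198.51.100.7] blocked using relays.ordb.org; from=<x@example.test> to=<c@example.test>
Sep  8 11:01:07 mx postfix/smtpd[2]: reject: RCPT from unknown[198.51.100.7]: 554 Service unavailable; [198.51.100.7] blocked using relays.ordb.org; from=<x@example.test> to=<d@example.test>
Sep  8 11:01:09 mx postfix/smtpd[3]: connect from mail.example.test[192.0.2.5]
Sep  8 11:01:10 mx postfix/smtpd[3]: reject: RCPT from mail.example.test[192.0.2.5]: 554 Service unavailable; [192.0.2.5] blocked using or.orbl.org; from=<y@example.test> to=<b@example.test>
"""

REJECT_RE = re.compile(
    r"reject: RCPT from (?P<host>\S+)\[(?P<ip>[\d.]+)\]:.*?blocked using (?P<zone>[\w.-]+)"
)


def tally_rejects(log_text: str) -> dict:
    """Return {zone: [(count, client), ...]} sorted by count descending.

    The client is named by its hostname when Postfix resolved one and by
    its address when the host is 'unknown', which is why the mail's report
    mixes names and bare IPs. Lines that are not RBL rejects are skipped."""
    counts = defaultdict(Counter)
    for line in log_text.splitlines():
        m = REJECT_RE.search(line)
        if not m:
            continue
        client = m["ip"] if m["host"] == "unknown" else m["host"]
        counts[m["zone"]][client] += 1
    return {zone: [(n, c) for c, n in ctr.most_common()] for zone, ctr in counts.items()}


if __name__ == "__main__":
    for zone, rows in tally_rejects(SAMPLE_LOG).items():
        print(f"blocked using {zone}")
        for count, client in rows:
            print(f"{count:>6} {client}")
```

Running the file prints the same report layout as the excerpt in the mail, one "blocked using" section per zone. The lookup side is deliberately split into name construction and answer interpretation: name construction is where off-by-one octet mistakes happen, and interpreting only 127.0.0.0/8 answers as listings keeps a zone's error codes from silently blocking every client.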