From: Mike Silbersack
To: Len Conrad
Date: Sat, 8 Sep 2001 13:40:21 -0500 (CDT)
Subject: Re: tracing an attack using spoofed IPs
In-Reply-To: <5.1.0.14.0.20010908114909.02a00920@mail.Go2France.com>
Message-ID: <20010908133516.K23209-100000@achilles.silby.com>

On Sat, 8 Sep 2001, Len Conrad wrote:

> The above section of the maillog report is about 3600 lines, so are you
> saying that 3600 unspoofed, different IPs are doing the attack? That's
> "distributed" if I ever saw one.
>
> I suppose one "master" PC could be relaying through all those open relays
> against this one MX host.

If someone's vicious enough, that doesn't sound too unbelievable.

But, regarding the possibility of TCP spoofing: What version of FreeBSD is the client running? If it's < 4.2, that is a possibility. However, given that the IPs are almost all from open relays, it seems much more likely that this has nothing to do with spoofing.

What is the content of these e-mails? I wonder if it's possible that someone is spamming with an e-mail address at your client's domain. Subsequently, those being spammed are using ORDB/RBL to reject the message, and the open relay is then sending your client the bounce message.
Mike "Silby" Silbersack
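The bounce hypothesis in the message above, as an added detection example that is not part of the original thread: it parses constructed sendmail-style maillog lines and flags the backscatter pattern of many distinct relays all delivering null-sender (from=<>) mail to one MX. The log format, the regex, the field names and the thresholds are assumptions, not something taken from Len's actual report.

```python
import re
from collections import Counter

# Matches the sendmail "from=" envelope line. The layout is an assumption
# modelled on typical sendmail maillog output, not the thread's own log.
FROM_LINE = re.compile(
    r"sendmail\[\d+\]: (?P<qid>\w+): from=<(?P<sender>[^>]*)>.*?"
    r"relay=(?P<relay>\S+) \[(?P<ip>[\d.]+)\]"
)

def analyze_maillog(lines, min_sources=3, null_ratio=0.8):
    """Count envelope senders per source IP and flag a backscatter pattern.

    A bounce carries the null envelope sender (from=<>). Many distinct
    relays each delivering null-sender mail to one MX is the signature of
    bounces triggered by spam that forged a sender in the victim's domain.
    """
    per_ip = Counter()       # messages seen per relay IP
    null_per_ip = Counter()  # null-sender messages per relay IP
    for line in lines:
        m = FROM_LINE.search(line)
        if not m:
            continue
        ip = m.group("ip")
        per_ip[ip] += 1
        if m.group("sender") == "":
            null_per_ip[ip] += 1
    total = sum(per_ip.values())
    nulls = sum(null_per_ip.values())
    suspect = (total > 0 and len(null_per_ip) >= min_sources
               and nulls / total >= null_ratio)
    return {"messages": total, "null_sender": nulls, "sources": len(per_ip),
            "null_sources": len(null_per_ip), "backscatter_suspect": suspect}

# Constructed sample log lines (documentation-range IPs, not real relays).
SAMPLE = [
    "Sep  8 11:01:02 mx sendmail[2001]: f88G12a02001: from=<>, size=2310, nrcpts=1, proto=ESMTP, relay=relay-a.example.net [192.0.2.10]",
    "Sep  8 11:01:03 mx sendmail[2002]: f88G13b02002: from=<>, size=2290, nrcpts=1, proto=ESMTP, relay=relay-b.example.org [198.51.100.7]",
    "Sep  8 11:01:05 mx sendmail[2003]: f88G15c02003: from=<>, size=2400, nrcpts=1, proto=ESMTP, relay=relay-c.example.com [203.0.113.44]",
    "Sep  8 11:01:09 mx sendmail[2004]: f88G19d02004: from=<alice@example.net>, size=812, nrcpts=1, proto=ESMTP, relay=mail.example.net [192.0.2.55]",
    "Sep  8 11:01:11 mx sendmail[2005]: f88G1Be02005: from=<>, size=2350, nrcpts=1, proto=ESMTP, relay=relay-a.example.net [192.0.2.10]",
]

if __name__ == "__main__":
    print(analyze_maillog(SAMPLE))
```

On a real flood, inspecting the content of the flagged messages (as the reply suggests) confirms whether they are bounces of spam forged in the client's domain.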