From owner-freebsd-security Thu Mar 22 7:35:27 2001
Delivered-To: freebsd-security@freebsd.org
Received: from news.lucky.net (news.lucky.net [193.193.193.102]) by hub.freebsd.org (Postfix) with ESMTP id E632137B71A for ; Thu, 22 Mar 2001 07:35:20 -0800 (PST) (envelope-from ostap@ukrpost.net)
Received: (from mail@localhost) by news.lucky.net (8.Who.Cares/8.Who.Cares) id RNO01350 for freebsd-security@freebsd.org; Thu, 22 Mar 2001 17:35:15 +0200 (envelope-from ostap@ukrpost.net)
From: ostap
To: freebsd-security@freebsd.org
Subject: Re: DoS attack - advice needed
Date: Thu, 22 Mar 2001 17:33:30 +0200
Organization: Unknown
Message-ID: <3ABA1B4A.9301775D@ukrpost.net>
References: <3ABA09E0.141711C9@ukrpost.net> <20010322144634.V10016@shady.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=koi8-r
Content-Transfer-Encoding: 7bit
X-Trace: news.lucky.net 985275191 1276 193.193.192.142 (22 Mar 2001 15:33:11 GMT)
X-Complaints-To: usenet@news.lucky.net
X-Mailer: Mozilla 4.75 [en] (Win95; U)
X-Accept-Language: en
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Thank you for your help. Unfortunately I can't analyze it that deep, 'cos it was a one-time attack. I came there late in the evening, saw the problem, rebooted, and everything was fine. So, no traffic snapshots, unfortunately.

Looks like the guy issued one command, and the box went mad. I guess this wasn't that sophisticated; the logs show traces of a usual port-scanning software. It was run twice or so, and then the whole thing started. It seems like the guy wasn't very experienced and was just playing around with some soft, exploiting some general hack, and then went home.

I know that 3.3-RELEASE is quite old and should be upgraded, of course, but I never thought it could be broken in such an easy way, without effort, just using some standard tool.

Any ideas?

Marc Rogers wrote:
> 
> Hiya
> 
> First thing you need to do is work out what they are throwing at you.
> 
> You need to find out if the icmp was inward bound or outward. Outward bound
> (which to be honest is much more likely) is often a symptom of something
> that involves a large number of source addresses. A DDOS attack will generate
> a huge amount of outward bound icmp, as will something that involves spoofed
> source addresses.
> 
> Blocking icmp in cases such as these will only cure the symptom, not the
> disease. In addition you score an own goal, as by blocking that kind of traffic
> within your own network, the attackers still get to saturate your line(s) and
> you are less likely to see some of the "clues" that can help you identify the
> perpetrator.
> 
> Take a snapshot of your network traffic (just tcpdump on some of the affected
> machines will do) and either mail it to me or send it to this list, and I
> and various others will look at it for you. Each different attack family
> will require a different countermeasure.
> 
> By the comment you have made that this attack has caused FreeBSD machines to
> hang, I would suggest you are looking at something along the lines of a
> fragmented packet attack (which, if they were using an often changing spoofed
> source address, would explain the large amounts of icmp).
> 
> Something I have noticed recently (and I will be making a separate post to this
> list on this matter) is that although our beloved OS has been hardened against
> attacks such as this, there are a number of well known software packages that
> are affected dramatically by these attacks, and more often than not it is their
> behaviour that causes up-to-date boxes to hang.
> 
> Hope this helps,
> 
> Marc Rogers
> Head of Network Operations & Security
> EDC Group
> 
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
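The triage Marc describes above (decide whether the ICMP is inbound or outbound, count how many distinct peers are involved as a spoofing/DDoS hint, and look for IP fragments) can be done over the text output of the `tcpdump -n` snapshot he asks for. The script below is an added example written for this page, not code from the thread or from FreeBSD; it parses both the classic `src > dst: icmp: ...` line format and the newer `IP src > dst: ICMP ...` format. The local address 192.0.2.10 and the sample capture lines are constructed (RFC 5737 documentation ranges), and the peer threshold in `clues()` is an illustrative number, not a rule.

```python
"""Triage a tcpdump text capture: ICMP direction, distinct peers, IP fragments."""
import re
from collections import Counter

# Assumed: the affected host's own address (RFC 5737 documentation range).
LOCAL_ADDRS = {"192.0.2.10"}

# Accepts classic output ("src > dst: icmp: echo request") and newer output
# ("IP src > dst: ICMP echo request, id 1, ..."), with or without a timestamp.
LINE_RE = re.compile(
    r"^(?:\S+\s+)?(?:IP\s+)?(?P<src>[\d.]+)\s+>\s+(?P<dst>[\d.]+):\s*(?P<rest>.*)$"
)
# "(frag id:len@offset+)" is how tcpdump marks an IP fragment.
FRAG_RE = re.compile(r"\(frag\s+\d+:\d+@(?P<offset>\d+)\+?\)")


def _host(token):
    """Strip a trailing port from 'a.b.c.d.port' so TCP/UDP lines parse too."""
    parts = token.split(".")
    return ".".join(parts[:4]) if len(parts) > 4 else token


def parse_line(line):
    """Return src/dst/proto/icmp_type/fragment offset for one line, or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest")
    frag = FRAG_RE.search(rest)
    is_icmp = re.match(r"icmp\b", rest, re.I) is not None
    icmp_type = None
    if is_icmp:
        # Keep only the human-readable type, e.g. "echo request".
        desc = FRAG_RE.sub("", rest)
        icmp_type = re.sub(r"^icmp:?\s*", "", desc, flags=re.I).split(",")[0].strip()
    return {
        "src": _host(m.group("src")),
        "dst": _host(m.group("dst")),
        "proto": "icmp" if is_icmp else "other",
        "icmp_type": icmp_type,
        "frag_offset": int(frag.group("offset")) if frag else None,
    }


def summarize(lines, local=LOCAL_ADDRS):
    """Count ICMP by direction relative to `local`, plus peers and fragments."""
    stats = {"icmp_in": 0, "icmp_out": 0, "icmp_transit": 0,
             "frag_first": 0, "frag_nonfirst": 0,
             "external_srcs": set(), "external_dsts": set(),
             "icmp_types": Counter()}
    for line in lines:
        p = parse_line(line)
        if p is None:
            continue
        if p["frag_offset"] is not None:
            # Non-first fragments carry no L4 header, so tcpdump cannot label
            # them ICMP; count them separately instead of losing them.
            stats["frag_first" if p["frag_offset"] == 0 else "frag_nonfirst"] += 1
        if p["proto"] != "icmp":
            continue
        if p["dst"] in local:
            stats["icmp_in"] += 1
            stats["external_srcs"].add(p["src"])
        elif p["src"] in local:
            stats["icmp_out"] += 1
            stats["external_dsts"].add(p["dst"])
        else:
            stats["icmp_transit"] += 1
        stats["icmp_types"][p["icmp_type"]] += 1
    return stats


def clues(stats, peer_threshold=3):
    """Turn the counts into triage hints; the peer threshold is illustrative."""
    hints = []
    if stats["icmp_out"] > stats["icmp_in"]:
        n = len(stats["external_dsts"])
        hints.append(f"outbound ICMP dominates: the box is answering {n} distinct peers")
        if n >= peer_threshold:
            hints.append("many distinct peers: consistent with spoofed or many sources")
    elif stats["icmp_in"]:
        hints.append(f"inbound ICMP dominates, from {len(stats['external_srcs'])} sources")
    if stats["frag_first"] or stats["frag_nonfirst"]:
        hints.append("IP fragments present: check for a fragment attack")
    return hints


# Constructed sample of `tcpdump -n` text output (not a real capture).
SAMPLE_CAPTURE = """\
17:35:01.000001 198.51.100.7 > 192.0.2.10: icmp: echo request
17:35:01.000102 192.0.2.10 > 198.51.100.7: icmp: echo reply
17:35:01.000203 203.0.113.4 > 192.0.2.10: icmp: echo request (frag 4321:1480@0+)
17:35:01.000304 203.0.113.4 > 192.0.2.10: (frag 4321:1480@1480+)
17:35:01.000405 203.0.113.4 > 192.0.2.10: (frag 4321:40@2960)
17:35:01.000506 192.0.2.10 > 203.0.113.9: icmp: 192.0.2.10 udp port 31337 unreachable
17:35:01.000607 192.0.2.10 > 203.0.113.10: icmp: 192.0.2.10 udp port 31337 unreachable
17:35:01.000708 192.0.2.10 > 203.0.113.11: icmp: 192.0.2.10 udp port 31337 unreachable
17:35:01.000809 198.51.100.7.1040 > 192.0.2.10.22: S 1:1(0) win 512
"""

if __name__ == "__main__":
    s = summarize(SAMPLE_CAPTURE.splitlines())
    for h in clues(s):
        print("-", h)
```

On a real box the input would be `tcpdump -n -i <iface> > snapshot.txt` run for a minute during the event, then `summarize(open("snapshot.txt"))`; the point of counting `external_dsts` for outbound ICMP is Marc's observation that a box answering a crowd of (possibly spoofed) addresses produces outbound ICMP, which a simple "block icmp" rule would hide rather than explain.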