From: mudman
To: freebsd-security@freebsd.org
Subject: service attacks
Date: Wed, 23 May 2001 15:24:55 -0700 (PDT)

I'm somewhat of a greenhorn on how packets are handled in FreeBSD.

Apparently, some character has been throwing some bad packets at me. Kernel message like:

    arp: bad hardware address format (0x800)

Then, like 3 hours later (probably after a very slow, stealthy port scan), two of my services on high ports segfault.

If someone sends a packet to port XXXX, does it get dropped or filtered by the kernel if it is bad, or is the information processing up to the service on port XXXX?

Actually, a few of those services really don't need to be accessed by the outside world. I'm thinking of setting up IPFW.

Anyway, what should I make of this?

Oh yeah, one more thing. tcpdump has bogus IP addresses (Japan, France, Korea, etc.). Err, not to assert these places are bogus, but with the way they vary I think it is the same person falsifying packets w/ different sources. This individual has been bothering me since January actually (with this stuff as well as DoS/packet spam). I would like to get him sent to prison. Any suggestions on how I go about finding out who he is and how to put him out?
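As an added example, not part of mudman's post or any reply to it: a small sh script that generates an ipfw(8) ruleset keeping the services that need no outside access reachable only from a trusted network, logging every other connection attempt to them, and that summarises those log entries per claimed source. The interface name, trusted network, port numbers and the sample log lines are all assumptions or constructed values.

```shell
#!/bin/sh
# Added example (not from the original post): an ipfw(8) rule generator for the case
# described above, plus a log summariser. Assumptions: one external interface (fxp0),
# a trusted network 192.168.1.0/24 (constructed) and two high-port services on
# TCP 3000 and 4000 (placeholder ports). Logged denials need the IPFIREWALL_VERBOSE
# kernel option and go to syslog (/var/log/security on a default install).
IF=${IF:-fxp0}
TRUSTED=${TRUSTED:-192.168.1.0/24}
PRIVATE_PORTS=${PRIVATE_PORTS:-3000,4000}

# Print the ruleset; save it to a file and load with: ipfw -q -f flush && ipfw -q /path/to/rules
ipfw_rules() {
    # loopback is fine, but 127/8 seen on a real interface is a forged source
    echo "add 100 allow ip from any to any via lo0"
    echo "add 110 deny ip from any to 127.0.0.0/8"
    echo "add 120 deny ip from 127.0.0.0/8 to any"
    # a packet arriving on the outside interface with our own address as source is forged
    echo "add 200 deny log ip from me to any in via $IF"
    # replies to connections this host opened
    echo "add 300 check-state"
    echo "add 310 allow tcp from me to any out via $IF setup keep-state"
    # services that need no outside access: trusted sources only; every other SYN is
    # logged, so a slow scan of these ports becomes visible instead of reaching the daemon
    echo "add 400 allow tcp from $TRUSTED to me $PRIVATE_PORTS in via $IF setup"
    echo "add 410 deny log tcp from any to me $PRIVATE_PORTS in via $IF setup"
    echo "add 420 deny log udp from any to me $PRIVATE_PORTS in via $IF"
    # everything else keeps working for now; tighten once the remaining services are inventoried
    echo "add 65000 allow ip from any to any"
}

# Summarise logged denials per claimed source address, reading syslog lines on stdin.
# The line layout is assumed from ipfw's syslog output; the sample below is constructed.
denied_by_source() {
    awk '/ipfw: [0-9]+ Deny/ { split($10, a, ":"); n[a[1]]++ }
         END { for (s in n) print n[s], s }' | sort -rn
}

SAMPLE_LOG='May 23 12:00:01 box /kernel: ipfw: 410 Deny TCP 203.0.113.7:40001 192.0.2.10:3000 in via fxp0
May 23 12:00:09 box /kernel: ipfw: 410 Deny TCP 203.0.113.7:40002 192.0.2.10:4000 in via fxp0
May 23 12:01:30 box /kernel: ipfw: 410 Deny TCP 198.51.100.2:5555 192.0.2.10:3000 in via fxp0'

if [ "${1:-}" = "demo" ]; then
    ipfw_rules
    printf '%s\n' "$SAMPLE_LOG" | denied_by_source
fi
```

Because sources can be forged, the per-source counts show scan activity and timing rather than the sender's identity; the ISP of the address block is the party to contact with the log excerpt.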