Date: Wed, 23 May 2001 15:38:24 -0700
From: "Crist Clark" <crist.clark@globalstar.com>
To: mudman <mudman@R181204.resnet.ucsb.edu>
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: service attacks
Message-ID: <3B0C3BE0.F263E036@globalstar.com>
References: <Pine.BSF.4.30.0105231507370.73655-100000@R181204.resnet.ucsb.edu>
mudman wrote:
>
> I'm somewhat of a greenhorn on how packets are handled in FreeBSD.
> Apparently, some character has been throwing some bad packets at me.
> Kernel message like:
>
> arp: bad hardware address format (0x800)
>
> Then like 3 hours later (probably after a very slow, stealthy port scan),
> two of my services on high ports segfault.

The two are not likely related. The 'bad hardware address format' error
indicates that there is some problem, or something the kernel does not
understand anyway, in the link layer header. A link layer header does not
cross the Internet. Unless your attacker is on your LAN, i.e. no router
between you two, he could not be causing the ARP messages.

> If someone sends a packet to port XXXX, does it get dropped or filtered by
> the kernel if it is bad, or is the information processing up to the
> service on port XXXX?

Depends on what you mean by "bad information." As for your ARP messages,
those frames are never going to even get processed at the IP layer. If the
information in packet headers is "bad," the kernel will not understand them
and drop the packet. If the kernel understands the headers, the information
is not "bad" and it gets to where it is supposed to go.

> Actually, a few of those services really don't need to be accessed by the
> outside world. I'm thinking of setting up IPFW.

Good.

> Anyway, what should I make of this?

If people are crashing your services, you need to (a) turn them off if you
don't really need them, (b) patch them if they have known problems, or
(c) firewall them so only the people you have some trust in can access them.

> Oh yeah, one more thing. tcpdump has bogus ip addresses (japan, france,
> korea, etc..). Err, not to assert these places are bogus, but with the
> way they vary I think it is the same person falsifying packets w/
> different sources.

Why do you think that?

> This individual has been bothering me since January actually (with this
> stuff as well as DoS/packet spam).
> I would like to get him sent to prison. Any suggestions how I go about
> finding out who he is and how to put him out?

How do you know this is one person now? All you can (should) do is collect
information about the data being sent to you and try to trace it back to
the attacker(s).

-- 
Crist J. Clark                                Network Security Engineer
crist.clark@globalstar.com                    Globalstar, L.P.
(408) 933-4387                                FAX: (408) 933-4926
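To show why the ARP message above points at the local segment rather than the Internet, here is an added example (not part of the original thread or of FreeBSD's source): a small RFC 826 frame parser that makes the same first decision the kernel does, accepting the frame only when the ARP hardware-type field is Ethernet and otherwise reporting the rejected value. It assumes the hex value in the quoted kernel line is that hardware-type field, and the sample frames are constructed, not captured.

```python
import struct

ETHERTYPE_ARP = 0x0806
ARPHRD_ETHER = 1            # hardware type an Ethernet ARP input path accepts
ARPOP_REQUEST = 1


def mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def inspect_arp(frame: bytes) -> dict:
    """Parse Ethernet + ARP (RFC 826) and report the verdict a host on the same
    segment would reach. Note there is no IP header anywhere in this frame: the
    only addressing that reaches us is the sender's MAC, so the sender is a
    neighbour on our link, not something a router forwarded to us."""
    if len(frame) < 14 + 8:
        raise ValueError("frame too short for Ethernet + ARP fixed header")
    src_mac = frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETHERTYPE_ARP:
        raise ValueError(f"not ARP (ethertype 0x{ethertype:04x})")
    hrd, pro, hln, pln, op = struct.unpack("!HHBBH", frame[14:22])
    result = {"from_mac": mac(src_mac), "hrd": hrd, "pro": pro, "op": op}
    if hrd != ARPHRD_ETHER:
        # Same shape as the kernel log line: the hex value is the hardware type.
        result["verdict"] = f"bad hardware address format (0x{hrd:x})"
        return result
    body = frame[22:]
    if len(body) < 2 * (hln + pln):
        raise ValueError("ARP body truncated")
    spa = body[hln:hln + pln]
    result["sender_ip"] = ".".join(str(x) for x in spa) if pln == 4 else spa.hex()
    result["verdict"] = "accepted"
    return result


def build_arp(hrd: int, op: int = ARPOP_REQUEST) -> bytes:
    """Constructed sample: broadcast ARP from 02:00:00:00:00:01 / 10.0.0.1
    asking who has 10.0.0.2, with a caller-chosen hardware-type field."""
    eth = b"\xff" * 6 + bytes.fromhex("020000000001") + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH", hrd, 0x0800, 6, 4, op)
    arp += bytes.fromhex("020000000001") + bytes([10, 0, 0, 1])
    arp += b"\x00" * 6 + bytes([10, 0, 0, 2])
    return eth + arp


GOOD = inspect_arp(build_arp(ARPHRD_ETHER))   # verdict: accepted
BAD = inspect_arp(build_arp(0x0800))          # hardware-type field holding 0x0800, as in the log
```

The `from_mac` field of a rejected frame is the value worth chasing on the switch port or ARP table, since it is the only sender identity such a frame carries.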
