From owner-freebsd-questions@FreeBSD.ORG  Thu Dec  4 16:24:14 2003
Return-Path: <owner-freebsd-questions@FreeBSD.ORG>
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 4E55E16A4CE
	for <freebsd-questions@freebsd.org>;
	Thu,  4 Dec 2003 16:24:14 -0800 (PST)
Received: from munk.nu (mail.munk.nu [213.152.51.194])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 659AB43F93
	for <freebsd-questions@freebsd.org>;
	Thu,  4 Dec 2003 16:24:13 -0800 (PST)	(envelope-from munk@munk.nu)
Received: from munk by munk.nu with local (Exim 4.24; FreeBSD)
	id 1AS3lU-000ACt-9a
	for freebsd-questions@freebsd.org; Fri, 05 Dec 2003 00:24:12 +0000
Date: Fri, 5 Dec 2003 00:24:12 +0000
From: Jez Hancock <jez.hancock@munk.nu>
To: FreeBSD Questions List <freebsd-questions@freebsd.org>
Message-ID: <20031205002412.GA37507@users.munk.nu>
Mail-Followup-To: FreeBSD Questions List <freebsd-questions@freebsd.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.4.1i
Sender: User Munk <munk@munk.nu>
Subject: ipfilter traffic blocking and tcpdump snort etc
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: User questions <freebsd-questions.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-questions>,
	<mailto:freebsd-questions-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-questions>
List-Post: <mailto:freebsd-questions@freebsd.org>
List-Help: <mailto:freebsd-questions-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-questions>,
	<mailto:freebsd-questions-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Fri, 05 Dec 2003 00:24:14 -0000

Hi,

I've blocked a dozen or so addresses using ipfilter:

block in quick on fxp0 from 208.186.60.116 to any
block in quick on fxp0 from 216.230.149.11 to any

etc

but I still see a lot of traffic those hosts in trafshow, snort and
other packet capturing utils.  Why is this?

Is there any alternative method of blocking access from certain hosts
so that this traffic is not 'seen' by higher level /userland apps?

As background, the blocked hosts were part of a denial of service attack
which has been going on for a few hours now.  The attack was aimed at
port 80, although an odd artifact is that no httpd log entries were made
for any of the hosts attempting to connect on port 80.

A cursory nmap scan of a few of the hosts shows that all hosts had both
port 25 and 80 open, but none of the hosts accepted connections on
either of those ports.  Any idea what kind of attack this could be?

-- 
Jez Hancock
 - System Administrator / PHP Developer

http://munk.nu/