Skip site navigation (1)Skip section navigation (2)
Date:      Fri, 5 Dec 2003 00:24:12 +0000
From:      Jez Hancock <jez.hancock@munk.nu>
To:        FreeBSD Questions List <freebsd-questions@freebsd.org>
Subject:   ipfilter traffic blocking and tcpdump snort etc
Message-ID:  <20031205002412.GA37507@users.munk.nu>

next in thread | raw e-mail | index | archive | help
Hi,

I've blocked a dozen or so addresses using ipfilter:

block in quick on fxp0 from 208.186.60.116 to any
block in quick on fxp0 from 216.230.149.11 to any

etc

but I still see a lot of traffic those hosts in trafshow, snort and
other packet capturing utils.  Why is this?

Is there any alternative method of blocking access from certain hosts
so that this traffic is not 'seen' by higher level /userland apps?

As background, the blocked hosts were part of a denial of service attack
which has been going on for a few hours now.  The attack was aimed at
port 80, although an odd artifact is that no httpd log entries were made
for any of the hosts attempting to connect on port 80.

A cursory nmap scan of a few of the hosts shows that all hosts had both
port 25 and 80 open, but none of the hosts accepted connections on
either of those ports.  Any idea what kind of attack this could be?

-- 
Jez Hancock
 - System Administrator / PHP Developer

http://munk.nu/



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20031205002412.GA37507>