From: Bill Campbell
To: freebsd-questions@freebsd.org
Date: Sat, 8 Mar 2008 14:54:35 -0800
Subject: Re: how to respond to possible attacks
Message-ID: <20080308225435.GA14280@ayn.mi.celestial.com>
In-Reply-To: <47D31490.1040804@jessikat.plus.net>
Reply-To: freebsd@celestial.com

On Sat, Mar 08, 2008, Robin Becker wrote:
>Sorry if this is too off topic, but I would like to find out what to do
>when you suspect a possible dos attack on your system. I know there are
>many experienced sysadmins here.
>Although my system (freebsd 6.0/apache 2.0.x) did in fact hold up, what
>steps should I be taking? The originating ip doesn't seem to be reverse
>mappable.

The first thing to do is ``whois ipaddress'' which probably will
identify the owner of the ip block.

One can also identify name servers by reversing the octets in the IP
address, then querying for the name server(s) responsible for the
reverse dns. Thus, if the IP address is 1.2.3.4, one would try the
following searches until one returns something useful.

    dig 4.3.2.in-addr.arpa. ns
    dig 3.2.in-addr.arpa. ns
    dig 2.in-addr.arpa. ns

The next step would be to attempt to contact the owners of the name
servers.

Bill
-- 
INTERNET:   bill@celestial.com  Bill Campbell; Celestial Software LLC
URL: http://www.celestial.com/  PO Box 820; 6641 E. Mercer Way
FAX:            (206) 232-9186  Mercer Island, WA 98040-0820; (206) 236-1676

We'll show the world we are prosperous, even if we have to go broke to
do it.
        -- Will Rogers
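The reverse-zone walk Bill describes, as an added POSIX sh example that is not part of the original post. It builds the in-addr.arpa zones for the /24, /16 and /8 containing an IPv4 address (most specific first) and then asks each for its NS records until one answers, which is what the successive dig queries above do by hand. Note that the zone for the /24 containing 1.2.3.4 is 3.2.1.in-addr.arpa. (the last octet is dropped and the rest reversed); the dig lines in the post drop the first octet instead. The lookup step assumes dig(1) is installed and that the machine has DNS access; the zone-building function needs neither. The file name in the usage comment and the address 192.0.2.1 (a documentation range) are placeholders.

```shell
#!/bin/sh
# Added example, not the original poster's code: reverse-DNS zone walk for an
# IPv4 address, the defender's first step toward finding who operates a block.

# Print the in-addr.arpa zones for the /24, /16 and /8 containing $1,
# most specific first. Returns 1 on anything that is not a valid dotted quad.
reverse_zones() {
    case $1 in
        # five or more octets, a non digit/dot character, a leading or trailing
        # dot, or an empty octet
        *.*.*.*.*|*[!0-9.]*|.*|*.|*..*)
            echo "reverse_zones: bad address '$1'" >&2; return 1 ;;
        *.*.*.*) ;;   # exactly four octets: fall through to the range check
        *)  echo "reverse_zones: bad address '$1'" >&2; return 1 ;;
    esac
    # Split with parameter expansion so IFS is left untouched.
    a=${1%%.*}; rest=${1#*.}
    b=${rest%%.*}; rest=${rest#*.}
    c=${rest%%.*}; d=${rest#*.}
    for o in "$a" "$b" "$c" "$d"; do
        [ "$o" -le 255 ] || {
            echo "reverse_zones: octet $o out of range in '$1'" >&2; return 1
        }
    done
    printf '%s\n' "$c.$b.$a.in-addr.arpa." "$b.$a.in-addr.arpa." "$a.in-addr.arpa."
}

# Ask each candidate zone for NS records and report the first one that
# answers. This is the only function that needs dig(1) and the network.
find_reverse_ns() {
    command -v dig >/dev/null 2>&1 || { echo "dig(1) not installed" >&2; return 2; }
    for zone in $(reverse_zones "$1"); do
        ns=$(dig +short "$zone" ns 2>/dev/null)
        if [ -n "$ns" ]; then
            printf 'zone %s is served by:\n%s\n' "$zone" "$ns"
            return 0
        fi
    done
    echo "no NS records found for any reverse zone of $1" >&2
    return 1
}

# Usage (hypothetical file name):  sh reverse_ns.sh 192.0.2.1
if [ $# -eq 1 ]; then
    find_reverse_ns "$1"
fi
```

whois on the address, the post's first step, remains the quicker route to an abuse contact; the NS walk is the fallback for an address with no usable PTR record, and the operator of the /24 zone it returns is normally the party to write to.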