From: "Siraj Shaikh"
To: "Robin Becker"
Cc: freebsd-questions@freebsd.org
Date: Sat, 8 Mar 2008 23:11:07 +0000
Subject: Re: how to respond to possible attacks
Message-ID: <3b2ddd940803081511o71170756mbe1f1e8a17c1d6bc@mail.gmail.com>
In-Reply-To: <47D31490.1040804@jessikat.plus.net>

On 08/03/2008, Robin Becker wrote:
> Sorry if this is too off topic, but I would like to find out what to do
> when you suspect a possible DoS attack on your system. I know there are
> many experienced sysadmins here.
> Although my system (FreeBSD 6.0/Apache 2.0.x) did in fact hold up, what
> steps should I be taking? The originating IP doesn't seem to be reverse
> mappable.
> -- Robin

Are you only interested in finding out about the source of these attacks? Have you got some firewall configured?

Is there any particular service being targeted? What kind of packets are coming through?

Also, check if the same IP is targeting any other hosts on your network, or if there were any previous attempts at probing this machine or other hosts.
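
The questions in the reply above (what is being hit, whether the same address touches other hosts, whether it probed earlier) can be answered from web server access logs. The following is an added example, not part of the original message: it assumes Apache common/combined log format, and the host names `web1`/`web2`, the addresses and every log line are constructed sample data.

```python
import re
from collections import Counter
from datetime import datetime

# Apache common/combined log prefix: client, ident, user, [time], "request", status
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3})')

# Constructed sample logs for two hypothetical hosts (documentation addresses).
SAMPLE_LOGS = {
    "web1": [
        '192.0.2.77 - - [07/Mar/2008:03:12:44 +0000] "GET /admin/ HTTP/1.0" 404 208',
        '198.51.100.9 - - [08/Mar/2008:21:40:03 +0000] "GET /index.html HTTP/1.1" 200 1043',
    ] + ['192.0.2.77 - - [08/Mar/2008:21:40:%02d +0000] "GET / HTTP/1.0" 200 5120' % s
         for s in range(30)],
    "web2": ['192.0.2.77 - - [08/Mar/2008:21:39:58 +0000] "GET / HTTP/1.0" 200 4410'],
}

def parse(line):
    """Return (ip, datetime, request, status), or None for an unparseable line."""
    if not (m := LINE_RE.match(line)):
        return None
    ip, ts, request, status = m.groups()
    try:
        when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
    except ValueError:
        return None
    return ip, when, request, int(status)

def triage(logs, suspect):
    """Summarise one source address across several hosts' access logs."""
    hosts, seen = set(), []
    per_minute, requests = Counter(), Counter()
    for host, lines in logs.items():
        for ip, when, request, _status in filter(None, map(parse, lines)):
            if ip != suspect:
                continue
            hosts.add(host)
            seen.append(when)
            per_minute[when.replace(second=0)] += 1  # one bucket per minute
            requests[request] += 1
    if not seen:
        return None  # address never appears in these logs
    return {
        "hosts": sorted(hosts),                         # other hosts targeted?
        "first_seen": min(seen),                        # earlier probing?
        "total": len(seen),
        "peak_per_minute": max(per_minute.values()),
        "top_request": requests.most_common(1)[0][0],   # which URL is being hit?
    }
```

Calling `triage(SAMPLE_LOGS, "192.0.2.77")` on real data means replacing `SAMPLE_LOGS` with lines read from each host's access log; a `first_seen` well before the burst indicates the earlier probing the reply asks about.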