From owner-freebsd-security Tue May 7 18:16:35 2002
Delivered-To: freebsd-security@freebsd.org
Received: from utility.clubscholarship.com (utility.clubscholarship.com [198.78.70.175]) by hub.freebsd.org (Postfix) with ESMTP id AD6EF37B406 for ; Tue, 7 May 2002 18:16:27 -0700 (PDT)
Received: from localhost (root@localhost) by utility.clubscholarship.com (8.11.6/8.11.6) with ESMTP id g481DIP09106 for ; Tue, 7 May 2002 18:13:18 -0700 (PDT) (envelope-from root@utility.clubscholarship.com)
Date: Tue, 7 May 2002 18:13:18 -0700 (PDT)
From: Patrick Thomas
To:
Subject: what does a syncookies attack look like ?
Message-ID: <20020507180602.T8475-100000@utility.clubscholarship.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

I have a server that is under attack, and crashes as a result of those attacks. However, we are not sure if this is just a standard traffic attack, or if something more elegant such as the syncookies vulnerability is being exploited. Therefore, I am wondering if someone can:

a) describe what a system that has been attacked in this manner looks like
b) describe (if possible) a way to look for this attack in tcpdump output

---

My system has the following behavior when it crashes: you can still ping the server, and you can still open connections on ports where services are running. However, no responses are given on those ports. For instance, if you ssh, and use the verbose option, you will see that the connection is established, but nothing more. The same is true for telnetting to IMAP or POP ports, etc. Cron jobs do not run after it has crashed. But again, you can ping it just fine. I was told on -hackers that this sounds like a system whose kernel is still running, but the userland has halted.

I am always running tcpdump -v, logging into a file, when it crashes, so as to see if something over the network is causing it, but I do not know what to look for.

---

So, does this sound like system behavior to expect from a system that got attacked using a syncookies exploit, or does a syncookies-exploited system behave differently? (reset itself, or lock hard without being able to be pinged, etc.)

Also, what can I look for on the system and on my firewall in the results of my `tcpdump -v >> /logfile` to confirm or deny that this is the case?

thanks,

PT
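The poster asks how to tell from a tcpdump log whether the box is being hit by a SYN flood (the traffic pattern syncookies exist to survive) rather than ordinary load. The script below is an added example, not code from the original thread or from FreeBSD, that does the one check a defender would want first: it replays the TCP three-way handshake over tcpdump's default TCP output and reports, per client address, how many SYNs were sent versus how many handshakes were actually completed with a third ACK. A flood shows up as SYNs that draw a SYN-ACK from the server and are never followed by an ACK. The regular expression accepts both the older tcpdump line shape (`S 1000:1000(0) win 512`) and the newer `Flags [S]` shape; the sample lines, the server address 198.51.100.5 and the client addresses are constructed for the example and are not from any real capture.

```python
import re
from collections import defaultdict

# Constructed sample tcpdump lines (not a real capture). 198.51.100.5 is the
# server. 10.1.2.3 completes one handshake to port 22; 203.0.113.7 sends SYNs
# from changing source ports and never answers the server's SYN-ACKs. Both the
# classic tcpdump 3.x line shape and the newer "Flags [S]" shape are included.
SAMPLE_LINES = [
    "18:13:18.000001 10.1.2.3.40001 > 198.51.100.5.22: S 1000:1000(0) win 512",
    "18:13:18.000002 198.51.100.5.22 > 10.1.2.3.40001: S 2000:2000(0) ack 1001 win 65535",
    "18:13:18.000003 10.1.2.3.40001 > 198.51.100.5.22: . ack 2001 win 512",
    "18:13:18.100001 203.0.113.7.1025 > 198.51.100.5.22: S 1:1(0) win 512",
    "18:13:18.100002 198.51.100.5.22 > 203.0.113.7.1025: S 3000:3000(0) ack 2 win 65535",
    "18:13:18.100003 203.0.113.7.1026 > 198.51.100.5.22: S 1:1(0) win 512",
    "18:13:18.100004 198.51.100.5.22 > 203.0.113.7.1026: S 3001:3001(0) ack 2 win 65535",
    "18:13:18.100005 IP 203.0.113.7.1027 > 198.51.100.5.22: Flags [S], seq 1, win 512, length 0",
    "18:13:18.100006 IP 198.51.100.5.22 > 203.0.113.7.1027: Flags [S.], seq 3002, ack 2, win 65535, length 0",
    "18:13:18.100007 IP 203.0.113.7.1028 > 198.51.100.5.22: Flags [S], seq 1, win 512, length 0",
    "18:13:18.100008 IP 203.0.113.7.1029 > 198.51.100.5.22: Flags [S], seq 1, win 512, length 0",
    "18:13:18.100009 IP 203.0.113.7.1030 > 198.51.100.5.22: Flags [S], seq 1, win 512, length 0",
]

# Matches "<time> [IP] a.b.c.d.port > e.f.g.h.port: <flags> <rest>" for IPv4 TCP
# lines. The "Flags [..]" alternative is tried first so that the "F" in "Flags"
# is never mistaken for a classic FIN flag token.
LINE_RE = re.compile(
    r"^\S+\s+(?:IP\s+)?"
    r"(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > (?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): "
    r"(?:Flags \[(?P<nflags>[^\]]*)\]|(?P<cflags>[SFRPUWE.]+)),?\s*(?P<rest>.*)$"
)


def parse_line(line):
    """Return the endpoints and SYN/ACK bits of one tcpdump TCP line, or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    if m.group("nflags") is not None:
        # Newer format: "." inside the brackets is the ACK bit.
        flags = m.group("nflags")
        syn, ack = "S" in flags, "." in flags
    else:
        # Classic format: the ACK bit appears as the word "ack" after the flags.
        flags = m.group("cflags")
        syn, ack = "S" in flags, re.search(r"\back\b", m.group("rest")) is not None
    return {"src": m.group("src"), "sport": int(m.group("sport")),
            "dst": m.group("dst"), "dport": int(m.group("dport")),
            "syn": syn, "ack": ack}


def summarize(lines):
    """Per client IP, return (syns_sent, handshakes_completed)."""
    # 4-tuple -> stage: 1 = SYN seen, 2 = SYN-ACK seen, 3 = final ACK seen.
    state = {}
    per_src = defaultdict(lambda: [0, 0])
    for line in lines:
        p = parse_line(line)
        if p is None:
            continue
        if p["syn"] and not p["ack"]:                      # client SYN
            state[(p["src"], p["sport"], p["dst"], p["dport"])] = 1
            per_src[p["src"]][0] += 1
        elif p["syn"] and p["ack"]:                        # server SYN-ACK
            key = (p["dst"], p["dport"], p["src"], p["sport"])
            if state.get(key) == 1:
                state[key] = 2
        elif p["ack"]:                                     # client's third ACK
            key = (p["src"], p["sport"], p["dst"], p["dport"])
            if state.get(key) == 2:
                state[key] = 3
                per_src[p["src"]][1] += 1
    return {src: (v[0], v[1]) for src, v in per_src.items()}


def suspects(summary, min_syns=5):
    """Sources that sent at least min_syns SYNs and completed no handshake."""
    return sorted(src for src, (syns, done) in summary.items()
                  if syns >= min_syns and done == 0)


def half_open_ratio(summary):
    """Fraction of all SYNs that never became a completed handshake."""
    syns = sum(s for s, _ in summary.values())
    done = sum(d for _, d in summary.values())
    return 0.0 if syns == 0 else (syns - done) / syns


if __name__ == "__main__":
    summary = summarize(SAMPLE_LINES)
    for src, (syns, done) in sorted(summary.items()):
        print(f"{src:16} SYNs={syns:4} completed={done:4}")
    print("half-open ratio:", round(half_open_ratio(summary), 3))
    print("suspects:", suspects(summary))
```

Run it against the real log with `summarize(open("/logfile"))` in place of the sample list. Two caveats: a flood that spoofs its source addresses spreads the SYNs over many hosts, so the per-source list stays empty and the global half-open ratio is the number to watch; and this only establishes that a SYN flood is present, not whether the kernel's syncookie code is what is misbehaving, which needs the host-side view (FreeBSD's `netstat -s -p tcp` counters alongside the capture).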