From owner-freebsd-net@FreeBSD.ORG Sat Feb 21 04:09:45 2009
Delivered-To: net@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 11BFE106566B for ; Sat, 21 Feb 2009 04:09:45 +0000 (UTC) (envelope-from smithi@nimnet.asn.au)
Received: from sola.nimnet.asn.au (paqi.nimnet.asn.au [220.233.188.227]) by mx1.freebsd.org (Postfix) with ESMTP id 62BF38FC0A for ; Sat, 21 Feb 2009 04:09:44 +0000 (UTC) (envelope-from smithi@nimnet.asn.au)
Received: from localhost (localhost [127.0.0.1]) by sola.nimnet.asn.au (8.14.2/8.14.2) with ESMTP id n1L49alN087476; Sat, 21 Feb 2009 15:09:37 +1100 (EST) (envelope-from smithi@nimnet.asn.au)
Date: Sat, 21 Feb 2009 15:09:36 +1100 (EST)
From: Ian Smith
To: Bakul Shah
In-Reply-To: <20090220205003.301AB5B3E@mail.bitblocks.com>
Message-ID: <20090221135053.J46613@sola.nimnet.asn.au>
References: <20090220055936.035255B1B@mail.bitblocks.com> <20090220235840.I46613@sola.nimnet.asn.au> <20090220205003.301AB5B3E@mail.bitblocks.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Cc: net@freebsd.org
Subject: Re: A more pliable firewall
X-BeenThere: freebsd-net@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Networking and TCP/IP with FreeBSD
X-List-Received-Date: Sat, 21 Feb 2009 04:09:45 -0000

On Fri, 20 Feb 2009, Bakul Shah wrote:

> Thanks to everyone who responded. Looks like all the pieces
> to do this exist. All I have to do is to package it all in
> one program "sheriff" that watches various log files and
> pulls the trigger on the bad guy(s) at appropriate time.

Wild West imagery indeed :)

> I think I will add a program to keep running stats on *all*
> the tcp/udp senders to find all those annoyingly pesky repeat
> senders who have no business talking to my network.

Be prepared for a very, very large list!  Maybe needing some sort of
tree/trie or hashing algorithm to handle quickly as it grows.  You'll
also need some expiry mechanism after a period, as many if not most of
these are transient scans from infected 'doze boxes, trojans du jour.

And that after you've ignored the near-constant 'background radiation'
from 'doze boxes to eg TCP dst-ports 135,139,445,1433 and others, and
UDP dst-ports 135,137,138,1433,1434,1900 etc; no use chasing such more
or less constant misconfigs, they'll only mask more interesting stuff.

> What would be nice is a standard interface to report
> suspicious failures (sort of like syslog). If the same guy
> sends N DNS requests for the same thing and every request
> fails, chances are he is a bad guy (or a zombie acting on
> behalf of one). Perhaps some day a trusted network of such
> daemons can be used to "back pressure" the closest ISP to the
> sender -- who can then shut him down for a while.

One note of caution: TCP is straightforward enough, the three-way
handshake verifying the source address (if it proceeds to connection).
However it's trivial to forge UDP source addresses, as the recent DNS
amplification attacks I mentioned amply demonstrate.

In such cases, the address appearing to be sending DNS requests logged
as, say, "address#port query (cache) './NS/IN' denied" is the *victim*
of such attacks, and blocking all access to/from such addresses, often
nameservers of large ISPs, amounts to shooting yourself in the foot as
well as further punishing the victim - the unknown attacker's intention!

In that case it's sufficient to block 'from $victim to $me 53', still
allowing $me to query their nameservers, eg to send them some mail :)

good luck, Ian
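The following is an added example, not code from this thread or from any FreeBSD component. It sketches the "sheriff" idea from Bakul's message together with Ian's two cautions: a per-(source, query) counter with a sliding window, so entries expire instead of the table growing without bound, and a block action that only denies "from $victim to $me 53" rather than cutting off the address entirely, since a UDP source in a BIND "query ... denied" line may be a reflection victim. The log lines, the threshold, the window and the `ipfw ... to me dst-port 53` rule text are all assumptions chosen for illustration; the script only returns the rule strings and never runs ipfw.

```python
"""Added example: a small 'sheriff' that watches BIND 'query ... denied'
lines, counts repeat offenders per (source IP, query) with expiry, and
emits one-directional ipfw rules.  Not part of the original thread."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (RFC 5737 documentation addresses, not a real log).
# The second 198.51.100.9 line is a normal query and must be ignored.
SAMPLE_LOG = """\
20-Feb-2009 14:01:02.114 client 203.0.113.7#53: query (cache) './NS/IN' denied
20-Feb-2009 14:01:02.301 client 203.0.113.7#53: query (cache) './NS/IN' denied
20-Feb-2009 14:01:03.052 client 198.51.100.9#41233: query: www.example.com IN A + (192.0.2.1)
20-Feb-2009 14:01:04.777 client 203.0.113.7#53: query (cache) './NS/IN' denied
20-Feb-2009 14:10:00.000 client 198.51.100.9#53: query (cache) './NS/IN' denied
20-Feb-2009 14:25:00.000 client 198.51.100.9#53: query (cache) './NS/IN' denied
20-Feb-2009 14:40:00.000 client 198.51.100.9#53: query (cache) './NS/IN' denied
"""

# Assumed line shape: BIND timestamp, then "client IP#port: query (cache) 'Q' denied".
DENIED_RE = re.compile(
    r"^(?P<ts>\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2})\.\d+ "
    r"client (?P<ip>\d{1,3}(?:\.\d{1,3}){3})#(?P<port>\d+): "
    r"query \(cache\) '(?P<query>[^']+)' denied$"
)


class RepeatSenderTracker:
    """Sliding-window counter keyed by (source IP, query).

    Timestamps older than `window` are dropped on every update, so a source
    that trips the log only occasionally never accumulates to the threshold,
    and purge() lets the table shrink again once senders go quiet."""

    def __init__(self, threshold, window):
        self.threshold = threshold
        self.window = window
        self.hits = defaultdict(deque)

    def record(self, ip, query, ts):
        """Record one failure; return True once the threshold is reached."""
        q = self.hits[(ip, query)]
        q.append(ts)
        cutoff = ts - self.window
        while q and q[0] < cutoff:        # expire old entries at the head
            q.popleft()
        return len(q) >= self.threshold

    def purge(self, now):
        """Drop keys whose newest hit is outside the window."""
        cutoff = now - self.window
        stale = [k for k, q in self.hits.items() if not q or q[-1] < cutoff]
        for k in stale:
            del self.hits[k]
        return len(self.hits)


def block_rule(ip, proto="udp"):
    """Rule text denying only packets from `ip` to our port 53.

    Deliberately one-directional: with UDP the logged address may be the
    victim of a spoofed-source reflection attack, and we still want to be
    able to query its nameservers ourselves.  ipfw syntax is an assumption."""
    return f"ipfw add deny {proto} from {ip} to me dst-port 53"


def sheriff(lines, threshold=3, window=timedelta(minutes=10)):
    """Run the tracker over log lines; return the rules that would be added,
    one per offending source, in order of first trigger."""
    tracker = RepeatSenderTracker(threshold, window)
    blocked, rules = set(), []
    for line in lines:
        m = DENIED_RE.match(line)
        if not m:
            continue                      # normal queries and other noise
        ts = datetime.strptime(m["ts"], "%d-%b-%Y %H:%M:%S")
        ip = m["ip"]
        if tracker.record(ip, m["query"], ts) and ip not in blocked:
            blocked.add(ip)
            rules.append(block_rule(ip))
    return rules


if __name__ == "__main__":
    for rule in sheriff(SAMPLE_LOG.splitlines()):
        print(rule)
```

With the defaults (three denied queries for the same name within ten minutes) only 203.0.113.7 is blocked; 198.51.100.9 sends the same denied query three times but fifteen minutes apart, so its entries expire before it reaches the threshold. A real deployment would feed this from tail -F, call purge() periodically, and keep the ignore list of background-radiation ports Ian mentions in front of the firewall-log half of the watcher.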