Date: Sun, 5 Jan 2003 14:03:08 -0800 (PST) From: Josh Brooks <user@mail.econolodgetulsa.com> To: Lars Eggert <larse@ISI.EDU> Cc: freebsd-net@freebsd.org Subject: Re: Need help dealing with (D)DoS attacks (desperately) - MORE INFO Message-ID: <20030105135310.U80512-100000@mail.econolodgetulsa.com> In-Reply-To: <3E18A1BA.8000607@isi.edu>
next in thread | previous in thread | raw e-mail | index | archive | help
Ok, I am now armed with quite a bit more info regarding these attacks.
First off, the target looks like this:
Port State Service
21/tcp open ftp
22/tcp open ssh
25/tcp open smtp
53/tcp open domain
80/tcp open http
110/tcp open pop-3
3333/tcp open dec-notes
10000/tcp open snet-sensor-mgmt
31337/tcp open Elite
(and yes, port 31337 is legit - this is a linux server and that is not a
trojan running)
OK, so during the attack, an upstream router captured the packets. I see
two interesting things:
1. a ton of TCP SYN, [1658] -> [106] 3COM-TSMUX to ports that do
not exist on the target. See how this one goes to destination 106, but
the target is not running anything on 106 ? Once in a while the SYN
packets go to an existing port, but most of them go to nonexistent
(seemingly random) ports on the target.
2. a noticable amount of christmas tree packets aimed at the target:
TCP FIN SYN RST PSH ACK, [1400] -> [98] TAC-news
again, to ports not actually open on the target. I guess a xmas tree
packet technically has a URG flag as well, which these do not - but even
still I suspect these are bad news to be seeing.
Also some of them are not quite as xmas as other:
TCP SYN RST PSH ACK, [1230] -> [118] SQL-service
again, directed at a service that does not exist.
3. These seem less frequent, but I am seeing:
UDP, [21397] -> [2284] ^M
Source port: [21397] ^M
Destination port: [2284] ^M
UDP length: 908^M
Checksum: 0x0000 (data fragment - not able to check)^M
So .. a UDP fragment sent to a port not open on the target. This also
seems like bad news.
-----
So that's that - I see this for all three IPs that were being targeted.
So now there are two things I need to know (and ask cordially for your
help with)
1. what can I put into place on a 4.4-RELEASE ipfw firewall to combat
these items
2. What are 1 2 and 3 called ? For instance, is #1 a "syn flood" ?
3. will the solutions given to me actually help ? I mean, the packets
will still hit my firewall, and given the cpu utilization and config I
showed you earlier, will the fixes nullify the effect of these attacks, or
am I so underpowered that getting hit with these in any way, no matter
what precautions I have in place will disable me ?
thanks a LOT.
On Sun, 5 Jan 2003, Lars Eggert wrote:
> On 1/5/2003 1:05 PM, Josh Brooks wrote:
> >
> > I am running this as my firewall/router:
> >
> > 4.4-RELEASE FreeBSD 4.4-RELEASE #0
> >
> > And I have no ability to change that anytime soon. Recently I have been
> > having a lot of trouble with floods/ddos/etc. When these attacks occur,
> > my firewall is totally unresponsive, I cannot ssh in to type a single
> > command (and thus cannot tcpdump anything) and clients of systems on the
> > inside either get no response, or get:
>
> What processor and NICs do you use? This sounds like your machine is
> being pushed into livelock, which shouldn't happen at the traffic load
> you described (when you say "megs", do you mean Mb/s or MB/s?)
> Complicated firewall rule sets also eat CPU time.
>
> Lars
> --
> Lars Eggert <larse@isi.edu> USC Information Sciences Institute
>
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-net" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20030105135310.U80512-100000>