From owner-freebsd-security Fri Jun 29 14:15:24 2001
From: appleseed@hushmail.com
Date: Fri, 29 Jun 2001 14:05:12 -0500 (PDT)
To: George.Giles@mcmail.vanderbilt.edu
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: What is ipfw telling me ?
Message-Id: <200106292115.OAA06336@user7.hushmail.com>
Sender: owner-freebsd-security@FreeBSD.ORG

Sup,

# First I check to see who controls the subnet attacking u
define.northern_ % host -t ns 46.239.216.in-addr.arpa
46.239.216.in-addr.arpa name server NS2.GOOGLE.COM
46.239.216.in-addr.arpa name server NS3.GOOGLE.COM
46.239.216.in-addr.arpa name server NS4.GOOGLE.COM
46.239.216.in-addr.arpa name server NS1.GOOGLE.COM
# looks like our friend Google.com controls the NS at least.

# let's check to see if these are really Google's hosts by picking
# random nodes
define.northern_ % host -t any 216.239.46.1
1.46.239.216.IN-ADDR.ARPA domain name pointer crawl1.googlebot.com
define.northern_ % host -t any 216.239.46.90
90.46.239.216.IN-ADDR.ARPA domain name pointer crawl4.googlebot.com
define.northern_ % host -t any 216.239.46.127
127.46.239.216.IN-ADDR.ARPA domain name pointer crawl5.googlebot.com
define.northern_ % host -t any 216.239.46.200
200.46.239.216.IN-ADDR.ARPA domain name pointer crawl8.googlebot.com
define.northern_ % host -t any 216.239.46.254
254.46.239.216.IN-ADDR.ARPA domain name pointer sjbi1-gige-6-1.google.com
define.northern_ %

According to our findings (and a PTR->A lookup confirms) this subnet consists mainly of Google's botnet, which scours the net searching for new sites to index. ;-)

I am going to assume here that someone is not spoofing Google just to target your host on port 80. More than likely it's just good ol' Google trying to see if you have anything interesting to index on your website (if u have one).

If you want to close off access to that subnet creating incoming tcp/udp sessions I suggest u upgrade to ipf (;-)) and define keep state rules as well as deny incoming session initialization attempts. This way u can still access Google's nifty database but they can't access u =)

much love..
northern_
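The check the post sketches by hand (PTR lookup, then a forward lookup to confirm the PTR name really maps back to the address) is forward-confirmed reverse DNS. Whoever controls the in-addr.arpa zone for a prefix can publish any PTR they like, so the PTR alone proves nothing; the forward confirmation is what ties the name to the address. The script below is an added example, not code from the post or from FreeBSD; it scripts that check over a list of addresses. Resolution is injected as two callables so the logic runs offline against a constructed record table (the three Google PTR names come from the post; all A records, the RFC 5737 documentation addresses 203.0.113.x and 198.51.100.1, and the "crawl9"/"scanner.example.net" entries are made up here). `live_ptr` and `live_a` wrap the standard library's `socket.gethostbyaddr` and `socket.gethostbyname_ex` for use against a real resolver.

```python
"""Forward-confirmed reverse DNS (FCrDNS) classification of source addresses.

Added example; the lookup table below is constructed for the demo."""
import socket
from typing import Callable, Dict, Iterable, List, Optional, Sequence, Tuple

PtrLookup = Callable[[str], Optional[str]]
ALookup = Callable[[str], List[str]]

# Constructed sample records. The three Google PTR names are quoted in the
# post; every A record, plus the 203.0.113.x entries (RFC 5737 range), is
# made up. 203.0.113.7 carries a PTR that *claims* to be a Google crawler
# but whose forward record points elsewhere, i.e. a forged reverse entry.
SAMPLE_PTR: Dict[str, str] = {
    "216.239.46.1": "crawl1.googlebot.com",
    "216.239.46.90": "crawl4.googlebot.com",
    "216.239.46.254": "sjbi1-gige-6-1.google.com",
    "203.0.113.7": "crawl9.googlebot.com",
    "203.0.113.8": "scanner.example.net",
}
SAMPLE_A: Dict[str, List[str]] = {
    "crawl1.googlebot.com": ["216.239.46.1"],
    "crawl4.googlebot.com": ["216.239.46.90"],
    "sjbi1-gige-6-1.google.com": ["216.239.46.254"],
    "crawl9.googlebot.com": ["216.239.46.9"],
    "scanner.example.net": ["203.0.113.8"],
}


def sample_ptr(ip: str) -> Optional[str]:
    """Offline PTR lookup against the constructed table."""
    return SAMPLE_PTR.get(ip)


def sample_a(name: str) -> List[str]:
    """Offline A lookup against the constructed table."""
    return SAMPLE_A.get(name, [])


def live_ptr(ip: str) -> Optional[str]:
    """PTR lookup through the system resolver (pass this in for real runs)."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None


def live_a(name: str) -> List[str]:
    """A lookup through the system resolver (pass this in for real runs)."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except (socket.herror, socket.gaierror):
        return []


def fcrdns(ip: str, trusted_suffixes: Sequence[str],
           ptr_lookup: PtrLookup = sample_ptr,
           a_lookup: ALookup = sample_a) -> Tuple[str, str]:
    """Classify one address. Returns (verdict, detail) with verdict one of:
      "unverified" - no PTR record at all
      "untrusted"  - PTR exists but is not under a trusted suffix
      "spoofed"    - PTR names a trusted domain but does not resolve back to ip
      "verified"   - PTR is trusted and forward-confirmed
    """
    name = ptr_lookup(ip)
    if not name:
        return "unverified", "no PTR record"
    name = name.rstrip(".").lower()
    # Match on a label boundary: "evilgoogle.com" must not pass as "google.com".
    if not any(name == s or name.endswith("." + s) for s in trusted_suffixes):
        return "untrusted", f"PTR {name} is outside the trusted domains"
    if ip not in a_lookup(name):
        return "spoofed", f"PTR {name} does not resolve back to {ip}"
    return "verified", name


def summarize(addresses: Iterable[str], trusted_suffixes: Sequence[str],
              ptr_lookup: PtrLookup = sample_ptr,
              a_lookup: ALookup = sample_a) -> Dict[str, int]:
    """Count verdicts over a batch of addresses (e.g. the sources in a firewall log)."""
    counts = {"verified": 0, "spoofed": 0, "untrusted": 0, "unverified": 0}
    for ip in addresses:
        counts[fcrdns(ip, trusted_suffixes, ptr_lookup, a_lookup)[0]] += 1
    return counts


if __name__ == "__main__":
    trusted = ["googlebot.com", "google.com"]
    batch = list(SAMPLE_PTR) + ["198.51.100.1"]  # last one has no PTR at all
    for ip in batch:
        print(ip, *fcrdns(ip, trusted))
    print(summarize(batch, trusted))
```

For a live run, call `summarize(addresses, trusted, live_ptr, live_a)`; the offline table is only there so the classification logic can be exercised without network access. Note that even a "verified" result says only that the operator of that name's forward zone agrees the address is theirs; it does not by itself say anything about the intent of the traffic.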