From owner-freebsd-pf@FreeBSD.ORG Fri May 25 23:10:04 2007
From: "Abdullah Ibn Hamad Al-Marri" <almarrie@gmail.com>
To: freebsd-pf@freebsd.org
Date: Sat, 26 May 2007 02:09:59 +0300
Message-ID: <499c70c0705251609s6be5792bl1ca40076c69f6da3@mail.gmail.com>
Subject: alot of State failure on: 2
List-Id: "Technical discussion and general questions about packet filter \(pf\)"

Hello,

My server is being flooded by a script kiddie against port 7325.

Here is the dmesg output.

pf: State failure on: 1 | 5
pf: BAD state: TCP 66.90.108.40:7325 66.90.108.40:7325 91.120.91.178:4064 [lo=2903116211 high=2903120308 win=0 modulator=0] [lo=3133254124 high=3133254125 win=4096 modulator=0] 4:2 SA seq=3133254123 ack=2903116212 len=0 ackskew=-1 pkts=1:1 dir=out,rev
pf: State failure on: 2 |
pf: BAD state: TCP 66.90.108.40:7325 66.90.108.40:7325 91.120.91.178:1232 [lo=1528732996 high=1528737092 win=65535 modulator=0] [lo=1110233468 high=1110299003 win=4096 modulator=0] 4:2 S seq=1615476339 ack=1110233468 len=0 ackskew=0 pkts=3:4 dir=in,fwd
pf: State failure on: 1 | 5
pf: BAD state: TCP 66.90.108.40:7325 66.90.108.40:7325 91.120.91.178:4075 [lo=4260964132 high=4260968229 win=0 modulator=0] [lo=524210142 high=524210143 win=4096 modulator=0] 4:2 SA seq=524210141 ack=4260964133 len=0 ackskew=-1 pkts=1:1 dir=out,rev
pf: State failure on: 2 |
pf: BAD state: TCP 66.90.108.40:7325 66.90.108.40:7325 91.120.91.178:1244 [lo=2193693082 high=2193697178 win=65535 modulator=0] [lo=1850636290 high=1850701825 win=4096 modulator=0] 4:2 S seq=2280473825 ack=1850636290 len=0 ackskew=0 pkts=3:4 dir=in,fwd
pf: State failure on: 1 | 5
pf: BAD state: TCP 66.90.108.40:7325 66.90.108.40:7325 91.120.91.178:4106 [lo=2808910619 high=2808914716 win=0 modulator=0] [lo=70028163 high=70028164 win=4096 modulator=0] 4:2 SA seq=70028162 ack=2808910620 len=0 ackskew=-1 pkts=1:1 dir=out,rev
pf: State failure on: 2 |
pf: BAD state: TCP 66.90.108.40:7325 66.90.108.40:7325 91.120.91.178:4142 [lo=3849039689 high=3849043786 win=0 modulator=0] [lo=1357385265 high=1357385266 win=4096 modulator=0] 4:2 SA seq=1357385264 ack=3849039690 len=0 ackskew=-1 pkts=1:1 dir=out,rev
pf: State failure on: 2 |
pf: BAD state: TCP 66.90.108.40:7325 66.90.108.40:7325 91.120.91.178:4136 [lo=1765130854 high=1765134951 win=0 modulator=0] [lo=4245636096 high=4245636097 win=4096 modulator=0] 4:2 SA seq=4245636095 ack=1765130855 len=0 ackskew=-1 pkts=1:1 dir=out,rev
pf: State failure on: 2 |
pf: BAD state: TCP 66.90.108.40:7325 66.90.108.40:7325 91.120.91.178:4155 [lo=2253582753 high=2253586850 win=0 modulator=0] [lo=578092985 high=578092986 win=4096 modulator=0] 4:2 SA seq=578092984 ack=2253582754 len=0 ackskew=-1 pkts=1:1 dir=out,rev
pf: State failure on: 2 |
pf: BAD state: TCP 66.90.108.40:7325 66.90.108.40:7325 91.120.91.178:4165 [lo=550262320 high=550266417 win=0 modulator=0] [lo=3799579754 high=3799579755 win=4096 modulator=0] 4:2 SA seq=3799579753 ack=550262321 len=0 ackskew=-1 pkts=1:1 dir=out,rev
pf: State failure on: 2 |
pf: BAD state: TCP 66.90.108.40:7325 66.90.108.40:7325 91.120.91.178:1203 [lo=490558546 high=490562643 win=0 modulator=0] [lo=3233895008 high=3233895009 win=4096 modulator=0] 4:2 SA seq=3233895007 ack=490558547 len=0 ackskew=-1 pkts=1:1 dir=out,rev
pf: State failure on: 2 |
pf: BAD state: TCP 66.90.108.40:7325 66.90.108.40:7325 91.120.91.178:4188 [lo=1709375942 high=1709380039 win=0 modulator=0] [lo=2834491968 high=2834491969 win=4096 modulator=0] 4:2 SA seq=2834491967 ack=1709375943 len=0 ackskew=-1 pkts=1:1 dir=out,rev
pf: State failure on: 2 |
pf: BAD state: TCP 66.90.108.40:7325 66.90.108.40:7325 91.120.91.178:4178 [lo=1856654595 high=1856658692 win=0 modulator=0] [lo=1762587611 high=1762587612 win=4096 modulator=0] 4:2 SA seq=1762587610 ack=1856654596 len=0 ackskew=-1 pkts=1:1 dir=out,rev
pf: State failure on: 2 |
pf: BAD state: TCP 66.90.108.40:7325 66.90.108.40:7325 91.120.91.178:4211 [lo=438506757 high=438510854 win=0 modulator=0] [lo=3182986845 high=3182986846 win=4096 modulator=0] 4:2 SA seq=3182986844 ack=438506758 len=0 ackskew=-1 pkts=1:1 dir=out,rev
pf: State failure on: 2 |
pf: BAD state: TCP 66.90.108.40:7325 66.90.108.40:7325 91.120.91.178:4277 [lo=2147987817 high=2147991914 win=0 modulator=0] [lo=1434323249 high=1434323250 win=4096 modulator=0] 4:2 SA seq=1434323248 ack=2147987818 len=0 ackskew=-1 pkts=1:1 dir=out,rev
pf: State failure on: 2 |

Here is my pf.conf

ext_if="fxp0"
int_if="lo0"

tcp_services = "{ domain, www, 123, 5999, 7325, 7771, 59999 }"
udp_services = "{ domain, 123, 514 }"

martians = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, \
              10.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, \
              240.0.0.0/4 }"

icmp_types = "8"

table <bruteforce> persist

set timeout { interval 10, frag 30 }
set timeout { tcp.first 120, tcp.opening 30, tcp.established 86400 }
set timeout { tcp.closing 900, tcp.finwait 45, tcp.closed 90 }
set timeout { udp.first 60, udp.single 30, udp.multiple 60 }
set timeout { icmp.first 20, icmp.error 10 }
set timeout { other.first 60, other.single 30, other.multiple 60 }
set timeout { adaptive.start 0, adaptive.end 0 }
set limit { states 10000, frags 5000 }
set loginterface $ext_if
set skip on $int_if
set optimization normal
set block-policy drop
set require-order yes
set debug loud
set fingerprints "/etc/pf.os"

scrub in all
#scrub in on $ext_if all fragment reassemble min-ttl 15 max-mss 1400
#scrub in on $ext_if all no-df
#scrub on $ext_if all reassemble tcp

antispoof for $ext_if inet
antispoof for $int_if

block in log on $ext_if all
block in quick on $ext_if from any to 255.255.255.255
block drop in quick on $ext_if from $martians to any
block drop out quick on $ext_if from any to $martians
block quick log from <bruteforce>

# Pass ICMP Type 8 (echo request) only with state
pass in on $ext_if inet proto icmp all icmp-type $icmp_types keep state

pass proto udp to any port $udp_services keep state

# allow out the default range for traceroute(8):
# "base+nhops*nqueries-1" (33434+64*3-1)
pass out on $ext_if inet proto udp from any to any \
     port 33433 >< 33626 keep state

pass in on $ext_if proto tcp from any to $ext_if port $tcp_services \
     flags S/SA keep state \
     (max-src-conn 30, max-src-conn-rate 30/3, \
      overload <bruteforce> flush global)

pass out proto tcp to any flags S/SA keep state
pass out proto udp to any keep state
# End

pfctl -vvsTables

-pa-r-  bruteforce
        Addresses:   579
        Cleared:     Thu Jan  1 00:00:00 1970
        References:  [ Anchors: 0                  Rules: 219               ]
        Evaluations: [ NoMatch: 60918665           Match: 51919907          ]
        In/Block:    [ Packets: 51919907           Bytes: 2562926165        ]
        In/Pass:     [ Packets: 0                  Bytes: 0                 ]
        In/XPass:    [ Packets: 0                  Bytes: 0                 ]
        Out/Block:   [ Packets: 0                  Bytes: 0                 ]
        Out/Pass:    [ Packets: 0                  Bytes: 0                 ]
        Out/XPass:   [ Packets: 0                  Bytes: 0                 ]

tcpdump -n -e -ttt -i pflog0

tcpdump: WARNING: pflog0: no IPv4 address assigned
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on pflog0, link-type PFLOG (OpenBSD pflog file), capture size 96 bytes
000000 rule 77/0(match): block in on fxp0: 24.39.30.107.1340 > 66.90.108.40.7325: S 2502809781:2502809781(0) win 64240
000007 rule 77/0(match): block in on fxp0: 24.39.30.107.1341 > 66.90.108.40.7325: S 2502851269:2502851269(0) win 64240
000125 rule 77/0(match): block in on fxp0: 24.39.30.107.1343 > 66.90.108.40.7325: S 2502964552:2502964552(0) win 64240
000039 rule 77/0(match): block in on fxp0: 84.1.154.50.3741 > 66.90.108.40.7325: S 1022062798:1022062798(0) win 65535
000006 rule 77/0(match): block in on fxp0: 24.39.30.107.1342 > 66.90.108.40.7325: S 2502906432:2502906432(0) win 64240
000087 rule 77/0(match): block in on fxp0: 24.39.30.107.1344 > 66.90.108.40.7325: S 2503024257:2503024257(0) win 64240
000005 rule 77/0(match): block in on fxp0: 24.39.30.107.1350 > 66.90.108.40.7325: S 2503165130:2503165130(0) win 64240
000026 rule 77/0(match): block in on fxp0: 24.39.30.107.1345 > 66.90.108.40.7325: S 2503084885:2503084885(0) win 64240
000179 rule 77/0(match): block in on fxp0: 24.39.30.107.1346 > 66.90.108.40.7325: S 2503131377:2503131377(0) win 64240
000018 rule 77/0(match): block in on fxp0: 84.0.144.75.1416 > 66.90.108.40.7325: S 2025750048:2025750048(0) win 65535
000008 rule 77/0(match): block in on fxp0: 82.127.41.104.2831 > 66.90.108.40.7325: S 4128598212:4128598212(0) win 65535
000366 rule 77/0(match): block in on fxp0: 84.5.97.92.1972 > 66.90.108.40.7325: S 3823128639:3823128639(0) win 16384
000086 rule 77/0(match): block in on fxp0: 193.6.6.135.3819 > 66.90.108.40.7325: S 4260080384:4260080384(0) win 65535
000112 rule 77/0(match): block in on fxp0: 82.50.127.107.2684 > 66.90.108.40.7325: S 3307955851:3307955851(0) win 65535
003003 rule 77/0(match): block in on fxp0: 84.9.32.123.4869 > 66.90.108.40.7325: S 3742698697:3742698697(0) win 65535
000011 rule 77/0(match): block in on fxp0: 201.51.254.195.2546 > 66.90.108.40.7325: S 4092558202:4092558202(0) win 65535
000005 rule 77/0(match): block in on fxp0: 201.51.254.195.2545 > 66.90.108.40.7325: S 1627281497:1627281497(0) win 65535
150 packets captured
10780 packets received by filter
9934 packets dropped by kernel

-- 
Regards,

-Abdullah Ibn Hamad Al-Marri
Arab Portal
http://www.WeArab.Net/
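An added Python example (my own, not code from the post or from pf) that pairs each "pf: BAD state:" line with the "pf: State failure on:" line pf prints right after it and summarizes the failures per external peer, by packet direction and by which of pf's five sequence/ack window checks the digits name. Two sample pairs are quoted from the dmesg output above; the third pair, from peer 10.0.0.5, is constructed to show the grouping.

```python
import re
from collections import Counter, defaultdict

# Sample input: two BAD state / State failure pairs quoted from the post, plus one
# constructed pair from a second peer (10.0.0.5) so the per-peer grouping is visible.
SAMPLE_DMESG = """\
pf: BAD state: TCP 66.90.108.40:7325 66.90.108.40:7325 91.120.91.178:4064 [lo=2903116211 high=2903120308 win=0 modulator=0] [lo=3133254124 high=3133254125 win=4096 modulator=0] 4:2 SA seq=3133254123 ack=2903116212 len=0 ackskew=-1 pkts=1:1 dir=out,rev
pf: State failure on: 1 | 5
pf: BAD state: TCP 66.90.108.40:7325 66.90.108.40:7325 91.120.91.178:1232 [lo=1528732996 high=1528737092 win=65535 modulator=0] [lo=1110233468 high=1110299003 win=4096 modulator=0] 4:2 S seq=1615476339 ack=1110233468 len=0 ackskew=0 pkts=3:4 dir=in,fwd
pf: State failure on: 2 |
pf: BAD state: TCP 66.90.108.40:7325 66.90.108.40:7325 10.0.0.5:5555 [lo=100 high=200 win=0 modulator=0] [lo=300 high=301 win=4096 modulator=0] 4:2 SA seq=300 ack=101 len=0 ackskew=-1 pkts=1:1 dir=out,rev
pf: State failure on: 1 | 5
"""

# pf prints lan, gateway and external address:port, both sequence windows, the
# src:dst state numbers, then the offending packet's flags and counters.
BAD_STATE = re.compile(
    r"pf: BAD state: (?P<proto>\w+) (?P<lan>\S+) (?P<gwy>\S+) (?P<ext>\S+) "
    r"\[(?P<src_win>[^\]]*)\] \[(?P<dst_win>[^\]]*)\] (?P<states>\d+:\d+) "
    r"(?P<flags>\S+) seq=(?P<seq>\d+) ack=(?P<ack>\d+) len=(?P<len>\d+) "
    r"ackskew=(?P<ackskew>-?\d+) pkts=(?P<pkts>\d+:\d+) dir=(?P<dir>\S+)"
)
# The digits name the window checks that failed; blanks and '|' are filler.
FAILURE = re.compile(r"pf: State failure on: (?P<codes>.*)")

def parse_bad_states(text):
    """Pair every BAD state line with the State failure line pf prints right after it."""
    events, pending = [], None
    for line in text.splitlines():
        m = BAD_STATE.search(line)
        if m:
            pending = m.groupdict()
            continue
        f = FAILURE.search(line)
        if f and pending is not None:
            pending["codes"] = tuple(sorted(set(re.findall(r"[1-5]", f.group("codes")))))
            events.append(pending)
            pending = None
    return events

def summarize(events):
    """Per external peer: failed packets in total, by failing checks and by direction."""
    summary = defaultdict(lambda: {"total": 0, "codes": Counter(), "dir": Counter()})
    for e in events:
        peer = e["ext"].rsplit(":", 1)[0]          # drop the peer's ephemeral port
        s = summary[peer]
        s["total"] += 1
        s["codes"][e["codes"]] += 1
        s["dir"][e["dir"].split(",")[0]] += 1      # "in" or "out"
    return dict(summary)
```

Feed it the full dmesg output (or /var/log/messages) and the per-peer totals show whether the noise comes from one remote host and whether it is inbound packets or the server's own replies that are falling outside the tracked windows.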