From owner-freebsd-security Sat Apr 14 8: 3:30 2001
Delivered-To: freebsd-security@freebsd.org
Received: from sgi04-e.std.com (sgi04-e.std.com [199.172.62.134]) by hub.freebsd.org (Postfix) with ESMTP id 575D037B506 for ; Sat, 14 Apr 2001 08:03:27 -0700 (PDT) (envelope-from lowell@world.std.com)
Received: from world.std.com (world-f.std.com [199.172.62.5]) by sgi04-e.std.com (8.9.3/8.9.3) with ESMTP id LAA2086900; Sat, 14 Apr 2001 11:03:25 -0400 (EDT)
Received: (from lowell@localhost) by world.std.com (8.9.3/8.9.3) id LAA11109; Sat, 14 Apr 2001 11:03:25 -0400 (EDT)
To: freebsd-security@freebsd.org, mike@coloradosurf.com
Subject: Re: a couple boxes getting hammered with ip frags
References: <20010413090451.A46082@coloradosurf.com>
From: Lowell Gilbert
Date: 14 Apr 2001 11:03:24 -0400
In-Reply-To: mike@coloradosurf.com's message of "13 Apr 2001 17:11:07 +0200"
Message-ID:
Lines: 35
X-Mailer: Gnus v5.7/Emacs 20.5
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

mike@coloradosurf.com (mike) writes:

> Sorry for posting yet another item on ipfw -1 (especially to Crist),
> but...
>
> I have two web production boxes that were hammered yesterday (from
> about 9:30 am to 12:30 pm) with (what I assumed to be) ip frags (a
> very long list of
> "/kernel: ipfw: -1 Refuse TCP e.f.g.h:54661 a.b.c.d:80 in via rl0").
>
> They were coming from many different ips. A brief search did not show
> any consistency in the ips that were hitting the two machines. I am
> therefore assuming (danger danger) that it was more likely a
> network issue that may have been causing the fragments and not some
> type of DoS or attempt to 'circumvent' the firewall.
>
> And, since I'm not so sure, I was hoping someone might be able to
> shed a little more light on this one.

No, I'm afraid that these fragments definitely constitute some sort of
attack. That '-1' rule is for a type of packet that has *no* useful
purpose, and it's highly unlikely that a network problem would cause
packets fragmented in that way. The fact that the IP addresses were
highly varied just implies that they were spoofed anyway; you could
always check by seeing who *does* own them, and trying to determine if
there are even machines at all of those addresses.

That said, it's unlikely that this is a particularly serious problem
that you need to fix. These packets are being blocked, and even if they
weren't, they'd be rejected by the web servers anyway (because the first
packet wouldn't ever arrive). If it's a DoS problem, then the type of
packet doesn't matter, because the damage has been done before the
traffic ever gets to a node under your control.

Good luck.
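The reply above suggests two checks on a log like Mike's: how many hits the kernel's "-1 Refuse" message produced, and how varied the source addresses were (high variety pointing to spoofing rather than one misbehaving path). The following script is an added example, not code from the thread or from FreeBSD; it parses syslog lines in the exact message format quoted in the thread and summarizes rule -1 refusals per destination. The host name, addresses, timestamps and the syslog prefix in SAMPLE_LOG are constructed for the example, and the field names (rule, action, proto, src, dst, iface) are the example's own labels.

```python
import re
from collections import Counter, defaultdict

# Constructed sample log. The message text follows the form quoted in the
# thread ("/kernel: ipfw: -1 Refuse TCP src:port dst:port in via rl0");
# the syslog prefix, host name, addresses and times are made up here.
SAMPLE_LOG = """\
Apr 13 09:31:02 web1 /kernel: ipfw: -1 Refuse TCP 198.51.100.7:54661 192.0.2.10:80 in via rl0
Apr 13 09:31:02 web1 /kernel: ipfw: -1 Refuse TCP 203.0.113.44:1027 192.0.2.10:80 in via rl0
Apr 13 09:31:03 web1 /kernel: ipfw: -1 Refuse TCP 198.51.100.91:3301 192.0.2.10:80 in via rl0
Apr 13 09:31:03 web1 /kernel: ipfw: 100 Accept TCP 203.0.113.5:40100 192.0.2.10:80 in via rl0
Apr 13 09:31:04 web1 /kernel: ipfw: -1 Refuse TCP 203.0.113.8:2200 192.0.2.10:80 in via rl0
Apr 13 09:31:05 web1 /kernel: ipfw: -1 Refuse TCP 198.51.100.7:54662 192.0.2.10:80 in via rl0
Apr 13 09:31:05 web1 /kernel: ipfw: 200 Deny UDP 203.0.113.9:53 192.0.2.10:1234 in via rl0
"""

# One ipfw log line: syslog timestamp, host, then the kernel message.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) /kernel: ipfw: "
    r"(?P<rule>-?\d+) (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<dir>in|out) via (?P<iface>\S+)$"
)


def parse_ipfw_lines(text):
    """Yield one dict per ipfw log line; lines that do not match are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["rule"] = int(rec["rule"])
            rec["sport"] = int(rec["sport"])
            rec["dport"] = int(rec["dport"])
            yield rec


def summarize_refused(text, rule=-1):
    """Summarize hits on one ipfw rule number (default: the kernel's -1 refusals).

    Returns, per destination (ip, port): total hits, number of distinct
    source addresses, their ratio, and the busiest minute. A ratio near 1.0
    means almost every packet carried a different source address, the
    pattern the reply attributes to spoofing rather than to a network fault.
    """
    totals = Counter()
    sources = defaultdict(set)
    per_minute = defaultdict(Counter)
    for rec in parse_ipfw_lines(text):
        if rec["rule"] != rule:
            continue
        key = (rec["dst"], rec["dport"])
        totals[key] += 1
        sources[key].add(rec["src"])
        per_minute[key][rec["ts"][:-3]] += 1  # drop ":ss" to bucket by minute
    report = {}
    for key, n in totals.items():
        distinct = len(sources[key])
        peak_minute, peak = per_minute[key].most_common(1)[0]
        report[key] = {
            "total": n,
            "distinct_sources": distinct,
            "diversity": round(distinct / n, 2),
            "peak_minute": peak_minute,
            "peak_per_minute": peak,
        }
    return report


if __name__ == "__main__":
    for (dst, port), r in summarize_refused(SAMPLE_LOG).items():
        note = "source diversity high; consistent with spoofing" if r["diversity"] >= 0.8 else ""
        print(f"{dst}:{port} refused={r['total']} distinct_src={r['distinct_sources']} "
              f"diversity={r['diversity']} peak={r['peak_per_minute']}/min "
              f"at {r['peak_minute']} {note}")
```

Feed it the real log with `summarize_refused(open('/var/log/messages').read())`; the peak-per-minute figure is the number to compare against the link and server capacity when deciding whether, as the reply puts it, the damage is being done upstream of anything under your control.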