From owner-freebsd-pf@FreeBSD.ORG Thu Aug 7 18:00:56 2008
Date: Thu, 7 Aug 2008 14:00:54 -0400
From: Tom Huppi
To: freebsd-pf@freebsd.org
Message-ID: <20080807180054.GE10818@huppi.com>
References: <20080807101825.GC10818@huppi.com> <20080807173225.GA17926@verio.net>
In-Reply-To: <20080807173225.GA17926@verio.net>
Subject: Re: syn flood, tcpdump readings
List-Id: "Technical discussion and general questions about packet filter (pf)"

On 12:32 Thu 07 Aug , David DeSimone wrote:
> Tom Huppi wrote:
> >
> > Anyway, I am getting what I believe to be syn floods
> > periodically. They dwarf my production traffic and sometimes
> > get close to producing as much bandwidth as we are paying for. A
> > representative sample looks like so when viewed with tcpdump on
> > my outward interface ('em1'):
> >
> > 21:36:53.870312 IP 125.21.176.19.x11 > 74.123.192.195.domain: S 27394048:27394048(0) win 16384
> > 21:36:53.870319 IP 125.21.176.19.x11 > 74.123.192.204.domain: S 1793916928:1793916928(0) win 16384
>
> Since you went to the trouble of obscuring the source IP, I presume that
> the source IP is your IP. So, these look like responses, i.e. outbound
> traffic, not inbound, since they are sourced from your IP. You can use
> tcpdump's -e flag to be sure who is sending and who is receiving.

I obscured my own IP range, which is the 74.nnn.nnn. one, and it is a /24.
Interestingly, most of the IPs on my side are ones where I have no host.
The reason why is that I figured that if I myself were a semi-sophisticated
cracker, I would look for targets of opportunity on the various mailing
lists, where one could identify both networks administered by
newbie/part-time personnel and, often, a fair amount about the
configuration of said :)

The IP '125.21.176.19' is exactly as it appeared on my tcpdump. It shows
as a telecom company in India in this case... usually it's some network
company or another in China.

My network looks like so:

                               -------------
                              |             | em0  <---> internal range
    Network Provider <----> em1| pf firewall |
       (Internap)             |             | bce1 <---> dmz range
                               -------------

I took the tcpdump output to indicate that SYN packets showing an Indian
origin were showing up addressed to (mainly non-existent) IP addresses
within my /24 network.

I'll look at 'tcpdump -e'. Thanks for the hint!

 - Tom

> --
> David DeSimone == Network Admin == fox@verio.net
>   "I don't like spinach, and I'm glad I don't, because if I
>    liked it I'd eat it, and I just hate it." -- Clarence Darrow
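As an added example that is not part of the thread, the following script applies David's direction check to tcpdump lines and then flags the pattern Tom describes: inbound SYNs aimed at local addresses that have no host behind them. The first two sample lines are the ones Tom posted; the remaining lines, the set of live hosts, the em1 MAC address and the exact layout of `tcpdump -e` output are constructed assumptions.

```python
import ipaddress
import re
from collections import Counter

# IPv4 "src.port > dst.port: S" part of a tcpdump line (works with or without
# the link-layer header that `tcpdump -e` prepends)
SYN_RE = re.compile(r"(?P<src>\d+\.\d+\.\d+\.\d+)\.\S+ > (?P<dst>\d+\.\d+\.\d+\.\d+)\.\S+: S ")
# "timestamp srcmac > dstmac," as printed by `tcpdump -e` (format assumed, not from the thread)
MAC_RE = re.compile(r"^\S+ (?P<smac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) > (?:[0-9a-f]{2}:){5}[0-9a-f]{2},")

LOCAL_NET = ipaddress.ip_network("74.123.192.0/24")  # the /24 visible in the thread
LIVE_HOSTS = {"74.123.192.10", "74.123.192.25"}      # constructed: local addresses with a host
EM1_MAC = "00:1a:2b:3c:4d:5e"                         # constructed: MAC address of em1

def classify(line):
    """Return (direction, src, dst, dark) for a SYN line, else None.
    'dark' marks an inbound SYN aimed at a local address with no host behind it."""
    m = SYN_RE.search(line)
    if not m:
        return None
    src, dst = m["src"], m["dst"]
    mm = MAC_RE.match(line)
    if mm:  # with -e, the frame's source MAC settles direction even if the IP is spoofed
        direction = "outbound" if mm["smac"].lower() == EM1_MAC else "inbound"
    else:
        direction = "outbound" if ipaddress.ip_address(src) in LOCAL_NET else "inbound"
    dark = (direction == "inbound" and ipaddress.ip_address(dst) in LOCAL_NET
            and dst not in LIVE_HOSTS)
    return direction, src, dst, dark

def summarize(lines):
    """Per remote source: inbound SYN count and how many hit addresses with no host."""
    total, dark = Counter(), Counter()
    for line in lines:
        c = classify(line)
        if c and c[0] == "inbound":
            total[c[1]] += 1
            dark[c[1]] += c[3]
    return total, dark

# First two lines are the ones posted in the thread; the rest are constructed.
SAMPLE_LINES = [
    "21:36:53.870312 IP 125.21.176.19.x11 > 74.123.192.195.domain: S 27394048:27394048(0) win 16384",
    "21:36:53.870319 IP 125.21.176.19.x11 > 74.123.192.204.domain: S 1793916928:1793916928(0) win 16384",
    "21:36:53.870325 00:aa:bb:cc:dd:ee > 00:1a:2b:3c:4d:5e, ethertype IPv4 (0x0800), length 60: "
    "125.21.176.19.x11 > 74.123.192.10.domain: S 5:5(0) win 16384",
    "21:36:54.000001 IP 74.123.192.10.54321 > 198.51.100.7.domain: S 1:1(0) win 65535",
    "21:36:54.000002 IP 74.123.192.10.54321 > 198.51.100.7.domain: . ack 1 win 65535",
]
```

A source that sends many SYNs and mostly hits addresses with no host is the signature of the blind sweep Tom suspects, whereas a source whose SYNs all land on live hosts looks like ordinary (if heavy) client traffic.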