From owner-freebsd-security Tue Oct 16 22:55:29 2001
Message-ID: <3BCD1DFB.2030103@emre.de>
Date: Wed, 17 Oct 2001 07:58:19 +0200
From: Emre Bastuz
To: freebsd-security@freebsd.org
Subject: DoS ? Limiting closed port RST response ?

Hi,

just this morning I have noticed the following messages in my /var/log/messages that somehow make me nervous:

Oct 16 20:55:53 MyHost inetd[5492]: warning: can't get client address: Connection reset by peer
Oct 16 20:55:53 MyHost inetd[5493]: warning: can't get client address: Connection reset by peer
Oct 16 20:55:53 MyHost inetd[5493]: refused connection from unknown, service imapd (tcp)
Oct 16 20:55:53 MyHost inetd[5493]: refused connection from unknown, service imapd (tcp)
Oct 16 20:55:53 MyHost inetd[5492]: refused connection from unknown, service teapop (tcp)
Oct 16 20:55:53 MyHost inetd[5492]: refused connection from unknown, service teapop (tcp)
Oct 16 20:55:54 MyHost /kernel: Limiting closed port RST response from 371 to 200 packets per second
Oct 16 20:55:54 MyHost inetd[5494]: warning: can't get client address: Connection reset by peer
Oct 16 20:55:54 MyHost inetd[5494]: refused connection from unknown, service ftpd (tcp)
Oct 16 20:55:54 MyHost inetd[5494]: refused connection from unknown, service ftpd (tcp)
Oct 16 20:55:54 MyHost mysqld[375]: warning: can't get client address: Connection reset by peer
Oct 16 20:55:54 MyHost mysqld[375]: warning: can't get client address: Connection reset by peer
Oct 16 20:55:54 MyHost mysqld[375]: refused connect from unknown
Oct 16 20:55:54 MyHost mysqld[375]: refused connect from unknown
Oct 16 20:56:24 MyHost /kernel: Limiting closed port RST response from 480 to 200 packets per second
[... goes on like this for a *lot* of lines ...]

These messages are repeated several times. It seems that somebody is trying to contact a certain service twice and then causing the "RST" messages, then again trying another service twice, etc.

I've checked some websites and found out that the RST messages can be caused by portscans, which would make sense somehow. What I don't get is, why can't I see any IP addresses as source of the portscans? Even if this is some kind of DoS attack thing where the source IP is spoofed (the victim's IP), I should see it in the log, right?

My system is a FreeBSD 4.3-RELEASE running Snort Version 1.8.1-RELEASE (Build 74). In case this was an attack, I'm wondering why Snort did not detect it.

Anyway, any help finding out what's going on with my box will be appreciated.

Regards,

Emre

--
Emre Bastuz
info@emre.de
http://www.emre.de
UIN: 561260
PGP Key ID: 0xEA0E2CA1
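A small log parser, added here as an example and not part of the original post, that pulls the three signals out of lines like the ones quoted above: refused connections per service, how many of them came from an unresolvable ("unknown") peer, and the kernel's RST rate-limit events with the observed and capped rates. The sample lines are constructed from those in the post; the regexes assume the standard syslog prefix shown there.

```python
import re
from collections import Counter

# Constructed sample modelled on the lines quoted in the post.
SAMPLE_LOG = """\
Oct 16 20:55:53 MyHost inetd[5493]: warning: can't get client address: Connection reset by peer
Oct 16 20:55:53 MyHost inetd[5493]: refused connection from unknown, service imapd (tcp)
Oct 16 20:55:53 MyHost inetd[5493]: refused connection from unknown, service imapd (tcp)
Oct 16 20:55:53 MyHost inetd[5492]: refused connection from unknown, service teapop (tcp)
Oct 16 20:55:54 MyHost /kernel: Limiting closed port RST response from 371 to 200 packets per second
Oct 16 20:55:54 MyHost inetd[5494]: refused connection from unknown, service ftpd (tcp)
Oct 16 20:55:54 MyHost mysqld[375]: refused connect from unknown
Oct 16 20:56:24 MyHost /kernel: Limiting closed port RST response from 480 to 200 packets per second
"""

# "Mon DD HH:MM:SS host prog[pid]: message" (the pid part is absent for /kernel).
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<prog>[^:\[]+)(?:\[\d+\])?: (?P<msg>.*)$"
)
RST_RE = re.compile(r"Limiting closed port RST response from (?P<seen>\d+) to (?P<cap>\d+) packets per second")
# inetd says "refused connection from X, service Y (proto)"; mysqld just "refused connect from X".
REFUSED_RE = re.compile(r"refused connect(?:ion)? from (?P<src>\S+?)(?:, service (?P<svc>\S+) \((?P<proto>\w+)\))?$")


def summarize(log_text):
    """Count refusals per service, refusals with an unresolvable peer, and kernel RST limit events."""
    refused = Counter()
    unknown_source = 0
    rst_events = []  # (timestamp, RSTs the kernel wanted to send, cap it enforced)
    for line in log_text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        prog, msg = m["prog"], m["msg"]
        r = RST_RE.search(msg)
        if r:
            rst_events.append((m["ts"], int(r["seen"]), int(r["cap"])))
            continue
        f = REFUSED_RE.search(msg)
        if f:
            refused[f["svc"] or prog] += 1  # mysqld lines carry no service name, so key by program
            if f["src"] == "unknown":
                unknown_source += 1
    return {"refused_per_service": dict(refused), "unknown_source": unknown_source, "rst_events": rst_events}
```

Every refusal in the sample comes from "unknown", which is the point of the post: the daemon could not obtain a peer address because the connection was reset before the accept completed, so the source never reaches the log.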