Date: Wed, 5 Jun 2002 10:09:07 -0400
From: "Peter Brezny" <pbrezny@purplecat.net>
To: <freebsd-net@freebsd.org>
Subject: currently experiencing some kind of DOS attack? Need help!
Message-ID: <NEBBIGLHNDFEJMMIEGOOIENBFBAA.pbrezny@purplecat.net>
I think I'm experiencing some kind of DOS attack and I need some help pinpointing the bad guys, and cutting them off/reporting them. I've attached a tcpdump that was captured during the latest initial attack. They are coming at 10 minute intervals.

The system under attack is 208.133.44.46

The error I'm getting in /var/log/messages:

Jun 5 10:05:51 rack /kernel: m_clalloc failed, consider increase NMBCLUSTERS value
Jun 5 10:05:51 rack /kernel: xl0: no memory for rx list -- packet dropped!

Any help is much appreciated.

Peter Brezny
Skyrunner.net

09:56:44.778211 208.133.44.46.4181 > 64.90.1.81.25: . ack 1 win 33304 <nop,nop,timestamp 119714228 348692854> (DF)
09:56:44.778289 208.133.44.46.4204 > 216.248.13.163.25: S 583871681:583871681(0) win 65535 <mss 1460,nop,wscale 1,nop,nop,timestamp 119714228 0> (DF)
09:56:44.778363 208.133.44.46.4205 > 216.248.13.163.25: S 990811731:990811731(0) win 65535 <mss 1460,nop,wscale 1,nop,nop,timestamp 119714228 0> (DF)
09:56:44.778437 208.133.44.46.4179 > 208.44.30.252.25: . ack 1 win 33304 <nop,nop,timestamp 119714228 0> (DF)
09:56:44.778509 208.133.44.46.4195 > 12.107.51.89.25: . ack 1 win 33304 <nop,nop,timestamp 119714228 611001367> (DF)
09:56:44.778606 208.133.44.46.4135 > 209.130.32.60.25: P 51:80(29) ack 171 win 33304 <nop,nop,timestamp 119714228 9191680> (DF)
09:56:44.778685 208.133.44.46.4206 > 209.149.145.242.25: S 4218318996:4218318996(0) win 65535 <mss 1460,nop,wscale 1,nop,nop,timestamp 119714228 0> (DF)
09:56:44.778767 208.133.44.46.4207 > 12.18.94.118.25: S 4233576849:4233576849(0) win 65535 <mss 1460,nop,wscale 1,nop,nop,timestamp 119714228 0> (DF)
09:56:44.778844 208.133.44.46.4208 > 66.7.159.141.25: S 2755991554:2755991554(0) win 65535 <mss 1460,nop,wscale 1,nop,nop,timestamp 119714228 0> (DF)
09:56:44.778931 208.133.44.46.53 > 208.133.44.2.53: 15111+ A? lists.wnpt.net. (32)
09:56:44.779019 208.133.44.46.53 > 208.133.44.2.53: 29381+ A? hammer.bw.vallnet.com. (39)
09:56:44.779303 216.141.198.6.25 > 208.133.44.46.4182: S 2677924182:2677924182(0) ack 3722697590 win 8760 <mss 1460> (DF)
09:56:44.779412 208.133.44.46.4182 > 216.141.198.6.25: . ack 1 win 65535 (DF)
09:56:44.780186 209.142.136.248.25 > 208.133.44.46.4173: R 1:1(0) ack 1 win 17520 (DF)
09:56:44.782070 216.183.105.175.25 > 208.133.44.46.4184: S 970622662:970622662(0) ack 611002520 win 5792 <mss 1460,nop,nop,timestamp 814152703 119714222,nop,wscale 0> (DF)
09:56:44.782230 208.133.44.2.53 > 208.133.44.46.53: 39368 1/2/2 A 12.18.94.118 (131)
09:56:44.782304 208.133.44.46.4184 > 216.183.105.175.25: . ack 1 win 33304 <nop,nop,timestamp 119714229 814152703> (DF)
09:56:44.782681 24.165.200.11.25 > 208.133.44.46.4191: S 2693592169:2693592169(0) ack 2405761779 win 33304 <nop,nop,timestamp 53982485 119714224,nop,wscale 1,mss 1460> (DF)
09:56:44.782759 208.133.44.46.4209 > 12.18.94.118.25: S 1124694907:1124694907(0) win 65535 <mss 1460,nop,wscale 1,nop,nop,timestamp 119714229 0> (DF)
09:56:44.782841 208.133.44.46.4191 > 24.165.200.11.25: . ack 1 win 33304 <nop,nop,timestamp 119714229 53982485> (DF)
09:56:44.783407 208.133.44.2.53 > 208.133.44.46.53: 20554 1/2/2 A 63.85.209.13 (119)
09:56:44.783735 208.0.133.2.25 > 208.133.44.46.4156: P 94:226(132) ack 26 win 8735 (DF)
09:56:44.783820 208.133.44.46.4210 > 63.85.209.13.25: S 2351909802:2351909802(0) win 65535 <mss 1460,nop,wscale 1,nop,nop,timestamp 119714229 0> (DF)
09:56:44.783973 208.133.44.46.4156 > 208.0.133.2.25: P 26:55(29) ack 226 win 65535 (DF)
09:56:44.784436 216.141.198.5.25 > 208.133.44.46.4189: S 3128014607:3128014607(0) ack 3231361719 win 8760 <mss 1460> (DF)
09:56:44.784528 64.90.1.81.25 > 208.133.44.46.4192: S 1792359129:1792359129(0) ack 122564349 win 10136 <nop,nop,timestamp 348692855 119714224,nop,wscale 0,mss 1460> (DF)
09:56:44.784592 208.133.44.46.4189 > 216.141.198.5.25: . ack 1 win 65535 (DF)
09:56:44.784663 208.133.44.46.4192 > 64.90.1.81.25: . ack 1 win 33304 <nop,nop,timestamp 119714229 348692855> (DF)
09:56:44.785415 208.133.44.2.53 > 208.133.44.46.53: 10424* 1/3/4 MX[|domain]
09:56:44.786007 208.133.44.46.53 > 208.133.44.2.53: 9865+ A? mail.milanmirrorexchange.com. (46)
09:56:44.786890 208.133.44.2.53 > 208.133.44.46.53: 10699 1/3/4 A 63.238.52.32 (175)
09:56:44.787268 64.12.137.121.25 > 208.133.44.46.4141: P 383:391(8) ack 55 win 33304 <nop,nop,timestamp 243325248 119714225> (DF)
09:56:44.787376 208.133.44.46.4211 > 63.238.52.89.25: S 822989022:822989022(0) win 65535 <mss 1460,nop,wscale 1,nop,nop,timestamp 119714229 0> (DF)
09:56:44.787529 208.133.44.46.4141 > 64.12.137.121.25: P 55:83(28) ack 391 win 33304 <nop,nop,timestamp 119714230 243325248> (DF)
09:56:44.787615 64.12.136.121.25 > 208.133.44.46.4134: . ack 8974 win 32768 <nop,nop,timestamp 1156210109 119714225>
09:56:44.787689 216.141.198.7.25 > 208.133.44.46.4183: S 2740973361:2740973361(0) ack 3477352929 win 8760 <mss 1460> (DF)
09:56:44.787917 208.133.44.2.53 > 208.133.44.46.53: 32840 1/2/2 A 216.248.18.11 (116)
09:56:44.788420 208.133.44.46.4134 > 64.12.136.121.25: . 12642:13166(524) ack 455 win 33012 <nop,nop,timestamp 119714230 1156210109> (DF)
09:56:44.788914 208.133.44.46.4134 > 64.12.136.121.25: . 13166:13690(524) ack 455 win 33012 <nop,nop,timestamp 119714230 1156210109> (DF)
09:56:44.789469 208.133.44.46.4134 > 64.12.136.121.25: . 13690:14214(524) ack 455 win 33012 <nop,nop,timestamp 119714230 1156210109> (DF)
09:56:44.790024 208.133.44.46.4134 > 64.12.136.121.25: . 14214:14738(524) ack 455 win 33012 <nop,nop,timestamp 119714230 1156210109> (DF)
09:56:44.790577 208.133.44.46.4134 > 64.12.136.121.25: . 14738:15262(524) ack 455 win 33012 <nop,nop,timestamp 119714230 1156210109> (DF)
09:56:44.790706 208.133.44.46.4183 > 216.141.198.7.25: . ack 1 win 65535 (DF)
09:56:44.790936 208.133.44.2.53 > 208.133.44.46.53: 65451 1/2/2 A 216.248.18.12 (116)
09:56:44.791024 208.44.30.252.25 > 208.133.44.46.4188: S 1467598258:1467598258(0) ack 1322705327 win 17520 <mss 1460,nop,wscale 0,nop,nop,timestamp 0 0> (DF)
09:56:44.791266 208.133.44.2.53 > 208.133.44.46.53: 30931 1/5/5 A[|domain]
09:56:44.791527 208.133.44.46.4188 > 208.44.30.252.25: . ack 1 win 33304 <nop,nop,timestamp 119714230 0> (DF)
09:56:44.792030 208.44.30.252.25 > 208.133.44.46.4190: S 2949454116:2949454116(0) ack 2714795533 win 17520 <mss 1460,nop,wscale 0,nop,nop,timestamp 0 0> (DF)
09:56:44.792102 216.53.195.54.25 > 208.133.44.46.4200: S 414963656:414963656(0) ack 1200813988 win 24616 <nop,nop,timestamp 248050614 119714226,nop,wscale 0,mss 1460> (DF)
09:56:44.792208 64.12.137.184.25 > 208.133.44.46.4144: . ack 26 win 33304 <nop,nop,timestamp 187499960 119714225> (DF)
09:56:44.792296 208.133.44.46.4190 > 208.44.30.252.25: . ack 1 win 33304 <nop,nop,timestamp 119714230 0> (DF)
09:56:44.792399 208.133.44.46.4200 > 216.53.195.54.25: . ack 1 win 33304 <nop,nop,timestamp 119714230 248050614> (DF)
09:56:44.792540 64.12.136.121.25 > 208.133.44.46.4134: . ack 10022 win 32768 <nop,nop,timestamp 1156210109 119714225>
09:56:44.792614 64.12.136.121.25 > 208.133.44.46.4134: . ack 10022 win 32768 <nop,nop,timestamp 1156210109 119714225>
09:56:44.793129 208.133.44.46.4134 > 64.12.136.121.25: . 15262:15786(524) ack 455 win 33012 <nop,nop,timestamp 119714230 1156210109> (DF)
09:56:44.793680 208.133.44.46.4134 > 64.12.136.121.25: . 15786:16310(524) ack 455 win 33012 <nop,nop,timestamp 119714230 1156210109> (DF)
09:56:44.794369 208.133.44.46.4134 > 64.12.136.121.25: . 16310:16834(524) ack 455 win 33012 <nop,nop,timestamp 119714230 1156210109> (DF)
09:56:44.794513 208.133.44.46.53 > 208.133.44.2.53: 49539+ A? mx2.mail.twtelecom.net. (40)
09:56:44.795064 64.12.137.184.25 > 208.133.44.46.4144: P 329:383(54) ack 26 win 33304 <nop,nop,timestamp 187499961 119714225> (DF)
09:56:44.795225 208.133.44.2.53 > 208.133.44.46.53: 23829* 1/2/2 MX[|domain]
09:56:44.795304 205.152.58.3.25 > 208.133.44.46.4158: . ack 55 win 10136 <nop,nop,timestamp 124110683 119714219> (DF)
09:56:44.795376 64.12.136.121.25 > 208.133.44.46.4134: . ack 12118 win 32768 <nop,nop,timestamp 1156210110 119714225>
09:56:44.795924 208.133.44.46.4134 > 64.12.136.121.25: . 16834:17358(524) ack 455 win 33012 <nop,nop,timestamp 119714230 1156210110> (DF)
09:56:44.796419 208.133.44.46.4134 > 64.12.136.121.25: . 17358:17882(524) ack 455 win 33012 <nop,nop,timestamp 119714230 1156210110> (DF)
09:56:44.796918 208.133.44.46.4134 > 64.12.136.121.25: . 17882:18406(524) ack 455 win 33012 <nop,nop,timestamp 119714230 1156210110> (DF)
09:56:44.797408 208.133.44.46.4134 > 64.12.136.121.25: . 18406:18930(524) ack 455 win 33012 <nop,nop,timestamp 119714230 1156210110> (DF)
09:56:44.797895 208.133.44.46.4134 > 64.12.136.121.25: . 18930:19454(524) ack 455 win 33012 <nop,nop,timestamp 119714230 1156210110> (DF)
09:56:44.797994 208.133.44.46.4144 > 64.12.137.184.25: P 26:55(29) ack 383 win 33304 <nop,nop,timestamp 119714230 187499961> (DF)
09:56:44.798158 208.133.44.46.53 > 208.133.44.2.53: 54617+ A? lucy.multipro.com. (35)
09:56:44.798233 205.152.58.132.25 > 208.133.44.46.4152: . ack 55 win 10136 <nop,nop,timestamp 124078565 119714219> (DF)
09:56:44.798307 64.12.136.121.25 > 208.133.44.46.4134: . ack 10546 win 32768 <nop,nop,timestamp 1156210110 119714225>
09:56:44.798426 206.102.201.11.25 > 208.133.44.46.4199: S 31341815:31341815(0) ack 329832920 win 8760 <mss 1460> (DF)
09:56:44.798559 208.133.44.46.4199 > 206.102.201.11.25: . ack 1 win 65535 (DF)
09:56:44.799241 208.133.44.3.53 > 208.133.44.46.53: 15267* 1/3/3 (191)
09:56:44.800389 208.133.44.3.53 > 208.133.44.46.53: 64791* 1/3/3 (194)
09:56:44.801324 208.133.44.46.4212 > 64.75.1.251.25: S 728130978:728130978(0) win 65535 <mss 1460,nop,wscale 1,nop,nop,timestamp 119714231 0> (DF)
09:56:44.803151 209.130.32.61.25 > 208.133.44.46.4136: . ack 51 win 49152 <nop,nop,timestamp 7067072 119714221> (DF)
09:56:44.803364 209.130.32.61.25 > 208.133.44.46.4136: P 82:173(91) ack 51 win 49152 <nop,nop,timestamp 7067072 119714221> (DF)
09:56:44.803482 152.163.224.26.25 > 208.133.44.46.4143: P 329:383(54) ack 26 win 32768 <nop,nop,timestamp 1156952985 119714223>
09:56:44.803601 208.133.44.46.4136 > 209.130.32.61.25: P 51:80(29) ack 173 win 33304 <nop,nop,timestamp 119714231 7067072> (DF)
09:56:44.803695 208.133.44.46.4143 > 152.163.224.26.25: P 26:55(29) ack 383 win 33012 <nop,nop,timestamp 119714231 1156952985> (DF)
09:56:44.804003 12.153.11.240.25 > 208.133.44.46.4177: P 81:121(40) ack 26 win 16535 <nop,nop,timestamp 41316743 119714228> (DF)
09:56:44.804192 208.133.44.46.4177 > 12.153.11.240.25: P 26:51(25) ack 121 win 32832 <nop,nop,timestamp 119714231 41316743> (DF)
09:56:44.804430 63.93.245.3.25 > 208.133.44.46.4198: S 143862244:143862244(0) ack 3178198484 win 16352 <mss 1460>
09:56:44.804611 208.133.44.46.4198 > 63.93.245.3.25: . ack 1 win 65535 (DF)
09:56:44.804743 208.27.252.10.25 > 208.133.44.46.4176: P 118:188(70) ack 26 win 17495 <nop,nop,timestamp 7714269 119714228> (DF)
09:56:44.804851 205.152.58.1.25 > 208.133.44.46.4157: . ack 55 win 10136 <nop,nop,timestamp 124173080 119714220> (DF)
09:56:44.806461 149.48.46.26.25 > 208.133.44.46.4140: P 281:322(41) ack 92 win 64296 <nop,nop,timestamp 230419760 119714227> (DF)
09:56:44.806696 208.133.44.46.4140 > 149.48.46.26.25: P 92:98(6) ack 322 win 32832 <nop,nop,timestamp 119714231 230419760> (DF)
09:56:44.807059 208.0.133.2.25 > 208.133.44.46.4175: P 1:94(93) ack 1 win 8760 (DF)
09:56:44.807192 203.176.60.186.25 > 208.133.44.46.4166: P 1:77(76) ack 1 win 24616 <nop,nop,timestamp 396223055 119714218> (DF)
09:56:44.807284 208.133.44.46.4175 > 208.0.133.2.25: P 1:26(25) ack 94 win 65535 (DF)
09:56:44.807413 208.133.44.46.4166 > 203.176.60.186.25: P 1:26(25) ack 77 win 33304 <nop,nop,timestamp 119714232 396223055> (DF)
09:56:44.807622 208.45.133.107.25 > 208.133.44.46.4180: P 1:68(67) ack 1 win 5840 (DF)
09:56:44.807809 208.133.44.46.4180 > 208.45.133.107.25: P 1:26(25) ack 68 win 65535 (DF)
09:56:44.808143 208.133.44.46.53 > 208.133.44.2.53: 4340+ ANY? care-communications.com. (41)
09:56:44.809188 204.78.60.100.25 > 208.133.44.46.4150: P 101:131(30) ack 26 win 17495 <nop,nop,timestamp 35058036 119714225> (DF)
09:56:44.809257 216.145.68.3.25 > 208.133.44.46.4174: S 809889280:809889280(0) ack 2587056518 win 17520 <mss 1460,wscale 0,eol> (DF)
09:56:44.809360 207.69.235.6.25 > 208.133.44.46.4138: P 104:133(29) ack 26 win 16535 <nop,nop,timest^C
30245 packets received by filter
4276 packets dropped by kernel

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
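An added triage aid, not part of the original message or its replies: a small Python parser for tcpdump summary lines in the one-line format pasted above. When a host is starved of mbuf clusters, the first question is who is opening the sessions, so the script tallies bare SYNs (connection initiations) by direction and destination port, SYN/ACKs and RSTs coming back, and the names the host looks up, and reports whether the local address or remote peers are the initiators. The sample lines are constructed in the shape of the capture; the script assumes the tcpdump 3.x text layout and IPv4 only, and the local address on the command line defaults to the one named in the post.

```python
import re
import sys
from collections import Counter

# Constructed sample lines in the tcpdump 3.x one-line format used in the
# post (shaped like the capture, not the capture itself).
SAMPLE = """\
09:56:44.778289 208.133.44.46.4204 > 216.248.13.163.25: S 583871681:583871681(0) win 65535 <mss 1460,nop,wscale 1,nop,nop,timestamp 119714228 0> (DF)
09:56:44.778437 208.133.44.46.4179 > 208.44.30.252.25: . ack 1 win 33304 <nop,nop,timestamp 119714228 0> (DF)
09:56:44.778931 208.133.44.46.53 > 208.133.44.2.53: 15111+ A? lists.wnpt.net. (32)
09:56:44.779303 216.141.198.6.25 > 208.133.44.46.4182: S 2677924182:2677924182(0) ack 3722697590 win 8760 <mss 1460> (DF)
09:56:44.780186 209.142.136.248.25 > 208.133.44.46.4173: R 1:1(0) ack 1 win 17520 (DF)
09:56:44.782230 208.133.44.2.53 > 208.133.44.46.53: 39368 1/2/2 A 12.18.94.118 (131)
09:56:44.788420 208.133.44.46.4134 > 64.12.136.121.25: . 12642:13166(524) ack 455 win 33012 <nop,nop,timestamp 119714230 1156210109> (DF)
30245 packets received by filter
4276 packets dropped by kernel
"""

# "HH:MM:SS.usec src.sport > dst.dport: rest" (IPv4 only, as in the post).
PKT_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): (?P<rest>.*)$"
)
TCP_FLAGS_RE = re.compile(r"^[SPRF.]+$")          # tcpdump 3.x flag field
DNS_QUERY_RE = re.compile(r"\b(?:A|AAAA|ANY|MX|PTR)\? (\S+)")


def parse_packet(line):
    """Parse one summary line. Returns None for non-packet lines such as
    the 'packets received by filter' trailer or a stray ^C."""
    m = PKT_RE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest")
    first = rest.split(" ", 1)[0]
    sport, dport = int(m.group("sport")), int(m.group("dport"))
    is_tcp = bool(TCP_FLAGS_RE.match(first))
    proto = "tcp" if is_tcp else "dns" if 53 in (sport, dport) else "other"
    q = DNS_QUERY_RE.search(rest) if proto == "dns" else None
    return {
        "ts": m.group("ts"),
        "src": m.group("src"), "sport": sport,
        "dst": m.group("dst"), "dport": dport,
        "proto": proto,
        "flags": first if is_tcp else "",
        "has_ack": " ack " in rest,      # distinguishes SYN from SYN/ACK
        "query": q.group(1) if q else None,
    }


def summarize(text, local):
    """Tally connection initiations relative to `local` (the host under
    investigation) and return the counts as a plain dict."""
    c = Counter()
    syn_out_by_dport, syn_in_by_dport = Counter(), Counter()
    syn_out_peers, dns_queries = set(), []
    packets = 0
    for line in text.splitlines():
        p = parse_packet(line)
        if p is None:
            continue
        packets += 1
        direction = "out" if p["src"] == local else "in" if p["dst"] == local else "other"
        if p["proto"] == "tcp":
            if "S" in p["flags"] and not p["has_ack"]:     # bare SYN: who initiates
                c["syn_" + direction] += 1
                if direction == "out":
                    syn_out_by_dport[p["dport"]] += 1
                    syn_out_peers.add(p["dst"])
                elif direction == "in":
                    syn_in_by_dport[p["dport"]] += 1
            elif "S" in p["flags"]:                          # SYN/ACK: peer accepted
                c["synack_" + direction] += 1
            elif "R" in p["flags"]:                          # RST: peer refused or tore down
                c["rst_" + direction] += 1
        elif p["query"]:
            dns_queries.append(p["query"])
    if c["syn_out"] == c["syn_in"]:
        initiator = "none" if c["syn_out"] == 0 else "mixed"
    else:
        initiator = "local" if c["syn_out"] > c["syn_in"] else "remote"
    return {
        "packets": packets,
        "syn_out": c["syn_out"], "syn_in": c["syn_in"],
        "synack_in": c["synack_in"], "rst_in": c["rst_in"],
        "syn_out_by_dport": dict(syn_out_by_dport),
        "syn_in_by_dport": dict(syn_in_by_dport),
        "syn_out_peers": sorted(syn_out_peers),
        "dns_queries": dns_queries,
        "initiator": initiator,
    }


if __name__ == "__main__":
    # Usage: tcpdump -n ... | python3 triage.py 208.133.44.46
    host = sys.argv[1] if len(sys.argv) > 1 else "208.133.44.46"
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE
    for key, value in summarize(data, host).items():
        print(f"{key:18} {value}")
```

Feed it the real capture on stdin (tcpdump -n keeps the addresses numeric so the regex matches) and read the "initiator" and "syn_out_by_dport" lines first: a flood aimed at the host shows up as syn_in from many peers, while a host that is itself opening hundreds of port-25 sessions shows up as syn_out to many peers, and the two call for different fixes (filtering at the border versus looking at the local mail queue and NMBCLUSTERS).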