From owner-freebsd-security Wed Jun 5 7: 9:29 2002 Delivered-To: freebsd-security@freebsd.org Received: from rack.purplecat.net (rack.purplecat.net [208.133.44.46]) by hub.freebsd.org (Postfix) with ESMTP id 14E6337B405 for ; Wed, 5 Jun 2002 07:08:52 -0700 (PDT) Received: (qmail 56377 invoked from network); 5 Jun 2002 14:09:25 -0000 Received: from unknown (HELO micron) (208.150.25.130) by rack.purplecat.net with SMTP; 5 Jun 2002 14:09:25 -0000 From: "Peter Brezny" To: Subject: currently experiencing some kind of DOS attack? Need help! Date: Wed, 5 Jun 2002 10:09:07 -0400 Message-ID: MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2911.0) Importance: Normal X-MimeOLE: Produced By Microsoft MimeOLE V5.00.3018.1300 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org I think i'm experiencng some kind of DOS attack and I need some help pinpointing the bad guys, and cutting them off/reporting them. I've attached a tcpdump that was captured during the latest initial attack. They are coming at 10 minute intervals. The system under attack is 208.133.44.46 The error i'm getting in /var/log/messages: Jun 5 10:05:51 rack /kernel: m_clalloc failed, consider increase NMBCLUSTERS value Jun 5 10:05:51 rack /kernel: xl0: no memory for rx list -- packet dropped! Any help is much appreciated. Peter Brezny Skyrunner.net 09:56:44.778211 208.133.44.46.4181 > 64.90.1.81.25: . ack 1 win 33304 (DF ) 09:56:44.778289 208.133.44.46.4204 > 216.248.13.163.25: S 583871681:583871681(0) win 65535 (DF) 09:56:44.778363 208.133.44.46.4205 > 216.248.13.163.25: S 990811731:990811731(0) win 65535 (DF) 09:56:44.778437 208.133.44.46.4179 > 208.44.30.252.25: . ack 1 win 33304 (DF) 09:56:44.778509 208.133.44.46.4195 > 12.107.51.89.25: . ack 1 win 33304 ( DF) 09:56:44.778606 208.133.44.46.4135 > 209.130.32.60.25: P 51:80(29) ack 171 win 33304 (DF) 09:56:44.778685 208.133.44.46.4206 > 209.149.145.242.25: S 4218318996:4218318996(0) win 65535 (DF) 09:56:44.778767 208.133.44.46.4207 > 12.18.94.118.25: S 4233576849:4233576849(0) win 65535 (DF) 09:56:44.778844 208.133.44.46.4208 > 66.7.159.141.25: S 2755991554:2755991554(0) win 65535 (DF) 09:56:44.778931 208.133.44.46.53 > 208.133.44.2.53: 15111+ A? lists.wnpt.net. (32) 09:56:44.779019 208.133.44.46.53 > 208.133.44.2.53: 29381+ A? hammer.bw.vallnet.com. (39) 09:56:44.779303 216.141.198.6.25 > 208.133.44.46.4182: S 2677924182:2677924182(0) ack 3722697590 win 8760 (DF) 09:56:44.779412 208.133.44.46.4182 > 216.141.198.6.25: . ack 1 win 65535 (DF) 09:56:44.780186 209.142.136.248.25 > 208.133.44.46.4173: R 1:1(0) ack 1 win 17520 (DF) 09:56:44.782070 216.183.105.175.25 > 208.133.44.46.4184: S 970622662:970622662(0) ack 611002520 win 5792 (DF) 09:56:44.782230 208.133.44.2.53 > 208.133.44.46.53: 39368 1/2/2 A 12.18.94.118 (131) 09:56:44.782304 208.133.44.46.4184 > 216.183.105.175.25: . ack 1 win 33304 (DF) 09:56:44.782681 24.165.200.11.25 > 208.133.44.46.4191: S 2693592169:2693592169(0) ack 2405761779 win 33304 (DF) 09:56:44.782759 208.133.44.46.4209 > 12.18.94.118.25: S 1124694907:1124694907(0) win 65535 (DF) 09:56:44.782841 208.133.44.46.4191 > 24.165.200.11.25: . ack 1 win 33304 ( DF) 09:56:44.783407 208.133.44.2.53 > 208.133.44.46.53: 20554 1/2/2 A 63.85.209.13 (119) 09:56:44.783735 208.0.133.2.25 > 208.133.44.46.4156: P 94:226(132) ack 26 win 8735 (DF) 09:56:44.783820 208.133.44.46.4210 > 63.85.209.13.25: S 2351909802:2351909802(0) win 65535 (DF) 09:56:44.783973 208.133.44.46.4156 > 208.0.133.2.25: P 26:55(29) ack 226 win 65535 (DF) 09:56:44.784436 216.141.198.5.25 > 208.133.44.46.4189: S 3128014607:3128014607(0) ack 3231361719 win 8760 (DF) 09:56:44.784528 64.90.1.81.25 > 208.133.44.46.4192: S 1792359129:1792359129(0) ack 122564349 win 10136 (DF) 09:56:44.784592 208.133.44.46.4189 > 216.141.198.5.25: . ack 1 win 65535 (DF) 09:56:44.784663 208.133.44.46.4192 > 64.90.1.81.25: . ack 1 win 33304 (DF ) 09:56:44.785415 208.133.44.2.53 > 208.133.44.46.53: 10424* 1/3/4 MX[|domain] 09:56:44.786007 208.133.44.46.53 > 208.133.44.2.53: 9865+ A? mail.milanmirrorexchange.com. (46) 09:56:44.786890 208.133.44.2.53 > 208.133.44.46.53: 10699 1/3/4 A 63.238.52.32 (175) 09:56:44.787268 64.12.137.121.25 > 208.133.44.46.4141: P 383:391(8) ack 55 win 33304 (DF) 09:56:44.787376 208.133.44.46.4211 > 63.238.52.89.25: S 822989022:822989022(0) win 65535 (DF) 09:56:44.787529 208.133.44.46.4141 > 64.12.137.121.25: P 55:83(28) ack 391 win 33304 (DF) 09:56:44.787615 64.12.136.121.25 > 208.133.44.46.4134: . ack 8974 win 32768 09:56:44.787689 216.141.198.7.25 > 208.133.44.46.4183: S 2740973361:2740973361(0) ack 3477352929 win 8760 (DF) 09:56:44.787917 208.133.44.2.53 > 208.133.44.46.53: 32840 1/2/2 A 216.248.18.11 (116) 09:56:44.788420 208.133.44.46.4134 > 64.12.136.121.25: . 12642:13166(524) ack 455 win 33012 (DF) 09:56:44.788914 208.133.44.46.4134 > 64.12.136.121.25: . 13166:13690(524) ack 455 win 33012 (DF) 09:56:44.789469 208.133.44.46.4134 > 64.12.136.121.25: . 13690:14214(524) ack 455 win 33012 (DF) 09:56:44.790024 208.133.44.46.4134 > 64.12.136.121.25: . 14214:14738(524) ack 455 win 33012 (DF) 09:56:44.790577 208.133.44.46.4134 > 64.12.136.121.25: . 14738:15262(524) ack 455 win 33012 (DF) 09:56:44.790706 208.133.44.46.4183 > 216.141.198.7.25: . ack 1 win 65535 (DF) 09:56:44.790936 208.133.44.2.53 > 208.133.44.46.53: 65451 1/2/2 A 216.248.18.12 (116) 09:56:44.791024 208.44.30.252.25 > 208.133.44.46.4188: S 1467598258:1467598258(0) ack 1322705327 win 17520 (DF) 09:56:44.791266 208.133.44.2.53 > 208.133.44.46.53: 30931 1/5/5 A[|domain] 09:56:44.791527 208.133.44.46.4188 > 208.44.30.252.25: . ack 1 win 33304 (DF) 09:56:44.792030 208.44.30.252.25 > 208.133.44.46.4190: S 2949454116:2949454116(0) ack 2714795533 win 17520 (DF) 09:56:44.792102 216.53.195.54.25 > 208.133.44.46.4200: S 414963656:414963656(0) ack 1200813988 win 24616 (DF) 09:56:44.792208 64.12.137.184.25 > 208.133.44.46.4144: . ack 26 win 33304 (DF) 09:56:44.792296 208.133.44.46.4190 > 208.44.30.252.25: . ack 1 win 33304 (DF) 09:56:44.792399 208.133.44.46.4200 > 216.53.195.54.25: . ack 1 win 33304 (DF) 09:56:44.792540 64.12.136.121.25 > 208.133.44.46.4134: . ack 10022 win 32768 09:56:44.792614 64.12.136.121.25 > 208.133.44.46.4134: . ack 10022 win 32768 09:56:44.793129 208.133.44.46.4134 > 64.12.136.121.25: . 15262:15786(524) ack 455 win 33012 (DF) 09:56:44.793680 208.133.44.46.4134 > 64.12.136.121.25: . 15786:16310(524) ack 455 win 33012 (DF) 09:56:44.794369 208.133.44.46.4134 > 64.12.136.121.25: . 16310:16834(524) ack 455 win 33012 (DF) 09:56:44.794513 208.133.44.46.53 > 208.133.44.2.53: 49539+ A? mx2.mail.twtelecom.net. (40) 09:56:44.795064 64.12.137.184.25 > 208.133.44.46.4144: P 329:383(54) ack 26 win 33304 (DF) 09:56:44.795225 208.133.44.2.53 > 208.133.44.46.53: 23829* 1/2/2 MX[|domain] 09:56:44.795304 205.152.58.3.25 > 208.133.44.46.4158: . ack 55 win 10136 (DF) 09:56:44.795376 64.12.136.121.25 > 208.133.44.46.4134: . ack 12118 win 32768 09:56:44.795924 208.133.44.46.4134 > 64.12.136.121.25: . 16834:17358(524) ack 455 win 33012 (DF) 09:56:44.796419 208.133.44.46.4134 > 64.12.136.121.25: . 17358:17882(524) ack 455 win 33012 (DF) 09:56:44.796918 208.133.44.46.4134 > 64.12.136.121.25: . 17882:18406(524) ack 455 win 33012 (DF) 09:56:44.797408 208.133.44.46.4134 > 64.12.136.121.25: . 18406:18930(524) ack 455 win 33012 (DF) 09:56:44.797895 208.133.44.46.4134 > 64.12.136.121.25: . 18930:19454(524) ack 455 win 33012 (DF) 09:56:44.797994 208.133.44.46.4144 > 64.12.137.184.25: P 26:55(29) ack 383 win 33304 (DF) 09:56:44.798158 208.133.44.46.53 > 208.133.44.2.53: 54617+ A? lucy.multipro.com. (35) 09:56:44.798233 205.152.58.132.25 > 208.133.44.46.4152: . ack 55 win 10136 (DF) 09:56:44.798307 64.12.136.121.25 > 208.133.44.46.4134: . ack 10546 win 32768 09:56:44.798426 206.102.201.11.25 > 208.133.44.46.4199: S 31341815:31341815(0) ack 329832920 win 8760 (DF) 09:56:44.798559 208.133.44.46.4199 > 206.102.201.11.25: . ack 1 win 65535 (DF) 09:56:44.799241 208.133.44.3.53 > 208.133.44.46.53: 15267* 1/3/3 (191) 09:56:44.800389 208.133.44.3.53 > 208.133.44.46.53: 64791* 1/3/3 (194) 09:56:44.801324 208.133.44.46.4212 > 64.75.1.251.25: S 728130978:728130978(0) win 65535 (DF) 09:56:44.803151 209.130.32.61.25 > 208.133.44.46.4136: . ack 51 win 49152 ( DF) 09:56:44.803364 209.130.32.61.25 > 208.133.44.46.4136: P 82:173(91) ack 51 win 49152 (DF) 09:56:44.803482 152.163.224.26.25 > 208.133.44.46.4143: P 329:383(54) ack 26 win 32768 09:56:44.803601 208.133.44.46.4136 > 209.130.32.61.25: P 51:80(29) ack 173 win 33304 (DF) 09:56:44.803695 208.133.44.46.4143 > 152.163.224.26.25: P 26:55(29) ack 383 win 33012 (DF) 09:56:44.804003 12.153.11.240.25 > 208.133.44.46.4177: P 81:121(40) ack 26 win 16535 (DF) 09:56:44.804192 208.133.44.46.4177 > 12.153.11.240.25: P 26:51(25) ack 121 win 32832 (DF) 09:56:44.804430 63.93.245.3.25 > 208.133.44.46.4198: S 143862244:143862244(0) ack 3178198484 win 16352 09:56:44.804611 208.133.44.46.4198 > 63.93.245.3.25: . ack 1 win 65535 (DF) 09:56:44.804743 208.27.252.10.25 > 208.133.44.46.4176: P 118:188(70) ack 26 win 17495 (DF) 09:56:44.804851 205.152.58.1.25 > 208.133.44.46.4157: . ack 55 win 10136 (DF) 09:56:44.806461 149.48.46.26.25 > 208.133.44.46.4140: P 281:322(41) ack 92 win 64296 (DF) 09:56:44.806696 208.133.44.46.4140 > 149.48.46.26.25: P 92:98(6) ack 322 win 32832 (DF) 09:56:44.807059 208.0.133.2.25 > 208.133.44.46.4175: P 1:94(93) ack 1 win 8760 (DF) 09:56:44.807192 203.176.60.186.25 > 208.133.44.46.4166: P 1:77(76) ack 1 win 24616 (DF) 09:56:44.807284 208.133.44.46.4175 > 208.0.133.2.25: P 1:26(25) ack 94 win 65535 (DF) 09:56:44.807413 208.133.44.46.4166 > 203.176.60.186.25: P 1:26(25) ack 77 win 33304 (DF) 09:56:44.807622 208.45.133.107.25 > 208.133.44.46.4180: P 1:68(67) ack 1 win 5840 (DF) 09:56:44.807809 208.133.44.46.4180 > 208.45.133.107.25: P 1:26(25) ack 68 win 65535 (DF) 09:56:44.808143 208.133.44.46.53 > 208.133.44.2.53: 4340+ ANY? care-communications.com. (41) 09:56:44.809188 204.78.60.100.25 > 208.133.44.46.4150: P 101:131(30) ack 26 win 17495 (DF) 09:56:44.809257 216.145.68.3.25 > 208.133.44.46.4174: S 809889280:809889280(0) ack 2587056518 win 17520 (DF) 09:56:44.809360 207.69.235.6.25 > 208.133.44.46.4138: P 104:133(29) ack 26 win 16535