From owner-freebsd-security Mon Aug 28 10:36:14 2000
Date: Mon, 28 Aug 2000 10:36:00 -0700
From: Alfred Perlstein
To: Shane Hale
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: your mail
Message-ID: <20000828103600.P1209@fw.wintelcom.net>
In-Reply-To: ; from shale@bricsnet.com on Mon, Aug 28, 2000 at 01:31:06PM -0400

* Shane Hale [000828 10:31] wrote:
>
> Hello
>
> I have a machine that's getting attacked regularly.
>
> (Yes I know my clock is wrong... 1886809 seconds fast to be exact)
>
> Sep 19 00:17:54 shell /kernel: icmp-response bandwidth limit 3491/200 pps
> Sep 19 00:17:55 shell /kernel: icmp-response bandwidth limit 3499/200 pps
> Sep 19 00:17:56 shell /kernel: icmp-response bandwidth limit 3505/200 pps
> Sep 19 00:17:57 shell /kernel: icmp-response bandwidth limit 3503/200 pps
> Sep 19 00:17:58 shell /kernel: icmp-response bandwidth limit 3505/200 pps
> Sep 19 00:17:59 shell /kernel: icmp-response bandwidth limit 3502/200 pps
> Sep 19 00:18:00 shell /kernel: icmp-response bandwidth limit 3488/200 pps
> Sep 19 00:18:01 shell /kernel: icmp-response bandwidth limit 3491/200 pps
> Sep 19 00:18:02 shell /kernel: icmp-response bandwidth limit 3494/200 pps
> Sep 19 00:18:03 shell /kernel: icmp-response bandwidth limit 3491/200 pps
> Sep 19 00:18:04 shell /kernel: icmp-response bandwidth limit 3497/200 pps
> Sep 19 00:18:05 shell /kernel: icmp-response bandwidth limit 3501/200 pps
> Sep 19 00:18:06 shell /kernel: icmp-response bandwidth limit 3504/200 pps
> Sep 19 00:18:07 shell /kernel: icmp-response bandwidth limit 3485/200 pps
> Sep 19 00:18:27 shell /kernel: icmp-response bandwidth limit 1599/200 pps
>
> (This went on for about 15 minutes, and caused my network to be slow as
> molasses, and a traceroute from home stopped at the router that routes my
> C-Class.)
>
> I have ICMP bandwidth limiting on the machine being attacked, but...
>
> - how can I trace who's attacking me
> - what exactly are they trying to do
> - how does ICMP_BANDWITH limiting work
>
> If there is anyone who can help me, I'd appreciate it.

Well, you'd want to run tcpdump to see what's actually going on; however, the problem is that most likely the attack is from a spoofed source, so unless the attacker is a complete knob you're probably out of luck, unless you can co-operate with your upstream and trace this thing across the net.

A better option is to figure out why it's happening. Your box is named 'shell', so it sounds like one of your lusers got into a pissing contest with someone; I would try to figure out who started it and remove the account.

-Alfred
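The kernel lines Shane quoted are the only hard evidence that survives offline, and they already answer part of "what are they trying to do": each line reports how many ICMP responses the kernel wanted to emit in that one-second window against the configured ceiling (net.inet.icmp.icmplim, 200 here), so the numbers measure the inbound packet rate that was provoking responses. The following Python is an added example, not code from the thread or from FreeBSD: it parses such lines, splits them into bursts separated by silence, and reports per burst the peak rate, the number of logged seconds and how many responses the limiter suppressed. The sample log is constructed (the same message shape as the quoted lines, fewer of them, plus one unrelated line that must be skipped); the year 2000 is assumed because syslog timestamps carry none.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample log (not the poster's full log): same shape as the
# FreeBSD kernel lines quoted above, with a 30 s gap before the last sample
# and one unrelated syslog line that the parser must ignore.
SAMPLE_LOG = """\
Sep 19 00:17:54 shell /kernel: icmp-response bandwidth limit 3491/200 pps
Sep 19 00:17:55 shell /kernel: icmp-response bandwidth limit 3499/200 pps
Sep 19 00:17:56 shell /kernel: icmp-response bandwidth limit 3505/200 pps
Sep 19 00:17:57 shell /kernel: icmp-response bandwidth limit 3503/200 pps
Sep 19 00:18:27 shell /kernel: icmp-response bandwidth limit 1599/200 pps
Sep 19 00:18:28 shell sshd[123]: unrelated line that must be ignored
"""

# "<attempted>/<limit> pps": responses the kernel wanted to send in that
# second versus the icmplim ceiling it enforced.
LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"(?P<host>\S+) /kernel: icmp-response bandwidth limit "
    r"(?P<attempted>\d+)/(?P<limit>\d+) pps$"
)


@dataclass
class Sample:
    ts: datetime
    host: str
    attempted: int   # responses that would have been sent in this second
    limit: int       # net.inet.icmp.icmplim in force (200 in the post)

    @property
    def suppressed(self) -> int:
        """Responses the limiter dropped in this second."""
        return max(0, self.attempted - self.limit)


def parse(text: str, year: int = 2000) -> List[Sample]:
    """Extract bandwidth-limit samples; syslog has no year, so one is assumed."""
    out: List[Sample] = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a bandwidth-limit message
        ts = datetime.strptime(
            f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
        out.append(Sample(ts, m["host"], int(m["attempted"]), int(m["limit"])))
    return out


def episodes(samples: List[Sample],
             gap: timedelta = timedelta(seconds=5)) -> List[List[Sample]]:
    """Group samples into bursts: silence longer than `gap` starts a new burst."""
    groups: List[List[Sample]] = []
    for s in sorted(samples, key=lambda x: x.ts):
        if groups and s.ts - groups[-1][-1].ts <= gap:
            groups[-1].append(s)
        else:
            groups.append([s])
    return groups


def summarize(ep: List[Sample]) -> Dict[str, object]:
    """The per-burst figures an analyst would put in an incident note."""
    return {
        "host": ep[0].host,
        "start": ep[0].ts.isoformat(sep=" "),
        "end": ep[-1].ts.isoformat(sep=" "),
        "logged_seconds": len(ep),
        "peak_pps": max(s.attempted for s in ep),
        "limit_pps": ep[0].limit,
        "suppressed_responses": sum(s.suppressed for s in ep),
    }


def report(text: str, year: int = 2000) -> List[Dict[str, object]]:
    """Parse a syslog extract and summarize every burst found in it."""
    return [summarize(ep) for ep in episodes(parse(text, year))]


if __name__ == "__main__":
    for burst in report(SAMPLE_LOG):
        print(burst)
```

Run it against `/var/log/messages` (or the output of `grep 'icmp-response bandwidth limit'`) to turn a wall of kernel lines into start/end times and a peak rate; those are the figures an upstream provider will ask for before they trace a spoofed flood across their network, which is the cooperation Alfred describes. The 5-second burst gap is an assumption; widen it if the limiter only logs intermittently on your system.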