Date: Wed, 5 Apr 2000 01:52:07 -0700 (PDT)
From: Kris Kennaway <kris@FreeBSD.org>
To: Stan Brown <stanb@netcom.com>
Cc: FreeBSD Networking <freebsd-net@FreeBSD.ORG>
Subject: Re: I am being atacked!
Message-ID: <Pine.BSF.4.21.0004050143050.10783-100000@freefall.freebsd.org>
In-Reply-To: <200004042236.PAA02469@netcom.com>
On Tue, 4 Apr 2000, Stan Brown wrote:

> Apr 4 02:58:21 koala portsentry[336]: attackalert: Connect from host:
> c453341-a.pinol1.sfba.home.com/24.6.255.50 to UDP port: 161
> Apr 4 02:58:21 koala portsentry[336]: attackalert: Host 24.6.255.50
> has been blocked via wrappers with string: "ALL: 24.6.255.50"
> Apr 4 02:58:21 koala portsentry[336]: attackalert: Host 24.6.255.50
> has been blocked via dropped route using command: "/sbin/route add
> 24.6.255.50 333.444.555.666"

This is just a run-of-the-mill port scan for an SNMP server - if you're
not running one you have nothing to worry about. If it bugs you that
people are scanning your host for vulnerabilities then you need to talk
to the admins of the originating server; in this case probably
abuse@home.com would be a good place to start (provide as much
information as you can, including logs, of course).

Unfortunately port scanning is a very common thing on the internet
today - it's not directly a security risk, but it may show attackers
where the possible vulnerabilities are on your system. Creating a
"default to deny" packet filter with ipfw or ipfilter helps a lot here.
For example, attackers can throw all the packets they want at my system
and they won't get any information back except for connections on the
SSH port, and certain other "honeypot" ports I have set up with fake but
juicy-looking targets for them to try and exploit.

On a related matter, I don't like the way portsentry responded to this
probe. For one, it's not an "attack" in this case, just some
door-rattling, and secondly, forcibly routing the apparent source host
into /dev/null is the wrong thing to do: UDP packets are trivially
spoofable, and so an actual attacker can easily prevent your machine
from being able to communicate with any given host on the internet by
spoofing an "attack" packet of the sort you logged above as if it came
from that host.

Kris

----
In God we Trust -- all others must submit an X.509 certificate.
-- Charles Forsythe <forsythe@alum.mit.edu>
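The point Kris makes about portsentry's response is that a single UDP datagram proves nothing about its source, so an automatic "drop route to the source" reaction lets anyone with a spoofed packet cut the machine off from a host of their choosing. The script below is an added illustration of a safer response policy; it is not portsentry's or FreeBSD's code, and the log lines, the protected address range (192.0.2.0/24), the hostnames and the two-port threshold are constructed for the example. It parses portsentry-style "attackalert" lines, never blocks a UDP-only source, never blocks addresses on a protected list (resolvers, gateway), and only emits an ipfw deny rule for a source that has made TCP connections to at least two probed ports.

```python
"""Safer auto-blocking policy for portsentry-style alerts.

Added example, not code from the original message or from portsentry.
Design rule: react only on evidence the sender cannot trivially forge
(a TCP connection that reached accept()), never on a lone UDP datagram.
"""
import ipaddress
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample log in the format quoted in the thread (not real traffic).
SAMPLE_LOG = """\
Apr  4 02:58:21 koala portsentry[336]: attackalert: Connect from host: c453341-a.pinol1.sfba.home.com/24.6.255.50 to UDP port: 161
Apr  4 02:58:22 koala portsentry[336]: attackalert: Connect from host: resolver.example.invalid/192.0.2.53 to UDP port: 161
Apr  4 02:59:05 koala portsentry[336]: attackalert: Connect from host: scanner.example.invalid/198.51.100.7 to TCP port: 111
Apr  4 02:59:06 koala portsentry[336]: attackalert: Connect from host: scanner.example.invalid/198.51.100.7 to TCP port: 143
"""

ALERT_RE = re.compile(
    r"portsentry\[\d+\]: attackalert: Connect from host: "
    r"(?P<name>\S+)/(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) to (?P<proto>TCP|UDP) port: (?P<port>\d+)"
)

# Constructed: networks that must never be blackholed (resolvers, default gateway).
PROTECTED = [ipaddress.ip_network("192.0.2.0/24")]

# Constructed threshold: distinct TCP ports a source must hit before it is blocked.
TCP_PORT_THRESHOLD = 2


@dataclass(frozen=True)
class Alert:
    ip: str
    proto: str
    port: int


def parse_alerts(text: str) -> list[Alert]:
    """Extract (source ip, protocol, port) from each attackalert line; skip the rest."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.search(line)
        if m:
            alerts.append(Alert(m["ip"], m["proto"], int(m["port"])))
    return alerts


def classify(alerts: list[Alert]) -> dict[str, str]:
    """Map each source IP to an action: 'block', 'log' or 'protected'.

    UDP-only sources are logged, not blocked: the source address of a UDP
    datagram is unauthenticated, so blocking it would let a spoofer choose
    which hosts this machine can no longer reach.
    """
    tcp_ports: dict[str, set[int]] = defaultdict(set)
    seen: set[str] = set()
    for a in alerts:
        seen.add(a.ip)
        if a.proto == "TCP":
            tcp_ports[a.ip].add(a.port)

    actions = {}
    for ip in seen:
        addr = ipaddress.ip_address(ip)
        if any(addr in net for net in PROTECTED):
            actions[ip] = "protected"
        elif len(tcp_ports.get(ip, set())) >= TCP_PORT_THRESHOLD:
            actions[ip] = "block"
        else:
            actions[ip] = "log"
    return actions


def ipfw_rules(actions: dict[str, str]) -> list[str]:
    """Render the 'block' decisions as ipfw deny rules (returned, not executed).

    A packet-filter rule is preferred over the thread's "route add" trick:
    it drops inbound traffic without changing how this host routes outbound.
    """
    return [f"ipfw add deny ip from {ip} to any"
            for ip, action in sorted(actions.items()) if action == "block"]


if __name__ == "__main__":
    decisions = classify(parse_alerts(SAMPLE_LOG))
    for ip, action in sorted(decisions.items()):
        print(f"{ip:16} {action}")
    for rule in ipfw_rules(decisions):
        print(rule)
```

Run on the constructed log, the UDP probe from 24.6.255.50 is only logged, the resolver at 192.0.2.53 is exempt even though it triggered the same alert, and only the host that opened TCP connections to two probed ports gets a deny rule. The TCP requirement is the important part: a completed connection is evidence the peer really used that address, which a lone UDP datagram never is.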