From owner-freebsd-net Wed Apr 5 1:52:10 2000
Delivered-To: freebsd-net@freebsd.org
Received: from freefall.freebsd.org (freefall.FreeBSD.ORG [204.216.27.21]) by hub.freebsd.org (Postfix) with ESMTP id 8E20737BC3D; Wed, 5 Apr 2000 01:52:08 -0700 (PDT) (envelope-from kris@FreeBSD.org)
Received: from localhost (kris@localhost) by freefall.freebsd.org (8.9.3/8.9.2) with ESMTP id BAA15452; Wed, 5 Apr 2000 01:52:08 -0700 (PDT) (envelope-from kris@FreeBSD.org)
X-Authentication-Warning: freefall.freebsd.org: kris owned process doing -bs
Date: Wed, 5 Apr 2000 01:52:07 -0700 (PDT)
From: Kris Kennaway
To: Stan Brown
Cc: FreeBSD Networking
Subject: Re: I am being attacked!
In-Reply-To: <200004042236.PAA02469@netcom.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-net@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Tue, 4 Apr 2000, Stan Brown wrote:

> Apr 4 02:58:21 koala portsentry[336]: attackalert: Connect from host:
> c453341-a.pinol1.sfba.home.com/24.6.255.50 to UDP port: 161
> Apr 4 02:58:21 koala portsentry[336]: attackalert: Host 24.6.255.50
> has been blocked via wrappers with string: "ALL: 24.6.255.50"
> Apr 4 02:58:21 koala portsentry[336]: attackalert: Host 24.6.255.50
> has been blocked via dropped route using command: "/sbin/route add
> 24.6.255.50 333.444.555.666"

This is just a run-of-the-mill port scan for an SNMP server - if you're not running one you have nothing to worry about. If it bugs you that people are scanning your host for vulnerabilities then you need to talk to the admins of the originating server; in this case probably abuse@home.com would be a good place to start (provide as much information as you can, including logs, of course). Unfortunately, port scanning is a very common thing on the internet today - it's not directly a security risk, but it may show attackers where the possible vulnerabilities are on your system.
Creating a "default to deny" packet filter with ipfw or ipfilter helps a lot here. For example, attackers can throw all the packets they want at my system and they won't get any information back except for connections on the SSH port, and certain other "honeypot" ports I have set up with fake but juicy-looking targets for them to try and exploit.

On a related matter, I don't like the way portsentry responded to this probe. For one, it's not an "attack" in this case, just some door-rattling, and secondly, forcibly routing the apparent source host into /dev/null is the wrong thing to do: UDP packets are trivially spoofable, and so an actual attacker can easily prevent your machine from being able to communicate with any given host on the internet by spoofing an "attack" packet of the sort you logged above as if it came from that host.

Kris
----
In God we Trust -- all others must submit an X.509 certificate.
    -- Charles Forsythe

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-net" in the body of the message
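The point Kris makes about portsentry's auto-blocking is worth turning into a concrete triage rule: a UDP "attackalert" is a single datagram whose source address can be forged, so acting on it by null-routing or wrapper-blocking the claimed source lets anyone cut your host off from an arbitrary third party. The script below is an added example and is not code from the thread, from portsentry or from FreeBSD. It parses portsentry-style alert lines (sample lines constructed to match the format quoted above), refuses to block on UDP alerts, refuses to block addresses on a hypothetical never-block list (gateway, resolvers, NTP peers), and for the remaining TCP alerts emits an ipfw deny rule as a string instead of running a route command. The assumption that a portsentry TCP alert reflects an accepted connection holds for its classic listening mode only; stealth modes fire on single packets and should be treated like UDP.

```python
import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed sample log, modelled on the portsentry alerts quoted in the thread.
# The "has been blocked" lines are deliberately included: they must NOT parse as
# new alerts, otherwise a block would be re-triggered by its own log entry.
SAMPLE_LOG = """\
Apr  4 02:58:21 koala portsentry[336]: attackalert: Connect from host: c453341-a.pinol1.sfba.home.com/24.6.255.50 to UDP port: 161
Apr  4 02:58:21 koala portsentry[336]: attackalert: Host 24.6.255.50 has been blocked via wrappers with string: "ALL: 24.6.255.50"
Apr  4 03:10:02 koala portsentry[336]: attackalert: Connect from host: 192.0.2.77/192.0.2.77 to TCP port: 143
Apr  4 03:11:45 koala portsentry[336]: attackalert: Connect from host: ns1.example.net/198.51.100.10 to UDP port: 161
"""

# Matches only the "Connect from host" alert form, not the follow-up "blocked" lines.
ALERT_RE = re.compile(
    r"portsentry\[\d+\]: attackalert: Connect from host: "
    r"(?P<name>\S+)/(?P<ip>\d+\.\d+\.\d+\.\d+) to (?P<proto>TCP|UDP) port: (?P<port>\d+)"
)

# Hypothetical list of networks this host must always be able to reach
# (gateway, DNS resolvers, NTP peers). A spoofed alert "from" one of these
# would otherwise turn the auto-blocker into a denial of service against you.
NEVER_BLOCK = [ip_network("198.51.100.0/24"), ip_network("192.0.2.1/32")]


@dataclass
class Alert:
    host: str
    ip: str
    proto: str
    port: int


def parse_alerts(log_text):
    """Extract Connect-from-host alerts; ignore everything else portsentry logs."""
    alerts = []
    for line in log_text.splitlines():
        m = ALERT_RE.search(line)
        if m:
            alerts.append(Alert(m["name"], m["ip"], m["proto"], int(m["port"])))
    return alerts


def decide(alert, never_block=NEVER_BLOCK):
    """Return (action, command). Only a TCP alert from an unprotected address
    yields a block, and the block is an ipfw rule string rather than a route."""
    addr = ip_address(alert.ip)
    if any(addr in net for net in never_block):
        # Protected infrastructure: never block, regardless of protocol.
        return ("ignore-protected", None)
    if alert.proto == "UDP":
        # A lone UDP datagram proves nothing about its source address.
        return ("log-only", None)
    # Classic-mode TCP alert: the peer completed a handshake, so the address
    # is at least reachable from here. Emit the rule; applying it is a
    # separate, auditable step.
    return ("block", f"ipfw add deny ip from {alert.ip} to any")


def triage(log_text, never_block=NEVER_BLOCK):
    """Parse a log and return one (ip, proto, port, action) tuple per alert."""
    return [
        (a.ip, a.proto, a.port, decide(a, never_block)[0])
        for a in parse_alerts(log_text)
    ]


if __name__ == "__main__":
    for entry in triage(SAMPLE_LOG):
        print(entry)
```

Running it over the sample shows the original alert from 24.6.255.50 logged but not blocked, the TCP alert from 192.0.2.77 producing an ipfw deny rule, and the UDP alert claiming to come from the resolver network ignored outright, which is exactly the case Kris warns about.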