Date: Sun, 5 Jan 2003 14:57:22 -0800 (PST)
From: Josh Brooks <user@mail.econolodgetulsa.com>
To: freebsd-hackers@freebsd.org
Subject: DDoS attacks, packets captured ... not sure what to do.
Message-ID: <20030105145150.N80512-100000@mail.econolodgetulsa.com>
First off, the target looks like this:
Port State Service
21/tcp open ftp
22/tcp open ssh
25/tcp open smtp
53/tcp open domain
80/tcp open http
110/tcp open pop-3
3333/tcp open dec-notes
10000/tcp open snet-sensor-mgmt
31337/tcp open Elite
(and yes, port 31337 is legit - this is a Linux server and that is not a
trojan running)
The target is behind my FreeBSD firewall - and it is the firewall which
hangs and causes the DoS.
And my firewall is a 4.4-RELEASE, ~500MHz Celeron with 256 megs RAM. When
I run `top` I see between 17 and 50% idle CPU. I have 900+ ipfw rules in
place, and about 80% of those are just "count" rules. When the attacks
occur, my firewall simply freezes - no response, the network disappears,
and no traffic of any kind flows through it. Here is the obligatory
netstat -m on the firewall:
# netstat -m
405/4768/32768 mbufs in use (current/peak/max):
405 mbufs allocated to data
382/4524/8192 mbuf clusters in use (current/peak/max)
10240 Kbytes allocated to network (41% of mb_map in use)
0 requests for memory denied
0 requests for memory delayed
0 calls to protocol drain routines
OK, so during the attack, an upstream router captured the packets. I see
two interesting things:
1. a ton of TCP SYN, [1658] -> [106] 3COM-TSMUX to ports that do
not exist on the target. See how this one goes to destination 106, but
the target is not running anything on 106 ? Once in a while the SYN
packets go to an existing port, but most of them go to nonexistent
(seemingly random) ports on the target.
2. a noticeable amount of christmas tree packets aimed at the target:
TCP FIN SYN RST PSH ACK, [1400] -> [98] TAC-news
again, to ports not actually open on the target. I guess a xmas tree
packet technically has a URG flag as well, which these do not - but even
still I suspect these are bad news to be seeing.
Also some of them are not quite as xmas as others:
TCP SYN RST PSH ACK, [1230] -> [118] SQL-service
again, directed at a service that does not exist.
3. These seem less frequent, but I am seeing:
UDP, [21397] -> [2284]
Source port: [21397]
Destination port: [2284]
UDP length: 908
Checksum: 0x0000 (data fragment - not able to check)
So .. a UDP fragment sent to a port not open on the target. This also
seems like bad news.
-----
So that's that - I see this for all three IPs that were being targeted.
So now there are two things I need to know (and ask cordially for your
help with):
1. what can I put into place on a 4.4-RELEASE ipfw firewall to combat
these items ?
2. What are 1, 2 and 3 called ? For instance, is #1 a "syn flood" ?
3. will the solutions given to me actually help ? I mean, the packets
will still hit my firewall, and given the cpu utilization and config I
showed you earlier, will the fixes nullify the effect of these attacks, or
am I so underpowered that getting hit with these in any way, no matter
what precautions I have in place will disable me ?
thanks a LOT.
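As an added example (not part of the original post or of any FreeBSD tool), the script below parses packet summaries in the same one-line style the post quotes from the upstream router and sorts them into the three categories the post describes: SYNs to ports the nmap output shows closed, flag combinations no real TCP stack emits (SYN together with FIN or RST, or the all-flags "christmas tree"), and UDP records whose checksum line marks them as non-first fragments. The open-port set is taken from the post's nmap listing; the sample capture is constructed to mirror the quoted lines and is not real traffic.

```python
"""Classify router packet summaries of the form
   TCP FIN SYN RST PSH ACK, [1400] -> [98] TAC-news
into the categories described in the post (added example, not FreeBSD code)."""
import re
from collections import Counter

# TCP ports the post's nmap scan shows open on the target.
OPEN_TCP_PORTS = {21, 22, 25, 53, 80, 110, 3333, 10000, 31337}

# Header line: protocol, optional TCP flag words, [src] -> [dst], optional service name.
HEADER_RE = re.compile(
    r"^(?P<proto>TCP|UDP)(?P<flags>(?:\s+(?:FIN|SYN|RST|PSH|ACK|URG))*)"
    r",\s*\[(?P<sport>\d+)\]\s*->\s*\[(?P<dport>\d+)\]"
)


def parse_capture(text):
    """Turn capture text into a list of packet dicts.

    Each header line starts a packet; the detail lines that follow a UDP
    header (Source port:, Checksum: ...) are attached to that packet.
    Trailing carriage returns (the ^M in the post) are stripped.
    """
    packets = []
    for raw in text.splitlines():
        line = raw.rstrip("\r").strip()
        m = HEADER_RE.match(line)
        if m:
            packets.append({
                "proto": m["proto"],
                "flags": frozenset(m["flags"].split()),
                "sport": int(m["sport"]),
                "dport": int(m["dport"]),
                "fragment": False,
            })
        elif packets and line.startswith("Checksum:") and "fragment" in line:
            # The router could not checksum it: a later fragment, not a full datagram.
            packets[-1]["fragment"] = True
    return packets


def classify(pkt, open_tcp=OPEN_TCP_PORTS):
    """Label one packet the way the post's three observations do."""
    if pkt["proto"] == "UDP":
        return "udp-fragment" if pkt["fragment"] else "udp"
    f = pkt["flags"]
    # SYN never travels with FIN or RST, and a TCP segment with no flags is bogus.
    if ("SYN" in f and f & {"FIN", "RST"}) or not f:
        return "invalid-flags"
    if f == {"SYN"}:
        return "syn-open-port" if pkt["dport"] in open_tcp else "syn-closed-port"
    return "other-tcp"


def summarize(text, open_tcp=OPEN_TCP_PORTS):
    """Count packets per category; the interesting ones dominate during an attack."""
    return Counter(classify(p, open_tcp) for p in parse_capture(text))


# Constructed sample modelled on the lines quoted in the post (not real traffic).
SAMPLE_CAPTURE = """\
TCP SYN, [1658] -> [106] 3COM-TSMUX
TCP SYN, [1659] -> [80] http
TCP SYN, [1660] -> [4412]
TCP FIN SYN RST PSH ACK, [1400] -> [98] TAC-news
TCP SYN RST PSH ACK, [1230] -> [118] SQL-service
UDP, [21397] -> [2284]
    Source port: [21397]
    Destination port: [2284]
    UDP length: 908
    Checksum: 0x0000 (data fragment - not able to check)
"""

if __name__ == "__main__":
    for category, count in sorted(summarize(SAMPLE_CAPTURE).items()):
        print(f"{category:16s} {count}")
```

The "invalid-flags" test is the same predicate that ipfw's `tcpflags` option can match on the firewall itself (for example a rule matching `syn,fin`), so the counts this script produces from a capture show which rule types would actually fire before anyone edits a 900-rule set.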
