From owner-freebsd-security Mon Aug 28 11:13:33 2000
Delivered-To: freebsd-security@freebsd.org
Received: from wopr.chc-chimes.com (wopr.chc-chimes.com [216.234.105.162]) by hub.freebsd.org (Postfix) with ESMTP id AEFFD37B423 for ; Mon, 28 Aug 2000 11:13:26 -0700 (PDT)
Received: from localhost (matta@localhost) by wopr.chc-chimes.com (8.9.3/8.9.3) with ESMTP id OAA30924; Mon, 28 Aug 2000 14:16:29 -0400 (EDT) (envelope-from matta@unixshell.com)
Date: Mon, 28 Aug 2000 14:16:21 -0400 (EDT)
From: Matt Ayres
X-Sender: matta@wopr.chc-chimes.com
To: "Col.Panic"
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: your mail (fwd)
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

FreeBSD will also give the message below when UDP has gone over 100 pps.

-Matt

On Mon, 28 Aug 2000, Col.Panic wrote:

> I have an interesting appendage to add to this answer. I have ICMP shut
> down at the router, and I get the same messages from my new 4.1-STABLE
> system. I can understand if somebody is spoofing ICMP packets, but if
> they are, how are the replies getting to my machine?
>
> I've looked into it, and there isn't anybody logged into the machine for
> when this occurs. I'm at a loss.
>
> Thanks,
>
> -Jason
>
>
>
> ---------- Forwarded message ----------
> Date: Mon, 28 Aug 2000 10:36:00 -0700
> From: Alfred Perlstein
> To: Shane Hale
> Cc: freebsd-security@FreeBSD.ORG
> Subject: Re: your mail
>
> * Shane Hale [000828 10:31] wrote:
> >
> > Hello
> >
> > I have a machine that's getting attacked regularly.
> >
> > (Yes I know my clock is wrong... 1886809 seconds fast to be exact)
> >
> > Sep 19 00:17:54 shell /kernel: icmp-response bandwidth limit 3491/200 pps
> > Sep 19 00:17:55 shell /kernel: icmp-response bandwidth limit 3499/200 pps
> > Sep 19 00:17:56 shell /kernel: icmp-response bandwidth limit 3505/200 pps
> > Sep 19 00:17:57 shell /kernel: icmp-response bandwidth limit 3503/200 pps
> > Sep 19 00:17:58 shell /kernel: icmp-response bandwidth limit 3505/200 pps
> > Sep 19 00:17:59 shell /kernel: icmp-response bandwidth limit 3502/200 pps
> > Sep 19 00:18:00 shell /kernel: icmp-response bandwidth limit 3488/200 pps
> > Sep 19 00:18:01 shell /kernel: icmp-response bandwidth limit 3491/200 pps
> > Sep 19 00:18:02 shell /kernel: icmp-response bandwidth limit 3494/200 pps
> > Sep 19 00:18:03 shell /kernel: icmp-response bandwidth limit 3491/200 pps
> > Sep 19 00:18:04 shell /kernel: icmp-response bandwidth limit 3497/200 pps
> > Sep 19 00:18:05 shell /kernel: icmp-response bandwidth limit 3501/200 pps
> > Sep 19 00:18:06 shell /kernel: icmp-response bandwidth limit 3504/200 pps
> > Sep 19 00:18:07 shell /kernel: icmp-response bandwidth limit 3485/200 pps
> > Sep 19 00:18:27 shell /kernel: icmp-response bandwidth limit 1599/200 pps
> >
> > (This went on for about 15 minutes, and caused my network to be slow as
> > molasses and a traceroute from home stopped at the router that routes my
> > C-Class)
> >
> > I have ICMP bandwidth limiting on the machine being attacked, but...
> >
> > - how can I trace who's attacking me
> > - what exactly are they trying to do
> > - how does ICMP_BANDWIDTH limiting work
> >
> > If there is anyone who can help me, I'd appreciate it.
>
> Well, you'd want to run tcpdump to see what's actually going on, however
> the problem is that most likely the attack is from a spoofed source
> so that unless the attacker is a complete knob you're probably out
> of luck unless you can co-operate with your upstream and trace this
> thing across the net.
>
> A better option is to figure out why it's happening, your box is named
> 'shell' so it sounds like one of your Lusers got into a pissing contest
> with someone, I would try to figure out who started it and remove the
> account.
>
> -Alfred
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
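The "icmp-response bandwidth limit N/200 pps" lines quoted above are the kernel's once-per-second notices that it is dropping ICMP responses beyond the configured limit; the script below is an added example (not code from the thread or from FreeBSD) that parses such syslog lines and groups them into bursts, so an admin can see how long a flood lasted and its peak rate, splitting on gaps such as the 20-second pause before Shane's last quoted line. The sample input is constructed from the quoted lines plus one unrelated syslog line; the 5-second gap threshold and the year (syslog omits it) are assumptions.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample: four kernel lines as quoted in the thread plus one unrelated line.
SAMPLE_LOG = """\
Sep 19 00:17:54 shell /kernel: icmp-response bandwidth limit 3491/200 pps
Sep 19 00:17:55 shell /kernel: icmp-response bandwidth limit 3499/200 pps
Sep 19 00:17:56 shell /kernel: icmp-response bandwidth limit 3505/200 pps
Sep 19 00:18:27 shell /kernel: icmp-response bandwidth limit 1599/200 pps
Sep 19 00:18:28 shell sshd[123]: unrelated syslog line that must be ignored
"""

# Matches FreeBSD's "icmp-response bandwidth limit <rate>/<limit> pps" kernel message.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) /kernel: "
    r"icmp-response bandwidth limit (?P<rate>\d+)/(?P<limit>\d+) pps$"
)

@dataclass
class Burst:
    host: str
    start: datetime
    end: datetime
    events: int     # number of once-per-second kernel notices in this burst
    peak_pps: int   # highest response rate the kernel reported
    limit: int      # the configured limit echoed in the message (200 here)

    def seconds(self) -> int:
        return int((self.end - self.start).total_seconds()) + 1

def find_bursts(lines, max_gap=5, year=2000):
    """Group matching lines per host into bursts; a gap > max_gap seconds starts a new one."""
    bursts = []
    cur = None
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a rate-limit notice
        # syslog omits the year, so the caller supplies one (assumed here)
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        host, rate, limit = m["host"], int(m["rate"]), int(m["limit"])
        if cur and cur.host == host and ts - cur.end <= timedelta(seconds=max_gap):
            cur.end, cur.events = ts, cur.events + 1
            cur.peak_pps = max(cur.peak_pps, rate)
        else:
            cur = Burst(host, ts, ts, 1, rate, limit)
            bursts.append(cur)
    return bursts
```

Feeding the full 15-line excerpt from the thread yields one 14-second burst peaking at 3505 pps and a second burst starting at 00:18:27, which is the shape an admin would want before deciding whether to escalate to the upstream.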