From owner-freebsd-questions Tue May 9 4:43: 3 2000
Delivered-To: freebsd-questions@freebsd.org
Received: from mailhub.unibe.ch (mailhub.unibe.ch [130.92.254.109]) by hub.freebsd.org (Postfix) with ESMTP id E828737BE0B for ; Tue, 9 May 2000 04:42:59 -0700 (PDT) (envelope-from roth@iamexwi.unibe.ch)
Received: from CONVERSION-DAEMON by mailhub.unibe.ch (PMDF V5.2-32 #42480) id <0FUA00I01J2PG9@mailhub.unibe.ch> for FreeBSD-questions@FreeBSD.ORG; Tue, 9 May 2000 13:40:04 +0200 (MET DST)
Received: from iamexwi.unibe.ch (haegar.unibe.ch [130.92.71.10]) by mailhub.unibe.ch (PMDF V5.2-32 #42480) with ESMTP id <0FUA00DPLJ2OJT@mailhub.unibe.ch> for FreeBSD-questions@FreeBSD.ORG; Tue, 09 May 2000 13:40:01 +0200 (MET DST)
Received: from warhol.unibe.ch (warhol [130.92.62.20]) by iamexwi.unibe.ch (8.8.8+Sun/8.8.8) with ESMTP id NAA26881 for ; Tue, 09 May 2000 13:44:00 +0200 (MET DST)
Received: from localhost (roth@localhost) by warhol.unibe.ch (8.9.1b+Sun/8.9.1) with ESMTP id NAA08698 for ; Tue, 09 May 2000 13:43:59 +0200 (MET DST)
Date: Tue, 09 May 2000 13:43:58 +0200 (MET DST)
From: Tobias Roth
Subject: my first dos attack
In-reply-to: <20000506000205.44FD837BD16@hub.freebsd.org>
X-Sender: roth@warhol
To: FreeBSD-questions@FreeBSD.ORG
Message-id:
MIME-version: 1.0
Content-type: TEXT/PLAIN; charset=US-ASCII
Content-transfer-encoding: 7BIT
X-Authentication-warning: warhol.unibe.ch: roth owned process doing -bs
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

Hello

So I put up my server two weeks ago and it already happened: I got DoS attacked. The reason for this is probably that my box runs an ircd, besides a webserver, popserver and MTA. I must have been rude to someone on the IRC network :)

However, this is how my logs looked:

May 9 12:03:06 mybox /kernel: icmp redirect from 203.169.158.145: 203.169.158.151 => 203.169.158.151
May 9 12:03:06 mybox iplog[89103]: ICMP: (203.169.158.151) redirect 203.169.158.145 to network 203.169.158.151

Those IPs are not from inside my ISP's domain. I received about a hundred of those packets in a very short time, then everything stopped. Before that, I received a few telnet connection attempts from various places. I don't think this is related, but I mention it anyway.

I run a two-week-old 4.0-STABLE with the following kernel options:

options TCP_RESTRICT_RST   #restrict emission of TCP RST
options ICMP_BANDLIM       #Rate limit bad replies

I have TCP_DROP_SYNFIN not enabled because in LINT it says that this is not recommended for webservers.

So, should I be worried about that? Should I do anything else than maybe change my behaviour on IRC? Should I just drop that route for good? Should I try to find out who is responsible for that and make a complaint? If so, how?

Thanks for help,
Tobe

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-questions" in the body of the message
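As an added example, not part of the original post or of FreeBSD, here is a small Python checker for kernel log lines in the "icmp redirect from <sender>: <destination> => <new gateway>" format quoted above. It embeds a constructed sample log (the 203.169.158.x lines mimic the post; the 192.0.2.x and 198.51.100.x addresses are documentation-range placeholders) and assumes a placeholder local subnet LOCAL_NET that you would replace with the host's own. It shows two things a defender wants from such logs: a per-sender sliding-window count that flags a burst like the "hundred packets in a very short time" described, and the sanity check that a legitimate redirect must come from a router on the host's own link and must name a new gateway on that same link, which the off-link 203.169.158.145 sender fails.

```python
import re
import ipaddress
from collections import defaultdict, deque
from datetime import datetime, timedelta

# FreeBSD kernel message as quoted in the post:
#   "icmp redirect from <sender>: <destination> => <new gateway>"
KERNEL_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ /kernel: icmp redirect from "
    r"(?P<sender>[\d.]+): (?P<dst>[\d.]+) => (?P<gw>[\d.]+)$"
)

# Constructed sample log (assumed format, not real traffic): five redirects in
# two seconds from an off-link host, then one redirect from an assumed on-link
# router 192.0.2.1 naming an on-link gateway 192.0.2.2, then an unrelated line.
SAMPLE_LOG = """\
May  9 12:03:06 mybox /kernel: icmp redirect from 203.169.158.145: 203.169.158.151 => 203.169.158.151
May  9 12:03:06 mybox /kernel: icmp redirect from 203.169.158.145: 203.169.158.151 => 203.169.158.151
May  9 12:03:07 mybox /kernel: icmp redirect from 203.169.158.145: 203.169.158.151 => 203.169.158.151
May  9 12:03:07 mybox /kernel: icmp redirect from 203.169.158.145: 203.169.158.151 => 203.169.158.151
May  9 12:03:08 mybox /kernel: icmp redirect from 203.169.158.145: 203.169.158.151 => 203.169.158.151
May  9 12:05:00 mybox /kernel: icmp redirect from 192.0.2.1: 198.51.100.7 => 192.0.2.2
May  9 12:05:01 mybox sshd[123]: unrelated line that must be ignored
"""

# Assumed local subnet of the logging host (placeholder; set to your own).
LOCAL_NET = ipaddress.ip_network("192.0.2.0/24")


def parse_redirect(line):
    """Return a dict for a kernel ICMP-redirect line, or None for anything else."""
    m = KERNEL_RE.match(line.strip())
    if not m:
        return None
    # syslog timestamps carry no year; strptime defaults to 1900, which is fine
    # because the timestamps are only ever subtracted from each other.
    ts = datetime.strptime(" ".join(m.group("ts").split()), "%b %d %H:%M:%S")
    return {
        "ts": ts,
        "sender": ipaddress.ip_address(m.group("sender")),
        "dst": ipaddress.ip_address(m.group("dst")),
        "gw": ipaddress.ip_address(m.group("gw")),
    }


def is_plausible(rec, local_net=LOCAL_NET):
    """A legitimate redirect comes from a router on our own link and names a
    new gateway that is also on our link; anything else deserves no trust."""
    return rec["sender"] in local_net and rec["gw"] in local_net


def analyze(lines, local_net=LOCAL_NET, window=timedelta(seconds=10), burst=5):
    """Scan log lines; return the senders that exceeded `burst` redirects
    inside `window`, and how many redirects failed the on-link sanity check."""
    recent = defaultdict(deque)   # sender -> timestamps inside the window
    flagged = set()
    offlink = 0
    for line in lines:
        rec = parse_redirect(line)
        if rec is None:
            continue
        if not is_plausible(rec, local_net):
            offlink += 1
        q = recent[rec["sender"]]
        q.append(rec["ts"])
        while q and rec["ts"] - q[0] > window:
            q.popleft()           # drop timestamps that fell out of the window
        if len(q) >= burst:
            flagged.add(str(rec["sender"]))
    return {"burst_senders": sorted(flagged), "offlink_redirects": offlink}


if __name__ == "__main__":
    print(analyze(SAMPLE_LOG.splitlines()))
```

Run it against /var/log/messages (or pipe `dmesg` through it) and both signals appear in the result: the sample run reports 203.169.158.145 as a burst sender and counts all five of its redirects as off-link. The on-link check is the useful one for the "should I just drop that route" question: a redirect whose sender or gateway is not on the host's own network can never be valid, so it is safe to ignore it regardless of rate. FreeBSD also exposes this as a system-wide policy through the sysctls net.inet.icmp.drop_redirect (ignore redirects entirely) and net.inet.icmp.log_redirect (log them, which is what produced the kernel line above).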