From owner-freebsd-security Wed Dec 8 13:51:29 1999
Delivered-To: freebsd-security@freebsd.org
Received: from server.computeralt.com (server.computeralt.com [207.41.29.10]) by hub.freebsd.org (Postfix) with ESMTP id 25CB814BC2 for ; Wed, 8 Dec 1999 13:51:23 -0800 (PST) (envelope-from scott@computeralt.com)
Received: from scott (scott.computeralt.com [207.41.29.100]) by server.computeralt.com (8.9.3/8.9.1) with ESMTP id QAA13374 for ; Wed, 8 Dec 1999 16:51:16 -0500 (EST)
Message-Id: <4.2.2.19991208162315.00b5f4e0@mail.computeralt.com>
X-Sender: scott@mail.computeralt.com
X-Mailer: QUALCOMM Windows Eudora Pro Version 4.2.2
Date: Wed, 08 Dec 1999 16:51:11 -0500
To: freebsd-security@freebsd.org
From: "Scott I. Remick"
Subject: What kind of attack is this?
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Ok, I'm observing what may be our first real attack. It's focused on a particular IP address, and we have suspicions as to who it may be, but anyway...

Using trafshow, I'm observing tons of UDP packets being sent to one system from seemingly random IP addresses (probably spoofed) all over the place, with the system responding in turn with ICMP packets to each.

I know that's what firewalls are for, and that's why I'm working on one. The holdup is time constraints and red tape and corporate politics and screwed-up priorities and so on, so let's just leave it that the firewall is coming but is not here yet (if you remember back, this is the company that wants to use MS Proxy). I can't just block all incoming UDP packets because they are used by other applications. So how does one protect oneself against such an attack?
I have an Ascend Pipeline 50 router, and I'm trying to sort out from the manuals a way to use its filters and how it behaves if rules overlap (what I'm thinking is trying to find a way to block all incoming UDP packets EXCEPT the types which are known to be good).

And the $1M question: with spoofed source addresses, how does one track down and nail the culprit? Because we have a very good idea as to the source, if we know their router's IP, can we confirm whether a spoofed packet traveled along that route?

Anyhow, it died down a moment ago, so there's nothing more for me to watch. Wasn't a big crisis, and the person just used someone else's while I let the lamb be sacrificed so I could observe (the only thing it did was bog it down).

I welcome any input on this (be nice to me), and look forward to using this episode as an educational exercise.

Thanks

-----------------------
Scott I. Remick                    scott@computeralt.com
Network and Information            (802)388-7545 ext. 236
Systems Manager                    FAX:(802)388-3697
Computer Alternatives, Inc.        http://www.computeralt.com

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
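An added example, not part of the original post or of any reply on the list: the pattern described (many distinct, probably spoofed sources sending UDP to one host, which answers each one with ICMP) is the signature of a UDP flood against closed ports, where the kernel replies with ICMP port unreachable. The code below parses constructed tcpdump-style capture lines (not a real trace from computeralt.com; the addresses are documentation ranges), flags a target that receives UDP from many distinct sources and sends ICMP unreachables back, and then simulates the stateless "deny all inbound UDP except known-good ports" filter the poster is considering on the Ascend. The allowlisted ports (53 and 123 as source ports of DNS/NTP replies) and the threshold of four sources are assumptions for the example.

```python
import re
from collections import defaultdict

# Constructed sample capture in tcpdump -n style; not from the original post.
# 192.0.2.10 plays the targeted host. The four scattered sources stand in for
# the "random, probably spoofed" senders; 192.0.2.53 and 192.0.2.20 are a
# legitimate DNS reply and NTP reply that a blanket UDP block would also kill.
SAMPLE_LOG = """\
16:40:01.000001 IP 10.0.0.1.40001 > 192.0.2.10.31337: UDP, length 28
16:40:01.000010 IP 192.0.2.10 > 10.0.0.1: ICMP 192.0.2.10 udp port 31337 unreachable, length 36
16:40:01.000020 IP 198.51.100.7.40002 > 192.0.2.10.31338: UDP, length 28
16:40:01.000030 IP 192.0.2.10 > 198.51.100.7: ICMP 192.0.2.10 udp port 31338 unreachable, length 36
16:40:01.000040 IP 203.0.113.9.40003 > 192.0.2.10.31339: UDP, length 28
16:40:01.000050 IP 192.0.2.10 > 203.0.113.9: ICMP 192.0.2.10 udp port 31339 unreachable, length 36
16:40:01.000060 IP 172.16.5.5.40004 > 192.0.2.10.31340: UDP, length 28
16:40:01.000070 IP 192.0.2.10 > 172.16.5.5: ICMP 192.0.2.10 udp port 31340 unreachable, length 36
16:40:01.000080 IP 192.0.2.53.53 > 192.0.2.10.1025: UDP, length 80
16:40:01.000090 IP 192.0.2.10.123 > 192.0.2.20.123: UDP, length 48
16:40:01.000100 IP 192.0.2.20.123 > 192.0.2.10.123: UDP, length 48
"""

# "a.b.c.d.port > a.b.c.d.port: UDP" -- five dotted fields on each side.
UDP_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): UDP")
# "a.b.c.d > a.b.c.d: ICMP a.b.c.d udp port N unreachable"
ICMP_UNREACH_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\d+\.\d+\.\d+\.\d+) > (?P<dst>\d+\.\d+\.\d+\.\d+): "
    r"ICMP \S+ udp port (?P<port>\d+) unreachable")


def parse(log):
    """Yield ('udp', src, sport, dst, dport) or ('icmp', src, dst, port)."""
    for line in log.splitlines():
        m = UDP_RE.match(line)
        if m:
            yield ("udp", m["src"], int(m["sport"]), m["dst"], int(m["dport"]))
            continue
        m = ICMP_UNREACH_RE.match(line)
        if m:
            yield ("icmp", m["src"], m["dst"], int(m["port"]))


def find_udp_floods(log, min_sources=4):
    """Return {target: stats} for hosts that received UDP from at least
    min_sources distinct addresses AND sent ICMP port unreachables back.
    The ICMP sender is the victim, so unreachables are credited to rec.src."""
    stats = defaultdict(lambda: {"sources": set(), "udp": 0, "unreach": 0})
    for rec in parse(log):
        if rec[0] == "udp":
            _, src, _, dst, _ = rec
            stats[dst]["sources"].add(src)
            stats[dst]["udp"] += 1
        else:
            _, src, _, _ = rec
            stats[src]["unreach"] += 1
    return {
        host: {"distinct_sources": len(s["sources"]),
               "udp": s["udp"], "unreach": s["unreach"]}
        for host, s in stats.items()
        if len(s["sources"]) >= min_sources and s["unreach"] > 0
    }


def stateless_udp_allowlist(log, target, allow_sport=(53, 123), allow_dport=()):
    """Simulate a stateless router filter: inbound UDP to target passes only if
    its source port is a known reply port or its destination port is a hosted
    service; everything else is dropped. Returns (passed, dropped). Port sets
    are assumptions for the example."""
    passed = dropped = 0
    for rec in parse(log):
        if rec[0] != "udp" or rec[3] != target:
            continue
        _, _, sport, _, dport = rec
        if sport in allow_sport or dport in allow_dport:
            passed += 1
        else:
            dropped += 1
    return passed, dropped


if __name__ == "__main__":
    for host, s in find_udp_floods(SAMPLE_LOG).items():
        print(f"{host}: {s['distinct_sources']} distinct sources, "
              f"{s['udp']} UDP in, {s['unreach']} ICMP unreachable out")
    print("allowlist pass/drop for 192.0.2.10:",
          stateless_udp_allowlist(SAMPLE_LOG, "192.0.2.10"))
```

Two caveats the simulation makes visible. First, a stateless allowlist keyed on source port is itself spoofable: the same flood sent with source port 53 would pass every rule above, so the lasting fix is a stateful firewall that only admits UDP matching an outbound query. Second, nothing in a captured packet identifies who forged its source address; the stats show what was hit, not who sent it, and attribution requires hop-by-hop checking with the upstream carrier rather than anything the victim host can log.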