From: Cy Schubert - ITSD Open Systems Group
To: Jim Cassata
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: new type of attack?
In-reply-to: Your message of "Tue, 11 May 1999 18:57:38 EDT."
Date: Wed, 12 May 1999 07:06:39 -0700
X-OS: FreeBSD 2.2.8-RELEASE

In message , Jim Cassata writes:
> I just received this....
>
> > We have been tracking a long series of subtle network probes that
> > use TCP packets constructed with ACK and RST bits set. This bit
> > combination allows these packets to pass through common packet filters.
> > The attackers have breached many systems around the net, focusing on
> > Linux and FreeBSD systems. These breached systems are used to either
> > receive directly or through packet sniffing the responses from forged
> > packets sent by the attackers.
> >
> > On Sunday (5-9-99), we collected some probe packets from address
> > 209.54.43.133. This host is called sex.fiend.cx and appears to be part
> > of your network. There is a strong possibility that this host or one
> > very near it has been breached and is being used to collect data probed
> > from other networks. Our logs go back over a month and this is the first
> > time this particular host has been seen on our network. The attackers
> > seem to be able to move on to new systems very quickly as there are
> > apparently plenty of vulnerable systems to breach. Our mail server was
> > breached back in December and was used for similar activities for 2
> > days. The attackers created 2 accounts, udp and reboot. The udp account
> > had root privs and no password.
> >
> > The time of the probe was 14:05 CDT
>
> Has anyone seen this kind of thing?

A lot of this depends on how well your packet filter rules are structured
to mitigate the effectiveness of this kind of probing. Disallowing all
outgoing sessions (any and all sessions), except through a bastion host on
a DMZ, would be the best approach. The other approach would be to place
the rules that allow outgoing packets with SYN at the end of the rule
list, just prior to the global deny rule. All of this would, of course,
depend on the rules prior to the last few rules.

In other words, there is no band-aid solution. Your rules need to be
carefully thought out and in a sequence that will make each one
effective, especially the last ones.

Regards,                       Phone:  (250)387-8437
Cy Schubert                    Fax:    (250)387-5766
Open Systems Group             Internet:  Cy.Schubert@uumail.gov.bc.ca
ITSD                                      Cy.Schubert@gems8.gov.bc.ca
Province of BC

                    "e**(i*pi)+1=0"
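The forwarded report says probes with ACK and RST set "pass through common packet filters", and the reply argues that the ordering of the rules that admit return traffic is what decides this. The toy filter below is an added example written for this page, not code from the mail, from FreeBSD or from ipfw. It models the two ipfw matching keywords that such rule sets were built on, `setup` (SYN set, ACK clear) and `established` (RST or ACK set), and contrasts a stateless "allow established inbound" rule set with one that only admits inbound packets belonging to a connection the inside host actually opened. The addresses, ports and packets are constructed for the demonstration.

```python
"""Why an ACK+RST probe passes a stateless 'established' rule, and how
connection tracking blocks it.  Added example for this page; the rule
semantics follow ipfw's 'setup' and 'established' keywords, everything
else (hosts, ports, the packet sequence) is constructed."""
from __future__ import annotations

from dataclasses import dataclass

# TCP flag bits as laid out in the TCP header
SYN = 0x02
RST = 0x04
ACK = 0x10


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: int
    inbound: bool  # True when the packet arrives on the outside interface


def is_setup(flags: int) -> bool:
    """ipfw 'setup': SYN set and ACK clear, i.e. a connection request."""
    return bool(flags & SYN) and not (flags & ACK)


def is_established(flags: int) -> bool:
    """ipfw 'established': RST or ACK set.  An unsolicited ACK+RST probe
    matches this without any preceding SYN, which is the hole described."""
    return bool(flags & (RST | ACK))


def stateless_filter(pkt: Packet) -> str:
    """Typical late-1990s rule set: inside hosts may open connections out,
    'established' traffic is let back in, everything else is denied."""
    if not pkt.inbound:
        return "allow"  # rule 1: any outbound TCP
    if is_established(pkt.flags):
        return "allow"  # rule 2: inbound 'established'
    return "deny"  # rule 3: global deny


class StatefulFilter:
    """Records outbound connection requests and only admits inbound
    packets that belong to one of them (constructed, simplified model)."""

    def __init__(self) -> None:
        self.table: set[tuple[str, int, str, int]] = set()

    def check(self, pkt: Packet) -> str:
        if not pkt.inbound:
            if is_setup(pkt.flags):
                self.table.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "allow"
        # An inbound packet must be the reverse of a tracked outbound request.
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return "allow" if key in self.table else "deny"


def run_scenario() -> dict[str, tuple[str, str]]:
    """Runs a constructed packet sequence through both filters and returns
    {description: (stateless verdict, stateful verdict)}."""
    inside, web, attacker = "192.0.2.10", "198.51.100.80", "203.0.113.7"
    stateful = StatefulFilter()
    traffic = [
        ("outbound SYN to web server",
         Packet(inside, 40000, web, 80, SYN, inbound=False)),
        ("reply SYN/ACK from web server",
         Packet(web, 80, inside, 40000, SYN | ACK, inbound=True)),
        ("ACK+RST probe from unknown host",
         Packet(attacker, 31337, inside, 22, ACK | RST, inbound=True)),
        ("bare SYN from unknown host",
         Packet(attacker, 31338, inside, 22, SYN, inbound=True)),
    ]
    # Evaluate in order so the stateful filter sees the outbound SYN first.
    return {name: (stateless_filter(p), stateful.check(p)) for name, p in traffic}


if __name__ == "__main__":
    for name, (stateless, stateful) in run_scenario().items():
        print(f"{name:34} stateless={stateless:5} stateful={stateful}")
```

The legitimate reply and the bare SYN are judged the same way by both filters; the ACK+RST probe is the one packet on which they differ, passing the stateless rule set and being dropped by the connection-tracking one. In a real deployment the same outcome comes from keeping the "established" rule narrow (only the ports and peers that inside hosts may reach) and placing it, as the reply suggests, just ahead of the final deny.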