From owner-freebsd-security Mon Jul 31 21:45:50 2000
Delivered-To: freebsd-security@freebsd.org
Received: from hormann.tzo.cc (cvg-29-15-234.cinci.rr.com [24.29.15.234]) by hub.freebsd.org (Postfix) with ESMTP id 100E737BE06 for ; Mon, 31 Jul 2000 21:45:46 -0700 (PDT) (envelope-from ghormann@alumni.indiana.edu)
Received: from localhost (ghormann@localhost) by hormann.tzo.cc (8.9.3/8.9.3) with ESMTP id AAA89536 for ; Tue, 1 Aug 2000 00:45:27 -0400 (EDT) (envelope-from ghormann@alumni.indiana.edu)
X-Authentication-Warning: hormann.tzo.cc: ghormann owned process doing -bs
Date: Tue, 1 Aug 2000 00:45:26 -0400 (EDT)
From: Greg Hormann
X-Sender: ghormann@hormann.tzo.cc
To: security@freebsd.org
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Today I noticed that my FreeBSD NAT server was getting an extremely high number of packet hits. Turns out that my socks5 server was under some type of attack from multiple hosts. Looks like it started at about 2pm and ran until I shut Socks5 down just after midnight.

Turns out the permit line in my socks5.conf just contained "-", a leftover from my dialup days.

Not understanding exactly how the SOCKS protocol works, I wonder:

(1) What damage might this have done? The destination port appears to always be 6112. Anybody know what is on this port?

(2) What's the best way to block this? If I block external access to the Socks5 port in my firewall, will socks5 still work? Should I just use a permit/auth statement?

Thanks for any input.

Greg.
Aug 1 00:13:51 hormann Socks5[89393]: TCP Connection Established: Connect (24.141.20.175:3560 to 216.148.246.9:6112) for user
Aug 1 00:13:52 hormann Socks5[89394]: TCP Connection Request: Connect (24.141.20.175:3561 to 216.148.246.9:6112) for user
Aug 1 00:14:06 hormann Socks5[89397]: TCP Connection Terminated: Normal (24.141.20.175:3580 to 216.148.246.9:6112) for user : 1 bytes out, 0 bytes in

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
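An added example, not part of the original post, that parses Socks5 log lines in the format quoted above and flags connections relayed for client addresses outside the networks the proxy is meant to serve, which is what an unrestricted permit line lets through; the trusted network 192.168.1.0/24 and the fourth, legitimate log line are constructed assumptions.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Matches the Socks5 log lines quoted in the post, e.g.
#   Socks5[89393]: TCP Connection Established: Connect (24.141.20.175:3560 to 216.148.246.9:6112) for user
LINE_RE = re.compile(
    r"Socks5\[\d+\]: TCP Connection (?P<event>Established|Request|Terminated): [^(]*"
    r"\((?P<src>[\d.]+):(?P<sport>\d+) to (?P<dst>[\d.]+):(?P<dport>\d+)\)"
)

# Constructed sample: the three lines from the post plus one legitimate
# internal client (assumed), so the filter has something to let through.
SAMPLE_LINES = [
    "Aug 1 00:13:51 hormann Socks5[89393]: TCP Connection Established: Connect (24.141.20.175:3560 to 216.148.246.9:6112) for user",
    "Aug 1 00:13:52 hormann Socks5[89394]: TCP Connection Request: Connect (24.141.20.175:3561 to 216.148.246.9:6112) for user",
    "Aug 1 00:14:06 hormann Socks5[89397]: TCP Connection Terminated: Normal (24.141.20.175:3580 to 216.148.246.9:6112) for user : 1 bytes out, 0 bytes in",
    "Aug 1 00:20:00 hormann Socks5[89400]: TCP Connection Established: Connect (192.168.1.10:1025 to 10.0.0.5:80) for user alice",
]
# Assumed: the only network this proxy should relay for is the internal LAN.
TRUSTED_NETS = ["192.168.1.0/24"]


def parse_line(line):
    """Return the event, endpoints and ports of one Socks5 log line, or None."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    return {
        "event": m.group("event"),
        "src": m.group("src"), "sport": int(m.group("sport")),
        "dst": m.group("dst"), "dport": int(m.group("dport")),
    }


def find_relays(lines, trusted_nets):
    """Events whose client address lies outside every trusted network:
    with an unrestricted 'permit' line these are the open-proxy relays."""
    nets = [ip_network(n) for n in trusted_nets]
    hits = []
    for line in lines:
        ev = parse_line(line)
        if ev and not any(ip_address(ev["src"]) in n for n in nets):
            hits.append(ev)
    return hits


def summarize(relays):
    """Number of distinct outside sources and a histogram of destination ports."""
    return len({ev["src"] for ev in relays}), Counter(ev["dport"] for ev in relays)
```

Run `summarize(find_relays(SAMPLE_LINES, TRUSTED_NETS))` to get the source count and the per-port histogram; on the sample it reports one outside source and every relay aimed at port 6112.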