Date: Tue, 1 Aug 2000 00:45:26 -0400 (EDT)
From: Greg Hormann <ghormann@alumni.indiana.edu>
To: security@freebsd.org
Message-ID: <Pine.BSF.4.05.10008010024290.89472-100000@hormann.tzo.cc>

Today I noticed that my FreeBSD nat server was getting an extremely high number of packet hits. Turns out that my socks5 server was under some type of attack from multiple hosts. Looks like it started at about 2pm and ran until I shut Socks5 down just after midnight. Turns out the permit line in my socks5.conf just contained "-", a leftover from my dialup days.

Not understanding exactly how the SOCKS protocol works, I wonder:

(1) What damage might this have done? The destination port appears to always be 6112. Anybody know what is on this port?

(2) What's the best way to block this? If I block external access to the Socks5 port in my firewall will socks5 still work? Should I just use a permit/auth statement?

Thanks for any input.

Greg.

Aug 1 00:13:51 hormann Socks5[89393]: TCP Connection Established: Connect (24.141.20.175:3560 to 216.148.246.9:6112) for user
Aug 1 00:13:52 hormann Socks5[89394]: TCP Connection Request: Connect (24.141.20.175:3561 to 216.148.246.9:6112) for user
Aug 1 00:14:06 hormann Socks5[89397]: TCP Connection Terminated: Normal (24.141.20.175:3580 to 216.148.246.9:6112) for user : 1 bytes out, 0 bytes in
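
The relay pattern visible in the log lines quoted above, as an added example that is not part of the original message: a parser for that Socks5 syslog format that counts connections where both the client and the destination lie outside the networks the proxy is meant to serve. The `INTERNAL_NETS` ranges, the function names and the fourth sample line are assumptions made for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Assumption: address ranges the proxy is meant to serve (not given in the message).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]

# Shape of the Socks5 syslog lines quoted in the message.
LINE_RE = re.compile(
    r"Socks5\[\d+\]: TCP Connection (?P<event>\w+): \w+ "
    r"\((?P<src>[\d.]+):(?P<sport>\d+) to (?P<dst>[\d.]+):(?P<dport>\d+)\)"
)

SAMPLE = [
    # The first three lines are the ones quoted in the message.
    "Aug 1 00:13:51 hormann Socks5[89393]: TCP Connection Established: Connect (24.141.20.175:3560 to 216.148.246.9:6112) for user",
    "Aug 1 00:13:52 hormann Socks5[89394]: TCP Connection Request: Connect (24.141.20.175:3561 to 216.148.246.9:6112) for user",
    "Aug 1 00:14:06 hormann Socks5[89397]: TCP Connection Terminated: Normal (24.141.20.175:3580 to 216.148.246.9:6112) for user : 1 bytes out, 0 bytes in",
    # Constructed line: an internal client using the proxy as intended.
    "Aug 1 00:15:02 hormann Socks5[89401]: TCP Connection Request: Connect (192.168.1.20:1025 to 216.148.246.9:6112) for user",
]

def is_internal(addr):
    return any(addr in net for net in INTERNAL_NETS)

def parse(line):
    """Return the fields of one Socks5 connection line, or None if it does not match."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    try:
        src, dst = ipaddress.ip_address(m["src"]), ipaddress.ip_address(m["dst"])
    except ValueError:  # digits and dots that are not a valid IPv4 address
        return None
    return {"event": m["event"], "src": src, "sport": int(m["sport"]),
            "dst": dst, "dport": int(m["dport"])}

def relay_summary(lines):
    """Count distinct connections whose client and destination are both external."""
    ports = defaultdict(set)
    for line in lines:
        rec = parse(line)
        if rec is None or is_internal(rec["src"]) or is_internal(rec["dst"]):
            continue
        ports[(str(rec["src"]), str(rec["dst"]), rec["dport"])].add(rec["sport"])
    return {key: len(sports) for key, sports in ports.items()}

if __name__ == "__main__":
    for (src, dst, dport), n in relay_summary(SAMPLE).items():
        print(f"{src} -> {dst}:{dport} relayed through proxy: {n} connection(s)")
```

Connections are counted by distinct client source port, so the Established, Request and Terminated lines above register as three separate connections.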