Date: Thu, 22 Mar 2001 17:33:30 +0200 From: ostap <ostap@ukrpost.net> To: freebsd-security@freebsd.org Subject: Re: DoS attack - advice needed Message-ID: <3ABA1B4A.9301775D@ukrpost.net> References: <3ABA09E0.141711C9@ukrpost.net> <20010322144634.V10016@shady.org>
next in thread | previous in thread | raw e-mail | index | archive | help
Thank you for your help, unfortunately i can't analyze it that deep, 'cos it was a one-time attack. i came there late in the evening, saw the problem, rebooted and everything was fine. so, no trafic snapshots unfortunately. looks like the guy issued one command, and the box went mad. i guess this wasn't that sophisticated, logs show traces of a usual portscanning software, it was ran twice or so, and then whole the thing started. it seems like the guy wasn't very experienced and was just playing around with some soft, exploiting some general hack, and then went home. i know that 3.3release is quite old, and should be ugraded of course, but i never thought it could be broken in such an easy way, without efforts, just using some standard tool. any ideas? Marc Rogers wrote: > > Hiya > > First thing you need to do is work out what they are throwing at you. > > You need to find out if the icmp was inward bound or outward. Outward bound > (which to be honest is much more likely) is often a symptom of something > that involves a large number of source addresses. A DDOS attack will generate > a huge amount of outward bound icmp, as will something that involves spoofed > source addresses. > > Blocking icmp in cases such as these will only cure the symptom, not the > disease. In addition you score an own goal, as by blocking that kind of traffic > withing your own network, the attackers still get to saturate your line(s) and > you are less likely to see some of the "clues" that can help you identify the > perpetrator. > > Take a snapshot of your network traffic (just tcpdump on some of the affected > machines will do) and either mail it to me or send it to this list, and I > and various others will look at it for you. Each diffrerent attack family > will require a different countermeasure. > > By the comment you have made that this attack has caused FreeBSD machines to > hang, I would suggest you are looking at something along the lines of a > fragmented packet attack, (which if they were using an often changing spoofed > source address, would explain the large amounts of icmp). > > Something I have noticed recently (and I will be making a separate post to this > list on this matter) is that although our beloved OS has been hardened against > attacks such as this, there are a number of well known software packages that > are affected dramatically by these attacks, and more often than not it is their > behaviour that causes up to date boxes to hang. > > Hope this helps, > > Marc Rogers > Head of Network Operations & Security > EDC Group > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?3ABA1B4A.9301775D>