Date:      Fri, 16 May 2003 22:53:21 +0200
From:      Thomas Krause -CI- <freebsd-isp@chef-ingenieur.de>
To:        freebsd-isp@freebsd.org
Subject:   router stops working because of udp packets
Message-ID:  <3EC54FC1.3090104@chef-ingenieur.de>


Hello,
Today, Friday, after work finished, our Ethernet-to-Ethernet router stopped
forwarding packets. I was not able to log in over the network.
At the console I found that networking was not working. A tcpdump
showed massive amounts of UDP packets from one of our customers, src port
1713, dst port 1434:

05/16/2003 19:00:14.781385 x.y.z.170.1713 > 79.122.10.21.1434:  udp 376
05/16/2003 19:00:14.782150 x.y.z.170.1713 > 16.137.137.128.1434:  udp 376
05/16/2003 19:00:14.783416 x.y.z.170.1713 > 150.141.172.126.1434:  udp 376
05/16/2003 19:00:14.783844 x.y.z.170.1713 > 205.160.58.42.1434:  udp 376
05/16/2003 19:00:14.784187 x.y.z.170.1713 > 59.43.151.138.1434:  udp 376
05/16/2003 19:00:14.784714 x.y.z.170.1713 > 76.38.166.145.1434:  udp 376
05/16/2003 19:00:14.785305 x.y.z.170.1713 > 25.185.92.104.1434:  udp 376
05/16/2003 19:00:14.786015 x.y.z.170.1713 > 178.116.158.27.1434:  udp 376
05/16/2003 19:00:14.787341 x.y.z.170.1713 > 72.166.154.87.1434:  udp 376
05/16/2003 19:00:14.787930 x.y.z.170.1713 > 37.41.114.136.1434:  udp 376
05/16/2003 19:00:14.788581 x.y.z.170.1713 > 142.84.69.189.1434:  udp 376
05/16/2003 19:00:14.789169 x.y.z.170.1713 > 83.182.142.184.1434:  udp 376
05/16/2003 19:00:14.789880 x.y.z.170.1713 > 4.229.249.105.1434:  udp 376
05/16/2003 19:00:14.790531 x.y.z.170.1713 > 42.233.42.241.1434:  udp 376
05/16/2003 19:00:14.791304 x.y.z.170.1713 > 128.126.251.198.1434:  udp 376
05/16/2003 19:00:14.792017 x.y.z.170.1713 > 125.128.102.124.1434:  udp 376
05/16/2003 19:00:14.792602 x.y.z.170.1713 > 134.174.163.206.1434:  udp 376
05/16/2003 19:00:14.793251 x.y.z.170.1713 > 107.136.65.162.1434:  udp 376
05/16/2003 19:00:14.793901 x.y.z.170.1713 > 188.206.247.162.1434:  udp 376

After blocking port 1713, routing on the BSD box is working normally.
(I have no access to the customer's PC.)

I believe the customer's host was hacked. Does anybody know what's
running on the host? How can I prevent such attacks? Are there any
kernel options? Or should I limit the UDP traffic?

BTW: 4.6.2-RELEASE-p9 is running on the router.

Regards,
Thomas.
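The pattern in the tcpdump output above (one source address and source port sending same-sized UDP datagrams to many different destinations on one port within milliseconds) is the kind of fan-out a router operator wants to spot automatically rather than by staring at the console. The following is an added example, not part of the original post or of any FreeBSD tool: it parses tcpdump lines in the format shown above, groups packets by (source, source port, destination port), reports groups that reach at least a threshold of distinct destinations together with their packet rate, and renders an ipfw rule of the shape the poster's workaround (blocking the offending port) would take. The sample lines are constructed to match the format of the post; the anonymised source "x.y.z.170" is kept as the poster wrote it, and the 10.0.0.x lines are made-up normal DNS traffic that should not be flagged. The ipfw rule assumes the router runs ipfw (kernel option IPFIREWALL), which the post does not state.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample input in the same format as the tcpdump lines in the post.
# The five x.y.z.170 lines copy the post's pattern; the two 10.0.0.x lines are
# made-up ordinary DNS traffic that must not be reported.
SAMPLE = """\
05/16/2003 19:00:14.781385 x.y.z.170.1713 > 79.122.10.21.1434:  udp 376
05/16/2003 19:00:14.782150 x.y.z.170.1713 > 16.137.137.128.1434:  udp 376
05/16/2003 19:00:14.783416 x.y.z.170.1713 > 150.141.172.126.1434:  udp 376
05/16/2003 19:00:14.783844 x.y.z.170.1713 > 205.160.58.42.1434:  udp 376
05/16/2003 19:00:14.784187 x.y.z.170.1713 > 59.43.151.138.1434:  udp 376
05/16/2003 19:00:15.100000 10.0.0.5.53000 > 10.0.0.1.53:  udp 40
05/16/2003 19:00:15.200000 10.0.0.1.53 > 10.0.0.5.53000:  udp 120
"""

# "<date> <time> <src>.<sport> > <dst>.<dport>:  udp <len>" as printed by the
# tcpdump of that era; the greedy \S+ backtracks so the last dotted field is the port.
LINE_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<src>\S+)\.(?P<sport>\d+) > "
    r"(?P<dst>\S+)\.(?P<dport>\d+):\s+udp (?P<len>\d+)$"
)


def parse_tcpdump_udp(text):
    """Yield one dict per recognised UDP line; lines in another format are skipped."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        ts = datetime.strptime(m["date"] + " " + m["time"], "%m/%d/%Y %H:%M:%S.%f")
        yield {
            "ts": ts, "src": m["src"], "sport": int(m["sport"]),
            "dst": m["dst"], "dport": int(m["dport"]), "len": int(m["len"]),
        }


def fan_out_report(text, min_targets=5):
    """Report (src, sport, dport) groups that reached at least min_targets distinct dsts.

    A single host spraying one destination port across many addresses from one
    source port is a scan/worm fan-out signature, not normal client behaviour.
    """
    groups = defaultdict(lambda: {"dsts": set(), "pkts": 0, "lens": set(),
                                  "first": None, "last": None})
    for p in parse_tcpdump_udp(text):
        g = groups[(p["src"], p["sport"], p["dport"])]
        g["dsts"].add(p["dst"])
        g["pkts"] += 1
        g["lens"].add(p["len"])
        g["first"] = p["ts"] if g["first"] is None else min(g["first"], p["ts"])
        g["last"] = p["ts"] if g["last"] is None else max(g["last"], p["ts"])

    report = []
    for (src, sport, dport), g in groups.items():
        if len(g["dsts"]) < min_targets:
            continue
        span = (g["last"] - g["first"]).total_seconds()
        # Packet rate over the observed window; a burst with zero span is reported as infinite.
        pps = g["pkts"] / span if span > 0 else float("inf")
        report.append({
            "src": src, "sport": sport, "dport": dport,
            "targets": len(g["dsts"]), "packets": g["pkts"],
            "payload_lens": sorted(g["lens"]), "pps": pps,
        })
    report.sort(key=lambda r: -r["targets"])
    return report


def ipfw_block_rule(entry, rule_number=1000):
    """Render an ipfw deny rule for a reported group (assumes ipfw is the router's firewall).

    Matching on source address, source port and destination port keeps the rule
    narrow; a blanket "deny udp from any to any <dport>" would also cut legitimate users.
    """
    return "ipfw add %d deny udp from %s %d to any %d" % (
        rule_number, entry["src"], entry["sport"], entry["dport"])


if __name__ == "__main__":
    for entry in fan_out_report(SAMPLE, min_targets=5):
        print("%(src)s:%(sport)d -> *:%(dport)d  targets=%(targets)d packets=%(packets)d "
              "lens=%(payload_lens)s pps=%(pps).0f" % entry)
        print("  suggested rule: " + ipfw_block_rule(entry))
```

Run it against a saved tcpdump capture (for example `tcpdump -n udp | python3 fanout.py` with a small read-from-stdin wrapper, or by replacing SAMPLE with the file contents) and tune `min_targets` to the size of the link; on a busy router a threshold of a few dozen distinct destinations per second per source is more realistic than five. The uniform payload length in the report is worth keeping: identical-size datagrams to many hosts are a stronger indicator than the count alone.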
