From owner-freebsd-questions Tue Oct 24 19: 3:30 2000
Delivered-To: freebsd-questions@freebsd.org
Received: from mailhost01.reflexnet.net (mailhost01.reflexnet.net [64.6.192.82])
	by hub.freebsd.org (Postfix) with ESMTP id 89ACE37B479
	for ; Tue, 24 Oct 2000 19:03:27 -0700 (PDT)
Received: from 149.211.6.64.reflexcom.com ([64.6.211.149])
	by mailhost01.reflexnet.net with Microsoft SMTPSVC(5.5.1877.197.19);
	Tue, 24 Oct 2000 19:02:02 -0700
Received: (from cjc@localhost)
	by 149.211.6.64.reflexcom.com (8.11.0/8.11.0) id e9P23Fb20035;
	Tue, 24 Oct 2000 19:03:16 -0700 (PDT) (envelope-from cjc)
Date: Tue, 24 Oct 2000 19:03:15 -0700
From: "Crist J . Clark"
To: Craig Beasland
Cc: questions@FreeBSD.ORG
Subject: Re: Possible network attack
Message-ID: <20001024190315.U75251@149.211.6.64.reflexcom.com>
Reply-To: cjclark@alum.mit.edu
References:
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 1.0i
In-Reply-To: ; from craig@hotmix.com.au on Wed, Oct 25, 2000 at 09:08:54AM +0800
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On Wed, Oct 25, 2000 at 09:08:54AM +0800, Craig Beasland wrote:
> Hi there,
>
> This morning I received an email from someone in nz suggesting that my
> system may have been breached, based on some entries in his firewall log.
> There are about 100 of these messages he sent back to me, but I have no idea
> what the problem may be. The system is running
>
> This machine runs userland ppp -ddial -alias for its internet connection and
> ipfw with an open policy.
>
> cheers
> craig
>
> 8:02:44 drop trex-public >qfe0 proto icmp src kipco.mydomain.com.au dst
> 95-127.team.xtra.co.nz rule 64 icmp-type 8 icmp-code 0
> 8:02:44 drop trex-public >qfe0 proto icmp src kipco.mydomain.com.au dst
> 95-126.team.xtra.co.nz rule 64 icmp-type 8 icmp-code 0
> 8:02:44 drop trex-public >qfe0 proto icmp src kipco.mydomain.com.au dst
> 95-125.team.xtra.co.nz rule 64 icmp-type 8 icmp-code 0
> 8:02:44 drop trex-public >qfe0 proto icmp src kipco.mydomain.com.au dst
> 95-124.team.xtra.co.nz rule 64 icmp-type 8 icmp-code 0
> 8:02:44 drop trex-public >qfe0 proto icmp src kipco.mydomain.com.au dst
> 95-123.team.xtra.co.nz rule 64 icmp-type 8 icmp-code 0
> 8:02:44 drop trex-public >qfe0 proto icmp src kipco.mydomain.com.au dst
> 95-122.team.xtra.co.nz rule 64 icmp-type 8 icmp-code 0
> 8:02:44 drop trex-public >qfe0 proto icmp src kipco.mydomain.com.au dst
> 95-121.team.xtra.co.nz rule 64 icmp-type 8 icmp-code 0

It looks like a bunch of echo requests. Really hard to say if anything
funny is going on. Would you be pinging them multiple times per
second? Is the destination address a broadcast address? Maybe someone
is trying to smurf you?
-- 
Crist J. Clark                           cjclark@alum.mit.edu


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
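
The "multiple times per second" question in the reply can be answered from the log itself. The following is an added example, not part of the original thread: it groups ICMP echo requests by source and second and reports any source that hit many distinct destinations in one second. The field layout is inferred from the quoted lines, and the `min_targets` threshold and the final sample line are assumptions made for illustration.

```python
import re
from collections import defaultdict

# First seven lines: the quoted log entries above with the mail wrapping undone.
# Last line: constructed for contrast (an echo reply from another source).
SAMPLE_LOG = """\
8:02:44 drop trex-public >qfe0 proto icmp src kipco.mydomain.com.au dst 95-127.team.xtra.co.nz rule 64 icmp-type 8 icmp-code 0
8:02:44 drop trex-public >qfe0 proto icmp src kipco.mydomain.com.au dst 95-126.team.xtra.co.nz rule 64 icmp-type 8 icmp-code 0
8:02:44 drop trex-public >qfe0 proto icmp src kipco.mydomain.com.au dst 95-125.team.xtra.co.nz rule 64 icmp-type 8 icmp-code 0
8:02:44 drop trex-public >qfe0 proto icmp src kipco.mydomain.com.au dst 95-124.team.xtra.co.nz rule 64 icmp-type 8 icmp-code 0
8:02:44 drop trex-public >qfe0 proto icmp src kipco.mydomain.com.au dst 95-123.team.xtra.co.nz rule 64 icmp-type 8 icmp-code 0
8:02:44 drop trex-public >qfe0 proto icmp src kipco.mydomain.com.au dst 95-122.team.xtra.co.nz rule 64 icmp-type 8 icmp-code 0
8:02:44 drop trex-public >qfe0 proto icmp src kipco.mydomain.com.au dst 95-121.team.xtra.co.nz rule 64 icmp-type 8 icmp-code 0
8:02:45 drop trex-public >qfe0 proto icmp src other.example.net dst 95-10.team.xtra.co.nz rule 64 icmp-type 0 icmp-code 0
"""

LINE_RE = re.compile(
    r"^(?P<time>\d{1,2}:\d{2}:\d{2})\s+(?P<action>\S+)\s+.*?"
    r"proto\s+(?P<proto>\S+)\s+src\s+(?P<src>\S+)\s+dst\s+(?P<dst>\S+)"
    r".*?icmp-type\s+(?P<itype>\d+)\s+icmp-code\s+(?P<icode>\d+)"
)

ECHO_REQUEST = 8  # ICMP type 8, code 0 is an echo request ("ping")

def parse(log_text):
    """Yield one dict of fields per log line that matches the layout above."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groupdict()

def echo_sweeps(log_text, min_targets=5):
    """Return {(src, time): sorted dsts} for sources that sent echo requests
    to at least min_targets distinct destinations within the same second."""
    seen = defaultdict(set)
    for rec in parse(log_text):
        if (rec["proto"] == "icmp" and int(rec["itype"]) == ECHO_REQUEST
                and int(rec["icode"]) == 0):
            seen[(rec["src"], rec["time"])].add(rec["dst"])
    return {k: sorted(v) for k, v in seen.items() if len(v) >= min_targets}

if __name__ == "__main__":
    for (src, when), dsts in echo_sweeps(SAMPLE_LOG).items():
        print(f"{when} {src}: echo requests to {len(dsts)} hosts in one second")
        print("  first/last:", dsts[0], dsts[-1])
```

A hit only shows that one source address sent echo requests to many hosts within a second; deciding whether that source address is genuine still needs the sending host's own records.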