From owner-freebsd-security Tue Nov 16 19: 9:24 1999
Delivered-To: freebsd-security@freebsd.org
Received: from sand2.sentex.ca (sand2.sentex.ca [209.167.248.3]) by hub.freebsd.org (Postfix) with ESMTP id 9BF2F14C85 for ; Tue, 16 Nov 1999 19:09:19 -0800 (PST) (envelope-from mike@sentex.net)
Received: from gravel (ospf-mdt.sentex.net [205.211.164.81]) by sand2.sentex.ca (8.8.8/8.8.8) with SMTP id WAA20029; Tue, 16 Nov 1999 22:09:09 -0500 (EST) (envelope-from mike@sentex.net)
Message-Id: <4.1.19991116215418.03da5a60@granite.sentex.ca>
X-Sender: mdtancsa@granite.sentex.ca
X-Mailer: QUALCOMM Windows Eudora Pro Version 4.1
Date: Tue, 16 Nov 1999 22:09:27 -0500
To: The Mad Scientist , freebsd-security@FreeBSD.ORG
From: Mike Tancsa
Subject: Re: Tracing Spoofed Packets
In-Reply-To: <4.1.19991116182120.0094d280@mail.thegrid.net>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

At 09:47 PM 11/16/99 , The Mad Scientist wrote:
>I doubt it, but is there ANY way to trace spoofed packets coming in from
>the Internet? I've been getting these packets showing up at my border
>router pretty regularly for the past few days now:

Not really... You would probably have to get on the phone with each of your upstreams, and they in turn with their upstreams and so on and so on until you found where the cruft was coming from.

How regular is it? It might not be your case, but lately I have seen SPAM coming from rogue sites that have reserved addresses for MX records and such, or are pointing the domains back to various core routers. If a mailer on your system wants to bounce back the message to them, and your upstream is actually routing those reserved IPs, you might get ICMP messages about them other than host unreachables... Or if it's pointed to a router somewhere, and you have a lot in your queue, you will see a whack of 3.3 ICMP unreachable messages...
>Nov 15 19:47:43 wormhole /kernel: icmp-response bandwidth limit 284/100 pps
>Nov 15 19:57:06 wormhole /kernel: ipfw: 400 Deny ICMP:3.13 10.1.6.6 10.0.1.2 in via ed0

Is this your ipfw rule blocking the incoming ICMP packet? Or your ipfw rule saying block said IP packets from 10.1.6.6? If so, what is 10.1.6.6 sending you? Try something like

ipfw add 398 count log ip from 10.0.0.0/12 to any
ipfw add 399 count log icmp from 10.0.0.0/12 to any

and then your

ipfw add 400 deny log ip from 10.0.0.0/12 ....

---Mike

**********************************************************************
Mike Tancsa, Network Admin          *   mike@sentex.net
Sentex Communications Corp,         *   http://www.sentex.net/mike
Cambridge, Ontario                  *   519 651 3400
Canada                              *
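The triage Mike is asking for ("what is 10.1.6.6 sending you?") is easier once the ipfw log lines are decoded: the ICMP type.code is spelled out, sources in reserved space are flagged, and the kernel's own "icmp-response bandwidth limit" line is separated from the firewall hits. The script below is an added example and is not part of the thread or of FreeBSD; it assumes the classic ipfw syslog layout seen in the quoted line (rule, action, proto[:type.code], src[:port], dst[:port], in|out via iface), and the extra log lines in SAMPLE_LOG beyond the two quoted above are constructed for the demonstration.

```python
"""Decode ipfw deny/count log lines and flag traffic from reserved address space.

Added example, not from the freebsd-security thread. The regex is modelled on the
one ipfw line quoted in the message; the TCP/UDP ":port" form is assumed.
"""
import ipaddress
import re
from collections import Counter

IPFW_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>\w+) (?P<proto>[A-Z]+)"
    r"(?::(?P<type>\d+)\.(?P<code>\d+))? "
    r"(?P<src>[\d.]+?)(?::(?P<sport>\d+))? "
    r"(?P<dst>[\d.]+?)(?::(?P<dport>\d+))? "
    r"(?P<dir>in|out) via (?P<iface>\S+)"
)
# Kernel line logged when the host throttles the ICMP errors it would itself send:
# "<attempted>/<limit> pps".  Many such lines mean something is provoking lots of
# ICMP responses from this box, which is a different problem from inbound spoofs.
LIMIT_RE = re.compile(r"icmp-response bandwidth limit (?P<rate>\d+)/(?P<limit>\d+) pps")

# Source blocks that should never arrive on an Internet-facing interface.  This is
# the example's own list: RFC 1918 private space plus the usual "martian" ranges.
RESERVED = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "172.16.0.0/12",
    "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
)]

ICMP_NAMES = {
    (0, 0): "echo reply",
    (3, 0): "net unreachable",
    (3, 1): "host unreachable",
    (3, 3): "port unreachable",
    (3, 13): "communication administratively prohibited",
    (8, 0): "echo request",
    (11, 0): "TTL exceeded in transit",
}
# ICMP error types quote the header of the packet that provoked them, so an inbound
# error means a packet carrying *your* source address reached the sender.
ICMP_ERROR_TYPES = {3, 4, 5, 11, 12}

# Constructed sample: the two lines quoted in the thread plus three invented ones.
SAMPLE_LOG = """\
Nov 15 19:47:43 wormhole /kernel: icmp-response bandwidth limit 284/100 pps
Nov 15 19:57:06 wormhole /kernel: ipfw: 400 Deny ICMP:3.13 10.1.6.6 10.0.1.2 in via ed0
Nov 15 19:57:07 wormhole /kernel: ipfw: 400 Deny ICMP:3.3 10.1.6.6 10.0.1.2 in via ed0
Nov 15 19:57:09 wormhole /kernel: ipfw: 398 Count UDP 10.1.6.6:53 10.0.1.2:1025 in via ed0
Nov 15 19:57:11 wormhole /kernel: ipfw: 300 Deny TCP 198.51.100.7:4444 10.0.1.2:25 in via ed0
"""


def is_reserved(addr):
    """True if addr falls inside one of the RESERVED blocks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RESERVED)


def parse_ipfw_line(line):
    """Return a dict describing one ipfw log line, or None if it is not one."""
    m = IPFW_RE.search(line)
    if not m:
        return None
    rec = {k: v for k, v in m.groupdict().items() if v is not None}
    rec["rule"] = int(rec["rule"])
    if "type" in rec:
        t, c = int(rec.pop("type")), int(rec.pop("code"))
        rec["icmp"] = (t, c)
        rec["icmp_name"] = ICMP_NAMES.get((t, c), f"type {t} code {c}")
        rec["icmp_error"] = t in ICMP_ERROR_TYPES
    rec["src_reserved"] = is_reserved(rec["src"])
    return rec


def triage(log_text):
    """Return (records, hit counter keyed by (src, dir, what), rate-limit events)."""
    records, hits, limited = [], Counter(), []
    for line in log_text.splitlines():
        lm = LIMIT_RE.search(line)
        if lm:
            limited.append((int(lm["rate"]), int(lm["limit"])))
            continue
        rec = parse_ipfw_line(line)
        if rec is None:
            continue
        records.append(rec)
        what = rec.get("icmp_name") or rec["proto"] + ("/" + rec["dport"] if "dport" in rec else "")
        hits[(rec["src"], rec["dir"], what)] += 1
    return records, hits, limited


if __name__ == "__main__":
    recs, hits, limited = triage(SAMPLE_LOG)
    for (src, direction, what), n in hits.most_common():
        flag = "  [reserved source]" if is_reserved(src) else ""
        print(f"{n:4d}  {src:<16} {direction:<3} {what}{flag}")
    for rate, limit in limited:
        print(f"kernel throttled its own ICMP responses: {rate}/{limit} pps")
```

Run it against /var/log/messages instead of SAMPLE_LOG to see, per source, whether the blocked traffic is ICMP errors (replies to something that carried your address, as the 3.13 line suggests) or original packets such as the UDP/TCP hits, which is exactly what the count/log rules before the deny rule would reveal.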