From owner-freebsd-security Tue Nov 16 20: 8:53 1999
Delivered-To: freebsd-security@freebsd.org
Received: from gndrsh.dnsmgr.net (GndRsh.dnsmgr.net [198.145.92.4]) by hub.freebsd.org (Postfix) with ESMTP id F18CF14FBE for ; Tue, 16 Nov 1999 20:08:48 -0800 (PST) (envelope-from freebsd@gndrsh.dnsmgr.net)
Received: (from freebsd@localhost) by gndrsh.dnsmgr.net (8.9.3/8.9.3) id UAA20089; Tue, 16 Nov 1999 20:08:38 -0800 (PST) (envelope-from freebsd)
From: "Rodney W. Grimes"
Message-Id: <199911170408.UAA20089@gndrsh.dnsmgr.net>
Subject: Re: Tracing Spoofed Packets
In-Reply-To: <4.1.19991116182120.0094d280@mail.thegrid.net> from The Mad Scientist at "Nov 16, 1999 06:47:49 pm"
To: madscientist@thegrid.net (The Mad Scientist)
Date: Tue, 16 Nov 1999 20:08:37 -0800 (PST)
Cc: freebsd-security@FreeBSD.ORG
X-Mailer: ELM [version 2.4ME+ PL54 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> I doubt it, but is there ANY way to trace spoofed packets coming in from
> the Internet? I've been getting these packets showing up at my border
> router pretty regularly for the past few days now:

First step is to complain to your peering ISP on this border router; they
should be dropping all RFC1918 src or dst addressed packets at their border.
They probably have an internal leak, or one of their customers does. The
only way of tracking these down is getting good cooperation from the
technical people you are connected to on this link and having them search
their borders for the source, then instituting correct AS policy and
dropping these things like they already should be.

Many people have long used a poor filter list for this, simply filtering
for dst only; current best practice is to filter on either src or dst being
in RFC1918 space (and a few others too: unless you support mcast peering
with your adjacent AS's you should drop src or dst 224/12 as well, and
don't forget to filter 127/8, etc, etc... :-)

>
> Nov 15 19:47:43 wormhole /kernel: icmp-response bandwidth limit 284/100 pps
> Nov 15 19:57:06 wormhole /kernel: ipfw: 400 Deny ICMP:3.13 10.1.6.6 10.0.1.2 in via ed0
> Nov 15 19:57:37 wormhole last message repeated 36 times
> Nov 15 19:59:38 wormhole last message repeated 175 times
> Nov 15 20:00:53 wormhole last message repeated 96 times
>
> This goes on for about two hours. The logs don't show anything else
> abnormal from what I can discern. I don't see any performance hit or
> bandwidth drop, so it doesn't really bother me. I'd just like to figure
> out what's going on.
> Thanks in advance,
> -Dean
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
>

--
Rod Grimes - KD7CAX @ CN85sl - (RWG25) rgrimes@gndrsh.dnsmgr.net
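The point Rod makes about filtering on either src or dst, rather than dst only, can be checked offline. The following Python is an added example, not code from the thread or from FreeBSD: it parses the ipfw deny line Dean posted, classifies addresses against the ranges a border filter should match (RFC1918, 127/8, and the full IPv4 multicast block 224.0.0.0/4, which this example uses in place of the post's 224/12), and compares a dst-only filter with a src-or-dst filter over a few constructed packets. The 198.51.100.x and 203.0.113.x addresses are constructed documentation-range values, and the function and variable names are this example's own.

```python
import ipaddress
import re

# Ranges a border filter should match on EITHER src or dst, per the post.
# 224.0.0.0/4 is the full IPv4 multicast block (the post writes 224/12);
# this list is assembled for the example, not taken from any ruleset.
FILTER_RANGES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # RFC1918 private space
    "127.0.0.0/8",                                     # loopback
    "224.0.0.0/4",                                     # multicast
)]

# Matches the address portion of a FreeBSD ipfw log line such as
# "ipfw: 400 Deny ICMP:3.13 10.1.6.6 10.0.1.2 in via ed0".
# TCP/UDP lines carry "addr:port"; the port is stripped below.
IPFW_DENY = re.compile(
    r"ipfw: (?P<rule>\d+) Deny (?P<proto>\S+) (?P<src>\S+) (?P<dst>\S+) "
    r"(?P<dir>in|out) via (?P<iface>\S+)"
)


def in_filtered_space(addr: str) -> bool:
    """True if addr falls inside any range a border filter should drop."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in FILTER_RANGES)


def should_drop(src: str, dst: str, mode: str = "src-or-dst") -> bool:
    """Decide whether a packet is dropped under the chosen filter policy.

    mode="dst-only"   reproduces the poor filter list the post criticises.
    mode="src-or-dst" is the policy the post recommends.
    """
    if mode == "dst-only":
        return in_filtered_space(dst)
    return in_filtered_space(src) or in_filtered_space(dst)


def parse_ipfw_deny(line: str):
    """Extract rule, protocol, src, dst, direction and interface from an
    ipfw deny line; returns None for lines that are not ipfw denies."""
    m = IPFW_DENY.search(line)
    if not m:
        return None
    fields = m.groupdict()
    fields["rule"] = int(fields["rule"])
    # IPv4 "addr:port" form for TCP/UDP; ICMP lines have no port.
    fields["src"] = fields["src"].split(":")[0]
    fields["dst"] = fields["dst"].split(":")[0]
    return fields


def compare_filters(packets):
    """Return the (src, dst) pairs a dst-only filter lets through but a
    src-or-dst filter drops: exactly the spoofed-source leaks the post
    says a dst-only list misses."""
    return [(s, d) for s, d in packets
            if not should_drop(s, d, "dst-only") and should_drop(s, d)]


# The deny line from Dean's log, as quoted in the thread.
SAMPLE_LOG = ("Nov 15 19:57:06 wormhole /kernel: ipfw: 400 Deny ICMP:3.13 "
              "10.1.6.6 10.0.1.2 in via ed0")

# Constructed packets for the comparison (documentation-range publics).
SAMPLE_PACKETS = [
    ("10.1.6.6", "10.0.1.2"),         # the logged packet: both private
    ("10.1.6.6", "198.51.100.7"),     # private src, public dst: dst-only misses it
    ("203.0.113.9", "198.51.100.7"),  # ordinary public-to-public traffic
    ("203.0.113.9", "224.0.0.9"),     # multicast dst, no mcast peering here
]

if __name__ == "__main__":
    pkt = parse_ipfw_deny(SAMPLE_LOG)
    print("logged packet:", pkt)
    for src, dst in SAMPLE_PACKETS:
        print(f"{src:>13} -> {dst:<13} dst-only={should_drop(src, dst, 'dst-only')!s:5} "
              f"src-or-dst={should_drop(src, dst)}")
    print("leaks a dst-only filter misses:", compare_filters(SAMPLE_PACKETS))
```

Run as-is it shows that the logged 10.1.6.6 -> 10.0.1.2 packet is dropped under both policies, but a packet from the same private source aimed at a public destination only gets dropped by the src-or-dst policy, which is the leak the post says upstream borders should already be closing.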