From owner-freebsd-net  Wed Jun  5 13:46:19 2002
Delivered-To: freebsd-net@freebsd.org
Received: from omta04.mta.everyone.net (sitemail3.everyone.net [216.200.145.37])
	by hub.freebsd.org (Postfix) with ESMTP
	id 0EAC137B407; Wed,  5 Jun 2002 13:45:43 -0700 (PDT)
Received: from sitemail.everyone.net (dsnat [216.200.145.62])
	by omta04.mta.everyone.net (Postfix) with ESMTP
	id DE74F4FD3D; Wed,  5 Jun 2002 13:45:42 -0700 (PDT)
Received: by sitemail.everyone.net (Postfix, from userid 99)
	id AEE962756; Wed,  5 Jun 2002 13:45:42 -0700 (PDT)
Content-Type: text/plain
Content-Disposition: inline
Content-Transfer-Encoding: 7bit
Mime-Version: 1.0
X-Mailer: MIME-tools 5.41 (Entity 5.404)
Date: Wed, 5 Jun 2002 13:45:42 -0700 (PDT)
From: Muhammad Faisal Rauf Danka <mfrd@attitudex.com>
To: "Peter Brezny" <pbrezny@purplecat.net>, freebsd-net@freebsd.org
Cc: freebsd-security@freebsd.org
Subject: Re: currently experiencing some kind of DOS attack?  Need help!
Reply-To: mfrd@attitudex.com
X-Originating-Ip: [202.5.134.230]
Message-Id: <20020605204542.AEE962756@sitemail.everyone.net>
Sender: owner-freebsd-net@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-net.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20freebsd-net>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20freebsd-net>
X-Loop: FreeBSD.org

It looks like either distributed port scanning via source port 25.
Or maybe a stealth scan, which send spoofed syn packets along with the real sender's packet in order to confuse the victim that who actually scanned.
Are you using any firewall?
and proper mailing list for such an event is 
freebsd-security@freebsd.org

Regards, 
---------
Muhammad Faisal Rauf Danka

Chief Technology Officer
Gem Internet Services (Pvt) Ltd.
web: www.gem.net.pk

Vice President
Pakistan Computer Emergency Responce Team (PakCERT)
web: www.pakcert.org

Chief Security Analyst
Applied Technology Research Center (ATRC)
web: www.atrc.net.pk


--- "Peter Brezny" <pbrezny@purplecat.net> wrote:
>I think i'm experiencng some kind of DOS attack and I need some help
>pinpointing the bad guys, and cutting them off/reporting them.
>
>I've attached a tcpdump that was captured during the latest initial attack.
>They are coming at 10 minute intervals.
>
>The system under attack is 208.133.44.46
>
>The error i'm getting in /var/log/messages:
>Jun  5 10:05:51 rack /kernel: m_clalloc failed, consider increase
>NMBCLUSTERS value
>Jun  5 10:05:51 rack /kernel: xl0: no memory for rx list -- packet dropped!
>
>Any help is much appreciated.
>
>Peter Brezny
>Skyrunner.net
>
>
>09:56:44.778211 208.133.44.46.4181 > 64.90.1.81.25: . ack 1 win 33304
><nop,nop,timestamp 119714228 348692854> (DF
>)
>09:56:44.778289 208.133.44.46.4204 > 216.248.13.163.25: S
>583871681:583871681(0) win 65535 <mss 1460,nop,wscale 1
>,nop,nop,timestamp 119714228 0> (DF)
>09:56:44.778363 208.133.44.46.4205 > 216.248.13.163.25: S
>990811731:990811731(0) win 65535 <mss 1460,nop,wscale 1
>,nop,nop,timestamp 119714228 0> (DF)
>09:56:44.778437 208.133.44.46.4179 > 208.44.30.252.25: . ack 1 win 33304
><nop,nop,timestamp 119714228 0> (DF)
>09:56:44.778509 208.133.44.46.4195 > 12.107.51.89.25: . ack 1 win 33304
><nop,nop,timestamp 119714228 611001367> (
>DF)
>09:56:44.778606 208.133.44.46.4135 > 209.130.32.60.25: P 51:80(29) ack 171
>win 33304 <nop,nop,timestamp 119714228
> 9191680> (DF)
>09:56:44.778685 208.133.44.46.4206 > 209.149.145.242.25: S
>4218318996:4218318996(0) win 65535 <mss 1460,nop,wscal
>e 1,nop,nop,timestamp 119714228 0> (DF)
>09:56:44.778767 208.133.44.46.4207 > 12.18.94.118.25: S
>4233576849:4233576849(0) win 65535 <mss 1460,nop,wscale 1
>,nop,nop,timestamp 119714228 0> (DF)
>09:56:44.778844 208.133.44.46.4208 > 66.7.159.141.25: S
>2755991554:2755991554(0) win 65535 <mss 1460,nop,wscale 1
>,nop,nop,timestamp 119714228 0> (DF)
>09:56:44.778931 208.133.44.46.53 > 208.133.44.2.53:  15111+ A?
>lists.wnpt.net. (32)
>09:56:44.779019 208.133.44.46.53 > 208.133.44.2.53:  29381+ A?
>hammer.bw.vallnet.com. (39)
>09:56:44.779303 216.141.198.6.25 > 208.133.44.46.4182: S
>2677924182:2677924182(0) ack 3722697590 win 8760 <mss 14
>60> (DF)
>09:56:44.779412 208.133.44.46.4182 > 216.141.198.6.25: . ack 1 win 65535
>(DF)
>09:56:44.780186 209.142.136.248.25 > 208.133.44.46.4173: R 1:1(0) ack 1 win
>17520 (DF)
>09:56:44.782070 216.183.105.175.25 > 208.133.44.46.4184: S
>970622662:970622662(0) ack 611002520 win 5792 <mss 146
>0,nop,nop,timestamp 814152703 119714222,nop,wscale 0> (DF)
>09:56:44.782230 208.133.44.2.53 > 208.133.44.46.53:  39368 1/2/2 A
>12.18.94.118 (131)
>09:56:44.782304 208.133.44.46.4184 > 216.183.105.175.25: . ack 1 win 33304
><nop,nop,timestamp 119714229 814152703
>> (DF)
>09:56:44.782681 24.165.200.11.25 > 208.133.44.46.4191: S
>2693592169:2693592169(0) ack 2405761779 win 33304 <nop,n
>op,timestamp 53982485 119714224,nop,wscale 1,mss 1460> (DF)
>09:56:44.782759 208.133.44.46.4209 > 12.18.94.118.25: S
>1124694907:1124694907(0) win 65535 <mss 1460,nop,wscale 1
>,nop,nop,timestamp 119714229 0> (DF)
>09:56:44.782841 208.133.44.46.4191 > 24.165.200.11.25: . ack 1 win 33304
><nop,nop,timestamp 119714229 53982485> (
>DF)
>09:56:44.783407 208.133.44.2.53 > 208.133.44.46.53:  20554 1/2/2 A
>63.85.209.13 (119)
>09:56:44.783735 208.0.133.2.25 > 208.133.44.46.4156: P 94:226(132) ack 26
>win 8735 (DF)
>09:56:44.783820 208.133.44.46.4210 > 63.85.209.13.25: S
>2351909802:2351909802(0) win 65535 <mss 1460,nop,wscale 1
>,nop,nop,timestamp 119714229 0> (DF)
>09:56:44.783973 208.133.44.46.4156 > 208.0.133.2.25: P 26:55(29) ack 226 win
>65535 (DF)
>09:56:44.784436 216.141.198.5.25 > 208.133.44.46.4189: S
>3128014607:3128014607(0) ack 3231361719 win 8760 <mss 14
>60> (DF)
>09:56:44.784528 64.90.1.81.25 > 208.133.44.46.4192: S
>1792359129:1792359129(0) ack 122564349 win 10136 <nop,nop,t
>imestamp 348692855 119714224,nop,wscale 0,mss 1460> (DF)
>09:56:44.784592 208.133.44.46.4189 > 216.141.198.5.25: . ack 1 win 65535
>(DF)
>09:56:44.784663 208.133.44.46.4192 > 64.90.1.81.25: . ack 1 win 33304
><nop,nop,timestamp 119714229 348692855> (DF
>)
>09:56:44.785415 208.133.44.2.53 > 208.133.44.46.53:  10424* 1/3/4
>MX[|domain]
>09:56:44.786007 208.133.44.46.53 > 208.133.44.2.53:  9865+ A?
>mail.milanmirrorexchange.com. (46)
>09:56:44.786890 208.133.44.2.53 > 208.133.44.46.53:  10699 1/3/4 A
>63.238.52.32 (175)
>09:56:44.787268 64.12.137.121.25 > 208.133.44.46.4141: P 383:391(8) ack 55
>win 33304 <nop,nop,timestamp 243325248
> 119714225> (DF)
>09:56:44.787376 208.133.44.46.4211 > 63.238.52.89.25: S
>822989022:822989022(0) win 65535 <mss 1460,nop,wscale 1,n
>op,nop,timestamp 119714229 0> (DF)
>09:56:44.787529 208.133.44.46.4141 > 64.12.137.121.25: P 55:83(28) ack 391
>win 33304 <nop,nop,timestamp 119714230
> 243325248> (DF)
>09:56:44.787615 64.12.136.121.25 > 208.133.44.46.4134: . ack 8974 win 32768
><nop,nop,timestamp 1156210109 1197142
>25>
>09:56:44.787689 216.141.198.7.25 > 208.133.44.46.4183: S
>2740973361:2740973361(0) ack 3477352929 win 8760 <mss 14
>60> (DF)
>09:56:44.787917 208.133.44.2.53 > 208.133.44.46.53:  32840 1/2/2 A
>216.248.18.11 (116)
>09:56:44.788420 208.133.44.46.4134 > 64.12.136.121.25: . 12642:13166(524)
>ack 455 win 33012 <nop,nop,timestamp 11
>9714230 1156210109> (DF)
>09:56:44.788914 208.133.44.46.4134 > 64.12.136.121.25: . 13166:13690(524)
>ack 455 win 33012 <nop,nop,timestamp 11
>9714230 1156210109> (DF)
>09:56:44.789469 208.133.44.46.4134 > 64.12.136.121.25: . 13690:14214(524)
>ack 455 win 33012 <nop,nop,timestamp 11
>9714230 1156210109> (DF)
>09:56:44.790024 208.133.44.46.4134 > 64.12.136.121.25: . 14214:14738(524)
>ack 455 win 33012 <nop,nop,timestamp 11
>9714230 1156210109> (DF)
>09:56:44.790577 208.133.44.46.4134 > 64.12.136.121.25: . 14738:15262(524)
>ack 455 win 33012 <nop,nop,timestamp 11
>9714230 1156210109> (DF)
>09:56:44.790706 208.133.44.46.4183 > 216.141.198.7.25: . ack 1 win 65535
>(DF)
>09:56:44.790936 208.133.44.2.53 > 208.133.44.46.53:  65451 1/2/2 A
>216.248.18.12 (116)
>09:56:44.791024 208.44.30.252.25 > 208.133.44.46.4188: S
>1467598258:1467598258(0) ack 1322705327 win 17520 <mss 1
>460,nop,wscale 0,nop,nop,timestamp 0 0> (DF)
>09:56:44.791266 208.133.44.2.53 > 208.133.44.46.53:  30931 1/5/5 A[|domain]
>09:56:44.791527 208.133.44.46.4188 > 208.44.30.252.25: . ack 1 win 33304
><nop,nop,timestamp 119714230 0> (DF)
>09:56:44.792030 208.44.30.252.25 > 208.133.44.46.4190: S
>2949454116:2949454116(0) ack 2714795533 win 17520 <mss 1
>460,nop,wscale 0,nop,nop,timestamp 0 0> (DF)
>09:56:44.792102 216.53.195.54.25 > 208.133.44.46.4200: S
>414963656:414963656(0) ack 1200813988 win 24616 <nop,nop
>,timestamp 248050614 119714226,nop,wscale 0,mss 1460> (DF)
>09:56:44.792208 64.12.137.184.25 > 208.133.44.46.4144: . ack 26 win 33304
><nop,nop,timestamp 187499960 119714225>
> (DF)
>09:56:44.792296 208.133.44.46.4190 > 208.44.30.252.25: . ack 1 win 33304
><nop,nop,timestamp 119714230 0> (DF)
>09:56:44.792399 208.133.44.46.4200 > 216.53.195.54.25: . ack 1 win 33304
><nop,nop,timestamp 119714230 248050614>
>(DF)
>09:56:44.792540 64.12.136.121.25 > 208.133.44.46.4134: . ack 10022 win 32768
><nop,nop,timestamp 1156210109 119714
>225>
>09:56:44.792614 64.12.136.121.25 > 208.133.44.46.4134: . ack 10022 win 32768
><nop,nop,timestamp 1156210109 119714
>225>
>09:56:44.793129 208.133.44.46.4134 > 64.12.136.121.25: . 15262:15786(524)
>ack 455 win 33012 <nop,nop,timestamp 11
>9714230 1156210109> (DF)
>09:56:44.793680 208.133.44.46.4134 > 64.12.136.121.25: . 15786:16310(524)
>ack 455 win 33012 <nop,nop,timestamp 11
>9714230 1156210109> (DF)
>09:56:44.794369 208.133.44.46.4134 > 64.12.136.121.25: . 16310:16834(524)
>ack 455 win 33012 <nop,nop,timestamp 11
>9714230 1156210109> (DF)
>09:56:44.794513 208.133.44.46.53 > 208.133.44.2.53:  49539+ A?
>mx2.mail.twtelecom.net. (40)
>09:56:44.795064 64.12.137.184.25 > 208.133.44.46.4144: P 329:383(54) ack 26
>win 33304 <nop,nop,timestamp 18749996
>1 119714225> (DF)
>09:56:44.795225 208.133.44.2.53 > 208.133.44.46.53:  23829* 1/2/2
>MX[|domain]
>09:56:44.795304 205.152.58.3.25 > 208.133.44.46.4158: . ack 55 win 10136
><nop,nop,timestamp 124110683 119714219>
>(DF)
>09:56:44.795376 64.12.136.121.25 > 208.133.44.46.4134: . ack 12118 win 32768
><nop,nop,timestamp 1156210110 119714
>225>
>09:56:44.795924 208.133.44.46.4134 > 64.12.136.121.25: . 16834:17358(524)
>ack 455 win 33012 <nop,nop,timestamp 11
>9714230 1156210110> (DF)
>09:56:44.796419 208.133.44.46.4134 > 64.12.136.121.25: . 17358:17882(524)
>ack 455 win 33012 <nop,nop,timestamp 11
>9714230 1156210110> (DF)
>09:56:44.796918 208.133.44.46.4134 > 64.12.136.121.25: . 17882:18406(524)
>ack 455 win 33012 <nop,nop,timestamp 11
>9714230 1156210110> (DF)
>09:56:44.797408 208.133.44.46.4134 > 64.12.136.121.25: . 18406:18930(524)
>ack 455 win 33012 <nop,nop,timestamp 11
>9714230 1156210110> (DF)
>09:56:44.797895 208.133.44.46.4134 > 64.12.136.121.25: . 18930:19454(524)
>ack 455 win 33012 <nop,nop,timestamp 11
>9714230 1156210110> (DF)
>09:56:44.797994 208.133.44.46.4144 > 64.12.137.184.25: P 26:55(29) ack 383
>win 33304 <nop,nop,timestamp 119714230
> 187499961> (DF)
>09:56:44.798158 208.133.44.46.53 > 208.133.44.2.53:  54617+ A?
>lucy.multipro.com. (35)
>09:56:44.798233 205.152.58.132.25 > 208.133.44.46.4152: . ack 55 win 10136
><nop,nop,timestamp 124078565 119714219
>> (DF)
>09:56:44.798307 64.12.136.121.25 > 208.133.44.46.4134: . ack 10546 win 32768
><nop,nop,timestamp 1156210110 119714
>225>
>09:56:44.798426 206.102.201.11.25 > 208.133.44.46.4199: S
>31341815:31341815(0) ack 329832920 win 8760 <mss 1460>
>(DF)
>09:56:44.798559 208.133.44.46.4199 > 206.102.201.11.25: . ack 1 win 65535
>(DF)
>09:56:44.799241 208.133.44.3.53 > 208.133.44.46.53:  15267* 1/3/3 (191)
>09:56:44.800389 208.133.44.3.53 > 208.133.44.46.53:  64791* 1/3/3 (194)
>09:56:44.801324 208.133.44.46.4212 > 64.75.1.251.25: S
>728130978:728130978(0) win 65535 <mss 1460,nop,wscale 1,no
>p,nop,timestamp 119714231 0> (DF)
>09:56:44.803151 209.130.32.61.25 > 208.133.44.46.4136: . ack 51 win 49152
><nop,nop,timestamp 7067072 119714221> (
>DF)
>09:56:44.803364 209.130.32.61.25 > 208.133.44.46.4136: P 82:173(91) ack 51
>win 49152 <nop,nop,timestamp 7067072 1
>19714221> (DF)
>09:56:44.803482 152.163.224.26.25 > 208.133.44.46.4143: P 329:383(54) ack 26
>win 32768 <nop,nop,timestamp 1156952
>985 119714223>
>09:56:44.803601 208.133.44.46.4136 > 209.130.32.61.25: P 51:80(29) ack 173
>win 33304 <nop,nop,timestamp 119714231
> 7067072> (DF)
>09:56:44.803695 208.133.44.46.4143 > 152.163.224.26.25: P 26:55(29) ack 383
>win 33012 <nop,nop,timestamp 11971423
>1 1156952985> (DF)
>09:56:44.804003 12.153.11.240.25 > 208.133.44.46.4177: P 81:121(40) ack 26
>win 16535 <nop,nop,timestamp 41316743
>119714228> (DF)
>09:56:44.804192 208.133.44.46.4177 > 12.153.11.240.25: P 26:51(25) ack 121
>win 32832 <nop,nop,timestamp 119714231
> 41316743> (DF)
>09:56:44.804430 63.93.245.3.25 > 208.133.44.46.4198: S
>143862244:143862244(0) ack 3178198484 win 16352 <mss 1460>
>09:56:44.804611 208.133.44.46.4198 > 63.93.245.3.25: . ack 1 win 65535 (DF)
>09:56:44.804743 208.27.252.10.25 > 208.133.44.46.4176: P 118:188(70) ack 26
>win 17495 <nop,nop,timestamp 7714269
>119714228> (DF)
>09:56:44.804851 205.152.58.1.25 > 208.133.44.46.4157: . ack 55 win 10136
><nop,nop,timestamp 124173080 119714220>
>(DF)
>09:56:44.806461 149.48.46.26.25 > 208.133.44.46.4140: P 281:322(41) ack 92
>win 64296 <nop,nop,timestamp 230419760
> 119714227> (DF)
>09:56:44.806696 208.133.44.46.4140 > 149.48.46.26.25: P 92:98(6) ack 322 win
>32832 <nop,nop,timestamp 119714231 2
>30419760> (DF)
>09:56:44.807059 208.0.133.2.25 > 208.133.44.46.4175: P 1:94(93) ack 1 win
>8760 (DF)
>09:56:44.807192 203.176.60.186.25 > 208.133.44.46.4166: P 1:77(76) ack 1 win
>24616 <nop,nop,timestamp 396223055 1
>19714218> (DF)
>09:56:44.807284 208.133.44.46.4175 > 208.0.133.2.25: P 1:26(25) ack 94 win
>65535 (DF)
>09:56:44.807413 208.133.44.46.4166 > 203.176.60.186.25: P 1:26(25) ack 77
>win 33304 <nop,nop,timestamp 119714232
>396223055> (DF)
>09:56:44.807622 208.45.133.107.25 > 208.133.44.46.4180: P 1:68(67) ack 1 win
>5840 (DF)
>09:56:44.807809 208.133.44.46.4180 > 208.45.133.107.25: P 1:26(25) ack 68
>win 65535 (DF)
>09:56:44.808143 208.133.44.46.53 > 208.133.44.2.53:  4340+ ANY?
>care-communications.com. (41)
>09:56:44.809188 204.78.60.100.25 > 208.133.44.46.4150: P 101:131(30) ack 26
>win 17495 <nop,nop,timestamp 35058036
> 119714225> (DF)
>09:56:44.809257 216.145.68.3.25 > 208.133.44.46.4174: S
>809889280:809889280(0) ack 2587056518 win 17520 <mss 1460
>,wscale 0,eol> (DF)
>09:56:44.809360 207.69.235.6.25 > 208.133.44.46.4138: P 104:133(29) ack 26
>win 16535 <nop,nop,timest^C
>30245 packets received by filter
>4276 packets dropped by kernel
>
>
>
>
>
>
>To Unsubscribe: send mail to majordomo@FreeBSD.org
>with "unsubscribe freebsd-security" in the body of the message

_____________________________________________________________
---------------------------
[ATTITUDEX.COM]
http://www.attitudex.com/
---------------------------

_____________________________________________________________
Promote your group and strengthen ties to your members with email@yourgroup.org by Everyone.net  http://www.everyone.net/?btn=tag

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-net" in the body of the message