Date: 14 Apr 2001 11:03:24 -0400
From: Lowell Gilbert <lowell@world.std.com>
To: freebsd-security@freebsd.org, mike@coloradosurf.com
Subject: Re: a couple boxes getting hammered with ip frags
Message-ID: <rd61yqvmslf.fsf@world.std.com>
In-Reply-To: mike@coloradosurf.com's message of "13 Apr 2001 17:11:07 +0200"
References: <20010413090451.A46082@coloradosurf.com>
mike@coloradosurf.com (mike) writes:

> Sorry for posting yet another item on ipfw -1 (especially to Crist),
> but...
>
> I have two web production boxes that were hammered yesterday (from
> about 9:30 am to 12:30 pm) with (what I assumed to be) IP frags (a
> very long list of
> "/kernel: ipfw: -1 Refuse TCP e.f.g.h:54661 a.b.c.d:80 in via rl0").
>
> They were coming from many different IPs. A brief search did not show
> any consistency in the IPs that were hitting the two machines. I am
> therefore assuming (danger danger) that it was more likely a
> network issue that may have been causing the fragments and not some
> type of DoS or attempt to 'circumvent' the firewall.
>
> And, since I'm not so sure, I was hoping someone might be able to
> shed a little more light on this one.

No, I'm afraid that these fragments definitely constitute some sort of attack. That '-1' rule is for a type of packet that has *no* useful purpose, and it's highly unlikely that a network problem would cause packets fragmented in that way. The fact that the IP addresses were highly varied just implies that they were spoofed anyway; you could always check by seeing who *does* own them, and trying to determine if there are even machines at all of those addresses.

That said, it's unlikely that this is a particularly serious problem that you need to fix. These packets are being blocked, and even if they weren't, they'd be rejected by the web servers anyway (because the first packet wouldn't ever arrive). If it's a DoS problem, then the type of packet doesn't matter, because the damage has been done before the traffic ever gets to a node under your control.

Good luck.
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?rd61yqvmslf.fsf>
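A triage script for the check Lowell suggests (is the source spread consistent with spoofing?), added here as an example; it is not part of the original thread and not FreeBSD code. Rule number -1 in these lines is not a rule from the ruleset: it is what the 4.x kernel prints when its own header sanity checks reject a packet (a TCP fragment with fragment offset 1 being the classic case), which is why Lowell calls it a packet with no useful purpose. The script parses lines of the shape mike quoted, keeps only the -1 rejects, and reports the hit rate, how many distinct sources there were, and whether any source sits in a prefix that cannot be routed on the Internet at all. The syslog prefix ("Apr 13 09:31:02 www1") is assumed, since the post shows only the part from "/kernel:" onwards, and the sample log is constructed from RFC 5737 documentation addresses.

```python
"""Triage of FreeBSD ipfw "-1" log lines: how many hits, how spread out the
sources are, and whether any source could not possibly be genuine."""
import re
import ipaddress
from collections import Counter

# One syslog line as FreeBSD 4.x ipfw wrote it.  The "Apr 13 09:31:02 www1"
# prefix is the usual syslogd timestamp and hostname (assumed here; the
# original post shows only the part from "/kernel:" onwards).
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ /kernel: ipfw: "
    r"(?P<rule>-?\d+) (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<dir>in|out) via (?P<iface>\S+)$"
)

# Prefixes that should never appear as a source on an Internet-facing
# interface.  Spelled out rather than using ipaddress.is_private, which would
# also flag the RFC 5737 documentation ranges used in the constructed sample.
UNROUTABLE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
)]

# Constructed sample: the shape of mike's log, with documentation addresses.
# One numbered-rule hit and one unrelated syslog line are mixed in on purpose.
SAMPLE_LOG = """\
Apr 13 09:31:02 www1 /kernel: ipfw: -1 Refuse TCP 198.51.100.7:54661 192.0.2.10:80 in via rl0
Apr 13 09:31:02 www1 /kernel: ipfw: -1 Refuse TCP 203.0.113.45:1033 192.0.2.10:80 in via rl0
Apr 13 09:31:03 www1 /kernel: ipfw: -1 Refuse TCP 198.51.100.200:61002 192.0.2.10:80 in via rl0
Apr 13 09:31:03 www1 /kernel: ipfw: -1 Refuse TCP 10.1.2.3:40001 192.0.2.10:80 in via rl0
Apr 13 09:31:04 www1 /kernel: ipfw: 100 Deny TCP 203.0.113.9:2041 192.0.2.10:23 in via rl0
Apr 13 09:32:10 www1 /kernel: ipfw: -1 Refuse TCP 203.0.113.77:1207 192.0.2.10:80 in via rl0
Apr 13 09:32:11 www1 /kernel: ipfw: -1 Refuse TCP 198.51.100.7:54662 192.0.2.11:80 in via rl0
Apr 13 09:32:11 www1 sshd[123]: Accepted publickey for ops from 192.0.2.99 port 2222
"""


def parse_line(line):
    """Return a dict for an ipfw log line, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    for key in ("rule", "sport", "dport"):
        ev[key] = int(ev[key])
    return ev


def is_bogon(addr):
    """True if the address lies in a prefix that is not routed on the Internet."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in UNROUTABLE)


def summarize(lines):
    """Aggregate the rule -1 rejects only; numbered-rule hits are a different question."""
    events = [ev for ev in map(parse_line, lines) if ev and ev["rule"] == -1]
    per_source = Counter(ev["src"] for ev in events)
    per_minute = Counter(ev["ts"][:-3] for ev in events)   # drop the seconds
    return {
        "events": len(events),
        "distinct_sources": len(per_source),
        "max_hits_per_source": max(per_source.values(), default=0),
        "peak_per_minute": max(per_minute.values(), default=0),
        "bogon_sources": sorted(s for s in per_source if is_bogon(s)),
        "targets": sorted({(ev["dst"], ev["dport"]) for ev in events}),
    }


def looks_spoofed(summary):
    """Heuristic for Lowell's point: unroutable sources, or almost every
    source seen only once, both argue for forged addresses rather than a
    network fault at one or two real hosts."""
    if summary["bogon_sources"]:
        return True
    if summary["events"] < 5:
        return False      # too few hits to say anything about the spread
    return summary["distinct_sources"] / summary["events"] > 0.8


if __name__ == "__main__":
    result = summarize(SAMPLE_LOG.splitlines())
    for key, value in result.items():
        print(f"{key}: {value}")
    print("spoofed sources likely:", looks_spoofed(result))
```

On a 4.x box the ipfw messages normally land in /var/log/security via the security syslog facility, so feeding that file's lines to `summarize()` instead of the constructed sample gives the real picture. The ratio test is deliberately crude: a large pool of real clients behind a broken path could also produce many single-hit sources, so a hit from an RFC 1918 or class E address is the only part of the output that settles the spoofing question by itself; the rest is a prompt to look up the owners of the addresses, as the reply suggests.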