Date: Mon, 28 Aug 2000 14:16:21 -0400 (EDT)
From: Matt Ayres <matta@unixshell.com>
To: "Col.Panic" <panic@satan.antix.org>
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: your mail (fwd)
Message-ID: <Pine.BSF.4.21.0008281415440.30185-100000@wopr.chc-chimes.com>
In-Reply-To: <Pine.BSF.4.21.0008281105250.60987-100000@satan.antix.org>

FreeBSD will also give the message below when UDP has gone over 100pps.

-Matt

On Mon, 28 Aug 2000, Col.Panic wrote:

> I have an interesting appendage to add to this answer. I have ICMP shut
> down at the router, and I get the same messages from my new 4.1-STABLE
> system. I can understand if somebody is spoofing ICMP packets, but if
> they are, how are the replies getting to my machine?
>
> I've looked into it, and there isn't anybody logged into the machine for
> when this occurs. I'm at a loss.
>
> Thanks,
>
> -Jason
>
>
>
> ---------- Forwarded message ----------
> Date: Mon, 28 Aug 2000 10:36:00 -0700
> From: Alfred Perlstein <bright@wintelcom.net>
> To: Shane Hale <shale@bricsnet.com>
> Cc: freebsd-security@FreeBSD.ORG
> Subject: Re: your mail
>
> * Shane Hale <shale@bricsnet.com> [000828 10:31] wrote:
> >
> > Hello
> >
> > I have a machine that's getting attacked regularly.
> >
> > (Yes I know my clock is wrong... 1886809 seconds fast to be exact)
> >
> > Sep 19 00:17:54 shell /kernel: icmp-response bandwidth limit 3491/200 pps
> > Sep 19 00:17:55 shell /kernel: icmp-response bandwidth limit 3499/200 pps
> > Sep 19 00:17:56 shell /kernel: icmp-response bandwidth limit 3505/200 pps
> > Sep 19 00:17:57 shell /kernel: icmp-response bandwidth limit 3503/200 pps
> > Sep 19 00:17:58 shell /kernel: icmp-response bandwidth limit 3505/200 pps
> > Sep 19 00:17:59 shell /kernel: icmp-response bandwidth limit 3502/200 pps
> > Sep 19 00:18:00 shell /kernel: icmp-response bandwidth limit 3488/200 pps
> > Sep 19 00:18:01 shell /kernel: icmp-response bandwidth limit 3491/200 pps
> > Sep 19 00:18:02 shell /kernel: icmp-response bandwidth limit 3494/200 pps
> > Sep 19 00:18:03 shell /kernel: icmp-response bandwidth limit 3491/200 pps
> > Sep 19 00:18:04 shell /kernel: icmp-response bandwidth limit 3497/200 pps
> > Sep 19 00:18:05 shell /kernel: icmp-response bandwidth limit 3501/200 pps
> > Sep 19 00:18:06 shell /kernel: icmp-response bandwidth limit 3504/200 pps
> > Sep 19 00:18:07 shell /kernel: icmp-response bandwidth limit 3485/200 pps
> > Sep 19 00:18:27 shell /kernel: icmp-response bandwidth limit 1599/200 pps
> >
> > (This went on for about 15 minutes, and caused my network to be slow as
> > molasses and a traceroute from home stopped at the router that routes my
> > C-Class)
> >
> > I have ICMP bandwidth limiting on the machine being attacked, but...
> >
> > - how can I trace who's attacking me
> > - what exactly are they trying to do
> > - how does ICMP_BANDWITH Limiting work
> >
> > If there is anyone who can help me, I'd appreciate it.
>
> Well, you'd want to run tcpdump to see what's actually going on, however
> the problem is that most likely the attack is from a spoofed source
> so that unless the attacker is a complete knob you're probably out
> of luck unless you can co-operate with your upstream and trace this
> thing across the net.
>
> A better option is to figure out why it's happening, your box is named
> 'shell' so it sounds like one of your Lusers got into a pissing contest
> with someone, I would try to figure out who started it and remove the
> account.
>
> -Alfred
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
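
An added example, not part of any message in this thread: a small Python parser that groups the "icmp-response bandwidth limit N/M pps" kernel messages quoted above into episodes, so the start, end and peak of each burst can be lined up with a tcpdump capture or with user activity on the box. The function names, the 60-second gap used to split episodes and the supplied year are assumptions of this example, and it reads N/M as observed rate over configured limit; the sample lines are constructed in the format shown in the thread.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the format of the kernel messages quoted in the thread.
SAMPLE = """\
Sep 19 00:17:54 shell /kernel: icmp-response bandwidth limit 3491/200 pps
Sep 19 00:17:55 shell /kernel: icmp-response bandwidth limit 3499/200 pps
Sep 19 00:17:56 shell /kernel: icmp-response bandwidth limit 3505/200 pps
Sep 19 00:18:27 shell /kernel: icmp-response bandwidth limit 1599/200 pps
Sep 19 03:02:10 shell /kernel: icmp-response bandwidth limit 412/200 pps
Sep 19 03:02:11 shell sshd[311]: unrelated line that must be ignored
"""

LINE = re.compile(r"^(\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+(\S+)\s+/kernel:\s+"
                  r"icmp-response bandwidth limit (\d+)/(\d+) pps")

def episodes(text, year=2000, max_gap=timedelta(seconds=60)):
    """Group limiter messages into episodes separated by more than max_gap."""
    out = []
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # skip anything that is not a limiter message
        # syslog omits the year; 'year' is an assumption supplied by the caller
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        seen, limit = int(m.group(3)), int(m.group(4))
        cur = out[-1] if out else None
        if cur is None or cur["host"] != m.group(2) or ts - cur["end"] > max_gap:
            cur = {"host": m.group(2), "start": ts, "end": ts,
                   "peak": 0, "limit": limit, "lines": 0}
            out.append(cur)
        cur["end"] = ts
        cur["peak"] = max(cur["peak"], seen)
        cur["lines"] += 1
    return out

def summarize(text):
    """One tuple per episode: start, end, message count, peak pps, peak/limit."""
    return [(e["start"].strftime("%H:%M:%S"), e["end"].strftime("%H:%M:%S"),
             e["lines"], e["peak"], round(e["peak"] / e["limit"], 1))
            for e in episodes(text)]

if __name__ == "__main__":
    for row in summarize(SAMPLE):
        print("start=%s end=%s msgs=%d peak=%d pps (%.1fx limit)" % row)
```

As the original poster notes about his own clock, the timestamps are only as good as the host's clock, so correct for any known offset before comparing episodes with captures taken elsewhere.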