Date:      Wed, 8 Dec 1999 17:25:57 -0500 (EST)
From:      Robert Mooney <rmooney@iss.net>
To:        "Scott I. Remick" <scott@computeralt.com>
Cc:        freebsd-security@FreeBSD.ORG
Subject:   Re: What kind of attack is this?
Message-ID:  <Pine.LNX.3.95.991208170102.30438R-100000@arden.iss.net>
In-Reply-To: <4.2.2.19991208162315.00b5f4e0@mail.computeralt.com>


On Wed, 8 Dec 1999, Scott I. Remick wrote:

> I know that's what firewalls are for, and that's why I'm working on 
> one.  Holdup is time-constraints and red-tape and corporate politics and 
> screwed up priorities and so on, so let's just leave it that the firewall 
> is coming but is not here yet (if you remember back, this is the company 
> that wants to use MS Proxy).

What about changing that machine's IP, or throwing up a temporary firewall
in between the outside and this machine (sounds illogical, but possible,
especially in a situation where a temporary fix is needed ASAP)?

Are people on the net supposed to be able to get to this machine?


> I can't just block all incoming UDP packets because they are used by other 
> applications.

What machines in your militarized zone do you have that require incoming
UDP packets that don't send outgoing UDP packets first?  

IPF is neato in this respect, as you can block all incoming UDP, yet
give outgoing UDP state.


> So how does one protect themselves against such an attack?  I have an 
> Ascend Pipeline 50 router which I'm trying to sort out from the manuals a 
> way to use its filters and how it behaves if rules overlap (what I'm 
> thinking is trying to find a way to block all incoming UDP packets EXCEPT 
> the type which are known to be good).

Yes, definitely block everything except what's needed.  And then question
yourself and others on what really is needed.

If Ascend's ruleset isn't as flexible as you'd like, you could probably
set up a BSD box on the local network side of the Ascend, and use it as a
firewall.  Seriously consider IPF.


> And the $1M question: with spoofed source addresses, how does one track 
> down and nail the culprit?  Because we have a very good idea as to the 
> source, if we know their router's IP, can we confirm whether a spoofed 
> packet traveled along that route?

Contact your upstream provider as soon as possible and let them know
what's up.  When the attack happens again, they can do the same (i.e.,
contact their provider, or people within the organization) and hopefully
track down the offender (and subsequently remove him from the planet).


> Anyhow, it died down a moment ago, so there's nothing more for me to 
> watch.  Wasn't a big crisis and the person just used someone else's while I 
> let the lamb be sacrificed so I could observe (only thing it did was bog it 
> down).  I welcome any input on this (be nice to me), and look forward to 
> using this episode as an educational exercise.

BTW, what port were these packets going to?  Any idea what kind of ICMP
packets were being returned?

- Rob
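As an added illustration of the IPF approach described above (example rules, not from the thread or from the IPF project): a minimal ruleset that drops all inbound UDP on the outside interface while giving outbound UDP state, with the one inbound UDP service that is actually required listed explicitly. The interface name ed0, the 192.0.2.0/24 network and the name server at 192.0.2.10 are assumptions for the example.

```ipf
# Example /etc/ipf.rules (IPF syntax). Interface ed0 and the 192.0.2.0/24
# addresses are assumed for this illustration, not taken from the thread.
#
# "quick" stops evaluation at the first matching rule, so order matters.

# Anti-spoofing: packets claiming an internal or reserved source address
# must never arrive on the outside interface; log them for the record.
block in log quick on ed0 from 192.0.2.0/24 to any
block in log quick on ed0 from 127.0.0.0/8 to any
block in log quick on ed0 from 10.0.0.0/8 to any

# Outgoing UDP creates a state entry; only the reply to a query an inside
# host actually sent is let back in, for the life of that entry.
pass out quick on ed0 proto udp from 192.0.2.0/24 to any keep state

# Inbound UDP that is genuinely required is enumerated one service at a
# time (here: DNS queries to the assumed public name server 192.0.2.10).
pass in quick on ed0 proto udp from any to 192.0.2.10 port = 53 keep state

# Every other inbound UDP packet is dropped and logged; the log answers
# "what port were these packets going to?" the next time it happens.
block in log quick on ed0 proto udp from any to any

# Closing default deny so the policy stays explicit; TCP services would
# be added above this line in the same style.
block in log quick on ed0 all
pass out quick on ed0 all keep state
```

Dropped packets show up in ipmon output with their source, destination and port, which is the evidence the upstream provider will want when they trace the spoofed traffic.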
