Date: Fri, 13 Apr 2001 09:04:51 -0600
From: mike
To: freebsd-security@freebsd.org
Subject: a couple boxes getting hammered with ip frags
Message-ID: <20010413090451.A46082@coloradosurf.com>

Hi all,

Sorry for posting yet another item on ipfw -1 (especially to Crist), but...

I have two web production boxes that were hammered yesterday (from about 9:30 am to 12:30 pm) with (what I assumed to be) IP frags (a very long list of "/kernel: ipfw: -1 Refuse TCP e.f.g.h:54661 a.b.c.d:80 in via rl0"). They were coming from many different IPs. A brief search did not show any consistency in the IPs that were hitting the two machines.

I am therefore assuming (danger danger) that it was more likely a network issue that may have been causing the fragments and not some type of DoS or attempt to 'circumvent' the firewall. And, since I'm not so sure, I was hoping someone might be able to shed a little more light on this one.

Thanks!

mike
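
Added example (not part of the original message): one way to check whether refusals like the one quoted above are concentrated in a few sources, targets or hours. The syslog timestamp prefix, the host name `www1` and every address in the sample are constructed assumptions.

```python
import re
from collections import Counter

# Kernel message as quoted in the post; the leading syslog timestamp and
# host name are an assumed prefix.
LINE_RE = re.compile(
    r"^(?P<mon>\w{3})\s+(?P<day>\d+)\s+(?P<hour>\d{2}):\d{2}:\d{2}\s+.*?"
    r"ipfw: -1 Refuse (?P<proto>\w+) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+):(?P<sport>\d+) "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+) in via (?P<iface>\S+)"
)

def summarize(lines):
    """Tally rule -1 refusals by source, target and hour of day."""
    by_src, by_target, by_hour = Counter(), Counter(), Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if m is None:
            continue  # other rules and other daemons are ignored
        by_src[m["src"]] += 1
        by_target[(m["dst"], int(m["dport"]))] += 1
        by_hour[f'{m["mon"]} {m["day"]} {m["hour"]}:00'] += 1
    total = sum(by_src.values())
    top_src, top_n = by_src.most_common(1)[0] if by_src else (None, 0)
    return {
        "total": total,
        "distinct_sources": len(by_src),
        "top_source": top_src,
        # Near 1.0: one noisy host. Near 1/distinct_sources: evenly spread.
        "top_source_share": top_n / total if total else 0.0,
        "by_target": dict(by_target),
        "by_hour": dict(by_hour),
    }

# Constructed sample lines (documentation address ranges), not from the post.
SAMPLE = [
    "Apr 12 09:31:02 www1 /kernel: ipfw: -1 Refuse TCP 198.51.100.7:54661 192.0.2.10:80 in via rl0",
    "Apr 12 09:31:05 www1 /kernel: ipfw: -1 Refuse TCP 203.0.113.44:1187 192.0.2.10:80 in via rl0",
    "Apr 12 10:02:40 www1 /kernel: ipfw: -1 Refuse TCP 198.51.100.7:54662 192.0.2.10:80 in via rl0",
    "Apr 12 10:15:09 www1 /kernel: ipfw: 500 Deny TCP 203.0.113.9:4000 192.0.2.10:23 in via rl0",
    "Apr 12 11:47:13 www1 /kernel: ipfw: -1 Refuse TCP 203.0.113.201:3391 192.0.2.10:80 in via rl0",
]

if __name__ == "__main__":
    for key, value in summarize(SAMPLE).items():
        print(f"{key}: {value}")
```

Run over the real log, a low `top_source_share` together with a flat `by_hour` spread describes many unrelated senders, while a single dominant source or a sharp hourly spike points at one host or one event.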