From: Jez Hancock
To: FreeBSD ISP List
Date: Sat, 28 Jun 2003 04:53:01 +0100
Subject: Re: Shell Provider - DDoS Attacks - IPFW Ratelimiting
Message-ID: <20030628035301.GC67871@users.munk.nu>
In-Reply-To: <00ce01c33d05$4af86730$152ea8c0@M2551.tfil.com>
List-Id: Internet Services Providers (freebsd-isp@freebsd.org)

Hi,

Regarding your main question I'm afraid I can't really help, although what the other person said about not being able to do a whole lot about it is, I think, generally the case unfortunately.

I run a number of eggdrop bots on my home network (about 20 full-time bots in all, around 100 shell users in all) and have seen a few similar DDoS attacks from botnets (characterised by open ports 80 and 113) which really clogged the system. Luckily in my case the last attack was a relatively simple ICMP attack with fragmented packets (_lots_ of them, around 30MB in 5 minutes on a 512k ADSL connection). This was easy enough to block with ipf (incidentally, you are using ipf, aren't you? :). Very annoying, and generally I just felt like stopping my users from running their eggdrops (as you no doubt know there's little way to tell exactly what/who caused the attack to be brought about; banning the one user who has brought it on isn't possible).

> And a last thing, I use right now tcpdump, trafshow, ipfm to trace the source (attackers) and the destination (which one of my IPs is attacked) IPs. Do you suggest any other tools to make my life easier?

lsof is very useful for gaining additional insight into network connections. I found the perl scripts located in the scripts directory to be very insightful, particularly in how to incorporate lsof into a custom tool. I particularly needed to know which eggdrop was attempting to connect to private address ranges which were blocked by the firewall and causing lots of log entries. lsof easily allowed me to determine what user owned the process that spawned these connection attempts (sockstat/netstat is ok, but filtering lsof output is a lot easier).

Anyway, good luck.

Regards,
Jez
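The lsof-based triage Jez describes above (finding which user's eggdrop is the one hammering firewalled private address space), as an added example that is not part of the original mail and not one of lsof's own scripts: a small POSIX shell/awk filter over `lsof -nP -i` output that keeps only connections whose remote end is in RFC 1918 space (10/8, 172.16/12, 192.168/16) and reports the owning user, PID, command, peer and socket state. The lsof output embedded below is constructed sample data (usernames, PIDs and addresses are made up), and the function names `rfc1918_peers`, `rfc1918_users` and `rfc1918_count` are my own.

```shell
#!/bin/sh
# Added example: attribute connections to RFC 1918 space back to the owning
# user from `lsof -nP -i` output.  Not code from the original mail.

# rfc1918_peers: read `lsof -nP -i` output on stdin and print one line
#   "user pid command remote:port state"
# for every socket whose remote end is in 10/8, 172.16/12 or 192.168/16.
# Listening sockets (no "->" in NAME) and non-private peers are dropped.
rfc1918_peers() {
    awk '
    NR == 1 { next }                       # skip the lsof header row
    {
        name = ""
        # NAME is normally $9 ("local->remote"); scan from there in case
        # an earlier column contains spaces on some lsof builds.
        for (i = 9; i <= NF; i++) if (index($i, "->") > 0) { name = $i; break }
        if (name == "") next                # LISTEN / unconnected socket
        remote = substr(name, index(name, "->") + 2)
        host = remote; sub(/:[0-9]+$/, "", host)   # strip the port
        split(host, o, ".")
        private = (o[1] == 10) || (o[1] == 192 && o[2] == 168) || \
                  (o[1] == 172 && o[2] >= 16 && o[2] <= 31)
        if (!private) next
        state = ($NF ~ /^\(/) ? $NF : "-" # TCP state, if lsof printed one
        print $3, $2, $1, remote, state   # USER PID COMMAND peer state
    }'
}

# rfc1918_users: the distinct users owning such connections, one per line.
rfc1918_users() {
    rfc1918_peers | awk '{ print $1 }' | sort -u
}

# rfc1918_count: number of offending connections.
rfc1918_count() {
    rfc1918_peers | awk 'END { print NR }'
}

# Constructed sample of `lsof -nP -i` output (made-up users, PIDs, addresses).
# 172.32.0.1 is deliberately just outside 172.16/12 and must not match.
SAMPLE_LSOF=$(cat <<'EOF'
COMMAND   PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
eggdrop  1234 alice   6u  IPv4 0xc1a2      0t0  TCP 203.0.113.5:1234->10.0.0.7:6667 (SYN_SENT)
eggdrop  2345 bob     6u  IPv4 0xc1a3      0t0  TCP 203.0.113.5:2345->198.51.100.9:6667 (ESTABLISHED)
eggdrop  3456 carol   5u  IPv4 0xc1a4      0t0  TCP 203.0.113.5:3456->192.168.1.20:113 (SYN_SENT)
sshd      777 root    3u  IPv4 0xc1a5      0t0  TCP *:22 (LISTEN)
eggdrop  4567 dave    7u  IPv4 0xc1a6      0t0  TCP 203.0.113.5:4567->172.16.5.5:6667 (SYN_SENT)
eggdrop  5678 eve     7u  IPv4 0xc1a7      0t0  TCP 203.0.113.5:5678->172.32.0.1:6667 (ESTABLISHED)
EOF
)

# Demo on the constructed sample; on a live box run: lsof -nP -i | rfc1918_peers
printf '%s\n' "$SAMPLE_LSOF" | rfc1918_peers
```

On the sample this reports alice, carol and dave (bob and eve talk to public addresses, sshd is only listening), which is exactly the "which user owns the process behind these firewall log entries" question from the mail. On a real shell box pipe `lsof -nP -i` into `rfc1918_peers`; `-n` and `-P` keep addresses and ports numeric so the awk parsing does not have to cope with resolved names. Note that the filter only sees sockets that exist at the moment lsof runs, so a bot retrying short-lived SYNs may need several samples (or a loop with `sleep`) before it shows up.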