Date:      Sun, 5 Jan 2003 23:33:39 -0700
From:      <soralx@cydem.zp.ua>
To:        freebsd-hackers@freebsd.org
Subject:   Re: DDoS attacks, packets captured ... not sure what to do.
Message-ID:  <200301052332.59925.soralx@cydem.zp.ua>
In-Reply-To: <20030105145150.N80512-100000@mail.econolodgetulsa.com>
References:  <20030105145150.N80512-100000@mail.econolodgetulsa.com>

> 1. a ton of   TCP  SYN,   [1658]  -> [106] 3COM-TSMUX   to ports that do
> not exist on the target.

this is not a 'SYN flood'; 'SYN flood'=TCP SYN+FIN
seems like someone is continuously using TCP SYN "half-open"
scan to get your open ports, or just sends random SYN packets

> 2. a noticable amount of christmas tree packets aimed at the target:
> TCP  FIN SYN RST PSH ACK,   [1400]  -> [98] TAC-news
> again, to ports not actually open on the target.
> Also some of them are not quite as xmas as other:
> TCP  SYN RST PSH ACK,   [1230]  -> [118] SQL-service
> again, directed at a service that does not exist.

try using 'ipfw' option 'tcpflags' to ignore such packets,
or dummynet

> 3. These seem less frequent, but I am seeing:
> UDP, [21397]  -> [2284]
>     Source port: [21397]
>     Destination port: [2284]
>     UDP length: 908
>     Checksum:  0x0000 (data fragment - not able to check)
> So .. a UDP fragment sent to a port not open on the target.  This also
> seems like bad news.

UDP scan?
try "options         ICMP_BANDLIM", if not already enabled

> 3. will the solutions given to me actually help ?  I mean, the packets
> will still hit my firewall, and given the cpu utilization and config I
> showed you earlier, will the fixes nullify the effect of these attacks, or

Limiting ICMP pps may help. If you configure 'ipfw' to ignore such
packets (and also other trash packets that are useless), the target will not
send RST for closed ports, which may also help. I don't know for certain; you
need to experiment.

05.01.2003; 23:25:10
[SorAlx]  http://cydem.zp.ua/

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-hackers" in the body of the message
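The reply above points at ipfw's 'tcpflags' option for dropping the abnormal flag combinations the poster captured. The following is an added example, written for this archive page and not part of the original thread or of FreeBSD: it parses packet summaries in the same layout the poster quoted (the sample lines below are constructed, not the poster's captures), sorts each TCP segment into a flag-combination class, and prints the ipfw rule that would drop each class that never occurs in legitimate traffic. The 'tcpflags' keyword and its flag names come from ipfw(8); the rule numbers, the 'log' action and the class names are this example's own assumptions.

```python
import re
from collections import Counter

# Constructed sample lines, modelled on the capture format quoted in the
# thread; they are not the original poster's captures.
SAMPLE_LINES = [
    "TCP  SYN,   [1658]  -> [106] 3COM-TSMUX",
    "TCP  FIN SYN RST PSH ACK,   [1400]  -> [98] TAC-news",
    "TCP  SYN RST PSH ACK,   [1230]  -> [118] SQL-service",
    "TCP  SYN ACK,   [80]  -> [49152]",
    "TCP  ,   [4444]  -> [22]",
    "UDP, [21397]  -> [2284]",
    "garbage that does not parse",
]

# proto, space-separated flag names, [src port] -> [dst port]
LINE_RE = re.compile(r"^(TCP|UDP)\s*([A-Z ]*?)\s*,\s*\[(\d+)\]\s*->\s*\[(\d+)\]")


def parse_line(line):
    """Return (proto, flags, sport, dport) or None when the line is not a packet summary."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    proto, flagtext, sport, dport = m.groups()
    return proto, frozenset(flagtext.split()), int(sport), int(dport)


def classify(proto, flags):
    """Name the flag combination; order matters, most specific test first."""
    if proto == "UDP":
        return "udp"
    if {"FIN", "SYN", "RST", "PSH", "ACK"} <= flags:
        return "xmas"       # everything lit at once: no real stack emits this
    if {"SYN", "FIN"} <= flags:
        return "syn-fin"    # open and close in one segment: invalid
    if {"SYN", "RST"} <= flags:
        return "syn-rst"    # likewise invalid
    if not flags:
        return "null"       # no flags at all: "null scan" style probe
    if flags == {"SYN"}:
        return "syn"        # bare SYN: a connect attempt or a half-open probe
    return "other"          # e.g. SYN+ACK, ACK, FIN+ACK: ordinary traffic


# ipfw(8) rule text for the classes that should never reach a host.
# tcpflags only tests the flags it lists, so the syn,fin rule also
# matches the full xmas packet.  Rule numbers and 'log' are assumptions.
IPFW_RULES = {
    "xmas":    "ipfw add 100 deny log tcp from any to any tcpflags fin,syn,rst,psh,ack",
    "syn-fin": "ipfw add 110 deny log tcp from any to any tcpflags syn,fin",
    "syn-rst": "ipfw add 120 deny log tcp from any to any tcpflags syn,rst",
    "null":    "ipfw add 130 deny log tcp from any to any tcpflags !fin,!syn,!rst,!psh,!ack,!urg",
}


def summarize(lines):
    """Count packets per class; unparseable lines are counted, not dropped silently."""
    counts = Counter()
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            counts["unparsed"] += 1
            continue
        proto, flags, _sport, _dport = parsed
        counts[classify(proto, flags)] += 1
    return dict(counts)


def suggest_rules(counts):
    """Rules for every filterable class actually seen, in rule-number order."""
    return [IPFW_RULES[cls] for cls in IPFW_RULES if counts.get(cls)]


if __name__ == "__main__":
    counts = summarize(SAMPLE_LINES)
    for cls, n in sorted(counts.items()):
        print(f"{cls:10s} {n}")
    for rule in suggest_rules(counts):
        print(rule)
```

Two points the classifier makes explicit: the bare-SYN class is indistinguishable by flags from a legitimate connection attempt, so no tcpflags rule can drop it without breaking real clients, and a single 'tcpflags syn,fin' rule already covers the full FIN SYN RST PSH ACK packet because ipfw ignores flags it is not asked about. Dropping these classes silently also means the kernel never answers them with RST, which is the reply's second suggestion.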

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200301052332.59925.soralx>