Re: a couple boxes getting hammered with ip frags

From: Lowell Gilbert (lowell@world.std.com)
Date: 04/14/01


To: freebsd-security@freebsd.org, mike@coloradosurf.com
From: Lowell Gilbert <lowell@world.std.com>
Date: 14 Apr 2001 11:03:24 -0400

mike@coloradosurf.com (mike) writes:

> Sorry for posting yet another item on ipfw -1 (especially to Crist),
> but...
>
> I have two web production boxes that were hammered yesterday (from
> about 9:30 am to 12:30 pm) with (what I assumed to be) ip frags (a
> very long list of
> "/kernel: ipfw: -1 Refuse TCP e.f.g.h:54661 a.b.c.d:80 in via rl0").
>
> They were coming from many different ips. A brief search did not show
> any consistency in the ips that were hitting the two machines. I am
> therefore assuming (danger danger) that it was more likely a
> network issue that may have been causing the fragments and not some
> type of DoS or attempt to 'circumvent' the firewall.
>
> And, since I'm not so sure, I was hoping someone might be able to
> shed a little more light on this one.

No, I'm afraid that these fragments definitely constitute some sort of
attack. That '-1' rule is for a type of packet that has *no* useful
purpose, and it's highly unlikely that a network problem would cause
packets fragmented in that way. The fact that the IP addresses were
highly varied just implies that they were spoofed anyway; you could
always check by seeing who *does* own them, and trying to determine if
there are even machines at all of those addresses.

That said, it's unlikely that this is a particularly serious problem
that you need to fix. These packets are being blocked, and even if
they weren't, they'd be rejected by the web servers anyway (because
the first packet wouldn't ever arrive). If it's a DoS problem, then
the type of packet doesn't matter, because the damage has been done
before the traffic ever gets to a node under your control.

Good luck.
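A small log-triage script for lines in the format quoted in the thread, added here as an example and not code from either poster: it picks out the ipfw rule "-1" refusals and reports how many distinct sources they come from, which is the "many different ips" observation that the reply reads as a sign of spoofing. The syslog prefix, host name and addresses in the sample are constructed (RFC 5737 test ranges).

```python
import re
from collections import Counter

# Matches the ipfw log format quoted in the thread:
#   /kernel: ipfw: -1 Refuse TCP e.f.g.h:54661 a.b.c.d:80 in via rl0
# Rule number -1 is what ipfw prints for packets it refuses before any
# user rule is consulted (here: the TCP fragments discussed above).
IPFW_RE = re.compile(
    r"ipfw: (?P<rule>-?\d+) (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<dir>in|out) via (?P<iface>\w+)"
)

def parse_ipfw_line(line):
    """Return the fields of an ipfw log line as a dict, or None if it is not one."""
    m = IPFW_RE.search(line)
    return m.groupdict() if m else None

def summarize_refused_frags(lines):
    """Summarize rule -1 refusals: volume, source spread and targeted ports."""
    hits = [p for p in map(parse_ipfw_line, lines) if p and p["rule"] == "-1"]
    srcs = Counter(p["src"] for p in hits)
    dports = Counter(p["dport"] for p in hits)
    # Many distinct sources relative to packet count means the addresses
    # carry little information: each one would have to be checked for a real host.
    spread = len(srcs) / len(hits) if hits else 0.0
    return {
        "total": len(hits),
        "distinct_sources": len(srcs),
        "source_spread": spread,
        "top_sources": srcs.most_common(3),
        "dports": dict(dports),
    }

# Constructed sample log (syslog prefix assumed; addresses are test ranges).
SAMPLE_LOG = """\
Apr 13 09:31:02 web1 /kernel: ipfw: -1 Refuse TCP 203.0.113.5:54661 192.0.2.10:80 in via rl0
Apr 13 09:31:02 web1 /kernel: ipfw: -1 Refuse TCP 198.51.100.77:3120 192.0.2.10:80 in via rl0
Apr 13 09:31:03 web1 /kernel: ipfw: -1 Refuse TCP 203.0.113.5:54662 192.0.2.10:80 in via rl0
Apr 13 09:31:03 web1 /kernel: ipfw: 100 Accept TCP 198.51.100.8:40000 192.0.2.10:80 in via rl0
Apr 13 09:31:04 web1 /kernel: ipfw: -1 Refuse TCP 192.0.2.200:1025 192.0.2.10:443 in via rl0
""".splitlines()

if __name__ == "__main__":
    print(summarize_refused_frags(SAMPLE_LOG))
```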
