On 12:32 Thu 07 Aug, David DeSimone wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> Tom Huppi <[EMAIL PROTECTED]> wrote:
> >
> > Anyway, I am getting what I believe to be syn floods
> > periodically.  They dwarf my production traffic and sometimes
> > get close to producing as much bandwith as we are paying for.  A
> > representative sample looks like so when viewed with tcpdump on
> > my outward interface ('em1'):
> > 
> > 21:36:53.870312 IP 125.21.176.19.x11 > 74.123.192.195.domain: S 
> > 27394048:27394048(0) win 16384
> > 21:36:53.870319 IP 125.21.176.19.x11 > 74.123.192.204.domain: S 
> > 1793916928:1793916928(0) win 16384
> 
> Since you went to the trouble of obscuring the source IP, I presume that
> the source IP is your IP.  So, these look like responses, i.e. outbound
> traffic, not inbound, since they are sourced from your IP.  You can use
> tcpdump's -e flag to be sure who is sending and who is receiving.


I obscured my own IP range, which is the 74.nnn.nnn. one, and it
is a /24.  Interestingly, most of the IPs on my side are ones
where I have no host.

The reason why is that I figured that if I myself were a
semi-sophisticated cracker, I would look for targets of
opportunity on the various mailing lists where one could identify
both networks administered by newbie/part-time personnel, and
often a fair amount about the configuration of said :)

The IP '125.21.176.19' is exactly as it appeared in my tcpdump.
It shows as a telecom company in India in this case... usually
it's some network company or another in China.

My network looks like so:

                                -------------  em0  <---> internal range
  Network Provider  <----> em1 | pf firewall |
  (Internap)                    -------------  bce1 <---> dmz range


I took the tcpdump output to indicate that SYN packets showing an Indian origin
were showing up addressed to (mainly non-existent) IP addresses within my /24
network.

I'll look at 'tcpdump -e'.  Thanks for the hint!

 - Tom



> 
> - -- 
> David DeSimone == Network Admin == [EMAIL PROTECTED]
>   "I don't like spinach, and I'm glad I don't, because if I
>    liked it I'd eat it, and I just hate it." -- Clarence Darrow
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.1 (GNU/Linux)
> 
> iD8DBQFImzGpFSrKRjX5eCoRAmQWAJ42P3j3LgD9gE5aqIs+A9ytFAzUgACeLU1g
> 0F9BDmubpLI37Bz/OKW420Y=
> =Nm7c
> -----END PGP SIGNATURE-----
> 
> 

-- 
_______________________________________________
[email protected] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-pf
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
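The point David makes in the quoted reply (a SYN whose source IP is yours could be outbound, and only the Ethernet header tells you for certain who put the frame on the wire) and Tom's observation that most targets are addresses with no host behind them can both be checked mechanically. The script below is an added example written for this thread, not code from either poster. It assumes the capture was taken with `tcpdump -n -e -i em1` so the Ethernet header is printed, takes the local prefix as 74.123.192.0/24 as in the thread, and uses three made-up values: the upstream router's MAC address, the firewall's em1 MAC address, and the set of local addresses that actually have a host. The sample packets are constructed in the thread's tcpdump format with the `-e` fields added.

```python
"""Sort SYNs seen on the outside interface into inbound attempts, outbound
attempts and replies, and flag attempts aimed at addresses with no host.

Added example for the freebsd-pf thread; not code from the original posts.
Assumes `tcpdump -n -e -i em1` output (Ethernet header printed), the thread's
74.123.192.0/24 prefix, and three made-up values: the upstream router's MAC,
the firewall's em1 MAC, and which local addresses really have a host.
"""
import ipaddress
import re
from collections import Counter

LOCAL_NET = ipaddress.ip_network("74.123.192.0/24")   # from the thread (obscured there)
UPSTREAM_ROUTER_MAC = "00:00:5e:00:01:01"             # assumed: Internap-side router
FIREWALL_EM1_MAC = "00:1b:21:aa:bb:cc"                # assumed: pf box, outside interface
LIVE_HOSTS = {"74.123.192.195", "74.123.192.204"}     # assumed: addresses with a real host

# Old-style tcpdump TCP line, with or without the -e Ethernet prefix:
#   HH:MM:SS.usec [srcmac > dstmac, ethertype IPv4 (0x0800), length N:] [IP] a.b.c.d.sport > e.f.g.h.dport: S ...
MAC = r"[0-9a-f]{2}(?::[0-9a-f]{2}){5}"
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+)\s+"
    rf"(?:(?P<smac>{MAC}) > (?P<dmac>{MAC}),[^:]*:\s+)?"
    r"(?:IP\s+)?"
    r"(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\S+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>[^:\s]+):\s+S\s+(?P<rest>.*)$"
)


def classify(line):
    """Describe one SYN line, or return None if the line is not a TCP SYN."""
    m = LINE_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    src = ipaddress.ip_address(d["src"])
    dst = ipaddress.ip_address(d["dst"])
    # A SYN carrying an ack number is a SYN/ACK, i.e. a reply, not an attempt.
    kind = "reply" if " ack " in d["rest"] else "attempt"
    if d["smac"]:
        # The Ethernet source is the decisive evidence: a frame sent by the
        # router's MAC came in from the provider whatever the IP header says
        # (source IPs in a SYN flood are trivially forged).
        direction = "inbound" if d["smac"] == UPSTREAM_ROUTER_MAC else "outbound"
    else:
        # Without -e, fall back to the IP addresses, which is all the
        # original tcpdump lines in the thread offer.
        direction = "inbound" if dst in LOCAL_NET and src not in LOCAL_NET else "outbound"
    return {
        "src": str(src), "dst": str(dst), "dport": d["dport"],
        "kind": kind, "direction": direction,
        "dark_target": direction == "inbound" and str(dst) not in LIVE_HOSTS,
    }


def summarize(lines):
    """Counts a practitioner would want before deciding it is a flood or a scan."""
    pkts = [p for p in map(classify, lines) if p]
    attempts = [p for p in pkts if p["kind"] == "attempt"]
    inbound = [p for p in attempts if p["direction"] == "inbound"]
    return {
        "inbound_syns": len(inbound),
        "outbound_syns": len(attempts) - len(inbound),
        "syn_acks": len(pkts) - len(attempts),
        "syns_to_dark_addresses": sum(p["dark_target"] for p in inbound),
        "top_sources": Counter(p["src"] for p in inbound).most_common(3),
    }


# Constructed sample: the thread's two lines with -e fields added, two more SYNs
# to addresses with no host, one genuine outbound SYN and its SYN/ACK reply.
SAMPLE = """\
21:36:53.870312 00:00:5e:00:01:01 > 00:1b:21:aa:bb:cc, ethertype IPv4 (0x0800), length 60: 125.21.176.19.x11 > 74.123.192.195.domain: S 27394048:27394048(0) win 16384
21:36:53.870319 00:00:5e:00:01:01 > 00:1b:21:aa:bb:cc, ethertype IPv4 (0x0800), length 60: 125.21.176.19.x11 > 74.123.192.204.domain: S 1793916928:1793916928(0) win 16384
21:36:53.870401 00:00:5e:00:01:01 > 00:1b:21:aa:bb:cc, ethertype IPv4 (0x0800), length 60: 125.21.176.19.x11 > 74.123.192.17.domain: S 9981:9981(0) win 16384
21:36:53.870455 00:00:5e:00:01:01 > 00:1b:21:aa:bb:cc, ethertype IPv4 (0x0800), length 60: 125.21.176.19.x11 > 74.123.192.250.domain: S 4411:4411(0) win 16384
21:36:54.102000 00:1b:21:aa:bb:cc > 00:00:5e:00:01:01, ethertype IPv4 (0x0800), length 74: 74.123.192.195.49152 > 203.0.113.9.http: S 5500:5500(0) win 65535 <mss 1460>
21:36:54.103000 00:00:5e:00:01:01 > 00:1b:21:aa:bb:cc, ethertype IPv4 (0x0800), length 74: 203.0.113.9.http > 74.123.192.195.49152: S 7700:7700(0) ack 5501 win 5840
"""


def main():
    for key, value in summarize(SAMPLE.splitlines()).items():
        print(f"{key}: {value}")


if __name__ == "__main__":
    main()
```

Run it against a real capture with `tcpdump -n -e -i em1 'tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn' | python3 thisfile.py`-style piping once `SAMPLE` is replaced by `sys.stdin`. A high `syns_to_dark_addresses` count with a single top source and no matching SYN/ACKs is a scan or flood aimed at the whole /24; the same SYNs showing the firewall's own MAC as Ethernet source would mean the traffic is leaving the box, which is the case David was asking Tom to rule out.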
