I'm new to the admin game and this is somewhat of a subjective
question, so bear with me...
I run a small network on a home/office broadband connection and I'm
getting more than my fair share of un-solicited traffic (maybe) on
what I believed to be in the "private address range," as per RFC 1918.
I have ipfw(8) set up to block such traffic, but with the volume of
traffic being blocked it makes me wonder if I mis-configured something
or if the RFC is deprecated or what not. All of my services work and
all of my clients can access everything they need to both locally and
remotely, but when I read through the ipfw(8) log files there is a
plethora of traffic attempting to connect from "the Internet" on
various ports from various addresses. Most in the 10.0.0.0/8 block.
This is normal, but how much is normal?
For example, here was an interesting one that's been hitting the log
files pretty hard today. Note: "em1" is my Internet-facing interface,
so the following is coming in from the Internet, (ipfw rule followed
by log entry):
03401 1233 30036 deny log logamount 25 ip from 10.0.0.0/8 to any in via em1
Aug 27 13:03:16 kernel: ipfw: 3401 Deny UDP 10.20.0.2:67 255.255.255.255:68 in via em1
Aug 27 13:06:08 kernel: ipfw: limit 25 reached on entry 3401
It appears to be a dhcp or bootp broadcast...to the entire world? This
is just one of many seemingly ridiculous entries. Did I miss something
here? I'm new to the admin game, so I'm not sure what the 'norm' is as
far as frequency of un-solicited and often humorous traffic.
10.0.0.0/8 is where probably 98% of the un-solicited traffic comes
from. Is this just "normal"? If it's just me, I would almost feel
better than to think there are that many mis-configured servers out
there spewing out crap. What is "normal" for a small business
connection and what does one do when there are a lot of repeated
un-solicited connection attempts from a single source to your server?
I had one day where I got something like 25 attempts to connect to
port 22 (sshd) from a particular IP address somewhere in Romania (and
we're nowhere near there). Sorry for the somewhat vague question.
Just looking for general reassurances and advice, I suppose.
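The "how much is normal" question is easier to answer with a count than by eyeballing the log. The script below is an added example, not something from the original post or from the FreeBSD project: it parses ipfw(8) log lines in the format quoted above, sorts each blocked packet into a bucket (an RFC 1918 source sending DHCP to the broadcast address, any other RFC 1918 source, or a public source), and flags public sources that hit the same destination port repeatedly, which is the shape of the port 22 case mentioned above. The sample lines, the 203.0.113.10 and 198.51.100.7 addresses and the repeat threshold are constructed for the example; the rule numbers and the 10.20.0.2 DHCP line match the post.

```python
import re
import ipaddress
from collections import Counter

# Constructed sample in ipfw(8) log format; the 3401 DHCP lines mirror the post,
# the rest are made up to exercise each classification bucket.
SAMPLE_LOG = """\
Aug 27 13:03:16 kernel: ipfw: 3401 Deny UDP 10.20.0.2:67 255.255.255.255:68 in via em1
Aug 27 13:03:46 kernel: ipfw: 3401 Deny UDP 10.20.0.2:67 255.255.255.255:68 in via em1
Aug 27 13:04:16 kernel: ipfw: 3401 Deny UDP 10.20.0.2:67 255.255.255.255:68 in via em1
Aug 27 13:05:01 kernel: ipfw: 3401 Deny TCP 10.44.1.9:51234 203.0.113.10:445 in via em1
Aug 27 13:05:30 kernel: ipfw: 3500 Deny TCP 198.51.100.7:40001 203.0.113.10:22 in via em1
Aug 27 13:05:31 kernel: ipfw: 3500 Deny TCP 198.51.100.7:40002 203.0.113.10:22 in via em1
Aug 27 13:05:33 kernel: ipfw: 3500 Deny TCP 198.51.100.7:40003 203.0.113.10:22 in via em1
Aug 27 13:06:08 kernel: ipfw: limit 25 reached on entry 3401
"""

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# "rule action proto src dst in|out via iface"; the "limit N reached" lines
# carry no packet and deliberately fail to match.
LINE_RE = re.compile(r"ipfw: (\d+) (\w+) (\S+) (\S+) (\S+) (in|out) via (\S+)")


def split_endpoint(token):
    """Split 'addr:port' into (addr, int port); ICMP entries have no port."""
    if ":" in token:
        host, port = token.rsplit(":", 1)
        return host, int(port)
    return token, None


def parse_line(line):
    """Return a record for a logged packet, or None for non-packet lines."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rule, action, proto, src, dst, direction, iface = m.groups()
    src_ip, src_port = split_endpoint(src)
    dst_ip, dst_port = split_endpoint(dst)
    return {"rule": int(rule), "action": action, "proto": proto,
            "src_ip": src_ip, "src_port": src_port,
            "dst_ip": dst_ip, "dst_port": dst_port,
            "dir": direction, "iface": iface}


def classify(rec):
    """Bucket a record by what the source/destination pair suggests."""
    src = ipaddress.ip_address(rec["src_ip"])
    dst = ipaddress.ip_address(rec["dst_ip"])
    # DHCP server -> client broadcast from a private address: typically a
    # neighbouring segment's DHCP chatter reaching the interface, not a probe.
    if dst == ipaddress.ip_address("255.255.255.255") and rec["dst_port"] == 68:
        return "dhcp-broadcast"
    if any(src in net for net in RFC1918):
        return "rfc1918-source"
    return "public-source"


def summarize(log_text, threshold=3):
    """Count blocked packets per bucket and flag public sources that hit one
    destination port at least `threshold` times (threshold is constructed)."""
    records = [r for r in (parse_line(l) for l in log_text.splitlines()) if r]
    by_class = Counter(classify(r) for r in records)
    per_source_port = Counter((r["src_ip"], r["dst_port"]) for r in records
                              if classify(r) == "public-source")
    repeat_offenders = {k: n for k, n in per_source_port.items() if n >= threshold}
    return {"records": len(records),
            "by_class": dict(by_class),
            "repeat_offenders": repeat_offenders}


if __name__ == "__main__":
    result = summarize(SAMPLE_LOG)
    print(f"{result['records']} blocked packets")
    for bucket, n in sorted(result["by_class"].items()):
        print(f"  {bucket:16} {n}")
    for (src, port), n in result["repeat_offenders"].items():
        print(f"  repeated: {src} -> port {port} x{n}")
```

Run against a real log (for example `summarize(open("/var/log/security").read())`, path assumed) the per-bucket counts give a baseline to compare day to day, and the repeat-offender list separates a single host working through port 22 from the background noise of private-address traffic.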
Try capturing and analysing the spoofed datagrams, to see if there are
any routable IPs hidden inside. If your service isn't being interrupted
by the spoofed datagrams, maybe you're being used as a reflection attack.
Adam J Richardson