Hello,
Since last week I keep getting this weird traffic towards my
webserver, traffic which I can't understand. There are several
connections per second from only one source IP. I created a rule to
overload the bruteforce table on my www port like this:
pass log inet proto tcp from any to $ext_if port www \
flags S/SA keep state \
(max-src-conn 5, max-src-conn-rate 5/3, \
overload <bruteforce> flush global) \
label "R:$nr www"
I have a rule that blocks the bruteforcers like this:
block drop log quick on $ext_if from <bruteforce> to any
Testing this from a remote server with nc -v -w 3 MYIP 80 & nc -v -w 3
MYIP 80 & nc -v -w 3 MYIP 80 & nc -v -w 3 MYIP 80 & ... everything seems to
work fine. The tcpdump -nettti pflog0 command shows the first three
connections passing.. and the 4th blocked. It overloads the source IP
into the bruteforce table like this:
Apr 19 14:36:14.170442 rule 30/(match) pass in on sis0: 82.77.145.193.44595 > 193.231.240.66.80: [|tcp] (DF)
Apr 19 14:36:14.186938 rule 30/(match) pass in on sis0: 82.77.145.193.29956 > 193.231.240.66.80: [|tcp] (DF)
Apr 19 14:36:14.192805 rule 30/(match) pass in on sis0: 82.77.145.193.40188 > 193.231.240.66.80: [|tcp] (DF)
Apr 19 14:36:14.206847 rule 30/(match) pass in on sis0: 82.77.145.193.24171 > 193.231.240.66.80: [|tcp] (DF)
--- from now on the source ip is blocked. ---
Apr 19 14:36:17.215484 rule 3/(match) block in on sis0: 82.77.145.193.44595 > 193.231.240.66.80: [|tcp] (DF)
Apr 19 14:36:17.226593 rule 3/(match) block in on sis0: 82.77.145.193.29956 > 193.231.240.66.80: [|tcp] (DF)
Apr 19 14:36:17.231342 rule 3/(match) block in on sis0: 82.77.145.193.40188 > 193.231.240.66.80: [|tcp] (DF)
Apr 19 14:36:17.238024 rule 3/(match) block in on sis0: 82.77.145.193.22 > 193.231.240.66.46929: [|tcp] (DF)
Apr 19 14:36:17.238032 rule 3/(match) block in on sis0: 82.77.145.193.24171 > 193.231.240.66.80: [|tcp] (DF)
Apr 19 14:36:17.240979 rule 3/(match) block in on sis0: 82.77.145.193.22 > 193.231.240.66.46929: [|tcp] (DF)
Apr 19 14:36:17.240984 rule 3/(match) block in on sis0: 82.77.145.193.22 > 193.231.240.66.46929: [|tcp] (DF)
Apr 19 14:36:17.241965 rule 3/(match) block in on sis0: 82.77.145.193.22 > 193.231.240.66.46929: [|tcp] (DF)
Apr 19 14:36:17.242976 rule 3/(match) block in on sis0: 82.77.145.193.22 > 193.231.240.66.46929: [|tcp] (DF)
The problem is that I keep getting these strange connections from unknown
servers, more than 5 or 6 per second, which my pf does not overload into
the bruteforce table.
Apr 19 14:36:17.334308 rule 30/(match) pass in on sis0: 213.17.170.34.49187 > 193.231.240.66.80: [|tcp] (DF) [tos 0x90]
Apr 19 14:36:17.452987 rule 30/(match) pass in on sis0: 213.17.170.34.45818 > 193.231.240.66.80: [|tcp] (DF) [tos 0x90]
Apr 19 14:36:17.570618 rule 30/(match) pass in on sis0: 213.17.170.34.32041 > 193.231.240.66.80: [|tcp] (DF) [tos 0x90]
Apr 19 14:36:17.689765 rule 30/(match) pass in on sis0: 213.17.170.34.59581 > 193.231.240.66.80: [|tcp] (DF) [tos 0x90]
Apr 19 14:36:17.808512 rule 30/(match) pass in on sis0: 213.17.170.34.23824 > 193.231.240.66.80: [|tcp] (DF) [tos 0x90]
Apr 19 14:36:17.928151 rule 30/(match) pass in on sis0: 213.17.170.34.52428 > 193.231.240.66.80: [|tcp] (DF) [tos 0x90]
Apr 19 14:36:18.046504 rule 30/(match) pass in on sis0: 213.17.170.34.43061 > 193.231.240.66.80: [|tcp] (DF) [tos 0x90]
Apr 19 14:36:18.165392 rule 30/(match) pass in on sis0: 213.17.170.34.47762 > 193.231.240.66.80: [|tcp] (DF) [tos 0x90]
Apr 19 14:36:18.284315 rule 30/(match) pass in on sis0: 213.17.170.34.22329 > 193.231.240.66.80: [|tcp] (DF) [tos 0x90]
Apr 19 14:36:18.403545 rule 30/(match) pass in on sis0: 213.17.170.34.58953 > 193.231.240.66.80: [|tcp] (DF) [tos 0x90]
Apr 19 14:36:18.522695 rule 30/(match) pass in on sis0: 213.17.170.34.12441 > 193.231.240.66.80: [|tcp] (DF) [tos 0x90]
Apr 19 14:36:18.641853 rule 30/(match) pass in on sis0: 213.17.170.34.62537 > 193.231.240.66.80: [|tcp] (DF) [tos 0x90]
The only difference is the [tos 0x90] ... which I can't explain. And
this IP does not get into the bruteforce table..
Does anybody know why?
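To make the rate-limit accounting of the posted rule concrete, here is an added example that is not part of the original post and not pf's own code: a Python replay of what max-src-conn-rate 5/3 counts, run over pflog lines taken from the post (embedded below as a constructed sample, rejoined onto single lines and shortened to the first eight connections from the second source). Every "pass" logged by rule 30 is treated as one state creation, and a source is overloaded on the first creation that makes more than 5 within any trailing 3-second window. The rule number 30, the 3-second window, and the assumption that a source already in the table is dropped by the quick block rule before rule 30 is evaluated again are all taken from the post; max-src-conn (concurrent states) is not modelled, because state teardown is not visible in pflog.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: lines from the post, unwrapped, 4 from the test host,
# one block entry, and 8 from the unexplained source.
PFLOG_SAMPLE = """\
Apr 19 14:36:14.170442 rule 30/(match) pass in on sis0: 82.77.145.193.44595 > 193.231.240.66.80: [|tcp] (DF)
Apr 19 14:36:14.186938 rule 30/(match) pass in on sis0: 82.77.145.193.29956 > 193.231.240.66.80: [|tcp] (DF)
Apr 19 14:36:14.192805 rule 30/(match) pass in on sis0: 82.77.145.193.40188 > 193.231.240.66.80: [|tcp] (DF)
Apr 19 14:36:14.206847 rule 30/(match) pass in on sis0: 82.77.145.193.24171 > 193.231.240.66.80: [|tcp] (DF)
Apr 19 14:36:17.215484 rule 3/(match) block in on sis0: 82.77.145.193.44595 > 193.231.240.66.80: [|tcp] (DF)
Apr 19 14:36:17.334308 rule 30/(match) pass in on sis0: 213.17.170.34.49187 > 193.231.240.66.80: [|tcp] (DF) [tos 0x90]
Apr 19 14:36:17.452987 rule 30/(match) pass in on sis0: 213.17.170.34.45818 > 193.231.240.66.80: [|tcp] (DF) [tos 0x90]
Apr 19 14:36:17.570618 rule 30/(match) pass in on sis0: 213.17.170.34.32041 > 193.231.240.66.80: [|tcp] (DF) [tos 0x90]
Apr 19 14:36:17.689765 rule 30/(match) pass in on sis0: 213.17.170.34.59581 > 193.231.240.66.80: [|tcp] (DF) [tos 0x90]
Apr 19 14:36:17.808512 rule 30/(match) pass in on sis0: 213.17.170.34.23824 > 193.231.240.66.80: [|tcp] (DF) [tos 0x90]
Apr 19 14:36:17.928151 rule 30/(match) pass in on sis0: 213.17.170.34.52428 > 193.231.240.66.80: [|tcp] (DF) [tos 0x90]
Apr 19 14:36:18.046504 rule 30/(match) pass in on sis0: 213.17.170.34.43061 > 193.231.240.66.80: [|tcp] (DF) [tos 0x90]
Apr 19 14:36:18.165392 rule 30/(match) pass in on sis0: 213.17.170.34.47762 > 193.231.240.66.80: [|tcp] (DF) [tos 0x90]
"""

LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) (?P<day>\d+) (?P<time>\d\d:\d\d:\d\d\.\d+) "
    r"rule (?P<rule>\d+)/\(match\) (?P<action>pass|block) (?P<dir>in|out) on (?P<ifn>\w+): "
    r"(?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+):"
)
TOS_RE = re.compile(r"\[tos 0x([0-9a-fA-F]+)\]")


def parse_pflog(text):
    """Turn 'tcpdump -n -e -ttt -i pflog0' style lines into event dicts; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        tos = TOS_RE.search(line)
        events.append({
            # The log carries no year; strptime fills in 1900, which is fine for time deltas.
            "ts": datetime.strptime(f"{m['mon']} {m['day']} {m['time']}", "%b %d %H:%M:%S.%f"),
            "rule": int(m["rule"]), "action": m["action"],
            "src": m["src"], "dst": m["dst"], "dport": int(m["dport"]),
            "tos": int(tos.group(1), 16) if tos else 0,
        })
    return events


def simulate_src_conn_rate(events, rule, number, seconds):
    """Replay max-src-conn-rate number/seconds for one pass rule.

    Each 'pass' logged by `rule` is one state creation for its source. The source is
    overloaded on the first creation that makes more than `number` creations inside the
    trailing `seconds` window. Returns {src: timestamp at which it would be overloaded}.
    """
    window = timedelta(seconds=seconds)
    recent = defaultdict(deque)
    overloaded = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["action"] != "pass" or ev["rule"] != rule:
            continue
        src = ev["src"]
        if src in overloaded:
            continue  # assumption from the post: the quick block rule now drops this source
        q = recent[src]
        q.append(ev["ts"])
        while ev["ts"] - q[0] > window:
            q.popleft()
        if len(q) > number:
            overloaded[src] = ev["ts"]
    return overloaded


def peak_creations(events, rule, seconds):
    """Largest number of state creations any single source made inside one `seconds` window."""
    window = timedelta(seconds=seconds)
    per_src = defaultdict(list)
    for ev in events:
        if ev["action"] == "pass" and ev["rule"] == rule:
            per_src[ev["src"]].append(ev["ts"])
    peaks = {}
    for src, stamps in per_src.items():
        stamps.sort()
        best = lo = 0
        for hi, t in enumerate(stamps):
            while t - stamps[lo] > window:
                lo += 1
            best = max(best, hi - lo + 1)
        peaks[src] = best
    return peaks


if __name__ == "__main__":
    evs = parse_pflog(PFLOG_SAMPLE)
    print("peak state creations per 3 s:", peak_creations(evs, rule=30, seconds=3))
    for src, when in simulate_src_conn_rate(evs, rule=30, number=5, seconds=3).items():
        print(f"{src} exceeds 5/3 at {when.time()} and would be overloaded into <bruteforce>")
```

Run as-is it reports that the test host never exceeds 5 creations in 3 seconds with only four connections, while the second source passes the threshold on its sixth connection, so by this accounting the rate limit should have fired for it; the script only shows what the counter sees, not why pf did not act on it.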