Re: [freenet-support] SYNs and SMURFs

2004-06-01 Thread freenetproject
Thanks.  I have a SMC router that does have a tough time keeping up with 
Freenet.

On a side note, I've found another use for Freenet as a system stress 
test.  Unlike most applications, with Freenet you can really see a 
difference when you change your system configuration.  If you have bad 
memory, Freenet will find it.  If you have slow disk access, Freenet 
will really show you how slow it is. That new 2.6GHz processor, Freenet 
will eat it up and ask for dessert.  If your router is crap, Freenet 
will zero in on that weak spot.

p.s. Sorry for the double post.  I'll blame that on my router too.

Salah Coronya wrote:
> Roger Hayter wrote:
> > In message [EMAIL PROTECTED],
> > [EMAIL PROTECTED] writes
> >
> > > For a long time I've received what looks like SYN floods and SMURF
> > > attacks to my port associated with Freenet.  I've assumed that it's a
> > > fault of my firewall or PC, but what's weird is that the port of the
> > > offending IP increments.  I thought that the port that Freenet uses
> > > was fixed being that it was defined in the .conf file.
> > >
> > > Excuse my display of ignorance, but could someone please explain why
> > > the far end's port would need to change?
> > >
> > > Example
> > > Time: 05/31/2004, 04:21:52
> > > Message: Smurf
> > > Source: 133.205.255.225, 1905
> > > Time: 05/31/2004, 04:25:38
> > > Message: Smurf
> > > Source: 133.205.255.225, 2600
> >
> > Etc.
> >
> > Most likely this is an attempt by a Freenet node on 133.205.255.225 to
> > connect to your Freenet external port, which is fixed, but is being
> > prevented by your firewall.  It tries again and chooses the next
> > available source port.  It has to use a new source port so it can tell
> > the difference between the present connection and previous ones, should
> > a packet return. The return packet will be from your Freenet fixed port,
> > and to the arbitrary source port on the remote machine, 133.205.255.225.
> > This is normal.  Can you tell your firewall to ignore connections to
> > your Freenet port?  I think it may well be identifying Freenet packets
> > as smurf attacks - what does anyone else think?
>
> If this is from a SOHO broadband router - especially a D-Link router,
> they should likely be disregarded, as the DoS detection in there doesn't
> usually work and is KNOWN to be broken in D-Link's firmware.
>
> There was a version of Freenet, 5023 IIRC, that accidentally DID launch a
> sort of SYN flood as it would try to reconnect relentlessly.
>
> In general, most SOHO routers simply cannot handle the kind of traffic
> Freenet generates, and they confuse it with a DoS attack.
___
Support mailing list
[EMAIL PROTECTED]
http://news.gmane.org/gmane.network.freenet.support
Unsubscribe at http://dodo.freenetproject.org/cgi-bin/mailman/listinfo/support
Or mailto:[EMAIL PROTECTED]


[freenet-support] SYNs and SMURFs

2004-05-31 Thread freenetproject
For a long time I've received what looks like SYN floods and SMURF 
attacks to my port associated with Freenet.  I've assumed that it's a 
fault of my firewall or PC, but what's weird is that the port of the 
offending IP increments.  I thought that the port that Freenet uses 
was fixed being that it was defined in the .conf file.

Excuse my display of ignorance, but could someone please explain why the 
far end's port would need to change?

Example
Time: 05/31/2004, 04:21:52
Message: Smurf
Source: 133.205.255.225, 1905
Time: 05/31/2004, 04:25:38
Message: Smurf
Source: 133.205.255.225, 2600
Time: 05/31/2004, 04:29:24
Message: Smurf
Source: 133.205.255.225, 3259
Time: 05/31/2004, 04:33:18
Message: Smurf
Source: 133.205.255.225, 3844
Time: 05/31/2004, 04:37:06
Message: Smurf
Source: 133.205.255.225, 4412
Time: 05/31/2004, 04:41:33
Message: Smurf
Source: 133.205.255.225, 


[freenet-support] SYNs and SMURFs

2004-05-31 Thread freenetproject
For a long time I've received what looks like SYN floods and SMURF 
attacks to my port associated with Freenet.  I've assumed that it's a 
fault of my firewall or PC, but what's weird is that the port of the 
offending IP increments.  I thought that the port that Freenet uses 
was static being that it was defined in the .conf file.

Excuse my display of ignorance, but could someone please explain why the 
far end port would need to change?

Example
Time: 05/31/2004, 04:21:52
Message: Smurf
Source: 133.205.255.225, 1905
Time: 05/31/2004, 04:25:38
Message: Smurf
Source: 133.205.255.225, 2600
Time: 05/31/2004, 04:29:24
Message: Smurf
Source: 133.205.255.225, 3259
Time: 05/31/2004, 04:33:18
Message: Smurf
Source: 133.205.255.225, 3844
Time: 05/31/2004, 04:37:06
Message: Smurf
Source: 133.205.255.225, 4412
Time: 05/31/2004, 04:41:33
Message: Smurf
Source: 133.205.255.225, 


Re: [freenet-support] SYNs and SMURFs

2004-05-31 Thread Roger Hayter
In message [EMAIL PROTECTED], 
[EMAIL PROTECTED] writes

> For a long time I've received what looks like SYN floods and SMURF 
> attacks to my port associated with Freenet.  I've assumed that it's a 
> fault of my firewall or PC, but what's weird is that the port of the 
> offending IP increments.  I thought that the port that Freenet uses 
> was fixed being that it was defined in the .conf file.
>
> Excuse my display of ignorance, but could someone please explain why 
> the far end's port would need to change?
>
> Example
> Time: 05/31/2004, 04:21:52
> Message: Smurf
> Source: 133.205.255.225, 1905
> Time: 05/31/2004, 04:25:38
> Message: Smurf
> Source: 133.205.255.225, 2600

Etc.

Most likely this is an attempt by a Freenet node on 133.205.255.225 to 
connect to your Freenet external port, which is fixed, but is being 
prevented by your firewall.  It tries again and chooses the next 
available source port.  It has to use a new source port so it can tell 
the difference between the present connection and previous ones, should 
a packet return. The return packet will be from your Freenet fixed port, 
and to the arbitrary source port on the remote machine, 133.205.255.225. 
This is normal.  Can you tell your firewall to ignore connections to 
your Freenet port?  I think it may well be identifying Freenet packets 
as smurf attacks - what does anyone else think?
--
Roger Hayter
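
The explanation in the reply above can be checked against the router log from the original post. This is an added example, not code from the thread or from the Freenet project; the `triage` helper, the 60-alerts-per-minute flood threshold, and a remote OS that hands out ephemeral ports in sequence are all assumptions.

```python
import re
from datetime import datetime

# The five complete entries from the router log quoted in this thread.
LOG = """\
Time: 05/31/2004, 04:21:52
Message: Smurf
Source: 133.205.255.225, 1905
Time: 05/31/2004, 04:25:38
Message: Smurf
Source: 133.205.255.225, 2600
Time: 05/31/2004, 04:29:24
Message: Smurf
Source: 133.205.255.225, 3259
Time: 05/31/2004, 04:33:18
Message: Smurf
Source: 133.205.255.225, 3844
Time: 05/31/2004, 04:37:06
Message: Smurf
Source: 133.205.255.225, 4412
"""

ENTRY = re.compile(r"Time: ([\d/]+, [\d:]+)\s+Message: (\w+)\s+"
                   r"Source: ([\d.]+), (\d+)")

def triage(text, flood_per_min=60.0):
    """Summarise alerts per source IP; flood_per_min is an assumed threshold."""
    by_ip = {}
    for ts, _label, ip, port in ENTRY.findall(text):
        when = datetime.strptime(ts, "%m/%d/%Y, %H:%M:%S")
        by_ip.setdefault(ip, []).append((when, int(port)))
    report = {}
    for ip, events in by_ip.items():
        events.sort()
        ports = [p for _, p in events]
        minutes = (events[-1][0] - events[0][0]).total_seconds() / 60 or 1.0
        rate = len(events) / minutes
        # A new, higher source port on each attempt is what a TCP client
        # retrying a blocked connection produces (sequential ports assumed).
        increasing = all(a < b for a, b in zip(ports, ports[1:]))
        verdict = ("flood-like" if rate >= flood_per_min
                   else "single peer retrying" if increasing else "unclear")
        report[ip] = {"events": len(events), "rate_per_min": round(rate, 2),
                      "ports_increasing": increasing, "verdict": verdict}
    return report

if __name__ == "__main__":
    print(triage(LOG))
```

On the thread's log this reports five alerts from one address at about 0.33 per minute with strictly increasing source ports, which is retry behaviour rather than a flood.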


Re: [freenet-support] SYNs and SMURFs

2004-05-31 Thread Salah Coronya

Roger Hayter wrote:
> In message [EMAIL PROTECTED],
> [EMAIL PROTECTED] writes
>
> > For a long time I've received what looks like SYN floods and SMURF
> > attacks to my port associated with Freenet.  I've assumed that it's a
> > fault of my firewall or PC, but what's weird is that the port of the
> > offending IP increments.  I thought that the port that Freenet uses
> > was fixed being that it was defined in the .conf file.
> >
> > Excuse my display of ignorance, but could someone please explain why
> > the far end's port would need to change?
> >
> > Example
> >
> > Time: 05/31/2004, 04:21:52
> > Message: Smurf
> > Source: 133.205.255.225, 1905
> >
> > Time: 05/31/2004, 04:25:38
> > Message: Smurf
> > Source: 133.205.255.225, 2600
>
> Etc.
>
> Most likely this is an attempt by a Freenet node on 133.205.255.225 to
> connect to your Freenet external port, which is fixed, but is being
> prevented by your firewall.  It tries again and chooses the next
> available source port.  It has to use a new source port so it can tell
> the difference between the present connection and previous ones, should
> a packet return. The return packet will be from your Freenet fixed port,
> and to the arbitrary source port on the remote machine, 133.205.255.225.
> This is normal.  Can you tell your firewall to ignore connections to
> your Freenet port?  I think it may well be identifying Freenet packets
> as smurf attacks - what does anyone else think?

If this is from a SOHO broadband router - especially a D-Link router,
they should likely be disregarded, as the DoS detection in there doesn't
usually work and is KNOWN to be broken in D-Link's firmware.

There was a version of Freenet, 5023 IIRC, that accidentally DID launch a
sort of SYN flood as it would try to reconnect relentlessly.

In general, most SOHO routers simply cannot handle the kind of traffic
Freenet generates, and they confuse it with a DoS attack.