
Re: port scan attacks ?



On Thu, Sep 14, 2000 at 11:28:24AM +0200, Andreas Jellinghaus wrote:
> hi.
> 
> my machine 129.13.126.5 is under heavy portscan / denial of service attacks.
> the machine does not much useful (fileserver), but is a rsync server for
> the debian cd images.
> 
> maybe other people are scanned, too ? 
> 
> it's something like 50 ip addresses doing a portscan at the same time.
> that's nothing but a waste of time. other servers in the same room with
> similar IPs are not scanned, so i wonder if it has something to do with the
> rsync server.

I kind of doubt it has anything to do with serving rsync.  I had a
similar attack on 2000-08-01 on a machine that doesn't serve rsync.
~450 hosts hit ~65000 ports with 2.37 Mpackets over 18 hours before I
noticed I was out of disk space (the log files filled it up).  That was
just the packets dropped by iptables firewall rules (and logged).
I had to disconnect from the network to stop the attack.

I audited the services running on the few open ports and couldn't find
that any unauthorized access had succeeded on those (few, locked down) services.
I did a few stats on the logs but a single grep would take ~15 minutes
so I didn't get very far.  I did notice a few things: all the packets
were UDP, dest ports seemed randomized, and although most packets seemed
normal enough, some were as long as 65k indicating overflows were being
attempted.  The software orchestrating the attack has some earmarks of
being fairly sophisticated.

At first I thought it was a mis-targeted attack.  Then a friend suggested
maybe it was a "recruitment" phase building towards a future attack
against a more "interesting" target.  Don't know and it doesn't matter.
You need to protect yourself anyway.  There are people playing with bad
voodoo out there.

Good luck,
Steve

-- 
Steve Bowman  <sbowman@frostwork.net> (preferred)
Buckeye, AZ   <sbowman@goodnet.com> <bowmanc@acm.org>
              <http://www.goodnet.com/~sbowman/>

Powered by Debian GNU/Linux <http://www.debian.org>
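The tallies Steve worked out by hand from his iptables logs (distinct source hosts, distinct destination ports, protocol mix, oversized datagrams) can be pulled from netfilter LOG-target lines in one pass. This is an added example, not code from the thread; the log lines are constructed, and the 1500-byte threshold for flagging an oversized datagram is an assumption.

```python
import re
from collections import Counter

# Constructed sample of netfilter LOG-target lines (not from the original message).
SAMPLE_LOG = """\
Sep 14 11:28:24 fs kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=129.13.126.5 LEN=36 TOS=0x00 PREC=0x00 TTL=52 ID=1 PROTO=UDP SPT=40001 DPT=31337 LEN=16
Sep 14 11:28:24 fs kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=129.13.126.5 LEN=36 TOS=0x00 PREC=0x00 TTL=48 ID=2 PROTO=UDP SPT=40002 DPT=1024 LEN=16
Sep 14 11:28:25 fs kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=129.13.126.5 LEN=65535 TOS=0x00 PREC=0x00 TTL=52 ID=3 PROTO=UDP SPT=40003 DPT=161 LEN=65515
Sep 14 11:28:25 fs kernel: IN=eth0 OUT= SRC=192.0.2.44 DST=129.13.126.5 LEN=44 TOS=0x00 PREC=0x00 TTL=60 ID=4 DF PROTO=TCP SPT=3456 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
"""

FIELD_RE = re.compile(r"(\w+)=(\S*)")

def parse_line(line):
    """Return the first value of each KEY=VALUE field in a netfilter LOG line, or None."""
    if "kernel:" not in line or "PROTO=" not in line:
        return None
    fields = {}
    for key, value in FIELD_RE.findall(line):
        fields.setdefault(key, value)   # the first LEN= is the IP total length
    return fields

def summarize(log_text, oversize_threshold=1500):
    """Aggregate sources, destination ports, protocols and oversized datagrams."""
    sources, dports, protos = set(), set(), Counter()
    total = oversized = 0
    for line in log_text.splitlines():
        fields = parse_line(line)
        if not fields:
            continue
        total += 1
        sources.add(fields.get("SRC"))
        protos[fields.get("PROTO")] += 1
        if "DPT" in fields:
            dports.add(int(fields["DPT"]))
        # An IP total length above the Ethernet MTU (assumed threshold) marks a
        # datagram that had to be fragmented, the kind Steve saw at ~65k bytes.
        if int(fields.get("LEN", 0)) > oversize_threshold:
            oversized += 1
    return {
        "packets": total,
        "distinct_sources": len(sources),
        "distinct_dports": len(dports),
        "protocols": dict(protos),
        "oversized": oversized,
    }

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

Feeding the real log through `summarize` once replaces the repeated 15-minute greps with a single read of the file.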
