After reading the initial post on Bugtraq concerning DoS attacks involving port zero (and being basically a pretty paranoid person), I took a chance that it was not a stack-disabling attack, and dropped in some ip firewalling rules (linux, stable kernel) to block and log connections from any machine using source port 0, or connections from any machine, destined to port 0 here. As bizarre as it sounds, apparently someone IS up to something, since I've now logged this many blocked connections thus far. I'm posting this because the initial post made the statement that these incidences involved imapd (port 143) and as we can see here, it's not limited to just that one service. I'd love to sit and wait with a packet dumper to have more information before speaking, but I'm about to go to San Francisco for several days, and simply don't have the time. :/ Possibly this confirmation of the rumor will get more people interested in hunting down whatever the heck this is...

Jun 10 00:21:04 think kernel: IP fw-in deny eth1 TCP 208.201.47.80:0 think.kung.foo:143 L=40 S=0x00 I=37635 F=0x0000 T=233
Jun 10 00:21:16 think kernel: IP fw-in deny eth1 TCP 208.201.47.80:0 think.kung.foo:53 L=40 S=0x00 I=37635 F=0x0000 T=233
Jun 10 00:21:27 think kernel: IP fw-in deny eth1 TCP 208.201.47.80:0 think.kung.foo:23 L=40 S=0x00 I=37635 F=0x0000 T=233
Jun 10 00:37:36 think kernel: IP fw-in deny eth1 TCP 208.201.47.80:0 think.kung.foo:8010 L=40 S=0x00 I=37635 F=0x0000 T=233
Jun 11 23:12:57 think kernel: IP fw-in deny eth1 TCP 208.201.47.80:0 think.kung.foo:53 L=40 S=0x00 I=62720 F=0x0000 T=234
Jun 15 17:56:53 think kernel: IP fw-in deny eth1 TCP 205.182.88.180:0 think.kung.foo:53 L=40 S=0x00 I=26881 F=0x0000 T=232
Jun 16 05:00:45 think kernel: IP fw-in deny eth1 TCP 134.50.8.42:0 think.kung.foo:53 L=40 S=0x00 I=11268 F=0x0000 T=236
Jun 17 00:10:06 think kernel: IP fw-in deny eth1 TCP 24.112.51.71:0 think.kung.foo:23 L=40 S=0x00 I=30723 F=0x0000 T=239

think.kung.foo is the internal name of the machine, and the appearance of the name are the results of some sanitizing code in my log filters. Don't anyone panic. ;)
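As an added example (not part of the original post), a small Python parser for the "IP fw-in deny" log format quoted above: it pulls out the records with port 0 on either side, counts them per source host and per targeted port, and flags sources that reuse the same IP ID (the I= field) across several packets, a heuristic for hand-crafted packets since a normal stack varies the ID. The sample lines are constructed using documentation addresses, not the post's own log entries.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in the post's "IP fw-in deny" format (documentation
# addresses, not the post's IPs). L=length, S=TOS, I=IP ID, F=frag, T=TTL.
SAMPLE_LOG = """\
Jun 10 00:21:04 think kernel: IP fw-in deny eth1 TCP 192.0.2.10:0 think.kung.foo:143 L=40 S=0x00 I=37635 F=0x0000 T=233
Jun 10 00:21:16 think kernel: IP fw-in deny eth1 TCP 192.0.2.10:0 think.kung.foo:53 L=40 S=0x00 I=37635 F=0x0000 T=233
Jun 10 00:25:00 think kernel: IP fw-in deny eth1 TCP 192.0.2.10:4321 think.kung.foo:0 L=40 S=0x00 I=37636 F=0x0000 T=233
Jun 10 00:30:00 think kernel: IP fw-in deny eth1 UDP 198.51.100.7:53 think.kung.foo:53 L=60 S=0x00 I=100 F=0x0000 T=64
Jun 10 00:31:00 think kernel: IP fw-in deny eth1 TCP 203.0.113.5:0 think.kung.foo:23 L=40 S=0x00 I=11268 F=0x0000 T=236
Jun 10 00:32:00 think sshd[123]: Accepted publickey for alice from 203.0.113.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: IP (?P<chain>fw-\w+) "
    r"(?P<verdict>\w+) (?P<iface>\S+) (?P<proto>\w+) (?P<src>\S+):(?P<sport>\d+) "
    r"(?P<dst>\S+):(?P<dport>\d+) L=(?P<len>\d+) S=0x(?P<tos>[0-9a-f]+) "
    r"I=(?P<ipid>\d+) F=0x(?P<frag>[0-9a-f]+) T=(?P<ttl>\d+)", re.IGNORECASE)


def parse_line(line):
    """Return a dict for one firewall log line, or None for any other syslog line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("sport", "dport", "len", "ipid", "ttl"):
        rec[key] = int(rec[key])
    return rec


def port_zero_events(log_text):
    """Firewall records whose source or destination port is 0."""
    recs = (parse_line(l) for l in log_text.splitlines())
    return [r for r in recs if r and (r["sport"] == 0 or r["dport"] == 0)]


def summarize(events):
    """Hits per source host, and per destination port for source-port-0 packets."""
    by_src = Counter(r["src"] for r in events)
    by_dport = Counter(r["dport"] for r in events if r["sport"] == 0)
    return by_src, by_dport


def repeated_ipid_sources(events):
    """Heuristic: a real stack normally changes the IP ID between packets, so
    several packets from one source with the same ID point to crafted packets."""
    seen = defaultdict(Counter)
    for r in events:
        seen[r["src"]][r["ipid"]] += 1
    return sorted(src for src, ids in seen.items() if max(ids.values()) > 1)
```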
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:58:39 PDT