LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Old 05-04-2006, 11:44 AM   #1
mikeyt_333
Member
 
Registered: Jun 2001
Location: Up in the clouds
Distribution: Fedora et al.
Posts: 353

Rep: Reputation: 30
System under attack via FTP, trying to understand the intended action


I was hoping somebody might be able to interpret this log output from iptables. I blocked the offending IP because they were generating hundreds of unknown-user log entries for FTP; I think they're probably hoping to DoS. I get lost when specific combinations of TCP flags are sent, in this case ACK and PSH; I'm not sure why sending an ACK and PSH would cause any problems. Thanks for any insight you can provide, I appreciate it! To shorten the entry, I've removed repeated information from the beginning of each line, so each line begins with:

Code:
IN=eth0 OUT= MAC= SRC= DST=
With sensitive information removed.

Code:
LEN=60 TOS=0x00 PREC=0x00 TTL=47 ID=13584 DF PROTO=TCP SPT=51321 DPT=21 WINDOW=6732 RES=0x00 ACK PSH URGP=0
LEN=40 TOS=0x00 PREC=0x00 TTL=47 ID=13585 DF PROTO=TCP SPT=51321 DPT=21 WINDOW=6732 RES=0x00 ACK URGP=0
LEN=60 TOS=0x00 PREC=0x00 TTL=47 ID=13586 DF PROTO=TCP SPT=51321 DPT=21 WINDOW=6732 RES=0x00 ACK PSH URGP=0
LEN=40 TOS=0x00 PREC=0x00 TTL=47 ID=13587 DF PROTO=TCP SPT=51321 DPT=21 WINDOW=6732 RES=0x00 ACK URGP=0
LEN=60 TOS=0x00 PREC=0x00 TTL=47 ID=13588 DF PROTO=TCP SPT=51321 DPT=21 WINDOW=6732 RES=0x00 ACK PSH URGP=0
LEN=40 TOS=0x00 PREC=0x00 TTL=47 ID=13589 DF PROTO=TCP SPT=51321 DPT=21 WINDOW=6732 RES=0x00 ACK URGP=0
Thanks again!

Mike.
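The flag combinations in the post are not themselves an attack. Each LEN=60 ACK PSH line is a segment carrying data on a TCP connection that is already established (a 20-byte payload if neither header carries options, about the size of a short FTP control command), and the LEN=40 ACK that follows it is a bare acknowledgement of the server's reply. The LOG target only records header fields, so the content cannot be read from these lines. The following parser is an added example, not code from the thread or from iptables; it splits the LOG format into fields, names what each flag combination is doing and groups the lines by source/destination port so that a burst like the one above is visible as a single session. The sample lines are copied from the post in its abbreviated form, and the 20-byte header sizes are an assumption stated in the code.

```python
from dataclasses import dataclass, field

# Sample lines in the same abbreviated form the post uses (IN=/OUT=/MAC=/SRC=/DST= stripped).
SAMPLE_LINES = [
    "LEN=60 TOS=0x00 PREC=0x00 TTL=47 ID=13584 DF PROTO=TCP SPT=51321 DPT=21 WINDOW=6732 RES=0x00 ACK PSH URGP=0",
    "LEN=40 TOS=0x00 PREC=0x00 TTL=47 ID=13585 DF PROTO=TCP SPT=51321 DPT=21 WINDOW=6732 RES=0x00 ACK URGP=0",
    "LEN=60 TOS=0x00 PREC=0x00 TTL=47 ID=13586 DF PROTO=TCP SPT=51321 DPT=21 WINDOW=6732 RES=0x00 ACK PSH URGP=0",
    "LEN=40 TOS=0x00 PREC=0x00 TTL=47 ID=13587 DF PROTO=TCP SPT=51321 DPT=21 WINDOW=6732 RES=0x00 ACK URGP=0",
]

# Flag names the iptables LOG target prints as bare words (no '=' in the token).
TCP_FLAG_WORDS = frozenset({"SYN", "ACK", "FIN", "RST", "PSH", "URG", "CWR", "ECE"})

# Assumed header sizes: LOG prints the total IP length (LEN) but not the TCP data
# offset, so the payload figure below is exact only when neither header has options.
IP_HEADER_LEN = 20
TCP_HEADER_LEN = 20


@dataclass
class LoggedPacket:
    fields: dict = field(default_factory=dict)
    flags: frozenset = frozenset()


def parse_log_line(line: str) -> LoggedPacket:
    """Split one iptables LOG line into key=value fields plus the set of TCP flags."""
    fields, flags = {}, set()
    for token in line.split():
        if "=" in token:
            key, value = token.split("=", 1)
            fields[key] = value
        elif token in TCP_FLAG_WORDS:
            flags.add(token)
        elif token == "DF":
            fields["DF"] = "1"  # don't-fragment bit is printed as a bare word
    return LoggedPacket(fields, frozenset(flags))


def payload_estimate(pkt: LoggedPacket) -> int:
    """Bytes of TCP payload implied by LEN under the no-options assumption above."""
    return max(0, int(pkt.fields.get("LEN", "0")) - IP_HEADER_LEN - TCP_HEADER_LEN)


def classify(pkt: LoggedPacket) -> str:
    """Name what this segment is doing, based on its flag combination."""
    f = pkt.flags
    if pkt.fields.get("PROTO") != "TCP":
        return "not TCP"
    if "RST" in f:
        return "reset"
    if "SYN" in f:
        return "handshake reply (SYN/ACK)" if "ACK" in f else "connection attempt (SYN)"
    if "FIN" in f:
        return "connection close (FIN)"
    if "ACK" in f and "PSH" in f:
        return "data segment on an established connection"
    if f == {"ACK"}:
        return "pure acknowledgement, no payload"
    return "other flag combination"


def summarize_session(lines) -> dict:
    """Group logged packets by (SPT, DPT) and count data-carrying vs. ack-only segments."""
    summary = {}
    for line in lines:
        pkt = parse_log_line(line)
        key = (pkt.fields.get("SPT"), pkt.fields.get("DPT"))
        entry = summary.setdefault(key, {"packets": 0, "data_segments": 0, "payload_bytes": 0})
        entry["packets"] += 1
        if payload_estimate(pkt) > 0:
            entry["data_segments"] += 1
            entry["payload_bytes"] += payload_estimate(pkt)
    return summary


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        pkt = parse_log_line(line)
        print(f"ID={pkt.fields['ID']} flags={sorted(pkt.flags)} payload~{payload_estimate(pkt)}B: {classify(pkt)}")
    print(summarize_session(SAMPLE_LINES))
```

Run against the four lines above, the summary shows one session (source port 51321 to port 21) with two data segments and two bare acknowledgements, i.e. an ordinary request/response rhythm on the control channel rather than a flag-based probe; the hostile part of this traffic only becomes visible in the application log, which the next post shows.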
 
Old 05-05-2006, 04:04 AM   #2
nx5000
Senior Member
 
Registered: Sep 2005
Location: Out
Posts: 3,307

Rep: Reputation: 57
With this log we can't do much.
Post the complete log (all exchanges with timings), but replace the IPs rather than removing them.
Seems like a DoS, and you can't do much about it. Maybe improving your firewall settings would mitigate the effect.
 
Old 05-05-2006, 09:44 AM   #3
mikeyt_333
Member
 
Registered: Jun 2001
Location: Up in the clouds
Distribution: Fedora et al.
Posts: 353

Original Poster
Rep: Reputation: 30
Thanks for the reply! Here's a snippet of my messages log. The only thing that happened was hundreds of failed logins, and if they're DoS'ing, I would expect it to come from multiple IPs (but I may be way off base...). Thanks for your help!

Code:
May  4 09:46:16 [SERVER] vsftpd(pam_unix)[29801]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=[ATTACK IP]
May  4 09:46:20 [SERVER] vsftpd(pam_unix)[29801]: check pass; user unknown
May  4 09:46:20 [SERVER] vsftpd(pam_unix)[29801]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=[ATTACK IP]
May  4 09:46:27 [SERVER] vsftpd(pam_unix)[29801]: check pass; user unknown
May  4 09:46:27 [SERVER] vsftpd(pam_unix)[29801]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=[ATTACK IP]
May  4 09:46:31 [SERVER] vsftpd(pam_unix)[29801]: check pass; user unknown
May  4 09:46:31 [SERVER] vsftpd(pam_unix)[29801]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=[ATTACK IP]
May  4 09:46:35 [SERVER] vsftpd(pam_unix)[29801]: check pass; user unknown
May  4 09:46:35 [SERVER] vsftpd(pam_unix)[29801]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=[ATTACK IP]
May  4 09:46:39 [SERVER] vsftpd(pam_unix)[29801]: check pass; user unknown
May  4 09:46:39 [SERVER] vsftpd(pam_unix)[29801]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=[ATTACK IP]
May  4 09:46:43 [SERVER] vsftpd(pam_unix)[29801]: check pass; user unknown
As an immediate, but temporary, fix, I've added the offending IPs to iptables, dropping any connections from them. You mentioned that maybe better firewall rules would help, but by that, are you referring to limiting connections etc.? The difficulty I have with setting a limit on connections is that it already causes hell with SSH when people are running things that can't do connection multiplexing. FTP might be better since it doesn't initiate a ton of connections, but it's still possible that somebody might connect 10 times in 10 minutes, legitimately. Thanks for the input!!

Mike.

Last edited by mikeyt_333; 05-05-2006 at 09:48 AM.
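The concern in the last post, that a per-connection limit punishes legitimate users who connect often, goes away if the trigger is failed authentications per source rather than connections per source: ten successful logins in ten minutes never count, while the pattern in the messages log (a failure every few seconds from one rhost) trips a threshold within half a minute. The script below is an added example, not code from the thread, vsftpd or iptables. It parses the pam_unix failure lines, keeps a sliding window of failure timestamps per rhost, and reports each source that reaches the threshold, together with the same kind of DROP rule the poster added by hand. The log text is constructed to mirror the thread's pattern, with documentation-range addresses standing in for the redacted ones; the year is assumed to be 2006 because syslog timestamps carry none.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: the thread's failure pattern from one client, plus a single
# failure from a second host. Addresses are documentation-range placeholders.
SAMPLE_LOG = """\
May  4 09:46:16 server vsftpd(pam_unix)[29801]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=198.51.100.7
May  4 09:46:20 server vsftpd(pam_unix)[29801]: check pass; user unknown
May  4 09:46:20 server vsftpd(pam_unix)[29801]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=198.51.100.7
May  4 09:46:27 server vsftpd(pam_unix)[29801]: check pass; user unknown
May  4 09:46:27 server vsftpd(pam_unix)[29801]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=198.51.100.7
May  4 09:46:31 server vsftpd(pam_unix)[29801]: check pass; user unknown
May  4 09:46:31 server vsftpd(pam_unix)[29801]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=198.51.100.7
May  4 09:46:35 server vsftpd(pam_unix)[29801]: check pass; user unknown
May  4 09:46:35 server vsftpd(pam_unix)[29801]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=198.51.100.7
May  4 09:50:02 server vsftpd(pam_unix)[29844]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=192.0.2.10
"""

# Only the 'authentication failure' lines carry an rhost; 'check pass' lines do not.
FAILURE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ "
    r"vsftpd\(pam_unix\)\[(?P<pid>\d+)\]: authentication failure;.*\brhost=(?P<rhost>\S+)"
)


def parse_failures(log_text: str, year: int = 2006):
    """Yield (timestamp, rhost) for each PAM authentication failure line.
    Syslog lines have no year, so the caller supplies one (assumed 2006 here)."""
    for line in log_text.splitlines():
        m = FAILURE_RE.match(line)
        if not m:
            continue
        stamp = " ".join(m["ts"].split())  # collapse the double space in 'May  4'
        yield datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S"), m["rhost"]


def find_offenders(log_text: str, max_failures: int = 5, window: timedelta = timedelta(minutes=10)) -> dict:
    """Return {rhost: time_of_trigger} for every source that accumulates
    max_failures authentication failures inside one sliding window.
    Successful logins are never counted, so frequent legitimate users pass."""
    recent = defaultdict(deque)
    offenders = {}
    for ts, rhost in parse_failures(log_text):
        q = recent[rhost]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()  # drop failures that have aged out of the window
        if len(q) >= max_failures and rhost not in offenders:
            offenders[rhost] = ts
    return offenders


def drop_rule(rhost: str) -> str:
    """The temporary per-address rule the poster described, as an iptables command line."""
    return f"iptables -I INPUT -s {rhost} -j DROP"


if __name__ == "__main__":
    for rhost, when in find_offenders(SAMPLE_LOG).items():
        print(f"{when:%b %d %H:%M:%S}  {rhost} reached the failure threshold -> {drop_rule(rhost)}")
```

With the defaults (5 failures within 10 minutes) the sample flags 198.51.100.7 at 09:46:35, the fifth failure, and leaves 192.0.2.10 alone after its single failure. The threshold and window are the two knobs to tune; the same sliding-window logic applies unchanged to sshd's pam_unix lines, which is the other service the post worries about.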