Linux - Security (LinuxQuestions.org forum)
This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
05-23-2006, 11:27 AM, #1
LQ Newbie, Registered: Aug 2005, Posts: 10
unblockable ip/port by apf?
Someone's been flooding my server with UDP, and I tried to ban the IP and/or port with APF, but to no avail... any clue how to ban it?
Problem is, it doesn't show up on netstat.
But it DOES show up on IPTraf/Ethereal.
It's UDP (46-byte) spam from 213.92.42.41:32913 to myserver:9898.
Another being UDP from 213.30.153.62 (forgot the port)...
I DO use BFD + APF, and I've added those IPs into deny_hosts.rules and port 9898 into common drop ports, but to no avail.
I've tried to block it from iptables; didn't work. Tried to use Firestarter... backfired and blocked myself. XD
05-23-2006, 12:19 PM, #2
LQ Guru, Registered: Dec 2005, Location: Somewhere on the String, Distribution: Debian Wheezy (x86), Posts: 6,094
Is there any chance that the flood is originating from your server? I had a problem once where a machine on my network (winblows of course) was the origin. Since I was only dropping packets originating from outside the firewall, it didn't deny the flood. So I denied that port/IP outgoing from my network until I could track down the machine and isolate it.
I'm not familiar with Firestarter; I always use fwbuilder to make my own custom firewalls. It's pretty robust and allows me to make some pretty complex rules fairly easily.
05-23-2006, 12:22 PM, #3
LQ Newbie (Original Poster), Registered: Aug 2005, Posts: 10
Looking at the IPs, I doubt it? My server is 64.92.xx.xx.
05-23-2006, 12:49 PM, #4
Member, Registered: May 2005, Location: Northern VA, Distribution: Slackware, Ubuntu, FreeBSD, OpenBSD, OS X, Posts: 782
There are a few things to note:
If you're sniffing with Ethereal from inside your network and the traffic is originating within your network, you're going to see it, even if you've a firewall rule in place to block the traffic.
Sometimes when using sniffers, it's easy to misinterpret the traffic's direction, depending on the events happening. With Snort, it's usually easy to misinterpret web traffic because the tool alarms on the system response. I've no idea about Ethereal, though, but I'm betting this traffic is coming from within your network... OR it's coming from outside your network but you haven't blocked the traffic properly... OR you have blocked the inbound traffic correctly but the exploit is possibly taking advantage of a firewall vulnerability or is somehow circumventing your border firewall.
Can you post your Ethereal capture, if you're willing?
Last edited by unixfool; 05-23-2006 at 12:51 PM.
05-23-2006, 01:22 PM, #5
LQ Newbie (Original Poster), Registered: Aug 2005, Posts: 10
Attack has been stopped.
When the attack was ongoing, leaving Ethereal on for, let's say, 3 sec would create a 15 MB file... lol. =d
And "destination" was my server. So I would say either "it's coming from outside your network but you haven't blocked the traffic properly... OR you have blocked the inbound traffic correctly but the exploit is possibly taking advantage of a firewall vulnerability or is somehow circumventing your border firewall." But possibly the latter, since it is bypassing iptables/APF's IP ban.
*edited*
Hmm, the person started the attack again. I would get you an Ethereal capture, but I can't connect to the server due to high bandwidth usage... but ya, port 9898 again.
*edited 2*
Apparently it IS hard to drop... he's claiming that he took tibia.com/muonline.com with the same/similar method.
Last edited by vicious_pucca; 05-23-2006 at 03:45 PM.
05-31-2006, 09:37 AM, #7
Member, Registered: Sep 2003, Location: India, Distribution: Debian, Posts: 50
YOU MADE THAT MISTAKE AGAIN. Revealing your IPs through a screenshot.
Damn... Try to block that IP from the router or anything that is connected to your firewall, or better still, convince your ISP to block everything coming from that IP.
Regards,
Manjunath
06-01-2006, 10:30 PM, #8
LQ Newbie (Original Poster), Registered: Aug 2005, Posts: 10
Who said it was my current IP? =p
Tried to block all UDP. No success.
Tried to block the IP. No success (as it is forged, most likely).
Tried to secure as much as possible. No success.
Tried to contact the host. They denied the request. >_>
=d
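An added example, not code from any poster in this thread, covering the host-side checks the discussion in posts #2, #4 and #8 calls for: a port-based DROP (a per-IP ban is pointless once the source addresses are forged), an OUTPUT rule for the case where the flood originates on the host itself, the rule counters to prove the DROP is matching, and a tally of capture lines by direction so a sniffer is not misread. Assumptions: the server address 192.0.2.10 is a placeholder (only port 9898 comes from the thread), iptables is the firewall underneath APF, and the captures are in tcpdump's default `IP src.sport > dst.dport: UDP, length N` line format. The sample capture is constructed.

```shell
#!/bin/sh
# Added example for this thread (not any poster's code). Assumptions: the
# server address 192.0.2.10 is a placeholder (only port 9898 comes from the
# thread), iptables is the firewall under APF, and captures are in tcpdump's
# default "IP src.sport > dst.dport: UDP, length N" line format.

# DRY_RUN: unset -> default to printing the commands for review; set it to
# empty (DRY_RUN= sh flood.sh) to actually run iptables as root.
DRY_RUN="${DRY_RUN-1}"

# run: execute a command, or just print it when DRY_RUN is non-empty.
run() {
    if [ -n "$DRY_RUN" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# flood_rules SERVER_IP PORT
# Drop UDP to SERVER_IP:PORT. "-I INPUT 1" puts the rule ahead of the chains
# APF installs, so nothing earlier in INPUT can ACCEPT the packets first.
# Matching on the destination port instead of the source address is
# deliberate: once the source addresses are forged, per-IP bans do nothing.
# The OUTPUT rule covers the case from post #2, a flood that originates on
# the host itself.
flood_rules() {
    server="$1"
    port="$2"
    run iptables -I INPUT 1 -p udp -d "$server" --dport "$port" -j DROP
    run iptables -I OUTPUT 1 -p udp --dport "$port" -j DROP
}

# show_counters
# Verify the DROP is matching. A DROP in INPUT does not make the packets
# disappear from tcpdump/Ethereal/IPTraf: libpcap taps the interface before
# netfilter's INPUT chain sees the packet, so the capture looks the same
# after the rule is added. The rule's packet/byte counters (-v -x) are the
# evidence that it works.
show_counters() {
    run iptables -L INPUT -v -n -x --line-numbers
    run iptables -L OUTPUT -v -n -x --line-numbers
}

# udp_direction HOST < tcpdump-output
# Tally UDP packets into and out of HOST. Only the "src > dst" arrow in each
# line gives the direction; a familiar port number or address does not.
udp_direction() {
    awk -v host="$1" '
        /UDP, length/ {
            src = $3
            dst = $5
            sub(/:$/, "", dst)
            sub(/\.[0-9]+$/, "", src)   # strip the trailing ".port"
            sub(/\.[0-9]+$/, "", dst)
            if (dst == host) inb++
            else if (src == host) outb++
        }
        END { printf "in=%d out=%d\n", inb + 0, outb + 0 }'
}

# Constructed sample capture (not a capture from the thread): three inbound
# packets to 192.0.2.10:9898 from different sources and one outbound packet.
# The third line has source port 9898 too, which is why the direction is
# taken from the arrow and not from where 9898 appears.
SAMPLE_CAPTURE='12:00:01.000001 IP 203.0.113.41.32913 > 192.0.2.10.9898: UDP, length 18
12:00:01.000002 IP 198.51.100.62.40001 > 192.0.2.10.9898: UDP, length 18
12:00:01.000003 IP 203.0.113.7.9898 > 192.0.2.10.9898: UDP, length 18
12:00:01.000004 IP 192.0.2.10.9898 > 203.0.113.41.32913: UDP, length 18'

# Demo: print (not apply) the rules and counter commands, then tally the
# sample capture by direction.
flood_rules 192.0.2.10 9898
show_counters
printf '%s\n' "$SAMPLE_CAPTURE" | udp_direction 192.0.2.10
```

Two caveats worth keeping in mind when reading the thread's results. First, "it still shows up in Ethereal" is not evidence that the rule failed; the counters from `show_counters` are. Second, a DROP on the host only stops the packets from reaching the socket: the bandwidth they consume on the way in is already spent, so once the link is saturated (post #5 could not even log in) only filtering upstream at the provider or router, as post #7 suggests, actually helps.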