Is there any chance that the flood is originating from your server? I had a problem once where a machine on my network (winblows, of course) was the origination. Since I was only dropping packets originating from outside the firewall, it didn't deny the flood. So I denied that port/IP outgoing from my network until I could track down the machine and isolate it.
Not familiar with Firestarter; I always use fwbuilder to make my own custom firewalls. It's pretty robust and allows me to make some pretty complex rules fairly easily.
If you're sniffing with Ethereal from inside your network and the traffic is originating within your network, you're going to see it, even if you have a firewall rule in place to block the traffic.
Sometimes when using sniffers, it's easy to misinterpret the traffic's direction, depending on the events happening. With Snort, it's usually easy to misinterpret web traffic because the tool alarms on the system's response. I've no idea about Ethereal, though, but I'm betting this traffic is coming from within your network... OR it's coming from outside your network but you haven't blocked the traffic properly... OR you have blocked the inbound traffic correctly but the exploit is possibly taking advantage of a firewall vulnerability or is somehow circumventing your border firewall.
Can you post your Ethereal capture, if you're willing?
When the attack was ongoing, leaving Ethereal on for, let's say, 3 sec would create a 15MB file.. lol. =d
And the "destination" was my server. So I would say either "it's coming from outside your network but you haven't blocked the traffic properly... OR you have blocked the inbound traffic correctly but the exploit is possibly taking advantage of a firewall vulnerability or is somehow circumventing your border firewall." But possibly the latter, since it is bypassing iptables/apf's IP ban.
*edited*
Hmm, the person started the attack again. I would get you an Ethereal capture, but I can't connect to the server due to high bandwidth usage.. but ya, port 9898 again.
*edited 2*
Apparently it IS hard to drop... he's claiming that he took tibia.com/muonline.com with the same/similar method.
Last edited by vicious_pucca; 05-23-2006 at 02:45 PM.
YOU MADE THAT MISTAKE AGAIN. Revealing your IPs through a screenshot.
Damn.. Try to block that IP from the router or anything that is connected to your firewall, or better still, convince your ISP to block everything coming from that IP.
Tried to block all UDP. No success.
Tried to block the IP. No success (as it is forged, most likely).
Tried to secure as much as possible. No success.
Tried to contact the host. They denied the request. >_>
=d
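The two questions running through this thread are whether the capture really shows the flood arriving from outside (the direction point raised above) and whether banning source addresses can work when they are forged. The script below is an added example, not code from the thread or any poster: it parses a few constructed tcpdump-style UDP lines, classifies each packet as inbound or outbound relative to an assumed server address (192.0.2.10), and flags when the source-address spread makes per-IP bans pointless for udp/9898.

```python
import re
from collections import Counter

# Constructed sample capture (tcpdump -n style); not from the thread.
# The assumed server address is 192.0.2.10; attacker addresses are documentation ranges.
SERVER_IP = "192.0.2.10"
SAMPLE_CAPTURE = """\
12:00:01.000001 IP 198.51.100.7.40001 > 192.0.2.10.9898: UDP, length 1024
12:00:01.000002 IP 198.51.100.9.40002 > 192.0.2.10.9898: UDP, length 1024
12:00:01.000003 IP 203.0.113.4.40003 > 192.0.2.10.9898: UDP, length 1024
12:00:01.000004 IP 192.0.2.10.53 > 198.51.100.7.40001: UDP, length 80
12:00:01.000005 IP 203.0.113.5.40004 > 192.0.2.10.9898: UDP, length 1024
12:00:01.000006 IP 198.51.100.7.40001 > 192.0.2.10.9898: UDP, length 1024
"""

# src.sport > dst.dport: UDP, length N  (the greedy \S+ backtracks to the last dot)
LINE_RE = re.compile(r"IP (\S+)\.(\d+) > (\S+)\.(\d+): UDP, length (\d+)")

def parse(capture):
    """Yield (src_ip, src_port, dst_ip, dst_port, length) for each UDP line."""
    for m in LINE_RE.finditer(capture):
        yield m.group(1), int(m.group(2)), m.group(3), int(m.group(4)), int(m.group(5))

def summarize(capture, server_ip, port):
    """Split packets by direction relative to the server and profile sources hitting `port`."""
    inbound = outbound = 0
    sources = Counter()
    for src, _sport, dst, dport, _length in parse(capture):
        if dst == server_ip and dport == port:
            inbound += 1
            sources[src] += 1
        elif src == server_ip:
            outbound += 1
    distinct = len(sources)
    # Heuristic: when at least half of the packets carry a distinct source address,
    # the addresses are probably forged and banning them one by one will not help.
    likely_spoofed = inbound > 0 and distinct > 1 and distinct / inbound >= 0.5
    return {"inbound": inbound, "outbound": outbound, "distinct_sources": distinct,
            "top_sources": sources.most_common(3), "likely_spoofed": likely_spoofed}

def advice(summary):
    """Turn the profile into the mitigation a defender would try next."""
    if summary["inbound"] == 0:
        return "no flood to this port seen; check whether the traffic originates inside the network"
    if summary["likely_spoofed"]:
        return "per-IP bans are ineffective; rate-limit or drop the destination port at the border or upstream"
    return "few sources; blocking them individually is viable"

if __name__ == "__main__":
    s = summarize(SAMPLE_CAPTURE, SERVER_IP, 9898)
    print(s, advice(s))
```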