beastie.frontfree.net under SYNFLOOD attack!
I have watched spurious SYN messages, and apparently this has affected beastie.frontfree.net’s networking subsystem, namely its mail system. The attack is from 18.104.22.168.
Whois indicates 22.214.171.124 is:
inetnum: 126.96.36.199 - 188.8.131.52
netname: NINET
descr: Net-Infinity Technology Development Ltd
descr: China Internet Service Provider, Beijing
country: CN
admin-c: EC168-AP
tech-c: EC168-AP
mnt-by: APNIC-HM
mnt-lower: MAINT-CN-NI
changed: firstname.lastname@example.org 20020108
status: ALLOCATED PORTABLE
source: APNIC

person: Ellis Cheung
address: Level B3, Tower E1
address: The Towers, Oriental Plaza
address: No. 1 East Chang An Ave.
address: Dong Cheng District
address: Beijing, 100738, China
country: CN
phone: +86-10-81586260
fax-no: +86-10-81586287
e-mail: email@example.com
nic-hdl: EC168-AP
mnt-by: MAINT-CN-NI
changed: firstname.lastname@example.org 20011217
source: APNIC
Is this a worm, or an attacker? Not sure.
Apparently, the security mechanism in BJUT did NOT protect beastie.frontfree.net. As I have stated before, it must protect itself rather than relying on the badly designed firewall. It’s not the fault of the Cisco firewall, but a bad design by the corporation which designed the firewall system; they apparently lied.
After enabling pf(4)’s SYN proxy mechanism, the attack seems to be mitigated. I am not sure whether it is actually defeated, but at least, from the log, it does not do anything useful for the attacker.
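For reference, here is what a pf.conf rule set with SYN proxying looks like. This is an added example, not the configuration from beastie.frontfree.net; the interface name fxp0 and the choice of ports are assumptions. The first (commented-out) rule is the ordinary form: pf only tracks the connection, so every spoofed SYN still reaches the kernel TCP stack and occupies a half-open entry there until it times out. With synproxy state, pf answers the SYN itself and only opens a connection to the real socket once the client has completed the three-way handshake, so SYNs from spoofed or non-responding sources never consume a listen-queue slot on the mail server.

```pf
# /etc/pf.conf (added example; fxp0 and the port list are assumed)
ext_if = "fxp0"

# Bound the state table so a flood that does complete handshakes
# cannot exhaust kernel memory either.
set limit states 10000

# Default deny inbound; allow our own outbound traffic.
block in on $ext_if
pass out on $ext_if keep state

# Weak form: plain state tracking. Spoofed SYNs still hit the stack.
# pass in on $ext_if proto tcp from any to $ext_if port smtp flags S/SA keep state

# Hardened form: pf completes the handshake on behalf of the server and
# only then sets up the real connection. Applies to TCP only.
pass in on $ext_if proto tcp from any to $ext_if port { smtp, ssh } \
    flags S/SA synproxy state
```

Check the syntax before loading (`pfctl -nf /etc/pf.conf`), then load it with `pfctl -f /etc/pf.conf` and confirm with `pfctl -ss` that entries for port 25 are created only for peers that reach ESTABLISHED. Two caveats: synproxy cannot be used for connections the firewall host itself originates, and because pf answers the SYN itself, the server no longer sees the client's original TCP options, so check that mail delivery still behaves as expected after the change.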
Archived: 2 Comments
BK6111CNG | June 23, 2004 4:24 PM
kinux | June 29, 2004 11:53 PM
What kind of SYN FLOOD? Why don’t you try using a sniffer to capture the packets..
But you may try to install SNORT; there should be some rules that help you check what kind of attack it is and give you an alert..