beastie.frontfree.net under SYNFLOOD attack!
I have watched spurious SYN messages and apparantly this has affected beastie.frontfree.net’s networking subsystem, namely, its mail system. The attack is from 184.108.40.206.
Whois indicates 220.127.116.11 is:
inetnum: 18.104.22.168 - 22.214.171.124 netname: NINET descr: Net-Infinity Technology Development Ltd descr: China Internet Service Provider, Beijing country: CN admin-c: EC168-AP tech-c: EC168-AP mnt-by: APNIC-HM mnt-lower: MAINT-CN-NI changed: email@example.com 20020108 status: ALLOCATED PORTABLE source: APNIC
person: Ellis Cheung address: Level B3, Tower E1 address: The Towers, Oriental Plaza address: No. 1 East Chang An Ave. address: Dong Cheng District address: Beijing, 100738, China country: CN phone: +86-10-81586260 fax-no: +86-10-81586287 e-mail: firstname.lastname@example.org nic-hdl: EC168-AP mnt-by: MAINT-CN-NI changed: email@example.com 20011217 source: APNIC
Is this a worm, or an attacker? Not sure.
Apparantly, the security mechanism in BJUT did NOT protected beastie.frontfree.net. As I have stated before, it must protect itself, rather than relying on the badly designed firewall. It’s not a fault of Cisco firewall, but a bad design by the corporation which has designed the firewall system, they apparantly lied.
After enabling pf(4)’s SYN PROXY mechanism, the attack seems to be mitigated. I am not sure whether it is actually defeated, though, but at least, from the log, it does not do anything useful for the attacker.