delphij's Chaos

The word "chaos" was chosen because~~ it is really hard to find a more fitting word to describe this place...

22 Jun 2004

beastie.frontfree.net under SYNFLOOD attack!

I have watched spurious SYN messages, and apparently this has affected beastie.frontfree.net's networking subsystem, namely its mail system. The attack is from 203.81.27.11.

Whois indicates 203.81.27.11 is:

inetnum:      203.81.16.0 - 203.81.31.255
netname:      NINET
descr:        Net-Infinity Technology Development Ltd
descr:        China Internet Service Provider, Beijing
country:      CN
admin-c:      EC168-AP
tech-c:       EC168-AP
mnt-by:       APNIC-HM
mnt-lower:    MAINT-CN-NI
changed:      hostmaster@apnic.net 20020108
status:       ALLOCATED PORTABLE
source:       APNIC
person:       Ellis Cheung
address:      Level B3, Tower E1
address:      The Towers, Oriental Plaza
address:      No. 1 East Chang An Ave.
address:      Dong Cheng District
address:      Beijing, 100738, China
country:      CN
phone:        +86-10-81586260
fax-no:       +86-10-81586287
e-mail:       ellis.cheung@net-infinity.net
nic-hdl:      EC168-AP
mnt-by:       MAINT-CN-NI
changed:      ellis.cheung@net-infinity.net 20011217
source:       APNIC

Is this a worm, or an attacker? Not sure.

Apparently, the security mechanism in BJUT did NOT protect beastie.frontfree.net. As I have stated before, it must protect itself rather than rely on the badly designed firewall. It's not a fault of the Cisco firewall, but a bad design by the corporation that designed the firewall system; they apparently lied.

After enabling pf(4)'s SYN proxy mechanism, the attack seems to be mitigated. I am not sure whether it is actually defeated, but at least, from the log, it does not do anything useful for the attacker.
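The kind of pf(4) rule set that turns on the SYN proxy for the mail port, as an added example and not the author's own pf.conf. The interface name fxp0, the state-table limit and the choice of port smtp are assumptions for illustration:

```pf
# Added example pf.conf fragment; not the configuration from the original post.
# ext_if is an assumption: replace it with the real external interface.
ext_if = "fxp0"

# Bound the state table so a flood of half-open entries cannot exhaust
# kernel memory (value assumed for illustration).
set limit states 10000

# Default deny inbound and log what is dropped to pflog0, so the attack
# is still visible in the log after the proxy is enabled.
block in log on $ext_if all

# Let pf complete the TCP three-way handshake on behalf of the mail server.
# Only the initial SYN (flags S/SA) creates state; a spoofed SYN whose
# handshake is never completed leaves only a short-lived pf entry and no
# socket on the server. synproxy state implies keep state for the
# connection once it is handed to the server.
pass in on $ext_if proto tcp from any to $ext_if port smtp flags S/SA synproxy state

# The server's own outbound TCP connections use ordinary state tracking.
pass out on $ext_if proto tcp all flags S/SA keep state
```

Check the syntax with pfctl -nf /etc/pf.conf before loading it with pfctl -f, and watch the result with pfctl -s state and pfctl -si. The proxy only works when both directions of a connection pass through the same pf instance, since pf must see the client's ACK to finish the handshake before it opens the connection to the server.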


Archived: 2 Comments

BK6111CNG | June 23, 2004 4:24 PM

It can't be accessed now; is that because of this?

kinux | June 29, 2004 11:53 PM

What kind of SYN FLOOD is it? Why don't you try to use a sniffer to capture the packets..
But you may try to install SNORT; there should be some rules that help you check what kind of attack it is and give you an alert..