NetBSD-Users archive


Re: Unusual outbound traffic on NetBSD 5_Stable Firewall



yancm%SDF.ORG@localhost writes:
- I have a long serving 5_Stable i386 firewall/nat/server box between my
- home network and a cable modem. I'm the only user, I do not permit root
- login. SSH and www are the only direct incoming protocols I allow.

- Just recently my network started coming to a crawl and I noticed high
- outbound traffic on my outward facing interface wm0 with no reciprocal
- traffic from my home network on wm1.

It sounds a bit like an amplification attack..

Are you running ntp on the firewall?  Is it allowing/accepting
connections from the public network? 

I ask because I've seen several of my own systems used as amplifiers
in NTP amplification DDOS attacks on others.  (in the process,
saturating my uplinks, effectively DOSing my networks.. :( )

- 1) How do I figure out what's happening?

``tcpdump -i wm0'' will probably prove enlightening as to the source
and type of the traffic.

- 2) Has my firewall been compromised?

doubtful, but you never know.

- 3) Could my cable box be compromised?

see (2)

--
Eric Schnoebelen                eric%cirr.com@localhost         
http://www.cirr.com
    Seagull Manager - A manager who flies in, makes a lot of noise, craps
                over everything and then leaves. -- Dilbert
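An added example, not part of this reply or the original thread, of how the asymmetry Eric describes looks in the ``tcpdump -i wm0'' output he suggests: it tallies bytes to and from each remote host and flags hosts that receive far more from the firewall than they send it, which is what a box acting as an NTP amplifier produces. The sample tcpdump lines, the addresses, and the firewall's own public address 192.0.2.10 are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample of what ``tcpdump -n -i wm0 udp port 123'' prints.
# 192.0.2.10 stands in for the firewall's public address, 198.51.100.7 for
# a (spoofed) victim address being flooded with large NTP replies, and
# 203.0.113.5 for an ordinary upstream NTP server the box legitimately polls.
SAMPLE = """\
12:00:01.000100 IP 198.51.100.7.4242 > 192.0.2.10.123: NTPv2, Reserved, length 8
12:00:01.000300 IP 192.0.2.10.123 > 198.51.100.7.4242: NTPv2, Reserved, length 440
12:00:01.000400 IP 192.0.2.10.123 > 198.51.100.7.4242: NTPv2, Reserved, length 440
12:00:01.000500 IP 192.0.2.10.123 > 198.51.100.7.4242: NTPv2, Reserved, length 440
12:00:02.000000 IP 192.0.2.10.34567 > 203.0.113.5.123: NTPv4, Client, length 48
12:00:02.020000 IP 203.0.113.5.123 > 192.0.2.10.34567: NTPv4, Server, length 48
"""

# timestamp IP src.port > dst.port: ... length N   (IPv4 tcpdump -n format)
LINE_RE = re.compile(r"^\S+ IP (\S+)\.(\d+) > (\S+)\.(\d+): .*length (\d+)$")


def amplification_report(lines, own_ip, ratio_threshold=10.0):
    """Sum UDP payload bytes per remote host in each direction and return
    {host: (bytes_in, bytes_out, ratio)} for hosts whose outbound/inbound
    ratio is at or above ratio_threshold (i.e. the firewall is sending
    them far more than they ever sent it)."""
    inbound = defaultdict(int)
    outbound = defaultdict(int)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore lines that are not IPv4 packets with a length
        src, _sport, dst, _dport, length = m.groups()
        if dst == own_ip:
            inbound[src] += int(length)
        elif src == own_ip:
            outbound[dst] += int(length)
    report = {}
    for host in set(inbound) | set(outbound):
        bytes_in, bytes_out = inbound[host], outbound[host]
        ratio = bytes_out / bytes_in if bytes_in else float("inf")
        if ratio >= ratio_threshold:
            report[host] = (bytes_in, bytes_out, ratio)
    return report


if __name__ == "__main__":
    for host, (i, o, r) in amplification_report(SAMPLE.splitlines(), "192.0.2.10").items():
        print(f"{host}: {i} bytes in, {o} bytes out, ratio {r:.1f}")
```

On a live box, feed it `tcpdump -n -i wm0 udp port 123` piped through stdin instead of SAMPLE; a host showing up with a large ratio is one the firewall is amplifying towards, and the fix is to stop ntpd answering queries from the public side.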

