Subject: Re: Distributed denial of service attacks.
To: None <tech-security@netbsd.org>
From: Stephen M Jones <smj@cirr.com>
List: tech-security
Date: 09/07/2001 17:04:51
I've been running tcpdump without any webserver running, just listening
to connections.  I admit, it is difficult with a popular site to see what
are legit and what aren't, but while running apache there are no logs showing
what files are being accessed (the only logged connections seem to be
legitimate ones).  The IP addresses I've logged (currently 1,293 unique IPs)
do not show up in the apache log files..

From the tcpdump which ran about 45 minutes, I was able to determine "top"
requests sources:

IP addr            # of requests
--------------------------------
216.136.171.200 :   6237
205.188.137.185 :   4998
211.12.224.124  :   3542
66.28.10.194    :   3199
216.231.105.251 :   1447
200.45.110.138  :    877
207.246.152.33  :    791
211.132.76.83   :    762
163.232.4.209   :    550
213.66.76.243   :    527
24.42.123.18    :    508
 .. et cetera .. (again there are 1,293 unique IPs I've recorded).

I think it's obvious who I need to write firewall rules for .. I am not
sure if this is spoofing or if those are actual IPs.  But they do seem
to respond (though no PTRs or CNAMEs map to the first two).  I'll continue
to monitor and if these are legit IPs actually port flooding my system then
a firewall rule should work ..

SMJ

(for the record this is netbsd 1.5.x running on an alpha 5305)
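One way to do the per-source tally and the cross-check against the Apache log that the post describes, as an added example that is not from the post or the list. The tcpdump and Apache lines below are constructed samples (two of the post's top sources plus a legitimate client), and the regex assumes tcpdump's classic "S 1:1(0)" or current "Flags [S]" TCP line layout.

```python
import re
from collections import Counter

# "src.port > dst.port:" in tcpdump TCP output, followed by the SYN marker in
# either the classic format ("S 1:1(0) win ...") or the newer one ("Flags [S],").
TCP_LINE = re.compile(r'(\d{1,3}(?:\.\d{1,3}){3})\.(\d+) > '
                      r'(\d{1,3}(?:\.\d{1,3}){3})\.(\d+): ?(S\b|Flags \[S\])?')

def count_syns(tcpdump_lines, dst_port=80):
    """SYN packets per source IP toward dst_port: connection attempts, which
    tcpdump sees even when Apache never gets a request it can log."""
    counts = Counter()
    for line in tcpdump_lines:
        m = TCP_LINE.search(line)
        if m and int(m.group(4)) == dst_port and m.group(5):
            counts[m.group(1)] += 1
    return counts

def apache_client_ips(access_log_lines):
    """Client IPs from Apache common/combined log lines (the first field)."""
    return {l.split(' ', 1)[0] for l in access_log_lines
            if re.match(r'\d{1,3}(?:\.\d{1,3}){3}$', l.split(' ', 1)[0])}

def suspects(tcpdump_lines, access_log_lines, threshold):
    """Sources with >= threshold SYNs that never appear as an Apache client,
    busiest first: candidates for a firewall rule, pending verification."""
    seen = apache_client_ips(access_log_lines)
    return [(ip, n) for ip, n in count_syns(tcpdump_lines).most_common()
            if n >= threshold and ip not in seen]

# Constructed sample capture (not from the post): three SYNs from one of the
# post's top sources, two from another, one client that completes a request,
# and one SYN to a port other than 80 that must be ignored.
SAMPLE_TCPDUMP = [
    "17:04:51.000001 216.136.171.200.1025 > 10.0.0.5.80: S 1:1(0) win 8192",
    "17:04:51.000002 216.136.171.200.1026 > 10.0.0.5.80: S 2:2(0) win 8192",
    "17:04:51.000003 216.136.171.200.1027 > 10.0.0.5.80: S 3:3(0) win 8192",
    "17:04:51.000004 205.188.137.185.2000 > 10.0.0.5.80: S 4:4(0) win 8192",
    "17:04:51.000005 205.188.137.185.2001 > 10.0.0.5.80: S 5:5(0) win 8192",
    "17:04:51.000006 IP 192.0.2.10.40000 > 10.0.0.5.80: Flags [S], seq 6, win 65535",
    "17:04:51.000007 IP 192.0.2.10.40000 > 10.0.0.5.80: Flags [P.], seq 1:80, ack 1",
    "17:04:51.000008 216.136.171.200.1028 > 10.0.0.5.22: S 7:7(0) win 8192",
]
SAMPLE_ACCESS_LOG = [
    '192.0.2.10 - - [07/Sep/2001:17:04:51 -0500] "GET / HTTP/1.0" 200 1234',
]
```

Sources that both pass the threshold and are absent from the access log are the ones worth verifying (reverse DNS, a manual connect) before a rule goes in, since a spoofed source would look the same in the tally.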