subject:"RE\: F9 DOS attack"

Re: F9 DOS attack

2008-11-27 Thread Richard England


Dave Feustel wrote:

On Thu, Nov 27, 2008 at 02:25:26AM +1030, Tim wrote:
  

On Wed, 2008-11-26 at 06:54 -0500, Dave Feustel wrote:


I spoke with a Comcast technician yesterday. He said there was nothing
Comcast could do and that the problem was that the 'bomber' was able
to get my ip address by scanning my system. That seems inconsistent to
me.
  

If you're chatting with your ISP, I'd ask them if it's just you being
flooded, or a range of their IP addresses.  Then you'll know if you're a
direct target.  If they can't work that out, they're hopeless.



I just tried whois 68.87.72.130 (the ip address in all the unsolicited
packets that were coming in) and that is a comcast ip address.
(something to do with 'jumpstart'. Does anyone know anything about this?

  

$ whois -vi 68.87.72.130
[Querying whois.arin.net]
[whois.arin.net]
Comcast Cable Communications, Inc. JUMPSTART-2 (NET-68-80-0-0-1)
 68.80.0.0 - 68.87.255.255
Comcast Cable Communications, Inc. COMCAST-18 (NET-68-87-64-0-1)
 68.87.64.0 - 68.87.127.255

# ARIN WHOIS database, last updated 2008-11-26 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database.


Ran this through   http://cqcounter.com/whois/   and got the following 
back.  Which makes this look like one of the Comcast DNS servers. No?


OrgName:Comcast Cable Communications, Inc. 
OrgID:  CMCS

Address:1800 Bishops Gate Blvd
City:   Mt Laurel
StateProv:  NJ
PostalCode: 08054
Country:US

NetRange:   68.80.0.0  - 68.87.255.255  
CIDR:   68.80.0.0/13 
NetName:JUMPSTART-2

NetHandle:  NET-68-80-0-0-1
Parent: NET-68-0-0-0-0
NetType:Direct Allocation
NameServer: DNS101.COMCAST.NET 

NameServer: DNS102.COMCAST.NET 

NameServer: DNS103.COMCAST.NET 

Comment:ADDRESSES WITHIN THIS BLOCK ARE NON-PORTABLE
RegDate:2002-01-28
Updated:2008-10-31

RTechHandle: IC161-ARIN
RTechName:   Comcast Cable Communications Inc 
RTechPhone:  +1-856-317-7200
RTechEmail:  [EMAIL PROTECTED]  


OrgAbuseHandle: NAPO-ARIN
OrgAbuseName:   Network Abuse and Policy Observance 
OrgAbusePhone:  +1-856-317-7272

OrgAbuseEmail:  [EMAIL PROTECTED] 


OrgTechHandle: IC161-ARIN
OrgTechName:   Comcast Cable Communications Inc 
OrgTechPhone:  +1-856-317-7200

OrgTechEmail:  [EMAIL PROTECTED] 


CustName:   Comcast Cable Communications, Inc.
Address:1800 Bishops Gate Blvd
City:   Mt Laurel
StateProv:  NJ
PostalCode: 08054
Country:US
RegDate:2007-04-17
Updated:2007-04-17

NetRange:   68.87.64.0  - 68.87.127.255  
CIDR:   68.87.64.0/18 
NetName:COMCAST-18

NetHandle:  NET-68-87-64-0-1
Parent: NET-68-80-0-0-1
NetType:Reassigned
Comment:
RegDate:2007-04-17

Updated:2007-04-17

RTechHandle: IC161-ARIN
RTechName:   Comcast Cable Communications Inc 
RTechPhone:  +1-856-317-7200
RTechEmail:  [EMAIL PROTECTED]  


OrgAbuseHandle: NAPO-ARIN
OrgAbuseName:   Network Abuse and Policy Observance 
OrgAbusePhone:  +1-856-317-7272

OrgAbuseEmail:  [EMAIL PROTECTED] 


OrgTechHandle: IC161-ARIN
OrgTechName:   Comcast Cable Communications Inc 
OrgTechPhone:  +1-856-317-7200

OrgTechEmail:  [EMAIL PROTECTED] 


# ARIN WHOIS database, last updated 2008-11-26 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database.



--
fedora-list mailing list
fedora-list@redhat.com
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
Guidelines: http://fedoraproject.org/wiki/Communicate/MailingListGuidelines

Re: F9 DOS attack

2008-11-27 Thread Dave Feustel

On Thu, Nov 27, 2008 at 02:25:26AM +1030, Tim wrote:
> On Wed, 2008-11-26 at 06:54 -0500, Dave Feustel wrote:
> > I spoke with a Comcast technician yesterday. He said there was nothing
> > Comcast could do and that the problem was that the 'bomber' was able
> > to get my ip address by scanning my system. That seems inconsistent to
> > me.
> 
> If you're chatting with your ISP, I'd ask them if it's just you being
> flooded, or a range of their IP addresses.  Then you'll know if you're a
> direct target.  If they can't work that out, they're hopeless.

I just tried whois 68.87.72.130 (the ip address in all the unsolicited
packets that were coming in) and that is a comcast ip address.
(something to do with 'jumpstart'. Does anyone know anything about this?

-- 
fedora-list mailing list
fedora-list@redhat.com
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
Guidelines: http://fedoraproject.org/wiki/Communicate/MailingListGuidelines

Re: F9 DOS attack

2008-11-26 Thread Tim

On Wed, 2008-11-26 at 19:56 -0500, Dave Feustel wrote:
> I don't run any servers.

Does that mean you don't use them, or that you've actually turned them
off?

> Makes me wonder what I did to provoke the attack

Possibly nothing.  For some victims, merely existing is reason enough.

Years ago, I used to notice increased firewall activity any time I made
a public posting.  I wasn't doing anything inflammatory, so I assume
that miscreants were monitoring the list to capture what they hoped were
currently in-use IP addresses.  These days, there's less point in doing
that, with always-on DSL and cable services, many of the IP addresses
will always be in-use.  Though the capturing idea does tend to identify
an IP address and the OS in use, which they might go looking for ones
with vulnerabilities that they know how to exploit.

-- 
[EMAIL PROTECTED] ~]$ uname -r
2.6.27.5-41.fc9.i686

Don't send private replies to my address, the mailbox is ignored.  I
read messages from the public lists.

-- 
fedora-list mailing list
fedora-list@redhat.com
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
Guidelines: http://fedoraproject.org/wiki/Communicate/MailingListGuidelines

Re: F9 DOS attack

2008-11-26 Thread Dave Feustel

On Thu, Nov 27, 2008 at 02:25:26AM +1030, Tim wrote:
> On Wed, 2008-11-26 at 06:54 -0500, Dave Feustel wrote:
> > I spoke with a Comcast technician yesterday. He said there was nothing
> > Comcast could do and that the problem was that the 'bomber' was able
> > to get my ip address by scanning my system. That seems inconsistent to
> > me.
> 
> If you're chatting with your ISP, I'd ask them if it's just you being
> flooded, or a range of their IP addresses.  Then you'll know if you're a
> direct target.  If they can't work that out, they're hopeless.
> 
> As far as security goes, turn off the services you don't need.  And
> configure the ones that you do need, to not listen to the outside world
> unnecessarily (secure the services properly, don't rely on a firewall to
> stand in the way).  Then, add a firewall to your mix.  It's an extra
> layer, not the only thing you should use in your defence.

I don't run any servers. My total activity is email, browsing, and RSS.
I don't even use ssh. Makes me wonder what I did to provoke the attack
(assuming that the attack was specifically directed at me.)
 
> Attempts to crack into your system over SSH, for instance, will be water
> off a duck's back if you don't have an SSH server running, or it never
> listens to the world interface.
> 
> -- 
> [EMAIL PROTECTED] ~]$ uname -r
> 2.6.27.5-41.fc9.i686
> 
> Don't send private replies to my address, the mailbox is ignored.  I
> read messages from the public lists.
> 
> 
> 
> -- 
> fedora-list mailing list
> fedora-list@redhat.com
> To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
> Guidelines: http://fedoraproject.org/wiki/Communicate/MailingListGuidelines

-- 
fedora-list mailing list
fedora-list@redhat.com
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
Guidelines: http://fedoraproject.org/wiki/Communicate/MailingListGuidelines

RE: F9 DOS attack

2008-11-26 Thread bruce

yes.. vitalstream!! that was it, with internap...

hey.. is the email address at the bottom valid for you?

-bruce


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Rick Stevens
Sent: Wednesday, November 26, 2008 2:34 PM
To: Community assistance, encouragement,and advice for using Fedora.
Subject: Re: F9 DOS attack


bruce wrote:
> hey rick...
>
> are you the same rick, who used to work with a company in san mateo.. that
> used to deal with akamai...

A couple of friends and I founded "SiteStream" in '99.  In '01 we merged
with another company and renamed the new beast "VitalStream", which was
an Akamai (and SpeedEra) competitor.  We were based in Irvine in SoCal
(San Mateo is in NoCal).

VitalStream was acquired by Internap in February of '06 and they've made
a sad hash of what was a great company.  I left there in April of '08 as
I couldn't stand to watch my baby abused the way it was any longer.
--
- Rick Stevens, Systems Engineer  [EMAIL PROTECTED] -
- AIM/Skype: therps2ICQ: 22643734Yahoo: origrps2 -
--
-   I haven't lost my mind.  It's backed up on tape somewhere, but   -
-   probably not recoverable.-
--

--
fedora-list mailing list
fedora-list@redhat.com
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
Guidelines: http://fedoraproject.org/wiki/Communicate/MailingListGuidelines

-- 
fedora-list mailing list
fedora-list@redhat.com
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
Guidelines: http://fedoraproject.org/wiki/Communicate/MailingListGuidelines

Re: F9 DOS attack

2008-11-26 Thread Rick Stevens


bruce wrote:

hey rick...

are you the same rick, who used to work with a company in san mateo.. that
used to deal with akamai...


A couple of friends and I founded "SiteStream" in '99.  In '01 we merged
with another company and renamed the new beast "VitalStream", which was
an Akamai (and SpeedEra) competitor.  We were based in Irvine in SoCal
(San Mateo is in NoCal).

VitalStream was acquired by Internap in February of '06 and they've made
a sad hash of what was a great company.  I left there in April of '08 as
I couldn't stand to watch my baby abused the way it was any longer.
--
- Rick Stevens, Systems Engineer  [EMAIL PROTECTED] -
- AIM/Skype: therps2ICQ: 22643734Yahoo: origrps2 -
--
-   I haven't lost my mind.  It's backed up on tape somewhere, but   -
-   probably not recoverable.-
--

--
fedora-list mailing list
fedora-list@redhat.com
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
Guidelines: http://fedoraproject.org/wiki/Communicate/MailingListGuidelines

RE: F9 DOS attack

2008-11-26 Thread bruce

hey rick...

are you the same rick, who used to work with a company in san mateo.. that
used to deal with akamai...

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Rick Stevens
Sent: Wednesday, November 26, 2008 10:18 AM
To: Community assistance, encouragement,and advice for using Fedora.
Subject: Re: F9 DOS attack

Dave Feustel wrote:
> On Wed, Nov 26, 2008 at 05:30:09AM -0800, bruce wrote:
>> hi dave...
>>
>> just saw this thread. are you running a static ip on your external
internet
>> connection. if you aren't, you could simply force the cable modem to
reset
>> to another ip address..
>
> I tried reseting the cable modem but I'm not sure it changes my ip
> address.
>
>> you might have to work with comcast tech support to accomplish this. (get
a
>> 2nd/3rd level guy who actually knows/wants to help you out)
>
> I'm going to try to talk with them about this tomorrow.
>
>> if you've already done this, has it managed to slow the offender down?
>
> No. But the attack had ceased when I got up this morning.
>
>> do you have a router connected to the cable modem? does it log the ip
>> addresses of the offending client?
>
> I use pf with a block all incoming rule. I don't see any traffic with
> pftop, but I saw a lot of incoming packets by observing the leds on my
> cable modem. It's pretty clear to me that both F9 and Suse11 are
> vulnerable to attack from the internet. I'm starting to get very
> interested in linux security and preventing dos attacks.

ANYTHING connected to the internet is vulnerable to attack, be it SYN
floods, brute force SSH attempts, any number of others.  Wait till you
get a DC++ attack!  The only way to block that sucker is to do a deep
packet inspection of the payload and drop the connections or find the
hub that has you listed and kill it somehow.

It's totally irrelevant what OS you run, it's an attack against the
interface.  Different OSes handle it differently.  It's best to have a
hardware firewall out front, but then internal software firewalls like
iptables are your second level of defense.  Next is making sure only
the network "listeners" you NEED are enabled.  I manage a network
that seems to have a big, red target painted on it.  I deal with this
all the time.  Thank goodness for our Cisco, Foundry and Radware gear
out front!  They block most of it, the rest we deal with via iptables
and we monitor EVERYTHING (my cell phone has almost melted on occasion
from the SMS text alerts when a DOS is attempted).

As to your problem, Comcast's first level techs (and I'm being generous
using that term) are notoriously crappy as far as solving problems.
They're not much more than telemarketers and work off a script. Ask them
something off script and they're at sea.  Can't say Time Warner is much
better.  One problem I had with them:

Me: "I'm not getting a DHCP address from you, your DHCP servers are down."
Them: "Which OS?"
Me: "Linux."
Them: "Oh, we don't support Linux."
Me: "DHCP is DHCP you twit.  The OS has nothing to do with it!  Let me
talk to a level 3 tech."
(this went on for about five minutes, I threatened dire vengeance,
then I got a level 3 guy [skipped level 2, they're idiots, too])
Level3Guy: "What's the problem?"
Me: "You're not giving out DHCP addresses.  Your servers are down."
L3G: "I don't think so."
Me: "Dude, I'm watching a tcpdump of it.  I'm sending requests and
you're not answering.  No denials, no responses, nada."
L3G: "Let me check."
(long pause)
L3G: "Yeah, six of them crashed."
Me: "You don't monitor that sort of thing?"
L3G: "Uh, guess not."
Me: "ARRGHHH!"

--
- Rick Stevens, Systems Engineer  [EMAIL PROTECTED] -
- AIM/Skype: therps2ICQ: 22643734Yahoo: origrps2 -
--
-   If the enemy's in range...so are you!-
--

--
fedora-list mailing list
fedora-list@redhat.com
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
Guidelines: http://fedoraproject.org/wiki/Communicate/MailingListGuidelines

-- 
fedora-list mailing list
fedora-list@redhat.com
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
Guidelines: http://fedoraproject.org/wiki/Communicate/MailingListGuidelines

RE: F9 DOS attack

2008-11-26 Thread bruce

hey rick...

are you the same rick, who used to work with a company in san mateo.. that
used to deal with akamai...

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Rick Stevens
Sent: Wednesday, November 26, 2008 10:18 AM
To: Community assistance, encouragement,and advice for using Fedora.
Subject: Re: F9 DOS attack

Dave Feustel wrote:
> On Wed, Nov 26, 2008 at 05:30:09AM -0800, bruce wrote:
>> hi dave...
>>
>> just saw this thread. are you running a static ip on your external
internet
>> connection. if you aren't, you could simply force the cable modem to
reset
>> to another ip address..
>
> I tried reseting the cable modem but I'm not sure it changes my ip
> address.
>
>> you might have to work with comcast tech support to accomplish this. (get
a
>> 2nd/3rd level guy who actually knows/wants to help you out)
>
> I'm going to try to talk with them about this tomorrow.
>
>> if you've already done this, has it managed to slow the offender down?
>
> No. But the attack had ceased when I got up this morning.
>
>> do you have a router connected to the cable modem? does it log the ip
>> addresses of the offending client?
>
> I use pf with a block all incoming rule. I don't see any traffic with
> pftop, but I saw a lot of incoming packets by observing the leds on my
> cable modem. It's pretty clear to me that both F9 and Suse11 are
> vulnerable to attack from the internet. I'm starting to get very
> interested in linux security and preventing dos attacks.

ANYTHING connected to the internet is vulnerable to attack, be it SYN
floods, brute force SSH attempts, any number of others.  Wait till you
get a DC++ attack!  The only way to block that sucker is to do a deep
packet inspection of the payload and drop the connections or find the
hub that has you listed and kill it somehow.

It's totally irrelevant what OS you run, it's an attack against the
interface.  Different OSes handle it differently.  It's best to have a
hardware firewall out front, but then internal software firewalls like
iptables are your second level of defense.  Next is making sure only
the network "listeners" you NEED are enabled.  I manage a network
that seems to have a big, red target painted on it.  I deal with this
all the time.  Thank goodness for our Cisco, Foundry and Radware gear
out front!  They block most of it, the rest we deal with via iptables
and we monitor EVERYTHING (my cell phone has almost melted on occasion
from the SMS text alerts when a DOS is attempted).

As to your problem, Comcast's first level techs (and I'm being generous
using that term) are notoriously crappy as far as solving problems.
They're not much more than telemarketers and work off a script. Ask them
something off script and they're at sea.  Can't say Time Warner is much
better.  One problem I had with them:

Me: "I'm not getting a DHCP address from you, your DHCP servers are down."
Them: "Which OS?"
Me: "Linux."
Them: "Oh, we don't support Linux."
Me: "DHCP is DHCP you twit.  The OS has nothing to do with it!  Let me
talk to a level 3 tech."
(this went on for about five minutes, I threatened dire vengeance,
then I got a level 3 guy [skipped level 2, they're idiots, too])
Level3Guy: "What's the problem?"
Me: "You're not giving out DHCP addresses.  Your servers are down."
L3G: "I don't think so."
Me: "Dude, I'm watching a tcpdump of it.  I'm sending requests and
you're not answering.  No denials, no responses, nada."
L3G: "Let me check."
(long pause)
L3G: "Yeah, six of them crashed."
Me: "You don't monitor that sort of thing?"
L3G: "Uh, guess not."
Me: "ARRGHHH!"

--
- Rick Stevens, Systems Engineer  [EMAIL PROTECTED] -
- AIM/Skype: therps2ICQ: 22643734Yahoo: origrps2 -
--
-   If the enemy's in range...so are you!-
--

--
fedora-list mailing list
fedora-list@redhat.com
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
Guidelines: http://fedoraproject.org/wiki/Communicate/MailingListGuidelines

-- 
fedora-list mailing list
fedora-list@redhat.com
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
Guidelines: http://fedoraproject.org/wiki/Communicate/MailingListGuidelines

Re: F9 DOS attack

2008-11-26 Thread Fred Silsbee




--- On Wed, 11/26/08, Rick Stevens <[EMAIL PROTECTED]> wrote:

> From: Rick Stevens <[EMAIL PROTECTED]>
> Subject: Re: F9 DOS attack
> To: "Community assistance, encouragement, and advice for using Fedora." 
> 
> Date: Wednesday, November 26, 2008, 6:18 PM
> Dave Feustel wrote:
> > On Wed, Nov 26, 2008 at 05:30:09AM -0800, bruce wrote:
> >> hi dave...
> >>
> >> just saw this thread. are you running a static ip
> on your external internet
> >> connection. if you aren't, you could simply
> force the cable modem to reset
> >> to another ip address..
> > 
> > I tried reseting the cable modem but I'm not sure
> it changes my ip
> > address.
> >  
> >> you might have to work with comcast tech support
> to accomplish this. (get a
> >> 2nd/3rd level guy who actually knows/wants to help
> you out)
> > 
> > I'm going to try to talk with them about this
> tomorrow.
> >  
> >> if you've already done this, has it managed to
> slow the offender down?
> > 
> > No. But the attack had ceased when I got up this
> morning.
> >  
> >> do you have a router connected to the cable modem?
> does it log the ip
> >> addresses of the offending client?
> > 
> > I use pf with a block all incoming rule. I don't
> see any traffic with
> > pftop, but I saw a lot of incoming packets by
> observing the leds on my
> > cable modem. It's pretty clear to me that both F9
> and Suse11 are
> > vulnerable to attack from the internet. I'm
> starting to get very
> > interested in linux security and preventing dos
> attacks.
> 
> ANYTHING connected to the internet is vulnerable to attack,
> be it SYN
> floods, brute force SSH attempts, any number of others. 
> Wait till you
> get a DC++ attack!  The only way to block that sucker is to
> do a deep
> packet inspection of the payload and drop the connections
> or find the
> hub that has you listed and kill it somehow.
> 
> It's totally irrelevant what OS you run, it's an
> attack against the
> interface.  Different OSes handle it differently.  It's
> best to have a
> hardware firewall out front, but then internal software
> firewalls like
> iptables are your second level of defense.  Next is making
> sure only
> the network "listeners" you NEED are enabled.  I
> manage a network
> that seems to have a big, red target painted on it.  I deal
> with this
> all the time.  Thank goodness for our Cisco, Foundry and
> Radware gear
> out front!  They block most of it, the rest we deal with
> via iptables
> and we monitor EVERYTHING (my cell phone has almost melted
> on occasion
> from the SMS text alerts when a DOS is attempted).
> 
> As to your problem, Comcast's first level techs (and
> I'm being generous
> using that term) are notoriously crappy as far as solving
> problems.
> They're not much more than telemarketers and work off a
> script. Ask them
> something off script and they're at sea.  Can't say
> Time Warner is much
> better.  One problem I had with them:
> 
> Me: "I'm not getting a DHCP address from you, your
> DHCP servers are down."
> Them: "Which OS?"
> Me: "Linux."
> Them: "Oh, we don't support Linux."
> Me: "DHCP is DHCP you twit.  The OS has nothing to do
> with it!  Let me
> talk to a level 3 tech."
> (this went on for about five minutes, I threatened dire
> vengeance,
> then I got a level 3 guy [skipped level 2, they're
> idiots, too])
> Level3Guy: "What's the problem?"
> Me: "You're not giving out DHCP addresses.  Your
> servers are down."
> L3G: "I don't think so."
> Me: "Dude, I'm watching a tcpdump of it.  I'm
> sending requests and
> you're not answering.  No denials, no responses,
> nada."
> L3G: "Let me check."
> (long pause)
> L3G: "Yeah, six of them crashed."
> Me: "You don't monitor that sort of thing?"
> L3G: "Uh, guess not."
> Me: "ARRGHHH!"
> 
> --
> - Rick Stevens, Systems Engineer 
> [EMAIL PROTECTED] -
> - AIM/Skype: therps2ICQ: 22643734Yahoo:
> origrps2 -
> -  
>  -
> -   If the enemy's in range...so are you!  
>  -
> --
> 
> -- 
> fedora-list mailing list
> fedora-list@redhat.com
> To unsubscribe:
> https://www.redhat.com/mailman/listinfo/fedora-list
> Guidelines:
> http://fedoraproject.org/wiki/Communicate/MailingListGuidelines

refreshing news on the internet a few weeks ago: a big load of spammers and 
internet attackers headed to prison

Have some compassion now! The problem started with their childhood 
pottytraining!

Ref: the basement guy in the Deniro/Norton move "The Score"



  

-- 
fedora-list mailing list
fedora-list@redhat.com
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
Guidelines: http://fedoraproject.org/wiki/Communicate/MailingListGuidelines

Re: F9 DOS attack

2008-11-26 Thread Rick Stevens


Dave Feustel wrote:

On Wed, Nov 26, 2008 at 05:30:09AM -0800, bruce wrote:

hi dave...

just saw this thread. are you running a static ip on your external internet
connection. if you aren't, you could simply force the cable modem to reset
to another ip address..


I tried reseting the cable modem but I'm not sure it changes my ip
address.
 

you might have to work with comcast tech support to accomplish this. (get a
2nd/3rd level guy who actually knows/wants to help you out)


I'm going to try to talk with them about this tomorrow.
 

if you've already done this, has it managed to slow the offender down?


No. But the attack had ceased when I got up this morning.
 

do you have a router connected to the cable modem? does it log the ip
addresses of the offending client?


I use pf with a block all incoming rule. I don't see any traffic with
pftop, but I saw a lot of incoming packets by observing the leds on my
cable modem. It's pretty clear to me that both F9 and Suse11 are
vulnerable to attack from the internet. I'm starting to get very
interested in linux security and preventing dos attacks.


ANYTHING connected to the internet is vulnerable to attack, be it SYN
floods, brute force SSH attempts, any number of others.  Wait till you
get a DC++ attack!  The only way to block that sucker is to do a deep
packet inspection of the payload and drop the connections or find the
hub that has you listed and kill it somehow.

It's totally irrelevant what OS you run, it's an attack against the
interface.  Different OSes handle it differently.  It's best to have a
hardware firewall out front, but then internal software firewalls like
iptables are your second level of defense.  Next is making sure only
the network "listeners" you NEED are enabled.  I manage a network
that seems to have a big, red target painted on it.  I deal with this
all the time.  Thank goodness for our Cisco, Foundry and Radware gear
out front!  They block most of it, the rest we deal with via iptables
and we monitor EVERYTHING (my cell phone has almost melted on occasion
from the SMS text alerts when a DOS is attempted).

As to your problem, Comcast's first level techs (and I'm being generous
using that term) are notoriously crappy as far as solving problems.
They're not much more than telemarketers and work off a script. Ask them
something off script and they're at sea.  Can't say Time Warner is much
better.  One problem I had with them:

Me: "I'm not getting a DHCP address from you, your DHCP servers are down."
Them: "Which OS?"
Me: "Linux."
Them: "Oh, we don't support Linux."
Me: "DHCP is DHCP you twit.  The OS has nothing to do with it!  Let me
talk to a level 3 tech."
(this went on for about five minutes, I threatened dire vengeance,
then I got a level 3 guy [skipped level 2, they're idiots, too])
Level3Guy: "What's the problem?"
Me: "You're not giving out DHCP addresses.  Your servers are down."
L3G: "I don't think so."
Me: "Dude, I'm watching a tcpdump of it.  I'm sending requests and
you're not answering.  No denials, no responses, nada."
L3G: "Let me check."
(long pause)
L3G: "Yeah, six of them crashed."
Me: "You don't monitor that sort of thing?"
L3G: "Uh, guess not."
Me: "ARRGHHH!"

--
- Rick Stevens, Systems Engineer  [EMAIL PROTECTED] -
- AIM/Skype: therps2ICQ: 22643734Yahoo: origrps2 -
--
-   If the enemy's in range...so are you!-
--

--
fedora-list mailing list
fedora-list@redhat.com
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
Guidelines: http://fedoraproject.org/wiki/Communicate/MailingListGuidelines

Re: F9 DOS attack

2008-11-26 Thread Tim

On Wed, 2008-11-26 at 06:54 -0500, Dave Feustel wrote:
> I spoke with a Comcast technician yesterday. He said there was nothing
> Comcast could do and that the problem was that the 'bomber' was able
> to get my ip address by scanning my system. That seems inconsistent to
> me.

If you're chatting with your ISP, I'd ask them if it's just you being
flooded, or a range of their IP addresses.  Then you'll know if you're a
direct target.  If they can't work that out, they're hopeless.

As far as security goes, turn off the services you don't need.  And
configure the ones that you do need, to not listen to the outside world
unnecessarily (secure the services properly, don't rely on a firewall to
stand in the way).  Then, add a firewall to your mix.  It's an extra
layer, not the only thing you should use in your defence.

Attempts to crack into your system over SSH, for instance, will be water
off a duck's back if you don't have an SSH server running, or it never
listens to the world interface.

-- 
[EMAIL PROTECTED] ~]$ uname -r
2.6.27.5-41.fc9.i686

Don't send private replies to my address, the mailbox is ignored.  I
read messages from the public lists.

-- 
fedora-list mailing list
fedora-list@redhat.com
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
Guidelines: http://fedoraproject.org/wiki/Communicate/MailingListGuidelines

Re: F9 DOS attack

2008-11-26 Thread Dave Feustel

On Wed, Nov 26, 2008 at 05:30:09AM -0800, bruce wrote:
> hi dave...
> 
> just saw this thread. are you running a static ip on your external internet
> connection. if you aren't, you could simply force the cable modem to reset
> to another ip address..

I tried reseting the cable modem but I'm not sure it changes my ip
address.
 
> you might have to work with comcast tech support to accomplish this. (get a
> 2nd/3rd level guy who actually knows/wants to help you out)

I'm going to try to talk with them about this tomorrow.
 
> if you've already done this, has it managed to slow the offender down?

No. But the attack had ceased when I got up this morning.
 
> do you have a router connected to the cable modem? does it log the ip
> addresses of the offending client?

I use pf with a block all incoming rule. I don't see any traffic with
pftop, but I saw a lot of incoming packets by observing the leds on my
cable modem. It's pretty clear to me that both F9 and Suse11 are
vulnerable to attack from the internet. I'm starting to get very
interested in linux security and preventing dos attacks.
 
 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of Dave Feustel
> Sent: Wednesday, November 26, 2008 3:54 AM
> To: Alan Cox
> Cc: Community assistance, encouragement,and advice for using Fedora.
> Subject: Re: F9 DOS attack
> 
> 
> On Tue, Nov 25, 2008 at 08:01:08PM +, Alan Cox wrote:
> > On Tue, 25 Nov 2008 14:58:27 -0500 (GMT-05:00)
> > Dave Feustel <[EMAIL PROTECTED]> wrote:
> >
> > > Well, my cable modem once again getting a LOT of unsolicited traffic
> > > from the internet - so much so that nothing I attempt to send gets
> > > out. My poor ole Dell doesn't even have enough oomph to process keyboard
> > > commands. Does this qualify as a DOS attack?
> > >
> > > Is there any way to get around this?
> >
> > Assuming you have firewalling configured to drop all the crud then no -
> > contact your ISP and law enforcement as appropriate.
> 
> I spoke with a Comcast technician yesterday. He said there was nothing
> Comcast could do and that the problem was that the 'bomber' was able to
> get my ip address by scanning my system. That seems inconsistent to me.
> 
> --
> fedora-list mailing list
> fedora-list@redhat.com
> To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
> Guidelines: http://fedoraproject.org/wiki/Communicate/MailingListGuidelines
> 
> -- 
> fedora-list mailing list
> fedora-list@redhat.com
> To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
> Guidelines: http://fedoraproject.org/wiki/Communicate/MailingListGuidelines

-- 
fedora-list mailing list
fedora-list@redhat.com
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
Guidelines: http://fedoraproject.org/wiki/Communicate/MailingListGuidelines

RE: F9 DOS attack

2008-11-26 Thread bruce

hi dave...

just saw this thread. are you running a static ip on your external internet
connection. if you aren't, you could simply force the cable modem to reset
to another ip address..

you might have to work with comcast tech support to accomplish this. (get a
2nd/3rd level guy who actually knows/wants to help you out)

if you've already done this, has it managed to slow the offender down?

do you have a router connected to the cable modem? does it log the ip
addresses of the offending client?

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Dave Feustel
Sent: Wednesday, November 26, 2008 3:54 AM
To: Alan Cox
Cc: Community assistance, encouragement,and advice for using Fedora.
Subject: Re: F9 DOS attack

On Tue, Nov 25, 2008 at 08:01:08PM +, Alan Cox wrote:
> On Tue, 25 Nov 2008 14:58:27 -0500 (GMT-05:00)
> Dave Feustel <[EMAIL PROTECTED]> wrote:
>
> > Well, my cable modem once again getting a LOT of unsolicited traffic
> > from the internet - so much so that nothing I attempt to send gets
> > out. My poor ole Dell doesn't even have enough oomph to process keyboard
> > commands. Does this qualify as a DOS attack?
> >
> > Is there any way to get around this?
>
> Assuming you have firewalling configured to drop all the crud then no -
> contact your ISP and law enforcement as appropriate.

I spoke with a Comcast technician yesterday. He said there was nothing
Comcast could do and that the problem was that the 'bomber' was able to
get my ip address by scanning my system. That seems inconsistent to me.

--
fedora-list mailing list
fedora-list@redhat.com
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
Guidelines: http://fedoraproject.org/wiki/Communicate/MailingListGuidelines

-- 
fedora-list mailing list
fedora-list@redhat.com
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
Guidelines: http://fedoraproject.org/wiki/Communicate/MailingListGuidelines

Re: F9 DOS attack

2008-11-26 Thread Bryan Hepworth


Alan Cox wrote:

I spoke with a Comcast technician yesterday. He said there was nothing
Comcast could do and that the problem was that the 'bomber' was able to
get my ip address by scanning my system. That seems inconsistent to me.



Sounds like you got the tea boy, or your ISP doesn't care (or both)

Alan

  

Note to self...

Do not take a mouthful of coffee before reading Alan's posts, now I have 
to clean up the mess I made!


--
fedora-list mailing list
fedora-list@redhat.com
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
Guidelines: http://fedoraproject.org/wiki/Communicate/MailingListGuidelines

Re: F9 DOS attack

2008-11-26 Thread Alan Cox

> I spoke with a Comcast technician yesterday. He said there was nothing
> Comcast could do and that the problem was that the 'bomber' was able to
> get my ip address by scanning my system. That seems inconsistent to me.

Sounds like you got the tea boy, or your ISP doesn't care (or both)

Alan

-- 
fedora-list mailing list
fedora-list@redhat.com
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
Guidelines: http://fedoraproject.org/wiki/Communicate/MailingListGuidelines

Re: F9 DOS attack

2008-11-26 Thread Dave Feustel

On Tue, Nov 25, 2008 at 08:01:08PM +, Alan Cox wrote:
> On Tue, 25 Nov 2008 14:58:27 -0500 (GMT-05:00)
> Dave Feustel <[EMAIL PROTECTED]> wrote:
> 
> > Well, my cable modem once again getting a LOT of unsolicited traffic
> > from the internet - so much so that nothing I attempt to send gets
> > out. My poor ole Dell doesn't even have enough oomph to process keyboard
> > commands. Does this qualify as a DOS attack?
> > 
> > Is there any way to get around this?
> 
> Assuming you have firewalling configured to drop all the crud then no -
> contact your ISP and law enforcement as appropriate.

I spoke with a Comcast technician yesterday. He said there was nothing
Comcast could do and that the problem was that the 'bomber' was able to
get my ip address by scanning my system. That seems inconsistent to me.

-- 
fedora-list mailing list
fedora-list@redhat.com
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
Guidelines: http://fedoraproject.org/wiki/Communicate/MailingListGuidelines

Re: F9 DOS attack

2008-11-25 Thread Alan Cox

On Tue, 25 Nov 2008 14:58:27 -0500 (GMT-05:00)
Dave Feustel <[EMAIL PROTECTED]> wrote:

> Well, my cable modem once again getting a LOT of unsolicited traffic
> from the internet - so much so that nothing I attempt to send gets
> out. My poor ole Dell doesn't even have enough oomph to process keyboard
> commands. Does this qualify as a DOS attack?
> 
> Is there any way to get around this?

Assuming you have firewalling configured to drop all the crud then no -
contact your ISP and law enforcement as appropriate.

-- 
fedora-list mailing list
fedora-list@redhat.com
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
Guidelines: http://fedoraproject.org/wiki/Communicate/MailingListGuidelines

re: F9 DOS attack

2008-11-25 Thread Dave Feustel

Well, my cable modem once again getting a LOT of unsolicited traffic
from the internet - so much so that nothing I attempt to send gets
out. My poor ole Dell doesn't even have enough oomph to process keyboard
commands. Does this qualify as a DOS attack?

Is there any way to get around this?

Thanks.

-- 
fedora-list mailing list
fedora-list@redhat.com
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
Guidelines: http://fedoraproject.org/wiki/Communicate/MailingListGuidelines

Re: F9 DOS attack

Re: F9 DOS attack

Re: F9 DOS attack

Re: F9 DOS attack

RE: F9 DOS attack

Re: F9 DOS attack

RE: F9 DOS attack

RE: F9 DOS attack

Re: F9 DOS attack

Re: F9 DOS attack

Re: F9 DOS attack

Re: F9 DOS attack

RE: F9 DOS attack

Re: F9 DOS attack

Re: F9 DOS attack

Re: F9 DOS attack

Re: F9 DOS attack

re: F9 DOS attack

18 matches

Site Navigation

Mail list logo

Footer information