Re: F9 DOS attack

2008-11-27 Thread Dave Feustel
On Thu, Nov 27, 2008 at 02:25:26AM +1030, Tim wrote:
 On Wed, 2008-11-26 at 06:54 -0500, Dave Feustel wrote:
  I spoke with a Comcast technician yesterday. He said there was nothing
  Comcast could do and that the problem was that the 'bomber' was able
  to get my ip address by scanning my system. That seems inconsistent to
  me.
 
 If you're chatting with your ISP, I'd ask them if it's just you being
 flooded, or a range of their IP addresses.  Then you'll know if you're a
 direct target.  If they can't work that out, they're hopeless.

I just tried whois 68.87.72.130 (the ip address in all the unsolicited
packets that were coming in) and that is a comcast ip address
(something to do with 'jumpstart'). Does anyone know anything about this?

-- 
fedora-list mailing list
fedora-list@redhat.com
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
Guidelines: http://fedoraproject.org/wiki/Communicate/MailingListGuidelines


Re: F9 DOS attack

2008-11-27 Thread Richard England

Dave Feustel wrote:
 On Thu, Nov 27, 2008 at 02:25:26AM +1030, Tim wrote:
  On Wed, 2008-11-26 at 06:54 -0500, Dave Feustel wrote:
   I spoke with a Comcast technician yesterday. He said there was nothing
   Comcast could do and that the problem was that the 'bomber' was able
   to get my ip address by scanning my system. That seems inconsistent to
   me.
  
  If you're chatting with your ISP, I'd ask them if it's just you being
  flooded, or a range of their IP addresses.  Then you'll know if you're a
  direct target.  If they can't work that out, they're hopeless.
 
 I just tried whois 68.87.72.130 (the ip address in all the unsolicited
 packets that were coming in) and that is a comcast ip address
 (something to do with 'jumpstart'). Does anyone know anything about this?

$ whois -vi 68.87.72.130
[Querying whois.arin.net]
[whois.arin.net]
Comcast Cable Communications, Inc. JUMPSTART-2 (NET-68-80-0-0-1)
 68.80.0.0 - 68.87.255.255
Comcast Cable Communications, Inc. COMCAST-18 (NET-68-87-64-0-1)
 68.87.64.0 - 68.87.127.255

# ARIN WHOIS database, last updated 2008-11-26 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database.


Ran this through http://cqcounter.com/whois/ and got the following
back.  Which makes this look like one of the Comcast DNS servers. No?

OrgName:    Comcast Cable Communications, Inc.
OrgID:      CMCS
Address:    1800 Bishops Gate Blvd
City:       Mt Laurel
StateProv:  NJ
PostalCode: 08054
Country:    US

NetRange:   68.80.0.0 - 68.87.255.255
CIDR:       68.80.0.0/13
NetName:    JUMPSTART-2
NetHandle:  NET-68-80-0-0-1
Parent:     NET-68-0-0-0-0
NetType:    Direct Allocation
NameServer: DNS101.COMCAST.NET
NameServer: DNS102.COMCAST.NET
NameServer: DNS103.COMCAST.NET
Comment:    ADDRESSES WITHIN THIS BLOCK ARE NON-PORTABLE
RegDate:    2002-01-28
Updated:    2008-10-31

RTechHandle: IC161-ARIN
RTechName:   Comcast Cable Communications Inc
RTechPhone:  +1-856-317-7200
RTechEmail:  [EMAIL PROTECTED]

OrgAbuseHandle: NAPO-ARIN
OrgAbuseName:   Network Abuse and Policy Observance
OrgAbusePhone:  +1-856-317-7272
OrgAbuseEmail:  [EMAIL PROTECTED]

OrgTechHandle: IC161-ARIN
OrgTechName:   Comcast Cable Communications Inc
OrgTechPhone:  +1-856-317-7200
OrgTechEmail:  [EMAIL PROTECTED]

CustName:   Comcast Cable Communications, Inc.
Address:    1800 Bishops Gate Blvd
City:       Mt Laurel
StateProv:  NJ
PostalCode: 08054
Country:    US
RegDate:    2007-04-17
Updated:    2007-04-17

NetRange:   68.87.64.0 - 68.87.127.255
CIDR:       68.87.64.0/18
NetName:    COMCAST-18
NetHandle:  NET-68-87-64-0-1
Parent:     NET-68-80-0-0-1
NetType:    Reassigned
Comment:
RegDate:    2007-04-17
Updated:    2007-04-17

RTechHandle: IC161-ARIN
RTechName:   Comcast Cable Communications Inc
RTechPhone:  +1-856-317-7200
RTechEmail:  [EMAIL PROTECTED]

OrgAbuseHandle: NAPO-ARIN
OrgAbuseName:   Network Abuse and Policy Observance
OrgAbusePhone:  +1-856-317-7272
OrgAbuseEmail:  [EMAIL PROTECTED]

OrgTechHandle: IC161-ARIN
OrgTechName:   Comcast Cable Communications Inc
OrgTechPhone:  +1-856-317-7200
OrgTechEmail:  [EMAIL PROTECTED]

# ARIN WHOIS database, last updated 2008-11-26 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database.
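Added example, not from the thread or from any of the posters: a small Python parser for ARIN-style whois output like the record above. It pulls each NetRange/CIDR pair out of the text, checks that the printed range agrees with the CIDR, and reports the most specific allocation containing the queried address (the reassigned /18 rather than the enclosing /13 direct allocation), which is the record whose abuse contact is responsible. The sample record is constructed from the two Comcast nets quoted above; 68.87.72.130 is the address from Dave's post.

```python
import ipaddress
import re

# Constructed sample, trimmed to the fields this parser uses; the values are
# the two Comcast nets quoted in the thread, not a fresh whois lookup.
SAMPLE_WHOIS = """\
NetRange:   68.80.0.0 - 68.87.255.255
CIDR:       68.80.0.0/13
NetName:    JUMPSTART-2
NetHandle:  NET-68-80-0-0-1
NetType:    Direct Allocation

NetRange:   68.87.64.0 - 68.87.127.255
CIDR:       68.87.64.0/18
NetName:    COMCAST-18
NetHandle:  NET-68-87-64-0-1
Parent:     NET-68-80-0-0-1
NetType:    Reassigned
"""

FIELD_RE = re.compile(r"^([A-Za-z]+):\s*(.*)$")


def parse_records(text):
    """Split whois text into blank-line separated records that carry a CIDR.

    Each record becomes a dict field -> value; repeated fields such as
    NameServer keep only their first value, which is all this check needs.
    """
    records = []
    for chunk in re.split(r"\n\s*\n", text.strip()):
        rec = {}
        for line in chunk.splitlines():
            m = FIELD_RE.match(line.strip())
            if m:
                rec.setdefault(m.group(1), m.group(2).strip())
        if "CIDR" in rec:
            records.append(rec)
    return records


def range_matches_cidr(rec):
    """True if the NetRange start/end equal the CIDR block's first/last address.

    ARIN prints both forms; a mismatch means the record was mangled on the way
    (e.g. by a web front end that rewrites the addresses as links).
    """
    if "NetRange" not in rec:
        return False
    start, _, end = (p.strip() for p in rec["NetRange"].partition("-"))
    nets = [ipaddress.ip_network(c.strip(), strict=True)
            for c in rec["CIDR"].split(",")]
    nets.sort(key=lambda n: int(n.network_address))
    return (str(nets[0].network_address) == start
            and str(nets[-1].broadcast_address) == end)


def most_specific_net(text, ip):
    """Return (NetName, NetType, cidr) of the longest prefix containing ip.

    Overlapping records are normal: the direct allocation JUMPSTART-2 (/13)
    contains the reassigned COMCAST-18 (/18).  The longest prefix is the
    record to read the abuse contact from.  Returns None if nothing matches.
    """
    addr = ipaddress.ip_address(ip)
    best = None
    for rec in parse_records(text):
        for cidr in rec["CIDR"].split(","):
            net = ipaddress.ip_network(cidr.strip(), strict=True)
            if addr in net and (best is None or net.prefixlen > best[2].prefixlen):
                best = (rec.get("NetName", "?"), rec.get("NetType", "?"), net)
    if best is None:
        return None
    return best[0], best[1], str(best[2])


if __name__ == "__main__":
    for rec in parse_records(SAMPLE_WHOIS):
        ok = "range ok" if range_matches_cidr(rec) else "RANGE/CIDR MISMATCH"
        print(rec["NetName"], rec["CIDR"], ok)
    print(most_specific_net(SAMPLE_WHOIS, "68.87.72.130"))
```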





Re: F9 DOS attack

2008-11-26 Thread Dave Feustel
On Tue, Nov 25, 2008 at 08:01:08PM +, Alan Cox wrote:
 On Tue, 25 Nov 2008 14:58:27 -0500 (GMT-05:00)
 Dave Feustel [EMAIL PROTECTED] wrote:
 
  Well, my cable modem once again getting a LOT of unsolicited traffic
  from the internet - so much so that nothing I attempt to send gets
  out. My poor ole Dell doesn't even have enough oomph to process keyboard
  commands. Does this qualify as a DOS attack?
  
  Is there any way to get around this?
 
 Assuming you have firewalling configured to drop all the crud then no -
 contact your ISP and law enforcement as appropriate.

I spoke with a Comcast technician yesterday. He said there was nothing
Comcast could do and that the problem was that the 'bomber' was able to
get my ip address by scanning my system. That seems inconsistent to me.



Re: F9 DOS attack

2008-11-26 Thread Bryan Hepworth

Alan Cox wrote:
  I spoke with a Comcast technician yesterday. He said there was nothing
  Comcast could do and that the problem was that the 'bomber' was able to
  get my ip address by scanning my system. That seems inconsistent to me.
 
 Sounds like you got the tea boy, or your ISP doesn't care (or both)
 
 Alan

Note to self...

Do not take a mouthful of coffee before reading Alan's posts, now I have 
to clean up the mess I made!




RE: F9 DOS attack

2008-11-26 Thread bruce
hi dave...

just saw this thread. are you running a static ip on your external internet
connection? if you aren't, you could simply force the cable modem to reset
to another ip address..

you might have to work with comcast tech support to accomplish this. (get a
2nd/3rd level guy who actually knows/wants to help you out)

if you've already done this, has it managed to slow the offender down?

do you have a router connected to the cable modem? does it log the ip
addresses of the offending client?





Re: F9 DOS attack

2008-11-26 Thread Alan Cox
 I spoke with a Comcast technician yesterday. He said there was nothing
 Comcast could do and that the problem was that the 'bomber' was able to
 get my ip address by scanning my system. That seems inconsistent to me.

Sounds like you got the tea boy, or your ISP doesn't care (or both)

Alan



Re: F9 DOS attack

2008-11-26 Thread Dave Feustel
On Wed, Nov 26, 2008 at 05:30:09AM -0800, bruce wrote:
 hi dave...
 
 just saw this thread. are you running a static ip on your external internet
 connection. if you aren't, you could simply force the cable modem to reset
 to another ip address..

I tried resetting the cable modem but I'm not sure it changes my ip
address.
 
 you might have to work with comcast tech support to accomplish this. (get a
 2nd/3rd level guy who actually knows/wants to help you out)

I'm going to try to talk with them about this tomorrow.
 
 if you've already done this, has it managed to slow the offender down?

No. But the attack had ceased when I got up this morning.
 
 do you have a router connected to the cable modem? does it log the ip
 addresses of the offending client?

I use pf with a block all incoming rule. I don't see any traffic with
pftop, but I saw a lot of incoming packets by observing the leds on my
cable modem. It's pretty clear to me that both F9 and Suse11 are
vulnerable to attack from the internet. I'm starting to get very
interested in linux security and preventing dos attacks.
 
 


Re: F9 DOS attack

2008-11-26 Thread Tim
On Wed, 2008-11-26 at 06:54 -0500, Dave Feustel wrote:
 I spoke with a Comcast technician yesterday. He said there was nothing
 Comcast could do and that the problem was that the 'bomber' was able
 to get my ip address by scanning my system. That seems inconsistent to
 me.

If you're chatting with your ISP, I'd ask them if it's just you being
flooded, or a range of their IP addresses.  Then you'll know if you're a
direct target.  If they can't work that out, they're hopeless.

As far as security goes, turn off the services you don't need.  And
configure the ones that you do need, to not listen to the outside world
unnecessarily (secure the services properly, don't rely on a firewall to
stand in the way).  Then, add a firewall to your mix.  It's an extra
layer, not the only thing you should use in your defence.

Attempts to crack into your system over SSH, for instance, will be water
off a duck's back if you don't have an SSH server running, or it never
listens to the world interface.

-- 
[EMAIL PROTECTED] ~]$ uname -r
2.6.27.5-41.fc9.i686

Don't send private replies to my address, the mailbox is ignored.  I
read messages from the public lists.
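Added example, not from the thread or from Tim: a Python audit of `netstat -tuln` output that sorts each bound socket into loopback-only, all-interfaces, or bound-to-one-interface, then lists whatever is reachable from beyond loopback and not on an allowlist of ports you actually need; those are the listeners to turn off or rebind to 127.0.0.1/::1 before relying on the firewall. The sample output is constructed and is not from any host in the thread.

```python
import ipaddress

# Constructed sample in `netstat -tuln` layout (the tool on a Fedora 9 box);
# not real output from any machine mentioned in the thread.
SAMPLE_NETSTAT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address               Foreign Address             State
tcp        0      0 127.0.0.1:631               0.0.0.0:*                   LISTEN
tcp        0      0 0.0.0.0:22                  0.0.0.0:*                   LISTEN
tcp        0      0 :::80                       :::*                        LISTEN
tcp        0      0 ::1:25                      :::*                        LISTEN
udp        0      0 0.0.0.0:111                 0.0.0.0:*
udp        0      0 192.168.1.10:123            0.0.0.0:*
"""

PROTOS = ("tcp", "tcp6", "udp", "udp6")


def scope_of(addr):
    """Classify a bound address: 'loopback', 'wildcard' (all interfaces),
    'interface' (one specific address) or 'unknown'."""
    if addr in ("0.0.0.0", "::", "*"):
        return "wildcard"
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return "unknown"
    return "loopback" if ip.is_loopback else "interface"


def parse_listeners(text):
    """Return one dict per bound socket in netstat -tuln style output.

    TCP rows count only in LISTEN state; UDP rows have no state column, so
    every bound UDP socket is reported.  netstat prints IPv6 as ':::80' or
    '::1:25', so the port is split off at the last colon.
    """
    found = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] not in PROTOS:
            continue  # banner, header, or a row we do not understand
        proto, local = fields[0], fields[3]
        state = fields[5] if len(fields) > 5 else None
        if proto.startswith("tcp") and state != "LISTEN":
            continue
        addr, _, port = local.rpartition(":")
        if not port.isdigit():
            continue
        found.append({"proto": proto, "addr": addr, "port": int(port),
                      "scope": scope_of(addr)})
    return found


def exposed_listeners(text, needed_ports=frozenset()):
    """Listeners reachable from beyond loopback that are not on the allowlist.

    Everything returned is a candidate to disable, or to rebind to the
    loopback address if only local clients use it.  'interface' scope is
    included because a specific address may be the one facing the modem.
    """
    return [l for l in parse_listeners(text)
            if l["scope"] != "loopback" and l["port"] not in needed_ports]


if __name__ == "__main__":
    # Assumes only ssh (22) is wanted from outside, as an illustration.
    for l in exposed_listeners(SAMPLE_NETSTAT, needed_ports={22}):
        print("%-4s %-15s port %-5d (%s)" % (l["proto"], l["addr"], l["port"], l["scope"]))
```

Feed it the real output of `netstat -tuln` on the host; as root, `netstat -tulnp` adds the owning process so each flagged port can be traced to its service.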





Re: F9 DOS attack

2008-11-26 Thread Rick Stevens

Dave Feustel wrote:
 On Wed, Nov 26, 2008 at 05:30:09AM -0800, bruce wrote:
  hi dave...
  
  just saw this thread. are you running a static ip on your external internet
  connection? if you aren't, you could simply force the cable modem to reset
  to another ip address..
 
 I tried resetting the cable modem but I'm not sure it changes my ip
 address.
  
  you might have to work with comcast tech support to accomplish this. (get a
  2nd/3rd level guy who actually knows/wants to help you out)
 
 I'm going to try to talk with them about this tomorrow.
  
  if you've already done this, has it managed to slow the offender down?
 
 No. But the attack had ceased when I got up this morning.
  
  do you have a router connected to the cable modem? does it log the ip
  addresses of the offending client?
 
 I use pf with a block all incoming rule. I don't see any traffic with
 pftop, but I saw a lot of incoming packets by observing the leds on my
 cable modem. It's pretty clear to me that both F9 and Suse11 are
 vulnerable to attack from the internet. I'm starting to get very
 interested in linux security and preventing dos attacks.


ANYTHING connected to the internet is vulnerable to attack, be it SYN
floods, brute force SSH attempts, any number of others.  Wait till you
get a DC++ attack!  The only way to block that sucker is to do a deep
packet inspection of the payload and drop the connections or find the
hub that has you listed and kill it somehow.

It's totally irrelevant what OS you run, it's an attack against the
interface.  Different OSes handle it differently.  It's best to have a
hardware firewall out front, but then internal software firewalls like
iptables are your second level of defense.  Next is making sure only
the network listeners you NEED are enabled.  I manage a network
that seems to have a big, red target painted on it.  I deal with this
all the time.  Thank goodness for our Cisco, Foundry and Radware gear
out front!  They block most of it, the rest we deal with via iptables
and we monitor EVERYTHING (my cell phone has almost melted on occasion
from the SMS text alerts when a DOS is attempted).

As to your problem, Comcast's first level techs (and I'm being generous
using that term) are notoriously crappy as far as solving problems.
They're not much more than telemarketers and work off a script. Ask them
something off script and they're at sea.  Can't say Time Warner is much
better.  One problem I had with them:

Me: I'm not getting a DHCP address from you, your DHCP servers are down.
Them: Which OS?
Me: Linux.
Them: Oh, we don't support Linux.
Me: DHCP is DHCP you twit.  The OS has nothing to do with it!  Let me
talk to a level 3 tech.
(this went on for about five minutes, I threatened dire vengeance,
then I got a level 3 guy [skipped level 2, they're idiots, too])
Level3Guy: What's the problem?
Me: You're not giving out DHCP addresses.  Your servers are down.
L3G: I don't think so.
Me: Dude, I'm watching a tcpdump of it.  I'm sending requests and
you're not answering.  No denials, no responses, nada.
L3G: Let me check.
(long pause)
L3G: Yeah, six of them crashed.
Me: You don't monitor that sort of thing?
L3G: Uh, guess not.
Me: ARRGHHH!

--
- Rick Stevens, Systems Engineer                     [EMAIL PROTECTED] -
- AIM/Skype: therps2    ICQ: 22643734    Yahoo: origrps2              -
--
-   If the enemy's in range...so are you!                            -
--



Re: F9 DOS attack

2008-11-26 Thread Fred Silsbee



refreshing news on the internet a few weeks ago: a big load of spammers and
internet attackers headed to prison

Have some compassion now! The problem started with their childhood
potty training!

Ref: the basement guy in the De Niro/Norton movie The Score



  



RE: F9 DOS attack

2008-11-26 Thread bruce
hey rick...

are you the same rick, who used to work with a company in san mateo.. that
used to deal with akamai...






Re: F9 DOS attack

2008-11-26 Thread Rick Stevens

bruce wrote:

hey rick...

are you the same rick, who used to work with a company in san mateo.. that
used to deal with akamai...


A couple of friends and I founded SiteStream in '99.  In '01 we merged
with another company and renamed the new beast VitalStream, which was
an Akamai (and SpeedEra) competitor.  We were based in Irvine in SoCal
(San Mateo is in NoCal).

VitalStream was acquired by Internap in February of '06 and they've made
a sad hash of what was a great company.  I left there in April of '08 as
I couldn't stand to watch my baby abused the way it was any longer.
--
- Rick Stevens, Systems Engineer                     [EMAIL PROTECTED] -
- AIM/Skype: therps2    ICQ: 22643734    Yahoo: origrps2              -
--
-   I haven't lost my mind.  It's backed up on tape somewhere, but    -
-   probably not recoverable.                                         -
--



RE: F9 DOS attack

2008-11-26 Thread bruce
yes.. vitalstream!! that was it, with internap...

hey.. is the email address at the bottom valid for you?

-bruce


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Rick Stevens
Sent: Wednesday, November 26, 2008 2:34 PM
To: Community assistance, encouragement,and advice for using Fedora.
Subject: Re: F9 DOS attack


bruce wrote:
 hey rick...

 are you the same rick, who used to work with a company in san mateo.. that
 used to deal with akamai...

A couple of friends and I founded SiteStream in '99.  In '01 we merged
with another company and renamed the new beast VitalStream, which was
an Akamai (and SpeedEra) competitor.  We were based in Irvine in SoCal
(San Mateo is in NoCal).

VitalStream was acquired by Internap in February of '06 and they've made
a sad hash of what was a great company.  I left there in April of '08 as
I couldn't stand to watch my baby abused the way it was any longer.
----------------------------------------------------------------------
- Rick Stevens, Systems Engineer                    [EMAIL PROTECTED] -
- AIM/Skype: therps2      ICQ: 22643734      Yahoo: origrps2         -
----------------------------------------------------------------------
-   I haven't lost my mind.  It's backed up on tape somewhere, but   -
-   probably not recoverable.                                        -
----------------------------------------------------------------------



Re: F9 DOS attack

2008-11-26 Thread Dave Feustel
On Thu, Nov 27, 2008 at 02:25:26AM +1030, Tim wrote:
 On Wed, 2008-11-26 at 06:54 -0500, Dave Feustel wrote:
  I spoke with a Comcast technician yesterday. He said there was nothing
  Comcast could do and that the problem was that the 'bomber' was able
  to get my ip address by scanning my system. That seems inconsistent to
  me.
 
 If you're chatting with your ISP, I'd ask them if it's just you being
 flooded, or a range of their IP addresses.  Then you'll know if you're a
 direct target.  If they can't work that out, they're hopeless.
 
 As far as security goes, turn off the services you don't need.  And
 configure the ones that you do need, to not listen to the outside world
 unnecessarily (secure the services properly, don't rely on a firewall to
 stand in the way).  Then, add a firewall to your mix.  It's an extra
 layer, not the only thing you should use in your defence.

I don't run any servers. My total activity is email, browsing, and RSS.
I don't even use ssh. Makes me wonder what I did to provoke the attack
(assuming that the attack was specifically directed at me.)
 
 Attempts to crack into your system over SSH, for instance, will be water
 off a duck's back if you don't have an SSH server running, or it never
 listens to the world interface.
 
 -- 
 [EMAIL PROTECTED] ~]$ uname -r
 2.6.27.5-41.fc9.i686
 
 Don't send private replies to my address, the mailbox is ignored.  I
 read messages from the public lists.
 
 
 
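A quick way to check the first part of Tim's advice above (which services actually answer on the outside interface rather than loopback only), as an added example that is not from the thread. It assumes the column layout of `ss -ltun` from iproute and runs here on a constructed sample rather than a live socket table:

```shell
#!/bin/sh
# Added example, not from the thread: list listening sockets bound to every
# interface (the "world interface") rather than to loopback only.
# Assumes `ss -ltun` columns: Netid State Recv-Q Send-Q Local:Port Peer:Port.

# Constructed sample in `ss -ltun` format, so the check runs offline.
SAMPLE_SS='Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
tcp   LISTEN 0      128    127.0.0.1:25        0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
tcp   LISTEN 0      5      127.0.0.1:631       0.0.0.0:*
udp   UNCONN 0      0      0.0.0.0:111         0.0.0.0:*
tcp   LISTEN 0      128    [::]:22             [::]:*
udp   UNCONN 0      0      [::1]:323           [::]:*'

# Read ss output on stdin; print "proto port" for each socket bound to all
# interfaces (0.0.0.0, ::, or *). Loopback-bound sockets are ignored.
world_listeners() {
    awk '
        NR == 1 { next }                        # skip the header line
        {
            n = split($5, a, ":")               # "addr:port": port is the last piece
            port = a[n]
            addr = substr($5, 1, length($5) - length(port) - 1)
            if (addr == "0.0.0.0" || addr == "*" || addr == "[::]" || addr == "::")
                print $1, port
        }'
}

# Number of world-reachable listeners; 0 means nothing answers unsolicited
# packets from the outside, which is the state Tim recommends for a desktop.
world_listener_count() {
    world_listeners | wc -l | tr -d ' '
}

# On a live box:  ss -ltun | world_listeners   (add -p to see the process).
# Offline demonstration on the constructed sample:
printf '%s\n' "$SAMPLE_SS" | world_listeners     # prints: tcp 22 / udp 111 / tcp 22
```

Anything the script reports is a service to turn off, or to rebind to 127.0.0.1, before relying on the firewall as the extra layer.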


Re: F9 DOS attack

2008-11-26 Thread Tim
On Wed, 2008-11-26 at 19:56 -0500, Dave Feustel wrote:
 I don't run any servers.

Does that mean you don't use them, or that you've actually turned them
off?

 Makes me wonder what I did to provoke the attack

Possibly nothing.  For some victims, merely existing is reason enough.

Years ago, I used to notice increased firewall activity any time I made
a public posting.  I wasn't doing anything inflammatory, so I assume
that miscreants were monitoring the list to capture what they hoped were
currently in-use IP addresses.  These days there's less point in doing
that: with always-on DSL and cable services, many of the IP addresses
will always be in use.  Though the capturing idea does tend to identify
an IP address and the OS in use, so they might go looking for ones
with vulnerabilities that they know how to exploit.


-- 
[EMAIL PROTECTED] ~]$ uname -r
2.6.27.5-41.fc9.i686

Don't send private replies to my address, the mailbox is ignored.  I
read messages from the public lists.





re: F9 DOS attack

2008-11-25 Thread Dave Feustel
Well, my cable modem is once again getting a LOT of unsolicited traffic
from the internet - so much so that nothing I attempt to send gets
out. My poor ole Dell doesn't even have enough oomph to process keyboard
commands. Does this qualify as a DOS attack?

Is there any way to get around this?

Thanks.



Re: F9 DOS attack

2008-11-25 Thread Alan Cox
On Tue, 25 Nov 2008 14:58:27 -0500 (GMT-05:00)
Dave Feustel [EMAIL PROTECTED] wrote:

 Well, my cable modem once again getting a LOT of unsolicited traffic
 from the internet - so much so that nothing I attempt to send gets
 out. My poor ole Dell doesn't even have enough oomph to process keyboard
 commands. Does this qualify as a DOS attack?
 
 Is there any way to get around this?

Assuming you have firewalling configured to drop all the crud then no -
contact your ISP and law enforcement as appropriate.
