Question
In the last few days my server suffers an attack of this kind: (bandwith > 60MBit/s, XXX.XXX.XXX.XXX are multiple IPs)
https://stackoverflow.com/questions/16173476
italiano
english
français
española
中国
日本の
العربية
Deutsch
한국어
Português
Russian tcpdump -n proto ICMP
17:15:19.267464 IP XXX.XXX.XXX.XXX > my_ip: ICMP time exceeded in-transit, length 36
17:15:19.325217 IP XXX.XXX.XXX.XXX > my_ip: ICMP time exceeded in-transit, length 36
17:15:19.345561 IP XXX.XXX.XXX.XXX > my_ip: ICMP time exceeded in-transit, length 56
17:15:19.484865 IP XXX.XXX.XXX.XXX > my_ip: ICMP time exceeded in-transit, length 36
17:15:19.529616 IP XXX.XXX.XXX.XXX > my_ip: ICMP time exceeded in-transit, length 36
17:15:19.957058 IP XXX.XXX.XXX.XXX > my_ip: ICMP YYY.YYY.YYY.YYY tcp port 39692 unreachable, length 36
17:15:19.968957 IP XXX.XXX.XXX.XXX > my_ip: ICMP host YYY.YYY.YYY.YYY unreachable, length 56
17:15:20.112520 IP XXX.XXX.XXX.XXX > my_ip: ICMP host YYY.YYY.YYY.YYY unreachable, length 56
17:15:20.203199 IP XXX.XXX.XXX.XXX > my_ip: ICMP host YYY.YYY.YYY.YYY unreachable, length 36
17:15:20.204803 IP XXX.XXX.XXX.XXX > my_ip: ICMP host YYY.YYY.YYY.YYY unreachable, length 36
I've FreeBSD 9.1 and my pf.conf is
ext_if="em0"
table <blockedips> persist file "/etc/pf-blocked-ips.conf"
set skip on lo0
block drop in log (all) quick on $ext_if from <blockedips> to any
block in
pass out flags S/SA keep state
pass in on $ext_if proto tcp to port 80 flags S/SA keep state
pass in on $ext_if proto tcp to port ssh flags S/SA synproxy state
There's anything that i can do with pf?
Solution
It looks like you might be receiving some backscatter from a ddos attack (http://blog.usu.edu/security/2010/08/24/backscatters-the-name-dos-the-game/).
There's not much you can do about this unless you can filter them in a switch before they hit your server; they're already getting dropped in the kernel as a network anomaly.
