labrocca
I have this in my logs:
16:27:20.626762 IP smtp.as.ro.http > ns2.domain.com.51891: . 372412:373860(1448) ack 1 win 1716 <nop,nop,timestamp 379626649 1892617291>
16:27:20.628011 IP smtp.as.ro.http > ns2.domain.com.51891: . 373860:375308(1448) ack 1 win 1716 <nop,nop,timestamp 379626649 1892617291>
16:27:20.628039 IP ns2.domain.com.51891 > smtp.as.ro.http: . ack 375308 win 32580 <nop,nop,timestamp 1892617620 379626649>
16:27:20.629260 IP smtp.as.ro.http > ns2.domain.com.51891: . 375308:376756(1448) ack 1 win 1716 <nop,nop,timestamp 379626650 1892617292>
16:27:20.629288 IP ns2.domain.com.51891 > smtp.as.ro.http: . ack 376756 win 33304 <nop,nop,timestamp 1892617621 379626650>
16:27:20.630509 IP cpe-66-74-154-25.socal.res.rr.com.1156 > ns1.domain.com.http: P 1:1393(1392) ack 1 win 65535
16:27:20.640708 IP ns1.domain.com.http > 82.115.16.118.16812: . ack 1368 win 32148 <nop,nop,timestamp 1892617633 7362279>
16:27:20.644512 IP 78.140.130.213.http > ns2.domain.com.53910: . 2897:4345(1448) ack 175 win 17376 <nop,nop,timestamp 439326923 1892617546>
16:27:20.645755 IP 78.140.130.213.http > ns2.domain.com.53910: . 4345:5793(1448) ack 175 win 17376 <nop,nop,timestamp 439326923 1892617546>
16:27:20.645803 IP ns2.domain.com.53910 > 78.140.130.213.http: . ack 5793 win 31856 <nop,nop,timestamp 1892617638 439326923>
16:27:20.645835 IP ns2.domain.com.53910 > 78.140.130.213.http: . ack 5793 win 33304 <nop,nop,timestamp 1892617638 439326923>
16:27:20.647001 IP 78.140.130.213.http > ns2.domain.com.53910: . 5793:7241(1448) ack 175 win 17376 <nop,nop,timestamp 439326923 1892617546>
16:27:20.648127 IP smtp.as.ro.http > ns2.domain.com.51891: . 376756:378204(1448) ack 1 win 1716 <nop,nop,timestamp 379626760 1892617403>
16:27:20.649377 IP smtp.as.ro.http > ns2.domain.com.56971: . 165072:166520(1448) ack 1 win 1716 <nop,nop,timestamp 379626663 1892617304>
As you can see... they are using my NS2 to do a LOT of traffic to hit other sites. I replaced my domain obviously, but this server is both ns1.domain.com and ns2.domain.com. The attack is from smtp.as.ro. It's bizarre because I can't figure out how they are passing my firewall.
00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any
00400 deny tcp from any to any frag
00505 deny ip from any to any dst-port 32566-65534
01500 deny ip from table(1) to me
01600 check-state
01700 deny tcp from any to any established
01800 allow ip from any to any out keep-state
01900 allow icmp from any to any
02000 allow tcp from any to any dst-port 21 setup keep-state
02100 allow tcp from any to any dst-port 22 setup keep-state
02200 allow tcp from any to any dst-port 25 setup keep-state
02300 allow tcp from any to any dst-port 53 setup keep-state
02400 allow udp from any to any dst-port 53 keep-state
02500 allow tcp from any to any dst-port 80 setup keep-state
02600 allow tcp from any to any dst-port 110 setup keep-state
02700 allow tcp from any to any dst-port 143 setup keep-state
02800 allow tcp from any to any dst-port 443 setup keep-state
02900 allow tcp from any to any dst-port 2222 setup keep-state
03000 allow tcp from any to any dst-port 32555-32565 in setup keep-state
03100 deny log logamount 10 ip from any to any
65535 deny ip from any to any
There you can see that I had to add rule 505 to block the high ports early in the ruleset but I know that's not the right way to block this. And without that rule they SHOULDN'T be hitting those ports anyways.
Help is GREATLY appreciated.
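The following is an added example, not code from the original post: a small parser for the tcpdump lines quoted above that groups packets into flows and records, for each flow, which side holds the service port (tcpdump prints a resolved name such as `http` or a privileged number for the listening side). That tells you whether the local host opened the connection (local ephemeral port talking to a remote `http` port) or is serving one. It matters for the ruleset question because, in ipfw, an `allow ... out keep-state` rule creates a dynamic entry that `check-state` later uses to admit the reply packets of that connection, including replies arriving at the high local port. The hostnames `ns1.domain.com` / `ns2.domain.com` are taken from the post; the 1024 cut-off for "service port" is an assumption of this example.

```python
import re
from collections import defaultdict

# Matches the tcpdump TCP summary format quoted in the post, e.g.
# "16:27:20.626762 IP smtp.as.ro.http > ns2.domain.com.51891: . 372412:373860(1448) ack 1 win 1716 <...>"
# tcpdump prints "host.port", resolving the port to a service name (http) when it knows one.
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP "
    r"(?P<src>\S+)\.(?P<sport>[^.\s:]+) > "
    r"(?P<dst>\S+)\.(?P<dport>[^.\s:]+): "
    r"(?P<rest>.*)$"
)
# "(1448)" after the sequence range is the TCP payload length; pure ACK lines have none.
PAYLOAD_RE = re.compile(r"\((\d+)\)")

# Hostnames of the local box, as given in the post (one machine carrying both names).
LOCAL_HOSTS = {"ns1.domain.com", "ns2.domain.com"}

# Sample input: the tcpdump lines quoted in the post, embedded so the example runs offline.
SAMPLE_LOG = """
16:27:20.626762 IP smtp.as.ro.http > ns2.domain.com.51891: . 372412:373860(1448) ack 1 win 1716 <nop,nop,timestamp 379626649 1892617291>
16:27:20.628011 IP smtp.as.ro.http > ns2.domain.com.51891: . 373860:375308(1448) ack 1 win 1716 <nop,nop,timestamp 379626649 1892617291>
16:27:20.628039 IP ns2.domain.com.51891 > smtp.as.ro.http: . ack 375308 win 32580 <nop,nop,timestamp 1892617620 379626649>
16:27:20.629260 IP smtp.as.ro.http > ns2.domain.com.51891: . 375308:376756(1448) ack 1 win 1716 <nop,nop,timestamp 379626650 1892617292>
16:27:20.629288 IP ns2.domain.com.51891 > smtp.as.ro.http: . ack 376756 win 33304 <nop,nop,timestamp 1892617621 379626650>
16:27:20.630509 IP cpe-66-74-154-25.socal.res.rr.com.1156 > ns1.domain.com.http: P 1:1393(1392) ack 1 win 65535
16:27:20.640708 IP ns1.domain.com.http > 82.115.16.118.16812: . ack 1368 win 32148 <nop,nop,timestamp 1892617633 7362279>
16:27:20.644512 IP 78.140.130.213.http > ns2.domain.com.53910: . 2897:4345(1448) ack 175 win 17376 <nop,nop,timestamp 439326923 1892617546>
16:27:20.645755 IP 78.140.130.213.http > ns2.domain.com.53910: . 4345:5793(1448) ack 175 win 17376 <nop,nop,timestamp 439326923 1892617546>
16:27:20.645803 IP ns2.domain.com.53910 > 78.140.130.213.http: . ack 5793 win 31856 <nop,nop,timestamp 1892617638 439326923>
16:27:20.645835 IP ns2.domain.com.53910 > 78.140.130.213.http: . ack 5793 win 33304 <nop,nop,timestamp 1892617638 439326923>
16:27:20.647001 IP 78.140.130.213.http > ns2.domain.com.53910: . 5793:7241(1448) ack 175 win 17376 <nop,nop,timestamp 439326923 1892617546>
16:27:20.648127 IP smtp.as.ro.http > ns2.domain.com.51891: . 376756:378204(1448) ack 1 win 1716 <nop,nop,timestamp 379626760 1892617403>
16:27:20.649377 IP smtp.as.ro.http > ns2.domain.com.56971: . 165072:166520(1448) ack 1 win 1716 <nop,nop,timestamp 379626663 1892617304>
""".strip().splitlines()


def parse_line(line):
    """Return the endpoints and payload length of one tcpdump line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    payload = PAYLOAD_RE.search(m["rest"])
    return {
        "ts": m["ts"],
        "src": m["src"], "sport": m["sport"],
        "dst": m["dst"], "dport": m["dport"],
        "payload": int(payload.group(1)) if payload else 0,
    }


def is_service_port(port):
    """A resolved service name (http) or a privileged port number marks the listening side (assumed cut-off: 1024)."""
    return not port.isdigit() or int(port) < 1024


def flow_role(local_port, remote_port):
    """Which side of the connection the local host is on, judged by who holds the service port."""
    if is_service_port(remote_port) and not is_service_port(local_port):
        return "client"   # local host opened the connection: ephemeral port -> remote service
    if is_service_port(local_port) and not is_service_port(remote_port):
        return "server"   # remote peer connected to a service listening on the local host
    return "unknown"


def summarize_flows(lines, local_hosts):
    """Group packets into flows keyed by (local host, local port, remote host, remote port)."""
    flows = {}
    for line in lines:
        pkt = parse_line(line)
        if pkt is None:
            continue
        if pkt["src"] in local_hosts:
            local, lport, remote, rport, direction = pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"], "out"
        elif pkt["dst"] in local_hosts:
            local, lport, remote, rport, direction = pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"], "in"
        else:
            continue  # neither endpoint is ours, so it says nothing about our ruleset
        key = (local, lport, remote, rport)
        flow = flows.setdefault(key, {
            "local": local, "local_port": lport, "remote": remote, "remote_port": rport,
            "role": flow_role(lport, rport), "packets": 0, "bytes_in": 0, "bytes_out": 0,
        })
        flow["packets"] += 1
        flow["bytes_in" if direction == "in" else "bytes_out"] += pkt["payload"]
    return flows


def bytes_received_as_client(flows):
    """Total payload pulled from each remote server over connections the local host itself opened."""
    totals = defaultdict(int)
    for flow in flows.values():
        if flow["role"] == "client":
            totals[flow["remote"]] += flow["bytes_in"]
    return dict(totals)


if __name__ == "__main__":
    flows = summarize_flows(SAMPLE_LOG, LOCAL_HOSTS)
    for f in flows.values():
        print(f"{f['local']}:{f['local_port']} <-> {f['remote']}:{f['remote_port']}  "
              f"role={f['role']:7} pkts={f['packets']} in={f['bytes_in']} out={f['bytes_out']}")
    print("bytes downloaded per remote server (local host as client):", bytes_received_as_client(flows))
```

Flows tagged `client` are ones where the local host holds the ephemeral port and the remote side holds port 80, which is the shape a stateful out rule admits replies for: the dynamic entry created by `allow ip from any to any out keep-state` is what `check-state` matches, so the packets to ports 51891/53910/56971 do not need, and are not stopped by, the static `dst-port` rules. A `deny` placed before `check-state` (rule 505 here) is why those replies stop. The defensive next step is on the host rather than in the ruleset: identify which local process owns those ephemeral ports at the time of the capture (on FreeBSD, sockstat lists sockets with their owning processes) to learn what on the server is opening the connections.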