Mailinglist Archive: opensuse (3566 mails)
| < Previous | Next > |
Re: [opensuse] *Help* Am I under some kind of attack??
- From: "G.T.Smith" <grahamsmith@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Wed, 25 Apr 2007 10:29:38 +0100
- Message-id: <462F1F82.8080800@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx>
Darryl Gregorash wrote:
> On 2007-04-24 23:12, david rankin wrote:
>
>>> <snip>
>>>
>>>
>> Thanks for all the responses! It looks like the primary problem is a
>> lot of lame servers out there.
>>
>
> As Carlos explained, the IP in question does not resolve with reverse
> DNS. However, I would not call that your primary problem: you seem to
> have the external interface (on your router, or whatever) open for ftp,
> and seem to be getting subjected to a dictionary attack (attempts to log
> in with any number of common potential user IDs and passwords). Close
> the external interface for ftp, unless you absolutely need it, and let
> the firewall handle the job of protecting your ftp server security.
>
>
Disabling ftp will solve first cause... but there is something of more
concern here...
Occasionally I need to enable external ssh access. When I enable
external ssh access, I usually get ssh scan attacks. They do not
normally make a heavy impact on network or server load.. What I do not
get is the subsequent high level of DNS error responses if an address
not resolvable. This may be because the way my DNS setup is configured,
or I am just lucky. The extra traffic (1 DNS resolution request seems
to have generated 14 responses) and the associated overheads is
effectively a DoS attack, but for this effect to be experienced either
the settings of the DNS servers queried or the DNS settings of the
target server are not quit right . This could cause problems not just in
this scan attack but for anything that needs to resolve an address and
the address is not resolvable (sending a raft of mail from an
unresolvable or spoofed address could have a similar effect). That is
worrying...
--
To unsubscribe, e-mail: opensuse+unsubscribe@xxxxxxxxxxxx
For additional commands, e-mail: opensuse+help@xxxxxxxxxxxx
> On 2007-04-24 23:12, david rankin wrote:
>
>>> <snip>
>>>
>>>
>> Thanks for all the responses! It looks like the primary problem is a
>> lot of lame servers out there.
>>
>
> As Carlos explained, the IP in question does not resolve with reverse
> DNS. However, I would not call that your primary problem: you seem to
> have the external interface (on your router, or whatever) open for ftp,
> and seem to be getting subjected to a dictionary attack (attempts to log
> in with any number of common potential user IDs and passwords). Close
> the external interface for ftp, unless you absolutely need it, and let
> the firewall handle the job of protecting your ftp server security.
>
>
Disabling ftp will solve first cause... but there is something of more
concern here...
Occasionally I need to enable external ssh access. When I enable
external ssh access, I usually get ssh scan attacks. They do not
normally make a heavy impact on network or server load.. What I do not
get is the subsequent high level of DNS error responses if an address
not resolvable. This may be because the way my DNS setup is configured,
or I am just lucky. The extra traffic (1 DNS resolution request seems
to have generated 14 responses) and the associated overheads is
effectively a DoS attack, but for this effect to be experienced either
the settings of the DNS servers queried or the DNS settings of the
target server are not quit right . This could cause problems not just in
this scan attack but for anything that needs to resolve an address and
the address is not resolvable (sending a raft of mail from an
unresolvable or spoofed address could have a similar effect). That is
worrying...
--
To unsubscribe, e-mail: opensuse+unsubscribe@xxxxxxxxxxxx
For additional commands, e-mail: opensuse+help@xxxxxxxxxxxx
| < Previous | Next > |