General discussion


Tracking Attacks

By e_mak ·
I think I'm being attacked. I have a network monitor and it monitored hundreds of attacks to the same port per second!

I launched a packet sniffer to extract packets and compared them to each other, exactly the same 1k worth of text, reads like bits and pieces of a book.

The problem is that the IPs are spoofed, so I can't just go to their ISP. What can I do? Any way to block them without closing up the port (needed for MUD services)?

This conversation is currently closed to new comments.


All Comments


Tracking Attacks

by Hasse MCSE/Brainbench In reply to Tracking Attacks

Hi!

Install some sort of firewalling software; if you're running Linux, ipchains is great.

Just block the IP from which the attack is coming.

/Hasse


Tracking Attacks

by e_mak In reply to Tracking Attacks

I said that they are coming from randomly spoofed IPs. No one is sitting at any of the thousands of IPs. When I try to trace those I usually get a bad destination alert by the 2nd or 3rd hop.
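An added example, not part of any post in this thread: a check of the two observations reported above (identical payload in every packet, source addresses that never repeat) against a capture, reporting whether a per-source block could help. The function names, port 4000, the addresses and the payload text are constructed assumptions for illustration.

```python
import hashlib
from collections import defaultdict

def fingerprint_flood(packets, min_packets=100, max_src_reuse=2):
    """packets: iterable of (ts_seconds, src_ip, dst_port, payload_bytes).
    Groups traffic by (port, payload hash) and reports groups large enough to
    be a flood, with the figures needed to choose a filter."""
    groups = defaultdict(list)
    for ts, src, dport, payload in packets:
        groups[(dport, hashlib.sha256(payload).hexdigest())].append((ts, src))
    findings = []
    for (dport, digest), hits in groups.items():
        if len(hits) < min_packets:
            continue  # ordinary traffic: payloads differ from packet to packet
        times = [t for t, _ in hits]
        span = (max(times) - min(times)) or 1.0
        sources = {s for _, s in hits}
        findings.append({
            "port": dport,
            "payload_sha256": digest,
            "packets": len(hits),
            "rate_pps": len(hits) / span,
            "distinct_sources": len(sources),
            # If almost every packet has a new source, a per-IP deny rule
            # never matches twice; the payload is the only stable feature.
            "source_block_useful": len(hits) / len(sources) > max_src_reuse,
        })
    return findings

def constructed_capture():
    """Constructed sample data: 600 identical 1 KB packets in 2 s, each from a
    different address, mixed with 5 normal clients on the same port."""
    flood = (b"It was a dark and stormy night; " * 32)[:1024]
    pkts = [(i / 300.0, f"198.18.{i // 256}.{i % 256}", 4000, flood)
            for i in range(600)]
    for c in range(5):
        for n in range(20):
            line = f"say hello {c}-{n}\n".encode()
            pkts.append((n * 0.1, f"192.0.2.{10 + c}", 4000, line))
    return pkts

if __name__ == "__main__":
    for f in fingerprint_flood(constructed_capture()):
        print(f)
```

The packet count, rate and payload hash it reports are the kind of evidence an ISP or an upstream filtering device can act on when the source addresses carry no information.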


Tracking Attacks

by bill.parks In reply to Tracking Attacks

You need to address this with your ISP. Give them the opportunity to combat this situation for you. If they cannot do it, set up something between your public machine and the Internet. MS Proxy will work, Linux is cheap, anything with stateful inspection will work, or simply close that port on your NT box for a day or two.


Tracking Attacks

by e_mak In reply to Tracking Attacks

Poster rated this answer


Tracking Attacks

by Joe Prochazka In reply to Tracking Attacks

OK, I am not sure what OS you are running, so I will give you a possible answer both for Windows and Linux.

As far as Linux goes, you may want to edit your hosts.deny file found in /etc/hosts.deny.
There you will add the following line:
ALL: evil.host.name, .host.name
Make sure to put the host name or IP of the attacker so that only he is blocked.
This will block not only the port the attacker is intruding but also any other port, so that the thwarted attacker doesn't decide to move on to the next port that's open.

As for Windows, you may want to try installing software such as Black Ice Defender (http://www.networkice.com) or ZoneAlarm (http://www.zonelabs.com). Both these programs are capable of blocking a single IP address on a port without blocking the port from wanted connections.

This is going to be about the only way you will be able to stop the attacks without totally shutting down the port in question. Hope this comes as some help to you.


Tracking Attacks

by e_mak In reply to Tracking Attacks

Poster rated this answer


Tracking Attacks

by e_mak In reply to Tracking Attacks

This question was closed by the author
