a lot of State failure on: 2

Abdullah Ibn Hamad Al-Marri almarrie at gmail.com
Fri May 25 23:10:04 UTC 2007


Hello,

My server is being flooded by a script kiddie attacking port 7325.

Here is the dmesg output.

pf: State failure on: 1       | 5
pf: BAD state: TCP 66.90.108.40:7325 66.90.108.40:7325
91.120.91.178:4064 [lo=2903116211 high=2903120308 win=0 modulator=0]
[lo=3133254124 high=3133254125 win=4096 modulator=0] 4:2 SA
seq=3133254123 ack=2903116212 len=0 ackskew=-1 pkts=1:1 dir=out,rev
pf: State failure on:   2     |
pf: BAD state: TCP 66.90.108.40:7325 66.90.108.40:7325
91.120.91.178:1232 [lo=1528732996 high=1528737092 win=65535
modulator=0] [lo=1110233468 high=1110299003 win=4096 modulator=0] 4:2
S seq=1615476339 ack=1110233468 len=0 ackskew=0 pkts=3:4 dir=in,fwd
pf: State failure on: 1       | 5
pf: BAD state: TCP 66.90.108.40:7325 66.90.108.40:7325
91.120.91.178:4075 [lo=4260964132 high=4260968229 win=0 modulator=0]
[lo=524210142 high=524210143 win=4096 modulator=0] 4:2 SA
seq=524210141 ack=4260964133 len=0 ackskew=-1 pkts=1:1 dir=out,rev
pf: State failure on:   2     |
pf: BAD state: TCP 66.90.108.40:7325 66.90.108.40:7325
91.120.91.178:1244 [lo=2193693082 high=2193697178 win=65535
modulator=0] [lo=1850636290 high=1850701825 win=4096 modulator=0] 4:2
S seq=2280473825 ack=1850636290 len=0 ackskew=0 pkts=3:4 dir=in,fwd
pf: State failure on: 1       | 5
pf: BAD state: TCP 66.90.108.40:7325 66.90.108.40:7325
91.120.91.178:4106 [lo=2808910619 high=2808914716 win=0 modulator=0]
[lo=70028163 high=70028164 win=4096 modulator=0] 4:2 SA seq=70028162
ack=2808910620 len=0 ackskew=-1 pkts=1:1 dir=out,rev
pf: State failure on:   2     |
pf: BAD state: TCP 66.90.108.40:7325 66.90.108.40:7325
91.120.91.178:4142 [lo=3849039689 high=3849043786 win=0 modulator=0]
[lo=1357385265 high=1357385266 win=4096 modulator=0] 4:2 SA
seq=1357385264 ack=3849039690 len=0 ackskew=-1 pkts=1:1 dir=out,rev
pf: State failure on:   2     |
pf: BAD state: TCP 66.90.108.40:7325 66.90.108.40:7325
91.120.91.178:4136 [lo=1765130854 high=1765134951 win=0 modulator=0]
[lo=4245636096 high=4245636097 win=4096 modulator=0] 4:2 SA
seq=4245636095 ack=1765130855 len=0 ackskew=-1 pkts=1:1 dir=out,rev
pf: State failure on:   2     |
pf: BAD state: TCP 66.90.108.40:7325 66.90.108.40:7325
91.120.91.178:4155 [lo=2253582753 high=2253586850 win=0 modulator=0]
[lo=578092985 high=578092986 win=4096 modulator=0] 4:2 SA
seq=578092984 ack=2253582754 len=0 ackskew=-1 pkts=1:1 dir=out,rev
pf: State failure on:   2     |
pf: BAD state: TCP 66.90.108.40:7325 66.90.108.40:7325
91.120.91.178:4165 [lo=550262320 high=550266417 win=0 modulator=0]
[lo=3799579754 high=3799579755 win=4096 modulator=0] 4:2 SA
seq=3799579753 ack=550262321 len=0 ackskew=-1 pkts=1:1 dir=out,rev
pf: State failure on:   2     |
pf: BAD state: TCP 66.90.108.40:7325 66.90.108.40:7325
91.120.91.178:1203 [lo=490558546 high=490562643 win=0 modulator=0]
[lo=3233895008 high=3233895009 win=4096 modulator=0] 4:2 SA
seq=3233895007 ack=490558547 len=0 ackskew=-1 pkts=1:1 dir=out,rev
pf: State failure on:   2     |
pf: BAD state: TCP 66.90.108.40:7325 66.90.108.40:7325
91.120.91.178:4188 [lo=1709375942 high=1709380039 win=0 modulator=0]
[lo=2834491968 high=2834491969 win=4096 modulator=0] 4:2 SA
seq=2834491967 ack=1709375943 len=0 ackskew=-1 pkts=1:1 dir=out,rev
pf: State failure on:   2     |
pf: BAD state: TCP 66.90.108.40:7325 66.90.108.40:7325
91.120.91.178:4178 [lo=1856654595 high=1856658692 win=0 modulator=0]
[lo=1762587611 high=1762587612 win=4096 modulator=0] 4:2 SA
seq=1762587610 ack=1856654596 len=0 ackskew=-1 pkts=1:1 dir=out,rev
pf: State failure on:   2     |
pf: BAD state: TCP 66.90.108.40:7325 66.90.108.40:7325
91.120.91.178:4211 [lo=438506757 high=438510854 win=0 modulator=0]
[lo=3182986845 high=3182986846 win=4096 modulator=0] 4:2 SA
seq=3182986844 ack=438506758 len=0 ackskew=-1 pkts=1:1 dir=out,rev
pf: State failure on:   2     |
pf: BAD state: TCP 66.90.108.40:7325 66.90.108.40:7325
91.120.91.178:4277 [lo=2147987817 high=2147991914 win=0 modulator=0]
[lo=1434323249 high=1434323250 win=4096 modulator=0] 4:2 SA
seq=1434323248 ack=2147987818 len=0 ackskew=-1 pkts=1:1 dir=out,rev
pf: State failure on:   2     |

Here is my pf.conf

# pf.conf as posted: one external interface (fxp0) plus loopback (lo0).
ext_if="fxp0"
int_if="lo0"
# TCP ports reachable from outside; 7325 is the port under SYN flood in this thread.
tcp_services = "{ domain, www, 123, 5999, 7325, 7771, 59999 }"
udp_services = "{ domain, 123, 514 }"
# Private/bogon ranges, dropped inbound (as source) and outbound (as destination)
# on $ext_if by the "block drop ... quick" rules below.
martians = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, \
              10.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, \
              240.0.0.0/4 }"
# ICMP type 8 is echo request (ping), not echo reply.
icmp_types = "8"
# Offender table fed by the overload clause on the inbound TCP rule;
# "persist" keeps the table even when no rule references it.
table <bruteforce> persist
set timeout { interval 10, frag 30 }
# tcp.first 120: a state created by an inbound SYN whose handshake never
# completes lingers for 120 s before it is expired.
set timeout { tcp.first 120, tcp.opening 30, tcp.established 86400 }
set timeout { tcp.closing 900, tcp.finwait 45, tcp.closed 90 }
set timeout { udp.first 60, udp.single 30, udp.multiple 60 }
set timeout { icmp.first 20, icmp.error 10 }
set timeout { other.first 60, other.single 30, other.multiple 60 }
# adaptive.start 0 disables adaptive timeouts, so state lifetimes are NOT
# shortened as the table fills up towards the "states" limit below.
set timeout { adaptive.start 0, adaptive.end 0 }
# Hard cap on state entries; once reached, new states (and thus new
# connections through the "keep state" rules) are refused.
set limit { states 10000, frags 5000 }
set loginterface $ext_if
# Loopback is not filtered at all.
set skip on $int_if
set optimization normal
# Silently drop instead of sending RST/ICMP unreachable.
set block-policy drop
set require-order yes
# Verbose kernel diagnostics; this is the level at which pf prints the
# "pf: BAD state" / "pf: State failure on:" lines seen in dmesg above.
set debug loud
set fingerprints "/etc/pf.os"
# Normalize all inbound traffic.
scrub in all
#scrub in on $ext_if all fragment reassemble min-ttl 15 max-mss 1400
#scrub in on $ext_if all no-df
#scrub on $ext_if  all reassemble tcp
antispoof for $ext_if inet
antispoof for $int_if
# Default deny inbound on the external interface, logged to pflog0; this is
# the rule the tcpdump capture below reports as "rule 77/0(match): block in on fxp0".
block in log on $ext_if all
block in quick on $ext_if from any to 255.255.255.255
block drop in quick on $ext_if from $martians to any
block drop out quick on $ext_if from any to $martians
# Anything from an address already in <bruteforce> is dropped and logged
# (the table's In/Block counters in the pfctl output below are this rule).
block quick log from <bruteforce>
# Pass ICMP type 8 (echo request) only with state
pass in on $ext_if inet proto icmp all icmp-type $icmp_types keep state
# No interface or direction given: applies to UDP in both directions, all interfaces.
pass proto udp to any port $udp_services keep state
# allow out the default range for traceroute(8):
# "base+nhops*nqueries-1" (33434+64*3-1)
pass out on $ext_if inet proto udp from any to any \
             port 33433 >< 33626 keep state
# Inbound TCP services. A source exceeding 30 concurrent connections, or 30
# new connections within 3 s, is added to <bruteforce> and all of its states
# are flushed (flush global).
# NOTE(review): every accepted SYN creates a state here ("keep state", no
# "synproxy state"); under a SYN flood each half-open state counts against
# the 10000-state limit for tcp.first seconds — confirm whether synproxy
# state is acceptable for these services.
pass in on $ext_if proto tcp from any to $ext_if port $tcp_services \
        flags S/SA keep state \
        (max-src-conn 30, max-src-conn-rate 30/3, \
         overload <bruteforce> flush global)
# Outbound TCP/UDP from this host, stateful.
pass out proto tcp to any flags S/SA keep state
pass out proto udp to any keep state
# End

pfctl -vvsTables
-pa-r-  bruteforce
        Addresses:   579
        Cleared:     Thu Jan  1 00:00:00 1970
        References:  [ Anchors: 0                  Rules: 219                ]
        Evaluations: [ NoMatch: 60918665           Match: 51919907           ]
        In/Block:    [ Packets: 51919907           Bytes: 2562926165         ]
        In/Pass:     [ Packets: 0                  Bytes: 0                  ]
        In/XPass:    [ Packets: 0                  Bytes: 0                  ]
        Out/Block:   [ Packets: 0                  Bytes: 0                  ]
        Out/Pass:    [ Packets: 0                  Bytes: 0                  ]
        Out/XPass:   [ Packets: 0                  Bytes: 0                  ]

tcpdump -n -e -ttt -i pflog0
tcpdump: WARNING: pflog0: no IPv4 address assigned
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on pflog0, link-type PFLOG (OpenBSD pflog file), capture size 96 bytes
000000 rule 77/0(match): block in on fxp0: 24.39.30.107.1340 >
66.90.108.40.7325: S 2502809781:2502809781(0) win 64240 <mss
1460,nop,nop,sackOK>
000007 rule 77/0(match): block in on fxp0: 24.39.30.107.1341 >
66.90.108.40.7325: S 2502851269:2502851269(0) win 64240 <mss
1460,nop,nop,sackOK>
000125 rule 77/0(match): block in on fxp0: 24.39.30.107.1343 >
66.90.108.40.7325: S 2502964552:2502964552(0) win 64240 <mss
1460,nop,nop,sackOK>
000039 rule 77/0(match): block in on fxp0: 84.1.154.50.3741 >
66.90.108.40.7325: S 1022062798:1022062798(0) win 65535 <mss
1460,nop,nop,sackOK>
000006 rule 77/0(match): block in on fxp0: 24.39.30.107.1342 >
66.90.108.40.7325: S 2502906432:2502906432(0) win 64240 <mss
1460,nop,nop,sackOK>
000087 rule 77/0(match): block in on fxp0: 24.39.30.107.1344 >
66.90.108.40.7325: S 2503024257:2503024257(0) win 64240 <mss
1460,nop,nop,sackOK>
000005 rule 77/0(match): block in on fxp0: 24.39.30.107.1350 >
66.90.108.40.7325: S 2503165130:2503165130(0) win 64240 <mss
1460,nop,nop,sackOK>
000026 rule 77/0(match): block in on fxp0: 24.39.30.107.1345 >
66.90.108.40.7325: S 2503084885:2503084885(0) win 64240 <mss
1460,nop,nop,sackOK>
000179 rule 77/0(match): block in on fxp0: 24.39.30.107.1346 >
66.90.108.40.7325: S 2503131377:2503131377(0) win 64240 <mss
1460,nop,nop,sackOK>
000018 rule 77/0(match): block in on fxp0: 84.0.144.75.1416 >
66.90.108.40.7325: S 2025750048:2025750048(0) win 65535 <mss
1440,nop,nop,sackOK>
000008 rule 77/0(match): block in on fxp0: 82.127.41.104.2831 >
66.90.108.40.7325: S 4128598212:4128598212(0) win 65535 <mss
1452,nop,nop,sackOK>
000366 rule 77/0(match): block in on fxp0: 84.5.97.92.1972 >
66.90.108.40.7325: S 3823128639:3823128639(0) win 16384 <mss
1440,nop,nop,sackOK>
000086 rule 77/0(match): block in on fxp0: 193.6.6.135.3819 >
66.90.108.40.7325: S 4260080384:4260080384(0) win 65535 <mss
1380,nop,nop,sackOK>
000112 rule 77/0(match): block in on fxp0: 82.50.127.107.2684 >
66.90.108.40.7325: S 3307955851:3307955851(0) win 65535 <mss
1452,nop,nop,sackOK>
003003 rule 77/0(match): block in on fxp0: 84.9.32.123.4869 >
66.90.108.40.7325: S 3742698697:3742698697(0) win 65535 <mss
1418,nop,nop,sackOK>
000011 rule 77/0(match): block in on fxp0: 201.51.254.195.2546 >
66.90.108.40.7325: S 4092558202:4092558202(0) win 65535 <mss
1440,nop,nop,sackOK>
000005 rule 77/0(match): block in on fxp0: 201.51.254.195.2545 >
66.90.108.40.7325: S 1627281497:1627281497(0) win 65535 <mss
1440,nop,nop,sackOK>

150 packets captured
10780 packets received by filter
9934 packets dropped by kernel


-- 
Regards,

-Abdullah Ibn Hamad Al-Marri
Arab Portal
http://www.WeArab.Net/

