[Fwd: Re: What is a 'normal' amount of un-solicited connection attempts?]

Adam J Richardson fatman at crackmonkey.us
Thu Aug 30 07:59:10 PDT 2007


Modulok wrote:
> I'm new to the admin game and this is somewhat of a subjective
> question, so bear with me...
> 
> I run a small network on a home/office broadband connection and I'm
> getting more than my fair share of un-solicited traffic (maybe) on
> what I believed to be in the "private address range," as per RFC 1918.
> I have ipfw(8) set up to block such traffic, but with the volume of
> traffic being blocked it makes me wonder if I mis-configured something
> or if the RFC is deprecated or what not. All of my services work and
> all of my clients can access everything they need to both locally and
> remotely, but when I read through the ipfw(8) log files there is a
> plethora of traffic attempting to connect from "the Internet" on
> various ports from various addresses. Most in the 10.0.0.0/8 block.
> This is normal, but how much is normal?
>
> For example, here was an interesting one that's been hitting the log
> files pretty hard today. Note: "em1" is my Internet-facing interface,
> so the following is coming in from the Internet, (ipfw rule followed
> by log entry):
>
>     03401  1233 30036 deny log logamount 25 ip from 10.0.0.0/8 to any in via em1
>
>     Aug 27 13:03:16  kernel: ipfw: 3401 Deny UDP 10.20.0.2:67
> 255.255.255.255:68 in via em1
>     Aug 27 13:06:08  kernel: ipfw: limit 25 reached on entry 3401
>
> It appears to be a dhcp or bootp broadcast...to the entire world? This
> is just one of many seemingly ridiculous entries. Did I miss something
> here? I'm new to the admin game, so I'm not sure what the 'norm' is as
> far as frequency of un-solicited and often humorous traffic.
> 10.0.0.0/8 is where probably 98% of the un-solicited traffic comes
> from. Is this just "normal"? If it's just me, I would almost feel
> better than to think there are that many mis-configured servers out
> there spewing out crap. What is "normal" for a small business
> connection and what does one do when there are a lot of repeated
> un-solicited connection attempts from a single source to your server?
> I had one day where I got something like 25 attempts to connect to
> port 22 (sshd) from a particular IP address somewhere in Romania (and
> we're nowhere near there). Sorry for the somewhat vague question.
>
> Just looking for general reassurances and advice, I suppose.
> -Modulok-

Hi Modulok.

Try capturing and analysing the spoofed datagrams, to see if there are
any routable IPs hidden inside. If your service isn't being interrupted
by the spoofed datagrams, maybe you're being used as a reflection attack
server.

HtH,
Adam J Richardson
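A small triage script for the ipfw log lines discussed in the thread, added here as an example (it is not code from either poster or from FreeBSD). It parses the `ipfw: <rule> <action> <proto> <src>:<sport> <dst>:<dport> in via <iface>` log format shown above, skips the "limit N reached" lines, counts RFC 1918 sources that arrive on the Internet-facing interface, and flags single sources that hit one port repeatedly. The sample log lines and the interface name `em1` are constructed for the example; the threshold is a parameter you pick.

```python
import ipaddress
import re
from collections import Counter

# Matches the ipfw log format quoted in the thread, e.g.
# "Aug 27 13:03:16  kernel: ipfw: 3401 Deny UDP 10.20.0.2:67 255.255.255.255:68 in via em1"
# A line like "ipfw: limit 25 reached on entry 3401" does not match and is skipped.
IPFW_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<dir>in|out) via (?P<iface>\w+)"
)

# RFC 1918 private ranges; these should never arrive on the Internet-facing interface.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_line(line):
    """Return a dict of fields for a matching ipfw log line, or None otherwise."""
    m = IPFW_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    for k in ("rule", "sport", "dport"):
        d[k] = int(d[k])
    return d

def is_private(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)

def summarize(lines, wan_iface="em1", threshold=25):
    """Return (private_sources, repeat_offenders) for inbound traffic on wan_iface.

    private_sources: Counter of RFC 1918 source addresses seen on the WAN side.
    repeat_offenders: {(src, dport): hits} for pairs with at least `threshold` hits.
    """
    private_sources, per_src_port = Counter(), Counter()
    for line in lines:
        e = parse_line(line)
        if e is None or e["dir"] != "in" or e["iface"] != wan_iface:
            continue
        if is_private(e["src"]):
            private_sources[e["src"]] += 1
        per_src_port[(e["src"], e["dport"])] += 1
    offenders = {k: v for k, v in per_src_port.items() if v >= threshold}
    return private_sources, offenders

SAMPLE_LOG = [  # constructed sample lines in the format shown in the thread
    "Aug 27 13:03:16  kernel: ipfw: 3401 Deny UDP 10.20.0.2:67 255.255.255.255:68 in via em1",
    "Aug 27 13:06:08  kernel: ipfw: limit 25 reached on entry 3401",
    "Aug 27 13:07:01  kernel: ipfw: 3401 Deny UDP 10.20.0.2:67 255.255.255.255:68 in via em1",
    "Aug 27 13:10:44  kernel: ipfw: 3500 Deny TCP 203.0.113.7:41234 198.51.100.5:22 in via em1",
    "Aug 27 13:10:45  kernel: ipfw: 3500 Deny TCP 203.0.113.7:41235 198.51.100.5:22 in via em1",
    "Aug 27 13:11:00  kernel: ipfw: 3500 Deny TCP 203.0.113.7:41236 198.51.100.5:22 in via em1",
    "Aug 27 13:12:00  kernel: ipfw: 100 Accept TCP 192.168.1.10:55000 198.51.100.5:22 in via em0",
]
```

Feed it the real log with something like `summarize(open("/var/log/security").read().splitlines())`; a private source on the WAN interface is a bogon worth capturing with tcpdump, as Adam suggests, rather than a misconfiguration on your side.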


More information about the freebsd-questions mailing list