Shell Provider - DDoS Attacks - IPFW Ratelimiting

Jez Hancock jez.hancock at
Fri Jun 27 20:47:15 PDT 2003


Regarding your main question I'm afraid I can't really help - although
what the other person said about not being able to do a whole lot about
it I think is generally the case unfortunately.  I run a number of
eggdrop bots on my home network (about 20 full time bots in all, around
100 shell users in all) and have seen a few similar DDoS attacks from
botnets (characterized by open ports 80 and 113) which really clogged
the system.

Luckily in my case the last attack was a relatively simple ICMP attack
with fragmented packets (_lots_ of them, around 30MB in 5 minutes on a
512k ADSL connection).  This was easy enough to block with ipf
(incidentally you are using ipf aren't you:).

Very annoying and generally I just felt like stopping my users from
running their eggdrops (as you no doubt know there's little way to tell
exactly what/who caused the attack to be brought about, banning one user
who has brought it on isn't possible).

> And a last thing, I use right now tcpdump, trafshow, ipfm to trace the source(attackers) and the destination(which one of my ips is attacked) ips. Do you suggest any other tools to make my life easier?
lsof is very useful for gaining additional insight into network
connections.  I found the perl scripts located in the scripts directory
to be very insightful, particularly in how to incorporate lsof into a
custom tool.

I particularly needed to know which eggdrop was attempting to connect to
private address ranges which were blocked by the firewall and causing
lots of log entries.  lsof easily allowed me to determine what user
owned the process that spawned these connection attempts
(sockstat/netstat is ok, but filtering lsof output is a lot easier).

Anyway, good luck,


More information about the freebsd-questions mailing list