Possible Attack?

Olivier Nicole on at cs.ait.ac.th
Wed Jun 22 03:31:06 GMT 2005


> Jun 21 21:50:55 mx1 /kernel: Limiting closed port RST response from 230 
> to 200 packets per second
> Jun 21 21:51:23 mx1 /kernel: Limiting closed port RST response from 222 
> to 200 packets per second
> Jun 21 21:53:02 mx1 /kernel: Limiting closed port RST response from 230 
> to 200 packets per second

That is a guy scanning your machine a bit too fast, or a DoS attempt.

If the problem persists, run tcpdump on that machine to try to locate
the source.

An attempted connection to a nonexistent service should return such an RST
packet. From host amanda I tried to connect to TCP 27 on the host sysl;
on the host sysl I can see:

sysl<root>44: tcpdump host amanda
tcpdump: listening on fxp0
10:27:39.891050 amanda.xx.yy.net.1758 > sysl.xx.yy.net.nsw-fe: S 3520569314:3520569314(0) win 57344 <mss 1460,nop,wscale 0,nop,nop,timestamp 68799367 0> (DF) [tos 0x10] 
10:27:39.891122 sysl.xx.yy.net.nsw-fe > amanda.xx.yy.net.1758: R 0:0(0) ack 3520569315 win 0

The second packet is the RST.

Olivier
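
Added example, not part of the original message: one way to turn saved tcpdump text output into a ranked list of the remote hosts that are drawing RSTs from closed ports, which is the "locate the source" step suggested above. It accepts both the older output format shown in the message and the newer "Flags [R.]" format; the function names and all sample lines except the first two are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Handles the old tcpdump text format shown above and the newer "IP ... Flags [R.]" one.
LINE = re.compile(r"^\S+ (?:IP6? )?(?P<src>\S+) > (?P<dst>\S+): (?P<rest>.*)$")
NEW_FLAGS = re.compile(r"Flags \[([^\]]*)\]")
OLD_FLAGS = re.compile(r"^([SFPRWE.]+)\s")

def split_endpoint(endpoint):
    """'host.port' -> (host, port); tcpdump appends the port or service name last."""
    host, _, port = endpoint.rpartition(".")
    return host, port

def is_rst(rest):
    """True when the TCP flags field of the packet summary contains R."""
    m = NEW_FLAGS.search(rest) or OLD_FLAGS.match(rest)
    return bool(m) and "R" in m.group(1)

def rst_targets(lines):
    """Map each remote host to the RSTs sent to it and the local ports that sent them."""
    seen = defaultdict(lambda: {"rst": 0, "ports": set()})
    for line in lines:
        m = LINE.match(line.strip())
        if not m or not is_rst(m.group("rest")):
            continue
        _, local_port = split_endpoint(m.group("src"))   # closed port that answered
        remote, _ = split_endpoint(m.group("dst"))       # host that probed it
        seen[remote]["rst"] += 1
        seen[remote]["ports"].add(local_port)
    return dict(seen)

def top_sources(lines, n=5):
    """Remote hosts ranked by RSTs received, with the number of distinct ports hit."""
    ranked = sorted(rst_targets(lines).items(), key=lambda kv: kv[1]["rst"], reverse=True)
    return [(host, s["rst"], len(s["ports"])) for host, s in ranked[:n]]

# Sample capture: first two lines adapted from the message above, the rest constructed.
SAMPLE = """
10:27:39.891050 amanda.xx.yy.net.1758 > sysl.xx.yy.net.nsw-fe: S 3520569314:3520569314(0) win 57344 (DF)
10:27:39.891122 sysl.xx.yy.net.nsw-fe > amanda.xx.yy.net.1758: R 0:0(0) ack 3520569315 win 0
10:27:40.000001 IP 192.0.2.10.23 > 198.51.100.7.40001: Flags [R.], seq 0, ack 1, win 0, length 0
10:27:40.000002 IP 192.0.2.10.25 > 198.51.100.7.40002: Flags [R.], seq 0, ack 1, win 0, length 0
10:27:40.000003 IP 192.0.2.10.111 > 198.51.100.7.40003: Flags [R.], seq 0, ack 1, win 0, length 0
10:27:40.000004 IP 192.0.2.10.22 > 203.0.113.5.51000: Flags [P.], seq 1:10, ack 1, win 512, length 9
"""

if __name__ == "__main__":
    for host, rsts, ports in top_sources(SAMPLE.splitlines()):
        print(f"{host}: {rsts} RSTs across {ports} closed port(s)")
```

A host that draws RSTs from many different closed ports looks like a port scan; keep in mind that the addresses in a capture are only what the packets claim as their source.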


More information about the freebsd-questions mailing list