# Security Question - UDP Connection Attempts To Firewall



## mamoser6969 (Nov 22, 2008)

Hi everyone,

I'm seeing this when I run `tcpdump -n -i [int]` on my firewall.

```
08:28:50.999054 IP 93.123.3.58.42344 > 72.x.x.x.27333: UDP, length 98
08:28:51.185180 IP 93.123.3.58.42344 > 72.x.x.x.27333: UDP, length 98
```

This happens all day, all the time. However, I do not see any traffic from my IP responding to it, nor do I see any other type of suspicious traffic.

My thoughts are the following:

I'm guessing that the IP is some sort of zombie PC trying to establish a connection back. From time to time, I'm seeing these attempts from different IPs as well.

```
08:35:01.021527 IP 85.98.188.236.10301 > 72.x.x.x.32701: UDP, length 35
08:39:15.916282 IP 218.10.111.106.12200 > 72.x.x.x.8090: S 13902953:13902953(0) win 8192
```

My roommate's PC had a trojan on it, which I noticed by running the command shown earlier. I cleaned the PC and the suspicious traffic stopped on the firewall, except for what is displayed above.

I'll create a simple pf block statement to deny these IPs, but I was curious to know if the information above indicates some sort of compromise on my firewall.

Could someone point me to a good security posting or online article on investigating security breaches? Even a good book to understand these processes on a FreeBSD system would help.

Here's a copy of the current processes on my system.

```
CPE00173fcefd1a-CM001868522afe# ps -aux
USER           PID %CPU %MEM   VSZ   RSS  TT  STAT STARTED      TIME COMMAND
root            11 99.0  0.0     0     8  ??  RL   Sun08PM 7871:04.35 [idle: cpu
root             0  0.0  0.0     0     0  ??  WLs  Sun08PM   0:00.00 [swapper]
root             1  0.0  0.1  1888   272  ??  ILs  Sun08PM   0:00.02 /sbin/init
root             2  0.0  0.0     0     8  ??  DL   Sun08PM   0:13.88 [g_event]
root             3  0.0  0.0     0     8  ??  DL   Sun08PM   0:21.65 [g_up]
root             4  0.0  0.0     0     8  ??  DL   Sun08PM   0:31.84 [g_down]
root             5  0.0  0.0     0     8  ??  DL   Sun08PM   0:00.00 [xpt_thrd]
root             6  0.0  0.0     0     8  ??  DL   Sun08PM   0:00.00 [kqueue ta
root             7  0.0  0.0     0     8  ??  DL   Sun08PM   0:00.00 [acpi_task
root             8  0.0  0.0     0     8  ??  DL   Sun08PM   0:00.00 [acpi_task
root             9  0.0  0.0     0     8  ??  DL   Sun08PM   0:00.00 [acpi_task
root            10  0.0  0.0     0     8  ??  DL   Sun08PM   0:00.00 [audit]
root            12  0.0  0.0     0     8  ??  WL   Sun08PM   0:00.01 [swi1: net
root            13  0.0  0.0     0     8  ??  WL   Sun08PM   6:23.62 [swi4: clo
root            14  0.0  0.0     0     8  ??  WL   Sun08PM   0:00.00 [swi3: vm]
root            15  0.0  0.0     0     8  ??  DL   Sun08PM   0:15.35 [yarrow]
root            16  0.0  0.0     0     8  ??  WL   Sun08PM   0:00.00 [swi2: cam
root            17  0.0  0.0     0     8  ??  WL   Sun08PM   0:00.00 [swi5: +]
root            18  0.0  0.0     0     8  ??  DL   Sun08PM   0:00.00 [thread ta
root            19  0.0  0.0     0     8  ??  WL   Sun08PM   0:00.00 [swi6: Gia
root            20  0.0  0.0     0     8  ??  WL   Sun08PM   0:00.00 [swi6: tas
root            21  0.0  0.0     0     8  ??  WL   Sun08PM   0:00.00 [irq9: acp
root            22  0.0  0.0     0     8  ??  WL   Sun08PM   0:10.55 [irq20: fx
root            23  0.0  0.0     0     8  ??  WL   Sun08PM   0:22.98 [irq16: rl
root            24  0.0  0.0     0     8  ??  WL   Sun08PM   0:27.33 [irq22: rl
root            25  0.0  0.0     0     8  ??  WL   Sun08PM   0:10.03 [irq14: at
root            26  0.0  0.0     0     8  ??  WL   Sun08PM   0:00.00 [irq15: at
root            27  0.0  0.0     0     8  ??  WL   Sun08PM   0:00.00 [irq19: uh
root            28  0.0  0.0     0     8  ??  DL   Sun08PM   0:00.03 [usb0]
root            29  0.0  0.0     0     8  ??  DL   Sun08PM   0:00.00 [usbtask-h
root            30  0.0  0.0     0     8  ??  DL   Sun08PM   0:00.00 [usbtask-d
root            31  0.0  0.0     0     8  ??  WL   Sun08PM   0:00.00 [irq23: uh
root            32  0.0  0.0     0     8  ??  DL   Sun08PM   0:00.04 [usb1]
root            33  0.0  0.0     0     8  ??  DL   Sun08PM   0:40.73 [acpi_ther
root            34  0.0  0.0     0     8  ??  WL   Sun08PM   0:00.00 [irq1: atk
root            35  0.0  0.0     0     8  ??  DL   Sun08PM   0:01.53 [fdc0]
root            36  0.0  0.0     0     8  ??  WL   Sun08PM   0:00.00 [swi0: sio
root            37  0.0  0.0     0     8  ??  WL   Sun08PM   0:00.00 [irq7: ppb
root            38  0.0  0.0     0    16  ??  DL   Sun08PM   0:00.00 [sctp_iter
root            39  0.0  0.0     0     8  ??  DL   Sun08PM   0:02.67 [pfpurge]
root            40  0.0  0.0     0     8  ??  DL   Sun08PM   0:00.59 [pagedaemo
root            41  0.0  0.0     0     8  ??  DL   Sun08PM   0:00.00 [vmdaemon]
root            42  0.0  0.0     0     8  ??  DL   Sun08PM   0:00.01 [pagezero]
root            43  0.0  0.0     0     8  ??  DL   Sun08PM   0:02.18 [bufdaemon
root            44  0.0  0.0     0     8  ??  DL   Sun08PM   0:04.73 [vnlru]
root            45  0.0  0.0     0     8  ??  DL   Sun08PM   4:39.24 [syncer]
root            46  0.0  0.0     0     8  ??  DL   Sun08PM   0:06.73 [softdepfl
root            47  0.0  0.0     0     8  ??  DL   Sun08PM   0:26.67 [schedcpu]
root           159  0.0  0.2  1356   588  ??  Is   Sun08PM   0:00.00 adjkerntz
root           617  0.0  0.4  3316   992  ??  Is   Sun08PM   0:00.01 pflogd: [p
_pflogd        622  0.0  0.4  3316  1072  ??  S    Sun08PM   0:12.72 pflogd: [r
root           853  0.0  0.2  1888   420  ??  Is   Sun08PM   0:00.00 /sbin/devd
root           903  0.0  0.4  3156   872  ??  Ss   Sun08PM   0:06.18 /usr/sbin/
root          1032  0.0  0.8  5616  2100  ??  Is   Sun08PM   0:00.03 /usr/sbin/
root          1042  0.0  0.4  3184   980  ??  Is   Sun08PM   0:02.23 /usr/sbin/
_dhcp         1283  0.0  0.4  3104  1020  ??  Ss   Sun08PM   0:01.19 dhclient:
root         76295  0.0  1.2  8384  2948  ??  Is    8:11AM   0:00.12 sshd: fire
firewalluser 76299  0.0  1.2  8384  2928  ??  S     8:12AM   0:00.10 sshd: fire
root         63396  0.0  0.3  3156   824  v0  Is+  Tue06PM   0:00.01 /usr/libex
root          1086  0.0  0.3  3156   820  v1  Is+  Sun08PM   0:00.00 /usr/libex
root          1087  0.0  0.3  3156   820  v2  Is+  Sun08PM   0:00.00 /usr/libex
root          1088  0.0  0.3  3156   820  v3  Is+  Sun08PM   0:00.00 /usr/libex
root          1089  0.0  0.3  3156   820  v4  Is+  Sun08PM   0:00.00 /usr/libex
root          1090  0.0  0.3  3156   820  v5  Is+  Sun08PM   0:00.00 /usr/libex
root          1091  0.0  0.3  3156   820  v6  Is+  Sun08PM   0:00.00 /usr/libex
root          1092  0.0  0.3  3156   820  v7  Is+  Sun08PM   0:00.00 /usr/libex
root          1258  0.0  0.4  3104   936  p0- I    Sun08PM   0:00.01 dhclient:
firewalluser 76301  0.0  0.5  3456  1284  p0  Is    8:12AM   0:00.01 -sh (sh)
root         76303  0.0  0.5  3592  1336  p0  I     8:12AM   0:00.02 su -
root         76304  0.0  0.9  4452  2116  p0  S     8:12AM   0:00.04 -su (csh)
root         76375  0.0  0.3  3220   840  p0  R+    8:45AM   0:00.00 ps -aux
```

The sshd connection is me connected remotely to the box.

Thanks for reading.

Joe


----------



## SirDice (Nov 22, 2008)

mamoser6969 said:

> I'll create a simple pf block statement to deny these IPs, but I was curious to know if the information above indicates some sort of compromise on my firewall.


There's nothing indicating that your firewall has been breached.

The simplest solution is to block all incoming connections. If you're not running any services this won't be a problem.

The UDP packets and the TCP to port 8090 look like BitTorrent traffic. If you have run a BitTorrent client but stopped it, the other torrent clients in the network will still try to connect. It'll take a while for the other clients to notice your torrent client isn't there anymore.


----------



## Mel_Flynn (Nov 22, 2008)

Two things:

1. Use sysutils/pftop to see connections in real time. This will show you if the UDP traffic is really locally generated.
2. Check `sockstat -4l` to see if there's a local program listening on the UDP ports you're worried about.
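Added example (my own, not code from any poster): a POSIX shell script that applies the `sockstat -4l` check above to `tcpdump -n` lines in the format the opening post shows. Both inputs are constructed samples; the firewall address 203.0.113.5, the extra SYN from 198.51.100.7 and the sockstat table are made up.

```shell
#!/bin/sh
# Added example: match inbound tcpdump -n lines against "sockstat -4l" output
# to see whether anything local listens on the destination port being hit.
# Both inputs are constructed; 203.0.113.5 stands in for the firewall address.

TCPDUMP_SAMPLE='08:28:50.999054 IP 93.123.3.58.42344 > 203.0.113.5.27333: UDP, length 98
08:35:01.021527 IP 85.98.188.236.10301 > 203.0.113.5.32701: UDP, length 35
08:39:15.916282 IP 218.10.111.106.12200 > 203.0.113.5.8090: S 13902953:13902953(0) win 8192
08:41:07.100000 IP 198.51.100.7.51000 > 203.0.113.5.22: S 5:5(0) win 65535'

SOCKSTAT_SAMPLE='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       1042  3  tcp4   *:22                  *:*
_dhcp    dhclient   1283  6  udp4   *:68                  *:*'

# Print one "proto dport" pair per tcpdump -n line: "udp" for UDP, "tcp" for
# any TCP flags line ("S", "Flags [S]", ...). ICMP lines carry no port; skip them.
tcpdump_dports() {
    printf '%s\n' "$1" | awk '
        /^[0-9:.]+ IP / && $6 != "ICMP" {
            dst = $5; sub(/:$/, "", dst)         # e.g. "203.0.113.5.27333"
            n = split(dst, a, "."); port = a[n]  # the port is the last dotted field
            proto = ($6 == "UDP,") ? "udp" : "tcp"
            print proto, port
        }'
}

# Exit 0 when the sockstat -4l table ($3) shows a listener on $1/$2, else 1.
has_listener() {
    printf '%s\n' "$3" | awk -v p="$1" -v port="$2" '
        NR > 1 && $5 == (p "4") {                # PROTO column is tcp4/udp4
            n = split($6, a, ":"); if (a[n] == port) found = 1
        }
        END { exit found ? 0 : 1 }'
}

# One verdict per distinct destination port seen in the capture.
classify() {
    tcpdump_dports "$1" | sort -u | while read -r proto port; do
        if has_listener "$proto" "$port" "$2"; then
            echo "$proto/$port: local listener present; check which process owns it"
        else
            echo "$proto/$port: no local listener; unanswered inbound noise (stale peer or scan)"
        fi
    done
}

classify "$TCPDUMP_SAMPLE" "$SOCKSTAT_SAMPLE"
```

On the firewall itself, feed it live data with `tcpdump -n -i [int] -c 200` captured to a file and `sockstat -4l` captured at the same time; a port that shows a listener is the one to trace back to its process.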


----------



## mamoser6969 (Nov 24, 2008)

Thanks for the advice. I will install pftop and check the output of the sockstat command.

Do you recommend any books for FreeBSD security?


----------



## anomie (Nov 24, 2008)

mamoser6969 said:

> Do you recommend any books for FreeBSD security?



I liked: _Mastering FreeBSD and OpenBSD Security_ by Yanek Korff, Paco Hope, and Bruce Potter.

Very brief review here.


----------



## danger@ (Nov 25, 2008)

Does it cover MAC by any chance?


----------



## anomie (Nov 25, 2008)

danger@ said:

> Does it cover MAC by any chance?



Are you asking about the book?

If so, I remember a fleeting mention of MAC. At the time of the writing it was "experimental", and the book focuses on both FBSD and OBSD.

(In other words, I don't recall reading much about MAC there.)


----------



## brd@ (Nov 25, 2008)

Sorry to hijack this thread further, but... my understanding is that MAC (Mandatory Access Controls) is still somewhat considered experimental. It should be ready for prime time with 8.0 and possibly even enabled by default.


----------

