# Dos Issue



## drbabbers (Feb 21, 2010)

All,

I am having an issue regarding my server being a source of Dos attacks.

Here are 2 of the logs/complaints:


```
01:08:01.050648 IP (tos 0x0, ttl 231, id 59307, offset 0, flags [none],
proto TCP (6), length 40) MY.IP.58222 > THEIR.IP.38863: S,
cksum 0x8274 (correct), 2305416740:2305416740(0) win 65535

01:08:01.050663 IP (tos 0x0, ttl 231, id 40256, offset 0, flags [none],
proto TCP (6), length 40) MY.IP.4122 > THEIR.IP.289: S,
cksum 0x1da2 (correct), 306717724:306717724(0) win 65535
```

There seem to be lots of random outgoing ports in the logs, which makes it hard to be specific with my firewall rules.

So far I am only receiving this complaint from one host.

I am using pf as my firewall and my FreeBSD version is 5.4.

My server runs as a http server with mysql, apart from that the only other services I use are ftp and ssh.

Can anyone give me any assistance or advice? Is it going to be a case of ensuring I have the latest versions of the OS, apache, mysql etc and my firewall configuration?

Also I am a bit of a newbie with pf, so any configuration advice would be much appreciated.

Thanks in advance.
D


----------



## J65nko (Feb 21, 2010)

If your server is part of a botnet doing Denial of Service attacks, there is only one solution. Create a backup of the configuration files, and install a newer supported version of FreeBSD.


----------



## gkontos (Feb 21, 2010)

Also, try to do some basic forensics.

Why did this happen ?
What application/service was exploited ?
How can this be patched ?

Otherwise the same thing will happen again.

Regards,

George


----------



## DutchDaemon (Feb 21, 2010)

What do your own firewall logs (or tcpdump) say? Are you in fact seeing random SYN packets on your outbound interface? DOS attacks usually involve spoofing, so somebody may be trying to actually DOS you by sending replies your way.


----------



## Ruler2112 (Feb 22, 2010)

I would second the idea of using tcpdump to determine what's going on before wiping your system.


----------



## SirDice (Feb 22, 2010)

Are you (or one of your users) running any P2P software?

P2P traffic will look a lot like a DoS to the untrained eye.


----------



## Ruler2112 (Feb 22, 2010)

SirDice said:
			
		

> Are you (or one of your users) running any P2P software?
> 
> P2P traffic will look a lot like a DoS to the untrained eye.



That is an excellent idea.  Something related to it - are you running NAT?  (Or providing an internet connection to other users through your BSD box?)  If so, it could be a windoze box is infected and because of NAT, it's appearing to the person complaining that it's coming from your BSD machine.


----------



## anomie (Feb 22, 2010)

Also, try to capture some PID info using `# sockstat -4c`

Armed with that, you can start to pinpoint which processes are doing this.


----------

