Was: [Nolug] MS Blaster DDOS against the rest of us; Now: Where's the meeting?

From: Andrew S. Johnson <andy_at_asjohnson.com>
Date: Tue, 19 Aug 2003 20:00:21 -0500
Message-Id: <200308192000.21087.andy@asjohnson.com>

On Tuesday 19 August 2003 02:31 pm, Joey Kelly wrote:
> Thou spake:
> >I was looking at the log on my SMC firewall, and I couldn't help
> >but notice that for the 174 or so entries that it can hold, that 169
> >of those are scans on port 135. In the 99 minutes that the log
> >currently holds, that's 17 scans per minute. DOH! Is my IP address
> >just a lucky honey-covered bullseye, or are y'all seeing the same
> >sort of activity? This is _WAY_ worse than average. Usually,
> >I'd see all sorts of scans, such MS SQL Slammer, NFS, telnet,
> >and the like. But this drowns them all out. If I could only trade
> >this for some telemarketing calls during dinner........
> >
> >Blasted in Luling,
> >
> >Andy
>
>
> I don't get anything on that port, but I'm getting hit hundreds of times with:
>
> ICMP PING Cyberkit 2.2 Windows
>
> Apparently it's a reconnaissance tool used by windows lusers. I'm just letting
> snort log it all...
>
> Last night I had someone doing POSTs on a php page on my box several times a
> second... the sad part is, the script accepts no form variables... it's only
> doing a page counter, reading data from a file on my box. I started dropping
> his packets (iptables -A INPUT -s $IP -j DROP)... hopefully he'll leave me
> alone for a while.
>
> My point is, whether a worm or a lamer, your box is going to be blasted by
> something or other, 24/7, unfortunately. You might consider dropping packets
> with destination port 135, thusly (assuming you're running a 2.4 kernel):
>
> iptables -A INPUT -p tcp --dport 135 -j DROP
>
> (someone please correct me if I have the syntax wrong...)
>
> Happy hunting!
>
>
> --
>
> Joey Kelly
> < Minister of the Gospel | Computer Networking Consultant >
> http://joeykelly.net
>
Actually, the firewall (it's an external firewall/router, SMC Barricade) is
dropping everything except for the eight ports I've opened. It's just the
idea that an insecure OS and the people that wrote it are being
allowed to continue defiling the face of God's green earth.

Ranting aside, has a venue for the next NOLUG meeting been established?

Andy
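Added example, not from either poster: the kind of quick log triage Andy did by hand (169 of 174 entries on port 135, 17 per minute) as a small script over a few constructed iptables-style kernel-log lines. It assumes the netfilter LOG target format (SRC=/DPT= fields); the SMC Barricade's own log format is not shown in the thread, so the regex would need adjusting for it.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample lines in netfilter/iptables LOG-target style (not real traffic).
SAMPLE_LOG = """\
Aug 19 18:20:00 gw kernel: DROP IN=ppp0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=135
Aug 19 18:20:05 gw kernel: DROP IN=ppp0 SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP DPT=135
Aug 19 18:20:09 gw kernel: DROP IN=ppp0 SRC=198.51.100.4 DST=192.0.2.10 PROTO=UDP DPT=1434
Aug 19 18:21:30 gw kernel: DROP IN=ppp0 SRC=203.0.113.11 DST=192.0.2.10 PROTO=TCP DPT=135
Aug 19 18:22:00 gw kernel: DROP IN=ppp0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=135
Aug 19 18:24:00 gw kernel: DROP IN=ppp0 SRC=198.51.100.5 DST=192.0.2.10 PROTO=TCP DPT=23
"""

# syslog timestamp, then the SRC= and DPT= fields somewhere later on the line
LINE_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) .*?SRC=(\S+) .*?DPT=(\d+)")


def parse(log, year=2003):
    """Return (timestamp, source, dst_port) tuples; syslog lines carry no year."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        events.append((ts, m.group(2), int(m.group(3))))
    return events


def port_summary(events):
    """Most-hit destination port, its share of all entries, hits per minute
    over the log's time span, and how many distinct sources hit it."""
    if not events:
        return None
    counts = Counter(dpt for _, _, dpt in events)
    top, top_n = counts.most_common(1)[0]
    times = [ts for ts, _, _ in events]
    span_min = max(1.0, (max(times) - min(times)).total_seconds() / 60)
    sources = {src for _, src, dpt in events if dpt == top}
    return {"top_port": top, "hits": top_n, "share": top_n / len(events),
            "per_minute": top_n / span_min, "distinct_sources": len(sources)}


def looks_like_worm_sweep(summary, share=0.5, min_sources=3):
    """One port dominating the log from many different sources is the worm
    signature Andy saw; a single noisy source is a different problem."""
    return (summary is not None and summary["share"] >= share
            and summary["distinct_sources"] >= min_sources)
```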

___________________
Nolug mailing list
nolug@nolug.org
Received on 08/19/03