[lug] route add -host attacks

Nate Duehr nate at natetech.com
Thu Nov 15 11:33:37 MST 2001


I don't think someone could remotely have been adding the routes.  If
portsentry was configured to drop routes of attacking machines then the
scan of the port was causing portsentry to react by removing your route
back to that machine forcibly.  It does this rather nicely, in fact.
:-)

Nate

On Thu, Nov 15, 2001 at 11:19:26AM -0700, Warren Sanders wrote:
> Another friend had suggested commenting out the KILL_ROUTE="/sbin/route features 
> in portsentry.  I have done this and restarted portsentry... now I sit and wait.  
> The attacks only occurred about 1-2 times an hour so it's not like I'm getting 
> DOSed.
> 
> James (below) is correct for what he suggests and I do not have this port open;  
> although I did find my NFS (services) was open partially.  NFS mount, NFS daemon
> NFS quotas, and portmap were down.
> 
> So far I have not had any more route adds, but it's only been a couple hours.
> 
> On Thu, 15 Nov 2001, Harris, James wrote:
> 
> > Date: Thu, 15 Nov 2001 10:04:29 -0700
> > From: "Harris, James" <James_Harris at maxtor.com>
> > Reply-To: lug at lug.boulder.co.us
> > To: "'lug at lug.boulder.co.us'" <lug at lug.boulder.co.us>
> > Subject: RE: [lug] route add -host attacks
> > 
> > May I stray from the original intent of this post and make a recommendation:
> > disable sunrpc if you don't need it.  It has a history of known exploits and
> > it's definitely at the top of hackers and script kiddies lists to try.
> > 
> > NFS is the only service that _I_ know of that requires it (but I'm _sure_
> > there are others.)  If you're not using NFS, try disabling it completely and
> > see if it has any effect on your system.
> > 
> > My two cents...
> > 
> > -----Original Message-----
> > From: D. Stimits [mailto:stimits at idcomm.com] 
> > Sent: Wednesday, November 14, 2001 21:55
> > To: lug at lug.boulder.co.us
> > Subject: Re: [lug] route add -host attacks
> > 
> > 
> > 
> 
> -- 
> Warren Sanders
> http://MontanaLinux.Org
> 
> 
> _______________________________________________
> Web Page:  http://lug.boulder.co.us
> Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug

-- 
Nate Duehr <nate at natetech.com>

GPG Key fingerprint = DCAF 2B9D CC9B 96FA 7A6D AAF4 2D61 77C5 7ECE C1D2
Public Key available upon request, or at wwwkeys.pgp.net and others.
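The behaviour Nate describes (portsentry's KILL_ROUTE adding a rejecting host route for each address that scanned the box) leaves a distinctive footprint in the routing table, which is the quickest way to confirm the routes came from a local reaction rather than from a remote party. As an added example that is not part of this thread, here is a small POSIX shell helper that lists such routes from `route -n` or `ip route` output; the sample tables below are constructed, and the addresses are documentation ranges.

```shell
#!/bin/sh
# List host routes that reject traffic, the kind KILL_ROUTE leaves behind.
# Reads net-tools `route -n` output on stdin. A reject route shows up as a
# /32 destination (Genmask 255.255.255.255) with '!' in the Flags column.
list_reject_host_routes() {
    awk 'NR > 2 && $3 == "255.255.255.255" && $4 ~ /!/ { print $1 }'
}

# Same check for iproute2 `ip route show` output, where such routes are
# printed as "unreachable|prohibit|blackhole <address>".
list_ip_reject_routes() {
    awk '$1 == "unreachable" || $1 == "prohibit" || $1 == "blackhole" { print $2 }'
}

# Constructed sample of `route -n` on a host where two scanners were rejected.
SAMPLE_ROUTE_N='Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.0.2.45      -               255.255.255.255 !H    0      -        0 -
10.0.0.0        0.0.0.0         255.255.255.0   U     0      0        0 eth0
198.51.100.7    -               255.255.255.255 !H    0      -        0 -
0.0.0.0         10.0.0.1        0.0.0.0         UG    0      0        0 eth0'

# Constructed sample of `ip route show` for the same state.
SAMPLE_IP_ROUTE='default via 10.0.0.1 dev eth0
10.0.0.0/24 dev eth0 proto kernel scope link src 10.0.0.5
unreachable 192.0.2.45
unreachable 198.51.100.7'

# On a live system you would run:  route -n | list_reject_host_routes
# or:                               ip route show | list_ip_reject_routes
printf '%s\n' "$SAMPLE_ROUTE_N" | list_reject_host_routes
printf '%s\n' "$SAMPLE_IP_ROUTE" | list_ip_reject_routes
```

Every address printed should match an "attackalert" entry portsentry wrote to syslog; an entry with no matching log line is the one worth investigating.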