
I realize this is a lamer/beginner question, but I've been attacked by a couple of addresses in China and I'm not sure how to close the hole.

My snort logs (yes I'm using snort! I see you are impressed) show things like this:

TCP Portscan

[**] [122:1:0] (portscan) TCP Portscan [**]
[Priority: 3] 
11/09-06:48:46.652278 58.218.199.227 -> 208.69.57.101
PROTO:255 TTL:0 TOS:0x0 ID:0 IpLen:20 DgmLen:166 DF

And fragmentation overlap:

[**] [123:8:1] (spp_frag3) Fragmentation overlap [**]
[Priority: 3] 
11/09-06:25:44.678218 208.69.57.102 -> 183.177.114.1
UDP TTL:64 TOS:0x0 ID:33670 IpLen:20 DgmLen:1500 MF
Frag Offset: 0x0000   Frag Size: 0x05C8

I don't understand what this means, but I think it means that someone is portscanning me from 58.218.199.227 (208.69.57.101 is my IP address). They are also fragmenting my overlaps, which I don't take kindly to.

This is the alert file generated by snort. My server provider shut down my server because he said there was something like 60 GB of data transfer last night.

So what should I do now?

  • What are immediate actions? I shut down the web server, mysql server. Anything else I should do?
  • How do I fix the problem? Should I just go through the log file and manually block all ip addresses that generated alerts?
bobobobo
  • Hey downvoters, how's it going? Would you like to answer the question? – bobobobo Nov 09 '11 at 17:40
  • Shutting down the server because someone is trying to scan you is a bit extreme isn't it? (I didn't downvote). – Zoredache Nov 09 '11 at 17:42
  • Well I don't know what you're _supposed_ to do. And downvoters? Sheesh. What a bunch of lamers. – bobobobo Nov 09 '11 at 17:44
  • You are supposed to determine if this is a **real threat** in your environment. If there isn't, then you don't do anything. Is there even any service listening on UDP on the target hosts? If you try to react on every port scan you receive you may be wasting a lot of time. – Zoredache Nov 09 '11 at 17:49
  • The downvoters may be reacting to the wording of your question, particularly the fragmentation overlap bit, which strongly implies that you have not bothered to consult any documentation at all and instead posted here first. – David Spillett Nov 09 '11 at 18:00

2 Answers

To my eye those alerts are simple background noise. Just by being internet visible you'll get 'portscan' alerts in any firewall or IDS system. Are they an attack? No, not really. They're just jiggling door handles to figure out which doors are possibly open. This is a recon step before anything else is done.

Snort throws ALERT on those because they are potentially interesting. Trends in the ports being scanned are interesting to the general Information Security community as they yield intelligence on what the hacker community considers newly-vulnerable. If you really don't care about jiggling door handles, I believe you can suppress those alerts.

sysadmin1138
  • Oh. That's a good answer. Is a fragmentation overlap also a "jiggle"? Why would my provider report 60 G data transfer? Would that indicate a more serious problem that I haven't found yet? – bobobobo Nov 09 '11 at 17:50
  • @bobobobo I am not a Snort expert, for that you may want to try http://security.stackexchange.com/, but near as I can tell that's another 'interesting' alert. It can be prone to false-positives from misconfiguring, but can also indicate 'evasive maneuvers' on the part of an attacker. – sysadmin1138 Nov 09 '11 at 17:56
  • So uh, is blocking their IP addresses "acceptable"/normal? – bobobobo Nov 09 '11 at 18:11
  • +1 spot on! Wish I could give another +1 for pointing out security.stackexchange.com as the place to go for security issues :-) – Rory Alsop Nov 11 '11 at 12:41
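As an added example (not from the question or either answer), here is a small Python parser for the Snort alert-file records quoted in the question that tallies alerts per signature and source address; that tally is the quickest way to tell a one-off scan from a persistent source before deciding whether anything needs blocking or suppressing. The sample records below are constructed from the question's own entries, with one extra portscan record added so a repeat source shows up.

```python
import re
from collections import Counter

# Constructed sample in Snort's "full" alert format, modelled on the question's records.
SAMPLE_ALERTS = """\
[**] [122:1:0] (portscan) TCP Portscan [**]
[Priority: 3]
11/09-06:48:46.652278 58.218.199.227 -> 208.69.57.101
PROTO:255 TTL:0 TOS:0x0 ID:0 IpLen:20 DgmLen:166 DF

[**] [123:8:1] (spp_frag3) Fragmentation overlap [**]
[Priority: 3]
11/09-06:25:44.678218 208.69.57.102 -> 183.177.114.1
UDP TTL:64 TOS:0x0 ID:33670 IpLen:20 DgmLen:1500 MF
Frag Offset: 0x0000   Frag Size: 0x05C8

[**] [122:1:0] (portscan) TCP Portscan [**]
[Priority: 3]
11/09-07:02:10.000000 58.218.199.227 -> 208.69.57.101
PROTO:255 TTL:0 TOS:0x0 ID:0 IpLen:20 DgmLen:166 DF
"""

HEADER = re.compile(r"^\[\*\*\] \[(\d+):(\d+):(\d+)\] (.*?) \[\*\*\]$")   # [gid:sid:rev] name
PRIORITY = re.compile(r"^\[Priority: (\d+)\]")
FLOW = re.compile(r"^(\S+) (\S+?)(?::\d+)? -> (\S+?)(?::\d+)?$")          # time src[:port] -> dst[:port]

def parse_alerts(text):
    """Split the alert file on blank lines and pull gid/sid/name, priority,
    timestamp, source and destination out of each record."""
    alerts = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        m = HEADER.match(lines[0])
        if not m:
            continue  # not an alert header, skip the block
        rec = {"gid": int(m.group(1)), "sid": int(m.group(2)), "name": m.group(4)}
        for line in lines[1:]:
            p = PRIORITY.match(line)
            f = FLOW.match(line)
            if p:
                rec["priority"] = int(p.group(1))
            elif f:
                rec["time"], rec["src"], rec["dst"] = f.groups()
        alerts.append(rec)
    return alerts

def summarize(alerts):
    """Count alerts per (gid, sid, name, source) so recurring sources stand out."""
    return Counter((a["gid"], a["sid"], a["name"], a["src"]) for a in alerts)
```

Run `summarize(parse_alerts(open("alert").read())).most_common(10)` against a real alert file to see which sources and signatures dominate.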

I manually blocked all the IP addresses that appear in the snort logs.

Here is a document by CERT which further outlines steps to take to manage UDP attacks

bobobobo