Block a spoofing attack

vamos · Feb 4, 2013

Hello guys, I've get a problem with my server, someone attack my website (80 port) with spoofing IP like it:

Code:

tcp4       0      0 localhost.80       124.243.9.149.40242    SYN_RCVD
tcp4       0      0 localhost.80       91.191.234.62.25615    SYN_RCVD
tcp4       0      0 localhost.80       95.141.204.48.23315    SYN_RCVD
tcp4       0      0 localhost.80       73.185.252.251.1048    SYN_RCVD
tcp4       0      0 localhost.80       195.3.84.81.9228       SYN_RCVD
tcp4       0      0 localhost.80       189.10.148.150.40506   SYN_RCVD
tcp4       0      0 localhost.80       197.53.51.137.21266    SYN_RCVD
tcp4       0      0 localhost.80       64.245.164.19.19982    SYN_RCVD
tcp4       0      0 localhost.80       28.99.179.43.16174     SYN_RCVD
tcp4       0      0 localhost.80       28.99.179.45.14082     SYN_RCVD
tcp4       0      0 localhost.80       73.185.252.244.12097   SYN_RCVD
tcp4       0      0 localhost.80       64.46.85.75.35397      SYN_RCVD
tcp4       0      0 localhost.80       124.243.9.147.63280    SYN_RCVD
tcp4       0      0 localhost.80       73.185.252.253.14408   SYN_RCVD
tcp4       0      0 localhost.80       142.230.54.219.53029   SYN_RCVD
tcp4       0      0 localhost.80       72.149.251.227.52532   SYN_RCVD
tcp4       0      0 localhost.80       124.243.9.145.11548    SYN_RCVD
tcp4       0      0 localhost.80       142.230.54.216.64000   SYN_RCVD
tcp4       0      0 localhost.80       73.185.252.245.64576   SYN_RCVD
tcp4       0      0 localhost.80       73.185.252.247.64540   SYN_RCVD
tcp4       0      0 localhost.80       26.238.171.220.33082   SYN_RCVD
tcp4       0      0 localhost.80       145.102.57.133.39727   SYN_RCVD
tcp4       0      0 localhost.80       145.102.57.132.38188   SYN_RCVD
tcp4       0      0 localhost.80       189.10.148.151.5899    SYN_RCVD
tcp4       0      0 localhost.80       73.185.252.250.35609   SYN_RCVD
tcp4       0      0 localhost.80       95.141.204.52.34059    SYN_RCVD
tcp4       0      0 localhost.80       124.243.9.143.33813    SYN_RCVD
tcp4       0      0 localhost.80       145.102.57.138.20299   SYN_RCVD
tcp4       0      0 localhost.80       64.245.164.24.12600    SYN_RCVD
tcp4       0      0 localhost.80       64.245.164.25.10051    SYN_RCVD
tcp4       0      0 localhost.80       195.3.84.89.15949      SYN_RCVD
tcp4       0      0 localhost.80       95.141.204.46.546      SYN_RCVD
tcp4       0      0 localhost.80       64.245.164.27.29509    SYN_RCVD
tcp4       0      0 localhost.80       73.185.252.248.13340   SYN_RCVD
tcp4       0      0 localhost.80       142.230.54.215.12838   SYN_RCVD
tcp4       0      0 localhost.80       115.195.241.254.65054  SYN_RCVD
tcp4       0      0 localhost.80       145.102.57.139.51716   SYN_RCVD
tcp4       0      0 localhost.80       64.245.164.26.46386    SYN_RCVD
tcp4       0      0 localhost.80       73.185.252.254.63014   SYN_RCVD
tcp4       0      0 localhost.80       64.245.164.22.42774    SYN_RCVD
tcp4       0      0 localhost.80       26.238.171.223.62500   SYN_RCVD
tcp4       0      0 localhost.80       88.48.51.61.8264       SYN_RCVD
tcp4       0      0 localhost.80       64.46.85.74.24073      SYN_RCVD
tcp4       0      0 localhost.80       64.245.164.21.53795    SYN_RCVD
tcp4       0      0 localhost.80       124.243.9.144.19490    SYN_RCVD
tcp4       0      0 localhost.80       67.151.20.111.26927    SYN_RCVD
tcp4       0      0 localhost.80       184.228.186.75.9002    SYN_RCVD
tcp4       0      0 localhost.80       64.245.164.20.50448    SYN_RCVD
tcp4       0      0 localhost.80       124.243.9.148.22336    SYN_RCVD
tcp4       0      0 localhost.80       101.244.233.154.43027  SYN_RCVD
tcp4       0      0 localhost.80       142.230.54.207.37956   SYN_RCVD
tcp4       0      0 localhost.80       142.230.54.218.43311   SYN_RCVD
tcp4       0      0 localhost.80       145.102.57.134.47909   SYN_RCVD
tcp4       0      0 localhost.80       73.185.252.249.42769   SYN_RCVD
tcp4       0      0 localhost.80       124.243.9.146.24886    SYN_RCVD

Can ipfw block the spoofing or pf? Thanks in advance.

DutchDaemon · Feb 4, 2013

Any stateful firewall should be able to halt these "replies", since they will usually only allow a SYN in before creating a state. Without a state, other inbound traffic is rejected.

SirDice · Feb 12, 2013

Since you have no control over your attacker you cannot stop him. You can however mitigate the effects of such an attack.

[thread=4108]Unofficial FreeBSD Security Checklist / Links / Resources[/thread]

gqgunhed · Feb 12, 2013

pf can be setup to do block spoofed packets, see http://www.openbsd.org/faq/pf/filter.html#antispoof for examples.

Sorry, I don't use ipfw, so I can not help you with that.

You should follow the advice for SirDice at first, then get a firewall in place. Ok, in your case maybe the firewall first

Any device being directly reachable from the internet must be properly secured and monitored.

I really like the IMHO excellent pf guide at calomel.org.

Crivens · Feb 12, 2013

rohitewebtech said:
can u give me a few tips about stoping hacker attacking my pc ?

To quote from a Harrison Ford movie "The course of action I'd suggest is the course of action i can't suggest"
Other than that, firewalls are the only way. Reading "Absolute FreeBSD" may also give some tipps how to make life better.

Block a spoofing attack

vamos

DutchDaemon

Administrator

SirDice

Administrator

gqgunhed

Crivens

Administrator