Security Incidents mailing list archives

Re: TCP connections to port 1024 - DDoS?


From: Peter Gamache <peter () LUNO ORG>
Date: Wed, 25 Oct 2000 14:07:03 -0500

Arrigo Triulzi wrote:

Turpin, Jason scripsit:
|I am seeing the same thing the last couple of days.  It comes from about 100
|ip's and targets my Mail Servers on port 1024.  There are approximately 254
|attempts in less than 10 seconds from these 100 ip's

You might want to consider the fact that some boxes, Linux for
example, often use 1024 as the first port for outgoing connections.
This might be an attempt to "get back" at you in some way on a waiting
connection, man-in-the-middle?

Just a quick thought.

Arrigo

And to extend that comment, the first process that allocates a persistent,
listening (>1023) port on GNU/Linux systems is usually named.  Double check
this with "lsof | grep IP", but that's almost always the case.

If you want to avoid some of the less-talented script kiddies out there, try
putting this in one of the rc.d files on your Linux 2.2.x box (before any
interesting network services get started):

echo "45000 55000" > /proc/sys/net/ipv4/ip_local_port_range

Of course you can pick your own range, but stay away from >60000, those ports
are used for kernel IP masquerading.  After this trick, processes which request
an ephemeral port will be handed one from this range (45000-55000), instead of
the default (1024-4999, on kernel 2.2.16).  Poke around at the other settings,
you'll find lots of useful things to tweak within /proc/sys/net/ipv4.

This works nicely along with an ipchains rule to log (or silently deny) "-p tcp
-d 0/0 1024:44999".  For local connections, you want to precede this rule with a
couple of explicit "allow" rules for your localhost and ethernet adaptor
addresses.  You'll have to beware of poorly-behaved programs that force the
allocation of a particular port, but even in the case that workarounds are
necessary for those programs, it's still a good idea to do something like this.

Sorry, I'm drifting off topic...

- Peter
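The detection side of the trick above, as an added example that is not part of Peter's post: once the ephemeral range has been moved to 45000-55000, nothing local should be handed a port between 1024 and 44999, so inbound connections to that "gap" (what the ipchains log rule would record) can be classified and counted per source. The range file and log lines are constructed stand-ins for /proc/sys/net/ipv4/ip_local_port_range and a firewall log; the log format is hypothetical, not any real syslog layout.

```shell
#!/bin/sh
# Added example (not from the post): parse the ip_local_port_range format,
# classify inbound destination ports against it, and count per-source hits
# in the 1024..(low-1) "gap". Sample data below is constructed.

# read_range FILE -> "low high" (the file holds "low<TAB>high", as /proc does)
read_range() {
    read -r low high < "$1"
    echo "$low $high"
}

# classify_port PORT LOW HIGH -> privileged | gap | ephemeral | masq
# After the tweak no local process is allocated a "gap" port, so an inbound
# connection to one is either a sweep or a program forcing a fixed port.
classify_port() {
    if [ "$1" -lt 1024 ]; then echo privileged
    elif [ "$1" -lt "$2" ]; then echo gap
    elif [ "$1" -le "$3" ]; then echo ephemeral
    else echo masq        # above the range; >60000 is used by kernel IP masquerading
    fi
}

# gap_sources LOGFILE LOW THRESHOLD -> "src count" for every source with at
# least THRESHOLD connections to a gap port, sorted by source address.
# Constructed log line format: "<epoch> <src_ip> <dst_ip> <dst_port>"
gap_sources() {
    awk -v low="$2" -v thr="$3" '
        $4 >= 1024 && $4 < low { hits[$2]++ }
        END { for (s in hits) if (hits[s] >= thr) print s, hits[s] }
    ' "$1" | sort
}

# Constructed sample data standing in for /proc and a firewall log.
SAMPLE_RANGE=$(mktemp)
printf '45000\t55000\n' > "$SAMPLE_RANGE"
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
972500001 198.51.100.7 192.0.2.25 1024
972500001 198.51.100.7 192.0.2.25 1024
972500002 198.51.100.7 192.0.2.25 1024
972500002 203.0.113.9 192.0.2.25 1024
972500003 203.0.113.9 192.0.2.25 1025
972500003 192.0.2.40 192.0.2.25 25
972500004 192.0.2.41 192.0.2.25 47211
EOF

range=$(read_range "$SAMPLE_RANGE")
low=${range% *}; high=${range#* }
echo "port 1024 is $(classify_port 1024 "$low" "$high"); sources with >=2 gap hits:"
gap_sources "$SAMPLE_LOG" "$low" 2
```

Point gap_sources at a real log (after adjusting the awk field positions) and the sources that show up are the ~100 hosts Jason describes; legitimate return traffic lands in the ephemeral class instead.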

