ghormannalumni.indiana.edu

• Next message: Mike Silbersack: "Re: your mail"
• Previous message: Kris Kennaway: "Re: MFC'ing OpenSSL 0.9.5a?"
• Next in thread: Mike Silbersack: "Re: your mail"
• Maybe reply: Greg Hormann: "(no subject)"
• Reply: Mike Silbersack: "Re: your mail"
• Reply: Kris Kennaway: "Re: your mail"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Today I noticed that my FreeBSD nat server was getting a extremely high
number of packet hits. Turns out that my socks5 server was under some
type of attack from multiple host. Looks like it started at about 2pm and
ran until I shut Socks5 down just after midnight.

Turns out the permit line in my socks5.conf just contained "-", a left
over from my dialup days. Not understanding exactly how the SOCKS
protocol works, I wonder

(1) What damage might this have done? The destination port appears to
always be 6112. Anybody know what is on this port?

(2) Whats the best way to block this? If I block external access to the
Socks5 port in my firewall will socks5 still work? Should I just use a
permit/auth statement?

Thanks for any input.

Greg.

Aug 1 00:13:51 hormann Socks5[89393]: TCP Connection Established: Connect (24.141.20.175:3560 to 216.148.246.9:6112) for user
Aug 1 00:13:52 hormann Socks5[89394]: TCP Connection Request: Connect (24.141.20.175:3561 to 216.148.246.9:6112) for user
Aug 1 00:14:06 hormann Socks5[89397]: TCP Connection Terminated: Normal (24.141.20.175:3580 to 216.148.246.9:6112) for user : 1 bytes out, 0 bytes in

To Unsubscribe: send mail to majordomoFreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

• Next message: Mike Silbersack: "Re: your mail"
• Previous message: Kris Kennaway: "Re: MFC'ing OpenSSL 0.9.5a?"
• Next in thread: Mike Silbersack: "Re: your mail"
• Maybe reply: Greg Hormann: "(no subject)"
• Reply: Mike Silbersack: "Re: your mail"
• Reply: Kris Kennaway: "Re: your mail"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]