Message-ID: <00ea01bde108$6e0a5200$1adca8c0@hina2.ohnoko.co.jp>
From: "Yutaka Ohno" <yutaka@ohnoko.co.jp>
To: <FreeBSD-users-jp@jp.freebsd.org>
Date: Wed, 16 Sep 1998 09:24:55 +0900
Subject: [FreeBSD-users-jp 32937] is this attack?

This is Ohno at Ohnoko.

I am in the middle of configuring a firewall, and yesterday the
following entry was left in the log. The system is FreeBSD(98) 2.2.6R,
running ipfw + natd 1.2.

> 07410          1        137 deny log udp from any 53 to any via ed17
> ipfw: 7410 Deny UDP 192.16.202.11:53 xxx.xxx.xxx.xxx:32772 in via ed17

xxx.xxx.xxx.xxx$B$H$$$&$N$O!"%U%!%$%"!<%&%)!<%k$N(BIP$B%"%I%l%9$G(B
$B$9$,!"%U%!%$%"!<%&%)!<%k$N@_Dj$G$O!"(B
$fwcmd add divert 6668 udp from any 53 to ${firewall} via ed17
$B$H$$$&$h$&$K!"30$+$iF~$C$F$-$?(BDNS$B$N%Q%1%C%H$O!"$^$:(Bdivert$B$5$l(B
$fwcmd add pass udp from any 53 to ${ip} via ed17
$fwcmd add deny log udp from any 53 to any via ed17
$B%M!<%`%5!<%P!<$NF0$$$F$$$k%"%I%l%9$K$D$$$F$O!"DL2a$5$;!"(B
$B$=$l0J30$O5qH]$7$F(BLOG$B$r;D$9$h$&$J@_Dj$K$7$F$$$k$D$b$j(B
$B$G$9!#(B

Does the entry left in the log mean that someone attempted
unauthorized access? During the period when the access occurred, nobody
was accessing the computers inside the company, and there is no log
entry showing that a name server lookup failed from inside the company
either. Also, nslookup on the accessing address 192.16.202.11 gives
ns.EU.net, but I have no recollection of accessing such a place...
cron does not appear to be running at that time either.
The name server for external use is placed outside the firewall, so I
have the feeling this is not a packet that came to access our site
in the normal way.

Is there a configuration mistake somewhere?
Also, if this is unauthorized access, how did they find
xxx.xxx.xxx.xxx:32772? Is someone eavesdropping somewhere?
Or is a log being kept on a name server we accessed and then being
used?
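
An added example, not part of the original post: a first-match walk of the three rules quoted in the message, applied to the logged packet. `FIREWALL` and `NAMESERVER` are constructed stand-ins for the masked xxx.xxx.xxx.xxx and the unset `${ip}`, and the model assumes a diverted packet continues at the rule after the divert rule, with its destination unchanged unless `nat_dst` is given.

```python
import re

# Constructed stand-ins (documentation range) for values the post masks or leaves unset.
FIREWALL = "203.0.113.1"     # assumption: the post's xxx.xxx.xxx.xxx / ${firewall}
NAMESERVER = "203.0.113.53"  # assumption: the post's ${ip}

# The post's three "udp ... via ed17" rules: (action, source port, dst; None = any).
RULES = [
    ("divert 6668", 53, FIREWALL),
    ("pass", 53, NAMESERVER),
    ("deny log", 53, None),
]

# Log line from the post, with the masked address replaced by FIREWALL (constructed).
SAMPLE = "ipfw: 7410 Deny UDP 192.16.202.11:53 203.0.113.1:32772 in via ed17"

LOG_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<dir>in|out) via (?P<iface>\w+)"
)

def parse_log(line):
    """Split an ipfw log line of the form shown in the post into fields."""
    m = LOG_RE.search(line)
    if m is None:
        raise ValueError("not an ipfw log line in the expected form: %r" % line)
    pkt = m.groupdict()
    pkt["proto"] = pkt["proto"].lower()
    for key in ("rule", "sport", "dport"):
        pkt[key] = int(pkt[key])
    return pkt

def evaluate(pkt, nat_dst=None):
    """First-match walk of RULES. Returns (final action, list of rules matched)."""
    dst, trace = pkt["dst"], []
    for action, sport, rule_dst in RULES:
        if pkt["proto"] != "udp" or pkt["iface"] != "ed17" or pkt["sport"] != sport:
            continue
        if rule_dst is not None and dst != rule_dst:
            continue
        trace.append(action)
        if action.startswith("divert"):
            # natd reinjects the packet and ipfw resumes at the next rule;
            # nat_dst models natd rewriting the destination, None leaves it as is.
            dst = nat_dst or dst
            continue
        return action, trace
    return "falls through to later rules", trace
```

With these stand-in addresses, `evaluate(parse_log(SAMPLE))` matches the divert rule and then the deny log rule, the same rule 7410 that appears in the logged line.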

