• Telnet Flooding

    From tbirdsradio@VERT/TBIRDS to All on Thursday, August 06, 2015 11:10:21
    I've been receiving some telnet flooding (for lack of a better term) from various IP addresses. Nodes 1, 2, 3, & 4 will receive connections in numerical order continuously. Each Node dropping the connection and then immediately answering on the next available Node. It's like they are trying to crash or overload the server. Sometimes this will go on for quite a while.

    My question is, other than placing the IP address in the IP filter, what can be done, if anything? It's coming from multiple IP addresses so I'm guessing I'm just filling the IP Filter log with proxy addresses. First time I've ever experienced this swarming type behavior with the bbs. Any help/advice would be appreciated. Thanks

    ---
    ■ Synchronet ■ ┤ TBIRDS BBS ┤ telnet://tbirds.dyndns.org
  • From Nightfox@VERT/DIGDIST to tbirdsradio on Thursday, August 06, 2015 10:28:30
    I've been receiving some telnet flooding (for lack of a better term) from various IP addresses. Nodes 1, 2, 3, & 4 will receive connections in numerical order continuously. Each Node dropping the connection and then immediately answering on the next available Node. It's like they are trying to crash or overload the server. Sometimes this will go on for quite a while.

    My question is, other than placing the IP address in the IP filter, what can be done, if anything? It's coming from multiple IP addresses so I'm guessing I'm just filling the IP Filter log with proxy addresses. First time I've ever experienced this swarming type behavior with the bbs. Any help/advice would be appreciated. Thanks

    I get that every so often on my BBS. I've added some of those IP addresses to my IP filter, but it always seems to eventually happen again from different IP addresses. I'm also interested in knowing from others if there's a better solution. I suppose I could have a look at where these IP addresses are coming from - I've seen other sysops say they have banned entire countries when they get a lot of attacks from one particular country.

    Unless they're filling up all of your telnet nodes, I'm not sure how much of a concern it is. I have 16 nodes set up on my BBS, and I've only seen them fill maybe 5 nodes at a time, but it's only for a moment, and they quickly stop.

    Nightfox

    ---
    ■ Synchronet ■ Digital Distortion: digitaldistortionbbs.com
  • From tbirdsradio@VERT/TBIRDS to Nightfox on Thursday, August 06, 2015 18:00:25
    Re: Telnet Flooding
    By: Nightfox to tbirdsradio on Thu Aug 06 2015 10:28 am

    I get that every so often on my BBS. I've added some of those IP addresses to my IP filter, but it always seems to eventually happen again from different IP addresses. I'm also interested in knowing from others if there's a better

    Thanks for the response, Nightfox. Unfortunately, yes. This does clog my 4 Node setup temporarily. What makes it super annoying is that sometimes this will go on and on throughout the day. They also come from ports other than 23. For example: port 58340, 51413, 52120, 47972, etc..

    ---
    ■ Synchronet ■ ┤ TBIRDS BBS ┤ telnet://tbirds.dyndns.org
  • From Digital Man@VERT to tbirdsradio on Thursday, August 06, 2015 16:33:16
    Re: Telnet Flooding
    By: tbirdsradio to Nightfox on Thu Aug 06 2015 06:00 pm

    Re: Telnet Flooding
    By: Nightfox to tbirdsradio on Thu Aug 06 2015 10:28 am

    I get that every so often on my BBS. I've added some of those IP addresses to my IP filter, but it always seems to eventually happen again from different IP addresses. I'm also interested in knowing from others if there's a better

    Thanks for the response, Nightfox. Unfortunately, yes. This does clog my 4 Node setup temporarily. What makes it super annoying is that sometimes this will go on and on throughout the day. They also come from ports other than 23. For example: port 58340, 51413, 52120, 47972, etc..

    The source port is normally an "ephemeral" port number (i.e. always > 1024 and usually > 32768). Only the destination port should be a "well known" port number (e.g. 23 for Telnet).

    digital man

    Synchronet "Real Fact" #10:
    DOVE-Net was originally an exclusive ("elite") WWIVnet network in O.C., Calif.
    Norco, CA WX: 84.0°F, 45.0% humidity, 7 mph E wind, 0.00 inches rain/24hrs

    ---
    ■ Synchronet ■ Vertrauen ■ Home of Synchronet ■ telnet://vert.synchro.net
  • From nolageek@VERT/CAPSHRIL to Nightfox on Thursday, August 06, 2015 18:29:53
    Re: Telnet Flooding
    By: Nightfox to tbirdsradio on Thu Aug 06 2015 10:28 am

    I've been receiving some telnet flooding (for lack of a better term)
    from various IP addresses. Nodes 1, 2, 3, & 4 will receive connections
    My question is, other than placing the IP address in the IP filter,
    what can be done if anything ? It's coming from multiple IP addresses
    I get that every so often on my BBS. I've added some of those IP addresses different IP addresses. I'm also interested in knowing from others if

    Are you running Windows? I just started using PeerBlock to block Russia, Ukraine, China and the Czech Republic. It blocks hundreds of connections a day. It's crazy. :)

    -nolageek

    ---
    ■ Synchronet ■ Capitol Shrill BBS - Washington, DC - capitolshrill.com
  • From Nightfox@VERT/DIGDIST to nolageek on Thursday, August 06, 2015 18:43:10
    Re: Telnet Flooding
    By: nolageek to Nightfox on Thu Aug 06 2015 18:29:53

    I've been receiving some telnet flooding (for lack of a better term)
    from various IP addresses. Nodes 1, 2, 3, & 4 will receive
    connections My question is, other than placing the IP address in the
    IP filter, what can be done if anything ? It's coming from multiple
    IP addresses

    I get that every so often on my BBS. I've added some of those IP
    addresses different IP addresses. I'm also interested in knowing
    from others if

    Are you running Windows? I just started using PeerBlock to block Russia, Ukraine, China and the Czech Republic. It blocks hundreds of connections a day. It's crazy. :)

    Yes, I am running my BBS in Windows. I've often been unsure that I'd want to go so far as to ban entire countries though - It seems to me that attackers could be anywhere, and I wouldn't want to prevent real users from getting in. I know some would disagree though..

    Nightfox

    ---
    ■ Synchronet ■ Digital Distortion: digitaldistortionbbs.com
  • From Mro@VERT/BBSESINF to tbirdsradio on Thursday, August 06, 2015 22:27:31
    Re: Telnet Flooding
    By: tbirdsradio to All on Thu Aug 06 2015 11:10 am

    I've been receiving some telnet flooding (for lack of a better term) from various IP addresses. Nodes 1, 2, 3, & 4 will receive connections in numerical order continuously. Each Node dropping the connection and then immediately answering on the next available Node. It's like they are trying to crash or overload the server. Sometimes this will go on for quite a while.

    My question is, other than placing the IP address in the IP filter, what
    can be done, if anything? It's coming from multiple IP addresses so I'm guessing I'm just filling the IP Filter log with proxy addresses. First
    time I've ever experienced this swarming type behavior with the bbs. Any help/advice would be appreciated. Thanks



    this type of stuff is to be expected if you have a server accessible on the internet.

    you can use ipdeny to generate country blocklists and then use them with iptables (linux) or adapt it to a software firewall.

    i use peerblock and throw in my own lists. i don't even want the attacks to stress the bbs which is why i use peerblock.
    ---
    ■ Synchronet ■ ::: BBSES.info - free BBS services :::
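Added example, not part of Mro's post or of any project's own code: one way to turn a downloaded country list into firewall input on Linux. It assumes the list is plain text with one CIDR per line and loads it through ipset (which the post does not mention) so a single iptables rule covers the whole list; the set name `bbs_block` and the sample ranges are constructed.

```python
from ipaddress import collapse_addresses, ip_network

# Constructed sample list, one CIDR per line (assumed layout). The ranges are
# documentation prefixes, not a real country allocation.
SAMPLE_ZONE = """\
# constructed example
198.51.100.0/25
198.51.100.128/25
203.0.113.0/24
203.0.113.64/26
not-a-network
192.0.2.77/24
0.0.0.0/0
"""

def load_networks(text, min_prefix=8):
    """Return (collapsed networks, rejected lines) from a CIDR list."""
    nets, rejected = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            net = ip_network(line)  # strict: host bits must be zero
            if net.version != 4 or net.prefixlen < min_prefix:
                raise ValueError("not IPv4 or too broad to block safely")
            nets.append(net)
        except ValueError:
            rejected.append(line)
    # Merge adjacent and overlapping ranges so the set stays small.
    return list(collapse_addresses(nets)), rejected

def ipset_restore(name, nets):
    """Text for `ipset restore`: create the set, then add each network."""
    lines = [f"create {name} hash:net family inet"]
    lines += [f"add {name} {net}" for net in nets]
    return "\n".join(lines) + "\n"

def telnet_drop_rule(name, port=23):
    """iptables command dropping traffic from the set to the telnet port only."""
    return (f"iptables -I INPUT -p tcp --dport {port} "
            f"-m set --match-set {name} src -j DROP")

if __name__ == "__main__":
    networks, bad = load_networks(SAMPLE_ZONE)
    print(ipset_restore("bbs_block", networks), end="")
    print(telnet_drop_rule("bbs_block"))
    print("rejected:", bad)
```

Rejected lines are returned rather than silently dropped, so a malformed or overly broad entry in a list can be reviewed before anything is loaded.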
  • From Mro@VERT/BBSESINF to tbirdsradio on Thursday, August 06, 2015 22:28:36
    Re: Telnet Flooding
    By: tbirdsradio to Nightfox on Thu Aug 06 2015 06:00 pm

    Thanks for the response, Nightfox. Unfortunately, yes. This does clog my 4 Node setup temporarily. What makes it super annoying is that sometimes this will go on and on throughout the day. They also come from ports other than 23. For example: port 58340, 51413, 52120, 47972, etc..


    those aren't really ports in that sense.
    ---
    ■ Synchronet ■ ::: BBSES.info - free BBS services :::
  • From tbirdsradio@VERT/TBIRDS to Digital Man on Friday, August 07, 2015 08:34:48
    Re: Telnet Flooding
    By: Digital Man to tbirdsradio on Thu Aug 06 2015 04:33 pm

    will go on and on throughout the day. They also come from ports other than 23. For example: port 58340, 51413, 52120, 47972, etc..

    The source port is normally an "ephemeral" port number (i.e. always > 1024 and usually > 32768). Only the destination port should be a "well known" port number (e.g. 23 for Telnet).

    Ok so "ephemeral" in this sense meaning brief and/or temporary? One minute I have, for example, an IP address connect, sit idle for approx 5 seconds or so, then disconnect. Immediately after, that same IP will connect with a port number attached to the end of the IP. This is usually followed up with more of the same using different IP addresses. Just have never noticed before so many different port variants in the Sync telnet log.

    Do you recommend I continue adding to the IP filter list, Rob? Thanks.

    ---
    ■ Synchronet ■ ┤ TBIRDS BBS ┤ telnet://tbirds.dyndns.org
  • From tbirdsradio@VERT/TBIRDS to Mro on Friday, August 07, 2015 08:50:45
    Re: Telnet Flooding
    By: Mro to tbirdsradio on Thu Aug 06 2015 10:27 pm

    guessing I'm just filling the IP Filter log with proxy addresses. First time I've ever experienced this swarming type behavior with the bbs. Any help/advice would be appreciated. Thanks

    this type of stuff is to be expected if you have a server accessible on the internet.

    Hi Mro,
    Yes, I understand. It's just that this has really been aggressive and unrelenting.

    Been totally out of the loop for some years now and just recently set the board back up. Never in all the years prior have I ever experienced this type of unprovoked behavior.

    i use peerblock and throw in my own lists. i don't even want the attacks to stress the bbs which is why i use peerblock.

    Thanks for the ideas. I'll look into it. Likewise, I don't want to see anyone's bbs system treated like this. Thanks again.

    ---
    ■ Synchronet ■ ┤ TBIRDS BBS ┤ telnet://tbirds.dyndns.org
  • From tbirdsradio@VERT/TBIRDS to Mro on Friday, August 07, 2015 09:11:54
    Re: Telnet Flooding
    By: Mro to tbirdsradio on Thu Aug 06 2015 10:28 pm

    will go on and on throughout the day. They also come from ports other than 23. For example: port 58340, 51413, 52120, 47972, etc..

    those aren't really ports in that sense.

    I'm not really hip to all the port variants and/or their meaning. Just thought it odd and perhaps worth mentioning. As I described in a previous post, I'll have IP: XX.X.XXX.XXX connect to the system, sit idle for approximately 5 secs, hang up, then immediately that very same IP will connect again only this time with port XXXXX attached to the end of it.

    Digital Man said they were "ephemeral". I understood that to mean temporary so again, I don't know what to make of it. Just wanted to post it for discussion and/or possible solutions/explanations. Much smarter folks than me here when it comes to computers and I appreciate everyone's input/advice.

    ---
    ■ Synchronet ■ ┤ TBIRDS BBS ┤ telnet://tbirds.dyndns.org
  • From Mro@VERT/BBSESINF to tbirdsradio on Friday, August 07, 2015 17:31:17
    Re: Telnet Flooding
    By: tbirdsradio to Mro on Fri Aug 07 2015 08:50 am


    i use peerblock and throw in my own lists. i don't even want the attacks to stress the bbs which is why i use peerblock.

    Thanks for the ideas. I'll look into it. Likewise, I don't want to see anyone's bbs system treated like this. Thanks again.


    make sure you use peerblock. just don't forget about it.

    otherwise you can pay for hosting and it can handle more traffic and attacks.
    ---
    ■ Synchronet ■ ::: BBSES.info - free BBS services :::
  • From Mro@VERT/BBSESINF to tbirdsradio on Friday, August 07, 2015 17:31:53
    Re: Telnet Flooding
    By: tbirdsradio to Mro on Fri Aug 07 2015 09:11 am

    post, I'll have IP: XX.X.XXX.XXX connect to the system, sit idle for approximately 5 secs, hang up, then immediately that very same IP will connect again only this time with port XXXXX attached to the end of it.

    Digital Man said they were "ephemeral". I understood that to mean temporary so again, I don't know what to make of it. Just wanted to post it for discussion and/or possible solutions/explanations. Much smarter folks than me here when it comes to computers and I appreciate everyone's


    all you need to know is you should block those ip addresses if they are unwanted.
    ---
    ■ Synchronet ■ ::: BBSES.info - free BBS services :::
  • From Digital Man@VERT to tbirdsradio on Monday, August 10, 2015 15:30:21
    Re: Telnet Flooding
    By: tbirdsradio to Digital Man on Fri Aug 07 2015 08:34 am

    Re: Telnet Flooding
    By: Digital Man to tbirdsradio on Thu Aug 06 2015 04:33 pm

    will go on and on throughout the day. They also come from ports other than 23. For example: port 58340, 51413, 52120, 47972, etc..

    The source port is normally an "ephemeral" port number (i.e. always > 1024 and usually > 32768). Only the destination port should be a "well known" port number (e.g. 23 for Telnet).

    Ok so "ephemeral" in this sense meaning brief and/or temporary?

    Yes. https://en.wikipedia.org/wiki/Ephemeral_port

    One minute I have, for example, an IP address connect, sit idle for approx 5 seconds or so, then disconnect. Immediately after, that same IP will connect with a port number attached to the end of the IP.

    Every TCP connection has a source port number.

    This is usually followed up with more
    of the same using different IP addresses. Just have never noticed before so many different port variants in the Sync telnet log.

    Yup, that's normal.

    Do you recommend I continue adding to the IP filter list, Rob? Thanks.

    Sure, I do. I also have the login attempt counting stuff automatically filter IP addresses as well.

    digital man

    Synchronet "Real Fact" #7:
    Synchronet was originally intended as a replacement for WWIV BBS software.
    Norco, CA WX: 80.9°F, 51.0% humidity, 5 mph ENE wind, 0.00 inches rain/24hrs

    ---
    ■ Synchronet ■ Vertrauen ■ Home of Synchronet ■ telnet://vert.synchro.net
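Added example, not part of Digital Man's post and not Synchronet's own code: a connection counter in the spirit of the automatic filtering mentioned above. It keys on the source IP and ignores the ephemeral source port, and as a generalisation it can also count per network prefix to catch a flood spread over neighbouring addresses. The log layout, thresholds and addresses are assumptions constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample lines. The "timestamp ... from ip:port" layout is an
# assumption for this example, not Synchronet's actual log format.
SAMPLE_LOG = """\
2015-08-06 11:10:00 connection accepted from 198.51.100.7:58340
2015-08-06 11:10:06 connection accepted from 198.51.100.7:51413
2015-08-06 11:10:12 connection accepted from 198.51.100.7:52120
2015-08-06 11:10:18 connection accepted from 198.51.100.7:47972
2015-08-06 11:10:20 connection accepted from 203.0.113.5:40001
2015-08-06 11:10:25 connection accepted from 203.0.113.9:40002
2015-08-06 11:10:30 connection accepted from 203.0.113.77:40003
2015-08-06 11:10:35 connection accepted from 203.0.113.130:40004
2015-08-06 11:30:00 connection accepted from 192.0.2.10:50000
"""

LINE_RE = re.compile(r"^(\S+ \S+) .* from (\d+(?:\.\d+){3}):(\d+)$")

def parse(log):
    """Yield (timestamp, source IP, source port) for each connection line."""
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            yield ts, ip_address(m.group(2)), int(m.group(3))

def flag_flooders(events, limit=3, window=timedelta(seconds=60), prefix=None):
    """Return sources with more than `limit` connections inside `window`,
    keyed on source IP (or its /prefix network); the port is ignored."""
    recent = defaultdict(deque)
    flagged = set()
    for ts, ip, _port in sorted(events, key=lambda e: e[0]):
        key = ip_network(f"{ip}/{prefix}", strict=False) if prefix else ip
        times = recent[key]
        times.append(ts)
        while ts - times[0] > window:
            times.popleft()  # forget connections older than the window
        if len(times) > limit:
            flagged.add(str(key))
    return flagged

if __name__ == "__main__":
    print(sorted(flag_flooders(parse(SAMPLE_LOG))))             # per address
    print(sorted(flag_flooders(parse(SAMPLE_LOG), prefix=24)))  # per /24
```

In the sample, one address reconnects four times with four different source ports and is flagged once; the four neighbouring addresses are only caught when counting per /24.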
  • From tbirdsradio@VERT/TBIRDS to Digital Man on Monday, August 10, 2015 18:00:40
    Re: Telnet Flooding
    By: Digital Man to tbirdsradio on Mon Aug 10 2015 03:30 pm

    Do you recommend I continue adding to the IP filter list, Rob? Thanks.

    Sure, I do. I also have the login attempt counting stuff automatically filter IP addresses as well.

    Thank you, Rob. You're the man!

    ---
    ■ Synchronet ■ ┤ TBIRDS BBS ┤ telnet://tbirds.dyndns.org