Security Incidents mailing list archives
Question about strange ICMP/RAW traffic downstream on my DNS.
From: Julien BREVIERE <root () SUPRAMOTEUR COM>
Date: Thu, 12 Oct 2000 18:59:46 +0200
Hello,

I got a question... I'm receiving packets from private addresses to my 2 DNS IPs.

I don't have a real NAT/DMZ/Firewall, all IPs of my subnet are routed directly, but my ISP blocked all 192.168.* incoming traffic and the packets are still coming in (even if denied by the local ipchains on each 'attacked' host), so I thought the 192.168.* source was given because the packets are fragmented.

Here's a piece of a 'netstat -a | grep raw' output, showing a high Recv-Q:

    leeloo:/root/tcpdump-3.4# netstat -an
    Active Internet connections (servers and established)
    Proto Recv-Q Send-Q Local Address           Foreign Address         State
    raw        0      0 0.0.0.0:6               0.0.0.0:*               7
    raw        0      0 0.0.0.0:1               0.0.0.0:*               7
    raw    65488      0 0.0.0.0:1               0.0.0.0:*               7
    raw        0      0 0.0.0.0:1               0.0.0.0:*               7
    raw        0      0 0.0.0.0:6               0.0.0.0:*               7

Here's a piece of a 'tcpdump -n | grep 192.168' output (note that the packets are not really 'flooding' since there's only one packet for about two seconds):

    leeloo:/root/tcpdump-3.4# ./tcpdump -n | grep 192.168
    tcpdump: listening on eth0
    18:42:57.495236 192.168.2.41 > 213.11.63.10: icmp: time exceeded in-transit [tos 0xc0]
    18:43:01.602663 192.168.2.41 > 213.11.63.10: icmp: time exceeded in-transit [tos 0xc0]
    18:43:13.371107 192.168.2.41 > 213.11.63.10: icmp: time exceeded in-transit [tos 0xc0]
    18:43:13.644952 192.168.2.41 > 213.11.63.10: icmp: time exceeded in-transit [tos 0xc0]
    18:43:16.370584 192.168.2.41 > 213.11.63.10: icmp: time exceeded in-transit [tos 0xc0]
    18:43:19.375309 192.168.2.41 > 213.11.63.10: icmp: time exceeded in-transit [tos 0xc0]

etc... From what I've logged/saw, only 192.168.2.41, 192.168.2.33 and 192.168.2.37 are doing such accesses.

When ipchains has logging enabled (/sbin/ipfwadm-wrapper -I -a deny -S 192.168.0.0/16 -D $ip -P icmp -o) it shows up those lines in syslog:

    Oct 12 18:45:15 leeloo kernel: Packet log: inp DENY eth0 PROTO=1 192.168.2.41:11 213.11.63.10:0 L=56 S=0xC0 I=48891 F=0x0000 T=237 (#25)
    Oct 12 18:45:18 leeloo kernel: Packet log: inp DENY eth0 PROTO=1 192.168.2.41:11 213.11.63.10:0 L=56 S=0xC0 I=48895 F=0x0000 T=237 (#25)
    Oct 12 18:45:20 leeloo kernel: Packet log: inp DENY eth0 PROTO=1 192.168.2.41:11 213.11.63.10:0 L=56 S=0xC0 I=48907 F=0x0000 T=237 (#25)
    Oct 12 18:45:21 leeloo kernel: Packet log: inp DENY eth0 PROTO=1 192.168.2.41:11 213.11.63.10:0 L=56 S=0xC0 I=48908 F=0x0000 T=237 (#25)
    Oct 12 18:45:29 leeloo kernel: Packet log: inp DENY eth0 PROTO=1 192.168.2.41:11 213.11.63.10:0 L=56 S=0xC0 I=48929 F=0x0000 T=237 (#25)
    Oct 12 18:45:33 leeloo kernel: Packet log: inp DENY eth0 PROTO=1 192.168.2.41:11 213.11.63.10:0 L=56 S=0xC0 I=48933 F=0x0000 T=237 (#25)
    Oct 12 18:45:41 leeloo kernel: Packet log: inp DENY eth0 PROTO=1 192.168.2.41:11 213.11.63.10:0 L=56 S=0xC0 I=48950 F=0x0000 T=237 (#25)

etc... Both 213.11.63.10 and 213.11.63.20 are suffering those. It's only directed to those IPs, because I have several aliased IPs on .20, but .20 has never shown up anywhere else than in a DNS WHOIS lookup for our domains, and no other IPs are receiving those packets.

That makes a mess in my network, causing for example unimaginable timeouts (like between eth0 and eth0:1, two aliased IPs on the local machine).

That's been going on for a little more than 24 hours and my ISP (UUNET) didn't find any way of blocking it. If you could help me in a way of configuring the router (Cisco 1601) or my ipchains so the Recv-Q will go down, even if the packets continue, considering it's not really a 'flood' in the primary sense of this word, I will be very glad of it.

Thanks in advance,
Regards,

===================================
Julien BREVIERE
Net'Veille/L'Ecripapiers
System Administrator
mailto:root () supramoteur com
Tél.: +33 1 41 05 43 03
===================================
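As an added example, not part of the post or the poster's setup, a small Python parser for the ipchains kernel packet-log lines quoted above: it decodes the ICMP type/code that ipchains prints in the port positions for PROTO=1, checks whether the source address is RFC 1918, and reads the F= field (the raw IP fragment-offset word) to tell whether a logged packet is actually a fragment. The two 192.168.2.41 lines are copied from the post; the 198.51.100.7 line is constructed for contrast, and all function and field names are the example's own.

```python
import ipaddress
import re
from collections import Counter

# ipchains kernel packet-log format as quoted in the post; for PROTO=1 (ICMP) the
# "port" fields carry the ICMP type and code, and F= is the raw IP frag_off field.
LOG_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<verdict>\S+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"L=(?P<length>\d+) S=(?P<tos>0x[0-9A-Fa-f]+) I=(?P<ident>\d+) "
    r"F=(?P<frag>0x[0-9A-Fa-f]+) T=(?P<ttl>\d+)"
)
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ICMP_TYPE_NAMES = {0: "echo reply", 3: "unreachable", 8: "echo request", 11: "time exceeded"}

def parse_line(line):
    """Return a dict for one ipchains packet-log line, or None for any other syslog line."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    d = m.groupdict()
    frag = int(d["frag"], 16)  # bit 0x2000 = more fragments, low 13 bits = fragment offset
    src = ipaddress.ip_address(d["src"])
    rec = {"verdict": d["verdict"], "iface": d["iface"], "proto": int(d["proto"]),
           "src": d["src"], "dst": d["dst"], "ttl": int(d["ttl"]), "length": int(d["length"]),
           "is_fragment": bool(frag & 0x2000) or bool(frag & 0x1FFF),
           "rfc1918_src": any(src in net for net in RFC1918)}
    if rec["proto"] == 1:  # ICMP: sport/dport positions hold type and code
        rec["icmp_type"], rec["icmp_code"] = int(d["sport"]), int(d["dport"])
        rec["icmp_name"] = ICMP_TYPE_NAMES.get(rec["icmp_type"], "type %d" % rec["icmp_type"])
    return rec

def summarize(lines):
    """Count ICMP packets per (source, type) and tally RFC 1918 sources and real fragments."""
    per_source, private, fragments = Counter(), 0, 0
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["proto"] != 1:
            continue
        per_source[(rec["src"], rec["icmp_name"])] += 1
        private += rec["rfc1918_src"]
        fragments += rec["is_fragment"]
    return {"per_source": dict(per_source), "rfc1918_sources": private, "fragments": fragments}

# First two lines copied from the post; the third is constructed for contrast.
SAMPLE = [
    "Oct 12 18:45:15 leeloo kernel: Packet log: inp DENY eth0 PROTO=1 192.168.2.41:11 213.11.63.10:0 L=56 S=0xC0 I=48891 F=0x0000 T=237 (#25)",
    "Oct 12 18:45:18 leeloo kernel: Packet log: inp DENY eth0 PROTO=1 192.168.2.41:11 213.11.63.10:0 L=56 S=0xC0 I=48895 F=0x0000 T=237 (#25)",
    "Oct 12 18:46:02 leeloo kernel: Packet log: inp DENY eth0 PROTO=1 198.51.100.7:8 213.11.63.10:0 L=84 S=0x00 I=1234 F=0x2000 T=51 (#25)",
]
```

Run `summarize(SAMPLE)` to get the per-source counts; on the quoted lines every packet is ICMP type 11 code 0 (time exceeded in transit) with F=0x0000, i.e. not a fragment.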