Security Incidents mailing list archives

Question about strange ICMP/RAW traffic downstream on my DNS.


From: Julien BREVIERE <root () SUPRAMOTEUR COM>
Date: Thu, 12 Oct 2000 18:59:46 +0200

Hello,

I've got a question... I'm receiving packets from private addresses to my 2 DNS IPs.

I don't have a real NAT/DMZ/firewall; all IPs of my subnet are routed directly.

But my ISP blocked all 192.168.* incoming traffic and the packets are still
coming in (even though they're denied by the local ipchains on each 'attacked' host),
so I thought the 192.168.* source was given because the packets are fragmented.

Here's a piece of a 'netstat -a | grep raw' output showing a high Recv-Q:

leeloo:/root/tcpdump-3.4# netstat -an
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
raw        0      0 0.0.0.0:6               0.0.0.0:*               7
raw        0      0 0.0.0.0:1               0.0.0.0:*               7
raw    65488      0 0.0.0.0:1               0.0.0.0:*               7
raw        0      0 0.0.0.0:1               0.0.0.0:*               7
raw        0      0 0.0.0.0:6               0.0.0.0:*               7

Here's a piece of a 'tcpdump -n | grep 192.168' output
(note that the packets are not really 'flooding', since there's only about one packet every two seconds):

leeloo:/root/tcpdump-3.4# ./tcpdump -n | grep 192.168
tcpdump: listening on eth0
18:42:57.495236 192.168.2.41 > 213.11.63.10: icmp: time exceeded in-transit [tos 0xc0]
18:43:01.602663 192.168.2.41 > 213.11.63.10: icmp: time exceeded in-transit [tos 0xc0]
18:43:13.371107 192.168.2.41 > 213.11.63.10: icmp: time exceeded in-transit [tos 0xc0]
18:43:13.644952 192.168.2.41 > 213.11.63.10: icmp: time exceeded in-transit [tos 0xc0]
18:43:16.370584 192.168.2.41 > 213.11.63.10: icmp: time exceeded in-transit [tos 0xc0]
18:43:19.375309 192.168.2.41 > 213.11.63.10: icmp: time exceeded in-transit [tos 0xc0]
etc...

From what I've logged/seen, only 192.168.2.41, 192.168.2.33 and 192.168.2.37 are doing such accesses.


When ipchains has logging enabled (/sbin/ipfwadm-wrapper -I -a deny -S 192.168.0.0/16 -D $ip -P icmp -o)
it shows up those lines in syslog:

Oct 12 18:45:15 leeloo kernel: Packet log: inp DENY eth0 PROTO=1 192.168.2.41:11 213.11.63.10:0 L=56 S=0xC0 I=48891 F=0x0000 T=237 (#25)
Oct 12 18:45:18 leeloo kernel: Packet log: inp DENY eth0 PROTO=1 192.168.2.41:11 213.11.63.10:0 L=56 S=0xC0 I=48895 F=0x0000 T=237 (#25)
Oct 12 18:45:20 leeloo kernel: Packet log: inp DENY eth0 PROTO=1 192.168.2.41:11 213.11.63.10:0 L=56 S=0xC0 I=48907 F=0x0000 T=237 (#25)
Oct 12 18:45:21 leeloo kernel: Packet log: inp DENY eth0 PROTO=1 192.168.2.41:11 213.11.63.10:0 L=56 S=0xC0 I=48908 F=0x0000 T=237 (#25)
Oct 12 18:45:29 leeloo kernel: Packet log: inp DENY eth0 PROTO=1 192.168.2.41:11 213.11.63.10:0 L=56 S=0xC0 I=48929 F=0x0000 T=237 (#25)
Oct 12 18:45:33 leeloo kernel: Packet log: inp DENY eth0 PROTO=1 192.168.2.41:11 213.11.63.10:0 L=56 S=0xC0 I=48933 F=0x0000 T=237 (#25)
Oct 12 18:45:41 leeloo kernel: Packet log: inp DENY eth0 PROTO=1 192.168.2.41:11 213.11.63.10:0 L=56 S=0xC0 I=48950 F=0x0000 T=237 (#25)

etc...

Both 213.11.63.10 and 213.11.63.20 are suffering those.
It's only directed to those IPs, because I have several aliased IPs on .20, but .20 never shows up anywhere else than in a DNS WHOIS lookup for our domains, and none of the other IPs are receiving those packets.

That makes a mess in my network, causing for example unimaginable timeouts (like between eth0 and eth0:1, two aliased IPs on the local machine).

That's been going on for a little more than 24 hours,
and my ISP (UUNET) didn't find any way of blocking it.

If you could help me configure the router (Cisco 1601) or my ipchains so that the Recv-Q goes down, even if the packets keep coming, considering it's not really a 'flood' in the primary sense of the word, I would be very glad.

Thanks in advance,
Regards,

===================================
Julien BREVIERE
Net'Veille/L'Ecripapiers System Administrator
mailto:root () supramoteur com

Tél.: +33 1 41 05 43 03
===================================
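The log lines quoted in the post carry more triage data than the tcpdump one-liners: the ICMP type/code (ipchains prints them in the port positions for PROTO=1), the TTL, the IP ID and the fragment word (F=, where 0x4000 is DF, 0x2000 is MF and the low 13 bits are the offset/8). The following is an added example, not code from the post or from ipchains; it parses that syslog format, groups packets by source, destination and ICMP type/code, and reports arrival rate, TTL spread, whether the source lies in RFC 1918 space, whether the IP IDs run sequentially (which points at one real sender behind the address) and how many packets were actually fragments. The sample input is the seven lines from the post plus one line constructed here (from 192.168.2.33, with MF set) purely so the fragment check has something to flag.

```python
"""Triage ipchains "Packet log:" lines such as the ones quoted in the post above.

Added example, not code from the original post or from ipchains.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# For PROTO=1 (ICMP) ipchains logs src:TYPE dst:CODE; for TCP/UDP it logs src:PORT dst:PORT.
LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) kernel: "
    r"Packet log: (?P<chain>\S+) (?P<verdict>\S+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) (?P<src>[\d.]+):(?P<sp>\d+) (?P<dst>[\d.]+):(?P<dp>\d+) "
    r"L=(?P<len>\d+) S=0x(?P<tos>[0-9A-Fa-f]+) I=(?P<ipid>\d+) "
    r"F=0x(?P<frag>[0-9A-Fa-f]{1,4}) T=(?P<ttl>\d+) \(#(?P<rule>\d+)\)$"
)
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ICMP_NAMES = {0: "echo reply", 3: "unreachable", 5: "redirect", 8: "echo request", 11: "time exceeded"}


def parse_line(line):
    """Return a dict of fields for one ipchains log line, or None for any other syslog line."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    g = m.groupdict()
    frag = int(g["frag"], 16)  # 16-bit IP fragment word: 0x4000 DF, 0x2000 MF, low 13 bits = offset/8
    rec = {
        # syslog has no year; strptime fills in 1900, which is fine because only deltas are used
        "ts": datetime.strptime(g["ts"], "%b %d %H:%M:%S"),
        "chain": g["chain"], "verdict": g["verdict"], "iface": g["iface"],
        "proto": int(g["proto"]), "src": g["src"], "dst": g["dst"],
        "len": int(g["len"]), "tos": int(g["tos"], 16), "ipid": int(g["ipid"]),
        "ttl": int(g["ttl"]), "rule": int(g["rule"]),
        "df": bool(frag & 0x4000),
        "is_fragment": bool(frag & 0x2000) or (frag & 0x1FFF) != 0,
        "src_private": any(ipaddress.ip_address(g["src"]) in n for n in RFC1918),
    }
    a, b = int(g["sp"]), int(g["dp"])
    if rec["proto"] == 1:
        rec["icmp_type"], rec["icmp_code"] = a, b
    else:
        rec["sport"], rec["dport"] = a, b
    return rec


def summarize(lines):
    """Group parsed lines by (src, dst, proto, type-or-sport, code-or-dport) and compute stats."""
    groups = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            key = (rec["src"], rec["dst"], rec["proto"],
                   rec.get("icmp_type", rec.get("sport")), rec.get("icmp_code", rec.get("dport")))
            groups[key].append(rec)
    report = {}
    for key, recs in groups.items():
        recs.sort(key=lambda r: r["ts"])
        ids = [r["ipid"] for r in recs]
        span = (recs[-1]["ts"] - recs[0]["ts"]).total_seconds()
        if key[2] == 1:
            what = ICMP_NAMES.get(key[3], f"type {key[3]}") + f"/code {key[4]}"
        else:
            what = f"port {key[3]} -> {key[4]}"
        report[key] = {
            "count": len(recs),
            "span_s": span,
            "mean_gap_s": span / (len(recs) - 1) if len(recs) > 1 else None,
            "ttls": sorted({r["ttl"] for r in recs}),
            "src_private": recs[0]["src_private"],
            "fragments": sum(r["is_fragment"] for r in recs),
            # strictly increasing IP IDs across all packets = one host with one ID counter
            "ipid_sequential": all(x < y for x, y in zip(ids, ids[1:])),
            "what": what,
        }
    return report


# First seven lines: copied from the post. Last line: constructed for this example (MF bit set).
SAMPLE_LOG = """\
Oct 12 18:45:15 leeloo kernel: Packet log: inp DENY eth0 PROTO=1 192.168.2.41:11 213.11.63.10:0 L=56 S=0xC0 I=48891 F=0x0000 T=237 (#25)
Oct 12 18:45:18 leeloo kernel: Packet log: inp DENY eth0 PROTO=1 192.168.2.41:11 213.11.63.10:0 L=56 S=0xC0 I=48895 F=0x0000 T=237 (#25)
Oct 12 18:45:20 leeloo kernel: Packet log: inp DENY eth0 PROTO=1 192.168.2.41:11 213.11.63.10:0 L=56 S=0xC0 I=48907 F=0x0000 T=237 (#25)
Oct 12 18:45:21 leeloo kernel: Packet log: inp DENY eth0 PROTO=1 192.168.2.41:11 213.11.63.10:0 L=56 S=0xC0 I=48908 F=0x0000 T=237 (#25)
Oct 12 18:45:29 leeloo kernel: Packet log: inp DENY eth0 PROTO=1 192.168.2.41:11 213.11.63.10:0 L=56 S=0xC0 I=48929 F=0x0000 T=237 (#25)
Oct 12 18:45:33 leeloo kernel: Packet log: inp DENY eth0 PROTO=1 192.168.2.41:11 213.11.63.10:0 L=56 S=0xC0 I=48933 F=0x0000 T=237 (#25)
Oct 12 18:45:41 leeloo kernel: Packet log: inp DENY eth0 PROTO=1 192.168.2.41:11 213.11.63.10:0 L=56 S=0xC0 I=48950 F=0x0000 T=237 (#25)
Oct 12 18:46:02 leeloo kernel: Packet log: inp DENY eth0 PROTO=1 192.168.2.33:11 213.11.63.20:0 L=56 S=0xC0 I=1201 F=0x2000 T=240 (#25)
""".splitlines()

if __name__ == "__main__":
    for (src, dst, proto, _, _), s in summarize(SAMPLE_LOG).items():
        print(f"{src} -> {dst} proto {proto} {s['what']}: {s['count']} pkts over {s['span_s']:.0f}s, "
              f"mean gap {s['mean_gap_s']}, ttl {s['ttls']}, private src {s['src_private']}, "
              f"fragments {s['fragments']}, sequential IP IDs {s['ipid_sequential']}")
```

Run against the post's own lines it reports one group, 192.168.2.41 -> 213.11.63.10 ICMP time exceeded/code 0, seven packets over 26 seconds (a mean gap of about 4.3 s), a constant TTL of 237, a private source, no fragments and strictly increasing IP IDs. Note that ipchains logs only the outer IP header, so the quoted datagram inside the ICMP error (which says what the DNS host originally sent) is not available here; a `tcpdump -v` capture is needed for that.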

