I'm being pwned here

Postby X11 » Sun Dec 14, 2003 9:37 am

I am currently being semi-flooded by a DDoS attack (ICMP is coming from everywhere). Yet the attack is too pissy to hardly affect me; maybe it will get worse.

Shorewall:net2all:DROP:IN=ppp0 OUT= MAC= SRC=67.61.46.250 DST=203.213.97.57 LEN=92 TOS=0x00 PREC=0x00 TTL=113 ID=22244 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=54388
Shorewall:net2all:DROP:IN=ppp0 OUT= MAC= SRC=212.101.17.181 DST=203.213.97.57 LEN=92 TOS=0x00 PREC=0x00 TTL=114 ID=42433 PROTO=ICMP TYPE=8 CODE=0 ID=256 SEQ=32127
Shorewall:net2all:DROP:IN=ppp0 OUT= MAC= SRC=65.216.100.4 DST=203.213.97.57 LEN=92 TOS=0x00 PREC=0x00 TTL=110 ID=9723 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=29176
Shorewall:net2all:DROP:IN=ppp0 OUT= MAC= SRC=141.150.202.205 DST=203.213.97.57 LEN=92 TOS=0x00 PREC=0x00 TTL=113 ID=19345 PROTO=ICMP TYPE=8 CODE=0 ID=768 SEQ=8424
Shorewall:net2all:DROP:IN=ppp0 OUT= MAC= SRC=24.93.8.71 DST=203.213.97.57 LEN=92 TOS=0x00 PREC=0x00 TTL=110 ID=60342 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=33183
Shorewall:net2all:DROP:IN=ppp0 OUT= MAC= SRC=4.41.187.239 DST=203.213.97.57 LEN=92 TOS=0x00 PREC=0x00 TTL=115 ID=56518 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=43833
Shorewall:net2all:DROP:IN=ppp0 OUT= MAC= SRC=203.213.103.128 DST=203.213.97.57 LEN=92 TOS=0x00 PREC=0x00 TTL=125 ID=25022 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=55648
Shorewall:net2all:DROP:IN=ppp0 OUT= MAC= SRC=221.190.180.15 DST=203.213.97.57 LEN=92 TOS=0x00 PREC=0x00 TTL=112 ID=35304 PROTO=ICMP TYPE=8 CODE=0 ID=256 SEQ=60140
X11
guru
Posts: 674
Joined: Sun Jan 19, 2003 11:09 pm
Location: Australia
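An added example, not code from the thread: a small Python detector that parses the Shorewall/netfilter drop lines quoted above and flags the pattern Void Main points at in the next post (fixed 92-byte ICMP echo requests arriving from many unrelated sources, which is what a scanning worm looks like rather than a single flooder). The sample log embeds five of the quoted lines plus one constructed TCP drop line so the filter has something to ignore; the threshold of three distinct sources is an arbitrary choice for the demo.

```python
import re
from collections import Counter

# Constructed sample log: five of the Shorewall/netfilter drop lines quoted in the post,
# plus one ordinary dropped TCP SYN (constructed) that the signature must not match.
SAMPLE_LOG = """\
Shorewall:net2all:DROP:IN=ppp0 OUT= MAC= SRC=67.61.46.250 DST=203.213.97.57 LEN=92 TOS=0x00 PREC=0x00 TTL=113 ID=22244 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=54388
Shorewall:net2all:DROP:IN=ppp0 OUT= MAC= SRC=212.101.17.181 DST=203.213.97.57 LEN=92 TOS=0x00 PREC=0x00 TTL=114 ID=42433 PROTO=ICMP TYPE=8 CODE=0 ID=256 SEQ=32127
Shorewall:net2all:DROP:IN=ppp0 OUT= MAC= SRC=65.216.100.4 DST=203.213.97.57 LEN=92 TOS=0x00 PREC=0x00 TTL=110 ID=9723 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=29176
Shorewall:net2all:DROP:IN=ppp0 OUT= MAC= SRC=141.150.202.205 DST=203.213.97.57 LEN=92 TOS=0x00 PREC=0x00 TTL=113 ID=19345 PROTO=ICMP TYPE=8 CODE=0 ID=768 SEQ=8424
Shorewall:net2all:DROP:IN=ppp0 OUT= MAC= SRC=24.93.8.71 DST=203.213.97.57 LEN=92 TOS=0x00 PREC=0x00 TTL=110 ID=60342 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=33183
Shorewall:net2all:DROP:IN=ppp0 OUT= MAC= SRC=198.51.100.7 DST=203.213.97.57 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1 DF PROTO=TCP SPT=40000 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
"""

# Every KEY=VALUE token the kernel LOG target prints (flags such as DF or SYN carry no '=').
KV_RE = re.compile(r"([A-Z]+)=(\S*)")


def parse_netfilter_line(line):
    """Turn one netfilter LOG line into a dict of its KEY=VALUE fields.

    The kernel prints ID= twice for ICMP (IP header ID, then ICMP echo ID); the
    first occurrence is kept under 'ID' and the second under 'ICMP_ID'.
    Returns None for lines that carry no SRC= field.
    """
    fields = {}
    for key, value in KV_RE.findall(line):
        if key in fields:
            key = "ICMP_ID" if key == "ID" else key + "_2"
        fields[key] = value
    return fields if "SRC" in fields else None


def is_nachi_like(fields):
    """The signature discussed in the thread: ICMP echo request in a 92-byte IP datagram."""
    return (fields.get("PROTO") == "ICMP"
            and fields.get("TYPE") == "8"
            and fields.get("LEN") == "92")


def summarize(log_text, min_sources=3):
    """Count matching probes per source address.

    Many distinct sources all sending the same fixed-size echo request is the
    footprint of a scanning worm rather than of one attacker pinging you.
    """
    per_source = Counter()
    for line in log_text.splitlines():
        fields = parse_netfilter_line(line)
        if fields and is_nachi_like(fields):
            per_source[fields["SRC"]] += 1
    return {
        "matching_packets": sum(per_source.values()),
        "distinct_sources": len(per_source),
        "worm_like": len(per_source) >= min_sources,
        "sources": per_source,
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    print(f"{report['matching_packets']} Nachi-like probes from "
          f"{report['distinct_sources']} sources; worm_like={report['worm_like']}")
    for src, n in report["sources"].most_common():
        print(f"  {src:16} {n}")
```

Run it against a real `/var/log/messages` by reading the file into `summarize()`; the per-source counter is what tells a worm scan (one probe from each of many hosts) apart from a targeted flood (many probes from few hosts).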

Postby Void Main » Sun Dec 14, 2003 9:48 am

That looks like the Nachi virus to me. If I recall, one of the signatures of Nachi is 92-byte ICMP packets. If you were running Snort it probably would have told you right off.
Void Main
Site Admin
Posts: 5705
Joined: Wed Jan 08, 2003 5:24 am
Location: Tuxville, USA

Postby X11 » Sun Dec 14, 2003 9:54 am

I have been running Ethereal since I noticed the attack.

I thought it might be a worm; only some strange form of moron would attack me with 92 bytes per minute.

It's getting worse, and affecting me noticeably now.

Postby Void Main » Sun Dec 14, 2003 10:08 am


Postby X11 » Sun Dec 14, 2003 11:15 am

I'm gonna have to install Snort.

Postby Void Main » Sun Dec 14, 2003 11:25 am

Well, short of that, to rectify your current situation you could:

# Drop any forwarded ICMP datagram whose total length is exactly 92 bytes (the Nachi ping size)
iptables -A FORWARD -p icmp -m length --length 92 -j DROP

That comes from the link in my last post.

Postby X11 » Sun Dec 14, 2003 11:50 am

I turned ICMP off a long time ago; I don't need it.

Postby Void Main » Sun Dec 14, 2003 12:20 pm

Yes you do.

Postby X11 » Sun Dec 14, 2003 12:21 pm

Uhm, why's that?

Postby Void Main » Sun Dec 14, 2003 1:00 pm

I should have said that you will likely see strange problems sooner or later if you block all ICMP. You will surely at some point run into certain sites that you will not be able to communicate with at all and you may think that the remote site is down when in fact it's not down.

ICMP performs functions like determining whether the packets going to/from your machine need to be fragmented or not. If the remote end is running larger frame sizes than you (MTU or Maximum Transmission Unit) and your machine can't tell the routers in between that your MTU is only 1500 then the remote site will/may assume that you are capable of the larger frame sizes.

You will run into this if the remote site is running Token Ring, ATM, etc. and you are on Ethernet and the DF (don't fragment) bit is set in the packets. Of course this is just one example of a problem that you can have by blocking all ICMP; there are other reasons.

I'm not saying that you should leave ICMP wide open, in fact I would recommend blocking some of it, just that you shouldn't block it completely. It may take a little research to determine exactly what ICMP you should and shouldn't block.
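An added example, written here to illustrate Void Main's point and not part of the thread: a simplified Python model of path MTU discovery. A host sends DF datagrams along a path whose smallest link is narrower than its own MTU; a router drops the oversized packet and answers with ICMP "fragmentation needed" (type 3, code 4). A host whose firewall lets that message in lowers its path MTU and the transfer completes on the next try; a host that drops all ICMP never learns, every retransmission vanishes the same way, and the remote end looks "down". The link MTUs, the four-attempt limit and the host names are constructed for the demo.

```python
from dataclasses import dataclass, field

# ICMP message the path router returns when a DF datagram exceeds the next-hop MTU.
FRAG_NEEDED = (3, 4)  # type 3 (destination unreachable), code 4 (fragmentation needed)


@dataclass
class Host:
    name: str
    mtu: int                      # MTU of the host's own link
    accept_frag_needed: bool      # does the firewall let ICMP type 3 / code 4 in?
    pmtu: dict = field(default_factory=dict)  # learned path MTU per destination


def send_df(host, dest, path_mtus, payload):
    """Try to deliver one DF datagram of `payload` bytes over a path of link MTUs.

    Returns ('delivered', size), ('adjusted', new_pmtu) when the host learned a
    smaller path MTU from ICMP, or ('blackholed', bottleneck) when the ICMP
    reply was dropped at the host's own firewall and nothing was learned.
    """
    size = min(payload, host.pmtu.get(dest, host.mtu))
    bottleneck = min(path_mtus)
    if size <= bottleneck:
        return ("delivered", size)
    # A router on the path drops the oversized DF packet and emits
    # FRAG_NEEDED carrying its next-hop MTU; only the sender can act on it.
    icmp_type_code = FRAG_NEEDED
    if host.accept_frag_needed and icmp_type_code == FRAG_NEEDED:
        host.pmtu[dest] = bottleneck
        return ("adjusted", bottleneck)
    return ("blackholed", bottleneck)


def transfer(host, dest, path_mtus, payload, max_attempts=4):
    """Retransmit until delivered or the attempt budget runs out.

    Returns ('ok', attempts_used) or ('hung', max_attempts). A 'hung' result is
    the symptom described in the thread: the remote site seems unreachable
    even though it is up.
    """
    for attempt in range(1, max_attempts + 1):
        outcome, _ = send_df(host, dest, path_mtus, payload)
        if outcome == "delivered":
            return ("ok", attempt)
    return ("hung", max_attempts)


# Constructed path: Ethernet at both ends with a narrower PPPoE-style hop in between.
PATH = [1500, 1492, 1500]

if __name__ == "__main__":
    for host in (Host("selective-icmp", 1500, accept_frag_needed=True),
                 Host("all-icmp-dropped", 1500, accept_frag_needed=False)):
        print(host.name, transfer(host, "remote", PATH, payload=1500),
              "learned pmtu:", host.pmtu)
```

Only the big-packet case hangs: small datagrams fit through the bottleneck on the first try for both hosts, which is exactly why a selectively-blocked setup can look fine for a long time and then fail on one particular site or one particular transfer.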

Postby X11 » Sun Dec 14, 2003 7:49 pm

I haven't had any problems; this may be because of my ISP's invisible proxy for HTTP.

However, I have noticed trouble with some IRC networks, which could be related. But my ISP proxies that as well, I think now.

If I have problems I'll enable it.
