I'm being pwned here

X11
guru
Posts: 676
Joined: Sun Jan 19, 2003 11:09 pm
Location: Australia

Post by X11 »

I am currently being semi-flooded by a DDoS attack (ICMP is coming from everywhere). Yet the attack is too pissy to hardly affect me; maybe it will get worse.

Shorewall:net2all:DROP:IN=ppp0 OUT= MAC= SRC=67.61.46.250 DST=203.213.97.57 LEN=92 TOS=0x00 PREC=0x00 TTL=113 ID=22244 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=54388
Shorewall:net2all:DROP:IN=ppp0 OUT= MAC= SRC=212.101.17.181 DST=203.213.97.57 LEN=92 TOS=0x00 PREC=0x00 TTL=114 ID=42433 PROTO=ICMP TYPE=8 CODE=0 ID=256 SEQ=32127
Shorewall:net2all:DROP:IN=ppp0 OUT= MAC= SRC=65.216.100.4 DST=203.213.97.57 LEN=92 TOS=0x00 PREC=0x00 TTL=110 ID=9723 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=29176
Shorewall:net2all:DROP:IN=ppp0 OUT= MAC= SRC=141.150.202.205 DST=203.213.97.57 LEN=92 TOS=0x00 PREC=0x00 TTL=113 ID=19345 PROTO=ICMP TYPE=8 CODE=0 ID=768 SEQ=8424
Shorewall:net2all:DROP:IN=ppp0 OUT= MAC= SRC=24.93.8.71 DST=203.213.97.57 LEN=92 TOS=0x00 PREC=0x00 TTL=110 ID=60342 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=33183
Shorewall:net2all:DROP:IN=ppp0 OUT= MAC= SRC=4.41.187.239 DST=203.213.97.57 LEN=92 TOS=0x00 PREC=0x00 TTL=115 ID=56518 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=43833
Shorewall:net2all:DROP:IN=ppp0 OUT= MAC= SRC=203.213.103.128 DST=203.213.97.57 LEN=92 TOS=0x00 PREC=0x00 TTL=125 ID=25022 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=55648
Shorewall:net2all:DROP:IN=ppp0 OUT= MAC= SRC=221.190.180.15 DST=203.213.97.57 LEN=92 TOS=0x00 PREC=0x00 TTL=112 ID=35304 PROTO=ICMP TYPE=8 CODE=0 ID=256 SEQ=60140

Void Main
Site Admin
Posts: 5716
Joined: Wed Jan 08, 2003 5:24 am
Location: Tuxville, USA

Post by Void Main »

That looks like the Nachi virus to me. If I recall, one of the signatures of Nachi is 92-byte ICMP packets. If you were running Snort it probably would have told you right off.

X11

Post by X11 »

I have been running Ethereal since I noticed the attack.

I thought it might be a worm; only some strange form of moron would attack me with 92 bytes per minute.

It's getting worse, and affecting me noticeably now.

Void Main

Post by Void Main »


X11

Post by X11 »

I'm gonna have to install Snort.

Void Main

Post by Void Main »

Well, short of that, to rectify your current situation you could:

Code:

# Drops ICMP whose total IP length is 92 bytes (the LEN=92 in X11's log). That log shows IN=ppp0 with an empty OUT=, i.e. packets addressed to the host itself, which traverse the INPUT chain; FORWARD only catches traffic routed through the box.
iptables -A FORWARD -p icmp -m length --length 92 -j DROP
That comes from the link in my last post.

X11

Post by X11 »

I turned ICMP off a long time ago; I don't need it.

Void Main

Post by Void Main »

Yes you do.

X11

Post by X11 »

Uhm, why's that?

Void Main

Post by Void Main »

I should have said that you will likely see strange problems sooner or later if you block all ICMP. You will surely at some point run into certain sites that you will not be able to communicate with at all and you may think that the remote site is down when in fact it's not down.

ICMP performs functions like determining whether the packets going to/from your machine need to be fragmented or not. If the remote end is running larger frame sizes than you (MTU or Maximum Transmission Unit) and your machine can't tell the routers in between that your MTU is only 1500 then the remote site will/may assume that you are capable of the larger frame sizes.

You will run into this if the remote site is running Token Ring, ATM, etc. and you are on Ethernet and the DF (don't fragment) bit is set in the packets. Of course this is just one example of a problem that you can have by blocking all ICMP; there are other reasons.

I'm not saying that you should leave ICMP wide open, in fact I would recommend blocking some of it, just that you shouldn't block it completely. It may take a little research to determine exactly what ICMP you should and shouldn't block.
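
The two checks this thread turns on, the 92-byte echo-request signature Void Main describes in his first reply and the ICMP a host must not drop if path-MTU discovery is to keep working, in one script. This is an added example, not code from the thread or from Shorewall: it parses Shorewall/netfilter DROP lines of the kind X11 posted, counts 92-byte echo requests per source address, and reports dropped ICMP messages that the policy says the host actually needed. The sample log lines are constructed, and ICMP_POLICY, the function names and the rendered iptables rules are this example's assumptions rather than anything stated in the thread.

```python
import re
from collections import Counter

# Constructed sample of Shorewall/netfilter log lines (documentation addresses,
# nothing captured from a real box). The first four mimic the 92-byte echo
# requests in the thread, the 84-byte one is an ordinary Linux ping, and the
# last two are ICMP error messages a host needs for path-MTU discovery and
# traceroute. The bracketed part of an error message is a copy of the
# offending packet's header and carries its own SRC/DST/LEN fields.
SAMPLE_LOG = """\
Shorewall:net2all:DROP:IN=ppp0 OUT= MAC= SRC=192.0.2.10 DST=198.51.100.7 LEN=92 TOS=0x00 PREC=0x00 TTL=113 ID=22244 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=54388
Shorewall:net2all:DROP:IN=ppp0 OUT= MAC= SRC=192.0.2.11 DST=198.51.100.7 LEN=92 TOS=0x00 PREC=0x00 TTL=114 ID=42433 PROTO=ICMP TYPE=8 CODE=0 ID=256 SEQ=32127
Shorewall:net2all:DROP:IN=ppp0 OUT= MAC= SRC=192.0.2.12 DST=198.51.100.7 LEN=92 TOS=0x00 PREC=0x00 TTL=110 ID=9723 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=29176
Shorewall:net2all:DROP:IN=ppp0 OUT= MAC= SRC=192.0.2.10 DST=198.51.100.7 LEN=92 TOS=0x00 PREC=0x00 TTL=113 ID=22245 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=54389
Shorewall:net2all:DROP:IN=ppp0 OUT= MAC= SRC=203.0.113.5 DST=198.51.100.7 LEN=84 TOS=0x00 PREC=0x00 TTL=52 ID=100 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1
Shorewall:net2all:DROP:IN=ppp0 OUT= MAC= SRC=203.0.113.1 DST=198.51.100.7 LEN=56 TOS=0xc0 PREC=0xc0 TTL=250 ID=0 PROTO=ICMP TYPE=3 CODE=4 [SRC=198.51.100.7 DST=203.0.113.9 LEN=1500 DF PROTO=TCP SPT=2049 DPT=80 ] MTU=576
Shorewall:net2all:DROP:IN=ppp0 OUT= MAC= SRC=203.0.113.2 DST=198.51.100.7 LEN=56 TOS=0xc0 PREC=0xc0 TTL=250 ID=0 PROTO=ICMP TYPE=11 CODE=0 [SRC=198.51.100.7 DST=203.0.113.9 LEN=60 PROTO=UDP SPT=33434 DPT=33435 ]
"""

FIELD_RE = re.compile(r"(\w+)=(\S*)")

# Assumed minimal ICMP policy (this example's, not the thread's): anything not
# listed is dropped. Keys are (ICMP type, code) as they appear in the log,
# values are (verdict, iptables --icmp-type name).
ICMP_POLICY = {
    ("3", "4"): ("allow", "fragmentation-needed"),  # path-MTU discovery
    ("11", "0"): ("allow", "time-exceeded"),        # traceroute, TTL expiry
    ("0", "0"): ("allow", "echo-reply"),            # answers to our own pings
    ("8", "0"): ("limit", "echo-request"),          # answer pings, rate-limited
}


def parse_netfilter_line(line):
    """Return the outer KEY=VALUE fields of one netfilter/Shorewall log line.

    ICMP errors embed the triggering packet's header in [...]; cut it out so
    its inner SRC/DST/LEN do not overwrite the outer ones, but keep whatever
    follows the closing bracket (e.g. MTU=576 on a fragmentation-needed).
    """
    head, _, rest = line.partition("[")
    _, _, tail = rest.partition("]")
    fields = {}
    for key, value in FIELD_RE.findall(head + " " + tail):
        # echo lines carry ID= twice (IP ID, then ICMP echo ID); keep the first
        fields.setdefault(key, value)
    return fields


def is_nachi_ping(fields):
    """The signature from the thread: an ICMP echo request (TYPE=8) whose
    total IP length is 92 bytes. The log shows no payload, so this is the
    weak form of the check: a default Linux ping is 84 bytes and a Windows
    ping 60, so 92 stands out, but any ping with 64 bytes of data matches."""
    return (fields.get("PROTO") == "ICMP"
            and fields.get("TYPE") == "8"
            and fields.get("LEN") == "92")


def verdict_for(fields):
    """Policy verdict ('allow', 'limit' or 'drop') for one ICMP log line."""
    entry = ICMP_POLICY.get((fields.get("TYPE"), fields.get("CODE")))
    return entry[0] if entry else "drop"


def audit_icmp_drops(log_text):
    """Scan dropped-ICMP log lines. Returns a Counter of sources sending
    92-byte echo requests and a list of (src, type, code, mtu) tuples for
    dropped messages the policy says this host should have accepted."""
    nachi_sources = Counter()
    needed_but_dropped = []
    for line in log_text.splitlines():
        f = parse_netfilter_line(line)
        if f.get("PROTO") != "ICMP":
            continue  # non-ICMP drops are not this audit's business
        if is_nachi_ping(f):
            nachi_sources[f["SRC"]] += 1
        elif verdict_for(f) == "allow":
            needed_but_dropped.append((f["SRC"], f["TYPE"], f["CODE"], f.get("MTU")))
    return nachi_sources, needed_but_dropped


def render_iptables_rules(chain="INPUT"):
    """Render the policy as iptables commands. INPUT is the chain for packets
    addressed to the firewall itself (the thread's log shows IN=ppp0 with an
    empty OUT=); use FORWARD for traffic routed through it."""
    rules = [
        # the thread's length rule, narrowed to echo requests so that 92-byte
        # ICMP error messages are not dropped by accident
        f"iptables -A {chain} -p icmp --icmp-type echo-request"
        f" -m length --length 92 -j DROP",
    ]
    for verdict, name in ICMP_POLICY.values():
        if verdict == "allow":
            rules.append(f"iptables -A {chain} -p icmp --icmp-type {name} -j ACCEPT")
        elif verdict == "limit":
            rules.append(f"iptables -A {chain} -p icmp --icmp-type {name}"
                         f" -m limit --limit 5/s -j ACCEPT")
    rules.append(f"iptables -A {chain} -p icmp -j DROP")  # everything else
    return rules


if __name__ == "__main__":
    sources, needed = audit_icmp_drops(SAMPLE_LOG)
    print("92-byte echo requests by source:", dict(sources))
    print("needed ICMP that was dropped (src, type, code, mtu):", needed)
    print("\n".join(render_iptables_rules()))
```

To run it against a real box, feed the whole syslog file to audit_icmp_drops (e.g. the contents of /var/log/messages, path assumed); lines without PROTO=ICMP are skipped. A non-empty second result means the firewall is discarding fragmentation-needed or time-exceeded messages, which is exactly the blackhole Void Main warns about, and the per-source counter tells you whether the 92-byte pings come from a few hosts or from everywhere, as a worm would.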

X11

Post by X11 »

I haven't had any problems; this may be because of my ISP's invisible proxy for HTTP.

However, I have noticed trouble with some IRC networks, which could be related. But my ISP proxies that as well, I think, now.

If I have problems I'll enable it.
