Hi,

I had sent email to the list before with the firewall denying the icmp request coming from 10.14.9.254 to my internet address. However for the last 30 minutes or more this has become a real pain and it's like DOS as I cannot visit websites nor can do ftp downloads and the mail traffic has become extremely slow.

This is the same log I sent to the ISP (can't say they are helpful yet)

1) What can I do to minimize the effect?
2) Sorry for a basic question but how would I capture the packets coming from the adsl line (pppoe) will it be eth0 or ppp0 and since I only want to get this ip and this protocol related thing what would be the syntax (I know I need to RTFM but a hint will be helpful also)

Thx
-- Togan Muftuoglu

Security Violations
=-=-=-=-=-=-=-=-=-=
Aug 23 11:29:29 gardiyan kernel: Packet log: input DENY ppp0 PROTO=1 10.14.9.254:3 212.156.197.226:1 L=56 S=0x00 I=38076 F=0x0000 T=254 (#3)
Aug 23 11:31:11 gardiyan kernel: Packet log: input DENY ppp0 PROTO=1 10.14.9.254:3 212.156.197.226:1 L=56 S=0x00 I=60371 F=0x0000 T=254 (#3)
Aug 23 11:32:43 gardiyan kernel: Packet log: input DENY ppp0 PROTO=1 10.14.9.254:3 212.156.197.226:1 L=56 S=0x00 I=23903 F=0x0000 T=254 (#3)
Aug 23 11:33:45 gardiyan kernel: Packet log: input DENY ppp0 PROTO=1 10.14.9.254:3 212.156.197.226:1 L=56 S=0x00 I=23903 F=0x0000 T=254 (#3)
Aug 23 11:35:04 gardiyan kernel: Packet log: input DENY ppp0 PROTO=1 10.14.9.254:3 212.156.197.226:1 L=56 S=0x00 I=22055 F=0x0000 T=254 (#3)
Aug 23 11:36:08 gardiyan kernel: Packet log: input DENY ppp0 PROTO=1 10.14.9.254:3 212.156.197.226:1 L=56 S=0x00 I=22055 F=0x0000 T=254 (#3)
Aug 23 11:36:23 gardiyan kernel: Packet log: input DENY ppp0 PROTO=1 10.14.9.254:3 212.156.197.226:1 L=56 S=0x00 I=22055 F=0x0000 T=254 (#3)
Aug 23 11:39:07 gardiyan kernel: Packet log: input DENY ppp0 PROTO=1 10.14.9.254:3 212.156.197.226:1 L=56 S=0x00 I=22055 F=0x0000 T=254 (#3)
Aug 23 11:40:02 gardiyan kernel: Packet log: input DENY ppp0 PROTO=1 10.14.9.254:3 212.156.197.226:1 L=56 S=0x00 I=22055 F=0x0000 T=254 (#3)
Aug 23 11:40:12 gardiyan kernel: Packet log: input DENY ppp0 PROTO=1 10.14.9.254:3 212.156.197.226:1 L=56 S=0x00 I=22055 F=0x0000 T=254 (#3)
Aug 23 11:41:46 gardiyan su: (to root) toganm on /dev/pts/0
Aug 23 11:43:17 gardiyan kernel: Packet log: input DENY ppp0 PROTO=1 10.14.9.254:3 212.156.197.226:1 L=56 S=0x00 I=63763 F=0x0000 T=254 (#3)
Aug 23 11:44:31 gardiyan kernel: Packet log: input DENY ppp0 PROTO=1 10.14.9.254:3 212.156.197.226:1 L=56 S=0x00 I=46773 F=0x0000 T=254 (#3)
Aug 23 11:45:40 gardiyan kernel: Packet log: input DENY ppp0 PROTO=1 10.14.9.254:3 212.156.197.226:1 L=56 S=0x00 I=46773 F=0x0000 T=254 (#3)
Aug 23 11:46:01 gardiyan kernel: Packet log: input DENY ppp0 PROTO=1 10.14.9.254:3 212.156.197.226:1 L=56 S=0x00 I=46773 F=0x0000 T=254 (#3)
Aug 23 11:46:22 gardiyan kernel: Packet log: input DENY ppp0 PROTO=1 10.14.9.254:3 212.156.197.226:1 L=56 S=0x00 I=29599 F=0x0000 T=254 (#3)
Aug 23 11:47:17 gardiyan kernel: Packet log: input DENY ppp0 PROTO=1 10.14.9.254:3 212.156.197.226:1 L=56 S=0x00 I=29599 F=0x0000 T=254 (#3)
Aug 23 11:47:34 gardiyan pppoe[225]: Bad TCP checksum cc27
Aug 23 11:47:36 gardiyan kernel: Packet log: input DENY ppp0 PROTO=1 10.14.9.254:3 212.156.197.226:1 L=56 S=0x00 I=33275 F=0x0000 T=254 (#3)
Aug 23 11:48:18 gardiyan pppoe[225]: Bad TCP checksum 47a4
Aug 23 11:48:21 gardiyan kernel: Packet log: input DENY ppp0 PROTO=1 10.14.9.254:3 212.156.197.226:1 L=56 S=0x00 I=33275 F=0x0000 T=254 (#3)
Aug 23 11:54:18 gardiyan kernel: Packet log: input DENY ppp0 PROTO=1 10.14.9.254:3 212.156.197.226:1 L=56 S=0x00 I=33275 F=0x0000 T=254 (#3)
Aug 23 11:59:18 gardiyan kernel: Packet log: input DENY ppp0 PROTO=1 10.14.9.254:3 212.156.197.226:1 L=56 S=0x00 I=33275 F=0x0000 T=254 (#3)

Unusual System Events
=-=-=-=-=-=-=-=-=-=-=
Aug 23 11:20:27 gardiyan sshd[9235]: Accepted publickey for toganm from 192.168.1.3 port 1896 ssh2
Aug 23 11:21:11 gardiyan sudo: toganm : TTY=pts/0 ; PWD=/home/toganm ; USER=root ; COMMAND=/usr/sbin/tc qdisc add dev eth0 handle ffff:0 ingress
Aug 23 11:29:29 gardiyan kernel: Packet log: input DENY ppp0 PROTO=1 10.14.9.254:3 212.156.197.226:1 L=56 S=0x00 I=38076 F=0x0000 T=254 (#3)
Aug 23 11:31:11 gardiyan kernel: Packet log: input DENY ppp0 PROTO=1 10.14.9.254:3 212.156.197.226:1 L=56 S=0x00 I=60371 F=0x0000 T=254 (#3)
Aug 23 11:31:49 gardiyan last message repeated 9 times
Aug 23 11:32:43 gardiyan kernel: Packet log: input DENY ppp0 PROTO=1 10.14.9.254:3 212.156.197.226:1 L=56 S=0x00 I=23903 F=0x0000 T=254 (#3)
Aug 23 11:33:18 gardiyan sshd[9277]: Accepted publickey for toganm from 192.168.1.3 port 1968 ssh2
Aug 23 11:33:29 gardiyan sudo: toganm : TTY=pts/0 ; PWD=/home/toganm ; USER=root ; COMMAND=/usr/bin/tail -f /var/log/firewall
Aug 23 11:33:45 gardiyan kernel: Packet log: input DENY ppp0 PROTO=1 10.14.9.254:3 212.156.197.226:1 L=56 S=0x00 I=23903 F=0x0000 T=254 (#3)
Aug 23 11:34:54 gardiyan last message repeated 2 times
Aug 23 11:35:04 gardiyan kernel: Packet log: input DENY ppp0 PROTO=1 10.14.9.254:3 212.156.197.226:1 L=56 S=0x00 I=22055 F=0x0000 T=254 (#3)
Aug 23 11:36:08 gardiyan kernel: Packet log: input DENY ppp0 PROTO=1 10.14.9.254:3 212.156.197.226:1 L=56 S=0x00 I=22055 F=0x0000 T=254 (#3)
Aug 23 11:36:23 gardiyan kernel: Packet log: input DENY ppp0 PROTO=1 10.14.9.254:3 212.156.197.226:1 L=56 S=0x00 I=22055 F=0x0000 T=254 (#3)
Aug 23 11:36:51 gardiyan sudo: toganm : TTY=pts/0 ; PWD=/home/toganm ; USER=root ; COMMAND=/sbin/ipchains -I -p icmp -s 10.14.9.254 3 -d 212.156.197.226 1 -j ACCEPT -l
Aug 23 11:37:32 gardiyan sudo: toganm : TTY=pts/0 ; PWD=/home/toganm ; USER=root ; COMMAND=/sbin/ipchains -I input -p icmp -s 10.14.9.254 3 -d 212.156.197.226 1 -j ACCEPT -l
Aug 23 11:37:37 gardiyan kernel: Packet log: input ACCEPT ppp0 PROTO=1 10.14.9.254:3 212.156.197.226:1 L=56 S=0x00 I=22055 F=0x0000 T=254 (#1)
Aug 23 11:37:41 gardiyan sudo: toganm : TTY=pts/0 ; PWD=/home/toganm ; USER=root ; COMMAND=/usr/bin/tail -f /var/log/firewall
Aug 23 11:37:42 gardiyan kernel: Packet log: input ACCEPT ppp0 PROTO=1 10.14.9.254:3 212.156.197.226:1 L=56 S=0x00 I=22055 F=0x0000 T=254 (#1)
Aug 23 11:38:29 gardiyan last message repeated 2 times
Aug 23 11:38:50 gardiyan sudo: toganm : TTY=pts/0 ; PWD=/home/toganm ; USER=root ; COMMAND=/sbin/ipchains -D input -p icmp -s 10.14.9.254 3 -d 212.156.197.226 1 -j ACCEPT -l
Aug 23 11:39:07 gardiyan kernel: Packet log: input DENY ppp0 PROTO=1 10.14.9.254:3 212.156.197.226:1 L=56 S=0x00 I=22055 F=0x0000 T=254 (#3)
Aug 23 11:40:02 gardiyan kernel: Packet log: input DENY ppp0 PROTO=1 10.14.9.254:3 212.156.197.226:1 L=56 S=0x00 I=22055 F=0x0000 T=254 (#3)
Aug 23 11:40:09 gardiyan sshd[9295]: Accepted publickey for toganm from 192.168.1.3 port 1996 ssh2
Aug 23 11:40:12 gardiyan sudo: toganm : TTY=pts/0 ; PWD=/home/toganm ; USER=root ; COMMAND=/usr/bin/tail -f /var/log/firewall
Aug 23 11:40:12 gardiyan kernel: Packet log: input DENY ppp0 PROTO=1 10.14.9.254:3 212.156.197.226:1 L=56 S=0x00 I=22055 F=0x0000 T=254 (#3)
Aug 23 11:40:46 gardiyan last message repeated 2 times
Aug 23 11:41:31 gardiyan last message repeated 4 times
Aug 23 11:41:46 gardiyan su: (to root) toganm on /dev/pts/0
Aug 23 11:41:46 gardiyan PAM-unix2[9309]: session started for user root, service su
Aug 23 11:41:59 gardiyan PAM-unix2[9309]: session finished for user root, service su
Aug 23 11:42:01 gardiyan sudo: toganm : TTY=pts/0 ; PWD=/home/toganm ; USER=root ; COMMAND=/usr/bin/tail -f /var/log/firewall
Aug 23 11:43:17 gardiyan kernel: Packet log: input DENY ppp0 PROTO=1 10.14.9.254:3 212.156.197.226:1 L=56 S=0x00 I=63763 F=0x0000 T=254 (#3)
Aug 23 11:44:00 gardiyan last message repeated 5 times
Aug 23 11:44:26 gardiyan last message repeated 3 times
Aug 23 11:44:31 gardiyan kernel: Packet log: input DENY ppp0 PROTO=1 10.14.9.254:3 212.156.197.226:1 L=56 S=0x00 I=46773 F=0x0000 T=254 (#3)
Aug 23 11:44:31 gardiyan last message repeated 2 times
Aug 23 11:44:38 gardiyan sudo: toganm : TTY=pts/0 ; PWD=/home/toganm ; USER=root ; COMMAND=/usr/bin/tail -f /var/log/firewall
Aug 23 11:44:45 gardiyan sudo: toganm : TTY=pts/0 ; PWD=/home/toganm ; USER=root ; COMMAND=/usr/bin/tail -f /var/log/firewall
Aug 23 11:45:40 gardiyan kernel: Packet log: input DENY ppp0 PROTO=1 10.14.9.254:3 212.156.197.226:1 L=56 S=0x00 I=46773 F=0x0000 T=254 (#3)
Aug 23 11:46:01 gardiyan kernel: Packet log: input DENY ppp0 PROTO=1 10.14.9.254:3 212.156.197.226:1 L=56 S=0x00 I=46773 F=0x0000 T=254 (#3)
Aug 23 11:46:22 gardiyan kernel: Packet log: input DENY ppp0 PROTO=1 10.14.9.254:3 212.156.197.226:1 L=56 S=0x00 I=29599 F=0x0000 T=254 (#3)
Aug 23 11:47:04 gardiyan last message repeated 8 times
Aug 23 11:47:17 gardiyan kernel: Packet log: input DENY ppp0 PROTO=1 10.14.9.254:3 212.156.197.226:1 L=56 S=0x00 I=29599 F=0x0000 T=254 (#3)
Aug 23 11:47:32 gardiyan snort: spp_portscan: PORTSCAN DETECTED from 212.175.64.11 (STEALTH)
Aug 23 11:47:32 gardiyan snort: spp_portscan: portscan status from 64.28.67.21: 1 connections across 1 hosts: TCP(1), UDP(0) STEALTH
Aug 23 11:47:32 gardiyan snort: SCAN FIN [Classification: Attempted Information Leak Priority: 3]: 212.175.64.11:1828 -> 212.156.197.226:53
Aug 23 11:47:34 gardiyan pppoe[225]: Bad TCP checksum cc27
Aug 23 11:47:36 gardiyan kernel: Packet log: input DENY ppp0 PROTO=1 10.14.9.254:3 212.156.197.226:1 L=56 S=0x00 I=33275 F=0x0000 T=254 (#3)
Aug 23 11:47:46 gardiyan last message repeated 2 times
Aug 23 11:47:56 gardiyan snort: spp_portscan: End of portscan from 64.28.67.21: TOTAL time(0s) hosts(1) TCP(1) UDP(0) STEALTH
Aug 23 11:47:56 gardiyan snort: spp_portscan: portscan status from 212.175.64.11: 2 connections across 1 hosts: TCP(2), UDP(0) STEALTH
Aug 23 11:47:56 gardiyan snort: SCAN FIN [Classification: Attempted Information Leak Priority: 3]: 212.175.64.11:53 -> 212.156.197.226:1031
Aug 23 11:48:18 gardiyan pppoe[225]: Bad TCP checksum 47a4
Aug 23 11:48:21 gardiyan kernel: Packet log: input DENY ppp0 PROTO=1 10.14.9.254:3 212.156.197.226:1 L=56 S=0x00 I=33275 F=0x0000 T=254 (#3)
Aug 23 11:48:57 gardiyan last message repeated 2 times
Aug 23 11:50:10 gardiyan last message repeated 14 times
Aug 23 11:51:18 gardiyan last message repeated 3 times
Aug 23 11:52:23 gardiyan last message repeated 6 times
Aug 23 11:53:25 gardiyan last message repeated 5 times
Aug 23 11:54:18 gardiyan kernel: Packet log: input DENY ppp0 PROTO=1 10.14.9.254:3 212.156.197.226:1 L=56 S=0x00 I=33275 F=0x0000 T=254 (#3)
Aug 23 11:59:00 gardiyan /USR/SBIN/CRON[9344]: (root) CMD ( rm -f /var/spool/cron/lastrun/cron.hourly)
Aug 23 11:59:18 gardiyan kernel: Packet log: input DENY ppp0 PROTO=1 10.14.9.254:3 212.156.197.226:1 L=56 S=0x00 I=33275 F=0x0000 T=254 (#3)
Aug 23 11:59:49 gardiyan last message repeated 397 times

----- End forwarded message -----
From: Togan Muftuoglu [mailto:toganm@users.sourceforge.net]
> Security Violations
> =-=-=-=-=-=-=-=-=-=
> Aug 23 11:29:29 gardiyan kernel: Packet log: input DENY ppp0 PROTO=1 10.14.9.254:3 212.156.197.226:1 L=56 S=0x00 I=38076 F=0x0000 T=254 (#3)

Actually this looks more like a misconfigured NAT or a wrong route. 10.x.x.x is a private network. Which firewall scripts do you use? Marc's? AFAIK the script denies private traffic over a public interface.

Which IP space are you using internally? If your IP space is different from the one above, you might have to contact your ISP in order to tell them not to forward private traffic to your machine.

Regards, Andreas
* Andreas Achtzehn; <suse-security@achtzehn.2y.net> on 23 Aug, 2001 wrote:
> From: Togan Muftuoglu [mailto:toganm@users.sourceforge.net]
> > Security Violations
> > =-=-=-=-=-=-=-=-=-=
> > Aug 23 11:29:29 gardiyan kernel: Packet log: input DENY ppp0 PROTO=1 10.14.9.254:3 212.156.197.226:1 L=56 S=0x00 I=38076 F=0x0000 T=254 (#3)
>
> Actually this looks more like a misconfigured NAT or a wrong route. 10.x.x.x is a private network. Which firewall scripts do you use? Marc's? AFAIK the script denies private traffic over a public interface.

Like many others :-) as you can see I am in DENY mode also.

> Which IP space are you using internally? If your IP space is different from the one above, you might have to contact your ISP in order to tell them not to forward private traffic to your machine.

I have already and the support email address bounced back "quote full" so I need to do something from my end before they get their butt together. Any input on this side would be extremely helpful.

-- Togan Muftuoglu
From: Togan Muftuoglu [mailto:toganm@users.sourceforge.net]
> > I have already and the support email address bounced back "quote full" so I need to do
> > something from my end before they get their butt together. Any input on this side would
> > be extremely helpful

What about just removing the logging line for this deny? Search for a line in your ipchains or iptables that solely contains logging and the 10.0.0.0 subnet. Remove that one and you will be fine. Packets will still come over the line (unavoidable!) but you will not be bothered with them in your log file anymore.

Regards, Andreas
* Andreas Achtzehn; <suse-security@achtzehn.2y.net> on 23 Aug, 2001 wrote:

> line in your ipchains or iptables that solely contains logging and the 10.0.0.0 subnet. Remove that one and you will be fine. Packets will still come over the line (unavoidable!) but you will not be bothered

Hi Andreas,

Thx for the brilliant idea which solves my Disk DOS problem leaving the other one :-)

-- Togan Muftuoglu
From: Togan Muftuoglu [mailto:toganm@users.sourceforge.net]
> Thx for the brilliant idea which solves my Disk DOS problem leaving
> the other one :-)

Hi Togan!

I'm sorry to tell you, but there is no way of making the source of those packets not SEND their packets. The problem usually is the line between you and your ISP. If your ISP won't delete that route you will always get those packets. First problem will be to trace back to the origin of the packets. I presume that your ISP is the cause of trouble. A full support mailbox is usually a sign of a bad/busy ISP.

Right now the only thing I can do for you is helping you with making that packet shower as convenient as possible. It is a good idea to log the traffic that comes from that unknown origin for possible payment claims (you pay by traffic, don't you?).

By the way: the disk problem is a DoS problem (making a service as busy as possible in order to drive it useless for normal usage (it's difficult reading your logfiles right now, isn't it?)), the other problem is flooding your network, which is not a service and hence not DoS.

Regards, Andreas
Hi, On 23-Aug-01 Togan Muftuoglu wrote:
> Hi,
>
> I had sent email to the list before with the firewall denying the icmp request coming from 10.14.9.254 to my internet address
>
> However for the last 30 minutes or more this has become a real pain and it's like DOS as I cannot visit websites nor can do ftp downloads and the mail traffic has become extremely slow.
>
> This is the same log I sent to the ISP (can't say they are helpful yet)

The denied packets are ICMP type 3 code 1/3 (host/port unreachable). The ip 10.14.9.254 is an address from the private class A ip block (10.0.0.0 - 10.255.255.255/255.0.0.0), and due to the fact that the TTL of these packets is 254, the host/router which sends these packets is not far away from you I think. In this case (if no spoofing is involved), I suppose there's some kind of border router/point-of-presence of your ISP trying to tell your host that it/other hosts is/are not reachable. You should never block ICMP type 3 on your firewall since TCP sometimes relies on these error messages to work correctly.

> 1) What can I do to minimize the effect?

Close your connection, open your firewall to ICMP type 3, restart your pppoed, bring up the firewall again and look what happens... ;)

[...]

> Thx
>
> -- Togan Muftuoglu
>
> Security Violations
> =-=-=-=-=-=-=-=-=-=
> Aug 23 11:29:29 gardiyan kernel: Packet log: input DENY ppp0 PROTO=1 10.14.9.254:3 212.156.197.226:1 L=56 S=0x00 I=38076 F=0x0000 T=254 (#3)
> Aug 23 11:31:11 gardiyan kernel: Packet log: input DENY ppp0 PROTO=1 10.14.9.254:3 212.156.197.226:1 L=56 S=0x00 I=60371 F=0x0000 T=254 (#3)
> Aug 23 11:32:43 gardiyan kernel: Packet log: input DENY ppp0 PROTO=1 10.14.9.254:3 212.156.197.226:1 L=56 S=0x00 I=23903 F=0x0000 T=254 (#3)
> [...]
--- Boris Lorenz <bolo@lupa.de> System Security Admin *nix - *nux ---
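As an added example (not code from the thread or from any of its participants), a small Python triage script for the ipchains "Packet log:" lines quoted above: it decodes the ICMP type and code that sit in the port columns when PROTO=1, counts entries per source, and flags the two points Andreas and Boris make, a private source arriving on ppp0 and a dropped type 3 unreachable. The sample lines are constructed from the thread's own log; the TCP line and its field values are invented for the example.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample in the ipchains "Packet log:" syslog format quoted in the thread;
# for PROTO=1 (ICMP) the src:sport / dst:dport columns hold type:code. The last line
# is made up: a TCP packet from 212.175.64.11, the address snort flagged in the thread.
SAMPLE_LOG = """\
Aug 23 11:29:29 gardiyan kernel: Packet log: input DENY ppp0 PROTO=1 10.14.9.254:3 212.156.197.226:1 L=56 S=0x00 I=38076 F=0x0000 T=254 (#3)
Aug 23 11:31:11 gardiyan kernel: Packet log: input DENY ppp0 PROTO=1 10.14.9.254:3 212.156.197.226:1 L=56 S=0x00 I=60371 F=0x0000 T=254 (#3)
Aug 23 11:37:37 gardiyan kernel: Packet log: input ACCEPT ppp0 PROTO=1 10.14.9.254:3 212.156.197.226:1 L=56 S=0x00 I=22055 F=0x0000 T=254 (#1)
Aug 23 11:41:46 gardiyan su: (to root) toganm on /dev/pts/0
Aug 23 11:47:56 gardiyan kernel: Packet log: input DENY ppp0 PROTO=6 212.175.64.11:53 212.156.197.226:1031 L=40 S=0x00 I=7 F=0x0000 T=46 (#3)
"""

PACKET_LOG = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<action>\S+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) L=(?P<len>\d+) "
    r"S=0x[0-9a-fA-F]+ I=\d+ F=0x[0-9a-fA-F]+ T=(?P<ttl>\d+) \(#(?P<rule>\d+)\)")

# RFC 792 codes of ICMP type 3 (destination unreachable).
UNREACHABLE_CODES = {0: "net", 1: "host", 2: "protocol", 3: "port",
                     4: "frag needed/DF set", 5: "source route failed"}

def parse_line(line):
    """Fields of one 'Packet log:' line, or None for any other syslog line."""
    m = PACKET_LOG.search(line)
    if not m:
        return None
    rec = {k: (int(v) if v.isdigit() else v) for k, v in m.groupdict().items()}
    if rec["proto"] == 1:  # ICMP: the "port" columns are really type and code
        rec["icmp_type"], rec["icmp_code"] = rec.pop("sport"), rec.pop("dport")
    return rec

def triage(log_text):
    """Count packets per (action, source); flag the two conditions the thread raises."""
    counts, findings = Counter(), set()
    for rec in filter(None, map(parse_line, log_text.splitlines())):
        counts[(rec["action"], rec["src"])] += 1
        if rec["action"] != "DENY":
            continue
        if ipaddress.ip_address(rec["src"]).is_private and rec["iface"].startswith("ppp"):
            findings.add(f"private source {rec['src']} on {rec['iface']}, TTL {rec['ttl']}: "
                         "a nearby ISP router or routing/NAT mistake, not a host you can block")
        if rec.get("icmp_type") == 3:
            code = UNREACHABLE_CODES.get(rec["icmp_code"], "unknown")
            findings.add(f"rule #{rec['rule']} drops ICMP type 3 code {rec['icmp_code']} "
                         f"({code} unreachable): TCP relies on these, do not filter them")
    return counts, sorted(findings)
```

Run it over /var/log/firewall instead of SAMPLE_LOG to get the same per-source counts and findings for a real logcheck report.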
On Thu, 23 Aug 2001, Togan Muftuoglu wrote:
> However for the last 30 minutes or more this has become a real pain and it's like DOS as I cannot visit websites nor can do ftp downloads and the mail traffic has become extremely slow.
>
> This is the same log I sent to the ISP (can't say they are helpful yet)
>
> 1) What can I do to minimize the effect?
> 2) Sorry for a basic question but how would I capture the packets coming from the adsl line (pppoe) will it be eth0 or ppp0 and since I only want to get this ip and this protocol related thing what would be the syntax (I know I need to RTFM but a hint will be helpful also)
What interface has your IP? ppp0 or eth0? Ask ifconfig or netstat -i. eth0 is set to 0.0.0.0 "no IP" and only used for raw eth, so it can't be eth0. ppp0 remains, and that is what you need to use tcpdump, ethereal or snort on.