Firewall is getting hammered...help
I'm with verizon "business" dsl. I've been having a problem lately with my firewall getting hammered by someone, or some people, on verizon. It almost appears that I'm getting a denial of service attack, but I think it's just someone sniffing...a lot. Example:
Sep 28 22:31:31 linux kernel: SuSE-FW-DROP-DEFAULT IN=eth0 OUT= MAC=00:50:da:0b:71:ce:00:02:3b:00:ab:32:08:00 SRC=4.3.91.228 DST=4.3.48.25 LEN=48 TOS=0x00 PREC=0x00 TTL=120 ID=34984 DF PROTO=TCP SPT=3578 DPT=135 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B401010402)
It's really bugging me and is causing problems getting and receiving email. Anyone know what I can do?
Tom
--
Tom Nielsen
Neuro Logic Systems, Inc.
805.389.5435 ext.18
www.neuro-logic.com
Tom Nielsen wrote:
Sep 28 22:31:31 linux kernel: SuSE-FW-DROP-DEFAULT IN=eth0 OUT= MAC=00:50:da:0b:71:ce:00:02:3b:00:ab:32:08:00 SRC=4.3.91.228 DST=4.3.48.25 LEN=48 TOS=0x00 PREC=0x00 TTL=120 ID=34984 DF PROTO=TCP SPT=3578 DPT=135 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B401010402)
It's really bugging me and is causing problems getting and receiving email. Anyone know what I can do?
Port 135 (DPT=135) is used for M$ RPC calls and its security holes are exploited by various M$ diseases (I think lovsan is one). I've a SuSE box on a 16-bit network with lots of Win2k boxen on it and I get about 60 of these a day at the moment.
There's not much you can do other than change ISP. Eventually the messages will die away.
--
JDL
Non enim propter gloriam, diuicias aut honores pugnamus set propter libertatem solummodo quam Nemo bonus nisi simul cum vita amittit.
On Monday 29 September 2003 07:59, John Lamb wrote:
Tom Nielsen wrote:
Sep 28 22:31:31 linux kernel: SuSE-FW-DROP-DEFAULT IN=eth0 OUT= MAC=00:50:da:0b:71:ce:00:02:3b:00:ab:32:08:00 SRC=4.3.91.228 DST=4.3.48.25 LEN=48 TOS=0x00 PREC=0x00 TTL=120 ID=34984 DF PROTO=TCP SPT=3578 DPT=135 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B401010402)
It's really bugging me and is causing problems getting and receiving email. Anyone know what I can do?
Port 135 (DPT=135) is used for M$ RPC calls and its security holes are exploited by various M$ diseases (I think lovsan is one). I've a SuSE box on a 16-bit network with lots of Win2k boxen on it and I get about 60 of these a day at the moment.
I'm on a subnet of a university system and must be seeing more like 60 an hour. If you're running Samba, of course, your machines can get pestered on this port, though I suppose any worm payload won't do real damage. I have SuSEfirewall2 set up so that it filters out everything SMB but my own subnet to avoid this. I suppose it will die off eventually, but it's been going on for weeks now.
Best
Fergus
There's not much you can do other than change ISP. Eventually the messages will die away.
-- JDL
Non enim propter gloriam, diuicias aut honores pugnamus set propter libertatem solummodo quam Nemo bonus nisi simul cum vita amittit.
--
Fergus Wilde
Chetham's Library
Long Millgate
Manchester M3 1SB
Tel: +44 161 834 7961
Fax: +44 161 839 5797
http://www.chethams.org.uk
John Lamb wrote:
Port 135 (DPT=135) is used for M$ RPC calls and its security holes are exploited by various M$ diseases (I think lovsan is one). I've a SuSE box on a 16-bit network with lots of Win2k boxen on it and I get about 60 of these a day at the moment.
You're lucky, I have been getting over 10,000 a day for the last few weeks.
There's not much you can do other than change ISP. Eventually the messages will die away.
They do seem to be dying off, only 4,500 today so far. I even wrote a little script to find out the worst offenders, and tried to contact them, but to no avail.
Steve
On Mon, Sep 29, 2003 at 07:11:49PM +0100 or thereabouts, Stephen wrote:
John Lamb wrote:
Port 135 (DPT=135) is used for M$ RPC calls and its security holes are exploited by various M$ diseases (I think lovsan is one). I've a SuSE box on a 16-bit network with lots of Win2k boxen on it and I get about 60 of these a day at the moment.
You're lucky, I have been getting over 10,000 a day for the last few weeks.
There's not much you can do other than change ISP. Eventually the messages will die away.
They do seem to be dying off, only 4,500 today so far.
from the C/L
iptables -A INPUT -s worse.IP.Addresses -d 0/0 --proto all -j DROP
set it, and forget it.
--
Gary
My husband bought me a mood ring the other day. When I'm in a good mood, it turns green. When I'm in a bad mood, it leaves a red mark on his forehead.
* gary; <gv-dated-1064860534.pfcbkchi@mygirlfriday.info> on 29 Sep, 2003 wrote:
from the C/L
iptables -A INPUT -s worse.IP.Addresses -d 0/0 --proto all -j DROP
set it, and forget it.
you can if there are no iptables rules running. If there are then
iptables -I INPUT -s worse.IP.Addresses -d 0/0 --proto all -j DROP
--
Togan Muftuoglu
Unofficial SuSE FAQ Maintainer
http://dinamizm.ath.cx
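Steve's "little script to find out the worst offenders" and the gary/Togan rule, combined as an added example that is not code from any of the posters: it counts SuSE-FW-DROP-DEFAULT entries per source address for one destination port over a constructed log sample (the first line is the one from Tom's post, the others use test addresses), then prints, without applying, one -I rule per source above a threshold.

```shell
#!/bin/sh
# Added example (not code from any poster): count SuSE-FW-DROP-DEFAULT
# entries per source for one destination port, then print, without
# applying, one iptables rule per offender. The log sample is constructed;
# its first line is the entry from Tom's post, the rest use test addresses.

SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
Sep 28 22:31:31 linux kernel: SuSE-FW-DROP-DEFAULT IN=eth0 OUT= MAC=00:50:da:0b:71:ce:00:02:3b:00:ab:32:08:00 SRC=4.3.91.228 DST=4.3.48.25 LEN=48 TOS=0x00 PREC=0x00 TTL=120 ID=34984 DF PROTO=TCP SPT=3578 DPT=135 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B401010402)
Sep 28 22:31:40 linux kernel: SuSE-FW-DROP-DEFAULT IN=eth0 OUT= SRC=192.0.2.7 DST=4.3.48.25 PROTO=TCP SPT=1041 DPT=135 SYN
Sep 28 22:31:41 linux kernel: SuSE-FW-DROP-DEFAULT IN=eth0 OUT= SRC=192.0.2.7 DST=4.3.48.25 PROTO=TCP SPT=1042 DPT=135 SYN
Sep 28 22:31:42 linux kernel: SuSE-FW-DROP-DEFAULT IN=eth0 OUT= SRC=192.0.2.7 DST=4.3.48.25 PROTO=TCP SPT=1043 DPT=135 SYN
Sep 28 22:31:50 linux kernel: SuSE-FW-DROP-DEFAULT IN=eth0 OUT= SRC=198.51.100.9 DST=4.3.48.25 PROTO=TCP SPT=2200 DPT=135 SYN
Sep 28 22:31:51 linux kernel: SuSE-FW-DROP-DEFAULT IN=eth0 OUT= SRC=198.51.100.9 DST=4.3.48.25 PROTO=TCP SPT=2201 DPT=135 SYN
Sep 28 22:32:00 linux kernel: SuSE-FW-DROP-DEFAULT IN=eth0 OUT= SRC=192.0.2.7 DST=4.3.48.25 PROTO=TCP SPT=1044 DPT=445 SYN
EOF

# top_offenders LOGFILE DPORT MIN_HITS
# Prints "count src", busiest first, for dropped packets aimed at DPORT.
top_offenders() {
    awk -v want="DPT=$2" -v min="$3" '
        /SuSE-FW-DROP-DEFAULT/ {
            src = ""; hit = 0
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/) src = substr($i, 5)
                if ($i == want) hit = 1
            }
            if (hit && src != "") n[src]++
        }
        END { for (s in n) if (n[s] >= min) print n[s], s }
    ' "$1" | sort -rn
}

# block_rules LOGFILE DPORT MIN_HITS
# One rule per offender. -I rather than -A puts it at the head of INPUT, so
# it is checked before the rules SuSEfirewall2 has already loaded.
block_rules() {
    top_offenders "$1" "$2" "$3" | while read -r count src; do
        printf 'iptables -I INPUT -s %s -d 0/0 --proto all -j DROP  # %s hits\n' "$src" "$count"
    done
}

block_rules "$SAMPLE_LOG" 135 2
```

Point it at /var/log/messages and pipe the output through sh only after reading it; rules inserted this way are lost at the next SuSEfirewall2 restart.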
gary wrote:
from the C/L
iptables -A INPUT -s worse.IP.Addresses -d 0/0 --proto all -j DROP
set it, and forget it.
This will only help him so much. Those packets will still keep hitting his firewall and taking up processing time and bandwidth. It will keep the packets from clogging up his internal network, but will do nothing for internal-to-external throughput. If you are getting so many that your external bandwidth is being eaten up you should contact your isp and have them track the main offenders to their sources because this would most likely be a coordinated DOS attack. 10,000 a day won't qualify, since depending on your config you might get that many per second in *real* DOS attack, but you have to decide what is crippling for your network.
JS
I do not know if this will be of any assistance or not. But it might be worth a try and at least check. Since port 135 is only used by MS I would suspect it has to do with MS boxes. So if you are running Samba then make sure it is not binding to your outside world interface. If it is binding then it is acting just like an NT server would. I set my Samba machines to only bind on my internal network interfaces by the following lines in the global section of the smb.conf file.
interfaces = eth1
bind interfaces only = True
Use whatever interfaces you need to bind with for your services. But do not add the outside interface. Restart Samba.
James
On Monday 29 September 2003 01:34, Tom Nielsen wrote:
I'm with verizon "business" dsl. I've been having a problem lately with my firewall getting hammered by someone, or some people, on verizon. It almost appears that I'm getting a denial of service attack, but I think it's just someone sniffing...a lot. Example:
Sep 28 22:31:31 linux kernel: SuSE-FW-DROP-DEFAULT IN=eth0 OUT= MAC=00:50:da:0b:71:ce:00:02:3b:00:ab:32:08:00 SRC=4.3.91.228 DST=4.3.48.25 LEN=48 TOS=0x00 PREC=0x00 TTL=120 ID=34984 DF PROTO=TCP SPT=3578 DPT=135 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B401010402)
It's really bugging me and is causing problems getting and receiving email. Anyone know what I can do?
Tom
participants (8)
- Fergus Wilde
- gary
- James Finnall
- John Lamb
- js
- Stephen
- Togan Muftuoglu
- Tom Nielsen