* Ping flood
@ 2005-11-01 14:30 Paulo Andre
  2005-11-01 17:08 ` Zoltan Nagy
  2005-11-01 17:19 ` /dev/rob0
  0 siblings, 2 replies; 6+ messages in thread
From: Paulo Andre @ 2005-11-01 14:30 UTC (permalink / raw)
  To: netfilter

I have the following log:
Nov  1 09:10:40 guardian ---SA_IN--- IN=eth1 OUT= 
MAC=ff:ff:ff:ff:ff:ff:00:e0:1e:83:d5:19:08:00  SRC=64.34.170.237 
DST=255.255.255.255 LEN=1072 TOS=00 PREC=0x40 TTL=243 ID=12209 DF 
PROTO=ICMP TYPE=8 CODE=0 ID=0 SEQ=0

I am receiving thousands of these a day, icmp traffic is blocked with 
iptables. But still this traffic is coming up the line. Is my only 
solution to contact the ISP or is there something I can do in 
iptables/linux?

Paulo



* Re: Ping flood
  2005-11-01 14:30 Ping flood Paulo Andre
@ 2005-11-01 17:08 ` Zoltan Nagy
  2005-11-02 21:36   ` R. DuFresne
  2005-12-06 21:11   ` Nick Drage
  2005-11-01 17:19 ` /dev/rob0
  1 sibling, 2 replies; 6+ messages in thread
From: Zoltan Nagy @ 2005-11-01 17:08 UTC (permalink / raw)
  To: Paulo Andre; +Cc: netfilter


consider dropping all multicast packets
$ipt    -d 224.0.0.0/4                  -j DROP


Paulo Andre wrote:
> I have the following log:
> Nov  1 09:10:40 guardian ---SA_IN--- IN=eth1 OUT=
> MAC=ff:ff:ff:ff:ff:ff:00:e0:1e:83:d5:19:08:00  SRC=64.34.170.237
> DST=255.255.255.255 LEN=1072 TOS=00 PREC=0x40 TTL=243 ID=12209 DF
> PROTO=ICMP TYPE=8 CODE=0 ID=0 SEQ=0
> 
> I am receiving thousands of these a day, icmp traffic is blocked with
> iptables. But still this traffic is coming up the line. Is my only
> solution to contact the ISP or is there something I can do in
> iptables/linux?
> 
> Paulo
> 
> 



* Re: Ping flood
  2005-11-01 14:30 Ping flood Paulo Andre
  2005-11-01 17:08 ` Zoltan Nagy
@ 2005-11-01 17:19 ` /dev/rob0
  2005-12-06 21:34   ` Nick Drage
  1 sibling, 1 reply; 6+ messages in thread
From: /dev/rob0 @ 2005-11-01 17:19 UTC (permalink / raw)
  To: netfilter

On Tuesday 2005-November-01 08:30, Paulo Andre wrote:
> I have the following log:
> Nov  1 09:10:40 guardian ---SA_IN--- IN=eth1 OUT=
> MAC=ff:ff:ff:ff:ff:ff:00:e0:1e:83:d5:19:08:00  SRC=64.34.170.237

Who is this?

$ host 64.34.170.237
237.170.34.64.in-addr.arpa domain name pointer server1.ircnapoli.com.
$ whois $_
Peer 1 Network Inc. PEER1-BLK-08 (NET-64-34-0-0-1)
                                  64.34.0.0 - 64.34.255.255
ServerBeach PEER1-SERVERBEACH-02 (NET-64-34-160-0-1)
                                  64.34.160.0 - 64.34.191.255
...
$ host server1.ircnapoli.com.
server1.ircnapoli.com has address 64.34.170.237

> DST=255.255.255.255 LEN=1072 TOS=00 PREC=0x40 TTL=243 ID=12209 DF
> PROTO=ICMP TYPE=8 CODE=0 ID=0 SEQ=0

That's a broadcast ping.

> I am receiving thousands of these a day, icmp traffic is blocked with
> iptables. But still this traffic is coming up the line. Is my only

How much is a flood? Is it eating all your bandwidth?

> solution to contact the ISP or is there something I can do in
> iptables/linux?

Contact the person in charge of server1.ircnapoli.com. If you're really 
under a DoS attack, by all means, call the ISP.

If it's just an annoying log message, adjust your LOG rules so that 
these are not logged. You don't need netfilter logging to know when 
you're under DoS attack. Your network connection won't work.
-- 
    mail to this address is discarded unless "/dev/rob0"
    or "not-spam" is in Subject: header



* Re: Ping flood
  2005-11-01 17:08 ` Zoltan Nagy
@ 2005-11-02 21:36   ` R. DuFresne
  2005-12-06 21:11   ` Nick Drage
  1 sibling, 0 replies; 6+ messages in thread
From: R. DuFresne @ 2005-11-02 21:36 UTC (permalink / raw)
  To: Zoltan Nagy; +Cc: Paulo Andre, netfilter



perhaps, but I think the real answer is to not allow icmp traffic to hit 
the broadcast address of the network or subnetwork in consideration, which 
is a slightly, if not totally different issue than multicast traffic 
passing the perimeter.  Though I'm up for educating and clues if I am 
mistaken here.

thanks,

Ron DuFresne


On Tue, 1 Nov 2005, Zoltan Nagy wrote:

>
> consider dropping all multicast packets
> $ipt    -d 224.0.0.0/4                  -j DROP
>
>
> Paulo Andre wrote:
>> I have the following log:
>> Nov  1 09:10:40 guardian ---SA_IN--- IN=eth1 OUT=
>> MAC=ff:ff:ff:ff:ff:ff:00:e0:1e:83:d5:19:08:00  SRC=64.34.170.237
>> DST=255.255.255.255 LEN=1072 TOS=00 PREC=0x40 TTL=243 ID=12209 DF
>> PROTO=ICMP TYPE=8 CODE=0 ID=0 SEQ=0
>>
>> I am receiving thousands of these a day, icmp traffic is blocked with
>> iptables. But still this traffic is coming up the line. Is my only
>> solution to contact the ISP or is there something I can do in
>> iptables/linux?
>>
>> Paulo
>>
>>
>

- -- 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
         admin & senior security consultant:  sysinfo.com
                         http://sysinfo.com
Key fingerprint = 9401 4B13 B918 164C 647A  E838 B2DF AFCC 94B0 6629

...We waste time looking for the perfect lover
instead of creating the perfect love.

                 -Tom Robbins <Still Life With Woodpecker>



* Re: Ping flood
  2005-11-01 17:08 ` Zoltan Nagy
  2005-11-02 21:36   ` R. DuFresne
@ 2005-12-06 21:11   ` Nick Drage
  1 sibling, 0 replies; 6+ messages in thread
From: Nick Drage @ 2005-12-06 21:11 UTC (permalink / raw)
  To: netfilter

On Tue, Nov 01, 2005 at 06:08:45 +0100, Zoltan Nagy wrote:
> Paulo Andre wrote:

> > I have the following log:
> > Nov  1 09:10:40 guardian ---SA_IN--- IN=eth1 OUT=
> > MAC=ff:ff:ff:ff:ff:ff:00:e0:1e:83:d5:19:08:00  SRC=64.34.170.237
> > DST=255.255.255.255 LEN=1072 TOS=00 PREC=0x40 TTL=243 ID=12209 DF
> > PROTO=ICMP TYPE=8 CODE=0 ID=0 SEQ=0
> > 
> > I am receiving thousands of these a day, icmp traffic is blocked
> > with iptables. But still this traffic is coming up the line. Is my
> > only solution to contact the ISP or is there something I can do in
> > iptables/linux?
> > 
> > Paulo

> consider dropping all multicast packets
> $ipt    -d 224.0.0.0/4                  -j DROP

If the destination IP address is 255.255.255.255, and multicast traffic
defined by "224.0.0.0/24" is from 224.0.0.0 to 239.255.255.255, this
won't make any difference will it?

-- 
deviants are sacrificed to increase group solidarity
Jenny Solzer
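Added example, not code from any poster in this thread: a small Python script that parses the netfilter LOG line quoted above and walks two simplified first-match rule lists against it, showing that a DROP on 224.0.0.0/4 never matches a 255.255.255.255 destination (Nick's point), while a DROP on the limited broadcast address placed before the LOG rule stops the log noise (/dev/rob0's suggestion). The rule lists and the first-match evaluator are assumptions of the example that model iptables chain ordering, not real iptables.

```python
import ipaddress
import re

# Constructed copy of the LOG line from the original post.
LOG_LINE = ("Nov  1 09:10:40 guardian ---SA_IN--- IN=eth1 OUT= "
            "MAC=ff:ff:ff:ff:ff:ff:00:e0:1e:83:d5:19:08:00  SRC=64.34.170.237 "
            "DST=255.255.255.255 LEN=1072 TOS=00 PREC=0x40 TTL=243 ID=12209 DF "
            "PROTO=ICMP TYPE=8 CODE=0 ID=0 SEQ=0")

MULTICAST = ipaddress.ip_network("224.0.0.0/4")         # 224.0.0.0 - 239.255.255.255
LIMITED_BCAST = ipaddress.ip_address("255.255.255.255")

def parse_log(line):
    """Turn the KEY=VALUE fields of a netfilter LOG line into a dict.
    ID= appears twice (IP header, then ICMP); the later ICMP value wins."""
    return dict(re.findall(r"([A-Z]+)=(\S*)", line))

def classify_dst(dst):
    """Name the destination class the thread argues about."""
    addr = ipaddress.ip_address(dst)
    if addr == LIMITED_BCAST:
        return "limited-broadcast"
    if addr in MULTICAST:
        return "multicast"
    return "other"

def evaluate(rules, pkt):
    """Walk (dst_net, proto, target) rules in order, like a filter chain.
    proto None matches any protocol. LOG is non-terminating, as in iptables;
    DROP/ACCEPT end the walk. Returns (verdict, was_logged)."""
    dst = ipaddress.ip_address(pkt["DST"])
    logged = False
    for net, proto, target in rules:
        if dst in ipaddress.ip_network(net) and proto in (None, pkt["PROTO"]):
            if target == "LOG":
                logged = True
            else:
                return target, logged
    return "POLICY", logged   # fell through: the chain policy decides

# Hypothetical rule lists: Zoltan's multicast drop, and a drop on the
# limited broadcast address placed ahead of the LOG rule.
MULTICAST_RULES = [("224.0.0.0/4", None, "DROP"), ("0.0.0.0/0", None, "LOG")]
BCAST_RULES = [("255.255.255.255/32", "ICMP", "DROP"), ("0.0.0.0/0", None, "LOG")]

def demo():
    pkt = parse_log(LOG_LINE)
    return {"dst_class": classify_dst(pkt["DST"]),
            "multicast_rule": evaluate(MULTICAST_RULES, pkt),
            "broadcast_rule": evaluate(BCAST_RULES, pkt)}

if __name__ == "__main__":
    print(demo())
```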



* Re: Ping flood
  2005-11-01 17:19 ` /dev/rob0
@ 2005-12-06 21:34   ` Nick Drage
  0 siblings, 0 replies; 6+ messages in thread
From: Nick Drage @ 2005-12-06 21:34 UTC (permalink / raw)
  To: netfilter

On Tue, Nov 01, 2005 at 11:19:31 -0600, /dev/rob0 wrote:
> On Tuesday 2005-November-01 08:30, Paulo Andre wrote:
> > I have the following log:
> > Nov  1 09:10:40 guardian ---SA_IN--- IN=eth1 OUT=
> > MAC=ff:ff:ff:ff:ff:ff:00:e0:1e:83:d5:19:08:00  SRC=64.34.170.237
> 
> Who is this?
> 
> $ host 64.34.170.237
> 237.170.34.64.in-addr.arpa domain name pointer server1.ircnapoli.com.
> $ whois $_
> Peer 1 Network Inc. PEER1-BLK-08 (NET-64-34-0-0-1)
>                                   64.34.0.0 - 64.34.255.255
> ServerBeach PEER1-SERVERBEACH-02 (NET-64-34-160-0-1)
>                                   64.34.160.0 - 64.34.191.255
> ...
> $ host server1.ircnapoli.com.
> server1.ircnapoli.com has address 64.34.170.237
> 
> > DST=255.255.255.255 LEN=1072 TOS=00 PREC=0x40 TTL=243 ID=12209 DF
> > PROTO=ICMP TYPE=8 CODE=0 ID=0 SEQ=0
> 
> That's a broadcast ping.

The thing is, seeing as it's to 255.255.255.255 rather than the local
broadcast address, I've a feeling packet is being generated locally in
some way, rather than being sent to the broadcast address on the
original poster's network from the remote host.

Although the TTL would appear to refute that hypothesis.

I can't actually force IPtables to log pings to the broadcast address on
the boxes I have to hand, that I've sent from a host outside of the
local network, but looking at tcpdump the destination address is
definitely the IP address of the local broadcast address rather than
255.255.255.255.

Paulo, what has a MAC address of 00:e0:1e:83:d5:19 on your LAN?

-- 
deviants are sacrificed to increase group solidarity
Jenny Solzer


