ICMP attack, need help?

Hi,

We have been getting attacked 2 times a day.

Under Torch I see

protocol src-address dest-address Tx Rx
icmp 0.0.0.0 one of the interface address 0 512K rate

We are running 2.8.3

After going through the 2.9 manual I configured the following to stop the ICMP attack in the forward and input chains. It seems it is not making any difference.

Last night I put in the following rules (rules 0 to 5 were after rule 15). In spite of putting in such rules I did not see any difference. I still saw the attack today.

What am I missing? How can I prevent this?

Thanks,
Tushar

Forward Chain

0 src-address=/8 action=drop

1 dst-address=/8 action=drop

2 src-address=127.0.0.0/8 action=drop

3 dst-address=127.0.0.0/8 action=drop

4 src-address=224.0.0.0/3 action=drop

5 dst-address=224.0.0.0/3 action=drop

6 X protocol=icmp action=drop

7 X protocol=icmp action=drop

8 ;;; drop invalid connections
protocol=icmp icmp-options=0:0 action=accept

9 ;;; allow established connections
protocol=icmp icmp-options=3:0 action=accept

10 ;;; allow already established connections
protocol=icmp icmp-options=3:1 action=accept

11 ;;; allow source quench
protocol=icmp icmp-options=4:0 action=accept

12 ;;; allow echo request
protocol=icmp icmp-options=8:0 action=accept

13 ;;; allow time exceed
protocol=icmp icmp-options=11:0 action=accept

14 ;;; allow parameter bad
protocol=icmp icmp-options=12:0 action=accept

15 ;;; deny all other types
protocol=icmp action=drop

input

0 X dst-address=10.1.253.33/32 protocol=icmp action=drop

1 X protocol=icmp action=drop

2 ;;; drop invalid connctions
protocol=icmp icmp-options=0:0 action=accept

3 ;;; allow established connections
protocol=icmp icmp-options=3:0 action=accept

4 ;;; allow already establish connections
protocol=icmp icmp-options=3:1 action=accept

5 ;;; allow source quench
protocol=icmp icmp-options=4:0 action=accept

6 ;;; allow echo request
protocol=icmp icmp-options=8:0 action=accept

7 ;;; allow time exceed
protocol=icmp icmp-options=11:0 action=accept

8 ;;; allow parameter bad
protocol=icmp icmp-options=12:0 action=accept

9 ;;; deny all other types
protocol=icmp action=drop

One more thing: when I did a packet sniff, it did not show me any MAC address.

How can I see the MAC address using packet sniff? Do I have to run the sniffer for a long time to see the MAC address?

Tushar

  1. Upgrade the router to the 2.9 release; there are many new options in the firewall and other valuable new features.
    You'll also be able to limit ICMP packets per time,
    e.g. allow 5 packets per second. (Examples are given in the demo2.mt.lv router.)

  2. To view frame MAC-address,

  • select interface you want to sniff,
  • start/stop packet sniffer,
  • run ‘tool sniffer packet print detail’ to view ‘src’ and ‘dst’ MAC-address.
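
A simplified model of the suggestion in the reply above (allow 5 ICMP packets per second), applied to the accept list from the posted input-chain rules. This is an added example, not RouterOS code and not part of the thread; the token bucket, the burst size of 5, the function names and the constructed echo-request flood are assumptions.

```python
# Added illustration: first-match model of the posted ICMP rules, with and
# without a rate limit. Integer milliseconds keep the arithmetic exact.

# (type, code) pairs accepted by the posted icmp-options rules.
ALLOWED = {(0, 0), (3, 0), (3, 1), (4, 0), (8, 0), (11, 0), (12, 0)}


class TokenBucket:
    """Allow `rate` packets per second on average, bursts up to `burst`."""

    def __init__(self, rate, burst):
        self.rate = rate
        self.cap = burst * 1000          # capacity in milli-tokens
        self.tokens = self.cap
        self.last_ms = None

    def allow(self, now_ms):
        if self.last_ms is not None:
            # rate tokens/second == rate milli-tokens per millisecond
            refill = (now_ms - self.last_ms) * self.rate
            self.tokens = min(self.cap, self.tokens + refill)
        self.last_ms = now_ms
        if self.tokens >= 1000:
            self.tokens -= 1000
            return True
        return False


def posted_rules(pkt):
    """The rules as posted: accept listed types with no limit, drop the rest."""
    return "accept" if (pkt["type"], pkt["code"]) in ALLOWED else "drop"


def make_limited_rules(rate=5, burst=5):
    """Same accept list, but accepted ICMP is capped at `rate` packets/second."""
    bucket = TokenBucket(rate, burst)

    def rules(pkt):
        if (pkt["type"], pkt["code"]) not in ALLOWED:
            return "drop"
        return "accept" if bucket.allow(pkt["time_ms"]) else "drop"

    return rules


def count_accepted(rules, packets):
    return sum(1 for p in packets if rules(p) == "accept")


# Constructed traffic: 1000 echo requests (type 8, code 0) over 2 seconds.
FLOOD = [{"time_ms": 2 * i, "type": 8, "code": 0} for i in range(1000)]
```

Because echo request (8:0) is on the accept list, the rules as posted accept every packet of such a flood, while the rate-limited variant accepts only the initial burst plus 5 per second.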

Thanks for the reply

What is the password for the demo router?

Tushar

looks like username: demo
no password works