Strange "packet storm" / ACK Flood

Take a look at this packet capture:

Basically what I see is 900+ packets per second flooding the entire network. It seems to happen every 30 minutes or so and appears to be internal.

The SRC and DST IP addresses are consistent, but if you look at a few of the packets the SRC-MAC address varies between three different MACs.

I’ve since disabled all three MAC addresses and taken those users offline… But I’m trying to understand what might be causing this ACK flood…

The SRC and DST IP addresses vary between the attacks, but the SRC MACs always stay consistent between the three MACs.

It seems to always be TCP; sometimes it’s ACK packets, sometimes it’s a “TCP Retransmission”.

I’ve seen activity similar to this caused by viruses/worms, but it has always been one SRC MAC.. Not three separate MACs using the same SRC and DST IP addresses. I thought it might be a spoofed MAC but I find it odd that all three MAC addresses are in use on my network.

Any thoughts?

-Bill

do you see any syn packets before the acks?

You probably have some ill behaved customer firewalls participating in a broadcast storm of some sort. When a bunch of firewalls are on a network together, sometimes the poorly coded ones do this. I’ve seen it with gigafast, dlink, and older linksys bfsr routers.

If you have traffic graphing on each CPE, those CPE uploading at the same time as the broadcast should help you track down the offenders.

All the captures I’ve performed I have not seen any SYN packets. The funny thing is, the public IP address doesn’t even belong to the src MACs. So it doesn’t make any sense why it would even respond to a SYN packet sent to aa.bb.cc.dd when aa.bb.cc.dd isn’t even bound to the MAC.

And in each attack the SRC IP address is different, but the SRC-MAC addresses are consistent between the three..

I’ve since narrowed it down to one of the MAC addresses and took it offline. The attack hasn’t reoccurred since. Now I just need to go out and figure out what is causing this.

Thanks for the tip JP, I’ll look into that. I think I’ll be able to find out more once I’m onsite.

You say it’s flooding the entire network. Does the destination mac-address exist? Is it a bridged network?

Yes, it’s a layer 2 distribution network. All devices would see 900-1500 pps when the attack occurs. The DST-MAC is not on my network.

After looking closer, the DST-MAC is always the same in all of the attacks (01:00:5e:3c:bc:01). The SRC and DST IP addresses appear to be spoofed.

::EDIT::

After doing a MAC address lookup on the DST-MAC address, it returns no valid vendor. So that may be spoofed as well.. For whatever that’s worth..

That is an attack against your network.
The dst ether address is a multicast address. Stop bridging your network :stuck_out_tongue:
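To make the multicast point concrete, here is a small triage script (added here, not part of the thread or any poster’s tooling) that checks the I/G bit of a destination MAC, reverses the IPv4 multicast MAC mapping for the 01:00:5e:3c:bc:01 address from the capture, and flags the storm pattern described above: ACKs with no handshake, one IP pair, several source MACs, and a per-second rate above a threshold. The packet records, MACs and IPs below are constructed sample data, and the 900 pps threshold is taken from the first post.

```python
"""Triage helpers for the capture discussed in the thread (added example)."""
from collections import Counter, defaultdict

IPV4_MCAST_OUI = "01:00:5e"  # RFC 1112 mapping prefix for IPv4 group addresses


def is_multicast_mac(mac: str) -> bool:
    """I/G bit: least-significant bit of the first octet set means group address."""
    return int(mac.split(":")[0], 16) & 0x01 == 1


def ipv4_groups_for_mac(mac: str) -> list[str]:
    """Reverse the IPv4 multicast MAC mapping: only the low 23 bits of the
    group address survive in the MAC, so 32 candidate groups fit one MAC."""
    octets = [int(x, 16) for x in mac.lower().split(":")]
    if not (mac.lower().startswith(IPV4_MCAST_OUI) and octets[3] < 0x80):
        return []
    return [f"{224 + (hi >> 1)}.{((hi & 1) << 7) | octets[3]}.{octets[4]}.{octets[5]}"
            for hi in range(32)]  # hi = the 5 ambiguous high bits


def storm_report(packets, pps_threshold=900):
    """packets: dicts with ts, src_mac, dst_mac, src_ip, dst_ip, flags.
    Returns (seconds whose packet count crosses the threshold,
             per src/dst IP pair the source MACs sending ACKs with no SYN seen)."""
    per_second = Counter(int(p["ts"]) for p in packets)
    syn_seen = {(p["src_ip"], p["dst_ip"]) for p in packets if "S" in p["flags"]}
    orphan_acks = defaultdict(set)
    for p in packets:
        flow = (p["src_ip"], p["dst_ip"])
        handshake = flow in syn_seen or (flow[1], flow[0]) in syn_seen
        if "A" in p["flags"] and not handshake:
            orphan_acks[flow].add(p["src_mac"])
    storms = {sec: n for sec, n in per_second.items() if n >= pps_threshold}
    return storms, {flow: sorted(macs) for flow, macs in orphan_acks.items()}


# Constructed sample: three source MACs share one spoofed IP pair, all sent to the
# multicast MAC from the thread (1000 packets within second 0), plus one normal flow.
FLOOD_MACS = ["00:11:22:33:44:01", "00:11:22:33:44:02", "00:11:22:33:44:03"]
SAMPLE = [{"ts": i / 1000, "src_mac": FLOOD_MACS[i % 3], "dst_mac": "01:00:5e:3c:bc:01",
           "src_ip": "203.0.113.9", "dst_ip": "198.51.100.7",
           "flags": "A" if i % 2 else "PA"} for i in range(1000)]
SAMPLE += [{"ts": 0.5, "src_mac": "00:11:22:33:44:aa", "dst_mac": "00:11:22:33:44:bb",
            "src_ip": s, "dst_ip": d, "flags": f}
           for s, d, f in (("192.0.2.10", "192.0.2.20", "S"),
                           ("192.0.2.20", "192.0.2.10", "SA"),
                           ("192.0.2.10", "192.0.2.20", "A"))]

if __name__ == "__main__":
    print(is_multicast_mac("01:00:5e:3c:bc:01"), ipv4_groups_for_mac("01:00:5e:3c:bc:01")[:2])
    print(storm_report(SAMPLE))
```

The handshake flow is not reported, only the flood flow, which shows up with all three source MACs and a second that exceeds the threshold.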

Yeah, that’s on my list of things to do.. I’ve inherited a poorly designed network, but I’m working on it! Converting all the users to PPPoE comes first. Then breaking up the broadcast domains will be easier by deploying the Access concentrators closer to the edge.

Thanks for the info! I’m assuming this would be caused by a malicious application/code/virus/worm.

You can’t spoof the MAC beyond your own physical LAN … so if it’s an attack it’s someone on his LAN doing it. Probably a loop somewhere on the remote end or a zombified PC with some new malware. I have seen those cheap blue boxes (and others of the like) spew garbage like that.

Sam

Not too uncommon, those blue boxes are hackable too! :slight_smile:

After rereading your post…

Correct

Doubtful unless something like PowerLine or macnat type stations are involved (those’ll mess you up good)

It doesn’t have to be new, I experienced the very same from 1 single Windows 2000 server back in ~2002. Different attacks with apparently correct src MAC addresses (but never of the offending server), invalid IP addresses, dst MAC address was multicast. The protocol was different though. It was seemingly correct IGMP packets (looking at the headers) but with a tail containing “HAHA\0HAHA\0”

Yes, those boxes are just like any other: hackable, modifiable and relatively easily exploited or swayed.

changeip wrote:
Probably a loop somewhere on the remote end

Doubtful unless something like PowerLine or macnat type stations are involved (those’ll mess you up good)

We’re using Tranzeo CPEs (TR-CPQs and TR-5As).. They use Proxy-ARP for bridging.

Then it’s unlikely that it’s anything connected to the Tranzeos.
Look towards your servers or someone that doesn’t use proxy-ARP’d routing.
(Proxy-ARPing is still routing, not bridging.)
If however they pass just any kind of Ethernet traffic then you can not exclude the Tranzeos from your suspicions.

As far as I know, everything that is received on the wireless side is spit out the Ethernet port and vice versa..

The problem was most likely a virus on one of the client machines. I disabled their connection and the problem went away. It just so happened they were moving offices when I turned them off so it’ll be some other ISP’s problem. :slight_smile:

Were these guys running any Linux servers behind this connection?

Then it’s probably macnat instead of proxy-arp (for 802.11) FYI