
one client , UDP 3000p/s ?!

Posted: Tue Dec 04, 2007 12:09 am
by marko_bg
I have a problem with this ...

internet --- MT1 --- MT2 --- MT3(with PPPoE server),

pppoe client using p2p, or something else, and he has a public IP, when he, after e.g. 6 days, changes IP (dhcp)...

traffic between MT2 and MT3 jumps from the standard 1000p/s to 3000p/s, and the processor goes to 90%.

I made firewall rules on MT2 to drop all UDP from SRC (any) to DST (client's old IP), and packets are again at 1000p/s ?!

how to fix this ?

I can't block this IP, because another user will take this IP.

btw, all users have public IPs.

what is the solution for this problem?

Re: one client , UDP 3000p/s ?!

Posted: Tue Dec 04, 2007 6:17 pm
by jp
The customer probably has some sort of network problem, like a switch plugged into itself, or some bad equipment. Change their pppoe password or disable their pppoe account.

Re: one client , UDP 3000p/s ?!

Posted: Wed Dec 05, 2007 9:51 am
by marko_bg
After MT3 we have more MTs (network MT4-MT5-MT6 ....), on average 100 users; we have users on MT1 and MT2 too, and the link between MT2 and MT3 has an average of 1000p/s; this is normal, and the link works OK with 1000p/s.

but one day pppoe changed the IP of this user (on MT3), and then the MT2-MT3 link jumped from the normal 1000p/s to 3000p/s,
(this user has a wifi connection)

I found that these packets are going to the IP of this user (the old IP), and when I block UDP to this IP (on MT2), packets on the link go back to 1000p/s.

I think this is something like p2p traffic: when the user has this IP, traffic goes to the user, but when he gets a different IP, traffic punches at MT3 (the pppoe server where this IP was assigned), because it can't find the user's p2p client software ... to me this apparently looks like p2p traffic.

one thing ... all 100 users use p2p, we do not inhibit p2p, and this fact makes it all more strange.

is there a way to block packets which do not arrive at the destination?

we have a rule to block invalid packets, but this rule does not capture this traffic.

Re: one client , UDP 3000p/s ?!

Posted: Thu Dec 06, 2007 12:41 am
by marko_bg
... when the user starts the p2p program (this one has dc++), packets go back to normal.

how to resolve this problem ?

mt staff , do you have any idea ?

Re: one client , UDP 3000p/s ?!

Posted: Thu Dec 06, 2007 3:07 am
by Chupaka
hm... in dc++, udp traffic is Search... there may be vulnerabilities in the dc++ software your customer uses, and those vulnerabilities may allow 'udp flood' attacks

Re: one client , UDP 3000p/s ?!

Posted: Thu Dec 06, 2007 9:57 am
by normis
wait - when he starts DC++ the problem STOPS??? Make him download movies all the time :)

Re: one client , UDP 3000p/s ?!

Posted: Thu Dec 06, 2007 10:36 am
by marko_bg
yes, and this is strange, when he starts dc on the new IP, ...

it looks like the udp knows where he is, and packages end up (punch) on his machine, and the link goes back to 1000p/s.

one more thing, all the UDP is coming from the internet, but packages are at 3000p/s only between MT2-MT3, ... ?!

this is strange, why do packages not increase on all links ... internet-MT1-MT2-MT3 ?

we had this problem 4-5 months ago on another link too; packages went to 5000p/s, and 30mbps+ on the link, and cpu went to 100%. we did not know at that time what had happened; we rebooted these 2 routers and the packages stopped, back to normal.

and strangely this happened only between 2 MTs, deep in the network, but the traffic is coming from the internet ?!

the network has all public IPs, the MTs too, but all services on all MTs are OFF; only the winbox port and MT discovery work, and in the log there are no strange logins to the routers.

btw, we have approximately 30 links in the network, and this happened only on 2-3, but many users have p2p, and without prohibition, ... like you say, strange too.

btw2, all routers are 2.9.49

Re: one client , UDP 3000p/s ?!

Posted: Thu Dec 06, 2007 6:02 pm
by Chupaka
hmmm... maybe, looped icmp traffic 'destination unreachable' or something? =)

Re: one client , UDP 3000p/s ?!

Posted: Fri Dec 07, 2007 1:15 pm
by marko_bg
... and again

user disconnects and packets go to 3000p/s ... but ...

we have found the cause: it is p2p, but it is not dc++ but SKYPE !!!!

what now ?!

Re: one client , UDP 3000p/s ?!

Posted: Fri Dec 07, 2007 4:53 pm
by marko_bg
I think that I know what the problem is, ... but I do not know how to resolve it.

we have static routes for all IPs, we have not used OSPF or RIP, but I think this cannot be the reason !


my view of the problem:

internet traffic goes to MT2, then goes to MT3, then goes to the user (when the user is connected), but ...

...when the user is disconnected, internet traffic goes to MT2, then goes to MT3; then MT3, because it does not have the user's IP (we use pppoe), sends packages to MT2 (by default gateway), then MT2 sends packages back to MT3 (by the default static route of this IP) ...

and this makes a loop between MT2 and MT3 !!!

normis,
do you know, how to stop this ?

Re: one client , UDP 3000p/s ?!

Posted: Fri Dec 07, 2007 6:00 pm
by Chupaka
TTL stops this =)
add a rule to set TTL of packets destined to clients to 2 for example =)

Re: one client , UDP 3000p/s ?!

Posted: Sun Dec 09, 2007 12:11 am
by marko_bg
hm, ... ttl=2 ,

but this will send packages back to MT2, and then kill ...

how to kill a packet on MT3 when it arrives, if the IP is not assigned ?

Re: one client , UDP 3000p/s ?!

Posted: Sun Dec 09, 2007 2:05 pm
by marko_bg
we put TTL=3 (some users have a router), and will wait to see what happens,

but is there some way to capture packages with over 1000p/s or something like SPAM, UDP attack, or number of connections, or number of invalid tries ...

and then put this dst-IP in an address-list or put the src-IP in a list and block ... and block for 1 or 2 days.
because after 2 days the traffic stops, even if the user is not connected.

I am thinking of changing the SPAM rules from the wiki, but how to know which traffic has 1000p/s or something from the above.

Re: one client , UDP 3000p/s ?!

Posted: Thu Dec 13, 2007 1:11 am
by marko_bg
I put the IPs from the users' pool in the address list "change-TTL", and made:
src-adr:0.0.0.0 dst-adr:change-TTL , set changeTTL to 3, but ping goes to 300ms after 2-3 min ?

how to make a route on MT, to tell the router that the IPs are on it ?
... and stop the router from seeking this IP on another router when a packet arrives at it.

there must be something !

Re: one client , UDP 3000p/s ?!

Posted: Fri Dec 28, 2007 2:37 pm
by snark
> we have found the cause: it is p2p, but it is not dc++ but SKYPE !!!!
>
> what now ?!

watch this (sorry, it is in Russian, but babelfish can help)
in short - skype uses high-BW clients as servers for other clients ...
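
The MT2/MT3 loop marko_bg describes and the TTL clamp Chupaka suggests, modelled as an added example that is not part of the original thread. The pool 203.0.113.0/24, the function names, and the "discard" route for the whole pool on MT3 (a general null-route technique, not RouterOS syntax taken from the thread) are assumptions; the TTL clamp is simplified to apply on arrival at MT2.

```python
import ipaddress

POOL = ipaddress.ip_network("203.0.113.0/24")   # constructed PPPoE client pool
DEFAULT = ipaddress.ip_network("0.0.0.0/0")

def lookup(table, dst):
    """Longest-prefix match: the most specific matching route wins."""
    matches = [(net, hop) for net, hop in table.items() if dst in net]
    return max(matches, key=lambda m: m[0].prefixlen)[1]

def build_tables(sessions, discard_pool_on_mt3=False):
    """Static routing as described in the thread; sessions = connected PPPoE IPs."""
    mt2 = {DEFAULT: "MT1", POOL: "MT3"}      # static route: the pool is behind MT3
    mt3 = {DEFAULT: "MT2"}                   # default gateway points back at MT2
    for ip in sessions:                      # a /32 exists only while the session is up
        mt3[ipaddress.ip_network(f"{ip}/32")] = "client"
    if discard_pool_on_mt3:
        mt3[POOL] = "discard"                # less specific than any live /32
    return {"MT2": mt2, "MT3": mt3}

def link_crossings(dst, tables, ttl=60, clamp_at_mt2=None):
    """Count how often one packet entering at MT2 crosses the MT2-MT3 link."""
    dst, router, crossings = ipaddress.ip_address(dst), "MT2", 0
    if clamp_at_mt2 is not None:
        ttl = min(ttl, clamp_at_mt2)         # the "set TTL" mangle rule, simplified
    while True:
        ttl -= 1                             # every router decrements TTL
        if ttl <= 0:
            return crossings, "ttl-expired"
        hop = lookup(tables[router], dst)
        if hop not in tables:                # delivered, discarded, or left via MT1
            return crossings, hop
        crossings += 1
        router = hop
```

With the session down, one packet that reaches MT2 with TTL 60 crosses the link 59 times; the TTL clamp bounds that to 2, and the pool-wide discard route on MT3 ends it after the single crossing while leaving connected clients' /32 routes untouched.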