pokeman
Member Candidate
Topic Author
Posts: 136
Joined: Fri Jun 05, 2009 10:52 pm

critical issue 98mb flood packets

Fri Jan 18, 2008 9:03 pm

Dear all,

This is a critical issue: my LAN interface is blocked. Then I sniffed the packets; here are the details.

How do I block these packets from my LAN interface?


0 0.26 ether1 10.0.6.253:1377 218.30.20.210:5909 udp 1052
1 0.26 ether1 10.0.6.253:1383 218.30.20.210:5909 udp 1052
2 0.26 ether1 10.0.6.253:1395 218.30.20.210:5909 udp 1052
3 0.26 ether1 10.0.6.253:1372 218.30.20.210:5909 udp 1052
4 0.27 ether1 10.0.6.253:1388 218.30.20.210:5909 udp 1052
5 0.27 ether1 10.0.6.253:1374 218.30.20.210:5909 udp 1052
6 0.27 ether1 10.0.6.253:1376 218.30.20.210:5909 udp 1052
7 0.27 ether1 10.0.6.253:1369 218.30.20.210:5909 udp 1052
8 0.27 ether1 10.0.6.253:1378 218.30.20.210:5909 udp 1052
9 0.27 ether1 10.0.6.253:1385 218.30.20.210:5909 udp 1052

Detail:

time=4294967.288 src-mac-address=00:08:74:C7:9E:49 dst-mac-address=00:07:E9:0D:F3:CB interface=ether1
src-address=10.0.6.253:1392 dst-address=218.30.20.210:5909 protocol=ip ip-protocol=udp size=1052 ip-packet-size=1052
ip-header-size=20 tos=0 identification=54751 fragment-offset=0 ttl=128

2 time=4294967.288 src-mac-address=00:08:74:C7:9E:49 dst-mac-address=00:07:E9:0D:F3:CB interface=ether1
src-address=10.0.6.253:1392 dst-address=218.30.20.210:5909 protocol=ip ip-protocol=udp size=1052 ip-packet-size=1052
ip-header-size=20 tos=0 identification=54752 fragment-offset=0 ttl=128

3 time=4294967.288 src-mac-address=00:08:74:C7:9E:49 dst-mac-address=00:07:E9:0D:F3:CB interface=ether1
src-address=10.0.6.253:1374 dst-address=218.30.20.210:5909 protocol=ip ip-protocol=udp size=1052 ip-packet-size=1052
ip-header-size=20 tos=0 identification=54753 fragment-offset=0 ttl=128


Raw packets:

0 time=4294967.262 src-mac-address=00:08:74:C7:9E:49 dst-mac-address=00:07:E9:0D:F3:CB interface=ether1
data="4500 041c c786 0000 8011 6f5d 0a00 06fd da1e 14d2 0569 1715 0408 18b0 6161 6161 6161 6161 6161 6161 6161 6161
6161 6161 6161 6161 6161 6161 6161 6161 6161 6161 6161 6161 6161 6161 6161 6161 6161 6161 6161 6161 6161 6161 6161
6161 6161 6161 6161 6161 6161 6161 6161 6161 6161 6161 6161 6161 6161 6161 6161 6161 6161 6161 6161 6161 6161 6161
6161 6161 6161 6161 6161 6161 6161 6161 6161 6161 6161 6161 6161 6161 6161 6161 6161 6161 6161 6161 6161 6161 6161
6161 6161 6161 6161 6161 6161 6161 6161 6161 6161 6161 6161 6161 6161 6161 6161 6161 6161 6161 6161 6161 6161 6161
6161 6161 6161 6161 6161 6161 6161 6161 6161 6161 6161 6161 6161 6161 6161 6161 6161 6161 6161 6161 6161 6161 6161
6161 6161 6161 6161 6161 6161 6161 6161 6161 6161 6161 6161 6161 6161 6161 6161 6161 6161 6161 6161 6161 6161 6161
6161 6161 6161 6161 6161 6161 6161 6161 6161 6161 6161 6161 6161 6161 6161 6161 6161 6161 6161 6161 6161 \00"
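As an added example (not part of pokeman's post and not a MikroTik tool), the Python script below decodes the raw packet hex quoted above into its IPv4 and UDP header fields, verifies the IP header checksum, and runs a simple flood heuristic over the sniffer summary lines: many packets from one source to one destination port within a fraction of a second, each from a different source port and all of the same size. The hex words and the sniffer lines are copied from the post; the `find_floods` thresholds and the function names are assumptions made for this example.

```python
"""Decode the raw IPv4/UDP packet and summarise the sniffer output quoted above.

Added example, not part of the original post. The hex words and the sniffer
summary lines are copied from the post; the flood thresholds are assumptions.
"""
import struct
from collections import defaultdict

# Sniffer summary lines as quoted in the post (constructed copy):
# index, time, interface, src:port, dst:port, protocol, size.
SNIFFER_LINES = """\
0 0.26 ether1 10.0.6.253:1377 218.30.20.210:5909 udp 1052
1 0.26 ether1 10.0.6.253:1383 218.30.20.210:5909 udp 1052
2 0.26 ether1 10.0.6.253:1395 218.30.20.210:5909 udp 1052
3 0.26 ether1 10.0.6.253:1372 218.30.20.210:5909 udp 1052
4 0.27 ether1 10.0.6.253:1388 218.30.20.210:5909 udp 1052
5 0.27 ether1 10.0.6.253:1374 218.30.20.210:5909 udp 1052
6 0.27 ether1 10.0.6.253:1376 218.30.20.210:5909 udp 1052
7 0.27 ether1 10.0.6.253:1369 218.30.20.210:5909 udp 1052
8 0.27 ether1 10.0.6.253:1378 218.30.20.210:5909 udp 1052
9 0.27 ether1 10.0.6.253:1385 218.30.20.210:5909 udp 1052
"""

# Leading words of the raw packet hex from the post: 20-byte IPv4 header,
# 8-byte UDP header, then the start of the 0x61 ("a") filler payload.
RAW_HEX = ("4500 041c c786 0000 8011 6f5d 0a00 06fd da1e 14d2 "
           "0569 1715 0408 18b0 6161 6161")


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 one's-complement sum; returns 0 when the embedded checksum is correct."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(int.from_bytes(header[i:i + 2], "big")
                for i in range(0, len(header), 2))
    while total >> 16:  # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_ipv4_udp(hex_words: str) -> dict:
    """Decode an IPv4+UDP packet given as space-separated hex words."""
    raw = bytes.fromhex(hex_words.replace(" ", ""))
    (ver_ihl, tos, total_len, ident, flags_frag, ttl, proto, _csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", raw[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or proto != 17:
        raise ValueError("not an IPv4/UDP packet")
    src_port, dst_port, udp_len, _udp_csum = struct.unpack("!HHHH", raw[ihl:ihl + 8])
    return {
        "ihl": ihl,
        "tos": tos,
        "total_length": total_len,
        "identification": ident,
        "fragment_offset": flags_frag & 0x1FFF,
        "ttl": ttl,
        "protocol": proto,
        "header_checksum_ok": ipv4_checksum(raw[:ihl]) == 0,
        "src": ".".join(str(b) for b in src),
        "dst": ".".join(str(b) for b in dst),
        "src_port": src_port,
        "dst_port": dst_port,
        "udp_length": udp_len,
        "payload_length": total_len - ihl - 8,
    }


def parse_sniffer(text: str) -> list:
    """Turn the seven-column sniffer summary into a list of dicts."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 7:
            continue
        _idx, t, iface, src, dst, proto, size = parts
        src_ip, src_port = src.rsplit(":", 1)
        dst_ip, dst_port = dst.rsplit(":", 1)
        records.append({"time": float(t), "iface": iface, "src_ip": src_ip,
                        "src_port": int(src_port), "dst_ip": dst_ip,
                        "dst_port": int(dst_port), "proto": proto, "size": int(size)})
    return records


def find_floods(records: list, min_packets: int = 5, max_window: float = 1.0) -> list:
    """Flag (src, dst, dst_port, proto) groups sending at least min_packets
    within max_window seconds. Thresholds are assumptions for this example."""
    groups = defaultdict(list)
    for r in records:
        groups[(r["src_ip"], r["dst_ip"], r["dst_port"], r["proto"])].append(r)
    floods = []
    for (src_ip, dst_ip, dst_port, proto), pkts in groups.items():
        times = [p["time"] for p in pkts]
        span = max(times) - min(times)
        if len(pkts) >= min_packets and span <= max_window:
            floods.append({"src_ip": src_ip, "dst_ip": dst_ip, "dst_port": dst_port,
                           "proto": proto, "packets": len(pkts),
                           "distinct_src_ports": len({p["src_port"] for p in pkts}),
                           "sizes": sorted({p["size"] for p in pkts}),
                           "span_seconds": round(span, 2)})
    return floods


if __name__ == "__main__":
    print(parse_ipv4_udp(RAW_HEX))
    for flood in find_floods(parse_sniffer(SNIFFER_LINES)):
        print(flood)
```

The decoded header confirms what the summary already hints at: a single LAN host (10.0.6.253) sending 1052-byte UDP datagrams with a TTL of 128 and a payload of 1024 filler bytes, cycling through source ports, ten of them within 0.01 s. A valid IP checksum and a clean payload of repeated "a" bytes is what a host-side flooding process produces, which is why the replies below focus on finding and isolating that machine rather than only filtering at the router.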
 
JJCinAZ
Member
Posts: 473
Joined: Fri Oct 22, 2004 8:03 am
Location: Tucson, AZ

Re: critical issue 98mb flood packets

Fri Jan 18, 2008 10:30 pm

Looks like 10.0.6.253 has a process going haywire. I'd go find that machine and pull the Ethernet. You can also add a rule in the forward chain:

/ip firewall filter add chain=forward src-address=10.0.6.253 action=drop place-before=1

Note that you need to have done a:

/ip firewall filter print forward

before you do the add above, else the place-before parameter will not work.
 
pokeman
Member Candidate
Topic Author
Posts: 136
Joined: Fri Jun 05, 2009 10:52 pm

Re: critical issue 98mb flood packets

Sat Jan 19, 2008 12:06 am

I just set this mangle rule:

Mangle rule:
chain=prerouting tos=normal packet-size=1052 action=mark-packet new-packet-mark=DROPITHBO passthrough=yes

Firewall rules:

chain=forward packet-mark=DROPITHBO action=drop
chain=input packet-mark=DROPITHBO action=drop

After this rule my system goes to 100% when the attack hits the machine. After this my WAN interface goes normal, but my LAN interface RX rate is 40 to 50 mb.
 
pokeman
Member Candidate
Topic Author
Posts: 136
Joined: Fri Jun 05, 2009 10:52 pm

Re: critical issue 98mb flood packets

Mon Jan 21, 2008 3:32 pm

Hello MT,

Does nobody have any clue about this issue?
 
Ozelo
Member
Posts: 338
Joined: Fri Jun 02, 2006 3:56 am

Re: critical issue 98mb flood packets

Mon Jan 21, 2008 4:14 pm

I think that you should use just an IP firewall rule on the "forward" chain if it is not a local address, or "input" if it is indeed a local address. This is enough to stop the flood going anywhere other than the router in question until you find which abnormal machine is doing this. However, if your router is still suffering from dropping the flood, you may consider new Ethernet hardware which doesn't load as much, i.e. server adapters.
MTCRE - 1104RE006
MTCINE - 1104INE001
 
pokeman
Member Candidate
Topic Author
Posts: 136
Joined: Fri Jun 05, 2009 10:52 pm

Re: critical issue 98mb flood packets

Tue Jan 22, 2008 9:49 am

Thanks for your suggestion!
 
pokeman
Member Candidate
Topic Author
Posts: 136
Joined: Fri Jun 05, 2009 10:52 pm

Re: critical issue 98mb flood packets

Sat Jan 26, 2008 8:31 am

Again an attack!!!

I already made this rule:
/ip firewall mangle print
chain=prerouting tos=normal packet-size=1052 action=mark-packet new-packet-mark=DROPITHBO passthrough=no

/ip firewall filter print
chain=forward packet-mark=DROPITHBO action=drop
 
npbrasil
Frequent Visitor
Posts: 83
Joined: Wed Jun 02, 2004 8:50 am

Re: critical issue 98mb flood packets

Sat Jan 26, 2008 1:41 pm

Hi pokeman, try reject instead of drop. The cpu usage should decrease, but the most important: find the attacker.
 
pokeman
Member Candidate
Topic Author
Posts: 136
Joined: Fri Jun 05, 2009 10:52 pm

Re: critical issue 98mb flood packets

Sun Jan 27, 2008 1:36 pm

No result; the attacker is still on my interface. Is there any way to limit this attacker's packets? These are UDP packets; actually the user is infected with the BHO virus.
 
npbrasil
Frequent Visitor
Posts: 83
Joined: Wed Jun 02, 2004 8:50 am

Re: critical issue 98mb flood packets

Sun Jan 27, 2008 4:04 pm

Post the topology of the network.
 
pokeman
Member Candidate
Topic Author
Posts: 136
Joined: Fri Jun 05, 2009 10:52 pm

Re: critical issue 98mb flood packets

Sun Jan 27, 2008 6:44 pm

Hi mate,
 
Diganet
Member
Posts: 349
Joined: Sun Oct 30, 2005 9:30 pm
Location: Denmark

Re: critical issue 98mb flood packets

Sun Jan 27, 2008 11:45 pm

Hi mate,
You can't block UDP from coming into your interface; you only control what's coming through your router. This has to be done at the switch. If you had the users on different VLANs you could just remove the GW IP address from your router and the packets would have nowhere to travel, but I guess all the users are on the same subnet and you don't know where to find this particular user? If these switches are manageable you could telnet into them and find the port with 100% utilization and shut it down.

Regards

Henrik
