
critical issue 98mb flood packets

Posted: Fri Jan 18, 2008 9:03 pm
by pokeman
Dear all,

This is a critical issue: my LAN interface is blocked. Then I sniffed the packets; here are the details.

How do I block these packets on my LAN interface?


#  time  interface  src-address      dst-address         ip-protocol  size
0  0.26  ether1     10.0.6.253:1377  218.30.20.210:5909  udp          1052
1  0.26  ether1     10.0.6.253:1383  218.30.20.210:5909  udp          1052
2  0.26  ether1     10.0.6.253:1395  218.30.20.210:5909  udp          1052
3  0.26  ether1     10.0.6.253:1372  218.30.20.210:5909  udp          1052
4  0.27  ether1     10.0.6.253:1388  218.30.20.210:5909  udp          1052
5  0.27  ether1     10.0.6.253:1374  218.30.20.210:5909  udp          1052
6  0.27  ether1     10.0.6.253:1376  218.30.20.210:5909  udp          1052
7  0.27  ether1     10.0.6.253:1369  218.30.20.210:5909  udp          1052
8  0.27  ether1     10.0.6.253:1378  218.30.20.210:5909  udp          1052
9  0.27  ether1     10.0.6.253:1385  218.30.20.210:5909  udp          1052

detail

time=4294967.288 src-mac-address=00:08:74:C7:9E:49 dst-mac-address=00:07:E9:0D:F3:CB interface=ether1
src-address=10.0.6.253:1392 dst-address=218.30.20.210:5909 protocol=ip ip-protocol=udp size=1052 ip-packet-size=1052
ip-header-size=20 tos=0 identification=54751 fragment-offset=0 ttl=128

2 time=4294967.288 src-mac-address=00:08:74:C7:9E:49 dst-mac-address=00:07:E9:0D:F3:CB interface=ether1
src-address=10.0.6.253:1392 dst-address=218.30.20.210:5909 protocol=ip ip-protocol=udp size=1052 ip-packet-size=1052
ip-header-size=20 tos=0 identification=54752 fragment-offset=0 ttl=128

3 time=4294967.288 src-mac-address=00:08:74:C7:9E:49 dst-mac-address=00:07:E9:0D:F3:CB interface=ether1
src-address=10.0.6.253:1374 dst-address=218.30.20.210:5909 protocol=ip ip-protocol=udp size=1052 ip-packet-size=1052
ip-header-size=20 tos=0 identification=54753 fragment-offset=0 ttl=128


raw packets

0 time=4294967.262 src-mac-address=00:08:74:C7:9E:49 dst-mac-address=00:07:E9:0D:F3:CB interface=ether1
data="4500 041c c786 0000 8011 6f5d 0a00 06fd da1e 14d2 0569 1715 0408 18b0 6161 6161 6161 6161 6161 6161 6161 6161
6161 6161 6161 6161 6161 6161 6161 6161 6161 6161 6161 6161 6161 6161 6161 6161 6161 6161 6161 6161 6161 6161 6161
6161 6161 6161 6161 6161 6161 6161 6161 6161 6161 6161 6161 6161 6161 6161 6161 6161 6161 6161 6161 6161 6161 6161
6161 6161 6161 6161 6161 6161 6161 6161 6161 6161 6161 6161 6161 6161 6161 6161 6161 6161 6161 6161 6161 6161 6161
6161 6161 6161 6161 6161 6161 6161 6161 6161 6161 6161 6161 6161 6161 6161 6161 6161 6161 6161 6161 6161 6161 6161
6161 6161 6161 6161 6161 6161 6161 6161 6161 6161 6161 6161 6161 6161 6161 6161 6161 6161 6161 6161 6161 6161 6161
6161 6161 6161 6161 6161 6161 6161 6161 6161 6161 6161 6161 6161 6161 6161 6161 6161 6161 6161 6161 6161 6161 6161
6161 6161 6161 6161 6161 6161 6161 6161 6161 6161 6161 6161 6161 6161 6161 6161 6161 6161 6161 6161 6161 \00"

Re: critical issue 98mb flood packets

Posted: Fri Jan 18, 2008 10:30 pm
by JJCinAZ
Looks like 10.0.6.253 has a process going haywire. I'd go find that machine and pull the Ethernet. You can also add a rule in the forward chain:

/ip firewall filter add chain=forward src-address=10.0.6.253 action=drop place-before=1

Note that you need to have done a:

/ip firewall filter print where chain=forward

before you do the add above, else the place-before parameter will not work.

Re: critical issue 98mb flood packets

Posted: Sat Jan 19, 2008 12:06 am
by pokeman
I just set this mangle rule:
**** Mangle rule
chain=prerouting tos=normal packet-size=1052 action=mark-packet new-packet-mark=DROPITHBO passthrough=yes
***** Firewall rules

chain=forward packet-mark=DROPITHBO action=drop
chain=input packet-mark=DROPITHBO action=drop

After this rule my system goes to 100% when the attack hits the machine. After this my WAN interface goes back to normal, but my LAN interface RX rate is 40 to 50 Mb.

Re: critical issue 98mb flood packets

Posted: Mon Jan 21, 2008 3:32 pm
by pokeman
Hello MT,

Does nobody have any clue about this issue?

Re: critical issue 98mb flood packets

Posted: Mon Jan 21, 2008 4:14 pm
by Ozelo
I think that you should use just an IP firewall rule on the "forward" chain if it is not a local address, or "input" if it is indeed a local address. This is enough to stop the flood going anywhere other than the router in question until you find out what the abnormal machine is doing. However, if your router is still suffering with the flood dropping, you may consider new Ethernet hardware which doesn't load that much, i.e. server adapters.

Re: critical issue 98mb flood packets

Posted: Tue Jan 22, 2008 9:49 am
by pokeman
thanks for your suggestion !

Re: critical issue 98mb flood packets

Posted: Sat Jan 26, 2008 8:31 am
by pokeman
Attack again!!!

I already made this rule:
/ip firewall mangle print
chain=prerouting tos=normal packet-size=1052 action=mark-packet new-packet-mark=DROPITHBO passthrough=no

/ip firewall filter print
chain=forward packet-mark=DROPITHBO action=drop

Re: critical issue 98mb flood packets

Posted: Sat Jan 26, 2008 1:41 pm
by npbrasil
Hi pokeman, try reject instead of drop. The CPU usage should decrease, but the most important thing: find the attacker.

Re: critical issue 98mb flood packets

Posted: Sun Jan 27, 2008 1:36 pm
by pokeman
No result, the attacker is still on my interface. Is there any way to limit this attacker's packets? These are UDP packets; actually the user is infected with a BHO virus.

Re: critical issue 98mb flood packets

Posted: Sun Jan 27, 2008 4:04 pm
by npbrasil
Post the topology of the network.

Re: critical issue 98mb flood packets

Posted: Sun Jan 27, 2008 6:44 pm
by pokeman
hi mate

Re: critical issue 98mb flood packets

Posted: Sun Jan 27, 2008 11:45 pm
by Diganet
Hi mate,
You can't block UDP from coming into your interface; you only control what's coming through your router. This has to be done at the switch. If you had the users on different VLANs you could just remove the gateway IP address from your router and the packets would have nowhere to travel, but I guess all the users are on the same subnet and you don't know where to find this particular user? If these switches are manageable you could telnet into them, find the port with 100% utilization and shut it down.

Regards

Henrik
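Finding the port, as suggested above, starts from the source MAC in the sniffer detail records posted at the top of the thread: that address is what you look up in the switch's MAC table. The following is an added example in Python, not part of the thread: it parses RouterOS "/tool sniffer packet print detail" records (the three posted records are embedded with their wrapped lines; records 4 and 5 are constructed for a second, normally behaving host), aggregates packets and bytes per source MAC and IP, and groups packets by the (source, destination, protocol, size) signature the thread's mangle rule approximates with packet-size=1052 alone. Function names and the constructed records are the example's own.

```python
"""Summarise RouterOS '/tool sniffer packet print detail' output by sender.

Added example, not part of the thread. The first three records are the ones
posted above, kept with their wrapped lines; records 4 and 5 are constructed
for a second, normally behaving host so the flood source stands out. The
source MAC is the value to look up in the switch's MAC address table.
"""
from __future__ import annotations

import re
from collections import defaultdict

SNIFFER_DETAIL = """\
time=4294967.288 src-mac-address=00:08:74:C7:9E:49 dst-mac-address=00:07:E9:0D:F3:CB interface=ether1
src-address=10.0.6.253:1392 dst-address=218.30.20.210:5909 protocol=ip ip-protocol=udp size=1052 ip-packet-size=1052
ip-header-size=20 tos=0 identification=54751 fragment-offset=0 ttl=128

2 time=4294967.288 src-mac-address=00:08:74:C7:9E:49 dst-mac-address=00:07:E9:0D:F3:CB interface=ether1
src-address=10.0.6.253:1392 dst-address=218.30.20.210:5909 protocol=ip ip-protocol=udp size=1052 ip-packet-size=1052
ip-header-size=20 tos=0 identification=54752 fragment-offset=0 ttl=128

3 time=4294967.288 src-mac-address=00:08:74:C7:9E:49 dst-mac-address=00:07:E9:0D:F3:CB interface=ether1
src-address=10.0.6.253:1374 dst-address=218.30.20.210:5909 protocol=ip ip-protocol=udp size=1052 ip-packet-size=1052
ip-header-size=20 tos=0 identification=54753 fragment-offset=0 ttl=128

4 time=4294967.301 src-mac-address=00:11:22:33:44:55 dst-mac-address=00:07:E9:0D:F3:CB interface=ether1
src-address=10.0.6.17:53211 dst-address=10.0.6.1:53 protocol=ip ip-protocol=udp size=78 ip-packet-size=78
ip-header-size=20 tos=0 identification=1001 fragment-offset=0 ttl=64

5 time=4294967.302 src-mac-address=00:11:22:33:44:55 dst-mac-address=00:07:E9:0D:F3:CB interface=ether1
src-address=10.0.6.17:49160 dst-address=192.0.2.10:80 protocol=ip ip-protocol=tcp size=60 ip-packet-size=60
ip-header-size=20 tos=0 identification=1002 fragment-offset=0 ttl=64
"""
# Records 4 and 5 above are constructed; records 1-3 are from the post.

KV_RE = re.compile(r'([\w-]+)=("[^"]*"|\S+)')


def parse_records(text: str) -> list[dict]:
    """One record per blank-line-separated block. The leading item number and
    the line wrapping are stripped; quoted values (such as data="...") keep spaces."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        joined = " ".join(line.strip() for line in block.splitlines())
        joined = re.sub(r"^\d+\s+", "", joined)  # drop the item number if present
        rec = {k: v.strip('"') for k, v in KV_RE.findall(joined)}
        if rec:
            records.append(rec)
    return records


def split_endpoint(value: str) -> tuple[str, int | None]:
    """'10.0.6.253:1392' -> ('10.0.6.253', 1392); a bare address gets port None."""
    host, sep, port = value.rpartition(":")
    if sep and port.isdigit():
        return host, int(port)
    return value, None


def top_talkers(records: list[dict]) -> list[tuple[tuple[str, str], dict]]:
    """Packets and bytes per (src-mac-address, src-ip), busiest first."""
    totals: dict[tuple[str, str], dict] = defaultdict(lambda: {"packets": 0, "bytes": 0})
    for rec in records:
        src_ip, _ = split_endpoint(rec.get("src-address", ""))
        key = (rec.get("src-mac-address", "?"), src_ip)
        totals[key]["packets"] += 1
        totals[key]["bytes"] += int(rec.get("size", 0))
    return sorted(totals.items(), key=lambda item: item[1]["packets"], reverse=True)


def flood_signatures(records: list[dict], min_packets: int = 3) -> dict[tuple, int]:
    """Count packets per (src-ip, dst-address:port, ip-protocol, size). A single
    group dominating the capture is what the thread's packet-size=1052 rule
    relies on; matching src-address and dst-address:port as well is far more
    specific and will not catch unrelated 1052-byte traffic."""
    groups: dict[tuple, int] = defaultdict(int)
    for rec in records:
        src_ip, _ = split_endpoint(rec.get("src-address", ""))
        sig = (src_ip, rec.get("dst-address"), rec.get("ip-protocol"), int(rec.get("size", 0)))
        groups[sig] += 1
    return {sig: n for sig, n in groups.items() if n >= min_packets}


if __name__ == "__main__":
    recs = parse_records(SNIFFER_DETAIL)
    for (mac, ip), stats in top_talkers(recs):
        print(f"{mac} {ip:<15} packets={stats['packets']} bytes={stats['bytes']}")
    for sig, n in flood_signatures(recs).items():
        print("flood signature:", sig, "x", n)
```

On a real capture, run the sniffer for a few seconds, paste the detail output into SNIFFER_DETAIL, and take the top MAC to the switch; on a managed switch the MAC table gives the port directly, which is quicker than hunting for the interface at 100% utilization.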