packet len 64020 ?!

Posted: Sun Apr 06, 2008 3:17 am
by marko_bg
First, I found an ICMP packet of len 64020 (6,4 MB) in the router.
Is this (I think it is) a DDoS attack?!

Then I decided to block every packet over 1500.
Can this cause problems for some normal traffic?
Because I see some packets over 1500, but not many.

BTW, we use PPPoE, with MTU/MRU 1492/1492, over wire and wireless.

Re: packet len 64020 ?!

Posted: Sun Apr 06, 2008 4:24 am
by marko_bg
I made rules for !0-1500 log and drop, but the rules log and drop 1498, 1486?!

Is this a bug?

v3.6

Re: packet len 64020 ?!

Posted: Mon Apr 07, 2008 8:54 am
by normis
Are you sure it's ICMP? In support you wrote us that it's UDP ...

Re: packet len 64020 ?!

Posted: Mon Apr 07, 2008 11:58 am
by marko_bg
First I saw traffic from 1 user (I think it is a virus) to the internet, and this was ICMP (upload) len 64020 (pic1). He reinstalled the OS, and this traffic is gone.

Then I blocked packages over 1500. After that, I saw packages over 1500 in the log on 3-4 routers, and these are UDP (I think p2p), from 1600-5000 length (some are in pic2).

Only 4-5 users have this traffic.
Many users use p2p 100% of the time on the net, but never have this traffic (over 1500).

Re: packet len 64020 ?!

Posted: Mon Apr 07, 2008 12:55 pm
by marko_bg
Is it safe to block these packages with >1500 len, but with no effect on normal use of the internet?

Re: packet len 64020 ?!

Posted: Mon Apr 07, 2008 1:16 pm
by normis
You can't block them, because they will arrive in fragments.
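
The fragmentation described in the reply above, worked through for the thread's numbers (a 64020-byte datagram on a PPPoE link with MTU 1492). This is an added example, not part of the original thread; the function names are illustrative and a 20-byte IPv4 header without options is assumed.

```python
IP_HEADER = 20  # assumption: IPv4 header without options


def fragment(total_len, mtu):
    """Split an IPv4 datagram of total_len bytes into fragments that fit mtu.

    Returns a list of (offset_in_8_byte_units, fragment_total_len, more_fragments).
    """
    payload = total_len - IP_HEADER
    # Every fragment except the last must carry a multiple of 8 payload bytes,
    # because the fragment offset field counts in 8-byte units.
    step = (mtu - IP_HEADER) // 8 * 8
    frags = []
    pos = 0
    while pos < payload:
        chunk = min(step, payload - pos)
        more = pos + chunk < payload
        frags.append((pos // 8, chunk + IP_HEADER, more))
        pos += chunk
    return frags


def reassembled_len(frags):
    """Original datagram length, known once the fragment with MF=0 is seen."""
    for offset, length, more in frags:
        if not more:
            return offset * 8 + length
    return None  # final fragment not seen yet


def oversize_hits(frags, limit=1500):
    """Fragments that a per-packet 'length > limit' match would catch."""
    return [f for f in frags if f[1] > limit]


if __name__ == "__main__":
    frags = fragment(64020, 1492)  # values taken from the thread
    print("fragments on the wire:", len(frags))
    print("first:", frags[0], "last:", frags[-1])
    print("fragments longer than 1500:", len(oversize_hits(frags)))
    print("length after reassembly:", reassembled_len(frags))
```

No single fragment exceeds the MTU, so a length match applied to individual fragments never fires; the oversized length is only visible where the datagram has been reassembled.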

Re: packet len 64020 ?!

Posted: Mon Apr 07, 2008 1:46 pm
by marko_bg
I wish to block only possible viruses, DDoS, etc...

and I made a rule: all !0-1500 drop ...
and the router is dropping these packages, in pic2.

I wonder, am I blocking normal traffic to users?
Because I do not wish to block normal traffic.

MT support told me: You can block ICMP >1500 for sure, but don't recommend to do it for other traffic.

Re: packet len 64020 ?!

Posted: Mon Apr 07, 2008 2:27 pm
by normis
Cross-posting in support and forum is not a good idea, because you talk to the same person in two places.

Re: packet len 64020 ?!

Posted: Mon Apr 07, 2008 3:32 pm
by marko_bg
I know,

but I think maybe some MT users have some ideas for this.