Robert-
I used several ideas that were offered on this board
to put together a general solution for this problem on
the assumption that this load balancing act is the
Internet of the future. I've noticed this happening
with UDP packets also.
I have two files: /etc/dns_tcp_floods and
/etc/dns_udp_floods.
The dns_tcp_floods looks like this:
216.220.39.42
216.35.167.58
216.34.68.2
216.33.35.214
212.78.160.237
212.23.225.98
209.249.97.40
209.225.53.254
209.225.53.253
209.225.53.252
208.184.162.71
...etc...
dns_udp_floods is similar but shorter. Haven't seen as
many. Notice how anal I've become. I sorted them in
reverse ip order so they'll show up in proper order on
the weblet. Totally unnecessary. The ip's that are
hitting you with PROTO=6 packets in your logs go into
dns_tcp_floods. PROTO=17 packets go into
dns_udp_floods.
I've placed the following code [two adjacent sections
highlighted with splats] into the
ipfilter_firewall_cfg () function of
/etc/ipfilter.conf. Grok the exact location by
context.
------------ 8< ------------
# set default policies
#
# ONLY DENY FORWARDING ETC IF YOU KNOW WHAT YOU ARE DOING! If
# you turn off the filters, the box will become opaque to any traffic!
#
ipfilter_policy DENY
# Clear any garbage rules out of the filters
ipfilter_flush
# ***************
# Block known IPs that do port 53 tcp DNS floods
# Added to block list of IPs on 7/13/2001
# One DENY rule per listed address, inserted at the head of the input
# chain: tcp from that host to any local port 53 on the external
# interface. No -l flag, so these packets are dropped without logging.
IP_LIST="`cat /etc/dns_tcp_floods`"
for IP in $IP_LIST ; do
    $IPCH -I input -j DENY -p tcp -s $IP/32 -d 0/0 53 -i $EXTERN_IF
done ; unset IP
# ***************
# ***************
# Block known IPs that do port 53 udp DNS floods
# Added to block list of IPs on 8/19/2001
# Same as above for udp (the PROTO=17 packets in the logs)
IP_LIST="`cat /etc/dns_udp_floods`"
for IP in $IP_LIST ; do
    $IPCH -I input -j DENY -p udp -s $IP/32 -d 0/0 53 -i $EXTERN_IF
done ; unset IP
# ***************
# Set up Fair Queueing classifier lists
ipfilter_fairq
------------ 8< ------------
Beware of wrapped lines!
I believe reloading the firewall rules at this point
is all you have to do. The new code will cause the dns
floods to be denied *without logging*. Right now I
have 20,000 of these packets denied in 32 days. My
system used to reboot because of them.
By the way, with a little fiddling with lrcfg, I now
have an easy menu to add new ip's as they come along.
I really can't remember if this was my addition or
another list idea. My network config menu now looks
like this:
Network configuration menu
1) Network Configuation
2) IP Filter/Firewall Rules (ACLs)
3) DNS TCP flood source IP addresses
4) DNS UDP flood source IP addresses
5) Services
6) Super server daemon configuration (inetd.conf)
7) hosts.allow
8) hosts.deny
9) networks
10) Base networking daemon start-up (inetd, portmap)
11) Networking daemon start-up (routed, etc)
12) Additional networking daemon start-up
q) quit
---------------------------------------------
Selection:
If you're interested in the exact lrcfg mods, let me
know.
Hope that helped. I hope I haven't screwed up the
facts too badly :-)
-John
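As an added example (my own script, not John's code and not part of LEAF or lrcfg), here is how the dns_tcp_floods / dns_udp_floods lists above can be built from the kernel log instead of by hand. It reads ipchains "Packet log:" lines in the 2.2-kernel format Robert posted (PROTO=N src:port dst:port ...), keeps only denied packets aimed at port 53, splits them by protocol number, and also counts packets per source so the "16 packets each" pattern is visible. The function names, the sample log lines beyond the three taken from Robert's mail, and the output directory argument are this example's own choices.

```shell
#!/bin/sh
# Added example, not John's code and not part of LEAF/lrcfg: build the
# dns_tcp_floods / dns_udp_floods lists from ipchains "Packet log" lines.
# Assumes the 2.2-kernel ipchains log format shown in Robert's mail:
#   ... Packet log: input DENY eth0 PROTO=6 SRC:PORT DST:PORT L=44 ...
# Function names and the sample log below are this example's own.

# dns_flood_packets LOGFILE PROTO
# Print the source IP of every logged packet with protocol number PROTO
# (6 = tcp, 17 = udp) whose destination port is 53, one line per packet.
dns_flood_packets() {
    awk -v proto="$2" '
        /Packet log:/ {
            p = ""; src = ""; dst = ""
            # locate PROTO=N; the next two fields are src:port and dst:port
            for (i = 1; i <= NF; i++)
                if ($i ~ /^PROTO=/) { p = substr($i, 7); src = $(i + 1); dst = $(i + 2) }
            if (p != proto) next
            if (split(dst, d, ":") == 2 && d[2] == "53") {
                split(src, s, ":")
                print s[1]
            }
        }' "$1"
}

# dns_flood_sources LOGFILE PROTO
# Unique sources, in the reverse dotted-quad order John keeps his files in.
dns_flood_sources() {
    dns_flood_packets "$1" "$2" |
        sort -t . -k1,1nr -k2,2nr -k3,3nr -k4,4nr | uniq
}

# dns_flood_counts LOGFILE PROTO
# Packets per source, busiest first, as "COUNT IP".
dns_flood_counts() {
    dns_flood_packets "$1" "$2" | sort | uniq -c | sort -rn |
        awk '{ print $1, $2 }'
}

# write_flood_lists LOGFILE DIR
# Write DIR/dns_tcp_floods and DIR/dns_udp_floods. With DIR=/etc these
# are the files the loops in ipfilter_firewall_cfg read; reload the
# firewall rules afterwards.
write_flood_lists() {
    dns_flood_sources "$1" 6  > "$2/dns_tcp_floods"
    dns_flood_sources "$1" 17 > "$2/dns_udp_floods"
}

# Constructed sample log: three lines from Robert's mail, one constructed
# udp packet, and one constructed packet to port 80 that must be ignored.
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
Oct 25 15:51:01 firewall kernel: Packet log: input DENY eth0 PROTO=6 64.14.200.154:17181 64.171.17.149:53 L=44 S=0x00 I=0 F=0x0000 T=245 (#41)
Oct 25 15:51:01 firewall kernel: Packet log: input DENY eth0 PROTO=6 209.249.97.40:60302 64.171.17.149:53 L=44 S=0x00 I=0 F=0x0000 T=245 (#41)
Oct 25 15:51:01 firewall kernel: Packet log: input DENY eth0 PROTO=6 209.249.97.40:60303 64.171.17.149:53 L=44 S=0x00 I=0 F=0x0000 T=245 (#41)
Oct 25 15:51:02 firewall kernel: Packet log: input DENY eth0 PROTO=17 208.184.162.71:15070 64.171.17.149:53 L=60 S=0x00 I=0 F=0x0000 T=246 (#41)
Oct 25 15:51:02 firewall kernel: Packet log: input DENY eth0 PROTO=6 203.208.128.70:32687 64.171.17.149:80 L=44 S=0x00 I=0 F=0x0000 T=241 (#41)
EOF

# Stand-alone demo: tcp flood sources, then per-source packet counts.
dns_flood_sources "$SAMPLE_LOG" 6
dns_flood_counts "$SAMPLE_LOG" 6
```

Run it against /var/log/messages (or wherever klogd writes on your box) with write_flood_lists, diff the result against the existing /etc files before replacing them, and remember that the lists only grow: a source that appears once is blocked until you prune the file.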
--- Robert Williams <[EMAIL PROTECTED]> wrote:
> This afternoon I received 292 log items in 6 seconds. I know
> that port 53 is related to DNS but beyond that I am fairly
> naive. The log analyzer at
> http://www.echogent.com/cgi-bin/fwlog.pl did not have anything
> specific to say about these. It is interesting to me that all
> 18 of the ips that sent packets did so all within 6 seconds,
> most of them sending exactly 16 packets each. Any help
> diagnosing this would be helpful. If they are harmless I will
> just make up an ipchains rule to not log them. I am using
> Dachstein rc2.
> Thanks for any insight.
> Robert Williams
>
>
> 292
> Oct 25 15:51:01 firewall kernel: Packet log: input DENY eth0 PROTO=6 64.14.200.154:17181 64.171.17.149:53 L=44 S=0x00 I=0 F=0x0000 T=245 (#41)
> Oct 25 15:51:01 firewall kernel: Packet log: input DENY eth0 PROTO=6 209.249.97.40:60302 64.171.17.149:53 L=44 S=0x00 I=0 F=0x0000 T=245 (#41)
> Oct 25 15:51:01 firewall kernel: Packet log: input DENY eth0 PROTO=6 208.184.162.71:15070 64.171.17.149:53 L=44 S=0x00 I=0 F=0x0000 T=246 (#41)
>
> <snip>
>
> Oct 25 15:51:07 firewall kernel: Packet log: input DENY eth0 PROTO=6 202.139.133.129:16725 64.171.17.149:53 L=44 S=0x00 I=0 F=0x0000 T=243 (#41)
> Oct 25 15:51:07 firewall kernel: Packet log: input DENY eth0 PROTO=6 203.208.128.70:32687 64.171.17.149:53 L=44 S=0x00 I=0 F=0x0000 T=241 (#41)
>
> List of offending IPs
> 194.205.125.26
> 194.213.64.150
> 202.139.133.129
> 203.194.166.182
> 203.208.128.70
> 207.55.138.206
> 208.184.162.71
> 209.249.97.40
> 212.78.160.237
> 216.220.39.42
> 216.33.35.214
> 216.34.68.2
> 216.35.167.58
> 62.23.80.2
> 62.26.119.34
> 64.14.200.154
> 64.37.200.46
> 64.56.174.18
>
> 6
> 64.78.235.14
>
> _______________________________________________
> Leaf-user mailing list
> [EMAIL PROTECTED]
>
> https://lists.sourceforge.net/lists/listinfo/leaf-user