A little confirmation please. I am getting hundreds of the following
sequences in my shorewall logs:

DST=24.210.193.152 LEN=92 TOS=00 PREC=0x00 TTL=112 ID=36907
PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=36509
Dec 20 20:41:33 markii Shorewall:net2all:DROP: IN=eth0 OUT=
MAC=00:a0:c9:9c:a7:a7:00:05:74:f1:f8:54:08:00 SRC=24.209.86.205
DST=24.210.193.152 LEN=92 TOS=00 PREC=0x00 TTL=125 ID=20347
PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=54718
Dec 20 20:41:38 markii Shorewall:net2all:DROP: IN=eth0 OUT=
MAC=00:a0:c9:9c:a7:a7:00:05:74:f1:f8:54:08:00 SRC=24.207.62.11
DST=24.210.193.152 LEN=92 TOS=00 PREC=0x00 TTL=112 ID=59880
PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=13711
Dec 20 20:41:48 markii Shorewall:net2all:DROP: IN=eth0 OUT=
MAC=00:a0:c9:9c:a7:a7:00:05:74:f1:f8:54:08:00 SRC=24.209.105.55
DST=24.210.193.152 LEN=92 TOS=00 PREC=0x00 TTL=122 ID=27869
PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=40817
Dec 20 20:42:34 markii Shorewall:net2all:DROP: IN=eth0 OUT=
MAC=00:a0:c9:9c:a7:a7:00:05:74:f1:f8:54:08:00 SRC=24.213.217.55
DST=24.210.193.152 LEN=92 TOS=00 PREC=0x00 TTL=110 ID=45275
PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=26286
Dec 20 20:42:38 markii Shorewall:net2all:DROP: IN=eth0 OUT=
MAC=00:a0:c9:9c:a7:a7:00:05:74:f1:f8:54:08:00 SRC=24.210.254.13
DST=24.210.193.152 LEN=92 TOS=00 PREC=0x00 TTL=127 ID=20778
PROTO=ICMP TYPE=8 CODE=0 ID=768 SEQ=54210
Dec 20 20:42:48 markii Shorewall:net2all:DROP: IN=eth0 OUT=
MAC=00:a0:c9:9c:a7:a7:00:05:74:f1:f8:54:08:00 SRC=24.210.236.122
DST=24.210.193.152 LEN=92 TOS=00 PREC=0x00 TTL=124 ID=38120
PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=42483
Dec 20 20:42:55 markii Shorewall:net2all:DROP: IN=eth0 OUT=
MAC=00:a0:c9:9c:a7:a7:00:05:74:f1:f8:54:08:00 SRC=24.211.185.113
DST=24.210.193.152 LEN=92 TOS=00 PREC=0x00 TTL=114 ID=28125
PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=57946
Dec 20 20:43:05 markii Shorewall:net2all:DROP: IN=eth0 OUT=
MAC=00:a0:c9:9c:a7:a7:00:05:74:f1:f8:54:08:00 SRC=24.210.82.136
DST=24.210.193.152 LEN=92 TOS=00 PREC=0x00 TTL=120 ID=11961
PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=

These appear to be pings from a large number of different hosts on
the RR network. I would guess a DoS attack except that I had no
website to attack until yesterday. I have just brought a small web
server online just for personal use with no content of interest to
any hacker. Any ideas what else it could be? I think I need to add

    DROP            net             fw              icmp    8

to my rules file just to keep from logging the entries and filling up
my logs. Correct?

Thanks as always,

Kory Krofft




leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
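
To check the "large number of different hosts" reading against a whole log rather than by eye, here is an added example (not part of the original message) that re-joins the wrapped Shorewall entries and counts dropped ICMP echo requests per source and per /16. The sample input is constructed with documentation-range addresses, and the function names are this example's own.

```python
import re
from collections import Counter

# Constructed sample (documentation addresses), wrapped like the log above.
# It opens with a fragment that has lost its timestamp line, includes one
# non-ICMP entry, and ends with a cut-off SEQ= field.
SAMPLE = """\
DST=192.0.2.10 LEN=92 TTL=112 ID=36907 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=36509
Dec 20 20:41:33 fw Shorewall:net2all:DROP: IN=eth0 OUT= SRC=198.51.100.7
DST=192.0.2.10 LEN=92 TTL=125 ID=20347 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=54718
Dec 20 20:41:38 fw Shorewall:net2all:DROP: IN=eth0 OUT= SRC=198.51.100.23
DST=192.0.2.10 LEN=92 TTL=112 ID=59880 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=13711
Dec 20 20:41:40 fw Shorewall:net2all:DROP: IN=eth0 OUT= SRC=203.0.113.5
DST=192.0.2.10 LEN=48 TTL=110 ID=4411 PROTO=TCP SPT=3072 DPT=80 SYN
Dec 20 20:41:48 fw Shorewall:net2all:DROP: IN=eth0 OUT= SRC=203.0.113.9
DST=192.0.2.10 LEN=92 TTL=122 ID=27869 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=40817
Dec 20 20:42:34 fw Shorewall:net2all:DROP: IN=eth0 OUT= SRC=198.51.100.7
DST=192.0.2.10 LEN=92 TTL=125 ID=20348 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=
"""

# A log entry begins at a syslog timestamp followed by the Shorewall tag.
START = re.compile(r"^[A-Z][a-z]{2} +\d+ [\d:]{8} \S+ Shorewall:(\w+):(\w+):", re.M)
FIELD = re.compile(r"\b([A-Z]+)=(\S*)")

def records(text):
    """Re-join wrapped lines; yield one field dict per timestamped entry."""
    heads = list(START.finditer(text))
    ends = [m.start() for m in heads[1:]] + [len(text)]
    for head, end in zip(heads, ends):
        fields = {"CHAIN": head.group(1), "ACTION": head.group(2)}
        for key, value in FIELD.findall(text[head.end():end]):
            fields.setdefault(key, value)  # first ID= is the IP ID, not the ICMP one
        yield fields

def echo_summary(text):
    """Summarise dropped ICMP echo requests (TYPE=8) by source and by /16."""
    by_src, by_net, sizes = Counter(), Counter(), Counter()
    for f in records(text):
        src = f.get("SRC")
        if not src or (f["ACTION"], f.get("PROTO"), f.get("TYPE")) != ("DROP", "ICMP", "8"):
            continue
        by_src[src] += 1
        by_net[".".join(src.split(".")[:2]) + ".0.0/16"] += 1
        sizes[f.get("LEN")] += 1
    return {"packets": sum(by_src.values()), "sources": len(by_src),
            "by_net": dict(by_net), "sizes": dict(sizes)}

if __name__ == "__main__":
    print(echo_summary(SAMPLE))
```

Many sources with one or two packets each, all of one size, point to a sweep from many hosts rather than a flood from a few; text before the first timestamp is ignored because its source address is not recoverable.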
