Thank you. After some work, I figured out that I misunderstood the openstack 
network configuration and now everything is ok.

Regards
hjh

2015-09-22



applyhhj



From: Salvatore Orlando <[email protected]>
Sent: 2015-09-21 21:06
Subject: Re: [Openstack-operators] Please help!!!!Openvswitch attacked by ICMP!!!!!!!
To: "Kris G. Lindgren" <[email protected]>
Cc: "applyhhj" <[email protected]>, "openstack-operators" <[email protected]>

The comment from Kris is correct.
In the official OpenStack guide I believe it is stated to remove any address 
from the interface attached to br-ex (sudo ip addr del <addr> dev <dev>), not 
to assign it 0.0.0.0.


If the guide says otherwise please open a bug against the relevant doc project.


Salvatore






On 17 September 2015 at 16:08, Kris G. Lindgren <[email protected]> wrote:

For us on boot, we configure the system's init scripts to bring up br-ext and 
plug in the ethernet (or in our case bond) device into the external bridge.  
You should look at your specific distro for guidance here.  Redhat based 
(RHEL/CentOS/Fedora) use: 
http://blog.oddbit.com/2014/05/20/fedora-and-ovs-bridge-interfac/ as a guide.


We do not assign any ip address to the interface attached to the bridge.  If 
you assigned 0.0.0.0 netmask 0.0.0.0 you basically assigned every ip address in 
ipv4 to your interface, so anything that arps on your network for an ip 
address, your server is going to respond and say "hey that’s me".
___________________________________________________________________
Kris Lindgren
Senior Linux Systems Engineer
GoDaddy


From: applyhhj
Date: Thursday, September 17, 2015 at 8:55 AM
To: openstack-operators
Subject: [Openstack-operators] Please help!!!!Openvswitch attacked by 
ICMP!!!!!!!



Hi,
I followed The Guidance and tried to configure openvswitch (OVS) service. I 
first created a bridge br-ex and then added eth2 to the bridge. After that I 
set the IP of eth2 to 0.0.0.0 and then rebooted the system. However br-ex was not 
up when system launched. So I turned on br-ex manually and then restarted the 
network, but br-ex could not get ip from dhcp server. Thus I used “dhclient 
br-ex” to manually acquire IP. Well till then everything worked fine, but in 
the evening the Network Node was continuously attacked by ICMP package. Iptraf 
showed the following messages:

x ICMP time excd (56 bytes) from 4.69.143.125 to 166.111.61.xx on eth2
x ICMP dest unrch (host comm denied) (576 bytes) from 176.32.36.23 to 166.111.61.xxx on eth2
x ICMP dest unrch (host comm denied) (576 bytes) from 176.32.36.23 to 166.111.61.xx on eth2
x ICMP dest unrch (host) (100 bytes) from 59.66.96.226 to 166.111.61.xx on eth2
x ICMP time excd (56 bytes) from 4.69.143.125 to 166.111.61.xx on eth2
x ICMP dest unrch (host comm denied) (576 bytes) from 176.32.36.23 to 166.111.61.xxx on eth2
x ICMP dest unrch (host comm denied) (576 bytes) from 176.32.36.23 to 166.111.61.xx on eth2
x ICMP dest unrch (host) (100 bytes) from 59.66.96.226 to 166.111.61.x on eth2
x ICMP time excd (56 bytes) from 4.69.143.125 to 166.111.61.63 on eth2
x ICMP dest unrch (host comm denied) (576 bytes) from 176.32.36.23 to 166.111.61.xx on eth2
x ICMP dest unrch (host comm denied) (576 bytes) from 176.32.36.23 to 166.111.61.xxx on eth2
x ICMP dest unrch (host) (100 bytes) from 59.66.96.226 to 166.111.61.xx on eth2
x ICMP time excd (56 bytes) from 4.69.143.125 to 166.111.61.x on eth2

My ip is none of the above ones. The download speed in system monitor went up 
to 3m/s or even higher to 8m/s. I tried to use iptables and ebtables to filter 
icmp packages and also set icmp_echo_ignore_all to drop all icmp packages. But, 
unfortunately, nothing works. As long as I deleted eth2 from br-ex or brought 
down br-ex, the network went back to normal. If you have any idea, please help me. 
I have been stuck here for several days. Thank you very much!!

Regards!
hjh


2015-09-17



applyhhj

_______________________________________________
OpenStack-operators mailing list
[email protected]
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators
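
Added example, not part of the thread or of any project's code: a shell check for the condition both replies describe, namely that the interface plugged into br-ex should carry no IP address. The function names and the sample addresses are constructed for illustration; `audit_bridge` assumes `ovs-vsctl` and `ip` are installed on the network node.

```shell
#!/bin/sh
# Report OVS bridge ports that still have an IPv4 address assigned.

# Constructed sample in the one-line format printed by `ip -o -4 addr show`.
SAMPLE_ADDRS='1: lo    inet 127.0.0.1/8 scope host lo
2: eth0    inet 192.0.2.10/24 brd 192.0.2.255 scope global eth0
3: eth2    inet 198.51.100.7/24 brd 198.51.100.255 scope global dynamic eth2
5: br-ex    inet 198.51.100.8/24 brd 198.51.100.255 scope global br-ex'

# flag_addressed_ports PORTS ADDR_DUMP
#   PORTS     whitespace-separated port names attached to the bridge
#   ADDR_DUMP text in `ip -o -4 addr show` format
# Prints "<port> <address/prefix>" for every listed port that has an
# address and returns 1 if any was found, 0 otherwise.
flag_addressed_ports() {
    printf '%s\n' "$2" | PORTS="$1" awk '
        BEGIN {
            # Build a lookup set of the bridge port names.
            n = split(ENVIRON["PORTS"], p)
            for (i = 1; i <= n; i++) want[p[i]] = 1
        }
        # Field 2 is the interface, field 4 the address with prefix.
        $3 == "inet" && ($2 in want) { print $2, $4; bad = 1 }
        END { exit bad ? 1 : 0 }'
}

# audit_bridge BRIDGE
#   Live variant: takes the port list from Open vSwitch and the address
#   list from the kernel. The bridge itself (br-ex) is not a port in that
#   list, so an address on br-ex is not reported.
audit_bridge() {
    flag_addressed_ports "$(ovs-vsctl list-ports "$1")" \
                         "$(ip -o -4 addr show)"
}

# Demonstration on the constructed sample: eth2 is a bridge port and
# still holds an address, bond0 has none.
flag_addressed_ports "eth2 bond0" "$SAMPLE_ADDRS" ||
    echo "fix with: ip addr del <addr> dev <dev>" >&2
```

On a real node, `audit_bridge br-ex` runs the same check against the live port and address lists.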