Re: [leaf-user] Under Attack?
On Thu, 20 Jun 2002, Akom wrote:

> Hi all, I normally get my share of spoofed IP packets in the logs all the time, which I ignore; however, this time they don't look healthy, as they are destined for the internal IP of my server, and it's been happening for a couple of days about every 3 minutes:
>
> Jun 20 10:33:31 firewall kernel: Shorewall:rfc1918:DROP:IN=eth0 OUT=eth1 SRC=192.168.0.2 DST=192.168.2.1 LEN=48 TOS=0x00 PREC=0x00 TTL=102 ID=11842 DF PROTO=TCP SPT=3093 DPT= WINDOW=65535 RES=0x00 SYN URGP=0
>
> Note that the incoming packets, even though they are probably spoofed, are destined for an internal IP of the real server!

One thing that I keep meaning to do but haven't yet is to make it clear which 'rfc1918' chain the message is coming from (yes, there are two):

a) One in the mangle table that catches packets whose original destination is reserved by RFC1918.
b) One in the filter table that catches packets whose original source is reserved by RFC1918.

DNAT occurs between the time that packets traverse a) and the time that they traverse b). So if you are doing NAT or DNAT (for port ) then the original IP address for the packet could have been your external IP address.

The reason that there are two chains is that not all kernels are built with mangle support. In that case, only the second chain is available, and packets whose original IP address is reserved by RFC 1918 can still get through.

> So I tried changing the internal IP of the server (and the port fwd rules to match)... as soon as I do, I get a dump of DROP net2all logs from seemingly every client connected to opennap... all destined for the old internal IP, not the external IP!!! Here is the scary part though... after a few minutes the logs above changed from the old internal IP to the new one, even with opennap shut down!
>
> Services I'm portforwarding: ssh,http,https,81,,smtp

Ok -- so DNAT is occurring before the second rfc1918 chain is traversed, so the original destination was NOT 192.168.2.1 but rather your external IP address.

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
AIM: tmeastep \ http://www.shorewall.net
ICQ: #60745924 \ [EMAIL PROTECTED]

---
Sponsored by: ThinkGeek at http://www.ThinkGeek.com/
leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
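The following is an added example, not code from the thread or from Shorewall: it parses Shorewall/netfilter LOG lines and applies Tom's two-chain reasoning to them. The filter-table rfc1918 chain runs after DNAT, so the DST it logs is the post-DNAT (internal) address; to recover the address the packet was actually sent to, the example reverses a port-forwarding table. Everything here is constructed: the external address 203.0.113.5, the forwarding table, and the log lines (including their DPT values, which the thread's own log lines do not show) are assumptions for illustration.

```python
import ipaddress
import re

# The three RFC 1918 private ranges.
RFC1918_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Hypothetical port-forwarding table, keyed the way the filter-table chain
# sees the packet (post-DNAT DST, protocol, post-DNAT DPT) and giving the
# pre-DNAT (external) address and port. 203.0.113.5 is an assumed external
# address, not one from the thread.
DNAT_REVERSE = {
    ("192.168.2.1", "TCP", "22"):  ("203.0.113.5", "22"),
    ("192.168.2.1", "TCP", "80"):  ("203.0.113.5", "80"),
    ("192.168.2.1", "TCP", "443"): ("203.0.113.5", "443"),
    ("192.168.2.1", "TCP", "25"):  ("203.0.113.5", "25"),
}

# Constructed log lines in the Shorewall/netfilter LOG format. The DPT values
# are made up; the thread's own lines do not show them.
SAMPLE_LOGS = [
    "Jun 20 10:33:31 firewall kernel: Shorewall:rfc1918:DROP:IN=eth0 OUT=eth1 "
    "SRC=192.168.0.2 DST=192.168.2.1 LEN=48 TOS=0x00 PREC=0x00 TTL=102 ID=11842 DF "
    "PROTO=TCP SPT=3093 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0",
    "Jun 20 10:36:30 firewall kernel: Shorewall:rfc1918:DROP:IN=eth0 OUT=eth1 "
    "SRC=10.9.8.7 DST=192.168.2.1 LEN=48 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF "
    "PROTO=TCP SPT=40000 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0",
    # Public source, but a port with no forwarding rule: no DNAT happened, so
    # the logged DST really was the original (RFC 1918) destination.
    "Jun 20 10:39:31 firewall kernel: Shorewall:rfc1918:DROP:IN=eth0 OUT=eth1 "
    "SRC=198.51.100.7 DST=192.168.2.1 LEN=48 TOS=0x00 PREC=0x00 TTL=50 ID=7 DF "
    "PROTO=TCP SPT=5555 DPT=8080 WINDOW=65535 RES=0x00 SYN URGP=0",
]

LOG_RE = re.compile(r"Shorewall:(?P<chain>[^:]+):(?P<action>[^:]+):(?P<fields>.*)$")
KV_RE = re.compile(r"\b([A-Z]+)=(\S*)")


def is_rfc1918(addr):
    """True if addr falls in 10/8, 172.16/12 or 192.168/16."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918_NETS)


def parse_log_line(line):
    """Split a Shorewall LOG line into chain, action and its KEY=value fields."""
    m = LOG_RE.search(line)
    if not m:
        raise ValueError("not a Shorewall log line: %r" % line)
    rec = {"chain": m.group("chain"), "action": m.group("action")}
    rec.update(KV_RE.findall(m.group("fields")))   # flags like DF/SYN are skipped
    return rec


def pre_dnat_destination(rec, dnat_reverse):
    """Map the logged (post-DNAT) DST/DPT back to what the sender addressed.
    If no forwarding rule matches, the logged DST is the original one."""
    key = (rec["DST"], rec["PROTO"], rec["DPT"])
    return dnat_reverse.get(key, (rec["DST"], rec["DPT"]))


def matching_chains(rec, dnat_reverse):
    """Which of the two rfc1918 chains would catch this packet:
    the mangle-table chain tests the ORIGINAL destination (pre-DNAT),
    the filter-table chain tests the source."""
    orig_dst, _ = pre_dnat_destination(rec, dnat_reverse)
    chains = []
    if is_rfc1918(orig_dst):
        chains.append("mangle")
    if is_rfc1918(rec["SRC"]):
        chains.append("filter")
    return chains


def explain(rec, dnat_reverse):
    orig_dst, orig_dpt = pre_dnat_destination(rec, dnat_reverse)
    return {
        "src": rec["SRC"],
        "src_rfc1918": is_rfc1918(rec["SRC"]),
        "logged_dst": rec["DST"],
        "original_dst": orig_dst,
        "original_dst_rfc1918": is_rfc1918(orig_dst),
        "dnat_applied": (orig_dst, orig_dpt) != (rec["DST"], rec["DPT"]),
        "chains": matching_chains(rec, dnat_reverse),
    }


if __name__ == "__main__":
    for line in SAMPLE_LOGS:
        print(explain(parse_log_line(line), DNAT_REVERSE))
```

For the first two constructed lines the packet was addressed to the external IP and was only rewritten to 192.168.2.1 by the port-forward; the thing that is wrong with them is the RFC 1918 source, which is why only the filter chain matches. The third line shows the other case: no forwarding rule, so the logged DST is the original one and the mangle chain is the one that would catch it.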
Re: [leaf-user] Under Attack?
On Thu, Jun 20, 2002 at 11:35:54AM -0400, Akom wrote:

> I'm getting a bit concerned about what's going on in my logs for the past couple of days. I'm running Bering 1.0 rc2 with Shorewall 1.3.1, standard run-of-the-mill setup:
>
> external eth0: dhcp, norfc1982, noping, routefilter, blacklist
> internal eth1: routestopped
>
> External is cable, internal is a 192.168.2.0/24. Port-forwarded inside the eth0 net is a single server running a bunch of stuff including opennap (port ): 192.168.2.1
>
> I normally get my share of spoofed IP packets in the logs all the time, which I ignore; however, this time they don't look healthy, as they are destined for the internal IP of my server, and it's been happening for a couple of days about every 3 minutes:
>
> Jun 20 10:33:31 firewall kernel: Shorewall:rfc1918:DROP:IN=eth0 OUT=eth1 SRC=192.168.0.2 DST=192.168.2.1 LEN=48 TOS=0x00 PREC=0x00 TTL=102 ID=11842 DF PROTO=TCP SPT=3093 DPT= WINDOW=65535 RES=0x00 SYN URGP=0
> Jun 20 10:33:31 firewall kernel: Shorewall:rfc1918:DROP:IN=eth0 OUT=eth1 SRC=192.168.0.2 DST=192.168.2.1 LEN=40 TOS=0x00 PREC=0x00 TTL=102 ID=12354 DF PROTO=TCP SPT=3093 DPT= WINDOW=65535 RES=0x00 ACK URGP=0

Get tcpdump.lrp (and libm.lrp and libpcap.lrp) and install them. Then run

tcpdump -i eth0 -s0 -n host internal_IP

...on one virtual console, and

tcpdump -i eth1 -s0 -n host internal_IP

...on the other. Use Alt-Fx to switch to console x. Then sit back and watch.

If you have the capability to store some data, then add the following option to each:

-w /some/path/to/store/a/dump/at/dump.dat

If you use -w, you'll get no output on screen, but there'll be a dump on disk. Then you can read the dump with ethereal (recommended!) on a full system with X - or show it to others, too.

There's also software to despoof addresses, but I forget which it is or where it is.
[Leaf-user] Under attack
Hi,

I'm running Dachstein 1.02, with a public-IP DMZ plus some masqueraded workstations. We are connected via a shared 10/100 link to our ISP.

Recently we've come under attack, but I can't figure out where or by what. The first I noticed was very high internet use reported by our ISP: 100 times our normal traffic.

What's my best solution for tracing this traffic? I have tried iptraf and snort, but I don't seem to be getting the data in a useful format. What I think I need is to find out:

- how much traffic is my firewall receiving (on the external port)
- how much is being transmitted
- which internal machines receive the most traffic, and how much traffic is that

Thanks in advance
Greg Ford

___
Leaf-user mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
Re: [Leaf-user] Under attack
Oh, do you have any information? Nothing? Scary stuff, hmm... come on, you must have something. Even a normal tcpdump -n will give you some kind of a picture from your public DMZ server of what kind of service the world, or you, get. Give us some more details, config etc. I am sure you have holes in your firewall rules, or else you are running a Windows box as your DMZ server with all the ports open, heh. Please give us more information.

Upnet Joe

- Original Message -
From: Greg Ford [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Thursday, April 18, 2002 6:38 AM
Subject: [Leaf-user] Under attack

> Hi,
>
> I'm running Dachstein 1.02, with a public-IP DMZ plus some masqueraded workstations. We are connected via a shared 10/100 link to our ISP.
>
> Recently we've come under attack, but I can't figure out where or by what. The first I noticed was very high internet use reported by our ISP: 100 times our normal traffic.
>
> What's my best solution for tracing this traffic? I have tried iptraf and snort, but I don't seem to be getting the data in a useful format. What I think I need is to find out:
>
> - how much traffic is my firewall receiving (on the external port)
> - how much is being transmitted
> - which internal machines receive the most traffic, and how much traffic is that
>
> Thanks in advance
> Greg Ford
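As an added example (not code from the thread, from LEAF or from Dachstein), here is the accounting Greg asks for, computed over the kind of capture Joe suggests: it takes `tcpdump -n -q`-style lines from the external interface and splits the bytes into inbound and outbound totals and a per-local-host table, so the machine pulling 100 times the normal traffic shows up as the top talker. The address plan (a 192.168.2.0/24 masqueraded LAN and a 203.0.113.0/28 DMZ) and every capture line are constructed for the example; real tcpdump output varies by version, and the trailing length it prints for TCP is the payload length, so these counts are a lower bound on what the ISP meters on the wire.

```python
import ipaddress
import re
from collections import defaultdict

# Assumed address plan (not from the thread): masqueraded LAN plus a public-IP DMZ.
LOCAL_NETS = [ipaddress.ip_network(n) for n in ("192.168.2.0/24", "203.0.113.0/28")]

# Constructed lines in the shape of `tcpdump -n -q -i eth0` output. For TCP the
# trailing number is the payload length; UDP lines read "UDP, length N".
SAMPLE_CAPTURE = [
    "10:00:01.000000 IP 198.51.100.7.41000 > 192.168.2.10.80: tcp 1448",
    "10:00:01.000100 IP 192.168.2.10.80 > 198.51.100.7.41000: tcp 0",
    "10:00:01.000200 IP 198.51.100.7.41000 > 192.168.2.10.80: tcp 1448",
    "10:00:02.000000 IP 192.168.2.20.53412 > 198.51.100.53.53: UDP, length 45",
    "10:00:02.000300 IP 198.51.100.53.53 > 192.168.2.20.53412: UDP, length 120",
    "10:00:03.000000 IP 203.0.113.5.6699 > 198.51.100.80.2000: tcp 1400",
    # No ports on an ICMP line, so it is counted as skipped rather than mis-parsed.
    "10:00:03.100000 IP 198.51.100.7 > 192.168.2.10: ICMP echo request, id 1, seq 1, length 64",
]

# Four dotted octets, a dot, then the port; the strict octet pattern keeps a
# port-less ICMP line from being split as "a.b.c" + port "d".
LINE_RE = re.compile(
    r"IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): "
    r"(?P<proto>\w+),? (?:length )?(?P<len>\d+)"
)


def is_local(addr, nets=LOCAL_NETS):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in nets)


def account(lines, nets=LOCAL_NETS):
    """Return (per_host, totals): bytes in/out per local host, plus overall
    inbound, outbound, other (neither or both ends local) and skipped lines."""
    per_host = defaultdict(lambda: {"in": 0, "out": 0})
    totals = {"in": 0, "out": 0, "other": 0, "skipped": 0}
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            totals["skipped"] += 1
            continue
        src, dst, n = m.group("src"), m.group("dst"), int(m.group("len"))
        s_loc, d_loc = is_local(src, nets), is_local(dst, nets)
        if d_loc and not s_loc:          # internet -> us: received on the external port
            per_host[dst]["in"] += n
            totals["in"] += n
        elif s_loc and not d_loc:        # us -> internet: transmitted
            per_host[src]["out"] += n
            totals["out"] += n
        else:                            # local<->local or external<->external
            totals["other"] += n
    return {h: dict(v) for h, v in per_host.items()}, totals


def top_talkers(per_host, k=3):
    """Local hosts ordered by total bytes, heaviest first."""
    return sorted(per_host.items(),
                  key=lambda hv: hv[1]["in"] + hv[1]["out"], reverse=True)[:k]


if __name__ == "__main__":
    per_host, totals = account(SAMPLE_CAPTURE)
    print("totals:", totals)
    for host, counts in top_talkers(per_host):
        print("%-15s in=%-7d out=%d" % (host, counts["in"], counts["out"]))
```

Feed it a real capture with `tcpdump -n -q -i eth0 | python3 thisfile.py`-style plumbing (reading stdin instead of SAMPLE_CAPTURE), or capture with `-s0 -w` as suggested earlier in the thread and post-process the file on a full system; the split into in/out per host is what tells a DMZ host that is being used to serve traffic apart from a workstation that is downloading it.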