Re: [newbie] ping flood?

2002-09-22 Thread dfox

> If your machine is reasonably current (300 MHz or faster, 128MB+ RAM),
> then I would have to suspect a distributed attack via a virus or worm.

Maybe. There were a large number of different, seemingly random, hosts
all trying port 4156. Portsentry seems to be the way to get rid of these,
and all the hosts it reported are now blocked. I just had to do a little
reading and edit the config file. 

I'm back to normal, at least for now :).




Want to buy your Pack or Services from MandrakeSoft? 
Go to http://www.mandrakestore.com



[newbie] ping flood?

2002-09-21 Thread dfox

Gretts *

I came home today to my box noticing that a large number of httpd
processes being spawned (this isn't a server, at least not really),
and for the last hours or so my box is real slow when it comes to
using the net.

I'm on a DSL line and am getting some errors connecting to sites
and such. I installed tcpdump and am getting lines like:

17:57:50.710986 210.95.36.130.4156 > m206-157.dsl.tsoft.com.4156:  udp 41 (DF)
17:57:50.711030 m206-157.dsl.tsoft.com > 210.95.36.130: icmp: m206-157.dsl.tsoft.com udp port 4156 unreachable [tos 0xc0]
17:57:50.737316 158.182.6.120.4156 > m206-157.dsl.tsoft.com.4156:  udp 41 (DF)
17:57:50.737361 m206-157.dsl.tsoft.com > 158.182.6.120: icmp: m206-157.dsl.tsoft.com udp port 4156 unreachable [tos 0xc0]
17:57:50.742490

How can I fix this? If it's a ping storm how do I stop it? I figure
it has something to do with iptables but I'm a real newbie where this
type of thing is concerned. After looking at tcpdump for a few minutes
it is not apparent that a single site is trying to connect, but 
a large number of different sites. They all have one thing in common,
though, this port 4156.

I also noticed when looking in /var/log a couple of lines that look
specifically like break-in attempts within the last week...

Sep 16 19:17:04 m206-157 rpc.statd[1008]: gethostbyname error for ^X÷ÿ¿^X÷ÿ¿^Y÷ÿ
¿^Y÷ÿ¿^Z÷ÿ¿^Z÷ÿ¿^[÷ÿ¿^[÷ÿ¿%8x%8x%8x%8x%8x%8x%8x%8x%8x%236x%n%137x%n%10x%n%192x%n
\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220
etc... that is very suspicious - that looks like an exploit.

Between 9/16 and today nothing suspicious; there is always the lone
ftp or nntp attempt but they fail and it doesn't impact performance.
But today, it's like someone is flood pinging my device - the net
lights are constantly on.

I also saw this today:

Sep 21 10:03:59 m206-157 kernel: Neighbour table overflow.
Sep 21 10:03:59 m206-157 last message repeated 9 times
Sep 21 10:04:04 m206-157 kernel: NET: 3050 messages suppressed.
Sep 21 10:04:04 m206-157 kernel: Neighbour table overflow.
Sep 21 10:04:09 m206-157 kernel: NET: 8192 messages suppressed.
Sep 21 10:04:09 m206-157 kernel: Neighbour table overflow.
Sep 21 10:04:14 m206-157 kernel: NET: 7009 messages suppressed.
Sep 21 10:04:14 m206-157 kernel: Neighbour table overflow.
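The tcpdump lines above show the two things worth counting before touching iptables: how many distinct hosts are sending to port 4156, and whether the box answers every packet with an ICMP port-unreachable (it does, so nothing is listening there and the load is purely from replying). As an added example, not code from anyone on the list, the following Python parses lines in that tcpdump 3.x format (mail-wrapped lines joined back together) and classifies each destination port; the sample lines reuse the two exchanges quoted above plus constructed ones from documentation address ranges, and the min_sources threshold is an assumption.

```python
import re
from collections import defaultdict

# tcpdump 3.x output as quoted in the post (mail-wrapped lines joined back up):
# "src.port > dst.port: udp len" and the ICMP port-unreachable the box sends back.
UDP_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+)\.(?P<sport>\d+) > (?P<dst>\S+)\.(?P<dport>\d+):\s+udp (?P<len>\d+)"
)
ICMP_UNREACH_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) > (?P<dst>\S+): icmp: \S+ udp port (?P<port>\d+) unreachable"
)

# Constructed sample: the two exchanges quoted in the post, a third sender
# (documentation-range address) on the same port, and one ordinary DNS reply.
SAMPLE = """\
17:57:50.710986 210.95.36.130.4156 > m206-157.dsl.tsoft.com.4156:  udp 41 (DF)
17:57:50.711030 m206-157.dsl.tsoft.com > 210.95.36.130: icmp: m206-157.dsl.tsoft.com udp port 4156 unreachable [tos 0xc0]
17:57:50.737316 158.182.6.120.4156 > m206-157.dsl.tsoft.com.4156:  udp 41 (DF)
17:57:50.737361 m206-157.dsl.tsoft.com > 158.182.6.120: icmp: m206-157.dsl.tsoft.com udp port 4156 unreachable [tos 0xc0]
17:57:50.742490 192.0.2.7.4156 > m206-157.dsl.tsoft.com.4156:  udp 41 (DF)
17:57:50.742530 m206-157.dsl.tsoft.com > 192.0.2.7: icmp: m206-157.dsl.tsoft.com udp port 4156 unreachable [tos 0xc0]
17:57:51.100000 203.0.113.53.53 > m206-157.dsl.tsoft.com.1025:  udp 120 (DF)
""".splitlines()

def summarise(lines, local_host):
    """Per destination port: inbound packets, distinct senders, ICMP unreachables sent back."""
    ports = defaultdict(lambda: {"packets": 0, "sources": set(), "unreachables": 0})
    for line in lines:
        m = UDP_RE.match(line)
        if m and m["dst"] == local_host:
            ports[int(m["dport"])]["packets"] += 1
            ports[int(m["dport"])]["sources"].add(m["src"])
            continue
        m = ICMP_UNREACH_RE.match(line)
        if m and m["src"] == local_host:
            ports[int(m["port"])]["unreachables"] += 1
    return ports

def classify(ports, min_sources=3):
    """'distributed' when min_sources or more hosts hit one port (the pattern in the post);
    closed_port means every packet drew an ICMP reply, i.e. nothing listens there."""
    return {
        port: {
            "kind": "distributed" if len(st["sources"]) >= min_sources else "single-source",
            "packets": st["packets"],
            "distinct_sources": len(st["sources"]),
            "closed_port": st["unreachables"] >= st["packets"],
        }
        for port, st in ports.items()
    }
```

Run `classify(summarise(SAMPLE, "m206-157.dsl.tsoft.com"))` to get one entry per port; the DNS reply on 1025 draws no unreachable because a socket is listening, which is the contrast to 4156.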






Re: [newbie] ping flood?

2002-09-21 Thread Lyvim Xaphir

On Sat, 2002-09-21 at 21:09, dfox wrote:
> Gretts *
> 
> I came home today to my box noticing that a large number of httpd
> processes being spawned (this isn't a server, at least not really),
> and for the last hours or so my box is real slow when it comes to
> using the net.
> 
> I'm on a DSL line and am getting some errors connecting to sites
> and such. I installed tcpdump and am getting lines like:
> 
> 17:57:50.710986 210.95.36.130.4156 > m206-157.dsl.tsoft.com.4156:  udp 41 (DF)
> 17:57:50.711030 m206-157.dsl.tsoft.com > 210.95.36.130: icmp: m206-157.dsl.tsoft.com udp port 4156 unreachable [tos 0xc0]
> 17:57:50.737316 158.182.6.120.4156 > m206-157.dsl.tsoft.com.4156:  udp 41 (DF)
> 17:57:50.737361 m206-157.dsl.tsoft.com > 158.182.6.120: icmp: m206-157.dsl.tsoft.com udp port 4156 unreachable [tos 0xc0]
> 17:57:50.742490
> 
> How can I fix this? If it's a ping storm how do I stop it? I figure
> it has something to do with iptables but I'm a real newbie where this
> type of thing is concerned. After looking at tcpdump for a few minutes
> it is not apparent that a single site is trying to connect, but
> a large number of different sites. They all have one thing in common,
> though, this port 4156.

Dfox,

Why don't you try installing Portsentry?  It modifies the netfilter
tables on the fly so you don't have to be an instant brainiac.  You can
also specify specific IP addresses for it to drop via iptables.

I would try posting this to the expert list too, there are some peeps
there who might have some more comments and suggestions.

> I also noticed when looking in /var/log a couple of lines that look
> specifically like break-in attempts within the last week...
> 
> Sep 16 19:17:04 m206-157 rpc.statd[1008]: gethostbyname error for ^X÷ÿ¿^X÷ÿ¿^Y÷ÿ
> ¿^Y÷ÿ¿^Z÷ÿ¿^Z÷ÿ¿^[÷ÿ¿^[÷ÿ¿%8x%8x%8x%8x%8x%8x%8x%8x%8x%236x%n%137x%n%10x%n%192x%n
> \220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220
> etc... that is very suspicious - that looks like an exploit.

This looks like a buffer overflow attempt.

> Between 9/16 and today nothing suspicious; there is always the lone
> ftp or nntp attempt but they fail and it doesn't impact performance.
> But today, it's like someone is flood pinging my device - the net
> lights are constantly on.
> 
> I also saw this today:
> 
> Sep 21 10:03:59 m206-157 kernel: Neighbour table overflow.
> Sep 21 10:03:59 m206-157 last message repeated 9 times
> Sep 21 10:04:04 m206-157 kernel: NET: 3050 messages suppressed.
> Sep 21 10:04:04 m206-157 kernel: Neighbour table overflow.
> Sep 21 10:04:09 m206-157 kernel: NET: 8192 messages suppressed.
> Sep 21 10:04:09 m206-157 kernel: Neighbour table overflow.
> Sep 21 10:04:14 m206-157 kernel: NET: 7009 messages suppressed.
> Sep 21 10:04:14 m206-157 kernel: Neighbour table overflow.


There's no doubt that you are under attack.  I'd try portsentry first,
and then get someone to recommend an rc.firewall script for you.  I've
seen some, but the landscape is changing so very fast that it's hard to
stay up on the latest custom iptables scripts.

The experts would be a good place to ask. ;)

--LX


-- 
°°°
Kernel 2.4.18-6mdk    Mandrake Linux 8.2
Enlightenment 0.16.5-11mdk    Evolution 1.0.2-5mdk
Registered Linux User #268899 http://counter.li.org/
°°°
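The rpc.statd line dfox quoted, which LX reads as a buffer overflow attempt, is what a format-string attack looks like once syslog has rendered it: printf directives left as text, high bytes shown as Latin-1 characters, 0x90 shown as the octal escape \220. As an added example, not code from anyone on the list, this Python scanner flags such gethostbyname errors by checking the logged argument against what a hostname can legitimately contain; the sample log lines are constructed to mirror the post, and the indicator names and run-length thresholds are assumptions.

```python
import re

# A hostname handed to gethostbyname() is letters, digits, dots and hyphens; anything
# else in that rpc.statd error message is the remote caller's data echoed into the log.
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9.-]{1,253}$")
STATD_RE = re.compile(r"rpc\.statd\[\d+\]: gethostbyname error for (?P<arg>.*)$")

# Indicators in the form syslog leaves them, as seen in the post.
INDICATORS = {
    "percent_n": re.compile(r"%\d*n"),            # %n writes to memory; no hostname has it
    "percent_x_run": re.compile(r"(%\d*x){4,}"),  # long %x runs read up the stack
    "nop_run": re.compile(r"(\\220){8,}"),        # run of 0x90 bytes as syslog prints them
    "high_bytes": re.compile(r"[\x80-\xff]{3,}"), # raw address/shellcode bytes
}

# Constructed sample lines patterned on the post (addresses and hostnames made up).
SAMPLE_LOG = [
    "Sep 16 19:17:04 m206-157 rpc.statd[1008]: gethostbyname error for "
    "^X\xf7\xff\xbf^X\xf7\xff\xbf^Y\xf7\xff\xbf%8x%8x%8x%8x%8x%236x%n%137x%n" + "\\220" * 20,
    "Sep 16 19:20:11 m206-157 rpc.statd[1008]: gethostbyname error for nfs-client.example.org",
    "Sep 17 08:01:30 m206-157 kernel: Neighbour table overflow.",
]

def inspect_line(line):
    """None for an ordinary line, else a dict naming the indicators that fired."""
    m = STATD_RE.search(line)
    if not m or HOSTNAME_RE.match(m["arg"]):
        return None
    hits = [name for name, rx in INDICATORS.items() if rx.search(m["arg"])]
    verdict = "exploit_attempt" if "percent_n" in hits else "malformed_lookup"
    return {"verdict": verdict, "indicators": hits, "length": len(m["arg"])}

def scan(lines):
    """(line index, finding) for every line that is not an ordinary lookup failure."""
    return [(i, f) for i, f in enumerate(map(inspect_line, lines)) if f]
```

Feed it `/var/log/messages` line by line; a hit on only `high_bytes` or a short non-hostname argument is worth a look but not proof, while `%n` in a hostname argument has no benign explanation.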







Re: [newbie] ping flood?

2002-09-21 Thread Richard Houser


dfox wrote:
| Gretts *
|
| I came home today to my box noticing that a large number of httpd
| processes being spawned (this isn't a server, at least not really),
| and for the last hours or so my box is real slow when it comes to
| using the net.
|
| I'm on a DSL line and am getting some errors connecting to sites
| and such. I installed tcpdump and am getting lines like:
|
| 17:57:50.710986 210.95.36.130.4156 > m206-157.dsl.tsoft.com.4156:  udp 41 (DF)
| 17:57:50.711030 m206-157.dsl.tsoft.com > 210.95.36.130: icmp: m206-157.dsl.tsoft.com udp port 4156 unreachable [tos 0xc0]
| 17:57:50.737316 158.182.6.120.4156 > m206-157.dsl.tsoft.com.4156:  udp 41 (DF)
| 17:57:50.737361 m206-157.dsl.tsoft.com > 158.182.6.120: icmp: m206-157.dsl.tsoft.com udp port 4156 unreachable [tos 0xc0]
| 17:57:50.742490
|
| How can I fix this? If it's a ping storm how do I stop it? I figure
| it has something to do with iptables but I'm a real newbie where this
| type of thing is concerned. After looking at tcpdump for a few minutes
| it is not apparent that a single site is trying to connect, but
| a large number of different sites. They all have one thing in common,
| though, this port 4156.
|
| I also noticed when looking in /var/log a couple of lines that look
| specifically like break-in attempts within the last week...
|
| Sep 16 19:17:04 m206-157 rpc.statd[1008]: gethostbyname error for ^X÷ÿ¿^X÷ÿ¿^Y÷ÿ
| ¿^Y÷ÿ¿^Z÷ÿ¿^Z÷ÿ¿^[÷ÿ¿^[÷ÿ¿%8x%8x%8x%8x%8x%8x%8x%8x%8x%236x%n%137x%n%10x%n%192x%n
| \220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220
| etc... that is very suspicious - that looks like an exploit.
|
| Between 9/16 and today nothing suspicious; there is always the lone
| ftp or nntp attempt but they fail and it doesn't impact performance.
| But today, it's like someone is flood pinging my device - the net
| lights are constantly on.
|
| I also saw this today:
|
| Sep 21 10:03:59 m206-157 kernel: Neighbour table overflow.
| Sep 21 10:03:59 m206-157 last message repeated 9 times
| Sep 21 10:04:04 m206-157 kernel: NET: 3050 messages suppressed.
| Sep 21 10:04:04 m206-157 kernel: Neighbour table overflow.
| Sep 21 10:04:09 m206-157 kernel: NET: 8192 messages suppressed.
| Sep 21 10:04:09 m206-157 kernel: Neighbour table overflow.
| Sep 21 10:04:14 m206-157 kernel: NET: 7009 messages suppressed.
| Sep 21 10:04:14 m206-157 kernel: Neighbour table overflow.
|

If your machine is reasonably current (300 MHz or faster, 128MB+ RAM),
then I would have to suspect a distributed attack via a virus or worm.
Due to the volume, I'd bet Windows.  I suggest you look up a subset of
that string with someone like McAfee.








RE: [newbie] ping flood?

2002-09-21 Thread Franki

I'd download gShield and portsentry...

gShield has some excellent features, for example it's really easy to
blacklist IPs on the fly...

other good stuff like that..

portsentry is good in that it does realtime blacklisting automatically.


rgds

Frank

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of Lyvim Xaphir
Sent: Sunday, 22 September 2002 10:58 AM
To: NewbieMandrake-List
Subject: Re: [newbie] ping flood?


On Sat, 2002-09-21 at 21:09, dfox wrote:
> Gretts *
> 
> I came home today to my box noticing that a large number of httpd
> processes being spawned (this isn't a server, at least not really),
> and for the last hours or so my box is real slow when it comes to
> using the net.
> 
> I'm on a DSL line and am getting some errors connecting to sites
> and such. I installed tcpdump and am getting lines like:
> 
> 17:57:50.710986 210.95.36.130.4156 > m206-157.dsl.tsoft.com.4156:  udp 41 (DF)
> 17:57:50.711030 m206-157.dsl.tsoft.com > 210.95.36.130: icmp: m206-157.dsl.tsoft.com udp port 4156 unreachable [tos 0xc0]
> 17:57:50.737316 158.182.6.120.4156 > m206-157.dsl.tsoft.com.4156:  udp 41 (DF)
> 17:57:50.737361 m206-157.dsl.tsoft.com > 158.182.6.120: icmp: m206-157.dsl.tsoft.com udp port 4156 unreachable [tos 0xc0]
> 17:57:50.742490
> 
> How can I fix this? If it's a ping storm how do I stop it? I figure
> it has something to do with iptables but I'm a real newbie where this
> type of thing is concerned. After looking at tcpdump for a few minutes
> it is not apparent that a single site is trying to connect, but
> a large number of different sites. They all have one thing in common,
> though, this port 4156.

Dfox,

Why don't you try installing Portsentry?  It modifies the netfilter
tables on the fly so you don't have to be an instant brainiac.  You can
also specify specific IP addresses for it to drop via iptables.

I would try posting this to the expert list too, there are some peeps
there who might have some more comments and suggestions.

> I also noticed when looking in /var/log a couple of lines that look
> specifically like break-in attempts within the last week...
> 
> Sep 16 19:17:04 m206-157 rpc.statd[1008]: gethostbyname error for ^X÷ÿ¿^X÷ÿ¿^Y÷ÿ
> ¿^Y÷ÿ¿^Z÷ÿ¿^Z÷ÿ¿^[÷ÿ¿^[÷ÿ¿%8x%8x%8x%8x%8x%8x%8x%8x%8x%236x%n%137x%n%10x%n%192x%n
> \220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220
> etc... that is very suspicious - that looks like an exploit.

This looks like a buffer overflow attempt.

> Between 9/16 and today nothing suspicious; there is always the lone
> ftp or nntp attempt but they fail and it doesn't impact performance.
> But today, it's like someone is flood pinging my device - the net
> lights are constantly on.
> 
> I also saw this today:
> 
> Sep 21 10:03:59 m206-157 kernel: Neighbour table overflow.
> Sep 21 10:03:59 m206-157 last message repeated 9 times
> Sep 21 10:04:04 m206-157 kernel: NET: 3050 messages suppressed.
> Sep 21 10:04:04 m206-157 kernel: Neighbour table overflow.
> Sep 21 10:04:09 m206-157 kernel: NET: 8192 messages suppressed.
> Sep 21 10:04:09 m206-157 kernel: Neighbour table overflow.
> Sep 21 10:04:14 m206-157 kernel: NET: 7009 messages suppressed.
> Sep 21 10:04:14 m206-157 kernel: Neighbour table overflow.


There's no doubt that you are under attack.  I'd try portsentry first,
and then get someone to recommend an rc.firewall script for you.  I've
seen some, but the landscape is changing so very fast that it's hard to
stay up on the latest custom iptables scripts.

The experts would be a good place to ask. ;)

--LX


--
°°°
Kernel 2.4.18-6mdk    Mandrake Linux 8.2
Enlightenment 0.16.5-11mdk    Evolution 1.0.2-5mdk
Registered Linux User #268899 http://counter.li.org/
°°°





