tpatel
just joined
Topic Author
Posts: 20
Joined: Sat Jul 31, 2004 12:25 am

icmp attack, need help?

Wed May 17, 2006 1:59 am

Hi,

We have been getting attacked 2 times a day.

Under Torch I see

protocol src-address dest-address Tx Rx
icmp 0.0.0.0 one of the interface address 0 512K rate

We are running 2.8.3

After going through the 2.9 manual I configured the following to stop the icmp attack in the forward and input chains. It seems it is not making any difference.

Last night I put in the following rules (rules 0 to 5 were after rule 15). In spite of putting in such rules I did not see any difference. I still saw the attack today.

What am I missing? How can I prevent this?

Thanks,
Tushar

Forward Chain

0 src-address=/8 action=drop

1 dst-address=/8 action=drop

2 src-address=127.0.0.0/8 action=drop

3 dst-address=127.0.0.0/8 action=drop

4 src-address=224.0.0.0/3 action=drop

5 dst-address=224.0.0.0/3 action=drop

6 X protocol=icmp action=drop

7 X protocol=icmp action=drop

8 ;;; drop invalid connections
protocol=icmp icmp-options=0:0 action=accept

9 ;;; allow established connections
protocol=icmp icmp-options=3:0 action=accept

10 ;;; allow already established connections
protocol=icmp icmp-options=3:1 action=accept

11 ;;; allow source quench
protocol=icmp icmp-options=4:0 action=accept

12 ;;; allow echo request
protocol=icmp icmp-options=8:0 action=accept

13 ;;; allow time exceed
protocol=icmp icmp-options=11:0 action=accept

14 ;;; allow parameter bad
protocol=icmp icmp-options=12:0 action=accept

15 ;;; deny all other types
protocol=icmp action=drop

input

0 X dst-address=10.1.253.33/32 protocol=icmp action=drop

1 X protocol=icmp action=drop

2 ;;; drop invalid connctions
protocol=icmp icmp-options=0:0 action=accept

3 ;;; allow established connections
protocol=icmp icmp-options=3:0 action=accept

4 ;;; allow already establish connections
protocol=icmp icmp-options=3:1 action=accept

5 ;;; allow source quench
protocol=icmp icmp-options=4:0 action=accept

6 ;;; allow echo request
protocol=icmp icmp-options=8:0 action=accept

7 ;;; allow time exceed
protocol=icmp icmp-options=11:0 action=accept

8 ;;; allow parameter bad
protocol=icmp icmp-options=12:0 action=accept

9 ;;; deny all other types
protocol=icmp action=drop
 
tpatel
just joined
Topic Author
Posts: 20
Joined: Sat Jul 31, 2004 12:25 am

Wed May 17, 2006 2:05 am

One more thing: when I did a packet sniff, it did not show me any MAC address.

How can I see the MAC address using packet sniff? Do I have to run the sniffer for a long time to see the MAC address?

Tushar
 
sergejs
MikroTik Support
Posts: 6697
Joined: Thu Mar 31, 2005 3:33 pm
Location: Riga, Latvia

Wed May 17, 2006 9:24 am

1. Upgrade the router to the 2.9 release; there are many new options in the firewall and other valuable new features.
You'll also be able to limit ICMP packets per time,
e.g. allow 5 packets per second. (Examples are given on the demo2.mt.lv router.)

2. To view frame MAC-address,
- select interface you want to sniff,
- start/stop packet sniffer,
- run 'tool sniffer packet print detail' to view 'src' and 'dst' MAC-address.
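
The per-second ICMP limit mentioned in the reply above, as an added example that is not part of the original post or of the demo router's configuration. It assumes the RouterOS 2.9 filter syntax, where `limit=5,5` is read as a rate of 5 packets per second with a burst of 5; the comments and the choice of chains are illustrative.

```routeros
# Added example, not from the thread. Assumes RouterOS 2.9 filter syntax.
# Rules are evaluated top to bottom, so each rate-limited accept
# must sit above the drop rule that catches the excess.
/ip firewall filter

# Traffic addressed to the router itself.
# Accept ICMP only while it stays within 5 packets per second (burst of 5).
add chain=input protocol=icmp limit=5,5 action=accept \
    comment="ICMP within 5 pps"
# Packets over the limit do not match the rule above and are dropped here.
add chain=input protocol=icmp action=drop \
    comment="ICMP over the limit"

# Traffic routed through the router: same pair of rules.
add chain=forward protocol=icmp limit=5,5 action=accept \
    comment="ICMP within 5 pps"
add chain=forward protocol=icmp action=drop \
    comment="ICMP over the limit"
```

The packet counters on the two drop rules show how much ICMP is arriving above the limit during an attack window.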
 
tpatel
just joined
Topic Author
Posts: 20
Joined: Sat Jul 31, 2004 12:25 am

Wed May 17, 2006 6:04 pm

Thanks for the reply

What is the password for the demo router?

Tushar
 
raenius
just joined
Posts: 13
Joined: Thu Dec 29, 2005 12:15 am

Wed May 17, 2006 7:42 pm

looks like username: demo
no password works
