w2jo
newbie
Topic Author
Posts: 32
Joined: Fri May 28, 2004 5:40 pm

DOS PING attack, how to track?

Mon Jun 27, 2005 6:01 am

Some computer (or computers) on my Hotspot network are periodically doing an "oversized/fragmented DOS PING attack" on remote IPs. My head end router blocks the oversized pings from getting to the network but so far I have not been able to pinpoint the IP address of the offending computer. (My front end router log says it is coming from the IP address of the MT box but that is not a lot of help.)

There must be a way to add a ping packet trace to the MT logs? (I hope.) Can someone tell me the best way to proceed in tracking the offending computer's IP address on the hotspot side of the MT?

Thanks
Joe
 
changeip
Forum Guru
Posts: 3833
Joined: Fri May 28, 2004 5:22 pm

Mon Jun 27, 2005 6:34 am

An ICMP packet can be spoofed very easily. If it is a DDoS-type ICMP packet, it most likely is. This is where ingress/egress filtering helps: use firewall rules to only allow the subnets you host. Don't allow any source IPs that are not part of your subnets. Are you using UCI?

What's the destination they are trying to ping to death? It would be nice to notify them that they are under DDoS and also to secure the malware causing it, for evidence. If we were under DDoS attacks, and we have been a few times, I'd wish that someone would isolate an infected host and send me the malware causing it so I could disable it. Mainly, look to see which IRC server they are attaching to.

Sam
 
w2jo
newbie
Topic Author
Posts: 32
Joined: Fri May 28, 2004 5:40 pm

Tue Jun 28, 2005 12:59 am

Thanks for your help.
The DoS packets are not actually making it out of my system onto the wider WAN/Internet network. I have a multiple WAN load balancing router between the MT and the outside network.

I am sure that the IP sending the DoS packets is, in fact, one of my hotspot users, but the intermittent nature of the attacks (maybe 10 minutes a day at seemingly random times) has so far prevented me from figuring out WHICH of my client users has the trojan. So far I have a list of IPs which are NOT guilty, but there are still about 12 that I have not eliminated yet.

What I need is some sort of ICMP logger that I can sit on my hotspot LAN and monitor for ICMP packets only. Suggestions, anyone? Can the logger in the MT be set to do this?
Thanks
Joe
 
changeip
Forum Guru
Posts: 3833
Joined: Fri May 28, 2004 5:22 pm

Tue Jun 28, 2005 2:06 am

Yes, just turn on packet sniffing and let it run for a while. You will then get the MAC address and IP address that is sending the packet. Probably someone infected with a trojan that comes in your hotspot area to check email or something.

Sam
 
pbwalsh
just joined
Posts: 23
Joined: Mon Aug 23, 2004 8:34 pm
Location: Dallas, TX

Tue Aug 09, 2005 6:19 am

We recently had the same thing happen and we ran the sniffer and isolated the user.
We have disabled them, but I would like a way to keep multiple pings from causing the router interface to crumble under the attack.
Does anyone have a set of firewall rules to drop more than x number of pps from any given host to any other host?
I have been reading here and learned much, but I am looking for something a little more specific.

Any help is appreciated.
:D
 
Eugene
Forum Veteran
Posts: 986
Joined: Mon May 31, 2004 5:06 pm
Location: Cranfield, UK

Tue Aug 09, 2005 2:36 pm

Search the scripting forum. This question has already been answered.
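The three answers in this thread (egress-filter the hotspot subnet, log or sniff ICMP to get the sender's IP and MAC, and rate-limit pings per host) fit into one RouterOS configuration. The block below is an added example, not rules posted by anyone in the thread and not the scripting-forum answer Eugene refers to. It uses current RouterOS (v6/v7) syntax rather than the 2.9 syntax of 2005, and the interface names hotspot-bridge and ether1-wan, the client subnet 10.5.50.0/24, the address-list name icmp-flooders, and the size and rate thresholds are all assumed values to be replaced with your own.

```routeros
# Added example. Assumed: hotspot-bridge = hotspot-facing interface,
# ether1-wan = uplink, 10.5.50.0/24 = hotspot client subnet.
/ip firewall filter

# 1. Egress filtering (changeip's first point): a client may only leave
#    with a source address from the subnet you hand out. Spoofed sources
#    are logged once and dropped; the rule counter shows spoofing is happening.
add chain=forward in-interface=hotspot-bridge src-address=!10.5.50.0/24 \
    limit=1,5:packet action=log log-prefix="spoofed-src"
add chain=forward in-interface=hotspot-bridge src-address=!10.5.50.0/24 \
    action=drop comment="egress filter: only our own subnet may leave"

# 2. Hosts already caught (see rule 4) are dropped outright.
add chain=forward in-interface=hotspot-bridge protocol=icmp \
    src-address-list=icmp-flooders action=drop comment="known ICMP flooder"

# 3. Log outbound echo requests so the sender shows up in /log with its
#    source IP and, since the packet arrives on a bridge port, its source
#    MAC. 'limit' is one global bucket (5 entries/s, burst 10), so the log
#    does not drown in the flood; it is not a per-host limit.
add chain=forward in-interface=hotspot-bridge protocol=icmp icmp-options=8:0 \
    limit=5,10:packet action=log log-prefix="icmp-echo-out"

# 4. Per-host rate limit (pbwalsh's question). dst-limit keyed on
#    src-address keeps a bucket per client: 10 echo requests/s with a
#    burst of 20 pass; the rest tag the sender for an hour and are dropped.
#    Thresholds are assumed; tune them for your clients.
add chain=forward in-interface=hotspot-bridge protocol=icmp icmp-options=8:0 \
    dst-limit=10,20,src-address/1m action=accept comment="normal ping rate"
add chain=forward in-interface=hotspot-bridge protocol=icmp icmp-options=8:0 \
    action=add-src-to-address-list address-list=icmp-flooders \
    address-list-timeout=1h comment="over per-host ping limit: list sender"
add chain=forward in-interface=hotspot-bridge protocol=icmp icmp-options=8:0 \
    action=drop comment="over per-host ping limit: drop"

# 5. Oversized echo requests (the ones the head-end router already blocks)
#    tag the sender as well. 1000 bytes is an assumed threshold, well above
#    the default ping payload.
add chain=forward in-interface=hotspot-bridge protocol=icmp icmp-options=8:0 \
    packet-size=1000-65535 action=add-src-to-address-list \
    address-list=icmp-flooders address-list-timeout=1h \
    comment="oversized ping from a client"

# 6. changeip's second answer: the built-in sniffer, restricted to ICMP
#    received on the hotspot side. Leave it running across the ten-minute
#    burst, then read the sender's IP and MAC from the capture.
/tool sniffer
set filter-interface=hotspot-bridge filter-ip-protocol=icmp \
    filter-direction=rx memory-limit=4096KiB
start
# ... after the attack window:
stop
packet print
host print

# Afterwards, the guilty client(s) are in the log and in the address list:
/log print where message~"icmp-echo-out"
/ip firewall address-list print where list=icmp-flooders
```

The ordering matters: the egress filter sits first so a spoofed source never reaches the logging rules, the address-list drop comes before the rate limiter so a listed host costs one rule lookup per packet, and `add-src-to-address-list` is a pass-through action in RouterOS, so the explicit `drop` after it is what actually stops the packet.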
