Firewall Net tests, installation & configuration

Understanding What Is Happening?

 
Geoff
Guest

Posted: Thu 10 May, 2001    Subject: Understanding What Is Happening?

Hi!

Fairly new to the firewall thing. I installed one to just test and I'm getting quite a bit of messages that I am not entirely understanding:

2001/05/10 9:22:52 AM GMT -0800: SMC EZ Card 10/10..[0001][Ref# 3] Blocking incoming ICMP: src=24.114.38.162, dst=255.255.255.255, type 8.

These have been coming in for at least 3 hours now. About one every 10 seconds. It seems to be a DoS type of attack, although a bit slow. But, I do not entirely understand the destination address of 255.255.255.255. I believe this is a general broadcast address.

Any help in pointing me to where I can learn a bit more about this and possibly what I can do (at a router level) to prevent it.

Thanks

Geoff

trent
Guest

Posted: Mon 04 Jun, 2001    Subject: Re: Understanding What Is Happening?

This is an old-fashioned DoS attack called smurf.
You are not the intended victim; someone is trying to use your machine to do their dirty work. They cannot gain access to your machine with these packets.

Someone is creating ECHO REQUEST (ping) packets that say they are from the machine they are trying to DoS and trying to send them to ALL of the internet. Any machines that don't block this type of attack and aren't behind a router or gateway that does will send an ICMP ECHO REPLY packet to the src= machine. This will overload their internet connection and block out traffic to their website or drop them out of EverQuest/Quake/Counter-Strike etc. If it goes on for a long time they are probably DoSing a big server. If the duration is short (30s-5min) they are probably trying to drop someone out of a game.

The person at the src= address is the victim; do not complain to their ISP. You might be able to trace the packets back to the perpetrator IF you have a packet sniffer AND the perpetrator is within 9 hops of you. Sometimes ping programs will set a flag that makes the machines along the route store their address in the packet header. You can capture the header with a packet sniffer/IDS such as Snort (snort.org).

If the log above is from your router, you're already blocking it. If not, configure your router to block all broadcast ICMP TYPE=8. It's also a good idea to configure the router to block any packets leaving your LAN that have a SRC not on your LAN (unless one of your machines is redirecting).
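
The check trent describes (ICMP type 8 addressed to a broadcast destination) can be run over a firewall log. This Python script is an added example, not part of either post: it parses lines in the format Geoff quoted and groups matching packets by claimed source. The function name, the `directed` parameter and every sample line except the first are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Matches the firewall log format quoted in the question above.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{1,2}:\d{2}:\d{2} [AP]M) GMT [+-]\d{4}: .*?"
    r"Blocking incoming ICMP: src=(?P<src>[\d.]+), dst=(?P<dst>[\d.]+), "
    r"type (?P<type>\d+)\."
)
LIMITED_BROADCAST = "255.255.255.255"

def broadcast_echo_requests(lines, directed=()):
    """Group blocked ICMP echo requests (type 8) sent to a broadcast address.

    `directed` lists directed-broadcast addresses of your own subnets (assumed
    input; the log alone cannot tell you the netmask). Keys of the result are
    the claimed source addresses, which in a smurf attack name the victim.
    """
    targets = {LIMITED_BROADCAST, *directed}
    seen = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or m["type"] != "8" or m["dst"] not in targets:
            continue
        seen[m["src"]].append(datetime.strptime(m["ts"], "%Y/%m/%d %I:%M:%S %p"))
    report = {}
    for src, stamps in seen.items():
        stamps.sort()
        span = (stamps[-1] - stamps[0]).total_seconds()
        mean = span / (len(stamps) - 1) if len(stamps) > 1 else None
        report[src] = {"count": len(stamps), "mean_interval_s": mean}
    return report

# Constructed sample: only the first line is from the post; the rest reuse its format.
HDR = " GMT -0800: SMC EZ Card 10/10..[0001][Ref# 3] Blocking incoming ICMP: "
SAMPLE = [
    "2001/05/10 9:22:52 AM" + HDR + "src=24.114.38.162, dst=255.255.255.255, type 8.",
    "2001/05/10 9:23:02 AM" + HDR + "src=24.114.38.162, dst=255.255.255.255, type 8.",
    "2001/05/10 9:23:12 AM" + HDR + "src=24.114.38.162, dst=255.255.255.255, type 8.",
    "2001/05/10 9:23:15 AM" + HDR + "src=192.0.2.7, dst=198.51.100.20, type 8.",
    "2001/05/10 9:23:20 AM" + HDR + "src=192.0.2.9, dst=255.255.255.255, type 0.",
    "2001/05/10 9:23:22 AM" + HDR + "src=24.114.38.162, dst=198.51.100.255, type 8.",
]

if __name__ == "__main__":
    for src, info in broadcast_echo_requests(SAMPLE).items():
        print(src, info)
```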
All times are GMT + 2 hours