From: Ted Kaczmarek <tazman@linsolutions.com>
To: crv2 <crv2@tstd.pl>
Cc: netfilter@lists.netfilter.org
Subject: Re: 127.0.0.1 source flood and dhcpd DOS
Date: Sun, 22 Feb 2004 08:37:49 -0500
Message-ID: <20040222133749.GA11511@tarkus.linsolutions.com>
In-Reply-To: <002601c3f948$08ed3230$2d01a8c0@ad4gc1asnujhom> (from crv2@tstd.pl on Sun, Feb 22, 2004 at 08:30:26 -0500)
Track down the MAC address and remove/fix/disable that machine.

Ted
On 02/22/04 08:30:26, crv2 wrote:
> hi,
>
> Does someone else observe the problem with the Blaster spoofed flood attack affecting the dhcpd daemon?
>
> The output from tcpdump -i eth1 -ne host 127.0.0.1 (eth1 - internal interface):
>
> 18:18:48.933129 0:a:cd:1:b:39 0:10:15:34:23:34 0800 60: 127.0.0.1.80 > 10.0.143.221.1806: R 0:0(0) ack 357826561 win 0
> 18:18:48.943879 0:2:44:57:364 0:10:15:34:23:34 0800 60: 127.0.0.1.80 > 10.0.192.42.1689: R 0:0(0) ack 83165185 win 0
> 18:18:48.955866 0:a:cd:0:a7:7f 0:10:15:34:23:34 0800 60: 127.0.0.1.80 > 10.0.57.67.1197: R 0:0(0) ack 1552613377 win 0
> 18:18:48.956093 0:30:4f:20:e0:8b 0:10:15:34:23:34 0800 60: 127.0.0.1.80 > 10.0.56.108.1893: R 0:0(0) ack 952369153 win 0
> 18:18:48.956519 0:30:4f:26:c7:96 0:10:15:34:23:34 0800 60: 127.0.0.1.80 > 10.0.2.37.1812: R 0:0(0) ack 1434583041 win 0
> 18:18:48.956715 0:a:cd:1:b:39 0:10:15:34:23:34 0800 60: 127.0.0.1.80 > 10.0.209.93.1642: R 0:0(0) ack 992411649 win 0
> 18:18:48.963920 0:2:44:57:364 0:10:15:34:23:34 0800 60: 127.0.0.1.80 > 10.0.2.169.1524: R 0:0(0) ack 717750273 win 0
>
> 00:10:15:34:23:34 is our server's dhcpd MAC address.
> The flood is about 1200 p/s and comes from 4 different MACs.
>
> And another output (our client's DHCP request, with no response from our server), tcpdump -i eth1 -n udp port 67:
>
> tcpdump: listening on eth1
> 18:38:34.071188 0.0.0.0.68 > 255.255.255.255.67: xid:0x1e429414 secs:55030 file ""[|bootp]
> 18:38:35.702552 0.0.0.0.68 > 255.255.255.255.67: xid:0x1c6f144e secs:56566 flags:0x8000 file ""[|bootp]
> 18:38:36.298190 0.0.0.0.68 > 255.255.255.255.67: xid:0x4a34ea34 secs:57846 flags:0x8000 file ""[|bootp]
> 18:38:37.894439 0.0.0.0.68 > 255.255.255.255.67: xid:0xa41add0d secs:57846 flags:0x8000 file ""[|bootp]
> 18:38:40.527775 0.0.0.0.68 > 255.255.255.255.67: xid:0xb20b790e secs:59382 flags:0x8000 file ""[|bootp]
>
> It seems that it is affecting only the dhcpd daemon, on different versions of kernel and iptables:
> iptables v1.2.9 and iptables v1.2.8
> kernel 2.4.23 and 2.4.24
> Internet Software Consortium DHCP Server V3.0pl2
>
> And why do iptables -I FORWARD -s 127.0.0.1 -i eth1 -j DROP and iptables -I INPUT -s 127.0.0.1 -i eth1 -j DROP
> not block the traffic?
>
> The only solution is: iptables -I PREROUTING -t mangle -s 127.0.0.1 -i eth1 -j DROP
> After that dhcpd starts working normally again (and we are not 100% sure of that).
>
> ifconfig lo down or ifconfig lo 192.168.1.1/32 does not work
>
> Any idea?
>
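Ted's advice is to find which machines are emitting the forged 127.0.0.1 frames. The following added example (not code from either poster) does that mechanically: it parses `tcpdump -ne` lines in the format quoted in the report, counts forged frames per Ethernet source MAC and estimates the rate. The sample capture lines are constructed, modelled on the quoted ones; the server address 10.0.0.1 in the last line is hypothetical.

```python
import re
from collections import Counter
# One `tcpdump -ne` line in the libpcap format quoted above:
#   HH:MM:SS.usec src_mac dst_mac ethertype length: src_ip.port > dst_ip.port: ...
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+)\s+(?P<smac>[0-9a-f:]+)\s+(?P<dmac>[0-9a-f:]+)\s+"
    r"(?P<type>[0-9a-f]{4})\s+(?P<len>\d+):\s+(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+)"
    r"\s+>\s+(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+):"
)
# Constructed sample modelled on the quoted capture: six forged RSTs from four
# source MACs, plus one genuine DHCP reply from the server (hypothetical 10.0.0.1).
SAMPLE = """\
18:18:48.933129 0:a:cd:1:b:39 0:10:15:34:23:34 0800 60: 127.0.0.1.80 > 10.0.143.221.1806: R 0:0(0) ack 357826561 win 0
18:18:48.943879 0:2:44:57:36:4 0:10:15:34:23:34 0800 60: 127.0.0.1.80 > 10.0.192.42.1689: R 0:0(0) ack 83165185 win 0
18:18:48.955866 0:a:cd:0:a7:7f 0:10:15:34:23:34 0800 60: 127.0.0.1.80 > 10.0.57.67.1197: R 0:0(0) ack 1552613377 win 0
18:18:48.956093 0:30:4f:20:e0:8b 0:10:15:34:23:34 0800 60: 127.0.0.1.80 > 10.0.56.108.1893: R 0:0(0) ack 952369153 win 0
18:18:48.956715 0:a:cd:1:b:39 0:10:15:34:23:34 0800 60: 127.0.0.1.80 > 10.0.209.93.1642: R 0:0(0) ack 992411649 win 0
18:18:48.963920 0:2:44:57:36:4 0:10:15:34:23:34 0800 60: 127.0.0.1.80 > 10.0.2.169.1524: R 0:0(0) ack 717750273 win 0
18:18:49.001000 0:10:15:34:23:34 0:a:cd:1:b:39 0800 342: 10.0.0.1.67 > 10.0.143.221.68: xid:0x1e429414 [|bootp]
"""

def parse_line(line):
    """Fields of one tcpdump -ne IPv4 line, or None if the line does not parse."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def to_seconds(ts):  # 'HH:MM:SS.ffffff' -> seconds since midnight
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)

def spoofed_by_mac(lines, bogus_src="127.0.0.1"):
    """Count frames whose IP source is bogus_src, keyed by Ethernet source MAC.
    127.0.0.1 never legitimately arrives on a wire interface, so every hit is forged
    and the MAC identifies the emitting host. Returns (Counter, first_ts, last_ts)."""
    counts, stamps = Counter(), []
    for line in lines:
        rec = parse_line(line)
        if rec and rec["src"] == bogus_src:
            counts[rec["smac"]] += 1
            stamps.append(rec["ts"])
    return counts, min(stamps, default=None), max(stamps, default=None)

def packets_per_second(counts, first, last):
    """Average forged-frame rate over the observed window (the report saw ~1200 p/s)."""
    total = sum(counts.values())
    if not total or first == last:  # empty or zero-length window: no rate to compute
        return 0.0
    return total / (to_seconds(last) - to_seconds(first))

if __name__ == "__main__":
    c, f, l = spoofed_by_mac(SAMPLE.splitlines())
    print(c.most_common(), f"{len(c)} MACs, ~{packets_per_second(c, f, l):.0f} p/s")
```

Match the reported MACs against the switch's forwarding table to locate the hosts; a line the regex cannot parse (such as the garbled MAC in the quoted output) is simply skipped.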
Thread overview:
2004-02-22 13:30 127.0.0.1 source flood and dhcpd DOS crv2
2004-02-22 13:37 ` Ted Kaczmarek [this message]
2004-02-24 6:25 ` Dharmendra T.