lots of tcp port 445 traffic

Linux Netfilter discussions
 help / color / mirror / Atom feed

* lots of tcp port 445 traffic
@ 2004-12-06 16:54 ro0ot
  2004-12-06 22:56 ` Paul Annesley
  2004-12-09 21:17 ` Jose Maria Lopez
  0 siblings, 2 replies; 5+ messages in thread
From: ro0ot @ 2004-12-06 16:54 UTC (permalink / raw)
  To: netfilter

Hi,

I get lots of tcp port 445 traffic when I do a tcpdump -n port 445, 
could it be an attack?

I check on the syslog files at /var/log/syslog, it shows this as below: -

Dec  7 00:36:40 fw01 kernel: Neighbour table overflow.
Dec  7 00:36:46 fw01 kernel: NET: 32 messages suppressed.
Dec  7 00:36:46 fw01 kernel: Neighbour table overflow.
Dec  7 00:36:51 fw01 kernel: NET: 27 messages suppressed.
Dec  7 00:36:51 fw01 kernel: Neighbour table overflow.
Dec  7 00:38:14 fw01 kernel: NET: 6 messages suppressed.
Dec  7 00:38:14 fw01 kernel: Neighbour table overflow.

When I try to ping my router IP address, I get this message below: -

connect: No buffer space available

I did tried running the below command and it seems not helping much: -

iptables -I cus2jarwan -p tcp --dport 445 -j REJECT --reject-with tcp-reset

or

iptables -I cus2jarwan -p tcp --dport 445 -j DROP

How can I stop this tcp port 445 traffic?  Or how can I prevent it?

Regards,
ro0ot





^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: lots of tcp port 445 traffic
  2004-12-06 16:54 lots of tcp port 445 traffic ro0ot
@ 2004-12-06 22:56 ` Paul Annesley
  2004-12-09 21:17 ` Jose Maria Lopez
  1 sibling, 0 replies; 5+ messages in thread
From: Paul Annesley @ 2004-12-06 22:56 UTC (permalink / raw)
  To: netfilter

On Tue, 07 Dec 2004 00:54:08 +0800, ro0ot <ro0ot@phreaker.net> wrote:
> Hi,
> 
> I get lots of tcp port 445 traffic when I do a tcpdump -n port 445,
> could it be an attack?

Many viruses hammer TCP port 445 attempting to exploit MS Windows
vulnerabilities.  They attempt to establish TCP sessions on dport 445
to a massive amount of P addresses.. this can fill up
/proc/net/ip_conntrack in no time, amongst other things.

> 
> I check on the syslog files at /var/log/syslog, it shows this as below: -
> 
> Dec  7 00:36:40 fw01 kernel: Neighbour table overflow.
> Dec  7 00:36:46 fw01 kernel: NET: 32 messages suppressed.
> Dec  7 00:36:46 fw01 kernel: Neighbour table overflow.
> Dec  7 00:36:51 fw01 kernel: NET: 27 messages suppressed.
> Dec  7 00:36:51 fw01 kernel: Neighbour table overflow.
> Dec  7 00:38:14 fw01 kernel: NET: 6 messages suppressed.
> Dec  7 00:38:14 fw01 kernel: Neighbour table overflow.
> 
> When I try to ping my router IP address, I get this message below: -
> 
> connect: No buffer space available
> 
> I did tried running the below command and it seems not helping much: -
> 
> iptables -I cus2jarwan -p tcp --dport 445 -j REJECT --reject-with tcp-reset
> 
> or
> 
> iptables -I cus2jarwan -p tcp --dport 445 -j DROP
> 

You definately don't want to use -J REJECT - this will do more harm
than good, as it will be generating an ICMP unreachable message for
each port 445 packet.

> How can I stop this tcp port 445 traffic?  Or how can I prevent it?

Use the drop rule you mentioned.  Apply it to INPUT and also FORWARD.

If possible;
- remove the viruses
- disable the infected computer(s) switch port(s) until cleaned
- unplug the infected computer(s) from the network until cleaned

Regards,
Paul

> 
> Regards,
> ro0ot
> 
>


^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: lots of tcp port 445 traffic
  2004-12-06 16:54 lots of tcp port 445 traffic ro0ot
  2004-12-06 22:56 ` Paul Annesley
@ 2004-12-09 21:17 ` Jose Maria Lopez
  2004-12-09 21:37   ` Paul Annesley
  1 sibling, 1 reply; 5+ messages in thread
From: Jose Maria Lopez @ 2004-12-09 21:17 UTC (permalink / raw)
  To: netfilter@lists.netfilter.org

El lun, 06 de 12 de 2004 a las 17:54, ro0ot escribió:
> Hi,
> 
> I get lots of tcp port 445 traffic when I do a tcpdump -n port 445, 
> could it be an attack?
> 
> I check on the syslog files at /var/log/syslog, it shows this as below: -
> 
> Dec  7 00:36:40 fw01 kernel: Neighbour table overflow.
> Dec  7 00:36:46 fw01 kernel: NET: 32 messages suppressed.
> Dec  7 00:36:46 fw01 kernel: Neighbour table overflow.
> Dec  7 00:36:51 fw01 kernel: NET: 27 messages suppressed.
> Dec  7 00:36:51 fw01 kernel: Neighbour table overflow.
> Dec  7 00:38:14 fw01 kernel: NET: 6 messages suppressed.
> Dec  7 00:38:14 fw01 kernel: Neighbour table overflow.
> 
> When I try to ping my router IP address, I get this message below: -
> 
> connect: No buffer space available
> 
> I did tried running the below command and it seems not helping much: -
> 
> iptables -I cus2jarwan -p tcp --dport 445 -j REJECT --reject-with tcp-reset
> 
> or
> 
> iptables -I cus2jarwan -p tcp --dport 445 -j DROP
> 
> How can I stop this tcp port 445 traffic?  Or how can I prevent it?
> 
> Regards,
> ro0ot
> 

I also receive tons of this kind of traffic, like anyone else,
I suppose. The way you stop them it's correct, maybe you don't
have the rule in the correct chain, because it works ok for me.

-- 
Jose Maria Lopez Hernandez
Director Tecnico de bgSEC
jkerouac@bgsec.com
bgSEC Seguridad y Consultoria de Sistemas Informaticos
http://www.bgsec.com
ESPAÑA

The only people for me are the mad ones -- the ones who are mad to live,
mad to talk, mad to be saved, desirous of everything at the same time,
the ones who never yawn or say a commonplace thing, but burn, burn, burn
like fabulous yellow Roman candles.
                -- Jack Kerouac, "On the Road"



^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: lots of tcp port 445 traffic
  2004-12-09 21:17 ` Jose Maria Lopez
@ 2004-12-09 21:37   ` Paul Annesley
  2004-12-10 13:52     ` ro0ot
  0 siblings, 1 reply; 5+ messages in thread
From: Paul Annesley @ 2004-12-09 21:37 UTC (permalink / raw)
  To: netfilter

> > iptables -I cus2jarwan -p tcp --dport 445 -j REJECT --reject-with tcp-reset
> >
> > or
> >
> > iptables -I cus2jarwan -p tcp --dport 445 -j DROP
> >
>
> You definately don't want to use -J REJECT - this will do more harm
> than good, as it will be generating an ICMP unreachable message for
> each port 445 packet.

My mistake - I didn't notice you were using "--reject-with tcp-reset".
Pretty sure you'd be better off with DROP anyway.

Regards,
Paul


^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: lots of tcp port 445 traffic
  2004-12-09 21:37   ` Paul Annesley
@ 2004-12-10 13:52     ` ro0ot
  0 siblings, 0 replies; 5+ messages in thread
From: ro0ot @ 2004-12-10 13:52 UTC (permalink / raw)
  To: Paul Annesley; +Cc: netfilter

I include these rules below and it helps: -

iptables -t nat -A PREROUTING -p tcp --dport 135 -j DROP
iptables -t nat -A PREROUTING -p tcp --dport 445 -j DROP


Paul Annesley wrote:

>>>iptables -I cus2jarwan -p tcp --dport 445 -j REJECT --reject-with tcp-reset
>>>
>>>or
>>>
>>>iptables -I cus2jarwan -p tcp --dport 445 -j DROP
>>>
>>>      
>>>
>>You definately don't want to use -J REJECT - this will do more harm
>>than good, as it will be generating an ICMP unreachable message for
>>each port 445 packet.
>>    
>>
>
>My mistake - I didn't notice you were using "--reject-with tcp-reset".
>Pretty sure you'd be better off with DROP anyway.
>
>Regards,
>Paul
>
>
>  
>


^ permalink raw reply	[flat|nested] 5+ messages in thread

end of thread, other threads:[~2004-12-10 13:52 UTC | newest]

Thread overview: 5+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2004-12-06 16:54 lots of tcp port 445 traffic ro0ot
2004-12-06 22:56 ` Paul Annesley
2004-12-09 21:17 ` Jose Maria Lopez
2004-12-09 21:37   ` Paul Annesley
2004-12-10 13:52     ` ro0ot

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox