Guillermo Schmid
2004-Oct-07 02:58 UTC
Virus in hosts of WIFI zone causes DoS in my Shorewall box
Hi Tom,

This is my first post on this list. First, I'm a Shorewall user since version 1.4.6, and I'm very satisfied with the results in my own business: a WISP using this excellent GNU firewall in all of my servers (about a dozen). Tom, sincerely: THANK YOU for your creation. Shorewall really works fine. Otherwise iptables would have been voodoo for me.

Well, in the past weeks I have detected with iptraf an excessive data flow on port 135 tcp originated by some clients (within my wifi zone) with Win XP. My wifi zone is eth1 in 10.10.30.x in one of the servers, and this gateway serves approx. 180 devices (2 hosts per client: PC and AP) in the same network. Some of these hosts, affected by a virus (SDbot and its family of mutations specifically), when activating its routines start sending to the WIFI zone network (a simple WLAN in 802.11b) thousands of tcp packets to port 135 to random (and nonexistent) IP addresses in the 10.10.x.x range. After that, this "rain" of packets incoming to the eth1 of my box causes a DoS. The box shows me an error when I run a ping command to any host: "Can't connect: buffer space not available". And, of course, the service crashes...

My question is: is there some way of preventing this limit situation? What can I do with the shorewall configuration files to avoid this buffer overflow, that causes a denial of service? I tried filtering all tcp incoming data packets originating in hosts of my wifi zone and destined to port 135 in the same network, but it doesn't result as I hoped: my box crashes anyway. It is very frustrating :-(( Maybe the solution is very simple, but I can't see it.

And Tom, thanks again for your work.

--
Guillermo Schmid
Tom Eastep
2004-Oct-07 15:56 UTC
Re: Virus in hosts of WIFI zone causes DoS in my Shorewall box
Guillermo Schmid wrote:
> My question is: is there some way of preventing this limit situation?
> What can I do with the shorewall configuration files to avoid this
> buffer overflow, that causes a denial of service?

The only thing that comes to mind is to specify limits in your policy file on policies with WIFI as the source (use the LIMIT/BURST column). Of course it is important to have virus protection in depth (on your mail server and on each Windoze host) and to keep them all updated. Best to try to avoid this problem rather than to have to deal with it once it happens.

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
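An added example, not from the thread or the Shorewall project: once the rate-limited WIFI policy also carries a LOG LEVEL, the dropped excess lands in the kernel log, and a short awk pass over those lines tells you which hosts behind eth1 are the infected ones, so they can be taken off the WLAN and cleaned instead of the gateway absorbing the flood. The log prefix `Shorewall:wifi2all:DROP:`, the zone name `wifi`, the sample lines and the threshold are all assumptions made here.

```shell
#!/bin/sh
# Constructed sample of what the kernel log holds once the WIFI policy carries a
# LOG LEVEL: Shorewall-style "Shorewall:<chain>:<disposition>:" prefix, zone
# name "wifi" assumed. Host .17 sprays tcp/135 at addresses that do not exist;
# host .50 is a normal client reaching the gateway's web server.
SAMPLE_LOG='Oct  7 02:10:01 gw kernel: Shorewall:wifi2all:DROP:IN=eth1 OUT= MAC=00:11:22:33:44:55:00:aa:bb:cc:dd:ee:08:00 SRC=10.10.30.17 DST=10.10.41.200 LEN=48 PROTO=TCP SPT=1101 DPT=135 SYN
Oct  7 02:10:01 gw kernel: Shorewall:wifi2all:DROP:IN=eth1 OUT= MAC=00:11:22:33:44:55:00:aa:bb:cc:dd:ee:08:00 SRC=10.10.30.17 DST=10.10.41.201 LEN=48 PROTO=TCP SPT=1102 DPT=135 SYN
Oct  7 02:10:01 gw kernel: Shorewall:wifi2all:DROP:IN=eth1 OUT= MAC=00:11:22:33:44:55:00:aa:bb:cc:dd:ee:08:00 SRC=10.10.30.17 DST=10.10.41.201 LEN=48 PROTO=TCP SPT=1103 DPT=135 SYN
Oct  7 02:10:01 gw kernel: Shorewall:wifi2all:DROP:IN=eth1 OUT= MAC=00:11:22:33:44:55:00:aa:bb:cc:dd:ee:08:00 SRC=10.10.30.17 DST=10.10.9.3 LEN=48 PROTO=TCP SPT=1104 DPT=135 SYN
Oct  7 02:10:02 gw kernel: Shorewall:wifi2all:DROP:IN=eth1 OUT= MAC=00:11:22:33:44:55:00:aa:bb:cc:dd:ff:08:00 SRC=10.10.30.50 DST=10.10.30.1 LEN=48 PROTO=TCP SPT=3301 DPT=80 SYN'

# flag_scanners LIMIT [LOGFILE...]
# Prints "<source> <distinct destinations>" for every source address that tried
# tcp/135 against more than LIMIT distinct destinations. Retries to the same
# destination count once, so a legitimate RPC client talking to one server is
# not flagged. Reads stdin when no file is given.
flag_scanners() {
    limit=$1
    shift
    awk -v limit="$limit" '
        /Shorewall:/ {
            src = ""; dst = ""; tcp = 0; rpc = 0
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/) src = substr($i, 5)
                else if ($i ~ /^DST=/) dst = substr($i, 5)
                else if ($i == "PROTO=TCP") tcp = 1
                else if ($i == "DPT=135") rpc = 1
            }
            # count each (source, destination) pair only once per source
            if (tcp && rpc && src != "" && dst != "" && !seen[src, dst]++)
                dests[src]++
        }
        END {
            for (s in dests) if (dests[s] > limit + 0) print s, dests[s]
        }
    ' "$@"
}

# Stand-alone run over the constructed sample: only 10.10.30.17 exceeds 2,
# having hit three distinct addresses (two of them in a range with no hosts).
printf '%s\n' "$SAMPLE_LOG" | flag_scanners 2
```

On a live box the same function reads the real file, e.g. `flag_scanners 20 /var/log/messages`, and the threshold should sit well above what one Windows client legitimately opens to tcp/135.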