Hi,

I am running shorewall 4.2.10
3 Interface

Is there any way to stop these ICMP Attacks.
I have replaced my external IP with xx.xxx.xxx.xx

Sep 2 00:25:03 Viper kernel: Shorewall:net2fw:DROP:IN=ppp0 OUT= MAC= SRC=58.218.200.37 DST=xx.xxx.xxx.xx LEN=28 TOS=0x00 PREC=0x00 TTL=7 ID=42105 PROTO=ICMP TYPE=8 CODE=0 ID=42105 SEQ=19
Sep 2 00:25:03 Viper kernel: Shorewall:net2fw:DROP:IN=ppp0 OUT= MAC= SRC=95.128.60.133 DST=xx.xxx.xxx.xx LEN=28 TOS=0x00 PREC=0x00 TTL=1 ID=41486 PROTO=ICMP TYPE=8 CODE=0 ID=41486 SEQ=10
Sep 2 00:25:03 Viper kernel: Shorewall:net2fw:DROP:IN=ppp0 OUT= MAC= SRC=174.35.82.6 DST=xx.xxx.xxx.xx LEN=28 TOS=0x00 PREC=0x00 TTL=1 ID=50552 PROTO=ICMP TYPE=8 CODE=0 ID=50552 SEQ=8
Sep 2 00:25:03 Viper kernel: Shorewall:net2fw:DROP:IN=ppp0 OUT= MAC= SRC=119.184.126.75 DST=xx.xxx.xxx.xx LEN=28 TOS=0x00 PREC=0x00 TTL=1 ID=54348 PROTO=ICMP TYPE=8 CODE=0 ID=54348 SEQ=18
Sep 2 00:25:04 Viper kernel: Shorewall:net2fw:DROP:IN=ppp0 OUT= MAC= SRC=60.28.214.247 DST=xx.xxx.xxx.xx LEN=28 TOS=0x00 PREC=0x00 TTL=6 ID=53721 PROTO=ICMP TYPE=8 CODE=0 ID=53721 SEQ=19
Sep 2 00:25:04 Viper kernel: Shorewall:net2fw:DROP:IN=ppp0 OUT= MAC= SRC=61.164.115.78 DST=xx.xxx.xxx.xx LEN=28 TOS=0x00 PREC=0x00 TTL=7 ID=47135 PROTO=ICMP TYPE=8 CODE=0 ID=47135 SEQ=19
Sep 2 00:25:04 Viper kernel: Shorewall:net2fw:DROP:IN=ppp0 OUT= MAC= SRC=175.41.1.14 DST=xx.xxx.xxx.xx LEN=28 TOS=0x00 PREC=0x00 TTL=5 ID=71 PROTO=ICMP TYPE=8 CODE=0 ID=71 SEQ=11
Sep 2 00:25:05 Viper kernel: Shorewall:net2fw:DROP:IN=ppp0 OUT= MAC= SRC=122.224.176.18 DST=xx.xxx.xxx.xx LEN=28 TOS=0x00 PREC=0x00 TTL=6 ID=65040 PROTO=ICMP TYPE=8 CODE=0 ID=65040 SEQ=19
Sep 2 00:25:06 Viper kernel: Shorewall:net2fw:DROP:IN=ppp0 OUT= MAC= SRC=119.147.244.141 DST=xx.xxx.xxx.xx LEN=28 TOS=0x00 PREC=0x00 TTL=5 ID=27775 PROTO=ICMP TYPE=8 CODE=0 ID=27775 SEQ=16
Sep 2 00:25:07 Viper kernel: Shorewall:net2fw:DROP:IN=ppp0 OUT= MAC= SRC=95.128.60.133 DST=xx.xxx.xxx.xx LEN=28 TOS=0x00 PREC=0x00 TTL=2 ID=41486 PROTO=ICMP TYPE=8 CODE=0 ID=41486 SEQ=11
Sep 2 00:25:07 Viper kernel: Shorewall:net2fw:DROP:IN=ppp0 OUT= MAC= SRC=174.35.82.6 DST=xx.xxx.xxx.xx LEN=28 TOS=0x00 PREC=0x00 TTL=2 ID=50552 PROTO=ICMP TYPE=8 CODE=0 ID=50552 SEQ=9
Sep 2 00:25:07 Viper kernel: Shorewall:net2fw:DROP:IN=ppp0 OUT= MAC= SRC=119.184.126.75 DST=xx.xxx.xxx.xx LEN=28 TOS=0x00 PREC=0x00 TTL=2 ID=54348 PROTO=ICMP TYPE=8 CODE=0 ID=54348 SEQ=19
Sep 2 00:25:08 Viper kernel: Shorewall:net2fw:DROP:IN=ppp0 OUT= MAC= SRC=60.28.214.247 DST=xx.xxx.xxx.xx LEN=28 TOS=0x00 PREC=0x00 TTL=7 ID=53721 PROTO=ICMP TYPE=8 CODE=0 ID=53721 SEQ=20
Sep 2 00:25:08 Viper kernel: Shorewall:net2fw:DROP:IN=ppp0 OUT= MAC= SRC=175.41.1.14 DST=xx.xxx.xxx.xx LEN=28 TOS=0x00 PREC=0x00 TTL=6 ID=71 PROTO=ICMP TYPE=8 CODE=0 ID=71 SEQ=12
Sep 2 00:25:09 Viper kernel: Shorewall:net2fw:DROP:IN=ppp0 OUT= MAC= SRC=122.224.176.18 DST=xx.xxx.xxx.xx LEN=28 TOS=0x00 PREC=0x00 TTL=7 ID=65040 PROTO=ICMP TYPE=8 CODE=0 ID=65040 SEQ=20
Sep 2 00:25:10 Viper kernel: Shorewall:net2fw:DROP:IN=ppp0 OUT= MAC= SRC=119.147.244.141 DST=xx.xxx.xxx.xx LEN=28 TOS=0x00 PREC=0x00 TTL=6 ID=27775 PROTO=ICMP TYPE=8 CODE=0 ID=27775 SEQ=17
Sep 2 00:25:11 Viper kernel: Shorewall:net2fw:DROP:IN=ppp0 OUT= MAC= SRC=96.6.40.12 DST=xx.xxx.xxx.xx LEN=94 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=UDP SPT=3478 DPT=61502 LEN=74
Sep 2 00:25:11 Viper kernel: Shorewall:net2fw:DROP:IN=ppp0 OUT= MAC= SRC=95.128.60.133 DST=xx.xxx.xxx.xx LEN=28 TOS=0x00 PREC=0x00 TTL=3 ID=41486 PROTO=ICMP TYPE=8 CODE=0 ID=41486 SEQ=12
Sep 2 00:25:11 Viper kernel: Shorewall:net2fw:DROP:IN=ppp0 OUT= MAC= SRC=174.35.82.6 DST=xx.xxx.xxx.xx LEN=28 TOS=0x00 PREC=0x00 TTL=3 ID=50552 PROTO=ICMP TYPE=8 CODE=0 ID=50552 SEQ=10
Sep 2 00:25:11 Viper kernel: Shorewall:net2fw:DROP:IN=ppp0 OUT= MAC= SRC=119.184.126.75 DST=xx.xxx.xxx.xx LEN=28 TOS=0x00 PREC=0x00 TTL=3 ID=54348 PROTO=ICMP TYPE=8 CODE=0 ID=54348 SEQ=20
Sep 2 00:25:12 Viper kernel: Shorewall:net2fw:DROP:IN=ppp0 OUT= MAC= SRC=175.41.1.14 DST=xx.xxx.xxx.xx LEN=28 TOS=0x00 PREC=0x00 TTL=7 ID=71 PROTO=ICMP TYPE=8 CODE=0 ID=71 SEQ=13
Sep 2 00:25:14 Viper kernel: Shorewall:net2fw:DROP:IN=ppp0 OUT= MAC= SRC=119.147.244.141 DST=xx.xxx.xxx.xx LEN=28 TOS=0x00 PREC=0x00 TTL=7 ID=27775 PROTO=ICMP TYPE=8 CODE=0 ID=27775 SEQ=18
Sep 2 00:25:15 Viper kernel: Shorewall:net2fw:DROP:IN=ppp0 OUT= MAC= SRC=95.128.60.133 DST=xx.xxx.xxx.xx LEN=28 TOS=0x00 PREC=0x00 TTL=4 ID=41486 PROTO=ICMP TYPE=8 CODE=0 ID=41486 SEQ=13
Sep 2 00:25:15 Viper kernel: Shorewall:net2fw:DROP:IN=ppp0 OUT= MAC= SRC=174.35.82.6 DST=xx.xxx.xxx.xx LEN=28 TOS=0x00 PREC=0x00 TTL=4 ID=50552 PROTO=ICMP TYPE=8 CODE=0 ID=50552 SEQ=11
Sep 2 00:25:15 Viper kernel: Shorewall:net2fw:DROP:IN=ppp0 OUT= MAC= SRC=119.184.126.75 DST=xx.xxx.xxx.xx LEN=28 TOS=0x00 PREC=0x00 TTL=4 ID=54348 PROTO=ICMP TYPE=8 CODE=0 ID=54348 SEQ=21
Sep 2 00:25:19 Viper kernel: Shorewall:net2fw:DROP:IN=ppp0 OUT= MAC= SRC=95.128.60.133 DST=xx.xxx.xxx.xx LEN=28 TOS=0x00 PREC=0x00 TTL=5 ID=41486 PROTO=ICMP TYPE=8 CODE=0 ID=41486 SEQ=14
Sep 2 00:25:19 Viper kernel: Shorewall:net2fw:DROP:IN=ppp0 OUT= MAC= SRC=174.35.82.6 DST=xx.xxx.xxx.xx LEN=28 TOS=0x00 PREC=0x00 TTL=5 ID=50552 PROTO=ICMP TYPE=8 CODE=0 ID=50552 SEQ=12
Sep 2 00:25:19 Viper kernel: Shorewall:net2fw:DROP:IN=ppp0 OUT= MAC= SRC=119.184.126.75 DST=xx.xxx.xxx.xx LEN=28 TOS=0x00 PREC=0x00 TTL=5 ID=54348 PROTO=ICMP TYPE=8 CODE=0 ID=54348 SEQ=22
Sep 2 00:25:23 Viper kernel: Shorewall:net2fw:DROP:IN=ppp0 OUT= MAC= SRC=95.128.60.133 DST=xx.xxx.xxx.xx LEN=28 TOS=0x00 PREC=0x00 TTL=6 ID=41486 PROTO=ICMP TYPE=8 CODE=0 ID=41486 SEQ=15
Sep 2 00:25:23 Viper kernel: Shorewall:net2fw:DROP:IN=ppp0 OUT= MAC= SRC=174.35.82.6 DST=xx.xxx.xxx.xx LEN=28 TOS=0x00 PREC=0x00 TTL=6 ID=50552 PROTO=ICMP TYPE=8 CODE=0 ID=50552 SEQ=13
Sep 2 00:25:23 Viper kernel: Shorewall:net2fw:DROP:IN=ppp0 OUT= MAC= SRC=119.184.126.75 DST=xx.xxx.xxx.xx LEN=28 TOS=0x00 PREC=0x00 TTL=6 ID=54348 PROTO=ICMP TYPE=8 CODE=0 ID=54348 SEQ=23
Sep 2 00:25:27 Viper kernel: Shorewall:net2fw:DROP:IN=ppp0 OUT= MAC= SRC=95.128.60.133 DST=xx.xxx.xxx.xx LEN=28 TOS=0x00 PREC=0x00 TTL=7 ID=41486 PROTO=ICMP TYPE=8 CODE=0 ID=41486 SEQ=16
Sep 2 00:25:27 Viper kernel: Shorewall:net2fw:DROP:IN=ppp0 OUT= MAC= SRC=174.35.82.6 DST=xx.xxx.xxx.xx LEN=28 TOS=0x00 PREC=0x00 TTL=7 ID=50552 PROTO=ICMP TYPE=8 CODE=0 ID=50552 SEQ=14
Sep 2 00:25:27 Viper kernel: Shorewall:net2fw:DROP:IN=ppp0 OUT= MAC= SRC=119.184.126.75 DST=xx.xxx.xxx.xx LEN=28 TOS=0x00 PREC=0x00 TTL=7 ID=54348 PROTO=ICMP TYPE=8 CODE=0 ID=54348 SEQ=24

------------------------------------------------------------------------------
This SF.net Dev2Dev email is sponsored by:

Show off your parallel programming skills.
Enter the Intel(R) Threading Challenge 2010.
http://p.sf.net/sfu/intel-thread-sfd

On 9/1/10 4:46 PM, paddy667 wrote:
> Hi,
>
> I am running shorewall 4.2.10
> 3 Interface
>
> Is there any way to stop these ICMP Attacks.

No -- there is nothing a packet filter can do to stop an attack. But you
are DOSing yourself by logging them. That's likely doing more damage
than the attack itself.

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

My Policy file below.
How do I stop it logging ICMP from the net, but keep other logging.

Thanks

#################################################################################
#SOURCE   DEST      POLICY    LOG       LIMIT:    CONNLIMIT:                    #
#                             LEVEL     BURST     MASK                          #
#################################################################################
#################################################################################
# Policies for traffic originating from the local LAN (loc)                     #
#################################################################################
loc       net       REJECT    info
loc       $FW       REJECT    info
loc       dmz       REJECT    info
loc       all       REJECT    info
#################################################################################
# Policies for traffic originating from the firewall ($FW)                      #
#################################################################################
$FW       net       REJECT    info
$FW       loc       REJECT    info
$FW       dmz       REJECT    info
$FW       all       REJECT    info
#################################################################################
# Policies for traffic originating from the De-Militarized Zone (dmz)           #
#################################################################################
dmz       net       REJECT    info
dmz       $FW       REJECT    info
dmz       loc       REJECT    info
dmz       all       REJECT    info
#################################################################################
# Policies for traffic originating from the Internet zone (net)                 #
#################################################################################
net       $FW       DROP      info
net       loc       DROP      info
net       dmz       DROP      info
net       all       DROP      info
#################################################################################
# THE FOLLOWING POLICY MUST BE LAST                                             #
#################################################################################
all       all       REJECT    info
#################################################################################
# LAST LINE -- DO NOT REMOVE                                                    #
#################################################################################

On 9/1/10 5:07 PM, paddy667 wrote:
> My Policy file below.
> How do I stop it logging ICMP from the net, but keep other logging.

Add a DROP rule to your rules file.

-Tom

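An added example, not part of Tom's message or of the Shorewall project's own files: one way to write the rule he describes, assuming the zone names from the policy file posted in this thread (net, $FW). Shorewall consults the rules file before falling back to the policy, so a rule with no log level on its action discards the pings before the "net $FW DROP info" policy can log them.

```conf
# /etc/shorewall/rules  (added example; zone names assumed from the policy file in this thread)
#ACTION   SOURCE   DEST   PROTO   DEST PORT(S)
# For PROTO icmp the DEST PORT(S) column holds the ICMP type; 8 = echo-request.
# A bare DROP (no ":info" suffix) drops silently.
DROP      net      $FW    icmp    8
```

Run `shorewall check` before `shorewall restart`; all other traffic from the net still falls through to the logging policy.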
Thanks, will try that out.

paddy667 wrote:
> Is there any way to stop these ICMP Attacks.
> I have replaced my external IP with xx.xxx.xxx.xx
>
> Sep 2 00:25:03 Viper kernel: Shorewall:net2fw:DROP:IN=ppp0 OUT= MAC= SRC=58.218.200.37 DST=xx.xxx.xxx.xx LEN=28 TOS=0x00 PREC=0x00 TTL=7 ID=42105 PROTO=ICMP TYPE=8 CODE=0 ID=42105 SEQ=19
> Sep 2 00:25:03 Viper kernel: Shorewall:net2fw:DROP:IN=ppp0 OUT= MAC= SRC=95.128.60.133 DST=xx.xxx.xxx.xx LEN=28 TOS=0x00 PREC=0x00 TTL=1 ID=41486 PROTO=ICMP TYPE=8 CODE=0 ID=41486 SEQ=10
> Sep 2 00:25:03 Viper kernel: Shorewall:net2fw:DROP:IN=ppp0 OUT= MAC= SRC=174.35.82.6 DST=xx.xxx.xxx.xx LEN=28 TOS=0x00 PREC=0x00 TTL=1 ID=50552 PROTO=ICMP TYPE=8 CODE=0 ID=50552 SEQ=8
> Sep 2 00:25:03 Viper kernel: Shorewall:net2fw:DROP:IN=ppp0 OUT= MAC= SRC=119.184.126.75 DST=xx.xxx.xxx.xx LEN=28 TOS=0x00 PREC=0x00 TTL=1 ID=54348 PROTO=ICMP TYPE=8 CODE=0 ID=54348 SEQ=18
> Sep 2 00:25:04 Viper kernel: Shorewall:net2fw:DROP:IN=ppp0 OUT= MAC= SRC=60.28.214.247 DST=xx.xxx.xxx.xx LEN=28 TOS=0x00 PREC=0x00 TTL=6 ID=53721 PROTO=ICMP TYPE=8 CODE=0 ID=53721 SEQ=19
> Sep 2 00:25:04 Viper kernel: Shorewall:net2fw:DROP:IN=ppp0 OUT= MAC= SRC=61.164.115.78 DST=xx.xxx.xxx.xx LEN=28 TOS=0x00 PREC=0x00 TTL=7 ID=47135 PROTO=ICMP TYPE=8 CODE=0 ID=47135 SEQ=19
> Sep 2 00:25:04 Viper kernel: Shorewall:net2fw:DROP:IN=ppp0 OUT= MAC= SRC=175.41.1.14 DST=xx.xxx.xxx.xx LEN=28 TOS=0x00 PREC=0x00 TTL=5 ID=71 PROTO=ICMP TYPE=8 CODE=0 ID=71 SEQ=11

One way to stop panicking about it is to stop calling it an attack - few pings a second is not an attack. It looks more like random machines (probably part of a botnet looking for targets) pinging addresses and just happening to hit yours.

Just don't log them, and if you are truly paranoid, drop them without replying - but don't think that gives you any element of security.

Personally, I think logging dropped/rejected inbound connections, or even in most cases accepted ones, is a waste of CPU cycles and storage space.

--
Simon Hobson
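
The rate argument in the reply above can be checked against the log itself. The following is an added example, not code from the thread or from Shorewall: it parses Shorewall drop lines in the format posted here, reports dropped echo-requests per second, and flags sources whose TTL climbs by one per probe, which is the shape of a traceroute-style path probe. The sample lines and their addresses are constructed; triage and ttl_ladder are names chosen for this example.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the log lines in this thread
# (documentation addresses; assumes all lines fall within one day).
SAMPLE = """\
Sep 2 00:25:03 fw kernel: Shorewall:net2fw:DROP:IN=ppp0 OUT= MAC= SRC=192.0.2.10 DST=203.0.113.1 LEN=28 TOS=0x00 PREC=0x00 TTL=1 ID=41486 PROTO=ICMP TYPE=8 CODE=0 ID=41486 SEQ=10
Sep 2 00:25:04 fw kernel: Shorewall:net2fw:DROP:IN=ppp0 OUT= MAC= SRC=198.51.100.7 DST=203.0.113.1 LEN=28 TOS=0x00 PREC=0x00 TTL=7 ID=42105 PROTO=ICMP TYPE=8 CODE=0 ID=42105 SEQ=19
Sep 2 00:25:07 fw kernel: Shorewall:net2fw:DROP:IN=ppp0 OUT= MAC= SRC=192.0.2.10 DST=203.0.113.1 LEN=28 TOS=0x00 PREC=0x00 TTL=2 ID=41486 PROTO=ICMP TYPE=8 CODE=0 ID=41486 SEQ=11
Sep 2 00:25:11 fw kernel: Shorewall:net2fw:DROP:IN=ppp0 OUT= MAC= SRC=198.51.100.99 DST=203.0.113.1 LEN=94 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=UDP SPT=3478 DPT=61502 LEN=74
Sep 2 00:25:11 fw kernel: Shorewall:net2fw:DROP:IN=ppp0 OUT= MAC= SRC=192.0.2.10 DST=203.0.113.1 LEN=28 TOS=0x00 PREC=0x00 TTL=3 ID=41486 PROTO=ICMP TYPE=8 CODE=0 ID=41486 SEQ=12
Sep 2 00:25:15 fw kernel: Shorewall:net2fw:DROP:IN=ppp0 OUT= MAC= SRC=192.0.2.10 DST=203.0.113.1 LEN=28 TOS=0x00 PREC=0x00 TTL=4 ID=41486 PROTO=ICMP TYPE=8 CODE=0 ID=41486 SEQ=13
"""

LINE = re.compile(
    r"(?P<h>\d\d):(?P<m>\d\d):(?P<s>\d\d) \S+ kernel: Shorewall:(?P<chain>\w+):(?P<disp>\w+):"
    r".*?SRC=(?P<src>\S+) .*?TTL=(?P<ttl>\d+) .*?PROTO=(?P<proto>\w+)(?: TYPE=(?P<type>\d+))?"
)

def parse(text):
    """Yield (seconds_of_day, src, ttl) for dropped ICMP echo-requests (type 8)."""
    for line in text.splitlines():
        m = LINE.search(line)
        if m and m["disp"] == "DROP" and m["proto"] == "ICMP" and m["type"] == "8":
            t = int(m["h"]) * 3600 + int(m["m"]) * 60 + int(m["s"])
            yield t, m["src"], int(m["ttl"])

def triage(text):
    """Return (echo-requests per second, {src: {"count", "ttl_ladder"}})."""
    events = list(parse(text))
    if not events:
        return 0.0, {}
    times = [t for t, _, _ in events]
    span = max(times) - min(times) + 1  # inclusive window in seconds
    ttls = defaultdict(list)
    for _, src, ttl in events:
        ttls[src].append(ttl)
    # Heuristic (an assumption of this example): three or more probes from one
    # source, each arriving with TTL one higher than the last.
    per_src = {
        src: {"count": len(v),
              "ttl_ladder": len(v) > 2 and all(b - a == 1 for a, b in zip(v, v[1:]))}
        for src, v in ttls.items()
    }
    return len(events) / span, per_src
```

On the constructed sample this reports well under one echo-request per second, with one source showing the TTL ladder and the UDP drop left out of the count.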