The last couple of weeks I notice a lot of annoying ICMP-messages in my firewall logs:

Shorewall:net2all:DROP:IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:50:bf:d6:ce:f9:08:00 SRC=0.0.0.0 DST=0.0.0.0 LEN=56 TOS=0x00 PREC=0x00 TTL=250 ID=34038 PROTO=ICMP TYPE=11 CODE=0 [SRC=0.0.0.0 DST=62.238.196.17 LEN=56 TOS=0x00 PREC=0x00 TTL=1 ID=54335 PROTO=ICMP TYPE=3 CODE=2 INCOMPLETE [8 bytes] ]

Could this be some kind of attack (ICMP 3 Code 2 = protocol unreachable), what is your opinion?

Thanks.

Ad Koster
lidad@zeelandnet.nl
On Friday 09 January 2004 09:29 am, Ad Koster wrote:
> The last couple of weeks I notice a lot of annoying ICMP-messages in my
> firewall logs:
>
> Shorewall:net2all:DROP:IN=eth0 OUT=
> MAC=ff:ff:ff:ff:ff:ff:00:50:bf:d6:ce:f9:08:00 SRC=0.0.0.0 DST=0.0.0.0
> LEN=56 TOS=0x00 PREC=0x00 TTL=250 ID=34038 PROTO=ICMP TYPE=11 CODE=0
> [SRC=0.0.0.0 DST=62.238.196.17 LEN=56 TOS=0x00 PREC=0x00 TTL=1 ID=54335
> PROTO=ICMP TYPE=3 CODE=2 INCOMPLETE [8 bytes] ]
>
> Could this be some kind of attack (ICMP 3 Code 2 = protocol
> unreachable), what is your opinion?

What does 'ip addr ls eth0' show on your firewall? Also 'shorewall show nat'?

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
On Friday 09 January 2004 10:05 am, Tom Eastep wrote:
> On Friday 09 January 2004 09:29 am, Ad Koster wrote:
> > The last couple of weeks I notice a lot of annoying ICMP-messages in my
> > firewall logs:
> >
> > Shorewall:net2all:DROP:IN=eth0 OUT=
> > MAC=ff:ff:ff:ff:ff:ff:00:50:bf:d6:ce:f9:08:00 SRC=0.0.0.0 DST=0.0.0.0
> > LEN=56 TOS=0x00 PREC=0x00 TTL=250 ID=34038 PROTO=ICMP TYPE=11 CODE=0
> > [SRC=0.0.0.0 DST=62.238.196.17 LEN=56 TOS=0x00 PREC=0x00 TTL=1 ID=54335
> > PROTO=ICMP TYPE=3 CODE=2 INCOMPLETE [8 bytes] ]
> >
> > Could this be some kind of attack (ICMP 3 Code 2 = protocol
> > unreachable), what is your opinion?
>
> What does 'ip addr ls eth0' show on your firewall? Also 'shorewall show
> nat'?
>

Also, do you have 'norfc1918' enabled on eth0? If so, what does your /etc/shorewall/rfc1918 file have for 0.0.0.0/7?

-Tom
On Friday 09 January 2004 10:24, Ad Koster wrote:
> On Fri, 2004-01-09 at 19:05, Tom Eastep wrote:
> > On Friday 09 January 2004 09:29 am, Ad Koster wrote:
> > > The last couple of weeks I notice a lot of annoying ICMP-messages in my
> > > firewall logs:
> > >
> > > Shorewall:net2all:DROP:IN=eth0 OUT=
> > > MAC=ff:ff:ff:ff:ff:ff:00:50:bf:d6:ce:f9:08:00 SRC=0.0.0.0 DST=0.0.0.0
> > > LEN=56 TOS=0x00 PREC=0x00 TTL=250 ID=34038 PROTO=ICMP TYPE=11 CODE=0
> > > [SRC=0.0.0.0 DST=62.238.196.17 LEN=56 TOS=0x00 PREC=0x00 TTL=1 ID=54335
> > > PROTO=ICMP TYPE=3 CODE=2 INCOMPLETE [8 bytes] ]
> > >
> > > Could this be some kind of attack (ICMP 3 Code 2 = protocol
> > > unreachable), what is your opinion?
> >
> > What does 'ip addr ls eth0' show on your firewall? Also 'shorewall show
> > nat'?
> >
> > -Tom
>
> the output of "ip add ls eth0" is:

Ok. It is difficult to understand where all of the null addresses are coming from. According to the above message, the 11,0 ICMP is in response to a 3,2 icmp with a null source address. The original destination address (62.238.196.17) isn't in your external subnet (62.238.32.0-62.238.63.255). The null IP source address on the 11,0 ICMP is also strange since I would have expected that to be the IP of your default gateway router.

I'll await a reply on my rfc1918 question before I speculate further.

-Tom
On Friday 09 January 2004 10:44 am, Tom Eastep wrote:
> On Friday 09 January 2004 10:24, Ad Koster wrote:
> > On Fri, 2004-01-09 at 19:05, Tom Eastep wrote:
> > > On Friday 09 January 2004 09:29 am, Ad Koster wrote:
> > > > The last couple of weeks I notice a lot of annoying ICMP-messages in
> > > > my firewall logs:
> > > >
> > > > Shorewall:net2all:DROP:IN=eth0 OUT=
> > > > MAC=ff:ff:ff:ff:ff:ff:00:50:bf:d6:ce:f9:08:00 SRC=0.0.0.0 DST=0.0.0.0
> > > > LEN=56 TOS=0x00 PREC=0x00 TTL=250 ID=34038 PROTO=ICMP TYPE=11 CODE=0
> > > > [SRC=0.0.0.0 DST=62.238.196.17 LEN=56 TOS=0x00 PREC=0x00 TTL=1
> > > > ID=54335 PROTO=ICMP TYPE=3 CODE=2 INCOMPLETE [8 bytes] ]
> > > >
> > > > Could this be some kind of attack (ICMP 3 Code 2 = protocol
> > > > unreachable), what is your opinion?
> > >
> > > What does 'ip addr ls eth0' show on your firewall? Also 'shorewall show
> > > nat'?
> > >
> > > -Tom
> >
> > the output of "ip add ls eth0" is:
>
> Ok. It is difficult to understand where all of the null addresses are
> coming from. According to the above message, the 11,0 ICMP is in response
> to a 3,2 icmp with a null source address. The original destination address
> (62.238.196.17) isn't in your external subnet (62.238.32.0-62.238.63.255).
> The null IP source address on the 11,0 ICMP is also strange since I would
> have expected that to be the IP of your default gateway router.
>
> I'll await a reply on my rfc1918 question before I speculate further.

Ok -- I've thought about this a bit more and here is what I think is happening.

Some box in 62.238.32.0/19 is sending a broken 3,2 ICMP to 62.238.196.17; it is broken because the source address in that packet is null. Your default gateway is broadcasting an 11,0 ICMP in response (note the "all-ones" destination MAC address in the logged packet).

I believe that you can suppress these messages by:

a) Enabling 'norfc1918' on eth0.
b) Adding "0.0.0.0 DROP" to your /etc/shorewall/rfc1918 file BEFORE "0.0.0.0/7 logdrop".

-Tom
On Friday 09 January 2004 10:58 am, Ad Koster wrote:
> On Fri, 2004-01-09 at 19:17, Tom Eastep wrote:
> > On Friday 09 January 2004 10:05 am, Tom Eastep wrote:
> > > On Friday 09 January 2004 09:29 am, Ad Koster wrote:
> > > > The last couple of weeks I notice a lot of annoying ICMP-messages in
> > > > my firewall logs:
> > > >
> > > > Shorewall:net2all:DROP:IN=eth0 OUT=
> > > > MAC=ff:ff:ff:ff:ff:ff:00:50:bf:d6:ce:f9:08:00 SRC=0.0.0.0 DST=0.0.0.0
> > > > LEN=56 TOS=0x00 PREC=0x00 TTL=250 ID=34038 PROTO=ICMP TYPE=11 CODE=0
> > > > [SRC=0.0.0.0 DST=62.238.196.17 LEN=56 TOS=0x00 PREC=0x00 TTL=1
> > > > ID=54335 PROTO=ICMP TYPE=3 CODE=2 INCOMPLETE [8 bytes] ]
> > > >
> > > > Could this be some kind of attack (ICMP 3 Code 2 = protocol
> > > > unreachable), what is your opinion?
> > >
> > > What does 'ip addr ls eth0' show on your firewall? Also 'shorewall show
> > > nat'?
> >
> > Also, do you have 'norfc1918' enabled on eth0? If so, what does your
> > /etc/shorewall/rfc1918 file have for 0.0.0.0/7?
> >
> > -Tom
>
> Tom
>
> My "/etc/shorewall/interfaces" looks like:
>
> net eth0 detect
> dhcp,routefilter,norfc1918,blacklist,tcpflags
> loc eth1 detect dhcp
>
> And rfc1918 has the default value:
>
> 0.0.0.0/7 logdrop # Reserved

Hmmm -- then I don't understand why the packet is being logged out of the 'net2all' chain rather than the 'logdrop' chain....

-Tom
On Fri, 2004-01-09 at 19:17, Tom Eastep wrote:
> On Friday 09 January 2004 10:05 am, Tom Eastep wrote:
> > On Friday 09 January 2004 09:29 am, Ad Koster wrote:
> > > The last couple of weeks I notice a lot of annoying ICMP-messages in my
> > > firewall logs:
> > >
> > > Shorewall:net2all:DROP:IN=eth0 OUT=
> > > MAC=ff:ff:ff:ff:ff:ff:00:50:bf:d6:ce:f9:08:00 SRC=0.0.0.0 DST=0.0.0.0
> > > LEN=56 TOS=0x00 PREC=0x00 TTL=250 ID=34038 PROTO=ICMP TYPE=11 CODE=0
> > > [SRC=0.0.0.0 DST=62.238.196.17 LEN=56 TOS=0x00 PREC=0x00 TTL=1 ID=54335
> > > PROTO=ICMP TYPE=3 CODE=2 INCOMPLETE [8 bytes] ]
> > >
> > > Could this be some kind of attack (ICMP 3 Code 2 = protocol
> > > unreachable), what is your opinion?
> >
> > What does 'ip addr ls eth0' show on your firewall? Also 'shorewall show
> > nat'?
> >
>
> Also, do you have 'norfc1918' enabled on eth0? If so, what does your
> /etc/shorewall/rfc1918 file have for 0.0.0.0/7?
>
> -Tom

Tom

My "/etc/shorewall/interfaces" looks like:

net eth0 detect dhcp,routefilter,norfc1918,blacklist,tcpflags
loc eth1 detect dhcp

And rfc1918 has the default value:

0.0.0.0/7 logdrop # Reserved

------------
Ad Koster
On Friday 09 January 2004 10:58 am, Ad Koster wrote:
>
> And rfc1918 has the default value:
>
> 0.0.0.0/7 logdrop # Reserved

What entries do you have *before* that one?

-Tom
On Friday 09 January 2004 10:58 am, Tom Eastep wrote:
> >
> > And rfc1918 has the default value:
> >
> > 0.0.0.0/7 logdrop # Reserved
>
> Hmmm -- then I don't understand why the packet is being logged out of the
> 'net2all' chain rather than the 'logdrop' chain....
>

More thoughts. I think that the connection-tracking state of the 11,0 is probably INVALID so the packet isn't being passed down the 'rfc1918' chain. I suggest that you try the following:

a) If you don't already have /etc/shorewall/common, then create it with the following contents:

run_iptables -A common -s 0.0.0.0 -j DROP
. /etc/shorewall/common.def

b) If you already have /etc/shorewall/common then add the above DROP rule to it before it sources /etc/shorewall/common.def (if it does).

Let me know if that works and I'll add that DROP rule automatically.

-Tom
On Fri, 2004-01-09 at 19:58, Tom Eastep wrote:
> On Friday 09 January 2004 10:58 am, Ad Koster wrote:
> > On Fri, 2004-01-09 at 19:17, Tom Eastep wrote:
> > > On Friday 09 January 2004 10:05 am, Tom Eastep wrote:
> > > > On Friday 09 January 2004 09:29 am, Ad Koster wrote:
> > > > > The last couple of weeks I notice a lot of annoying ICMP-messages in
> > > > > my firewall logs:
> > > > >
> > > > > Shorewall:net2all:DROP:IN=eth0 OUT=
> > > > > MAC=ff:ff:ff:ff:ff:ff:00:50:bf:d6:ce:f9:08:00 SRC=0.0.0.0 DST=0.0.0.0
> > > > > LEN=56 TOS=0x00 PREC=0x00 TTL=250 ID=34038 PROTO=ICMP TYPE=11 CODE=0
> > > > > [SRC=0.0.0.0 DST=62.238.196.17 LEN=56 TOS=0x00 PREC=0x00 TTL=1
> > > > > ID=54335 PROTO=ICMP TYPE=3 CODE=2 INCOMPLETE [8 bytes] ]
> > > > >
> > > > > Could this be some kind of attack (ICMP 3 Code 2 = protocol
> > > > > unreachable), what is your opinion?
> > > >
> > > > What does 'ip addr ls eth0' show on your firewall? Also 'shorewall show
> > > > nat'?
> > >
> > > Also, do you have 'norfc1918' enabled on eth0? If so, what does your
> > > /etc/shorewall/rfc1918 file have for 0.0.0.0/7?
> > >
> > > -Tom
> >
> > Tom
> >
> > My "/etc/shorewall/interfaces" looks like:
> >
> > net eth0 detect
> > dhcp,routefilter,norfc1918,blacklist,tcpflags
> > loc eth1 detect dhcp
> >
> > And rfc1918 has the default value:
> >
> > 0.0.0.0/7 logdrop # Reserved
>
> Hmmm -- then I don't understand why the packet is being logged out of the
> 'net2all' chain rather than the 'logdrop' chain....
>
> -Tom

Tom,

No there are no non-default entries in my /etc/shorewall/rfc1918-file:

255.255.255.255 RETURN  # We need to allow limited broadcast
169.254.0.0/16  DROP    # DHCP autoconfig
172.16.0.0/12   logdrop # RFC 1918
192.0.2.0/24    logdrop # Example addresses (RFC 3330)
192.168.0.0/16  logdrop # RFC 1918
#
# The following are generated with the help of the Python program found at:
#
# http://www.shorewall.net/pub/shorewall/contrib/iana_reserved/
#
# The program was contributed by Andy Wiggin
#
0.0.0.0/7       logdrop # Reserved
2.0.0.0/8       logdrop # Reserved
5.0.0.0/8       logdrop # Reserved
7.0.0.0/8       logdrop # Reserved
10.0.0.0/8      logdrop # Reserved
23.0.0.0/8      logdrop # Reserved
27.0.0.0/8      logdrop # Reserved

Ad Koster
On Fri, 2004-01-09 at 20:27, Tom Eastep wrote:
> On Friday 09 January 2004 10:58 am, Tom Eastep wrote:
> > > >
> > > > And rfc1918 has the default value:
> > > >
> > > > 0.0.0.0/7 logdrop # Reserved
> > >
> > > Hmmm -- then I don't understand why the packet is being logged out of the
> > > 'net2all' chain rather than the 'logdrop' chain....
> > >
>
> More thoughts. I think that the connection-tracking state of the 11,0 is
> probably INVALID so the packet isn't being passed down the 'rfc1918' chain. I
> suggest that you try the following:
>
> a) If you don't already have /etc/shorewall/common, then create it with the
> following contents:
>
> run_iptables -A common -s 0.0.0.0 -j DROP
> . /etc/shorewall/common.def
>
> b) If you already have /etc/shorewall/common then add the above DROP rule to
> it before it sources /etc/shorewall/common.def (if it does).
>
> Let me know if that works and I'll add that DROP rule automatically.
> -Tom

Thanks Tom, so far this seems to solve the "problem".

Ad Koster
On Fri, 2004-01-09 at 19:05, Tom Eastep wrote:
> On Friday 09 January 2004 09:29 am, Ad Koster wrote:
> > The last couple of weeks I notice a lot of annoying ICMP-messages in my
> > firewall logs:
> >
> > Shorewall:net2all:DROP:IN=eth0 OUT=
> > MAC=ff:ff:ff:ff:ff:ff:00:50:bf:d6:ce:f9:08:00 SRC=0.0.0.0 DST=0.0.0.0
> > LEN=56 TOS=0x00 PREC=0x00 TTL=250 ID=34038 PROTO=ICMP TYPE=11 CODE=0
> > [SRC=0.0.0.0 DST=62.238.196.17 LEN=56 TOS=0x00 PREC=0x00 TTL=1 ID=54335
> > PROTO=ICMP TYPE=3 CODE=2 INCOMPLETE [8 bytes] ]
> >
> > Could this be some kind of attack (ICMP 3 Code 2 = protocol
> > unreachable), what is your opinion?
>
> What does 'ip addr ls eth0' show on your firewall? Also 'shorewall show nat'?
>
> -Tom

Tom,

I added the rule to /etc/shorewall/common and so far this solves the "problem"

Thanks

Ad Koster
On Friday 09 January 2004 12:13 pm, Ad Koster wrote:
> On Fri, 2004-01-09 at 19:05, Tom Eastep wrote:
> > On Friday 09 January 2004 09:29 am, Ad Koster wrote:
> > > The last couple of weeks I notice a lot of annoying ICMP-messages in my
> > > firewall logs:
> > >
> > > Shorewall:net2all:DROP:IN=eth0 OUT=
> > > MAC=ff:ff:ff:ff:ff:ff:00:50:bf:d6:ce:f9:08:00 SRC=0.0.0.0 DST=0.0.0.0
> > > LEN=56 TOS=0x00 PREC=0x00 TTL=250 ID=34038 PROTO=ICMP TYPE=11 CODE=0
> > > [SRC=0.0.0.0 DST=62.238.196.17 LEN=56 TOS=0x00 PREC=0x00 TTL=1 ID=54335
> > > PROTO=ICMP TYPE=3 CODE=2 INCOMPLETE [8 bytes] ]
> > >
> > > Could this be some kind of attack (ICMP 3 Code 2 = protocol
> > > unreachable), what is your opinion?
> >
> > What does 'ip addr ls eth0' show on your firewall? Also 'shorewall show
> > nat'?
> >
> > -Tom
>
> Tom,
>
> I added the rule to /etc/shorewall/common and so far this solves the
> "problem"
>

Thanks, Ad.

I've added the following to common.def for 1.4.9:

############################################################################
# ICMP -- Silently drop null-address ICMPs
#
run_iptables -A common -p icmp -s 0.0.0.0 -j DROP

-Tom
On Friday 09 January 2004 12:20 pm, Tom Eastep wrote:
>
> I've added the following to common.def for 1.4.9:
>
> ###########################################################################
> # ICMP -- Silently drop null-address ICMPs
> #
> run_iptables -A common -p icmp -s 0.0.0.0 -j DROP
>

Make that:

###########################################################################
# ICMP -- Silently drop null-address ICMPs
#
run_iptables -A common -p icmp -s 0.0.0.0 -j DROP
run_iptables -A common -p icmp -d 0.0.0.0 -j DROP

-Tom
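As an added example (not code from the thread, from Shorewall, or from either poster), here is a small Python triage helper for the netfilter LOG line Ad posted: it splits the outer 11/0 packet from the embedded 3/2 header that Tom walked through, flags the all-ones destination MAC he noted, and reports whether the packet would match the two null-address ICMP rules Tom finally put in common.def. The log line and the field names are taken from the thread; the helper names and the embedded sample are assumptions constructed here.

```python
import re
from ipaddress import ip_address

# Constructed copy of the log line quoted in the thread. OUT= is empty in
# netfilter LOG output; MAC= is dst-mac, src-mac and ethertype run together.
LOG_LINE = ("Shorewall:net2all:DROP:IN=eth0 OUT= "
            "MAC=ff:ff:ff:ff:ff:ff:00:50:bf:d6:ce:f9:08:00 "
            "SRC=0.0.0.0 DST=0.0.0.0 LEN=56 TOS=0x00 PREC=0x00 TTL=250 ID=34038 "
            "PROTO=ICMP TYPE=11 CODE=0 [SRC=0.0.0.0 DST=62.238.196.17 LEN=56 "
            "TOS=0x00 PREC=0x00 TTL=1 ID=54335 PROTO=ICMP TYPE=3 CODE=2 "
            "INCOMPLETE [8 bytes] ]")

# Only the two ICMP type/code pairs the thread discusses.
ICMP_NAMES = {(3, 2): "destination unreachable: protocol unreachable",
              (11, 0): "time exceeded: TTL exceeded in transit"}
FIELD_RE = re.compile(r"\b([A-Z]+)=(\S*)")

def parse_netfilter_log(line):
    """Log prefix, outer IP/ICMP fields and, for ICMP errors, the embedded
    original header that netfilter prints inside [...]."""
    prefix, _, rest = line.partition("IN=")
    rest, inner = "IN=" + rest, None
    m = re.search(r"\[(SRC=.*)\]\s*$", rest)  # greedy: up to the last ']'
    if m:
        inner = dict(FIELD_RE.findall(m.group(1)))
        inner["INCOMPLETE"] = "INCOMPLETE" in m.group(1)  # payload truncated
        rest = rest[:m.start()]
    return {"prefix": prefix.rstrip(":"),
            "outer": dict(FIELD_RE.findall(rest)), "inner": inner}

def icmp_name(fields):
    return ICMP_NAMES.get((int(fields["TYPE"]), int(fields["CODE"])), "other")

def null_address_icmp(rec):
    """Would the outer packet match Tom's common.def rules (-p icmp with
    -s 0.0.0.0 or -d 0.0.0.0)?"""
    o = rec["outer"]
    return o.get("PROTO") == "ICMP" and any(
        ip_address(o[k]).is_unspecified for k in ("SRC", "DST") if k in o)

def is_link_broadcast(rec):
    """First six octets of MAC= are the destination MAC; all-ones = broadcast."""
    return rec["outer"].get("MAC", "").startswith("ff:ff:ff:ff:ff:ff:")

def describe(rec):
    o, i = rec["outer"], rec["inner"]
    text = f"{rec['prefix']} {o['SRC']} -> {o['DST']} ICMP {o['TYPE']}/{o['CODE']} ({icmp_name(o)})"
    if i:
        text += f", in response to {i['SRC']} -> {i['DST']} ICMP {i['TYPE']}/{i['CODE']} ({icmp_name(i)})"
    return text
```

Calling `describe(parse_netfilter_log(LOG_LINE))` renders the logged packet as an 11/0 error carrying the original 3/2 with a null source, which is the reading Tom arrived at; a normal echo request on the same interface is parsed but not flagged.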