Hi, I have Debian Woody + Iptables 1.28 + shorewall 1.48

Sometimes I get this error on my server screen:

Jan 27 04:50:44 server kernel: xx.xxx.xxx.xx (<- my IP ) sent an invalid ICMP type 3, code 13 error to a broadcast: 255.255.255.255 on ppp0

It appears 3 times every time, and afterwards my connection goes very slow.

Can somebody help me? Is it a shorewall configuration error?

thanks
On Tuesday 27 January 2004 11:47 am, Salvatore wrote:
> Hi, I have Debian Woody + Iptables 1.28 + shorewall 1.48
>
> Sometimes I got that error on my server screen:
>
> Jan 27 04:50:44 server kernel: xx.xxx.xxx.xx (<- my IP ) sent an invalid
> ICMP type 3, code 13 error to a broadcast: 255.255.255.255 on ppp0
>
> It appears everytime for 3 times, and after my connection goes very slow.
>
> Somebody can help me ? Is a shorewall configuration error ?
>

The fundamental error is that the host that your ppp0 connects to is sending broadcasts over a non-broadcast link. If ppp0 is your internet link, try adding this as the first rule in your /etc/shorewall/rules file:

DROP net fw:255.255.255.255 all

-Tom
--
Tom Eastep       \ Nothing is foolproof to a sufficiently talented fool
Shoreline,        \ http://shorewall.net
Washington USA     \ teastep@shorewall.net
John S. Andersen
2004-Jan-27 20:38 UTC
Re: invalid ICMP type 3, code 13 error to a broadcast
On 27 Jan 2004 at 11:55, Tom Eastep wrote:
> On Tuesday 27 January 2004 11:47 am, Salvatore wrote:
> > Hi, I have Debian Woody + Iptables 1.28 + shorewall 1.48
> >
> > Sometimes I got that error on my server screen:
> >
> > Jan 27 04:50:44 server kernel: xx.xxx.xxx.xx (<- my IP ) sent an
> > invalid ICMP type 3, code 13 error to a broadcast: 255.255.255.255
> > on ppp0
> >
> > It appears everytime for 3 times, and after my connection goes very
> > slow.
> >
> > Somebody can help me ? Is a shorewall configuration error ?
> >
>
> The fundamental error is that the host that your ppp0 connects to is
> sending broadcasts over a non-broadcast link. If ppp0 is your internet
> link, try adding this as the first rule in your /etc/shorewall/rules
> file:
>
> DROP net fw:255.255.255.255 all
>
> -Tom

Tom:

I see these too (every two minutes), but the source IP is not any of mine. I was able to sniff one of these packets and obtain the MAC address of its source, and it came from somewhere on the cable modem, not from any of my in-house machines. The IP reported was a rfc1819 IP in a range I don't use. (People in this area will configure rfc1819 subnets on the cable modem system to link two sites that are located on the same cable modem head-end controller. Apparently this is done with a wink and a nod from the cable company, as this traffic never goes beyond the head-end controller.) The MAC address implied a Linksys router was involved.

Salvatore seemed to imply that this errant ping originated on his own machine (maybe I misread his editing of the message).

Is this some sort of smurf attack? Sending a ping to a broadcast would cause every machine not filtering the packets to respond, would it not (thereby explaining Salvatore's slowdown)?

--
______________________________________
John Andersen
NORCOM / Juneau, Alaska
http://www.screenio.com/
(907) 790-3386
._______________________________________
John S. Andersen
NORCOM mailto:JAndersen@norcomsoftware.com
Juneau, Alaska http://www.screenio.com/
On Tuesday 27 January 2004 12:38 pm, John S. Andersen wrote:
>
> Salvatore seemed to imply that this errant ping originated on his own
> machine (maybe I misread his editing of the message).

The errant packet isn't a ping but rather a "Communication Administratively Prohibited" ICMP. Shorewall can generate those out of the 'reject' chain under newer kernels.

>
> Is this some sort of smurf attack? Sending a ping to a broadcase
> would cause every machine not filtering the packets to respond
> would it not (thereby explaining Salvatore's slowdown)?

I've added some code to 1.4.10 that attempts to avoid sending any ICMP response to a broadcast or multicast packet.

-Tom
--
Tom Eastep       \ Nothing is foolproof to a sufficiently talented fool
Shoreline,        \ http://shorewall.net
Washington USA     \ teastep@shorewall.net
> Is this some sort of smurf attack? Sending a ping to a broadcase
> would cause every machine not filtering the packets to respond
> would it not (thereby explaining Salvatore's slowdown)?

Yes, it's possible; I get many DDoS and smurf attacks on this machine. In this case, is Tom's solution correct?
On Tuesday 27 January 2004 01:16 pm, Salvatore wrote:
> > Is this some sort of smurf attack? Sending a ping to a broadcase
> > would cause every machine not filtering the packets to respond
> > would it not (thereby explaining Salvatore's slowdown)?
>
> Yes, it's possibile, I have many ddos and smurf attaks this my machine.
>
> In this case is it correct the Tom solution ?
>

You might also add:

DROP net:255.255.255.255 fw all

After a while, see which rule is getting hit.

-Tom
--
Tom Eastep       \ Nothing is foolproof to a sufficiently talented fool
Shoreline,        \ http://shorewall.net
Washington USA     \ teastep@shorewall.net
On Tuesday 27 January 2004 01:30 pm, Tom Eastep wrote:
> On Tuesday 27 January 2004 01:16 pm, Salvatore wrote:
> > > Is this some sort of smurf attack? Sending a ping to a broadcase
> > > would cause every machine not filtering the packets to respond
> > > would it not (thereby explaining Salvatore's slowdown)?
> >
> > Yes, it's possibile, I have many ddos and smurf attaks this my machine.
> >
> > In this case is it correct the Tom solution ?
>
> You might also add:
>
> DROP net:255.255.255.255 fw all
>
> After a while, see which rule is getting hit.

I suspect that I misread the original post and that the original packet was probably a smurf. I've added some more code to 1.4.10 to silently drop smurf packets in the 'reject' chain.

-Tom
--
Tom Eastep       \ Nothing is foolproof to a sufficiently talented fool
Shoreline,        \ http://shorewall.net
Washington USA     \ teastep@shorewall.net
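As an added example, not code from this thread or from Shorewall: a small Python checker that parses the kernel warning Salvatore quoted out of a syslog file, groups it by source address and interface, flags sources that emit several in a short window (the "3 times" and "every two minutes" patterns described above), and notes whether the source sits in private RFC 1918 space, as John observed on his cable segment. The sample log lines and addresses are constructed.

```python
import re, ipaddress
from collections import defaultdict
from datetime import datetime
# Matches the kernel warning quoted in the thread (an ICMP error aimed at a broadcast).
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ kernel: (?P<src>[\d.]+) sent an "
    r"invalid ICMP type (?P<type>\d+), code (?P<code>\d+) error to a "
    r"broadcast: (?P<dst>[\d.]+) on (?P<iface>\S+)$"
)
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_line(line, year=2004):
    """Return the fields of one matching kernel line, or None for any other line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S"),
        "src": m["src"], "type": int(m["type"]), "code": int(m["code"]),
        "dst": m["dst"], "iface": m["iface"],
        # John's observation: a private-range source on the internet link is not ours.
        "private_src": any(ipaddress.ip_address(m["src"]) in n for n in RFC1918),
    }

def find_bursts(lines, min_count=3, window_s=300):
    """Group events by (source, interface); flag groups with min_count events inside window_s seconds."""
    groups = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev:
            groups[(ev["src"], ev["iface"])].append(ev)
    flagged = {}
    for key, evs in groups.items():
        evs.sort(key=lambda e: e["ts"])
        for i in range(len(evs) - min_count + 1):
            if (evs[i + min_count - 1]["ts"] - evs[i]["ts"]).total_seconds() <= window_s:
                flagged[key] = {"count": len(evs), "private_src": evs[0]["private_src"]}
                break
    return flagged

# Constructed sample log; addresses are documentation/private ranges, not real hosts.
SAMPLE = [
    "Jan 27 04:50:44 server kernel: 192.0.2.10 sent an invalid ICMP type 3, code 13 error to a broadcast: 255.255.255.255 on ppp0",
    "Jan 27 04:50:45 server kernel: 192.0.2.10 sent an invalid ICMP type 3, code 13 error to a broadcast: 255.255.255.255 on ppp0",
    "Jan 27 04:50:46 server kernel: 192.0.2.10 sent an invalid ICMP type 3, code 13 error to a broadcast: 255.255.255.255 on ppp0",
    "Jan 27 04:52:46 server kernel: 10.9.8.7 sent an invalid ICMP type 3, code 13 error to a broadcast: 255.255.255.255 on eth0",
    "Jan 27 04:54:46 server kernel: 10.9.8.7 sent an invalid ICMP type 3, code 13 error to a broadcast: 255.255.255.255 on eth0",
    "Jan 27 04:56:46 server kernel: 10.9.8.7 sent an invalid ICMP type 3, code 13 error to a broadcast: 255.255.255.255 on eth0",
    "Jan 27 04:57:00 server kernel: ppp0: link is up",
]
```

Run it over a real syslog with `find_bursts(open("/var/log/messages"))`; a flagged public source on the internet link matches Salvatore's case, a flagged private source matches John's.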