Nachman Yaakov Ziskind
2003-Sep-23 11:07 UTC
[Shorewall-users] Tracing back Martian packets
... lately (three weeks or so), I've been getting THOUSANDS of hits daily from rfc1918 addresses, e.g.:

Sep 23 13:22:36 yoreach kernel: Shorewall:logdrop:DROP:IN=eth0 OUT=eth2 SRC=10.6.17.240 DST=10.1.2.2 LEN=78 TOS=0x00 PREC=0x00 TTL=114 ID=13689 PROTO=UDP SPT=1027 DPT=137 LEN=58
Sep 23 13:22:36 yoreach kernel: Shorewall:logdrop:DROP:IN=eth0 OUT=eth2 SRC=10.6.17.240 DST=10.1.2.2 LEN=78 TOS=0x00 PREC=0x00 TTL=114 ID=13689 PROTO=UDP SPT=1027 DPT=137 LEN=58
Sep 23 13:22:36 yoreach kernel: Shorewall:logdrop:DROP:IN=eth0 OUT=eth2 SRC=10.6.17.240 DST=10.1.2.2 LEN=78 TOS=0x00 PREC=0x00 TTL=114 ID=13689 PROTO=UDP SPT=1027 DPT=137 LEN=58

My ISP, when asked for help on stopping these attacks, told me:

[...]
"Additionally, the source ip 10.6.17.240 does not reside on the Cogent network. More than likely, that ip address is either spoofed or has been altered to hide the actual host.

"Without an accurate source ip we have the same to [sic] two options as last time. 1) We can null route your ip - no traffic comes or goes. Many times this ends the attack. 2) You can thwart this attack with your firewall. Possibly block port 137 or the 10.6.x.x net block.

"As we discussed last time, Cogent does not support packet filtering. Usually that is handled on the customer's side, normally by a firewall."
[...]

Basically, I've been left to fend for myself. So, I was wondering if there was anything I could develop on my end (I'm running Shorewall 1.4.4b) to glean more information about the attacker(s) ...

-- 
_________________________________________
Nachman Yaakov Ziskind, EA, LLM                awacs@egps.com
Attorney and Counselor-at-Law                  http://ziskind.us
Economic Group Pension Services                http://egps.com
Actuaries and Employee Benefit Consultants
On Tue, 2003-09-23 at 11:07, Nachman Yaakov Ziskind wrote:

> Basically, I've been left to fend for myself. So, I was wondering
> if there was anything I could develop on my end (I'm running
> Shorewall 1.4.4b) to glean more information about the
> attacker(s) ...

I personally would modify my rfc1918 file to not log that source address.

Are the messages you posted the raw messages from your log or are they produced by "shorewall show log"? If the latter, you might look at the raw log; if you are lucky, there will be a MAC address logged (and the address isn't the address of your ISP's router).

-Tom
-- 
Nothing is foolproof to a sufficiently talented fool
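As an added illustration (not code from this thread or from Shorewall itself), the script below does the triage Tom suggests over the kernel log: it parses the netfilter KEY=VALUE fields out of each syslog line, keeps only drops whose SRC falls in an RFC 1918 block, tallies them per source/protocol/port, and pulls the sending MAC out of any MAC= field that is present. The three 10.6.17.240 lines are the ones from the original post; the fourth line carrying a MAC= field, the 198.51.100.7 line and the sshd line are constructed for the example, as are the MAC values in them.

```python
import ipaddress
import re
from collections import Counter

# RFC 1918 private ranges. A packet arriving on the Internet-facing
# interface with one of these as SRC is unanswerable and, per RFC 1918,
# should not have been forwarded to us by an upstream router.
RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# netfilter log body: "Shorewall:logdrop:DROP:IN=eth0 OUT=eth2 SRC=..."
LINE_RE = re.compile(r"kernel:\s*(?P<prefix>[\w:]*?)(?P<body>IN=.*)$")
FIELD_RE = re.compile(r"(\w+)=(\S*)")


def parse_netfilter_line(line):
    """Return a dict of the KEY=VALUE fields of a Shorewall/netfilter log
    line, plus the log prefix under 'prefix'; None for non-netfilter lines.
    LEN= appears twice (IP total length, then UDP length); the second copy
    is stored as 'LEN_' so neither value is lost."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    rec = {"prefix": m.group("prefix").rstrip(":")}
    for key, val in FIELD_RE.findall(m.group("body")):
        while key in rec:
            key += "_"
        rec[key] = val
    return rec


def is_rfc1918(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def sender_mac(rec):
    """netfilter's MAC= field is dst-MAC(6):src-MAC(6):ethertype(2).
    The source half identifies the last hop that handed us the frame,
    which on a routed link is usually the ISP's router, not the spoofer."""
    mac = rec.get("MAC")
    if not mac:
        return None
    octets = mac.split(":")
    if len(octets) < 12:
        return None
    return ":".join(octets[6:12])


def summarize(lines):
    """Count dropped packets with a private SRC, keyed by
    (SRC, PROTO, DPT), and collect any sender MACs seen."""
    counts = Counter()
    macs = Counter()
    for line in lines:
        rec = parse_netfilter_line(line)
        if rec is None or "SRC" not in rec or not is_rfc1918(rec["SRC"]):
            continue
        counts[(rec["SRC"], rec.get("PROTO"), rec.get("DPT"))] += 1
        mac = sender_mac(rec)
        if mac:
            macs[mac] += 1
    return counts, macs


# Three lines from the original post, then three constructed lines.
SAMPLE_LOG = [
    "Sep 23 13:22:36 yoreach kernel: Shorewall:logdrop:DROP:IN=eth0 OUT=eth2 SRC=10.6.17.240 DST=10.1.2.2 LEN=78 TOS=0x00 PREC=0x00 TTL=114 ID=13689 PROTO=UDP SPT=1027 DPT=137 LEN=58",
    "Sep 23 13:22:36 yoreach kernel: Shorewall:logdrop:DROP:IN=eth0 OUT=eth2 SRC=10.6.17.240 DST=10.1.2.2 LEN=78 TOS=0x00 PREC=0x00 TTL=114 ID=13689 PROTO=UDP SPT=1027 DPT=137 LEN=58",
    "Sep 23 13:22:36 yoreach kernel: Shorewall:logdrop:DROP:IN=eth0 OUT=eth2 SRC=10.6.17.240 DST=10.1.2.2 LEN=78 TOS=0x00 PREC=0x00 TTL=114 ID=13689 PROTO=UDP SPT=1027 DPT=137 LEN=58",
    # constructed: same flow, but the raw log carried a MAC= field (values invented)
    "Sep 23 13:22:37 yoreach kernel: Shorewall:logdrop:DROP:IN=eth0 OUT=eth2 MAC=00:0c:29:aa:bb:cc:00:d0:b7:11:22:33:08:00 SRC=10.6.17.240 DST=10.1.2.2 LEN=78 TOS=0x00 PREC=0x00 TTL=114 ID=13690 PROTO=UDP SPT=1027 DPT=137 LEN=58",
    # constructed: a public (documentation-range) source, ignored by the RFC 1918 filter
    "Sep 23 13:22:38 yoreach kernel: Shorewall:logdrop:DROP:IN=eth0 OUT=eth2 SRC=198.51.100.7 DST=10.1.2.2 LEN=78 TOS=0x00 PREC=0x00 TTL=50 ID=4242 PROTO=UDP SPT=1027 DPT=137 LEN=58",
    # constructed: unrelated syslog noise
    "Sep 23 13:22:39 yoreach sshd[123]: Accepted publickey for root from 10.1.2.3",
]

if __name__ == "__main__":
    counts, macs = summarize(SAMPLE_LOG)
    for (src, proto, dpt), n in counts.most_common():
        print(f"{n:6d}  {src:15s} {proto}/{dpt}")
    if macs:
        print("sender MACs seen:", dict(macs))
    else:
        print("no MAC= field in these lines; check the raw log or 'arp -na'")
```

Run it against /var/log/messages instead of SAMPLE_LOG to get a per-source, per-port tally and, if the kernel logged one, the MAC of whatever device put the frame on your external segment. As Tom notes, on a routed upstream that MAC is normally the ISP's router and does not identify the spoofing host; its value is in proving to the ISP which of their interfaces the packets came through.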
Nachman Yaakov Ziskind
2003-Sep-23 12:21 UTC
[Shorewall-users] Tracing back Martian packets
> Message: 6
> Date: 23 Sep 2003 11:39:41 -0700
> From: Tom Eastep <teastep@shorewall.net>
> On Tue, 2003-09-23 at 11:07, Nachman Yaakov Ziskind wrote:
>
> > Basically, I've been left to fend for myself. So, I was wondering
> > if there was anything I could develop on my end (I'm running
> > Shorewall 1.4.4b) to glean more information about the
> > attacker(s) ...
>
> I personally would modify my rfc1918 file to not log that source
> address.

IOW, just ignore it? *sigh* Maybe I should. But I get a LOT of them, sometimes several packets a second, and I'm wondering if my tiny little firewall (Bering LEAF v1.0) is getting overwhelmed.

> Are the messages you posted the raw messages from your log or are they
> produced by "shorewall show log"? If the latter, you might look at the
> raw log; if you are lucky, there will be a MAC address logged (and the
> address isn't the address of your ISP's router).
>
> -Tom

Alas, no luck. Those are from /var/log/messages.

Suppose I'm looking at the firewall in the *middle of an attack*. Might other information be gleaned then? I'm just fishing for ideas.

By the by, I complained loud and long to Cogent's NOC and finally got the head of it, a Mr. Larry Collins. I mentioned the rfc1918 thing - "How do your routers pass such packets?" - and he opined that routers which are rfc1918 compliant are not required to drop such packets; says he, only the destination address is important in this respect; the fact that the source address is a private one matters not a whit.

Is he correct?

Thanks!

-- 
_________________________________________
Nachman Yaakov Ziskind, EA, LLM                awacs@egps.com
Attorney and Counselor-at-Law                  http://ziskind.us
Economic Group Pension Services                http://egps.com
Actuaries and Employee Benefit Consultants
On Tue, 23 Sep 2003, Nachman Yaakov Ziskind wrote:

> > Message: 6
> > Date: 23 Sep 2003 11:39:41 -0700
> > From: Tom Eastep <teastep@shorewall.net>
> > On Tue, 2003-09-23 at 11:07, Nachman Yaakov Ziskind wrote:
> >
> > > Basically, I've been left to fend for myself. So, I was wondering
> > > if there was anything I could develop on my end (I'm running
> > > Shorewall 1.4.4b) to glean more information about the
> > > attacker(s) ...
> >
> > I personally would modify my rfc1918 file to not log that source
> > address.
>
> IOW, just ignore it? *sigh* Maybe I should. But I get a LOT of them,
> sometimes several packets a second, and I'm wondering if my tiny little
> firewall (Bering LEAF v1.0) is getting overwhelmed.
>
> > Are the messages you posted the raw messages from your log or are they
> > produced by "shorewall show log"? If the latter, you might look at the
> > raw log; if you are lucky, there will be a MAC address logged (and the
> > address isn't the address of your ISP's router).
> >
> > -Tom
>
> Alas, no luck. Those are from /var/log/messages.
>
> Suppose I'm looking at the firewall in the *middle of an attack*. Might
> other information be gleaned then? I'm just fishing for ideas.
>

You can use tcpdump to capture the traffic during an attack. Also, look at "arp -na" on your firewall; that will also show the MAC of the device that is sending you these packets (again, it may be your ISP's router).

> By the by, I complained loud and long to Cogent's NOC and finally got the head
> of it, a Mr. Larry Collins. I mentioned the rfc1918 thing - "How do your
> routers pass such packets?" - and he opined that routers which are rfc1918
> compliant are not required to drop such packets; says he, only the destination
> address is important in this respect; the fact that the source address is a
> private one matters not a whit.
>
> Is he correct?
>

Yes.

-Tom
-- 
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
> > Alas, no luck. Those are from /var/log/messages.
> >
> > Suppose I'm looking at the firewall in the *middle of an attack*. Might
> > other information be gleaned then? I'm just fishing for ideas.
>
> You can use tcpdump to capture the traffic during an attack. Also, look at
> "arp -na" on your firewall; that will also show the MAC of device that is
> sending you these packets (again, it may be your ISP's router).

You can also use Ethereal if you have X installed. It has helped me to trace some odd behavior that Tom helped me to fix.

If you want to just capture packets from this single IP address, set the capture filter to be 'host 10.6.17.240'. If you want to do a block, set the capture filter to be 'net 10.6.17.0/24'. Ethereal provides MAC address info.

You can set it up to capture x packets or capture for x seconds. So, you could leave it running and not have to be in the middle of an attack.

Good luck!
On Tue, 2003-09-23 at 13:08, Scott Jibben wrote:

> > > Alas, no luck. Those are from /var/log/messages.
> > >
> > > Suppose I'm looking at the firewall in the *middle of an attack*. Might
> > > other information be gleaned then? I'm just fishing for ideas.
> >
> > You can use tcpdump to capture the traffic during an attack. Also, look at
> > "arp -na" on your firewall; that will also show the MAC of device that is
> > sending you these packets (again, it may be your ISP's router).
>
> You can also use Ethereal if you have X installed.

Nachman runs LEAF Bering (router on a floppy disk) -- no X environment.

-Tom
-- 
Nothing is foolproof to a sufficiently talented fool
Nachman Yaakov Ziskind typed (on Tue, Sep 23, 2003 at 03:21:16PM -0400):

| > Message: 6
| > Date: 23 Sep 2003 11:39:41 -0700
| > From: Tom Eastep <teastep@shorewall.net>
| > On Tue, 2003-09-23 at 11:07, Nachman Yaakov Ziskind wrote:
| >
| > > Basically, I've been left to fend for myself. So, I was wondering
| > > if there was anything I could develop on my end (I'm running
| > > Shorewall 1.4.4b) to glean more information about the
| > > attacker(s) ...
| >
| > I personally would modify my rfc1918 file to not log that source
| > address.
|
| IOW, just ignore it? *sigh* Maybe I should. But I get a LOT of them,
| sometimes several packets a second, and I'm wondering if my tiny little
| firewall (Bering LEAF v1.0) is getting overwhelmed.
|
| > Are the messages you posted the raw messages from your log or are they
| > produced by "shorewall show log"? If the latter, you might look at the
| > raw log; if you are lucky, there will be a MAC address logged (and the
| > address isn't the address of your ISP's router).
| >
| > -Tom
|
| Alas, no luck. Those are from /var/log/messages.
|
| Suppose I'm looking at the firewall in the *middle of an attack*. Might
| other information be gleaned then? I'm just fishing for ideas.
|
| By the by, I complained loud and long to Cogent's NOC and finally got the head
| of it, a Mr. Larry Collins. I mentioned the rfc1918 thing - "How do your
| routers pass such packets?" - and he opined that routers which are rfc1918
| compliant are not required to drop such packets; says he, only the destination
| address is important in this respect; the fact that the source address is a
| private one matters not a whit.
|
| Is he correct?

RFC1918 seems unambiguous to me when it says:

    Because private addresses have no global meaning, routing information
    about private networks shall not be propagated on inter-enterprise
    links, and packets with private source or destination addresses
    should not be forwarded across such links.

-- 
JP
On Tue, 2003-09-23 at 13:19, Jean-Pierre Radley wrote:

> |
> | By the by, I complained loud and long to Cogent's NOC and finally got the head
> | of it, a Mr. Larry Collins. I mentioned the rfc1918 thing - "How do your
> | routers pass such packets?" - and he opined that routers which are rfc1918
> | compliant are not required to drop such packets; says he, only the destination
> | address is important in this respect; the fact that the source address is a
> | private one matters not a whit.
> |
> | Is he correct?
>
> RFC1918 seems unambiguous to me when it says:
>
>     Because private addresses have no global meaning, routing information
>     about private networks shall not be propagated on inter-enterprise
>     links, and packets with private source or destination addresses
>     should not be forwarded across such links.

I stand corrected.

Thanks,
-Tom
-- 
Nothing is foolproof to a sufficiently talented fool