I am experiencing a strange situation where I am being flooded with ICMP 11,3s from a site in Poland. The original packet is reported as a "ping" (ICMP 8,0) with SRC=192.168.0.1 DST=192.168.0.200!! While I never attribute to malice that which can be explained as stupidity, the result is that my log is expanding at a fearsome rate.

What's worse, since Netfilter connection tracking classifies these as INVALID and I have BLACKLISTNEWONLY=Yes, the packets aren't passed through the blacklisting chains. As a consequence, I can't simply blacklist the packet source.

The attached patch (which will be in RC2) corrects this so that INVALID packets are also passed through the blacklists. It should apply (with offsets/fuzz) to all recent Shorewall versions.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
On Thursday, 17 June 2004 21:38, Tom Eastep wrote:
> I am experiencing a strange situation where I am being flooded with ICMP
> 11,3s from a site in Poland. The original packet is reported as a "ping"
> (ICMP 8,0) with SRC=192.168.0.1 DST=192.168.0.200!! While I never
> attribute to malice that which can be explained as stupidity, the result
> is that my log is expanding at a fearsome rate.

Tom;

I learned 192.168.x.x is not routable and will never leave the local network?

kp
K.-P. Kirchdörfer wrote:
> On Thursday, 17 June 2004 21:38, Tom Eastep wrote:
>
>> I am experiencing a strange situation where I am being flooded with ICMP
>> 11,3s from a site in Poland. The original packet is reported as a "ping"
>> (ICMP 8,0) with SRC=192.168.0.1 DST=192.168.0.200!! While I never
>> attribute to malice that which can be explained as stupidity, the result
>> is that my log is expanding at a fearsome rate.
>
> Tom;
>
> I learned 192.168.x.x is not routable and will never leave the local network?

A lot of NAT implementations don't handle ICMP generation very well. They apply NAT, then discover that the (new) destination isn't reachable and generate an ICMP that includes the modified IP headers rather than the originals. I see that happen a lot with DNAT (in fact, Linux hasn't handled this correctly at times), but I've not seen it happen before where both the source and destination had been rewritten. Still, it is certainly possible.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
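An added example, not from the thread and not Shorewall's own code, that does on the log side what Tom wants from the blacklist: it walks Shorewall-style netfilter LOG lines, picks out ICMP error messages whose embedded original header carries an RFC 1918 address (no flow sent to the Internet could have carried one, which is why conntrack calls them INVALID), and tallies the outer source so it can be blacklisted. The log lines, addresses, the `net2all` chain name and the threshold are all constructed for the example.

```python
import re
import ipaddress

# Constructed Shorewall-style netfilter LOG lines (not from the thread); the
# outer addresses are documentation ranges, the embedded ones mirror the report.
SAMPLE_LOG = """\
Jun 17 21:30:01 fw kernel: Shorewall:net2all:DROP:IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.9 LEN=56 TTL=50 ID=0 PROTO=ICMP TYPE=11 CODE=3 [SRC=192.168.0.1 DST=192.168.0.200 LEN=84 TTL=1 ID=1 PROTO=ICMP TYPE=8 CODE=0 ]
Jun 17 21:30:02 fw kernel: Shorewall:net2all:DROP:IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.9 LEN=56 TTL=50 ID=0 PROTO=ICMP TYPE=11 CODE=3 [SRC=192.168.0.1 DST=192.168.0.200 LEN=84 TTL=1 ID=2 PROTO=ICMP TYPE=8 CODE=0 ]
Jun 17 21:30:03 fw kernel: Shorewall:net2all:DROP:IN=eth0 OUT= SRC=203.0.113.50 DST=198.51.100.9 LEN=56 TTL=52 ID=0 PROTO=ICMP TYPE=3 CODE=3 [SRC=198.51.100.9 DST=203.0.113.50 LEN=60 TTL=64 ID=9 PROTO=UDP SPT=33434 DPT=53 ]
"""

# Outer header up to the ICMP type/code, then the bracketed embedded header.
OUTER = re.compile(r"SRC=(\S+) DST=(\S+) .*?PROTO=ICMP TYPE=(\d+) CODE=(\d+) \[(.*?)\]")
INNER = re.compile(r"SRC=(\S+) DST=(\S+)")
ICMP_ERROR_TYPES = {3, 11, 12}  # unreachable, time exceeded, parameter problem
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(addr):
    """True if addr falls in one of the RFC 1918 private ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def bogus_icmp_errors(log_text):
    """Count, per outer source, the ICMP error messages whose embedded
    original header names an RFC 1918 address. A legitimate error echoes
    the packet we actually sent, which carries our public address."""
    hits = {}
    for line in log_text.splitlines():
        m = OUTER.search(line)
        if not m:
            continue
        outer_src, _, itype, _, inner = m.groups()
        if int(itype) not in ICMP_ERROR_TYPES:
            continue  # echo requests/replies etc. are not error messages
        im = INNER.search(inner)
        if im and any(is_rfc1918(a) for a in im.groups()):
            hits[outer_src] = hits.get(outer_src, 0) + 1
    return hits


def blacklist_candidates(hits, min_count):
    """Outer sources seen at least min_count times, most frequent first."""
    ranked = sorted(hits.items(), key=lambda kv: -kv[1])
    return [src for src, n in ranked if n >= min_count]
```

The third sample line is a normal port-unreachable whose embedded header carries the firewall's own public address, so it is not counted.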
----- Original Message -----
From: "K.-P. Kirchdörfer"
> Tom;
> I learned 192.168.x.x is not routable and will never leave the local network?

ROL :D

JBanks
----- Original Message -----
From: "Joshua Banks"
> From: "K.-P. Kirchdörfer"
>> Tom;
>> I learned 192.168.x.x is not routable and will never leave the local network?
>
> ROL :D

I apologize... I meant to add that I'm just as confused. Thanks for the explanation, Tom..

JBanks
On Thu, 2004-06-17 at 21:53 +0200, K.-P. Kirchdörfer wrote:
>
> Tom;
>
> I learned 192.168.x.x is not routable and will never leave the local network?
>

The RFC1918 networks are fully routable and usable however you would like. However, by RFC and general agreement, they are not to be used on the public Internet. There is nothing in any software or firewalls that automatically says "Hey, this is private address space, I'm not going to forward it". That is something that is put in place via access lists, rules, filters, what have you. If routers/firewalls automatically discarded this traffic, enterprise WANs would have to use public addressing.

To make a long story short, you should not ever see these addresses on the Internet, and if you do, it is because there are network guys not doing their jobs and applying proper ingress/egress filtering.

--
David T Hollis <dhollis@davehollis.com>
On 17 Jun 2004 at 16:44, David T Hollis wrote:
> To make a long story short, you should not ever see these
> addresses on the Internet, and if you do it is because there are
> network guys not doing their jobs and applying proper ingress/egress
> filtering.
>

Or, as Tom hinted, it might REALLY be a new kind of attack or exploit.

Our cable modem provider is having horrendous problems with ICMP floods in certain areas of Anchorage, and they have not been able to pinpoint the source. (And they are not a bunch of clueless goofs like some cable operators.)

The most affected equipment is Linksys routers. Seems to light them up solid, but changing the INTERNAL subnet to anything other than the default seems to solve the problem.

--
______________________________________
John Andersen
NORCOM / Juneau, Alaska
http://www.screenio.com/
(907) 790-3386
._______________________________________
John S. Andersen
NORCOM mailto:JAndersen@norcomsoftware.com
Juneau, Alaska http://www.screenio.com/
John wrote on 17/06/2004 18:36:07:
> On 17 Jun 2004 at 16:44, David T Hollis wrote:
>
> The most affected equipment is Linksys routers. Seems
> to light them up solid, but changing the INTERNAL subnet to
> anything other than the default seems to solve the problem.
>

There were a couple of security warnings concerning Linksys routers, IIRC.