Hi, I seem to be suffering from a DoS attack or something - a machine in an internal network asks my DNS in the DMZ to resolve "spamtalk.biz" with a very high frequency. The IP address of the guilty machine is 172.16.128.3, so I first tried to blacklist it dynamically and later also added it to the /etc/shorewall/blacklist file and refreshed the shorewall (/etc/init.d/shorewall refresh). Now "shorewall show dynamic" displays a quickly increasing bytes count (see below, currently at 1249 kB and counting) but the DNS is still being hit by the requests (as tcpdump shows both on the firewall and also on the DNS machine itself). I also tried to cut the current connections with 'cutter' but it didn't work, so I stopped bind9 to kill the current connections and then restarted it - still no help.

I am wondering if it's possible to blacklist an address that is masqueraded. There is no sign of dropped packets in /var/log/kern.log, so are they blocked or not? I am a bit confused.

$ shorewall show dynamic
21499 1249K DROP all -- * * 172.16.128.3 0.0.0.0/0

$ shorewall version
2.0.0b

$ ip addr show (incomplete but with all relevant info)
2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc htb qlen 1000
    link/ether 00:01:02:10:14:28 brd ff:ff:ff:ff:ff:ff
    inet 194.108.5.66/29 brd 194.108.5.71 scope global eth0
3: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc htb qlen 1000
    link/ether 00:04:75:ae:49:0a brd ff:ff:ff:ff:ff:ff
    inet 194.108.5.129/25 brd 194.108.5.255 scope global eth1
    inet 172.16.128.1/24 brd 172.16.128.255 scope global eth1:0

$ ip route show (incomplete, but with relevant info)
172.16.128.0/24 dev eth1 proto kernel scope link src 172.16.128.1
default via 194.108.5.65 dev eth0

/etc/shorewall/masq (incomplete but with all relevant info)
eth0 172.16.128.0/24
eth1 172.16.128.0/24

Hmmm, while I was writing this mail the situation calmed down, it seems. But I don't know if the blocking started to work or if they just stopped their activity for a while.

Thanks.

Petr
Petr Stehlik wrote:
>
> Hmmm, while I was writing this mail the situation calmed down, it seems.
> But I don't know if the blocking started to work or if they just stopped
> their activity for a while.
>

Adding an entry to /etc/shorewall/blacklist would likely have no effect since it is doubtful that you have the 'blacklist' option set on your internal interface.

If you have set 'BLACKLISTNEWONLY=Yes' (the default) in shorewall.conf then additions to the blacklist (static or dynamic) won't stop traffic on established connections (connections already reflected in the conntrack table -- see "shorewall show connections"). So long as the rogue host had established connections to your DNS server, traffic would continue to flow.

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
On Thu, 29 Jul 2004 at 16:21, Tom Eastep wrote:
> > Hmmm, while I was writing this mail the situation calmed down, it seems.
> > But I don't know if the blocking started to work or if they just stopped
> > their activity for a while.
> Adding an entry to /etc/shorewall/blacklist would likely have no effect
> since it is doubtful that you have the 'blacklist' option set on your
> internal interface.

/etc/shorewall/interfaces:
wifi eth1 detect routeback,routefilter,tcpflags,blacklist

> If you have set 'BLACKLISTNEWONLY=Yes' (the default) in shorewall.conf
> then additions to the blacklist (static or dynamic) won't stop traffic
> on established connections (connections already reflected in the

I knew it. That's why I mentioned two attempts at stopping it: first I tried cutter (which failed) and later I stopped the DNS altogether for a while (which I hoped would kill the established connections).

> conntrack table -- see "shorewall show connections")

"show connections"! That was the missing piece of info. Thanks.

Currently it shows 44 ESTABLISHED connections from that rogue but none is to my DNS server, so it seems that stopping bind for a while helped?

Petr
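A small parser for the /proc/net/ip_conntrack-style lines that "shorewall show connections" prints, added here as an illustration (it is not code from the thread or from Shorewall). It lists the flows a given source address already has open, which is exactly what a blacklist entry with BLACKLISTNEWONLY=Yes will not touch. The table contents are constructed sample data, and the column layout is assumed to be the 2.4/2.6-era ip_conntrack format; newer kernels prefix each line differently.

```python
import re

# Constructed sample table (not from the thread), in the layout that
# "shorewall show connections" / cat /proc/net/ip_conntrack produces.
SAMPLE_TABLE = """\
udp      17 29 src=172.16.128.3 dst=194.108.5.66 sport=32771 dport=53 packets=3 bytes=210 src=194.108.5.66 dst=172.16.128.3 sport=53 dport=32771 packets=3 bytes=400 [ASSURED] use=1
tcp      6 431999 ESTABLISHED src=172.16.128.3 dst=194.108.5.66 sport=1025 dport=53 packets=12 bytes=800 src=194.108.5.66 dst=172.16.128.3 sport=53 dport=1025 packets=10 bytes=9000 [ASSURED] use=1
tcp      6 431999 ESTABLISHED src=172.16.128.3 dst=10.1.1.10 sport=1026 dport=80 packets=5 bytes=500 src=10.1.1.10 dst=172.16.128.3 sport=80 dport=1026 packets=4 bytes=4000 [ASSURED] use=1
udp      17 20 src=172.16.128.3 dst=194.108.5.66 sport=32772 dport=53 packets=1 bytes=70 [UNREPLIED] src=194.108.5.66 dst=172.16.128.3 sport=53 dport=32772 packets=0 bytes=0 use=1
tcp      6 300 ESTABLISHED src=172.16.128.7 dst=194.108.5.66 sport=2000 dport=53 packets=2 bytes=100 src=194.108.5.66 dst=172.16.128.7 sport=53 dport=2000 packets=2 bytes=200 [ASSURED] use=1
"""

# The first src=/dst=/sport=/dport= group is the original direction of the
# flow, i.e. the host that opened it; the second group is the reply direction.
_TUPLE = re.compile(r"src=(\S+) dst=(\S+) sport=(\d+) dport=(\d+)")


def parse_entry(line):
    """Parse one conntrack line into a dict, or return None if it is not one."""
    fields = line.split()
    if len(fields) < 4:
        return None
    proto = fields[0]
    # TCP entries carry a state token (ESTABLISHED, TIME_WAIT, ...); UDP ones do not.
    state = fields[3] if proto == "tcp" else "-"
    m = _TUPLE.search(line)
    if not m:
        return None
    return {"proto": proto, "state": state, "src": m.group(1), "dst": m.group(2),
            "sport": int(m.group(3)), "dport": int(m.group(4)),
            "replied": "[UNREPLIED]" not in line}


def flows_from(table, src, dport=None):
    """Entries originated by `src`, optionally restricted to one destination port.
    With BLACKLISTNEWONLY=Yes these keep passing until they time out or are torn down."""
    found = []
    for line in table.splitlines():
        entry = parse_entry(line)
        if entry and entry["src"] == src and (dport is None or entry["dport"] == dport):
            found.append(entry)
    return found


def summarize(table, src, dport=None):
    """Counts a firewall admin would check before concluding a block 'does not work'."""
    flows = flows_from(table, src, dport)
    return {"total": len(flows),
            "established": sum(1 for f in flows if f["state"] == "ESTABLISHED"),
            "unreplied": sum(1 for f in flows if not f["replied"])}


if __name__ == "__main__":
    for f in flows_from(SAMPLE_TABLE, "172.16.128.3", 53):
        print(f["proto"], f["state"], f["src"], "->", f["dst"], f["dport"])
    print(summarize(SAMPLE_TABLE, "172.16.128.3", 53))
```

On a live box, replace SAMPLE_TABLE with the output of "shorewall show connections"; a non-empty result for the rogue address and port 53 explains why the DNS server is still being hit despite the growing DROP counter.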
Petr Stehlik wrote:
>
> "show connections"! That was the missing piece of info. Thanks.
>
> Currently it shows 44 ESTABLISHED connections from that rogue but none
> is to my DNS server so it seems that stopping the bind for a while
> helped?
>

Yes.

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
On Thu, 29 Jul 2004 at 16:55, Tom Eastep wrote:
> > "show connections"! That was the missing piece of info. Thanks.
> >
> > Currently it shows 44 ESTABLISHED connections from that rogue but none
> > is to my DNS server so it seems that stopping the bind for a while
> > helped?
>
> Yes.

I'd love to have BLACKLISTNEWONLY set to No to be ready for the next similar situation, but with some 300 records in the blacklist file the Celeron 333 would not handle the up to 2 Mbps of traffic, I am afraid. Or is there someone brave with BLACKLISTNEWONLY=No who could estimate what HW can handle that much traffic?

Petr