From owner-freebsd-net@FreeBSD.ORG Mon Aug 25 11:03:08 2003
From: Chuck Swiger
Organization: The Courts of Chaos
Date: Mon, 25 Aug 2003 14:02:59 -0400
Message-ID: <3F4A4F53.4040504@mac.com>
To: Stoyan Stratev
cc: freebsd-net@freebsd.org
In-Reply-To: <002201c36b1a$3408a790$0c00a8c0@lini>
Subject: Re: the router spams with echo requests
List-Id: Networking and TCP/IP with FreeBSD

Stoyan Stratev wrote:
[ ... ]
> The ISP is using a network with hubs, therefore we receive echo packets on
> the outside interface that are not meant for our machine. The problem is
> that the box forwards those packets multiple times and so the ISP
> thinks we have a virus or are doing portscans.
>
> I ran 'tcpdump -p -i rl1 | grep echo' and noticed the following:
> we receive one packet:
> 20:50:02.596560 some.address.com > machine.on.our.subnet: icmp: echo request [tos 0x80]
> we send 20 packets very fast:
> 20:50:02.596851 our.router.com > machine.on.our.subnet: icmp: echo request [tos 0x80]

machine.on.our.subnet isn't your network broadcast address, correct?

This smells like an ICMP-amplification based denial-of-service, and I'd double-check your internal machines. Have you sniffed your internal net to see whether the ICMPs are coming from inside (and then being NATed)?

Consider blocking ICMP pings ("add deny icmp from any to any icmptypes 0,8") until you've figured out what's going on.

-- 
-Chuck
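One way to quantify the pattern Stoyan describes (one inbound echo request followed by a burst of outbound ones from the router) from saved tcpdump output, as an added example that is not part of the original thread; the router name, the sample tcpdump lines and the threshold are constructed, and the line format assumed is the old `src > dst: icmp: echo request` layout quoted above.

```sh
#!/bin/sh
# Constructed sample in the tcpdump format quoted in the thread (hypothetical hosts).
SAMPLE='20:50:02.596560 some.address.com > machine.on.our.subnet: icmp: echo request
20:50:02.596851 our.router.com > machine.on.our.subnet: icmp: echo request
20:50:02.596900 our.router.com > machine.on.our.subnet: icmp: echo request
20:50:02.596950 our.router.com > machine.on.our.subnet: icmp: echo request
20:50:03.100000 other.host.net > machine.on.our.subnet: icmp: echo reply
20:50:05.000000 some.address.com > another.host.example: icmp: echo request
20:50:05.000300 our.router.com > another.host.example: icmp: echo request'

# amplification_ratio ROUTER [THRESHOLD] < tcpdump-lines
# For every destination that received echo requests, prints
#   "<dst> <inbound> <outbound> <ratio>"
# where outbound counts requests whose source is ROUTER (our own box) and
# inbound counts requests from anyone else. Only destinations whose
# outbound/inbound ratio is >= THRESHOLD (default 0, i.e. all) are printed;
# a ratio well above 1 is the "20 packets for 1" amplification described above.
amplification_ratio() {
    router="$1"
    thr="${2:-0}"
    awk -v router="$router" -v thr="$thr" '
        /icmp: echo request/ {
            src = $2; dst = $4; sub(/:$/, "", dst)   # strip trailing colon
            if (src == router) out[dst]++; else inb[dst]++
            seen[dst] = 1
        }
        END {
            for (d in seen) {
                i = inb[d] + 0; o = out[d] + 0
                if (i == 0) { r = "inf"; hit = 1 }
                else { r = sprintf("%.1f", o / i); hit = (o / i >= thr) }
                if (hit) printf "%s %d %d %s\n", d, i, o, r
            }
        }' | sort
}

# Demonstration: report only destinations amplified at least 2x.
printf '%s\n' "$SAMPLE" | amplification_ratio our.router.com 2
```

Feed it real output with `tcpdump -n -p -i rl1 icmp > icmp.log` and `amplification_ratio <router-ip> 2 < icmp.log`; the per-destination ratio tells you whether the burst is tied to one host (a likely internal NATed source) or to everything passing the hub.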