Eric,

I've seen this kind of activity from misconfigured Network Management stations doing "Discovery". If your Service Provider does not filter private addresses internally (most don't), it's possible that the probes are coming from one of your fellow ISP customers. The standard Discovery process pings everything first, then follows up on responding nodes with SNMP requests. I'd start by notifying your ISP and having them take a look.

There isn't a good explanation for the connection slowdown unless this is some kind of ICMP exploit or you're getting a zillion of these things. You might want to check with your hardware and software vendors for any known ICMP vulnerabilities and patch as appropriate. If this were an ICMP flood you should have seen more than one entry in the log.

-- Bill Stackpole, CISSP
[EMAIL PROTECTED] (Eric Rozon)
Sent by: [EMAIL PROTECTED]

02/09/01 08:26 AM

To: [EMAIL PROTECTED]
Subject: Getting hit from 10.1.1.169

Hello All,
This morning we got hit by ICMP requests coming from 10.1.1.169.  Below is a line from our logs:
02/09/01 10:04  firewalld[90]:  deny in eth0 56 icmp 20 254 10.1.1.169 x.x.x.x 1 (blocked site)
(Where x.x.x.x is our firewall).  Our connection became slow.

My question is:  Is there a way to trace this abusive person, this being a private net?
I suspect that there isn't a way.  I hope that I can be corrected.

Sorry if this is a newbie question.  Thanks in advance for your replies.
Eric

PS:  We've just included on the internet-facing interface of our routers the following filters to prevent this in the future:
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.0.255.255 any
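
Added example (not part of the thread or of anyone's posted code): a small Python checker that parses firewalld lines of the shape quoted above, flags inbound entries on the Internet-facing interface whose source falls in any RFC 1918 range (it covers 192.168.0.0/16 as well as the two ranges in the PS), and counts hits per source so a lone discovery ping can be told apart from a flood, as Bill's reply suggests. The field order (length, protocol, TOS, TTL, source, destination, code) is my reading of the log line and an assumption; every sample line except the quoted one is constructed.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample log in the shape of the firewalld entry quoted in the thread.
# Assumed field order: date time daemon[pid]: action dir iface len proto tos ttl src dst code (reason).
# Only the first line is from the post; the others are constructed to show
# a single probe versus a burst from one source, plus an unrelated public source.
SAMPLE_LOG = """\
02/09/01 10:04  firewalld[90]:  deny in eth0 56 icmp 20 254 10.1.1.169 x.x.x.x 1 (blocked site)
02/09/01 10:05  firewalld[90]:  deny in eth0 56 icmp 20 254 192.168.7.3 x.x.x.x 1 (blocked site)
02/09/01 10:05  firewalld[90]:  deny in eth0 56 icmp 20 254 192.168.7.3 x.x.x.x 1 (blocked site)
02/09/01 10:05  firewalld[90]:  deny in eth0 56 icmp 20 254 192.168.7.3 x.x.x.x 1 (blocked site)
02/09/01 10:06  firewalld[90]:  deny in eth0 60 tcp 0 64 203.0.113.9 x.x.x.x 0 (blocked site)
"""

# All three RFC 1918 ranges; the access-list in the PS covers only the first two.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

LINE_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+)\s+firewalld\[\d+\]:\s+(?P<action>\w+) (?P<dir>\w+) "
    r"(?P<iface>\S+) (?P<len>\d+) (?P<proto>\w+) (?P<tos>\d+) (?P<ttl>\d+) "
    r"(?P<src>\S+) (?P<dst>\S+) (?P<code>\d+)"
)

def parse_line(line):
    """Return a dict of named fields for one firewalld line, or None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def is_private_source(src):
    """True if src is an RFC 1918 address, which should never arrive on an Internet-facing interface."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:  # e.g. the masked "x.x.x.x" placeholder
        return False
    return any(addr in net for net in PRIVATE_NETS)

def spoofed_private_sources(log_text, external_iface="eth0", flood_threshold=3):
    """Count inbound private-source hits per address on the external interface.
    Returns {src: (count, verdict)}; 'flood' at or above the threshold, else
    'single probe' (one log entry is not a flood, as the reply points out)."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["dir"] == "in" and rec["iface"] == external_iface and is_private_source(rec["src"]):
            counts[rec["src"]] += 1
    return {src: (n, "flood" if n >= flood_threshold else "single probe") for src, n in counts.items()}
```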
