If your upstream provider or Service Provider does not filter private
addresses, ask them to do so, and suggest the following filter changes to them:
!Block RFC 1918 (and loopback) source addresses on the inbound interface from the Service Provider
!Destination is "any": the packets should be dropped regardless of where they are headed
access-list 150 deny ip 10.0.0.0 0.255.255.255 any
access-list 150 deny ip 127.0.0.0 0.255.255.255 any
access-list 150 deny ip 172.16.0.0 0.15.255.255 any
access-list 150 deny ip 192.168.0.0 0.0.255.255 any
!An ACL ends with an implicit deny, so the existing permit entries must follow these lines
I think what William Stackpole is referring to regarding SNMP Discovery is an
SNMP Sweep, which is a method of SNMP discovery that basically scans an IP
address range for responding devices and then discovers details about each
device via SNMP. Most of the updated SNMP packages allow the administrator
to turn this feature off (e.g. HP OpenView). In most cases where you
observe ICMP flood type conditions, a machine somewhere is
misconfigured and causing all kinds of strange network performance issues.
A large number of ICMP control messages usually indicates a Denial of
Service attempt, or a machine that is not configured properly causing the same
type of symptoms.
If one is blaming their ISP, ask them for a report of the following from
their SNMP tools; if any of the values are high, then it might possibly be
a misconfigured networked device somewhere on the network.
# MIB-II counters to pull per node; the ICMP "Out" counters rise on a box that is
# flooding, the TCP failure/retransmit counters on a box that is being flooded
@SNMPFields = (
"ipAdEntAddr[\$NODEIP]",
"icmpOutDestUnreachs[\$NODEIP]",
"icmpOutTimeExcds[\$NODEIP]",
"icmpOutSrcQuenchs[\$NODEIP]",
"tcpActiveOpens[\$NODEIP]",
"tcpAttemptFails[\$NODEIP]",
"tcpEstabResets[\$NODEIP]",
"tcpRetransSegs[\$NODEIP]",
# etc, etc.
);
My .02 are going to Bill to get his stock back up :)
At 09:13 AM 2/9/01 -0800, [EMAIL PROTECTED] wrote:
Eric,
I've seen this kind of activity from misconfigured Network Management
stations doing "Discovery". If your Service Provider does not filter
private addresses internally (most don't), it's possible that the probes
are coming from one of your fellow ISP customers. The standard Discovery
process pings everything first, then follows up on responding nodes with SNMP
requests. I'd start by notifying your ISP and having them take a look.
There isn't a good explanation for the connection slow down unless this is
some kind of ICMP exploit or you're getting a zillion of these things. You
might want to check with your hardware and software vendors for any known
ICMP vulnerabilities and patch as appropriate. If this were an ICMP flood
you should have seen more than one entry in the log.
-- Bill Stackpole, CISSP
[EMAIL PROTECTED] (Eric Rozon)
Sent by: [EMAIL PROTECTED]
02/09/01 08:26 AM
To: [EMAIL PROTECTED]
cc:
Subject: Getting hit from 10.1.1.169
Hello All,
This morning we got hit by ICMP requests coming from 10.1.1.169. Below is
a line from our logs:
02/09/01 10:04 firewalld[90]: deny in eth0 56 icmp 20 254 10.1.1.169 x.x.x.x 1 (blocked site)
(Where x.x.x.x is our firewall). Our connection became slow.
My question is: Is there a way to trace this abusive person, this being a
private net?
I suspect that there isn't a way. I hope that I can be corrected.
Sorry if this is a newbie question. Thanks in advance for your replies.
Eric
PS: We've just included on the internet-facing interface of our routers
the following filters to prevent this in the future:
! 172.16.0.0/12 needs wildcard 0.15.255.255 (0.0.255.255 only covers 172.16.0.0/16)
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
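As an added illustration (not part of the thread or any poster's code), a small Python checker that parses firewall log lines in the format Eric quotes and counts inbound packets whose source lies in the ranges the suggested access-list drops (the RFC 1918 blocks plus 127.0.0.0/8), separating the ones the firewall denied from any it let through. The sample lines are constructed: the `accept` action word, the destination 203.0.113.7 standing in for x.x.x.x, and the meaning of the unlabelled numeric columns are assumptions.

```python
import ipaddress
import re
from collections import Counter

# Source ranges the thread's inbound filter drops: the three RFC 1918 blocks plus loopback.
FILTERED_SOURCES = [ipaddress.ip_network(n) for n in
                    ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Layout of the firewalld line quoted in the thread; unlabelled numeric columns are matched, not interpreted.
LOG_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) firewalld\[\d+\]: (?P<action>\w+) (?P<dir>\w+) "
    r"(?P<iface>\S+) \d+ (?P<proto>\w+) \d+ \d+ (?P<src>\d+\.\d+\.\d+\.\d+) "
    r"(?P<dst>\S+) \d+ \((?P<reason>[^)]*)\)$")

def is_filtered_source(addr):
    """True if addr is in a range that must never arrive on an Internet-facing interface."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in FILTERED_SOURCES)

def parse_line(line):
    """Named fields of one firewalld log line, or None if the line has another format."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def audit(lines):
    """Per-source counts of inbound packets from filtered ranges: denied vs. let through."""
    denied, passed = Counter(), Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["dir"] != "in" or not is_filtered_source(rec["src"]):
            continue
        (denied if rec["action"] == "deny" else passed)[rec["src"]] += 1
    return denied, passed

# Constructed sample in the quoted format; 203.0.113.7 stands in for the poster's x.x.x.x
# and the "accept" action word is assumed, not taken from the thread.
SAMPLE_LOG = """\
02/09/01 10:04 firewalld[90]: deny in eth0 56 icmp 20 254 10.1.1.169 203.0.113.7 1 (blocked site)
02/09/01 10:04 firewalld[90]: deny in eth0 56 icmp 20 254 10.1.1.169 203.0.113.7 1 (blocked site)
02/09/01 10:05 firewalld[90]: accept in eth0 56 icmp 20 254 172.20.4.9 203.0.113.7 1 (rule 12)
02/09/01 10:05 firewalld[90]: deny in eth0 56 icmp 20 254 198.51.100.3 203.0.113.7 1 (blocked site)
02/09/01 10:06 firewalld[90]: accept out eth0 56 icmp 20 254 192.168.1.5 198.51.100.3 1 (rule 3)
""".splitlines()

if __name__ == "__main__":
    print(audit(SAMPLE_LOG))
```

Any source that shows up in the second counter got past the firewall with a private address, which is exactly the traffic the upstream access-list is meant to stop before it reaches you.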
- [To unsubscribe, send mail to [EMAIL PROTECTED] with "unsubscribe
firewalls" in the body of the message.]