Re: I'm getting hammered... what should I do about it?
Nick Rout wrote:
> Having set up a telstraclear cable modem yesterday I can tell you 203.96.152.4 is the telstraclear/paradise dns server (.12 is their other one). :53 is of course the dns port.

Yes I've just closed off dns. I'm wondering if it's associated.

Cheers Don
Re: I'm getting hammered... what should I do about it?
Well, 53/udp is dns traffic. So if you're not running a dns server serving the internet, block it off. iirc you're using clark connect... surely it's got a firewall. Not that it's any volume of traffic, really...

On Wed, 15 Oct 2008 21:00:56 +1300 [EMAIL PROTECTED] wrote:
> I've got a 7.8mb secure log with this stuff in it and not sure what I should do to sort it out?
>
> [EMAIL PROTECTED] log]# tail -f secure
> Oct 15 21:06:41 bowenvale snort[21511]: [1:1620:5] BAD TRAFFIC Non-Standard IP protocol [Classification: Detection of a non-standard protocol or event] [Priority: 2]: {UDP} 203.96.152.4:53 -> 121.73.114.171:58076
> Oct 15 21:06:41 bowenvale last message repeated 2 times
> Oct 15 21:06:41 bowenvale snort[21511]: [1:1620:5] BAD TRAFFIC Non-Standard IP protocol [Classification: Detection of a non-standard protocol or event] [Priority: 2]: {UDP} 71.174.101.194:61636 -> 121.73.114.171:25768
> Oct 15 21:06:43 bowenvale snort[21511]: [1:408:5] ICMP Echo Reply [Classification: Misc activity] [Priority: 3]: {ICMP} 69.90.141.108 -> 121.73.114.171
> Oct 15 21:06:47 bowenvale snort[21511]: [1:1620:5] BAD TRAFFIC Non-Standard IP protocol [Classification: Detection of a non-standard protocol or event] [Priority: 2]: {UDP} 203.96.152.4:53 -> 121.73.114.171:58076
> Oct 15 21:06:47 bowenvale last message repeated 2 times
> Oct 15 21:06:52 bowenvale sshd[21144]: Did not receive identification string from :::125.215.218.34
> Oct 15 21:06:53 bowenvale snort[21511]: [1:1620:5] BAD TRAFFIC Non-Standard IP protocol [Classification: Detection of a non-standard protocol or event] [Priority: 2]: {UDP} 71.241.249.210:51264 -> 121.73.114.171:37912
> Oct 15 21:06:53 bowenvale snort[21511]: [1:1620:5] BAD TRAFFIC Non-Standard IP protocol [Classification: Detection of a non-standard protocol or event] [Priority: 2]: {UDP} 71.225.114.13:17910 -> 121.73.114.171:37912
> Oct 15 21:06:53 bowenvale snort[21511]: [1:408:5] ICMP Echo Reply [Classification: Misc activity] [Priority: 3]: {ICMP} 69.90.141.108 -> 121.73.114.171
> Oct 15 21:06:55 bowenvale snort[21511]: [1:1620:5] BAD TRAFFIC Non-Standard IP protocol [Classification: Detection of a non-standard protocol or event] [Priority: 2]: {UDP} 71.174.101.194:61636 -> 121.73.114.171:25768
> Oct 15 21:06:55 bowenvale snort[21511]: [1:1620:5] BAD TRAFFIC Non-Standard IP protocol [Classification: Detection of a non-standard protocol or event] [Priority: 2]: {UDP} 71.241.246.81:3743 -> 121.73.114.171:25768
> Oct 15 21:06:56 bowenvale snort[21511]: [1:1620:5] BAD TRAFFIC Non-Standard IP protocol [Classification: Detection of a non-standard protocol or event] [Priority: 2]: {UDP} 129.186.194.160:52234 -> 121.73.114.171:37912
> Oct 15 21:06:56 bowenvale snort[21511]: [1:384:5] ICMP PING [Classification: Misc activity] [Priority: 3]: {ICMP} 209.80.45.41 -> 121.73.114.171
> Oct 15 21:06:57 bowenvale snort[21511]: [1:1620:5] BAD TRAFFIC Non-Standard IP protocol [Classification: Detection of a non-standard protocol or event] [Priority: 2]: {UDP} 71.174.101.194:61636 -> 121.73.114.171:25768
> Oct 15 21:06:58 bowenvale snort[21511]: [1:1620:5] BAD TRAFFIC Non-Standard IP protocol [Classification: Detection of a non-standard protocol or event] [Priority: 2]: {UDP} 132.206.121.52:9413 -> 121.73.114.171:25768
> Oct 15 21:07:01 bowenvale snort[21511]: [1:1620:5] BAD TRAFFIC Non-Standard IP protocol [Classification: Detection of a non-standard protocol or event] [Priority: 2]: {UDP} 71.174.101.194:61636 -> 121.73.114.171:25768
>
> Cheers Don
> -- 
> Don Gould
> 31 Acheson Ave, Mairehau, Christchurch, NZ
> Ph +64 3 348 7235 or + 64 21 114 0699
> www.thinkdesignprint.co.nz

-- 
Steve Holdoway [EMAIL PROTECTED]
Re: I'm getting hammered... what should I do about it?
Having set up a telstraclear cable modem yesterday I can tell you 203.96.152.4 is the telstraclear/paradise dns server (.12 is their other one). :53 is of course the dns port.

On Wed, Oct 15, 2008 at 9:00 PM, [EMAIL PROTECTED] wrote:
> I've got a 7.8mb secure log with this stuff in it and not sure what I should do to sort it out?
>
> [EMAIL PROTECTED] log]# tail -f secure
> Oct 15 21:06:41 bowenvale snort[21511]: [1:1620:5] BAD TRAFFIC Non-Standard IP protocol [Classification: Detection of a non-standard protocol or event] [Priority: 2]: {UDP} 203.96.152.4:53 -> 121.73.114.171:58076
> Oct 15 21:06:41 bowenvale last message repeated 2 times
> Oct 15 21:06:41 bowenvale snort[21511]: [1:1620:5] BAD TRAFFIC Non-Standard IP protocol [Classification: Detection of a non-standard protocol or event] [Priority: 2]: {UDP} 71.174.101.194:61636 -> 121.73.114.171:25768
> Oct 15 21:06:43 bowenvale snort[21511]: [1:408:5] ICMP Echo Reply [Classification: Misc activity] [Priority: 3]: {ICMP} 69.90.141.108 -> 121.73.114.171
> Oct 15 21:06:47 bowenvale snort[21511]: [1:1620:5] BAD TRAFFIC Non-Standard IP protocol [Classification: Detection of a non-standard protocol or event] [Priority: 2]: {UDP} 203.96.152.4:53 -> 121.73.114.171:58076
> Oct 15 21:06:47 bowenvale last message repeated 2 times
> Oct 15 21:06:52 bowenvale sshd[21144]: Did not receive identification string from :::125.215.218.34
> Oct 15 21:06:53 bowenvale snort[21511]: [1:1620:5] BAD TRAFFIC Non-Standard IP protocol [Classification: Detection of a non-standard protocol or event] [Priority: 2]: {UDP} 71.241.249.210:51264 -> 121.73.114.171:37912
> Oct 15 21:06:53 bowenvale snort[21511]: [1:1620:5] BAD TRAFFIC Non-Standard IP protocol [Classification: Detection of a non-standard protocol or event] [Priority: 2]: {UDP} 71.225.114.13:17910 -> 121.73.114.171:37912
> Oct 15 21:06:53 bowenvale snort[21511]: [1:408:5] ICMP Echo Reply [Classification: Misc activity] [Priority: 3]: {ICMP} 69.90.141.108 -> 121.73.114.171
> Oct 15 21:06:55 bowenvale snort[21511]: [1:1620:5] BAD TRAFFIC Non-Standard IP protocol [Classification: Detection of a non-standard protocol or event] [Priority: 2]: {UDP} 71.174.101.194:61636 -> 121.73.114.171:25768
> Oct 15 21:06:55 bowenvale snort[21511]: [1:1620:5] BAD TRAFFIC Non-Standard IP protocol [Classification: Detection of a non-standard protocol or event] [Priority: 2]: {UDP} 71.241.246.81:3743 -> 121.73.114.171:25768
> Oct 15 21:06:56 bowenvale snort[21511]: [1:1620:5] BAD TRAFFIC Non-Standard IP protocol [Classification: Detection of a non-standard protocol or event] [Priority: 2]: {UDP} 129.186.194.160:52234 -> 121.73.114.171:37912
> Oct 15 21:06:56 bowenvale snort[21511]: [1:384:5] ICMP PING [Classification: Misc activity] [Priority: 3]: {ICMP} 209.80.45.41 -> 121.73.114.171
> Oct 15 21:06:57 bowenvale snort[21511]: [1:1620:5] BAD TRAFFIC Non-Standard IP protocol [Classification: Detection of a non-standard protocol or event] [Priority: 2]: {UDP} 71.174.101.194:61636 -> 121.73.114.171:25768
> Oct 15 21:06:58 bowenvale snort[21511]: [1:1620:5] BAD TRAFFIC Non-Standard IP protocol [Classification: Detection of a non-standard protocol or event] [Priority: 2]: {UDP} 132.206.121.52:9413 -> 121.73.114.171:25768
> Oct 15 21:07:01 bowenvale snort[21511]: [1:1620:5] BAD TRAFFIC Non-Standard IP protocol [Classification: Detection of a non-standard protocol or event] [Priority: 2]: {UDP} 71.174.101.194:61636 -> 121.73.114.171:25768
>
> Cheers Don
> -- 
> Don Gould
> 31 Acheson Ave, Mairehau, Christchurch, NZ
> Ph +64 3 348 7235 or + 64 21 114 0699
> www.thinkdesignprint.co.nz
Re: I'm getting hammered... what should I do about it?
On Wed, Oct 15, 2008 at 10:36 PM, [EMAIL PROTECTED] wrote:
> It's all packaged with clark connect and seems to be working ok. It's got pretty flash stuff that shows me I've got over 80k hits from one IP alone in the last day. I've emailed [EMAIL PROTECTED] to see if they can block the traffic.

Just blackhole all the traffic from that IP, and indeed from pretty much any pwned attacker you see, if you care.

Actually, if you aren't running any services on your external interface, ignore it. Only monitor services you are actually running. In theory you are still paying to receive their SYN packets, but in practice if you're both on TCL then they don't charge for it, especially if it's on the local loop.

Anyway, they can hammer away for hours with just SYN packets, and it'll only add up to a couple of page loads of stuff.co.nz ... :-)

-jim
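The three pieces of advice in the replies above (Steve: 53/udp is DNS, block it unless you serve DNS to the internet; Nick: 203.96.152.4 and .12 are the TelstraClear resolvers; Jim: only care about ports you actually serve) can be turned into a small log triage script. What follows is an added example, not code from the thread, from Snort or from ClarkConnect. It parses the Snort syslog alert lines Don posted, counts hits per remote host while honouring syslog's "last message repeated N times" compression, labels UDP replies from the named resolvers as answers to the box's own lookups, and filters the alerts down to ports you actually listen on. The regex, the labels, the `aimed_at_services` helper and the port set {22, 80} are this example's own assumptions.

```python
"""Snort alert triage for the /var/log/secure excerpt in this thread.
Added example; not code from Snort, ClarkConnect or anyone on the list.
The resolver addresses come from Nick Rout's post; the regexes, labels
and the service-port filter are this example's own assumptions."""
import re
from collections import Counter, defaultdict

# UDP *from* port 53 on these hosts is a reply to a lookup this box made.
KNOWN_RESOLVERS = {"203.96.152.4", "203.96.152.12"}

# Snort "fast" alert as relayed by syslog. Mail archives often flatten the
# '->' between the addresses to '-', so both spellings are accepted.
ALERT_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) snort\[\d+\]: "
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) "
    r"\[Classification: (?P<cls>[^\]]*)\] \[Priority: (?P<pri>\d+)\]: "
    r"\{(?P<proto>\w+)\} (?P<src>[\d.]+)(?::(?P<sport>\d+))? ->? "
    r"(?P<dst>[\d.]+)(?::(?P<dport>\d+))?$"
)
REPEAT_RE = re.compile(r" last message repeated (?P<n>\d+) times$")

# The excerpt Don posted (the sshd line is kept to show non-Snort lines are skipped).
SAMPLE_LOG = """\
Oct 15 21:06:41 bowenvale snort[21511]: [1:1620:5] BAD TRAFFIC Non-Standard IP protocol [Classification: Detection of a non-standard protocol or event] [Priority: 2]: {UDP} 203.96.152.4:53 -> 121.73.114.171:58076
Oct 15 21:06:41 bowenvale last message repeated 2 times
Oct 15 21:06:41 bowenvale snort[21511]: [1:1620:5] BAD TRAFFIC Non-Standard IP protocol [Classification: Detection of a non-standard protocol or event] [Priority: 2]: {UDP} 71.174.101.194:61636 -> 121.73.114.171:25768
Oct 15 21:06:43 bowenvale snort[21511]: [1:408:5] ICMP Echo Reply [Classification: Misc activity] [Priority: 3]: {ICMP} 69.90.141.108 -> 121.73.114.171
Oct 15 21:06:47 bowenvale snort[21511]: [1:1620:5] BAD TRAFFIC Non-Standard IP protocol [Classification: Detection of a non-standard protocol or event] [Priority: 2]: {UDP} 203.96.152.4:53 -> 121.73.114.171:58076
Oct 15 21:06:47 bowenvale last message repeated 2 times
Oct 15 21:06:52 bowenvale sshd[21144]: Did not receive identification string from :::125.215.218.34
Oct 15 21:06:53 bowenvale snort[21511]: [1:1620:5] BAD TRAFFIC Non-Standard IP protocol [Classification: Detection of a non-standard protocol or event] [Priority: 2]: {UDP} 71.241.249.210:51264 -> 121.73.114.171:37912
Oct 15 21:06:53 bowenvale snort[21511]: [1:1620:5] BAD TRAFFIC Non-Standard IP protocol [Classification: Detection of a non-standard protocol or event] [Priority: 2]: {UDP} 71.225.114.13:17910 -> 121.73.114.171:37912
Oct 15 21:06:53 bowenvale snort[21511]: [1:408:5] ICMP Echo Reply [Classification: Misc activity] [Priority: 3]: {ICMP} 69.90.141.108 -> 121.73.114.171
Oct 15 21:06:55 bowenvale snort[21511]: [1:1620:5] BAD TRAFFIC Non-Standard IP protocol [Classification: Detection of a non-standard protocol or event] [Priority: 2]: {UDP} 71.174.101.194:61636 -> 121.73.114.171:25768
Oct 15 21:06:55 bowenvale snort[21511]: [1:1620:5] BAD TRAFFIC Non-Standard IP protocol [Classification: Detection of a non-standard protocol or event] [Priority: 2]: {UDP} 71.241.246.81:3743 -> 121.73.114.171:25768
Oct 15 21:06:56 bowenvale snort[21511]: [1:1620:5] BAD TRAFFIC Non-Standard IP protocol [Classification: Detection of a non-standard protocol or event] [Priority: 2]: {UDP} 129.186.194.160:52234 -> 121.73.114.171:37912
Oct 15 21:06:56 bowenvale snort[21511]: [1:384:5] ICMP PING [Classification: Misc activity] [Priority: 3]: {ICMP} 209.80.45.41 -> 121.73.114.171
Oct 15 21:06:57 bowenvale snort[21511]: [1:1620:5] BAD TRAFFIC Non-Standard IP protocol [Classification: Detection of a non-standard protocol or event] [Priority: 2]: {UDP} 71.174.101.194:61636 -> 121.73.114.171:25768
Oct 15 21:06:58 bowenvale snort[21511]: [1:1620:5] BAD TRAFFIC Non-Standard IP protocol [Classification: Detection of a non-standard protocol or event] [Priority: 2]: {UDP} 132.206.121.52:9413 -> 121.73.114.171:25768
Oct 15 21:07:01 bowenvale snort[21511]: [1:1620:5] BAD TRAFFIC Non-Standard IP protocol [Classification: Detection of a non-standard protocol or event] [Priority: 2]: {UDP} 71.174.101.194:61636 -> 121.73.114.171:25768
"""


def parse_alerts(lines):
    """Yield (alert, count). A syslog 'repeated N times' line re-emits the
    immediately preceding alert N more times; any other non-alert line
    (sshd etc.) is skipped and breaks the 'previous alert' chain."""
    prev = None
    for line in lines:
        m = ALERT_RE.match(line.strip())
        if m:
            prev = m.groupdict()
            yield prev, 1
            continue
        r = REPEAT_RE.search(line)
        if r and prev is not None:
            yield prev, int(r.group("n"))
        else:
            prev = None


def classify(alert):
    """Coarse label saying who started the conversation."""
    proto = alert["proto"]
    if proto == "UDP" and alert["sport"] == "53":
        who = "isp resolver" if alert["src"] in KNOWN_RESOLVERS else "other server"
        return "dns reply from " + who
    if proto == "UDP" and alert["dport"] == "53":
        return "dns query to us"
    if proto == "ICMP":
        return alert["msg"].lower()
    return f"{proto.lower()} to local port {alert['dport']}"


def summarize(lines):
    """Return (hits per remote host, hits per kind, kinds per remote host)."""
    per_src, per_kind = Counter(), Counter()
    per_src_kind = defaultdict(Counter)
    for alert, n in parse_alerts(lines):
        kind = classify(alert)
        per_src[alert["src"]] += n
        per_kind[kind] += n
        per_src_kind[alert["src"]][kind] += n
    return per_src, per_kind, per_src_kind


def aimed_at_services(lines, listening_ports):
    """Jim's rule: only alerts against ports this box actually serves matter."""
    hits = Counter()
    for alert, n in parse_alerts(lines):
        if alert["dport"] is not None and int(alert["dport"]) in listening_ports:
            hits[alert["src"]] += n
    return hits


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    per_src, per_kind, detail = summarize(lines)
    for kind, n in per_kind.most_common():
        print(f"{n:5d}  {kind}")
    for ip, n in per_src.most_common(3):
        print(f"{n:5d}  {ip}  {dict(detail[ip])}")
    # Assumed service set for this box: ssh and http only.
    print("aimed at ssh/http:", dict(aimed_at_services(lines, {22, 80})))
```

On the excerpt the busiest source is the ISP resolver with 6 hits, every one of them a DNS reply to a lookup the box made, and nothing in the excerpt is addressed to port 22 or 80. Pointed at the real 7.8mb log instead of the embedded sample, the same per-host counter is what answers the "80k hits from one IP" question, and the service-port filter is what tells you whether any of it deserves a firewall rule.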
Re: I'm getting hammered... what should I do about it?
Jim Cheetham wrote:
> On Wed, Oct 15, 2008 at 10:00 PM, [EMAIL PROTECTED] wrote:
>> I've got a 7.8mb secure log with this stuff in it and not sure what I should do to sort it out?
>>
>> [EMAIL PROTECTED] log]# tail -f secure
>> Oct 15 21:06:41 bowenvale snort[21511]: [1:1620:5] BAD TRAFFIC Non-Standard IP protocol [Classification: Detection of a non-standard protocol or event] [Priority: 2]: {UDP} 203.96.152.4:53 -> 121.73.114.171:58076
>
> Errm, respectfully, if you don't know what this stuff is, don't run snort. It isn't a user-level piece of software, it's a network intrusion detection/prevention system. If it isn't configured to fit your network, it'll cause problems for you ...
>
> -jim

It's all packaged with clark connect and seems to be working ok. It's got pretty flash stuff that shows me I've got over 80k hits from one IP alone in the last day. I've emailed [EMAIL PROTECTED] to see if they can block the traffic.

Cheers Don
-- 
Don Gould
31 Acheson Ave, Mairehau, Christchurch, NZ
Ph +64 3 348 7235 or + 64 21 114 0699
www.thinkdesignprint.co.nz
Re: I'm getting hammered... what should I do about it?
From the subject line, my first thought was lay off the booze. ;-) After reading, my second thought was to learn how to read snort if you're going to use it. That way you'll know that it is DNS traffic and (depending on if you are running a DNS server or not) what to do about it. The what to do about it thought was you should just block it with a firewall - the traffic is insignificant. :-)
Re: I'm getting hammered... what should I do about it?
Hi,

My thoughts were:
a) the subject line was sufficiently interesting to attract attention
b) it was a golden opportunity for us to point Don in the correct direction and briefly say, standard snort report, port whatever, DNS... --That way, all newbies who read the email will benefit also..
c) Keep the tone of emails to clug good - please.

Derek.

On Thu, 16 Oct 2008, Brett Davidson wrote:
> From the subject line, my first thought was lay off the booze. ;-) After reading, my second thought was to learn how to read snort if you're going to use it. That way you'll know that it is DNS traffic and (depending on if you are running a DNS server or not) what to do about it. The what to do about it thought was you should just block it with a firewall - the traffic is insignificant. :-)

-- 
Derek Smithies Ph.D.
IndraNet Technologies Ltd.
Email: [EMAIL PROTECTED]
ph +64 3 365 6485
Web: http://www.indranet-technologies.com/
Re: I'm getting hammered... what should I do about it?
Derek Smithies wrote:
> Hi,
> My thoughts were:
> a) the subject line was sufficiently interesting to attract attention

To be honest I haven't even thought about how it read... I was watching `# tail -f secure` and thought 'crap, I'm getting hammered here'... I've had about 3 emails from TCL telling me I'm over my limit and here's another 500mb, so I've been on the hunt for where it's going.

> b) it was a golden opportunity for us to point Don in the correct direction and briefly say, standard snort report, port whatever, DNS... --That way, all newbies who read the email will benefit also..

Snort is a standard package in CC 3.2 home. I agree, I have bugger all idea what I'm looking at but when one IP has had 80k hits, it made me wonder what it is and what it's trying to do!

> c) Keep the tone of emails to clug good - please.

No use of C# then?

Cheers Don