Re: I'm getting hammered... what should I do about it?

2008-10-15 Thread don

Nick Rout wrote:

Having set up a telstraclear cable modem yesterday i can tell you
203.96.152.4 is the telstraclear/paradise dns server (.12 is their
other one). :53 is of course the dns port.


Yes I've just closed off dns.  I'm wondering if it's associated.

Cheers Don


Re: I'm getting hammered... what should I do about it?

2008-10-15 Thread Steve Holdoway
Well, 53/udp is DNS traffic. So if you're not running a DNS server serving the 
internet, block it off. IIRC you're using ClarkConnect... surely it's got a 
firewall.

Not that it's any volume of traffic, really...
On Wed, 15 Oct 2008 21:00:56 +1300
[EMAIL PROTECTED] wrote:

 I've got a 7.8mb secure log with this stuff in it and not sure what I 
 should do to sort it out?
 
 [EMAIL PROTECTED] log]# tail -f secure
 Oct 15 21:06:41 bowenvale snort[21511]: [1:1620:5] BAD TRAFFIC 
 Non-Standard IP protocol [Classification: Detection of a non-standard 
 protocol or event] [Priority: 2]: {UDP} 203.96.152.4:53 - 
 121.73.114.171:58076
 Oct 15 21:06:41 bowenvale last message repeated 2 times
 Oct 15 21:06:41 bowenvale snort[21511]: [1:1620:5] BAD TRAFFIC 
 Non-Standard IP protocol [Classification: Detection of a non-standard 
 protocol or event] [Priority: 2]: {UDP} 71.174.101.194:61636 - 
 121.73.114.171:25768
 Oct 15 21:06:43 bowenvale snort[21511]: [1:408:5] ICMP Echo Reply 
 [Classification: Misc activity] [Priority: 3]: {ICMP} 69.90.141.108 - 
 121.73.114.171
 Oct 15 21:06:47 bowenvale snort[21511]: [1:1620:5] BAD TRAFFIC 
 Non-Standard IP protocol [Classification: Detection of a non-standard 
 protocol or event] [Priority: 2]: {UDP} 203.96.152.4:53 - 
 121.73.114.171:58076
 Oct 15 21:06:47 bowenvale last message repeated 2 times
 Oct 15 21:06:52 bowenvale sshd[21144]: Did not receive identification 
 string from :::125.215.218.34
 Oct 15 21:06:53 bowenvale snort[21511]: [1:1620:5] BAD TRAFFIC 
 Non-Standard IP protocol [Classification: Detection of a non-standard 
 protocol or event] [Priority: 2]: {UDP} 71.241.249.210:51264 - 
 121.73.114.171:37912
 Oct 15 21:06:53 bowenvale snort[21511]: [1:1620:5] BAD TRAFFIC 
 Non-Standard IP protocol [Classification: Detection of a non-standard 
 protocol or event] [Priority: 2]: {UDP} 71.225.114.13:17910 - 
 121.73.114.171:37912
 Oct 15 21:06:53 bowenvale snort[21511]: [1:408:5] ICMP Echo Reply 
 [Classification: Misc activity] [Priority: 3]: {ICMP} 69.90.141.108 - 
 121.73.114.171
 Oct 15 21:06:55 bowenvale snort[21511]: [1:1620:5] BAD TRAFFIC 
 Non-Standard IP protocol [Classification: Detection of a non-standard 
 protocol or event] [Priority: 2]: {UDP} 71.174.101.194:61636 - 
 121.73.114.171:25768
 Oct 15 21:06:55 bowenvale snort[21511]: [1:1620:5] BAD TRAFFIC 
 Non-Standard IP protocol [Classification: Detection of a non-standard 
 protocol or event] [Priority: 2]: {UDP} 71.241.246.81:3743 - 
 121.73.114.171:25768
 Oct 15 21:06:56 bowenvale snort[21511]: [1:1620:5] BAD TRAFFIC 
 Non-Standard IP protocol [Classification: Detection of a non-standard 
 protocol or event] [Priority: 2]: {UDP} 129.186.194.160:52234 - 
 121.73.114.171:37912
 Oct 15 21:06:56 bowenvale snort[21511]: [1:384:5] ICMP PING 
 [Classification: Misc activity] [Priority: 3]: {ICMP} 209.80.45.41 - 
 121.73.114.171
 Oct 15 21:06:57 bowenvale snort[21511]: [1:1620:5] BAD TRAFFIC 
 Non-Standard IP protocol [Classification: Detection of a non-standard 
 protocol or event] [Priority: 2]: {UDP} 71.174.101.194:61636 - 
 121.73.114.171:25768
 Oct 15 21:06:58 bowenvale snort[21511]: [1:1620:5] BAD TRAFFIC 
 Non-Standard IP protocol [Classification: Detection of a non-standard 
 protocol or event] [Priority: 2]: {UDP} 132.206.121.52:9413 - 
 121.73.114.171:25768
 Oct 15 21:07:01 bowenvale snort[21511]: [1:1620:5] BAD TRAFFIC 
 Non-Standard IP protocol [Classification: Detection of a non-standard 
 protocol or event] [Priority: 2]: {UDP} 71.174.101.194:61636 - 
 121.73.114.171:25768
 
 
 Cheers Don
 -- 
 Don Gould
 31 Acheson Ave, Mairehau, Christchurch, NZ
 Ph +64 3 348 7235 or + 64 21 114 0699
 www.thinkdesignprint.co.nz


-- 
Steve Holdoway [EMAIL PROTECTED]
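
As an added example of what Steve and Nick are describing (this is not code from the thread, from ClarkConnect or from snort), here is a small script that reads the snort alert lines syslog has written into the secure log, expands syslog's "last message repeated N times" lines, counts hits per source address, and labels the UDP traffic arriving from source port 53 of the ISP resolvers as what it is: the answers to lookups the box itself made. The two resolver addresses are the ones Nick names; the sample lines are constructed to match the ones quoted above, using the `->` separator snort actually writes (the copy in the thread lost the `>`).

```python
"""Summarise snort alerts that syslog has written into /var/log/secure.

Added example for this thread, not part of ClarkConnect or snort.
"""
import re
from collections import Counter

# Assumption: the two TelstraClear/Paradise resolvers named in the thread.
ISP_RESOLVERS = {"203.96.152.4", "203.96.152.12"}

# Constructed sample, modelled on the lines quoted in the thread.
SAMPLE_LOG = """\
Oct 15 21:06:41 bowenvale snort[21511]: [1:1620:5] BAD TRAFFIC Non-Standard IP protocol [Classification: Detection of a non-standard protocol or event] [Priority: 2]: {UDP} 203.96.152.4:53 -> 121.73.114.171:58076
Oct 15 21:06:41 bowenvale last message repeated 2 times
Oct 15 21:06:41 bowenvale snort[21511]: [1:1620:5] BAD TRAFFIC Non-Standard IP protocol [Classification: Detection of a non-standard protocol or event] [Priority: 2]: {UDP} 71.174.101.194:61636 -> 121.73.114.171:25768
Oct 15 21:06:43 bowenvale snort[21511]: [1:408:5] ICMP Echo Reply [Classification: Misc activity] [Priority: 3]: {ICMP} 69.90.141.108 -> 121.73.114.171
Oct 15 21:06:52 bowenvale sshd[21144]: Did not receive identification string from ::ffff:125.215.218.34
Oct 15 21:06:53 bowenvale snort[21511]: [1:1620:5] BAD TRAFFIC Non-Standard IP protocol [Classification: Detection of a non-standard protocol or event] [Priority: 2]: {UDP} 71.241.249.210:51264 -> 121.73.114.171:37912
Oct 15 21:06:56 bowenvale snort[21511]: [1:384:5] ICMP PING [Classification: Misc activity] [Priority: 3]: {ICMP} 209.80.45.41 -> 121.73.114.171
"""

# One snort alert as logged through syslog: timestamp, host, [gid:sid:rev],
# message, classification, priority, then {PROTO} src[:port] -> dst[:port].
# The separator is accepted as "-" or "->" so pasted copies parse too.
ALERT_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) snort\[\d+\]: "
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.+?) "
    r"\[Classification: (?P<cls>[^\]]*)\] \[Priority: (?P<prio>\d+)\]: "
    r"\{(?P<proto>\w+)\} (?P<src>[\d.]+)(?::(?P<sport>\d+))? -+>? "
    r"(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)
REPEAT_RE = re.compile(
    r"^\w{3} +\d+ \d\d:\d\d:\d\d \S+ last message repeated (\d+) times\s*$"
)


def parse_alerts(text):
    """Return one dict per snort alert, expanding syslog repeat lines.

    Lines from other daemons (sshd etc.) are skipped. A "last message
    repeated N times" line stands for N further copies of the alert
    logged just before it.
    """
    alerts = []
    last = None
    for line in text.splitlines():
        m = ALERT_RE.match(line)
        if m:
            last = m.groupdict()
            for key in ("sid", "prio", "sport", "dport"):
                last[key] = int(last[key]) if last[key] is not None else None
            alerts.append(last)
            continue
        r = REPEAT_RE.match(line)
        if r and last is not None:
            alerts.extend(dict(last) for _ in range(int(r.group(1))))
    return alerts


def classify(alert, resolvers=ISP_RESOLVERS):
    """Label an alert from what its 5-tuple says, not from the rule name."""
    if (alert["proto"] == "UDP" and alert["sport"] == 53
            and alert["src"] in resolvers and (alert["dport"] or 0) >= 1024):
        # Source port 53 on our own resolver, destination an ephemeral port
        # on us: the answer to a lookup this box sent, not an attack.
        return "dns-reply-from-resolver"
    if alert["proto"] == "ICMP" and alert["sid"] == 384:
        return "icmp-ping"
    if alert["proto"] == "ICMP" and alert["sid"] == 408:
        return "icmp-echo-reply"
    return "unclassified"


def summarise(text, resolvers=ISP_RESOLVERS):
    """Alert total, hits per source address, and hits per label."""
    alerts = parse_alerts(text)
    return {
        "total": len(alerts),
        "by_src": Counter(a["src"] for a in alerts),
        "by_label": Counter(classify(a, resolvers) for a in alerts),
    }


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    s = summarise(text)
    print(f"{s['total']} snort alerts")
    for src, n in s["by_src"].most_common(5):
        print(f"  {n:6d}  {src}")
    for label, n in s["by_label"].most_common():
        print(f"  {n:6d}  {label}")
```

Run it as `python3 snort_summary.py /var/log/secure` to get the "80k hits from one IP" figure per source address, and to see how many of those are nothing more than the resolver answering the box's own queries. The labels only say what the addresses and ports tell you; whether SID 1620 ought to be firing on plain UDP at all is a question for the rule set ClarkConnect ships, which this script does not touch.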


Re: I'm getting hammered... what should I do about it?

2008-10-15 Thread Nick Rout
Having set up a telstraclear cable modem yesterday i can tell you
203.96.152.4 is the telstraclear/paradise dns server (.12 is their
other one). :53 is of course the dns port.

On Wed, Oct 15, 2008 at 9:00 PM,  [EMAIL PROTECTED] wrote:
 I've got a 7.8mb secure log with this stuff in it and not sure what I should
 do to sort it out?

 [EMAIL PROTECTED] log]# tail -f secure
 Oct 15 21:06:41 bowenvale snort[21511]: [1:1620:5] BAD TRAFFIC Non-Standard
 IP protocol [Classification: Detection of a non-standard protocol or event]
 [Priority: 2]: {UDP} 203.96.152.4:53 - 121.73.114.171:58076
 Oct 15 21:06:41 bowenvale last message repeated 2 times
 Oct 15 21:06:41 bowenvale snort[21511]: [1:1620:5] BAD TRAFFIC Non-Standard
 IP protocol [Classification: Detection of a non-standard protocol or event]
 [Priority: 2]: {UDP} 71.174.101.194:61636 - 121.73.114.171:25768
 Oct 15 21:06:43 bowenvale snort[21511]: [1:408:5] ICMP Echo Reply
 [Classification: Misc activity] [Priority: 3]: {ICMP} 69.90.141.108 -
 121.73.114.171
 Oct 15 21:06:47 bowenvale snort[21511]: [1:1620:5] BAD TRAFFIC Non-Standard
 IP protocol [Classification: Detection of a non-standard protocol or event]
 [Priority: 2]: {UDP} 203.96.152.4:53 - 121.73.114.171:58076
 Oct 15 21:06:47 bowenvale last message repeated 2 times
 Oct 15 21:06:52 bowenvale sshd[21144]: Did not receive identification string
 from :::125.215.218.34
 Oct 15 21:06:53 bowenvale snort[21511]: [1:1620:5] BAD TRAFFIC Non-Standard
 IP protocol [Classification: Detection of a non-standard protocol or event]
 [Priority: 2]: {UDP} 71.241.249.210:51264 - 121.73.114.171:37912
 Oct 15 21:06:53 bowenvale snort[21511]: [1:1620:5] BAD TRAFFIC Non-Standard
 IP protocol [Classification: Detection of a non-standard protocol or event]
 [Priority: 2]: {UDP} 71.225.114.13:17910 - 121.73.114.171:37912
 Oct 15 21:06:53 bowenvale snort[21511]: [1:408:5] ICMP Echo Reply
 [Classification: Misc activity] [Priority: 3]: {ICMP} 69.90.141.108 -
 121.73.114.171
 Oct 15 21:06:55 bowenvale snort[21511]: [1:1620:5] BAD TRAFFIC Non-Standard
 IP protocol [Classification: Detection of a non-standard protocol or event]
 [Priority: 2]: {UDP} 71.174.101.194:61636 - 121.73.114.171:25768
 Oct 15 21:06:55 bowenvale snort[21511]: [1:1620:5] BAD TRAFFIC Non-Standard
 IP protocol [Classification: Detection of a non-standard protocol or event]
 [Priority: 2]: {UDP} 71.241.246.81:3743 - 121.73.114.171:25768
 Oct 15 21:06:56 bowenvale snort[21511]: [1:1620:5] BAD TRAFFIC Non-Standard
 IP protocol [Classification: Detection of a non-standard protocol or event]
 [Priority: 2]: {UDP} 129.186.194.160:52234 - 121.73.114.171:37912
 Oct 15 21:06:56 bowenvale snort[21511]: [1:384:5] ICMP PING [Classification:
 Misc activity] [Priority: 3]: {ICMP} 209.80.45.41 - 121.73.114.171
 Oct 15 21:06:57 bowenvale snort[21511]: [1:1620:5] BAD TRAFFIC Non-Standard
 IP protocol [Classification: Detection of a non-standard protocol or event]
 [Priority: 2]: {UDP} 71.174.101.194:61636 - 121.73.114.171:25768
 Oct 15 21:06:58 bowenvale snort[21511]: [1:1620:5] BAD TRAFFIC Non-Standard
 IP protocol [Classification: Detection of a non-standard protocol or event]
 [Priority: 2]: {UDP} 132.206.121.52:9413 - 121.73.114.171:25768
 Oct 15 21:07:01 bowenvale snort[21511]: [1:1620:5] BAD TRAFFIC Non-Standard
 IP protocol [Classification: Detection of a non-standard protocol or event]
 [Priority: 2]: {UDP} 71.174.101.194:61636 - 121.73.114.171:25768


 Cheers Don
 --
 Don Gould
 31 Acheson Ave, Mairehau, Christchurch, NZ
 Ph +64 3 348 7235 or + 64 21 114 0699
 www.thinkdesignprint.co.nz



Re: I'm getting hammered... what should I do about it?

2008-10-15 Thread Jim Cheetham
On Wed, Oct 15, 2008 at 10:36 PM,  [EMAIL PROTECTED] wrote:
 It's all packaged with ClarkConnect and seems to be working OK.  It's got
 pretty flash stuff that shows me I've got over 80k hits from one IP alone in
 the last day.

 I've emailed [EMAIL PROTECTED] to see if they can block the
 traffic.

Just blackhole all the traffic from that IP, and indeed from pretty
much any pwned attacker you see, if you care. Actually, if you aren't
running any services on your external interface, ignore it. Only
monitor services you are actually running.

In theory you are still paying to receive their SYN packets, but in
practice if you're both on TCL then they don't charge for it,
especially if it's on the local loop. Anyway, they can hammer away for
hours with just SYN packets, and it'll only add up to a couple of page
loads of stuff.co.nz ... :-)

-jim


Re: I'm getting hammered... what should I do about it?

2008-10-15 Thread don

Jim Cheetham wrote:

On Wed, Oct 15, 2008 at 10:00 PM,  [EMAIL PROTECTED] wrote:

I've got a 7.8mb secure log with this stuff in it and not sure what I should
do to sort it out?

[EMAIL PROTECTED] log]# tail -f secure
Oct 15 21:06:41 bowenvale snort[21511]: [1:1620:5] BAD TRAFFIC Non-Standard
IP protocol [Classification: Detection of a non-standard protocol or event]
[Priority: 2]: {UDP} 203.96.152.4:53 - 121.73.114.171:58076


Errm, respectfully, if you don't know what this stuff is, don't run snort.

It isn't a user-level piece of software, it's a network intrusion
detection/prevention system. If it isn't configured to fit your
network, it'll cause problems for you ...

-jim


It's all packaged with ClarkConnect and seems to be working OK.  It's 
got pretty flash stuff that shows me I've got over 80k hits from one IP 
alone in the last day.


I've emailed [EMAIL PROTECTED] to see if they can block the 
traffic.


Cheers Don
--
Don Gould
31 Acheson Ave, Mairehau, Christchurch, NZ
Ph +64 3 348 7235 or + 64 21 114 0699
www.thinkdesignprint.co.nz


Re: I'm getting hammered... what should I do about it?

2008-10-15 Thread Brett Davidson

From the subject line, my first thought was lay off the booze. ;-)
After reading, my second thought was to learn how to read snort if 
you're going to use it. That way you'll know that it is DNS traffic and 
(depending on if you are running a DNS server or not) what to do about it.
The what to do about it thought was you should just block it with a 
firewall - the traffic is insignificant.


:-)


Re: I'm getting hammered... what should I do about it?

2008-10-15 Thread Derek Smithies

Hi,
 My thoughts were:

a) the subject line was sufficiently interesting to attract attention

b) it was a golden opportunity for us to point Don in the correct direction
 and briefly say, standard snort report, port whatever, DNS...
 --That way, all newbies who read the email will benefit also..

c) Keep the tone of emails to CLUG good - please.

Derek.
On Thu, 16 Oct 2008, Brett Davidson wrote:


From the subject line, my first thought was lay off the booze. ;-)
After reading, my second thought was to learn how to read snort if you're 
going to use it. That way you'll know that it is DNS traffic and (depending 
on if you are running a DNS server or not) what to do about it.
The what to do about it thought was you should just block it with a firewall 
- the traffic is insignificant.


:-)




--
Derek Smithies Ph.D.
IndraNet Technologies Ltd.
Email: [EMAIL PROTECTED]
ph +64 3 365 6485
Web: http://www.indranet-technologies.com/


Re: I'm getting hammered... what should I do about it?

2008-10-15 Thread don

Derek Smithies wrote:

Hi,
 My thoughts were:

a) the subject line was sufficiently interesting to attract attention


To be honest I haven't even thought about how it read...  I was watching 
`# tail -f secure` and thought 'crap, I'm getting hammered here'...


I've had about 3 emails from TCL telling me I'm over my limit and here's 
another 500mb, so I've been on the hunt for where it's going.



b) it was a golden opportunity for us to point Don in the correct direction
 and briefly say, standard snort report, port whatever, DNS...
 --That way, all newbies who read the email will benefit also..


Snort is a standard package in CC 3.2 home.

I agree, I have bugger all idea what I'm looking at but when one IP has 
had 80k hits, it made me wonder what it is and what it's trying to do!



c) Keep the tone of emails to CLUG good - please.



No use of C# then?

Cheers Don