If the problem shows up as a ping storm, you could try something like the following, but to be really effective it needs to be running near the edge of your network (e.g. the client AP):
# Fixed for current iptables: negation is written "! -s", and the chain
# must be jumped to from FORWARD (or INPUT) or it never sees a packet.
iptables -N lmticmp
iptables -F lmticmp
iptables -A lmticmp ! -s 192.168.0.0/16 -j ACCEPT                        # non-customer sources pass untouched
iptables -A lmticmp -s 192.168.0.0/16 -m limit --limit 30/s -j ACCEPT     # one 30 pkt/s budget shared by all client sources
iptables -A lmticmp -m limit --limit 5/min --limit-burst 5 -j LOG --log-level 0 --log-prefix "PACKETSTORM"
iptables -A lmticmp -j DROP                                               # over the limit: logged above, then dropped
iptables -A FORWARD -p icmp -j lmticmp                                    # hook the chain into the ICMP forwarding path

There's also a good posting on this subject here:
http://www.usenet-forums.com/linux-networking/59497-what-limitation-iptabless-limit-option.html

Tom Sharples
Qorvus Systems, Inc.

----- Original Message -----
From: "Dennis Burgess" <[email protected]>
To: "WISPA General List" <[email protected]>
Sent: Wednesday, February 18, 2009 9:58 AM
Subject: Re: [WISPA] Suggestions on preventing network flooding

> As I say in my Traffic Management and Firewalling Mikrotik Courses, "If
> you can't identify the traffic, you can't control it, block it, limit
> it, or otherwise do ANYTHING with it!"
>
> Traffic Identification is first! :)
>
> -----------------------------------------------------------
> Dennis Burgess, CCNA, A+, Mikrotik Certified Trainer
> WISPA Board Member - wispa.org <http://www.wispa.org/>
> Link Technologies, Inc -- Mikrotik & WISP Support Services
> WISPA Vendor Member
> Office: 314-735-0270  Website: http://www.linktechs.net
> LIVE On-Line Mikrotik Training <http://www.linktechs.net/onlinetraining.asp>
>
> The information transmitted (including attachments) is covered by the
> Electronic Communications Privacy Act, 18 U.S.C. 2510-2521, is intended
> only for the person(s) or entity/entities to which it is addressed and
> may contain confidential and/or privileged material. Any review,
> retransmission, dissemination or other use of, or taking of any action
> in reliance upon, this information by persons or entities other than the
> intended recipient(s) is prohibited. If you received this in error,
> please contact the sender and delete the material from any computer.
>
> Patrick Shoemaker wrote:
>> You really need to find out exactly WHAT the problematic traffic is
>> before you worry about how to best block it. Hook up a machine with
>> Wireshark to a tap or a mirrored switch port that is seeing the
>> offending traffic. If you can't immediately identify the problem traffic
>> by looking at the packets live from the wire, you can have Wireshark
>> sort the flows by all kinds of different factors.
>>
>> Patrick Shoemaker
>> Vector Data Systems LLC
>> [email protected]
>> office: (301) 358-1690 x36
>> http://www.vectordatasystems.com
>>
>> Patrick Nix Jr. wrote:
>>> Right, I'm routing already to my customers. I just can't seem to
>>> identify where the flood of traffic is coming from. My guess is that
>>> someone is using some sort of p2p and opening gazillions of connections
>>> for either upload or download traffic, or someone has a virus that is
>>> flooding the network with a bunch of small packets. I've tried to set up
>>> some iptables rules in our imagestream to prevent both of these, but I am
>>> a newbie with iptables and I either end up killing all internet traffic
>>> to everyone or it has no effect at all. Does anyone care to share some
>>> suggestions for iptables rules using Powercode with an imagestream
>>> router?
>>>
>>> Thanks a million.
>>>
>>> Patrick Nix, Jr.,
>>> csweb.net
>>> (918) 235-0414
>>> http://www.csweb.net
>>> E-Mail: [email protected]
>>>
>>> ATTENTION: This e-mail may contain information that is confidential in
>>> nature. If you are not the intended recipient, please delete this e-mail
>>> and notify the sender immediately. Thank you.
>>>
>>> -----Original Message-----
>>> From: [email protected] [mailto:[email protected]] On Behalf Of Dennis Burgess
>>> Sent: Wednesday, February 18, 2009 10:33 AM
>>> To: WISPA General List
>>> Subject: Re: [WISPA] Suggestions on preventing network flooding
>>>
>>> Routing man.
>>>
>>> Dennis Burgess, CCNA, A+, Mikrotik Certified Trainer
>>> Link Technologies, Inc -- Mikrotik & WISP Support Services
>>>
>>> Patrick Nix Jr. wrote:
>>>> Every day we seem to have this problem: we can watch our pings, and for
>>>> the morning our avg ping time will be about 27ms to our customers. And
>>>> then it will just start climbing up to 1000ms and stay there most of the
>>>> time for hours. I can't seem to identify where it is coming from,
>>>> although it must be coming from our customers, because I can sit here at
>>>> the head end and still ping google at 60ms consistently while this is
>>>> going on.
>>>> When it happens the network slows down to the point of being
>>>> unusable. Any suggestions? Below is an example of yesterday.
>>>>
>>>> Thanks
>>>>
>>>> Patrick Nix, Jr.,
>>>> csweb.net
>>>> (918) 235-0414
>>>> http://www.csweb.net <http://www.csweb.net/>
>>>> E-Mail: [email protected]
--------------------------------------------------------------------------------
WISPA Wants You! Join today!
http://signup.wispa.org/
--------------------------------------------------------------------------------
WISPA Wireless List: [email protected]
Subscribe/Unsubscribe: http://lists.wispa.org/mailman/listinfo/wireless
Archives: http://lists.wispa.org/pipermail/wireless/
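A token-bucket model of the `-m limit --limit 30/s` rule in Tom's suggestion at the top of the thread, added here as an example (it is not code from the thread or from any of its posters) with constructed traffic and hypothetical 192.168.x client addresses. It shows the caveat a practitioner would want to know: `-m limit` keeps one budget shared by every source that hits the rule, so a storming client crowds out a neighbour's single ping, whereas `-m hashlimit --hashlimit-mode srcip` gives each source its own bucket.

```python
from collections import defaultdict

# Token-bucket model of iptables `-m limit --limit RATE --limit-burst BURST`
# (the kernel's xt_limit match uses the same idea with its own credit units).
# Integer millitokens and millisecond timestamps keep the arithmetic exact.
class LimitMatch:
    def __init__(self, rate_per_s, burst=5):
        self.rate = rate_per_s          # tokens refilled per second
        self.cap = burst * 1000         # bucket capacity in millitokens
        self.tokens = self.cap          # the bucket starts full
        self.last_ms = 0

    def match(self, now_ms):
        """True if the packet fits the limit (rule matches, so ACCEPT)."""
        refill = (now_ms - self.last_ms) * self.rate
        self.tokens = min(self.cap, self.tokens + refill)
        self.last_ms = now_ms
        if self.tokens >= 1000:
            self.tokens -= 1000
            return True
        return False                    # falls through to the LOG / DROP rules

def simulate(packets, rate_per_s=30, burst=5, per_source=False):
    """packets: (time_ms, src) pairs. Returns {src: (accepted, dropped)}.
    per_source=False models `-m limit` (one bucket shared by all sources);
    per_source=True models `-m hashlimit --hashlimit-mode srcip`."""
    buckets = defaultdict(lambda: LimitMatch(rate_per_s, burst))
    stats = defaultdict(lambda: [0, 0])
    for t, src in sorted(packets):
        key = src if per_source else "*"
        stats[src][0 if buckets[key].match(t) else 1] += 1
    return {src: tuple(v) for src, v in stats.items()}

# Constructed traffic (hypothetical addresses): one client sends 100 pings
# in one second, an unrelated client sends a single ping half-way through.
STORM = [(i * 10, "192.168.5.23") for i in range(100)]
LONE_PING = [(505, "192.168.7.9")]

def shared_limit_result():
    return simulate(STORM + LONE_PING)

def per_source_limit_result():
    return simulate(STORM + LONE_PING, per_source=True)

if __name__ == "__main__":
    print("shared -m limit     :", shared_limit_result())
    print("per-source hashlimit:", per_source_limit_result())
```

With the shared bucket the lone ping is dropped along with 66 of the storm's packets; with a bucket per source the storm is throttled identically but the neighbour's ping goes through.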
