Closed. This question is off-topic. It is not currently accepting answers.
Closed 9 years ago.
In the last few days my server has been suffering an attack of this kind
(bandwidth > 60MBit/s; XXX.XXX.XXX.XXX are multiple IPs):
tcpdump -n proto ICMP
17:15:19.267464 IP XXX.XXX.XXX.XXX > my_ip: ICMP time exceeded in-transit, length 36
17:15:19.325217 IP XXX.XXX.XXX.XXX > my_ip: ICMP time exceeded in-transit, length 36
17:15:19.345561 IP XXX.XXX.XXX.XXX > my_ip: ICMP time exceeded in-transit, length 56
17:15:19.484865 IP XXX.XXX.XXX.XXX > my_ip: ICMP time exceeded in-transit, length 36
17:15:19.529616 IP XXX.XXX.XXX.XXX > my_ip: ICMP time exceeded in-transit, length 36
17:15:19.957058 IP XXX.XXX.XXX.XXX > my_ip: ICMP YYY.YYY.YYY.YYY tcp port 39692 unreachable, length 36
17:15:19.968957 IP XXX.XXX.XXX.XXX > my_ip: ICMP host YYY.YYY.YYY.YYY unreachable, length 56
17:15:20.112520 IP XXX.XXX.XXX.XXX > my_ip: ICMP host YYY.YYY.YYY.YYY unreachable, length 56
17:15:20.203199 IP XXX.XXX.XXX.XXX > my_ip: ICMP host YYY.YYY.YYY.YYY unreachable, length 36
17:15:20.204803 IP XXX.XXX.XXX.XXX > my_ip: ICMP host YYY.YYY.YYY.YYY unreachable, length 36
I have FreeBSD 9.1 and my pf.conf is:
ext_if="em0"
table <blockedips> persist file "/etc/pf-blocked-ips.conf"
set skip on lo0
block drop in log (all) quick on $ext_if from <blockedips> to any
block in
pass out flags S/SA keep state
pass in on $ext_if proto tcp to port 80 flags S/SA keep state
pass in on $ext_if proto tcp to port ssh flags S/SA synproxy state
Is there anything that I can do with pf?
It looks like you might be receiving some backscatter from a DDoS attack (http://blog.usu.edu/security/2010/08/24/backscatters-the-name-dos-the-game/).
There's not much you can do about this unless you can filter them in a switch before they hit your server; they're already getting dropped in the kernel as a network anomaly.
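To put numbers on the pattern the answer describes, here is an added Python example (not from the question or the answer) that parses tcpdump lines in the format shown above, keeps only the ICMP error classes a host should receive solely in reply to its own traffic, and reports counts, distinct senders and arrival rate. The sample capture is constructed from documentation addresses.

```python
import re
from collections import Counter

# Constructed sample in the tcpdump format shown in the question
# (documentation addresses, not real capture data).
SAMPLE_CAPTURE = """\
17:15:19.267464 IP 203.0.113.10 > 198.51.100.5: ICMP time exceeded in-transit, length 36
17:15:19.325217 IP 203.0.113.11 > 198.51.100.5: ICMP time exceeded in-transit, length 36
17:15:19.957058 IP 203.0.113.12 > 198.51.100.5: ICMP 192.0.2.7 tcp port 39692 unreachable, length 36
17:15:19.968957 IP 203.0.113.13 > 198.51.100.5: ICMP host 192.0.2.8 unreachable, length 56
17:15:20.500000 IP 203.0.113.14 > 198.51.100.5: ICMP echo request, id 1, seq 1, length 64
"""

LINE_RE = re.compile(r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>\S+) > \S+: "
                     r"ICMP (?P<msg>.+), length \d+$")

# ICMP error classes a host should only receive in reply to packets it sent itself;
# a stream of them with no matching firewall state is the backscatter signature.
ERROR_PATTERNS = (
    ("time-exceeded", re.compile(r"^time exceeded")),
    ("port-unreachable", re.compile(r"^\S+ (?:tcp|udp) port \d+ unreachable$")),
    ("host-unreachable", re.compile(r"^host \S+ unreachable$")),
)

def classify(msg):
    for name, pattern in ERROR_PATTERNS:
        if pattern.search(msg):
            return name
    return None  # ordinary ICMP such as an echo request is not an error

def _seconds(ts):
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)

def summarize(capture):
    """Count ICMP errors by class and sender, and their arrival rate over the capture."""
    by_type, sources, times = Counter(), set(), []
    for line in capture.splitlines():
        m = LINE_RE.match(line)
        kind = classify(m.group("msg")) if m else None
        if kind is None:
            continue  # unparsable line or non-error ICMP
        by_type[kind] += 1
        sources.add(m.group("src"))
        times.append(_seconds(m.group("ts")))
    total = sum(by_type.values())
    span = max(times) - min(times) if total else 0.0
    rate = total / span if span > 0 else float(total)
    return {"total_errors": total, "by_type": dict(by_type),
            "distinct_sources": len(sources), "errors_per_second": rate}
```

A high error rate spread over many distinct senders, as in the question's capture, is what distinguishes backscatter from a single misbehaving peer; a stateful pf ruleset already drops these because no state matches them.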
Related
I had a problem with my VACL configuration on cisco packet tracer.
My problem is I want to block ping to 192.168.6.2 from 192.168.1.0 but it keeps failing
Here is my code :
access-list 101 deny icmp 192.168.6.2 0.0.0.0 192.168.1.0 0.0.0.255 echo-reply
access-list 101 permit icmp any any
interface gig0/0/0
ip access-group 101 in
ex
You swapped the source and destination addresses:
Access-list 101 deny icmp 192.168.1.0 0.0.0.255 host 192.168.6.2 echo
I'm trying to launch a SNMP query from a pod uploaded in an Azure cloud to an internal host on my company's network. The snmpget queries work well from the pod to, say, a public SNMP server, but the query to my target host results in:
root@status-tanner-api-86557c6786-wpvdx:/home/status-tanner-api/poller# snmpget -c public -v 2c 192.168.118.23 1.3.6.1.2.1.1.1.0
Timeout: No Response from 192.168.118.23.
An nmap scan shows that the SNMP port is open|filtered:
Nmap scan report for 192.168.118.23
Host is up (0.16s latency).
PORT STATE SERVICE
161/udp open|filtered snmp
I requested a new rule to allow 161UDP from my pod, but I'm suspecting that I requested the rule to be made for the wrong IP address.
My theory is that I should be able to determine the IP address my pod uses to access this target host if I could get inside the target host, open a connection from the pod and see using netstat which is the IP address my pod is using. The problem is that I currently have no access to this host.
So, my question is How can I see from which address my pod is reaching the target host? Some sort of public address is obviously being used, but I can't tell which one is it without entering the target host.
I'm pretty sure I'm missing an important network tool that should help me in this situation. Any suggestion would be profoundly appreciated.
By default Kubernetes will use your node IP to reach the other servers, so you need to make a firewall rule using your node IP.
I've tested this using a busybox pod to reach another server in my network.
Here is my lab-1 node with IP 10.128.0.62:
rabello@lab-1:~$ ip ad | grep ens4 | grep inet
inet 10.128.0.62/32 scope global dynamic ens4
On this node I have a busybox pod with the IP 192.168.251.219:
$ kubectl exec -it busybox sh
/ # ip ad | grep eth0 | grep inet
inet 192.168.251.219/32 scope global eth0
When I perform a ping test to another server in the network (server-1) we have:
/ # ping 10.128.0.61
PING 10.128.0.61 (10.128.0.61): 56 data bytes
64 bytes from 10.128.0.61: seq=0 ttl=63 time=1.478 ms
64 bytes from 10.128.0.61: seq=1 ttl=63 time=0.337 ms
^C
--- 10.128.0.61 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max = 0.337/0.907/1.478 ms
Using tcpdump on server-1, we can see the ping requests from my pod arriving with the node IP of lab-1:
rabello@server-1:~$ sudo tcpdump -n icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
10:16:09.291714 IP 10.128.0.62 > 10.128.0.61: ICMP echo request, id 6230, seq 0, length 64
10:16:09.291775 IP 10.128.0.61 > 10.128.0.62: ICMP echo reply, id 6230, seq 0, length 64
^C
4 packets captured
4 packets received by filter
0 packets dropped by kernel
Make sure you have an appropriate firewall rule to allow your node (or your VPC range) to reach your destination, and check that your VPN is up (if you have one).
I hope it helps! =)
I have a server with multiple network interfaces.
I'm trying to run network monitoring tools in order to verify network traffic statistics using the sFlow standard on a router.
I get my sFlow datagrams on port 5600 of the eth1 interface. I'm able to see the generated traffic thanks to tcpdump:
user@lnssrv:~$ sudo tcpdump -i eth1
14:09:01.856499 IP 10.10.10.10.60147 > 198.51.100.232.5600: UDP, length 1456
14:09:02.047778 IP 10.10.10.10.60147 > 198.51.100.232.5600: UDP, length 1432
14:09:02.230895 IP 10.10.10.10.60147 > 198.51.100.232.5600: UDP, length 1300
14:09:02.340114 IP 198.51.100.253.5678 > 255.255.255.255.5678: UDP, length 111
14:09:02.385036 STP 802.1d, Config, Flags [none], bridge-id c01e.b4:a4:e3:0b:a6:00.8018, length 43
14:09:02.434658 IP 10.10.10.10.60147 > 198.51.100.232.5600: UDP, length 1392
14:09:02.634447 IP 10.10.10.10.60147 > 198.51.100.232.5600: UDP, length 1440
14:09:02.836015 IP 10.10.10.10.60147 > 198.51.100.232.5600: UDP, length 1364
14:09:03.059851 IP 10.10.10.10.60147 > 198.51.100.232.5600: UDP, length 1372
14:09:03.279067 IP 10.10.10.10.60147 > 198.51.100.232.5600: UDP, length 1356
14:09:03.518385 IP 10.10.10.10.60147 > 198.51.100.232.5600: UDP, length 1440
It all seems OK, but when I try to read the packets with netcat it seems that there are no packets there:
nc -lu 5600
Indeed, neither sflowtool nor nprobe reads anything from port 5600.
Where am I wrong?
nc -lu 5600 is going to open a socket on port 5600, meaning that it will only dump packets that are received on that socket, i.e., packets aimed at that specific address and port.
On the other side, tcpdump collects all the traffic flowing, even without it being sent to a specific server.
There are two possible causes of your problem here:
a) Your host IP is not 198.51.100.232.
With the host filter you will be able to see exactly the TCP traffic of your server,
for example: tcpdump -i eth1 host 198.51.100.232 port 80
b) There is another server listening on UDP port 5600 that is grabbing all the data, so nothing is left over for the nc socket.
Notice: with tcpdump you will not be able to check and listen on UDP ports.
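To tell the answer's two causes apart without guessing, here is an added Python example (not from the question or the answer) that attempts the same bind that nc -lu performs on a specific address and maps the resulting errno to a diagnosis. The address 198.51.100.232 and port 5600 come from the question; hold_port is a constructed helper for reproducing case (b) locally.

```python
import errno
import socket

def diagnose_udp_bind(addr, port):
    """Try to bind a UDP socket to addr:port the way 'nc -lu' on that address would.

    Returns:
      "ok"         - bound fine, so nothing else owns addr:port on this host
      "not_local"  - addr is not configured on any interface here (cause a)
      "in_use"     - another process already holds addr:port (cause b)
      "permission" - binding needs more privilege (e.g. port < 1024 as non-root)
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        s.bind((addr, port))
        return "ok"
    except OSError as e:
        if e.errno == errno.EADDRNOTAVAIL:
            return "not_local"
        if e.errno == errno.EADDRINUSE:
            return "in_use"
        if e.errno in (errno.EACCES, errno.EPERM):
            return "permission"
        raise
    finally:
        s.close()

def hold_port(addr, port):
    """Occupy addr:port with a UDP socket (constructed helper to reproduce cause b).

    The caller keeps the returned socket open; closing it releases the port.
    Passing port 0 lets the kernel pick a free one, readable via getsockname().
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.bind((addr, port))
    return s

if __name__ == "__main__":
    print("198.51.100.232:5600 ->", diagnose_udp_bind("198.51.100.232", 5600))
    holder = hold_port("127.0.0.1", 0)
    taken = holder.getsockname()[1]
    print("127.0.0.1:%d while held ->" % taken, diagnose_udp_bind("127.0.0.1", taken))
    holder.close()
    print("127.0.0.1:%d after release ->" % taken, diagnose_udp_bind("127.0.0.1", taken))
```

If the bind reports "in_use", ss -ulpn (or lsof -i UDP:5600) will name the process that already owns the port; if it reports "not_local", the collector address in the router's sFlow configuration does not belong to this host.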
Not sure that it can help here, but in my case it helped (I had a similar problem), so I just stopped "iptables" like
service iptables stop.
It seems that tcpdump works at a lower level than iptables, and iptables can stop datagrams from being processed at the higher level. Here is a good article on this topic with a nice picture.
I've found sources that suggest how I can find whether an IP address is available using ping, arping and nmap, but all of these solutions fail when IPv4 is switched off. I'd like to find a way of automatically detecting whether an IPv4 address is available before assigning it to a new machine that does not have an IPv4 address. For example,
$ sudo arping 192.168.2.205
ARPING 192.168.2.205
60 bytes from 00:50:56:91:a5:0d (192.168.2.205): index=0 time=730.931 msec
60 bytes from 00:50:56:91:a5:0d (192.168.2.205): index=1 time=362.976 msec
60 bytes from 00:50:56:91:a5:0d (192.168.2.205): index=2 time=730.205 msec
^C
--- 192.168.2.205 statistics ---
4 packets transmitted, 3 packets received, 25% unanswered (0 extra)
$ sudo ifconfig eth0 0.0.0.0
$ sudo arping 192.168.2.205
arping: Unable to automatically find interface to use. Is it on the local LAN?
arping: Use -i to manually specify interface. Guessing interface eth0.
arping: Unable to get the IPv4 address of interface eth0:
arping: libnet_get_ipaddr4(): ioctl(): Cannot assign requested address
arping: Use -S to specify address manually.
Is there a way to achieve this?
I'm using Shorewall.
How do I enable ping to a specific IP address where the zone containing that IP has ping disabled?
in etc/rules....
Suppose you have a zone dmz, and in that zone you have the
external IP address 67.89.164.199 and the internal IP 10.0.99.10.
That is, the external IP DNATs to 10.0.99.10.
The dmz zone doesn't allow pings from the outside.
Here's what to do:
1) DNAT net dmz:10.0.99.10 icmp 8 - 67.89.164.199
or, in other words, send all pings ("icmp 8") that come to 67.89.164.199 to 10.0.99.10
2) Ping/ACCEPT net dmz:10.0.99.10
i.e. accept Ping
Allow a single IP using
iptables -A INPUT -s x.x.x.x -p ICMP --icmp-type 8 -j ACCEPT
Reference: http://www.trickylinux.net/ping-single-ip-linux/