[Nottingham] iptables log analysis

Martin nottingham at mailman.lug.org.uk
Thu Sep 18 17:23:00 2003


Duncan John Fyfe wrote:
[...]
> When the firewall machine is switched off the cable modem U/L and D/L
> lights indicate  no traffic. When the firewall is switched on my
> iptable rules fill my logs from traffic arriving at eth0 and the
> cable modem lights indicate traffic.
> 
> * Q1: Which side of the cable modem, NTL side or my side, do the
> flashing lights indicate traffic on ? I had always assumed it was the
> NTL side.

Assuming you've got an ntl:home100 or similar modem, then:

The USB or ENET leds are on when that link is active, flashing off-on to
indicate traffic.

U/S flashes for traffic lan -> ntl wan (i.e., your eth0 tx)
D/S flashes for incoming traffic, ntl wan -> your lan (your eth0 rx)

SYNC and RDY should both stay always on.

All the leds do a merry sequenced flash on power up and when a carrier
is being negotiated. This will also happen when occasionally ntl switch
off their end and reactivate some time later...


[...]
> Sep 18 07:04:12 dragon kernel:  IPT: INP udp IN=eth0 OUT=
> MAC=ff:ff:ff:ff:ff:ff:00:05:74:f7:28:54:08:00 SRC=10.145.167.254
> DST=255.255.255.255 LEN=328 TOS=0x00 PREC=0x00 TTL=255 ID=53124
> PROTO=UDP SPT=67 DPT=68 LEN=308
> 
> Sep 18 07:04:12 dragon kernel:  IPT: INP udp IN=eth0 OUT=
> MAC=ff:ff:ff:ff:ff:ff:00:05:74:f7:28:54:08:00 SRC=10.145.167.254
> DST=255.255.255.255 LEN=328 TOS=0x00 PREC=0x00 TTL=255 ID=53127
> PROTO=UDP SPT=67 DPT=68 LEN=308
> 
> These arrive in pairs every 2-3 minutes.  The IP address is always
> the same (10.145.167.254) and it is always DST=255.255.255.255. I'm
> assuming from the ports that this is aimed at the eth0 dhcp client.
> The IP address is private and 'similar' to that of my cable modem
> (10.145.*.*) but not even close to that of either my cable modem
> (213.*.*.*), the ntl dhcp server (62.243.0.*), or anything else for
> that matter.

These are from your ntl UBR. It's trying to talk to you!


[...]
> Which fills my logs with the likes of:
> 
> Sep 18 07:11:42 dragon kernel:  IPT: Ping scan IN=eth0 OUT=
> MAC=<eth0MACaddress> SRC=213.104.96.41 DST=<eth0IPaddress> LEN=92
> TOS=0x00 PREC=0x00 TTL=121 ID=22537 PROTO=ICMP TYPE=8 CODE=0 ID=768
> SEQ=14668
> 
> Sep 18 07:12:17 dragon kernel:  IPT: Ping scan IN=eth0 OUT=
> MAC=<eth0MACaddress> SRC=213.106.53.70 DST=<eth0IPaddress> LEN=92
> TOS=0x00 PREC=0x00 TTL=119 ID=21086 PROTO=ICMP TYPE=8 CODE=0 ID=512
> SEQ=12931
> 
> These messages average ~3 per minute (2972 over ~16 hours
> yesterday).

Yep. Had a few hundred thousand of them to the tune of 3 to 4 kBytes/s
for the last few weeks. Peaked at around 9 kBytes/s for a short while
a while back.

These are MS Blaster worms and variants. Amazing those local idiots with
the infected boxes haven't noticed...


> * Q3: Either I'm being pinged a lot by random people (1763 uniq IP
> addresses in 2972 messages, mostly originating within ntl) or my
> understanding of the above rule is wrong. My understanding of the
> rule is "If I receive on average more than 5 pings per minute from
> a source IP address then the source is logged."

If you want to reduce your logs, either screen out the LEN=92 pings or 
blacklist the idiots.

At the moment, I'm too busy to be too concerned and disk space is cheap. 
The knackering of my bandwidth is more of an annoyance.


For all things ntl and internet, see:

The fount of all UK Cable Modem wisdom, Robin Walker's pages at
http://homepage.ntlworld.com/robin.d.h.walker/cmtips/index.html.


Good luck,
Martin

-- 
----------------
Martin Lomas
martin@ml1.co.uk
----------------
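The two kinds of record quoted in this thread (the UBR's DHCP broadcasts on SPT=67/DPT=68 and the LEN=92 ICMP echo requests) are easy to pull apart with a small parser, and doing so also answers the "how many pings per source per minute" question from the logs themselves. What follows is an added example and not code from anyone in the thread. It assumes the log lines quoted above (with the poster's <eth0MACaddress> and <eth0IPaddress> placeholders replaced by made-up values), plus a few constructed extra echo requests from one source so that a threshold is actually crossed; the year 2003 is assumed because syslog timestamps carry none. One detail worth knowing: the kernel prints LEN and ID twice on these lines (IP header first, then the UDP length or ICMP echo identifier), so a naive key=value dict silently loses the IP-level values; the parser keeps both. The per-source sliding-window count is a log-side approximation of the poster's reading of the rule, not a reproduction of how the iptables `limit` match behaves.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample input. Lines 1-4 reproduce the records quoted in the
# thread (with the <eth0MACaddress>/<eth0IPaddress> placeholders filled with
# made-up values); lines 5-9 are constructed extra echo requests from one
# source so that a per-source, per-minute threshold is actually exceeded.
SAMPLE_LOG = """\
Sep 18 07:04:12 dragon kernel:  IPT: INP udp IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:05:74:f7:28:54:08:00 SRC=10.145.167.254 DST=255.255.255.255 LEN=328 TOS=0x00 PREC=0x00 TTL=255 ID=53124 PROTO=UDP SPT=67 DPT=68 LEN=308
Sep 18 07:04:12 dragon kernel:  IPT: INP udp IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:05:74:f7:28:54:08:00 SRC=10.145.167.254 DST=255.255.255.255 LEN=328 TOS=0x00 PREC=0x00 TTL=255 ID=53127 PROTO=UDP SPT=67 DPT=68 LEN=308
Sep 18 07:11:42 dragon kernel:  IPT: Ping scan IN=eth0 OUT= MAC=00:11:22:33:44:55:00:05:74:f7:28:54:08:00 SRC=213.104.96.41 DST=192.0.2.10 LEN=92 TOS=0x00 PREC=0x00 TTL=121 ID=22537 PROTO=ICMP TYPE=8 CODE=0 ID=768 SEQ=14668
Sep 18 07:12:17 dragon kernel:  IPT: Ping scan IN=eth0 OUT= MAC=00:11:22:33:44:55:00:05:74:f7:28:54:08:00 SRC=213.106.53.70 DST=192.0.2.10 LEN=92 TOS=0x00 PREC=0x00 TTL=119 ID=21086 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=12931
Sep 18 07:11:50 dragon kernel:  IPT: Ping scan IN=eth0 OUT= MAC=00:11:22:33:44:55:00:05:74:f7:28:54:08:00 SRC=213.104.96.41 DST=192.0.2.10 LEN=92 TOS=0x00 PREC=0x00 TTL=121 ID=22540 PROTO=ICMP TYPE=8 CODE=0 ID=768 SEQ=14669
Sep 18 07:11:58 dragon kernel:  IPT: Ping scan IN=eth0 OUT= MAC=00:11:22:33:44:55:00:05:74:f7:28:54:08:00 SRC=213.104.96.41 DST=192.0.2.10 LEN=92 TOS=0x00 PREC=0x00 TTL=121 ID=22544 PROTO=ICMP TYPE=8 CODE=0 ID=768 SEQ=14670
Sep 18 07:12:05 dragon kernel:  IPT: Ping scan IN=eth0 OUT= MAC=00:11:22:33:44:55:00:05:74:f7:28:54:08:00 SRC=213.104.96.41 DST=192.0.2.10 LEN=92 TOS=0x00 PREC=0x00 TTL=121 ID=22551 PROTO=ICMP TYPE=8 CODE=0 ID=768 SEQ=14671
Sep 18 07:12:20 dragon kernel:  IPT: Ping scan IN=eth0 OUT= MAC=00:11:22:33:44:55:00:05:74:f7:28:54:08:00 SRC=213.104.96.41 DST=192.0.2.10 LEN=92 TOS=0x00 PREC=0x00 TTL=121 ID=22560 PROTO=ICMP TYPE=8 CODE=0 ID=768 SEQ=14672
Sep 18 07:12:30 dragon kernel:  IPT: Ping scan IN=eth0 OUT= MAC=00:11:22:33:44:55:00:05:74:f7:28:54:08:00 SRC=213.104.96.41 DST=192.0.2.10 LEN=92 TOS=0x00 PREC=0x00 TTL=121 ID=22566 PROTO=ICMP TYPE=8 CODE=0 ID=768 SEQ=14673
"""

LINE_RE = re.compile(
    r'^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) kernel:\s+'
    r'IPT: (?P<prefix>.*?) (?P<fields>IN=.*)$'
)
FIELD_RE = re.compile(r'(\w+)=(\S*)')


def parse_line(line):
    """Parse one IPT log record into a dict, or return None if it is not one.

    The kernel prints the IP-header fields first, then PROTO= and the
    transport/ICMP fields, and two keys repeat: LEN (IP total length, then
    UDP length) and ID (IP identification, then ICMP echo identifier).
    The second occurrence is stored under an 'L4' prefix so neither is lost.
    """
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = {'host': m['host'], 'prefix': m['prefix']}
    # Syslog timestamps carry no year; 2003 is assumed from the thread's date.
    rec['time'] = datetime.strptime(m['ts'], '%b %d %H:%M:%S').replace(year=2003)
    for key, val in FIELD_RE.findall(m['fields']):
        if key in rec:
            rec['L4' + key] = val
        else:
            rec[key] = val
    return rec


def classify(rec):
    """Label a record by the two traffic types discussed in the thread."""
    if (rec.get('PROTO') == 'UDP' and rec.get('SPT') == '67'
            and rec.get('DPT') == '68' and rec.get('DST') == '255.255.255.255'):
        return 'dhcp-server-broadcast'      # the UBR's DHCP traffic
    if rec.get('PROTO') == 'ICMP' and rec.get('TYPE') == '8' and rec.get('LEN') == '92':
        return 'icmp-echo-len92'            # the 92-byte echo requests
    return 'other'


def summarize(log_text):
    """Parse every record, tag it with a class, and return headline counts."""
    records = [r for r in map(parse_line, log_text.splitlines()) if r]
    for r in records:
        r['class'] = classify(r)
    return {
        'records': len(records),
        'by_class': Counter(r['class'] for r in records),
        'unique_sources': len({r['SRC'] for r in records}),
        # Blacklist candidates per the advice above: senders of LEN=92 echo requests.
        'len92_sources': sorted({r['SRC'] for r in records if r['class'] == 'icmp-echo-len92'}),
        'parsed': records,
    }


def sources_over_limit(records, limit=5, window_s=60):
    """Map each source that sent more than `limit` ICMP echo requests inside
    some `window_s`-second sliding window to its peak count in such a window.
    This is a per-source count over the log, which is an approximation of the
    poster's reading of the rule and not how the iptables limit match works.
    """
    by_src = defaultdict(list)
    for r in records:
        if r.get('PROTO') == 'ICMP' and r.get('TYPE') == '8':
            by_src[r['SRC']].append(r['time'])
    flagged = {}
    for src, times in by_src.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            while (t - times[start]).total_seconds() > window_s:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > limit:
            flagged[src] = peak
    return flagged


if __name__ == '__main__':
    s = summarize(SAMPLE_LOG)
    print(s['records'], 'records,', s['unique_sources'], 'unique sources')
    for cls, n in s['by_class'].most_common():
        print(f'  {n:4d}  {cls}')
    print('blacklist candidates:', s['len92_sources'])
    print('over limit (>5 echo requests in any 60 s):', sources_over_limit(s['parsed']))
```

Run it against a real /var/log/messages by replacing SAMPLE_LOG with the file contents; the len92_sources list is the input for the "blacklist the idiots" option, and the LEN=92 test in classify is the filter for the "screen out the LEN=92 pings" option.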