[Wylug-discuss] Another firewall problem
Roger Beaumont
roger.bea at blueyonder.co.uk
Thu Sep 27 12:43:17 BST 2007
Back to my firewall problems...
My previous problem now seems fixed, but the shorewall log is still filling
up the available (RAM-)disk space at a rate of knots.
A few seconds' sample is:
----------------------------------------
Sep 27 11:09:54 pheonix Shorewall:man1918:DROP: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:0d:66:26:a4:54:08:00 SRC=10.153.192.1 DST=255.255.255.255 LEN=438 TOS=00 PREC=0x00 TTL=255 ID=1793 PROTO=UDP SPT=67 DPT=68 LEN=418
Sep 27 11:09:54 pheonix Shorewall:man1918:DROP: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:0d:66:26:a4:54:08:00 SRC=10.153.192.1 DST=255.255.255.255 LEN=329 TOS=00 PREC=0x00 TTL=255 ID=1884 PROTO=UDP SPT=67 DPT=68 LEN=309
Sep 27 11:09:56 pheonix Shorewall:man1918:DROP: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:0d:66:26:a4:54:08:00 SRC=10.153.192.1 DST=255.255.255.255 LEN=338 TOS=00 PREC=0x00 TTL=255 ID=1889 PROTO=UDP SPT=67 DPT=68 LEN=318
Sep 27 11:09:56 pheonix Shorewall:man1918:DROP: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:0d:66:26:a4:54:08:00 SRC=10.153.192.1 DST=255.255.255.255 LEN=328 TOS=00 PREC=0x00 TTL=255 ID=1931 PROTO=UDP SPT=67 DPT=68 LEN=308
----------------------------------------
Due to the recent problems, I stored a copy of the shorewall log (that was
what gave me the clue that the IANA table was a problem) a couple of days
ago which includes:
----------------------------------------
Sep 25 14:43:50 pheonix Shorewall:man1918:DROP: IN=eth0 OUT= MAC=00:05:5d:50:b7:b6:00:0d:66:26:a4:8c:08:00 SRC=10.153.192.1 DST=77.97.171.44 LEN=328 TOS=00 PREC=0x00 TTL=255 ID=57512 PROTO=UDP SPT=67 DPT=68 LEN=308
Sep 25 14:43:50 pheonix Shorewall:man1918:DROP: IN=eth0 OUT= MAC=00:05:5d:50:b7:b6:00:0d:66:26:a4:8c:08:00 SRC=10.153.192.1 DST=77.97.171.44 LEN=357 TOS=00 PREC=0x00 TTL=255 ID=57515 PROTO=UDP SPT=67 DPT=68 LEN=337
Sep 25 14:43:50 pheonix Shorewall:man1918:DROP: IN=eth0 OUT= MAC=00:05:5d:50:b7:b6:00:0d:66:26:a4:8c:08:00 SRC=10.153.192.1 DST=77.97.171.44 LEN=357 TOS=00 PREC=0x00 TTL=255 ID=57525 PROTO=UDP SPT=67 DPT=68 LEN=337
Sep 25 14:44:00 pheonix Shorewall:man1918:DROP: IN=eth0 OUT= MAC=00:05:5d:50:b7:b6:00:0d:66:26:a4:8c:08:00 SRC=129.11.3.161 DST=77.97.171.44 LEN=64 TOS=00 PREC=0x00 TTL=53 ID=40796 DF PROTO=TCP SPT=51320 DPT=80 SEQ=2926628468 ACK=0 WINDOW=65535 SYN URGP=0
Sep 25 14:44:07 pheonix Shorewall:man1918:DROP: IN=eth0 OUT= MAC=00:05:5d:50:b7:b6:00:0d:66:26:a4:8c:08:00 SRC=129.11.144.9 DST=77.97.171.44 LEN=60 TOS=00 PREC=0x00 TTL=53 ID=47221 DF PROTO=TCP SPT=52495 DPT=22 SEQ=851124258 ACK=0 WINDOW=5840 SYN URGP=0
Sep 25 14:44:12 pheonix Shorewall:man1918:DROP: IN=eth0 OUT= MAC=00:05:5d:50:b7:b6:00:0d:66:26:a4:8c:08:00 SRC=129.11.144.9 DST=77.97.171.44 LEN=60 TOS=00 PREC=0x00 TTL=53 ID=47222 DF PROTO=TCP SPT=52495 DPT=22 SEQ=851124258 ACK=0 WINDOW=5840 SYN URGP=0
Sep 25 14:44:22 pheonix Shorewall:man1918:DROP: IN=eth0 OUT= MAC=00:05:5d:50:b7:b6:00:0d:66:26:a4:8c:08:00 SRC=74.6.20.225 DST=77.97.171.44 LEN=60 TOS=00 PREC=0x00 TTL=53 ID=15009 DF PROTO=TCP SPT=32870 DPT=80 SEQ=3994764391 ACK=0 WINDOW=5840 SYN URGP=0
Sep 25 14:46:45 pheonix Shorewall:man1918:DROP: IN=eth0 OUT= MAC=00:05:5d:50:b7:b6:00:0d:66:26:a4:8c:08:00 SRC=10.153.192.1 DST=77.97.171.44 LEN=328 TOS=00 PREC=0x00 TTL=255 ID=59392 PROTO=UDP SPT=67 DPT=68 LEN=308
Sep 25 14:46:45 pheonix Shorewall:man1918:DROP: IN=eth0 OUT= MAC=00:05:5d:50:b7:b6:00:0d:66:26:a4:8c:08:00 SRC=10.153.192.1 DST=77.97.171.44 LEN=357 TOS=00 PREC=0x00 TTL=255 ID=59395 PROTO=UDP SPT=67 DPT=68 LEN=337
Sep 25 14:46:50 pheonix Shorewall:man1918:DROP: IN=eth0 OUT= MAC=00:05:5d:50:b7:b6:00:0d:66:26:a4:8c:08:00 SRC=10.153.192.1 DST=77.97.171.44 LEN=357 TOS=00 PREC=0x00 TTL=255 ID=59398 PROTO=UDP SPT=67 DPT=68 LEN=337
Sep 25 14:46:55 pheonix Shorewall:man1918:DROP: IN=eth0 OUT= MAC=00:05:5d:50:b7:b6:00:0d:66:26:a4:8c:08:00 SRC=74.6.22.235 DST=77.97.171.44 LEN=60 TOS=00 PREC=0x00 TTL=53 ID=1209 DF PROTO=TCP SPT=44327 DPT=80 SEQ=4153290561 ACK=0 WINDOW=5840 SYN URGP=0
----------------------------------------
The last such entry in that file was at 15:09:26, but it continues with the
other stuff until Sep 26 00:08:53 - so it seems to me there was a break in
the attack for at least 9 hours.
Previously, when I've noticed that /var/log had filled up, I've rebooted
the firewall, but I've noticed that the firewall Disk Status report says:
----------------------------------------
Filesystem     1k-blocks    Used  Available  Use%  Mounted on
/dev/root           6144    3364       2780   55%  /
tmpfs             258376    1184     257192    0%  /tmp
tmpfs               2048     928       1120   45%  /var/log
----------------------------------------
so this time I've moved shorewall.log.0 to /tmp to preserve the record.
While I've been typing, that's changed to
----------------------------------------
Filesystem     1k-blocks    Used  Available  Use%  Mounted on
/dev/root           6144    3368       2776   55%  /
tmpfs             258376    1184     257192    0%  /tmp
tmpfs               2048    1076        972   53%  /var/log
----------------------------------------
I've discovered that RFC1918 says:
----------------------------------------
3. Private Address Space
The Internet Assigned Numbers Authority (IANA) has reserved the
following three blocks of the IP address space for private internets:
10.0.0.0 - 10.255.255.255 (10/8 prefix)
172.16.0.0 - 172.31.255.255 (172.16/12 prefix)
192.168.0.0 - 192.168.255.255 (192.168/16 prefix)
----------------------------------------
so I think I understand that the "SRC=10.153.192.1" field in those records
indicates a spoofed IP - it should only be valid inside a private net and
shouldn't come over the Internet.
Questions:
1. Am I right that "IN=eth0" indicates the traffic is from outside?
2. Is my understanding that I am being attacked using a spoofed IP number
correct?
3. Is this more than a nuisance; is the attack dangerous?
4. Apart from clearing the /var/log directory so there is space for current
entries, is there anything else I should, or shouldn't be doing?
Thanks in advance,
Roger
PS A final glance at what's accumulated since I started this mail showed:
----------------------------------------
Sep 27 11:44:36 pheonix Shorewall:man1918:DROP: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:0d:66:26:a4:54:08:00 SRC=10.153.192.1 DST=255.255.255.255 LEN=438 TOS=00 PREC=0x00 TTL=255 ID=24473 PROTO=UDP SPT=67 DPT=68 LEN=418
Sep 27 11:44:38 pheonix Shorewall:rfc1918:DROP: IN=eth0 OUT= MAC=00:05:5d:50:b7:b6:00:0d:66:26:a4:8c:08:00 SRC=10.1.3.22 DST=77.97.171.44 LEN=153 TOS=00 PREC=0x00 TTL=247 ID=4906 DF PROTO=UDP SPT=53 DPT=12580 LEN=133
Sep 27 11:44:39 pheonix Shorewall:man1918:DROP: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:0d:66:26:a4:54:08:00 SRC=10.153.192.1 DST=255.255.255.255 LEN=328 TOS=00 PREC=0x00 TTL=255 ID=24567 PROTO=UDP SPT=67 DPT=68 LEN=308
Sep 27 11:44:40 pheonix Shorewall:rfc1918:DROP: IN=eth0 OUT= MAC=00:05:5d:50:b7:b6:00:0d:66:26:a4:8c:08:00 SRC=10.1.3.21 DST=77.97.171.44 LEN=153 TOS=00 PREC=0x00 TTL=247 ID=53016 DF PROTO=UDP SPT=53 DPT=34035 LEN=133
Sep 27 11:44:42 pheonix Shorewall:rfc1918:DROP: IN=eth0 OUT= MAC=00:05:5d:50:b7:b6:00:0d:66:26:a4:8c:08:00 SRC=10.1.3.21 DST=77.97.171.44 LEN=229 TOS=00 PREC=0x00 TTL=247 ID=53485 DF PROTO=UDP SPT=53 DPT=47024 LEN=209
Sep 27 11:44:44 pheonix Shorewall:man1918:DROP: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:0d:66:26:a4:54:08:00 SRC=10.153.192.1 DST=255.255.255.255 LEN=339 TOS=00 PREC=0x00 TTL=255 ID=24615 PROTO=UDP SPT=67 DPT=68 LEN=319
----------------------------------------
with "SRC=10.1.3.22" and "SRC=10.1.3.21" starting to appear as well as the
overwhelming proportion of "SRC=10.153.192.1" entries. Is that significant?
R
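As an added example (not part of Roger's post, and not Shorewall's own code), the following Python parses netfilter LOG lines of the shape quoted above and extracts the facts the four questions turn on. IN=eth0 is the interface the packet arrived on; an empty OUT= means it was logged before an output interface was chosen (the INPUT or PREROUTING path, not FORWARD); a SRC inside 10/8 is RFC 1918 space; UDP source port 67 to destination port 68 is DHCP server-to-client (bootps to bootpc); and TTL=255 together with the limited-broadcast destination 255.255.255.255 means the sender is on the same link as eth0, which is how a provider's DHCP server or relay appears on a cable segment. The three sample lines are entries copied from the post and re-joined onto one line each; the hop estimate assumes the usual initial TTLs of 64, 128 and 255, and the field names in the returned dicts are this example's own.

```python
"""Parse and classify Shorewall/netfilter DROP log lines (added example)."""
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample input: three entries from the post, one per line as
# syslog writes them (the mail client wrapped them in the original).
SAMPLE_LOG = """\
Sep 27 11:09:54 pheonix Shorewall:man1918:DROP: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:0d:66:26:a4:54:08:00 SRC=10.153.192.1 DST=255.255.255.255 LEN=438 TOS=00 PREC=0x00 TTL=255 ID=1793 PROTO=UDP SPT=67 DPT=68 LEN=418
Sep 25 14:44:07 pheonix Shorewall:man1918:DROP: IN=eth0 OUT= MAC=00:05:5d:50:b7:b6:00:0d:66:26:a4:8c:08:00 SRC=129.11.144.9 DST=77.97.171.44 LEN=60 TOS=00 PREC=0x00 TTL=53 ID=47221 DF PROTO=TCP SPT=52495 DPT=22 SEQ=851124258 ACK=0 WINDOW=5840 SYN URGP=0
Sep 27 11:44:38 pheonix Shorewall:rfc1918:DROP: IN=eth0 OUT= MAC=00:05:5d:50:b7:b6:00:0d:66:26:a4:8c:08:00 SRC=10.1.3.22 DST=77.97.171.44 LEN=153 TOS=00 PREC=0x00 TTL=247 ID=4906 DF PROTO=UDP SPT=53 DPT=12580 LEN=133
"""

RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
LIMITED_BROADCAST = ip_address("255.255.255.255")

# syslog timestamp, hostname, then Shorewall's "chain:action:" prefix
HEADER_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"Shorewall:(?P<chain>[^:]+):(?P<action>[^:]+): (?P<rest>.*)$"
)


def parse_line(line):
    """Turn one netfilter log line into a dict of its KEY=value fields.

    Bare tokens (DF, SYN, ...) are collected under 'flags'.  The second
    LEN= on a UDP line is the UDP length, so it is stored as UDP_LEN
    instead of overwriting the IP total length.  Returns None for lines
    that are not Shorewall log entries.
    """
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    rec = {"ts": m.group("ts"), "host": m.group("host"),
           "chain": m.group("chain"), "action": m.group("action"), "flags": []}
    for tok in m.group("rest").split():
        if "=" not in tok:
            rec["flags"].append(tok)
            continue
        key, val = tok.split("=", 1)
        if key == "LEN" and "LEN" in rec:
            key = "UDP_LEN"
        rec[key] = val
    return rec


def estimate_hops(ttl):
    """Rough distance from the TTL, assuming an initial TTL of 64, 128 or 255."""
    for initial in (64, 128, 255):
        if ttl <= initial:
            return initial - ttl
    return None


def classify(rec):
    """Answer, per record, the questions the post asks about each field."""
    src, dst = ip_address(rec["SRC"]), ip_address(rec["DST"])
    proto, spt, dpt = rec.get("PROTO"), rec.get("SPT"), rec.get("DPT")
    if proto == "UDP" and spt == "67" and dpt == "68":
        kind = "dhcp-server-to-client"          # bootps -> bootpc
    elif proto == "UDP" and spt == "53":
        kind = "dns-reply"                      # answer from port 53
    elif proto == "TCP" and "SYN" in rec["flags"] and rec.get("ACK") == "0":
        kind = "tcp-syn"                        # new connection attempt
    else:
        kind = "other"
    return {
        "in_iface": rec.get("IN"),              # interface the packet came in on
        "out_iface": rec.get("OUT") or None,    # None: logged before forwarding
        "src_rfc1918": any(src in n for n in RFC1918),
        "dst_limited_broadcast": dst == LIMITED_BROADCAST,
        "kind": kind,
        "est_hops": estimate_hops(int(rec["TTL"])),
    }


def summarize(log_text):
    """Count DROP entries by (SRC, kind) so the dominant sender stands out."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["action"] == "DROP":
            counts[(rec["SRC"], classify(rec)["kind"])] += 1
    return counts


if __name__ == "__main__":
    for line in SAMPLE_LOG.splitlines():
        rec = parse_line(line)
        print(rec["ts"], rec["chain"], rec["SRC"], "->", rec["DST"], classify(rec))
    for (src, kind), n in summarize(SAMPLE_LOG).most_common():
        print(f"{n:6d}  {src:16s}  {kind}")
```

Run `summarize(open(path).read())` against the copy of shorewall.log.0 saved in /tmp to see which source and traffic type account for the bulk of the entries; each entry is roughly 250 bytes on disk, so the per-source counts translate directly into the rate at which the 2 MB /var/log tmpfs fills.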