[Wylug-discuss] Another firewall problem

Roger Beaumont roger.bea at blueyonder.co.uk
Thu Sep 27 12:43:17 BST 2007


Back to my firewall problems...

My previous problem now seems fixed, but the shorewall log is still filling 
up the available (RAM-)disk space at a rate of knots.

A few seconds' sample is:
----------------------------------------
Sep 27 11:09:54 pheonix Shorewall:man1918:DROP: IN=eth0 OUT= 
MAC=ff:ff:ff:ff:ff:ff:00:0d:66:26:a4:54:08:00 SRC=10.153.192.1 
DST=255.255.255.255 LEN=438 TOS=00 PREC=0x00 TTL=255 ID=1793 PROTO=UDP 
SPT=67 DPT=68 LEN=418
Sep 27 11:09:54 pheonix Shorewall:man1918:DROP: IN=eth0 OUT= 
MAC=ff:ff:ff:ff:ff:ff:00:0d:66:26:a4:54:08:00 SRC=10.153.192.1 
DST=255.255.255.255 LEN=329 TOS=00 PREC=0x00 TTL=255 ID=1884 PROTO=UDP 
SPT=67 DPT=68 LEN=309
Sep 27 11:09:56 pheonix Shorewall:man1918:DROP: IN=eth0 OUT= 
MAC=ff:ff:ff:ff:ff:ff:00:0d:66:26:a4:54:08:00 SRC=10.153.192.1 
DST=255.255.255.255 LEN=338 TOS=00 PREC=0x00 TTL=255 ID=1889 PROTO=UDP 
SPT=67 DPT=68 LEN=318
Sep 27 11:09:56 pheonix Shorewall:man1918:DROP: IN=eth0 OUT= 
MAC=ff:ff:ff:ff:ff:ff:00:0d:66:26:a4:54:08:00 SRC=10.153.192.1 
DST=255.255.255.255 LEN=328 TOS=00 PREC=0x00 TTL=255 ID=1931 PROTO=UDP 
SPT=67 DPT=68 LEN=308
----------------------------------------

Due to the recent problems, I stored a copy of the shorewall log (that was 
what gave me the clue that the IANA table was a problem) a couple of days 
ago which includes:

----------------------------------------
Sep 25 14:43:50 pheonix Shorewall:man1918:DROP: IN=eth0 OUT= 
MAC=00:05:5d:50:b7:b6:00:0d:66:26:a4:8c:08:00 SRC=10.153.192.1 
DST=77.97.171.44 LEN=328 TOS=00 PREC=0x00 TTL=255 ID=57512 PROTO=UDP SPT=67 
DPT=68 LEN=308
Sep 25 14:43:50 pheonix Shorewall:man1918:DROP: IN=eth0 OUT= 
MAC=00:05:5d:50:b7:b6:00:0d:66:26:a4:8c:08:00 SRC=10.153.192.1 
DST=77.97.171.44 LEN=357 TOS=00 PREC=0x00 TTL=255 ID=57515 PROTO=UDP SPT=67 
DPT=68 LEN=337
Sep 25 14:43:50 pheonix Shorewall:man1918:DROP: IN=eth0 OUT= 
MAC=00:05:5d:50:b7:b6:00:0d:66:26:a4:8c:08:00 SRC=10.153.192.1 
DST=77.97.171.44 LEN=357 TOS=00 PREC=0x00 TTL=255 ID=57525 PROTO=UDP SPT=67 
DPT=68 LEN=337
Sep 25 14:44:00 pheonix Shorewall:man1918:DROP: IN=eth0 OUT= 
MAC=00:05:5d:50:b7:b6:00:0d:66:26:a4:8c:08:00 SRC=129.11.3.161 
DST=77.97.171.44 LEN=64 TOS=00 PREC=0x00 TTL=53 ID=40796 DF PROTO=TCP 
SPT=51320 DPT=80 SEQ=2926628468 ACK=0 WINDOW=65535 SYN URGP=0
Sep 25 14:44:07 pheonix Shorewall:man1918:DROP: IN=eth0 OUT= 
MAC=00:05:5d:50:b7:b6:00:0d:66:26:a4:8c:08:00 SRC=129.11.144.9 
DST=77.97.171.44 LEN=60 TOS=00 PREC=0x00 TTL=53 ID=47221 DF PROTO=TCP 
SPT=52495 DPT=22 SEQ=851124258 ACK=0 WINDOW=5840 SYN URGP=0
Sep 25 14:44:12 pheonix Shorewall:man1918:DROP: IN=eth0 OUT= 
MAC=00:05:5d:50:b7:b6:00:0d:66:26:a4:8c:08:00 SRC=129.11.144.9 
DST=77.97.171.44 LEN=60 TOS=00 PREC=0x00 TTL=53 ID=47222 DF PROTO=TCP 
SPT=52495 DPT=22 SEQ=851124258 ACK=0 WINDOW=5840 SYN URGP=0
Sep 25 14:44:22 pheonix Shorewall:man1918:DROP: IN=eth0 OUT= 
MAC=00:05:5d:50:b7:b6:00:0d:66:26:a4:8c:08:00 SRC=74.6.20.225 
DST=77.97.171.44 LEN=60 TOS=00 PREC=0x00 TTL=53 ID=15009 DF PROTO=TCP 
SPT=32870 DPT=80 SEQ=3994764391 ACK=0 WINDOW=5840 SYN URGP=0
Sep 25 14:46:45 pheonix Shorewall:man1918:DROP: IN=eth0 OUT= 
MAC=00:05:5d:50:b7:b6:00:0d:66:26:a4:8c:08:00 SRC=10.153.192.1 
DST=77.97.171.44 LEN=328 TOS=00 PREC=0x00 TTL=255 ID=59392 PROTO=UDP SPT=67 
DPT=68 LEN=308
Sep 25 14:46:45 pheonix Shorewall:man1918:DROP: IN=eth0 OUT= 
MAC=00:05:5d:50:b7:b6:00:0d:66:26:a4:8c:08:00 SRC=10.153.192.1 
DST=77.97.171.44 LEN=357 TOS=00 PREC=0x00 TTL=255 ID=59395 PROTO=UDP SPT=67 
DPT=68 LEN=337
Sep 25 14:46:50 pheonix Shorewall:man1918:DROP: IN=eth0 OUT= 
MAC=00:05:5d:50:b7:b6:00:0d:66:26:a4:8c:08:00 SRC=10.153.192.1 
DST=77.97.171.44 LEN=357 TOS=00 PREC=0x00 TTL=255 ID=59398 PROTO=UDP SPT=67 
DPT=68 LEN=337
Sep 25 14:46:55 pheonix Shorewall:man1918:DROP: IN=eth0 OUT= 
MAC=00:05:5d:50:b7:b6:00:0d:66:26:a4:8c:08:00 SRC=74.6.22.235 
DST=77.97.171.44 LEN=60 TOS=00 PREC=0x00 TTL=53 ID=1209 DF PROTO=TCP 
SPT=44327 DPT=80 SEQ=4153290561 ACK=0 WINDOW=5840 SYN URGP=0
----------------------------------------
The last such entry in that file was at 15:09:26, but it continues with the 
other stuff until Sep 26 00:08:53 - so it seems to me there was a break in 
the attack for at least 9 hours.


Previously, when I've noticed that /var/logs had filled up, I've rebooted 
the firewall, but I've noticed that the firewall Disk Status report says:
----------------------------------------
Filesystem           1k-blocks      Used Available Use% Mounted on
/dev/root                 6144      3364      2780  55% /
tmpfs                   258376      1184    257192   0% /tmp
tmpfs                     2048       928      1120  45% /var/log
----------------------------------------
so this time I've moved shorewall.log.0 to /tmp to preserve the record.
While I've been typing, that's changed to
----------------------------------------
Filesystem           1k-blocks      Used Available Use% Mounted on
/dev/root                 6144      3368      2776  55% /
tmpfs                   258376      1184    257192   0% /tmp
tmpfs                     2048      1076       972  53% /var/log
----------------------------------------


I've discovered that RFC1918 says:
----------------------------------------
3. Private Address Space

    The Internet Assigned Numbers Authority (IANA) has reserved the
    following three blocks of the IP address space for private internets:

      10.0.0.0        -   10.255.255.255  (10/8 prefix)
      172.16.0.0      -   172.31.255.255  (172.16/12 prefix)
      192.168.0.0     -   192.168.255.255 (192.168/16 prefix)
----------------------------------------
so I think I understand that the "SRC=10.153.192.1" field in those records 
indicates a spoofed IP - it should only be valid inside a private net and 
shouldn't come over the Internet.

Questions:
1. Am I right that "IN=eth0" indicates the traffic is from outside?
2. Is my understanding that I am being attacked using a spoofed IP number 
correct?
3. Is this more than a nuisance; is the attack dangerous?
4. Apart from clearing the /var/log directory so there is space for current 
entries, is there anything else I should, or shouldn't be doing?

Thanks in advance,

Roger

PS  A final glance at what's accumulated since I started this mail showed:
----------------------------------------
Sep 27 11:44:36 pheonix Shorewall:man1918:DROP: IN=eth0 OUT= 
MAC=ff:ff:ff:ff:ff:ff:00:0d:66:26:a4:54:08:00 SRC=10.153.192.1 
DST=255.255.255.255 LEN=438 TOS=00 PREC=0x00 TTL=255 ID=24473 PROTO=UDP 
SPT=67 DPT=68 LEN=418
Sep 27 11:44:38 pheonix Shorewall:rfc1918:DROP: IN=eth0 OUT= 
MAC=00:05:5d:50:b7:b6:00:0d:66:26:a4:8c:08:00 SRC=10.1.3.22 
DST=77.97.171.44 LEN=153 TOS=00 PREC=0x00 TTL=247 ID=4906 DF PROTO=UDP 
SPT=53 DPT=12580 LEN=133
Sep 27 11:44:39 pheonix Shorewall:man1918:DROP: IN=eth0 OUT= 
MAC=ff:ff:ff:ff:ff:ff:00:0d:66:26:a4:54:08:00 SRC=10.153.192.1 
DST=255.255.255.255 LEN=328 TOS=00 PREC=0x00 TTL=255 ID=24567 PROTO=UDP 
SPT=67 DPT=68 LEN=308
Sep 27 11:44:40 pheonix Shorewall:rfc1918:DROP: IN=eth0 OUT= 
MAC=00:05:5d:50:b7:b6:00:0d:66:26:a4:8c:08:00 SRC=10.1.3.21 
DST=77.97.171.44 LEN=153 TOS=00 PREC=0x00 TTL=247 ID=53016 DF PROTO=UDP 
SPT=53 DPT=34035 LEN=133
Sep 27 11:44:42 pheonix Shorewall:rfc1918:DROP: IN=eth0 OUT= 
MAC=00:05:5d:50:b7:b6:00:0d:66:26:a4:8c:08:00 SRC=10.1.3.21 
DST=77.97.171.44 LEN=229 TOS=00 PREC=0x00 TTL=247 ID=53485 DF PROTO=UDP 
SPT=53 DPT=47024 LEN=209
Sep 27 11:44:44 pheonix Shorewall:man1918:DROP: IN=eth0 OUT= 
MAC=ff:ff:ff:ff:ff:ff:00:0d:66:26:a4:54:08:00 SRC=10.153.192.1 
DST=255.255.255.255 LEN=339 TOS=00 PREC=0x00 TTL=255 ID=24615 PROTO=UDP 
SPT=67 DPT=68 LEN=319
----------------------------------------
with "SRC=10.1.3.22" and "SRC=10.1.3.21" starting to appear as well as the 
overwhelming proportion of "SRC=10.153.192.1" entries.  Is that significant?

R
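The post asks what the log entries mean and whether the pattern is significant. The following Python script is an added example for this thread (it is not part of the original mail and not Shorewall's own code) that parses netfilter/Shorewall DROP lines of the form shown above, tags the private (RFC 1918) sources, names the traffic shape of each entry (UDP from source port 67 to destination port 68 is the DHCP server-to-client port pair; a TCP packet with SYN set and no ACK flag is a connection attempt), counts entries per source, and measures gaps between successive entries from one source, which is the check behind the "break of at least 9 hours" observation. The sample lines are copied from the mail and re-joined onto single lines; the year 2007 is assumed from the mail header, since syslog timestamps carry none.

```python
"""Classify and summarise Shorewall/netfilter DROP log lines.

Added example for the mailing-list thread; not the poster's or Shorewall's code.
Assumptions: syslog lines have no year, so 2007 is taken from the mail header.
"""
import ipaddress
import re
from collections import Counter
from datetime import datetime, timedelta

# Sample records copied from the mail (originally wrapped across lines); one record per line.
SAMPLE_LOG = """\
Sep 25 14:43:50 pheonix Shorewall:man1918:DROP: IN=eth0 OUT= MAC=00:05:5d:50:b7:b6:00:0d:66:26:a4:8c:08:00 SRC=10.153.192.1 DST=77.97.171.44 LEN=328 TOS=00 PREC=0x00 TTL=255 ID=57512 PROTO=UDP SPT=67 DPT=68 LEN=308
Sep 25 14:44:00 pheonix Shorewall:man1918:DROP: IN=eth0 OUT= MAC=00:05:5d:50:b7:b6:00:0d:66:26:a4:8c:08:00 SRC=129.11.3.161 DST=77.97.171.44 LEN=64 TOS=00 PREC=0x00 TTL=53 ID=40796 DF PROTO=TCP SPT=51320 DPT=80 SEQ=2926628468 ACK=0 WINDOW=65535 SYN URGP=0
Sep 25 14:44:07 pheonix Shorewall:man1918:DROP: IN=eth0 OUT= MAC=00:05:5d:50:b7:b6:00:0d:66:26:a4:8c:08:00 SRC=129.11.144.9 DST=77.97.171.44 LEN=60 TOS=00 PREC=0x00 TTL=53 ID=47221 DF PROTO=TCP SPT=52495 DPT=22 SEQ=851124258 ACK=0 WINDOW=5840 SYN URGP=0
Sep 27 11:09:54 pheonix Shorewall:man1918:DROP: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:0d:66:26:a4:54:08:00 SRC=10.153.192.1 DST=255.255.255.255 LEN=438 TOS=00 PREC=0x00 TTL=255 ID=1793 PROTO=UDP SPT=67 DPT=68 LEN=418
Sep 27 11:44:38 pheonix Shorewall:rfc1918:DROP: IN=eth0 OUT= MAC=00:05:5d:50:b7:b6:00:0d:66:26:a4:8c:08:00 SRC=10.1.3.22 DST=77.97.171.44 LEN=153 TOS=00 PREC=0x00 TTL=247 ID=4906 DF PROTO=UDP SPT=53 DPT=12580 LEN=133
"""

# Shorewall's log prefix is "Shorewall:<chain>:<disposition>:" followed by the netfilter fields.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"Shorewall:(?P<chain>[^:]+):(?P<action>[^:]+): (?P<rest>.*)$"
)

# The three RFC 1918 blocks quoted in the mail.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_line(line, year=2007):
    """Turn one log line into a dict of KEY=value fields plus a set of bare flags (DF, SYN, ...)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    entry = {"host": m["host"], "chain": m["chain"], "action": m["action"], "flags": set()}
    entry["time"] = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    for tok in m["rest"].split():
        if "=" in tok:
            key, value = tok.split("=", 1)
            entry.setdefault(key, value)  # LEN= appears twice; keep the first (IP total length)
        else:
            entry["flags"].add(tok)       # bare tokens are flags: DF, SYN, ACK, ...
    return entry


def is_rfc1918(ip):
    """True if the address lies in one of the private blocks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PRIVATE_NETS)


def classify(entry):
    """Name the traffic shape so different patterns in one chain can be told apart."""
    proto = entry.get("PROTO")
    if proto == "UDP" and entry.get("SPT") == "67" and entry.get("DPT") == "68":
        return "dhcp-server"          # DHCP server port -> client port
    if proto == "TCP" and "SYN" in entry["flags"] and "ACK" not in entry["flags"]:
        return f"tcp-syn/{entry.get('DPT')}"  # inbound connection attempt to that port
    if proto == "UDP" and entry.get("SPT") == "53":
        return "udp-sport-53"         # shaped like a DNS response to a high client port
    return f"{proto.lower()}/other" if proto else "other"


def summarize(log_text):
    """Count (chain, SRC, private?, class) tuples over the whole log."""
    counts = Counter()
    for line in log_text.splitlines():
        e = parse_line(line)
        if e:
            counts[(e["chain"], e["SRC"], is_rfc1918(e["SRC"]), classify(e))] += 1
    return counts


def quiet_periods(log_text, src, min_gap=timedelta(hours=1)):
    """Gaps of at least min_gap between successive entries from one source address."""
    entries = (parse_line(l) for l in log_text.splitlines())
    times = sorted(e["time"] for e in entries if e and e["SRC"] == src)
    return [(a, b) for a, b in zip(times, times[1:]) if b - a >= min_gap]


if __name__ == "__main__":
    for (chain, src, private, kind), n in summarize(SAMPLE_LOG).most_common():
        print(f"{n:4d}  {chain:<8} {src:<15} {'private' if private else 'public ':<7} {kind}")
    for start, end in quiet_periods(SAMPLE_LOG, "10.153.192.1"):
        print(f"no entries from 10.153.192.1 between {start} and {end} ({end - start})")
```

Run it against the real `/var/log/shorewall.log` by replacing `SAMPLE_LOG` with the file contents; the summary separates the DHCP-shaped broadcasts from the TCP SYNs to ports 22 and 80, and `quiet_periods` lists any lull for a chosen source so a break like the one described in the mail can be measured instead of estimated.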
