How to stop a ICMP attack?

Posted by cumhur onat on Server Fault See other posts from Server Fault or by cumhur onat
Published on 2012-10-01T00:09:58Z Indexed on 2012/10/01 3:39 UTC
Read the original article Hit count: 513

Filed under:

We are under a heavy icmp flood attack. Tcpdump shows the result below. Altough we have blocked ICMP with iptables tcpdump still prints icmp packets. I've also attached iptables configuration and "top" result. Is there any thing I can do to completely stop icmp packets?

[root@server downloads]# tcpdump icmp -v -n -nn
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
03:02:47.810957 IP (tos 0x0, ttl  49, id 16007, offset 0, flags [none], proto: ICMP (1), length: 56) 80.227.64.183 > 77.92.136.196: ICMP redirect 94.201.175.188 to host 80.227.64.129, length 36
        IP (tos 0x0, ttl 124, id 31864, offset 0, flags [none], proto: ICMP (1), length: 76) 77.92.136.196 > 94.201.175.188: [|icmp]
03:02:47.811559 IP (tos 0x0, ttl  49, id 16010, offset 0, flags [none], proto: ICMP (1), length: 56) 80.227.64.183 > 77.92.136.196: ICMP redirect 94.201.175.188 to host 80.227.64.129, length 36
        IP (tos 0x0, ttl  52, id 31864, offset 0, flags [none], proto: ICMP (1), length: 76) 77.92.136.196 > 94.201.175.188: [|icmp]
03:02:47.811922 IP (tos 0x0, ttl  49, id 16012, offset 0, flags [none], proto: ICMP (1), length: 56) 80.227.64.183 > 77.92.136.196: ICMP redirect 94.201.175.188 to host 80.227.64.129, length 36
        IP (tos 0x0, ttl 122, id 31864, offset 0, flags [none], proto: ICMP (1), length: 76) 77.92.136.196 > 94.201.175.188: [|icmp]
03:02:47.812485 IP (tos 0x0, ttl  49, id 16015, offset 0, flags [none], proto: ICMP (1), length: 56) 80.227.64.183 > 77.92.136.196: ICMP redirect 94.201.175.188 to host 80.227.64.129, length 36
        IP (tos 0x0, ttl 126, id 31864, offset 0, flags [none], proto: ICMP (1), length: 76) 77.92.136.196 > 94.201.175.188: [|icmp]
03:02:47.812613 IP (tos 0x0, ttl  49, id 16016, offset 0, flags [none], proto: ICMP (1), length: 56) 80.227.64.183 > 77.92.136.196: ICMP redirect 94.201.175.188 to host 80.227.64.129, length 36
        IP (tos 0x0, ttl 122, id 31864, offset 0, flags [none], proto: ICMP (1), length: 76) 77.92.136.196 > 94.201.175.188: [|icmp]
03:02:47.812992 IP (tos 0x0, ttl  49, id 16018, offset 0, flags [none], proto: ICMP (1), length: 56) 80.227.64.183 > 77.92.136.196: ICMP redirect 94.201.175.188 to host 80.227.64.129, length 36
        IP (tos 0x0, ttl 122, id 31864, offset 0, flags [none], proto: ICMP (1), length: 76) 77.92.136.196 > 94.201.175.188: [|icmp]
03:02:47.813582 IP (tos 0x0, ttl  49, id 16020, offset 0, flags [none], proto: ICMP (1), length: 56) 80.227.64.183 > 77.92.136.196: ICMP redirect 94.201.175.188 to host 80.227.64.129, length 36
        IP (tos 0x0, ttl  52, id 31864, offset 0, flags [none], proto: ICMP (1), length: 76) 77.92.136.196 > 94.201.175.188: [|icmp]
03:02:47.814092 IP (tos 0x0, ttl  49, id 16023, offset 0, flags [none], proto: ICMP (1), length: 56) 80.227.64.183 > 77.92.136.196: ICMP redirect 94.201.175.188 to host 80.227.64.129, length 36
        IP (tos 0x0, ttl 120, id 31864, offset 0, flags [none], proto: ICMP (1), length: 76) 77.92.136.196 > 94.201.175.188: [|icmp]
03:02:47.814233 IP (tos 0x0, ttl  49, id 16024, offset 0, flags [none], proto: ICMP (1), length: 56) 80.227.64.183 > 77.92.136.196: ICMP redirect 94.201.175.188 to host 80.227.64.129, length 36
        IP (tos 0x0, ttl 120, id 31864, offset 0, flags [none], proto: ICMP (1), length: 76) 77.92.136.196 > 94.201.175.188: [|icmp]
03:02:47.815579 IP (tos 0x0, ttl  49, id 16025, offset 0, flags [none], proto: ICMP (1), length: 56) 80.227.64.183 > 77.92.136.196: ICMP redirect 94.201.175.188 to host 80.227.64.129, length 36
        IP (tos 0x0, ttl  50, id 31864, offset 0, flags [none], proto: ICMP (1), length: 76) 77.92.136.196 > 94.201.175.188: [|icmp]
03:02:47.815726 IP (tos 0x0, ttl  49, id 16026, offset 0, flags [none], proto: ICMP (1), length: 56) 80.227.64.183 > 77.92.136.196: ICMP redirect 94.201.175.188 to host 80.227.64.129, length 36
        IP (tos 0x0, ttl  50, id 31864, offset 0, flags [none], proto: ICMP (1), length: 76) 77.92.136.196 > 94.201.175.188: [|icmp]
03:02:47.815890 IP (tos 0x0, ttl  49, id 16027, offset 0, flags [none], proto: ICMP (1), length: 56) 80.227.64.183 > 77.92.136.196: ICMP redirect 94.201.175.188 to host 80.227.64.129, length 36

iptables configuration:

[root@server etc]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ofis       tcp  --  anywhere             anywhere            tcp dpt:mysql
ofis       tcp  --  anywhere             anywhere            tcp dpt:ftp
DROP       icmp --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
DROP       icmp --  anywhere             anywhere

Chain ofis (2 references)
target     prot opt source               destination
ACCEPT     all  --  OUR_OFFICE_IP        anywhere
DROP       all  --  anywhere             anywhere

top:

top - 03:12:19 up 400 days, 15:43,  3 users,  load average: 1.49, 1.67, 2.61
Tasks: 751 total,   3 running, 748 sleeping,   0 stopped,   0 zombie
Cpu(s):  8.2%us,  1.0%sy,  0.0%ni, 87.9%id,  2.1%wa,  0.1%hi,  0.7%si,  0.0%st
Mem:  32949948k total, 26906844k used,  6043104k free,  4707676k buffers
Swap: 10223608k total,        0k used, 10223608k free, 14255584k cached

  PID USER      PR  NI  VIRT  RES  SHR S %CPU %MEM    TIME+  COMMAND
   36 root      39  19     0    0    0 R 100.8  0.0  17:03.56 ksoftirqd/11
10552 root      15   0 11408 1460  676 R  5.7  0.0   0:00.04 top
 7475 lighttpd  15   0  304m  22m  15m S  3.8  0.1   0:05.37 php-cgi
 1294 root      10  -5     0    0    0 S  1.9  0.0 380:54.73 kjournald
 3574 root      15   0  631m  11m 5464 S  1.9  0.0   0:00.65 node
 7766 lighttpd  16   0  302m  19m  14m S  1.9  0.1   0:05.70 php-cgi
10237 postfix   15   0 52572 2216 1692 S  1.9  0.0   0:00.02 scache
    1 root      15   0 10372  680  572 S  0.0  0.0   0:07.99 init
    2 root      RT  -5     0    0    0 S  0.0  0.0   0:16.72 migration/0
    3 root      34  19     0    0    0 S  0.0  0.0   0:00.06 ksoftirqd/0
    4 root      RT  -5     0    0    0 S  0.0  0.0   0:00.00 watchdog/0
    5 root      RT  -5     0    0    0 S  0.0  0.0   1:10.46 migration/1
    6 root      34  19     0    0    0 S  0.0  0.0   0:01.11 ksoftirqd/1
    7 root      RT  -5     0    0    0 S  0.0  0.0   0:00.00 watchdog/1
    8 root      RT  -5     0    0    0 S  0.0  0.0   2:36.15 migration/2
    9 root      34  19     0    0    0 S  0.0  0.0   0:00.19 ksoftirqd/2
   10 root      RT  -5     0    0    0 S  0.0  0.0   0:00.00 watchdog/2
   11 root      RT  -5     0    0    0 S  0.0  0.0   3:48.91 migration/3
   12 root      34  19     0    0    0 S  0.0  0.0   0:00.20 ksoftirqd/3
   13 root      RT  -5     0    0    0 S  0.0  0.0   0:00.00 watchdog/3

uname -a

[root@server etc]# uname -a
Linux thisis.oursite.com 2.6.18-238.19.1.el5 #1 SMP Fri Jul 15 07:31:24 EDT 2011 x86_64 x86_64 x86_64 GNU/Linux

arp -an

[root@server downloads]# arp -an
? (77.92.136.194) at 00:25:90:04:F0:90 [ether] on eth0
? (192.168.0.2) at 00:25:90:04:F0:91 [ether] on eth1
? (77.92.136.193) at 00:23:9C:0B:CD:01 [ether] on eth0

Developer IT

How to stop a ICMP attack? - Developer IT

How to stop a ICMP attack?

linux

iptables

icmp

dos

website-attack

Related posts about linux

apt-get install and update fail

kernel module compiling error

Build-Essentials installation failing

Updating Debian kernel

Serial connection over a single USB cable (Windows to linux, or linux to linux)

Related posts about iptables

Sometimes this script fails to update the iptables

My current iptable configuration doesn't work [on hold]

L2TP iptables port forward

iptables -P FORWARD DROP makes port forwarding slow

IPtables AWS EC2 NAT/Reverse NAT - For Reverse Proxy style setup but with IPtables

Categories cloud