strange problem with ipfw and some IP
vladone
vladone at spaingsm.com
Thu Aug 11 16:48:28 GMT 2005
Hi!
I have this problem:
I see in my traffic IPs that come in via the private interface and are not
from my network class. Packets sent are less. When I try to block
this traffic, after approximately 5-10 min. my internal interface stops
responding.
This is an example from ipfw queue show for incoming traffic on the private interface:
BKT Prot ___Source IP/port____ ____Dest. IP/port____ Tot_pkt/bytes Pkt/Byte Drp
0 ip 0.0.0.0/0 0.0.0.0/0 51 5618 0 0 0
9 ip 0.177.220.92/0 0.0.0.0/0 1 60 0 0 0
15 ip 0.15.133.128/0 0.0.0.0/0 1 234 0 0 0
17 ip 0.177.220.80/0 0.0.0.0/0 2 120 0 0 0
20 ip 0.168.101.94/0 0.0.0.0/0 12 1310 0 0 0
26 ip 0.168.101.89/0 0.0.0.0/0 4604 307265 0 0 0
27 ip 0.27.112.0/0 0.0.0.0/0 6 534 0 0 0
98 ip 0.168.101.101/0 0.0.0.0/0 20 6180 0 0 0
106 ip 0.168.101.97/0 0.0.0.0/0 200 25790 0 0 0
108 ip 0.168.101.98/0 0.0.0.0/0 168 11498 0 0 0
154 ip 0.168.101.25/0 0.0.0.0/0 99 7196 0 0 0
156 ip 0.168.101.26/0 0.0.0.0/0 467 26948 0 0 0
162 ip 0.168.101.5/0 0.0.0.0/0 2 166 0 0 0
164 ip 0.168.101.6/0 0.0.0.0/0 5057 305146 0 0 0
178 ip 0.168.101.13/0 0.0.0.0/0 153 10874 0 0 0
184 ip 0.168.101.8/0 0.0.0.0/0 5765 359913 0 0 0
188 ip 0.168.101.10/0 0.0.0.0/0 2612 802506 0 0 0
206 ip 0.168.101.51/0 0.0.0.0/0 44 4516 0 0 0
234 ip 0.168.101.161/0 0.0.0.0/0 7 1008 0 0 0
244 ip 0.168.101.46/0 0.0.0.0/0 407 41688 0 0 0
252 ip 0.0.7.254/0 0.0.0.0/0 1 60 0 0 0
My internal network class is 192.168.101.0/24.
For out from the private interface I don't see any suspect IPs, only
packets destined for my private network.
I think it is a kind of attack, but I don't see anything in my logs, and
the ARP table shows only MACs for real traffic.
Please help me with this!
P.S.
Rules in ipfw look like this:
$cmd pipe 4 config bw $up
$cmd queue 4 config pipe 4 weight 5 mask src-ip 0xffffff
$cmd add 400 queue 4 ip from any to any in via $lif
....
$lif is my private interface