the router spams with echo requests

Chuck Swiger cswiger at mac.com
Mon Aug 25 11:03:09 PDT 2003


Stoyan Stratev wrote:
[ ... ]
> The ISP is using a network with hubs therefore we receive echo packets on
> the outside interface, that are not meant for our machine. The problem is
> that the box forwards those packets multiple times and so the ISP
> thinks we have a virus or are doing portscans.
> I ran 'tcpdump -p -i rl1 | grep echo' and noticed the following:
> we receive one packet:
> 20:50:02.596560 some.address.com > machine.on.our.subnet: icmp: echo request
> [tos 0x80]
> we send 20 packets very fast:
> 20:50:02.596851 our.router.com > machine.on.our.subnet: icmp: echo request
> [tos 0x80]

machine.on.our.subnet isn't your network broadcast address, correct?

This smells like an ICMP-amplification based denial-of-service, and I'd 
double-check your internal machines.  Have you sniffed your internal net to see 
whether the ICMPs are coming from inside (and then being NATed)?

Consider blocking ICMP pings ("add deny icmp from any to any icmptypes 0,8") 
until you've figured out what's going on.

-- 
-Chuck
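The pattern Stoyan quotes above (one inbound echo request, then a burst of
copies from our.router.com to the same destination within a millisecond) is easy
to check for mechanically rather than by eye. The script below is an added
example written for this archive page, not code posted by either Chuck or
Stoyan. It assumes tcpdump 3.x-style output lines like the ones quoted in the
thread, and the hostnames and sample lines are constructed from those quotes;
the window and threshold values are arbitrary assumptions.

```python
"""Flag ICMP echo-request amplification in tcpdump output (added example)."""
import re
from collections import defaultdict

# tcpdump 3.x style line, as quoted in the thread:
#   20:50:02.596560 some.address.com > machine.on.our.subnet: icmp: echo request [tos 0x80]
ECHO_REQ_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d{6})\s+(?P<src>\S+)\s+>\s+(?P<dst>\S+):"
    r"\s+icmp:\s+echo request\b"
)


def ts_seconds(ts):
    """Convert an HH:MM:SS.uuuuuu tcpdump timestamp to seconds since midnight."""
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def parse_echo_request(line):
    """Return (seconds, src, dst) for an ICMP echo request line, else None.

    Echo replies and non-ICMP lines do not match and are ignored.
    """
    m = ECHO_REQ_RE.match(line)
    if not m:
        return None
    return ts_seconds(m.group("ts")), m.group("src"), m.group("dst")


def find_amplification(lines, our_hosts, window=0.01, threshold=5):
    """Find destinations for which a foreign echo request was re-sent many times.

    A request whose source is in `our_hosts` counts as a copy when a request
    from outside to the same destination was seen at most `window` seconds
    earlier.  Returns {dst: (foreign_src, copies)} for every destination whose
    copy count reaches `threshold` (window/threshold are assumed values).
    """
    last_inbound = {}            # dst -> (seconds, src) of latest foreign request
    copies = defaultdict(int)    # dst -> number of copies sent from our side
    origin = {}                  # dst -> foreign source whose request was copied
    for line in lines:
        parsed = parse_echo_request(line)
        if parsed is None:
            continue
        t, src, dst = parsed
        if src not in our_hosts:
            last_inbound[dst] = (t, src)
            continue
        # A request leaving one of our hosts: is it echoing a recent foreign one?
        if dst in last_inbound:
            t0, src0 = last_inbound[dst]
            if 0 <= t - t0 <= window:
                copies[dst] += 1
                origin[dst] = src0
    return {d: (origin[d], n) for d, n in copies.items() if n >= threshold}


# Constructed sample: the inbound request quoted in the thread, 20 copies from
# our router 40 microseconds apart, an echo reply, and one unrelated ping.
SAMPLE = (
    ["20:50:02.596560 some.address.com > machine.on.our.subnet: icmp: echo request [tos 0x80]"]
    + [
        f"20:50:02.{596851 + 40 * i:06d} our.router.com > machine.on.our.subnet: "
        "icmp: echo request [tos 0x80]"
        for i in range(20)
    ]
    + [
        "20:50:02.597700 machine.on.our.subnet > some.address.com: icmp: echo reply",
        "20:50:03.100000 our.router.com > host.example.net: icmp: echo request",
    ]
)


if __name__ == "__main__":
    # Typical use: tcpdump -p -i rl1 -l | grep echo | python3 thisscript.py
    # (reading sys.stdin instead of SAMPLE); here the constructed sample is used.
    for dst, (src, n) in find_amplification(SAMPLE, {"our.router.com"}).items():
        print(f"{dst}: {n} copies of echo request from {src} re-sent by our router")
```

Run against a real capture, a hit for a destination that is not your broadcast
address is exactly the "one in, twenty out" symptom Stoyan describes; running
the same script on a sniff of the inside interface tells you whether the copies
already exist before NAT, which is the question Chuck raises.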
