  1. #1
    Newbie
    Join Date
    May 2013
    Posts
    6

    Untangle under attack?

    hi all,

    Need your help in this situation.

    I'm getting lots of ARP related errors and, using tcpdump, I found that lots of packets are being dropped.
    I was getting lots of "nf_queue: full at 1024 entries, dropping packets(s)".
    Using tcpdump I found lots of the following:

    18:27:44.031818 IP 113.23.10.213.5525 > 118.69.169.103.www: S 126336:126336(0) win 16384
    18:27:44.031890 IP 116.101.218.56.10103 > 118.69.169.103.www: S 105631:105631(0) win 16384
    18:27:44.031918 IP 103.11.172.140.12216 > 118.69.169.103.www: S 113282:113282(0) win 16384
    18:27:44.031990 IP 116.101.218.56.10103 > 118.69.169.103.www: S 105631:105631(0) win 16384
    18:27:44.032018 IP 180.148.6.233.25159 > 118.69.169.103.www: S 119016:119016(0) win 16384
    18:27:44.032092 IP 116.101.218.56.10103 > 118.69.169.103.www: S 105631:105631(0) win 16384
    18:27:44.032122 IP 180.148.6.233.25159 > 118.69.169.103.www: S 119016:119016(0) win 16384
    18:27:44.032219 IP 180.148.6.233.25159 > 118.69.169.103.www: S 119016:119016(0) win 16384
    18:27:44.032249 IP 202.158.245.103.10226 > 118.69.169.103.www: S 100589:100589(0) win 16384
    18:27:44.032320 IP 202.158.245.103.10226 > 118.69.169.103.www: S 100589:100589(0) win 16384
    18:27:44.032351 IP 103.21.148.37.3167 > 118.69.169.103.www: S 111402:111402(0) win 16384
    18:27:44.032388 IP 202.158.245.103.10226 > 118.69.169.103.www: S 100589:100589(0) win 16384
    18:27:44.032465 IP dcenter.cuocsongmoi.vn.9059 > 118.69.169.103.www: S 126912:126912(0) win 16384
    18:27:44.032488 IP 103.21.148.37.3167 > 118.69.169.103.www: S 111402:111402(0) win 16384
    18:27:44.032553 IP dcenter.cuocsongmoi.vn.9059 > 118.69.169.103.www: S 126912:126912(0) win 16384
    18:27:44.032583 IP 103.21.148.37.3167 > 118.69.169.103.www: S 111402:111402(0) win 16384
    18:27:44.032642 IP dcenter.cuocsongmoi.vn.9059 > 118.69.169.103.www: S 126912:126912(0) win 16384
    18:27:44.032690 IP 202.9.79.238.15009 > 118.69.169.103.www: S 108079:108079(0) win 16384
    18:27:44.032751 IP 103.19.99.189.21252 > 118.69.169.103.www: S 116903:116903(0) win 16384
    18:27:44.032784 IP 202.9.79.238.15009 > 118.69.169.103.www: S 108079:108079(0) win 16384
    18:27:44.032854 IP 202.9.79.238.15009 > 118.69.169.103.www: S 108079:108079(0) win 16384
    18:27:44.032884 IP 103.19.99.189.21252 > 118.69.169.103.www: S 116903:116903(0) win 16384
    18:27:44.032954 IP 103.19.99.189.21252 > 118.69.169.103.www: S 116903:116903(0) win 16384
    18:27:44.032985 IP static.duytan.edu.vn.14134 > 118.69.169.103.www: S 126146:126146(0) win 16384
    18:27:44.033059 IP static.duytan.edu.vn.14134 > 118.69.169.103.www: S 126146:126146(0) win 16384
    18:27:44.033087 IP 202.56.57.123.22730 > 118.69.169.103.www: S 127479:127479(0) win 16384
    18:27:44.033159 IP static.duytan.edu.vn.14134 > 118.69.169.103.www: S 126146:126146(0) win 16384
    18:27:44.033320 IP 103.11.174.35.12106 > 118.69.169.103.www: S 121015:121015(0) win 16384
    18:27:44.033345 IP 202.56.57.123.22730 > 118.69.169.103.www: S 127479:127479(0) win 16384
    18:27:44.033419 IP 103.11.174.35.12106 > 118.69.169.103.www: S 121015:121015(0) win 16384
    18:27:44.033449 IP 202.56.57.123.22730 > 118.69.169.103.www: S 127479:127479(0) win 16384
    18:27:44.033518 IP 103.11.174.35.12106 > 118.69.169.103.www: S 121015:121015(0) win 16384
    18:27:44.033544 IP 175.103.74.37.25113 > 118.69.169.103.www: S 113693:113693(0) win 16384
    18:27:44.033619 IP 175.103.74.37.25113 > 118.69.169.103.www: S 113693:113693(0) win 16384
    18:27:44.033650 IP 27.79.123.96.4840 > 118.69.169.103.www: S 101504:101504(0) win 16384
    18:27:44.033715 IP 175.103.74.37.25113 > 118.69.169.103.www: S 113693:113693(0) win 16384
    18:27:44.033746 IP 27.79.123.96.4840 > 118.69.169.103.www: S 101504:101504(0) win 16384
    18:27:44.033835 IP 27.79.123.96.4840 > 118.69.169.103.www: S 101504:101504(0) win 16384
    18:27:44.033861 IP mx14217.superdata.vn.28771 > 118.69.169.103.www: S 119116:119116(0) win 16384
    18:27:44.033955 IP pool-106.gds.vn.26621 > 118.69.169.103.www: S 125531:125531(0) win 16384
    18:27:44.033977 IP mx14217.superdata.vn.28771 > 118.69.169.103.www: S 119116:119116(0) win 16384
    18:27:44.034051 IP mx14217.superdata.vn.28771 > 118.69.169.103.www: S 119116:119116(0) win 16384
    18:27:44.034075 IP pool-106.gds.vn.26621 > 118.69.169.103.www: S 125531:125531(0) win 16384
    18:27:44.034158 IP 117.3.160.96.27549 > 118.69.169.103.www: S 108533:108533(0) win 16384
    18:27:44.034182 IP pool-106.gds.vn.26621 > 118.69.169.103.www: S 125531:125531(0) win 16384
    18:27:44.034276 IP 117.3.160.96.27549 > 118.69.169.103.www: S 108533:108533(0) win 16384
    18:27:44.034307 IP 103.7.174.166.20252 > 118.69.169.103.www: S 132110:132110(0) win 16384
    18:27:44.034390 IP 103.7.174.166.20252 > 118.69.169.103.www: S 132110:132110(0) win 16384
    18:27:44.034424 IP 117.3.160.96.27549 > 118.69.169.103.www: S 108533:108533(0) win 16384
    18:27:44.034510 IP 103.7.174.166.20252 > 118.69.169.103.www: S 132110:132110(0) win 16384
    18:27:44.034591 IP 116.118.11.234.1846 > 118.69.169.103.www: S 118663:118663(0) win 16384

    But all of these were showing on my internal interface, which is eth1. This seems to be an attack on IP 118.69.169.103 from different global IPs, but how come they are originating from my internal interface?

    Any help will be appreciated.

    Thanks in Advance

  2. #2
    Newbie
    Join Date
    May 2013
    Posts
    6


    Anyone?

  3. #3
    Untangler jcoffin
    Join Date
    Aug 2008
    Location
    Lake Tahoe
    Posts
    9,678


    We need to know more information about your network. Is 118.69.169.103 on your network? How is it configured in your network? What makes you think it's coming from your internal network?
    Attention: Support and help on the Untangle Forums is provided by
    volunteers and community members like yourself.
    If you need Untangle support please call or email support@untangle.com

  4. #4
    Untangle Junkie dmorris
    Join Date
    Nov 2006
    Location
    San Carlos, CA
    Posts
    17,486


    Are you running Attack Blocker? What's in the logs?

  5. #5
    Untangle Ninja sky-knight
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    26,497


    The specific command you used to generate that output, as well as a network map, is required as well.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com

  6. #6
    Newbie
    Join Date
    May 2013
    Posts
    6


    Thanks for your reply.
    I have mentioned everything in the first post itself.
    IP 118.69.169.103 is some internet IP.

    My eth1 is the internal network and eth0 is external.

    I run tcpdump -i eth1 and I get all of these messages, which makes me think they are originating from eth1 (my internal interface) and making a web attack on IP 118.69.169.103. I blocked this IP and then the attack started on 118.69.169.104, and it keeps on changing the IP, so I had to block the complete subnet.

    Today the attack started again and this time the destination network is 118.69.169.*

    Attack Blocker is stopped, as somewhere it was mentioned to stop it for the nf_queue related problem.

    Thanks

  7. #7
    Newbie
    Join Date
    May 2013
    Posts
    6


    I replied; is my reply viewable?
    I can't see it.

    Eth1 is internal and eth0 is external,
    so when I do tcpdump -i eth1 I should see my internal data originating, but what I get is pasted above.

    Enabling or disabling the attack protection module does not make any difference.
    I think getting so many global IPs on the internal interface is leading to ARP flooding.
    I tried making firewall rules but to no avail.

    Any thoughts?
    I disabled all peer-to-peer apps as well.
    Last edited by cybexin; 05-23-2013 at 07:55 AM.

  8. #8
    Untangle Junkie dmorris
    Join Date
    Nov 2006
    Location
    San Carlos, CA
    Posts
    17,486


    Quote Originally Posted by cybexin:
    Attack Blocker is stopped, as somewhere it was mentioned to stop it for the nf_queue related problem.
    If you disabled Attack Blocker this kind of behavior should indeed cause your server to have major performance problems.
    Fix that first.
    Do not continue reading until you have done so.
    Leave it on.

    It looks like someone is spoofing tons of IPs to a specific target and just SYN-flooding them.
    Get the MAC address (-e in tcpdump, I believe) and find out who it is.
    If it is also spoofed, just ask your switch which port it came from and track it down.

    You could also try adding a rule to block sessions to the host he is attacking.
    Last edited by dmorris; 05-23-2013 at 09:17 AM.
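The approach dmorris describes, turned into a small triage script (an added example, not code from the thread or from Untangle): parse `tcpdump -e` output, group bare SYNs by the Ethernet source MAC, and report any MAC that claims many different source IPs toward one target. The sample lines below are constructed in the thread's old-style tcpdump format with a made-up Ethernet header; all MACs and the 192.168.1.20 host are invented, and the exact `-e` line layout is assumed from the tcpdump versions of that era.

```python
import re
from collections import defaultdict

# Constructed sample of `tcpdump -e -i eth1` output: the thread's old-style
# tcpdump lines with an Ethernet header prepended. All MACs are made up.
SAMPLE = """\
18:27:44.031818 00:aa:bb:cc:dd:01 > 00:11:22:33:44:55, ethertype IPv4 (0x0800), length 60: 113.23.10.213.5525 > 118.69.169.103.www: S 126336:126336(0) win 16384
18:27:44.031890 00:aa:bb:cc:dd:01 > 00:11:22:33:44:55, ethertype IPv4 (0x0800), length 60: 116.101.218.56.10103 > 118.69.169.103.www: S 105631:105631(0) win 16384
18:27:44.031918 00:aa:bb:cc:dd:01 > 00:11:22:33:44:55, ethertype IPv4 (0x0800), length 60: 103.11.172.140.12216 > 118.69.169.103.www: S 113282:113282(0) win 16384
18:27:44.031990 00:aa:bb:cc:dd:01 > 00:11:22:33:44:55, ethertype IPv4 (0x0800), length 60: 116.101.218.56.10103 > 118.69.169.103.www: S 105631:105631(0) win 16384
18:27:44.032018 00:aa:bb:cc:dd:02 > 00:11:22:33:44:55, ethertype IPv4 (0x0800), length 74: 192.168.1.20.51000 > 118.69.169.103.www: S 99:99(0) win 14600
18:27:44.032100 00:aa:bb:cc:dd:02 > 00:11:22:33:44:55, ethertype IPv4 (0x0800), length 66: 192.168.1.20.51000 > 118.69.169.103.www: . ack 1 win 14600
"""

# Ethernet header, then "src.port > dst.port: FLAGS"; the leading "IP " token
# is optional because older tcpdump versions omit it after -e.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<smac>[0-9a-f:]{17}) > (?P<dmac>[0-9a-f:]{17}), "
    r".*?: (?:IP )?(?P<src>\S+)\.(?P<sport>\w+) > (?P<dst>\S+)\.(?P<dport>\w+): "
    r"(?P<flags>[SFRP.]+)")


def summarize(text):
    """Per source MAC: count bare SYNs and collect the IPs and targets they claim."""
    per_mac = defaultdict(lambda: {"syns": 0, "src_ips": set(), "targets": set()})
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["flags"] != "S":   # only SYN without ACK counts toward a flood
            continue
        rec = per_mac[m["smac"]]
        rec["syns"] += 1
        rec["src_ips"].add(m["src"])
        rec["targets"].add(f'{m["dst"]}:{m["dport"]}')
    return dict(per_mac)


def suspects(text, min_sources=3):
    """MACs that send bare SYNs claiming at least `min_sources` distinct source IPs.

    One physical sender presenting many source addresses toward one target is the
    spoofed SYN flood described in the thread; the MAC (or the switch port it sits
    behind) is what you actually chase, since the IP addresses are forged."""
    return sorted(mac for mac, r in summarize(text).items()
                  if len(r["src_ips"]) >= min_sources)


if __name__ == "__main__":
    for mac in suspects(SAMPLE):
        r = summarize(SAMPLE)[mac]
        print(f"{mac}: {r['syns']} SYNs from {len(r['src_ips'])} claimed IPs -> {sorted(r['targets'])}")
```

A legitimate host such as the 192.168.1.20 line shows one SYN from one IP and then completes its handshake, so it is never flagged; pipe a live capture in with `tcpdump -e -n -i eth1 'tcp[tcpflags] & tcp-syn != 0' | python3 script.py` style wrappers once the format is confirmed on your tcpdump version.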

  9. #9
    Untangle Ninja sky-knight
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    26,497


    And if you don't have an intelligent switch... have fun unplugging hosts one at a time until you find it.

  10. #10
    Newbie
    Join Date
    May 2013
    Posts
    6


    Quote Originally Posted by sky-knight:
    And if you don't have an intelligent switch... have fun unplugging hosts one at a time until you find it.


    To find out the source I started removing switches from its cascade, and finally I removed the cable directly connected to eth1 (my local interface). To my surprise, tcpdump -i eth1 kept on showing the same logs.

    Is my untangle box compromised?
