Untangle under attack?

[cybexin]

hi all,

Need your help in this situation.

I'm getting lots of ARP related error and using tcpdump i found lots of packets are being dropped.
I was getting lots of nf_queue: full at 1024 entries, dropping packets(s).
using TCPDUMP i found lots of the following:

18:27:44.031818 IP 113.23.10.213.5525 > 118.69.169.103.www: S 126336:126336(0) win 16384
18:27:44.031890 IP 116.101.218.56.10103 > 118.69.169.103.www: S 105631:105631(0) win 16384
18:27:44.031918 IP 103.11.172.140.12216 > 118.69.169.103.www: S 113282:113282(0) win 16384
18:27:44.031990 IP 116.101.218.56.10103 > 118.69.169.103.www: S 105631:105631(0) win 16384
18:27:44.032018 IP 180.148.6.233.25159 > 118.69.169.103.www: S 119016:119016(0) win 16384
18:27:44.032092 IP 116.101.218.56.10103 > 118.69.169.103.www: S 105631:105631(0) win 16384
18:27:44.032122 IP 180.148.6.233.25159 > 118.69.169.103.www: S 119016:119016(0) win 16384
18:27:44.032219 IP 180.148.6.233.25159 > 118.69.169.103.www: S 119016:119016(0) win 16384
18:27:44.032249 IP 202.158.245.103.10226 > 118.69.169.103.www: S 100589:100589(0) win 16384
18:27:44.032320 IP 202.158.245.103.10226 > 118.69.169.103.www: S 100589:100589(0) win 16384
18:27:44.032351 IP 103.21.148.37.3167 > 118.69.169.103.www: S 111402:111402(0) win 16384
18:27:44.032388 IP 202.158.245.103.10226 > 118.69.169.103.www: S 100589:100589(0) win 16384
18:27:44.032465 IP dcenter.cuocsongmoi.vn.9059 > 118.69.169.103.www: S 126912:126912(0) win 16384
18:27:44.032488 IP 103.21.148.37.3167 > 118.69.169.103.www: S 111402:111402(0) win 16384
18:27:44.032553 IP dcenter.cuocsongmoi.vn.9059 > 118.69.169.103.www: S 126912:126912(0) win 16384
18:27:44.032583 IP 103.21.148.37.3167 > 118.69.169.103.www: S 111402:111402(0) win 16384
18:27:44.032642 IP dcenter.cuocsongmoi.vn.9059 > 118.69.169.103.www: S 126912:126912(0) win 16384
18:27:44.032690 IP 202.9.79.238.15009 > 118.69.169.103.www: S 108079:108079(0) win 16384
18:27:44.032751 IP 103.19.99.189.21252 > 118.69.169.103.www: S 116903:116903(0) win 16384
18:27:44.032784 IP 202.9.79.238.15009 > 118.69.169.103.www: S 108079:108079(0) win 16384
18:27:44.032854 IP 202.9.79.238.15009 > 118.69.169.103.www: S 108079:108079(0) win 16384
18:27:44.032884 IP 103.19.99.189.21252 > 118.69.169.103.www: S 116903:116903(0) win 16384
18:27:44.032954 IP 103.19.99.189.21252 > 118.69.169.103.www: S 116903:116903(0) win 16384
18:27:44.032985 IP static.duytan.edu.vn.14134 > 118.69.169.103.www: S 126146:126146(0) win 16384
18:27:44.033059 IP static.duytan.edu.vn.14134 > 118.69.169.103.www: S 126146:126146(0) win 16384
18:27:44.033087 IP 202.56.57.123.22730 > 118.69.169.103.www: S 127479:127479(0) win 16384
18:27:44.033159 IP static.duytan.edu.vn.14134 > 118.69.169.103.www: S 126146:126146(0) win 16384
18:27:44.033320 IP 103.11.174.35.12106 > 118.69.169.103.www: S 121015:121015(0) win 16384
18:27:44.033345 IP 202.56.57.123.22730 > 118.69.169.103.www: S 127479:127479(0) win 16384
18:27:44.033419 IP 103.11.174.35.12106 > 118.69.169.103.www: S 121015:121015(0) win 16384
18:27:44.033449 IP 202.56.57.123.22730 > 118.69.169.103.www: S 127479:127479(0) win 16384
18:27:44.033518 IP 103.11.174.35.12106 > 118.69.169.103.www: S 121015:121015(0) win 16384
18:27:44.033544 IP 175.103.74.37.25113 > 118.69.169.103.www: S 113693:113693(0) win 16384
18:27:44.033619 IP 175.103.74.37.25113 > 118.69.169.103.www: S 113693:113693(0) win 16384
18:27:44.033650 IP 27.79.123.96.4840 > 118.69.169.103.www: S 101504:101504(0) win 16384
18:27:44.033715 IP 175.103.74.37.25113 > 118.69.169.103.www: S 113693:113693(0) win 16384
18:27:44.033746 IP 27.79.123.96.4840 > 118.69.169.103.www: S 101504:101504(0) win 16384
18:27:44.033835 IP 27.79.123.96.4840 > 118.69.169.103.www: S 101504:101504(0) win 16384
18:27:44.033861 IP mx14217.superdata.vn.28771 > 118.69.169.103.www: S 119116:119116(0) win 16384
18:27:44.033955 IP pool-106.gds.vn.26621 > 118.69.169.103.www: S 125531:125531(0) win 16384
18:27:44.033977 IP mx14217.superdata.vn.28771 > 118.69.169.103.www: S 119116:119116(0) win 16384
18:27:44.034051 IP mx14217.superdata.vn.28771 > 118.69.169.103.www: S 119116:119116(0) win 16384
18:27:44.034075 IP pool-106.gds.vn.26621 > 118.69.169.103.www: S 125531:125531(0) win 16384
18:27:44.034158 IP 117.3.160.96.27549 > 118.69.169.103.www: S 108533:108533(0) win 16384
18:27:44.034182 IP pool-106.gds.vn.26621 > 118.69.169.103.www: S 125531:125531(0) win 16384
18:27:44.034276 IP 117.3.160.96.27549 > 118.69.169.103.www: S 108533:108533(0) win 16384
18:27:44.034307 IP 103.7.174.166.20252 > 118.69.169.103.www: S 132110:132110(0) win 16384
18:27:44.034390 IP 103.7.174.166.20252 > 118.69.169.103.www: S 132110:132110(0) win 16384
18:27:44.034424 IP 117.3.160.96.27549 > 118.69.169.103.www: S 108533:108533(0) win 16384
18:27:44.034510 IP 103.7.174.166.20252 > 118.69.169.103.www: S 132110:132110(0) win 16384
18:27:44.034591 IP 116.118.11.234.1846 > 118.69.169.103.www: S 118663:118663(0) win 16384

But all of these were showing on my internal interface which is eth1 , this seems to be an attack on IP 118.69.169.103 from different global IPs but how come they are originating from my internal interface?

Any help will be appreciated.

Thanks in Advance

[cybexin]

Any one?

[jcoffin]

We need to know more information about your network. Is 118.69.169.103 on your network? How is it configured in your network? What makes you think it's coming from your internal network?

[dmorris]

Are you running Attack Blocker? Whats in the logs?

[sky-knight]

The specific command you used to generate that output, as well as a network map is required as well.

[cybexin]

Thanks for your reply.
I have mentioned everything in the first post itself.
IP 118.69.169.103 is some internet IP.

my eth1 is internal network and eth0 is external

I run tcpdump -i eth1 and i get all of the messages which makes me think as they are origination from eth1 (my internal interface) and making a web attack on IP 118.69.169.103. i blocked this IP and then attack started on 118.69.169.104 and it keeps on changing the IP , so i had to block the complete subnet.

Today the attack started again and this time the destination network is 118.69.169.*

Attack blocker is stopped as for nf_queue related problem somewhere it was mentioned to stop this.

Thanks

[cybexin]

I replied , is my reply viewable?
I cant see it


Eth1 is internal and eth0 is external
so when i do tcpdump -i eth1 i should see my internal data originating but what i get is pasted about.

enabling or disabling attack protection module does not make any difference.
I think getting so many global IPs on internal interface is is leading to arp flooding.
i tried making firewall rules but to no avail.

Any thought?
i disabled all peer-to-peer apps as well

[dmorris]

Attack blocker is stopped as for nf_queue related problem somewhere it was mentioned to stop this.

If you disabled Attack Blocker this kind of behavior should indeed cause your server to have major performance problems.
Fix that first.
Do not continue reading until you have done so.
Leave it on.

It looks like someone is spoofing tons of IP to a specific target and just syn-flooding them.
Get the MAC address (-e in tcpdump i believe), and find out who it is.
If it is also spoofed just ask your switch which port it came from and track it down.

You could also try adding a rule to block sessions to the host he is attacking.

[sky-knight]

And if you don't have an intelligent switch... have fun unplugging hosts one at a time until you find it.

[cybexin]

And if you don't have an intelligent switch... have fun unplugging hosts one at a time until you find it.

To find out the source i started removing swicthes from it's cascade and finally i removed the cable directly connecting to eth1 (my local interface) , to my surprise tcpdump -i eth1 kept on showing the same logs.

Is my untangle box compromised?