ICMP/UDP flood

From: Bill Burgos (wjburgos_at_white-bear-productions.com)
Date: 05/06/04

    To: security-basics@securityfocus.com
    Date: Thu, 06 May 2004 10:58:53 +0900
    
    

    Greetings Security Focus,

    I recently have been receiving log messages from my router with the
    following message:

    2004-05-02 00:40:03 - ICMP Flood - Source:192.168.X.XX,0,LAN - Destination:2XX.2XX.XX.X,0,WAN

    also:

    2004-05-06 10:25:27 - UDP Flood - Source:192.168.X.XX,45544,LAN - Destination:2XX.2XX.XX.X,53,WAN

    The Source is coming from my firewall box (192.168.X.XX) and the
    Destination is a DNS server on the Internet (2XX.2XX.XX.X).

    I have grepped the logs from internal machines and the firewall for the
    DNS server address with no results.

    My setup:

    Internet
       |
    Router
       |
    -------------------
    |                 |
    Firewall          DMZ server (web server)
    |
    LAN

    The Router is a Planex, the firewall is a PC running RedHat 7.2, the DMZ
    is Debian.

    The other LAN machines are a combo of Linux and one Windows machine, all
    behind the firewall. The messages started while I was out of the house
    and the Windows machine was offline.

    My questions are:

    Should I be worried about this?

    If the flood is coming from the firewall, is it compromised? Can I
    verify it in a log?

    Any ideas would be a great help.

    Thanks in advance

    Bill
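Added example, not part of Bill's post or of any Planex software: a small parser for the router's flood log lines in the format quoted above, which groups the alerts by protocol, source, destination and port so the counts can be compared against the firewall's own resolver configuration and logs. The log format is inferred from the two quoted lines, the sample entries and the firewall address 192.168.1.2 are constructed, and the "own DNS traffic" check is an assumed triage heuristic.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, Optional

# Pattern assumed from the two lines quoted in the post; not a documented Planex format.
# Router output sometimes wraps, so whitespace is collapsed before matching.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) - (?P<kind>\w+) Flood - "
    r"Source:(?P<src>[\d.]+)\s*,(?P<sport>\d+),(?P<sif>\w+) - "
    r"Destination:(?P<dst>[\d.]+)\s*,(?P<dport>\d+),(?P<dif>\w+)$"
)

@dataclass(frozen=True)
class FloodAlert:
    ts: str
    kind: str      # "ICMP" or "UDP" in the post
    src: str
    sport: int     # 0 for ICMP, ephemeral port for UDP
    src_if: str    # LAN / WAN
    dst: str
    dport: int
    dst_if: str

def parse_alert(line: str) -> Optional[FloodAlert]:
    """Parse one router log line; returns None for lines that are not flood alerts."""
    m = LINE_RE.match(" ".join(line.split()))
    if not m:
        return None
    return FloodAlert(m["ts"], m["kind"], m["src"], int(m["sport"]), m["sif"],
                      m["dst"], int(m["dport"]), m["dif"])

def summarize(lines: Iterable[str]) -> Counter:
    """Count alerts per (kind, src, dst, dport) to show which host and service triggered them."""
    counts: Counter = Counter()
    for line in lines:
        alert = parse_alert(line)
        if alert is not None:
            counts[(alert.kind, alert.src, alert.dst, alert.dport)] += 1
    return counts

def is_firewall_dns_traffic(alert: FloodAlert, firewall_ip: str) -> bool:
    """Heuristic (assumption): UDP/53 from the firewall to the WAN is consistent with the
    firewall's own DNS lookups; verify against its resolver config rather than trusting this."""
    return alert.kind == "UDP" and alert.src == firewall_ip and alert.dport == 53

# Constructed sample entries in the quoted format; the third one is wrapped as in the post.
SAMPLE_LOG = [
    "2004-05-02 00:40:03 - ICMP Flood - Source:192.168.1.2 ,0,LAN - Destination:203.0.113.53,0,WAN",
    "2004-05-06 10:25:27 - UDP Flood - Source:192.168.1.2 ,45544,LAN - Destination:203.0.113.53,53,WAN",
    "2004-05-06 10:25:31 - UDP Flood - Source:192.168.1.2\n,45545,LAN - Destination:203.0.113.53,53,WAN",
    "2004-05-06 10:26:00 - link up on WAN",
]
```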


