Koozali.org: home of the SME Server

message log flooded with eth1 logging

Kirk Ferguson

message log flooded with eth1 logging
« on: October 04, 2003, 02:42:03 AM »
Hello.  I'm having a rather strange problem with my 5.6 server.  The message log is filling up very rapidly with messages like these:

Oct  3 15:29:53 buffy kernel: IN=eth1 OUT=eth1 SRC=209.94.88.197 DST=209.94.64.1 LEN=72 TOS=0x00 PREC=0x00 TTL=63 ID=18810 DF PROTO=UDP SPT=1672 DPT=53 LEN=52
Oct  3 15:29:53 buffy kernel: IN=eth1 OUT=eth1 SRC=209.94.88.197 DST=209.94.64.1 LEN=72 TOS=0x00 PREC=0x00 TTL=63 ID=18833 DF PROTO=UDP SPT=9715 DPT=53 LEN=52
Oct  3 15:29:53 buffy kernel: IN=eth1 OUT=eth1 SRC=209.94.88.197 DST=209.94.64.1 LEN=72 TOS=0x00 PREC=0x00 TTL=63 ID=18833 DF PROTO=UDP SPT=26945 DPT=53 LEN=52
Oct  3 15:29:55 buffy kernel: IN=eth1 OUT=eth1 SRC=209.94.88.197 DST=209.94.64.1 LEN=72 TOS=0x00 PREC=0x00 TTL=63 ID=19039 DF PROTO=UDP SPT=55366 DPT=53 LEN=52

At 3-4 entries per second, ~600k per hour, this is a significant problem. The SRC and DST addresses are other machines on my ISP's segment (not mine). Can anyone suggest why I am logging what appear to be DNS exchanges between two remote devices?

Thanks,

Kirk

Greg Zartman

Re: message log flooded with eth1 logging
« Reply #1 on: October 04, 2003, 03:12:17 AM »
Yes, I'm getting the same messages as well. They are the result of a virus attempting unsuccessfully to connect to machines on your LAN.

Regards,

Greg Zartman

alejandro

Re: message log flooded with eth1 logging
« Reply #2 on: October 04, 2003, 03:24:10 AM »
Try installing acid-snort-guardian.
It will prevent repeated attempts from the same IP for at least 24 hours by blocking packets from the offending source IP, preventing bandwidth waste and giving you a full activity report, graphical charts, etc.
There are many references to the RPM contrib and howtos in these forums;
maybe a search for acid snort guardian will give a "too many matches" result. ;-)

Kirk Ferguson

Re: message log flooded with eth1 logging
« Reply #3 on: October 04, 2003, 03:28:26 AM »
Do you have any suggestion how to stop logging all this? I've tried using iptables to drop all traffic from the source address, but since the traffic is not actually addressed to my IP, that doesn't work.

It seems as though my server is listening in promiscuous mode to traffic on the whole segment. Strange.

Thanks,

Kirk
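As an added example (not from the thread or from the SME Server project), here is a small Python parser for the kernel LOG format shown in the first post: it tallies SRC/DST pairs and counts how many entries are not addressed to the server's own address at all, which is the situation Kirk describes above. The local address 203.0.113.10 and the fourth sample line are assumed placeholders, not values from the thread.

```python
"""Parse netfilter LOG lines ("IN=... OUT=... SRC=... DST=...") and summarize them."""
import re
from collections import Counter

# Constructed sample: three lines in the format from the first post plus one
# assumed line addressed to this host (198.51.100.7 -> 203.0.113.10).
SAMPLE_LOG = """\
Oct  3 15:29:53 buffy kernel: IN=eth1 OUT=eth1 SRC=209.94.88.197 DST=209.94.64.1 LEN=72 TOS=0x00 PREC=0x00 TTL=63 ID=18810 DF PROTO=UDP SPT=1672 DPT=53 LEN=52
Oct  3 15:29:53 buffy kernel: IN=eth1 OUT=eth1 SRC=209.94.88.197 DST=209.94.64.1 LEN=72 TOS=0x00 PREC=0x00 TTL=63 ID=18833 DF PROTO=UDP SPT=9715 DPT=53 LEN=52
Oct  3 15:29:55 buffy kernel: IN=eth1 OUT=eth1 SRC=209.94.88.197 DST=209.94.64.1 LEN=72 TOS=0x00 PREC=0x00 TTL=63 ID=19039 DF PROTO=UDP SPT=55366 DPT=53 LEN=52
Oct  3 15:29:56 buffy kernel: IN=eth1 OUT= SRC=198.51.100.7 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=4 DF PROTO=TCP SPT=40000 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0
"""

# Assumed placeholder for this host's own external address (not from the thread).
LOCAL_ADDRS = {"203.0.113.10"}

LINE_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: (?P<fields>.*)$")


def parse_line(line):
    """Return a dict of key=value fields plus ts/host/flags, or None for non-LOG lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = {"ts": m.group("ts"), "host": m.group("host"), "flags": []}
    for tok in m.group("fields").split():
        if "=" in tok:
            key, _, val = tok.partition("=")
            rec.setdefault(key, val)   # keep the first LEN= (IP length), not the UDP LEN=
        else:
            rec["flags"].append(tok)   # bare tokens such as DF or SYN
    return rec


def summarize(text, local_addrs=LOCAL_ADDRS):
    """Count (SRC, DST, PROTO, DPT) tuples and entries whose DST is not one of ours."""
    pairs = Counter()
    not_for_us = 0
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        pairs[(rec["SRC"], rec["DST"], rec.get("PROTO"), rec.get("DPT"))] += 1
        if rec["DST"] not in local_addrs:
            not_for_us += 1   # traffic between third parties, seen only because the NIC saw it
    return pairs, not_for_us


if __name__ == "__main__":
    counts, foreign = summarize(SAMPLE_LOG)
    print("entries not addressed to this host:", foreign)
    for key, n in counts.most_common(3):
        print(n, key)
```

A high share of entries whose DST is not a local address is exactly why a per-destination iptables rule did not help; the dominant (SRC, DST) pair identifies what to filter or rate-limit in the LOG rule instead.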

Kirk Ferguson

Re: message log flooded with eth1 logging
« Reply #4 on: October 04, 2003, 03:35:00 AM »
Hi Alejandro,

I had snort/acid/guardian installed previously, but removed it a few months ago after I started having the rules problems discussed in this thread:

http://forums.contribs.org/index.php?topic=7893.msg29228#msg29228

Kirk

alejandro

Re: message log flooded with eth1 logging
« Reply #5 on: October 04, 2003, 03:39:42 AM »
OK, thanks for the info.
I've been using it for about two months without any kind of trouble, but maybe I'm a lucky newbie. ;-)