My home network is under attack

Post by fuzzymillipede »

My network is being flooded by all sorts of beasties, enough that every day when I get home, I must go downstairs and disconnect the DSL line just so I can get access to the router. This has been going on for months, and I am fed up... Here is an example of the log on my router:

04/27/2006 14:35:10 **ICMP Redirect**
04/27/2006 14:26:06 **LAND**
04/27/2006 14:21:58 **Smurf**
04/27/2006 14:11:16 **LAND**
04/27/2006 13:58:10 **LAND**
04/27/2006 13:57:40 **UDP Flood to Host**
04/27/2006 13:56:27 **LAND**
04/27/2006 13:40:18 **ICMP Redirect**
04/27/2006 13:40:18 **ICMP Redirect**
04/27/2006 13:36:21 **Smurf**
04/27/2006 13:10:20 **UDP Flood to Host**
04/27/2006 11:46:00 **ICMP Redirect**
04/27/2006 10:59:38 **Smurf**
04/27/2006 08:18:15 **Smurf**
04/27/2006 08:10:00 **Smurf**

What is this shit, and how do I stop it?

Post by Ace Pace »

Find what IP it's coming from, if it's a single one, block it, otherwise, your router should have functionality to filter these attacks.
Brotherhood of the Bear | HAB | Mess | SDnet archivist |

Post by Spacebeard »

These are garden-variety DOS attacks. You could Google them for more information, but suffice to say the LAND attack is a malformed packet that would crash older operating systems; it shouldn't affect you unless you have some system from eight or nine years ago exposed to the Internet. The Smurf attack is a spoofed packet directed to the victim's subnet broadcast address, thus flooding the victim with replies from every host on the subnet. There's nothing the victim can do to mitigate it, but most systems nowadays won't respond to directed broadcasts. ICMP redirects can sometimes be exploited to disrupt open connections; I believe there was a paper about this relatively recently.

I'll second what Ace Pace said, but if your pipe is really completely flooded by these DOS attacks, filtering them on your local gateway won't help. You would need to contact your ISP and get them to filter them further upstream. It would, of course, be nice to contact the attacking system (probably a trojaned zombie PC)'s ISP and try to get it taken offline, but I wouldn't trust the source IP address: none of these attacks depend on a reply being routed back to the attacker, so the source IP can easily be forged.
"This war, all around us, is being fought over the very meanings of words." - Chad, Deus Ex
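
An added example, not part of any post in this thread: one way to turn a router log in the format quoted above into counts per alert type, an alerts-per-hour rate and the densest hour, which are the figures worth having on hand when asking an ISP to filter upstream. The function names and the one-hour window are assumptions made for this example.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Lines in the thread's "MM/DD/YYYY HH:MM:SS **Alert**" layout: a subset of the
# quoted log plus one constructed malformed line to show it is skipped.
SAMPLE_LOG = """\
04/27/2006 14:35:10 **ICMP Redirect**
04/27/2006 14:26:06 **LAND**
04/27/2006 14:21:58 **Smurf**
04/27/2006 13:57:40 **UDP Flood to Host**
04/27/2006 13:40:18 **ICMP Redirect**
04/27/2006 13:40:18 **ICMP Redirect**
this line is not a log entry
04/27/2006 08:10:00 **Smurf**
"""

LINE_RE = re.compile(r"^(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}) \*\*(.+?)\*\*\s*$")

def parse_log(text):
    """Return [(datetime, alert_name), ...]; lines that do not match are dropped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append((datetime.strptime(m.group(1), "%m/%d/%Y %H:%M:%S"), m.group(2)))
    return events

def busiest_window(times, window):
    """Largest number of events inside any sliding interval of length `window`."""
    times = sorted(times)
    best = start = 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best

def summarize(events, window=timedelta(hours=1)):
    """Counts per alert type, overall rate, and the densest `window` of alerts."""
    times = [t for t, _ in events]
    span_h = (max(times) - min(times)).total_seconds() / 3600 if times else 0.0
    return {
        "by_alert": Counter(name for _, name in events),
        "span_hours": span_h,
        "per_hour": len(events) / span_h if span_h else float(len(events)),
        "busiest_window": busiest_window(times, window),
    }
```

Calling `summarize(parse_log(text))` on a saved copy of the router log returns the summary as a dictionary.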