[CLUE-Tech] MASSIVE UDP packets?

Dave Anselmi anselmi at americanisp.net
Wed Sep 19 23:21:59 MDT 2001


Jeffery Cann wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Greetings.
>
> My Slack box has been a bit sluggish, so I examined my
> /var/log/messages and was a bit surprised to see it over 100 MB.
>
> I had recently changed my ipchains rules to deny most of the @home
> network (24.0.0.0).  Previously, the following rule was not in my
> firewall set up script:
>
>     ipchains -A input -l -s 24.0.0.0/8
>         -d  24.6.xxx.xxx/255.0.0.0 -j DENY
>
> I added another input rule to accept my particular box (24.6.xxx.xxx):
>
>     ipchains -A input -l -s 24.6.231.152/8
>         -d 24.6.xxx.xxx/255.0.0.0 -j ACCEPT

Your addresses seem odd to me.  The source addr in the first rule looks
fine.  The dest seems like it should be 24.6.0.0/16 (or
24.6.xxx.xxx/255.255.0.0, which could be more specific if you used your
actual net address and net mask).

In the second, if 24.6.231.152 is your address, it should be a dest addr,
not a source, shouldn't it (you want to keep traffic out, not in)?  Also,
it should be 24.6.231.152/32.  Seems to me that with the /8 it's the same
as 24.0.0.0.

Please correct me if I'm wrong, I'm new to ipchains.

> My questions are many:
> 1.  What is happening to the accepted packets?

If you're logging incoming broadcasts or packets not for you, they get
thrown away when the kernel isn't listening for them.  Your NIC should be
screening non-broadcast traffic not for your subnet, unless it is in
promiscuous mode.

> 2.  Should I worry about this or is it a matter of turning off logging
> for the new input rule?  (I did turn off logging for now to keep my
> syslog from using all file space)

Well, I would try to figure out what you're logging, and turn off logging
on 'known good' traffic.  Getting the ipchains right can be tricky, so you
can log everything at first, make sure it's what you expect, and turn off
logging on the chains that are right.  But accepting broadcast to another
subnet doesn't seem right (see below).

> 3.  While I was writing this email, it occurred to me that this may be
> a simple matter of 'normal' network traffic because I know that UDP
> packets are broadcast.  Is this the case?

Um...  TCP can be broadcast as well, though perhaps it isn't as often.
Things that get broadcast: arp, bootp/dhcp, maybe some netbios (windows)
stuff.  UDP that isn't broadcast: dns, syslog.  Others, of course.

You don't care about stuff not destined for you (unless you're sniffing your
neighbors ;-), so no need to log it.  You can put in rules where the dest
is not you and don't bother to log those.  If the dest is you, and you
don't expect it, log that to see where it's coming from.

For example, let's look at your log sample:

> Sep 19 21:13:51 jumanji kernel: Packet log: input ACCEPT eth0 PROTO=17
> 24.1.8.14:121 24.1.15.255:121 L=50 S=0x00 I=61766 F=0x0000 T=30 (#12)
>
The source is 24.1.8.14 and is probably allowed because you have a /8 on
your accept rule.  The dest is a broadcast addr 24.1.15.255 and again you
have the equivalent of /8.  So you accept this even though it seems to have
nothing to do with you (again, assuming that 24.6.231.152 is you - if it
isn't, what the heck is it?)  Port 121 is erpc (never heard of it).  So you
could probably clean things up and reduce your log rate.

> 4.  Are there other anomalies that could explain the observations?

Spurious cosmic ray muons?

Perhaps an expert can straighten us both out.  Or you can send your whole
(commented) rules and I can take a stab at making something that does what
you want (off list if you prefer).

Dave
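To make the mask arithmetic in the reply concrete, here is an added Python example (not code from the thread) that parses the quoted kernel log line and replays it against the two rules as posted and against the tightened masks the reply proposes; the rule names, the rule order (ACCEPT evaluated first) and the extra sample packets are assumptions.

```python
import ipaddress
import re

# Constructed sample: the ipchains "-l" kernel log line quoted in the thread.
LOG_LINE = ("Sep 19 21:13:51 jumanji kernel: Packet log: input ACCEPT eth0 PROTO=17 "
            "24.1.8.14:121 24.1.15.255:121 L=50 S=0x00 I=61766 F=0x0000 T=30 (#12)")
LOG_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<target>\S+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) L=(?P<len>\d+) "
    r".*\(#(?P<rule>\d+)\)")
INT_FIELDS = {"proto", "sport", "dport", "len", "rule"}

def parse_log(line):
    """Pull chain, target, protocol, addresses, ports and rule number out of a log line."""
    m = LOG_RE.search(line)
    if m is None:
        raise ValueError("not an ipchains packet log line")
    return {k: int(v) if k in INT_FIELDS else v for k, v in m.groupdict().items()}

def to_network(spec):
    """Read 'addr/prefix' or 'addr/netmask' the way ipchains does: host bits are masked
    off, so 24.6.231.152/8 and 24.6.231.152/255.0.0.0 both mean 24.0.0.0/8."""
    return ipaddress.ip_network(spec, strict=False)

def rule_matches(rule, pkt):
    return (ipaddress.ip_address(pkt["src"]) in to_network(rule["src"])
            and ipaddress.ip_address(pkt["dst"]) in to_network(rule["dst"]))

def first_match(rules, pkt):
    """A chain is walked top to bottom and the first matching rule decides; None means
    the packet falls through to the chain's default policy (and is not logged here)."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule["name"], rule["target"]
    return None

MY_ADDR = "24.6.231.152"  # the host address named in the thread

# The two rules as posted. Assumption: the ACCEPT rule sits first in the chain,
# which is what the logged "input ACCEPT" suggests.
POSTED_RULES = [
    {"name": "accept-me", "target": "ACCEPT", "src": MY_ADDR + "/8", "dst": MY_ADDR + "/255.0.0.0"},
    {"name": "deny-home", "target": "DENY", "src": "24.0.0.0/8", "dst": MY_ADDR + "/255.0.0.0"},
]
# The same rules with the masks the reply proposes: /32 on the host, /16 on the subnet.
TIGHTENED_RULES = [
    {"name": "accept-me", "target": "ACCEPT", "src": "24.0.0.0/8", "dst": MY_ADDR + "/32"},
    {"name": "deny-home", "target": "DENY", "src": "24.0.0.0/8", "dst": "24.6.0.0/16"},
]
```

With the posted masks the broadcast to 24.1.15.255 hits the ACCEPT rule (and is logged); with the tightened masks it matches neither rule, so only traffic actually addressed to the host or its /16 reaches a logging rule.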
