DOS Attacks

Anyone with a significant number of customers experiencing DOS attacks periodically? We experienced one last night that took our customers down for about 1.5 hours. We were able to use a sniffer and find the connection and shut them down but still our other customers suffered. We found out that it was a customer with 2 PCs that have viruses on them.

What is everyone doing to prevent DOS attacks? Is it an appliance? Is it a software setting? Just need some direction here. We are using all Layer 3 switching with Cisco 3560 switches and a 6506 Router at our core.

Anyone using a firewall at each AP location? (if so, what kind?)

I have attacks all the time…I'm going bald trying to figure out how to limit that traffic…what sniffer were you using to track it down and what was the method? I have used ethereal and show traffic with no significant information in tracking that traffic to specific customers…I usually have to turn off one AP at a time, then once narrowed down start booting customers with the bam method.

I am getting information on an $80 router that will isolate problems like that to an AP…if you can't beat it, damage control is the next best.

In fact I was up at 6am working on some sort of attack on my network (internal).

I have tons of info with ethereal but not a whole lot of knowledge on how to fix it…any ideas?

We use routers at each client premises, so that reduces garbage on our network slightly…

My bandwidth manager has specific uplink rules, so that a client can only blast a specified maximum amount of traffic to my main internet gateway.

Lastly, for the internet gateway, we use a server running Linux Fedora Core 3. This has many crazy firewall rules written by my sysadmin. It detects any irregular traffic from a client and blocks their connection immediately. We then advise the client on a course of action before we restore the connection.

When we connect new clients, they sign an Acceptable Usage Policy that explicitly states that abuse of the system will earn them a warning letter. After 5 of these letters, we have the right to terminate the service without any reimbursement of subscriptions paid in advance.

We require routers at all customer premises. When we receive an attack it cripples our network. Takes clusters down and affects other customers performance.

We use ethereal to eliminate certain hubs that it is located on. Based on IP addresses and MAC IDs we are able to narrow it down to a certain AP cluster, from there we start shutting down customer SMs till we find the one that is doing it. Then keep it shut down till it is fixed.

Has anyone put a firewall at each AP location to solve this? Like a SOHO box?

Do you have IPv4 multicast filtered in your SMs?

We just started this and have about 20% of our customer base covered. We are going to move quickly to get it to 100%. Just curious if anyone else was doing something cheap and effective.

I have had a horrible amount of harsh traffic running around on my network…it has taken me 3 days to narrow it down to a site. It will be fine for hours then bam, my network is lagged to hell.

showtraffic and ethereal show broadcasts from 0.0.0.0 to random public IPs on my network. With ethereal I can check the MACs, which all appear to be subscribers' routers, and the ones causing the spikes always change. The source port is always 770 and it's using ICMP; the destination port will change between 3 different ports.

My current method is to just shut down site after site to track it down to an AP, then kick off each client till the problem goes away…this problem can usually be solved within a few hours, however my customers aren't happy when it happens.

I really need a good solution ASAP and I can throw whatever money it takes…

Please, someone give me a good suggestion on this matter.

thanks

If it helps, the way I track down a user that is causing a lot of traffic is to find the IP/MAC with ethereal. Then with the MAC in hand I can go to each one of my APs' bridge table under expanded stats. I do a search for the last 4 characters. Once I have found the MAC match it will tell me the LUID on the same line.

The LUID can be a bit tricky as they don't always match up with what the true LUID is. For example, the MAC that matches may have an LUID of 00D which then gets translated back to 013 in my head. (Complained to Motorola about this. See if they will fix it.) I then can use the LUID select to get to their radio. I verify that the offending MAC is in the bridge table on the SM side and then turn off their Ethernet port.
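The first step of the method above, picking the offending subscriber MAC out of the sniffer capture, written up as an added example (not code from anyone in this thread). It assumes the capture has been exported as text columns in the order time, source MAC, destination MAC, source IP, destination IP, protocol (the way a tshark field export can be laid out); the sample lines are constructed, and the packets-per-second threshold is an arbitrary starting point. It also flags the 0.0.0.0-sourced broadcasts described earlier in the thread, so that the MAC it returns can be searched for in the AP bridge tables.

```python
import re
from collections import defaultdict

# Constructed sample lines (not a real capture) in the column layout of a
# tshark field export: time, source MAC, dest MAC, source IP, dest IP, protocol.
SAMPLE_CAPTURE = """\
0.000 00:11:22:33:44:55 ff:ff:ff:ff:ff:ff 0.0.0.0 203.0.113.7 ICMP
0.002 00:11:22:33:44:55 ff:ff:ff:ff:ff:ff 0.0.0.0 203.0.113.9 ICMP
0.004 00:11:22:33:44:55 ff:ff:ff:ff:ff:ff 0.0.0.0 203.0.113.12 ICMP
0.005 00:11:22:33:44:55 ff:ff:ff:ff:ff:ff 0.0.0.0 203.0.113.21 ICMP
0.120 00:aa:bb:cc:dd:01 00:50:56:00:00:01 192.168.1.20 198.51.100.5 TCP
0.250 00:aa:bb:cc:dd:02 00:50:56:00:00:01 192.168.1.21 198.51.100.6 DNS
0.300 00:11:22:33:44:55 ff:ff:ff:ff:ff:ff 0.0.0.0 203.0.113.33 ICMP
0.310 00:11:22:33:44:55 ff:ff:ff:ff:ff:ff 0.0.0.0 203.0.113.40 ICMP
0.900 00:aa:bb:cc:dd:01 00:50:56:00:00:01 192.168.1.20 198.51.100.5 TCP
"""

LINE_RE = re.compile(
    r"^(?P<t>\d+\.\d+)\s+(?P<smac>[0-9a-f:]{17})\s+(?P<dmac>[0-9a-f:]{17})\s+"
    r"(?P<sip>\S+)\s+(?P<dip>\S+)\s+(?P<proto>\S+)$", re.IGNORECASE)

def parse_capture(text):
    """Yield one dict per well-formed line; anything else is skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            pkt = m.groupdict()
            pkt["t"] = float(pkt["t"])
            yield pkt

def rank_sources(text):
    """Per source MAC: packet count, packets/sec over the capture span, and
    how many packets were broadcasts sourced from 0.0.0.0 (the thread's signature)."""
    pkts = list(parse_capture(text))
    if not pkts:
        return []
    span = (max(p["t"] for p in pkts) - min(p["t"] for p in pkts)) or 1.0
    stats = defaultdict(lambda: {"packets": 0, "zero_bcast": 0})
    for p in pkts:
        s = stats[p["smac"].lower()]
        s["packets"] += 1
        if p["sip"] == "0.0.0.0" and p["dmac"].lower() == "ff:ff:ff:ff:ff:ff":
            s["zero_bcast"] += 1
    ranked = [dict(mac=m, pps=round(v["packets"] / span, 1), **v) for m, v in stats.items()]
    return sorted(ranked, key=lambda r: r["packets"], reverse=True)

def suspects(text, min_pps=5.0):
    """MACs to look up in the AP bridge tables: high packet rate, or any 0.0.0.0 broadcast."""
    return [r["mac"] for r in rank_sources(text) if r["pps"] >= min_pps or r["zero_bcast"]]
```

On the constructed sample, suspects(SAMPLE_CAPTURE) returns only 00:11:22:33:44:55, the router sending the 0.0.0.0 broadcasts; the two normal subscribers stay below the rate threshold.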

This is a stupid question, but how do I disable the Ethernet port on the modem? I'm running 6.1.

That would be a question for a new thread, but here is the answer anyway.

It has been a long time since 6.1 but I would suspect it is still the same, and likely to change in 8.0.

Go to the configuration page of your SM. For the option 802.3 Link Enable/Disable select Disable, save changes and reboot.

louis.arsenault wrote:
If it helps, the way I track down a user that is causing a lot of traffic is to find the IP/MAC with ethereal. Then with the MAC in hand I can go to each one of my APs' bridge table under expanded stats. I do a search for the last 4 characters. Once I have found the MAC match it will tell me the LUID on the same line.

The LUID can be a bit tricky as they don't always match up with what the _true_ LUID is. For example, the MAC that matches may have an LUID of 00D which then gets translated back to 013 in my head. (Complained to Motorola about this. See if they will fix it.) I then can use the LUID select to get to their radio. I verify that the offending MAC is in the bridge table on the SM side and then turn off their Ethernet port.


Here's a small Python program I wrote to do what you've described a bit faster.

Now I know it may look a bit weird in some parts (especially the subnet part ;)) but this is just a quick hack.

You need a Linux/Unix box with snmpwalk, Python and pexpect.


#!/usr/bin/env python3
#
# MAC address finder/fetcher for Motorola Canopy products.
# Walks the Canopy bridge-table OID on each AP over SNMP and lists the MACs
# it has learned, or scans a subnet of APs to find which one holds a given MAC.
#
# TODO:
# * clean the code
# * make it more OO
# * use optparse instead of getopt (more OO)
# * NCurses and/or Qt/wx GUI

import pexpect
import sys
import getopt
import re

SUBDOMAINS = ["192.168.0.", "192.168.1."]  # example /24 prefixes where the APs live

# Canopy bridge-table OID; "Canopy" is the default read community on these radios
BRIDGE_OID = ".1.3.6.1.4.1.161.19.3.3.4.1.1"


def getResult(ip):
    """Return a text report of the MACs in the bridge table of the AP at ip."""
    res = pexpect.run("snmpwalk -v 2c -O q -t 1 -r 0 -c Canopy %s %s" % (ip, BRIDGE_OID),
                      encoding="utf-8")
    res = res.split('\r\n')
    result = str(ip) + " contains:\n"
    nil = True
    for line in res:
        # keep only the hex-string values, not the "OID" / error lines
        if line.startswith('SNMPv2-SMI') and line.find("OID") < 0:
            # snmpwalk prints the MAC as "xx xx xx xx xx xx " -> xx:xx:xx:xx:xx:xx
            mac = ':'.join(line[-18:-1].split())
            result += "\t" + mac + "\n"
            nil = False
    if nil:
        result += "\tNone\n"
    return result


def findMac(mac):
    """Probe every host in SUBDOMAINS and report the AP(s) whose bridge table holds mac."""
    found = "Search report:\n"
    for subdomain in SUBDOMAINS:
        for i in range(255):
            if i > 1:  # skip .0 and .1 (network / gateway)
                sys.stdout.write('.')  # one dot per host tried, as a progress marker
                sys.stdout.flush()
                res = getResult(subdomain + str(i))
                # snmpwalk prints hex in upper case, so compare case-insensitively
                if res.upper().find(mac.upper()) > 0:
                    found += "\nFOUND IT ON " + subdomain + str(i) + " !!! \n"
                    print("FOUND IT ON " + subdomain + str(i) + " !!! \n")
    if found == 'Search report:\n':
        return "I couldn't find this MAC on the network..."
    else:
        return found


if __name__ == '__main__':
    opt, args = getopt.getopt(sys.argv[1:], 'h:m:s:')

    if len(opt) == 0:
        print("""MAC Address finder/fetcher for Motorola Canopy products.
Coded by Bartosz "yazzgoth" Ptaszynski. yazzgoth at gmail dot com
This code is published under GNU License.

Usage:
getMacs.py [-smh]

Options:
\t-h\thostname - get MACs under that hostname
\t-m\tMAC - find under which host is the MAC (this may take a while)
\t-s\tsubnet - use specified subnet (ie. 192.168.1. ) - only used
\t \t when listing all MACs on the network or looking
\t \t for a specific MAC.
""")
    tIP = re.compile(r'[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}')
    tMAC = re.compile(r'[0-9A-Fa-f]{2}:[0-9A-Fa-f]{2}:[0-9A-Fa-f]{2}:[0-9A-Fa-f]{2}:[0-9A-Fa-f]{2}:[0-9A-Fa-f]{2}')
    tSUB = re.compile(r'[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.')
    host = ''
    mac = ''

    print("Hit Control-C anytime to abort...")
    try:
        for option in opt:
            o, v = option
            if o == '-s' and tSUB.match(v):
                SUBDOMAINS = [v]
            if o == '-h' and tIP.match(v):
                host = v
            if o == '-m' and tMAC.match(v):
                mac = v

        if mac != '':
            print(findMac(mac))
        elif host != '':
            print(getResult(host))
        else:
            # no host and no MAC given: list the bridge table of every AP in the subnet(s)
            for sub in SUBDOMAINS:
                for i in range(255):
                    if i > 1:
                        print(getResult(sub + str(i)))

    except KeyboardInterrupt:
        print("Cancelled!")

You may want to try the NetEnforcer AC-402 from Allot Communications. If you don't have the network techs to sit down and isolate and block these attacks then this piece of hardware is extremely helpful. It monitors and blocks the DOS attack automatically.

Main features include:
2 or 4 ports
Range of operation speeds: 2, 10, 45 and 100 Mbps (full duplex)
Identifies hundreds of applications and protocols out-of-the-box
Advanced signature and behavior-based recognition
Dynamic QoS, prioritization/shaping based on policy definitions
Proactive alarms
Automatic mitigation of malicious traffic
Supported by NetXplorer centralized management system
Easy upgrade to higher speeds and more policies
Fail-safe performance

It's a bit expensive though…just FYI.

Cheers

How much roughly does that box cost?

I've tried looking at the Astaro demo. They have full-featured Linux software and hardware.

What do you think about Astaro?
https://demo.astaro.com/

I tried your script and it gives me the following error:

[root@localhost ~]# ./getMacs.py
File "./getMacs.py", line 41
print "FOUND IT ON "+subdomain+str(i)+" !!! \n"
^
IndentationError: unindent does not match any outer indentation level


Any idea?

I believe the NetEnforcer 402 is about $9000 CDN. That's a guess though.