For the last few weeks I have noticed a significant increase in blocked packets on my ASG 320.
I used to have around 100,000 dropped packets every day.
This rose to around 2 million blocked packets on June 7th. When I look at the logs I constantly see a single IP address trying to access one of my public IPs:
2012:06:24-11:29:55 pluto ulogd[5032]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth7" mark="0x1000" srcmac="0:23:5e:e1:86:1e" dstmac="0:1a:8c:17:30:d7" srcip="190.85.41.18" dstip="78.x.x.x" proto="17" length="200" tos="0x00" prec="0x00" ttl="45" srcport="20852" dstport="10320"
2012:06:24-11:29:55 pluto ulogd[5032]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth7" mark="0x1000" srcmac="0:23:5e:e1:86:1e" dstmac="0:1a:8c:17:30:d7" srcip="190.85.41.18" dstip="78.x.x.x" proto="17" length="200" tos="0x00" prec="0x00" ttl="45" srcport="20852" dstport="10320"
2012:06:24-11:29:55 pluto ulogd[5032]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth7" mark="0x1000" srcmac="0:23:5e:e1:86:1e" dstmac="0:1a:8c:17:30:d7" srcip="190.85.41.18" dstip="78.x.x.x" proto="17" length="200" tos="0x00" prec="0x00" ttl="45" srcport="20852" dstport="10320"
2012:06:24-11:29:55 pluto ulogd[5032]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth7" mark="0x1000" srcmac="0:23:5e:e1:86:1e" dstmac="0:1a:8c:17:30:d7" srcip="190.85.41.18" dstip="78.x.x.x" proto="17" length="200" tos="0x00" prec="0x00" ttl="45" srcport="20852" dstport="10320"
Now I tried to block that completely by adding a drop rule to the packet filter:
source: 190.85.41.18
port: udp 10320
dst: 78.x.x.x
I activated logging to see if it would do anything, but that didn't work. It was always blocked by the "default drop".
Then I checked my NATs to see if there were any automatic packet filter rules. I found one, but that only affected something else on port 80. Just to be sure I changed that and added a firewall rule for that service. So now I don't have any automatic packet filter rules left.
Still I can't block those "attacks" with the packet filter.
Then I added a blackhole NAT. That worked and I see the packets being redirected to a non-existent internal IP; however, they are still blocked by "default drop".
So that didn't help much and I deleted the NAT again.
When I then added a new firewall rule "any --> any --> additional interface IP: 78.x.x.x --> drop", the firewall log entries changed from UDP packets to RTP (see picture in attachment).
How do I block this crap? I don't want millions of entries clogging up my ASG and log files... If I could at least get rid of the logging (that's why I tried to add a rule in the first place) it would be very helpful.
Cheers,
Chris
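Before deciding which rule to add, it helps to quantify what the packet filter log actually contains: which source, destination and port the bulk of the drops belong to, and which rule ID (here fwrule="60001", the default drop) is producing them. The script below is an added example, not code from the original post or from Astaro/Sophos. It parses the key="value" format of the ulogd packetfilter lines quoted above, aggregates dropped packets per flow and per rule, and flags flows above a threshold. The sample log lines are constructed for the example (the first four mirror the post; the others use RFC 5737 documentation addresses), and the field names are taken only from the lines shown in the post.

```python
import re
from collections import Counter

# One key="value" pair as it appears in the ulogd packetfilter lines quoted in the post.
KV_RE = re.compile(r'(\w+)="([^"]*)"')

# Protocol numbers seen in the proto="..." field; 17 is UDP, as in the post.
PROTO_NAMES = {"1": "icmp", "6": "tcp", "17": "udp"}

# Constructed sample log, modelled on the format of the lines in the post.
_DROP_LINE = (
    '2012:06:24-11:29:55 pluto ulogd[5032]: id="2001" severity="info" sys="SecureNet" '
    'sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth7" '
    'mark="0x1000" srcmac="0:23:5e:e1:86:1e" dstmac="0:1a:8c:17:30:d7" srcip="190.85.41.18" '
    'dstip="78.x.x.x" proto="17" length="200" tos="0x00" prec="0x00" ttl="45" '
    'srcport="20852" dstport="10320"'
)
SAMPLE_LINES = [_DROP_LINE] * 4 + [
    # Constructed: an unrelated TCP/22 drop from a documentation address.
    '2012:06:24-11:30:02 pluto ulogd[5032]: id="2001" severity="info" sys="SecureNet" '
    'sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth7" '
    'srcip="203.0.113.9" dstip="78.x.x.x" proto="6" ttl="52" srcport="41000" dstport="22"',
    # Constructed: an accepted HTTPS packet, which must not be counted as a drop.
    '2012:06:24-11:30:03 pluto ulogd[5032]: id="2002" severity="info" sys="SecureNet" '
    'sub="packetfilter" name="Packet accepted" action="accept" fwrule="12" initf="eth7" '
    'srcip="198.51.100.5" dstip="78.x.x.x" proto="6" ttl="60" srcport="51000" dstport="443"',
    # Constructed: a non-packetfilter line that the parser must skip.
    "2012:06:24-11:30:04 pluto sshd[1234]: Accepted publickey for admin from 198.51.100.5",
]


def parse_ulogd_line(line):
    """Parse one ulogd packetfilter line into a dict of its key="value" fields.

    Returns None for lines that are not packetfilter records (no sub="packetfilter"
    or no srcip), so that unrelated syslog lines are ignored.
    """
    fields = dict(KV_RE.findall(line))
    if fields.get("sub") != "packetfilter" or "srcip" not in fields:
        return None
    # The timestamp is the first whitespace-separated token, e.g. 2012:06:24-11:29:55.
    fields["timestamp"] = line.split(" ", 1)[0]
    return fields


def count_drops(lines):
    """Count dropped packets per (srcip, dstip, proto, dstport) flow."""
    counts = Counter()
    for line in lines:
        f = parse_ulogd_line(line)
        if f is None or f.get("action") != "drop":
            continue
        proto = PROTO_NAMES.get(f.get("proto", ""), f.get("proto", "-"))
        counts[(f["srcip"], f["dstip"], proto, f.get("dstport", "-"))] += 1
    return counts


def count_by_rule(lines):
    """Count dropped packets per fwrule ID, to see which rule is doing the logging."""
    counts = Counter()
    for line in lines:
        f = parse_ulogd_line(line)
        if f is not None and f.get("action") == "drop":
            counts[f.get("fwrule", "-")] += 1
    return counts


def top_talkers(lines, threshold):
    """Return flows whose drop count reaches the threshold, busiest first."""
    return [(flow, n) for flow, n in count_drops(lines).most_common() if n >= threshold]


if __name__ == "__main__":
    for flow, n in top_talkers(SAMPLE_LINES, 3):
        src, dst, proto, port = flow
        print(f"{n} drops  {src} -> {dst} {proto}/{port}")
    print("drops per rule:", dict(count_by_rule(SAMPLE_LINES)))
```

On a real appliance the input would be the packetfilter log file rather than the embedded sample; feeding the day's log through `top_talkers` with a threshold of, say, 10,000 shows at once whether the 2 million drops are a single flow like the one in the post or spread across many sources, and `count_by_rule` shows whether any rule other than the default drop ever sees those packets.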
This thread was automatically locked due to age.