Linux

How do I stop an ICMP attack?

  • July 18, 2013

We are under a heavy icmp flood attack. Tcpdump shows the output below. Although we have blocked ICMP with iptables, tcpdump still prints icmp packets. I have also attached the iptables configuration and the "top" output. What can I do to stop the icmp packets completely?

[root@server downloads]# tcpdump icmp -v -n -nn
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
03:02:47.810957 IP (tos 0x0, ttl  49, id 16007, offset 0, flags [none], proto: ICMP (1), length: 56) 80.227.64.183 > 77.92.136.196: ICMP redirect 94.201.175.188 to host 80.227.64.129, length 36
       IP (tos 0x0, ttl 124, id 31864, offset 0, flags [none], proto: ICMP (1), length: 76) 77.92.136.196 > 94.201.175.188: [|icmp]
03:02:47.811559 IP (tos 0x0, ttl  49, id 16010, offset 0, flags [none], proto: ICMP (1), length: 56) 80.227.64.183 > 77.92.136.196: ICMP redirect 94.201.175.188 to host 80.227.64.129, length 36
       IP (tos 0x0, ttl  52, id 31864, offset 0, flags [none], proto: ICMP (1), length: 76) 77.92.136.196 > 94.201.175.188: [|icmp]
03:02:47.811922 IP (tos 0x0, ttl  49, id 16012, offset 0, flags [none], proto: ICMP (1), length: 56) 80.227.64.183 > 77.92.136.196: ICMP redirect 94.201.175.188 to host 80.227.64.129, length 36
       IP (tos 0x0, ttl 122, id 31864, offset 0, flags [none], proto: ICMP (1), length: 76) 77.92.136.196 > 94.201.175.188: [|icmp]
03:02:47.812485 IP (tos 0x0, ttl  49, id 16015, offset 0, flags [none], proto: ICMP (1), length: 56) 80.227.64.183 > 77.92.136.196: ICMP redirect 94.201.175.188 to host 80.227.64.129, length 36
       IP (tos 0x0, ttl 126, id 31864, offset 0, flags [none], proto: ICMP (1), length: 76) 77.92.136.196 > 94.201.175.188: [|icmp]
03:02:47.812613 IP (tos 0x0, ttl  49, id 16016, offset 0, flags [none], proto: ICMP (1), length: 56) 80.227.64.183 > 77.92.136.196: ICMP redirect 94.201.175.188 to host 80.227.64.129, length 36
       IP (tos 0x0, ttl 122, id 31864, offset 0, flags [none], proto: ICMP (1), length: 76) 77.92.136.196 > 94.201.175.188: [|icmp]
03:02:47.812992 IP (tos 0x0, ttl  49, id 16018, offset 0, flags [none], proto: ICMP (1), length: 56) 80.227.64.183 > 77.92.136.196: ICMP redirect 94.201.175.188 to host 80.227.64.129, length 36
       IP (tos 0x0, ttl 122, id 31864, offset 0, flags [none], proto: ICMP (1), length: 76) 77.92.136.196 > 94.201.175.188: [|icmp]
03:02:47.813582 IP (tos 0x0, ttl  49, id 16020, offset 0, flags [none], proto: ICMP (1), length: 56) 80.227.64.183 > 77.92.136.196: ICMP redirect 94.201.175.188 to host 80.227.64.129, length 36
       IP (tos 0x0, ttl  52, id 31864, offset 0, flags [none], proto: ICMP (1), length: 76) 77.92.136.196 > 94.201.175.188: [|icmp]
03:02:47.814092 IP (tos 0x0, ttl  49, id 16023, offset 0, flags [none], proto: ICMP (1), length: 56) 80.227.64.183 > 77.92.136.196: ICMP redirect 94.201.175.188 to host 80.227.64.129, length 36
       IP (tos 0x0, ttl 120, id 31864, offset 0, flags [none], proto: ICMP (1), length: 76) 77.92.136.196 > 94.201.175.188: [|icmp]
03:02:47.814233 IP (tos 0x0, ttl  49, id 16024, offset 0, flags [none], proto: ICMP (1), length: 56) 80.227.64.183 > 77.92.136.196: ICMP redirect 94.201.175.188 to host 80.227.64.129, length 36
       IP (tos 0x0, ttl 120, id 31864, offset 0, flags [none], proto: ICMP (1), length: 76) 77.92.136.196 > 94.201.175.188: [|icmp]
03:02:47.815579 IP (tos 0x0, ttl  49, id 16025, offset 0, flags [none], proto: ICMP (1), length: 56) 80.227.64.183 > 77.92.136.196: ICMP redirect 94.201.175.188 to host 80.227.64.129, length 36
       IP (tos 0x0, ttl  50, id 31864, offset 0, flags [none], proto: ICMP (1), length: 76) 77.92.136.196 > 94.201.175.188: [|icmp]
03:02:47.815726 IP (tos 0x0, ttl  49, id 16026, offset 0, flags [none], proto: ICMP (1), length: 56) 80.227.64.183 > 77.92.136.196: ICMP redirect 94.201.175.188 to host 80.227.64.129, length 36
       IP (tos 0x0, ttl  50, id 31864, offset 0, flags [none], proto: ICMP (1), length: 76) 77.92.136.196 > 94.201.175.188: [|icmp]
03:02:47.815890 IP (tos 0x0, ttl  49, id 16027, offset 0, flags [none], proto: ICMP (1), length: 56) 80.227.64.183 > 77.92.136.196: ICMP redirect 94.201.175.188 to host 80.227.64.129, length 36

iptables configuration:

[root@server etc]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ofis       tcp  --  anywhere             anywhere            tcp dpt:mysql
ofis       tcp  --  anywhere             anywhere            tcp dpt:ftp
DROP       icmp --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
DROP       icmp --  anywhere             anywhere

Chain ofis (2 references)
target     prot opt source               destination
ACCEPT     all  --  OUR_OFFICE_IP        anywhere
DROP       all  --  anywhere             anywhere

top:

top - 03:12:19 up 400 days, 15:43,  3 users,  load average: 1.49, 1.67, 2.61
Tasks: 751 total,   3 running, 748 sleeping,   0 stopped,   0 zombie
Cpu(s):  8.2%us,  1.0%sy,  0.0%ni, 87.9%id,  2.1%wa,  0.1%hi,  0.7%si,  0.0%st
Mem:  32949948k total, 26906844k used,  6043104k free,  4707676k buffers
Swap: 10223608k total,        0k used, 10223608k free, 14255584k cached

 PID USER      PR  NI  VIRT  RES  SHR S %CPU %MEM    TIME+  COMMAND
  36 root      39  19     0    0    0 R 100.8  0.0  17:03.56 ksoftirqd/11
10552 root      15   0 11408 1460  676 R  5.7  0.0   0:00.04 top
7475 lighttpd  15   0  304m  22m  15m S  3.8  0.1   0:05.37 php-cgi
1294 root      10  -5     0    0    0 S  1.9  0.0 380:54.73 kjournald
3574 root      15   0  631m  11m 5464 S  1.9  0.0   0:00.65 node
7766 lighttpd  16   0  302m  19m  14m S  1.9  0.1   0:05.70 php-cgi
10237 postfix   15   0 52572 2216 1692 S  1.9  0.0   0:00.02 scache
   1 root      15   0 10372  680  572 S  0.0  0.0   0:07.99 init
   2 root      RT  -5     0    0    0 S  0.0  0.0   0:16.72 migration/0
   3 root      34  19     0    0    0 S  0.0  0.0   0:00.06 ksoftirqd/0
   4 root      RT  -5     0    0    0 S  0.0  0.0   0:00.00 watchdog/0
   5 root      RT  -5     0    0    0 S  0.0  0.0   1:10.46 migration/1
   6 root      34  19     0    0    0 S  0.0  0.0   0:01.11 ksoftirqd/1
   7 root      RT  -5     0    0    0 S  0.0  0.0   0:00.00 watchdog/1
   8 root      RT  -5     0    0    0 S  0.0  0.0   2:36.15 migration/2
   9 root      34  19     0    0    0 S  0.0  0.0   0:00.19 ksoftirqd/2
  10 root      RT  -5     0    0    0 S  0.0  0.0   0:00.00 watchdog/2
  11 root      RT  -5     0    0    0 S  0.0  0.0   3:48.91 migration/3
  12 root      34  19     0    0    0 S  0.0  0.0   0:00.20 ksoftirqd/3
  13 root      RT  -5     0    0    0 S  0.0  0.0   0:00.00 watchdog/3

uname -a

[root@server etc]# uname -a
Linux thisis.oursite.com 2.6.18-238.19.1.el5 #1 SMP Fri Jul 15 07:31:24 EDT 2011 x86_64 x86_64 x86_64 GNU/Linux

ARP -an

[root@server downloads]# arp -an
? (77.92.136.194) at 00:25:90:04:F0:90 [ether] on eth0
? (192.168.0.2) at 00:25:90:04:F0:91 [ether] on eth1
? (77.92.136.193) at 00:23:9C:0B:CD:01 [ether] on eth0

Contact your ISP and give them this information. They need to drop the traffic on the backbone. Once the traffic reaches your firewall, your resources have already been consumed. The only way to stop this is to drop it on the backbone.

These look like ICMP Redirects.

These are normally only seen on the local segment.

Which IP is yours? 80.227.64.183 > 77.92.136.196: ICMP redirect 94.201.175.188 to host 80.227.64.129

I read this (possibly wrongly) as the gateway on your segment, 80.227.64.183, telling you (77.92.136.196) to reach 94.201.175.188 via 80.227.64.129?

It looks like there may be some overlapping VLAN traffic on your segment. (What does your arp table look like? arp -an)
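To make the second answer's reasoning checkable, here is a small added triage script (not from the post or from Server Fault) that parses the outer header lines of the capture above, counts ICMP redirects per sender and flags senders that are not on the host's own segment; the /29 for the server's subnet is an assumption, since the post only shows .193, .194 and .196 on eth0. Note that tcpdump taps frames before netfilter's INPUT chain, so packets appearing in the capture do not mean the DROP rule is failing.

```python
import re
from collections import Counter
from datetime import datetime
from ipaddress import ip_address, ip_network

# Outer header lines taken from the capture in the question (one indented
# inner-header line kept to show that the parser skips it).
SAMPLE = """\
03:02:47.810957 IP (tos 0x0, ttl  49, id 16007, offset 0, flags [none], proto: ICMP (1), length: 56) 80.227.64.183 > 77.92.136.196: ICMP redirect 94.201.175.188 to host 80.227.64.129, length 36
       IP (tos 0x0, ttl 124, id 31864, offset 0, flags [none], proto: ICMP (1), length: 76) 77.92.136.196 > 94.201.175.188: [|icmp]
03:02:47.811559 IP (tos 0x0, ttl  49, id 16010, offset 0, flags [none], proto: ICMP (1), length: 56) 80.227.64.183 > 77.92.136.196: ICMP redirect 94.201.175.188 to host 80.227.64.129, length 36
03:02:47.811922 IP (tos 0x0, ttl  49, id 16012, offset 0, flags [none], proto: ICMP (1), length: 56) 80.227.64.183 > 77.92.136.196: ICMP redirect 94.201.175.188 to host 80.227.64.129, length 36
"""

# Only outer IP header lines start with a timestamp; inner headers are indented.
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d{6}) IP \(.*?ttl\s+(?P<ttl>\d+).*?\) "
    r"(?P<src>[\d.]+) > (?P<dst>[\d.]+): ICMP (?P<msg>.*?), length \d+$"
)
REDIRECT_RE = re.compile(r"^redirect (?P<target>[\d.]+) to host (?P<gw>[\d.]+)$")

def parse_capture(text):
    """Return one dict per outer ICMP line: ts, ttl, src, dst, msg, target, gw."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # indented inner header or unrelated line
        rec = m.groupdict()
        rec["ttl"] = int(rec["ttl"])
        r = REDIRECT_RE.match(rec["msg"])
        rec["target"] = r["target"] if r else None
        rec["gw"] = r["gw"] if r else None
        records.append(rec)
    return records

def summarize(records, local_cidr):
    """Count redirects per sender and flag senders outside the local segment."""
    local_net = ip_network(local_cidr)
    redirects = [r for r in records if r["target"] is not None]
    per_src = Counter(r["src"] for r in redirects)
    # A genuine redirect can only come from a router on the host's own link,
    # so a redirect sender outside local_net is spoofed or misrouted.
    off_segment = sorted(s for s in per_src if ip_address(s) not in local_net)
    ts = [datetime.strptime(r["ts"], "%H:%M:%S.%f") for r in redirects]
    span = (max(ts) - min(ts)).total_seconds() if len(ts) > 1 else 0.0
    rate = len(redirects) / span if span > 0 else float("inf")
    return {"redirects": len(redirects), "per_src": dict(per_src),
            "off_segment_senders": off_segment, "redirects_per_sec": rate}

if __name__ == "__main__":
    # 77.92.136.192/29 is an assumed mask for the server's eth0 segment.
    print(summarize(parse_capture(SAMPLE), "77.92.136.192/29"))
```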

Source: https://serverfault.com/questions/433511