# Filtering DDoS/Virus attacks with ipfw



## tea (Nov 9, 2010)

Hello all!

Discovered an interesting tcpdump pattern:


```
tcpdump -c 100 -p -n -i bridge0 icmp

listening on bridge0, link-type EN10MB (Ethernet), capture size 96 bytes
13:49:07.585636 IP 109.227.235.101 > 61.160.212.115: ICMP echo request, id 20481, seq 25581, length 40
13:49:07.585691 IP 109.227.235.101 > 61.160.212.115: ICMP echo request, id 20481, seq 25837, length 40
13:49:07.585694 IP 109.227.235.101 > 61.160.212.115: ICMP echo request, id 20481, seq 35320, length 40
13:49:07.585730 IP 109.227.235.101 > 61.160.212.115: ICMP echo request, id 20481, seq 26093, length 40
13:49:07.585733 IP 109.227.235.101 > 61.160.212.115: ICMP echo request, id 20481, seq 33005, length 40
13:49:07.585835 IP 109.227.235.101 > 61.160.212.115: ICMP echo request, id 20481, seq 26349, length 40
13:49:07.585839 IP 109.227.235.101 > 61.160.212.115: ICMP echo request, id 20481, seq 33261, length 40
13:49:07.585851 IP 109.227.235.101 > 61.160.212.115: ICMP echo request, id 20481, seq 26605, length 40
13:49:07.585855 IP 109.227.235.101 > 61.160.212.115: ICMP echo request, id 20481, seq 33517, length 40
13:49:07.585859 IP 109.227.235.101 > 61.160.212.115: ICMP echo request, id 20481, seq 35576, length 40
13:49:07.585914 IP 109.227.235.101 > 61.160.212.115: ICMP echo request, id 20481, seq 37615, length 40
13:49:07.585943 IP 109.227.235.101 > 61.160.212.115: ICMP echo request, id 20481, seq 59373, length 40
13:49:07.585946 IP 109.227.235.101 > 61.160.212.115: ICMP echo request, id 20481, seq 33773, length 40
13:49:07.585949 IP 109.227.235.101 > 61.160.212.115: ICMP echo request, id 20481, seq 37871, length 40
13:49:07.585958 IP 109.227.235.101 > 61.160.212.115: ICMP echo request, id 20481, seq 59629, length 40
13:49:07.585968 IP 109.227.235.101 > 61.160.212.115: ICMP echo request, id 20481, seq 34029, length 40
13:49:07.585990 IP 109.227.235.101 > 61.160.212.115: ICMP echo request, id 20481, seq 38127, length 40
13:49:07.585993 IP 109.227.235.101 > 61.160.212.115: ICMP echo request, id 20481, seq 35832, length 40
13:49:07.585995 IP 109.227.235.101 > 61.160.212.115: ICMP echo request, id 20481, seq 59885, length 40
13:49:07.585996 IP 109.227.235.101 > 61.160.212.115: ICMP echo request, id 20481, seq 34285, length 40
13:49:07.585999 IP 109.227.235.101 > 61.160.212.115: ICMP echo request, id 20481, seq 38383, length 40
13:49:07.586289 IP 109.227.235.101 > 61.160.212.115: ICMP echo request, id 20481, seq 60141, length 40
```

Request packet:

```
0x0000:  4500 001c 46c8 0000 0201 361a 5cf3 6cd2
0x0010:  58bf 197b 0800 8b4f 0002 6cae aaaa aaaa
0x0020:  aaaa aaaa aaaa aaaa aaaa aaaa aaaa
...
```


Answer packet looks like this:

```
13:53:26.505497 IP 121.12.173.193 > 109.227.235.101: ICMP 121.12.173.193 udp port 80 unreachable, length 112
        0x0000:  4500 0084 24c9 0000 7101 a499 790c adc1  E...$...q...y...
        0x0010:  6de3 eb65 0303 7d79 0000 0000 4500 0068  m..e..}y....E..h
        0x0020:  6b09 0000 7011 5f65 6de3 eb65 790c adc1  k...p._em..ey...
        0x0030:  0ec0 0050 0054 2ddd 2a2a 2a2a 2a2a 2a2a  ...P.T-.********
        0x0040:  2a2a 2a2a 2a2a 2a2a 2a2a 2a2a 2a2a 2a2a  ****************
        0x0050:  2a2a
```


When we try a valid ping (even with the -f option), it looks like this:

```
14:00:25.097583 IP 10.1.1.58 > 10.1.1.199: ICMP echo request, id 62992, seq 513, length 40
14:00:25.109523 IP 10.1.1.58 > 10.1.1.199: ICMP echo request, id 62992, seq 514, length 40
14:00:25.121589 IP 10.1.1.58 > 10.1.1.199: ICMP echo request, id 62992, seq 515, length 40
14:00:25.133577 IP 10.1.1.58 > 10.1.1.199: ICMP echo request, id 62992, seq 516, length 40
14:00:25.145588 IP 10.1.1.58 > 10.1.1.199: ICMP echo request, id 62992, seq 517, length 40
14:00:25.157522 IP 10.1.1.58 > 10.1.1.199: ICMP echo request, id 62992, seq 518, length 40
14:00:25.169581 IP 10.1.1.58 > 10.1.1.199: ICMP echo request, id 62992, seq 519, length 40
14:00:25.181636 IP 10.1.1.58 > 10.1.1.199: ICMP echo request, id 62992, seq 520, length 40
14:00:25.193587 IP 10.1.1.58 > 10.1.1.199: ICMP echo request, id 62992, seq 521, length 40
14:00:25.205508 IP 10.1.1.58 > 10.1.1.199: ICMP echo request, id 62992, seq 522, length 40
14:00:25.217586 IP 10.1.1.58 > 10.1.1.199: ICMP echo request, id 62992, seq 523, length 40
14:00:25.229584 IP 10.1.1.58 > 10.1.1.199: ICMP echo request, id 62992, seq 524, length 40
14:00:25.241596 IP 10.1.1.58 > 10.1.1.199: ICMP echo request, id 62992, seq 525, length 40
14:00:25.253808 IP 10.1.1.58 > 10.1.1.199: ICMP echo request, id 62992, seq 526, length 40
14:00:25.265585 IP 10.1.1.58 > 10.1.1.199: ICMP echo request, id 62992, seq 527, length 40
14:00:25.277588 IP 10.1.1.58 > 10.1.1.199: ICMP echo request, id 62992, seq 528, length 40
14:00:25.289582 IP 10.1.1.58 > 10.1.1.199: ICMP echo request, id 62992, seq 529, length 40
14:00:25.301977 IP 10.1.1.58 > 10.1.1.199: ICMP echo request, id 62992, seq 530, length 40
14:00:25.313574 IP 10.1.1.58 > 10.1.1.199: ICMP echo request, id 62992, seq 531, length 40
14:00:25.325584 IP 10.1.1.58 > 10.1.1.199: ICMP echo request, id 62992, seq 532, length 40
14:00:25.337584 IP 10.1.1.58 > 10.1.1.199: ICMP echo request, id 62992, seq 533, length 40
14:00:25.349515 IP 10.1.1.58 > 10.1.1.199: ICMP echo request, id 62992, seq 534, length 40
14:00:25.361581 IP 10.1.1.58 > 10.1.1.199: ICMP echo request, id 62992, seq 535, length 40
14:00:25.373596 IP 10.1.1.58 > 10.1.1.199: ICMP echo request, id 62992, seq 536, length 40
14:00:25.385575 IP 10.1.1.58 > 10.1.1.199: ICMP echo request, id 62992, seq 537, length 40
14:00:25.397514 IP 10.1.1.58 > 10.1.1.199: ICMP echo request, id 62992, seq 538, length 40
```

The "seq" field increments evenly.

The impression is that something is working randomly and generating ICMP requests at breakneck speed.

Valid ping with -f on Fast Ethernet (one switch):


```
14:00:25.349515
14:00:25.361581
diff .12066 sec
```

And the strange one:


```
13:49:07.585636
13:49:07.585691
diff .00055 sec
```


Tell me what it is. Virus or not? And does it mean ipfw closes this traffic?

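As an added example (not part of tea's post), a small checker that turns the two observations above into a test: ping(8) bumps seq by exactly one per probe and paces its probes, while the suspect flow does neither. The sample lines are the first four of each capture quoted above; the 1 ms threshold is an assumption.

```python
import re
import statistics
from datetime import datetime

# Matches tcpdump's default one-line format for ICMP echo requests, as in the captures above.
ECHO_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): "
    r"ICMP echo request, id (?P<id>\d+), seq (?P<seq>\d+), length \d+$"
)

def parse_echo_requests(text):
    """Group echo requests by (src, dst, id) -> [(seconds since midnight, seq)] in capture order."""
    flows = {}
    for line in text.splitlines():
        m = ECHO_RE.match(line.strip())
        if not m:
            continue  # tcpdump banner, replies, unreachables: not echo requests
        t = datetime.strptime(m["ts"], "%H:%M:%S.%f")
        secs = t.hour * 3600 + t.minute * 60 + t.second + t.microsecond / 1e6
        flows.setdefault((m["src"], m["dst"], int(m["id"])), []).append((secs, int(m["seq"])))
    return flows

def classify_flow(packets, min_gap=0.001):
    """Returns (verdict, median inter-arrival gap in seconds, fraction of seq steps equal to +1)."""
    if len(packets) < 3:
        return "insufficient", None, None
    gaps = [b[0] - a[0] for a, b in zip(packets, packets[1:])]
    steps = [(b[1] - a[1]) % 65536 == 1 for a, b in zip(packets, packets[1:])]  # ping(8): always +1
    median_gap = statistics.median(gaps)
    ordered = sum(steps) / len(steps)
    if ordered < 0.9:
        return "irregular-seq", median_gap, ordered  # seq not counting up: not ping(8) behaviour
    if median_gap < min_gap:  # assumed threshold: far below the ~12 ms the -f run above shows
        return "high-rate", median_gap, ordered
    return "normal", median_gap, ordered

# Constructed samples: the first four lines of each capture quoted in the post above.
SUSPECT = """\
13:49:07.585636 IP 109.227.235.101 > 61.160.212.115: ICMP echo request, id 20481, seq 25581, length 40
13:49:07.585691 IP 109.227.235.101 > 61.160.212.115: ICMP echo request, id 20481, seq 25837, length 40
13:49:07.585694 IP 109.227.235.101 > 61.160.212.115: ICMP echo request, id 20481, seq 35320, length 40
13:49:07.585730 IP 109.227.235.101 > 61.160.212.115: ICMP echo request, id 20481, seq 26093, length 40
"""
NORMAL = """\
14:00:25.097583 IP 10.1.1.58 > 10.1.1.199: ICMP echo request, id 62992, seq 513, length 40
14:00:25.109523 IP 10.1.1.58 > 10.1.1.199: ICMP echo request, id 62992, seq 514, length 40
14:00:25.121589 IP 10.1.1.58 > 10.1.1.199: ICMP echo request, id 62992, seq 515, length 40
14:00:25.133577 IP 10.1.1.58 > 10.1.1.199: ICMP echo request, id 62992, seq 516, length 40
"""
```

Feed the full `tcpdump` output to `parse_echo_requests` and run `classify_flow` on each flow; the suspect flow comes back as `irregular-seq` with a sub-millisecond median gap, the ping -f run as `normal`.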

----------



## SirDice (Nov 9, 2010)

tea said:

> Tell me what it is. Virus? or not?


How about a regular ping?



> And is it means ipfw  close this traffic?


Cannot tell. We only see one part of the 'conversation'.


----------



## ProFTP (Nov 11, 2010)

deny icmp in...


----------

