Hello,
Still trying to reach the swisscom/bluewin support for 10 minutes now (and the robot keeps telling me "estimated waiting time: 4-5 minutes" all the time), so I guess it's quicker if I ask here as well.
It's a simple problem: I manage a few intranet boxes (mail/webproxy) connected to the net via standard bluewin adsl lines. Everything was fine for the last years until today. Remote access is via ssh (NAT on the router).
Since today: no way to connect to any of the hosts (about 5): ports for ssh and http seem to be closed, while some of the IPs are still pingable.
Maybe somebody around knows about this thing? For example: maybe they activated a firewall this night on all customers' lines to prevent virus/worm problems? (I don't have a bluewin line myself, so it's hard to debug remotely.)
Regards & a nice Weekend/Sechseläuten to you, Olivier
PS: in the meantime, the hotline answered and they know nothing about that, but they are going to check internally and call back later...
Hello Olivier,
I have a similar setting to reach my box at home via an adsl from Bluewin. No problem on my side.
Ruben
swinog mailing list swinog@lists.swinog.ch http://lists.swinog.ch/cgi-bin/mailman/listinfo/swinog
Hello
We also have a few customers complaining about connection troubles, most of them have a ZyWALL. After some netflow debugging we see many port 80 SYN connections, which seem to be the cause of the troubles.
If someone needs a dump file, just send me a mail.
Kind Regards Erich
Hi all
We notice a heavy DoS attack of TCP SYN packets to port 80 since yesterday 22:02 CEST directed against (random?) targets using a spoofed src ip from Munich (don't call the owner, call your upstream ISP and ask for proper filtering!). Lots of webservers and companies are affected. Some statistics can be found here:
http://www.dshield.org/ipinfo.html?ip=212.224.127.14
http://stats.fp6-noah.org/top.php
With kind regards Goetz von Escher
Yep, same here... http://service.escapenet.ch/mrtg/escfwconn.html
Could someone at Init7 filter these for us? Thanks!
Regards,
Mike
Our connection in our office is being pounded as well...
04/11/2008 16:26:45 Under SYN flood attack, sent TCP RST 212.224.127.14:3978 192.168.10.11:80 TCP RST
04/11/2008 16:26:44 Under SYN flood attack, sent TCP RST 212.224.127.14:11885 192.168.10.11:80 TCP RST
04/11/2008 16:26:42 Under SYN flood attack, sent TCP RST 212.224.127.14:62699 192.168.10.11:80 TCP RST
Regards,
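An added example (not part of the original post): one way to summarise firewall entries in the format quoted above by source address, so the dominant source and its time window stand out. The fourth sample entry and the function names are constructed for illustration; since the source address is reported as spoofed in this thread, the result identifies what to filter, not who is sending.

```python
import re
from collections import defaultdict
from datetime import datetime

# Entry layout taken from the firewall log quoted in the thread:
# MM/DD/YYYY HH:MM:SS Under SYN flood attack, sent TCP RST SRC:SPORT DST:DPORT TCP RST
ENTRY_RE = re.compile(
    r"(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}) Under SYN flood attack, "
    r"sent TCP RST (\d{1,3}(?:\.\d{1,3}){3}):(\d+) (\d{1,3}(?:\.\d{1,3}){3}):(\d+)"
)

# The first three entries are the ones posted in the thread; the last one is
# constructed (198.51.100.0/24 is a documentation range) to add a second source.
SAMPLE_LOG = (
    "04/11/2008 16:26:45 Under SYN flood attack, sent TCP RST 212.224.127.14:3978 192.168.10.11:80 TCP RST\n"
    "04/11/2008 16:26:44 Under SYN flood attack, sent TCP RST 212.224.127.14:11885 192.168.10.11:80 TCP RST\n"
    "04/11/2008 16:26:42 Under SYN flood attack, sent TCP RST 212.224.127.14:62699 192.168.10.11:80 TCP RST\n"
    "04/11/2008 16:26:40 Under SYN flood attack, sent TCP RST 198.51.100.23:40000 192.168.10.11:80 TCP RST\n"
)

def summarize(log_text):
    """Group flood entries by source IP; works on one-per-line or run-together text."""
    stats = defaultdict(lambda: {"events": 0, "src_ports": set(), "targets": set(),
                                 "first": None, "last": None})
    for ts, src, sport, dst, dport in ENTRY_RE.findall(log_text):
        when = datetime.strptime(ts, "%m/%d/%Y %H:%M:%S")
        s = stats[src]
        s["events"] += 1
        s["src_ports"].add(int(sport))
        s["targets"].add((dst, int(dport)))
        s["first"] = when if s["first"] is None else min(s["first"], when)
        s["last"] = when if s["last"] is None else max(s["last"], when)
    return dict(stats)

def flood_sources(stats, min_events=3):
    """Sources with at least min_events entries, ranked by entry count."""
    hits = [(src, s["events"], len(s["src_ports"]))
            for src, s in stats.items() if s["events"] >= min_events]
    return sorted(hits, key=lambda h: h[1], reverse=True)

if __name__ == "__main__":
    for src, events, ports in flood_sources(summarize(SAMPLE_LOG)):
        print(f"{src}: {events} entries, {ports} distinct source ports")
```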
ack on that, we've seen the same source.. same time..
20500 4 240 (T 4935, slot 147) <-> tcp, 212.224.127.14 41215<-> 213.200.x.x 80
20500 9 540 (T 3325, slot 147) <-> tcp, 212.224.127.14 14591<-> 213.200.x.x 80
20500 9 540 (T 2898, slot 147) <-> tcp, 212.224.127.14 39167<-> 213.200.x.x 80
20500 9 540 (T 3028, slot 148) <-> tcp, 212.224.127.14 55544<-> 213.200.x.x 80
20500 4 240 (T 5150, slot 149) <-> tcp, 212.224.127.14 44281<-> 213.200.x.x 80
-steven
re,
On Fri, 2008-04-11 at 15:16 +0200, Erich Hohermuth wrote:
We also have a few customers complaining about connection troubles, most of them have a ZyWALL. After some netflow debugging we see many port 80 SYN connections, which seem to be the cause of the troubles.
Thanks for the feedback Erich! In the meantime, the Bluewin hot-line called back (yes, I know, I couldn't believe it either :-)) but they had no special information: they just confirmed nothing happened this night about the setup.
Asking on #swinog (irc) helped a bit more: it seems some other people had the same problem, and as a solution the suggestion was: "if you do NAT on Zyxel router please consider to close port 80 or block the IP 212.224.127.14" (thx Claudio).
I did that on the routers (by luck a good old isdn-based dial-in was available everywhere), and now everything looks stable. To be continued... ?
regards, Olivier
Well, the only good solution to this ugly attack is to do what Goetz suggested: as an ISP, inbound filter the offending IP address. This is what we did several hours ago and all is fine since then.
Firewalls of all types and models have/had issues with this attack. On some you might be able to turn on a SYN flood attack feature which will then blacklist the IP locally on the firewall.
Martin
Hello
It would be much better to fight the root cause and force every ISP in the world to block forged packets. For example with unified reverse path checks facing the customers. Ok, I'm just kidding ...
Unfortunately there is no direct benefit for the implementing ISPs because it helps all others. But we can start in the "SWINOG" community and make it better.
Maybe we can talk about this at our next meeting? Because I think the number of DoS attacks is increasing. After the last two presentations about Netflow capturing I guess SWITCH has the space and the cluster to calculate some numbers ;-)
What do you think about an open discussion at the next meeting?
Regards Erich
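An added example (not part of the original message): a small model of the strict reverse path check on customer-facing interfaces mentioned above, where a packet is accepted only if the route back to its source address points out of the interface it arrived on. The routing table, interface names and packets are constructed; strict mode as modelled here assumes symmetric routing towards the customer.

```python
import ipaddress

# Hypothetical routing table of an access router (prefix -> interface).
# Customer prefixes are documentation ranges; interface names are made up.
ROUTES = {
    "192.0.2.0/25": "cust-a",
    "192.0.2.128/25": "cust-b",
    "0.0.0.0/0": "upstream",
}

def build_fib(routes):
    """Parse prefixes and order them longest-first for longest-prefix match."""
    fib = [(ipaddress.ip_network(p), ifname) for p, ifname in routes.items()]
    return sorted(fib, key=lambda r: r[0].prefixlen, reverse=True)

def best_route_if(fib, addr):
    """Interface the router would use to reach addr, or None if unroutable."""
    ip = ipaddress.ip_address(addr)
    for net, ifname in fib:
        if ip in net:
            return ifname
    return None

def strict_rpf_accept(fib, src, ingress_if):
    """Strict reverse path check: the route back to src must use ingress_if."""
    return best_route_if(fib, src) == ingress_if

def filter_ingress(fib, packets):
    """Split (src, ingress_if) pairs into accepted and dropped lists."""
    accepted, dropped = [], []
    for pkt in packets:
        (accepted if strict_rpf_accept(fib, *pkt) else dropped).append(pkt)
    return accepted, dropped

# Constructed packets seen on customer-facing interfaces.
PACKETS = [
    ("192.0.2.10", "cust-a"),      # customer A using its own address
    ("212.224.127.14", "cust-a"),  # source not assigned to customer A (address from the thread)
    ("192.0.2.200", "cust-a"),     # customer A using customer B's address
    ("192.0.2.200", "cust-b"),     # customer B using its own address
]

if __name__ == "__main__":
    ok, bad = filter_ingress(build_fib(ROUTES), PACKETS)
    print("accepted:", ok)
    print("dropped: ", bad)
```

On the upstream interface the same check passes any source covered by the default route, which is why the filter only has an effect at the edge facing the customer.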
Schenkel Martin schrieb:
Well, the only good solution to this ugly attack is to do what Goetz suggested; As an ISP inbound filter the offending IP address. This is what we did several hours ago and all is fine since then.
BTW AS44066 which propagates the offending IP address claims spoofing.
Firewalls of all type of models have/had issues with this attack. On some you might be able to turn on a SYN flood attack feature which will then blacklist the IP locally on the firewall.
Not only firewalls, I think it also affects APC remote power switches.
F.